{ "type": "Domain", "indicator": "command.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/command.com", "alexa": "http://www.alexa.com/siteinfo/command.com", "indicator": "command.com", "type": "domain", "type_title": "Domain", "validation": [ { "source": "majestic", "message": "Whitelisted domain command.com", "name": "Whitelisted domain" } ], "base_indicator": { "id": 69831970, "indicator": "command.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 14, "pulses": [ { "id": "698e93e1ab02db8c49e8c3ed", "name": "\u201cBroken Seal\u201d DocuSign-themed Delivery with Fileless Process Hollowing (Zeppelin/Bloat-A)", "description": "Forensic analysis indicates a DocuSign-themed phishing campaign using a deliberately invalid X.509 PKI seal (\u201cBroken Seal\u201d) to trigger fail-open verification logic in automated handlers. The delivery mechanism bypasses Secure Email Gateway (SEG) reputation checks by using encrypted channels and human-gated infrastructure. The payload is a fileless Process Hollowing (RunPE) malware that injects into RWX memory of legitimate processes to evade disk-based EDR.", "modified": "2026-05-17T15:52:35.396000", "created": "2026-02-13T03:00:49.872000", "tags": [ "Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi", "9698f46495ce9401c8bcaf9a2afe1598", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)", "MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71", "Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link", "DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)" ], "references": [ "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)", "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.", "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess", "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.", "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.", "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)", "Verification failure observed in automated verification handlers during sandbox replay.", "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.", "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.", "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.", "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.", "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).", "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.", "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.", "Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat", "", "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr", "My Independent research finds an intersect between different pdf DV versions being able to connect to Raspberry Pi devices as it was the FCC application document. Risk: Mac ID connectivity to all." ], "public": 1, "adversary": "", "targeted_countries": [ "China", "United States of America", "Spain", "Japan", "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In" ], "TLP": "green", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 28000, "FileHash-SHA256": 48374, "FileHash-MD5": 42596, "FileHash-SHA1": 23243, "hostname": 35654, "URL": 75758, "SSLCertFingerprint": 30, "CVE": 7585, "email": 316, "FileHash-IMPHASH": 8, "CIDR": 26205, "JA3": 1, "URI": 5, "IPv4": 574, "Mutex": 1 }, "indicator_count": 288350, "is_author": false, "is_subscribing": null, "subscriber_count": 92, "modified_text": "13 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69db956f031caeb41837fe82", "name": "VirusTotal report\n for Digi-Loader-1-exe-Download-Added-TOP.pdf", "description": " A collection from U or Oreg. - thanks to the tipster. While the dates askew from cert. abuse the overall Month/day appear aligned, however the diff year predated to invalid certs (suspect- more than a theory). Interesting, research subjects pii on pdx flight aligns.\nConsistent \"Research time signed outside timestamp\" burden of proof has been met, goodnight. \nSecond Write- Can read a malicious pdf docs quicker than anyone. Thank you Second Write Sandbox", "modified": "2026-05-12T14:28:43.689000", "created": "2026-04-12T12:51:59.240000", "tags": [ "file type", "united", "json", "com executable", "network info", "malicious", "urls", "t1055 process", "ascii", "mitre attack", "phishing", "next", "windows sandbox", "calls process", "foxpro fpt", "links file", "152 x", "sqlite version", "utf8", "sqlite rollback", "default", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "strong", "library", "win1", "cultureneutral", "accept", "shutdown", "back", "msie", "windows nt", "wow64", "slcc2", "media center", "get http", "type annot", "subtype link", "rect", "stream", "xport", "possible", "matrix", "packer", "strings", "enterprise", "sandbox", "title", "core", "agent", "snort", "context", "destination ip", "http requests", "dns resolutions", "acrongl integ", "adc4240758", "sha1", "potential pdx intersect", "spellbound. librarian things" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/f8959944c899789d1fa1a6de7c6818a37f237dd44f39e5301f755fddd64c9791_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775997378&Signature=KsJYbpoN6hteGv0hQe%2B7MgknKi2y7G9y%2Bv0JJZqMcuUdnf3gyNBPBzyKTVuoWOtaG8ix3%2BctGPzbrSe5UI3cg4Z0gK%2B6X75apikmjWPqBKofhIc5BqSpHspjoDYtiKLxroPreiitG4QqViG8yPq7ZCkMLfT71MSIE9dJ9XhV4fO2MSLHJA0qzdykwolGgi0i5r12p1nNsE1eHXJY0HwJl%2Fqka%2FKRtekjeEG1K1qHo6QJlzKhiCRubQwgU7", "https://vtbehaviour.commondatastorage.googleapis.com/f8959944c899789d1fa1a6de7c6818a37f237dd44f39e5301f755fddd64c9791_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775997612&Signature=l%2FoIF7cZSCGanh2IyxGroiq3YNwdCp9oVTfF02Zi7d4yp4LMuvnnLFWqVzfWbvIHB94EaU0ICQHP6MwgUb5Z4bF2OVcHxdHieB3iTKEX6sGurBIeKYNAPuakGTzCRv%2FSnZJHpZbsoH11i%2F%2BIwHQLGAKerBuNCuq%2FDi8tvVKCDiF9JQGxOYhQsjlzQJtUBiVEVnBTKbjIdeg9iAMES8qHj0eAglff6gxDk1t%2FU5HmKB1T", "https://vtbehaviour.commondatastorage.googleapis.com/26b3bfa810cd37fe4046221ab2269b360e9a6c51961db6fd95e7499e2d76d544_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775997821&Signature=IjR3qiuvOqpJ0ChD%2FQ%2B0QKlCAsWejT6Ei8KIh27ZO2t%2BnO1oDrCrR7D3x3lf6xKLr93CFw7bU1IUQONv3WbJ%2BJ0oyQ0yhyalr5VTTy1mHEphjCvObM%2B8PPv6o5cjYXYDpKVcQjBFrkgGvJxrleE5kQvx6irIRcFMTUdnDVuNEcV6sALKN3oYRo%2B%2Fvk7TA%2FfAVTtpBhUfsC4dvVAJnRQgBC4gEzEYuZN3oaDzlYUCoghsW5", "https://vtbehaviour.commondatastorage.googleapis.com/f8959944c899789d1fa1a6de7c6818a37f237dd44f39e5301f755fddd64c9791_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775997952&Signature=Pc%2FXTIxysZhpywMxwwW%2BrBcX9VHIrYH%2BL3sUsVHUCm1TUbCCtQe7ZIpfTtqIl%2FWLsaehPWv%2FBt4Q6PbZH1IFYbFrKet6C2NOwwOh9WtZQ0cak9wRRun6IjZTU33hWBk4GyEAh%2FpE5nF4ND%2BQSOQuZ5DiMtHeXRlWjRI6KwJ8ApdtNpccNlYGYGKmqj%2BLK7CZTI%2FmpO8GkbS2UkwUwBa6TFoYFvBiQ5SHdRUJ2MT7t3RzWvn8hGyb", "https://vtbehaviour.commondatastorage.googleapis.com/f8959944c899789d1fa1a6de7c6818a37f237dd44f39e5301f755fddd64c9791_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775998043&Signature=atj43IFZmS1xhCQtPEtGr1gjAzp5YJ5SAqKqPXrExtpioezLoyIJKw91Cc1EPO9Ff86CNaeS%2BNKNidgGEvFkAFNQpY8CEvbl7dcNVj3FUVUS3ybBoI8xLShMhwUy%2F0aYbXdMfYG3KdE%2FXDvt56Et6LjAj6N0lh1mp0m48Zz2hNTlghpHTSGlP3SY1VjfKxBYwh%2BWAJOSrHiXvzeVhuN5Qj6JWU%2FLg824mJRsUPe7iyNe2u", "https://vtbehaviour.commondatastorage.googleapis.com/3aefe8dfb9c99f3a84f5f74b15afeaeca682c8c50f18fa59b2e0b06da9619f1d_SecondWrite.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775998118&Signature=oZItRZYU06S7GWIVhygTK0XUPoeDlmpVWee4ri8K1nSYOFjKP7WjYTzw03EoC6pzqFjdjNKm2lQytBKbv%2BcMJT%2F%2BWZ7nF71PUUmExKgSsvfD6PXKzUcX8vuHnJwcu3NlTOuhNKNfed2iOEAGybINfsgUO6DFzlTsGd51hjV3I%2BT4t%2FTn1aszBeDzRu01gkhvTI5%2BmXmxZfhYmVTFVADNEociZ8DSGmafzUamrXrSTRcAurmFTNmC4", "https://vtbehaviour.commondatastorage.googleapis.com/3aefe8dfb9c99f3a84f5f74b15afeaeca682c8c50f18fa59b2e0b06da9619f1d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775998463&Signature=qYYMHcxIAT2xuxsg%2F5YbX%2B0y0xuq1Bdd9afbiFWSZHWHsm16y4KPWqE8YDY6heMDu8H6K1bmLZjUn59Bei5cJgnVJtX4Qv6%2FJ9i%2FJXNS6kxDf5xDJvv%2FF%2FcK%2FVKyZS%2BVYzAwJ2OLrXxw4BNVIrT4nxtE34M2lc%2FjwH6H%2FLWNBighCC1k8cvWNbNJkBtGmfWtAfK%2FueAgi5glMRbAmq7xAC5XJGlhgUzo%2Fu2U9N", "" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 458, "FileHash-MD5": 575, "FileHash-SHA1": 478, "FileHash-SHA256": 1401, "domain": 96, "hostname": 235, "email": 6, "CVE": 3 }, "indicator_count": 3252, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "18 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69fc4d77afa81737a1d6262c", "name": "Fsysna - Privileged Agent Rufus", "description": "The adversary exploits the legitimate operational footprint of Rufus to mask Master Boot Record (MBR) manipulation and bypass heuristic defenses. This indicates a well-versed actor utilizing high-integrity tool-masking to maintain stealth.Technical AnalysisSubversion of Security Policies: The artifact targets HKLM\\\u2026\\SAFER\\CODEIDENTIFIERS to enumerate and likely neutralize Software Restriction Policies (SRP).Direct Disk Manipulation: Exploits the utility\u2019s disk-write primitive to establish persistence at the boot layer, bypassing standard OS-level detection.Privileged Discovery: Forces UAC elevation to conduct exhaustive hardware reconnaissance and volume profiling, facilitating environmental awareness.Heuristic Evasion: masquerades as a trusted unsigned binary to exploit the \"administrative whitelist\" blind spot in signature-based engines.", "modified": "2026-05-08T06:33:56.667000", "created": "2026-05-07T08:29:43.174000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 138, "domain": 29, "FileHash-MD5": 6, "FileHash-SHA1": 6, "IPv4": 41, "hostname": 79, "URL": 84, "email": 48 }, "indicator_count": 431, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "23 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69fc4d769e89dc96fce03ffe", "name": "Fsysna - Privileged Agent Rufus", "description": "The adversary exploits the legitimate operational footprint of Rufus to mask Master Boot Record (MBR) manipulation and bypass heuristic defenses. This indicates a well-versed actor utilizing high-integrity tool-masking to maintain stealth.Technical AnalysisSubversion of Security Policies: The artifact targets HKLM\\\u2026\\SAFER\\CODEIDENTIFIERS to enumerate and likely neutralize Software Restriction Policies (SRP).Direct Disk Manipulation: Exploits the utility\u2019s disk-write primitive to establish persistence at the boot layer, bypassing standard OS-level detection.Privileged Discovery: Forces UAC elevation to conduct exhaustive hardware reconnaissance and volume profiling, facilitating environmental awareness.Heuristic Evasion: masquerades as a trusted unsigned binary to exploit the \"administrative whitelist\" blind spot in signature-based engines.", "modified": "2026-05-08T06:33:56.571000", "created": "2026-05-07T08:29:42.377000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 138, "domain": 29, "FileHash-MD5": 6, "FileHash-SHA1": 6, "IPv4": 41, "hostname": 79, "URL": 84, "email": 48 }, "indicator_count": 431, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "23 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69fc4d75bbb155224dcb27b7", "name": "Fsysna - Privileged Agent Rufus", "description": "The adversary exploits the legitimate operational footprint of Rufus to mask Master Boot Record (MBR) manipulation and bypass heuristic defenses. This indicates a well-versed actor utilizing high-integrity tool-masking to maintain stealth.Technical AnalysisSubversion of Security Policies: The artifact targets HKLM\\\u2026\\SAFER\\CODEIDENTIFIERS to enumerate and likely neutralize Software Restriction Policies (SRP).Direct Disk Manipulation: Exploits the utility\u2019s disk-write primitive to establish persistence at the boot layer, bypassing standard OS-level detection.Privileged Discovery: Forces UAC elevation to conduct exhaustive hardware reconnaissance and volume profiling, facilitating environmental awareness.Heuristic Evasion: masquerades as a trusted unsigned binary to exploit the \"administrative whitelist\" blind spot in signature-based engines.", "modified": "2026-05-08T06:33:55.728000", "created": "2026-05-07T08:29:41.963000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 138, "domain": 30, "FileHash-MD5": 6, "FileHash-SHA1": 6, "IPv4": 41, "hostname": 79, "URL": 84, "email": 48 }, "indicator_count": 432, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "23 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69eae3465a9cbe437bca96df", "name": "[The infectors and The infected - string.dmp] credit: DorkingBeauty1 Cloned", "description": "", "modified": "2026-04-24T03:28:06.951000", "created": "2026-04-24T03:28:06.951000", "tags": [ "ven1af4", "dev0022", "ctlrven8086", "subsys1af40022", "ctlrdev293e", "system", "ms shell", "shell dlg", "corporation", "func01", "service", "error", "open", "copy", "click", "config", "model", "close", "class", "find", "null", "encrypt", "install", "problem", "shift", "bits", "agent", "false", "mexico", "next", "desktop", "window", "small", "core", "explorer", "refresh", "fail", "info", "unknown", "swedish", "done", "pipes", "xtra", "burn", "back", "insert", "fyou", "date", "front", "turn", "starfield", "this", "dword", "critical", "panama", "uruguay", "paraguay", "italian", "calendar", "indonesia", "mongolian", "legacy", "restart", "icmp", "media", "loader", "flash", "look", "format", "screen", "green", "cascade", "defender", "toolbar", "leave", "already", "strings", "body", "dump", "generator", "restrict", "trace", "zero", "stack", "sinf", "czech", "icelandic", "korean", "polish", "slovak", "slovakia", "albanian", "albania", "turkish", "ukraine", "belarus", "armenia", "shutdown", "scroll", "reboot", "download", "minsk", "phase", "dcom", "never", "form", "target", "fullscreen", "shown", "general", "code", "blank", "specified", "refer", "accept", "waiting", "voice", "terminal", "tools", "meta", "delta", "colors", "clock", "dragdrop", "friendly" ], "references": [ "472.dmp.strings" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "628d95bd59109416c444c985", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 71, "hostname": 81, "URL": 141, "domain": 62, "FileHash-MD5": 2, "FileHash-SHA1": 1, "email": 1 }, "indicator_count": 359, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "37 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69c5d13d94af758096d048b9", "name": "Comprehensive Tria.ge import - Pro tip by Merkd1904 clone", "description": "", "modified": "2026-03-27T00:37:17.833000", "created": "2026-03-27T00:37:17.833000", "tags": [ "implementation", "murmurhash3", "jens taylor", "gary court", "austin appleby", "typeof h", "please", "javascript", "triage", "malware", "analysis", "report", "reported", "analyze", "sandbox", "score", "behavioral task", "resource", "ck v13", "general", "target", "size", "sha256", "sha512", "ssdeep", "config", "copy", "shell", "sample", "sha1", "execution", "sample sample", "gpio promo", "sample gpio", "gpio2 driv", "sample gpio2", "target gpio", "adversaries", "bypass", "download submit", "filesize", "executes", "file", "download", "key value", "set value", "explorer", "class", "monitor", "signatures", "discovery", "iocs", "asusit885", "vendady", "venmsft", "proddadydvdrom4", "prodharddisk4", "drops file", "checks scsi", "processes", "network", "replay", "armourycra", "armoury crate", "token", "exe loads", "factory", "prefetch8", "service", "ck v6", "mitre", "f13eed8e", "suspicious use", "samsungma", "defense", "alderlakep", "alderlake", "sunrisepoi", "skylakesk", "tigerlakep", "reads cpu", "reads runtime", "tmpinxi", "ttps", "checks computer", "ngen worker", "process", "state migration", "installer", "binzsh c", "ksversion", "kschannelid", "apps", "plugins", "xpcproxy", "helper", "chrome helper", "renderer", "binlaunchctl", "data filesize", "error", "document being", "devnull md5", "play", "hypervisor", "mount o", "t iso9660", "f varlogmount", "analog", "triage submit", "static", "report analysis", "logs loading", "analysis log", "dos win95", "f win98", "f hpfs", "w95 f", "fat12 fat16", "extend", "setpasswd", "f root", "checks cpu", "discovery t1082", "managerwar", "wifinetwor", "query registry", "multimedia", "inprocserver32", "apartment", "typelib", "persistence", "progid", "nummethods", "10 discovery", "t1012 system", "appdir", "prefetch1", "registers com", "both", "chromehtml", "windowsdef", "enumerates", "systemroot", "windows media", "9801", "components", "checks", "localserver32", "open", "edit", "xport", "maxwellbio", "execution flow", "write file", "nvidialin", "excel", "sample https", "modifies", "fdoemcdcd", "klinks", "t1120 system", "windowstemp", "sample read", "traffic", "go play", "sample go", "cuckptn", "cuckicrc", "binsh c", "tags", "deviceinfo", "windowsinf", "targets", "ck matrix", "attempts", "m2 ssd", "p40 game", "filesintelintel", "legacy", "catalogfile", "pciven8086", "ndisasuss", "sample http", "microsoftw", "destination ip", "waasregke", "qeaa", "ueaa", "yaxxz", "iebapeadxz", "iebapeagxz", "headers dll", "lredmond", "locale", "suspicious", "player list", "sample bcd", "resources", "usrbinlogger t", "updater", "pid1522", "shadow copy", "dellsuppor", "landriver", "inputperso", "ipsmigrati", "sample intel", "servicingkey", "0008", "viper m2", "cannonlake", "cometlakep", "coffeelake", "cometlake", "10 blocklisted", "data", "supportass", "iocs reads", "APT1" ], "references": [ "imurmurhash.min.js", "https://www.virustotal.com/gui/file/e58fe1f551a6fb3e0a8bbaed5f8cae96194ccbbba5f4da2914a5046a4df3725e?nocache=1", "https://www.virustotal.com/gui/file/03759f9a14c983a9e70d17d0552fb2bff9dc1fe8c9b837f859403449ecdadd11?nocache=1", "https://www.virustotal.com/gui/file/32dbd62fce658336afc05435cafed68029dba626e5863a39305eaf8f42ed74cd?nocache=1", "https://www.virustotal.com/gui/file/049645f56e88a33c0d5d74b5ad9dc7da425a326ee72db4885b712c16f9edeb54?nocache=1", "https://www.virustotal.com/gui/file/b9cee56cd245633f7debe4b6e93f1606ac6788a9749a8eba2d742cfd84e935fd?nocache=1", "https://www.virustotal.com/gui/file/b9cee56cd245633f7debe4b6e93f1606ac6788a9749a8eba2d742cfd84e935fd", "https://www.virustotal.com/gui/file/8694bebdcbe7854aae97fcecfce0fa0b5a9aa07b5f95cd2e55d62a25caaaa8d8?nocache=1", "https://www.virustotal.com/gui/file/b2b37af320b637acc1001404b6a7f9bbfc4dcfb7319bba92333be2050b398318/relations", "https://tria.ge/231217-yjcc1afeap", "https://tria.ge/231217-yl3mzafebp", "https://tria.ge/231217-yscecsfefl", "https://tria.ge/231217-ysjtfahaf3", "https://tria.ge/231217-zztgwsfger", "https://tria.ge/231224-g5gq6sbhb2", "https://tria.ge/231224-3h4hbaefg7", "https://tria.ge/240106-dbq6zafccm", "https://tria.ge/240107-eq4w2sfch5", "https://tria.ge/240111-cahyjaccem", "https://tria.ge/240129-lkztgaehh2", "https://tria.ge/240129-m661cagdb6", "https://tria.ge/240317-kz93babd61", "https://tria.ge/240317-kz93babd61/behavioral2", "https://tria.ge/240410-aceyjseb6v/behavioral4", "https://tria.ge/230108-ftrlkagb7z/behavioral1", "https://tria.ge/230108-ftyd4sgb71/behavioral10", "https://tria.ge/230108-fvadnsgb8s/behavioral27", "https://tria.ge/230108-qrmvpsdf96/behavioral3", "https://tria.ge/230108-qrv63sdf97/behavioral3", "https://tria.ge/230108-qr1fssdf98/behavioral2", "https://tria.ge/230108-qr6b2sdg22/behavioral3", "https://tria.ge/230108-qsdneshb2w/behavioral10", "https://tria.ge/230113-ctz16adf45/behavioral1", "https://tria.ge/230113-c3xbmadf82/behavioral2", "https://tria.ge/230113-c79shshd41/behavioral2", "https://tria.ge/230108-qvj8zshb3t/behavioral2", "https://tria.ge/230109-ywqq6aba3z/behavioral27", "https://tria.ge/230113-dbgbrshd61/behavioral5", "https://tria.ge/230113-dfhemadg66/behavioral7", "https://tria.ge/231015-l3gqlsdg6w/behavioral11", "https://tria.ge/230906-vajh6shg63/behavioral3", "https://tria.ge/230901-qkt1faeh2v/behavioral3", "https://tria.ge/231128-vbn52sbf51/behavioral7", "https://tria.ge/231206-gkeq3sbg68/behavioral7", "https://tria.ge/231206-hf1cnacb98/behavioral7", "https://tria.ge/240409-25x4dagh63/behavioral4", "https://tria.ge/240409-dhdjfsce54/behavioral3", "https://tria.ge/240409-btvwrshh94/behavioral2", "https://tria.ge/240402-zjrcladb42/behavioral28", "https://tria.ge/240402-zjrcladb42/behavioral27", "https://tria.ge/240402-zjrcladb42/behavioral1", "https://tria.ge/240402-zjrcladb42/behavioral2", "https://tria.ge/240402-zjrcladb42/behavioral3", "https://tria.ge/240402-zjrcladb42/behavioral4", "https://tria.ge/240402-zjrcladb42/behavioral5", "https://tria.ge/240402-zjrcladb42/behavioral6", "https://tria.ge/240402-zjrcladb42/behavioral9", "https://tria.ge/240402-zjrcladb42/behavioral13", "https://tria.ge/240402-zjrcladb42/behavioral13/analog", "https://tria.ge/240402-zjrcladb42/behavioral17", "https://tria.ge/240402-zjrcladb42/behavioral21", "https://tria.ge/240402-zjrcladb42/behavioral25", "https://tria.ge/240402-zjrcladb42/behavioral29", "https://tria.ge/240402-cb476add4w/behavioral2", "https://tria.ge/240401-b3bt9aad37/behavioral11", "https://tria.ge/240401-bztwnaac57/behavioral2", "https://tria.ge/240331-y9w54abd6t/behavioral7", "https://tria.ge/240331-yqk9gsaf9z/behavioral10", "https://tria.ge/240331-ykp1gsae3z/behavioral28", "https://tria.ge/240331-ykp1gsae3z/behavioral20", "https://tria.ge/240331-ykp1gsae3z/behavioral14", "https://tria.ge/240331-ykp1gsae3z/behavioral12", "https://tria.ge/240331-ykp1gsae3z/behavioral4", "https://tria.ge/240331-ykp1gsae3z/behavioral2", "https://tria.ge/220803-zggqdafbh7/behavioral2", "https://tria.ge/220803-y7119sgafr/behavioral12", "https://tria.ge/220803-y6bpzsfag2/behavioral28", "https://tria.ge/220803-y6bpzsfag2/behavioral26", "https://tria.ge/220803-y6bpzsfag2/behavioral22", "https://tria.ge/220803-y6bpzsfag2/behavioral20", "https://tria.ge/220803-y6bpzsfag2/behavioral18", "https://tria.ge/220803-y6bpzsfag2/behavioral16", "https://tria.ge/220803-y6bpzsfag2/behavioral12", "https://tria.ge/220803-y6bpzsfag2/behavioral10", "https://tria.ge/220803-1m2heafgb9/behavioral13", "https://tria.ge/220803-1m2heafgb9/behavioral8", "https://tria.ge/220803-1m4yjafgc2/behavioral31", "https://tria.ge/220803-1m4yjafgc2/behavioral29", "https://tria.ge/220803-1m4yjafgc2/behavioral27", "https://tria.ge/220803-1m4yjafgc2/behavioral25", "https://tria.ge/220803-1m4yjafgc2/behavioral23", "https://tria.ge/220803-1m4yjafgc2/behavioral22", "https://tria.ge/220803-1m4yjafgc2/behavioral19", "https://tria.ge/220803-1m4yjafgc2/behavioral17", "https://tria.ge/220803-1m4yjafgc2/behavioral15", "https://tria.ge/220803-1m4yjafgc2/behavioral13", "https://tria.ge/220803-1m4yjafgc2/behavioral9", "https://tria.ge/220803-1m4yjafgc2/behavioral7", "https://tria.ge/220803-1m4yjafgc2/behavioral6", "https://tria.ge/220803-1m4yjafgc2/behavioral5", "https://tria.ge/220803-1m4yjafgc2/behavioral3", "https://tria.ge/220803-1m4yjafgc2/behavioral2", "https://tria.ge/220803-1m4yjafgc2/behavioral1", "https://tria.ge/220803-1nlhksfgc3/behavioral32", "https://tria.ge/220803-1nlhksfgc3/behavioral1", "https://tria.ge/220803-1pfnqagffp/behavioral32", "https://tria.ge/220803-1pfnqagffp/behavioral4", "https://tria.ge/220803-1qd7aafgd9/behavioral28", "https://tria.ge/220803-1qd7aafgd9/behavioral24", "https://tria.ge/220803-1qd7aafgd9/behavioral23", "https://tria.ge/220803-1qd7aafgd9/behavioral22", "https://tria.ge/220803-1qd7aafgd9/behavioral21", "https://tria.ge/220803-1qd7aafgd9/behavioral15", "https://tria.ge/220803-1qs1fafge3/behavioral29", "https://tria.ge/220803-1qs1fafge3/behavioral27", "https://tria.ge/220803-1qs1fafge3/behavioral25", "https://tria.ge/220803-1qs1fafge3/behavioral23", "https://tria.ge/220803-1qs1fafge3/behavioral22", "https://tria.ge/220803-1qs1fafge3/behavioral19", "https://tria.ge/220803-1qs1fafge3/behavioral17", "https://tria.ge/220803-1qs1fafge3/behavioral13", "https://tria.ge/220803-1qs1fafge3/behavioral9", "https://tria.ge/220803-1qs1fafge3/behavioral6", "https://tria.ge/220803-1qs1fafge3/behavioral5", "https://tria.ge/220803-1qs1fafge3/behavioral1", "https://tria.ge/220803-1qs1fafge3/behavioral2", "https://tria.ge/220803-1qs1fafge3/behavioral3", "https://tria.ge/220803-1rxd9afgf2/behavioral28", "https://tria.ge/220803-1rxd9afgf2/behavioral27", "https://tria.ge/220803-1rxd9afgf2/behavioral23", "https://tria.ge/220803-1rxd9afgf2/behavioral19", "https://tria.ge/220803-1rxd9afgf2/behavioral15", "https://tria.ge/220804-cb7naaafeq", "https://tria.ge/220804-cb7naaafeq/behavioral1", "https://tria.ge/220805-fqatmsgbdr/behavioral3", "https://tria.ge/220805-fqkzlsfcb6/behavioral3", "https://tria.ge/220805-ft3zlafce6/behavioral1", "https://tria.ge/220805-ft3zlafce6/behavioral3", "https://tria.ge/220805-ft3zlafce6/behavioral2", "https://tria.ge/220805-fwthyagcbq/behavioral3", "https://tria.ge/220805-fwthyagcbq/behavioral2", "https://tria.ge/220805-fwthyagcbq/behavioral1", "https://tria.ge/220805-f286ksfdc7", "https://tria.ge/220805-f286ksfdc7/behavioral3", "https://tria.ge/220805-gca3xsgeaj/behavioral2", "https://tria.ge/220805-gca3xsgeaj/behavioral3", "https://tria.ge/220805-gv8rxafgf8/behavioral3", "https://tria.ge/220805-gv8rxafgf8/behavioral1", "https://tria.ge/220805-h1w6qshdaq/behavioral3", "https://tria.ge/220805-h1w6qshdaq/behavioral2", "https://tria.ge/220805-h1w6qshdaq/behavioral1", "https://tria.ge/220805-yv476aggd6/behavioral3", "https://tria.ge/220805-yv476aggd6/behavioral2", "https://tria.ge/220805-zetbdshag5/behavioral3", "https://tria.ge/220805-zetbdshag5/behavioral1", "https://tria.ge/220806-brndxabdh6/behavioral1", "https://tria.ge/220806-brndxabdh6/behavioral2", "https://tria.ge/220806-brndxabdh6/behavioral3", "https://tria.ge/220806-btaktsbea5/behavioral3", "https://tria.ge/220806-btaktsbea5/behavioral2", "https://tria.ge/220806-btaktsbea5/behavioral1", "https://tria.ge/220806-jrkl1sccfl", "https://tria.ge/220806-jrkl1sccfl/behavioral3", "https://tria.ge/220806-jrkl1sccfl/behavioral2", "https://tria.ge/220806-jrkl1sccfl/behavioral1", "https://tria.ge/220806-j2ztpaceak/behavioral1", "https://tria.ge/220806-j2ztpaceak/behavioral3", "https://tria.ge/220806-j3912scebk/behavioral3", "https://tria.ge/220806-j4w6ksfab3/behavioral3", "https://tria.ge/220830-17kqdsdfb2/behavioral3", "https://tria.ge/220830-17kqdsdfb2/behavioral2", "https://tria.ge/220830-17kqdsdfb2/behavioral1", "https://tria.ge/220729-d8e5zadga9/behavioral2", "https://tria.ge/220729-d8av9adga3/behavioral2", "https://tria.ge/220729-d74f6seedk/behavioral2", "https://tria.ge/220729-d7ta7sdfh9/behavioral2", "https://tria.ge/220729-d347xadfe7/behavioral2", "https://tria.ge/220729-d3yecseeam/behavioral2", "https://tria.ge/220729-d3sh4seeal/behavioral2", "https://tria.ge/220729-d3m9dsdfe3/behavioral2", "https://tria.ge/220729-d3dd7aedhk/behavioral2", "https://tria.ge/220729-d2kf4sedgl/behavioral2", "https://tria.ge/220729-d1hwwsdfc7/behavioral2", "https://tria.ge/220729-d85evsdgb3/behavioral2", "https://tria.ge/220729-ecv2zsdgd7/behavioral2", "https://tria.ge/220729-ecnb5sdgd5/behavioral2", "https://tria.ge/220729-wzxyjacgal/behavioral2", "https://tria.ge/220729-wzxyjacgal/behavioral1", "https://tria.ge/220729-w1gmyabhf2/behavioral2", "https://tria.ge/220729-24hbjaeeep/behavioral1", "https://tria.ge/220730-chkgbsehh6/behavioral2", "https://tria.ge/220731-f45wyabgbr/behavioral3", "https://tria.ge/220801-sppmmaafd6/behavioral28", "https://tria.ge/220801-sppmmaafd6/behavioral20", "https://tria.ge/220801-sppmmaafd6/behavioral19", "https://tria.ge/220802-kwqt9secdp", "https://tria.ge/220802-kwqt9secdp/behavioral1", "https://tria.ge/220803-yl8h8afgdn/behavioral1", "https://tria.ge/220803-yl8h8afgdn/behavioral12", "https://tria.ge/220803-yl8h8afgdn/behavioral8", "https://tria.ge/220803-yl8h8afgdn/behavioral7", "https://tria.ge/220803-yl8h8afgdn/behavioral4", "https://tria.ge/220803-yl8h8afgdn/behavioral3", "https://tria.ge/220803-ymle3sfgdp/behavioral6", "https://tria.ge/220803-ymle3sfgdp/behavioral28", "https://tria.ge/220803-ymle3sfgdp/behavioral27", "https://tria.ge/220803-ymle3sfgdp/behavioral23", "https://tria.ge/220803-ymle3sfgdp/behavioral19", "https://tria.ge/220803-ymle3sfgdp/behavioral15", "https://tria.ge/220803-yshldaehd8/behavioral14", "https://tria.ge/220803-yshldaehd8/behavioral13", "https://tria.ge/220803-yshldaehd8/behavioral3", "https://tria.ge/220726-xskv3addar/behavioral2", "https://tria.ge/220726-xskv3addar/behavioral1", "https://tria.ge/220726-xz7y6sddgk/behavioral1", "https://tria.ge/220726-xz7y6sddgk/behavioral4", "https://tria.ge/220726-xz7y6sddgk/behavioral3", "https://tria.ge/220726-xz7y6sddgk/behavioral2", "https://tria.ge/220726-x1m1dsddgl/behavioral1", "https://tria.ge/220726-x1m1dsddgl/behavioral4", "https://tria.ge/220726-x1m1dsddgl/behavioral3", "https://tria.ge/220726-x1m1dsddgl/behavioral2", "https://tria.ge/220727-bv535aghfl/behavioral8", "https://tria.ge/220727-bv535aghfl/behavioral7", "https://tria.ge/220727-bv535aghfl/behavioral1", "https://tria.ge/220729-dqk89secfn/behavioral1", "https://tria.ge/220729-dqgwvaecfm/behavioral1", "https://tria.ge/220724-rl2mcafdbm/behavioral1", "https://tria.ge/220724-rtnqfsfeg6/behavioral1", "https://tria.ge/220724-sheh3sgddl/behavioral1", "https://tria.ge/220724-slp4zsgdh2/behavioral1", "https://tria.ge/220724-tacvysheh8/behavioral7", "https://tria.ge/220724-tetn9shgf9", "https://tria.ge/220724-tmtn8sacej/behavioral1", "https://tria.ge/220724-tmtn8sacej/behavioral26", "https://tria.ge/220724-tmtn8sacej/behavioral25", "https://tria.ge/220724-tmtn8sacej/behavioral15", "https://tria.ge/220724-fgjeesffc7/behavioral1", "https://tria.ge/220724-fgjeesffc7/behavioral2", "https://tria.ge/220916-d8f29seef7/behavioral2", "https://tria.ge/220912-r4wh2shccm", "https://tria.ge/220912-r4wh2shccm/behavioral1", "https://tria.ge/220912-r4fsladea8/behavioral1", "https://tria.ge/220912-r36ydsdea7/behavioral2", "https://tria.ge/220912-r3z5vahccj/behavioral2", "https://tria.ge/220912-r25nyahcbp/behavioral2", "https://tria.ge/220912-r2sdlshcbn/behavioral2", "https://tria.ge/220912-r2j28sdea3/behavioral2", "https://tria.ge/220912-r2j28sdea3/behavioral1", "https://tria.ge/220912-r2dkfsdea2/behavioral2", "https://tria.ge/220912-r16vlsddh9/behavioral2", "https://tria.ge/220912-rxnvmaddh6/behavioral2", "https://tria.ge/220912-rxb6tsddh5/behavioral2", "https://tria.ge/220912-rtwfashcaq/behavioral2", "https://tria.ge/220912-rtf1lsddg8", "https://tria.ge/220912-rsreyshcam/behavioral2", "https://tria.ge/220912-rsc8bsddg6/behavioral3", "https://tria.ge/220912-rqlrpahbhr/behavioral2", "https://tria.ge/220912-rp93wshbhq/behavioral2", "https://tria.ge/220912-rpzxxshbhp/behavioral2", "https://tria.ge/220912-rpjkyaddf9/behavioral3", "https://tria.ge/220912-rn3meshbhl/behavioral2", "https://tria.ge/220912-regnladdd6/behavioral3", "https://tria.ge/220930-vmljasfbcm/behavioral2", "https://tria.ge/220930-vmv3qsfbcn/behavioral2", "https://tria.ge/221007-2b72gsdga7/behavioral32", "https://tria.ge/221007-2b72gsdga7/behavioral26", "https://tria.ge/221007-2b72gsdga7/behavioral25", "https://tria.ge/221007-2b72gsdga7/behavioral20", "https://tria.ge/221007-2b72gsdga7/behavioral19", "https://tria.ge/221007-2b72gsdga7/behavioral16", "https://tria.ge/221007-2b72gsdga7/behavioral15", "https://tria.ge/221012-bm6ppacbam/behavioral3", "https://tria.ge/221012-bm6ppacbam/behavioral14", "https://tria.ge/221012-bm6ppacbam/behavioral12", "https://tria.ge/221014-2dbfasegfn/behavioral3", "https://tria.ge/221015-rqzcsaffhq/behavioral2", "https://tria.ge/221202-wskpmaeg7x/behavioral2", "https://tria.ge/221202-wskpmaeg7x/behavioral1", "https://tria.ge/221205-jd6bkada9w/behavioral1", "https://tria.ge/221205-jd6bkada9w/behavioral2", "https://tria.ge/221212-j9yxcsdf2z/behavioral2", "https://tria.ge/221212-kcchjaah54/behavioral3", "https://tria.ge/221212-kcchjaah54/behavioral2", "https://tria.ge/221212-kcchjaah54/behavioral1", "https://tria.ge/221212-kdv19sdf3t/behavioral32", "https://tria.ge/221212-kdv19sdf3t/behavioral2", "https://tria.ge/221212-kd3q4sah55/behavioral3", "https://tria.ge/221215-sqzh8acf73/behavioral1", "https://tria.ge/221215-ta2t3sff7y/behavioral4", "https://tria.ge/221220-y6pa3seb4w/behavioral2", "https://tria.ge/221221-h9mcwsbg93/behavioral1", "https://tria.ge/221221-h9mcwsbg93/behavioral32", "https://tria.ge/221221-h9mcwsbg93/behavioral26", "https://tria.ge/221221-h9mcwsbg93/behavioral2", "https://tria.ge/221015-tfg2vsfge9/behavioral1", "https://tria.ge/221015-tfg2vsfge9/behavioral3", "https://tria.ge/221015-tfg2vsfge9/behavioral2", "https://tria.ge/221015-tlpznafgf6/behavioral1", "https://tria.ge/221015-tlpznafgf6/behavioral2", "https://tria.ge/221015-tl29zsfgf8/behavioral1", "https://tria.ge/221015-tl29zsfgf8/behavioral2", "https://tria.ge/221015-tlxz9sfgf7/behavioral1", "https://tria.ge/221015-tlxz9sfgf7/behavioral2", "https://tria.ge/221017-2zl4xsdec9/behavioral31", "https://tria.ge/221017-2zl4xsdec9/behavioral29", "https://tria.ge/221017-2zl4xsdec9/behavioral25", "https://tria.ge/221017-2zl4xsdec9/behavioral21", "https://tria.ge/221017-2zl4xsdec9/behavioral18", "https://tria.ge/221017-2zl4xsdec9/behavioral17", "https://tria.ge/221017-2zl4xsdec9/behavioral9", "https://tria.ge/221017-2zl4xsdec9/behavioral14", "https://tria.ge/221025-gp398sbfhp/behavioral15", "https://tria.ge/221025-gp398sbfhp/behavioral9", "https://tria.ge/221025-gp398sbfhp/behavioral8", "https://tria.ge/221025-gp398sbfhp/behavioral7", "https://tria.ge/221025-gp398sbfhp/behavioral6", "https://tria.ge/221025-gp398sbfhp/behavioral5", "https://tria.ge/221025-gp398sbfhp/behavioral4", "https://tria.ge/221025-gqnwyabfh3/behavioral1", "https://tria.ge/221025-gqnwyabfh3/behavioral3", "https://tria.ge/221025-gqnwyabfh3/behavioral2", "https://tria.ge/221028-y169psecbn/behavioral3", "https://tria.ge/221029-bjlv4sfcbr/behavioral15", "https://tria.ge/221029-bjlv4sfcbr/behavioral13", "https://tria.ge/221029-bjlv4sfcbr/behavioral8", "https://tria.ge/221029-bjlv4sfcbr/behavioral7", "https://tria.ge/221029-bj1z2afcdk/behavioral10", "https://tria.ge/221029-bj1z2afcdk/behavioral9", "https://tria.ge/221029-bj1z2afcdk/behavioral6", "https://tria.ge/221029-bj1z2afcdk/behavioral5", "https://tria.ge/221115-cpxegaee62/behavioral1", "https://tria.ge/221115-cpxegaee62/behavioral2", "https://tria.ge/230113-ctz16adf45", "https://tria.ge/230109-ywqq6aba3z", "https://tria.ge/230109-ywqq6aba3z/behavioral32", "https://tria.ge/230109-ywqq6aba3z/behavioral31", "https://tria.ge/230109-ywqq6aba3z/behavioral30", "https://tria.ge/230109-ywqq6aba3z/behavioral2", "https://tria.ge/230109-ywqq6aba3z/behavioral5", "https://tria.ge/230109-ywqq6aba3z/behavioral6", "https://tria.ge/230109-ywqq6aba3z/behavioral7", "https://tria.ge/230109-ywqq6aba3z/behavioral8", "https://tria.ge/230109-ywqq6aba3z/behavioral9", "https://tria.ge/230109-ywqq6aba3z/behavioral10", "https://tria.ge/230109-ywqq6aba3z/behavioral12", "https://tria.ge/230109-ywqq6aba3z/behavioral11", "https://tria.ge/230109-ywqq6aba3z/behavioral13", "https://tria.ge/230109-ywqq6aba3z/behavioral14", "https://tria.ge/230109-ywqq6aba3z/behavioral15", "https://tria.ge/230109-ywqq6aba3z/behavioral16", "https://tria.ge/230109-ywqq6aba3z/behavioral17", "https://tria.ge/230109-ywqq6aba3z/behavioral18", "https://tria.ge/230109-ywqq6aba3z/behavioral19", "https://tria.ge/230109-ywqq6aba3z/behavioral20", "https://tria.ge/230109-ywqq6aba3z/behavioral21", "https://tria.ge/230109-ywqq6aba3z/behavioral22", "https://tria.ge/230109-ywqq6aba3z/behavioral23", "https://tria.ge/230109-ywqq6aba3z/behavioral24", "https://tria.ge/230109-ywqq6aba3z/behavioral25", "https://tria.ge/230109-ywqq6aba3z/behavioral26", "https://tria.ge/230109-ywqq6aba3z/behavioral28", "https://tria.ge/230109-ywqq6aba3z/behavioral29", "https://tria.ge/230108-qvj8zshb3t/behavioral1", "https://tria.ge/230108-qskfzahb2y/behavioral12", "https://tria.ge/230108-qskfzahb2y/behavioral28", "https://tria.ge/230108-qskfzahb2y/behavioral27", "https://tria.ge/230108-qr6b2sdg22/behavioral1", "https://tria.ge/230108-qr6b2sdg22/behavioral2", "https://tria.ge/230108-qr1fssdf98/behavioral3", "https://tria.ge/230108-qr1fssdf98/behavioral1", "https://tria.ge/230108-qrv63sdf97/behavioral1", "https://tria.ge/230108-qrv63sdf97/behavioral2", "https://tria.ge/230108-qrmvpsdf96/behavioral1", "https://tria.ge/230108-qrmvpsdf96/behavioral2", "https://tria.ge/230108-fvadnsgb8s/behavioral12", "https://tria.ge/230108-fvadnsgb8s/behavioral2", "https://tria.ge/230108-ftyd4sgb71/behavioral9", "https://tria.ge/230108-ftrlkagb7z/behavioral2", "https://tria.ge/230106-ryhp1ace8y/behavioral2", "https://tria.ge/230120-lncs4sad55/behavioral3", "https://tria.ge/230115-xqrwlaag69/behavioral6", "https://tria.ge/230115-x2h3tsbb49/behavioral6", "https://tria.ge/230115-x2h3tsbb49/behavioral32", "https://tria.ge/230115-x2h3tsbb49/behavioral28", "https://tria.ge/230115-x2h3tsbb49/behavioral26", "https://tria.ge/230115-x2h3tsbb49/behavioral14", "https://tria.ge/230115-x2h3tsbb49/behavioral10", "https://tria.ge/230120-1vxjesbg9t/behavioral1", "https://tria.ge/230120-1vxjesbg9t/behavioral2", "https://tria.ge/230102-s2ryhseg39/behavioral10", "https://tria.ge/230102-s3kktshh7t/behavioral2", "https://tria.ge/230102-s3v2kahh7v/behavioral2", "https://tria.ge/230102-s38bwshh7y/behavioral2", "https://tria.ge/230102-s4zq5seg44/behavioral32", "https://tria.ge/230102-s2n7maeg38/behavioral12", "https://tria.ge/230102-s2n7maeg38/static1", "https://tria.ge/230102-tekflaeg63/static1", "https://tria.ge/230105-xbxhjacg76/behavioral1", "https://tria.ge/230105-xbxhjacg76/behavioral2", "https://tria.ge/221221-zk1mnagd4x/behavioral3", "https://tria.ge/221221-zjmz6sdc27/behavioral3", "https://tria.ge/221221-zjjmradc26/behavioral3", "https://tria.ge/221221-zjezkagd3w/behavioral3", "https://tria.ge/221225-df32bseb6z/behavioral11", "https://tria.ge/221225-df32bseb6z/behavioral26", "https://tria.ge/221225-df32bseb6z/behavioral25", "https://tria.ge/221225-destzaeb6y/behavioral1", "https://tria.ge/221225-destzaeb6y/behavioral2", "https://tria.ge/221224-hvmp4shf85/behavioral2", "https://tria.ge/221224-hqfq1ahf77/behavioral1", "https://tria.ge/221224-hqfq1ahf77/behavioral2", "https://tria.ge/221221-zvhvlagd7y/behavioral3", "https://tria.ge/240331-yqk9gsaf9z/behavioral8", "https://tria.ge/240331-yqk9gsaf9z/behavioral9", "https://tria.ge/240129-m661cagdb6/behavioral2", "https://tria.ge/240129-lkztgaehh2/behavioral3", "https://tria.ge/240111-cahyjaccem/behavioral31", "https://tria.ge/240111-cahyjaccem/behavioral30", "https://tria.ge/240111-cahyjaccem/behavioral29", "https://tria.ge/240111-cahyjaccem/behavioral22", "https://tria.ge/240111-cahyjaccem/behavioral21", "https://tria.ge/240111-cahyjaccem/behavioral11", "https://tria.ge/240107-eq4w2sfch5/behavioral7", "https://tria.ge/240106-dbq6zafccm/behavioral3", "https://tria.ge/231224-3h4hbaefg7/behavioral3", "https://tria.ge/231224-3h4hbaefg7/behavioral7", "https://tria.ge/231224-g5gq6sbhb2/behavioral7", "https://tria.ge/231217-zztgwsfger/behavioral2", "https://tria.ge/231217-ysjtfahaf3/behavioral7", "https://tria.ge/231217-yscecsfefl/behavioral7", "https://tria.ge/231217-yscecsfefl/behavioral11", "https://tria.ge/231217-yl3mzafebp/behavioral7", "https://tria.ge/231217-yl3mzafebp/behavioral2", "https://tria.ge/231217-yjcc1afeap/behavioral7", "https://tria.ge/231217-yjcc1afeap/behavioral3", "https://tria.ge/240317-kz93babd61/behavioral7", "https://tria.ge/240317-kz93babd61/behavioral3", "https://tria.ge/240409-btvwrshh94/behavioral3", "https://tria.ge/240409-btvwrshh94/behavioral11", "https://tria.ge/231015-l3gqlsdg6w/behavioral8", "https://tria.ge/230324-hax1cacf74", "https://tria.ge/230324-g9c9jscf67/behavioral2", "https://tria.ge/230324-g8jd6seg41/behavioral3", "https://tria.ge/230321-gr8yhaha33/behavioral5", "https://tria.ge/230321-gr8yhaha33/behavioral10", "https://tria.ge/230321-gr8yhaha33/behavioral9", "https://tria.ge/230321-gr8yhaha33/behavioral6", "https://tria.ge/230321-grwyyaha29/behavioral7", "https://tria.ge/230321-grwyyaha29/behavioral16", "https://tria.ge/230321-grwyyaha29/behavioral15", "https://tria.ge/230321-grwyyaha29/behavioral13", "https://tria.ge/230321-grwyyaha29/behavioral8", "https://tria.ge/230321-f6rgbsah5x", "https://tria.ge/230321-f1p2bagh55/behavioral2", "https://tria.ge/230321-f1p2bagh55/behavioral3", "https://tria.ge/230313-jp94wsbb8x/behavioral2", "https://tria.ge/230308-zttwgaha65/behavioral2", "https://tria.ge/230308-zr5j7aha49/behavioral2", "https://tria.ge/230308-zp7xjaga2z/behavioral3", "https://tria.ge/230307-1xx8qsbg5v/behavioral3", "https://tria.ge/230307-1xx8qsbg5v/behavioral4", "https://tria.ge/230307-1rdl5scc53/behavioral1", "https://tria.ge/230307-1f7e3scb88/behavioral4", "https://tria.ge/230307-1f7e3scb88/behavioral16", "https://tria.ge/230305-31dplshh79/behavioral2", "https://tria.ge/230305-31dplshh79/behavioral3", "https://tria.ge/230305-3s617ahd3s/behavioral2", "https://tria.ge/230305-3s617ahd3s/behavioral3", "https://tria.ge/230305-3snjvahh67/behavioral3", "https://tria.ge/230305-eckw1sff35/behavioral3", "https://tria.ge/230305-eckw1sff35/behavioral1", "https://tria.ge/230305-eb63vsfa61/behavioral3", "https://tria.ge/230305-eabwbsfa6z/behavioral2", "https://tria.ge/230305-eabwbsfa6z/behavioral3", "https://tria.ge/230305-d9lddafa6y/behavioral1", "https://tria.ge/230305-d9lddafa6y/behavioral2", "https://tria.ge/230305-d82c7sff27/behavioral3", "https://tria.ge/230305-d82c7sff27/behavioral1", "https://tria.ge/230305-d8rtrsff26/behavioral1", "https://tria.ge/230305-d8rtrsff26/behavioral2", "https://tria.ge/230305-d62aesff25/behavioral1", "https://tria.ge/230305-d62aesff25/behavioral2", "https://tria.ge/230305-d4phvafe99/behavioral1", "https://tria.ge/230305-d4phvafe99/behavioral2", "https://tria.ge/230305-d4a1fsfe98/behavioral1", "https://tria.ge/230305-d33dbafa51/behavioral1", "https://tria.ge/230305-d33dbafa51/behavioral2", "https://tria.ge/230305-d21s4afe93/behavioral1", "https://tria.ge/230305-d21s4afe93/behavioral31", "https://tria.ge/230305-d21s4afe93/behavioral23", "https://tria.ge/230305-d21s4afe93/behavioral21", "https://tria.ge/230305-d21s4afe93/behavioral13", "https://tria.ge/230305-dyzrmafe89", "https://tria.ge/230305-dycl4afa5v/behavioral29", "https://tria.ge/230305-dycl4afa5v/behavioral27", "https://tria.ge/230305-dycl4afa5v/behavioral7", "https://tria.ge/230305-dycl4afa5v/behavioral15", "https://tria.ge/230220-pbc5wsah96/behavioral3", "https://tria.ge/230220-pbc5wsah96/behavioral2", "https://tria.ge/230215-baxk9ahc37/behavioral1", "https://tria.ge/230215-baxk9ahc37/behavioral2", "https://tria.ge/230204-rnp2bsgh3y/behavioral1", "https://tria.ge/230204-rnp2bsgh3y/behavioral2", "https://tria.ge/230204-qvwa9add55", "https://tria.ge/230204-qvlrtadd53/behavioral3", "https://tria.ge/230202-h81h5ahc9z/behavioral2", "https://tria.ge/230202-h81h5ahc9z/behavioral3", "https://tria.ge/230201-av97eabb24/behavioral2", "https://tria.ge/230127-v6q8wsdg5y/behavioral2", "https://tria.ge/230125-kn9meafe37/behavioral1", "https://tria.ge/230125-kn9meafe37/behavioral2", "https://tria.ge/230122-tqj9zaac8v/behavioral3", "https://tria.ge/230122-tqj9zaac8v/behavioral1", "https://tria.ge/230122-tqj9zaac8v/behavioral2", "https://tria.ge/231206-hwhgsacd32/behavioral1", "https://tria.ge/231206-hwsbzscd34", "https://tria.ge/231206-hwsbzscd34/behavioral1", "https://tria.ge/231206-hvz1facd27/behavioral1" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1081", "name": "Credentials in Files", "display_name": "T1081 - Credentials in Files" }, { "id": "T1130", "name": "Install Root Certificate", "display_name": "T1130 - Install Root Certificate" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1489", "name": "Service Stop", "display_name": "T1489 - Service Stop" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1490", "name": "Inhibit System Recovery", "display_name": "T1490 - Inhibit System Recovery" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1067", "name": "Bootkit", "display_name": "T1067 - Bootkit" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1042", "name": "Change Default File Association", "display_name": "T1042 - Change Default File Association" } ], "industries": [], "TLP": "white", "cloned_from": "661c5aeb351e7ed1fd41dccd", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2817, "FileHash-SHA1": 2698, "FileHash-SHA256": 2703, "domain": 65, "URL": 12, "hostname": 13, "SSLCertFingerprint": 1 }, "indicator_count": 8309, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "65 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69c5d13d5b19bfb5cf77057a", "name": "Comprehensive Tria.ge import - Pro tip by Merkd1904 clone", "description": "", "modified": "2026-03-27T00:37:17.317000", "created": "2026-03-27T00:37:17.317000", "tags": [ "implementation", "murmurhash3", "jens taylor", "gary court", "austin appleby", "typeof h", "please", "javascript", "triage", "malware", "analysis", "report", "reported", "analyze", "sandbox", "score", "behavioral task", "resource", "ck v13", "general", "target", "size", "sha256", "sha512", "ssdeep", "config", "copy", "shell", "sample", "sha1", "execution", "sample sample", "gpio promo", "sample gpio", "gpio2 driv", "sample gpio2", "target gpio", "adversaries", "bypass", "download submit", "filesize", "executes", "file", "download", "key value", "set value", "explorer", "class", "monitor", "signatures", "discovery", "iocs", "asusit885", "vendady", "venmsft", "proddadydvdrom4", "prodharddisk4", "drops file", "checks scsi", "processes", "network", "replay", "armourycra", "armoury crate", "token", "exe loads", "factory", "prefetch8", "service", "ck v6", "mitre", "f13eed8e", "suspicious use", "samsungma", "defense", "alderlakep", "alderlake", "sunrisepoi", "skylakesk", "tigerlakep", "reads cpu", "reads runtime", "tmpinxi", "ttps", "checks computer", "ngen worker", "process", "state migration", "installer", "binzsh c", "ksversion", "kschannelid", "apps", "plugins", "xpcproxy", "helper", "chrome helper", "renderer", "binlaunchctl", "data filesize", "error", "document being", "devnull md5", "play", "hypervisor", "mount o", "t iso9660", "f varlogmount", "analog", "triage submit", "static", "report analysis", "logs loading", "analysis log", "dos win95", "f win98", "f hpfs", "w95 f", "fat12 fat16", "extend", "setpasswd", "f root", "checks cpu", "discovery t1082", "managerwar", "wifinetwor", "query registry", "multimedia", "inprocserver32", "apartment", "typelib", "persistence", "progid", "nummethods", "10 discovery", "t1012 system", "appdir", "prefetch1", "registers com", "both", "chromehtml", "windowsdef", "enumerates", "systemroot", "windows media", "9801", "components", "checks", "localserver32", "open", "edit", "xport", "maxwellbio", "execution flow", "write file", "nvidialin", "excel", "sample https", "modifies", "fdoemcdcd", "klinks", "t1120 system", "windowstemp", "sample read", "traffic", "go play", "sample go", "cuckptn", "cuckicrc", "binsh c", "tags", "deviceinfo", "windowsinf", "targets", "ck matrix", "attempts", "m2 ssd", "p40 game", "filesintelintel", "legacy", "catalogfile", "pciven8086", "ndisasuss", "sample http", "microsoftw", "destination ip", "waasregke", "qeaa", "ueaa", "yaxxz", "iebapeadxz", "iebapeagxz", "headers dll", "lredmond", "locale", "suspicious", "player list", "sample bcd", "resources", "usrbinlogger t", "updater", "pid1522", "shadow copy", "dellsuppor", "landriver", "inputperso", "ipsmigrati", "sample intel", "servicingkey", "0008", "viper m2", "cannonlake", "cometlakep", "coffeelake", "cometlake", "10 blocklisted", "data", "supportass", "iocs reads", "APT1" ], "references": [ "imurmurhash.min.js", "https://www.virustotal.com/gui/file/e58fe1f551a6fb3e0a8bbaed5f8cae96194ccbbba5f4da2914a5046a4df3725e?nocache=1", "https://www.virustotal.com/gui/file/03759f9a14c983a9e70d17d0552fb2bff9dc1fe8c9b837f859403449ecdadd11?nocache=1", "https://www.virustotal.com/gui/file/32dbd62fce658336afc05435cafed68029dba626e5863a39305eaf8f42ed74cd?nocache=1", "https://www.virustotal.com/gui/file/049645f56e88a33c0d5d74b5ad9dc7da425a326ee72db4885b712c16f9edeb54?nocache=1", "https://www.virustotal.com/gui/file/b9cee56cd245633f7debe4b6e93f1606ac6788a9749a8eba2d742cfd84e935fd?nocache=1", "https://www.virustotal.com/gui/file/b9cee56cd245633f7debe4b6e93f1606ac6788a9749a8eba2d742cfd84e935fd", "https://www.virustotal.com/gui/file/8694bebdcbe7854aae97fcecfce0fa0b5a9aa07b5f95cd2e55d62a25caaaa8d8?nocache=1", "https://www.virustotal.com/gui/file/b2b37af320b637acc1001404b6a7f9bbfc4dcfb7319bba92333be2050b398318/relations", "https://tria.ge/231217-yjcc1afeap", "https://tria.ge/231217-yl3mzafebp", "https://tria.ge/231217-yscecsfefl", "https://tria.ge/231217-ysjtfahaf3", "https://tria.ge/231217-zztgwsfger", "https://tria.ge/231224-g5gq6sbhb2", "https://tria.ge/231224-3h4hbaefg7", "https://tria.ge/240106-dbq6zafccm", "https://tria.ge/240107-eq4w2sfch5", "https://tria.ge/240111-cahyjaccem", "https://tria.ge/240129-lkztgaehh2", "https://tria.ge/240129-m661cagdb6", "https://tria.ge/240317-kz93babd61", "https://tria.ge/240317-kz93babd61/behavioral2", "https://tria.ge/240410-aceyjseb6v/behavioral4", "https://tria.ge/230108-ftrlkagb7z/behavioral1", "https://tria.ge/230108-ftyd4sgb71/behavioral10", "https://tria.ge/230108-fvadnsgb8s/behavioral27", "https://tria.ge/230108-qrmvpsdf96/behavioral3", "https://tria.ge/230108-qrv63sdf97/behavioral3", "https://tria.ge/230108-qr1fssdf98/behavioral2", "https://tria.ge/230108-qr6b2sdg22/behavioral3", "https://tria.ge/230108-qsdneshb2w/behavioral10", "https://tria.ge/230113-ctz16adf45/behavioral1", "https://tria.ge/230113-c3xbmadf82/behavioral2", "https://tria.ge/230113-c79shshd41/behavioral2", "https://tria.ge/230108-qvj8zshb3t/behavioral2", "https://tria.ge/230109-ywqq6aba3z/behavioral27", "https://tria.ge/230113-dbgbrshd61/behavioral5", "https://tria.ge/230113-dfhemadg66/behavioral7", "https://tria.ge/231015-l3gqlsdg6w/behavioral11", "https://tria.ge/230906-vajh6shg63/behavioral3", "https://tria.ge/230901-qkt1faeh2v/behavioral3", "https://tria.ge/231128-vbn52sbf51/behavioral7", "https://tria.ge/231206-gkeq3sbg68/behavioral7", "https://tria.ge/231206-hf1cnacb98/behavioral7", "https://tria.ge/240409-25x4dagh63/behavioral4", "https://tria.ge/240409-dhdjfsce54/behavioral3", "https://tria.ge/240409-btvwrshh94/behavioral2", "https://tria.ge/240402-zjrcladb42/behavioral28", "https://tria.ge/240402-zjrcladb42/behavioral27", "https://tria.ge/240402-zjrcladb42/behavioral1", "https://tria.ge/240402-zjrcladb42/behavioral2", "https://tria.ge/240402-zjrcladb42/behavioral3", "https://tria.ge/240402-zjrcladb42/behavioral4", "https://tria.ge/240402-zjrcladb42/behavioral5", "https://tria.ge/240402-zjrcladb42/behavioral6", "https://tria.ge/240402-zjrcladb42/behavioral9", "https://tria.ge/240402-zjrcladb42/behavioral13", "https://tria.ge/240402-zjrcladb42/behavioral13/analog", "https://tria.ge/240402-zjrcladb42/behavioral17", "https://tria.ge/240402-zjrcladb42/behavioral21", "https://tria.ge/240402-zjrcladb42/behavioral25", "https://tria.ge/240402-zjrcladb42/behavioral29", "https://tria.ge/240402-cb476add4w/behavioral2", "https://tria.ge/240401-b3bt9aad37/behavioral11", "https://tria.ge/240401-bztwnaac57/behavioral2", "https://tria.ge/240331-y9w54abd6t/behavioral7", "https://tria.ge/240331-yqk9gsaf9z/behavioral10", "https://tria.ge/240331-ykp1gsae3z/behavioral28", "https://tria.ge/240331-ykp1gsae3z/behavioral20", "https://tria.ge/240331-ykp1gsae3z/behavioral14", "https://tria.ge/240331-ykp1gsae3z/behavioral12", "https://tria.ge/240331-ykp1gsae3z/behavioral4", "https://tria.ge/240331-ykp1gsae3z/behavioral2", "https://tria.ge/220803-zggqdafbh7/behavioral2", "https://tria.ge/220803-y7119sgafr/behavioral12", "https://tria.ge/220803-y6bpzsfag2/behavioral28", "https://tria.ge/220803-y6bpzsfag2/behavioral26", "https://tria.ge/220803-y6bpzsfag2/behavioral22", "https://tria.ge/220803-y6bpzsfag2/behavioral20", "https://tria.ge/220803-y6bpzsfag2/behavioral18", "https://tria.ge/220803-y6bpzsfag2/behavioral16", "https://tria.ge/220803-y6bpzsfag2/behavioral12", "https://tria.ge/220803-y6bpzsfag2/behavioral10", "https://tria.ge/220803-1m2heafgb9/behavioral13", "https://tria.ge/220803-1m2heafgb9/behavioral8", "https://tria.ge/220803-1m4yjafgc2/behavioral31", "https://tria.ge/220803-1m4yjafgc2/behavioral29", "https://tria.ge/220803-1m4yjafgc2/behavioral27", "https://tria.ge/220803-1m4yjafgc2/behavioral25", "https://tria.ge/220803-1m4yjafgc2/behavioral23", "https://tria.ge/220803-1m4yjafgc2/behavioral22", "https://tria.ge/220803-1m4yjafgc2/behavioral19", "https://tria.ge/220803-1m4yjafgc2/behavioral17", "https://tria.ge/220803-1m4yjafgc2/behavioral15", "https://tria.ge/220803-1m4yjafgc2/behavioral13", "https://tria.ge/220803-1m4yjafgc2/behavioral9", "https://tria.ge/220803-1m4yjafgc2/behavioral7", "https://tria.ge/220803-1m4yjafgc2/behavioral6", "https://tria.ge/220803-1m4yjafgc2/behavioral5", "https://tria.ge/220803-1m4yjafgc2/behavioral3", "https://tria.ge/220803-1m4yjafgc2/behavioral2", "https://tria.ge/220803-1m4yjafgc2/behavioral1", "https://tria.ge/220803-1nlhksfgc3/behavioral32", "https://tria.ge/220803-1nlhksfgc3/behavioral1", "https://tria.ge/220803-1pfnqagffp/behavioral32", "https://tria.ge/220803-1pfnqagffp/behavioral4", "https://tria.ge/220803-1qd7aafgd9/behavioral28", "https://tria.ge/220803-1qd7aafgd9/behavioral24", "https://tria.ge/220803-1qd7aafgd9/behavioral23", "https://tria.ge/220803-1qd7aafgd9/behavioral22", "https://tria.ge/220803-1qd7aafgd9/behavioral21", "https://tria.ge/220803-1qd7aafgd9/behavioral15", "https://tria.ge/220803-1qs1fafge3/behavioral29", "https://tria.ge/220803-1qs1fafge3/behavioral27", "https://tria.ge/220803-1qs1fafge3/behavioral25", "https://tria.ge/220803-1qs1fafge3/behavioral23", "https://tria.ge/220803-1qs1fafge3/behavioral22", "https://tria.ge/220803-1qs1fafge3/behavioral19", "https://tria.ge/220803-1qs1fafge3/behavioral17", "https://tria.ge/220803-1qs1fafge3/behavioral13", "https://tria.ge/220803-1qs1fafge3/behavioral9", "https://tria.ge/220803-1qs1fafge3/behavioral6", "https://tria.ge/220803-1qs1fafge3/behavioral5", "https://tria.ge/220803-1qs1fafge3/behavioral1", "https://tria.ge/220803-1qs1fafge3/behavioral2", "https://tria.ge/220803-1qs1fafge3/behavioral3", "https://tria.ge/220803-1rxd9afgf2/behavioral28", "https://tria.ge/220803-1rxd9afgf2/behavioral27", "https://tria.ge/220803-1rxd9afgf2/behavioral23", "https://tria.ge/220803-1rxd9afgf2/behavioral19", "https://tria.ge/220803-1rxd9afgf2/behavioral15", "https://tria.ge/220804-cb7naaafeq", "https://tria.ge/220804-cb7naaafeq/behavioral1", "https://tria.ge/220805-fqatmsgbdr/behavioral3", "https://tria.ge/220805-fqkzlsfcb6/behavioral3", "https://tria.ge/220805-ft3zlafce6/behavioral1", "https://tria.ge/220805-ft3zlafce6/behavioral3", "https://tria.ge/220805-ft3zlafce6/behavioral2", "https://tria.ge/220805-fwthyagcbq/behavioral3", "https://tria.ge/220805-fwthyagcbq/behavioral2", "https://tria.ge/220805-fwthyagcbq/behavioral1", "https://tria.ge/220805-f286ksfdc7", "https://tria.ge/220805-f286ksfdc7/behavioral3", "https://tria.ge/220805-gca3xsgeaj/behavioral2", "https://tria.ge/220805-gca3xsgeaj/behavioral3", "https://tria.ge/220805-gv8rxafgf8/behavioral3", "https://tria.ge/220805-gv8rxafgf8/behavioral1", "https://tria.ge/220805-h1w6qshdaq/behavioral3", "https://tria.ge/220805-h1w6qshdaq/behavioral2", "https://tria.ge/220805-h1w6qshdaq/behavioral1", "https://tria.ge/220805-yv476aggd6/behavioral3", "https://tria.ge/220805-yv476aggd6/behavioral2", "https://tria.ge/220805-zetbdshag5/behavioral3", "https://tria.ge/220805-zetbdshag5/behavioral1", "https://tria.ge/220806-brndxabdh6/behavioral1", "https://tria.ge/220806-brndxabdh6/behavioral2", "https://tria.ge/220806-brndxabdh6/behavioral3", "https://tria.ge/220806-btaktsbea5/behavioral3", "https://tria.ge/220806-btaktsbea5/behavioral2", "https://tria.ge/220806-btaktsbea5/behavioral1", "https://tria.ge/220806-jrkl1sccfl", "https://tria.ge/220806-jrkl1sccfl/behavioral3", "https://tria.ge/220806-jrkl1sccfl/behavioral2", "https://tria.ge/220806-jrkl1sccfl/behavioral1", "https://tria.ge/220806-j2ztpaceak/behavioral1", "https://tria.ge/220806-j2ztpaceak/behavioral3", "https://tria.ge/220806-j3912scebk/behavioral3", "https://tria.ge/220806-j4w6ksfab3/behavioral3", "https://tria.ge/220830-17kqdsdfb2/behavioral3", "https://tria.ge/220830-17kqdsdfb2/behavioral2", "https://tria.ge/220830-17kqdsdfb2/behavioral1", "https://tria.ge/220729-d8e5zadga9/behavioral2", "https://tria.ge/220729-d8av9adga3/behavioral2", "https://tria.ge/220729-d74f6seedk/behavioral2", "https://tria.ge/220729-d7ta7sdfh9/behavioral2", "https://tria.ge/220729-d347xadfe7/behavioral2", "https://tria.ge/220729-d3yecseeam/behavioral2", "https://tria.ge/220729-d3sh4seeal/behavioral2", "https://tria.ge/220729-d3m9dsdfe3/behavioral2", "https://tria.ge/220729-d3dd7aedhk/behavioral2", "https://tria.ge/220729-d2kf4sedgl/behavioral2", "https://tria.ge/220729-d1hwwsdfc7/behavioral2", "https://tria.ge/220729-d85evsdgb3/behavioral2", "https://tria.ge/220729-ecv2zsdgd7/behavioral2", "https://tria.ge/220729-ecnb5sdgd5/behavioral2", "https://tria.ge/220729-wzxyjacgal/behavioral2", "https://tria.ge/220729-wzxyjacgal/behavioral1", "https://tria.ge/220729-w1gmyabhf2/behavioral2", "https://tria.ge/220729-24hbjaeeep/behavioral1", "https://tria.ge/220730-chkgbsehh6/behavioral2", "https://tria.ge/220731-f45wyabgbr/behavioral3", "https://tria.ge/220801-sppmmaafd6/behavioral28", "https://tria.ge/220801-sppmmaafd6/behavioral20", "https://tria.ge/220801-sppmmaafd6/behavioral19", "https://tria.ge/220802-kwqt9secdp", "https://tria.ge/220802-kwqt9secdp/behavioral1", "https://tria.ge/220803-yl8h8afgdn/behavioral1", "https://tria.ge/220803-yl8h8afgdn/behavioral12", "https://tria.ge/220803-yl8h8afgdn/behavioral8", "https://tria.ge/220803-yl8h8afgdn/behavioral7", "https://tria.ge/220803-yl8h8afgdn/behavioral4", "https://tria.ge/220803-yl8h8afgdn/behavioral3", "https://tria.ge/220803-ymle3sfgdp/behavioral6", "https://tria.ge/220803-ymle3sfgdp/behavioral28", "https://tria.ge/220803-ymle3sfgdp/behavioral27", "https://tria.ge/220803-ymle3sfgdp/behavioral23", "https://tria.ge/220803-ymle3sfgdp/behavioral19", "https://tria.ge/220803-ymle3sfgdp/behavioral15", "https://tria.ge/220803-yshldaehd8/behavioral14", "https://tria.ge/220803-yshldaehd8/behavioral13", "https://tria.ge/220803-yshldaehd8/behavioral3", "https://tria.ge/220726-xskv3addar/behavioral2", "https://tria.ge/220726-xskv3addar/behavioral1", "https://tria.ge/220726-xz7y6sddgk/behavioral1", "https://tria.ge/220726-xz7y6sddgk/behavioral4", "https://tria.ge/220726-xz7y6sddgk/behavioral3", "https://tria.ge/220726-xz7y6sddgk/behavioral2", "https://tria.ge/220726-x1m1dsddgl/behavioral1", "https://tria.ge/220726-x1m1dsddgl/behavioral4", "https://tria.ge/220726-x1m1dsddgl/behavioral3", "https://tria.ge/220726-x1m1dsddgl/behavioral2", "https://tria.ge/220727-bv535aghfl/behavioral8", "https://tria.ge/220727-bv535aghfl/behavioral7", "https://tria.ge/220727-bv535aghfl/behavioral1", "https://tria.ge/220729-dqk89secfn/behavioral1", "https://tria.ge/220729-dqgwvaecfm/behavioral1", "https://tria.ge/220724-rl2mcafdbm/behavioral1", "https://tria.ge/220724-rtnqfsfeg6/behavioral1", "https://tria.ge/220724-sheh3sgddl/behavioral1", "https://tria.ge/220724-slp4zsgdh2/behavioral1", "https://tria.ge/220724-tacvysheh8/behavioral7", "https://tria.ge/220724-tetn9shgf9", "https://tria.ge/220724-tmtn8sacej/behavioral1", "https://tria.ge/220724-tmtn8sacej/behavioral26", "https://tria.ge/220724-tmtn8sacej/behavioral25", "https://tria.ge/220724-tmtn8sacej/behavioral15", "https://tria.ge/220724-fgjeesffc7/behavioral1", "https://tria.ge/220724-fgjeesffc7/behavioral2", "https://tria.ge/220916-d8f29seef7/behavioral2", "https://tria.ge/220912-r4wh2shccm", "https://tria.ge/220912-r4wh2shccm/behavioral1", "https://tria.ge/220912-r4fsladea8/behavioral1", "https://tria.ge/220912-r36ydsdea7/behavioral2", "https://tria.ge/220912-r3z5vahccj/behavioral2", "https://tria.ge/220912-r25nyahcbp/behavioral2", "https://tria.ge/220912-r2sdlshcbn/behavioral2", "https://tria.ge/220912-r2j28sdea3/behavioral2", "https://tria.ge/220912-r2j28sdea3/behavioral1", "https://tria.ge/220912-r2dkfsdea2/behavioral2", "https://tria.ge/220912-r16vlsddh9/behavioral2", "https://tria.ge/220912-rxnvmaddh6/behavioral2", "https://tria.ge/220912-rxb6tsddh5/behavioral2", "https://tria.ge/220912-rtwfashcaq/behavioral2", "https://tria.ge/220912-rtf1lsddg8", "https://tria.ge/220912-rsreyshcam/behavioral2", "https://tria.ge/220912-rsc8bsddg6/behavioral3", "https://tria.ge/220912-rqlrpahbhr/behavioral2", "https://tria.ge/220912-rp93wshbhq/behavioral2", "https://tria.ge/220912-rpzxxshbhp/behavioral2", "https://tria.ge/220912-rpjkyaddf9/behavioral3", "https://tria.ge/220912-rn3meshbhl/behavioral2", "https://tria.ge/220912-regnladdd6/behavioral3", "https://tria.ge/220930-vmljasfbcm/behavioral2", "https://tria.ge/220930-vmv3qsfbcn/behavioral2", "https://tria.ge/221007-2b72gsdga7/behavioral32", "https://tria.ge/221007-2b72gsdga7/behavioral26", "https://tria.ge/221007-2b72gsdga7/behavioral25", "https://tria.ge/221007-2b72gsdga7/behavioral20", "https://tria.ge/221007-2b72gsdga7/behavioral19", "https://tria.ge/221007-2b72gsdga7/behavioral16", "https://tria.ge/221007-2b72gsdga7/behavioral15", "https://tria.ge/221012-bm6ppacbam/behavioral3", "https://tria.ge/221012-bm6ppacbam/behavioral14", "https://tria.ge/221012-bm6ppacbam/behavioral12", "https://tria.ge/221014-2dbfasegfn/behavioral3", "https://tria.ge/221015-rqzcsaffhq/behavioral2", "https://tria.ge/221202-wskpmaeg7x/behavioral2", "https://tria.ge/221202-wskpmaeg7x/behavioral1", "https://tria.ge/221205-jd6bkada9w/behavioral1", "https://tria.ge/221205-jd6bkada9w/behavioral2", "https://tria.ge/221212-j9yxcsdf2z/behavioral2", "https://tria.ge/221212-kcchjaah54/behavioral3", "https://tria.ge/221212-kcchjaah54/behavioral2", "https://tria.ge/221212-kcchjaah54/behavioral1", "https://tria.ge/221212-kdv19sdf3t/behavioral32", "https://tria.ge/221212-kdv19sdf3t/behavioral2", "https://tria.ge/221212-kd3q4sah55/behavioral3", "https://tria.ge/221215-sqzh8acf73/behavioral1", "https://tria.ge/221215-ta2t3sff7y/behavioral4", "https://tria.ge/221220-y6pa3seb4w/behavioral2", "https://tria.ge/221221-h9mcwsbg93/behavioral1", "https://tria.ge/221221-h9mcwsbg93/behavioral32", "https://tria.ge/221221-h9mcwsbg93/behavioral26", "https://tria.ge/221221-h9mcwsbg93/behavioral2", "https://tria.ge/221015-tfg2vsfge9/behavioral1", "https://tria.ge/221015-tfg2vsfge9/behavioral3", "https://tria.ge/221015-tfg2vsfge9/behavioral2", "https://tria.ge/221015-tlpznafgf6/behavioral1", "https://tria.ge/221015-tlpznafgf6/behavioral2", "https://tria.ge/221015-tl29zsfgf8/behavioral1", "https://tria.ge/221015-tl29zsfgf8/behavioral2", "https://tria.ge/221015-tlxz9sfgf7/behavioral1", "https://tria.ge/221015-tlxz9sfgf7/behavioral2", "https://tria.ge/221017-2zl4xsdec9/behavioral31", "https://tria.ge/221017-2zl4xsdec9/behavioral29", "https://tria.ge/221017-2zl4xsdec9/behavioral25", "https://tria.ge/221017-2zl4xsdec9/behavioral21", "https://tria.ge/221017-2zl4xsdec9/behavioral18", "https://tria.ge/221017-2zl4xsdec9/behavioral17", "https://tria.ge/221017-2zl4xsdec9/behavioral9", "https://tria.ge/221017-2zl4xsdec9/behavioral14", "https://tria.ge/221025-gp398sbfhp/behavioral15", "https://tria.ge/221025-gp398sbfhp/behavioral9", "https://tria.ge/221025-gp398sbfhp/behavioral8", "https://tria.ge/221025-gp398sbfhp/behavioral7", "https://tria.ge/221025-gp398sbfhp/behavioral6", "https://tria.ge/221025-gp398sbfhp/behavioral5", "https://tria.ge/221025-gp398sbfhp/behavioral4", "https://tria.ge/221025-gqnwyabfh3/behavioral1", "https://tria.ge/221025-gqnwyabfh3/behavioral3", "https://tria.ge/221025-gqnwyabfh3/behavioral2", "https://tria.ge/221028-y169psecbn/behavioral3", "https://tria.ge/221029-bjlv4sfcbr/behavioral15", "https://tria.ge/221029-bjlv4sfcbr/behavioral13", "https://tria.ge/221029-bjlv4sfcbr/behavioral8", "https://tria.ge/221029-bjlv4sfcbr/behavioral7", "https://tria.ge/221029-bj1z2afcdk/behavioral10", "https://tria.ge/221029-bj1z2afcdk/behavioral9", "https://tria.ge/221029-bj1z2afcdk/behavioral6", "https://tria.ge/221029-bj1z2afcdk/behavioral5", "https://tria.ge/221115-cpxegaee62/behavioral1", "https://tria.ge/221115-cpxegaee62/behavioral2", "https://tria.ge/230113-ctz16adf45", "https://tria.ge/230109-ywqq6aba3z", "https://tria.ge/230109-ywqq6aba3z/behavioral32", "https://tria.ge/230109-ywqq6aba3z/behavioral31", "https://tria.ge/230109-ywqq6aba3z/behavioral30", "https://tria.ge/230109-ywqq6aba3z/behavioral2", "https://tria.ge/230109-ywqq6aba3z/behavioral5", "https://tria.ge/230109-ywqq6aba3z/behavioral6", "https://tria.ge/230109-ywqq6aba3z/behavioral7", "https://tria.ge/230109-ywqq6aba3z/behavioral8", "https://tria.ge/230109-ywqq6aba3z/behavioral9", "https://tria.ge/230109-ywqq6aba3z/behavioral10", "https://tria.ge/230109-ywqq6aba3z/behavioral12", "https://tria.ge/230109-ywqq6aba3z/behavioral11", "https://tria.ge/230109-ywqq6aba3z/behavioral13", "https://tria.ge/230109-ywqq6aba3z/behavioral14", "https://tria.ge/230109-ywqq6aba3z/behavioral15", "https://tria.ge/230109-ywqq6aba3z/behavioral16", "https://tria.ge/230109-ywqq6aba3z/behavioral17", "https://tria.ge/230109-ywqq6aba3z/behavioral18", "https://tria.ge/230109-ywqq6aba3z/behavioral19", "https://tria.ge/230109-ywqq6aba3z/behavioral20", "https://tria.ge/230109-ywqq6aba3z/behavioral21", "https://tria.ge/230109-ywqq6aba3z/behavioral22", "https://tria.ge/230109-ywqq6aba3z/behavioral23", "https://tria.ge/230109-ywqq6aba3z/behavioral24", "https://tria.ge/230109-ywqq6aba3z/behavioral25", "https://tria.ge/230109-ywqq6aba3z/behavioral26", "https://tria.ge/230109-ywqq6aba3z/behavioral28", "https://tria.ge/230109-ywqq6aba3z/behavioral29", "https://tria.ge/230108-qvj8zshb3t/behavioral1", "https://tria.ge/230108-qskfzahb2y/behavioral12", "https://tria.ge/230108-qskfzahb2y/behavioral28", "https://tria.ge/230108-qskfzahb2y/behavioral27", "https://tria.ge/230108-qr6b2sdg22/behavioral1", "https://tria.ge/230108-qr6b2sdg22/behavioral2", "https://tria.ge/230108-qr1fssdf98/behavioral3", "https://tria.ge/230108-qr1fssdf98/behavioral1", "https://tria.ge/230108-qrv63sdf97/behavioral1", "https://tria.ge/230108-qrv63sdf97/behavioral2", "https://tria.ge/230108-qrmvpsdf96/behavioral1", "https://tria.ge/230108-qrmvpsdf96/behavioral2", "https://tria.ge/230108-fvadnsgb8s/behavioral12", "https://tria.ge/230108-fvadnsgb8s/behavioral2", "https://tria.ge/230108-ftyd4sgb71/behavioral9", "https://tria.ge/230108-ftrlkagb7z/behavioral2", "https://tria.ge/230106-ryhp1ace8y/behavioral2", "https://tria.ge/230120-lncs4sad55/behavioral3", "https://tria.ge/230115-xqrwlaag69/behavioral6", "https://tria.ge/230115-x2h3tsbb49/behavioral6", "https://tria.ge/230115-x2h3tsbb49/behavioral32", "https://tria.ge/230115-x2h3tsbb49/behavioral28", "https://tria.ge/230115-x2h3tsbb49/behavioral26", "https://tria.ge/230115-x2h3tsbb49/behavioral14", "https://tria.ge/230115-x2h3tsbb49/behavioral10", "https://tria.ge/230120-1vxjesbg9t/behavioral1", "https://tria.ge/230120-1vxjesbg9t/behavioral2", "https://tria.ge/230102-s2ryhseg39/behavioral10", "https://tria.ge/230102-s3kktshh7t/behavioral2", "https://tria.ge/230102-s3v2kahh7v/behavioral2", "https://tria.ge/230102-s38bwshh7y/behavioral2", "https://tria.ge/230102-s4zq5seg44/behavioral32", "https://tria.ge/230102-s2n7maeg38/behavioral12", "https://tria.ge/230102-s2n7maeg38/static1", "https://tria.ge/230102-tekflaeg63/static1", "https://tria.ge/230105-xbxhjacg76/behavioral1", "https://tria.ge/230105-xbxhjacg76/behavioral2", "https://tria.ge/221221-zk1mnagd4x/behavioral3", "https://tria.ge/221221-zjmz6sdc27/behavioral3", "https://tria.ge/221221-zjjmradc26/behavioral3", "https://tria.ge/221221-zjezkagd3w/behavioral3", "https://tria.ge/221225-df32bseb6z/behavioral11", "https://tria.ge/221225-df32bseb6z/behavioral26", "https://tria.ge/221225-df32bseb6z/behavioral25", "https://tria.ge/221225-destzaeb6y/behavioral1", "https://tria.ge/221225-destzaeb6y/behavioral2", "https://tria.ge/221224-hvmp4shf85/behavioral2", "https://tria.ge/221224-hqfq1ahf77/behavioral1", "https://tria.ge/221224-hqfq1ahf77/behavioral2", "https://tria.ge/221221-zvhvlagd7y/behavioral3", "https://tria.ge/240331-yqk9gsaf9z/behavioral8", "https://tria.ge/240331-yqk9gsaf9z/behavioral9", "https://tria.ge/240129-m661cagdb6/behavioral2", "https://tria.ge/240129-lkztgaehh2/behavioral3", "https://tria.ge/240111-cahyjaccem/behavioral31", "https://tria.ge/240111-cahyjaccem/behavioral30", "https://tria.ge/240111-cahyjaccem/behavioral29", "https://tria.ge/240111-cahyjaccem/behavioral22", "https://tria.ge/240111-cahyjaccem/behavioral21", "https://tria.ge/240111-cahyjaccem/behavioral11", "https://tria.ge/240107-eq4w2sfch5/behavioral7", "https://tria.ge/240106-dbq6zafccm/behavioral3", "https://tria.ge/231224-3h4hbaefg7/behavioral3", "https://tria.ge/231224-3h4hbaefg7/behavioral7", "https://tria.ge/231224-g5gq6sbhb2/behavioral7", "https://tria.ge/231217-zztgwsfger/behavioral2", "https://tria.ge/231217-ysjtfahaf3/behavioral7", "https://tria.ge/231217-yscecsfefl/behavioral7", "https://tria.ge/231217-yscecsfefl/behavioral11", "https://tria.ge/231217-yl3mzafebp/behavioral7", "https://tria.ge/231217-yl3mzafebp/behavioral2", "https://tria.ge/231217-yjcc1afeap/behavioral7", "https://tria.ge/231217-yjcc1afeap/behavioral3", "https://tria.ge/240317-kz93babd61/behavioral7", "https://tria.ge/240317-kz93babd61/behavioral3", "https://tria.ge/240409-btvwrshh94/behavioral3", "https://tria.ge/240409-btvwrshh94/behavioral11", "https://tria.ge/231015-l3gqlsdg6w/behavioral8", "https://tria.ge/230324-hax1cacf74", "https://tria.ge/230324-g9c9jscf67/behavioral2", "https://tria.ge/230324-g8jd6seg41/behavioral3", "https://tria.ge/230321-gr8yhaha33/behavioral5", "https://tria.ge/230321-gr8yhaha33/behavioral10", "https://tria.ge/230321-gr8yhaha33/behavioral9", "https://tria.ge/230321-gr8yhaha33/behavioral6", "https://tria.ge/230321-grwyyaha29/behavioral7", "https://tria.ge/230321-grwyyaha29/behavioral16", "https://tria.ge/230321-grwyyaha29/behavioral15", "https://tria.ge/230321-grwyyaha29/behavioral13", "https://tria.ge/230321-grwyyaha29/behavioral8", "https://tria.ge/230321-f6rgbsah5x", "https://tria.ge/230321-f1p2bagh55/behavioral2", "https://tria.ge/230321-f1p2bagh55/behavioral3", "https://tria.ge/230313-jp94wsbb8x/behavioral2", "https://tria.ge/230308-zttwgaha65/behavioral2", "https://tria.ge/230308-zr5j7aha49/behavioral2", "https://tria.ge/230308-zp7xjaga2z/behavioral3", "https://tria.ge/230307-1xx8qsbg5v/behavioral3", "https://tria.ge/230307-1xx8qsbg5v/behavioral4", "https://tria.ge/230307-1rdl5scc53/behavioral1", "https://tria.ge/230307-1f7e3scb88/behavioral4", "https://tria.ge/230307-1f7e3scb88/behavioral16", "https://tria.ge/230305-31dplshh79/behavioral2", "https://tria.ge/230305-31dplshh79/behavioral3", "https://tria.ge/230305-3s617ahd3s/behavioral2", "https://tria.ge/230305-3s617ahd3s/behavioral3", "https://tria.ge/230305-3snjvahh67/behavioral3", "https://tria.ge/230305-eckw1sff35/behavioral3", "https://tria.ge/230305-eckw1sff35/behavioral1", "https://tria.ge/230305-eb63vsfa61/behavioral3", "https://tria.ge/230305-eabwbsfa6z/behavioral2", "https://tria.ge/230305-eabwbsfa6z/behavioral3", "https://tria.ge/230305-d9lddafa6y/behavioral1", "https://tria.ge/230305-d9lddafa6y/behavioral2", "https://tria.ge/230305-d82c7sff27/behavioral3", "https://tria.ge/230305-d82c7sff27/behavioral1", "https://tria.ge/230305-d8rtrsff26/behavioral1", "https://tria.ge/230305-d8rtrsff26/behavioral2", "https://tria.ge/230305-d62aesff25/behavioral1", "https://tria.ge/230305-d62aesff25/behavioral2", "https://tria.ge/230305-d4phvafe99/behavioral1", "https://tria.ge/230305-d4phvafe99/behavioral2", "https://tria.ge/230305-d4a1fsfe98/behavioral1", "https://tria.ge/230305-d33dbafa51/behavioral1", "https://tria.ge/230305-d33dbafa51/behavioral2", "https://tria.ge/230305-d21s4afe93/behavioral1", "https://tria.ge/230305-d21s4afe93/behavioral31", "https://tria.ge/230305-d21s4afe93/behavioral23", "https://tria.ge/230305-d21s4afe93/behavioral21", "https://tria.ge/230305-d21s4afe93/behavioral13", "https://tria.ge/230305-dyzrmafe89", "https://tria.ge/230305-dycl4afa5v/behavioral29", "https://tria.ge/230305-dycl4afa5v/behavioral27", "https://tria.ge/230305-dycl4afa5v/behavioral7", "https://tria.ge/230305-dycl4afa5v/behavioral15", "https://tria.ge/230220-pbc5wsah96/behavioral3", "https://tria.ge/230220-pbc5wsah96/behavioral2", "https://tria.ge/230215-baxk9ahc37/behavioral1", "https://tria.ge/230215-baxk9ahc37/behavioral2", "https://tria.ge/230204-rnp2bsgh3y/behavioral1", "https://tria.ge/230204-rnp2bsgh3y/behavioral2", "https://tria.ge/230204-qvwa9add55", "https://tria.ge/230204-qvlrtadd53/behavioral3", "https://tria.ge/230202-h81h5ahc9z/behavioral2", "https://tria.ge/230202-h81h5ahc9z/behavioral3", "https://tria.ge/230201-av97eabb24/behavioral2", "https://tria.ge/230127-v6q8wsdg5y/behavioral2", "https://tria.ge/230125-kn9meafe37/behavioral1", "https://tria.ge/230125-kn9meafe37/behavioral2", "https://tria.ge/230122-tqj9zaac8v/behavioral3", "https://tria.ge/230122-tqj9zaac8v/behavioral1", "https://tria.ge/230122-tqj9zaac8v/behavioral2", "https://tria.ge/231206-hwhgsacd32/behavioral1", "https://tria.ge/231206-hwsbzscd34", "https://tria.ge/231206-hwsbzscd34/behavioral1", "https://tria.ge/231206-hvz1facd27/behavioral1" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1081", "name": "Credentials in Files", "display_name": "T1081 - Credentials in Files" }, { "id": "T1130", "name": "Install Root Certificate", "display_name": "T1130 - Install Root Certificate" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1489", "name": "Service Stop", "display_name": "T1489 - Service Stop" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1490", "name": "Inhibit System Recovery", "display_name": "T1490 - Inhibit System Recovery" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1067", "name": "Bootkit", "display_name": "T1067 - Bootkit" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1042", "name": "Change Default File Association", "display_name": "T1042 - Change Default File Association" } ], "industries": [], "TLP": "white", "cloned_from": "661c5aeb351e7ed1fd41dccd", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2817, "FileHash-SHA1": 2698, "FileHash-SHA256": 2703, "domain": 65, "URL": 12, "hostname": 13, "SSLCertFingerprint": 1 }, "indicator_count": 8309, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "65 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66b4f1234e20d1551dd7647a", "name": "Boratoken - x.com | Ransom | SnakeKeylogger | X.com redirect | Brian Sabey search results", "description": "Aggressively malicious x.com template.\nIntroduction: ' I was surprised to find this' regarding Google Phish of a 'Samuel Tulach' @X.Com Discussion: Exodus/ Cellebrite/Pegasus/NSO, Brian Sabey,etc,.\nImpacts at least 1 single individual, virustotal, Twitter/x.com.", "modified": "2024-09-07T22:38:23.513000", "created": "2024-08-08T16:24:02.550000", "tags": [ "no expiration", "filehashmd5", "iocs", "next", "all scoreblue", "pulse use", "domain", "ipv4", "url http", "url https", "cidr", "email", "ipv6", "code", "pdf report", "contact", "contacted", "registrar abuse", "phishing", "malware beacon", "x com", "twitter", "ransomware", "pyinstaller", "trojanspy", "trojan", "borpa", "samas", "formbook", "formbook cnc", "vtflooder", "namecheap", "'m nudie", "remote job", "get her work", "false files", "pornhub", "aaaa", "proofpoint", "are you hiring", "unknown", "united", "asnone united", "creation date", "search", "germany unknown", "expiration date", "date", "showing", "as61969 team", "body", "meta", "code", "screenshot", "servers", "server", "web attack" ], "references": [ "https://twitter.com/ootiosum/status/1812208222150726029a4dmHAxV0M0QIHawADl4Qr4kDegUI-QEQAA&usg=AOvVaw37yALadqlgoR9_xlQ5B4Hm", "http://borpatoken.com/", "netflix.com Akamai rank: #6", "phyn.app", "https://phyn.app/assets/images/Netflix-Background-phyn-dark.png", "pornhero.net 'we don't need another hero, hero, hero...' No Expiration\t0\t URL https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian No Expiration\t0\t Hostname www.pornhub.com No Expiration\t0\t URL https://8muses.info/other/adventure-time-porn-vault-boners-3-cartoon-porn-frosty-sanchez/20/ No Expiration\t14\t URL https://8muses.info/simpsons-porn/simpsons-special-bigboy/", "https://twitter.com/PORNO_SEXYBABES [Twitter Tsara Brashears related]", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "x.com related: www.pornhub.com", "Twitter/ X.xom related: https://8muses.info/other/adventure-time-porn-vault-boners-3-cartoon-porn-frosty-sanchez/20/", "TAGS: api call app store as13414 twitter as15133 verizon as16625 akamai as18450 as20940 as2914 ntt as397240 as397241 asnone ca issuers", "TAGS: camaro dragon canada click cloudfront cname co number code contact content content gmt copy crlf line cyber defense", "TAGS: email expiry gmt false file files final url for privacy form format malware beacon meta http meta tags namecheap inc", "TAGS: passive dns pattern match title page trojandropper united 12110kb aaaa add tag adversary tags", "TAGS: all scoreblue analyzer apache autoit borpa browser canada cidr ck id ck matrix code code contact contacted", "TAGS: create new domain email expiration filehashmd5 formbook cnc get google phish green hackers hackers heroku hostname", "TAGS: iocs layoutid8 malware nameaul namecheap next no expiration pcap pdf report pegasus topic phish phishing", "TAGS: photoshop prefs privacy service provider public tlp pulse provide pulse use pyinstaller", "TAGS: ransom ransomware red team registrar abuse roboto samas samuel tulach scan endpoints", "TAGS: screenshot snake snake keylogger suspicious template trojan downloader trojanspy tulach url http url https x template x verce" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 31, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 500, "FileHash-SHA1": 485, "FileHash-SHA256": 1177, "URL": 1033, "SSLCertFingerprint": 4, "domain": 801, "hostname": 1139, "email": 14, "CIDR": 2 }, "indicator_count": 5155, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "630 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "661c5aeb351e7ed1fd41dccd", "name": "Comprehensive Tria.ge import - Pro tip", "description": "You have to upload the specific behavior page to import IoC's outside of the static analysis. It's also important to note that over the course of the last six months the anti-VM and anti-sandbox and anti-debug capabilities got noticably better. This is only analysis that got a 6+ threat score. Not the countless files that did not run.", "modified": "2024-05-14T21:00:00.653000", "created": "2024-04-14T22:38:35.008000", "tags": [ "implementation", "murmurhash3", "jens taylor", "gary court", "austin appleby", "typeof h", "please", "javascript", "triage", "malware", "analysis", "report", "reported", "analyze", "sandbox", "score", "behavioral task", "resource", "ck v13", "general", "target", "size", "sha256", "sha512", "ssdeep", "config", "copy", "shell", "sample", "sha1", "execution", "sample sample", "gpio promo", "sample gpio", "gpio2 driv", "sample gpio2", "target gpio", "adversaries", "bypass", "download submit", "filesize", "executes", "file", "download", "key value", "set value", "explorer", "class", "monitor", "signatures", "discovery", "iocs", "asusit885", "vendady", "venmsft", "proddadydvdrom4", "prodharddisk4", "drops file", "checks scsi", "processes", "network", "replay", "armourycra", "armoury crate", "token", "exe loads", "factory", "prefetch8", "service", "ck v6", "mitre", "f13eed8e", "suspicious use", "samsungma", "defense", "alderlakep", "alderlake", "sunrisepoi", "skylakesk", "tigerlakep", "reads cpu", "reads runtime", "tmpinxi", "ttps", "checks computer", "ngen worker", "process", "state migration", "installer", "binzsh c", "ksversion", "kschannelid", "apps", "plugins", "xpcproxy", "helper", "chrome helper", "renderer", "binlaunchctl", "data filesize", "error", "document being", "devnull md5", "play", "hypervisor", "mount o", "t iso9660", "f varlogmount", "analog", "triage submit", "static", "report analysis", "logs loading", "analysis log", "dos win95", "f win98", "f hpfs", "w95 f", "fat12 fat16", "extend", "setpasswd", "f root", "checks cpu", "discovery t1082", "managerwar", "wifinetwor", "query registry", "multimedia", "inprocserver32", "apartment", "typelib", "persistence", "progid", "nummethods", "10 discovery", "t1012 system", "appdir", "prefetch1", "registers com", "both", "chromehtml", "windowsdef", "enumerates", "systemroot", "windows media", "9801", "components", "checks", "localserver32", "open", "edit", "xport", "maxwellbio", "execution flow", "write file", "nvidialin", "excel", "sample https", "modifies", "fdoemcdcd", "klinks", "t1120 system", "windowstemp", "sample read", "traffic", "go play", "sample go", "cuckptn", "cuckicrc", "binsh c", "tags", "deviceinfo", "windowsinf", "targets", "ck matrix", "attempts", "m2 ssd", "p40 game", "filesintelintel", "legacy", "catalogfile", "pciven8086", "ndisasuss", "sample http", "microsoftw", "destination ip", "waasregke", "qeaa", "ueaa", "yaxxz", "iebapeadxz", "iebapeagxz", "headers dll", "lredmond", "locale", "suspicious", "player list", "sample bcd", "resources", "usrbinlogger t", "updater", "pid1522", "shadow copy", "dellsuppor", "landriver", "inputperso", "ipsmigrati", "sample intel", "servicingkey", "0008", "viper m2", "cannonlake", "cometlakep", "coffeelake", "cometlake", "10 blocklisted", "data", "supportass", "iocs reads", "APT1" ], "references": [ "imurmurhash.min.js", "https://www.virustotal.com/gui/file/e58fe1f551a6fb3e0a8bbaed5f8cae96194ccbbba5f4da2914a5046a4df3725e?nocache=1", "https://www.virustotal.com/gui/file/03759f9a14c983a9e70d17d0552fb2bff9dc1fe8c9b837f859403449ecdadd11?nocache=1", "https://www.virustotal.com/gui/file/32dbd62fce658336afc05435cafed68029dba626e5863a39305eaf8f42ed74cd?nocache=1", "https://www.virustotal.com/gui/file/049645f56e88a33c0d5d74b5ad9dc7da425a326ee72db4885b712c16f9edeb54?nocache=1", "https://www.virustotal.com/gui/file/b9cee56cd245633f7debe4b6e93f1606ac6788a9749a8eba2d742cfd84e935fd?nocache=1", "https://www.virustotal.com/gui/file/b9cee56cd245633f7debe4b6e93f1606ac6788a9749a8eba2d742cfd84e935fd", "https://www.virustotal.com/gui/file/8694bebdcbe7854aae97fcecfce0fa0b5a9aa07b5f95cd2e55d62a25caaaa8d8?nocache=1", "https://www.virustotal.com/gui/file/b2b37af320b637acc1001404b6a7f9bbfc4dcfb7319bba92333be2050b398318/relations", "https://tria.ge/231217-yjcc1afeap", "https://tria.ge/231217-yl3mzafebp", "https://tria.ge/231217-yscecsfefl", "https://tria.ge/231217-ysjtfahaf3", "https://tria.ge/231217-zztgwsfger", "https://tria.ge/231224-g5gq6sbhb2", "https://tria.ge/231224-3h4hbaefg7", "https://tria.ge/240106-dbq6zafccm", "https://tria.ge/240107-eq4w2sfch5", "https://tria.ge/240111-cahyjaccem", "https://tria.ge/240129-lkztgaehh2", "https://tria.ge/240129-m661cagdb6", "https://tria.ge/240317-kz93babd61", "https://tria.ge/240317-kz93babd61/behavioral2", "https://tria.ge/240410-aceyjseb6v/behavioral4", "https://tria.ge/230108-ftrlkagb7z/behavioral1", "https://tria.ge/230108-ftyd4sgb71/behavioral10", "https://tria.ge/230108-fvadnsgb8s/behavioral27", "https://tria.ge/230108-qrmvpsdf96/behavioral3", "https://tria.ge/230108-qrv63sdf97/behavioral3", "https://tria.ge/230108-qr1fssdf98/behavioral2", "https://tria.ge/230108-qr6b2sdg22/behavioral3", "https://tria.ge/230108-qsdneshb2w/behavioral10", "https://tria.ge/230113-ctz16adf45/behavioral1", "https://tria.ge/230113-c3xbmadf82/behavioral2", "https://tria.ge/230113-c79shshd41/behavioral2", "https://tria.ge/230108-qvj8zshb3t/behavioral2", "https://tria.ge/230109-ywqq6aba3z/behavioral27", "https://tria.ge/230113-dbgbrshd61/behavioral5", "https://tria.ge/230113-dfhemadg66/behavioral7", "https://tria.ge/231015-l3gqlsdg6w/behavioral11", "https://tria.ge/230906-vajh6shg63/behavioral3", "https://tria.ge/230901-qkt1faeh2v/behavioral3", "https://tria.ge/231128-vbn52sbf51/behavioral7", "https://tria.ge/231206-gkeq3sbg68/behavioral7", "https://tria.ge/231206-hf1cnacb98/behavioral7", "https://tria.ge/240409-25x4dagh63/behavioral4", "https://tria.ge/240409-dhdjfsce54/behavioral3", "https://tria.ge/240409-btvwrshh94/behavioral2", "https://tria.ge/240402-zjrcladb42/behavioral28", "https://tria.ge/240402-zjrcladb42/behavioral27", "https://tria.ge/240402-zjrcladb42/behavioral1", "https://tria.ge/240402-zjrcladb42/behavioral2", "https://tria.ge/240402-zjrcladb42/behavioral3", "https://tria.ge/240402-zjrcladb42/behavioral4", "https://tria.ge/240402-zjrcladb42/behavioral5", "https://tria.ge/240402-zjrcladb42/behavioral6", "https://tria.ge/240402-zjrcladb42/behavioral9", "https://tria.ge/240402-zjrcladb42/behavioral13", "https://tria.ge/240402-zjrcladb42/behavioral13/analog", "https://tria.ge/240402-zjrcladb42/behavioral17", "https://tria.ge/240402-zjrcladb42/behavioral21", "https://tria.ge/240402-zjrcladb42/behavioral25", "https://tria.ge/240402-zjrcladb42/behavioral29", "https://tria.ge/240402-cb476add4w/behavioral2", "https://tria.ge/240401-b3bt9aad37/behavioral11", "https://tria.ge/240401-bztwnaac57/behavioral2", "https://tria.ge/240331-y9w54abd6t/behavioral7", "https://tria.ge/240331-yqk9gsaf9z/behavioral10", "https://tria.ge/240331-ykp1gsae3z/behavioral28", "https://tria.ge/240331-ykp1gsae3z/behavioral20", "https://tria.ge/240331-ykp1gsae3z/behavioral14", "https://tria.ge/240331-ykp1gsae3z/behavioral12", "https://tria.ge/240331-ykp1gsae3z/behavioral4", "https://tria.ge/240331-ykp1gsae3z/behavioral2", "https://tria.ge/220803-zggqdafbh7/behavioral2", "https://tria.ge/220803-y7119sgafr/behavioral12", "https://tria.ge/220803-y6bpzsfag2/behavioral28", "https://tria.ge/220803-y6bpzsfag2/behavioral26", "https://tria.ge/220803-y6bpzsfag2/behavioral22", "https://tria.ge/220803-y6bpzsfag2/behavioral20", "https://tria.ge/220803-y6bpzsfag2/behavioral18", "https://tria.ge/220803-y6bpzsfag2/behavioral16", "https://tria.ge/220803-y6bpzsfag2/behavioral12", "https://tria.ge/220803-y6bpzsfag2/behavioral10", "https://tria.ge/220803-1m2heafgb9/behavioral13", "https://tria.ge/220803-1m2heafgb9/behavioral8", "https://tria.ge/220803-1m4yjafgc2/behavioral31", "https://tria.ge/220803-1m4yjafgc2/behavioral29", "https://tria.ge/220803-1m4yjafgc2/behavioral27", "https://tria.ge/220803-1m4yjafgc2/behavioral25", "https://tria.ge/220803-1m4yjafgc2/behavioral23", "https://tria.ge/220803-1m4yjafgc2/behavioral22", "https://tria.ge/220803-1m4yjafgc2/behavioral19", "https://tria.ge/220803-1m4yjafgc2/behavioral17", "https://tria.ge/220803-1m4yjafgc2/behavioral15", "https://tria.ge/220803-1m4yjafgc2/behavioral13", "https://tria.ge/220803-1m4yjafgc2/behavioral9", "https://tria.ge/220803-1m4yjafgc2/behavioral7", "https://tria.ge/220803-1m4yjafgc2/behavioral6", "https://tria.ge/220803-1m4yjafgc2/behavioral5", "https://tria.ge/220803-1m4yjafgc2/behavioral3", "https://tria.ge/220803-1m4yjafgc2/behavioral2", "https://tria.ge/220803-1m4yjafgc2/behavioral1", "https://tria.ge/220803-1nlhksfgc3/behavioral32", "https://tria.ge/220803-1nlhksfgc3/behavioral1", "https://tria.ge/220803-1pfnqagffp/behavioral32", "https://tria.ge/220803-1pfnqagffp/behavioral4", "https://tria.ge/220803-1qd7aafgd9/behavioral28", "https://tria.ge/220803-1qd7aafgd9/behavioral24", "https://tria.ge/220803-1qd7aafgd9/behavioral23", "https://tria.ge/220803-1qd7aafgd9/behavioral22", "https://tria.ge/220803-1qd7aafgd9/behavioral21", "https://tria.ge/220803-1qd7aafgd9/behavioral15", "https://tria.ge/220803-1qs1fafge3/behavioral29", "https://tria.ge/220803-1qs1fafge3/behavioral27", "https://tria.ge/220803-1qs1fafge3/behavioral25", "https://tria.ge/220803-1qs1fafge3/behavioral23", "https://tria.ge/220803-1qs1fafge3/behavioral22", "https://tria.ge/220803-1qs1fafge3/behavioral19", "https://tria.ge/220803-1qs1fafge3/behavioral17", "https://tria.ge/220803-1qs1fafge3/behavioral13", "https://tria.ge/220803-1qs1fafge3/behavioral9", "https://tria.ge/220803-1qs1fafge3/behavioral6", "https://tria.ge/220803-1qs1fafge3/behavioral5", "https://tria.ge/220803-1qs1fafge3/behavioral1", "https://tria.ge/220803-1qs1fafge3/behavioral2", "https://tria.ge/220803-1qs1fafge3/behavioral3", "https://tria.ge/220803-1rxd9afgf2/behavioral28", "https://tria.ge/220803-1rxd9afgf2/behavioral27", "https://tria.ge/220803-1rxd9afgf2/behavioral23", "https://tria.ge/220803-1rxd9afgf2/behavioral19", "https://tria.ge/220803-1rxd9afgf2/behavioral15", "https://tria.ge/220804-cb7naaafeq", "https://tria.ge/220804-cb7naaafeq/behavioral1", "https://tria.ge/220805-fqatmsgbdr/behavioral3", "https://tria.ge/220805-fqkzlsfcb6/behavioral3", "https://tria.ge/220805-ft3zlafce6/behavioral1", "https://tria.ge/220805-ft3zlafce6/behavioral3", "https://tria.ge/220805-ft3zlafce6/behavioral2", "https://tria.ge/220805-fwthyagcbq/behavioral3", "https://tria.ge/220805-fwthyagcbq/behavioral2", "https://tria.ge/220805-fwthyagcbq/behavioral1", "https://tria.ge/220805-f286ksfdc7", "https://tria.ge/220805-f286ksfdc7/behavioral3", "https://tria.ge/220805-gca3xsgeaj/behavioral2", "https://tria.ge/220805-gca3xsgeaj/behavioral3", "https://tria.ge/220805-gv8rxafgf8/behavioral3", "https://tria.ge/220805-gv8rxafgf8/behavioral1", "https://tria.ge/220805-h1w6qshdaq/behavioral3", "https://tria.ge/220805-h1w6qshdaq/behavioral2", "https://tria.ge/220805-h1w6qshdaq/behavioral1", "https://tria.ge/220805-yv476aggd6/behavioral3", "https://tria.ge/220805-yv476aggd6/behavioral2", "https://tria.ge/220805-zetbdshag5/behavioral3", "https://tria.ge/220805-zetbdshag5/behavioral1", "https://tria.ge/220806-brndxabdh6/behavioral1", "https://tria.ge/220806-brndxabdh6/behavioral2", "https://tria.ge/220806-brndxabdh6/behavioral3", "https://tria.ge/220806-btaktsbea5/behavioral3", "https://tria.ge/220806-btaktsbea5/behavioral2", "https://tria.ge/220806-btaktsbea5/behavioral1", "https://tria.ge/220806-jrkl1sccfl", "https://tria.ge/220806-jrkl1sccfl/behavioral3", "https://tria.ge/220806-jrkl1sccfl/behavioral2", "https://tria.ge/220806-jrkl1sccfl/behavioral1", "https://tria.ge/220806-j2ztpaceak/behavioral1", "https://tria.ge/220806-j2ztpaceak/behavioral3", "https://tria.ge/220806-j3912scebk/behavioral3", "https://tria.ge/220806-j4w6ksfab3/behavioral3", "https://tria.ge/220830-17kqdsdfb2/behavioral3", "https://tria.ge/220830-17kqdsdfb2/behavioral2", "https://tria.ge/220830-17kqdsdfb2/behavioral1", "https://tria.ge/220729-d8e5zadga9/behavioral2", "https://tria.ge/220729-d8av9adga3/behavioral2", "https://tria.ge/220729-d74f6seedk/behavioral2", "https://tria.ge/220729-d7ta7sdfh9/behavioral2", "https://tria.ge/220729-d347xadfe7/behavioral2", "https://tria.ge/220729-d3yecseeam/behavioral2", "https://tria.ge/220729-d3sh4seeal/behavioral2", "https://tria.ge/220729-d3m9dsdfe3/behavioral2", "https://tria.ge/220729-d3dd7aedhk/behavioral2", "https://tria.ge/220729-d2kf4sedgl/behavioral2", "https://tria.ge/220729-d1hwwsdfc7/behavioral2", "https://tria.ge/220729-d85evsdgb3/behavioral2", "https://tria.ge/220729-ecv2zsdgd7/behavioral2", "https://tria.ge/220729-ecnb5sdgd5/behavioral2", "https://tria.ge/220729-wzxyjacgal/behavioral2", "https://tria.ge/220729-wzxyjacgal/behavioral1", "https://tria.ge/220729-w1gmyabhf2/behavioral2", "https://tria.ge/220729-24hbjaeeep/behavioral1", "https://tria.ge/220730-chkgbsehh6/behavioral2", "https://tria.ge/220731-f45wyabgbr/behavioral3", "https://tria.ge/220801-sppmmaafd6/behavioral28", "https://tria.ge/220801-sppmmaafd6/behavioral20", "https://tria.ge/220801-sppmmaafd6/behavioral19", "https://tria.ge/220802-kwqt9secdp", "https://tria.ge/220802-kwqt9secdp/behavioral1", "https://tria.ge/220803-yl8h8afgdn/behavioral1", "https://tria.ge/220803-yl8h8afgdn/behavioral12", "https://tria.ge/220803-yl8h8afgdn/behavioral8", "https://tria.ge/220803-yl8h8afgdn/behavioral7", "https://tria.ge/220803-yl8h8afgdn/behavioral4", "https://tria.ge/220803-yl8h8afgdn/behavioral3", "https://tria.ge/220803-ymle3sfgdp/behavioral6", "https://tria.ge/220803-ymle3sfgdp/behavioral28", "https://tria.ge/220803-ymle3sfgdp/behavioral27", "https://tria.ge/220803-ymle3sfgdp/behavioral23", "https://tria.ge/220803-ymle3sfgdp/behavioral19", "https://tria.ge/220803-ymle3sfgdp/behavioral15", "https://tria.ge/220803-yshldaehd8/behavioral14", "https://tria.ge/220803-yshldaehd8/behavioral13", "https://tria.ge/220803-yshldaehd8/behavioral3", "https://tria.ge/220726-xskv3addar/behavioral2", "https://tria.ge/220726-xskv3addar/behavioral1", "https://tria.ge/220726-xz7y6sddgk/behavioral1", "https://tria.ge/220726-xz7y6sddgk/behavioral4", "https://tria.ge/220726-xz7y6sddgk/behavioral3", "https://tria.ge/220726-xz7y6sddgk/behavioral2", "https://tria.ge/220726-x1m1dsddgl/behavioral1", "https://tria.ge/220726-x1m1dsddgl/behavioral4", "https://tria.ge/220726-x1m1dsddgl/behavioral3", "https://tria.ge/220726-x1m1dsddgl/behavioral2", "https://tria.ge/220727-bv535aghfl/behavioral8", "https://tria.ge/220727-bv535aghfl/behavioral7", "https://tria.ge/220727-bv535aghfl/behavioral1", "https://tria.ge/220729-dqk89secfn/behavioral1", "https://tria.ge/220729-dqgwvaecfm/behavioral1", "https://tria.ge/220724-rl2mcafdbm/behavioral1", "https://tria.ge/220724-rtnqfsfeg6/behavioral1", "https://tria.ge/220724-sheh3sgddl/behavioral1", "https://tria.ge/220724-slp4zsgdh2/behavioral1", "https://tria.ge/220724-tacvysheh8/behavioral7", "https://tria.ge/220724-tetn9shgf9", "https://tria.ge/220724-tmtn8sacej/behavioral1", "https://tria.ge/220724-tmtn8sacej/behavioral26", "https://tria.ge/220724-tmtn8sacej/behavioral25", "https://tria.ge/220724-tmtn8sacej/behavioral15", "https://tria.ge/220724-fgjeesffc7/behavioral1", "https://tria.ge/220724-fgjeesffc7/behavioral2", "https://tria.ge/220916-d8f29seef7/behavioral2", "https://tria.ge/220912-r4wh2shccm", "https://tria.ge/220912-r4wh2shccm/behavioral1", "https://tria.ge/220912-r4fsladea8/behavioral1", "https://tria.ge/220912-r36ydsdea7/behavioral2", "https://tria.ge/220912-r3z5vahccj/behavioral2", "https://tria.ge/220912-r25nyahcbp/behavioral2", "https://tria.ge/220912-r2sdlshcbn/behavioral2", "https://tria.ge/220912-r2j28sdea3/behavioral2", "https://tria.ge/220912-r2j28sdea3/behavioral1", "https://tria.ge/220912-r2dkfsdea2/behavioral2", "https://tria.ge/220912-r16vlsddh9/behavioral2", "https://tria.ge/220912-rxnvmaddh6/behavioral2", "https://tria.ge/220912-rxb6tsddh5/behavioral2", "https://tria.ge/220912-rtwfashcaq/behavioral2", "https://tria.ge/220912-rtf1lsddg8", "https://tria.ge/220912-rsreyshcam/behavioral2", "https://tria.ge/220912-rsc8bsddg6/behavioral3", "https://tria.ge/220912-rqlrpahbhr/behavioral2", "https://tria.ge/220912-rp93wshbhq/behavioral2", "https://tria.ge/220912-rpzxxshbhp/behavioral2", "https://tria.ge/220912-rpjkyaddf9/behavioral3", "https://tria.ge/220912-rn3meshbhl/behavioral2", "https://tria.ge/220912-regnladdd6/behavioral3", "https://tria.ge/220930-vmljasfbcm/behavioral2", "https://tria.ge/220930-vmv3qsfbcn/behavioral2", "https://tria.ge/221007-2b72gsdga7/behavioral32", "https://tria.ge/221007-2b72gsdga7/behavioral26", "https://tria.ge/221007-2b72gsdga7/behavioral25", "https://tria.ge/221007-2b72gsdga7/behavioral20", "https://tria.ge/221007-2b72gsdga7/behavioral19", "https://tria.ge/221007-2b72gsdga7/behavioral16", "https://tria.ge/221007-2b72gsdga7/behavioral15", "https://tria.ge/221012-bm6ppacbam/behavioral3", "https://tria.ge/221012-bm6ppacbam/behavioral14", "https://tria.ge/221012-bm6ppacbam/behavioral12", "https://tria.ge/221014-2dbfasegfn/behavioral3", "https://tria.ge/221015-rqzcsaffhq/behavioral2", "https://tria.ge/221202-wskpmaeg7x/behavioral2", "https://tria.ge/221202-wskpmaeg7x/behavioral1", "https://tria.ge/221205-jd6bkada9w/behavioral1", "https://tria.ge/221205-jd6bkada9w/behavioral2", "https://tria.ge/221212-j9yxcsdf2z/behavioral2", "https://tria.ge/221212-kcchjaah54/behavioral3", "https://tria.ge/221212-kcchjaah54/behavioral2", "https://tria.ge/221212-kcchjaah54/behavioral1", "https://tria.ge/221212-kdv19sdf3t/behavioral32", "https://tria.ge/221212-kdv19sdf3t/behavioral2", "https://tria.ge/221212-kd3q4sah55/behavioral3", "https://tria.ge/221215-sqzh8acf73/behavioral1", "https://tria.ge/221215-ta2t3sff7y/behavioral4", "https://tria.ge/221220-y6pa3seb4w/behavioral2", "https://tria.ge/221221-h9mcwsbg93/behavioral1", "https://tria.ge/221221-h9mcwsbg93/behavioral32", "https://tria.ge/221221-h9mcwsbg93/behavioral26", "https://tria.ge/221221-h9mcwsbg93/behavioral2", "https://tria.ge/221015-tfg2vsfge9/behavioral1", "https://tria.ge/221015-tfg2vsfge9/behavioral3", "https://tria.ge/221015-tfg2vsfge9/behavioral2", "https://tria.ge/221015-tlpznafgf6/behavioral1", "https://tria.ge/221015-tlpznafgf6/behavioral2", "https://tria.ge/221015-tl29zsfgf8/behavioral1", "https://tria.ge/221015-tl29zsfgf8/behavioral2", "https://tria.ge/221015-tlxz9sfgf7/behavioral1", "https://tria.ge/221015-tlxz9sfgf7/behavioral2", "https://tria.ge/221017-2zl4xsdec9/behavioral31", "https://tria.ge/221017-2zl4xsdec9/behavioral29", "https://tria.ge/221017-2zl4xsdec9/behavioral25", "https://tria.ge/221017-2zl4xsdec9/behavioral21", "https://tria.ge/221017-2zl4xsdec9/behavioral18", "https://tria.ge/221017-2zl4xsdec9/behavioral17", "https://tria.ge/221017-2zl4xsdec9/behavioral9", "https://tria.ge/221017-2zl4xsdec9/behavioral14", "https://tria.ge/221025-gp398sbfhp/behavioral15", "https://tria.ge/221025-gp398sbfhp/behavioral9", "https://tria.ge/221025-gp398sbfhp/behavioral8", "https://tria.ge/221025-gp398sbfhp/behavioral7", "https://tria.ge/221025-gp398sbfhp/behavioral6", "https://tria.ge/221025-gp398sbfhp/behavioral5", "https://tria.ge/221025-gp398sbfhp/behavioral4", "https://tria.ge/221025-gqnwyabfh3/behavioral1", "https://tria.ge/221025-gqnwyabfh3/behavioral3", "https://tria.ge/221025-gqnwyabfh3/behavioral2", "https://tria.ge/221028-y169psecbn/behavioral3", "https://tria.ge/221029-bjlv4sfcbr/behavioral15", "https://tria.ge/221029-bjlv4sfcbr/behavioral13", "https://tria.ge/221029-bjlv4sfcbr/behavioral8", "https://tria.ge/221029-bjlv4sfcbr/behavioral7", "https://tria.ge/221029-bj1z2afcdk/behavioral10", "https://tria.ge/221029-bj1z2afcdk/behavioral9", "https://tria.ge/221029-bj1z2afcdk/behavioral6", "https://tria.ge/221029-bj1z2afcdk/behavioral5", "https://tria.ge/221115-cpxegaee62/behavioral1", "https://tria.ge/221115-cpxegaee62/behavioral2", "https://tria.ge/230113-ctz16adf45", "https://tria.ge/230109-ywqq6aba3z", "https://tria.ge/230109-ywqq6aba3z/behavioral32", "https://tria.ge/230109-ywqq6aba3z/behavioral31", "https://tria.ge/230109-ywqq6aba3z/behavioral30", "https://tria.ge/230109-ywqq6aba3z/behavioral2", "https://tria.ge/230109-ywqq6aba3z/behavioral5", "https://tria.ge/230109-ywqq6aba3z/behavioral6", "https://tria.ge/230109-ywqq6aba3z/behavioral7", "https://tria.ge/230109-ywqq6aba3z/behavioral8", "https://tria.ge/230109-ywqq6aba3z/behavioral9", "https://tria.ge/230109-ywqq6aba3z/behavioral10", "https://tria.ge/230109-ywqq6aba3z/behavioral12", "https://tria.ge/230109-ywqq6aba3z/behavioral11", "https://tria.ge/230109-ywqq6aba3z/behavioral13", "https://tria.ge/230109-ywqq6aba3z/behavioral14", "https://tria.ge/230109-ywqq6aba3z/behavioral15", "https://tria.ge/230109-ywqq6aba3z/behavioral16", "https://tria.ge/230109-ywqq6aba3z/behavioral17", "https://tria.ge/230109-ywqq6aba3z/behavioral18", "https://tria.ge/230109-ywqq6aba3z/behavioral19", "https://tria.ge/230109-ywqq6aba3z/behavioral20", "https://tria.ge/230109-ywqq6aba3z/behavioral21", "https://tria.ge/230109-ywqq6aba3z/behavioral22", "https://tria.ge/230109-ywqq6aba3z/behavioral23", "https://tria.ge/230109-ywqq6aba3z/behavioral24", "https://tria.ge/230109-ywqq6aba3z/behavioral25", "https://tria.ge/230109-ywqq6aba3z/behavioral26", "https://tria.ge/230109-ywqq6aba3z/behavioral28", "https://tria.ge/230109-ywqq6aba3z/behavioral29", "https://tria.ge/230108-qvj8zshb3t/behavioral1", "https://tria.ge/230108-qskfzahb2y/behavioral12", "https://tria.ge/230108-qskfzahb2y/behavioral28", "https://tria.ge/230108-qskfzahb2y/behavioral27", "https://tria.ge/230108-qr6b2sdg22/behavioral1", "https://tria.ge/230108-qr6b2sdg22/behavioral2", "https://tria.ge/230108-qr1fssdf98/behavioral3", "https://tria.ge/230108-qr1fssdf98/behavioral1", "https://tria.ge/230108-qrv63sdf97/behavioral1", "https://tria.ge/230108-qrv63sdf97/behavioral2", "https://tria.ge/230108-qrmvpsdf96/behavioral1", "https://tria.ge/230108-qrmvpsdf96/behavioral2", "https://tria.ge/230108-fvadnsgb8s/behavioral12", "https://tria.ge/230108-fvadnsgb8s/behavioral2", "https://tria.ge/230108-ftyd4sgb71/behavioral9", "https://tria.ge/230108-ftrlkagb7z/behavioral2", "https://tria.ge/230106-ryhp1ace8y/behavioral2", "https://tria.ge/230120-lncs4sad55/behavioral3", "https://tria.ge/230115-xqrwlaag69/behavioral6", "https://tria.ge/230115-x2h3tsbb49/behavioral6", "https://tria.ge/230115-x2h3tsbb49/behavioral32", "https://tria.ge/230115-x2h3tsbb49/behavioral28", "https://tria.ge/230115-x2h3tsbb49/behavioral26", "https://tria.ge/230115-x2h3tsbb49/behavioral14", "https://tria.ge/230115-x2h3tsbb49/behavioral10", "https://tria.ge/230120-1vxjesbg9t/behavioral1", "https://tria.ge/230120-1vxjesbg9t/behavioral2", "https://tria.ge/230102-s2ryhseg39/behavioral10", "https://tria.ge/230102-s3kktshh7t/behavioral2", "https://tria.ge/230102-s3v2kahh7v/behavioral2", "https://tria.ge/230102-s38bwshh7y/behavioral2", "https://tria.ge/230102-s4zq5seg44/behavioral32", "https://tria.ge/230102-s2n7maeg38/behavioral12", "https://tria.ge/230102-s2n7maeg38/static1", "https://tria.ge/230102-tekflaeg63/static1", "https://tria.ge/230105-xbxhjacg76/behavioral1", "https://tria.ge/230105-xbxhjacg76/behavioral2", "https://tria.ge/221221-zk1mnagd4x/behavioral3", "https://tria.ge/221221-zjmz6sdc27/behavioral3", "https://tria.ge/221221-zjjmradc26/behavioral3", "https://tria.ge/221221-zjezkagd3w/behavioral3", "https://tria.ge/221225-df32bseb6z/behavioral11", "https://tria.ge/221225-df32bseb6z/behavioral26", "https://tria.ge/221225-df32bseb6z/behavioral25", "https://tria.ge/221225-destzaeb6y/behavioral1", "https://tria.ge/221225-destzaeb6y/behavioral2", "https://tria.ge/221224-hvmp4shf85/behavioral2", "https://tria.ge/221224-hqfq1ahf77/behavioral1", "https://tria.ge/221224-hqfq1ahf77/behavioral2", "https://tria.ge/221221-zvhvlagd7y/behavioral3", "https://tria.ge/240331-yqk9gsaf9z/behavioral8", "https://tria.ge/240331-yqk9gsaf9z/behavioral9", "https://tria.ge/240129-m661cagdb6/behavioral2", "https://tria.ge/240129-lkztgaehh2/behavioral3", "https://tria.ge/240111-cahyjaccem/behavioral31", "https://tria.ge/240111-cahyjaccem/behavioral30", "https://tria.ge/240111-cahyjaccem/behavioral29", "https://tria.ge/240111-cahyjaccem/behavioral22", "https://tria.ge/240111-cahyjaccem/behavioral21", "https://tria.ge/240111-cahyjaccem/behavioral11", "https://tria.ge/240107-eq4w2sfch5/behavioral7", "https://tria.ge/240106-dbq6zafccm/behavioral3", "https://tria.ge/231224-3h4hbaefg7/behavioral3", "https://tria.ge/231224-3h4hbaefg7/behavioral7", "https://tria.ge/231224-g5gq6sbhb2/behavioral7", "https://tria.ge/231217-zztgwsfger/behavioral2", "https://tria.ge/231217-ysjtfahaf3/behavioral7", "https://tria.ge/231217-yscecsfefl/behavioral7", "https://tria.ge/231217-yscecsfefl/behavioral11", "https://tria.ge/231217-yl3mzafebp/behavioral7", "https://tria.ge/231217-yl3mzafebp/behavioral2", "https://tria.ge/231217-yjcc1afeap/behavioral7", "https://tria.ge/231217-yjcc1afeap/behavioral3", "https://tria.ge/240317-kz93babd61/behavioral7", "https://tria.ge/240317-kz93babd61/behavioral3", "https://tria.ge/240409-btvwrshh94/behavioral3", "https://tria.ge/240409-btvwrshh94/behavioral11", "https://tria.ge/231015-l3gqlsdg6w/behavioral8", "https://tria.ge/230324-hax1cacf74", "https://tria.ge/230324-g9c9jscf67/behavioral2", "https://tria.ge/230324-g8jd6seg41/behavioral3", "https://tria.ge/230321-gr8yhaha33/behavioral5", "https://tria.ge/230321-gr8yhaha33/behavioral10", "https://tria.ge/230321-gr8yhaha33/behavioral9", "https://tria.ge/230321-gr8yhaha33/behavioral6", "https://tria.ge/230321-grwyyaha29/behavioral7", "https://tria.ge/230321-grwyyaha29/behavioral16", "https://tria.ge/230321-grwyyaha29/behavioral15", "https://tria.ge/230321-grwyyaha29/behavioral13", "https://tria.ge/230321-grwyyaha29/behavioral8", "https://tria.ge/230321-f6rgbsah5x", "https://tria.ge/230321-f1p2bagh55/behavioral2", "https://tria.ge/230321-f1p2bagh55/behavioral3", "https://tria.ge/230313-jp94wsbb8x/behavioral2", "https://tria.ge/230308-zttwgaha65/behavioral2", "https://tria.ge/230308-zr5j7aha49/behavioral2", "https://tria.ge/230308-zp7xjaga2z/behavioral3", "https://tria.ge/230307-1xx8qsbg5v/behavioral3", "https://tria.ge/230307-1xx8qsbg5v/behavioral4", "https://tria.ge/230307-1rdl5scc53/behavioral1", "https://tria.ge/230307-1f7e3scb88/behavioral4", "https://tria.ge/230307-1f7e3scb88/behavioral16", "https://tria.ge/230305-31dplshh79/behavioral2", "https://tria.ge/230305-31dplshh79/behavioral3", "https://tria.ge/230305-3s617ahd3s/behavioral2", "https://tria.ge/230305-3s617ahd3s/behavioral3", "https://tria.ge/230305-3snjvahh67/behavioral3", "https://tria.ge/230305-eckw1sff35/behavioral3", "https://tria.ge/230305-eckw1sff35/behavioral1", "https://tria.ge/230305-eb63vsfa61/behavioral3", "https://tria.ge/230305-eabwbsfa6z/behavioral2", "https://tria.ge/230305-eabwbsfa6z/behavioral3", "https://tria.ge/230305-d9lddafa6y/behavioral1", "https://tria.ge/230305-d9lddafa6y/behavioral2", "https://tria.ge/230305-d82c7sff27/behavioral3", "https://tria.ge/230305-d82c7sff27/behavioral1", "https://tria.ge/230305-d8rtrsff26/behavioral1", "https://tria.ge/230305-d8rtrsff26/behavioral2", "https://tria.ge/230305-d62aesff25/behavioral1", "https://tria.ge/230305-d62aesff25/behavioral2", "https://tria.ge/230305-d4phvafe99/behavioral1", "https://tria.ge/230305-d4phvafe99/behavioral2", "https://tria.ge/230305-d4a1fsfe98/behavioral1", "https://tria.ge/230305-d33dbafa51/behavioral1", "https://tria.ge/230305-d33dbafa51/behavioral2", "https://tria.ge/230305-d21s4afe93/behavioral1", "https://tria.ge/230305-d21s4afe93/behavioral31", "https://tria.ge/230305-d21s4afe93/behavioral23", "https://tria.ge/230305-d21s4afe93/behavioral21", "https://tria.ge/230305-d21s4afe93/behavioral13", "https://tria.ge/230305-dyzrmafe89", "https://tria.ge/230305-dycl4afa5v/behavioral29", "https://tria.ge/230305-dycl4afa5v/behavioral27", "https://tria.ge/230305-dycl4afa5v/behavioral7", "https://tria.ge/230305-dycl4afa5v/behavioral15", "https://tria.ge/230220-pbc5wsah96/behavioral3", "https://tria.ge/230220-pbc5wsah96/behavioral2", "https://tria.ge/230215-baxk9ahc37/behavioral1", "https://tria.ge/230215-baxk9ahc37/behavioral2", "https://tria.ge/230204-rnp2bsgh3y/behavioral1", "https://tria.ge/230204-rnp2bsgh3y/behavioral2", "https://tria.ge/230204-qvwa9add55", "https://tria.ge/230204-qvlrtadd53/behavioral3", "https://tria.ge/230202-h81h5ahc9z/behavioral2", "https://tria.ge/230202-h81h5ahc9z/behavioral3", "https://tria.ge/230201-av97eabb24/behavioral2", "https://tria.ge/230127-v6q8wsdg5y/behavioral2", "https://tria.ge/230125-kn9meafe37/behavioral1", "https://tria.ge/230125-kn9meafe37/behavioral2", "https://tria.ge/230122-tqj9zaac8v/behavioral3", "https://tria.ge/230122-tqj9zaac8v/behavioral1", "https://tria.ge/230122-tqj9zaac8v/behavioral2", "https://tria.ge/231206-hwhgsacd32/behavioral1", "https://tria.ge/231206-hwsbzscd34", "https://tria.ge/231206-hwsbzscd34/behavioral1", "https://tria.ge/231206-hvz1facd27/behavioral1" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1081", "name": "Credentials in Files", "display_name": "T1081 - Credentials in Files" }, { "id": "T1130", "name": "Install Root Certificate", "display_name": "T1130 - Install Root Certificate" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1489", "name": "Service Stop", "display_name": "T1489 - Service Stop" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1490", "name": "Inhibit System Recovery", "display_name": "T1490 - Inhibit System Recovery" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1067", "name": "Bootkit", "display_name": "T1067 - Bootkit" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1042", "name": "Change Default File Association", "display_name": "T1042 - Change Default File Association" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 39, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Merkd1904", "id": "196517", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2817, "FileHash-SHA1": 2698, "FileHash-SHA256": 2703, "domain": 65, "URL": 12, "hostname": 13, "SSLCertFingerprint": 1 }, "indicator_count": 8309, "is_author": false, "is_subscribing": null, "subscriber_count": 76, "modified_text": "746 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65708ee7a409836789d2ea66", "name": "The infectors and The infected - string.dmp", "description": "", "modified": "2023-12-06T15:10:31.338000", "created": "2023-12-06T15:10:31.338000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 71, "hostname": 81, "domain": 62, "URL": 141, "FileHash-MD5": 2, "FileHash-SHA1": 1, "email": 1 }, "indicator_count": 359, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "906 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "622eecb821c1662cc7a0d9b4", "name": "KoiMiner\u6316\u77ff\u6728\u9a6cIOC", "description": "KoiMiner\u6316\u77ff\u6728\u9a6cIOC", "modified": "2022-07-17T00:04:12.269000", "created": "2022-03-14T07:20:24.371000", "tags": [ "network", "\u6316\u77ff\u6728\u9a6c", "freebuf", "shell00", "server", "koiminer5000sql", "program", "cncert cnnvd", "wiki", "server koiminer", "sql server", "koiminer", "crack", "HotSpot", "CoinMiner" ], "references": [ "https://www.freebuf.com/articles/network/189501.html" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "KoiMiner", "display_name": "KoiMiner", "target": null } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "chuanjia_yi", "id": "176066", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 9, "FileHash-SHA1": 6, "FileHash-SHA256": 6, "URL": 17 }, "indicator_count": 38, "is_author": false, "is_subscribing": null, "subscriber_count": 46, "modified_text": "1414 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 0 }, { "id": "628d95bd59109416c444c985", "name": "The infectors and The infected - string.dmp", "description": "", "modified": "2022-06-24T00:01:00.706000", "created": "2022-05-25T02:34:37.956000", "tags": [ "ven1af4", "dev0022", "ctlrven8086", "subsys1af40022", "ctlrdev293e", "system", "ms shell", "shell dlg", "corporation", "func01", "service", "error", "open", "copy", "click", "config", "model", "close", "class", "find", "null", "encrypt", "install", "problem", "shift", "bits", "agent", "false", "mexico", "next", "desktop", "window", "small", "core", "explorer", "refresh", "fail", "info", "unknown", "swedish", "done", "pipes", "xtra", "burn", "back", "insert", "fyou", "date", "front", "turn", "starfield", "this", "dword", "critical", "panama", "uruguay", "paraguay", "italian", "calendar", "indonesia", "mongolian", "legacy", "restart", "icmp", "media", "loader", "flash", "look", "format", "screen", "green", "cascade", "defender", "toolbar", "leave", "already", "strings", "body", "dump", "generator", "restrict", "trace", "zero", "stack", "sinf", "czech", "icelandic", "korean", "polish", "slovak", "slovakia", "albanian", "albania", "turkish", "ukraine", "belarus", "armenia", "shutdown", "scroll", "reboot", "download", "minsk", "phase", "dcom", "never", "form", "target", "fullscreen", "shown", "general", "code", "blank", "specified", "refer", "accept", "waiting", "voice", "terminal", "tools", "meta", "delta", "colors", "clock", "dragdrop", "friendly" ], "references": [ "472.dmp.strings" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dorkingbeauty1", "id": "80137", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 71, "hostname": 81, "URL": 141, "domain": 62, "FileHash-MD5": 2, "FileHash-SHA1": 1, "email": 1 }, "indicator_count": 359, "is_author": false, "is_subscribing": null, "subscriber_count": 394, "modified_text": "1437 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "62221d71474b323d486dc3f2", "name": "WTF 2022", "description": "", "modified": "2022-04-03T00:00:55.161000", "created": "2022-03-04T14:08:49.518000", "tags": [], "references": [ "WTF.pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Kailula4", "id": "131997", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 587, "URL": 668, "hostname": 613, "domain": 1320, "FileHash-MD5": 59, "FileHash-SHA1": 2 }, "indicator_count": 3249, "is_author": false, "is_subscribing": null, "subscriber_count": 406, "modified_text": "1519 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "", "https://tria.ge/221017-2zl4xsdec9/behavioral14", "https://tria.ge/221012-bm6ppacbam/behavioral14", "https://tria.ge/220729-d2kf4sedgl/behavioral2", "https://vtbehaviour.commondatastorage.googleapis.com/f8959944c899789d1fa1a6de7c6818a37f237dd44f39e5301f755fddd64c9791_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775997612&Signature=l%2FoIF7cZSCGanh2IyxGroiq3YNwdCp9oVTfF02Zi7d4yp4LMuvnnLFWqVzfWbvIHB94EaU0ICQHP6MwgUb5Z4bF2OVcHxdHieB3iTKEX6sGurBIeKYNAPuakGTzCRv%2FSnZJHpZbsoH11i%2F%2BIwHQLGAKerBuNCuq%2FDi8tvVKCDiF9JQGxOYhQsjlzQJtUBiVEVnBTKbjIdeg9iAMES8qHj0eAglff6gxDk1t%2FU5HmKB1T", "https://tria.ge/220726-xskv3addar/behavioral1", "https://tria.ge/220912-rtwfashcaq/behavioral2", "https://tria.ge/220801-sppmmaafd6/behavioral19", "https://www.virustotal.com/gui/file/03759f9a14c983a9e70d17d0552fb2bff9dc1fe8c9b837f859403449ecdadd11?nocache=1", "https://tria.ge/220830-17kqdsdfb2/behavioral1", "https://tria.ge/220805-yv476aggd6/behavioral3", "https://tria.ge/220805-ft3zlafce6/behavioral1", "https://tria.ge/220803-1qs1fafge3/behavioral17", "https://tria.ge/230109-ywqq6aba3z/behavioral28", "https://tria.ge/220803-yl8h8afgdn/behavioral1", "https://tria.ge/230109-ywqq6aba3z/behavioral20", "https://tria.ge/220803-1qs1fafge3/behavioral27", "https://tria.ge/220726-x1m1dsddgl/behavioral1", "https://tria.ge/230105-xbxhjacg76/behavioral2", "https://tria.ge/220726-xskv3addar/behavioral2", "TAGS: ransom ransomware red team registrar abuse roboto samas samuel tulach scan endpoints", "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.", "https://tria.ge/230122-tqj9zaac8v/behavioral1", "https://vtbehaviour.commondatastorage.googleapis.com/26b3bfa810cd37fe4046221ab2269b360e9a6c51961db6fd95e7499e2d76d544_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775997821&Signature=IjR3qiuvOqpJ0ChD%2FQ%2B0QKlCAsWejT6Ei8KIh27ZO2t%2BnO1oDrCrR7D3x3lf6xKLr93CFw7bU1IUQONv3WbJ%2BJ0oyQ0yhyalr5VTTy1mHEphjCvObM%2B8PPv6o5cjYXYDpKVcQjBFrkgGvJxrleE5kQvx6irIRcFMTUdnDVuNEcV6sALKN3oYRo%2B%2Fvk7TA%2FfAVTtpBhUfsC4dvVAJnRQgBC4gEzEYuZN3oaDzlYUCoghsW5", "https://tria.ge/230120-1vxjesbg9t/behavioral1", "https://tria.ge/230122-tqj9zaac8v/behavioral2", "https://tria.ge/231217-yscecsfefl", "https://tria.ge/220803-yl8h8afgdn/behavioral12", "https://tria.ge/230220-pbc5wsah96/behavioral3", "https://tria.ge/220803-y6bpzsfag2/behavioral20", "https://tria.ge/220806-btaktsbea5/behavioral1", "https://tria.ge/221012-bm6ppacbam/behavioral12", "https://tria.ge/230109-ywqq6aba3z/behavioral29", "https://tria.ge/220803-ymle3sfgdp/behavioral27", "https://tria.ge/220724-tmtn8sacej/behavioral25", "https://tria.ge/220731-f45wyabgbr/behavioral3", "https://tria.ge/220803-1m4yjafgc2/behavioral9", "https://tria.ge/220912-rpzxxshbhp/behavioral2", "https://tria.ge/231217-yjcc1afeap/behavioral3", "https://tria.ge/230108-qrv63sdf97/behavioral2", "https://tria.ge/221221-zk1mnagd4x/behavioral3", "https://tria.ge/230321-f6rgbsah5x", "https://tria.ge/220805-fqatmsgbdr/behavioral3", "https://tria.ge/220724-fgjeesffc7/behavioral1", "https://tria.ge/230109-ywqq6aba3z/behavioral30", "https://tria.ge/230305-eckw1sff35/behavioral1", "https://tria.ge/220916-d8f29seef7/behavioral2", "https://tria.ge/230109-ywqq6aba3z/behavioral16", "https://tria.ge/220803-ymle3sfgdp/behavioral6", "https://tria.ge/221029-bj1z2afcdk/behavioral10", "https://tria.ge/220726-x1m1dsddgl/behavioral4", "https://tria.ge/221015-tlxz9sfgf7/behavioral2", "https://tria.ge/230115-xqrwlaag69/behavioral6", "https://tria.ge/230307-1f7e3scb88/behavioral16", "https://tria.ge/220803-1m4yjafgc2/behavioral17", "https://tria.ge/221221-zjmz6sdc27/behavioral3", "https://tria.ge/230109-ywqq6aba3z/behavioral6", "https://tria.ge/240106-dbq6zafccm/behavioral3", "https://tria.ge/220912-rp93wshbhq/behavioral2", "https://tria.ge/221007-2b72gsdga7/behavioral26", "https://tria.ge/220805-f286ksfdc7/behavioral3", "https://tria.ge/220803-1m4yjafgc2/behavioral13", "https://tria.ge/220803-1m4yjafgc2/behavioral29", "https://tria.ge/221220-y6pa3seb4w/behavioral2", "https://tria.ge/221221-h9mcwsbg93/behavioral26", "https://tria.ge/230321-f1p2bagh55/behavioral3", "https://tria.ge/220729-d8e5zadga9/behavioral2", "https://tria.ge/220803-1m4yjafgc2/behavioral2", "https://www.freebuf.com/articles/network/189501.html", "https://tria.ge/240317-kz93babd61/behavioral3", "https://tria.ge/230109-ywqq6aba3z/behavioral25", "https://tria.ge/220803-y7119sgafr/behavioral12", "https://tria.ge/230308-zttwgaha65/behavioral2", "https://tria.ge/220803-ymle3sfgdp/behavioral15", "https://www.virustotal.com/gui/file/e58fe1f551a6fb3e0a8bbaed5f8cae96194ccbbba5f4da2914a5046a4df3725e?nocache=1", "https://tria.ge/230109-ywqq6aba3z/behavioral32", "TAGS: photoshop prefs privacy service provider public tlp pulse provide pulse use pyinstaller", "https://tria.ge/230120-1vxjesbg9t/behavioral2", "https://www.virustotal.com/gui/file/32dbd62fce658336afc05435cafed68029dba626e5863a39305eaf8f42ed74cd?nocache=1", "https://tria.ge/230305-d21s4afe93/behavioral1", "https://tria.ge/240402-zjrcladb42/behavioral13", "https://tria.ge/231206-hwsbzscd34/behavioral1", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://tria.ge/220729-d3sh4seeal/behavioral2", "https://tria.ge/221225-df32bseb6z/behavioral26", "https://tria.ge/240331-ykp1gsae3z/behavioral4", "https://tria.ge/230102-s3v2kahh7v/behavioral2", "https://tria.ge/220803-yl8h8afgdn/behavioral4", "https://tria.ge/240402-zjrcladb42/behavioral17", "https://tria.ge/220803-1qs1fafge3/behavioral6", "https://tria.ge/230108-qrmvpsdf96/behavioral2", "https://tria.ge/220805-zetbdshag5/behavioral3", "https://tria.ge/220912-rpjkyaddf9/behavioral3", "https://tria.ge/221015-rqzcsaffhq/behavioral2", "https://tria.ge/230108-qr6b2sdg22/behavioral3", "https://tria.ge/221225-df32bseb6z/behavioral11", "https://tria.ge/220804-cb7naaafeq/behavioral1", "https://tria.ge/230108-qr6b2sdg22/behavioral1", "https://tria.ge/230305-d9lddafa6y/behavioral1", "https://tria.ge/220805-h1w6qshdaq/behavioral2", "https://tria.ge/230321-grwyyaha29/behavioral13", "https://tria.ge/220729-wzxyjacgal/behavioral2", "https://tria.ge/230109-ywqq6aba3z/behavioral19", "https://tria.ge/231224-3h4hbaefg7/behavioral3", "https://tria.ge/221215-sqzh8acf73/behavioral1", "https://tria.ge/230305-3s617ahd3s/behavioral2", "https://tria.ge/220803-y6bpzsfag2/behavioral26", "https://tria.ge/240331-yqk9gsaf9z/behavioral8", "https://tria.ge/230321-gr8yhaha33/behavioral9", "https://tria.ge/220726-xz7y6sddgk/behavioral1", "https://tria.ge/221015-tl29zsfgf8/behavioral2", "https://tria.ge/230109-ywqq6aba3z/behavioral22", "https://tria.ge/220912-r25nyahcbp/behavioral2", "https://tria.ge/240317-kz93babd61/behavioral2", "https://tria.ge/231015-l3gqlsdg6w/behavioral11", "TAGS: screenshot snake snake keylogger suspicious template trojan downloader trojanspy tulach url http url https x template x verce", "https://tria.ge/240107-eq4w2sfch5", "https://tria.ge/220729-24hbjaeeep/behavioral1", "https://tria.ge/220806-jrkl1sccfl/behavioral2", "https://tria.ge/230307-1xx8qsbg5v/behavioral3", "https://tria.ge/231217-zztgwsfger/behavioral2", "https://tria.ge/230108-fvadnsgb8s/behavioral27", "TAGS: create new domain email expiration filehashmd5 formbook cnc get google phish green hackers hackers heroku hostname", "https://tria.ge/230305-dycl4afa5v/behavioral29", "https://tria.ge/230102-s2ryhseg39/behavioral10", "https://tria.ge/230102-s38bwshh7y/behavioral2", "https://tria.ge/220912-regnladdd6/behavioral3", "https://tria.ge/231015-l3gqlsdg6w/behavioral8", "https://tria.ge/230305-eabwbsfa6z/behavioral2", "https://tria.ge/220802-kwqt9secdp", "https://tria.ge/220806-btaktsbea5/behavioral2", "https://tria.ge/220803-yl8h8afgdn/behavioral8", "https://tria.ge/221225-df32bseb6z/behavioral25", "https://tria.ge/220724-rtnqfsfeg6/behavioral1", "https://tria.ge/220912-r4wh2shccm/behavioral1", "https://tria.ge/220912-r36ydsdea7/behavioral2", "https://tria.ge/230113-c79shshd41/behavioral2", "https://tria.ge/230108-qvj8zshb3t/behavioral1", "https://tria.ge/220805-zetbdshag5/behavioral1", "https://tria.ge/220803-1qd7aafgd9/behavioral23", "https://tria.ge/220803-1rxd9afgf2/behavioral23", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess", "https://tria.ge/220803-yl8h8afgdn/behavioral7", "https://tria.ge/230906-vajh6shg63/behavioral3", "https://tria.ge/220803-1qs1fafge3/behavioral1", "https://tria.ge/240331-ykp1gsae3z/behavioral14", "https://tria.ge/230305-eb63vsfa61/behavioral3", "https://tria.ge/220727-bv535aghfl/behavioral1", "https://tria.ge/230108-qr1fssdf98/behavioral2", "https://tria.ge/220803-y6bpzsfag2/behavioral28", "https://tria.ge/220729-d3m9dsdfe3/behavioral2", "https://tria.ge/230108-qrmvpsdf96/behavioral1", "https://tria.ge/230109-ywqq6aba3z/behavioral11", "https://tria.ge/220803-1qs1fafge3/behavioral5", "https://tria.ge/220806-j2ztpaceak/behavioral3", "https://tria.ge/220729-dqk89secfn/behavioral1", "https://tria.ge/230125-kn9meafe37/behavioral1", "https://tria.ge/230109-ywqq6aba3z/behavioral23", "https://tria.ge/230305-d82c7sff27/behavioral3", "https://tria.ge/220803-1qs1fafge3/behavioral13", "https://tria.ge/230321-grwyyaha29/behavioral8", "https://tria.ge/240409-dhdjfsce54/behavioral3", "https://tria.ge/230305-d21s4afe93/behavioral31", "https://tria.ge/220806-jrkl1sccfl/behavioral1", "https://tria.ge/230901-qkt1faeh2v/behavioral3", "https://tria.ge/220803-1m4yjafgc2/behavioral1", "https://tria.ge/220803-1qs1fafge3/behavioral19", "https://tria.ge/230215-baxk9ahc37/behavioral1", "https://tria.ge/220803-1m4yjafgc2/behavioral23", "https://tria.ge/221007-2b72gsdga7/behavioral19", "https://tria.ge/230201-av97eabb24/behavioral2", "https://tria.ge/220806-jrkl1sccfl/behavioral3", "Twitter/ X.xom related: https://8muses.info/other/adventure-time-porn-vault-boners-3-cartoon-porn-frosty-sanchez/20/", "https://tria.ge/220803-1rxd9afgf2/behavioral15", "https://tria.ge/240107-eq4w2sfch5/behavioral7", "pornhero.net 'we don't need another hero, hero, hero...' No Expiration\t0\t URL https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian No Expiration\t0\t Hostname www.pornhub.com No Expiration\t0\t URL https://8muses.info/other/adventure-time-porn-vault-boners-3-cartoon-porn-frosty-sanchez/20/ No Expiration\t14\t URL https://8muses.info/simpsons-porn/simpsons-special-bigboy/", "https://tria.ge/220803-1qd7aafgd9/behavioral22", "https://tria.ge/220803-y6bpzsfag2/behavioral22", "https://tria.ge/230305-31dplshh79/behavioral3", "https://tria.ge/221015-tlpznafgf6/behavioral2", "https://tria.ge/220801-sppmmaafd6/behavioral28", "https://tria.ge/220803-yshldaehd8/behavioral14", "https://tria.ge/230305-eabwbsfa6z/behavioral3", "https://tria.ge/230204-rnp2bsgh3y/behavioral2", "My Independent research finds an intersect between different pdf DV versions being able to connect to Raspberry Pi devices as it was the FCC application document. Risk: Mac ID connectivity to all.", "https://tria.ge/220806-brndxabdh6/behavioral1", "https://tria.ge/220803-1m4yjafgc2/behavioral7", "https://tria.ge/221221-h9mcwsbg93/behavioral2", "https://tria.ge/240331-ykp1gsae3z/behavioral28", "https://tria.ge/221015-tlxz9sfgf7/behavioral1", "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)", "https://tria.ge/220805-ft3zlafce6/behavioral3", "https://tria.ge/240402-zjrcladb42/behavioral4", "https://www.virustotal.com/gui/file/b2b37af320b637acc1001404b6a7f9bbfc4dcfb7319bba92333be2050b398318/relations", "https://tria.ge/221025-gqnwyabfh3/behavioral3", "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.", "https://tria.ge/220805-gca3xsgeaj/behavioral3", "https://tria.ge/230305-3snjvahh67/behavioral3", "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure", "https://tria.ge/231217-yscecsfefl/behavioral11", "https://tria.ge/220806-j4w6ksfab3/behavioral3", "https://tria.ge/221115-cpxegaee62/behavioral2", "https://tria.ge/221028-y169psecbn/behavioral3", "https://tria.ge/230115-x2h3tsbb49/behavioral6", "https://tria.ge/230305-d4phvafe99/behavioral2", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)", "https://tria.ge/220726-x1m1dsddgl/behavioral2", "https://tria.ge/221212-j9yxcsdf2z/behavioral2", "https://tria.ge/221029-bj1z2afcdk/behavioral9", "https://vtbehaviour.commondatastorage.googleapis.com/f8959944c899789d1fa1a6de7c6818a37f237dd44f39e5301f755fddd64c9791_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775997952&Signature=Pc%2FXTIxysZhpywMxwwW%2BrBcX9VHIrYH%2BL3sUsVHUCm1TUbCCtQe7ZIpfTtqIl%2FWLsaehPWv%2FBt4Q6PbZH1IFYbFrKet6C2NOwwOh9WtZQ0cak9wRRun6IjZTU33hWBk4GyEAh%2FpE5nF4ND%2BQSOQuZ5DiMtHeXRlWjRI6KwJ8ApdtNpccNlYGYGKmqj%2BLK7CZTI%2FmpO8GkbS2UkwUwBa6TFoYFvBiQ5SHdRUJ2MT7t3RzWvn8hGyb", "https://tria.ge/220912-rtf1lsddg8", "https://tria.ge/240410-aceyjseb6v/behavioral4", "https://tria.ge/230308-zp7xjaga2z/behavioral3", "https://tria.ge/221015-tfg2vsfge9/behavioral2", "https://tria.ge/221015-tl29zsfgf8/behavioral1", "https://tria.ge/221017-2zl4xsdec9/behavioral29", "https://twitter.com/ootiosum/status/1812208222150726029a4dmHAxV0M0QIHawADl4Qr4kDegUI-QEQAA&usg=AOvVaw37yALadqlgoR9_xlQ5B4Hm", "https://tria.ge/220805-gca3xsgeaj/behavioral2", "https://tria.ge/230108-ftrlkagb7z/behavioral2", "https://tria.ge/230215-baxk9ahc37/behavioral2", "https://tria.ge/240129-lkztgaehh2/behavioral3", "https://tria.ge/231217-ysjtfahaf3/behavioral7", "https://tria.ge/230108-qskfzahb2y/behavioral12", "https://tria.ge/230321-gr8yhaha33/behavioral6", "https://tria.ge/220803-ymle3sfgdp/behavioral19", "https://tria.ge/230108-qrv63sdf97/behavioral3", "https://tria.ge/221007-2b72gsdga7/behavioral15", "https://tria.ge/230109-ywqq6aba3z/behavioral26", "https://tria.ge/230321-gr8yhaha33/behavioral5", "x.com related: www.pornhub.com", "https://tria.ge/240111-cahyjaccem", "https://tria.ge/220912-r2j28sdea3/behavioral1", "https://tria.ge/230305-d21s4afe93/behavioral23", "https://tria.ge/220802-kwqt9secdp/behavioral1", "https://tria.ge/230115-x2h3tsbb49/behavioral26", "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.", "https://tria.ge/220803-y6bpzsfag2/behavioral16", "https://tria.ge/220806-btaktsbea5/behavioral3", "https://tria.ge/230109-ywqq6aba3z/behavioral2", "https://tria.ge/230321-grwyyaha29/behavioral7", "https://tria.ge/220803-1m4yjafgc2/behavioral5", "https://tria.ge/220727-bv535aghfl/behavioral7", "https://tria.ge/220912-r2j28sdea3/behavioral2", "https://phyn.app/assets/images/Netflix-Background-phyn-dark.png", "https://vtbehaviour.commondatastorage.googleapis.com/f8959944c899789d1fa1a6de7c6818a37f237dd44f39e5301f755fddd64c9791_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775998043&Signature=atj43IFZmS1xhCQtPEtGr1gjAzp5YJ5SAqKqPXrExtpioezLoyIJKw91Cc1EPO9Ff86CNaeS%2BNKNidgGEvFkAFNQpY8CEvbl7dcNVj3FUVUS3ybBoI8xLShMhwUy%2F0aYbXdMfYG3KdE%2FXDvt56Et6LjAj6N0lh1mp0m48Zz2hNTlghpHTSGlP3SY1VjfKxBYwh%2BWAJOSrHiXvzeVhuN5Qj6JWU%2FLg824mJRsUPe7iyNe2u", "https://tria.ge/230108-fvadnsgb8s/behavioral12", "https://tria.ge/230115-x2h3tsbb49/behavioral10", "https://tria.ge/240402-zjrcladb42/behavioral6", "https://tria.ge/230108-ftyd4sgb71/behavioral10", "https://tria.ge/240331-yqk9gsaf9z/behavioral9", "https://tria.ge/221025-gp398sbfhp/behavioral8", "Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat", "https://tria.ge/220803-ymle3sfgdp/behavioral23", "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.", "https://tria.ge/230105-xbxhjacg76/behavioral1", "https://tria.ge/220724-slp4zsgdh2/behavioral1", "https://www.virustotal.com/gui/file/b9cee56cd245633f7debe4b6e93f1606ac6788a9749a8eba2d742cfd84e935fd?nocache=1", "https://tria.ge/231224-3h4hbaefg7/behavioral7", "https://www.virustotal.com/gui/file/b9cee56cd245633f7debe4b6e93f1606ac6788a9749a8eba2d742cfd84e935fd", "https://tria.ge/230305-eckw1sff35/behavioral3", "TAGS: api call app store as13414 twitter as15133 verizon as16625 akamai as18450 as20940 as2914 ntt as397240 as397241 asnone ca issuers", "https://tria.ge/230102-s2n7maeg38/static1", "https://tria.ge/240402-cb476add4w/behavioral2", "https://vtbehaviour.commondatastorage.googleapis.com/3aefe8dfb9c99f3a84f5f74b15afeaeca682c8c50f18fa59b2e0b06da9619f1d_SecondWrite.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775998118&Signature=oZItRZYU06S7GWIVhygTK0XUPoeDlmpVWee4ri8K1nSYOFjKP7WjYTzw03EoC6pzqFjdjNKm2lQytBKbv%2BcMJT%2F%2BWZ7nF71PUUmExKgSsvfD6PXKzUcX8vuHnJwcu3NlTOuhNKNfed2iOEAGybINfsgUO6DFzlTsGd51hjV3I%2BT4t%2FTn1aszBeDzRu01gkhvTI5%2BmXmxZfhYmVTFVADNEociZ8DSGmafzUamrXrSTRcAurmFTNmC4", "https://tria.ge/230115-x2h3tsbb49/behavioral32", "https://tria.ge/230305-dycl4afa5v/behavioral15", "https://tria.ge/220803-y6bpzsfag2/behavioral18", "https://tria.ge/221007-2b72gsdga7/behavioral25", "https://tria.ge/221007-2b72gsdga7/behavioral16", "https://tria.ge/230109-ywqq6aba3z/behavioral17", "https://tria.ge/230321-gr8yhaha33/behavioral10", "https://tria.ge/220803-1qd7aafgd9/behavioral21", "https://tria.ge/230305-d33dbafa51/behavioral2", "https://tria.ge/220912-rxb6tsddh5/behavioral2", "TAGS: all scoreblue analyzer apache autoit borpa browser canada cidr ck id ck matrix code code contact contacted", "https://tria.ge/230109-ywqq6aba3z/behavioral9", "https://tria.ge/230202-h81h5ahc9z/behavioral2", "https://tria.ge/230305-d62aesff25/behavioral1", "https://tria.ge/220806-brndxabdh6/behavioral3", "https://tria.ge/240402-zjrcladb42/behavioral29", "https://tria.ge/240402-zjrcladb42/behavioral9", "472.dmp.strings", "netflix.com Akamai rank: #6", "TAGS: passive dns pattern match title page trojandropper united 12110kb aaaa add tag adversary tags", "https://tria.ge/230109-ywqq6aba3z/behavioral21", "https://tria.ge/240106-dbq6zafccm", "https://tria.ge/220830-17kqdsdfb2/behavioral2", "https://tria.ge/240402-zjrcladb42/behavioral21", "https://tria.ge/240402-zjrcladb42/behavioral3", "https://tria.ge/220803-1m4yjafgc2/behavioral25", "https://tria.ge/220805-fwthyagcbq/behavioral2", "https://tria.ge/230109-ywqq6aba3z/behavioral24", "https://tria.ge/220805-ft3zlafce6/behavioral2", "https://tria.ge/221007-2b72gsdga7/behavioral20", "https://tria.ge/230120-lncs4sad55/behavioral3", "https://tria.ge/221115-cpxegaee62/behavioral1", "https://tria.ge/221225-destzaeb6y/behavioral1", "https://tria.ge/240402-zjrcladb42/behavioral2", "https://tria.ge/220729-d85evsdgb3/behavioral2", "https://tria.ge/220803-1qs1fafge3/behavioral3", "https://tria.ge/220805-fwthyagcbq/behavioral1", "https://tria.ge/230108-ftrlkagb7z/behavioral1", "https://tria.ge/240129-m661cagdb6", "https://tria.ge/231206-hvz1facd27/behavioral1", "https://tria.ge/220805-fqkzlsfcb6/behavioral3", "https://tria.ge/221212-kd3q4sah55/behavioral3", "https://tria.ge/230313-jp94wsbb8x/behavioral2", "https://tria.ge/221205-jd6bkada9w/behavioral1", "https://tria.ge/240317-kz93babd61", "https://tria.ge/221015-tfg2vsfge9/behavioral3", "https://tria.ge/231217-yscecsfefl/behavioral7", "https://tria.ge/220930-vmljasfbcm/behavioral2", "https://tria.ge/220724-tmtn8sacej/behavioral1", "https://tria.ge/220805-yv476aggd6/behavioral2", "https://tria.ge/220830-17kqdsdfb2/behavioral3", "https://tria.ge/220912-rn3meshbhl/behavioral2", "https://tria.ge/230307-1xx8qsbg5v/behavioral4", "https://tria.ge/220912-r2sdlshcbn/behavioral2", "https://tria.ge/221025-gp398sbfhp/behavioral7", "https://tria.ge/220803-1qd7aafgd9/behavioral15", "https://tria.ge/230321-f1p2bagh55/behavioral2", "https://tria.ge/240401-bztwnaac57/behavioral2", "https://tria.ge/220729-w1gmyabhf2/behavioral2", "https://vtbehaviour.commondatastorage.googleapis.com/f8959944c899789d1fa1a6de7c6818a37f237dd44f39e5301f755fddd64c9791_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775997378&Signature=KsJYbpoN6hteGv0hQe%2B7MgknKi2y7G9y%2Bv0JJZqMcuUdnf3gyNBPBzyKTVuoWOtaG8ix3%2BctGPzbrSe5UI3cg4Z0gK%2B6X75apikmjWPqBKofhIc5BqSpHspjoDYtiKLxroPreiitG4QqViG8yPq7ZCkMLfT71MSIE9dJ9XhV4fO2MSLHJA0qzdykwolGgi0i5r12p1nNsE1eHXJY0HwJl%2Fqka%2FKRtekjeEG1K1qHo6QJlzKhiCRubQwgU7", "https://tria.ge/240331-ykp1gsae3z/behavioral20", "https://tria.ge/220726-xz7y6sddgk/behavioral2", "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.", "https://tria.ge/220803-1qs1fafge3/behavioral23", "https://tria.ge/221029-bjlv4sfcbr/behavioral15", "https://tria.ge/231206-hwhgsacd32/behavioral1", "https://tria.ge/221212-kdv19sdf3t/behavioral32", "https://tria.ge/221025-gp398sbfhp/behavioral15", "https://tria.ge/230109-ywqq6aba3z/behavioral10", "https://tria.ge/230305-d82c7sff27/behavioral1", "https://tria.ge/220803-yl8h8afgdn/behavioral3", "https://tria.ge/231217-ysjtfahaf3", "https://tria.ge/220803-y6bpzsfag2/behavioral10", "https://tria.ge/220729-d74f6seedk/behavioral2", "https://tria.ge/221212-kdv19sdf3t/behavioral2", "https://tria.ge/240129-lkztgaehh2", "https://tria.ge/221015-tlpznafgf6/behavioral1", "https://tria.ge/230109-ywqq6aba3z/behavioral8", "https://tria.ge/230109-ywqq6aba3z/behavioral12", "https://tria.ge/230109-ywqq6aba3z/behavioral14", "https://tria.ge/230108-qr1fssdf98/behavioral3", "https://tria.ge/220803-1m4yjafgc2/behavioral19", "https://tria.ge/221221-zjjmradc26/behavioral3", "https://tria.ge/221221-h9mcwsbg93/behavioral1", "https://tria.ge/220724-tetn9shgf9", "https://tria.ge/230122-tqj9zaac8v/behavioral3", "https://tria.ge/220803-1qs1fafge3/behavioral9", "https://tria.ge/220806-brndxabdh6/behavioral2", "https://tria.ge/230108-qr1fssdf98/behavioral1", "https://tria.ge/240111-cahyjaccem/behavioral22", "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.", "https://tria.ge/220803-y6bpzsfag2/behavioral12", "https://tria.ge/220803-1m2heafgb9/behavioral8", "https://tria.ge/220803-1nlhksfgc3/behavioral32", "TAGS: iocs layoutid8 malware nameaul namecheap next no expiration pcap pdf report pegasus topic phish phishing", "https://tria.ge/220805-h1w6qshdaq/behavioral3", "https://tria.ge/221029-bjlv4sfcbr/behavioral13", "Verification failure observed in automated verification handlers during sandbox replay.", "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.", "https://tria.ge/230204-rnp2bsgh3y/behavioral1", "https://tria.ge/221015-tfg2vsfge9/behavioral1", "https://tria.ge/221221-h9mcwsbg93/behavioral32", "https://tria.ge/221012-bm6ppacbam/behavioral3", "https://tria.ge/240409-btvwrshh94/behavioral11", "https://tria.ge/230102-s3kktshh7t/behavioral2", "https://tria.ge/231217-yjcc1afeap", "https://tria.ge/240111-cahyjaccem/behavioral21", "https://tria.ge/230305-3s617ahd3s/behavioral3", "https://tria.ge/221017-2zl4xsdec9/behavioral21", "https://tria.ge/230108-qvj8zshb3t/behavioral2", "https://tria.ge/221029-bjlv4sfcbr/behavioral7", "https://tria.ge/220729-d3dd7aedhk/behavioral2", "https://tria.ge/230115-x2h3tsbb49/behavioral28", "https://tria.ge/230102-s2n7maeg38/behavioral12", "https://tria.ge/230108-qskfzahb2y/behavioral28", "https://tria.ge/220803-1m4yjafgc2/behavioral15", "https://tria.ge/220912-rxnvmaddh6/behavioral2", "https://tria.ge/230109-ywqq6aba3z/behavioral5", "https://tria.ge/230220-pbc5wsah96/behavioral2", "https://tria.ge/220729-ecv2zsdgd7/behavioral2", "https://tria.ge/221225-destzaeb6y/behavioral2", "https://tria.ge/220803-1m4yjafgc2/behavioral22", "https://tria.ge/230109-ywqq6aba3z/behavioral27", "https://tria.ge/230113-dbgbrshd61/behavioral5", "https://tria.ge/221224-hqfq1ahf77/behavioral1", "https://tria.ge/230102-s4zq5seg44/behavioral32", "https://tria.ge/220730-chkgbsehh6/behavioral2", "https://tria.ge/221017-2zl4xsdec9/behavioral31", "https://tria.ge/220803-1qs1fafge3/behavioral2", "https://tria.ge/221025-gp398sbfhp/behavioral6", "https://tria.ge/221029-bj1z2afcdk/behavioral5", "https://tria.ge/220803-zggqdafbh7/behavioral2", "https://tria.ge/220805-f286ksfdc7", "https://tria.ge/240331-yqk9gsaf9z/behavioral10", "https://tria.ge/230321-grwyyaha29/behavioral16", "https://tria.ge/240409-btvwrshh94/behavioral2", "https://tria.ge/220724-tmtn8sacej/behavioral26", "https://tria.ge/220805-h1w6qshdaq/behavioral1", "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.", "https://tria.ge/221017-2zl4xsdec9/behavioral9", "https://tria.ge/230305-d62aesff25/behavioral2", "https://tria.ge/220726-xz7y6sddgk/behavioral4", "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).", "https://tria.ge/220804-cb7naaafeq", "https://tria.ge/221025-gp398sbfhp/behavioral9", "https://tria.ge/231224-g5gq6sbhb2/behavioral7", "https://tria.ge/221202-wskpmaeg7x/behavioral1", "https://tria.ge/220803-1m4yjafgc2/behavioral31", "https://tria.ge/240317-kz93babd61/behavioral7", "https://tria.ge/220803-1pfnqagffp/behavioral32", "https://tria.ge/240331-ykp1gsae3z/behavioral12", "https://tria.ge/220805-gv8rxafgf8/behavioral3", "https://tria.ge/221014-2dbfasegfn/behavioral3", "https://tria.ge/220803-ymle3sfgdp/behavioral28", "https://tria.ge/230204-qvwa9add55", "https://tria.ge/221007-2b72gsdga7/behavioral32", "https://vtbehaviour.commondatastorage.googleapis.com/3aefe8dfb9c99f3a84f5f74b15afeaeca682c8c50f18fa59b2e0b06da9619f1d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775998463&Signature=qYYMHcxIAT2xuxsg%2F5YbX%2B0y0xuq1Bdd9afbiFWSZHWHsm16y4KPWqE8YDY6heMDu8H6K1bmLZjUn59Bei5cJgnVJtX4Qv6%2FJ9i%2FJXNS6kxDf5xDJvv%2FF%2FcK%2FVKyZS%2BVYzAwJ2OLrXxw4BNVIrT4nxtE34M2lc%2FjwH6H%2FLWNBighCC1k8cvWNbNJkBtGmfWtAfK%2FueAgi5glMRbAmq7xAC5XJGlhgUzo%2Fu2U9N", "https://tria.ge/220729-dqgwvaecfm/behavioral1", "https://tria.ge/220803-1qs1fafge3/behavioral25", "https://tria.ge/230305-d9lddafa6y/behavioral2", "https://tria.ge/221224-hvmp4shf85/behavioral2", "https://tria.ge/221224-hqfq1ahf77/behavioral2", "https://tria.ge/220803-1m4yjafgc2/behavioral6", "https://tria.ge/230108-ftyd4sgb71/behavioral9", "https://tria.ge/230109-ywqq6aba3z/behavioral13", "WTF.pdf", "https://tria.ge/240402-zjrcladb42/behavioral1", "TAGS: camaro dragon canada click cloudfront cname co number code contact content content gmt copy crlf line cyber defense", "https://tria.ge/220726-x1m1dsddgl/behavioral3", "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.", "https://tria.ge/220803-1nlhksfgc3/behavioral1", "https://tria.ge/230102-tekflaeg63/static1", "https://tria.ge/221205-jd6bkada9w/behavioral2", "https://tria.ge/230324-g8jd6seg41/behavioral3", "https://www.virustotal.com/gui/file/049645f56e88a33c0d5d74b5ad9dc7da425a326ee72db4885b712c16f9edeb54?nocache=1", "https://tria.ge/220806-jrkl1sccfl", "https://tria.ge/221212-kcchjaah54/behavioral1", "https://tria.ge/220803-1rxd9afgf2/behavioral27", "https://tria.ge/230305-d8rtrsff26/behavioral2", "https://tria.ge/230108-fvadnsgb8s/behavioral2", "https://tria.ge/230305-d4a1fsfe98/behavioral1", "https://tria.ge/230324-g9c9jscf67/behavioral2", "https://tria.ge/220729-d7ta7sdfh9/behavioral2", "https://tria.ge/221029-bjlv4sfcbr/behavioral8", "https://tria.ge/230106-ryhp1ace8y/behavioral2", "https://tria.ge/220727-bv535aghfl/behavioral8", "https://tria.ge/220803-1qd7aafgd9/behavioral28", "https://tria.ge/240402-zjrcladb42/behavioral27", "https://tria.ge/231206-hwsbzscd34", "https://tria.ge/220724-tacvysheh8/behavioral7", "https://twitter.com/PORNO_SEXYBABES [Twitter Tsara Brashears related]", "https://tria.ge/230109-ywqq6aba3z/behavioral7", "https://tria.ge/240111-cahyjaccem/behavioral30", "https://tria.ge/230204-qvlrtadd53/behavioral3", "https://tria.ge/220729-wzxyjacgal/behavioral1", "https://tria.ge/220912-rsreyshcam/behavioral2", "https://tria.ge/240401-b3bt9aad37/behavioral11", "https://tria.ge/230307-1f7e3scb88/behavioral4", "https://tria.ge/230109-ywqq6aba3z", "https://tria.ge/240409-25x4dagh63/behavioral4", "https://tria.ge/230308-zr5j7aha49/behavioral2", "https://tria.ge/221017-2zl4xsdec9/behavioral18", "https://tria.ge/230305-d33dbafa51/behavioral1", "https://tria.ge/220912-r3z5vahccj/behavioral2", "https://tria.ge/231217-yl3mzafebp", "https://tria.ge/220806-j3912scebk/behavioral3", "https://tria.ge/221221-zvhvlagd7y/behavioral3", "https://tria.ge/230125-kn9meafe37/behavioral2", "https://tria.ge/230108-qsdneshb2w/behavioral10", "https://tria.ge/220803-1qs1fafge3/behavioral22", "https://tria.ge/230305-dycl4afa5v/behavioral27", "https://tria.ge/221221-zjezkagd3w/behavioral3", "https://tria.ge/230305-d21s4afe93/behavioral13", "https://tria.ge/230202-h81h5ahc9z/behavioral3", "https://tria.ge/230305-d21s4afe93/behavioral21", "https://tria.ge/230307-1rdl5scc53/behavioral1", "https://tria.ge/220803-1m4yjafgc2/behavioral3", "https://tria.ge/220912-r2dkfsdea2/behavioral2", "https://tria.ge/220806-j2ztpaceak/behavioral1", "https://tria.ge/220912-rsc8bsddg6/behavioral3", "https://tria.ge/231217-yl3mzafebp/behavioral2", "https://tria.ge/240129-m661cagdb6/behavioral2", "https://tria.ge/220724-sheh3sgddl/behavioral1", "https://tria.ge/221017-2zl4xsdec9/behavioral25", "https://tria.ge/240402-zjrcladb42/behavioral25", "https://tria.ge/220724-fgjeesffc7/behavioral2", "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr", "https://tria.ge/220803-1m4yjafgc2/behavioral27", "https://tria.ge/221025-gp398sbfhp/behavioral4", "https://tria.ge/221025-gp398sbfhp/behavioral5", "phyn.app", "https://tria.ge/220912-rqlrpahbhr/behavioral2", "https://tria.ge/230109-ywqq6aba3z/behavioral18", "https://tria.ge/220803-yshldaehd8/behavioral3", "https://tria.ge/230321-grwyyaha29/behavioral15", "https://tria.ge/221215-ta2t3sff7y/behavioral4", "https://tria.ge/220724-tmtn8sacej/behavioral15", "https://tria.ge/220912-r4wh2shccm", "https://tria.ge/230113-ctz16adf45", "https://tria.ge/220803-1pfnqagffp/behavioral4", "https://tria.ge/230109-ywqq6aba3z/behavioral31", "https://tria.ge/231224-g5gq6sbhb2", "https://tria.ge/231128-vbn52sbf51/behavioral7", "https://tria.ge/220729-d8av9adga3/behavioral2", "https://tria.ge/220729-d3yecseeam/behavioral2", "https://tria.ge/220930-vmv3qsfbcn/behavioral2", "https://tria.ge/220912-r16vlsddh9/behavioral2", "https://tria.ge/230113-dfhemadg66/behavioral7", "https://tria.ge/230305-dycl4afa5v/behavioral7", "https://tria.ge/220803-1rxd9afgf2/behavioral28", "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.", "https://tria.ge/240331-ykp1gsae3z/behavioral2", "https://tria.ge/221202-wskpmaeg7x/behavioral2", "https://tria.ge/221025-gqnwyabfh3/behavioral2", "https://tria.ge/240111-cahyjaccem/behavioral29", "https://www.virustotal.com/gui/file/8694bebdcbe7854aae97fcecfce0fa0b5a9aa07b5f95cd2e55d62a25caaaa8d8?nocache=1", "https://tria.ge/230108-qrv63sdf97/behavioral1", "http://borpatoken.com/", "https://tria.ge/221025-gqnwyabfh3/behavioral1", "https://tria.ge/231217-yjcc1afeap/behavioral7", "https://tria.ge/230127-v6q8wsdg5y/behavioral2", "https://tria.ge/230108-qskfzahb2y/behavioral27", "https://tria.ge/230305-dyzrmafe89", "https://tria.ge/221212-kcchjaah54/behavioral2", "https://tria.ge/230108-qrmvpsdf96/behavioral3", "https://tria.ge/230115-x2h3tsbb49/behavioral14", "https://tria.ge/230113-ctz16adf45/behavioral1", "https://tria.ge/220912-r4fsladea8/behavioral1", "https://tria.ge/230108-qr6b2sdg22/behavioral2", "https://tria.ge/230324-hax1cacf74", "https://tria.ge/220803-1qs1fafge3/behavioral29", "https://tria.ge/240402-zjrcladb42/behavioral5", "https://tria.ge/220729-d347xadfe7/behavioral2", "https://tria.ge/220803-1rxd9afgf2/behavioral19", "https://tria.ge/220805-gv8rxafgf8/behavioral1", "https://tria.ge/240402-zjrcladb42/behavioral28", "https://tria.ge/220803-1qd7aafgd9/behavioral24", "https://tria.ge/230109-ywqq6aba3z/behavioral15", "https://tria.ge/230305-d8rtrsff26/behavioral1", "TAGS: email expiry gmt false file files final url for privacy form format malware beacon meta http meta tags namecheap inc", "imurmurhash.min.js", "https://tria.ge/240331-y9w54abd6t/behavioral7", "https://tria.ge/230113-c3xbmadf82/behavioral2", "https://tria.ge/220729-ecnb5sdgd5/behavioral2", "https://tria.ge/220803-1m2heafgb9/behavioral13", "https://tria.ge/221017-2zl4xsdec9/behavioral17", "https://tria.ge/240409-btvwrshh94/behavioral3", "https://tria.ge/220729-d1hwwsdfc7/behavioral2", "https://tria.ge/230305-31dplshh79/behavioral2", "https://tria.ge/240402-zjrcladb42/behavioral13/analog", "https://tria.ge/220805-fwthyagcbq/behavioral3", "https://tria.ge/220726-xz7y6sddgk/behavioral3", "https://tria.ge/231206-gkeq3sbg68/behavioral7", "https://tria.ge/231224-3h4hbaefg7", "https://tria.ge/220803-yshldaehd8/behavioral13", "https://tria.ge/221029-bj1z2afcdk/behavioral6", "https://tria.ge/240111-cahyjaccem/behavioral11", "https://tria.ge/220801-sppmmaafd6/behavioral20", "https://tria.ge/231217-yl3mzafebp/behavioral7", "https://tria.ge/231217-zztgwsfger", "https://tria.ge/221212-kcchjaah54/behavioral3", "https://tria.ge/220724-rl2mcafdbm/behavioral1", "https://tria.ge/231206-hf1cnacb98/behavioral7", "https://tria.ge/240111-cahyjaccem/behavioral31", "https://tria.ge/230305-d4phvafe99/behavioral1" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [], "malware_families": [ "Koiminer" ], "industries": [ "Legal, financial, healthcare, government, municipal, real-estate, enterprise-technology, critical-in" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 14, "pulses": [ { "id": "698e93e1ab02db8c49e8c3ed", "name": "\u201cBroken Seal\u201d DocuSign-themed Delivery with Fileless Process Hollowing (Zeppelin/Bloat-A)", "description": "Forensic analysis indicates a DocuSign-themed phishing campaign using a deliberately invalid X.509 PKI seal (\u201cBroken Seal\u201d) to trigger fail-open verification logic in automated handlers. The delivery mechanism bypasses Secure Email Gateway (SEG) reputation checks by using encrypted channels and human-gated infrastructure. The payload is a fileless Process Hollowing (RunPE) malware that injects into RWX memory of legitimate processes to evade disk-based EDR.", "modified": "2026-05-17T15:52:35.396000", "created": "2026-02-13T03:00:49.872000", "tags": [ "Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi", "9698f46495ce9401c8bcaf9a2afe1598", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)", "MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71", "Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link", "DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)" ], "references": [ "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)", "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.", "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess", "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.", "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.", "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)", "Verification failure observed in automated verification handlers during sandbox replay.", "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.", "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.", "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.", "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.", "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).", "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.", "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.", "Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat", "", "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr", "My Independent research finds an intersect between different pdf DV versions being able to connect to Raspberry Pi devices as it was the FCC application document. Risk: Mac ID connectivity to all." ], "public": 1, "adversary": "", "targeted_countries": [ "China", "United States of America", "Spain", "Japan", "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In" ], "TLP": "green", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 28000, "FileHash-SHA256": 48374, "FileHash-MD5": 42596, "FileHash-SHA1": 23243, "hostname": 35654, "URL": 75758, "SSLCertFingerprint": 30, "CVE": 7585, "email": 316, "FileHash-IMPHASH": 8, "CIDR": 26205, "JA3": 1, "URI": 5, "IPv4": 574, "Mutex": 1 }, "indicator_count": 288350, "is_author": false, "is_subscribing": null, "subscriber_count": 92, "modified_text": "13 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69db956f031caeb41837fe82", "name": "VirusTotal report\n for Digi-Loader-1-exe-Download-Added-TOP.pdf", "description": " A collection from U or Oreg. - thanks to the tipster. While the dates askew from cert. abuse the overall Month/day appear aligned, however the diff year predated to invalid certs (suspect- more than a theory). Interesting, research subjects pii on pdx flight aligns.\nConsistent \"Research time signed outside timestamp\" burden of proof has been met, goodnight. \nSecond Write- Can read a malicious pdf docs quicker than anyone. Thank you Second Write Sandbox", "modified": "2026-05-12T14:28:43.689000", "created": "2026-04-12T12:51:59.240000", "tags": [ "file type", "united", "json", "com executable", "network info", "malicious", "urls", "t1055 process", "ascii", "mitre attack", "phishing", "next", "windows sandbox", "calls process", "foxpro fpt", "links file", "152 x", "sqlite version", "utf8", "sqlite rollback", "default", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "strong", "library", "win1", "cultureneutral", "accept", "shutdown", "back", "msie", "windows nt", "wow64", "slcc2", "media center", "get http", "type annot", "subtype link", "rect", "stream", "xport", "possible", "matrix", "packer", "strings", "enterprise", "sandbox", "title", "core", "agent", "snort", "context", "destination ip", "http requests", "dns resolutions", "acrongl integ", "adc4240758", "sha1", "potential pdx intersect", "spellbound. librarian things" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/f8959944c899789d1fa1a6de7c6818a37f237dd44f39e5301f755fddd64c9791_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775997378&Signature=KsJYbpoN6hteGv0hQe%2B7MgknKi2y7G9y%2Bv0JJZqMcuUdnf3gyNBPBzyKTVuoWOtaG8ix3%2BctGPzbrSe5UI3cg4Z0gK%2B6X75apikmjWPqBKofhIc5BqSpHspjoDYtiKLxroPreiitG4QqViG8yPq7ZCkMLfT71MSIE9dJ9XhV4fO2MSLHJA0qzdykwolGgi0i5r12p1nNsE1eHXJY0HwJl%2Fqka%2FKRtekjeEG1K1qHo6QJlzKhiCRubQwgU7", "https://vtbehaviour.commondatastorage.googleapis.com/f8959944c899789d1fa1a6de7c6818a37f237dd44f39e5301f755fddd64c9791_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775997612&Signature=l%2FoIF7cZSCGanh2IyxGroiq3YNwdCp9oVTfF02Zi7d4yp4LMuvnnLFWqVzfWbvIHB94EaU0ICQHP6MwgUb5Z4bF2OVcHxdHieB3iTKEX6sGurBIeKYNAPuakGTzCRv%2FSnZJHpZbsoH11i%2F%2BIwHQLGAKerBuNCuq%2FDi8tvVKCDiF9JQGxOYhQsjlzQJtUBiVEVnBTKbjIdeg9iAMES8qHj0eAglff6gxDk1t%2FU5HmKB1T", "https://vtbehaviour.commondatastorage.googleapis.com/26b3bfa810cd37fe4046221ab2269b360e9a6c51961db6fd95e7499e2d76d544_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775997821&Signature=IjR3qiuvOqpJ0ChD%2FQ%2B0QKlCAsWejT6Ei8KIh27ZO2t%2BnO1oDrCrR7D3x3lf6xKLr93CFw7bU1IUQONv3WbJ%2BJ0oyQ0yhyalr5VTTy1mHEphjCvObM%2B8PPv6o5cjYXYDpKVcQjBFrkgGvJxrleE5kQvx6irIRcFMTUdnDVuNEcV6sALKN3oYRo%2B%2Fvk7TA%2FfAVTtpBhUfsC4dvVAJnRQgBC4gEzEYuZN3oaDzlYUCoghsW5", "https://vtbehaviour.commondatastorage.googleapis.com/f8959944c899789d1fa1a6de7c6818a37f237dd44f39e5301f755fddd64c9791_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775997952&Signature=Pc%2FXTIxysZhpywMxwwW%2BrBcX9VHIrYH%2BL3sUsVHUCm1TUbCCtQe7ZIpfTtqIl%2FWLsaehPWv%2FBt4Q6PbZH1IFYbFrKet6C2NOwwOh9WtZQ0cak9wRRun6IjZTU33hWBk4GyEAh%2FpE5nF4ND%2BQSOQuZ5DiMtHeXRlWjRI6KwJ8ApdtNpccNlYGYGKmqj%2BLK7CZTI%2FmpO8GkbS2UkwUwBa6TFoYFvBiQ5SHdRUJ2MT7t3RzWvn8hGyb", "https://vtbehaviour.commondatastorage.googleapis.com/f8959944c899789d1fa1a6de7c6818a37f237dd44f39e5301f755fddd64c9791_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775998043&Signature=atj43IFZmS1xhCQtPEtGr1gjAzp5YJ5SAqKqPXrExtpioezLoyIJKw91Cc1EPO9Ff86CNaeS%2BNKNidgGEvFkAFNQpY8CEvbl7dcNVj3FUVUS3ybBoI8xLShMhwUy%2F0aYbXdMfYG3KdE%2FXDvt56Et6LjAj6N0lh1mp0m48Zz2hNTlghpHTSGlP3SY1VjfKxBYwh%2BWAJOSrHiXvzeVhuN5Qj6JWU%2FLg824mJRsUPe7iyNe2u", "https://vtbehaviour.commondatastorage.googleapis.com/3aefe8dfb9c99f3a84f5f74b15afeaeca682c8c50f18fa59b2e0b06da9619f1d_SecondWrite.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775998118&Signature=oZItRZYU06S7GWIVhygTK0XUPoeDlmpVWee4ri8K1nSYOFjKP7WjYTzw03EoC6pzqFjdjNKm2lQytBKbv%2BcMJT%2F%2BWZ7nF71PUUmExKgSsvfD6PXKzUcX8vuHnJwcu3NlTOuhNKNfed2iOEAGybINfsgUO6DFzlTsGd51hjV3I%2BT4t%2FTn1aszBeDzRu01gkhvTI5%2BmXmxZfhYmVTFVADNEociZ8DSGmafzUamrXrSTRcAurmFTNmC4", "https://vtbehaviour.commondatastorage.googleapis.com/3aefe8dfb9c99f3a84f5f74b15afeaeca682c8c50f18fa59b2e0b06da9619f1d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775998463&Signature=qYYMHcxIAT2xuxsg%2F5YbX%2B0y0xuq1Bdd9afbiFWSZHWHsm16y4KPWqE8YDY6heMDu8H6K1bmLZjUn59Bei5cJgnVJtX4Qv6%2FJ9i%2FJXNS6kxDf5xDJvv%2FF%2FcK%2FVKyZS%2BVYzAwJ2OLrXxw4BNVIrT4nxtE34M2lc%2FjwH6H%2FLWNBighCC1k8cvWNbNJkBtGmfWtAfK%2FueAgi5glMRbAmq7xAC5XJGlhgUzo%2Fu2U9N", "" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 458, "FileHash-MD5": 575, "FileHash-SHA1": 478, "FileHash-SHA256": 1401, "domain": 96, "hostname": 235, "email": 6, "CVE": 3 }, "indicator_count": 3252, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "18 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69fc4d77afa81737a1d6262c", "name": "Fsysna - Privileged Agent Rufus", "description": "The adversary exploits the legitimate operational footprint of Rufus to mask Master Boot Record (MBR) manipulation and bypass heuristic defenses. This indicates a well-versed actor utilizing high-integrity tool-masking to maintain stealth.Technical AnalysisSubversion of Security Policies: The artifact targets HKLM\\\u2026\\SAFER\\CODEIDENTIFIERS to enumerate and likely neutralize Software Restriction Policies (SRP).Direct Disk Manipulation: Exploits the utility\u2019s disk-write primitive to establish persistence at the boot layer, bypassing standard OS-level detection.Privileged Discovery: Forces UAC elevation to conduct exhaustive hardware reconnaissance and volume profiling, facilitating environmental awareness.Heuristic Evasion: masquerades as a trusted unsigned binary to exploit the \"administrative whitelist\" blind spot in signature-based engines.", "modified": "2026-05-08T06:33:56.667000", "created": "2026-05-07T08:29:43.174000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 138, "domain": 29, "FileHash-MD5": 6, "FileHash-SHA1": 6, "IPv4": 41, "hostname": 79, "URL": 84, "email": 48 }, "indicator_count": 431, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "23 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69fc4d769e89dc96fce03ffe", "name": "Fsysna - Privileged Agent Rufus", "description": "The adversary exploits the legitimate operational footprint of Rufus to mask Master Boot Record (MBR) manipulation and bypass heuristic defenses. This indicates a well-versed actor utilizing high-integrity tool-masking to maintain stealth.Technical AnalysisSubversion of Security Policies: The artifact targets HKLM\\\u2026\\SAFER\\CODEIDENTIFIERS to enumerate and likely neutralize Software Restriction Policies (SRP).Direct Disk Manipulation: Exploits the utility\u2019s disk-write primitive to establish persistence at the boot layer, bypassing standard OS-level detection.Privileged Discovery: Forces UAC elevation to conduct exhaustive hardware reconnaissance and volume profiling, facilitating environmental awareness.Heuristic Evasion: masquerades as a trusted unsigned binary to exploit the \"administrative whitelist\" blind spot in signature-based engines.", "modified": "2026-05-08T06:33:56.571000", "created": "2026-05-07T08:29:42.377000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 138, "domain": 29, "FileHash-MD5": 6, "FileHash-SHA1": 6, "IPv4": 41, "hostname": 79, "URL": 84, "email": 48 }, "indicator_count": 431, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "23 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69fc4d75bbb155224dcb27b7", "name": "Fsysna - Privileged Agent Rufus", "description": "The adversary exploits the legitimate operational footprint of Rufus to mask Master Boot Record (MBR) manipulation and bypass heuristic defenses. This indicates a well-versed actor utilizing high-integrity tool-masking to maintain stealth.Technical AnalysisSubversion of Security Policies: The artifact targets HKLM\\\u2026\\SAFER\\CODEIDENTIFIERS to enumerate and likely neutralize Software Restriction Policies (SRP).Direct Disk Manipulation: Exploits the utility\u2019s disk-write primitive to establish persistence at the boot layer, bypassing standard OS-level detection.Privileged Discovery: Forces UAC elevation to conduct exhaustive hardware reconnaissance and volume profiling, facilitating environmental awareness.Heuristic Evasion: masquerades as a trusted unsigned binary to exploit the \"administrative whitelist\" blind spot in signature-based engines.", "modified": "2026-05-08T06:33:55.728000", "created": "2026-05-07T08:29:41.963000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 138, "domain": 30, "FileHash-MD5": 6, "FileHash-SHA1": 6, "IPv4": 41, "hostname": 79, "URL": 84, "email": 48 }, "indicator_count": 432, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "23 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69eae3465a9cbe437bca96df", "name": "[The infectors and The infected - string.dmp] credit: DorkingBeauty1 Cloned", "description": "", "modified": "2026-04-24T03:28:06.951000", "created": "2026-04-24T03:28:06.951000", "tags": [ "ven1af4", "dev0022", "ctlrven8086", "subsys1af40022", "ctlrdev293e", "system", "ms shell", "shell dlg", "corporation", "func01", "service", "error", "open", "copy", "click", "config", "model", "close", "class", "find", "null", "encrypt", "install", "problem", "shift", "bits", "agent", "false", "mexico", "next", "desktop", "window", "small", "core", "explorer", "refresh", "fail", "info", "unknown", "swedish", "done", "pipes", "xtra", "burn", "back", "insert", "fyou", "date", "front", "turn", "starfield", "this", "dword", "critical", "panama", "uruguay", "paraguay", "italian", "calendar", "indonesia", "mongolian", "legacy", "restart", "icmp", "media", "loader", "flash", "look", "format", "screen", "green", "cascade", "defender", "toolbar", "leave", "already", "strings", "body", "dump", "generator", "restrict", "trace", "zero", "stack", "sinf", "czech", "icelandic", "korean", "polish", "slovak", "slovakia", "albanian", "albania", "turkish", "ukraine", "belarus", "armenia", "shutdown", "scroll", "reboot", "download", "minsk", "phase", "dcom", "never", "form", "target", "fullscreen", "shown", "general", "code", "blank", "specified", "refer", "accept", "waiting", "voice", "terminal", "tools", "meta", "delta", "colors", "clock", "dragdrop", "friendly" ], "references": [ "472.dmp.strings" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "628d95bd59109416c444c985", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 71, "hostname": 81, "URL": 141, "domain": 62, "FileHash-MD5": 2, "FileHash-SHA1": 1, "email": 1 }, "indicator_count": 359, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "37 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69c5d13d94af758096d048b9", "name": "Comprehensive Tria.ge import - Pro tip by Merkd1904 clone", "description": "", "modified": "2026-03-27T00:37:17.833000", "created": "2026-03-27T00:37:17.833000", "tags": [ "implementation", "murmurhash3", "jens taylor", "gary court", "austin appleby", "typeof h", "please", "javascript", "triage", "malware", "analysis", "report", "reported", "analyze", "sandbox", "score", "behavioral task", "resource", "ck v13", "general", "target", "size", "sha256", "sha512", "ssdeep", "config", "copy", "shell", "sample", "sha1", "execution", "sample sample", "gpio promo", "sample gpio", "gpio2 driv", "sample gpio2", "target gpio", "adversaries", "bypass", "download submit", "filesize", "executes", "file", "download", "key value", "set value", "explorer", "class", "monitor", "signatures", "discovery", "iocs", "asusit885", "vendady", "venmsft", "proddadydvdrom4", "prodharddisk4", "drops file", "checks scsi", "processes", "network", "replay", "armourycra", "armoury crate", "token", "exe loads", "factory", "prefetch8", "service", "ck v6", "mitre", "f13eed8e", "suspicious use", "samsungma", "defense", "alderlakep", "alderlake", "sunrisepoi", "skylakesk", "tigerlakep", "reads cpu", "reads runtime", "tmpinxi", "ttps", "checks computer", "ngen worker", "process", "state migration", "installer", "binzsh c", "ksversion", "kschannelid", "apps", "plugins", "xpcproxy", "helper", "chrome helper", "renderer", "binlaunchctl", "data filesize", "error", "document being", "devnull md5", "play", "hypervisor", "mount o", "t iso9660", "f varlogmount", "analog", "triage submit", "static", "report analysis", "logs loading", "analysis log", "dos win95", "f win98", "f hpfs", "w95 f", "fat12 fat16", "extend", "setpasswd", "f root", "checks cpu", "discovery t1082", "managerwar", "wifinetwor", "query registry", "multimedia", "inprocserver32", "apartment", "typelib", "persistence", "progid", "nummethods", "10 discovery", "t1012 system", "appdir", "prefetch1", "registers com", "both", "chromehtml", "windowsdef", "enumerates", "systemroot", "windows media", "9801", "components", "checks", "localserver32", "open", "edit", "xport", "maxwellbio", "execution flow", "write file", "nvidialin", "excel", "sample https", "modifies", "fdoemcdcd", "klinks", "t1120 system", "windowstemp", "sample read", "traffic", "go play", "sample go", "cuckptn", "cuckicrc", "binsh c", "tags", "deviceinfo", "windowsinf", "targets", "ck matrix", "attempts", "m2 ssd", "p40 game", "filesintelintel", "legacy", "catalogfile", "pciven8086", "ndisasuss", "sample http", "microsoftw", "destination ip", "waasregke", "qeaa", "ueaa", "yaxxz", "iebapeadxz", "iebapeagxz", "headers dll", "lredmond", "locale", "suspicious", "player list", "sample bcd", "resources", "usrbinlogger t", "updater", "pid1522", "shadow copy", "dellsuppor", "landriver", "inputperso", "ipsmigrati", "sample intel", "servicingkey", "0008", "viper m2", "cannonlake", "cometlakep", "coffeelake", "cometlake", "10 blocklisted", "data", "supportass", "iocs reads", "APT1" ], "references": [ "imurmurhash.min.js", "https://www.virustotal.com/gui/file/e58fe1f551a6fb3e0a8bbaed5f8cae96194ccbbba5f4da2914a5046a4df3725e?nocache=1", "https://www.virustotal.com/gui/file/03759f9a14c983a9e70d17d0552fb2bff9dc1fe8c9b837f859403449ecdadd11?nocache=1", "https://www.virustotal.com/gui/file/32dbd62fce658336afc05435cafed68029dba626e5863a39305eaf8f42ed74cd?nocache=1", "https://www.virustotal.com/gui/file/049645f56e88a33c0d5d74b5ad9dc7da425a326ee72db4885b712c16f9edeb54?nocache=1", "https://www.virustotal.com/gui/file/b9cee56cd245633f7debe4b6e93f1606ac6788a9749a8eba2d742cfd84e935fd?nocache=1", "https://www.virustotal.com/gui/file/b9cee56cd245633f7debe4b6e93f1606ac6788a9749a8eba2d742cfd84e935fd", "https://www.virustotal.com/gui/file/8694bebdcbe7854aae97fcecfce0fa0b5a9aa07b5f95cd2e55d62a25caaaa8d8?nocache=1", "https://www.virustotal.com/gui/file/b2b37af320b637acc1001404b6a7f9bbfc4dcfb7319bba92333be2050b398318/relations", "https://tria.ge/231217-yjcc1afeap", "https://tria.ge/231217-yl3mzafebp", "https://tria.ge/231217-yscecsfefl", "https://tria.ge/231217-ysjtfahaf3", "https://tria.ge/231217-zztgwsfger", "https://tria.ge/231224-g5gq6sbhb2", "https://tria.ge/231224-3h4hbaefg7", "https://tria.ge/240106-dbq6zafccm", "https://tria.ge/240107-eq4w2sfch5", "https://tria.ge/240111-cahyjaccem", "https://tria.ge/240129-lkztgaehh2", "https://tria.ge/240129-m661cagdb6", "https://tria.ge/240317-kz93babd61", "https://tria.ge/240317-kz93babd61/behavioral2", "https://tria.ge/240410-aceyjseb6v/behavioral4", "https://tria.ge/230108-ftrlkagb7z/behavioral1", "https://tria.ge/230108-ftyd4sgb71/behavioral10", "https://tria.ge/230108-fvadnsgb8s/behavioral27", "https://tria.ge/230108-qrmvpsdf96/behavioral3", "https://tria.ge/230108-qrv63sdf97/behavioral3", "https://tria.ge/230108-qr1fssdf98/behavioral2", "https://tria.ge/230108-qr6b2sdg22/behavioral3", "https://tria.ge/230108-qsdneshb2w/behavioral10", "https://tria.ge/230113-ctz16adf45/behavioral1", "https://tria.ge/230113-c3xbmadf82/behavioral2", "https://tria.ge/230113-c79shshd41/behavioral2", "https://tria.ge/230108-qvj8zshb3t/behavioral2", "https://tria.ge/230109-ywqq6aba3z/behavioral27", "https://tria.ge/230113-dbgbrshd61/behavioral5", "https://tria.ge/230113-dfhemadg66/behavioral7", "https://tria.ge/231015-l3gqlsdg6w/behavioral11", "https://tria.ge/230906-vajh6shg63/behavioral3", "https://tria.ge/230901-qkt1faeh2v/behavioral3", "https://tria.ge/231128-vbn52sbf51/behavioral7", "https://tria.ge/231206-gkeq3sbg68/behavioral7", "https://tria.ge/231206-hf1cnacb98/behavioral7", "https://tria.ge/240409-25x4dagh63/behavioral4", "https://tria.ge/240409-dhdjfsce54/behavioral3", "https://tria.ge/240409-btvwrshh94/behavioral2", "https://tria.ge/240402-zjrcladb42/behavioral28", "https://tria.ge/240402-zjrcladb42/behavioral27", "https://tria.ge/240402-zjrcladb42/behavioral1", "https://tria.ge/240402-zjrcladb42/behavioral2", "https://tria.ge/240402-zjrcladb42/behavioral3", "https://tria.ge/240402-zjrcladb42/behavioral4", "https://tria.ge/240402-zjrcladb42/behavioral5", "https://tria.ge/240402-zjrcladb42/behavioral6", "https://tria.ge/240402-zjrcladb42/behavioral9", "https://tria.ge/240402-zjrcladb42/behavioral13", "https://tria.ge/240402-zjrcladb42/behavioral13/analog", "https://tria.ge/240402-zjrcladb42/behavioral17", "https://tria.ge/240402-zjrcladb42/behavioral21", "https://tria.ge/240402-zjrcladb42/behavioral25", "https://tria.ge/240402-zjrcladb42/behavioral29", "https://tria.ge/240402-cb476add4w/behavioral2", "https://tria.ge/240401-b3bt9aad37/behavioral11", "https://tria.ge/240401-bztwnaac57/behavioral2", "https://tria.ge/240331-y9w54abd6t/behavioral7", "https://tria.ge/240331-yqk9gsaf9z/behavioral10", "https://tria.ge/240331-ykp1gsae3z/behavioral28", "https://tria.ge/240331-ykp1gsae3z/behavioral20", "https://tria.ge/240331-ykp1gsae3z/behavioral14", "https://tria.ge/240331-ykp1gsae3z/behavioral12", "https://tria.ge/240331-ykp1gsae3z/behavioral4", "https://tria.ge/240331-ykp1gsae3z/behavioral2", "https://tria.ge/220803-zggqdafbh7/behavioral2", "https://tria.ge/220803-y7119sgafr/behavioral12", "https://tria.ge/220803-y6bpzsfag2/behavioral28", "https://tria.ge/220803-y6bpzsfag2/behavioral26", "https://tria.ge/220803-y6bpzsfag2/behavioral22", "https://tria.ge/220803-y6bpzsfag2/behavioral20", "https://tria.ge/220803-y6bpzsfag2/behavioral18", "https://tria.ge/220803-y6bpzsfag2/behavioral16", "https://tria.ge/220803-y6bpzsfag2/behavioral12", "https://tria.ge/220803-y6bpzsfag2/behavioral10", "https://tria.ge/220803-1m2heafgb9/behavioral13", "https://tria.ge/220803-1m2heafgb9/behavioral8", "https://tria.ge/220803-1m4yjafgc2/behavioral31", "https://tria.ge/220803-1m4yjafgc2/behavioral29", "https://tria.ge/220803-1m4yjafgc2/behavioral27", "https://tria.ge/220803-1m4yjafgc2/behavioral25", "https://tria.ge/220803-1m4yjafgc2/behavioral23", "https://tria.ge/220803-1m4yjafgc2/behavioral22", "https://tria.ge/220803-1m4yjafgc2/behavioral19", "https://tria.ge/220803-1m4yjafgc2/behavioral17", "https://tria.ge/220803-1m4yjafgc2/behavioral15", "https://tria.ge/220803-1m4yjafgc2/behavioral13", "https://tria.ge/220803-1m4yjafgc2/behavioral9", "https://tria.ge/220803-1m4yjafgc2/behavioral7", "https://tria.ge/220803-1m4yjafgc2/behavioral6", "https://tria.ge/220803-1m4yjafgc2/behavioral5", "https://tria.ge/220803-1m4yjafgc2/behavioral3", "https://tria.ge/220803-1m4yjafgc2/behavioral2", "https://tria.ge/220803-1m4yjafgc2/behavioral1", "https://tria.ge/220803-1nlhksfgc3/behavioral32", "https://tria.ge/220803-1nlhksfgc3/behavioral1", "https://tria.ge/220803-1pfnqagffp/behavioral32", "https://tria.ge/220803-1pfnqagffp/behavioral4", "https://tria.ge/220803-1qd7aafgd9/behavioral28", "https://tria.ge/220803-1qd7aafgd9/behavioral24", "https://tria.ge/220803-1qd7aafgd9/behavioral23", "https://tria.ge/220803-1qd7aafgd9/behavioral22", "https://tria.ge/220803-1qd7aafgd9/behavioral21", "https://tria.ge/220803-1qd7aafgd9/behavioral15", "https://tria.ge/220803-1qs1fafge3/behavioral29", "https://tria.ge/220803-1qs1fafge3/behavioral27", "https://tria.ge/220803-1qs1fafge3/behavioral25", "https://tria.ge/220803-1qs1fafge3/behavioral23", "https://tria.ge/220803-1qs1fafge3/behavioral22", "https://tria.ge/220803-1qs1fafge3/behavioral19", "https://tria.ge/220803-1qs1fafge3/behavioral17", "https://tria.ge/220803-1qs1fafge3/behavioral13", "https://tria.ge/220803-1qs1fafge3/behavioral9", "https://tria.ge/220803-1qs1fafge3/behavioral6", "https://tria.ge/220803-1qs1fafge3/behavioral5", "https://tria.ge/220803-1qs1fafge3/behavioral1", "https://tria.ge/220803-1qs1fafge3/behavioral2", "https://tria.ge/220803-1qs1fafge3/behavioral3", "https://tria.ge/220803-1rxd9afgf2/behavioral28", "https://tria.ge/220803-1rxd9afgf2/behavioral27", "https://tria.ge/220803-1rxd9afgf2/behavioral23", "https://tria.ge/220803-1rxd9afgf2/behavioral19", "https://tria.ge/220803-1rxd9afgf2/behavioral15", "https://tria.ge/220804-cb7naaafeq", "https://tria.ge/220804-cb7naaafeq/behavioral1", "https://tria.ge/220805-fqatmsgbdr/behavioral3", "https://tria.ge/220805-fqkzlsfcb6/behavioral3", "https://tria.ge/220805-ft3zlafce6/behavioral1", "https://tria.ge/220805-ft3zlafce6/behavioral3", "https://tria.ge/220805-ft3zlafce6/behavioral2", "https://tria.ge/220805-fwthyagcbq/behavioral3", "https://tria.ge/220805-fwthyagcbq/behavioral2", "https://tria.ge/220805-fwthyagcbq/behavioral1", "https://tria.ge/220805-f286ksfdc7", "https://tria.ge/220805-f286ksfdc7/behavioral3", "https://tria.ge/220805-gca3xsgeaj/behavioral2", "https://tria.ge/220805-gca3xsgeaj/behavioral3", "https://tria.ge/220805-gv8rxafgf8/behavioral3", "https://tria.ge/220805-gv8rxafgf8/behavioral1", "https://tria.ge/220805-h1w6qshdaq/behavioral3", "https://tria.ge/220805-h1w6qshdaq/behavioral2", "https://tria.ge/220805-h1w6qshdaq/behavioral1", "https://tria.ge/220805-yv476aggd6/behavioral3", "https://tria.ge/220805-yv476aggd6/behavioral2", "https://tria.ge/220805-zetbdshag5/behavioral3", "https://tria.ge/220805-zetbdshag5/behavioral1", "https://tria.ge/220806-brndxabdh6/behavioral1", "https://tria.ge/220806-brndxabdh6/behavioral2", "https://tria.ge/220806-brndxabdh6/behavioral3", "https://tria.ge/220806-btaktsbea5/behavioral3", "https://tria.ge/220806-btaktsbea5/behavioral2", "https://tria.ge/220806-btaktsbea5/behavioral1", "https://tria.ge/220806-jrkl1sccfl", "https://tria.ge/220806-jrkl1sccfl/behavioral3", "https://tria.ge/220806-jrkl1sccfl/behavioral2", "https://tria.ge/220806-jrkl1sccfl/behavioral1", "https://tria.ge/220806-j2ztpaceak/behavioral1", "https://tria.ge/220806-j2ztpaceak/behavioral3", "https://tria.ge/220806-j3912scebk/behavioral3", "https://tria.ge/220806-j4w6ksfab3/behavioral3", "https://tria.ge/220830-17kqdsdfb2/behavioral3", "https://tria.ge/220830-17kqdsdfb2/behavioral2", "https://tria.ge/220830-17kqdsdfb2/behavioral1", "https://tria.ge/220729-d8e5zadga9/behavioral2", "https://tria.ge/220729-d8av9adga3/behavioral2", "https://tria.ge/220729-d74f6seedk/behavioral2", "https://tria.ge/220729-d7ta7sdfh9/behavioral2", "https://tria.ge/220729-d347xadfe7/behavioral2", "https://tria.ge/220729-d3yecseeam/behavioral2", "https://tria.ge/220729-d3sh4seeal/behavioral2", "https://tria.ge/220729-d3m9dsdfe3/behavioral2", "https://tria.ge/220729-d3dd7aedhk/behavioral2", "https://tria.ge/220729-d2kf4sedgl/behavioral2", "https://tria.ge/220729-d1hwwsdfc7/behavioral2", "https://tria.ge/220729-d85evsdgb3/behavioral2", "https://tria.ge/220729-ecv2zsdgd7/behavioral2", "https://tria.ge/220729-ecnb5sdgd5/behavioral2", "https://tria.ge/220729-wzxyjacgal/behavioral2", "https://tria.ge/220729-wzxyjacgal/behavioral1", "https://tria.ge/220729-w1gmyabhf2/behavioral2", "https://tria.ge/220729-24hbjaeeep/behavioral1", "https://tria.ge/220730-chkgbsehh6/behavioral2", "https://tria.ge/220731-f45wyabgbr/behavioral3", "https://tria.ge/220801-sppmmaafd6/behavioral28", "https://tria.ge/220801-sppmmaafd6/behavioral20", "https://tria.ge/220801-sppmmaafd6/behavioral19", "https://tria.ge/220802-kwqt9secdp", "https://tria.ge/220802-kwqt9secdp/behavioral1", "https://tria.ge/220803-yl8h8afgdn/behavioral1", "https://tria.ge/220803-yl8h8afgdn/behavioral12", "https://tria.ge/220803-yl8h8afgdn/behavioral8", "https://tria.ge/220803-yl8h8afgdn/behavioral7", "https://tria.ge/220803-yl8h8afgdn/behavioral4", "https://tria.ge/220803-yl8h8afgdn/behavioral3", "https://tria.ge/220803-ymle3sfgdp/behavioral6", "https://tria.ge/220803-ymle3sfgdp/behavioral28", "https://tria.ge/220803-ymle3sfgdp/behavioral27", "https://tria.ge/220803-ymle3sfgdp/behavioral23", "https://tria.ge/220803-ymle3sfgdp/behavioral19", "https://tria.ge/220803-ymle3sfgdp/behavioral15", "https://tria.ge/220803-yshldaehd8/behavioral14", "https://tria.ge/220803-yshldaehd8/behavioral13", "https://tria.ge/220803-yshldaehd8/behavioral3", "https://tria.ge/220726-xskv3addar/behavioral2", "https://tria.ge/220726-xskv3addar/behavioral1", "https://tria.ge/220726-xz7y6sddgk/behavioral1", "https://tria.ge/220726-xz7y6sddgk/behavioral4", "https://tria.ge/220726-xz7y6sddgk/behavioral3", "https://tria.ge/220726-xz7y6sddgk/behavioral2", "https://tria.ge/220726-x1m1dsddgl/behavioral1", "https://tria.ge/220726-x1m1dsddgl/behavioral4", "https://tria.ge/220726-x1m1dsddgl/behavioral3", "https://tria.ge/220726-x1m1dsddgl/behavioral2", "https://tria.ge/220727-bv535aghfl/behavioral8", "https://tria.ge/220727-bv535aghfl/behavioral7", "https://tria.ge/220727-bv535aghfl/behavioral1", "https://tria.ge/220729-dqk89secfn/behavioral1", "https://tria.ge/220729-dqgwvaecfm/behavioral1", "https://tria.ge/220724-rl2mcafdbm/behavioral1", "https://tria.ge/220724-rtnqfsfeg6/behavioral1", "https://tria.ge/220724-sheh3sgddl/behavioral1", "https://tria.ge/220724-slp4zsgdh2/behavioral1", "https://tria.ge/220724-tacvysheh8/behavioral7", "https://tria.ge/220724-tetn9shgf9", "https://tria.ge/220724-tmtn8sacej/behavioral1", "https://tria.ge/220724-tmtn8sacej/behavioral26", "https://tria.ge/220724-tmtn8sacej/behavioral25", "https://tria.ge/220724-tmtn8sacej/behavioral15", "https://tria.ge/220724-fgjeesffc7/behavioral1", "https://tria.ge/220724-fgjeesffc7/behavioral2", "https://tria.ge/220916-d8f29seef7/behavioral2", "https://tria.ge/220912-r4wh2shccm", "https://tria.ge/220912-r4wh2shccm/behavioral1", "https://tria.ge/220912-r4fsladea8/behavioral1", "https://tria.ge/220912-r36ydsdea7/behavioral2", "https://tria.ge/220912-r3z5vahccj/behavioral2", "https://tria.ge/220912-r25nyahcbp/behavioral2", "https://tria.ge/220912-r2sdlshcbn/behavioral2", "https://tria.ge/220912-r2j28sdea3/behavioral2", "https://tria.ge/220912-r2j28sdea3/behavioral1", "https://tria.ge/220912-r2dkfsdea2/behavioral2", "https://tria.ge/220912-r16vlsddh9/behavioral2", "https://tria.ge/220912-rxnvmaddh6/behavioral2", "https://tria.ge/220912-rxb6tsddh5/behavioral2", "https://tria.ge/220912-rtwfashcaq/behavioral2", "https://tria.ge/220912-rtf1lsddg8", "https://tria.ge/220912-rsreyshcam/behavioral2", "https://tria.ge/220912-rsc8bsddg6/behavioral3", "https://tria.ge/220912-rqlrpahbhr/behavioral2", "https://tria.ge/220912-rp93wshbhq/behavioral2", "https://tria.ge/220912-rpzxxshbhp/behavioral2", "https://tria.ge/220912-rpjkyaddf9/behavioral3", "https://tria.ge/220912-rn3meshbhl/behavioral2", "https://tria.ge/220912-regnladdd6/behavioral3", "https://tria.ge/220930-vmljasfbcm/behavioral2", "https://tria.ge/220930-vmv3qsfbcn/behavioral2", "https://tria.ge/221007-2b72gsdga7/behavioral32", "https://tria.ge/221007-2b72gsdga7/behavioral26", "https://tria.ge/221007-2b72gsdga7/behavioral25", "https://tria.ge/221007-2b72gsdga7/behavioral20", "https://tria.ge/221007-2b72gsdga7/behavioral19", "https://tria.ge/221007-2b72gsdga7/behavioral16", "https://tria.ge/221007-2b72gsdga7/behavioral15", "https://tria.ge/221012-bm6ppacbam/behavioral3", "https://tria.ge/221012-bm6ppacbam/behavioral14", "https://tria.ge/221012-bm6ppacbam/behavioral12", "https://tria.ge/221014-2dbfasegfn/behavioral3", "https://tria.ge/221015-rqzcsaffhq/behavioral2", "https://tria.ge/221202-wskpmaeg7x/behavioral2", "https://tria.ge/221202-wskpmaeg7x/behavioral1", "https://tria.ge/221205-jd6bkada9w/behavioral1", "https://tria.ge/221205-jd6bkada9w/behavioral2", "https://tria.ge/221212-j9yxcsdf2z/behavioral2", "https://tria.ge/221212-kcchjaah54/behavioral3", "https://tria.ge/221212-kcchjaah54/behavioral2", "https://tria.ge/221212-kcchjaah54/behavioral1", "https://tria.ge/221212-kdv19sdf3t/behavioral32", "https://tria.ge/221212-kdv19sdf3t/behavioral2", "https://tria.ge/221212-kd3q4sah55/behavioral3", "https://tria.ge/221215-sqzh8acf73/behavioral1", "https://tria.ge/221215-ta2t3sff7y/behavioral4", "https://tria.ge/221220-y6pa3seb4w/behavioral2", "https://tria.ge/221221-h9mcwsbg93/behavioral1", "https://tria.ge/221221-h9mcwsbg93/behavioral32", "https://tria.ge/221221-h9mcwsbg93/behavioral26", "https://tria.ge/221221-h9mcwsbg93/behavioral2", "https://tria.ge/221015-tfg2vsfge9/behavioral1", "https://tria.ge/221015-tfg2vsfge9/behavioral3", "https://tria.ge/221015-tfg2vsfge9/behavioral2", "https://tria.ge/221015-tlpznafgf6/behavioral1", "https://tria.ge/221015-tlpznafgf6/behavioral2", "https://tria.ge/221015-tl29zsfgf8/behavioral1", "https://tria.ge/221015-tl29zsfgf8/behavioral2", "https://tria.ge/221015-tlxz9sfgf7/behavioral1", "https://tria.ge/221015-tlxz9sfgf7/behavioral2", "https://tria.ge/221017-2zl4xsdec9/behavioral31", "https://tria.ge/221017-2zl4xsdec9/behavioral29", "https://tria.ge/221017-2zl4xsdec9/behavioral25", "https://tria.ge/221017-2zl4xsdec9/behavioral21", "https://tria.ge/221017-2zl4xsdec9/behavioral18", "https://tria.ge/221017-2zl4xsdec9/behavioral17", "https://tria.ge/221017-2zl4xsdec9/behavioral9", "https://tria.ge/221017-2zl4xsdec9/behavioral14", "https://tria.ge/221025-gp398sbfhp/behavioral15", "https://tria.ge/221025-gp398sbfhp/behavioral9", "https://tria.ge/221025-gp398sbfhp/behavioral8", "https://tria.ge/221025-gp398sbfhp/behavioral7", "https://tria.ge/221025-gp398sbfhp/behavioral6", "https://tria.ge/221025-gp398sbfhp/behavioral5", "https://tria.ge/221025-gp398sbfhp/behavioral4", "https://tria.ge/221025-gqnwyabfh3/behavioral1", "https://tria.ge/221025-gqnwyabfh3/behavioral3", "https://tria.ge/221025-gqnwyabfh3/behavioral2", "https://tria.ge/221028-y169psecbn/behavioral3", "https://tria.ge/221029-bjlv4sfcbr/behavioral15", "https://tria.ge/221029-bjlv4sfcbr/behavioral13", "https://tria.ge/221029-bjlv4sfcbr/behavioral8", "https://tria.ge/221029-bjlv4sfcbr/behavioral7", "https://tria.ge/221029-bj1z2afcdk/behavioral10", "https://tria.ge/221029-bj1z2afcdk/behavioral9", "https://tria.ge/221029-bj1z2afcdk/behavioral6", "https://tria.ge/221029-bj1z2afcdk/behavioral5", "https://tria.ge/221115-cpxegaee62/behavioral1", "https://tria.ge/221115-cpxegaee62/behavioral2", "https://tria.ge/230113-ctz16adf45", "https://tria.ge/230109-ywqq6aba3z", "https://tria.ge/230109-ywqq6aba3z/behavioral32", "https://tria.ge/230109-ywqq6aba3z/behavioral31", "https://tria.ge/230109-ywqq6aba3z/behavioral30", "https://tria.ge/230109-ywqq6aba3z/behavioral2", "https://tria.ge/230109-ywqq6aba3z/behavioral5", "https://tria.ge/230109-ywqq6aba3z/behavioral6", "https://tria.ge/230109-ywqq6aba3z/behavioral7", "https://tria.ge/230109-ywqq6aba3z/behavioral8", "https://tria.ge/230109-ywqq6aba3z/behavioral9", "https://tria.ge/230109-ywqq6aba3z/behavioral10", "https://tria.ge/230109-ywqq6aba3z/behavioral12", "https://tria.ge/230109-ywqq6aba3z/behavioral11", "https://tria.ge/230109-ywqq6aba3z/behavioral13", "https://tria.ge/230109-ywqq6aba3z/behavioral14", "https://tria.ge/230109-ywqq6aba3z/behavioral15", "https://tria.ge/230109-ywqq6aba3z/behavioral16", "https://tria.ge/230109-ywqq6aba3z/behavioral17", "https://tria.ge/230109-ywqq6aba3z/behavioral18", "https://tria.ge/230109-ywqq6aba3z/behavioral19", "https://tria.ge/230109-ywqq6aba3z/behavioral20", "https://tria.ge/230109-ywqq6aba3z/behavioral21", "https://tria.ge/230109-ywqq6aba3z/behavioral22", "https://tria.ge/230109-ywqq6aba3z/behavioral23", "https://tria.ge/230109-ywqq6aba3z/behavioral24", "https://tria.ge/230109-ywqq6aba3z/behavioral25", "https://tria.ge/230109-ywqq6aba3z/behavioral26", "https://tria.ge/230109-ywqq6aba3z/behavioral28", "https://tria.ge/230109-ywqq6aba3z/behavioral29", "https://tria.ge/230108-qvj8zshb3t/behavioral1", "https://tria.ge/230108-qskfzahb2y/behavioral12", "https://tria.ge/230108-qskfzahb2y/behavioral28", "https://tria.ge/230108-qskfzahb2y/behavioral27", "https://tria.ge/230108-qr6b2sdg22/behavioral1", "https://tria.ge/230108-qr6b2sdg22/behavioral2", "https://tria.ge/230108-qr1fssdf98/behavioral3", "https://tria.ge/230108-qr1fssdf98/behavioral1", "https://tria.ge/230108-qrv63sdf97/behavioral1", "https://tria.ge/230108-qrv63sdf97/behavioral2", "https://tria.ge/230108-qrmvpsdf96/behavioral1", "https://tria.ge/230108-qrmvpsdf96/behavioral2", "https://tria.ge/230108-fvadnsgb8s/behavioral12", "https://tria.ge/230108-fvadnsgb8s/behavioral2", "https://tria.ge/230108-ftyd4sgb71/behavioral9", "https://tria.ge/230108-ftrlkagb7z/behavioral2", "https://tria.ge/230106-ryhp1ace8y/behavioral2", "https://tria.ge/230120-lncs4sad55/behavioral3", "https://tria.ge/230115-xqrwlaag69/behavioral6", "https://tria.ge/230115-x2h3tsbb49/behavioral6", "https://tria.ge/230115-x2h3tsbb49/behavioral32", "https://tria.ge/230115-x2h3tsbb49/behavioral28", "https://tria.ge/230115-x2h3tsbb49/behavioral26", "https://tria.ge/230115-x2h3tsbb49/behavioral14", "https://tria.ge/230115-x2h3tsbb49/behavioral10", "https://tria.ge/230120-1vxjesbg9t/behavioral1", "https://tria.ge/230120-1vxjesbg9t/behavioral2", "https://tria.ge/230102-s2ryhseg39/behavioral10", "https://tria.ge/230102-s3kktshh7t/behavioral2", "https://tria.ge/230102-s3v2kahh7v/behavioral2", "https://tria.ge/230102-s38bwshh7y/behavioral2", "https://tria.ge/230102-s4zq5seg44/behavioral32", "https://tria.ge/230102-s2n7maeg38/behavioral12", "https://tria.ge/230102-s2n7maeg38/static1", "https://tria.ge/230102-tekflaeg63/static1", "https://tria.ge/230105-xbxhjacg76/behavioral1", "https://tria.ge/230105-xbxhjacg76/behavioral2", "https://tria.ge/221221-zk1mnagd4x/behavioral3", "https://tria.ge/221221-zjmz6sdc27/behavioral3", "https://tria.ge/221221-zjjmradc26/behavioral3", "https://tria.ge/221221-zjezkagd3w/behavioral3", "https://tria.ge/221225-df32bseb6z/behavioral11", "https://tria.ge/221225-df32bseb6z/behavioral26", "https://tria.ge/221225-df32bseb6z/behavioral25", "https://tria.ge/221225-destzaeb6y/behavioral1", "https://tria.ge/221225-destzaeb6y/behavioral2", "https://tria.ge/221224-hvmp4shf85/behavioral2", "https://tria.ge/221224-hqfq1ahf77/behavioral1", "https://tria.ge/221224-hqfq1ahf77/behavioral2", "https://tria.ge/221221-zvhvlagd7y/behavioral3", "https://tria.ge/240331-yqk9gsaf9z/behavioral8", "https://tria.ge/240331-yqk9gsaf9z/behavioral9", "https://tria.ge/240129-m661cagdb6/behavioral2", "https://tria.ge/240129-lkztgaehh2/behavioral3", "https://tria.ge/240111-cahyjaccem/behavioral31", "https://tria.ge/240111-cahyjaccem/behavioral30", "https://tria.ge/240111-cahyjaccem/behavioral29", "https://tria.ge/240111-cahyjaccem/behavioral22", "https://tria.ge/240111-cahyjaccem/behavioral21", "https://tria.ge/240111-cahyjaccem/behavioral11", "https://tria.ge/240107-eq4w2sfch5/behavioral7", "https://tria.ge/240106-dbq6zafccm/behavioral3", "https://tria.ge/231224-3h4hbaefg7/behavioral3", "https://tria.ge/231224-3h4hbaefg7/behavioral7", "https://tria.ge/231224-g5gq6sbhb2/behavioral7", "https://tria.ge/231217-zztgwsfger/behavioral2", "https://tria.ge/231217-ysjtfahaf3/behavioral7", "https://tria.ge/231217-yscecsfefl/behavioral7", "https://tria.ge/231217-yscecsfefl/behavioral11", "https://tria.ge/231217-yl3mzafebp/behavioral7", "https://tria.ge/231217-yl3mzafebp/behavioral2", "https://tria.ge/231217-yjcc1afeap/behavioral7", "https://tria.ge/231217-yjcc1afeap/behavioral3", "https://tria.ge/240317-kz93babd61/behavioral7", "https://tria.ge/240317-kz93babd61/behavioral3", "https://tria.ge/240409-btvwrshh94/behavioral3", "https://tria.ge/240409-btvwrshh94/behavioral11", "https://tria.ge/231015-l3gqlsdg6w/behavioral8", "https://tria.ge/230324-hax1cacf74", "https://tria.ge/230324-g9c9jscf67/behavioral2", "https://tria.ge/230324-g8jd6seg41/behavioral3", "https://tria.ge/230321-gr8yhaha33/behavioral5", "https://tria.ge/230321-gr8yhaha33/behavioral10", "https://tria.ge/230321-gr8yhaha33/behavioral9", "https://tria.ge/230321-gr8yhaha33/behavioral6", "https://tria.ge/230321-grwyyaha29/behavioral7", "https://tria.ge/230321-grwyyaha29/behavioral16", "https://tria.ge/230321-grwyyaha29/behavioral15", "https://tria.ge/230321-grwyyaha29/behavioral13", "https://tria.ge/230321-grwyyaha29/behavioral8", "https://tria.ge/230321-f6rgbsah5x", "https://tria.ge/230321-f1p2bagh55/behavioral2", "https://tria.ge/230321-f1p2bagh55/behavioral3", "https://tria.ge/230313-jp94wsbb8x/behavioral2", "https://tria.ge/230308-zttwgaha65/behavioral2", "https://tria.ge/230308-zr5j7aha49/behavioral2", "https://tria.ge/230308-zp7xjaga2z/behavioral3", "https://tria.ge/230307-1xx8qsbg5v/behavioral3", "https://tria.ge/230307-1xx8qsbg5v/behavioral4", "https://tria.ge/230307-1rdl5scc53/behavioral1", "https://tria.ge/230307-1f7e3scb88/behavioral4", "https://tria.ge/230307-1f7e3scb88/behavioral16", "https://tria.ge/230305-31dplshh79/behavioral2", "https://tria.ge/230305-31dplshh79/behavioral3", "https://tria.ge/230305-3s617ahd3s/behavioral2", "https://tria.ge/230305-3s617ahd3s/behavioral3", "https://tria.ge/230305-3snjvahh67/behavioral3", "https://tria.ge/230305-eckw1sff35/behavioral3", "https://tria.ge/230305-eckw1sff35/behavioral1", "https://tria.ge/230305-eb63vsfa61/behavioral3", "https://tria.ge/230305-eabwbsfa6z/behavioral2", "https://tria.ge/230305-eabwbsfa6z/behavioral3", "https://tria.ge/230305-d9lddafa6y/behavioral1", "https://tria.ge/230305-d9lddafa6y/behavioral2", "https://tria.ge/230305-d82c7sff27/behavioral3", "https://tria.ge/230305-d82c7sff27/behavioral1", "https://tria.ge/230305-d8rtrsff26/behavioral1", "https://tria.ge/230305-d8rtrsff26/behavioral2", "https://tria.ge/230305-d62aesff25/behavioral1", "https://tria.ge/230305-d62aesff25/behavioral2", "https://tria.ge/230305-d4phvafe99/behavioral1", "https://tria.ge/230305-d4phvafe99/behavioral2", "https://tria.ge/230305-d4a1fsfe98/behavioral1", "https://tria.ge/230305-d33dbafa51/behavioral1", "https://tria.ge/230305-d33dbafa51/behavioral2", "https://tria.ge/230305-d21s4afe93/behavioral1", "https://tria.ge/230305-d21s4afe93/behavioral31", "https://tria.ge/230305-d21s4afe93/behavioral23", "https://tria.ge/230305-d21s4afe93/behavioral21", "https://tria.ge/230305-d21s4afe93/behavioral13", "https://tria.ge/230305-dyzrmafe89", "https://tria.ge/230305-dycl4afa5v/behavioral29", "https://tria.ge/230305-dycl4afa5v/behavioral27", "https://tria.ge/230305-dycl4afa5v/behavioral7", "https://tria.ge/230305-dycl4afa5v/behavioral15", "https://tria.ge/230220-pbc5wsah96/behavioral3", "https://tria.ge/230220-pbc5wsah96/behavioral2", "https://tria.ge/230215-baxk9ahc37/behavioral1", "https://tria.ge/230215-baxk9ahc37/behavioral2", "https://tria.ge/230204-rnp2bsgh3y/behavioral1", "https://tria.ge/230204-rnp2bsgh3y/behavioral2", "https://tria.ge/230204-qvwa9add55", "https://tria.ge/230204-qvlrtadd53/behavioral3", "https://tria.ge/230202-h81h5ahc9z/behavioral2", "https://tria.ge/230202-h81h5ahc9z/behavioral3", "https://tria.ge/230201-av97eabb24/behavioral2", "https://tria.ge/230127-v6q8wsdg5y/behavioral2", "https://tria.ge/230125-kn9meafe37/behavioral1", "https://tria.ge/230125-kn9meafe37/behavioral2", "https://tria.ge/230122-tqj9zaac8v/behavioral3", "https://tria.ge/230122-tqj9zaac8v/behavioral1", "https://tria.ge/230122-tqj9zaac8v/behavioral2", "https://tria.ge/231206-hwhgsacd32/behavioral1", "https://tria.ge/231206-hwsbzscd34", "https://tria.ge/231206-hwsbzscd34/behavioral1", "https://tria.ge/231206-hvz1facd27/behavioral1" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1081", "name": "Credentials in Files", "display_name": "T1081 - Credentials in Files" }, { "id": "T1130", "name": "Install Root Certificate", "display_name": "T1130 - Install Root Certificate" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1489", "name": "Service Stop", "display_name": "T1489 - Service Stop" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1490", "name": "Inhibit System Recovery", "display_name": "T1490 - Inhibit System Recovery" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1067", "name": "Bootkit", "display_name": "T1067 - Bootkit" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1042", "name": "Change Default File Association", "display_name": "T1042 - Change Default File Association" } ], "industries": [], "TLP": "white", "cloned_from": "661c5aeb351e7ed1fd41dccd", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2817, "FileHash-SHA1": 2698, "FileHash-SHA256": 2703, "domain": 65, "URL": 12, "hostname": 13, "SSLCertFingerprint": 1 }, "indicator_count": 8309, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "65 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69c5d13d5b19bfb5cf77057a", "name": "Comprehensive Tria.ge import - Pro tip by Merkd1904 clone", "description": "", "modified": "2026-03-27T00:37:17.317000", "created": "2026-03-27T00:37:17.317000", "tags": [ "implementation", "murmurhash3", "jens taylor", "gary court", "austin appleby", "typeof h", "please", "javascript", "triage", "malware", "analysis", "report", "reported", "analyze", "sandbox", "score", "behavioral task", "resource", "ck v13", "general", "target", "size", "sha256", "sha512", "ssdeep", "config", "copy", "shell", "sample", "sha1", "execution", "sample sample", "gpio promo", "sample gpio", "gpio2 driv", "sample gpio2", "target gpio", "adversaries", "bypass", "download submit", "filesize", "executes", "file", "download", "key value", "set value", "explorer", "class", "monitor", "signatures", "discovery", "iocs", "asusit885", "vendady", "venmsft", "proddadydvdrom4", "prodharddisk4", "drops file", "checks scsi", "processes", "network", "replay", "armourycra", "armoury crate", "token", "exe loads", "factory", "prefetch8", "service", "ck v6", "mitre", "f13eed8e", "suspicious use", "samsungma", "defense", "alderlakep", "alderlake", "sunrisepoi", "skylakesk", "tigerlakep", "reads cpu", "reads runtime", "tmpinxi", "ttps", "checks computer", "ngen worker", "process", "state migration", "installer", "binzsh c", "ksversion", "kschannelid", "apps", "plugins", "xpcproxy", "helper", "chrome helper", "renderer", "binlaunchctl", "data filesize", "error", "document being", "devnull md5", "play", "hypervisor", "mount o", "t iso9660", "f varlogmount", "analog", "triage submit", "static", "report analysis", "logs loading", "analysis log", "dos win95", "f win98", "f hpfs", "w95 f", "fat12 fat16", "extend", "setpasswd", "f root", "checks cpu", "discovery t1082", "managerwar", "wifinetwor", "query registry", "multimedia", "inprocserver32", "apartment", "typelib", "persistence", "progid", "nummethods", "10 discovery", "t1012 system", "appdir", "prefetch1", "registers com", "both", "chromehtml", "windowsdef", "enumerates", "systemroot", "windows media", "9801", "components", "checks", "localserver32", "open", "edit", "xport", "maxwellbio", "execution flow", "write file", "nvidialin", "excel", "sample https", "modifies", "fdoemcdcd", "klinks", "t1120 system", "windowstemp", "sample read", "traffic", "go play", "sample go", "cuckptn", "cuckicrc", "binsh c", "tags", "deviceinfo", "windowsinf", "targets", "ck matrix", "attempts", "m2 ssd", "p40 game", "filesintelintel", "legacy", "catalogfile", "pciven8086", "ndisasuss", "sample http", "microsoftw", "destination ip", "waasregke", "qeaa", "ueaa", "yaxxz", "iebapeadxz", "iebapeagxz", "headers dll", "lredmond", "locale", "suspicious", "player list", "sample bcd", "resources", "usrbinlogger t", "updater", "pid1522", "shadow copy", "dellsuppor", "landriver", "inputperso", "ipsmigrati", "sample intel", "servicingkey", "0008", "viper m2", "cannonlake", "cometlakep", "coffeelake", "cometlake", "10 blocklisted", "data", "supportass", "iocs reads", "APT1" ], "references": [ "imurmurhash.min.js", "https://www.virustotal.com/gui/file/e58fe1f551a6fb3e0a8bbaed5f8cae96194ccbbba5f4da2914a5046a4df3725e?nocache=1", "https://www.virustotal.com/gui/file/03759f9a14c983a9e70d17d0552fb2bff9dc1fe8c9b837f859403449ecdadd11?nocache=1", "https://www.virustotal.com/gui/file/32dbd62fce658336afc05435cafed68029dba626e5863a39305eaf8f42ed74cd?nocache=1", "https://www.virustotal.com/gui/file/049645f56e88a33c0d5d74b5ad9dc7da425a326ee72db4885b712c16f9edeb54?nocache=1", "https://www.virustotal.com/gui/file/b9cee56cd245633f7debe4b6e93f1606ac6788a9749a8eba2d742cfd84e935fd?nocache=1", "https://www.virustotal.com/gui/file/b9cee56cd245633f7debe4b6e93f1606ac6788a9749a8eba2d742cfd84e935fd", "https://www.virustotal.com/gui/file/8694bebdcbe7854aae97fcecfce0fa0b5a9aa07b5f95cd2e55d62a25caaaa8d8?nocache=1", "https://www.virustotal.com/gui/file/b2b37af320b637acc1001404b6a7f9bbfc4dcfb7319bba92333be2050b398318/relations", "https://tria.ge/231217-yjcc1afeap", "https://tria.ge/231217-yl3mzafebp", "https://tria.ge/231217-yscecsfefl", "https://tria.ge/231217-ysjtfahaf3", "https://tria.ge/231217-zztgwsfger", "https://tria.ge/231224-g5gq6sbhb2", "https://tria.ge/231224-3h4hbaefg7", "https://tria.ge/240106-dbq6zafccm", "https://tria.ge/240107-eq4w2sfch5", "https://tria.ge/240111-cahyjaccem", "https://tria.ge/240129-lkztgaehh2", "https://tria.ge/240129-m661cagdb6", "https://tria.ge/240317-kz93babd61", "https://tria.ge/240317-kz93babd61/behavioral2", "https://tria.ge/240410-aceyjseb6v/behavioral4", "https://tria.ge/230108-ftrlkagb7z/behavioral1", "https://tria.ge/230108-ftyd4sgb71/behavioral10", "https://tria.ge/230108-fvadnsgb8s/behavioral27", "https://tria.ge/230108-qrmvpsdf96/behavioral3", "https://tria.ge/230108-qrv63sdf97/behavioral3", "https://tria.ge/230108-qr1fssdf98/behavioral2", "https://tria.ge/230108-qr6b2sdg22/behavioral3", "https://tria.ge/230108-qsdneshb2w/behavioral10", "https://tria.ge/230113-ctz16adf45/behavioral1", "https://tria.ge/230113-c3xbmadf82/behavioral2", "https://tria.ge/230113-c79shshd41/behavioral2", "https://tria.ge/230108-qvj8zshb3t/behavioral2", "https://tria.ge/230109-ywqq6aba3z/behavioral27", "https://tria.ge/230113-dbgbrshd61/behavioral5", "https://tria.ge/230113-dfhemadg66/behavioral7", "https://tria.ge/231015-l3gqlsdg6w/behavioral11", "https://tria.ge/230906-vajh6shg63/behavioral3", "https://tria.ge/230901-qkt1faeh2v/behavioral3", "https://tria.ge/231128-vbn52sbf51/behavioral7", "https://tria.ge/231206-gkeq3sbg68/behavioral7", "https://tria.ge/231206-hf1cnacb98/behavioral7", "https://tria.ge/240409-25x4dagh63/behavioral4", "https://tria.ge/240409-dhdjfsce54/behavioral3", "https://tria.ge/240409-btvwrshh94/behavioral2", "https://tria.ge/240402-zjrcladb42/behavioral28", "https://tria.ge/240402-zjrcladb42/behavioral27", "https://tria.ge/240402-zjrcladb42/behavioral1", "https://tria.ge/240402-zjrcladb42/behavioral2", "https://tria.ge/240402-zjrcladb42/behavioral3", "https://tria.ge/240402-zjrcladb42/behavioral4", "https://tria.ge/240402-zjrcladb42/behavioral5", "https://tria.ge/240402-zjrcladb42/behavioral6", "https://tria.ge/240402-zjrcladb42/behavioral9", "https://tria.ge/240402-zjrcladb42/behavioral13", "https://tria.ge/240402-zjrcladb42/behavioral13/analog", "https://tria.ge/240402-zjrcladb42/behavioral17", "https://tria.ge/240402-zjrcladb42/behavioral21", "https://tria.ge/240402-zjrcladb42/behavioral25", "https://tria.ge/240402-zjrcladb42/behavioral29", "https://tria.ge/240402-cb476add4w/behavioral2", "https://tria.ge/240401-b3bt9aad37/behavioral11", "https://tria.ge/240401-bztwnaac57/behavioral2", "https://tria.ge/240331-y9w54abd6t/behavioral7", "https://tria.ge/240331-yqk9gsaf9z/behavioral10", "https://tria.ge/240331-ykp1gsae3z/behavioral28", "https://tria.ge/240331-ykp1gsae3z/behavioral20", "https://tria.ge/240331-ykp1gsae3z/behavioral14", "https://tria.ge/240331-ykp1gsae3z/behavioral12", "https://tria.ge/240331-ykp1gsae3z/behavioral4", "https://tria.ge/240331-ykp1gsae3z/behavioral2", "https://tria.ge/220803-zggqdafbh7/behavioral2", "https://tria.ge/220803-y7119sgafr/behavioral12", "https://tria.ge/220803-y6bpzsfag2/behavioral28", "https://tria.ge/220803-y6bpzsfag2/behavioral26", "https://tria.ge/220803-y6bpzsfag2/behavioral22", "https://tria.ge/220803-y6bpzsfag2/behavioral20", "https://tria.ge/220803-y6bpzsfag2/behavioral18", "https://tria.ge/220803-y6bpzsfag2/behavioral16", "https://tria.ge/220803-y6bpzsfag2/behavioral12", "https://tria.ge/220803-y6bpzsfag2/behavioral10", "https://tria.ge/220803-1m2heafgb9/behavioral13", "https://tria.ge/220803-1m2heafgb9/behavioral8", "https://tria.ge/220803-1m4yjafgc2/behavioral31", "https://tria.ge/220803-1m4yjafgc2/behavioral29", "https://tria.ge/220803-1m4yjafgc2/behavioral27", "https://tria.ge/220803-1m4yjafgc2/behavioral25", "https://tria.ge/220803-1m4yjafgc2/behavioral23", "https://tria.ge/220803-1m4yjafgc2/behavioral22", "https://tria.ge/220803-1m4yjafgc2/behavioral19", "https://tria.ge/220803-1m4yjafgc2/behavioral17", "https://tria.ge/220803-1m4yjafgc2/behavioral15", "https://tria.ge/220803-1m4yjafgc2/behavioral13", "https://tria.ge/220803-1m4yjafgc2/behavioral9", "https://tria.ge/220803-1m4yjafgc2/behavioral7", "https://tria.ge/220803-1m4yjafgc2/behavioral6", "https://tria.ge/220803-1m4yjafgc2/behavioral5", "https://tria.ge/220803-1m4yjafgc2/behavioral3", "https://tria.ge/220803-1m4yjafgc2/behavioral2", "https://tria.ge/220803-1m4yjafgc2/behavioral1", "https://tria.ge/220803-1nlhksfgc3/behavioral32", "https://tria.ge/220803-1nlhksfgc3/behavioral1", "https://tria.ge/220803-1pfnqagffp/behavioral32", "https://tria.ge/220803-1pfnqagffp/behavioral4", "https://tria.ge/220803-1qd7aafgd9/behavioral28", "https://tria.ge/220803-1qd7aafgd9/behavioral24", "https://tria.ge/220803-1qd7aafgd9/behavioral23", "https://tria.ge/220803-1qd7aafgd9/behavioral22", "https://tria.ge/220803-1qd7aafgd9/behavioral21", "https://tria.ge/220803-1qd7aafgd9/behavioral15", "https://tria.ge/220803-1qs1fafge3/behavioral29", "https://tria.ge/220803-1qs1fafge3/behavioral27", "https://tria.ge/220803-1qs1fafge3/behavioral25", "https://tria.ge/220803-1qs1fafge3/behavioral23", "https://tria.ge/220803-1qs1fafge3/behavioral22", "https://tria.ge/220803-1qs1fafge3/behavioral19", "https://tria.ge/220803-1qs1fafge3/behavioral17", "https://tria.ge/220803-1qs1fafge3/behavioral13", "https://tria.ge/220803-1qs1fafge3/behavioral9", "https://tria.ge/220803-1qs1fafge3/behavioral6", "https://tria.ge/220803-1qs1fafge3/behavioral5", "https://tria.ge/220803-1qs1fafge3/behavioral1", "https://tria.ge/220803-1qs1fafge3/behavioral2", "https://tria.ge/220803-1qs1fafge3/behavioral3", "https://tria.ge/220803-1rxd9afgf2/behavioral28", "https://tria.ge/220803-1rxd9afgf2/behavioral27", "https://tria.ge/220803-1rxd9afgf2/behavioral23", "https://tria.ge/220803-1rxd9afgf2/behavioral19", "https://tria.ge/220803-1rxd9afgf2/behavioral15", "https://tria.ge/220804-cb7naaafeq", "https://tria.ge/220804-cb7naaafeq/behavioral1", "https://tria.ge/220805-fqatmsgbdr/behavioral3", "https://tria.ge/220805-fqkzlsfcb6/behavioral3", "https://tria.ge/220805-ft3zlafce6/behavioral1", "https://tria.ge/220805-ft3zlafce6/behavioral3", "https://tria.ge/220805-ft3zlafce6/behavioral2", "https://tria.ge/220805-fwthyagcbq/behavioral3", "https://tria.ge/220805-fwthyagcbq/behavioral2", "https://tria.ge/220805-fwthyagcbq/behavioral1", "https://tria.ge/220805-f286ksfdc7", "https://tria.ge/220805-f286ksfdc7/behavioral3", "https://tria.ge/220805-gca3xsgeaj/behavioral2", "https://tria.ge/220805-gca3xsgeaj/behavioral3", "https://tria.ge/220805-gv8rxafgf8/behavioral3", "https://tria.ge/220805-gv8rxafgf8/behavioral1", "https://tria.ge/220805-h1w6qshdaq/behavioral3", "https://tria.ge/220805-h1w6qshdaq/behavioral2", "https://tria.ge/220805-h1w6qshdaq/behavioral1", "https://tria.ge/220805-yv476aggd6/behavioral3", "https://tria.ge/220805-yv476aggd6/behavioral2", "https://tria.ge/220805-zetbdshag5/behavioral3", "https://tria.ge/220805-zetbdshag5/behavioral1", "https://tria.ge/220806-brndxabdh6/behavioral1", "https://tria.ge/220806-brndxabdh6/behavioral2", "https://tria.ge/220806-brndxabdh6/behavioral3", "https://tria.ge/220806-btaktsbea5/behavioral3", "https://tria.ge/220806-btaktsbea5/behavioral2", "https://tria.ge/220806-btaktsbea5/behavioral1", "https://tria.ge/220806-jrkl1sccfl", "https://tria.ge/220806-jrkl1sccfl/behavioral3", "https://tria.ge/220806-jrkl1sccfl/behavioral2", "https://tria.ge/220806-jrkl1sccfl/behavioral1", "https://tria.ge/220806-j2ztpaceak/behavioral1", "https://tria.ge/220806-j2ztpaceak/behavioral3", "https://tria.ge/220806-j3912scebk/behavioral3", "https://tria.ge/220806-j4w6ksfab3/behavioral3", "https://tria.ge/220830-17kqdsdfb2/behavioral3", "https://tria.ge/220830-17kqdsdfb2/behavioral2", "https://tria.ge/220830-17kqdsdfb2/behavioral1", "https://tria.ge/220729-d8e5zadga9/behavioral2", "https://tria.ge/220729-d8av9adga3/behavioral2", "https://tria.ge/220729-d74f6seedk/behavioral2", "https://tria.ge/220729-d7ta7sdfh9/behavioral2", "https://tria.ge/220729-d347xadfe7/behavioral2", "https://tria.ge/220729-d3yecseeam/behavioral2", "https://tria.ge/220729-d3sh4seeal/behavioral2", "https://tria.ge/220729-d3m9dsdfe3/behavioral2", "https://tria.ge/220729-d3dd7aedhk/behavioral2", "https://tria.ge/220729-d2kf4sedgl/behavioral2", "https://tria.ge/220729-d1hwwsdfc7/behavioral2", "https://tria.ge/220729-d85evsdgb3/behavioral2", "https://tria.ge/220729-ecv2zsdgd7/behavioral2", "https://tria.ge/220729-ecnb5sdgd5/behavioral2", "https://tria.ge/220729-wzxyjacgal/behavioral2", "https://tria.ge/220729-wzxyjacgal/behavioral1", "https://tria.ge/220729-w1gmyabhf2/behavioral2", "https://tria.ge/220729-24hbjaeeep/behavioral1", "https://tria.ge/220730-chkgbsehh6/behavioral2", "https://tria.ge/220731-f45wyabgbr/behavioral3", "https://tria.ge/220801-sppmmaafd6/behavioral28", "https://tria.ge/220801-sppmmaafd6/behavioral20", "https://tria.ge/220801-sppmmaafd6/behavioral19", "https://tria.ge/220802-kwqt9secdp", "https://tria.ge/220802-kwqt9secdp/behavioral1", "https://tria.ge/220803-yl8h8afgdn/behavioral1", "https://tria.ge/220803-yl8h8afgdn/behavioral12", "https://tria.ge/220803-yl8h8afgdn/behavioral8", "https://tria.ge/220803-yl8h8afgdn/behavioral7", "https://tria.ge/220803-yl8h8afgdn/behavioral4", "https://tria.ge/220803-yl8h8afgdn/behavioral3", "https://tria.ge/220803-ymle3sfgdp/behavioral6", "https://tria.ge/220803-ymle3sfgdp/behavioral28", "https://tria.ge/220803-ymle3sfgdp/behavioral27", "https://tria.ge/220803-ymle3sfgdp/behavioral23", "https://tria.ge/220803-ymle3sfgdp/behavioral19", "https://tria.ge/220803-ymle3sfgdp/behavioral15", "https://tria.ge/220803-yshldaehd8/behavioral14", "https://tria.ge/220803-yshldaehd8/behavioral13", "https://tria.ge/220803-yshldaehd8/behavioral3", "https://tria.ge/220726-xskv3addar/behavioral2", "https://tria.ge/220726-xskv3addar/behavioral1", "https://tria.ge/220726-xz7y6sddgk/behavioral1", "https://tria.ge/220726-xz7y6sddgk/behavioral4", "https://tria.ge/220726-xz7y6sddgk/behavioral3", "https://tria.ge/220726-xz7y6sddgk/behavioral2", "https://tria.ge/220726-x1m1dsddgl/behavioral1", "https://tria.ge/220726-x1m1dsddgl/behavioral4", "https://tria.ge/220726-x1m1dsddgl/behavioral3", "https://tria.ge/220726-x1m1dsddgl/behavioral2", "https://tria.ge/220727-bv535aghfl/behavioral8", "https://tria.ge/220727-bv535aghfl/behavioral7", "https://tria.ge/220727-bv535aghfl/behavioral1", "https://tria.ge/220729-dqk89secfn/behavioral1", "https://tria.ge/220729-dqgwvaecfm/behavioral1", "https://tria.ge/220724-rl2mcafdbm/behavioral1", "https://tria.ge/220724-rtnqfsfeg6/behavioral1", "https://tria.ge/220724-sheh3sgddl/behavioral1", "https://tria.ge/220724-slp4zsgdh2/behavioral1", "https://tria.ge/220724-tacvysheh8/behavioral7", "https://tria.ge/220724-tetn9shgf9", "https://tria.ge/220724-tmtn8sacej/behavioral1", "https://tria.ge/220724-tmtn8sacej/behavioral26", "https://tria.ge/220724-tmtn8sacej/behavioral25", "https://tria.ge/220724-tmtn8sacej/behavioral15", "https://tria.ge/220724-fgjeesffc7/behavioral1", "https://tria.ge/220724-fgjeesffc7/behavioral2", "https://tria.ge/220916-d8f29seef7/behavioral2", "https://tria.ge/220912-r4wh2shccm", "https://tria.ge/220912-r4wh2shccm/behavioral1", "https://tria.ge/220912-r4fsladea8/behavioral1", "https://tria.ge/220912-r36ydsdea7/behavioral2", "https://tria.ge/220912-r3z5vahccj/behavioral2", "https://tria.ge/220912-r25nyahcbp/behavioral2", "https://tria.ge/220912-r2sdlshcbn/behavioral2", "https://tria.ge/220912-r2j28sdea3/behavioral2", "https://tria.ge/220912-r2j28sdea3/behavioral1", "https://tria.ge/220912-r2dkfsdea2/behavioral2", "https://tria.ge/220912-r16vlsddh9/behavioral2", "https://tria.ge/220912-rxnvmaddh6/behavioral2", "https://tria.ge/220912-rxb6tsddh5/behavioral2", "https://tria.ge/220912-rtwfashcaq/behavioral2", "https://tria.ge/220912-rtf1lsddg8", "https://tria.ge/220912-rsreyshcam/behavioral2", "https://tria.ge/220912-rsc8bsddg6/behavioral3", "https://tria.ge/220912-rqlrpahbhr/behavioral2", "https://tria.ge/220912-rp93wshbhq/behavioral2", "https://tria.ge/220912-rpzxxshbhp/behavioral2", "https://tria.ge/220912-rpjkyaddf9/behavioral3", "https://tria.ge/220912-rn3meshbhl/behavioral2", "https://tria.ge/220912-regnladdd6/behavioral3", "https://tria.ge/220930-vmljasfbcm/behavioral2", "https://tria.ge/220930-vmv3qsfbcn/behavioral2", "https://tria.ge/221007-2b72gsdga7/behavioral32", "https://tria.ge/221007-2b72gsdga7/behavioral26", "https://tria.ge/221007-2b72gsdga7/behavioral25", "https://tria.ge/221007-2b72gsdga7/behavioral20", "https://tria.ge/221007-2b72gsdga7/behavioral19", "https://tria.ge/221007-2b72gsdga7/behavioral16", "https://tria.ge/221007-2b72gsdga7/behavioral15", "https://tria.ge/221012-bm6ppacbam/behavioral3", "https://tria.ge/221012-bm6ppacbam/behavioral14", "https://tria.ge/221012-bm6ppacbam/behavioral12", "https://tria.ge/221014-2dbfasegfn/behavioral3", "https://tria.ge/221015-rqzcsaffhq/behavioral2", "https://tria.ge/221202-wskpmaeg7x/behavioral2", "https://tria.ge/221202-wskpmaeg7x/behavioral1", "https://tria.ge/221205-jd6bkada9w/behavioral1", "https://tria.ge/221205-jd6bkada9w/behavioral2", "https://tria.ge/221212-j9yxcsdf2z/behavioral2", "https://tria.ge/221212-kcchjaah54/behavioral3", "https://tria.ge/221212-kcchjaah54/behavioral2", "https://tria.ge/221212-kcchjaah54/behavioral1", "https://tria.ge/221212-kdv19sdf3t/behavioral32", "https://tria.ge/221212-kdv19sdf3t/behavioral2", "https://tria.ge/221212-kd3q4sah55/behavioral3", "https://tria.ge/221215-sqzh8acf73/behavioral1", "https://tria.ge/221215-ta2t3sff7y/behavioral4", "https://tria.ge/221220-y6pa3seb4w/behavioral2", "https://tria.ge/221221-h9mcwsbg93/behavioral1", "https://tria.ge/221221-h9mcwsbg93/behavioral32", "https://tria.ge/221221-h9mcwsbg93/behavioral26", "https://tria.ge/221221-h9mcwsbg93/behavioral2", "https://tria.ge/221015-tfg2vsfge9/behavioral1", "https://tria.ge/221015-tfg2vsfge9/behavioral3", "https://tria.ge/221015-tfg2vsfge9/behavioral2", "https://tria.ge/221015-tlpznafgf6/behavioral1", "https://tria.ge/221015-tlpznafgf6/behavioral2", "https://tria.ge/221015-tl29zsfgf8/behavioral1", "https://tria.ge/221015-tl29zsfgf8/behavioral2", "https://tria.ge/221015-tlxz9sfgf7/behavioral1", "https://tria.ge/221015-tlxz9sfgf7/behavioral2", "https://tria.ge/221017-2zl4xsdec9/behavioral31", "https://tria.ge/221017-2zl4xsdec9/behavioral29", "https://tria.ge/221017-2zl4xsdec9/behavioral25", "https://tria.ge/221017-2zl4xsdec9/behavioral21", "https://tria.ge/221017-2zl4xsdec9/behavioral18", "https://tria.ge/221017-2zl4xsdec9/behavioral17", "https://tria.ge/221017-2zl4xsdec9/behavioral9", "https://tria.ge/221017-2zl4xsdec9/behavioral14", "https://tria.ge/221025-gp398sbfhp/behavioral15", "https://tria.ge/221025-gp398sbfhp/behavioral9", "https://tria.ge/221025-gp398sbfhp/behavioral8", "https://tria.ge/221025-gp398sbfhp/behavioral7", "https://tria.ge/221025-gp398sbfhp/behavioral6", "https://tria.ge/221025-gp398sbfhp/behavioral5", "https://tria.ge/221025-gp398sbfhp/behavioral4", "https://tria.ge/221025-gqnwyabfh3/behavioral1", "https://tria.ge/221025-gqnwyabfh3/behavioral3", "https://tria.ge/221025-gqnwyabfh3/behavioral2", "https://tria.ge/221028-y169psecbn/behavioral3", "https://tria.ge/221029-bjlv4sfcbr/behavioral15", "https://tria.ge/221029-bjlv4sfcbr/behavioral13", "https://tria.ge/221029-bjlv4sfcbr/behavioral8", "https://tria.ge/221029-bjlv4sfcbr/behavioral7", "https://tria.ge/221029-bj1z2afcdk/behavioral10", "https://tria.ge/221029-bj1z2afcdk/behavioral9", "https://tria.ge/221029-bj1z2afcdk/behavioral6", "https://tria.ge/221029-bj1z2afcdk/behavioral5", "https://tria.ge/221115-cpxegaee62/behavioral1", "https://tria.ge/221115-cpxegaee62/behavioral2", "https://tria.ge/230113-ctz16adf45", "https://tria.ge/230109-ywqq6aba3z", "https://tria.ge/230109-ywqq6aba3z/behavioral32", "https://tria.ge/230109-ywqq6aba3z/behavioral31", "https://tria.ge/230109-ywqq6aba3z/behavioral30", "https://tria.ge/230109-ywqq6aba3z/behavioral2", "https://tria.ge/230109-ywqq6aba3z/behavioral5", "https://tria.ge/230109-ywqq6aba3z/behavioral6", "https://tria.ge/230109-ywqq6aba3z/behavioral7", "https://tria.ge/230109-ywqq6aba3z/behavioral8", "https://tria.ge/230109-ywqq6aba3z/behavioral9", "https://tria.ge/230109-ywqq6aba3z/behavioral10", "https://tria.ge/230109-ywqq6aba3z/behavioral12", "https://tria.ge/230109-ywqq6aba3z/behavioral11", "https://tria.ge/230109-ywqq6aba3z/behavioral13", "https://tria.ge/230109-ywqq6aba3z/behavioral14", "https://tria.ge/230109-ywqq6aba3z/behavioral15", "https://tria.ge/230109-ywqq6aba3z/behavioral16", "https://tria.ge/230109-ywqq6aba3z/behavioral17", "https://tria.ge/230109-ywqq6aba3z/behavioral18", "https://tria.ge/230109-ywqq6aba3z/behavioral19", "https://tria.ge/230109-ywqq6aba3z/behavioral20", "https://tria.ge/230109-ywqq6aba3z/behavioral21", "https://tria.ge/230109-ywqq6aba3z/behavioral22", "https://tria.ge/230109-ywqq6aba3z/behavioral23", "https://tria.ge/230109-ywqq6aba3z/behavioral24", "https://tria.ge/230109-ywqq6aba3z/behavioral25", "https://tria.ge/230109-ywqq6aba3z/behavioral26", "https://tria.ge/230109-ywqq6aba3z/behavioral28", "https://tria.ge/230109-ywqq6aba3z/behavioral29", "https://tria.ge/230108-qvj8zshb3t/behavioral1", "https://tria.ge/230108-qskfzahb2y/behavioral12", "https://tria.ge/230108-qskfzahb2y/behavioral28", "https://tria.ge/230108-qskfzahb2y/behavioral27", "https://tria.ge/230108-qr6b2sdg22/behavioral1", "https://tria.ge/230108-qr6b2sdg22/behavioral2", "https://tria.ge/230108-qr1fssdf98/behavioral3", "https://tria.ge/230108-qr1fssdf98/behavioral1", "https://tria.ge/230108-qrv63sdf97/behavioral1", "https://tria.ge/230108-qrv63sdf97/behavioral2", "https://tria.ge/230108-qrmvpsdf96/behavioral1", "https://tria.ge/230108-qrmvpsdf96/behavioral2", "https://tria.ge/230108-fvadnsgb8s/behavioral12", "https://tria.ge/230108-fvadnsgb8s/behavioral2", "https://tria.ge/230108-ftyd4sgb71/behavioral9", "https://tria.ge/230108-ftrlkagb7z/behavioral2", "https://tria.ge/230106-ryhp1ace8y/behavioral2", "https://tria.ge/230120-lncs4sad55/behavioral3", "https://tria.ge/230115-xqrwlaag69/behavioral6", "https://tria.ge/230115-x2h3tsbb49/behavioral6", "https://tria.ge/230115-x2h3tsbb49/behavioral32", "https://tria.ge/230115-x2h3tsbb49/behavioral28", "https://tria.ge/230115-x2h3tsbb49/behavioral26", "https://tria.ge/230115-x2h3tsbb49/behavioral14", "https://tria.ge/230115-x2h3tsbb49/behavioral10", "https://tria.ge/230120-1vxjesbg9t/behavioral1", "https://tria.ge/230120-1vxjesbg9t/behavioral2", "https://tria.ge/230102-s2ryhseg39/behavioral10", "https://tria.ge/230102-s3kktshh7t/behavioral2", "https://tria.ge/230102-s3v2kahh7v/behavioral2", "https://tria.ge/230102-s38bwshh7y/behavioral2", "https://tria.ge/230102-s4zq5seg44/behavioral32", "https://tria.ge/230102-s2n7maeg38/behavioral12", "https://tria.ge/230102-s2n7maeg38/static1", "https://tria.ge/230102-tekflaeg63/static1", "https://tria.ge/230105-xbxhjacg76/behavioral1", "https://tria.ge/230105-xbxhjacg76/behavioral2", "https://tria.ge/221221-zk1mnagd4x/behavioral3", "https://tria.ge/221221-zjmz6sdc27/behavioral3", "https://tria.ge/221221-zjjmradc26/behavioral3", "https://tria.ge/221221-zjezkagd3w/behavioral3", "https://tria.ge/221225-df32bseb6z/behavioral11", "https://tria.ge/221225-df32bseb6z/behavioral26", "https://tria.ge/221225-df32bseb6z/behavioral25", "https://tria.ge/221225-destzaeb6y/behavioral1", "https://tria.ge/221225-destzaeb6y/behavioral2", "https://tria.ge/221224-hvmp4shf85/behavioral2", "https://tria.ge/221224-hqfq1ahf77/behavioral1", "https://tria.ge/221224-hqfq1ahf77/behavioral2", "https://tria.ge/221221-zvhvlagd7y/behavioral3", "https://tria.ge/240331-yqk9gsaf9z/behavioral8", "https://tria.ge/240331-yqk9gsaf9z/behavioral9", "https://tria.ge/240129-m661cagdb6/behavioral2", "https://tria.ge/240129-lkztgaehh2/behavioral3", "https://tria.ge/240111-cahyjaccem/behavioral31", "https://tria.ge/240111-cahyjaccem/behavioral30", "https://tria.ge/240111-cahyjaccem/behavioral29", "https://tria.ge/240111-cahyjaccem/behavioral22", "https://tria.ge/240111-cahyjaccem/behavioral21", "https://tria.ge/240111-cahyjaccem/behavioral11", "https://tria.ge/240107-eq4w2sfch5/behavioral7", "https://tria.ge/240106-dbq6zafccm/behavioral3", "https://tria.ge/231224-3h4hbaefg7/behavioral3", "https://tria.ge/231224-3h4hbaefg7/behavioral7", "https://tria.ge/231224-g5gq6sbhb2/behavioral7", "https://tria.ge/231217-zztgwsfger/behavioral2", "https://tria.ge/231217-ysjtfahaf3/behavioral7", "https://tria.ge/231217-yscecsfefl/behavioral7", "https://tria.ge/231217-yscecsfefl/behavioral11", "https://tria.ge/231217-yl3mzafebp/behavioral7", "https://tria.ge/231217-yl3mzafebp/behavioral2", "https://tria.ge/231217-yjcc1afeap/behavioral7", "https://tria.ge/231217-yjcc1afeap/behavioral3", "https://tria.ge/240317-kz93babd61/behavioral7", "https://tria.ge/240317-kz93babd61/behavioral3", "https://tria.ge/240409-btvwrshh94/behavioral3", "https://tria.ge/240409-btvwrshh94/behavioral11", "https://tria.ge/231015-l3gqlsdg6w/behavioral8", "https://tria.ge/230324-hax1cacf74", "https://tria.ge/230324-g9c9jscf67/behavioral2", "https://tria.ge/230324-g8jd6seg41/behavioral3", "https://tria.ge/230321-gr8yhaha33/behavioral5", "https://tria.ge/230321-gr8yhaha33/behavioral10", "https://tria.ge/230321-gr8yhaha33/behavioral9", "https://tria.ge/230321-gr8yhaha33/behavioral6", "https://tria.ge/230321-grwyyaha29/behavioral7", "https://tria.ge/230321-grwyyaha29/behavioral16", "https://tria.ge/230321-grwyyaha29/behavioral15", "https://tria.ge/230321-grwyyaha29/behavioral13", "https://tria.ge/230321-grwyyaha29/behavioral8", "https://tria.ge/230321-f6rgbsah5x", "https://tria.ge/230321-f1p2bagh55/behavioral2", "https://tria.ge/230321-f1p2bagh55/behavioral3", "https://tria.ge/230313-jp94wsbb8x/behavioral2", "https://tria.ge/230308-zttwgaha65/behavioral2", "https://tria.ge/230308-zr5j7aha49/behavioral2", "https://tria.ge/230308-zp7xjaga2z/behavioral3", "https://tria.ge/230307-1xx8qsbg5v/behavioral3", "https://tria.ge/230307-1xx8qsbg5v/behavioral4", "https://tria.ge/230307-1rdl5scc53/behavioral1", "https://tria.ge/230307-1f7e3scb88/behavioral4", "https://tria.ge/230307-1f7e3scb88/behavioral16", "https://tria.ge/230305-31dplshh79/behavioral2", "https://tria.ge/230305-31dplshh79/behavioral3", "https://tria.ge/230305-3s617ahd3s/behavioral2", "https://tria.ge/230305-3s617ahd3s/behavioral3", "https://tria.ge/230305-3snjvahh67/behavioral3", "https://tria.ge/230305-eckw1sff35/behavioral3", "https://tria.ge/230305-eckw1sff35/behavioral1", "https://tria.ge/230305-eb63vsfa61/behavioral3", "https://tria.ge/230305-eabwbsfa6z/behavioral2", "https://tria.ge/230305-eabwbsfa6z/behavioral3", "https://tria.ge/230305-d9lddafa6y/behavioral1", "https://tria.ge/230305-d9lddafa6y/behavioral2", "https://tria.ge/230305-d82c7sff27/behavioral3", "https://tria.ge/230305-d82c7sff27/behavioral1", "https://tria.ge/230305-d8rtrsff26/behavioral1", "https://tria.ge/230305-d8rtrsff26/behavioral2", "https://tria.ge/230305-d62aesff25/behavioral1", "https://tria.ge/230305-d62aesff25/behavioral2", "https://tria.ge/230305-d4phvafe99/behavioral1", "https://tria.ge/230305-d4phvafe99/behavioral2", "https://tria.ge/230305-d4a1fsfe98/behavioral1", "https://tria.ge/230305-d33dbafa51/behavioral1", "https://tria.ge/230305-d33dbafa51/behavioral2", "https://tria.ge/230305-d21s4afe93/behavioral1", "https://tria.ge/230305-d21s4afe93/behavioral31", "https://tria.ge/230305-d21s4afe93/behavioral23", "https://tria.ge/230305-d21s4afe93/behavioral21", "https://tria.ge/230305-d21s4afe93/behavioral13", "https://tria.ge/230305-dyzrmafe89", "https://tria.ge/230305-dycl4afa5v/behavioral29", "https://tria.ge/230305-dycl4afa5v/behavioral27", "https://tria.ge/230305-dycl4afa5v/behavioral7", "https://tria.ge/230305-dycl4afa5v/behavioral15", "https://tria.ge/230220-pbc5wsah96/behavioral3", "https://tria.ge/230220-pbc5wsah96/behavioral2", "https://tria.ge/230215-baxk9ahc37/behavioral1", "https://tria.ge/230215-baxk9ahc37/behavioral2", "https://tria.ge/230204-rnp2bsgh3y/behavioral1", "https://tria.ge/230204-rnp2bsgh3y/behavioral2", "https://tria.ge/230204-qvwa9add55", "https://tria.ge/230204-qvlrtadd53/behavioral3", "https://tria.ge/230202-h81h5ahc9z/behavioral2", "https://tria.ge/230202-h81h5ahc9z/behavioral3", "https://tria.ge/230201-av97eabb24/behavioral2", "https://tria.ge/230127-v6q8wsdg5y/behavioral2", "https://tria.ge/230125-kn9meafe37/behavioral1", "https://tria.ge/230125-kn9meafe37/behavioral2", "https://tria.ge/230122-tqj9zaac8v/behavioral3", "https://tria.ge/230122-tqj9zaac8v/behavioral1", "https://tria.ge/230122-tqj9zaac8v/behavioral2", "https://tria.ge/231206-hwhgsacd32/behavioral1", "https://tria.ge/231206-hwsbzscd34", "https://tria.ge/231206-hwsbzscd34/behavioral1", "https://tria.ge/231206-hvz1facd27/behavioral1" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1081", "name": "Credentials in Files", "display_name": "T1081 - Credentials in Files" }, { "id": "T1130", "name": "Install Root Certificate", "display_name": "T1130 - Install Root Certificate" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1489", "name": "Service Stop", "display_name": "T1489 - Service Stop" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1490", "name": "Inhibit System Recovery", "display_name": "T1490 - Inhibit System Recovery" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1067", "name": "Bootkit", "display_name": "T1067 - Bootkit" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1042", "name": "Change Default File Association", "display_name": "T1042 - Change Default File Association" } ], "industries": [], "TLP": "white", "cloned_from": "661c5aeb351e7ed1fd41dccd", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2817, "FileHash-SHA1": 2698, "FileHash-SHA256": 2703, "domain": 65, "URL": 12, "hostname": 13, "SSLCertFingerprint": 1 }, "indicator_count": 8309, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "65 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66b4f1234e20d1551dd7647a", "name": "Boratoken - x.com | Ransom | SnakeKeylogger | X.com redirect | Brian Sabey search results", "description": "Aggressively malicious x.com template.\nIntroduction: ' I was surprised to find this' regarding Google Phish of a 'Samuel Tulach' @X.Com Discussion: Exodus/ Cellebrite/Pegasus/NSO, Brian Sabey,etc,.\nImpacts at least 1 single individual, virustotal, Twitter/x.com.", "modified": "2024-09-07T22:38:23.513000", "created": "2024-08-08T16:24:02.550000", "tags": [ "no expiration", "filehashmd5", "iocs", "next", "all scoreblue", "pulse use", "domain", "ipv4", "url http", "url https", "cidr", "email", "ipv6", "code", "pdf report", "contact", "contacted", "registrar abuse", "phishing", "malware beacon", "x com", "twitter", "ransomware", "pyinstaller", "trojanspy", "trojan", "borpa", "samas", "formbook", "formbook cnc", "vtflooder", "namecheap", "'m nudie", "remote job", "get her work", "false files", "pornhub", "aaaa", "proofpoint", "are you hiring", "unknown", "united", "asnone united", "creation date", "search", "germany unknown", "expiration date", "date", "showing", "as61969 team", "body", "meta", "code", "screenshot", "servers", "server", "web attack" ], "references": [ "https://twitter.com/ootiosum/status/1812208222150726029a4dmHAxV0M0QIHawADl4Qr4kDegUI-QEQAA&usg=AOvVaw37yALadqlgoR9_xlQ5B4Hm", "http://borpatoken.com/", "netflix.com Akamai rank: #6", "phyn.app", "https://phyn.app/assets/images/Netflix-Background-phyn-dark.png", "pornhero.net 'we don't need another hero, hero, hero...' No Expiration\t0\t URL https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian No Expiration\t0\t Hostname www.pornhub.com No Expiration\t0\t URL https://8muses.info/other/adventure-time-porn-vault-boners-3-cartoon-porn-frosty-sanchez/20/ No Expiration\t14\t URL https://8muses.info/simpsons-porn/simpsons-special-bigboy/", "https://twitter.com/PORNO_SEXYBABES [Twitter Tsara Brashears related]", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "x.com related: www.pornhub.com", "Twitter/ X.xom related: https://8muses.info/other/adventure-time-porn-vault-boners-3-cartoon-porn-frosty-sanchez/20/", "TAGS: api call app store as13414 twitter as15133 verizon as16625 akamai as18450 as20940 as2914 ntt as397240 as397241 asnone ca issuers", "TAGS: camaro dragon canada click cloudfront cname co number code contact content content gmt copy crlf line cyber defense", "TAGS: email expiry gmt false file files final url for privacy form format malware beacon meta http meta tags namecheap inc", "TAGS: passive dns pattern match title page trojandropper united 12110kb aaaa add tag adversary tags", "TAGS: all scoreblue analyzer apache autoit borpa browser canada cidr ck id ck matrix code code contact contacted", "TAGS: create new domain email expiration filehashmd5 formbook cnc get google phish green hackers hackers heroku hostname", "TAGS: iocs layoutid8 malware nameaul namecheap next no expiration pcap pdf report pegasus topic phish phishing", "TAGS: photoshop prefs privacy service provider public tlp pulse provide pulse use pyinstaller", "TAGS: ransom ransomware red team registrar abuse roboto samas samuel tulach scan endpoints", "TAGS: screenshot snake snake keylogger suspicious template trojan downloader trojanspy tulach url http url https x template x verce" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 31, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 500, "FileHash-SHA1": 485, "FileHash-SHA256": 1177, "URL": 1033, "SSLCertFingerprint": 4, "domain": 801, "hostname": 1139, "email": 14, "CIDR": 2 }, "indicator_count": 5155, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "630 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "661c5aeb351e7ed1fd41dccd", "name": "Comprehensive Tria.ge import - Pro tip", "description": "You have to upload the specific behavior page to import IoC's outside of the static analysis. It's also important to note that over the course of the last six months the anti-VM and anti-sandbox and anti-debug capabilities got noticably better. This is only analysis that got a 6+ threat score. Not the countless files that did not run.", "modified": "2024-05-14T21:00:00.653000", "created": "2024-04-14T22:38:35.008000", "tags": [ "implementation", "murmurhash3", "jens taylor", "gary court", "austin appleby", "typeof h", "please", "javascript", "triage", "malware", "analysis", "report", "reported", "analyze", "sandbox", "score", "behavioral task", "resource", "ck v13", "general", "target", "size", "sha256", "sha512", "ssdeep", "config", "copy", "shell", "sample", "sha1", "execution", "sample sample", "gpio promo", "sample gpio", "gpio2 driv", "sample gpio2", "target gpio", "adversaries", "bypass", "download submit", "filesize", "executes", "file", "download", "key value", "set value", "explorer", "class", "monitor", "signatures", "discovery", "iocs", "asusit885", "vendady", "venmsft", "proddadydvdrom4", "prodharddisk4", "drops file", "checks scsi", "processes", "network", "replay", "armourycra", "armoury crate", "token", "exe loads", "factory", "prefetch8", "service", "ck v6", "mitre", "f13eed8e", "suspicious use", "samsungma", "defense", "alderlakep", "alderlake", "sunrisepoi", "skylakesk", "tigerlakep", "reads cpu", "reads runtime", "tmpinxi", "ttps", "checks computer", "ngen worker", "process", "state migration", "installer", "binzsh c", "ksversion", "kschannelid", "apps", "plugins", "xpcproxy", "helper", "chrome helper", "renderer", "binlaunchctl", "data filesize", "error", "document being", "devnull md5", "play", "hypervisor", "mount o", "t iso9660", "f varlogmount", "analog", "triage submit", "static", "report analysis", "logs loading", "analysis log", "dos win95", "f win98", "f hpfs", "w95 f", "fat12 fat16", "extend", "setpasswd", "f root", "checks cpu", "discovery t1082", "managerwar", "wifinetwor", "query registry", "multimedia", "inprocserver32", "apartment", "typelib", "persistence", "progid", "nummethods", "10 discovery", "t1012 system", "appdir", "prefetch1", "registers com", "both", "chromehtml", "windowsdef", "enumerates", "systemroot", "windows media", "9801", "components", "checks", "localserver32", "open", "edit", "xport", "maxwellbio", "execution flow", "write file", "nvidialin", "excel", "sample https", "modifies", "fdoemcdcd", "klinks", "t1120 system", "windowstemp", "sample read", "traffic", "go play", "sample go", "cuckptn", "cuckicrc", "binsh c", "tags", "deviceinfo", "windowsinf", "targets", "ck matrix", "attempts", "m2 ssd", "p40 game", "filesintelintel", "legacy", "catalogfile", "pciven8086", "ndisasuss", "sample http", "microsoftw", "destination ip", "waasregke", "qeaa", "ueaa", "yaxxz", "iebapeadxz", "iebapeagxz", "headers dll", "lredmond", "locale", "suspicious", "player list", "sample bcd", "resources", "usrbinlogger t", "updater", "pid1522", "shadow copy", "dellsuppor", "landriver", "inputperso", "ipsmigrati", "sample intel", "servicingkey", "0008", "viper m2", "cannonlake", "cometlakep", "coffeelake", "cometlake", "10 blocklisted", "data", "supportass", "iocs reads", "APT1" ], "references": [ "imurmurhash.min.js", "https://www.virustotal.com/gui/file/e58fe1f551a6fb3e0a8bbaed5f8cae96194ccbbba5f4da2914a5046a4df3725e?nocache=1", "https://www.virustotal.com/gui/file/03759f9a14c983a9e70d17d0552fb2bff9dc1fe8c9b837f859403449ecdadd11?nocache=1", "https://www.virustotal.com/gui/file/32dbd62fce658336afc05435cafed68029dba626e5863a39305eaf8f42ed74cd?nocache=1", "https://www.virustotal.com/gui/file/049645f56e88a33c0d5d74b5ad9dc7da425a326ee72db4885b712c16f9edeb54?nocache=1", "https://www.virustotal.com/gui/file/b9cee56cd245633f7debe4b6e93f1606ac6788a9749a8eba2d742cfd84e935fd?nocache=1", "https://www.virustotal.com/gui/file/b9cee56cd245633f7debe4b6e93f1606ac6788a9749a8eba2d742cfd84e935fd", "https://www.virustotal.com/gui/file/8694bebdcbe7854aae97fcecfce0fa0b5a9aa07b5f95cd2e55d62a25caaaa8d8?nocache=1", "https://www.virustotal.com/gui/file/b2b37af320b637acc1001404b6a7f9bbfc4dcfb7319bba92333be2050b398318/relations", "https://tria.ge/231217-yjcc1afeap", "https://tria.ge/231217-yl3mzafebp", "https://tria.ge/231217-yscecsfefl", "https://tria.ge/231217-ysjtfahaf3", "https://tria.ge/231217-zztgwsfger", "https://tria.ge/231224-g5gq6sbhb2", "https://tria.ge/231224-3h4hbaefg7", "https://tria.ge/240106-dbq6zafccm", "https://tria.ge/240107-eq4w2sfch5", "https://tria.ge/240111-cahyjaccem", "https://tria.ge/240129-lkztgaehh2", "https://tria.ge/240129-m661cagdb6", "https://tria.ge/240317-kz93babd61", "https://tria.ge/240317-kz93babd61/behavioral2", "https://tria.ge/240410-aceyjseb6v/behavioral4", "https://tria.ge/230108-ftrlkagb7z/behavioral1", "https://tria.ge/230108-ftyd4sgb71/behavioral10", "https://tria.ge/230108-fvadnsgb8s/behavioral27", "https://tria.ge/230108-qrmvpsdf96/behavioral3", "https://tria.ge/230108-qrv63sdf97/behavioral3", "https://tria.ge/230108-qr1fssdf98/behavioral2", "https://tria.ge/230108-qr6b2sdg22/behavioral3", "https://tria.ge/230108-qsdneshb2w/behavioral10", "https://tria.ge/230113-ctz16adf45/behavioral1", "https://tria.ge/230113-c3xbmadf82/behavioral2", "https://tria.ge/230113-c79shshd41/behavioral2", "https://tria.ge/230108-qvj8zshb3t/behavioral2", "https://tria.ge/230109-ywqq6aba3z/behavioral27", "https://tria.ge/230113-dbgbrshd61/behavioral5", "https://tria.ge/230113-dfhemadg66/behavioral7", "https://tria.ge/231015-l3gqlsdg6w/behavioral11", "https://tria.ge/230906-vajh6shg63/behavioral3", "https://tria.ge/230901-qkt1faeh2v/behavioral3", "https://tria.ge/231128-vbn52sbf51/behavioral7", "https://tria.ge/231206-gkeq3sbg68/behavioral7", "https://tria.ge/231206-hf1cnacb98/behavioral7", "https://tria.ge/240409-25x4dagh63/behavioral4", "https://tria.ge/240409-dhdjfsce54/behavioral3", "https://tria.ge/240409-btvwrshh94/behavioral2", "https://tria.ge/240402-zjrcladb42/behavioral28", "https://tria.ge/240402-zjrcladb42/behavioral27", "https://tria.ge/240402-zjrcladb42/behavioral1", "https://tria.ge/240402-zjrcladb42/behavioral2", "https://tria.ge/240402-zjrcladb42/behavioral3", "https://tria.ge/240402-zjrcladb42/behavioral4", "https://tria.ge/240402-zjrcladb42/behavioral5", "https://tria.ge/240402-zjrcladb42/behavioral6", "https://tria.ge/240402-zjrcladb42/behavioral9", "https://tria.ge/240402-zjrcladb42/behavioral13", "https://tria.ge/240402-zjrcladb42/behavioral13/analog", "https://tria.ge/240402-zjrcladb42/behavioral17", "https://tria.ge/240402-zjrcladb42/behavioral21", "https://tria.ge/240402-zjrcladb42/behavioral25", "https://tria.ge/240402-zjrcladb42/behavioral29", "https://tria.ge/240402-cb476add4w/behavioral2", "https://tria.ge/240401-b3bt9aad37/behavioral11", "https://tria.ge/240401-bztwnaac57/behavioral2", "https://tria.ge/240331-y9w54abd6t/behavioral7", "https://tria.ge/240331-yqk9gsaf9z/behavioral10", "https://tria.ge/240331-ykp1gsae3z/behavioral28", "https://tria.ge/240331-ykp1gsae3z/behavioral20", "https://tria.ge/240331-ykp1gsae3z/behavioral14", "https://tria.ge/240331-ykp1gsae3z/behavioral12", "https://tria.ge/240331-ykp1gsae3z/behavioral4", "https://tria.ge/240331-ykp1gsae3z/behavioral2", "https://tria.ge/220803-zggqdafbh7/behavioral2", "https://tria.ge/220803-y7119sgafr/behavioral12", "https://tria.ge/220803-y6bpzsfag2/behavioral28", "https://tria.ge/220803-y6bpzsfag2/behavioral26", "https://tria.ge/220803-y6bpzsfag2/behavioral22", "https://tria.ge/220803-y6bpzsfag2/behavioral20", "https://tria.ge/220803-y6bpzsfag2/behavioral18", "https://tria.ge/220803-y6bpzsfag2/behavioral16", "https://tria.ge/220803-y6bpzsfag2/behavioral12", "https://tria.ge/220803-y6bpzsfag2/behavioral10", "https://tria.ge/220803-1m2heafgb9/behavioral13", "https://tria.ge/220803-1m2heafgb9/behavioral8", "https://tria.ge/220803-1m4yjafgc2/behavioral31", "https://tria.ge/220803-1m4yjafgc2/behavioral29", "https://tria.ge/220803-1m4yjafgc2/behavioral27", "https://tria.ge/220803-1m4yjafgc2/behavioral25", "https://tria.ge/220803-1m4yjafgc2/behavioral23", "https://tria.ge/220803-1m4yjafgc2/behavioral22", "https://tria.ge/220803-1m4yjafgc2/behavioral19", "https://tria.ge/220803-1m4yjafgc2/behavioral17", "https://tria.ge/220803-1m4yjafgc2/behavioral15", "https://tria.ge/220803-1m4yjafgc2/behavioral13", "https://tria.ge/220803-1m4yjafgc2/behavioral9", "https://tria.ge/220803-1m4yjafgc2/behavioral7", "https://tria.ge/220803-1m4yjafgc2/behavioral6", "https://tria.ge/220803-1m4yjafgc2/behavioral5", "https://tria.ge/220803-1m4yjafgc2/behavioral3", "https://tria.ge/220803-1m4yjafgc2/behavioral2", "https://tria.ge/220803-1m4yjafgc2/behavioral1", "https://tria.ge/220803-1nlhksfgc3/behavioral32", "https://tria.ge/220803-1nlhksfgc3/behavioral1", "https://tria.ge/220803-1pfnqagffp/behavioral32", "https://tria.ge/220803-1pfnqagffp/behavioral4", "https://tria.ge/220803-1qd7aafgd9/behavioral28", "https://tria.ge/220803-1qd7aafgd9/behavioral24", "https://tria.ge/220803-1qd7aafgd9/behavioral23", "https://tria.ge/220803-1qd7aafgd9/behavioral22", "https://tria.ge/220803-1qd7aafgd9/behavioral21", "https://tria.ge/220803-1qd7aafgd9/behavioral15", "https://tria.ge/220803-1qs1fafge3/behavioral29", "https://tria.ge/220803-1qs1fafge3/behavioral27", "https://tria.ge/220803-1qs1fafge3/behavioral25", "https://tria.ge/220803-1qs1fafge3/behavioral23", "https://tria.ge/220803-1qs1fafge3/behavioral22", "https://tria.ge/220803-1qs1fafge3/behavioral19", "https://tria.ge/220803-1qs1fafge3/behavioral17", "https://tria.ge/220803-1qs1fafge3/behavioral13", "https://tria.ge/220803-1qs1fafge3/behavioral9", "https://tria.ge/220803-1qs1fafge3/behavioral6", "https://tria.ge/220803-1qs1fafge3/behavioral5", "https://tria.ge/220803-1qs1fafge3/behavioral1", "https://tria.ge/220803-1qs1fafge3/behavioral2", "https://tria.ge/220803-1qs1fafge3/behavioral3", "https://tria.ge/220803-1rxd9afgf2/behavioral28", "https://tria.ge/220803-1rxd9afgf2/behavioral27", "https://tria.ge/220803-1rxd9afgf2/behavioral23", "https://tria.ge/220803-1rxd9afgf2/behavioral19", "https://tria.ge/220803-1rxd9afgf2/behavioral15", "https://tria.ge/220804-cb7naaafeq", "https://tria.ge/220804-cb7naaafeq/behavioral1", "https://tria.ge/220805-fqatmsgbdr/behavioral3", "https://tria.ge/220805-fqkzlsfcb6/behavioral3", "https://tria.ge/220805-ft3zlafce6/behavioral1", "https://tria.ge/220805-ft3zlafce6/behavioral3", "https://tria.ge/220805-ft3zlafce6/behavioral2", "https://tria.ge/220805-fwthyagcbq/behavioral3", "https://tria.ge/220805-fwthyagcbq/behavioral2", "https://tria.ge/220805-fwthyagcbq/behavioral1", "https://tria.ge/220805-f286ksfdc7", "https://tria.ge/220805-f286ksfdc7/behavioral3", "https://tria.ge/220805-gca3xsgeaj/behavioral2", "https://tria.ge/220805-gca3xsgeaj/behavioral3", "https://tria.ge/220805-gv8rxafgf8/behavioral3", "https://tria.ge/220805-gv8rxafgf8/behavioral1", "https://tria.ge/220805-h1w6qshdaq/behavioral3", "https://tria.ge/220805-h1w6qshdaq/behavioral2", "https://tria.ge/220805-h1w6qshdaq/behavioral1", "https://tria.ge/220805-yv476aggd6/behavioral3", "https://tria.ge/220805-yv476aggd6/behavioral2", "https://tria.ge/220805-zetbdshag5/behavioral3", "https://tria.ge/220805-zetbdshag5/behavioral1", "https://tria.ge/220806-brndxabdh6/behavioral1", "https://tria.ge/220806-brndxabdh6/behavioral2", "https://tria.ge/220806-brndxabdh6/behavioral3", "https://tria.ge/220806-btaktsbea5/behavioral3", "https://tria.ge/220806-btaktsbea5/behavioral2", "https://tria.ge/220806-btaktsbea5/behavioral1", "https://tria.ge/220806-jrkl1sccfl", "https://tria.ge/220806-jrkl1sccfl/behavioral3", "https://tria.ge/220806-jrkl1sccfl/behavioral2", "https://tria.ge/220806-jrkl1sccfl/behavioral1", "https://tria.ge/220806-j2ztpaceak/behavioral1", "https://tria.ge/220806-j2ztpaceak/behavioral3", "https://tria.ge/220806-j3912scebk/behavioral3", "https://tria.ge/220806-j4w6ksfab3/behavioral3", "https://tria.ge/220830-17kqdsdfb2/behavioral3", "https://tria.ge/220830-17kqdsdfb2/behavioral2", "https://tria.ge/220830-17kqdsdfb2/behavioral1", "https://tria.ge/220729-d8e5zadga9/behavioral2", "https://tria.ge/220729-d8av9adga3/behavioral2", "https://tria.ge/220729-d74f6seedk/behavioral2", "https://tria.ge/220729-d7ta7sdfh9/behavioral2", "https://tria.ge/220729-d347xadfe7/behavioral2", "https://tria.ge/220729-d3yecseeam/behavioral2", "https://tria.ge/220729-d3sh4seeal/behavioral2", "https://tria.ge/220729-d3m9dsdfe3/behavioral2", "https://tria.ge/220729-d3dd7aedhk/behavioral2", "https://tria.ge/220729-d2kf4sedgl/behavioral2", "https://tria.ge/220729-d1hwwsdfc7/behavioral2", "https://tria.ge/220729-d85evsdgb3/behavioral2", "https://tria.ge/220729-ecv2zsdgd7/behavioral2", "https://tria.ge/220729-ecnb5sdgd5/behavioral2", "https://tria.ge/220729-wzxyjacgal/behavioral2", "https://tria.ge/220729-wzxyjacgal/behavioral1", "https://tria.ge/220729-w1gmyabhf2/behavioral2", "https://tria.ge/220729-24hbjaeeep/behavioral1", "https://tria.ge/220730-chkgbsehh6/behavioral2", "https://tria.ge/220731-f45wyabgbr/behavioral3", "https://tria.ge/220801-sppmmaafd6/behavioral28", "https://tria.ge/220801-sppmmaafd6/behavioral20", "https://tria.ge/220801-sppmmaafd6/behavioral19", "https://tria.ge/220802-kwqt9secdp", "https://tria.ge/220802-kwqt9secdp/behavioral1", "https://tria.ge/220803-yl8h8afgdn/behavioral1", "https://tria.ge/220803-yl8h8afgdn/behavioral12", "https://tria.ge/220803-yl8h8afgdn/behavioral8", "https://tria.ge/220803-yl8h8afgdn/behavioral7", "https://tria.ge/220803-yl8h8afgdn/behavioral4", "https://tria.ge/220803-yl8h8afgdn/behavioral3", "https://tria.ge/220803-ymle3sfgdp/behavioral6", "https://tria.ge/220803-ymle3sfgdp/behavioral28", "https://tria.ge/220803-ymle3sfgdp/behavioral27", "https://tria.ge/220803-ymle3sfgdp/behavioral23", "https://tria.ge/220803-ymle3sfgdp/behavioral19", "https://tria.ge/220803-ymle3sfgdp/behavioral15", "https://tria.ge/220803-yshldaehd8/behavioral14", "https://tria.ge/220803-yshldaehd8/behavioral13", "https://tria.ge/220803-yshldaehd8/behavioral3", "https://tria.ge/220726-xskv3addar/behavioral2", "https://tria.ge/220726-xskv3addar/behavioral1", "https://tria.ge/220726-xz7y6sddgk/behavioral1", "https://tria.ge/220726-xz7y6sddgk/behavioral4", "https://tria.ge/220726-xz7y6sddgk/behavioral3", "https://tria.ge/220726-xz7y6sddgk/behavioral2", "https://tria.ge/220726-x1m1dsddgl/behavioral1", "https://tria.ge/220726-x1m1dsddgl/behavioral4", "https://tria.ge/220726-x1m1dsddgl/behavioral3", "https://tria.ge/220726-x1m1dsddgl/behavioral2", "https://tria.ge/220727-bv535aghfl/behavioral8", "https://tria.ge/220727-bv535aghfl/behavioral7", "https://tria.ge/220727-bv535aghfl/behavioral1", "https://tria.ge/220729-dqk89secfn/behavioral1", "https://tria.ge/220729-dqgwvaecfm/behavioral1", "https://tria.ge/220724-rl2mcafdbm/behavioral1", "https://tria.ge/220724-rtnqfsfeg6/behavioral1", "https://tria.ge/220724-sheh3sgddl/behavioral1", "https://tria.ge/220724-slp4zsgdh2/behavioral1", "https://tria.ge/220724-tacvysheh8/behavioral7", "https://tria.ge/220724-tetn9shgf9", "https://tria.ge/220724-tmtn8sacej/behavioral1", "https://tria.ge/220724-tmtn8sacej/behavioral26", "https://tria.ge/220724-tmtn8sacej/behavioral25", "https://tria.ge/220724-tmtn8sacej/behavioral15", "https://tria.ge/220724-fgjeesffc7/behavioral1", "https://tria.ge/220724-fgjeesffc7/behavioral2", "https://tria.ge/220916-d8f29seef7/behavioral2", "https://tria.ge/220912-r4wh2shccm", "https://tria.ge/220912-r4wh2shccm/behavioral1", "https://tria.ge/220912-r4fsladea8/behavioral1", "https://tria.ge/220912-r36ydsdea7/behavioral2", "https://tria.ge/220912-r3z5vahccj/behavioral2", "https://tria.ge/220912-r25nyahcbp/behavioral2", "https://tria.ge/220912-r2sdlshcbn/behavioral2", "https://tria.ge/220912-r2j28sdea3/behavioral2", "https://tria.ge/220912-r2j28sdea3/behavioral1", "https://tria.ge/220912-r2dkfsdea2/behavioral2", "https://tria.ge/220912-r16vlsddh9/behavioral2", "https://tria.ge/220912-rxnvmaddh6/behavioral2", "https://tria.ge/220912-rxb6tsddh5/behavioral2", "https://tria.ge/220912-rtwfashcaq/behavioral2", "https://tria.ge/220912-rtf1lsddg8", "https://tria.ge/220912-rsreyshcam/behavioral2", "https://tria.ge/220912-rsc8bsddg6/behavioral3", "https://tria.ge/220912-rqlrpahbhr/behavioral2", "https://tria.ge/220912-rp93wshbhq/behavioral2", "https://tria.ge/220912-rpzxxshbhp/behavioral2", "https://tria.ge/220912-rpjkyaddf9/behavioral3", "https://tria.ge/220912-rn3meshbhl/behavioral2", "https://tria.ge/220912-regnladdd6/behavioral3", "https://tria.ge/220930-vmljasfbcm/behavioral2", "https://tria.ge/220930-vmv3qsfbcn/behavioral2", "https://tria.ge/221007-2b72gsdga7/behavioral32", "https://tria.ge/221007-2b72gsdga7/behavioral26", "https://tria.ge/221007-2b72gsdga7/behavioral25", "https://tria.ge/221007-2b72gsdga7/behavioral20", "https://tria.ge/221007-2b72gsdga7/behavioral19", "https://tria.ge/221007-2b72gsdga7/behavioral16", "https://tria.ge/221007-2b72gsdga7/behavioral15", "https://tria.ge/221012-bm6ppacbam/behavioral3", "https://tria.ge/221012-bm6ppacbam/behavioral14", "https://tria.ge/221012-bm6ppacbam/behavioral12", "https://tria.ge/221014-2dbfasegfn/behavioral3", "https://tria.ge/221015-rqzcsaffhq/behavioral2", "https://tria.ge/221202-wskpmaeg7x/behavioral2", "https://tria.ge/221202-wskpmaeg7x/behavioral1", "https://tria.ge/221205-jd6bkada9w/behavioral1", "https://tria.ge/221205-jd6bkada9w/behavioral2", "https://tria.ge/221212-j9yxcsdf2z/behavioral2", "https://tria.ge/221212-kcchjaah54/behavioral3", "https://tria.ge/221212-kcchjaah54/behavioral2", "https://tria.ge/221212-kcchjaah54/behavioral1", "https://tria.ge/221212-kdv19sdf3t/behavioral32", "https://tria.ge/221212-kdv19sdf3t/behavioral2", "https://tria.ge/221212-kd3q4sah55/behavioral3", "https://tria.ge/221215-sqzh8acf73/behavioral1", "https://tria.ge/221215-ta2t3sff7y/behavioral4", "https://tria.ge/221220-y6pa3seb4w/behavioral2", "https://tria.ge/221221-h9mcwsbg93/behavioral1", "https://tria.ge/221221-h9mcwsbg93/behavioral32", "https://tria.ge/221221-h9mcwsbg93/behavioral26", "https://tria.ge/221221-h9mcwsbg93/behavioral2", "https://tria.ge/221015-tfg2vsfge9/behavioral1", "https://tria.ge/221015-tfg2vsfge9/behavioral3", "https://tria.ge/221015-tfg2vsfge9/behavioral2", "https://tria.ge/221015-tlpznafgf6/behavioral1", "https://tria.ge/221015-tlpznafgf6/behavioral2", "https://tria.ge/221015-tl29zsfgf8/behavioral1", "https://tria.ge/221015-tl29zsfgf8/behavioral2", "https://tria.ge/221015-tlxz9sfgf7/behavioral1", "https://tria.ge/221015-tlxz9sfgf7/behavioral2", "https://tria.ge/221017-2zl4xsdec9/behavioral31", "https://tria.ge/221017-2zl4xsdec9/behavioral29", "https://tria.ge/221017-2zl4xsdec9/behavioral25", "https://tria.ge/221017-2zl4xsdec9/behavioral21", "https://tria.ge/221017-2zl4xsdec9/behavioral18", "https://tria.ge/221017-2zl4xsdec9/behavioral17", "https://tria.ge/221017-2zl4xsdec9/behavioral9", "https://tria.ge/221017-2zl4xsdec9/behavioral14", "https://tria.ge/221025-gp398sbfhp/behavioral15", "https://tria.ge/221025-gp398sbfhp/behavioral9", "https://tria.ge/221025-gp398sbfhp/behavioral8", "https://tria.ge/221025-gp398sbfhp/behavioral7", "https://tria.ge/221025-gp398sbfhp/behavioral6", "https://tria.ge/221025-gp398sbfhp/behavioral5", "https://tria.ge/221025-gp398sbfhp/behavioral4", "https://tria.ge/221025-gqnwyabfh3/behavioral1", "https://tria.ge/221025-gqnwyabfh3/behavioral3", "https://tria.ge/221025-gqnwyabfh3/behavioral2", "https://tria.ge/221028-y169psecbn/behavioral3", "https://tria.ge/221029-bjlv4sfcbr/behavioral15", "https://tria.ge/221029-bjlv4sfcbr/behavioral13", "https://tria.ge/221029-bjlv4sfcbr/behavioral8", "https://tria.ge/221029-bjlv4sfcbr/behavioral7", "https://tria.ge/221029-bj1z2afcdk/behavioral10", "https://tria.ge/221029-bj1z2afcdk/behavioral9", "https://tria.ge/221029-bj1z2afcdk/behavioral6", "https://tria.ge/221029-bj1z2afcdk/behavioral5", "https://tria.ge/221115-cpxegaee62/behavioral1", "https://tria.ge/221115-cpxegaee62/behavioral2", "https://tria.ge/230113-ctz16adf45", "https://tria.ge/230109-ywqq6aba3z", "https://tria.ge/230109-ywqq6aba3z/behavioral32", "https://tria.ge/230109-ywqq6aba3z/behavioral31", "https://tria.ge/230109-ywqq6aba3z/behavioral30", "https://tria.ge/230109-ywqq6aba3z/behavioral2", "https://tria.ge/230109-ywqq6aba3z/behavioral5", "https://tria.ge/230109-ywqq6aba3z/behavioral6", "https://tria.ge/230109-ywqq6aba3z/behavioral7", "https://tria.ge/230109-ywqq6aba3z/behavioral8", "https://tria.ge/230109-ywqq6aba3z/behavioral9", "https://tria.ge/230109-ywqq6aba3z/behavioral10", "https://tria.ge/230109-ywqq6aba3z/behavioral12", "https://tria.ge/230109-ywqq6aba3z/behavioral11", "https://tria.ge/230109-ywqq6aba3z/behavioral13", "https://tria.ge/230109-ywqq6aba3z/behavioral14", "https://tria.ge/230109-ywqq6aba3z/behavioral15", "https://tria.ge/230109-ywqq6aba3z/behavioral16", "https://tria.ge/230109-ywqq6aba3z/behavioral17", "https://tria.ge/230109-ywqq6aba3z/behavioral18", "https://tria.ge/230109-ywqq6aba3z/behavioral19", "https://tria.ge/230109-ywqq6aba3z/behavioral20", "https://tria.ge/230109-ywqq6aba3z/behavioral21", "https://tria.ge/230109-ywqq6aba3z/behavioral22", "https://tria.ge/230109-ywqq6aba3z/behavioral23", "https://tria.ge/230109-ywqq6aba3z/behavioral24", "https://tria.ge/230109-ywqq6aba3z/behavioral25", "https://tria.ge/230109-ywqq6aba3z/behavioral26", "https://tria.ge/230109-ywqq6aba3z/behavioral28", "https://tria.ge/230109-ywqq6aba3z/behavioral29", "https://tria.ge/230108-qvj8zshb3t/behavioral1", "https://tria.ge/230108-qskfzahb2y/behavioral12", "https://tria.ge/230108-qskfzahb2y/behavioral28", "https://tria.ge/230108-qskfzahb2y/behavioral27", "https://tria.ge/230108-qr6b2sdg22/behavioral1", "https://tria.ge/230108-qr6b2sdg22/behavioral2", "https://tria.ge/230108-qr1fssdf98/behavioral3", "https://tria.ge/230108-qr1fssdf98/behavioral1", "https://tria.ge/230108-qrv63sdf97/behavioral1", "https://tria.ge/230108-qrv63sdf97/behavioral2", "https://tria.ge/230108-qrmvpsdf96/behavioral1", "https://tria.ge/230108-qrmvpsdf96/behavioral2", "https://tria.ge/230108-fvadnsgb8s/behavioral12", "https://tria.ge/230108-fvadnsgb8s/behavioral2", "https://tria.ge/230108-ftyd4sgb71/behavioral9", "https://tria.ge/230108-ftrlkagb7z/behavioral2", "https://tria.ge/230106-ryhp1ace8y/behavioral2", "https://tria.ge/230120-lncs4sad55/behavioral3", "https://tria.ge/230115-xqrwlaag69/behavioral6", "https://tria.ge/230115-x2h3tsbb49/behavioral6", "https://tria.ge/230115-x2h3tsbb49/behavioral32", "https://tria.ge/230115-x2h3tsbb49/behavioral28", "https://tria.ge/230115-x2h3tsbb49/behavioral26", "https://tria.ge/230115-x2h3tsbb49/behavioral14", "https://tria.ge/230115-x2h3tsbb49/behavioral10", "https://tria.ge/230120-1vxjesbg9t/behavioral1", "https://tria.ge/230120-1vxjesbg9t/behavioral2", "https://tria.ge/230102-s2ryhseg39/behavioral10", "https://tria.ge/230102-s3kktshh7t/behavioral2", "https://tria.ge/230102-s3v2kahh7v/behavioral2", "https://tria.ge/230102-s38bwshh7y/behavioral2", "https://tria.ge/230102-s4zq5seg44/behavioral32", "https://tria.ge/230102-s2n7maeg38/behavioral12", "https://tria.ge/230102-s2n7maeg38/static1", "https://tria.ge/230102-tekflaeg63/static1", "https://tria.ge/230105-xbxhjacg76/behavioral1", "https://tria.ge/230105-xbxhjacg76/behavioral2", "https://tria.ge/221221-zk1mnagd4x/behavioral3", "https://tria.ge/221221-zjmz6sdc27/behavioral3", "https://tria.ge/221221-zjjmradc26/behavioral3", "https://tria.ge/221221-zjezkagd3w/behavioral3", "https://tria.ge/221225-df32bseb6z/behavioral11", "https://tria.ge/221225-df32bseb6z/behavioral26", "https://tria.ge/221225-df32bseb6z/behavioral25", "https://tria.ge/221225-destzaeb6y/behavioral1", "https://tria.ge/221225-destzaeb6y/behavioral2", "https://tria.ge/221224-hvmp4shf85/behavioral2", "https://tria.ge/221224-hqfq1ahf77/behavioral1", "https://tria.ge/221224-hqfq1ahf77/behavioral2", "https://tria.ge/221221-zvhvlagd7y/behavioral3", "https://tria.ge/240331-yqk9gsaf9z/behavioral8", "https://tria.ge/240331-yqk9gsaf9z/behavioral9", "https://tria.ge/240129-m661cagdb6/behavioral2", "https://tria.ge/240129-lkztgaehh2/behavioral3", "https://tria.ge/240111-cahyjaccem/behavioral31", "https://tria.ge/240111-cahyjaccem/behavioral30", "https://tria.ge/240111-cahyjaccem/behavioral29", "https://tria.ge/240111-cahyjaccem/behavioral22", "https://tria.ge/240111-cahyjaccem/behavioral21", "https://tria.ge/240111-cahyjaccem/behavioral11", "https://tria.ge/240107-eq4w2sfch5/behavioral7", "https://tria.ge/240106-dbq6zafccm/behavioral3", "https://tria.ge/231224-3h4hbaefg7/behavioral3", "https://tria.ge/231224-3h4hbaefg7/behavioral7", "https://tria.ge/231224-g5gq6sbhb2/behavioral7", "https://tria.ge/231217-zztgwsfger/behavioral2", "https://tria.ge/231217-ysjtfahaf3/behavioral7", "https://tria.ge/231217-yscecsfefl/behavioral7", "https://tria.ge/231217-yscecsfefl/behavioral11", "https://tria.ge/231217-yl3mzafebp/behavioral7", "https://tria.ge/231217-yl3mzafebp/behavioral2", "https://tria.ge/231217-yjcc1afeap/behavioral7", "https://tria.ge/231217-yjcc1afeap/behavioral3", "https://tria.ge/240317-kz93babd61/behavioral7", "https://tria.ge/240317-kz93babd61/behavioral3", "https://tria.ge/240409-btvwrshh94/behavioral3", "https://tria.ge/240409-btvwrshh94/behavioral11", "https://tria.ge/231015-l3gqlsdg6w/behavioral8", "https://tria.ge/230324-hax1cacf74", "https://tria.ge/230324-g9c9jscf67/behavioral2", "https://tria.ge/230324-g8jd6seg41/behavioral3", "https://tria.ge/230321-gr8yhaha33/behavioral5", "https://tria.ge/230321-gr8yhaha33/behavioral10", "https://tria.ge/230321-gr8yhaha33/behavioral9", "https://tria.ge/230321-gr8yhaha33/behavioral6", "https://tria.ge/230321-grwyyaha29/behavioral7", "https://tria.ge/230321-grwyyaha29/behavioral16", "https://tria.ge/230321-grwyyaha29/behavioral15", "https://tria.ge/230321-grwyyaha29/behavioral13", "https://tria.ge/230321-grwyyaha29/behavioral8", "https://tria.ge/230321-f6rgbsah5x", "https://tria.ge/230321-f1p2bagh55/behavioral2", "https://tria.ge/230321-f1p2bagh55/behavioral3", "https://tria.ge/230313-jp94wsbb8x/behavioral2", "https://tria.ge/230308-zttwgaha65/behavioral2", "https://tria.ge/230308-zr5j7aha49/behavioral2", "https://tria.ge/230308-zp7xjaga2z/behavioral3", "https://tria.ge/230307-1xx8qsbg5v/behavioral3", "https://tria.ge/230307-1xx8qsbg5v/behavioral4", "https://tria.ge/230307-1rdl5scc53/behavioral1", "https://tria.ge/230307-1f7e3scb88/behavioral4", "https://tria.ge/230307-1f7e3scb88/behavioral16", "https://tria.ge/230305-31dplshh79/behavioral2", "https://tria.ge/230305-31dplshh79/behavioral3", "https://tria.ge/230305-3s617ahd3s/behavioral2", "https://tria.ge/230305-3s617ahd3s/behavioral3", "https://tria.ge/230305-3snjvahh67/behavioral3", "https://tria.ge/230305-eckw1sff35/behavioral3", "https://tria.ge/230305-eckw1sff35/behavioral1", "https://tria.ge/230305-eb63vsfa61/behavioral3", "https://tria.ge/230305-eabwbsfa6z/behavioral2", "https://tria.ge/230305-eabwbsfa6z/behavioral3", "https://tria.ge/230305-d9lddafa6y/behavioral1", "https://tria.ge/230305-d9lddafa6y/behavioral2", "https://tria.ge/230305-d82c7sff27/behavioral3", "https://tria.ge/230305-d82c7sff27/behavioral1", "https://tria.ge/230305-d8rtrsff26/behavioral1", "https://tria.ge/230305-d8rtrsff26/behavioral2", "https://tria.ge/230305-d62aesff25/behavioral1", "https://tria.ge/230305-d62aesff25/behavioral2", "https://tria.ge/230305-d4phvafe99/behavioral1", "https://tria.ge/230305-d4phvafe99/behavioral2", "https://tria.ge/230305-d4a1fsfe98/behavioral1", "https://tria.ge/230305-d33dbafa51/behavioral1", "https://tria.ge/230305-d33dbafa51/behavioral2", "https://tria.ge/230305-d21s4afe93/behavioral1", "https://tria.ge/230305-d21s4afe93/behavioral31", "https://tria.ge/230305-d21s4afe93/behavioral23", "https://tria.ge/230305-d21s4afe93/behavioral21", "https://tria.ge/230305-d21s4afe93/behavioral13", "https://tria.ge/230305-dyzrmafe89", "https://tria.ge/230305-dycl4afa5v/behavioral29", "https://tria.ge/230305-dycl4afa5v/behavioral27", "https://tria.ge/230305-dycl4afa5v/behavioral7", "https://tria.ge/230305-dycl4afa5v/behavioral15", "https://tria.ge/230220-pbc5wsah96/behavioral3", "https://tria.ge/230220-pbc5wsah96/behavioral2", "https://tria.ge/230215-baxk9ahc37/behavioral1", "https://tria.ge/230215-baxk9ahc37/behavioral2", "https://tria.ge/230204-rnp2bsgh3y/behavioral1", "https://tria.ge/230204-rnp2bsgh3y/behavioral2", "https://tria.ge/230204-qvwa9add55", "https://tria.ge/230204-qvlrtadd53/behavioral3", "https://tria.ge/230202-h81h5ahc9z/behavioral2", "https://tria.ge/230202-h81h5ahc9z/behavioral3", "https://tria.ge/230201-av97eabb24/behavioral2", "https://tria.ge/230127-v6q8wsdg5y/behavioral2", "https://tria.ge/230125-kn9meafe37/behavioral1", "https://tria.ge/230125-kn9meafe37/behavioral2", "https://tria.ge/230122-tqj9zaac8v/behavioral3", "https://tria.ge/230122-tqj9zaac8v/behavioral1", "https://tria.ge/230122-tqj9zaac8v/behavioral2", "https://tria.ge/231206-hwhgsacd32/behavioral1", "https://tria.ge/231206-hwsbzscd34", "https://tria.ge/231206-hwsbzscd34/behavioral1", "https://tria.ge/231206-hvz1facd27/behavioral1" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1081", "name": "Credentials in Files", "display_name": "T1081 - Credentials in Files" }, { "id": "T1130", "name": "Install Root Certificate", "display_name": "T1130 - Install Root Certificate" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1489", "name": "Service Stop", "display_name": "T1489 - Service Stop" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1490", "name": "Inhibit System Recovery", "display_name": "T1490 - Inhibit System Recovery" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1067", "name": "Bootkit", "display_name": "T1067 - Bootkit" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1042", "name": "Change Default File Association", "display_name": "T1042 - Change Default File Association" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 39, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Merkd1904", "id": "196517", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2817, "FileHash-SHA1": 2698, "FileHash-SHA256": 2703, "domain": 65, "URL": 12, "hostname": 13, "SSLCertFingerprint": 1 }, "indicator_count": 8309, "is_author": false, "is_subscribing": null, "subscriber_count": 76, "modified_text": "746 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "command.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "command.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780222167.4157639 }