{ "type": "Domain", "indicator": "constants.py", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/constants.py", "alexa": "http://www.alexa.com/siteinfo/constants.py", "indicator": "constants.py", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 3329713367, "indicator": "constants.py", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 9, "pulses": [ { "id": "6a132a7a71682c83e9c17835", "name": "Fastly: find your muse + keep them on your radar * CAPE Sandbox", "description": "Optics at Altitude is a commercial drone photography and videography service based out of the South Shore, Massachusetts, and beyond, which provides high-quality imagery for a wide-variety of industries and needs.-443 Certificate Caissuers\thttp://secure.globalsign.com/cacert/cloudsslsha2g3.crt\n443 Certificate Ocsp\thttp://ocsp2.globalsign.com/cloudsslsha2g3\n443 Certificate Serialnumber\t0C3B770C982FCBFC7B00B74A\n443 Certificate Notafter\tApr 14 16:28:35 2019 GMT\n443 Certificate Version\t3\n443 Certificate Subject\tUS\n443 Certificate Subject\tCalifornia\n443 Certificate Subject\tSan Francisco\n443 Certificate Subject\tFastly, Inc\n443 Certificate Issuer\tBE\n443 Certificate Issuer\tGlobalSign nv-sa", "modified": "2026-05-26T06:44:42.987000", "created": "2026-05-24T16:42:34.355000", "tags": [ "ip address", "status code", "body length", "kb body", "sha256", "csv text", "altitude", "south shore", "uas imagery", "massachusetts", "marshfield", "scituate", "hingham", "norwell", "hanover", "pembroke", "epub document", "structure ebook", "zip document", "epub", "nigel poulton", "docker deep", "nielson book", "docker", "single book", "anna", "dive", "dive zero", "deep dive", "zero", "script", "ieedge", "squarespace", "drones", "title", "secchuamodel", "link", "static", "supporte", "marshfield ldap", "marshfield ssl", "certificate", "common name", "issued", "charter", "llc united", "statesunited", "new london", "diesel", "comcast ip", "derry village", "ssl certificate", "encrypt", "comcast cable", "communications", "boston", "key identifier", "x509v3 subject", "full name", "cus odigicert", "inc cndigicert", "global g2", "tls rsa", "ca1 validity", "cus stnew", "range", "cidr", "network name", "type", "status", "whois server", "entity squar30", "handle", "net198", "net1980000", "squar30", "varick st", "city", "new york", "stateprov", "postalcode", "orgtechhandle", "orgtechref", "orgabusehandle", "orgabuseref", "orgnochandle", "orgnocref", "p version", "address range", "span", "google public", "form", "doctype html", "google", "public dns", "head", "public", "footer", "body", "file type", "ascii text", "python script", "python", "writes shell", "unicode text", "utf8 text", "ascii", "writes", "sample", "persistence", "defense evasion", "info", "next", "performs dns", "united", "urls", "found", "https", "mitre attack", "network info", "processes extra", "t1055 process", "layer protocol", "phishing", "headers age", "homenet", "et info", "file hosting", "service domain", "domain", "dns lookup", "clientendpoint", "perimeter", "high", "informational", "domain related", "as54113", "top source", "top destination", "source source", "status domain", "tcp include", "udp include", "country united", "unique", "ja3 clients", "destination ip", "dest port", "ja3 ja3", "digest", "cache", "california", "san francisco", "fastly", "globalsign", "title pypi", "package", "a domains", "accept", "showing", "entries", "previous", "domains show", "search", "amazon ec2", "orgnocemail", "net75", "net750000", "amazon web", "services", "ip routing", "nethandle", "amazo4", "aws rpki", "historical ssl", "certificates", "first", "thumbprint", "graph summary", "algorithm", "number", "issuer", "cus cnlet", "x3 olet", "subject public", "key info", "key algorithm", "pdf document", "adobe portable", "document format", "default", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "sha1", "acrongl integ", "adc4240758", "shutdown", "sqlite version", "sqlite rollback", "utf8", "json", "creates", "journal", "malicious", "resolutions", "date", "detection", "hostmaster", "amazon legal", "dept", "amazon", "code", "email", "icann whois", "nv admin", "phone", "stateprovince", "tech", "gatsby", "golf", "hrhrhr" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779636742&Signature=0Jmd8OZhEoMcSIRjjLwJ25yOqQqGciJ%2Bi7fIHdY6hAZ943%2BagmRX%2BVjBhTYlLgakIWK9x6Xl42tsN8Zxr1F8%2B9UsiTGouw2FhmIYb0m%2BVstAqLsFZfxFVME005klDDValb5ctckQfmbabxNIeSo3vmrY3IDcc%2FGfcbCW6Iqp9O8UhbCjMEW208ycLJ%2FpHTi1oEgnBzteXKkR%2F6bkcgsXuMmv2zPR5aFV%2FRoRKG4d00Gf", "https://vtbehaviour.commondatastorage.googleapis.com/92be0ca27d8a8501a9e3647d71d4aa3cf9cc36c64f4a20f1af181c424cb18a4e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779638452&Signature=W7GSOCee0L88oD17mS9F7ugbL5UuvCROQTEX3x6zxE6iy%2Fq7d4R2VgKW6vrIVn5INn9P%2Bd4nE9bdDm9hFZfYZtWp2fA8kLWCXUIn9yyEalW3TZiqc3F0VaXhxyOt1z8RxWxNkSJ4q%2FiKIW0UIBNzP3Xb%2BS4HiU1ygKuUsKMrM94faA%2B%2FLvWo8blWHNZjcwJxB6tZER0I70vtmS%2BQUms49SUXQukji6eyu2GeJXt%2BrsVoCx", "https://vtbehaviour.commondatastorage.googleapis.com/8ed092fba4497e2cdde226956c589a21ccfb01c1a23305c029746d6f3f8441f2_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779638734&Signature=xtQED2V3PJ2BlKWGnzpYaInFIj0LtQ5HvUiHwVUnjQrf3nkdgTSOmKHoM8bt07LdXE2gP38gtUEORx1kvCz9WwS2vbQug9jFenQquTV1ymmuBzpRJ3ScOedOXYRUZ0xlMHMSKlEl7EDyuv5oI%2BbysetFZM7njE1QyFexdSfTFnaQLLOfOVYSrLignovntUHgLGqW%2B3pvMPXRK31YQ8G2uah9wKhgHX%2BvBuMBpVk%2Fu%2FB3k9m8DUZK", "https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779638904&Signature=sNLoXHL%2FJqR%2FKpCUpZ3xk1M3w2ix%2F0EztNMcyqjmOrRnpEfN2KtvqN%2BbjjNSOJZ60nF%2Blqn8e%2FCMW1hKcoVai1M%2BJhJchZCA5HTt9I%2FRxELce8C4AtkLuiJkLUydTO2Og2t9T5LjutTKwPeMWArNq9V2OX3NPY4my9NOxSl4azNDj3g2x0Bh%2B4cWRwh2kvoZOqEwQDfwSn1CPloWhsxGvXRWqmxgA5Qg0noBBB4dJGxNwoRKsOWF", "https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779639054&Signature=EEV1EitssGhRiArTQwwI46vPKgz7UanaRN35lG8rZ3aqSaByMgJMG4F%2BBZ3gxHg87k8HJ5ajkCxPtTqsKEvG4C7b9cxkNALabAkhAdOiUgQJcMsP2RYCOcgI%2BpyVmB2ibfAqUo8ZBKCEmQhHPScOb9P3ccZc4cKW7Y%2Fstw5FecP4ddOC%2FimKqWnvBdvueQ0MDbsW20AXvNupNpXm0o09LG91CjzmrHeBMEC%2FTNDhCblMEN2x5oRkK%2Fz7VX", "https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779639078&Signature=tzu4uNt492zFP%2BWaTxQzmPFHxea44DCMQdndQBcAY4YqVoVJ1UV6gsEPg8jB8shQPteUVKvm%2B46kCJpXntnbaegaLcNPwSYtTzGgpwWp13I2RzIYaaQoSBbQRNBF6y8v8Ql3l1FJLbz8vtarUjxrF%2BvvS6LwjT0BzLTAjR%2F5uVviAMddfZphJ1s1wKmfLrEmnZaXomiR8PkhX2nYZMc4jLxkJa%2BomaUKKKMggdRFFCcCLLoe%2Bo", "https://vtbehaviour.commondatastorage.googleapis.com/1ea6d01132210234b1da26f181bdcefa423f883ed5b15bd42915b19f68e0604f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779640480&Signature=q34riu0M3M72fz%2FxMMZS6FzxbC%2B8Z1WiO4MLyitIqJjdW95CvaeHBdE50%2BQk2P%2BSgNInq83S55ECox7wveKcpQLScNK4nfIaUO2jJIzkPNEFvO%2F%2BE%2F5CuRCW2H4HWji84nlyWZ7rlT9tvRWINFyCeI0sMYjD2gCovuOfhbEz717%2BUcycH2xU64CcOUIB0JH5kJzclp2AK1E0qdtDf12RLMD5z9Xgy0Wv8ElKSr75JpXomp", "https://vtbehaviour.commondatastorage.googleapis.com/1ea6d01132210234b1da26f181bdcefa423f883ed5b15bd42915b19f68e0604f_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779640501&Signature=wQUBsRErARJ4flqai%2Fy45lWPUEVVpsxKIVhMiqVCcX3pSfwLxIUQD2aoderkcyUwUNFvaqQQ8jFN2XcbZcQZd2mYBvhNZQ8AxNhD%2BczvWObNrnN9MXmL7Yigcrf1ZfADDnHyk3ReVhUWSr5VW35SrWmrWcksCRf5egYC7hfcS0hqmYx%2F5%2B0iF7zlvKAWT9Iad4FU3zmas1Bri4p8csHlAX5zWpTWHflEQU5H2BddZyie8hc9vloTzOlLZTqmpy" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Norwell", "display_name": "Norwell", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1765, "URL": 1325, "hostname": 1489, "FileHash-MD5": 224, "FileHash-SHA1": 268, "IPv4": 152, "domain": 1177, "CIDR": 4, "email": 11, "IPv6": 1, "URI": 3, "CVE": 2, "SSLCertFingerprint": 2, "Mutex": 2 }, "indicator_count": 6425, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "5 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a13404a015fc885f5edb1c9", "name": "An error occurred: breadcrumb. IpLogger - piggy back on @skocherhan", "description": "[Find out the best IP logging tools and tools at \u00c2\u00a31.5m in the UK, Ireland, Wales, Scotland and Northern Ireland on the website+ here is the full list.]", "modified": "2026-05-24T18:15:38.213000", "created": "2026-05-24T18:15:38.213000", "tags": [ "::keywords_error_main", "sign", "url shortener", "track phone", "tracking pixel", "my ip", "ip counters", "ip generator", "internet", "best ip", "logger", "accept", "pe32", "intel", "ms windows", "win16 ne", "icons library", "os2 executable", "pe32 compiler", "exe32", "compiler", "ltcgc", "ascii text", "redacted for", "postal code", "privacy tech", "stateprovince", "server", "registrar abuse", "registrant name", "domain id", "iana id", "admin country", "date", "key identifier", "number", "issuer", "cus cnlet", "x3 olet", "subject public", "key info", "key algorithm", "x509v3 subject", "x509v3 key", "delegated", "unverified", "record type", "ttl value", "homenet", "0xf82", "externalnet", "policy ip", "check domain", "tls sni", "high", "informational", "registry keys", "nothing", "mutexes nothing", "parent pid", "full path", "command line", "read files", "apis nothing", "pe file", "performs dns", "network info", "processes extra", "aslr", "sample", "t1055 process", "overview", "mitre attack", "overview zenbox", "defense evasion", "next", "generic cil", "executable", "mono", "win32 dynamic", "link library", "pe32 library", "file type", "python script", "python", "writes shell", "unicode text", "utf8 text", "ascii", "writes", "persistence", "info", "Expired certificate", "Drops", "Oa auth abuse [potential]" ], "references": [ "http://iplogger.org/1tnbw7%0Ahttp://gsoftclean.top/ver.txt%0Ahttp://iplogger.org/1z9A57%0Ahttp://gsoftclean.top/main.exe%0Ahttp://gsoftclean.top/aus%0Ahttp://gsoftclean.top/settings.dll%0Ahttp://iplogger.org/1nLz47%0Ahttp://iplogger.org/1z6A57%0Ahttps://iplogger.org/1z6A57%0Ahttp://iplogger.org/1PMX37%0Ahttps://iplogger.org/1nLz47", "https://vtbehaviour.commondatastorage.googleapis.com/e920fc67e098b7a6f3a13d99935239edc4c6c799bbaf2126c28da9b6e77fcf6f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779645922&Signature=JwLo32luwQokWOHR7lJz4dmUcLMQf18tKN2sLujlReeuplXL3B7kObdnC6EAKvj0%2FbPufiSY60CcdkPZ0L38f2ezSQ%2FpUd%2B9vwTI0sIkA%2BKOPYbhRV0zr7%2FH0rSo%2Fe1bb7p3YS9o0fzclIJ9iT6lWjLBnyAgZ4ZvwYmLkJk2x9beiNvBoWd5BPX2QLlZXDEzKgUbGKGGjHZQPfSIi3YI3zIRo16YJkaQzjxGBhhyGB4Ao8%2Fr", "https://vtbehaviour.commondatastorage.googleapis.com/e920fc67e098b7a6f3a13d99935239edc4c6c799bbaf2126c28da9b6e77fcf6f_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779646024&Signature=GY3f%2BonWSmAE2r3xAvXp%2F0FLSZV%2B761HeH7MY%2F8jak5D8A6eAtDD6dxfY3qi8RFAYc2JIbh%2BWXZHSBZkxzZskVfm5S22fwOHMoCy9ezLI3%2BUbKxsL0uv64YuKmYd8s9FPp4wHA7tAXPPEMApUtclPZEQeo1AHVK7AN9zQZqAGYGnbfQtD1Ew5Bny5yT6axRterHcQPbXI8aPUvmJjP0131Op%2FKquhhierCzlcA3JIPWrYGomlInU9wZg", "https://vtbehaviour.commondatastorage.googleapis.com/8ed092fba4497e2cdde226956c589a21ccfb01c1a23305c029746d6f3f8441f2_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779646404&Signature=RAWN3ziUE4nt7cOF13GailGKiIaXg1kyzWnV3ohWPQWImilq1jkY6T9cnu7vh%2F0SwtRBev83RCV6GntS%2BJCyx7SBzUDQfqgPb3FwbcVEKgVziqaqJnxUSRgT0fWVsRCXJCisv9WjaxDGYcpAG8VMSXObs0HpYbgKvL%2FmbwN2wmzCCwSIiyGZj72303oaIQHVyqX9LoYWhs16g1xe%2B%2BXBcJaVerKyva6h3EWLVO9dkwM0cWEidZPw" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 200, "domain": 530, "hostname": 84, "FileHash-SHA256": 1090, "FileHash-MD5": 104, "Mutex": 2, "FileHash-SHA1": 97, "IPv4": 58, "email": 1, "CVE": 1 }, "indicator_count": 2167, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "6 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a1340485f49d8abce143eea", "name": "An error occurred: breadcrumb. IpLogger - piggy back on @skocherhan", "description": "[Find out the best IP logging tools and tools at \u00c2\u00a31.5m in the UK, Ireland, Wales, Scotland and Northern Ireland on the website+ here is the full list.]", "modified": "2026-05-24T18:15:36.238000", "created": "2026-05-24T18:15:36.238000", "tags": [ "::keywords_error_main", "sign", "url shortener", "track phone", "tracking pixel", "my ip", "ip counters", "ip generator", "internet", "best ip", "logger", "accept", "pe32", "intel", "ms windows", "win16 ne", "icons library", "os2 executable", "pe32 compiler", "exe32", "compiler", "ltcgc", "ascii text", "redacted for", "postal code", "privacy tech", "stateprovince", "server", "registrar abuse", "registrant name", "domain id", "iana id", "admin country", "date", "key identifier", "number", "issuer", "cus cnlet", "x3 olet", "subject public", "key info", "key algorithm", "x509v3 subject", "x509v3 key", "delegated", "unverified", "record type", "ttl value", "homenet", "0xf82", "externalnet", "policy ip", "check domain", "tls sni", "high", "informational", "registry keys", "nothing", "mutexes nothing", "parent pid", "full path", "command line", "read files", "apis nothing", "pe file", "performs dns", "network info", "processes extra", "aslr", "sample", "t1055 process", "overview", "mitre attack", "overview zenbox", "defense evasion", "next", "generic cil", "executable", "mono", "win32 dynamic", "link library", "pe32 library", "file type", "python script", "python", "writes shell", "unicode text", "utf8 text", "ascii", "writes", "persistence", "info", "Expired certificate", "Drops", "Oa auth abuse [potential]" ], "references": [ "http://iplogger.org/1tnbw7%0Ahttp://gsoftclean.top/ver.txt%0Ahttp://iplogger.org/1z9A57%0Ahttp://gsoftclean.top/main.exe%0Ahttp://gsoftclean.top/aus%0Ahttp://gsoftclean.top/settings.dll%0Ahttp://iplogger.org/1nLz47%0Ahttp://iplogger.org/1z6A57%0Ahttps://iplogger.org/1z6A57%0Ahttp://iplogger.org/1PMX37%0Ahttps://iplogger.org/1nLz47", "https://vtbehaviour.commondatastorage.googleapis.com/e920fc67e098b7a6f3a13d99935239edc4c6c799bbaf2126c28da9b6e77fcf6f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779645922&Signature=JwLo32luwQokWOHR7lJz4dmUcLMQf18tKN2sLujlReeuplXL3B7kObdnC6EAKvj0%2FbPufiSY60CcdkPZ0L38f2ezSQ%2FpUd%2B9vwTI0sIkA%2BKOPYbhRV0zr7%2FH0rSo%2Fe1bb7p3YS9o0fzclIJ9iT6lWjLBnyAgZ4ZvwYmLkJk2x9beiNvBoWd5BPX2QLlZXDEzKgUbGKGGjHZQPfSIi3YI3zIRo16YJkaQzjxGBhhyGB4Ao8%2Fr", "https://vtbehaviour.commondatastorage.googleapis.com/e920fc67e098b7a6f3a13d99935239edc4c6c799bbaf2126c28da9b6e77fcf6f_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779646024&Signature=GY3f%2BonWSmAE2r3xAvXp%2F0FLSZV%2B761HeH7MY%2F8jak5D8A6eAtDD6dxfY3qi8RFAYc2JIbh%2BWXZHSBZkxzZskVfm5S22fwOHMoCy9ezLI3%2BUbKxsL0uv64YuKmYd8s9FPp4wHA7tAXPPEMApUtclPZEQeo1AHVK7AN9zQZqAGYGnbfQtD1Ew5Bny5yT6axRterHcQPbXI8aPUvmJjP0131Op%2FKquhhierCzlcA3JIPWrYGomlInU9wZg", "https://vtbehaviour.commondatastorage.googleapis.com/8ed092fba4497e2cdde226956c589a21ccfb01c1a23305c029746d6f3f8441f2_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779646404&Signature=RAWN3ziUE4nt7cOF13GailGKiIaXg1kyzWnV3ohWPQWImilq1jkY6T9cnu7vh%2F0SwtRBev83RCV6GntS%2BJCyx7SBzUDQfqgPb3FwbcVEKgVziqaqJnxUSRgT0fWVsRCXJCisv9WjaxDGYcpAG8VMSXObs0HpYbgKvL%2FmbwN2wmzCCwSIiyGZj72303oaIQHVyqX9LoYWhs16g1xe%2B%2BXBcJaVerKyva6h3EWLVO9dkwM0cWEidZPw" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 200, "domain": 530, "hostname": 84, "FileHash-SHA256": 1090, "FileHash-MD5": 104, "Mutex": 2, "FileHash-SHA1": 97, "IPv4": 58, "email": 1, "CVE": 1 }, "indicator_count": 2167, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "6 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a132a7a34bcc860b0e44ffc", "name": "Fastly: find your muse + keep them on your radar * CAPE Sandbox", "description": "Optics at Altitude is a commercial drone photography and videography service based out of the South Shore, Massachusetts, and beyond, which provides high-quality imagery for a wide-variety of industries and needs.-443 Certificate Caissuers\thttp://secure.globalsign.com/cacert/cloudsslsha2g3.crt\n443 Certificate Ocsp\thttp://ocsp2.globalsign.com/cloudsslsha2g3\n443 Certificate Serialnumber\t0C3B770C982FCBFC7B00B74A\n443 Certificate Notafter\tApr 14 16:28:35 2019 GMT\n443 Certificate Version\t3\n443 Certificate Subject\tUS\n443 Certificate Subject\tCalifornia\n443 Certificate Subject\tSan Francisco\n443 Certificate Subject\tFastly, Inc\n443 Certificate Issuer\tBE\n443 Certificate Issuer\tGlobalSign nv-sa", "modified": "2026-05-24T16:42:34.350000", "created": "2026-05-24T16:42:34.350000", "tags": [ "ip address", "status code", "body length", "kb body", "sha256", "csv text", "altitude", "south shore", "uas imagery", "massachusetts", "marshfield", "scituate", "hingham", "norwell", "hanover", "pembroke", "epub document", "structure ebook", "zip document", "epub", "nigel poulton", "docker deep", "nielson book", "docker", "single book", "anna", "dive", "dive zero", "deep dive", "zero", "script", "ieedge", "squarespace", "drones", "title", "secchuamodel", "link", "static", "supporte", "marshfield ldap", "marshfield ssl", "certificate", "common name", "issued", "charter", "llc united", "statesunited", "new london", "diesel", "comcast ip", "derry village", "ssl certificate", "encrypt", "comcast cable", "communications", "boston", "key identifier", "x509v3 subject", "full name", "cus odigicert", "inc cndigicert", "global g2", "tls rsa", "ca1 validity", "cus stnew", "range", "cidr", "network name", "type", "status", "whois server", "entity squar30", "handle", "net198", "net1980000", "squar30", "varick st", "city", "new york", "stateprov", "postalcode", "orgtechhandle", "orgtechref", "orgabusehandle", "orgabuseref", "orgnochandle", "orgnocref", "p version", "address range", "span", "google public", "form", "doctype html", "google", "public dns", "head", "public", "footer", "body", "file type", "ascii text", "python script", "python", "writes shell", "unicode text", "utf8 text", "ascii", "writes", "sample", "persistence", "defense evasion", "info", "next", "performs dns", "united", "urls", "found", "https", "mitre attack", "network info", "processes extra", "t1055 process", "layer protocol", "phishing", "headers age", "homenet", "et info", "file hosting", "service domain", "domain", "dns lookup", "clientendpoint", "perimeter", "high", "informational", "domain related", "as54113", "top source", "top destination", "source source", "status domain", "tcp include", "udp include", "country united", "unique", "ja3 clients", "destination ip", "dest port", "ja3 ja3", "digest", "cache", "california", "san francisco", "fastly", "globalsign", "title pypi", "package", "a domains", "accept", "showing", "entries", "previous", "domains show", "search", "amazon ec2", "orgnocemail", "net75", "net750000", "amazon web", "services", "ip routing", "nethandle", "amazo4", "aws rpki", "historical ssl", "certificates", "first", "thumbprint", "graph summary", "algorithm", "number", "issuer", "cus cnlet", "x3 olet", "subject public", "key info", "key algorithm", "pdf document", "adobe portable", "document format", "default", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "sha1", "acrongl integ", "adc4240758", "shutdown", "sqlite version", "sqlite rollback", "utf8", "json", "creates", "journal", "malicious", "resolutions", "date", "detection", "hostmaster", "amazon legal", "dept", "amazon", "code", "email", "icann whois", "nv admin", "phone", "stateprovince", "tech", "gatsby", "golf", "hrhrhr" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779636742&Signature=0Jmd8OZhEoMcSIRjjLwJ25yOqQqGciJ%2Bi7fIHdY6hAZ943%2BagmRX%2BVjBhTYlLgakIWK9x6Xl42tsN8Zxr1F8%2B9UsiTGouw2FhmIYb0m%2BVstAqLsFZfxFVME005klDDValb5ctckQfmbabxNIeSo3vmrY3IDcc%2FGfcbCW6Iqp9O8UhbCjMEW208ycLJ%2FpHTi1oEgnBzteXKkR%2F6bkcgsXuMmv2zPR5aFV%2FRoRKG4d00Gf", "https://vtbehaviour.commondatastorage.googleapis.com/92be0ca27d8a8501a9e3647d71d4aa3cf9cc36c64f4a20f1af181c424cb18a4e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779638452&Signature=W7GSOCee0L88oD17mS9F7ugbL5UuvCROQTEX3x6zxE6iy%2Fq7d4R2VgKW6vrIVn5INn9P%2Bd4nE9bdDm9hFZfYZtWp2fA8kLWCXUIn9yyEalW3TZiqc3F0VaXhxyOt1z8RxWxNkSJ4q%2FiKIW0UIBNzP3Xb%2BS4HiU1ygKuUsKMrM94faA%2B%2FLvWo8blWHNZjcwJxB6tZER0I70vtmS%2BQUms49SUXQukji6eyu2GeJXt%2BrsVoCx", "https://vtbehaviour.commondatastorage.googleapis.com/8ed092fba4497e2cdde226956c589a21ccfb01c1a23305c029746d6f3f8441f2_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779638734&Signature=xtQED2V3PJ2BlKWGnzpYaInFIj0LtQ5HvUiHwVUnjQrf3nkdgTSOmKHoM8bt07LdXE2gP38gtUEORx1kvCz9WwS2vbQug9jFenQquTV1ymmuBzpRJ3ScOedOXYRUZ0xlMHMSKlEl7EDyuv5oI%2BbysetFZM7njE1QyFexdSfTFnaQLLOfOVYSrLignovntUHgLGqW%2B3pvMPXRK31YQ8G2uah9wKhgHX%2BvBuMBpVk%2Fu%2FB3k9m8DUZK", "https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779638904&Signature=sNLoXHL%2FJqR%2FKpCUpZ3xk1M3w2ix%2F0EztNMcyqjmOrRnpEfN2KtvqN%2BbjjNSOJZ60nF%2Blqn8e%2FCMW1hKcoVai1M%2BJhJchZCA5HTt9I%2FRxELce8C4AtkLuiJkLUydTO2Og2t9T5LjutTKwPeMWArNq9V2OX3NPY4my9NOxSl4azNDj3g2x0Bh%2B4cWRwh2kvoZOqEwQDfwSn1CPloWhsxGvXRWqmxgA5Qg0noBBB4dJGxNwoRKsOWF", "https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779639054&Signature=EEV1EitssGhRiArTQwwI46vPKgz7UanaRN35lG8rZ3aqSaByMgJMG4F%2BBZ3gxHg87k8HJ5ajkCxPtTqsKEvG4C7b9cxkNALabAkhAdOiUgQJcMsP2RYCOcgI%2BpyVmB2ibfAqUo8ZBKCEmQhHPScOb9P3ccZc4cKW7Y%2Fstw5FecP4ddOC%2FimKqWnvBdvueQ0MDbsW20AXvNupNpXm0o09LG91CjzmrHeBMEC%2FTNDhCblMEN2x5oRkK%2Fz7VX", "https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779639078&Signature=tzu4uNt492zFP%2BWaTxQzmPFHxea44DCMQdndQBcAY4YqVoVJ1UV6gsEPg8jB8shQPteUVKvm%2B46kCJpXntnbaegaLcNPwSYtTzGgpwWp13I2RzIYaaQoSBbQRNBF6y8v8Ql3l1FJLbz8vtarUjxrF%2BvvS6LwjT0BzLTAjR%2F5uVviAMddfZphJ1s1wKmfLrEmnZaXomiR8PkhX2nYZMc4jLxkJa%2BomaUKKKMggdRFFCcCLLoe%2Bo", "https://vtbehaviour.commondatastorage.googleapis.com/1ea6d01132210234b1da26f181bdcefa423f883ed5b15bd42915b19f68e0604f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779640480&Signature=q34riu0M3M72fz%2FxMMZS6FzxbC%2B8Z1WiO4MLyitIqJjdW95CvaeHBdE50%2BQk2P%2BSgNInq83S55ECox7wveKcpQLScNK4nfIaUO2jJIzkPNEFvO%2F%2BE%2F5CuRCW2H4HWji84nlyWZ7rlT9tvRWINFyCeI0sMYjD2gCovuOfhbEz717%2BUcycH2xU64CcOUIB0JH5kJzclp2AK1E0qdtDf12RLMD5z9Xgy0Wv8ElKSr75JpXomp", "https://vtbehaviour.commondatastorage.googleapis.com/1ea6d01132210234b1da26f181bdcefa423f883ed5b15bd42915b19f68e0604f_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779640501&Signature=wQUBsRErARJ4flqai%2Fy45lWPUEVVpsxKIVhMiqVCcX3pSfwLxIUQD2aoderkcyUwUNFvaqQQ8jFN2XcbZcQZd2mYBvhNZQ8AxNhD%2BczvWObNrnN9MXmL7Yigcrf1ZfADDnHyk3ReVhUWSr5VW35SrWmrWcksCRf5egYC7hfcS0hqmYx%2F5%2B0iF7zlvKAWT9Iad4FU3zmas1Bri4p8csHlAX5zWpTWHflEQU5H2BddZyie8hc9vloTzOlLZTqmpy" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Norwell", "display_name": "Norwell", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1686, "URL": 1309, "hostname": 1474, "FileHash-MD5": 166, "FileHash-SHA1": 204, "IPv4": 152, "domain": 1177, "CIDR": 3, "email": 11, "IPv6": 1, "URI": 1, "CVE": 1, "SSLCertFingerprint": 2, "Mutex": 2 }, "indicator_count": 6189, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "6 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a132a7762cac9a1007d9ece", "name": "Fastly: find your muse + keep them on your radar * CAPE Sandbox", "description": "Optics at Altitude is a commercial drone photography and videography service based out of the South Shore, Massachusetts, and beyond, which provides high-quality imagery for a wide-variety of industries and needs.-443 Certificate Caissuers\thttp://secure.globalsign.com/cacert/cloudsslsha2g3.crt\n443 Certificate Ocsp\thttp://ocsp2.globalsign.com/cloudsslsha2g3\n443 Certificate Serialnumber\t0C3B770C982FCBFC7B00B74A\n443 Certificate Notafter\tApr 14 16:28:35 2019 GMT\n443 Certificate Version\t3\n443 Certificate Subject\tUS\n443 Certificate Subject\tCalifornia\n443 Certificate Subject\tSan Francisco\n443 Certificate Subject\tFastly, Inc\n443 Certificate Issuer\tBE\n443 Certificate Issuer\tGlobalSign nv-sa", "modified": "2026-05-24T16:42:31.294000", "created": "2026-05-24T16:42:31.294000", "tags": [ "ip address", "status code", "body length", "kb body", "sha256", "csv text", "altitude", "south shore", "uas imagery", "massachusetts", "marshfield", "scituate", "hingham", "norwell", "hanover", "pembroke", "epub document", "structure ebook", "zip document", "epub", "nigel poulton", "docker deep", "nielson book", "docker", "single book", "anna", "dive", "dive zero", "deep dive", "zero", "script", "ieedge", "squarespace", "drones", "title", "secchuamodel", "link", "static", "supporte", "marshfield ldap", "marshfield ssl", "certificate", "common name", "issued", "charter", "llc united", "statesunited", "new london", "diesel", "comcast ip", "derry village", "ssl certificate", "encrypt", "comcast cable", "communications", "boston", "key identifier", "x509v3 subject", "full name", "cus odigicert", "inc cndigicert", "global g2", "tls rsa", "ca1 validity", "cus stnew", "range", "cidr", "network name", "type", "status", "whois server", "entity squar30", "handle", "net198", "net1980000", "squar30", "varick st", "city", "new york", "stateprov", "postalcode", "orgtechhandle", "orgtechref", "orgabusehandle", "orgabuseref", "orgnochandle", "orgnocref", "p version", "address range", "span", "google public", "form", "doctype html", "google", "public dns", "head", "public", "footer", "body", "file type", "ascii text", "python script", "python", "writes shell", "unicode text", "utf8 text", "ascii", "writes", "sample", "persistence", "defense evasion", "info", "next", "performs dns", "united", "urls", "found", "https", "mitre attack", "network info", "processes extra", "t1055 process", "layer protocol", "phishing", "headers age", "homenet", "et info", "file hosting", "service domain", "domain", "dns lookup", "clientendpoint", "perimeter", "high", "informational", "domain related", "as54113", "top source", "top destination", "source source", "status domain", "tcp include", "udp include", "country united", "unique", "ja3 clients", "destination ip", "dest port", "ja3 ja3", "digest", "cache", "california", "san francisco", "fastly", "globalsign", "title pypi", "package", "a domains", "accept", "showing", "entries", "previous", "domains show", "search", "amazon ec2", "orgnocemail", "net75", "net750000", "amazon web", "services", "ip routing", "nethandle", "amazo4", "aws rpki", "historical ssl", "certificates", "first", "thumbprint", "graph summary", "algorithm", "number", "issuer", "cus cnlet", "x3 olet", "subject public", "key info", "key algorithm", "pdf document", "adobe portable", "document format", "default", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "sha1", "acrongl integ", "adc4240758", "shutdown", "sqlite version", "sqlite rollback", "utf8", "json", "creates", "journal", "malicious", "resolutions", "date", "detection", "hostmaster", "amazon legal", "dept", "amazon", "code", "email", "icann whois", "nv admin", "phone", "stateprovince", "tech", "gatsby", "golf", "hrhrhr" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779636742&Signature=0Jmd8OZhEoMcSIRjjLwJ25yOqQqGciJ%2Bi7fIHdY6hAZ943%2BagmRX%2BVjBhTYlLgakIWK9x6Xl42tsN8Zxr1F8%2B9UsiTGouw2FhmIYb0m%2BVstAqLsFZfxFVME005klDDValb5ctckQfmbabxNIeSo3vmrY3IDcc%2FGfcbCW6Iqp9O8UhbCjMEW208ycLJ%2FpHTi1oEgnBzteXKkR%2F6bkcgsXuMmv2zPR5aFV%2FRoRKG4d00Gf", "https://vtbehaviour.commondatastorage.googleapis.com/92be0ca27d8a8501a9e3647d71d4aa3cf9cc36c64f4a20f1af181c424cb18a4e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779638452&Signature=W7GSOCee0L88oD17mS9F7ugbL5UuvCROQTEX3x6zxE6iy%2Fq7d4R2VgKW6vrIVn5INn9P%2Bd4nE9bdDm9hFZfYZtWp2fA8kLWCXUIn9yyEalW3TZiqc3F0VaXhxyOt1z8RxWxNkSJ4q%2FiKIW0UIBNzP3Xb%2BS4HiU1ygKuUsKMrM94faA%2B%2FLvWo8blWHNZjcwJxB6tZER0I70vtmS%2BQUms49SUXQukji6eyu2GeJXt%2BrsVoCx", "https://vtbehaviour.commondatastorage.googleapis.com/8ed092fba4497e2cdde226956c589a21ccfb01c1a23305c029746d6f3f8441f2_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779638734&Signature=xtQED2V3PJ2BlKWGnzpYaInFIj0LtQ5HvUiHwVUnjQrf3nkdgTSOmKHoM8bt07LdXE2gP38gtUEORx1kvCz9WwS2vbQug9jFenQquTV1ymmuBzpRJ3ScOedOXYRUZ0xlMHMSKlEl7EDyuv5oI%2BbysetFZM7njE1QyFexdSfTFnaQLLOfOVYSrLignovntUHgLGqW%2B3pvMPXRK31YQ8G2uah9wKhgHX%2BvBuMBpVk%2Fu%2FB3k9m8DUZK", "https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779638904&Signature=sNLoXHL%2FJqR%2FKpCUpZ3xk1M3w2ix%2F0EztNMcyqjmOrRnpEfN2KtvqN%2BbjjNSOJZ60nF%2Blqn8e%2FCMW1hKcoVai1M%2BJhJchZCA5HTt9I%2FRxELce8C4AtkLuiJkLUydTO2Og2t9T5LjutTKwPeMWArNq9V2OX3NPY4my9NOxSl4azNDj3g2x0Bh%2B4cWRwh2kvoZOqEwQDfwSn1CPloWhsxGvXRWqmxgA5Qg0noBBB4dJGxNwoRKsOWF", "https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779639054&Signature=EEV1EitssGhRiArTQwwI46vPKgz7UanaRN35lG8rZ3aqSaByMgJMG4F%2BBZ3gxHg87k8HJ5ajkCxPtTqsKEvG4C7b9cxkNALabAkhAdOiUgQJcMsP2RYCOcgI%2BpyVmB2ibfAqUo8ZBKCEmQhHPScOb9P3ccZc4cKW7Y%2Fstw5FecP4ddOC%2FimKqWnvBdvueQ0MDbsW20AXvNupNpXm0o09LG91CjzmrHeBMEC%2FTNDhCblMEN2x5oRkK%2Fz7VX", "https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779639078&Signature=tzu4uNt492zFP%2BWaTxQzmPFHxea44DCMQdndQBcAY4YqVoVJ1UV6gsEPg8jB8shQPteUVKvm%2B46kCJpXntnbaegaLcNPwSYtTzGgpwWp13I2RzIYaaQoSBbQRNBF6y8v8Ql3l1FJLbz8vtarUjxrF%2BvvS6LwjT0BzLTAjR%2F5uVviAMddfZphJ1s1wKmfLrEmnZaXomiR8PkhX2nYZMc4jLxkJa%2BomaUKKKMggdRFFCcCLLoe%2Bo", "https://vtbehaviour.commondatastorage.googleapis.com/1ea6d01132210234b1da26f181bdcefa423f883ed5b15bd42915b19f68e0604f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779640480&Signature=q34riu0M3M72fz%2FxMMZS6FzxbC%2B8Z1WiO4MLyitIqJjdW95CvaeHBdE50%2BQk2P%2BSgNInq83S55ECox7wveKcpQLScNK4nfIaUO2jJIzkPNEFvO%2F%2BE%2F5CuRCW2H4HWji84nlyWZ7rlT9tvRWINFyCeI0sMYjD2gCovuOfhbEz717%2BUcycH2xU64CcOUIB0JH5kJzclp2AK1E0qdtDf12RLMD5z9Xgy0Wv8ElKSr75JpXomp", "https://vtbehaviour.commondatastorage.googleapis.com/1ea6d01132210234b1da26f181bdcefa423f883ed5b15bd42915b19f68e0604f_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779640501&Signature=wQUBsRErARJ4flqai%2Fy45lWPUEVVpsxKIVhMiqVCcX3pSfwLxIUQD2aoderkcyUwUNFvaqQQ8jFN2XcbZcQZd2mYBvhNZQ8AxNhD%2BczvWObNrnN9MXmL7Yigcrf1ZfADDnHyk3ReVhUWSr5VW35SrWmrWcksCRf5egYC7hfcS0hqmYx%2F5%2B0iF7zlvKAWT9Iad4FU3zmas1Bri4p8csHlAX5zWpTWHflEQU5H2BddZyie8hc9vloTzOlLZTqmpy" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Norwell", "display_name": "Norwell", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1686, "URL": 1309, "hostname": 1474, "FileHash-MD5": 166, "FileHash-SHA1": 204, "IPv4": 152, "domain": 1177, "CIDR": 3, "email": 11, "IPv6": 1, "URI": 1, "CVE": 1, "SSLCertFingerprint": 2, "Mutex": 2 }, "indicator_count": 6189, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "6 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a132a66fa217054f3e57883", "name": "Fastly: find your muse + keep them on your radar * CAPE Sandbox", "description": "Optics at Altitude is a commercial drone photography and videography service based out of the South Shore, Massachusetts, and beyond, which provides high-quality imagery for a wide-variety of industries and needs.-443 Certificate Caissuers\thttp://secure.globalsign.com/cacert/cloudsslsha2g3.crt\n443 Certificate Ocsp\thttp://ocsp2.globalsign.com/cloudsslsha2g3\n443 Certificate Serialnumber\t0C3B770C982FCBFC7B00B74A\n443 Certificate Notafter\tApr 14 16:28:35 2019 GMT\n443 Certificate Version\t3\n443 Certificate Subject\tUS\n443 Certificate Subject\tCalifornia\n443 Certificate Subject\tSan Francisco\n443 Certificate Subject\tFastly, Inc\n443 Certificate Issuer\tBE\n443 Certificate Issuer\tGlobalSign nv-sa", "modified": "2026-05-24T16:42:14.218000", "created": "2026-05-24T16:42:14.218000", "tags": [ "ip address", "status code", "body length", "kb body", "sha256", "csv text", "altitude", "south shore", "uas imagery", "massachusetts", "marshfield", "scituate", "hingham", "norwell", "hanover", "pembroke", "epub document", "structure ebook", "zip document", "epub", "nigel poulton", "docker deep", "nielson book", "docker", "single book", "anna", "dive", "dive zero", "deep dive", "zero", "script", "ieedge", "squarespace", "drones", "title", "secchuamodel", "link", "static", "supporte", "marshfield ldap", "marshfield ssl", "certificate", "common name", "issued", "charter", "llc united", "statesunited", "new london", "diesel", "comcast ip", "derry village", "ssl certificate", "encrypt", "comcast cable", "communications", "boston", "key identifier", "x509v3 subject", "full name", "cus odigicert", "inc cndigicert", "global g2", "tls rsa", "ca1 validity", "cus stnew", "range", "cidr", "network name", "type", "status", "whois server", "entity squar30", "handle", "net198", "net1980000", "squar30", "varick st", "city", "new york", "stateprov", "postalcode", "orgtechhandle", "orgtechref", "orgabusehandle", "orgabuseref", "orgnochandle", "orgnocref", "p version", "address range", "span", "google public", "form", "doctype html", "google", "public dns", "head", "public", "footer", "body", "file type", "ascii text", "python script", "python", "writes shell", "unicode text", "utf8 text", "ascii", "writes", "sample", "persistence", "defense evasion", "info", "next", "performs dns", "united", "urls", "found", "https", "mitre attack", "network info", "processes extra", "t1055 process", "layer protocol", "phishing", "headers age", "homenet", "et info", "file hosting", "service domain", "domain", "dns lookup", "clientendpoint", "perimeter", "high", "informational", "domain related", "as54113", "top source", "top destination", "source source", "status domain", "tcp include", "udp include", "country united", "unique", "ja3 clients", "destination ip", "dest port", "ja3 ja3", "digest", "cache", "california", "san francisco", "fastly", "globalsign", "title pypi", "package", "a domains", "accept", "showing", "entries", "previous", "domains show", "search", "amazon ec2", "orgnocemail", "net75", "net750000", "amazon web", "services", "ip routing", "nethandle", "amazo4", "aws rpki", "historical ssl", "certificates", "first", "thumbprint", "graph summary", "algorithm", "number", "issuer", "cus cnlet", "x3 olet", "subject public", "key info", "key algorithm", "pdf document", "adobe portable", "document format", "default", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "sha1", "acrongl integ", "adc4240758", "shutdown", "sqlite version", "sqlite rollback", "utf8", "json", "creates", "journal", "malicious", "resolutions", "date", "detection", "hostmaster", "amazon legal", "dept", "amazon", "code", "email", "icann whois", "nv admin", "phone", "stateprovince", "tech", "gatsby", "golf", "hrhrhr" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779636742&Signature=0Jmd8OZhEoMcSIRjjLwJ25yOqQqGciJ%2Bi7fIHdY6hAZ943%2BagmRX%2BVjBhTYlLgakIWK9x6Xl42tsN8Zxr1F8%2B9UsiTGouw2FhmIYb0m%2BVstAqLsFZfxFVME005klDDValb5ctckQfmbabxNIeSo3vmrY3IDcc%2FGfcbCW6Iqp9O8UhbCjMEW208ycLJ%2FpHTi1oEgnBzteXKkR%2F6bkcgsXuMmv2zPR5aFV%2FRoRKG4d00Gf", "https://vtbehaviour.commondatastorage.googleapis.com/92be0ca27d8a8501a9e3647d71d4aa3cf9cc36c64f4a20f1af181c424cb18a4e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779638452&Signature=W7GSOCee0L88oD17mS9F7ugbL5UuvCROQTEX3x6zxE6iy%2Fq7d4R2VgKW6vrIVn5INn9P%2Bd4nE9bdDm9hFZfYZtWp2fA8kLWCXUIn9yyEalW3TZiqc3F0VaXhxyOt1z8RxWxNkSJ4q%2FiKIW0UIBNzP3Xb%2BS4HiU1ygKuUsKMrM94faA%2B%2FLvWo8blWHNZjcwJxB6tZER0I70vtmS%2BQUms49SUXQukji6eyu2GeJXt%2BrsVoCx", "https://vtbehaviour.commondatastorage.googleapis.com/8ed092fba4497e2cdde226956c589a21ccfb01c1a23305c029746d6f3f8441f2_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779638734&Signature=xtQED2V3PJ2BlKWGnzpYaInFIj0LtQ5HvUiHwVUnjQrf3nkdgTSOmKHoM8bt07LdXE2gP38gtUEORx1kvCz9WwS2vbQug9jFenQquTV1ymmuBzpRJ3ScOedOXYRUZ0xlMHMSKlEl7EDyuv5oI%2BbysetFZM7njE1QyFexdSfTFnaQLLOfOVYSrLignovntUHgLGqW%2B3pvMPXRK31YQ8G2uah9wKhgHX%2BvBuMBpVk%2Fu%2FB3k9m8DUZK", "https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779638904&Signature=sNLoXHL%2FJqR%2FKpCUpZ3xk1M3w2ix%2F0EztNMcyqjmOrRnpEfN2KtvqN%2BbjjNSOJZ60nF%2Blqn8e%2FCMW1hKcoVai1M%2BJhJchZCA5HTt9I%2FRxELce8C4AtkLuiJkLUydTO2Og2t9T5LjutTKwPeMWArNq9V2OX3NPY4my9NOxSl4azNDj3g2x0Bh%2B4cWRwh2kvoZOqEwQDfwSn1CPloWhsxGvXRWqmxgA5Qg0noBBB4dJGxNwoRKsOWF", "https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779639054&Signature=EEV1EitssGhRiArTQwwI46vPKgz7UanaRN35lG8rZ3aqSaByMgJMG4F%2BBZ3gxHg87k8HJ5ajkCxPtTqsKEvG4C7b9cxkNALabAkhAdOiUgQJcMsP2RYCOcgI%2BpyVmB2ibfAqUo8ZBKCEmQhHPScOb9P3ccZc4cKW7Y%2Fstw5FecP4ddOC%2FimKqWnvBdvueQ0MDbsW20AXvNupNpXm0o09LG91CjzmrHeBMEC%2FTNDhCblMEN2x5oRkK%2Fz7VX", "https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779639078&Signature=tzu4uNt492zFP%2BWaTxQzmPFHxea44DCMQdndQBcAY4YqVoVJ1UV6gsEPg8jB8shQPteUVKvm%2B46kCJpXntnbaegaLcNPwSYtTzGgpwWp13I2RzIYaaQoSBbQRNBF6y8v8Ql3l1FJLbz8vtarUjxrF%2BvvS6LwjT0BzLTAjR%2F5uVviAMddfZphJ1s1wKmfLrEmnZaXomiR8PkhX2nYZMc4jLxkJa%2BomaUKKKMggdRFFCcCLLoe%2Bo", "https://vtbehaviour.commondatastorage.googleapis.com/1ea6d01132210234b1da26f181bdcefa423f883ed5b15bd42915b19f68e0604f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779640480&Signature=q34riu0M3M72fz%2FxMMZS6FzxbC%2B8Z1WiO4MLyitIqJjdW95CvaeHBdE50%2BQk2P%2BSgNInq83S55ECox7wveKcpQLScNK4nfIaUO2jJIzkPNEFvO%2F%2BE%2F5CuRCW2H4HWji84nlyWZ7rlT9tvRWINFyCeI0sMYjD2gCovuOfhbEz717%2BUcycH2xU64CcOUIB0JH5kJzclp2AK1E0qdtDf12RLMD5z9Xgy0Wv8ElKSr75JpXomp", "https://vtbehaviour.commondatastorage.googleapis.com/1ea6d01132210234b1da26f181bdcefa423f883ed5b15bd42915b19f68e0604f_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779640501&Signature=wQUBsRErARJ4flqai%2Fy45lWPUEVVpsxKIVhMiqVCcX3pSfwLxIUQD2aoderkcyUwUNFvaqQQ8jFN2XcbZcQZd2mYBvhNZQ8AxNhD%2BczvWObNrnN9MXmL7Yigcrf1ZfADDnHyk3ReVhUWSr5VW35SrWmrWcksCRf5egYC7hfcS0hqmYx%2F5%2B0iF7zlvKAWT9Iad4FU3zmas1Bri4p8csHlAX5zWpTWHflEQU5H2BddZyie8hc9vloTzOlLZTqmpy" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Norwell", "display_name": "Norwell", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1686, "URL": 1309, "hostname": 1474, "FileHash-MD5": 166, "FileHash-SHA1": 204, "IPv4": 152, "domain": 1177, "CIDR": 3, "email": 11, "IPv6": 1, "URI": 1, "CVE": 1, "SSLCertFingerprint": 2, "Mutex": 2 }, "indicator_count": 6189, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "6 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a132a577896901b2c0b993b", "name": "Fastly: find your muse + keep them on your radar * CAPE Sandbox", "description": "Optics at Altitude is a commercial drone photography and videography service based out of the South Shore, Massachusetts, and beyond, which provides high-quality imagery for a wide-variety of industries and needs.-443 Certificate Caissuers\thttp://secure.globalsign.com/cacert/cloudsslsha2g3.crt\n443 Certificate Ocsp\thttp://ocsp2.globalsign.com/cloudsslsha2g3\n443 Certificate Serialnumber\t0C3B770C982FCBFC7B00B74A\n443 Certificate Notafter\tApr 14 16:28:35 2019 GMT\n443 Certificate Version\t3\n443 Certificate Subject\tUS\n443 Certificate Subject\tCalifornia\n443 Certificate Subject\tSan Francisco\n443 Certificate Subject\tFastly, Inc\n443 Certificate Issuer\tBE\n443 Certificate Issuer\tGlobalSign nv-sa", "modified": "2026-05-24T16:41:59.005000", "created": "2026-05-24T16:41:59.005000", "tags": [ "ip address", "status code", "body length", "kb body", "sha256", "csv text", "altitude", "south shore", "uas imagery", "massachusetts", "marshfield", "scituate", "hingham", "norwell", "hanover", "pembroke", "epub document", "structure ebook", "zip document", "epub", "nigel poulton", "docker deep", "nielson book", "docker", "single book", "anna", "dive", "dive zero", "deep dive", "zero", "script", "ieedge", "squarespace", "drones", "title", "secchuamodel", "link", "static", "supporte", "marshfield ldap", "marshfield ssl", "certificate", "common name", "issued", "charter", "llc united", "statesunited", "new london", "diesel", "comcast ip", "derry village", "ssl certificate", "encrypt", "comcast cable", "communications", "boston", "key identifier", "x509v3 subject", "full name", "cus odigicert", "inc cndigicert", "global g2", "tls rsa", "ca1 validity", "cus stnew", "range", "cidr", "network name", "type", "status", "whois server", "entity squar30", "handle", "net198", "net1980000", "squar30", "varick st", "city", "new york", "stateprov", "postalcode", "orgtechhandle", "orgtechref", "orgabusehandle", "orgabuseref", "orgnochandle", "orgnocref", "p version", "address range", "span", "google public", "form", "doctype html", "google", "public dns", "head", "public", "footer", "body", "file type", "ascii text", "python script", "python", "writes shell", "unicode text", "utf8 text", "ascii", "writes", "sample", "persistence", "defense evasion", "info", "next", "performs dns", "united", "urls", "found", "https", "mitre attack", "network info", "processes extra", "t1055 process", "layer protocol", "phishing", "headers age", "homenet", "et info", "file hosting", "service domain", "domain", "dns lookup", "clientendpoint", "perimeter", "high", "informational", "domain related", "as54113", "top source", "top destination", "source source", "status domain", "tcp include", "udp include", "country united", "unique", "ja3 clients", "destination ip", "dest port", "ja3 ja3", "digest", "cache", "california", "san francisco", "fastly", "globalsign", "title pypi", "package", "a domains", "accept", "showing", "entries", "previous", "domains show", "search", "amazon ec2", "orgnocemail", "net75", "net750000", "amazon web", "services", "ip routing", "nethandle", "amazo4", "aws rpki", "historical ssl", "certificates", "first", "thumbprint", "graph summary", "algorithm", "number", "issuer", "cus cnlet", "x3 olet", "subject public", "key info", "key algorithm", "pdf document", "adobe portable", "document format", "default", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "sha1", "acrongl integ", "adc4240758", "shutdown", "sqlite version", "sqlite rollback", "utf8", "json", "creates", "journal", "malicious", "resolutions", "date", "detection", "hostmaster", "amazon legal", "dept", "amazon", "code", "email", "icann whois", "nv admin", "phone", "stateprovince", "tech", "gatsby", "golf", "hrhrhr" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779636742&Signature=0Jmd8OZhEoMcSIRjjLwJ25yOqQqGciJ%2Bi7fIHdY6hAZ943%2BagmRX%2BVjBhTYlLgakIWK9x6Xl42tsN8Zxr1F8%2B9UsiTGouw2FhmIYb0m%2BVstAqLsFZfxFVME005klDDValb5ctckQfmbabxNIeSo3vmrY3IDcc%2FGfcbCW6Iqp9O8UhbCjMEW208ycLJ%2FpHTi1oEgnBzteXKkR%2F6bkcgsXuMmv2zPR5aFV%2FRoRKG4d00Gf", "https://vtbehaviour.commondatastorage.googleapis.com/92be0ca27d8a8501a9e3647d71d4aa3cf9cc36c64f4a20f1af181c424cb18a4e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779638452&Signature=W7GSOCee0L88oD17mS9F7ugbL5UuvCROQTEX3x6zxE6iy%2Fq7d4R2VgKW6vrIVn5INn9P%2Bd4nE9bdDm9hFZfYZtWp2fA8kLWCXUIn9yyEalW3TZiqc3F0VaXhxyOt1z8RxWxNkSJ4q%2FiKIW0UIBNzP3Xb%2BS4HiU1ygKuUsKMrM94faA%2B%2FLvWo8blWHNZjcwJxB6tZER0I70vtmS%2BQUms49SUXQukji6eyu2GeJXt%2BrsVoCx", "https://vtbehaviour.commondatastorage.googleapis.com/8ed092fba4497e2cdde226956c589a21ccfb01c1a23305c029746d6f3f8441f2_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779638734&Signature=xtQED2V3PJ2BlKWGnzpYaInFIj0LtQ5HvUiHwVUnjQrf3nkdgTSOmKHoM8bt07LdXE2gP38gtUEORx1kvCz9WwS2vbQug9jFenQquTV1ymmuBzpRJ3ScOedOXYRUZ0xlMHMSKlEl7EDyuv5oI%2BbysetFZM7njE1QyFexdSfTFnaQLLOfOVYSrLignovntUHgLGqW%2B3pvMPXRK31YQ8G2uah9wKhgHX%2BvBuMBpVk%2Fu%2FB3k9m8DUZK", "https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779638904&Signature=sNLoXHL%2FJqR%2FKpCUpZ3xk1M3w2ix%2F0EztNMcyqjmOrRnpEfN2KtvqN%2BbjjNSOJZ60nF%2Blqn8e%2FCMW1hKcoVai1M%2BJhJchZCA5HTt9I%2FRxELce8C4AtkLuiJkLUydTO2Og2t9T5LjutTKwPeMWArNq9V2OX3NPY4my9NOxSl4azNDj3g2x0Bh%2B4cWRwh2kvoZOqEwQDfwSn1CPloWhsxGvXRWqmxgA5Qg0noBBB4dJGxNwoRKsOWF", "https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779639054&Signature=EEV1EitssGhRiArTQwwI46vPKgz7UanaRN35lG8rZ3aqSaByMgJMG4F%2BBZ3gxHg87k8HJ5ajkCxPtTqsKEvG4C7b9cxkNALabAkhAdOiUgQJcMsP2RYCOcgI%2BpyVmB2ibfAqUo8ZBKCEmQhHPScOb9P3ccZc4cKW7Y%2Fstw5FecP4ddOC%2FimKqWnvBdvueQ0MDbsW20AXvNupNpXm0o09LG91CjzmrHeBMEC%2FTNDhCblMEN2x5oRkK%2Fz7VX", "https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779639078&Signature=tzu4uNt492zFP%2BWaTxQzmPFHxea44DCMQdndQBcAY4YqVoVJ1UV6gsEPg8jB8shQPteUVKvm%2B46kCJpXntnbaegaLcNPwSYtTzGgpwWp13I2RzIYaaQoSBbQRNBF6y8v8Ql3l1FJLbz8vtarUjxrF%2BvvS6LwjT0BzLTAjR%2F5uVviAMddfZphJ1s1wKmfLrEmnZaXomiR8PkhX2nYZMc4jLxkJa%2BomaUKKKMggdRFFCcCLLoe%2Bo", "https://vtbehaviour.commondatastorage.googleapis.com/1ea6d01132210234b1da26f181bdcefa423f883ed5b15bd42915b19f68e0604f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779640480&Signature=q34riu0M3M72fz%2FxMMZS6FzxbC%2B8Z1WiO4MLyitIqJjdW95CvaeHBdE50%2BQk2P%2BSgNInq83S55ECox7wveKcpQLScNK4nfIaUO2jJIzkPNEFvO%2F%2BE%2F5CuRCW2H4HWji84nlyWZ7rlT9tvRWINFyCeI0sMYjD2gCovuOfhbEz717%2BUcycH2xU64CcOUIB0JH5kJzclp2AK1E0qdtDf12RLMD5z9Xgy0Wv8ElKSr75JpXomp", "https://vtbehaviour.commondatastorage.googleapis.com/1ea6d01132210234b1da26f181bdcefa423f883ed5b15bd42915b19f68e0604f_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779640501&Signature=wQUBsRErARJ4flqai%2Fy45lWPUEVVpsxKIVhMiqVCcX3pSfwLxIUQD2aoderkcyUwUNFvaqQQ8jFN2XcbZcQZd2mYBvhNZQ8AxNhD%2BczvWObNrnN9MXmL7Yigcrf1ZfADDnHyk3ReVhUWSr5VW35SrWmrWcksCRf5egYC7hfcS0hqmYx%2F5%2B0iF7zlvKAWT9Iad4FU3zmas1Bri4p8csHlAX5zWpTWHflEQU5H2BddZyie8hc9vloTzOlLZTqmpy" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Norwell", "display_name": "Norwell", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1686, "URL": 1309, "hostname": 1474, "FileHash-MD5": 166, "FileHash-SHA1": 204, "IPv4": 152, "domain": 1177, "CIDR": 3, "email": 11, "IPv6": 1, "URI": 1, "CVE": 1, "SSLCertFingerprint": 2, "Mutex": 2 }, "indicator_count": 6189, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "6 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "694f0aa090aedc7e498b2e9a", "name": "Qakbot | *NEW Malware found and analyzed \u2022 IRS", "description": "IRS.GOV We have run several test on multiple machines/ devices PC , MacBook , iPhone , Android, Desktop hoping for better results. I believe proximity of most of the devices were well distanced , but have doubts. For this test IRS. GOV redirects payments to sawww4. or sa.www4. web addresses (example: 2fsa.www4.irs.gov) that now reads (connection error) during research. Pages still exist and will not process information. Still threatens levy no matter what (legal) information is entered. \n\nI\u2019m aware of Trump IRS proposals for 2026. The issue is taxpayers are being directed to alleged IRS employees or in person licensed CPA\u2019s. \n(sa. prefix Saudi Arabia?) SA. could be a prefix for anything including South Africa.", "modified": "2026-01-25T21:03:27.507000", "created": "2025-12-26T22:22:24.480000", "tags": [ "related tags", "none google", "win32", "united", "united states", "irs", "qakbot", "qbot", "inject", "keylogger", "botx", "active", "bot network", "et trojan", "hello ssl", "destination", "port", "unknown", "ciphersuite", "sessionid", "asnone", "write", "virustotal", "drweb", "vipre", "mcafee", "panda", "malware", "pandex!gen1", "et", "brazil as16625", "akamai", "united kingdom", "dynamicloader", "medium", "tls handshake", "failure", "yara rule", "high", "cape", "guard", "error", "delphi", "qakbot", "tlsv1", "entries", "iobit unikstall", "global", "read c", "rgba", "unicode", "memcommit", "delete", "msie", "windows nt", "next", "dock", "execution", "server header", "download", "suspicious", "specified", "logic", "web products", "present nov", "present dec", "present jun", "present oct", "present may", "aaaa", "next associated", "urls show", "scheme", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "contacted hosts", "ip address", "ascii text", "pattern match", "href", "mitre att", "ck id", "show technique", "ck matrix", "beginstring", "show process", "null", "refresh", "span", "hybrid", "general", "local", "path", "iframe", "click", "strings", "tools", "title", "look", "verify", "restart", "learn", "command", "name tactics", "informative", "adversaries", "spawns", "defense evasion", "t1480 execution", "adult content", "lol fun hackers" ], "references": [ "Start at https://www.irs.gov/ redirected to 2fsa.www4.irs.gov (connection error) irs.gov (active) Positive for all Malware", "IRS.GOV - Crypt3.BXVC ET Inject2.BIVE Win.Keylogger.Qbot-9987768-0 Win.Trojan.Qakbot-9988002-1 Win32:BotX-gen\\ [Trj]", "Pandex!gen1 Web Products", "Crypt3.BXVC IDS: Suspicious double Server Header", "Crypt3.BXVC IDS: Possible Kelihos.F EXE Download Common Structure", "Crypt3.BXVC IDS: Win32/Kelihos.F Checkin", "Crypt3.BXVC IDS: Fun Web Products Spyware User-Agent (FunWebProducts)", "Crypt3.BXVC IDS: Possible Kelihos Infection Executable Download With Malformed Header", "Crypt3.BXVC IDS: DNS Query for Suspicious .co.cc Domain", "Crypt3.BXVC IDS: Executable Download from dotted-quad Host", "Crypt3.BXVC IDS: Abuseat.org Block Message", "Crypt3.BXVC IDS: Executable Retrieved With Minimal HTTP", "Crypt3.BXVC IDS: PE EXE or DLL Windows file download HTTP", "Crypt3.BXVC IDS: Headers - Potential Second Stage Download", "Alerts: persistence_autorun sniffer_winpcap network_bind antivirus_virustotal network_http", "Alerts: network_icmp infostealer_browser recon_fingerprint infostealer_ftp network_smtp", "ET Trojan \u2022 https://otx.alienvault.com/indicator/file/43dbcee5aee3caab830ac840737bb591cfa99ae81f1280aeb38ad73ad9c317af" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "United Kingdom of Great Britain and Northern Ireland", "Canada", "Brazil", "Ireland", "India", "Georgia", "Singapore", "Spain", "Japan" ], "malware_families": [ { "id": "Inject2.BIVE", "display_name": "Inject2.BIVE", "target": null }, { "id": "Win.Keylogger.Qbot-9987768-0", "display_name": "Win.Keylogger.Qbot-9987768-0", "target": null }, { "id": "Win.Trojan.Qakbot-9988002-1", "display_name": "Win.Trojan.Qakbot-9988002-1", "target": null }, { "id": "Win32:BotX-gen\\ [Trj]", "display_name": "Win32:BotX-gen\\ [Trj]", "target": null }, { "id": "Crypt3.BXVC", "display_name": "Crypt3.BXVC", "target": null }, { "id": "Pandex!gen1", "display_name": "Pandex!gen1", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Web Products", "display_name": "Web Products", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" } ], "industries": [ "Finance", "Government", "IRS" ], "TLP": "green", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 158, "URL": 140, "hostname": 287, "FileHash-SHA256": 85, "FileHash-MD5": 110, "FileHash-SHA1": 77, "SSLCertFingerprint": 8 }, "indicator_count": 865, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "125 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "62221d71474b323d486dc3f2", "name": "WTF 2022", "description": "", "modified": "2022-04-03T00:00:55.161000", "created": "2022-03-04T14:08:49.518000", "tags": [], "references": [ "WTF.pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Kailula4", "id": "131997", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 587, "URL": 668, "hostname": 613, "domain": 1320, "FileHash-MD5": 59, "FileHash-SHA1": 2 }, "indicator_count": 3249, "is_author": false, "is_subscribing": null, "subscriber_count": 406, "modified_text": "1519 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "IRS.GOV - Crypt3.BXVC ET Inject2.BIVE Win.Keylogger.Qbot-9987768-0 Win.Trojan.Qakbot-9988002-1 Win32:BotX-gen\\ [Trj]", "Crypt3.BXVC IDS: Possible Kelihos.F EXE Download Common Structure", "Pandex!gen1 Web Products", "Crypt3.BXVC IDS: Executable Download from dotted-quad Host", "https://vtbehaviour.commondatastorage.googleapis.com/e920fc67e098b7a6f3a13d99935239edc4c6c799bbaf2126c28da9b6e77fcf6f_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779646024&Signature=GY3f%2BonWSmAE2r3xAvXp%2F0FLSZV%2B761HeH7MY%2F8jak5D8A6eAtDD6dxfY3qi8RFAYc2JIbh%2BWXZHSBZkxzZskVfm5S22fwOHMoCy9ezLI3%2BUbKxsL0uv64YuKmYd8s9FPp4wHA7tAXPPEMApUtclPZEQeo1AHVK7AN9zQZqAGYGnbfQtD1Ew5Bny5yT6axRterHcQPbXI8aPUvmJjP0131Op%2FKquhhierCzlcA3JIPWrYGomlInU9wZg", "Crypt3.BXVC IDS: Possible Kelihos Infection Executable Download With Malformed Header", "WTF.pdf", "https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779638904&Signature=sNLoXHL%2FJqR%2FKpCUpZ3xk1M3w2ix%2F0EztNMcyqjmOrRnpEfN2KtvqN%2BbjjNSOJZ60nF%2Blqn8e%2FCMW1hKcoVai1M%2BJhJchZCA5HTt9I%2FRxELce8C4AtkLuiJkLUydTO2Og2t9T5LjutTKwPeMWArNq9V2OX3NPY4my9NOxSl4azNDj3g2x0Bh%2B4cWRwh2kvoZOqEwQDfwSn1CPloWhsxGvXRWqmxgA5Qg0noBBB4dJGxNwoRKsOWF", "Alerts: network_icmp infostealer_browser recon_fingerprint infostealer_ftp network_smtp", "Start at https://www.irs.gov/ redirected to 2fsa.www4.irs.gov (connection error) irs.gov (active) Positive for all Malware", "Crypt3.BXVC IDS: Fun Web Products Spyware User-Agent (FunWebProducts)", "https://vtbehaviour.commondatastorage.googleapis.com/92be0ca27d8a8501a9e3647d71d4aa3cf9cc36c64f4a20f1af181c424cb18a4e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779638452&Signature=W7GSOCee0L88oD17mS9F7ugbL5UuvCROQTEX3x6zxE6iy%2Fq7d4R2VgKW6vrIVn5INn9P%2Bd4nE9bdDm9hFZfYZtWp2fA8kLWCXUIn9yyEalW3TZiqc3F0VaXhxyOt1z8RxWxNkSJ4q%2FiKIW0UIBNzP3Xb%2BS4HiU1ygKuUsKMrM94faA%2B%2FLvWo8blWHNZjcwJxB6tZER0I70vtmS%2BQUms49SUXQukji6eyu2GeJXt%2BrsVoCx", "https://vtbehaviour.commondatastorage.googleapis.com/e920fc67e098b7a6f3a13d99935239edc4c6c799bbaf2126c28da9b6e77fcf6f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779645922&Signature=JwLo32luwQokWOHR7lJz4dmUcLMQf18tKN2sLujlReeuplXL3B7kObdnC6EAKvj0%2FbPufiSY60CcdkPZ0L38f2ezSQ%2FpUd%2B9vwTI0sIkA%2BKOPYbhRV0zr7%2FH0rSo%2Fe1bb7p3YS9o0fzclIJ9iT6lWjLBnyAgZ4ZvwYmLkJk2x9beiNvBoWd5BPX2QLlZXDEzKgUbGKGGjHZQPfSIi3YI3zIRo16YJkaQzjxGBhhyGB4Ao8%2Fr", "Crypt3.BXVC IDS: Executable Retrieved With Minimal HTTP", "Alerts: persistence_autorun sniffer_winpcap network_bind antivirus_virustotal network_http", "Crypt3.BXVC IDS: Headers - Potential Second Stage Download", "https://vtbehaviour.commondatastorage.googleapis.com/1ea6d01132210234b1da26f181bdcefa423f883ed5b15bd42915b19f68e0604f_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779640501&Signature=wQUBsRErARJ4flqai%2Fy45lWPUEVVpsxKIVhMiqVCcX3pSfwLxIUQD2aoderkcyUwUNFvaqQQ8jFN2XcbZcQZd2mYBvhNZQ8AxNhD%2BczvWObNrnN9MXmL7Yigcrf1ZfADDnHyk3ReVhUWSr5VW35SrWmrWcksCRf5egYC7hfcS0hqmYx%2F5%2B0iF7zlvKAWT9Iad4FU3zmas1Bri4p8csHlAX5zWpTWHflEQU5H2BddZyie8hc9vloTzOlLZTqmpy", "https://vtbehaviour.commondatastorage.googleapis.com/8ed092fba4497e2cdde226956c589a21ccfb01c1a23305c029746d6f3f8441f2_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779638734&Signature=xtQED2V3PJ2BlKWGnzpYaInFIj0LtQ5HvUiHwVUnjQrf3nkdgTSOmKHoM8bt07LdXE2gP38gtUEORx1kvCz9WwS2vbQug9jFenQquTV1ymmuBzpRJ3ScOedOXYRUZ0xlMHMSKlEl7EDyuv5oI%2BbysetFZM7njE1QyFexdSfTFnaQLLOfOVYSrLignovntUHgLGqW%2B3pvMPXRK31YQ8G2uah9wKhgHX%2BvBuMBpVk%2Fu%2FB3k9m8DUZK", "http://iplogger.org/1tnbw7%0Ahttp://gsoftclean.top/ver.txt%0Ahttp://iplogger.org/1z9A57%0Ahttp://gsoftclean.top/main.exe%0Ahttp://gsoftclean.top/aus%0Ahttp://gsoftclean.top/settings.dll%0Ahttp://iplogger.org/1nLz47%0Ahttp://iplogger.org/1z6A57%0Ahttps://iplogger.org/1z6A57%0Ahttp://iplogger.org/1PMX37%0Ahttps://iplogger.org/1nLz47", "https://vtbehaviour.commondatastorage.googleapis.com/1ea6d01132210234b1da26f181bdcefa423f883ed5b15bd42915b19f68e0604f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779640480&Signature=q34riu0M3M72fz%2FxMMZS6FzxbC%2B8Z1WiO4MLyitIqJjdW95CvaeHBdE50%2BQk2P%2BSgNInq83S55ECox7wveKcpQLScNK4nfIaUO2jJIzkPNEFvO%2F%2BE%2F5CuRCW2H4HWji84nlyWZ7rlT9tvRWINFyCeI0sMYjD2gCovuOfhbEz717%2BUcycH2xU64CcOUIB0JH5kJzclp2AK1E0qdtDf12RLMD5z9Xgy0Wv8ElKSr75JpXomp", "https://vtbehaviour.commondatastorage.googleapis.com/8ed092fba4497e2cdde226956c589a21ccfb01c1a23305c029746d6f3f8441f2_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779646404&Signature=RAWN3ziUE4nt7cOF13GailGKiIaXg1kyzWnV3ohWPQWImilq1jkY6T9cnu7vh%2F0SwtRBev83RCV6GntS%2BJCyx7SBzUDQfqgPb3FwbcVEKgVziqaqJnxUSRgT0fWVsRCXJCisv9WjaxDGYcpAG8VMSXObs0HpYbgKvL%2FmbwN2wmzCCwSIiyGZj72303oaIQHVyqX9LoYWhs16g1xe%2B%2BXBcJaVerKyva6h3EWLVO9dkwM0cWEidZPw", "Crypt3.BXVC IDS: Abuseat.org Block Message", "Crypt3.BXVC IDS: DNS Query for Suspicious .co.cc Domain", "https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779639078&Signature=tzu4uNt492zFP%2BWaTxQzmPFHxea44DCMQdndQBcAY4YqVoVJ1UV6gsEPg8jB8shQPteUVKvm%2B46kCJpXntnbaegaLcNPwSYtTzGgpwWp13I2RzIYaaQoSBbQRNBF6y8v8Ql3l1FJLbz8vtarUjxrF%2BvvS6LwjT0BzLTAjR%2F5uVviAMddfZphJ1s1wKmfLrEmnZaXomiR8PkhX2nYZMc4jLxkJa%2BomaUKKKMggdRFFCcCLLoe%2Bo", "Crypt3.BXVC IDS: Win32/Kelihos.F Checkin", "https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779639054&Signature=EEV1EitssGhRiArTQwwI46vPKgz7UanaRN35lG8rZ3aqSaByMgJMG4F%2BBZ3gxHg87k8HJ5ajkCxPtTqsKEvG4C7b9cxkNALabAkhAdOiUgQJcMsP2RYCOcgI%2BpyVmB2ibfAqUo8ZBKCEmQhHPScOb9P3ccZc4cKW7Y%2Fstw5FecP4ddOC%2FimKqWnvBdvueQ0MDbsW20AXvNupNpXm0o09LG91CjzmrHeBMEC%2FTNDhCblMEN2x5oRkK%2Fz7VX", "Crypt3.BXVC IDS: Suspicious double Server Header", "Crypt3.BXVC IDS: PE EXE or DLL Windows file download HTTP", "ET Trojan \u2022 https://otx.alienvault.com/indicator/file/43dbcee5aee3caab830ac840737bb591cfa99ae81f1280aeb38ad73ad9c317af", "https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779636742&Signature=0Jmd8OZhEoMcSIRjjLwJ25yOqQqGciJ%2Bi7fIHdY6hAZ943%2BagmRX%2BVjBhTYlLgakIWK9x6Xl42tsN8Zxr1F8%2B9UsiTGouw2FhmIYb0m%2BVstAqLsFZfxFVME005klDDValb5ctckQfmbabxNIeSo3vmrY3IDcc%2FGfcbCW6Iqp9O8UhbCjMEW208ycLJ%2FpHTi1oEgnBzteXKkR%2F6bkcgsXuMmv2zPR5aFV%2FRoRKG4d00Gf" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [], "malware_families": [ "Crypt3.bxvc", "Norwell", "Web products", "Pandex!gen1", "Win.trojan.qakbot-9988002-1", "Inject2.bive", "Et", "Win.keylogger.qbot-9987768-0", "Win32:botx-gen\\ [trj]" ], "industries": [ "Irs", "Finance", "Government" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 9, "pulses": [ { "id": "6a132a7a71682c83e9c17835", "name": "Fastly: find your muse + keep them on your radar * CAPE Sandbox", "description": "Optics at Altitude is a commercial drone photography and videography service based out of the South Shore, Massachusetts, and beyond, which provides high-quality imagery for a wide-variety of industries and needs.-443 Certificate Caissuers\thttp://secure.globalsign.com/cacert/cloudsslsha2g3.crt\n443 Certificate Ocsp\thttp://ocsp2.globalsign.com/cloudsslsha2g3\n443 Certificate Serialnumber\t0C3B770C982FCBFC7B00B74A\n443 Certificate Notafter\tApr 14 16:28:35 2019 GMT\n443 Certificate Version\t3\n443 Certificate Subject\tUS\n443 Certificate Subject\tCalifornia\n443 Certificate Subject\tSan Francisco\n443 Certificate Subject\tFastly, Inc\n443 Certificate Issuer\tBE\n443 Certificate Issuer\tGlobalSign nv-sa", "modified": "2026-05-26T06:44:42.987000", "created": "2026-05-24T16:42:34.355000", "tags": [ "ip address", "status code", "body length", "kb body", "sha256", "csv text", "altitude", "south shore", "uas imagery", "massachusetts", "marshfield", "scituate", "hingham", "norwell", "hanover", "pembroke", "epub document", "structure ebook", "zip document", "epub", "nigel poulton", "docker deep", "nielson book", "docker", "single book", "anna", "dive", "dive zero", "deep dive", "zero", "script", "ieedge", "squarespace", "drones", "title", "secchuamodel", "link", "static", "supporte", "marshfield ldap", "marshfield ssl", "certificate", "common name", "issued", "charter", "llc united", "statesunited", "new london", "diesel", "comcast ip", "derry village", "ssl certificate", "encrypt", "comcast cable", "communications", "boston", "key identifier", "x509v3 subject", "full name", "cus odigicert", "inc cndigicert", "global g2", "tls rsa", "ca1 validity", "cus stnew", "range", "cidr", "network name", "type", "status", "whois server", "entity squar30", "handle", "net198", "net1980000", "squar30", "varick st", "city", "new york", "stateprov", "postalcode", "orgtechhandle", "orgtechref", "orgabusehandle", "orgabuseref", "orgnochandle", "orgnocref", "p version", "address range", "span", "google public", "form", "doctype html", "google", "public dns", "head", "public", "footer", "body", "file type", "ascii text", "python script", "python", "writes shell", "unicode text", "utf8 text", "ascii", "writes", "sample", "persistence", "defense evasion", "info", "next", "performs dns", "united", "urls", "found", "https", "mitre attack", "network info", "processes extra", "t1055 process", "layer protocol", "phishing", "headers age", "homenet", "et info", "file hosting", "service domain", "domain", "dns lookup", "clientendpoint", "perimeter", "high", "informational", "domain related", "as54113", "top source", "top destination", "source source", "status domain", "tcp include", "udp include", "country united", "unique", "ja3 clients", "destination ip", "dest port", "ja3 ja3", "digest", "cache", "california", "san francisco", "fastly", "globalsign", "title pypi", "package", "a domains", "accept", "showing", "entries", "previous", "domains show", "search", "amazon ec2", "orgnocemail", "net75", "net750000", "amazon web", "services", "ip routing", "nethandle", "amazo4", "aws rpki", "historical ssl", "certificates", "first", "thumbprint", "graph summary", "algorithm", "number", "issuer", "cus cnlet", "x3 olet", "subject public", "key info", "key algorithm", "pdf document", "adobe portable", "document format", "default", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "sha1", "acrongl integ", "adc4240758", "shutdown", "sqlite version", "sqlite rollback", "utf8", "json", "creates", "journal", "malicious", "resolutions", "date", "detection", "hostmaster", "amazon legal", "dept", "amazon", "code", "email", "icann whois", "nv admin", "phone", "stateprovince", "tech", "gatsby", "golf", "hrhrhr" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779636742&Signature=0Jmd8OZhEoMcSIRjjLwJ25yOqQqGciJ%2Bi7fIHdY6hAZ943%2BagmRX%2BVjBhTYlLgakIWK9x6Xl42tsN8Zxr1F8%2B9UsiTGouw2FhmIYb0m%2BVstAqLsFZfxFVME005klDDValb5ctckQfmbabxNIeSo3vmrY3IDcc%2FGfcbCW6Iqp9O8UhbCjMEW208ycLJ%2FpHTi1oEgnBzteXKkR%2F6bkcgsXuMmv2zPR5aFV%2FRoRKG4d00Gf", "https://vtbehaviour.commondatastorage.googleapis.com/92be0ca27d8a8501a9e3647d71d4aa3cf9cc36c64f4a20f1af181c424cb18a4e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779638452&Signature=W7GSOCee0L88oD17mS9F7ugbL5UuvCROQTEX3x6zxE6iy%2Fq7d4R2VgKW6vrIVn5INn9P%2Bd4nE9bdDm9hFZfYZtWp2fA8kLWCXUIn9yyEalW3TZiqc3F0VaXhxyOt1z8RxWxNkSJ4q%2FiKIW0UIBNzP3Xb%2BS4HiU1ygKuUsKMrM94faA%2B%2FLvWo8blWHNZjcwJxB6tZER0I70vtmS%2BQUms49SUXQukji6eyu2GeJXt%2BrsVoCx", "https://vtbehaviour.commondatastorage.googleapis.com/8ed092fba4497e2cdde226956c589a21ccfb01c1a23305c029746d6f3f8441f2_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779638734&Signature=xtQED2V3PJ2BlKWGnzpYaInFIj0LtQ5HvUiHwVUnjQrf3nkdgTSOmKHoM8bt07LdXE2gP38gtUEORx1kvCz9WwS2vbQug9jFenQquTV1ymmuBzpRJ3ScOedOXYRUZ0xlMHMSKlEl7EDyuv5oI%2BbysetFZM7njE1QyFexdSfTFnaQLLOfOVYSrLignovntUHgLGqW%2B3pvMPXRK31YQ8G2uah9wKhgHX%2BvBuMBpVk%2Fu%2FB3k9m8DUZK", "https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779638904&Signature=sNLoXHL%2FJqR%2FKpCUpZ3xk1M3w2ix%2F0EztNMcyqjmOrRnpEfN2KtvqN%2BbjjNSOJZ60nF%2Blqn8e%2FCMW1hKcoVai1M%2BJhJchZCA5HTt9I%2FRxELce8C4AtkLuiJkLUydTO2Og2t9T5LjutTKwPeMWArNq9V2OX3NPY4my9NOxSl4azNDj3g2x0Bh%2B4cWRwh2kvoZOqEwQDfwSn1CPloWhsxGvXRWqmxgA5Qg0noBBB4dJGxNwoRKsOWF", "https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779639054&Signature=EEV1EitssGhRiArTQwwI46vPKgz7UanaRN35lG8rZ3aqSaByMgJMG4F%2BBZ3gxHg87k8HJ5ajkCxPtTqsKEvG4C7b9cxkNALabAkhAdOiUgQJcMsP2RYCOcgI%2BpyVmB2ibfAqUo8ZBKCEmQhHPScOb9P3ccZc4cKW7Y%2Fstw5FecP4ddOC%2FimKqWnvBdvueQ0MDbsW20AXvNupNpXm0o09LG91CjzmrHeBMEC%2FTNDhCblMEN2x5oRkK%2Fz7VX", "https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779639078&Signature=tzu4uNt492zFP%2BWaTxQzmPFHxea44DCMQdndQBcAY4YqVoVJ1UV6gsEPg8jB8shQPteUVKvm%2B46kCJpXntnbaegaLcNPwSYtTzGgpwWp13I2RzIYaaQoSBbQRNBF6y8v8Ql3l1FJLbz8vtarUjxrF%2BvvS6LwjT0BzLTAjR%2F5uVviAMddfZphJ1s1wKmfLrEmnZaXomiR8PkhX2nYZMc4jLxkJa%2BomaUKKKMggdRFFCcCLLoe%2Bo", "https://vtbehaviour.commondatastorage.googleapis.com/1ea6d01132210234b1da26f181bdcefa423f883ed5b15bd42915b19f68e0604f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779640480&Signature=q34riu0M3M72fz%2FxMMZS6FzxbC%2B8Z1WiO4MLyitIqJjdW95CvaeHBdE50%2BQk2P%2BSgNInq83S55ECox7wveKcpQLScNK4nfIaUO2jJIzkPNEFvO%2F%2BE%2F5CuRCW2H4HWji84nlyWZ7rlT9tvRWINFyCeI0sMYjD2gCovuOfhbEz717%2BUcycH2xU64CcOUIB0JH5kJzclp2AK1E0qdtDf12RLMD5z9Xgy0Wv8ElKSr75JpXomp", "https://vtbehaviour.commondatastorage.googleapis.com/1ea6d01132210234b1da26f181bdcefa423f883ed5b15bd42915b19f68e0604f_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779640501&Signature=wQUBsRErARJ4flqai%2Fy45lWPUEVVpsxKIVhMiqVCcX3pSfwLxIUQD2aoderkcyUwUNFvaqQQ8jFN2XcbZcQZd2mYBvhNZQ8AxNhD%2BczvWObNrnN9MXmL7Yigcrf1ZfADDnHyk3ReVhUWSr5VW35SrWmrWcksCRf5egYC7hfcS0hqmYx%2F5%2B0iF7zlvKAWT9Iad4FU3zmas1Bri4p8csHlAX5zWpTWHflEQU5H2BddZyie8hc9vloTzOlLZTqmpy" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Norwell", "display_name": "Norwell", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1765, "URL": 1325, "hostname": 1489, "FileHash-MD5": 224, "FileHash-SHA1": 268, "IPv4": 152, "domain": 1177, "CIDR": 4, "email": 11, "IPv6": 1, "URI": 3, "CVE": 2, "SSLCertFingerprint": 2, "Mutex": 2 }, "indicator_count": 6425, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "5 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a13404a015fc885f5edb1c9", "name": "An error occurred: breadcrumb. IpLogger - piggy back on @skocherhan", "description": "[Find out the best IP logging tools and tools at \u00c2\u00a31.5m in the UK, Ireland, Wales, Scotland and Northern Ireland on the website+ here is the full list.]", "modified": "2026-05-24T18:15:38.213000", "created": "2026-05-24T18:15:38.213000", "tags": [ "::keywords_error_main", "sign", "url shortener", "track phone", "tracking pixel", "my ip", "ip counters", "ip generator", "internet", "best ip", "logger", "accept", "pe32", "intel", "ms windows", "win16 ne", "icons library", "os2 executable", "pe32 compiler", "exe32", "compiler", "ltcgc", "ascii text", "redacted for", "postal code", "privacy tech", "stateprovince", "server", "registrar abuse", "registrant name", "domain id", "iana id", "admin country", "date", "key identifier", "number", "issuer", "cus cnlet", "x3 olet", "subject public", "key info", "key algorithm", "x509v3 subject", "x509v3 key", "delegated", "unverified", "record type", "ttl value", "homenet", "0xf82", "externalnet", "policy ip", "check domain", "tls sni", "high", "informational", "registry keys", "nothing", "mutexes nothing", "parent pid", "full path", "command line", "read files", "apis nothing", "pe file", "performs dns", "network info", "processes extra", "aslr", "sample", "t1055 process", "overview", "mitre attack", "overview zenbox", "defense evasion", "next", "generic cil", "executable", "mono", "win32 dynamic", "link library", "pe32 library", "file type", "python script", "python", "writes shell", "unicode text", "utf8 text", "ascii", "writes", "persistence", "info", "Expired certificate", "Drops", "Oa auth abuse [potential]" ], "references": [ "http://iplogger.org/1tnbw7%0Ahttp://gsoftclean.top/ver.txt%0Ahttp://iplogger.org/1z9A57%0Ahttp://gsoftclean.top/main.exe%0Ahttp://gsoftclean.top/aus%0Ahttp://gsoftclean.top/settings.dll%0Ahttp://iplogger.org/1nLz47%0Ahttp://iplogger.org/1z6A57%0Ahttps://iplogger.org/1z6A57%0Ahttp://iplogger.org/1PMX37%0Ahttps://iplogger.org/1nLz47", "https://vtbehaviour.commondatastorage.googleapis.com/e920fc67e098b7a6f3a13d99935239edc4c6c799bbaf2126c28da9b6e77fcf6f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779645922&Signature=JwLo32luwQokWOHR7lJz4dmUcLMQf18tKN2sLujlReeuplXL3B7kObdnC6EAKvj0%2FbPufiSY60CcdkPZ0L38f2ezSQ%2FpUd%2B9vwTI0sIkA%2BKOPYbhRV0zr7%2FH0rSo%2Fe1bb7p3YS9o0fzclIJ9iT6lWjLBnyAgZ4ZvwYmLkJk2x9beiNvBoWd5BPX2QLlZXDEzKgUbGKGGjHZQPfSIi3YI3zIRo16YJkaQzjxGBhhyGB4Ao8%2Fr", "https://vtbehaviour.commondatastorage.googleapis.com/e920fc67e098b7a6f3a13d99935239edc4c6c799bbaf2126c28da9b6e77fcf6f_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779646024&Signature=GY3f%2BonWSmAE2r3xAvXp%2F0FLSZV%2B761HeH7MY%2F8jak5D8A6eAtDD6dxfY3qi8RFAYc2JIbh%2BWXZHSBZkxzZskVfm5S22fwOHMoCy9ezLI3%2BUbKxsL0uv64YuKmYd8s9FPp4wHA7tAXPPEMApUtclPZEQeo1AHVK7AN9zQZqAGYGnbfQtD1Ew5Bny5yT6axRterHcQPbXI8aPUvmJjP0131Op%2FKquhhierCzlcA3JIPWrYGomlInU9wZg", "https://vtbehaviour.commondatastorage.googleapis.com/8ed092fba4497e2cdde226956c589a21ccfb01c1a23305c029746d6f3f8441f2_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779646404&Signature=RAWN3ziUE4nt7cOF13GailGKiIaXg1kyzWnV3ohWPQWImilq1jkY6T9cnu7vh%2F0SwtRBev83RCV6GntS%2BJCyx7SBzUDQfqgPb3FwbcVEKgVziqaqJnxUSRgT0fWVsRCXJCisv9WjaxDGYcpAG8VMSXObs0HpYbgKvL%2FmbwN2wmzCCwSIiyGZj72303oaIQHVyqX9LoYWhs16g1xe%2B%2BXBcJaVerKyva6h3EWLVO9dkwM0cWEidZPw" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 200, "domain": 530, "hostname": 84, "FileHash-SHA256": 1090, "FileHash-MD5": 104, "Mutex": 2, "FileHash-SHA1": 97, "IPv4": 58, "email": 1, "CVE": 1 }, "indicator_count": 2167, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "6 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a1340485f49d8abce143eea", "name": "An error occurred: breadcrumb. IpLogger - piggy back on @skocherhan", "description": "[Find out the best IP logging tools and tools at \u00c2\u00a31.5m in the UK, Ireland, Wales, Scotland and Northern Ireland on the website+ here is the full list.]", "modified": "2026-05-24T18:15:36.238000", "created": "2026-05-24T18:15:36.238000", "tags": [ "::keywords_error_main", "sign", "url shortener", "track phone", "tracking pixel", "my ip", "ip counters", "ip generator", "internet", "best ip", "logger", "accept", "pe32", "intel", "ms windows", "win16 ne", "icons library", "os2 executable", "pe32 compiler", "exe32", "compiler", "ltcgc", "ascii text", "redacted for", "postal code", "privacy tech", "stateprovince", "server", "registrar abuse", "registrant name", "domain id", "iana id", "admin country", "date", "key identifier", "number", "issuer", "cus cnlet", "x3 olet", "subject public", "key info", "key algorithm", "x509v3 subject", "x509v3 key", "delegated", "unverified", "record type", "ttl value", "homenet", "0xf82", "externalnet", "policy ip", "check domain", "tls sni", "high", "informational", "registry keys", "nothing", "mutexes nothing", "parent pid", "full path", "command line", "read files", "apis nothing", "pe file", "performs dns", "network info", "processes extra", "aslr", "sample", "t1055 process", "overview", "mitre attack", "overview zenbox", "defense evasion", "next", "generic cil", "executable", "mono", "win32 dynamic", "link library", "pe32 library", "file type", "python script", "python", "writes shell", "unicode text", "utf8 text", "ascii", "writes", "persistence", "info", "Expired certificate", "Drops", "Oa auth abuse [potential]" ], "references": [ "http://iplogger.org/1tnbw7%0Ahttp://gsoftclean.top/ver.txt%0Ahttp://iplogger.org/1z9A57%0Ahttp://gsoftclean.top/main.exe%0Ahttp://gsoftclean.top/aus%0Ahttp://gsoftclean.top/settings.dll%0Ahttp://iplogger.org/1nLz47%0Ahttp://iplogger.org/1z6A57%0Ahttps://iplogger.org/1z6A57%0Ahttp://iplogger.org/1PMX37%0Ahttps://iplogger.org/1nLz47", "https://vtbehaviour.commondatastorage.googleapis.com/e920fc67e098b7a6f3a13d99935239edc4c6c799bbaf2126c28da9b6e77fcf6f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779645922&Signature=JwLo32luwQokWOHR7lJz4dmUcLMQf18tKN2sLujlReeuplXL3B7kObdnC6EAKvj0%2FbPufiSY60CcdkPZ0L38f2ezSQ%2FpUd%2B9vwTI0sIkA%2BKOPYbhRV0zr7%2FH0rSo%2Fe1bb7p3YS9o0fzclIJ9iT6lWjLBnyAgZ4ZvwYmLkJk2x9beiNvBoWd5BPX2QLlZXDEzKgUbGKGGjHZQPfSIi3YI3zIRo16YJkaQzjxGBhhyGB4Ao8%2Fr", "https://vtbehaviour.commondatastorage.googleapis.com/e920fc67e098b7a6f3a13d99935239edc4c6c799bbaf2126c28da9b6e77fcf6f_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779646024&Signature=GY3f%2BonWSmAE2r3xAvXp%2F0FLSZV%2B761HeH7MY%2F8jak5D8A6eAtDD6dxfY3qi8RFAYc2JIbh%2BWXZHSBZkxzZskVfm5S22fwOHMoCy9ezLI3%2BUbKxsL0uv64YuKmYd8s9FPp4wHA7tAXPPEMApUtclPZEQeo1AHVK7AN9zQZqAGYGnbfQtD1Ew5Bny5yT6axRterHcQPbXI8aPUvmJjP0131Op%2FKquhhierCzlcA3JIPWrYGomlInU9wZg", "https://vtbehaviour.commondatastorage.googleapis.com/8ed092fba4497e2cdde226956c589a21ccfb01c1a23305c029746d6f3f8441f2_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779646404&Signature=RAWN3ziUE4nt7cOF13GailGKiIaXg1kyzWnV3ohWPQWImilq1jkY6T9cnu7vh%2F0SwtRBev83RCV6GntS%2BJCyx7SBzUDQfqgPb3FwbcVEKgVziqaqJnxUSRgT0fWVsRCXJCisv9WjaxDGYcpAG8VMSXObs0HpYbgKvL%2FmbwN2wmzCCwSIiyGZj72303oaIQHVyqX9LoYWhs16g1xe%2B%2BXBcJaVerKyva6h3EWLVO9dkwM0cWEidZPw" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 200, "domain": 530, "hostname": 84, "FileHash-SHA256": 1090, "FileHash-MD5": 104, "Mutex": 2, "FileHash-SHA1": 97, "IPv4": 58, "email": 1, "CVE": 1 }, "indicator_count": 2167, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "6 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a132a7a34bcc860b0e44ffc", "name": "Fastly: find your muse + keep them on your radar * CAPE Sandbox", "description": "Optics at Altitude is a commercial drone photography and videography service based out of the South Shore, Massachusetts, and beyond, which provides high-quality imagery for a wide-variety of industries and needs.-443 Certificate Caissuers\thttp://secure.globalsign.com/cacert/cloudsslsha2g3.crt\n443 Certificate Ocsp\thttp://ocsp2.globalsign.com/cloudsslsha2g3\n443 Certificate Serialnumber\t0C3B770C982FCBFC7B00B74A\n443 Certificate Notafter\tApr 14 16:28:35 2019 GMT\n443 Certificate Version\t3\n443 Certificate Subject\tUS\n443 Certificate Subject\tCalifornia\n443 Certificate Subject\tSan Francisco\n443 Certificate Subject\tFastly, Inc\n443 Certificate Issuer\tBE\n443 Certificate Issuer\tGlobalSign nv-sa", "modified": "2026-05-24T16:42:34.350000", "created": "2026-05-24T16:42:34.350000", "tags": [ "ip address", "status code", "body length", "kb body", "sha256", "csv text", "altitude", "south shore", "uas imagery", "massachusetts", "marshfield", "scituate", "hingham", "norwell", "hanover", "pembroke", "epub document", "structure ebook", "zip document", "epub", "nigel poulton", "docker deep", "nielson book", "docker", "single book", "anna", "dive", "dive zero", "deep dive", "zero", "script", "ieedge", "squarespace", "drones", "title", "secchuamodel", "link", "static", "supporte", "marshfield ldap", "marshfield ssl", "certificate", "common name", "issued", "charter", "llc united", "statesunited", "new london", "diesel", "comcast ip", "derry village", "ssl certificate", "encrypt", "comcast cable", "communications", "boston", "key identifier", "x509v3 subject", "full name", "cus odigicert", "inc cndigicert", "global g2", "tls rsa", "ca1 validity", "cus stnew", "range", "cidr", "network name", "type", "status", "whois server", "entity squar30", "handle", "net198", "net1980000", "squar30", "varick st", "city", "new york", "stateprov", "postalcode", "orgtechhandle", "orgtechref", "orgabusehandle", "orgabuseref", "orgnochandle", "orgnocref", "p version", "address range", "span", "google public", "form", "doctype html", "google", "public dns", "head", "public", "footer", "body", "file type", "ascii text", "python script", "python", "writes shell", "unicode text", "utf8 text", "ascii", "writes", "sample", "persistence", "defense evasion", "info", "next", "performs dns", "united", "urls", "found", "https", "mitre attack", "network info", "processes extra", "t1055 process", "layer protocol", "phishing", "headers age", "homenet", "et info", "file hosting", "service domain", "domain", "dns lookup", "clientendpoint", "perimeter", "high", "informational", "domain related", "as54113", "top source", "top destination", "source source", "status domain", "tcp include", "udp include", "country united", "unique", "ja3 clients", "destination ip", "dest port", "ja3 ja3", "digest", "cache", "california", "san francisco", "fastly", "globalsign", "title pypi", "package", "a domains", "accept", "showing", "entries", "previous", "domains show", "search", "amazon ec2", "orgnocemail", "net75", "net750000", "amazon web", "services", "ip routing", "nethandle", "amazo4", "aws rpki", "historical ssl", "certificates", "first", "thumbprint", "graph summary", "algorithm", "number", "issuer", "cus cnlet", "x3 olet", "subject public", "key info", "key algorithm", "pdf document", "adobe portable", "document format", "default", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "sha1", "acrongl integ", "adc4240758", "shutdown", "sqlite version", "sqlite rollback", "utf8", "json", "creates", "journal", "malicious", "resolutions", "date", "detection", "hostmaster", "amazon legal", "dept", "amazon", "code", "email", "icann whois", "nv admin", "phone", "stateprovince", "tech", "gatsby", "golf", "hrhrhr" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779636742&Signature=0Jmd8OZhEoMcSIRjjLwJ25yOqQqGciJ%2Bi7fIHdY6hAZ943%2BagmRX%2BVjBhTYlLgakIWK9x6Xl42tsN8Zxr1F8%2B9UsiTGouw2FhmIYb0m%2BVstAqLsFZfxFVME005klDDValb5ctckQfmbabxNIeSo3vmrY3IDcc%2FGfcbCW6Iqp9O8UhbCjMEW208ycLJ%2FpHTi1oEgnBzteXKkR%2F6bkcgsXuMmv2zPR5aFV%2FRoRKG4d00Gf", "https://vtbehaviour.commondatastorage.googleapis.com/92be0ca27d8a8501a9e3647d71d4aa3cf9cc36c64f4a20f1af181c424cb18a4e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779638452&Signature=W7GSOCee0L88oD17mS9F7ugbL5UuvCROQTEX3x6zxE6iy%2Fq7d4R2VgKW6vrIVn5INn9P%2Bd4nE9bdDm9hFZfYZtWp2fA8kLWCXUIn9yyEalW3TZiqc3F0VaXhxyOt1z8RxWxNkSJ4q%2FiKIW0UIBNzP3Xb%2BS4HiU1ygKuUsKMrM94faA%2B%2FLvWo8blWHNZjcwJxB6tZER0I70vtmS%2BQUms49SUXQukji6eyu2GeJXt%2BrsVoCx", "https://vtbehaviour.commondatastorage.googleapis.com/8ed092fba4497e2cdde226956c589a21ccfb01c1a23305c029746d6f3f8441f2_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779638734&Signature=xtQED2V3PJ2BlKWGnzpYaInFIj0LtQ5HvUiHwVUnjQrf3nkdgTSOmKHoM8bt07LdXE2gP38gtUEORx1kvCz9WwS2vbQug9jFenQquTV1ymmuBzpRJ3ScOedOXYRUZ0xlMHMSKlEl7EDyuv5oI%2BbysetFZM7njE1QyFexdSfTFnaQLLOfOVYSrLignovntUHgLGqW%2B3pvMPXRK31YQ8G2uah9wKhgHX%2BvBuMBpVk%2Fu%2FB3k9m8DUZK", "https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779638904&Signature=sNLoXHL%2FJqR%2FKpCUpZ3xk1M3w2ix%2F0EztNMcyqjmOrRnpEfN2KtvqN%2BbjjNSOJZ60nF%2Blqn8e%2FCMW1hKcoVai1M%2BJhJchZCA5HTt9I%2FRxELce8C4AtkLuiJkLUydTO2Og2t9T5LjutTKwPeMWArNq9V2OX3NPY4my9NOxSl4azNDj3g2x0Bh%2B4cWRwh2kvoZOqEwQDfwSn1CPloWhsxGvXRWqmxgA5Qg0noBBB4dJGxNwoRKsOWF", "https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779639054&Signature=EEV1EitssGhRiArTQwwI46vPKgz7UanaRN35lG8rZ3aqSaByMgJMG4F%2BBZ3gxHg87k8HJ5ajkCxPtTqsKEvG4C7b9cxkNALabAkhAdOiUgQJcMsP2RYCOcgI%2BpyVmB2ibfAqUo8ZBKCEmQhHPScOb9P3ccZc4cKW7Y%2Fstw5FecP4ddOC%2FimKqWnvBdvueQ0MDbsW20AXvNupNpXm0o09LG91CjzmrHeBMEC%2FTNDhCblMEN2x5oRkK%2Fz7VX", "https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779639078&Signature=tzu4uNt492zFP%2BWaTxQzmPFHxea44DCMQdndQBcAY4YqVoVJ1UV6gsEPg8jB8shQPteUVKvm%2B46kCJpXntnbaegaLcNPwSYtTzGgpwWp13I2RzIYaaQoSBbQRNBF6y8v8Ql3l1FJLbz8vtarUjxrF%2BvvS6LwjT0BzLTAjR%2F5uVviAMddfZphJ1s1wKmfLrEmnZaXomiR8PkhX2nYZMc4jLxkJa%2BomaUKKKMggdRFFCcCLLoe%2Bo", "https://vtbehaviour.commondatastorage.googleapis.com/1ea6d01132210234b1da26f181bdcefa423f883ed5b15bd42915b19f68e0604f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779640480&Signature=q34riu0M3M72fz%2FxMMZS6FzxbC%2B8Z1WiO4MLyitIqJjdW95CvaeHBdE50%2BQk2P%2BSgNInq83S55ECox7wveKcpQLScNK4nfIaUO2jJIzkPNEFvO%2F%2BE%2F5CuRCW2H4HWji84nlyWZ7rlT9tvRWINFyCeI0sMYjD2gCovuOfhbEz717%2BUcycH2xU64CcOUIB0JH5kJzclp2AK1E0qdtDf12RLMD5z9Xgy0Wv8ElKSr75JpXomp", "https://vtbehaviour.commondatastorage.googleapis.com/1ea6d01132210234b1da26f181bdcefa423f883ed5b15bd42915b19f68e0604f_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779640501&Signature=wQUBsRErARJ4flqai%2Fy45lWPUEVVpsxKIVhMiqVCcX3pSfwLxIUQD2aoderkcyUwUNFvaqQQ8jFN2XcbZcQZd2mYBvhNZQ8AxNhD%2BczvWObNrnN9MXmL7Yigcrf1ZfADDnHyk3ReVhUWSr5VW35SrWmrWcksCRf5egYC7hfcS0hqmYx%2F5%2B0iF7zlvKAWT9Iad4FU3zmas1Bri4p8csHlAX5zWpTWHflEQU5H2BddZyie8hc9vloTzOlLZTqmpy" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Norwell", "display_name": "Norwell", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1686, "URL": 1309, "hostname": 1474, "FileHash-MD5": 166, "FileHash-SHA1": 204, "IPv4": 152, "domain": 1177, "CIDR": 3, "email": 11, "IPv6": 1, "URI": 1, "CVE": 1, "SSLCertFingerprint": 2, "Mutex": 2 }, "indicator_count": 6189, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "6 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a132a7762cac9a1007d9ece", "name": "Fastly: find your muse + keep them on your radar * CAPE Sandbox", "description": "Optics at Altitude is a commercial drone photography and videography service based out of the South Shore, Massachusetts, and beyond, which provides high-quality imagery for a wide-variety of industries and needs.-443 Certificate Caissuers\thttp://secure.globalsign.com/cacert/cloudsslsha2g3.crt\n443 Certificate Ocsp\thttp://ocsp2.globalsign.com/cloudsslsha2g3\n443 Certificate Serialnumber\t0C3B770C982FCBFC7B00B74A\n443 Certificate Notafter\tApr 14 16:28:35 2019 GMT\n443 Certificate Version\t3\n443 Certificate Subject\tUS\n443 Certificate Subject\tCalifornia\n443 Certificate Subject\tSan Francisco\n443 Certificate Subject\tFastly, Inc\n443 Certificate Issuer\tBE\n443 Certificate Issuer\tGlobalSign nv-sa", "modified": "2026-05-24T16:42:31.294000", "created": "2026-05-24T16:42:31.294000", "tags": [ "ip address", "status code", "body length", "kb body", "sha256", "csv text", "altitude", "south shore", "uas imagery", "massachusetts", "marshfield", "scituate", "hingham", "norwell", "hanover", "pembroke", "epub document", "structure ebook", "zip document", "epub", "nigel poulton", "docker deep", "nielson book", "docker", "single book", "anna", "dive", "dive zero", "deep dive", "zero", "script", "ieedge", "squarespace", "drones", "title", "secchuamodel", "link", "static", "supporte", "marshfield ldap", "marshfield ssl", "certificate", "common name", "issued", "charter", "llc united", "statesunited", "new london", "diesel", "comcast ip", "derry village", "ssl certificate", "encrypt", "comcast cable", "communications", "boston", "key identifier", "x509v3 subject", "full name", "cus odigicert", "inc cndigicert", "global g2", "tls rsa", "ca1 validity", "cus stnew", "range", "cidr", "network name", "type", "status", "whois server", "entity squar30", "handle", "net198", "net1980000", "squar30", "varick st", "city", "new york", "stateprov", "postalcode", "orgtechhandle", "orgtechref", "orgabusehandle", "orgabuseref", "orgnochandle", "orgnocref", "p version", "address range", "span", "google public", "form", "doctype html", "google", "public dns", "head", "public", "footer", "body", "file type", "ascii text", "python script", "python", "writes shell", "unicode text", "utf8 text", "ascii", "writes", "sample", "persistence", "defense evasion", "info", "next", "performs dns", "united", "urls", "found", "https", "mitre attack", "network info", "processes extra", "t1055 process", "layer protocol", "phishing", "headers age", "homenet", "et info", "file hosting", "service domain", "domain", "dns lookup", "clientendpoint", "perimeter", "high", "informational", "domain related", "as54113", "top source", "top destination", "source source", "status domain", "tcp include", "udp include", "country united", "unique", "ja3 clients", "destination ip", "dest port", "ja3 ja3", "digest", "cache", "california", "san francisco", "fastly", "globalsign", "title pypi", "package", "a domains", "accept", "showing", "entries", "previous", "domains show", "search", "amazon ec2", "orgnocemail", "net75", "net750000", "amazon web", "services", "ip routing", "nethandle", "amazo4", "aws rpki", "historical ssl", "certificates", "first", "thumbprint", "graph summary", "algorithm", "number", "issuer", "cus cnlet", "x3 olet", "subject public", "key info", "key algorithm", "pdf document", "adobe portable", "document format", "default", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "sha1", "acrongl integ", "adc4240758", "shutdown", "sqlite version", "sqlite rollback", "utf8", "json", "creates", "journal", "malicious", "resolutions", "date", "detection", "hostmaster", "amazon legal", "dept", "amazon", "code", "email", "icann whois", "nv admin", "phone", "stateprovince", "tech", "gatsby", "golf", "hrhrhr" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779636742&Signature=0Jmd8OZhEoMcSIRjjLwJ25yOqQqGciJ%2Bi7fIHdY6hAZ943%2BagmRX%2BVjBhTYlLgakIWK9x6Xl42tsN8Zxr1F8%2B9UsiTGouw2FhmIYb0m%2BVstAqLsFZfxFVME005klDDValb5ctckQfmbabxNIeSo3vmrY3IDcc%2FGfcbCW6Iqp9O8UhbCjMEW208ycLJ%2FpHTi1oEgnBzteXKkR%2F6bkcgsXuMmv2zPR5aFV%2FRoRKG4d00Gf", "https://vtbehaviour.commondatastorage.googleapis.com/92be0ca27d8a8501a9e3647d71d4aa3cf9cc36c64f4a20f1af181c424cb18a4e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779638452&Signature=W7GSOCee0L88oD17mS9F7ugbL5UuvCROQTEX3x6zxE6iy%2Fq7d4R2VgKW6vrIVn5INn9P%2Bd4nE9bdDm9hFZfYZtWp2fA8kLWCXUIn9yyEalW3TZiqc3F0VaXhxyOt1z8RxWxNkSJ4q%2FiKIW0UIBNzP3Xb%2BS4HiU1ygKuUsKMrM94faA%2B%2FLvWo8blWHNZjcwJxB6tZER0I70vtmS%2BQUms49SUXQukji6eyu2GeJXt%2BrsVoCx", "https://vtbehaviour.commondatastorage.googleapis.com/8ed092fba4497e2cdde226956c589a21ccfb01c1a23305c029746d6f3f8441f2_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779638734&Signature=xtQED2V3PJ2BlKWGnzpYaInFIj0LtQ5HvUiHwVUnjQrf3nkdgTSOmKHoM8bt07LdXE2gP38gtUEORx1kvCz9WwS2vbQug9jFenQquTV1ymmuBzpRJ3ScOedOXYRUZ0xlMHMSKlEl7EDyuv5oI%2BbysetFZM7njE1QyFexdSfTFnaQLLOfOVYSrLignovntUHgLGqW%2B3pvMPXRK31YQ8G2uah9wKhgHX%2BvBuMBpVk%2Fu%2FB3k9m8DUZK", "https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779638904&Signature=sNLoXHL%2FJqR%2FKpCUpZ3xk1M3w2ix%2F0EztNMcyqjmOrRnpEfN2KtvqN%2BbjjNSOJZ60nF%2Blqn8e%2FCMW1hKcoVai1M%2BJhJchZCA5HTt9I%2FRxELce8C4AtkLuiJkLUydTO2Og2t9T5LjutTKwPeMWArNq9V2OX3NPY4my9NOxSl4azNDj3g2x0Bh%2B4cWRwh2kvoZOqEwQDfwSn1CPloWhsxGvXRWqmxgA5Qg0noBBB4dJGxNwoRKsOWF", "https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779639054&Signature=EEV1EitssGhRiArTQwwI46vPKgz7UanaRN35lG8rZ3aqSaByMgJMG4F%2BBZ3gxHg87k8HJ5ajkCxPtTqsKEvG4C7b9cxkNALabAkhAdOiUgQJcMsP2RYCOcgI%2BpyVmB2ibfAqUo8ZBKCEmQhHPScOb9P3ccZc4cKW7Y%2Fstw5FecP4ddOC%2FimKqWnvBdvueQ0MDbsW20AXvNupNpXm0o09LG91CjzmrHeBMEC%2FTNDhCblMEN2x5oRkK%2Fz7VX", "https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779639078&Signature=tzu4uNt492zFP%2BWaTxQzmPFHxea44DCMQdndQBcAY4YqVoVJ1UV6gsEPg8jB8shQPteUVKvm%2B46kCJpXntnbaegaLcNPwSYtTzGgpwWp13I2RzIYaaQoSBbQRNBF6y8v8Ql3l1FJLbz8vtarUjxrF%2BvvS6LwjT0BzLTAjR%2F5uVviAMddfZphJ1s1wKmfLrEmnZaXomiR8PkhX2nYZMc4jLxkJa%2BomaUKKKMggdRFFCcCLLoe%2Bo", "https://vtbehaviour.commondatastorage.googleapis.com/1ea6d01132210234b1da26f181bdcefa423f883ed5b15bd42915b19f68e0604f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779640480&Signature=q34riu0M3M72fz%2FxMMZS6FzxbC%2B8Z1WiO4MLyitIqJjdW95CvaeHBdE50%2BQk2P%2BSgNInq83S55ECox7wveKcpQLScNK4nfIaUO2jJIzkPNEFvO%2F%2BE%2F5CuRCW2H4HWji84nlyWZ7rlT9tvRWINFyCeI0sMYjD2gCovuOfhbEz717%2BUcycH2xU64CcOUIB0JH5kJzclp2AK1E0qdtDf12RLMD5z9Xgy0Wv8ElKSr75JpXomp", "https://vtbehaviour.commondatastorage.googleapis.com/1ea6d01132210234b1da26f181bdcefa423f883ed5b15bd42915b19f68e0604f_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779640501&Signature=wQUBsRErARJ4flqai%2Fy45lWPUEVVpsxKIVhMiqVCcX3pSfwLxIUQD2aoderkcyUwUNFvaqQQ8jFN2XcbZcQZd2mYBvhNZQ8AxNhD%2BczvWObNrnN9MXmL7Yigcrf1ZfADDnHyk3ReVhUWSr5VW35SrWmrWcksCRf5egYC7hfcS0hqmYx%2F5%2B0iF7zlvKAWT9Iad4FU3zmas1Bri4p8csHlAX5zWpTWHflEQU5H2BddZyie8hc9vloTzOlLZTqmpy" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Norwell", "display_name": "Norwell", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1686, "URL": 1309, "hostname": 1474, "FileHash-MD5": 166, "FileHash-SHA1": 204, "IPv4": 152, "domain": 1177, "CIDR": 3, "email": 11, "IPv6": 1, "URI": 1, "CVE": 1, "SSLCertFingerprint": 2, "Mutex": 2 }, "indicator_count": 6189, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "6 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a132a66fa217054f3e57883", "name": "Fastly: find your muse + keep them on your radar * CAPE Sandbox", "description": "Optics at Altitude is a commercial drone photography and videography service based out of the South Shore, Massachusetts, and beyond, which provides high-quality imagery for a wide-variety of industries and needs.-443 Certificate Caissuers\thttp://secure.globalsign.com/cacert/cloudsslsha2g3.crt\n443 Certificate Ocsp\thttp://ocsp2.globalsign.com/cloudsslsha2g3\n443 Certificate Serialnumber\t0C3B770C982FCBFC7B00B74A\n443 Certificate Notafter\tApr 14 16:28:35 2019 GMT\n443 Certificate Version\t3\n443 Certificate Subject\tUS\n443 Certificate Subject\tCalifornia\n443 Certificate Subject\tSan Francisco\n443 Certificate Subject\tFastly, Inc\n443 Certificate Issuer\tBE\n443 Certificate Issuer\tGlobalSign nv-sa", "modified": "2026-05-24T16:42:14.218000", "created": "2026-05-24T16:42:14.218000", "tags": [ "ip address", "status code", "body length", "kb body", "sha256", "csv text", "altitude", "south shore", "uas imagery", "massachusetts", "marshfield", "scituate", "hingham", "norwell", "hanover", "pembroke", "epub document", "structure ebook", "zip document", "epub", "nigel poulton", "docker deep", "nielson book", "docker", "single book", "anna", "dive", "dive zero", "deep dive", "zero", "script", "ieedge", "squarespace", "drones", "title", "secchuamodel", "link", "static", "supporte", "marshfield ldap", "marshfield ssl", "certificate", "common name", "issued", "charter", "llc united", "statesunited", "new london", "diesel", "comcast ip", "derry village", "ssl certificate", "encrypt", "comcast cable", "communications", "boston", "key identifier", "x509v3 subject", "full name", "cus odigicert", "inc cndigicert", "global g2", "tls rsa", "ca1 validity", "cus stnew", "range", "cidr", "network name", "type", "status", "whois server", "entity squar30", "handle", "net198", "net1980000", "squar30", "varick st", "city", "new york", "stateprov", "postalcode", "orgtechhandle", "orgtechref", "orgabusehandle", "orgabuseref", "orgnochandle", "orgnocref", "p version", "address range", "span", "google public", "form", "doctype html", "google", "public dns", "head", "public", "footer", "body", "file type", "ascii text", "python script", "python", "writes shell", "unicode text", "utf8 text", "ascii", "writes", "sample", "persistence", "defense evasion", "info", "next", "performs dns", "united", "urls", "found", "https", "mitre attack", "network info", "processes extra", "t1055 process", "layer protocol", "phishing", "headers age", "homenet", "et info", "file hosting", "service domain", "domain", "dns lookup", "clientendpoint", "perimeter", "high", "informational", "domain related", "as54113", "top source", "top destination", "source source", "status domain", "tcp include", "udp include", "country united", "unique", "ja3 clients", "destination ip", "dest port", "ja3 ja3", "digest", "cache", "california", "san francisco", "fastly", "globalsign", "title pypi", "package", "a domains", "accept", "showing", "entries", "previous", "domains show", "search", "amazon ec2", "orgnocemail", "net75", "net750000", "amazon web", "services", "ip routing", "nethandle", "amazo4", "aws rpki", "historical ssl", "certificates", "first", "thumbprint", "graph summary", "algorithm", "number", "issuer", "cus cnlet", "x3 olet", "subject public", "key info", "key algorithm", "pdf document", "adobe portable", "document format", "default", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "sha1", "acrongl integ", "adc4240758", "shutdown", "sqlite version", "sqlite rollback", "utf8", "json", "creates", "journal", "malicious", "resolutions", "date", "detection", "hostmaster", "amazon legal", "dept", "amazon", "code", "email", "icann whois", "nv admin", "phone", "stateprovince", "tech", "gatsby", "golf", "hrhrhr" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779636742&Signature=0Jmd8OZhEoMcSIRjjLwJ25yOqQqGciJ%2Bi7fIHdY6hAZ943%2BagmRX%2BVjBhTYlLgakIWK9x6Xl42tsN8Zxr1F8%2B9UsiTGouw2FhmIYb0m%2BVstAqLsFZfxFVME005klDDValb5ctckQfmbabxNIeSo3vmrY3IDcc%2FGfcbCW6Iqp9O8UhbCjMEW208ycLJ%2FpHTi1oEgnBzteXKkR%2F6bkcgsXuMmv2zPR5aFV%2FRoRKG4d00Gf", "https://vtbehaviour.commondatastorage.googleapis.com/92be0ca27d8a8501a9e3647d71d4aa3cf9cc36c64f4a20f1af181c424cb18a4e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779638452&Signature=W7GSOCee0L88oD17mS9F7ugbL5UuvCROQTEX3x6zxE6iy%2Fq7d4R2VgKW6vrIVn5INn9P%2Bd4nE9bdDm9hFZfYZtWp2fA8kLWCXUIn9yyEalW3TZiqc3F0VaXhxyOt1z8RxWxNkSJ4q%2FiKIW0UIBNzP3Xb%2BS4HiU1ygKuUsKMrM94faA%2B%2FLvWo8blWHNZjcwJxB6tZER0I70vtmS%2BQUms49SUXQukji6eyu2GeJXt%2BrsVoCx", "https://vtbehaviour.commondatastorage.googleapis.com/8ed092fba4497e2cdde226956c589a21ccfb01c1a23305c029746d6f3f8441f2_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779638734&Signature=xtQED2V3PJ2BlKWGnzpYaInFIj0LtQ5HvUiHwVUnjQrf3nkdgTSOmKHoM8bt07LdXE2gP38gtUEORx1kvCz9WwS2vbQug9jFenQquTV1ymmuBzpRJ3ScOedOXYRUZ0xlMHMSKlEl7EDyuv5oI%2BbysetFZM7njE1QyFexdSfTFnaQLLOfOVYSrLignovntUHgLGqW%2B3pvMPXRK31YQ8G2uah9wKhgHX%2BvBuMBpVk%2Fu%2FB3k9m8DUZK", "https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779638904&Signature=sNLoXHL%2FJqR%2FKpCUpZ3xk1M3w2ix%2F0EztNMcyqjmOrRnpEfN2KtvqN%2BbjjNSOJZ60nF%2Blqn8e%2FCMW1hKcoVai1M%2BJhJchZCA5HTt9I%2FRxELce8C4AtkLuiJkLUydTO2Og2t9T5LjutTKwPeMWArNq9V2OX3NPY4my9NOxSl4azNDj3g2x0Bh%2B4cWRwh2kvoZOqEwQDfwSn1CPloWhsxGvXRWqmxgA5Qg0noBBB4dJGxNwoRKsOWF", "https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779639054&Signature=EEV1EitssGhRiArTQwwI46vPKgz7UanaRN35lG8rZ3aqSaByMgJMG4F%2BBZ3gxHg87k8HJ5ajkCxPtTqsKEvG4C7b9cxkNALabAkhAdOiUgQJcMsP2RYCOcgI%2BpyVmB2ibfAqUo8ZBKCEmQhHPScOb9P3ccZc4cKW7Y%2Fstw5FecP4ddOC%2FimKqWnvBdvueQ0MDbsW20AXvNupNpXm0o09LG91CjzmrHeBMEC%2FTNDhCblMEN2x5oRkK%2Fz7VX", "https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779639078&Signature=tzu4uNt492zFP%2BWaTxQzmPFHxea44DCMQdndQBcAY4YqVoVJ1UV6gsEPg8jB8shQPteUVKvm%2B46kCJpXntnbaegaLcNPwSYtTzGgpwWp13I2RzIYaaQoSBbQRNBF6y8v8Ql3l1FJLbz8vtarUjxrF%2BvvS6LwjT0BzLTAjR%2F5uVviAMddfZphJ1s1wKmfLrEmnZaXomiR8PkhX2nYZMc4jLxkJa%2BomaUKKKMggdRFFCcCLLoe%2Bo", "https://vtbehaviour.commondatastorage.googleapis.com/1ea6d01132210234b1da26f181bdcefa423f883ed5b15bd42915b19f68e0604f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779640480&Signature=q34riu0M3M72fz%2FxMMZS6FzxbC%2B8Z1WiO4MLyitIqJjdW95CvaeHBdE50%2BQk2P%2BSgNInq83S55ECox7wveKcpQLScNK4nfIaUO2jJIzkPNEFvO%2F%2BE%2F5CuRCW2H4HWji84nlyWZ7rlT9tvRWINFyCeI0sMYjD2gCovuOfhbEz717%2BUcycH2xU64CcOUIB0JH5kJzclp2AK1E0qdtDf12RLMD5z9Xgy0Wv8ElKSr75JpXomp", "https://vtbehaviour.commondatastorage.googleapis.com/1ea6d01132210234b1da26f181bdcefa423f883ed5b15bd42915b19f68e0604f_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779640501&Signature=wQUBsRErARJ4flqai%2Fy45lWPUEVVpsxKIVhMiqVCcX3pSfwLxIUQD2aoderkcyUwUNFvaqQQ8jFN2XcbZcQZd2mYBvhNZQ8AxNhD%2BczvWObNrnN9MXmL7Yigcrf1ZfADDnHyk3ReVhUWSr5VW35SrWmrWcksCRf5egYC7hfcS0hqmYx%2F5%2B0iF7zlvKAWT9Iad4FU3zmas1Bri4p8csHlAX5zWpTWHflEQU5H2BddZyie8hc9vloTzOlLZTqmpy" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Norwell", "display_name": "Norwell", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1686, "URL": 1309, "hostname": 1474, "FileHash-MD5": 166, "FileHash-SHA1": 204, "IPv4": 152, "domain": 1177, "CIDR": 3, "email": 11, "IPv6": 1, "URI": 1, "CVE": 1, "SSLCertFingerprint": 2, "Mutex": 2 }, "indicator_count": 6189, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "6 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a132a577896901b2c0b993b", "name": "Fastly: find your muse + keep them on your radar * CAPE Sandbox", "description": "Optics at Altitude is a commercial drone photography and videography service based out of the South Shore, Massachusetts, and beyond, which provides high-quality imagery for a wide-variety of industries and needs.-443 Certificate Caissuers\thttp://secure.globalsign.com/cacert/cloudsslsha2g3.crt\n443 Certificate Ocsp\thttp://ocsp2.globalsign.com/cloudsslsha2g3\n443 Certificate Serialnumber\t0C3B770C982FCBFC7B00B74A\n443 Certificate Notafter\tApr 14 16:28:35 2019 GMT\n443 Certificate Version\t3\n443 Certificate Subject\tUS\n443 Certificate Subject\tCalifornia\n443 Certificate Subject\tSan Francisco\n443 Certificate Subject\tFastly, Inc\n443 Certificate Issuer\tBE\n443 Certificate Issuer\tGlobalSign nv-sa", "modified": "2026-05-24T16:41:59.005000", "created": "2026-05-24T16:41:59.005000", "tags": [ "ip address", "status code", "body length", "kb body", "sha256", "csv text", "altitude", "south shore", "uas imagery", "massachusetts", "marshfield", "scituate", "hingham", "norwell", "hanover", "pembroke", "epub document", "structure ebook", "zip document", "epub", "nigel poulton", "docker deep", "nielson book", "docker", "single book", "anna", "dive", "dive zero", "deep dive", "zero", "script", "ieedge", "squarespace", "drones", "title", "secchuamodel", "link", "static", "supporte", "marshfield ldap", "marshfield ssl", "certificate", "common name", "issued", "charter", "llc united", "statesunited", "new london", "diesel", "comcast ip", "derry village", "ssl certificate", "encrypt", "comcast cable", "communications", "boston", "key identifier", "x509v3 subject", "full name", "cus odigicert", "inc cndigicert", "global g2", "tls rsa", "ca1 validity", "cus stnew", "range", "cidr", "network name", "type", "status", "whois server", "entity squar30", "handle", "net198", "net1980000", "squar30", "varick st", "city", "new york", "stateprov", "postalcode", "orgtechhandle", "orgtechref", "orgabusehandle", "orgabuseref", "orgnochandle", "orgnocref", "p version", "address range", "span", "google public", "form", "doctype html", "google", "public dns", "head", "public", "footer", "body", "file type", "ascii text", "python script", "python", "writes shell", "unicode text", "utf8 text", "ascii", "writes", "sample", "persistence", "defense evasion", "info", "next", "performs dns", "united", "urls", "found", "https", "mitre attack", "network info", "processes extra", "t1055 process", "layer protocol", "phishing", "headers age", "homenet", "et info", "file hosting", "service domain", "domain", "dns lookup", "clientendpoint", "perimeter", "high", "informational", "domain related", "as54113", "top source", "top destination", "source source", "status domain", "tcp include", "udp include", "country united", "unique", "ja3 clients", "destination ip", "dest port", "ja3 ja3", "digest", "cache", "california", "san francisco", "fastly", "globalsign", "title pypi", "package", "a domains", "accept", "showing", "entries", "previous", "domains show", "search", "amazon ec2", "orgnocemail", "net75", "net750000", "amazon web", "services", "ip routing", "nethandle", "amazo4", "aws rpki", "historical ssl", "certificates", "first", "thumbprint", "graph summary", "algorithm", "number", "issuer", "cus cnlet", "x3 olet", "subject public", "key info", "key algorithm", "pdf document", "adobe portable", "document format", "default", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "sha1", "acrongl integ", "adc4240758", "shutdown", "sqlite version", "sqlite rollback", "utf8", "json", "creates", "journal", "malicious", "resolutions", "date", "detection", "hostmaster", "amazon legal", "dept", "amazon", "code", "email", "icann whois", "nv admin", "phone", "stateprovince", "tech", "gatsby", "golf", "hrhrhr" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779636742&Signature=0Jmd8OZhEoMcSIRjjLwJ25yOqQqGciJ%2Bi7fIHdY6hAZ943%2BagmRX%2BVjBhTYlLgakIWK9x6Xl42tsN8Zxr1F8%2B9UsiTGouw2FhmIYb0m%2BVstAqLsFZfxFVME005klDDValb5ctckQfmbabxNIeSo3vmrY3IDcc%2FGfcbCW6Iqp9O8UhbCjMEW208ycLJ%2FpHTi1oEgnBzteXKkR%2F6bkcgsXuMmv2zPR5aFV%2FRoRKG4d00Gf", "https://vtbehaviour.commondatastorage.googleapis.com/92be0ca27d8a8501a9e3647d71d4aa3cf9cc36c64f4a20f1af181c424cb18a4e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779638452&Signature=W7GSOCee0L88oD17mS9F7ugbL5UuvCROQTEX3x6zxE6iy%2Fq7d4R2VgKW6vrIVn5INn9P%2Bd4nE9bdDm9hFZfYZtWp2fA8kLWCXUIn9yyEalW3TZiqc3F0VaXhxyOt1z8RxWxNkSJ4q%2FiKIW0UIBNzP3Xb%2BS4HiU1ygKuUsKMrM94faA%2B%2FLvWo8blWHNZjcwJxB6tZER0I70vtmS%2BQUms49SUXQukji6eyu2GeJXt%2BrsVoCx", "https://vtbehaviour.commondatastorage.googleapis.com/8ed092fba4497e2cdde226956c589a21ccfb01c1a23305c029746d6f3f8441f2_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779638734&Signature=xtQED2V3PJ2BlKWGnzpYaInFIj0LtQ5HvUiHwVUnjQrf3nkdgTSOmKHoM8bt07LdXE2gP38gtUEORx1kvCz9WwS2vbQug9jFenQquTV1ymmuBzpRJ3ScOedOXYRUZ0xlMHMSKlEl7EDyuv5oI%2BbysetFZM7njE1QyFexdSfTFnaQLLOfOVYSrLignovntUHgLGqW%2B3pvMPXRK31YQ8G2uah9wKhgHX%2BvBuMBpVk%2Fu%2FB3k9m8DUZK", "https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779638904&Signature=sNLoXHL%2FJqR%2FKpCUpZ3xk1M3w2ix%2F0EztNMcyqjmOrRnpEfN2KtvqN%2BbjjNSOJZ60nF%2Blqn8e%2FCMW1hKcoVai1M%2BJhJchZCA5HTt9I%2FRxELce8C4AtkLuiJkLUydTO2Og2t9T5LjutTKwPeMWArNq9V2OX3NPY4my9NOxSl4azNDj3g2x0Bh%2B4cWRwh2kvoZOqEwQDfwSn1CPloWhsxGvXRWqmxgA5Qg0noBBB4dJGxNwoRKsOWF", "https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779639054&Signature=EEV1EitssGhRiArTQwwI46vPKgz7UanaRN35lG8rZ3aqSaByMgJMG4F%2BBZ3gxHg87k8HJ5ajkCxPtTqsKEvG4C7b9cxkNALabAkhAdOiUgQJcMsP2RYCOcgI%2BpyVmB2ibfAqUo8ZBKCEmQhHPScOb9P3ccZc4cKW7Y%2Fstw5FecP4ddOC%2FimKqWnvBdvueQ0MDbsW20AXvNupNpXm0o09LG91CjzmrHeBMEC%2FTNDhCblMEN2x5oRkK%2Fz7VX", "https://vtbehaviour.commondatastorage.googleapis.com/4ac26c6b9045057df857c6994504138c0f11842f2f8cf54baa43830266dcd8fa_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779639078&Signature=tzu4uNt492zFP%2BWaTxQzmPFHxea44DCMQdndQBcAY4YqVoVJ1UV6gsEPg8jB8shQPteUVKvm%2B46kCJpXntnbaegaLcNPwSYtTzGgpwWp13I2RzIYaaQoSBbQRNBF6y8v8Ql3l1FJLbz8vtarUjxrF%2BvvS6LwjT0BzLTAjR%2F5uVviAMddfZphJ1s1wKmfLrEmnZaXomiR8PkhX2nYZMc4jLxkJa%2BomaUKKKMggdRFFCcCLLoe%2Bo", "https://vtbehaviour.commondatastorage.googleapis.com/1ea6d01132210234b1da26f181bdcefa423f883ed5b15bd42915b19f68e0604f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779640480&Signature=q34riu0M3M72fz%2FxMMZS6FzxbC%2B8Z1WiO4MLyitIqJjdW95CvaeHBdE50%2BQk2P%2BSgNInq83S55ECox7wveKcpQLScNK4nfIaUO2jJIzkPNEFvO%2F%2BE%2F5CuRCW2H4HWji84nlyWZ7rlT9tvRWINFyCeI0sMYjD2gCovuOfhbEz717%2BUcycH2xU64CcOUIB0JH5kJzclp2AK1E0qdtDf12RLMD5z9Xgy0Wv8ElKSr75JpXomp", "https://vtbehaviour.commondatastorage.googleapis.com/1ea6d01132210234b1da26f181bdcefa423f883ed5b15bd42915b19f68e0604f_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779640501&Signature=wQUBsRErARJ4flqai%2Fy45lWPUEVVpsxKIVhMiqVCcX3pSfwLxIUQD2aoderkcyUwUNFvaqQQ8jFN2XcbZcQZd2mYBvhNZQ8AxNhD%2BczvWObNrnN9MXmL7Yigcrf1ZfADDnHyk3ReVhUWSr5VW35SrWmrWcksCRf5egYC7hfcS0hqmYx%2F5%2B0iF7zlvKAWT9Iad4FU3zmas1Bri4p8csHlAX5zWpTWHflEQU5H2BddZyie8hc9vloTzOlLZTqmpy" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Norwell", "display_name": "Norwell", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1686, "URL": 1309, "hostname": 1474, "FileHash-MD5": 166, "FileHash-SHA1": 204, "IPv4": 152, "domain": 1177, "CIDR": 3, "email": 11, "IPv6": 1, "URI": 1, "CVE": 1, "SSLCertFingerprint": 2, "Mutex": 2 }, "indicator_count": 6189, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "6 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "694f0aa090aedc7e498b2e9a", "name": "Qakbot | *NEW Malware found and analyzed \u2022 IRS", "description": "IRS.GOV We have run several test on multiple machines/ devices PC , MacBook , iPhone , Android, Desktop hoping for better results. I believe proximity of most of the devices were well distanced , but have doubts. For this test IRS. GOV redirects payments to sawww4. or sa.www4. web addresses (example: 2fsa.www4.irs.gov) that now reads (connection error) during research. Pages still exist and will not process information. Still threatens levy no matter what (legal) information is entered. \n\nI\u2019m aware of Trump IRS proposals for 2026. The issue is taxpayers are being directed to alleged IRS employees or in person licensed CPA\u2019s. \n(sa. prefix Saudi Arabia?) SA. could be a prefix for anything including South Africa.", "modified": "2026-01-25T21:03:27.507000", "created": "2025-12-26T22:22:24.480000", "tags": [ "related tags", "none google", "win32", "united", "united states", "irs", "qakbot", "qbot", "inject", "keylogger", "botx", "active", "bot network", "et trojan", "hello ssl", "destination", "port", "unknown", "ciphersuite", "sessionid", "asnone", "write", "virustotal", "drweb", "vipre", "mcafee", "panda", "malware", "pandex!gen1", "et", "brazil as16625", "akamai", "united kingdom", "dynamicloader", "medium", "tls handshake", "failure", "yara rule", "high", "cape", "guard", "error", "delphi", "qakbot", "tlsv1", "entries", "iobit unikstall", "global", "read c", "rgba", "unicode", "memcommit", "delete", "msie", "windows nt", "next", "dock", "execution", "server header", "download", "suspicious", "specified", "logic", "web products", "present nov", "present dec", "present jun", "present oct", "present may", "aaaa", "next associated", "urls show", "scheme", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "contacted hosts", "ip address", "ascii text", "pattern match", "href", "mitre att", "ck id", "show technique", "ck matrix", "beginstring", "show process", "null", "refresh", "span", "hybrid", "general", "local", "path", "iframe", "click", "strings", "tools", "title", "look", "verify", "restart", "learn", "command", "name tactics", "informative", "adversaries", "spawns", "defense evasion", "t1480 execution", "adult content", "lol fun hackers" ], "references": [ "Start at https://www.irs.gov/ redirected to 2fsa.www4.irs.gov (connection error) irs.gov (active) Positive for all Malware", "IRS.GOV - Crypt3.BXVC ET Inject2.BIVE Win.Keylogger.Qbot-9987768-0 Win.Trojan.Qakbot-9988002-1 Win32:BotX-gen\\ [Trj]", "Pandex!gen1 Web Products", "Crypt3.BXVC IDS: Suspicious double Server Header", "Crypt3.BXVC IDS: Possible Kelihos.F EXE Download Common Structure", "Crypt3.BXVC IDS: Win32/Kelihos.F Checkin", "Crypt3.BXVC IDS: Fun Web Products Spyware User-Agent (FunWebProducts)", "Crypt3.BXVC IDS: Possible Kelihos Infection Executable Download With Malformed Header", "Crypt3.BXVC IDS: DNS Query for Suspicious .co.cc Domain", "Crypt3.BXVC IDS: Executable Download from dotted-quad Host", "Crypt3.BXVC IDS: Abuseat.org Block Message", "Crypt3.BXVC IDS: Executable Retrieved With Minimal HTTP", "Crypt3.BXVC IDS: PE EXE or DLL Windows file download HTTP", "Crypt3.BXVC IDS: Headers - Potential Second Stage Download", "Alerts: persistence_autorun sniffer_winpcap network_bind antivirus_virustotal network_http", "Alerts: network_icmp infostealer_browser recon_fingerprint infostealer_ftp network_smtp", "ET Trojan \u2022 https://otx.alienvault.com/indicator/file/43dbcee5aee3caab830ac840737bb591cfa99ae81f1280aeb38ad73ad9c317af" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "United Kingdom of Great Britain and Northern Ireland", "Canada", "Brazil", "Ireland", "India", "Georgia", "Singapore", "Spain", "Japan" ], "malware_families": [ { "id": "Inject2.BIVE", "display_name": "Inject2.BIVE", "target": null }, { "id": "Win.Keylogger.Qbot-9987768-0", "display_name": "Win.Keylogger.Qbot-9987768-0", "target": null }, { "id": "Win.Trojan.Qakbot-9988002-1", "display_name": "Win.Trojan.Qakbot-9988002-1", "target": null }, { "id": "Win32:BotX-gen\\ [Trj]", "display_name": "Win32:BotX-gen\\ [Trj]", "target": null }, { "id": "Crypt3.BXVC", "display_name": "Crypt3.BXVC", "target": null }, { "id": "Pandex!gen1", "display_name": "Pandex!gen1", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Web Products", "display_name": "Web Products", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" } ], "industries": [ "Finance", "Government", "IRS" ], "TLP": "green", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 158, "URL": 140, "hostname": 287, "FileHash-SHA256": 85, "FileHash-MD5": 110, "FileHash-SHA1": 77, "SSLCertFingerprint": 8 }, "indicator_count": 865, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "125 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "62221d71474b323d486dc3f2", "name": "WTF 2022", "description": "", "modified": "2022-04-03T00:00:55.161000", "created": "2022-03-04T14:08:49.518000", "tags": [], "references": [ "WTF.pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Kailula4", "id": "131997", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 587, "URL": 668, "hostname": 613, "domain": 1320, "FileHash-MD5": 59, "FileHash-SHA1": 2 }, "indicator_count": 3249, "is_author": false, "is_subscribing": null, "subscriber_count": 406, "modified_text": "1519 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "constants.py", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "constants.py", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780237575.2528152 }