{ "type": "Domain", "indicator": "contributing.md", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/contributing.md", "alexa": "http://www.alexa.com/siteinfo/contributing.md", "indicator": "contributing.md", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 2634194806, "indicator": "contributing.md", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 50, "pulses": [ { "id": "67aa04f81eb91601c0afbef4", "name": "LegionLoader exposed!", "description": "LegionLoader, also known as Satacom, CurlyGate, and RobotDropper, is an active downloader malware that has gained significant traction recently, amassing over 2,000 samples in weeks. The campaign appears to have started on December 19, 2024, with Brazil being the most affected country. The malware is delivered through drive-by downloads from insecure websites, often using the .monster TLD for malicious redirections. It employs anti-sandbox techniques and uses a multi-stage infection process. The initial MSI file extracts and executes a malicious DLL, which then downloads and executes a second stage payload. The final payload communicates with command and control servers to potentially download additional malware.", "modified": "2025-02-10T15:19:05.547000", "created": "2025-02-10T13:54:00.953000", "tags": [ "msi", "legionloader", "robotdropper", "dll injection", "brazil", "downloader", "curlygate", "anti-sandbox", "drive-by download", "multi-stage", "satacom" ], "references": [ "https://tehtris.com/en/blog/legionloader-exposed/" ], "public": 1, "adversary": "LegionLoader", "targeted_countries": [ "Brazil" ], "malware_families": [ { "id": "LegionLoader", "display_name": "LegionLoader", "target": null }, { "id": "Satacom", "display_name": "Satacom", "target": null }, { "id": "CurlyGate", "display_name": "CurlyGate", "target": null }, { "id": "RobotDropper", "display_name": "RobotDropper", "target": null } ], "attack_ids": [ { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1573.001", "name": "Symmetric Cryptography", "display_name": "T1573.001 - Symmetric Cryptography" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1055.002", "name": "Portable Executable Injection", "display_name": "T1055.002 - Portable Executable Injection" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1102.002", "name": "Bidirectional Communication", "display_name": "T1102.002 - Bidirectional Communication" }, { "id": "T1573.002", "name": "Asymmetric Cryptography", "display_name": "T1573.002 - Asymmetric Cryptography" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 54, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "domain": 39, "URL": 26, "FileHash-MD5": 21, "FileHash-SHA1": 17, "FileHash-SHA256": 43 }, "indicator_count": 146, "is_author": false, "is_subscribing": null, "subscriber_count": 386491, "modified_text": "474 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a0e936ce3f3ebd4b76fee29", "name": "MAV-en * VirusTotal report for setup-maven-master.zip", "description": "[The full text of the statement on the subject of human rights, as compiled by BBC Radio 4's Panorama, will be published on Wednesday, 27 March.. and will appear on BBC iPlayer]usernotificationsd, \"freeze_skip_reason:\" : \"none\",\n \"pid\" : 851,\n \"cpuTime\" : 0.52999799999999997,\n \"name\" : \"HeuristicInterpreter\",\n country_code\":\"US\",\"agent\":\"parsecd\\/1 (iPhone17,4; iPhone OS 26.3.1 23D8133) parsecd\\/", "modified": "2026-05-21T23:45:08.365000", "created": "2026-05-21T05:09:00.942000", "tags": [ "file type", "ascii", "ascii text", "java source", "json", "unicode text", "utf8 text", "c source", "sgml document", "creates", "persistence", "malicious", "next", "windows sandbox", "calls clear", "png image", "svg scalable", "vector graphics", "rgba", "crlf line", "ms windows", "title", "installer", "template", "pcx ver", "code helper", "helper", "plugin", "renderer", "ip address", "virustotal box", "apples sandbox", "sandbox sha256", "analysis date", "screnshots", "mitre attack", "dropped info", "processes extra", "overview zenbox", "linux verdict", "guest system", "ultimate file", "info file", "zip archive" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/366e8b8ac409bec588ae02fbd3fb9678f1feb43c5fec92670577bbe2c01c2b2e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779339747&Signature=R%2FOTx2wxfF3MkMsUAEbX76dOSFXtiY%2BBtXR6Kl7PxVGTXaylNjmhXaxofJAQ0RP2z7ICeXit4nmXky1HIQZnPX74ZyD16ICTt3%2BAXA6yZSU%2Fw%2Fks9M2Ju1xi3m8IMloiUH7Z9Le5L5Mlfrw5QO4ZO%2FgDHG3ATHUk0qk%2BFUT2gsjT8jS6aztZHjZo4xVQLlmmwWY2%2F8%2FKZejJlFptwLfMZEA%2BDW1ZbssKpkNsXZGu69SkdNPO9c", "https://vtbehaviour.commondatastorage.googleapis.com/366e8b8ac409bec588ae02fbd3fb9678f1feb43c5fec92670577bbe2c01c2b2e_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779339770&Signature=tPgwja3MWoODqbVlxhsock2mBa1WfALhB00A%2FSu4klEizmiV6VxM5y6vH%2FGm%2FFf67mLtz5mR6Mt17RKGQUPK11iYmQax86WhcCuxTpR0mDpo12tG4HAI5ht8qM4xgOQcjspEhBgsXPDvw2Np7e9trD0l8MytxvCqOuA7DVNdiUL2xvLNXAG1yCptFpvqyZo7kokLxp4RwsvDJuOrH8%2FGrNAOjdaHFQ8FWGhgkhyO6Q767Szi", "https://vtbehaviour.commondatastorage.googleapis.com/366e8b8ac409bec588ae02fbd3fb9678f1feb43c5fec92670577bbe2c01c2b2e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779339792&Signature=O6r4LzVdjNFj7wZVT%2B0a4%2BGemB4yEqip9waMS7NlonESXy80tfqV33UBqEEp8i%2B2qOg6S%2Ba4cSwzi3nXOtjSaUaFAI43DmvSsxq5Y5WsA8cMb4Ul6FhGON6Cr0JT1xoEMtACmSdxG8Vo%2Be4PVcu93v6CBeWMZnFb8exU8ku4GUDY8ZEFW%2FJqeu266wn59KD9gFKRwlqx3NuRzMLdwqMA7f9o6QLPcM8WWnB%2BkvJVFk3BnxJAfBn7T2JO", "https://vtbehaviour.commondatastorage.googleapis.com/f839e941d0d2b6d9c5d6fd9b8b9ea9d34629182973bb9cc8af28e1e3ccdbbdd4_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779339838&Signature=GgSFM3a3czj9g63hY67%2B%2FAyC%2FcGgMmTIqhErAonJ7vV9C8snHKwK0GtHZ6drm%2Fd%2BKaMonYJwSmh1LrRzYF9toBJc5rBwpR%2BPlsrS9EArViMI%2Bd%2Fb8ZZBHgqFsmCiiSWfzz4kIQRPM0RB4osCHqQxKmGW2i1uyWrytYjA4V%2FZREm1%2Bm2EEWx38PebvBFrM9pMznjF6rghFHp8ls6tzuolbXD4WUfR0OSoXjcAaAgihobJ%2FmOd", "https://vtbehaviour.commondatastorage.googleapis.com/e2f820daf9f578d5f3219ae8b3c6391017badf913a68c4aaac4e52c5155c566f_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779339867&Signature=l%2F%2BDGW7ZLqIfVvi1NOyg4%2FCgXPJBdSweWglJKW7iMb5GfnK0pX4yYYVL3OKkqrzAbMUcR2fqLUXHJfnMwSKBhQxjGR8LGF1nh7TeXxVGIQVh8kAyEZBCuXNHsZfzxR0zVbZfKAIEvC9D8S2%2FwBmpI6xztHiC7vmaJ5OhJD%2BoPDojRqXH2bmBpCz1XTZd7JphPNXRIbefZL4mR%2FrRe7o8WO2JHylOy9rIodNKKPEv5W9Q54%2BaA%2FG926", "https://vtbehaviour.commondatastorage.googleapis.com/44ea6ddc04caa89b23fb4acec5625975088c6079d823abfd8c77c95d4edc321b_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779339948&Signature=JA8BamPMfn7P8xM9CTv8ndNuaNtng0n%2Btofwj05768pJwsCB6Mgd6GU18%2BpNjCvwwZg%2F%2Bw0a2xOYIsvuqdDQAFzoO3jl3EUYKu7dPoOelD2NPrIcyCAHc8qKhqpPdjZKpo%2B8AJCxvO13OXHoSh94%2B%2Bht9h6mIJs8y7YO2CUo%2FqlV8M0fa5Px90aErgl%2BarD7%2ByQWlt0QD2caFKl%2BHViTViTx", "https://vtbehaviour.commondatastorage.googleapis.com/44ea6ddc04caa89b23fb4acec5625975088c6079d823abfd8c77c95d4edc321b_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779340034&Signature=tbq82yoC%2BAKXaH%2F2XjmRWiAbt911K91ltP8zHTYrstzi0i1UKrzJxM48ky9ypV%2B%2FvrYdgBnaOfI9MzgZH0C%2FOFJUaVJ3WB87ULkjglD%2F6GeEDDcPtDX%2BY6aw2%2Bb8WaJU2xLc%2F9JbwoTbPP0n83pJv1qe0KLqckLIjEN4iREH1zU%2FldO5TBRicvB%2BxjeAxpPFZnjNZmyFl%2FNHbavuuvRc%2FMNR0DbjnriB2Mub" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 204, "FileHash-SHA1": 90, "FileHash-SHA256": 1997, "IPv4": 49, "domain": 34, "hostname": 124, "URL": 429, "URI": 1, "CIDR": 16 }, "indicator_count": 2944, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "9 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a0e9725b323ae1350c36488", "name": "no comment", "description": "", "modified": "2026-05-21T06:52:08.577000", "created": "2026-05-21T05:24:53.947000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 366, "FileHash-SHA1": 366, "FileHash-SHA256": 5078, "IPv4": 44, "URL": 2414, "domain": 1305, "hostname": 366, "CIDR": 1, "email": 2, "Mutex": 1 }, "indicator_count": 9943, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "10 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a0e9725823bc1d6ac78350e", "name": "no comment", "description": "", "modified": "2026-05-21T06:37:36.247000", "created": "2026-05-21T05:24:53.229000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 35, "FileHash-SHA1": 35, "FileHash-SHA256": 679, "IPv4": 15, "URL": 200, "domain": 32, "hostname": 26 }, "indicator_count": 1022, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "10 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a0e891990e460b7c453f3c3", "name": "Spyware: Q. Vashti, VirusTotal Box of Apples Sandbox report", "description": "[Spyware: A complete list of words, phrases, symbols and symbols. and the full text of this page, published by Q.Vashti Public TLP, has been released.] Follow Q.Vashti, excellent researcher.", "modified": "2026-05-21T05:24:25.308000", "created": "2026-05-21T04:24:57.187000", "tags": [ "virustotal box", "apples sandbox", "sandbox sha256", "analysis date", "screnshots", "file", "operations", "process open", "write delete", "move time", "url https", "url http", "months ago", "spam author", "spyware created", "modified", "iiiii whoo", "maas", "scan", "iocs", "indicator role", "title added", "active related", "pulses url", "cloudflare", "net104", "net1040000", "cloud14", "cloud14 address", "townsend street", "city", "san francisco", "stateprov", "postalcode", "MA", "legal deadlock", "Compliance lock abuse", "Phone carrier interception 9999999999", "Plot", "Coordinated state abuse", "Enemy of the state", "Suppression", "Guard abuse", "the real fake admin of all domains and devices", "Mass", "Ina", "Maassina", "Signet" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/000033bb30ef26261f53f933a0f21cf4eed370bd987e081e0679898b3a6bddda_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779336524&Signature=O5n0S4aWPfyjTDJc05rzvbBhcbEoG8Ay%2Fz1o8K3hGVa9yUcttzmFeiPiaEhLbNVb9JiGIOIDKYipVl89pWQnYGXvGkFlwlFEXMP7Bk0zMMRedzKnp5vRpurrgLFfTgr%2BB1LVJyMVDEvDnGezrwX3d6OVEfW4XJ1w3he09Vvhr6fmuca3vBNMTc%2F%2BLGyb5JKBbQl06mGcymu8a2NNt8LXHTceDjZdRnfEyCWqn9" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 4288, "domain": 63, "IPv4": 4, "hostname": 207, "URL": 570, "FileHash-MD5": 39, "FileHash-SHA1": 40, "CIDR": 1, "email": 3 }, "indicator_count": 5215, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "10 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a0e935a4a7df45548fe942d", "name": "MAV-en * VirusTotal report for setup-maven-master.zip", "description": "[The full text of the statement on the subject of human rights, as compiled by BBC Radio 4's Panorama, will be published on Wednesday, 27 March.. and will appear on BBC iPlayer]usernotificationsd, \"freeze_skip_reason:\" : \"none\",\n \"pid\" : 851,\n \"cpuTime\" : 0.52999799999999997,\n \"name\" : \"HeuristicInterpreter\",\n country_code\":\"US\",\"agent\":\"parsecd\\/1 (iPhone17,4; iPhone OS 26.3.1 23D8133) parsecd\\/", "modified": "2026-05-21T05:21:46.242000", "created": "2026-05-21T05:08:42.394000", "tags": [ "file type", "ascii", "ascii text", "java source", "json", "unicode text", "utf8 text", "c source", "sgml document", "creates", "persistence", "malicious", "next", "windows sandbox", "calls clear", "png image", "svg scalable", "vector graphics", "rgba", "crlf line", "ms windows", "title", "installer", "template", "pcx ver", "code helper", "helper", "plugin", "renderer", "ip address", "virustotal box", "apples sandbox", "sandbox sha256", "analysis date", "screnshots", "mitre attack", "dropped info", "processes extra", "overview zenbox", "linux verdict", "guest system", "ultimate file", "info file", "zip archive" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/366e8b8ac409bec588ae02fbd3fb9678f1feb43c5fec92670577bbe2c01c2b2e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779339747&Signature=R%2FOTx2wxfF3MkMsUAEbX76dOSFXtiY%2BBtXR6Kl7PxVGTXaylNjmhXaxofJAQ0RP2z7ICeXit4nmXky1HIQZnPX74ZyD16ICTt3%2BAXA6yZSU%2Fw%2Fks9M2Ju1xi3m8IMloiUH7Z9Le5L5Mlfrw5QO4ZO%2FgDHG3ATHUk0qk%2BFUT2gsjT8jS6aztZHjZo4xVQLlmmwWY2%2F8%2FKZejJlFptwLfMZEA%2BDW1ZbssKpkNsXZGu69SkdNPO9c", "https://vtbehaviour.commondatastorage.googleapis.com/366e8b8ac409bec588ae02fbd3fb9678f1feb43c5fec92670577bbe2c01c2b2e_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779339770&Signature=tPgwja3MWoODqbVlxhsock2mBa1WfALhB00A%2FSu4klEizmiV6VxM5y6vH%2FGm%2FFf67mLtz5mR6Mt17RKGQUPK11iYmQax86WhcCuxTpR0mDpo12tG4HAI5ht8qM4xgOQcjspEhBgsXPDvw2Np7e9trD0l8MytxvCqOuA7DVNdiUL2xvLNXAG1yCptFpvqyZo7kokLxp4RwsvDJuOrH8%2FGrNAOjdaHFQ8FWGhgkhyO6Q767Szi", "https://vtbehaviour.commondatastorage.googleapis.com/366e8b8ac409bec588ae02fbd3fb9678f1feb43c5fec92670577bbe2c01c2b2e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779339792&Signature=O6r4LzVdjNFj7wZVT%2B0a4%2BGemB4yEqip9waMS7NlonESXy80tfqV33UBqEEp8i%2B2qOg6S%2Ba4cSwzi3nXOtjSaUaFAI43DmvSsxq5Y5WsA8cMb4Ul6FhGON6Cr0JT1xoEMtACmSdxG8Vo%2Be4PVcu93v6CBeWMZnFb8exU8ku4GUDY8ZEFW%2FJqeu266wn59KD9gFKRwlqx3NuRzMLdwqMA7f9o6QLPcM8WWnB%2BkvJVFk3BnxJAfBn7T2JO", "https://vtbehaviour.commondatastorage.googleapis.com/f839e941d0d2b6d9c5d6fd9b8b9ea9d34629182973bb9cc8af28e1e3ccdbbdd4_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779339838&Signature=GgSFM3a3czj9g63hY67%2B%2FAyC%2FcGgMmTIqhErAonJ7vV9C8snHKwK0GtHZ6drm%2Fd%2BKaMonYJwSmh1LrRzYF9toBJc5rBwpR%2BPlsrS9EArViMI%2Bd%2Fb8ZZBHgqFsmCiiSWfzz4kIQRPM0RB4osCHqQxKmGW2i1uyWrytYjA4V%2FZREm1%2Bm2EEWx38PebvBFrM9pMznjF6rghFHp8ls6tzuolbXD4WUfR0OSoXjcAaAgihobJ%2FmOd", "https://vtbehaviour.commondatastorage.googleapis.com/e2f820daf9f578d5f3219ae8b3c6391017badf913a68c4aaac4e52c5155c566f_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779339867&Signature=l%2F%2BDGW7ZLqIfVvi1NOyg4%2FCgXPJBdSweWglJKW7iMb5GfnK0pX4yYYVL3OKkqrzAbMUcR2fqLUXHJfnMwSKBhQxjGR8LGF1nh7TeXxVGIQVh8kAyEZBCuXNHsZfzxR0zVbZfKAIEvC9D8S2%2FwBmpI6xztHiC7vmaJ5OhJD%2BoPDojRqXH2bmBpCz1XTZd7JphPNXRIbefZL4mR%2FrRe7o8WO2JHylOy9rIodNKKPEv5W9Q54%2BaA%2FG926", "https://vtbehaviour.commondatastorage.googleapis.com/44ea6ddc04caa89b23fb4acec5625975088c6079d823abfd8c77c95d4edc321b_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779339948&Signature=JA8BamPMfn7P8xM9CTv8ndNuaNtng0n%2Btofwj05768pJwsCB6Mgd6GU18%2BpNjCvwwZg%2F%2Bw0a2xOYIsvuqdDQAFzoO3jl3EUYKu7dPoOelD2NPrIcyCAHc8qKhqpPdjZKpo%2B8AJCxvO13OXHoSh94%2B%2Bht9h6mIJs8y7YO2CUo%2FqlV8M0fa5Px90aErgl%2BarD7%2ByQWlt0QD2caFKl%2BHViTViTx", "https://vtbehaviour.commondatastorage.googleapis.com/44ea6ddc04caa89b23fb4acec5625975088c6079d823abfd8c77c95d4edc321b_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779340034&Signature=tbq82yoC%2BAKXaH%2F2XjmRWiAbt911K91ltP8zHTYrstzi0i1UKrzJxM48ky9ypV%2B%2FvrYdgBnaOfI9MzgZH0C%2FOFJUaVJ3WB87ULkjglD%2F6GeEDDcPtDX%2BY6aw2%2Bb8WaJU2xLc%2F9JbwoTbPP0n83pJv1qe0KLqckLIjEN4iREH1zU%2FldO5TBRicvB%2BxjeAxpPFZnjNZmyFl%2FNHbavuuvRc%2FMNR0DbjnriB2Mub" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 216, "FileHash-SHA1": 122, "FileHash-SHA256": 2487, "IPv4": 19, "domain": 47, "hostname": 73, "URL": 205, "URI": 1, "email": 1 }, "indicator_count": 3171, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "10 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a0e936aec67867b0f6d29f3", "name": "MAV-en * VirusTotal report for setup-maven-master.zip", "description": "[The full text of the statement on the subject of human rights, as compiled by BBC Radio 4's Panorama, will be published on Wednesday, 27 March.. and will appear on BBC iPlayer]usernotificationsd, \"freeze_skip_reason:\" : \"none\",\n \"pid\" : 851,\n \"cpuTime\" : 0.52999799999999997,\n \"name\" : \"HeuristicInterpreter\",\n country_code\":\"US\",\"agent\":\"parsecd\\/1 (iPhone17,4; iPhone OS 26.3.1 23D8133) parsecd\\/", "modified": "2026-05-21T05:13:23.417000", "created": "2026-05-21T05:08:58.537000", "tags": [ "file type", "ascii", "ascii text", "java source", "json", "unicode text", "utf8 text", "c source", "sgml document", "creates", "persistence", "malicious", "next", "windows sandbox", "calls clear", "png image", "svg scalable", "vector graphics", "rgba", "crlf line", "ms windows", "title", "installer", "template", "pcx ver", "code helper", "helper", "plugin", "renderer", "ip address", "virustotal box", "apples sandbox", "sandbox sha256", "analysis date", "screnshots", "mitre attack", "dropped info", "processes extra", "overview zenbox", "linux verdict", "guest system", "ultimate file", "info file", "zip archive" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/366e8b8ac409bec588ae02fbd3fb9678f1feb43c5fec92670577bbe2c01c2b2e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779339747&Signature=R%2FOTx2wxfF3MkMsUAEbX76dOSFXtiY%2BBtXR6Kl7PxVGTXaylNjmhXaxofJAQ0RP2z7ICeXit4nmXky1HIQZnPX74ZyD16ICTt3%2BAXA6yZSU%2Fw%2Fks9M2Ju1xi3m8IMloiUH7Z9Le5L5Mlfrw5QO4ZO%2FgDHG3ATHUk0qk%2BFUT2gsjT8jS6aztZHjZo4xVQLlmmwWY2%2F8%2FKZejJlFptwLfMZEA%2BDW1ZbssKpkNsXZGu69SkdNPO9c", "https://vtbehaviour.commondatastorage.googleapis.com/366e8b8ac409bec588ae02fbd3fb9678f1feb43c5fec92670577bbe2c01c2b2e_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779339770&Signature=tPgwja3MWoODqbVlxhsock2mBa1WfALhB00A%2FSu4klEizmiV6VxM5y6vH%2FGm%2FFf67mLtz5mR6Mt17RKGQUPK11iYmQax86WhcCuxTpR0mDpo12tG4HAI5ht8qM4xgOQcjspEhBgsXPDvw2Np7e9trD0l8MytxvCqOuA7DVNdiUL2xvLNXAG1yCptFpvqyZo7kokLxp4RwsvDJuOrH8%2FGrNAOjdaHFQ8FWGhgkhyO6Q767Szi", "https://vtbehaviour.commondatastorage.googleapis.com/366e8b8ac409bec588ae02fbd3fb9678f1feb43c5fec92670577bbe2c01c2b2e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779339792&Signature=O6r4LzVdjNFj7wZVT%2B0a4%2BGemB4yEqip9waMS7NlonESXy80tfqV33UBqEEp8i%2B2qOg6S%2Ba4cSwzi3nXOtjSaUaFAI43DmvSsxq5Y5WsA8cMb4Ul6FhGON6Cr0JT1xoEMtACmSdxG8Vo%2Be4PVcu93v6CBeWMZnFb8exU8ku4GUDY8ZEFW%2FJqeu266wn59KD9gFKRwlqx3NuRzMLdwqMA7f9o6QLPcM8WWnB%2BkvJVFk3BnxJAfBn7T2JO", "https://vtbehaviour.commondatastorage.googleapis.com/f839e941d0d2b6d9c5d6fd9b8b9ea9d34629182973bb9cc8af28e1e3ccdbbdd4_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779339838&Signature=GgSFM3a3czj9g63hY67%2B%2FAyC%2FcGgMmTIqhErAonJ7vV9C8snHKwK0GtHZ6drm%2Fd%2BKaMonYJwSmh1LrRzYF9toBJc5rBwpR%2BPlsrS9EArViMI%2Bd%2Fb8ZZBHgqFsmCiiSWfzz4kIQRPM0RB4osCHqQxKmGW2i1uyWrytYjA4V%2FZREm1%2Bm2EEWx38PebvBFrM9pMznjF6rghFHp8ls6tzuolbXD4WUfR0OSoXjcAaAgihobJ%2FmOd", "https://vtbehaviour.commondatastorage.googleapis.com/e2f820daf9f578d5f3219ae8b3c6391017badf913a68c4aaac4e52c5155c566f_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779339867&Signature=l%2F%2BDGW7ZLqIfVvi1NOyg4%2FCgXPJBdSweWglJKW7iMb5GfnK0pX4yYYVL3OKkqrzAbMUcR2fqLUXHJfnMwSKBhQxjGR8LGF1nh7TeXxVGIQVh8kAyEZBCuXNHsZfzxR0zVbZfKAIEvC9D8S2%2FwBmpI6xztHiC7vmaJ5OhJD%2BoPDojRqXH2bmBpCz1XTZd7JphPNXRIbefZL4mR%2FrRe7o8WO2JHylOy9rIodNKKPEv5W9Q54%2BaA%2FG926", "https://vtbehaviour.commondatastorage.googleapis.com/44ea6ddc04caa89b23fb4acec5625975088c6079d823abfd8c77c95d4edc321b_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779339948&Signature=JA8BamPMfn7P8xM9CTv8ndNuaNtng0n%2Btofwj05768pJwsCB6Mgd6GU18%2BpNjCvwwZg%2F%2Bw0a2xOYIsvuqdDQAFzoO3jl3EUYKu7dPoOelD2NPrIcyCAHc8qKhqpPdjZKpo%2B8AJCxvO13OXHoSh94%2B%2Bht9h6mIJs8y7YO2CUo%2FqlV8M0fa5Px90aErgl%2BarD7%2ByQWlt0QD2caFKl%2BHViTViTx", "https://vtbehaviour.commondatastorage.googleapis.com/44ea6ddc04caa89b23fb4acec5625975088c6079d823abfd8c77c95d4edc321b_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779340034&Signature=tbq82yoC%2BAKXaH%2F2XjmRWiAbt911K91ltP8zHTYrstzi0i1UKrzJxM48ky9ypV%2B%2FvrYdgBnaOfI9MzgZH0C%2FOFJUaVJ3WB87ULkjglD%2F6GeEDDcPtDX%2BY6aw2%2Bb8WaJU2xLc%2F9JbwoTbPP0n83pJv1qe0KLqckLIjEN4iREH1zU%2FldO5TBRicvB%2BxjeAxpPFZnjNZmyFl%2FNHbavuuvRc%2FMNR0DbjnriB2Mub" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 204, "FileHash-SHA1": 88, "FileHash-SHA256": 1993, "IPv4": 19, "domain": 34, "hostname": 60, "URL": 203, "URI": 1 }, "indicator_count": 2602, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "10 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a0e9368acb77419bf65660d", "name": "MAV-en * VirusTotal report for setup-maven-master.zip", "description": "[The full text of the statement on the subject of human rights, as compiled by BBC Radio 4's Panorama, will be published on Wednesday, 27 March.. and will appear on BBC iPlayer]usernotificationsd, \"freeze_skip_reason:\" : \"none\",\n \"pid\" : 851,\n \"cpuTime\" : 0.52999799999999997,\n \"name\" : \"HeuristicInterpreter\",\n country_code\":\"US\",\"agent\":\"parsecd\\/1 (iPhone17,4; iPhone OS 26.3.1 23D8133) parsecd\\/", "modified": "2026-05-21T05:13:16.005000", "created": "2026-05-21T05:08:56.934000", "tags": [ "file type", "ascii", "ascii text", "java source", "json", "unicode text", "utf8 text", "c source", "sgml document", "creates", "persistence", "malicious", "next", "windows sandbox", "calls clear", "png image", "svg scalable", "vector graphics", "rgba", "crlf line", "ms windows", "title", "installer", "template", "pcx ver", "code helper", "helper", "plugin", "renderer", "ip address", "virustotal box", "apples sandbox", "sandbox sha256", "analysis date", "screnshots", "mitre attack", "dropped info", "processes extra", "overview zenbox", "linux verdict", "guest system", "ultimate file", "info file", "zip archive" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/366e8b8ac409bec588ae02fbd3fb9678f1feb43c5fec92670577bbe2c01c2b2e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779339747&Signature=R%2FOTx2wxfF3MkMsUAEbX76dOSFXtiY%2BBtXR6Kl7PxVGTXaylNjmhXaxofJAQ0RP2z7ICeXit4nmXky1HIQZnPX74ZyD16ICTt3%2BAXA6yZSU%2Fw%2Fks9M2Ju1xi3m8IMloiUH7Z9Le5L5Mlfrw5QO4ZO%2FgDHG3ATHUk0qk%2BFUT2gsjT8jS6aztZHjZo4xVQLlmmwWY2%2F8%2FKZejJlFptwLfMZEA%2BDW1ZbssKpkNsXZGu69SkdNPO9c", "https://vtbehaviour.commondatastorage.googleapis.com/366e8b8ac409bec588ae02fbd3fb9678f1feb43c5fec92670577bbe2c01c2b2e_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779339770&Signature=tPgwja3MWoODqbVlxhsock2mBa1WfALhB00A%2FSu4klEizmiV6VxM5y6vH%2FGm%2FFf67mLtz5mR6Mt17RKGQUPK11iYmQax86WhcCuxTpR0mDpo12tG4HAI5ht8qM4xgOQcjspEhBgsXPDvw2Np7e9trD0l8MytxvCqOuA7DVNdiUL2xvLNXAG1yCptFpvqyZo7kokLxp4RwsvDJuOrH8%2FGrNAOjdaHFQ8FWGhgkhyO6Q767Szi", "https://vtbehaviour.commondatastorage.googleapis.com/366e8b8ac409bec588ae02fbd3fb9678f1feb43c5fec92670577bbe2c01c2b2e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779339792&Signature=O6r4LzVdjNFj7wZVT%2B0a4%2BGemB4yEqip9waMS7NlonESXy80tfqV33UBqEEp8i%2B2qOg6S%2Ba4cSwzi3nXOtjSaUaFAI43DmvSsxq5Y5WsA8cMb4Ul6FhGON6Cr0JT1xoEMtACmSdxG8Vo%2Be4PVcu93v6CBeWMZnFb8exU8ku4GUDY8ZEFW%2FJqeu266wn59KD9gFKRwlqx3NuRzMLdwqMA7f9o6QLPcM8WWnB%2BkvJVFk3BnxJAfBn7T2JO", "https://vtbehaviour.commondatastorage.googleapis.com/f839e941d0d2b6d9c5d6fd9b8b9ea9d34629182973bb9cc8af28e1e3ccdbbdd4_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779339838&Signature=GgSFM3a3czj9g63hY67%2B%2FAyC%2FcGgMmTIqhErAonJ7vV9C8snHKwK0GtHZ6drm%2Fd%2BKaMonYJwSmh1LrRzYF9toBJc5rBwpR%2BPlsrS9EArViMI%2Bd%2Fb8ZZBHgqFsmCiiSWfzz4kIQRPM0RB4osCHqQxKmGW2i1uyWrytYjA4V%2FZREm1%2Bm2EEWx38PebvBFrM9pMznjF6rghFHp8ls6tzuolbXD4WUfR0OSoXjcAaAgihobJ%2FmOd", "https://vtbehaviour.commondatastorage.googleapis.com/e2f820daf9f578d5f3219ae8b3c6391017badf913a68c4aaac4e52c5155c566f_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779339867&Signature=l%2F%2BDGW7ZLqIfVvi1NOyg4%2FCgXPJBdSweWglJKW7iMb5GfnK0pX4yYYVL3OKkqrzAbMUcR2fqLUXHJfnMwSKBhQxjGR8LGF1nh7TeXxVGIQVh8kAyEZBCuXNHsZfzxR0zVbZfKAIEvC9D8S2%2FwBmpI6xztHiC7vmaJ5OhJD%2BoPDojRqXH2bmBpCz1XTZd7JphPNXRIbefZL4mR%2FrRe7o8WO2JHylOy9rIodNKKPEv5W9Q54%2BaA%2FG926", "https://vtbehaviour.commondatastorage.googleapis.com/44ea6ddc04caa89b23fb4acec5625975088c6079d823abfd8c77c95d4edc321b_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779339948&Signature=JA8BamPMfn7P8xM9CTv8ndNuaNtng0n%2Btofwj05768pJwsCB6Mgd6GU18%2BpNjCvwwZg%2F%2Bw0a2xOYIsvuqdDQAFzoO3jl3EUYKu7dPoOelD2NPrIcyCAHc8qKhqpPdjZKpo%2B8AJCxvO13OXHoSh94%2B%2Bht9h6mIJs8y7YO2CUo%2FqlV8M0fa5Px90aErgl%2BarD7%2ByQWlt0QD2caFKl%2BHViTViTx", "https://vtbehaviour.commondatastorage.googleapis.com/44ea6ddc04caa89b23fb4acec5625975088c6079d823abfd8c77c95d4edc321b_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779340034&Signature=tbq82yoC%2BAKXaH%2F2XjmRWiAbt911K91ltP8zHTYrstzi0i1UKrzJxM48ky9ypV%2B%2FvrYdgBnaOfI9MzgZH0C%2FOFJUaVJ3WB87ULkjglD%2F6GeEDDcPtDX%2BY6aw2%2Bb8WaJU2xLc%2F9JbwoTbPP0n83pJv1qe0KLqckLIjEN4iREH1zU%2FldO5TBRicvB%2BxjeAxpPFZnjNZmyFl%2FNHbavuuvRc%2FMNR0DbjnriB2Mub" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 204, "FileHash-SHA1": 88, "FileHash-SHA256": 1993, "IPv4": 19, "domain": 34, "hostname": 60, "URL": 203, "URI": 1 }, "indicator_count": 2602, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "10 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a0e936b647274be6ed25227", "name": "MAV-en * VirusTotal report for setup-maven-master.zip", "description": "[The full text of the statement on the subject of human rights, as compiled by BBC Radio 4's Panorama, will be published on Wednesday, 27 March.. and will appear on BBC iPlayer]usernotificationsd, \"freeze_skip_reason:\" : \"none\",\n \"pid\" : 851,\n \"cpuTime\" : 0.52999799999999997,\n \"name\" : \"HeuristicInterpreter\",\n country_code\":\"US\",\"agent\":\"parsecd\\/1 (iPhone17,4; iPhone OS 26.3.1 23D8133) parsecd\\/", "modified": "2026-05-21T05:13:13.100000", "created": "2026-05-21T05:08:59.081000", "tags": [ "file type", "ascii", "ascii text", "java source", "json", "unicode text", "utf8 text", "c source", "sgml document", "creates", "persistence", "malicious", "next", "windows sandbox", "calls clear", "png image", "svg scalable", "vector graphics", "rgba", "crlf line", "ms windows", "title", "installer", "template", "pcx ver", "code helper", "helper", "plugin", "renderer", "ip address", "virustotal box", "apples sandbox", "sandbox sha256", "analysis date", "screnshots", "mitre attack", "dropped info", "processes extra", "overview zenbox", "linux verdict", "guest system", "ultimate file", "info file", "zip archive" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/366e8b8ac409bec588ae02fbd3fb9678f1feb43c5fec92670577bbe2c01c2b2e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779339747&Signature=R%2FOTx2wxfF3MkMsUAEbX76dOSFXtiY%2BBtXR6Kl7PxVGTXaylNjmhXaxofJAQ0RP2z7ICeXit4nmXky1HIQZnPX74ZyD16ICTt3%2BAXA6yZSU%2Fw%2Fks9M2Ju1xi3m8IMloiUH7Z9Le5L5Mlfrw5QO4ZO%2FgDHG3ATHUk0qk%2BFUT2gsjT8jS6aztZHjZo4xVQLlmmwWY2%2F8%2FKZejJlFptwLfMZEA%2BDW1ZbssKpkNsXZGu69SkdNPO9c", "https://vtbehaviour.commondatastorage.googleapis.com/366e8b8ac409bec588ae02fbd3fb9678f1feb43c5fec92670577bbe2c01c2b2e_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779339770&Signature=tPgwja3MWoODqbVlxhsock2mBa1WfALhB00A%2FSu4klEizmiV6VxM5y6vH%2FGm%2FFf67mLtz5mR6Mt17RKGQUPK11iYmQax86WhcCuxTpR0mDpo12tG4HAI5ht8qM4xgOQcjspEhBgsXPDvw2Np7e9trD0l8MytxvCqOuA7DVNdiUL2xvLNXAG1yCptFpvqyZo7kokLxp4RwsvDJuOrH8%2FGrNAOjdaHFQ8FWGhgkhyO6Q767Szi", "https://vtbehaviour.commondatastorage.googleapis.com/366e8b8ac409bec588ae02fbd3fb9678f1feb43c5fec92670577bbe2c01c2b2e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779339792&Signature=O6r4LzVdjNFj7wZVT%2B0a4%2BGemB4yEqip9waMS7NlonESXy80tfqV33UBqEEp8i%2B2qOg6S%2Ba4cSwzi3nXOtjSaUaFAI43DmvSsxq5Y5WsA8cMb4Ul6FhGON6Cr0JT1xoEMtACmSdxG8Vo%2Be4PVcu93v6CBeWMZnFb8exU8ku4GUDY8ZEFW%2FJqeu266wn59KD9gFKRwlqx3NuRzMLdwqMA7f9o6QLPcM8WWnB%2BkvJVFk3BnxJAfBn7T2JO", "https://vtbehaviour.commondatastorage.googleapis.com/f839e941d0d2b6d9c5d6fd9b8b9ea9d34629182973bb9cc8af28e1e3ccdbbdd4_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779339838&Signature=GgSFM3a3czj9g63hY67%2B%2FAyC%2FcGgMmTIqhErAonJ7vV9C8snHKwK0GtHZ6drm%2Fd%2BKaMonYJwSmh1LrRzYF9toBJc5rBwpR%2BPlsrS9EArViMI%2Bd%2Fb8ZZBHgqFsmCiiSWfzz4kIQRPM0RB4osCHqQxKmGW2i1uyWrytYjA4V%2FZREm1%2Bm2EEWx38PebvBFrM9pMznjF6rghFHp8ls6tzuolbXD4WUfR0OSoXjcAaAgihobJ%2FmOd", "https://vtbehaviour.commondatastorage.googleapis.com/e2f820daf9f578d5f3219ae8b3c6391017badf913a68c4aaac4e52c5155c566f_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779339867&Signature=l%2F%2BDGW7ZLqIfVvi1NOyg4%2FCgXPJBdSweWglJKW7iMb5GfnK0pX4yYYVL3OKkqrzAbMUcR2fqLUXHJfnMwSKBhQxjGR8LGF1nh7TeXxVGIQVh8kAyEZBCuXNHsZfzxR0zVbZfKAIEvC9D8S2%2FwBmpI6xztHiC7vmaJ5OhJD%2BoPDojRqXH2bmBpCz1XTZd7JphPNXRIbefZL4mR%2FrRe7o8WO2JHylOy9rIodNKKPEv5W9Q54%2BaA%2FG926", "https://vtbehaviour.commondatastorage.googleapis.com/44ea6ddc04caa89b23fb4acec5625975088c6079d823abfd8c77c95d4edc321b_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779339948&Signature=JA8BamPMfn7P8xM9CTv8ndNuaNtng0n%2Btofwj05768pJwsCB6Mgd6GU18%2BpNjCvwwZg%2F%2Bw0a2xOYIsvuqdDQAFzoO3jl3EUYKu7dPoOelD2NPrIcyCAHc8qKhqpPdjZKpo%2B8AJCxvO13OXHoSh94%2B%2Bht9h6mIJs8y7YO2CUo%2FqlV8M0fa5Px90aErgl%2BarD7%2ByQWlt0QD2caFKl%2BHViTViTx", "https://vtbehaviour.commondatastorage.googleapis.com/44ea6ddc04caa89b23fb4acec5625975088c6079d823abfd8c77c95d4edc321b_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779340034&Signature=tbq82yoC%2BAKXaH%2F2XjmRWiAbt911K91ltP8zHTYrstzi0i1UKrzJxM48ky9ypV%2B%2FvrYdgBnaOfI9MzgZH0C%2FOFJUaVJ3WB87ULkjglD%2F6GeEDDcPtDX%2BY6aw2%2Bb8WaJU2xLc%2F9JbwoTbPP0n83pJv1qe0KLqckLIjEN4iREH1zU%2FldO5TBRicvB%2BxjeAxpPFZnjNZmyFl%2FNHbavuuvRc%2FMNR0DbjnriB2Mub" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 204, "FileHash-SHA1": 88, "FileHash-SHA256": 1993, "IPv4": 19, "domain": 34, "hostname": 60, "URL": 203, "URI": 1 }, "indicator_count": 2602, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "10 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a0e936cb4a9e6db51876ae2", "name": "MAV-en * VirusTotal report for setup-maven-master.zip", "description": "[The full text of the statement on the subject of human rights, as compiled by BBC Radio 4's Panorama, will be published on Wednesday, 27 March.. and will appear on BBC iPlayer]usernotificationsd, \"freeze_skip_reason:\" : \"none\",\n \"pid\" : 851,\n \"cpuTime\" : 0.52999799999999997,\n \"name\" : \"HeuristicInterpreter\",\n country_code\":\"US\",\"agent\":\"parsecd\\/1 (iPhone17,4; iPhone OS 26.3.1 23D8133) parsecd\\/", "modified": "2026-05-21T05:13:12.402000", "created": "2026-05-21T05:09:00.401000", "tags": [ "file type", "ascii", "ascii text", "java source", "json", "unicode text", "utf8 text", "c source", "sgml document", "creates", "persistence", "malicious", "next", "windows sandbox", "calls clear", "png image", "svg scalable", "vector graphics", "rgba", "crlf line", "ms windows", "title", "installer", "template", "pcx ver", "code helper", "helper", "plugin", "renderer", "ip address", "virustotal box", "apples sandbox", "sandbox sha256", "analysis date", "screnshots", "mitre attack", "dropped info", "processes extra", "overview zenbox", "linux verdict", "guest system", "ultimate file", "info file", "zip archive" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/366e8b8ac409bec588ae02fbd3fb9678f1feb43c5fec92670577bbe2c01c2b2e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779339747&Signature=R%2FOTx2wxfF3MkMsUAEbX76dOSFXtiY%2BBtXR6Kl7PxVGTXaylNjmhXaxofJAQ0RP2z7ICeXit4nmXky1HIQZnPX74ZyD16ICTt3%2BAXA6yZSU%2Fw%2Fks9M2Ju1xi3m8IMloiUH7Z9Le5L5Mlfrw5QO4ZO%2FgDHG3ATHUk0qk%2BFUT2gsjT8jS6aztZHjZo4xVQLlmmwWY2%2F8%2FKZejJlFptwLfMZEA%2BDW1ZbssKpkNsXZGu69SkdNPO9c", "https://vtbehaviour.commondatastorage.googleapis.com/366e8b8ac409bec588ae02fbd3fb9678f1feb43c5fec92670577bbe2c01c2b2e_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779339770&Signature=tPgwja3MWoODqbVlxhsock2mBa1WfALhB00A%2FSu4klEizmiV6VxM5y6vH%2FGm%2FFf67mLtz5mR6Mt17RKGQUPK11iYmQax86WhcCuxTpR0mDpo12tG4HAI5ht8qM4xgOQcjspEhBgsXPDvw2Np7e9trD0l8MytxvCqOuA7DVNdiUL2xvLNXAG1yCptFpvqyZo7kokLxp4RwsvDJuOrH8%2FGrNAOjdaHFQ8FWGhgkhyO6Q767Szi", "https://vtbehaviour.commondatastorage.googleapis.com/366e8b8ac409bec588ae02fbd3fb9678f1feb43c5fec92670577bbe2c01c2b2e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779339792&Signature=O6r4LzVdjNFj7wZVT%2B0a4%2BGemB4yEqip9waMS7NlonESXy80tfqV33UBqEEp8i%2B2qOg6S%2Ba4cSwzi3nXOtjSaUaFAI43DmvSsxq5Y5WsA8cMb4Ul6FhGON6Cr0JT1xoEMtACmSdxG8Vo%2Be4PVcu93v6CBeWMZnFb8exU8ku4GUDY8ZEFW%2FJqeu266wn59KD9gFKRwlqx3NuRzMLdwqMA7f9o6QLPcM8WWnB%2BkvJVFk3BnxJAfBn7T2JO", "https://vtbehaviour.commondatastorage.googleapis.com/f839e941d0d2b6d9c5d6fd9b8b9ea9d34629182973bb9cc8af28e1e3ccdbbdd4_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779339838&Signature=GgSFM3a3czj9g63hY67%2B%2FAyC%2FcGgMmTIqhErAonJ7vV9C8snHKwK0GtHZ6drm%2Fd%2BKaMonYJwSmh1LrRzYF9toBJc5rBwpR%2BPlsrS9EArViMI%2Bd%2Fb8ZZBHgqFsmCiiSWfzz4kIQRPM0RB4osCHqQxKmGW2i1uyWrytYjA4V%2FZREm1%2Bm2EEWx38PebvBFrM9pMznjF6rghFHp8ls6tzuolbXD4WUfR0OSoXjcAaAgihobJ%2FmOd", "https://vtbehaviour.commondatastorage.googleapis.com/e2f820daf9f578d5f3219ae8b3c6391017badf913a68c4aaac4e52c5155c566f_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779339867&Signature=l%2F%2BDGW7ZLqIfVvi1NOyg4%2FCgXPJBdSweWglJKW7iMb5GfnK0pX4yYYVL3OKkqrzAbMUcR2fqLUXHJfnMwSKBhQxjGR8LGF1nh7TeXxVGIQVh8kAyEZBCuXNHsZfzxR0zVbZfKAIEvC9D8S2%2FwBmpI6xztHiC7vmaJ5OhJD%2BoPDojRqXH2bmBpCz1XTZd7JphPNXRIbefZL4mR%2FrRe7o8WO2JHylOy9rIodNKKPEv5W9Q54%2BaA%2FG926", "https://vtbehaviour.commondatastorage.googleapis.com/44ea6ddc04caa89b23fb4acec5625975088c6079d823abfd8c77c95d4edc321b_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779339948&Signature=JA8BamPMfn7P8xM9CTv8ndNuaNtng0n%2Btofwj05768pJwsCB6Mgd6GU18%2BpNjCvwwZg%2F%2Bw0a2xOYIsvuqdDQAFzoO3jl3EUYKu7dPoOelD2NPrIcyCAHc8qKhqpPdjZKpo%2B8AJCxvO13OXHoSh94%2B%2Bht9h6mIJs8y7YO2CUo%2FqlV8M0fa5Px90aErgl%2BarD7%2ByQWlt0QD2caFKl%2BHViTViTx", "https://vtbehaviour.commondatastorage.googleapis.com/44ea6ddc04caa89b23fb4acec5625975088c6079d823abfd8c77c95d4edc321b_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779340034&Signature=tbq82yoC%2BAKXaH%2F2XjmRWiAbt911K91ltP8zHTYrstzi0i1UKrzJxM48ky9ypV%2B%2FvrYdgBnaOfI9MzgZH0C%2FOFJUaVJ3WB87ULkjglD%2F6GeEDDcPtDX%2BY6aw2%2Bb8WaJU2xLc%2F9JbwoTbPP0n83pJv1qe0KLqckLIjEN4iREH1zU%2FldO5TBRicvB%2BxjeAxpPFZnjNZmyFl%2FNHbavuuvRc%2FMNR0DbjnriB2Mub" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 204, "FileHash-SHA1": 88, "FileHash-SHA256": 1993, "IPv4": 19, "domain": 34, "hostname": 60, "URL": 203, "URI": 1 }, "indicator_count": 2602, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "10 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a0dad06d8bb37ada19229bc", "name": "Credit:Q.Vashti [Exposing_Malware_in20_Linnux] - clone >post today had related items", "description": "", "modified": "2026-05-20T12:45:58.360000", "created": "2026-05-20T12:45:58.360000", "tags": [ "ipv4", "url http", "expiration", "url https", "eid1338769034", "united", "unknown ns", "present jun", "unknown cname", "name servers", "search", "servers", "showing", "ip address", "creation date", "date", "encrypt", "sha256", "submitted", "passive dns", "urls", "address", "xmpg", "malware", "span", "extgstate", "bbox", "subtypeform", "rlength", "resource", "rfit", "pattern match", "path", "code", "cobalt strike", "false", "cloud", "core", "footer", "meta", "black", "ransomware", "r980", "facebook", "discord", "stream", "form", "contact", "story", "february", "rats", "stack", "defense", "launcher", "trace", "august", "hellokitty", "twitter", "upgrade", "android", "decryptor", "green", "enterprise", "team", "small", "systemd", "service", "python", "shell", "reload", "find", "haiduc", "hybrid", "general", "suspicious", "click", "strings", "iframe", "loader", "tools", "template", "daily", "hypervisor", "capture", "stars", "download", "copy", "cobaltstrike", "install", "madcap", "protect", "shift", "beyond", "leverage", "agent", "info", "xmrig", "attack", "demonbot", "multi", "live", "grep", "pass", "ri falsek", "process", "xobject", "format", "june", "crypto", "close", "learn", "ck id", "name tactics", "informative", "adversaries", "command", "defense evasion", "apis", "found" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1489", "name": "Service Stop", "display_name": "T1489 - Service Stop" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" }, { "id": "T1530", "name": "Data from Cloud Storage Object", "display_name": "T1530 - Data from Cloud Storage Object" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" } ], "industries": [], "TLP": "green", "cloned_from": "684690d6dc730b0842d341a7", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 39, "FileHash-SHA1": 48, "FileHash-SHA256": 67, "domain": 173, "hostname": 110, "URL": 429, "email": 10 }, "indicator_count": 876, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "10 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a0dacb22ae45efab0266fc2", "name": "Credit:Q.Vashti [Exposing_Malware_in20_Linnux] - clone >post today had related items", "description": "", "modified": "2026-05-20T12:44:34.775000", "created": "2026-05-20T12:44:34.775000", "tags": [ "ipv4", "url http", "expiration", "url https", "eid1338769034", "united", "unknown ns", "present jun", "unknown cname", "name servers", "search", "servers", "showing", "ip address", "creation date", "date", "encrypt", "sha256", "submitted", "passive dns", "urls", "address", "xmpg", "malware", "span", "extgstate", "bbox", "subtypeform", "rlength", "resource", "rfit", "pattern match", "path", "code", "cobalt strike", "false", "cloud", "core", "footer", "meta", "black", "ransomware", "r980", "facebook", "discord", "stream", "form", "contact", "story", "february", "rats", "stack", "defense", "launcher", "trace", "august", "hellokitty", "twitter", "upgrade", "android", "decryptor", "green", "enterprise", "team", "small", "systemd", "service", "python", "shell", "reload", "find", "haiduc", "hybrid", "general", "suspicious", "click", "strings", "iframe", "loader", "tools", "template", "daily", "hypervisor", "capture", "stars", "download", "copy", "cobaltstrike", "install", "madcap", "protect", "shift", "beyond", "leverage", "agent", "info", "xmrig", "attack", "demonbot", "multi", "live", "grep", "pass", "ri falsek", "process", "xobject", "format", "june", "crypto", "close", "learn", "ck id", "name tactics", "informative", "adversaries", "command", "defense evasion", "apis", "found" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1489", "name": "Service Stop", "display_name": "T1489 - Service Stop" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" }, { "id": "T1530", "name": "Data from Cloud Storage Object", "display_name": "T1530 - Data from Cloud Storage Object" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" } ], "industries": [], "TLP": "green", "cloned_from": "684690d6dc730b0842d341a7", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 39, "FileHash-SHA1": 48, "FileHash-SHA256": 67, "domain": 173, "hostname": 110, "URL": 429, "email": 10 }, "indicator_count": 876, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "10 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a0dacb2971f3103a0dddbcc", "name": "Credit:Q.Vashti [Exposing_Malware_in20_Linnux] - clone >post today had related items", "description": "", "modified": "2026-05-20T12:44:34.547000", "created": "2026-05-20T12:44:34.547000", "tags": [ "ipv4", "url http", "expiration", "url https", "eid1338769034", "united", "unknown ns", "present jun", "unknown cname", "name servers", "search", "servers", "showing", "ip address", "creation date", "date", "encrypt", "sha256", "submitted", "passive dns", "urls", "address", "xmpg", "malware", "span", "extgstate", "bbox", "subtypeform", "rlength", "resource", "rfit", "pattern match", "path", "code", "cobalt strike", "false", "cloud", "core", "footer", "meta", "black", "ransomware", "r980", "facebook", "discord", "stream", "form", "contact", "story", "february", "rats", "stack", "defense", "launcher", "trace", "august", "hellokitty", "twitter", "upgrade", "android", "decryptor", "green", "enterprise", "team", "small", "systemd", "service", "python", "shell", "reload", "find", "haiduc", "hybrid", "general", "suspicious", "click", "strings", "iframe", "loader", "tools", "template", "daily", "hypervisor", "capture", "stars", "download", "copy", "cobaltstrike", "install", "madcap", "protect", "shift", "beyond", "leverage", "agent", "info", "xmrig", "attack", "demonbot", "multi", "live", "grep", "pass", "ri falsek", "process", "xobject", "format", "june", "crypto", "close", "learn", "ck id", "name tactics", "informative", "adversaries", "command", "defense evasion", "apis", "found" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1489", "name": "Service Stop", "display_name": "T1489 - Service Stop" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" }, { "id": "T1530", "name": "Data from Cloud Storage Object", "display_name": "T1530 - Data from Cloud Storage Object" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" } ], "industries": [], "TLP": "green", "cloned_from": "684690d6dc730b0842d341a7", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 39, "FileHash-SHA1": 48, "FileHash-SHA256": 67, "domain": 173, "hostname": 110, "URL": 429, "email": 10 }, "indicator_count": 876, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "10 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d7a3f6f81dc2388c0fa027", "name": "VirusTotal report\n for flow-browser-main.zip", "description": "A sample of flow-browser-main, an unauthorised version of the web browser, has been detected by researchers at the University of California, Los Angeles, and the National Security Agency (NSA). myvzw.com after an email on ending a #", "modified": "2026-05-09T12:10:59.635000", "created": "2026-04-09T13:04:54.563000", "tags": [ "file type", "png image", "ascii", "ascii text", "java source", "json", "rgba", "creates", "crlf line", "mac os", "date", "malicious", "next", "button", "span", "edit3icon", "rotateccwicon", "xicon", "htmldivelement", "react", "saveicon", "null", "shortcutitem", "click", "zip archive", "png multimedia", "graphics" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/087797e64cf016f13eac46473b4150d49c7eba564c894300f69bc643b059c980_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775739500&Signature=r1pLCgJf%2FQK8TvenCwXy9bnghFzjJ5QssdQSLP37SLv6EkA3WXuFUIvKrsXKokco7bMfQUy%2FArk8F6aP%2Bhaj16Jv7P%2FGB%2Blf7mPvs47VjwfBJRCP8AZLlWvO45%2BjC68v798csdJFPTP31O4yDOE3pXZ3EThm4nSrIwLPhTSPfi3cPlEh2wLSzcySW7BYLw%2BqCoawFCxeLUz7hIV0vC89Mlwi3DeS%2BEnWFF%2FsvT9lVJjdbLoJLEeO", "https://vtbehaviour.commondatastorage.googleapis.com/087797e64cf016f13eac46473b4150d49c7eba564c894300f69bc643b059c980_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775739700&Signature=bOTo%2FxCpGDGOsIKJDZjBBhLZRg8UiOGi%2FvVr47Xpmh7tOh9dez7911bi%2F9SUdu4ATLhzRVog%2BdVP%2BUPwTuEfIdEcPuGRGVc1KOSP3fTQrKhRjF3x2dqykxVCH%2B1iqBmCgod%2B1uAdlraxqSOeOgst1l%2Bk250uXff4axktE%2BfGjeNDeGJao%2FfOMktqIL7zU8%2BIQYTObwelnnYx45FBSiXI1bWM4vhdgIX4cs2cT%2F" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 218, "FileHash-MD5": 558, "FileHash-SHA1": 564, "FileHash-SHA256": 558, "URL": 119, "hostname": 133, "email": 4 }, "indicator_count": 2154, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "21 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d7a3f683111bbbe1c9ae35", "name": "VirusTotal report\n for flow-browser-main.zip", "description": "A sample of flow-browser-main, an unauthorised version of the web browser, has been detected by researchers at the University of California, Los Angeles, and the National Security Agency (NSA). myvzw.com after an email on ending a #", "modified": "2026-05-09T12:10:59.635000", "created": "2026-04-09T13:04:54.775000", "tags": [ "file type", "png image", "ascii", "ascii text", "java source", "json", "rgba", "creates", "crlf line", "mac os", "date", "malicious", "next", "button", "span", "edit3icon", "rotateccwicon", "xicon", "htmldivelement", "react", "saveicon", "null", "shortcutitem", "click", "zip archive", "png multimedia", "graphics" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/087797e64cf016f13eac46473b4150d49c7eba564c894300f69bc643b059c980_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775739500&Signature=r1pLCgJf%2FQK8TvenCwXy9bnghFzjJ5QssdQSLP37SLv6EkA3WXuFUIvKrsXKokco7bMfQUy%2FArk8F6aP%2Bhaj16Jv7P%2FGB%2Blf7mPvs47VjwfBJRCP8AZLlWvO45%2BjC68v798csdJFPTP31O4yDOE3pXZ3EThm4nSrIwLPhTSPfi3cPlEh2wLSzcySW7BYLw%2BqCoawFCxeLUz7hIV0vC89Mlwi3DeS%2BEnWFF%2FsvT9lVJjdbLoJLEeO", "https://vtbehaviour.commondatastorage.googleapis.com/087797e64cf016f13eac46473b4150d49c7eba564c894300f69bc643b059c980_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775739700&Signature=bOTo%2FxCpGDGOsIKJDZjBBhLZRg8UiOGi%2FvVr47Xpmh7tOh9dez7911bi%2F9SUdu4ATLhzRVog%2BdVP%2BUPwTuEfIdEcPuGRGVc1KOSP3fTQrKhRjF3x2dqykxVCH%2B1iqBmCgod%2B1uAdlraxqSOeOgst1l%2Bk250uXff4axktE%2BfGjeNDeGJao%2FfOMktqIL7zU8%2BIQYTObwelnnYx45FBSiXI1bWM4vhdgIX4cs2cT%2F" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 218, "FileHash-MD5": 558, "FileHash-SHA1": 564, "FileHash-SHA256": 558, "URL": 119, "hostname": 133, "email": 4 }, "indicator_count": 2154, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "21 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d7a3f6657dd0c212d8344a", "name": "VirusTotal report\n for flow-browser-main.zip", "description": "A sample of flow-browser-main, an unauthorised version of the web browser, has been detected by researchers at the University of California, Los Angeles, and the National Security Agency (NSA). myvzw.com after an email on ending a #", "modified": "2026-05-09T12:10:59.635000", "created": "2026-04-09T13:04:54.060000", "tags": [ "file type", "png image", "ascii", "ascii text", "java source", "json", "rgba", "creates", "crlf line", "mac os", "date", "malicious", "next", "button", "span", "edit3icon", "rotateccwicon", "xicon", "htmldivelement", "react", "saveicon", "null", "shortcutitem", "click", "zip archive", "png multimedia", "graphics" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/087797e64cf016f13eac46473b4150d49c7eba564c894300f69bc643b059c980_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775739500&Signature=r1pLCgJf%2FQK8TvenCwXy9bnghFzjJ5QssdQSLP37SLv6EkA3WXuFUIvKrsXKokco7bMfQUy%2FArk8F6aP%2Bhaj16Jv7P%2FGB%2Blf7mPvs47VjwfBJRCP8AZLlWvO45%2BjC68v798csdJFPTP31O4yDOE3pXZ3EThm4nSrIwLPhTSPfi3cPlEh2wLSzcySW7BYLw%2BqCoawFCxeLUz7hIV0vC89Mlwi3DeS%2BEnWFF%2FsvT9lVJjdbLoJLEeO", "https://vtbehaviour.commondatastorage.googleapis.com/087797e64cf016f13eac46473b4150d49c7eba564c894300f69bc643b059c980_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775739700&Signature=bOTo%2FxCpGDGOsIKJDZjBBhLZRg8UiOGi%2FvVr47Xpmh7tOh9dez7911bi%2F9SUdu4ATLhzRVog%2BdVP%2BUPwTuEfIdEcPuGRGVc1KOSP3fTQrKhRjF3x2dqykxVCH%2B1iqBmCgod%2B1uAdlraxqSOeOgst1l%2Bk250uXff4axktE%2BfGjeNDeGJao%2FfOMktqIL7zU8%2BIQYTObwelnnYx45FBSiXI1bWM4vhdgIX4cs2cT%2F" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 217, "FileHash-MD5": 558, "FileHash-SHA1": 564, "FileHash-SHA256": 558, "URL": 118, "hostname": 133, "email": 2 }, "indicator_count": 2150, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "21 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d7a3f511d0121d253b753d", "name": "VirusTotal report\n for flow-browser-main.zip", "description": "A sample of flow-browser-main, an unauthorised version of the web browser, has been detected by researchers at the University of California, Los Angeles, and the National Security Agency (NSA). myvzw.com after an email on ending a #", "modified": "2026-05-09T12:10:59.635000", "created": "2026-04-09T13:04:53.436000", "tags": [ "file type", "png image", "ascii", "ascii text", "java source", "json", "rgba", "creates", "crlf line", "mac os", "date", "malicious", "next", "button", "span", "edit3icon", "rotateccwicon", "xicon", "htmldivelement", "react", "saveicon", "null", "shortcutitem", "click", "zip archive", "png multimedia", "graphics" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/087797e64cf016f13eac46473b4150d49c7eba564c894300f69bc643b059c980_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775739500&Signature=r1pLCgJf%2FQK8TvenCwXy9bnghFzjJ5QssdQSLP37SLv6EkA3WXuFUIvKrsXKokco7bMfQUy%2FArk8F6aP%2Bhaj16Jv7P%2FGB%2Blf7mPvs47VjwfBJRCP8AZLlWvO45%2BjC68v798csdJFPTP31O4yDOE3pXZ3EThm4nSrIwLPhTSPfi3cPlEh2wLSzcySW7BYLw%2BqCoawFCxeLUz7hIV0vC89Mlwi3DeS%2BEnWFF%2FsvT9lVJjdbLoJLEeO", "https://vtbehaviour.commondatastorage.googleapis.com/087797e64cf016f13eac46473b4150d49c7eba564c894300f69bc643b059c980_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775739700&Signature=bOTo%2FxCpGDGOsIKJDZjBBhLZRg8UiOGi%2FvVr47Xpmh7tOh9dez7911bi%2F9SUdu4ATLhzRVog%2BdVP%2BUPwTuEfIdEcPuGRGVc1KOSP3fTQrKhRjF3x2dqykxVCH%2B1iqBmCgod%2B1uAdlraxqSOeOgst1l%2Bk250uXff4axktE%2BfGjeNDeGJao%2FfOMktqIL7zU8%2BIQYTObwelnnYx45FBSiXI1bWM4vhdgIX4cs2cT%2F" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 224, "FileHash-MD5": 558, "FileHash-SHA1": 564, "FileHash-SHA256": 558, "URL": 140, "hostname": 166, "email": 2, "CVE": 8 }, "indicator_count": 2220, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "21 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d7a3f4d72c30f9586634b9", "name": "VirusTotal report\n for flow-browser-main.zip", "description": "A sample of flow-browser-main, an unauthorised version of the web browser, has been detected by researchers at the University of California, Los Angeles, and the National Security Agency (NSA). myvzw.com after an email on ending a #", "modified": "2026-05-09T12:10:59.635000", "created": "2026-04-09T13:04:52.444000", "tags": [ "file type", "png image", "ascii", "ascii text", "java source", "json", "rgba", "creates", "crlf line", "mac os", "date", "malicious", "next", "button", "span", "edit3icon", "rotateccwicon", "xicon", "htmldivelement", "react", "saveicon", "null", "shortcutitem", "click", "zip archive", "png multimedia", "graphics" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/087797e64cf016f13eac46473b4150d49c7eba564c894300f69bc643b059c980_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775739500&Signature=r1pLCgJf%2FQK8TvenCwXy9bnghFzjJ5QssdQSLP37SLv6EkA3WXuFUIvKrsXKokco7bMfQUy%2FArk8F6aP%2Bhaj16Jv7P%2FGB%2Blf7mPvs47VjwfBJRCP8AZLlWvO45%2BjC68v798csdJFPTP31O4yDOE3pXZ3EThm4nSrIwLPhTSPfi3cPlEh2wLSzcySW7BYLw%2BqCoawFCxeLUz7hIV0vC89Mlwi3DeS%2BEnWFF%2FsvT9lVJjdbLoJLEeO", "https://vtbehaviour.commondatastorage.googleapis.com/087797e64cf016f13eac46473b4150d49c7eba564c894300f69bc643b059c980_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775739700&Signature=bOTo%2FxCpGDGOsIKJDZjBBhLZRg8UiOGi%2FvVr47Xpmh7tOh9dez7911bi%2F9SUdu4ATLhzRVog%2BdVP%2BUPwTuEfIdEcPuGRGVc1KOSP3fTQrKhRjF3x2dqykxVCH%2B1iqBmCgod%2B1uAdlraxqSOeOgst1l%2Bk250uXff4axktE%2BfGjeNDeGJao%2FfOMktqIL7zU8%2BIQYTObwelnnYx45FBSiXI1bWM4vhdgIX4cs2cT%2F" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 220, "FileHash-MD5": 562, "FileHash-SHA1": 566, "FileHash-SHA256": 1011, "URL": 125, "hostname": 139, "email": 4 }, "indicator_count": 2627, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "21 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d79c38e0a059039b475ebe", "name": "CAPE Sandbox", "description": "Email today from them on my line. Very wild things happening here. trying to close my line", "modified": "2026-05-09T12:10:59.635000", "created": "2026-04-09T12:31:52.495000", "tags": [ "html document", "unicode text", "utf8 text", "crlf", "lf line", "site", "meta", "verizon", "wireless", "internet", "phone services", "official", "shop verizon", "lte network", "get fios", "title", "code", "error", "utc na", "utc google", "tag manager", "gtmw2vn2cq", "utc dc9849921", "utc dc685973", "utc g12r1dx1lx7", "utc aw647962234", "utc aw2761768", "utc aw685973", "verizon business", "verizon for business", "verizon business account", "verizon business phone", "verizon wireless for business", "verizon business service", "verizon business plan", "business internet services", "learn", "gartner", "contact", "find", "discover", "support", "close log", "shop", "upgrade", "small", "voice", "chat", "mitre attack", "network info", "program", "html page", "t1055 process", "overview", "processes extra", "overview zenbox", "verdict", "guest system", "phishing", "next", "ver2", "msclkidn", "utc amazon", "analytics na", "utc bing", "vids1", "vids0", "gdlname" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/edb4c21d60daa44b3429e7ba9bfa342759ebef23c136c934f74aef145453ce19_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775737365&Signature=S%2B7RcHYjab1hbKlKwFfvUbDirFPJS1A2TJQ3bVIObMcON4PD9pRDvhMtYMCnEBrYsICi0UJCFW5eUDolL5Jlbngsc587kF36vvuhlkPprbkSOY1jOyDTpe3Qsb6jRFz3xwOfZc9S5QervoLnRKb%2FyGSyZE6ZK6TxzBrOPczPtZ7sLf9NfD6E%2B2gMRXaRjEqVwVITLG7YqCiiNuohFOuNlK3uNHFpIk53viKvBSAIqLtSklH9bHW4q1DX", "https://www.verizon.com/business/", "https://vtbehaviour.commondatastorage.googleapis.com/edb4c21d60daa44b3429e7ba9bfa342759ebef23c136c934f74aef145453ce19_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775737710&Signature=fbsokraSd7lsYmUfaTEl8Phs2K3hp7AtVmQU9axeEBcYmYbrrYrrfpP5lPEQaE%2Fh3%2BEP9Rn8mD8D1haqQVXCN0VVlxJ4sddjWmyC5USsgBsvUb0%2F72h1WHDS2KXHlteZWE%2Bauckabain9D5kX501AnqFY38s77OIqO6SMOkQ%2BvXiDSSRK%2FZhbfradBnei3ZLHsXGxkoshTyvB0%2BC%2F8SiUzdVsqSjik0Bn2r%2BIlLpDQK90GlZTD0N" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 772, "hostname": 706, "domain": 875, "FileHash-SHA256": 2348, "FileHash-MD5": 2237, "FileHash-SHA1": 2260, "CVE": 1, "email": 9 }, "indicator_count": 9208, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "21 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d4f2dd828bbf0ac5efaa23", "name": "VirusTotal report\n for sample.crx", "description": "A small sample of malware has been identified by researchers at the University of Oregon in the US, and the results are published on the web, as well as on Google's Chrome extension and other sites.", "modified": "2026-05-07T12:05:50.774000", "created": "2026-04-07T12:04:44.957000", "tags": [ "file type", "json", "ascii text", "png image", "crlf line", "ascii", "rgba", "unicode text", "utf8 text", "defense evasion", "malicious" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 668, "FileHash-MD5": 668, "FileHash-SHA1": 675, "URL": 153, "domain": 230, "hostname": 177, "email": 2 }, "indicator_count": 2573, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "23 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d4f2d9ce86a445b484593b", "name": "VirusTotal report\n for sample.crx", "description": "A small sample of malware has been identified by researchers at the University of Oregon in the US, and the results are published on the web, as well as on Google's Chrome extension and other sites.", "modified": "2026-05-07T12:05:50.774000", "created": "2026-04-07T12:04:41.097000", "tags": [ "file type", "json", "ascii text", "png image", "crlf line", "ascii", "rgba", "unicode text", "utf8 text", "defense evasion", "malicious" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 668, "FileHash-MD5": 668, "FileHash-SHA1": 675, "URL": 153, "domain": 230, "hostname": 177, "email": 2 }, "indicator_count": 2573, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "23 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d4f2db0b3448671adcce16", "name": "VirusTotal report\n for sample.crx", "description": "A small sample of malware has been identified by researchers at the University of Oregon in the US, and the results are published on the web, as well as on Google's Chrome extension and other sites.", "modified": "2026-05-07T12:05:50.774000", "created": "2026-04-07T12:04:43.156000", "tags": [ "file type", "json", "ascii text", "png image", "crlf line", "ascii", "rgba", "unicode text", "utf8 text", "defense evasion", "malicious" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 668, "FileHash-MD5": 668, "FileHash-SHA1": 675, "URL": 153, "domain": 230, "hostname": 177, "email": 2 }, "indicator_count": 2573, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "23 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d4442a0b5217c34bbcbd2d", "name": "VirusTotal report\n for install.sh", "description": "", "modified": "2026-05-06T23:07:30.047000", "created": "2026-04-06T23:39:22.105000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 43, "FileHash-SHA1": 45, "FileHash-SHA256": 1421, "URL": 261, "hostname": 73, "domain": 235, "email": 1 }, "indicator_count": 2079, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "24 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d44428ad43f231ff43e175", "name": "VirusTotal report\n for install.sh", "description": "", "modified": "2026-05-06T23:07:30.047000", "created": "2026-04-06T23:39:20.767000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 43, "FileHash-SHA1": 45, "FileHash-SHA256": 1421, "URL": 261, "hostname": 73, "domain": 235, "email": 1 }, "indicator_count": 2079, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "24 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69cc5cc7017a82e1df3fcbcc", "name": "Thunderstore Mod", "description": "The full text of the words \"glob\" and \"blubber\" has been published by BBC Radio 4 in the UK and Ireland, as well as the BBC Sport website and app.25f1531aa2073adb690c29a6be6b96e5\n565440a20048838fc7c7bac04e68afb5e8c22033\n087797e64cf016f13eac46473b4150d49c7eba564c894300f69bc643b059c980\n0cdbf7db333899d26d0fa0c09cfb318c\n393216:qKtKBjQtJlQmiSgMnA1bMtICpQTTH6M8qw:HMRQtJKmiSe1bCkTHWqw\nT188D6330AAA1D1C22CE7590FE75161103B74BE184548DF72A1A6F387EDC576C43EAF22E\nZIP \ncompressed\nzip\nZip archive data, at least v1.0 to extract, compression method=store\nThunderstore Mod package (82.6%) ZIP compressed archive (17.3%)\nZIP\n12.03 MB (12616201 bytes)", "modified": "2026-04-30T23:10:15.978000", "created": "2026-03-31T23:46:15.865000", "tags": [ "zip archive" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "FileHash-SHA1": 7, "FileHash-SHA256": 660, "hostname": 30, "domain": 36, "URL": 62 }, "indicator_count": 801, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "30 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69cc51f0a58991e351321a0b", "name": "VirusTotal report\n for flow-browser-main.zip", "description": "A sample of flow-browser-main, an unauthorised version of the web browser, has been detected by researchers at the University of California, Los Angeles, and the National Security Agency (NSA).", "modified": "2026-04-30T23:10:15.978000", "created": "2026-03-31T23:00:00.551000", "tags": [ "file type", "png image", "ascii", "ascii text", "java source", "json", "rgba", "creates", "crlf line", "mac os", "date", "malicious", "next" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/087797e64cf016f13eac46473b4150d49c7eba564c894300f69bc643b059c980_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1774998167&Signature=utDs3%2B4MkyePrZxIa4LDJ8Z3xTy%2FSYPrRcuBtMqBNlWIaFR%2Ftqp82I3Dx7z4PG4CFAFUeDx4NGkwUFJd6%2B0u7grbfQ2CJtW2A6CWvczNiq0IEBDF0l5BAPkzE9KXDHRrfI37zeeo7SO%2FOahMZY7sJYqP3CAd2uqFSR57CkDB6vboYMzF8YUM8NWRhKXcEu9QY%2BbbHYQ2iGgjFAIvBKznE7L5oLu6F9UXKzrJ9%2FbyE61pXQduGaVGg1AF" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 51, "FileHash-MD5": 3, "FileHash-SHA1": 6, "FileHash-SHA256": 189, "URL": 83, "hostname": 33 }, "indicator_count": 365, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "30 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d9aeb4f571a55c916fc973", "name": "(Credit Q Vashti Clone: Cyber Espionage - Project Helix)", "description": "", "modified": "2026-04-11T05:42:31.615000", "created": "2026-04-11T02:15:16.240000", "tags": [ "foundry", "helix", "espionage", "intel", "abuse", "tech bro", "united", "unknown aaaa", "unknown ns", "search", "date", "servers", "ip address", "registrar", "encrypt", "record value", "refresh", "denver", "ibm", "monitored target", "dns", "network", "t1071", "protocol", "web protocols", "t1005", "local system", "monitored target", "project helix", "sign", "code", "github", "appearance", "github advanced", "view", "notifications", "find", "star", "project", "anything", "stars", "footer", "dynamicloader", "show", "yara detections", "http", "port", "dynamic", "delete", "entries", "top source", "phishing", "write", "malware infection", "tls handshake", "failure", "default", "medium", "ptjsw", "total", "copy", "upatre", "malware", "unknown", "windows nt", "wow64", "write c", "suspicious", "ukraine domain", "double", "trojan", "yandex.net", "behavior_upatre" ], "references": [ "Spy.Bancos.OQI Checkin", "Double User-Agent (User-Agent User-Agent)", "Crowdsourced Research from multiple sources" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "trojandownloader:Win32/Upatre.A", "display_name": "trojandownloader:Win32/Upatre.A", "target": "/malware/trojandownloader:Win32/Upatre.A" }, { "id": "TrojanDownloader:Win32/Tasekjom.A", "display_name": "TrojanDownloader:Win32/Tasekjom.A", "target": "/malware/TrojanDownloader:Win32/Tasekjom.A" } ], "attack_ids": [ { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [ "Government", "Telecommunications", "Technology" ], "TLP": "white", "cloned_from": "6851a3a099527852f95f1092", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1823, "hostname": 503, "domain": 583, "FileHash-SHA1": 154, "email": 3, "FileHash-SHA256": 695, "FileHash-MD5": 156 }, "indicator_count": 3917, "is_author": false, "is_subscribing": null, "subscriber_count": 69, "modified_text": "50 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d43faf7160e03036338663", "name": "VirusTotal report\n for hr100xfiles.zip", "description": "The full text of the full set of files compiled by Microsoft, Microsoft and other companies, as well as their own, has been published on the Microsoft website, and here is the complete list:", "modified": "2026-04-06T23:20:15.603000", "created": "2026-04-06T23:20:15.603000", "tags": [ "file type", "php script", "ascii text", "ascii", "html document", "json", "unicode text", "utf8 text", "creates", "mitre attack", "window", "info", "next", "sgml document", "web open", "toggle", "xd0tb xd0tb", "xc7exfc xc7exfc", "x85xc0u x85xc0u", "x85xc0t x85xc0t", "x8bxe5", "xc7a xc7a", "xc7exf8 xc7exf8", "x85xc0 x85xc0", "xc7exf0 xc7exf0", "dynamicloader", "first", "path", "enterprise", "service", "close" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/1d8220c8dd21980b3011d4d5f270989e8ec6976bfac43bb68e26210f0132d73a_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775517690&Signature=ss9QfKS7opM7i4y0qJTNns2ZH2%2FMJsUYWVIL%2FPE2inms8fNXu%2BbNyyv%2ByYvzfOQeAuk6RLNZDEOhLiGokHWpqZiclVpv8vxLtlqIEAHvgJ%2F4ZIcTgVkGXIXnNvyEEQfE96d0SzSMd2dMGq5%2FychQ%2BT26ZdyxoyTtMSTIUgK9jqBdXfmCaICEp22pfV99slaMlBzNdL7kQ%2BWELMfEtoO72EQxXJQtIZ7ezn3mBEoLa%2BnYqTHCaBbW", "https://vtbehaviour.commondatastorage.googleapis.com/6c0127433f689c0861355352460f7dc6b6ae3d86aa7db0747e60b3b9a18c4a87_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775517857&Signature=vah2Y1tu1hUAIU2Nzl5Tj42a52U%2F4iHbQMQ97tgsD9m4WS0cP%2FDouswDcCWgQBks1IZNZLNdNIN4zhFGqu5TKTGa%2BfaFH53FyJKTW8qWIWhfzHeg7juIKdf%2Bg31OT2ch6vWmA12PTN5NyGUdyDJXhtiJoJY7fDAnNQevIgYxRXZV4DroufLQPXPwAd3hsBLc4RLDkrtL%2BeuuXcWkZ95SYsHpvwpswlCvj20Pa9nMFjXYgw4%2Bt5k" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 33, "FileHash-SHA1": 30, "FileHash-SHA256": 1018, "domain": 6, "URL": 23, "hostname": 2 }, "indicator_count": 1112, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "54 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d43fae5b7c4b40e3c63fb2", "name": "VirusTotal report\n for hr100xfiles.zip", "description": "The full text of the full set of files compiled by Microsoft, Microsoft and other companies, as well as their own, has been published on the Microsoft website, and here is the complete list:", "modified": "2026-04-06T23:20:14.130000", "created": "2026-04-06T23:20:14.130000", "tags": [ "file type", "php script", "ascii text", "ascii", "html document", "json", "unicode text", "utf8 text", "creates", "mitre attack", "window", "info", "next", "sgml document", "web open", "toggle", "xd0tb xd0tb", "xc7exfc xc7exfc", "x85xc0u x85xc0u", "x85xc0t x85xc0t", "x8bxe5", "xc7a xc7a", "xc7exf8 xc7exf8", "x85xc0 x85xc0", "xc7exf0 xc7exf0", "dynamicloader", "first", "path", "enterprise", "service", "close" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/1d8220c8dd21980b3011d4d5f270989e8ec6976bfac43bb68e26210f0132d73a_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775517690&Signature=ss9QfKS7opM7i4y0qJTNns2ZH2%2FMJsUYWVIL%2FPE2inms8fNXu%2BbNyyv%2ByYvzfOQeAuk6RLNZDEOhLiGokHWpqZiclVpv8vxLtlqIEAHvgJ%2F4ZIcTgVkGXIXnNvyEEQfE96d0SzSMd2dMGq5%2FychQ%2BT26ZdyxoyTtMSTIUgK9jqBdXfmCaICEp22pfV99slaMlBzNdL7kQ%2BWELMfEtoO72EQxXJQtIZ7ezn3mBEoLa%2BnYqTHCaBbW", "https://vtbehaviour.commondatastorage.googleapis.com/6c0127433f689c0861355352460f7dc6b6ae3d86aa7db0747e60b3b9a18c4a87_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775517857&Signature=vah2Y1tu1hUAIU2Nzl5Tj42a52U%2F4iHbQMQ97tgsD9m4WS0cP%2FDouswDcCWgQBks1IZNZLNdNIN4zhFGqu5TKTGa%2BfaFH53FyJKTW8qWIWhfzHeg7juIKdf%2Bg31OT2ch6vWmA12PTN5NyGUdyDJXhtiJoJY7fDAnNQevIgYxRXZV4DroufLQPXPwAd3hsBLc4RLDkrtL%2BeuuXcWkZ95SYsHpvwpswlCvj20Pa9nMFjXYgw4%2Bt5k" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 33, "FileHash-SHA1": 30, "FileHash-SHA256": 1018, "domain": 6, "URL": 23, "hostname": 2 }, "indicator_count": 1112, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "54 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64ed117e2308a042e50e1e9e", "name": "Investigation of Distribution Vectors and Threat Network Infrastructure", "description": "Targets: Individual(s), University of Alberta Infrastructure, Covenant Health (Alberta Health Services), TELUS Communications (Network & Mobile infrastructure), Government of Alberta, Government of Canada. International entities spanning primarily government, healthcare, and educational institutions.", "modified": "2025-11-23T23:20:07.571000", "created": "2023-08-28T21:28:30.294000", "tags": [ "Domains", "ip addresses", "URLs", "Files", "Alberta Health Services", "BEC", "Education", "University of Alberta", "Government of Alberta", "Covenant Health Alberta", "Telus Communications", "Canadian Universities", "Malicious Certificates", "Digital Identity Theft / Credential Theft" ], "references": [ "https://www.virustotal.com/gui/collection/27233a89c864ba0e77e672a8909fd63b4a8b6d457c9e4ff219f2a3e47db13376", "https://www.virustotal.com/gui/collection/50919d9e9d6d71522b641a3907ed32093293c400a2ae4faaab142f175c48de4b", "https://www.virustotal.com/gui/collection/bb0c0633dbe98b659fb06e07acd6e1f51ca43d3a1b4be09b4e9bfe8b3fde0cdb", "https://www.virustotal.com/gui/collection/b8a6d1fcd73207ba46eae6806b946c4b539f301e718f3fba21fa4e797d4b5783", "https://www.virustotal.com/gui/collection/bd65940df2423788fcc8623495dfdafdfd4236d93533db0256db5ff4347b65f9", "https://www.virustotal.com/gui/collection/2c8e8189f77f80c97f4192dff56750f9603651db2cc6cca045f53e274f4b090e", "https://www.virustotal.com/gui/collection/be10f2ed2776b9b4028ac868814ab14bdd576ca5e5bce877ac2954389ba9d328", "https://www.virustotal.com/gui/collection/33a61b144ffdece76551464e76866ab59346f0fa3f1f97380b401c1ac3f0d305", "https://www.virustotal.com/gui/collection/d142f78015e1c929cedae31dba7e5b735b6dedfc31e4759d8ec5f02c16328b98", "https://www.virustotal.com/gui/collection/02bef6a3cf1a035ad5bfb238cac2e913f4ed9425847d7cec5e7dc4097aa3c352", "https://www.virustotal.com/gui/collection/343b947063e58a53ca281f5ad54a72a7fa1b9b6e4c1ca84de6202b99e3126327/summary", "https://www.virustotal.com/gui/collection/3bf1c0922ee6f4d041effbf9f72a21a1e9f4b38d0593cfbeaca24851cf712eac", "https://www.virustotal.com/gui/collection/2cdadbf6aa2ec4f9815c038b0e9375b1475ac7e049fd123861d6e925e7802c6a", "https://www.virustotal.com/gui/collection/ba238f4d585b87abb85c126f927090cb866facfa9e4e2e0db8e307aff553397d", "https://www.virustotal.com/gui/collection/385f419c1c3733dd9dd151d4403bdb38cb24d12c21f18ce8f4f41d818d7a12a5/summary", "https://www.virustotal.com/gui/collection/9220d9375ebb4289fdbc4a7aac232b75a5c1b01e5e27edd965982bc6fe28f0e2", "https://www.virustotal.com/gui/collection/343b947063e58a53ca281f5ad54a72a7fa1b9b6e4c1ca84de6202b99e3126327", "https://www.virustotal.com/gui/collection/fd8ebe64d72b2ad9e90773791522c3ec5863868dc3b9c58a929c6b4e01bb3042", "https://www.virustotal.com/gui/collection/8d65d93130b4775903adbffbb53820d40bb9425dcf1848b806ffee65ee883984", "https://www.virustotal.com/gui/collection/385f419c1c3733dd9dd151d4403bdb38cb24d12c21f18ce8f4f41d818d7a12a5", "https://www.virustotal.com/gui/collection/6434f0cf09638991baf3be289834696b46e11c4c6cbe1e7b9548f9ac27372b53", "https://www.virustotal.com/gui/collection/bc7e252dcc07855314e153efe890d70e7a7e9b8a743e171eac31e5951260c1b7", "https://www.virustotal.com/gui/collection/dbf356b0a281fa94308e2e24738d839491491bfb2defa4e6c42662646e52c8f8", "https://www.virustotal.com/gui/collection/f60b8061133367a1047262a1e90d54cd72de4d59885c267906c6eeb557a35500", "https://www.virustotal.com/gui/collection/da124f42943c08f1cafdc1c42635457b0c69ccce41b4031263af3235717996a2/summary", "https://www.virustotal.com/gui/collection/daab0521ae533cbdfeec047e51a9499aedfd27c8cc05c644950126c1947131f9", "https://www.virustotal.com/gui/collection/12100cb4982365cfe5122fcedda2c084d60cebe09314846cae980c36fc90fc8c/iocs", "https://www.virustotal.com/graph/embed/g9219350397134ff3a645319a88b67833077c9cf0f50d4979aa0239a3d0b6ecea?theme=dark", "https://www.virustotal.com/gui/collection/c1ea74232c607b23ded09484664f00ae58f911ccb82433d042056cbb84c9d602", "https://www.virustotal.com/gui/collection/c1ea74232c607b23ded09484664f00ae58f911ccb82433d042056cbb84c9d602/graph", "https://www.virustotal.com/gui/collection/c1ea74232c607b23ded09484664f00ae58f911ccb82433d042056cbb84c9d602/iocs", "https://www.virustotal.com/gui/collection/da35693aa528a682ca91aee332c8155d99ac8e4a13077cc73b2a8921c8fea36b", "https://www.virustotal.com/gui/collection/1497c56a475d73236c67292964eabd7f8961f88c57fa5a2e3f30720dc29a51e7", "https://www.virustotal.com/gui/collection/8228434e85241bd42ae063de8cf2ee2afb86f0848675ed11e3f33b967e8c3c7c", "https://www.virustotal.com/gui/collection/aabd4abecf7099202ccbfbc1cec130ea266329ade38b040169399c6abf97a188", "https://www.virustotal.com/gui/collection/6a4e699473879d39e15ed7cd130f2ee9543f842b92c9ad8b78e310968f4b086f", "https://www.virustotal.com/graph/embed/g3dae42eb79cc447182e3a3dd746e462f0903d71c784d4f5cacf970954deea221?theme=dark", "https://www.virustotal.com/graph/embed/gc0d82762363b4aa88991027c391afdbfe9585395bd8d4273bbe09907fbfaf532?theme=light", "https://www.virustotal.com/graph/embed/g78ea5ea9b68b4a4bbcd2bc078e23b321985e72d90da146c19d8d80ede366c1fa?theme=dark", "https://www.virustotal.com/gui/collection/8f89eb9579ca53d15294ec27a4c1e763998ce57d3644ea746621d9fe0cb57e55/iocs", "https://www.virustotal.com/graph/g994d0094226240eba65c081dfbc3e4936aa010abf4db48049e3a964e7c5ad076", "https://www.virustotal.com/gui/collection/86f3d77a28744357c14d92dba7ac6302d57700308c64b641513119d8fcad411f/iocs", "https://www.virustotal.com/graph/g38632f8b939b443ab3b69f6a3171d02ffd2696a0f3714325a84b9a5f227a7d1c", "https://www.virustotal.com/gui/collection/4b166c2c1752d85215da951b15a065688bfe24ea92c65228a45ded6f2d94685b/iocs", "https://www.virustotal.com/graph/embed/g798b5e01446c4711ba22802009d71f5ba78553df16794088a907ae7456e2a017?theme=dark", "https://www.virustotal.com/gui/collection/86f3d77a28744357c14d92dba7ac6302d57700308c64b641513119d8fcad411f", "https://www.virustotal.com/gui/collection/a6a81c8412b19ac6357a7c6e978c31a38d52a75fbb3b2e44f0f1a2bf0deb8a58/iocs", "https://www.virustotal.com/graph/embed/g699a7b9bfb324855859555181d01666c372310cf233441e08a095459b3394dea?theme=dark", "https://www.virustotal.com/graph/embed/g6a67af8ffa22446da35d6989d7d0bc47efcd295eb893471e9b4912080c1dddef?theme=dark", "https://www.virustotal.com/graph/embed/g23481631a7c745c6ba19f72ce9f853643d17706c08ab44eb8851eb5c56c0f073?theme=dark", "https://www.virustotal.com/graph/embed/g3b316b58b8c54064b322b2e186d62950d7632add2f3f408f8d8a1706563fd3c0?theme=dark", "https://www.virustotal.com/graph/embed/g994d0094226240eba65c081dfbc3e4936aa010abf4db48049e3a964e7c5ad076?theme=dark", "https://www.virustotal.com/graph/g40f442f2b5d64cba818cac88855ba4ce274d109ce4ef4fb496f1af4efb993886", "https://www.virustotal.com/gui/collection/0c9360cb9f8601bd6cdf912eb414d67902487f0c4eec96e952377e300ff4e983/iocs", "https://www.virustotal.com/gui/collection/a1866f4c7dbc79920d0c7e914a3bace0d3dc424a2aac06bf30bf724c6c8b0375/iocs", "https://www.virustotal.com/gui/collection/82dc29932b9184d02b037289fd4605c158e96a57f376b08a8b2b94e43d0ae18b/iocs", "https://viz.greynoise.io/ip/analysis/ae06b3b5-c746-4b44-b2ac-19bb3aea14a1 [11.23.25 - 1000ipv4]" ], "public": 1, "adversary": "Unknown APT Group(s) / Threat Actor (s)", "targeted_countries": [ "Canada", "United States of America", "Philippines", "Panama", "Netherlands", "Anguilla", "Saint Vincent and the Grenadines", "Aruba", "Mexico", "Guatemala", "Costa Rica", "Tanzania, United Republic of" ], "malware_families": [], "attack_ids": [], "industries": [ "Education", "Healthcare", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 111, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 236, "FileHash-SHA1": 139, "FileHash-SHA256": 1421, "URL": 9580, "CIDR": 30, "domain": 10205, "email": 12, "hostname": 517612, "IPv4": 11, "CVE": 62 }, "indicator_count": 539308, "is_author": false, "is_subscribing": null, "subscriber_count": 146, "modified_text": "188 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68396d9ae8b96e90ff1848d5", "name": "AcK-U // unenriched - 05.30.25", "description": "Just a quick check", "modified": "2025-07-23T20:11:01.749000", "created": "2025-05-30T08:34:34.215000", "tags": [ "amazon02", "cloudflarenet", "amazonaes", "fastly", "github", "google", "facebook", "namecheapnet", "service", "cdck", "level3", "cloud", "com laude", "ltd dba", "namecheap inc", "gandi sas", "gmbh", "cloudflare", "namecheap", "registrarsafe", "ascio", "tucows", "spaceship", "please", "javascript", "iocs", "threat", "malware unread", "collection", "crowdsourced", "acku new", "share", "updated", "first ioc", "seen", "premium", "entity" ], "references": [ "https://www.virustotal.com/gui/collection/e03439bc07bcb1908764755571e127ec051193d4cc24cf842ec3179557f533cb/iocs", "https://www.virustotal.com/graph/embed/g36d8fc13d786418ab1d0a75cc331f0eb5bca28d4a4fe4666a84f23e25fb6600b?theme=dark", "https://www.virustotal.com/gui/collection/e03439bc07bcb1908764755571e127ec051193d4cc24cf842ec3179557f533cb/summary", "https://report.netcraft.com/submission/iduhE4oNTsMOSAeOeBjzZdIfCLtefF3P - 07.23.25 - see notes on references*" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada" ], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CIDR": 91, "domain": 204, "hostname": 192, "URL": 731, "FileHash-SHA256": 27, "email": 1 }, "indicator_count": 1246, "is_author": false, "is_subscribing": null, "subscriber_count": 131, "modified_text": "311 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6851a3a099527852f95f1092", "name": "Cyber Espionage - Project Helix", "description": "", "modified": "2025-07-17T17:03:28.261000", "created": "2025-06-17T17:19:28.985000", "tags": [ "foundry", "helix", "espionage", "intel", "abuse", "tech bro", "united", "unknown aaaa", "unknown ns", "search", "date", "servers", "ip address", "registrar", "encrypt", "record value", "refresh", "denver", "ibm", "monitored target", "dns", "network", "t1071", "protocol", "web protocols", "t1005", "local system", "monitored target", "project helix", "sign", "code", "github", "appearance", "github advanced", "view", "notifications", "find", "star", "project", "anything", "stars", "footer", "dynamicloader", "show", "yara detections", "http", "port", "dynamic", "delete", "entries", "top source", "phishing", "write", "malware infection", "tls handshake", "failure", "default", "medium", "ptjsw", "total", "copy", "upatre", "malware", "unknown", "windows nt", "wow64", "write c", "suspicious", "ukraine domain", "double", "trojan", "yandex.net", "behavior_upatre" ], "references": [ "Spy.Bancos.OQI Checkin", "Double User-Agent (User-Agent User-Agent)", "Crowdsourced Research from multiple sources" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "trojandownloader:Win32/Upatre.A", "display_name": "trojandownloader:Win32/Upatre.A", "target": "/malware/trojandownloader:Win32/Upatre.A" }, { "id": "TrojanDownloader:Win32/Tasekjom.A", "display_name": "TrojanDownloader:Win32/Tasekjom.A", "target": "/malware/TrojanDownloader:Win32/Tasekjom.A" } ], "attack_ids": [ { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [ "Government", "Telecommunications", "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 53, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1820, "hostname": 501, "domain": 583, "FileHash-SHA1": 154, "email": 3, "FileHash-SHA256": 695, "FileHash-MD5": 156 }, "indicator_count": 3912, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "317 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "684690d6dc730b0842d341a7", "name": "Exposing_Malware_in20Linux-Based_Multi-Cloud_Environments_R1Final.pdf", "description": "Falcon Sandbox: \nRansomware/Banking\nDetected indicator that file is ransomware\ndetails\n\"5 | Exposing Malware in Linux-Based Multi-Cloud Environments Ransomware and cryptominers Ransomware The impact of a ransomware attack can range from being a nuisance (e.g., having to restore data from backups and clean up the network) to being devastating (e.g., having to pay large sums of money to regain access to key assets). Unfortunately, when talking about cloud environments, the results tend to be more on the devastating side. Recently, cybercriminals have started calculating the damage they might cause to the valuation of a company going through a financial event to make the potential impact of their attack clear and incentivize ransom payments.5 At the same time, they\\x2122ve been honing their tactics with increasingly sophisticated techniques to target victim organizations\u2026more: https://www.hybrid-analysis.com/sample/92c1ca86f4d025e72acb94ae3cbdd3c6435aaa1b5e3fc3dcb06f8501b5dd3bb7/62e7fdd19a99ce4fa32e6d64", "modified": "2025-07-09T07:03:10.726000", "created": "2025-06-09T07:44:22.507000", "tags": [ "ipv4", "url http", "expiration", "url https", "eid1338769034", "united", "unknown ns", "present jun", "unknown cname", "name servers", "search", "servers", "showing", "ip address", "creation date", "date", "encrypt", "sha256", "submitted", "passive dns", "urls", "address", "xmpg", "malware", "span", "extgstate", "bbox", "subtypeform", "rlength", "resource", "rfit", "pattern match", "path", "code", "cobalt strike", "false", "cloud", "core", "footer", "meta", "black", "ransomware", "r980", "facebook", "discord", "stream", "form", "contact", "story", "february", "rats", "stack", "defense", "launcher", "trace", "august", "hellokitty", "twitter", "upgrade", "android", "decryptor", "green", "enterprise", "team", "small", "systemd", "service", "python", "shell", "reload", "find", "haiduc", "hybrid", "general", "suspicious", "click", "strings", "iframe", "loader", "tools", "template", "daily", "hypervisor", "capture", "stars", "download", "copy", "cobaltstrike", "install", "madcap", "protect", "shift", "beyond", "leverage", "agent", "info", "xmrig", "attack", "demonbot", "multi", "live", "grep", "pass", "ri falsek", "process", "xobject", "format", "june", "crypto", "close", "learn", "ck id", "name tactics", "informative", "adversaries", "command", "defense evasion", "apis", "found" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null } ], "attack_ids": [ { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1489", "name": "Service Stop", "display_name": "T1489 - Service Stop" }, { "id": "T1491", "name": "Defacement", "display_name": "T1491 - Defacement" }, { "id": "T1530", "name": "Data from Cloud Storage Object", "display_name": "T1530 - Data from Cloud Storage Object" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 33, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 39, "FileHash-SHA1": 48, "FileHash-SHA256": 67, "domain": 173, "hostname": 110, "URL": 429, "email": 10 }, "indicator_count": 876, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "326 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6761c6d68582c49eff306fe6", "name": "Likely malicious Google Analytics Alternative - App & Web Analytics - Matomo", "description": "The full text of the \"suspicious\"obfuscation using unescape has been published on the website tylabs.com, as well as the official release of a new version of PDF.", "modified": "2025-05-14T21:24:25.364000", "created": "2024-12-17T18:45:42.250000", "tags": [ "bitcoin address", "didier stevens", "didierstevens", "bitcoinaddress", "june", "copyright", "t1027", "unesc", "unescape", "flash define", "matomo", "string", "date", "sufeffxa0", "regexp", "please", "blob", "null", "tag manager", "link", "url https", "ipv4", "url http", "learn", "it for", "no credit", "cloud trial", "start", "contact", "matomo team", "help", "free", "easy", "tools" ], "references": [ "https://matomo.org https://matomo.www.gov.pl/analytics/js/container_68lYTZ79.js", "https://www.filescan.io/uploads/67619a0f99caec9a276f9efd/reports/92e63ab1-1ebd-41a7-90da-f842f0b90392/details" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 62, "YARA": 8, "domain": 83, "URL": 657, "email": 3, "hostname": 152, "IPv4": 15, "CIDR": 1, "FileHash-SHA1": 57, "FileHash-SHA256": 734 }, "indicator_count": 1772, "is_author": false, "is_subscribing": null, "subscriber_count": 123, "modified_text": "381 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67127cfd194972b2b7a01965", "name": "Discord", "description": "Discord W11 Sample Device\nC:\\ProgramData*\\Discord", "modified": "2024-11-17T15:01:49.122000", "created": "2024-10-18T15:21:33.350000", "tags": [ "Discord" ], "references": [ "https://www.virustotal.com/gui/collection/ab283165c61c702e1aed28375718dd2674179c61c517d93baabc2219becf081a/community", "https://www.virustotal.com/gui/collection/ab283165c61c702e1aed28375718dd2674179c61c517d93baabc2219becf081a/iocs", "https://www.virustotal.com/gui/collection/ab283165c61c702e1aed28375718dd2674179c61c517d93baabc2219becf081a/summary", "https://www.virustotal.com/gui/collection/ab283165c61c702e1aed28375718dd2674179c61c517d93baabc2219becf081a/graph" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada", "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [ "Technology", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 80, "FileHash-SHA1": 80, "FileHash-SHA256": 357, "URL": 472, "domain": 413, "hostname": 153 }, "indicator_count": 1555, "is_author": false, "is_subscribing": null, "subscriber_count": 131, "modified_text": "559 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "669ac41b3186b8cc8c40e9e3", "name": "Powershell", "description": "Matches rule PowerShell Module File Created By Non-PowerShell Process by Nasreddine Bencherchali\nDetects creation of a new PowerShell module \".psm1\", \".psd1\", \".dll\", \".ps1\", etc. by a non-PowerShell process\n\nFilescan.io\nWindowsPowerShell.zip\napplication/zip\nMD5:\n07d37fc575e373f878ae3c7cca2bfc25\nSHA1:\na2fc89aba12f8739184d44d0fffbe6323d9654eb\nSHA256:\ne75ff18ee5c7226e225aa9959df439f1488df8cd3d43f5471361ed0426700832\nSHA512:\n36dc7349d052cd474818a6ae3149eda469d829cf2e4d9a0e55252468cdf9e9704d5293b8b4f73b4a25b07f8c8dd8eeab2ed18bbb1ff7d76958b51eb555562339\n\nTriage:\nhttps://tria.ge/240719-taxv5aydlj\nhttps://tria.ge/240719-tfpfyasdqh\nhttps://tria.ge/240719-tj9laasfke\nhttps://tria.ge/240719-tnb6kssgmc\nhttps://tria.ge/240719-trwpdsshqh\nhttps://tria.ge/240719-tv84wstbkg\nhttps://tria.ge/240719-t1hh5atcpd\nhttps://tria.ge/240719-t7wpbszgkl\n\nMalcore: https://app.malcore.io/share/652553f6aec33d70a1dbbd25/669993193506cdb760b3f36a\n\nKaspersky: E75FF18EE5C7226E225AA9959DF439F1488DF8CD3D43F5471361ED0426700832", "modified": "2024-09-01T17:02:12.379000", "created": "2024-07-19T19:52:59.626000", "tags": [], "references": [ "https://www.virustotal.com/gui/collection/9d356233d4019b57b09902b22067bcbc11c1b5df759daaf494d859f540aaa399/summary", "https://www.virustotal.com/gui/collection/9d356233d4019b57b09902b22067bcbc11c1b5df759daaf494d859f540aaa399/iocs", "https://www.virustotal.com/gui/collection/9d356233d4019b57b09902b22067bcbc11c1b5df759daaf494d859f540aaa399/graph", "https://www.virustotal.com/graph/embed/g4d28c765e54941129dbbf8d4a8dc25bb3b5452f14e0a4886a0af0c2991188611?theme=dark", "https://www.virustotal.com/gui/file/e75ff18ee5c7226e225aa9959df439f1488df8cd3d43f5471361ed0426700832/relations", "https://vtbehaviour.commondatastorage.googleapis.com/e75ff18ee5c7226e225aa9959df439f1488df8cd3d43f5471361ed0426700832_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1721578339&Signature=fTYUE3KoGSnr2%2BSrv9dZpgk3uXJc2rf%2BQeCyhAVDWiuiHGaYqhFHfgzQD2KheomXUSHne5MCvS9XH1LGW7Xhrg7CIG0gEe5cVjxrkmumne%2B%2Fd%2FBQagomnCKzfbwdExaO45sfA9rz4eQtyfLzFifYoRXDRtJK7P%2BNmISkv0Qz9FGIgXrrPDvmwJevgry%2FaMfiTEa2%2BxSDdWf9e6kdZW5YBVuxEdpGowcPsPEkpbdiSG12pG", "https://vtbehaviour.commondatastorage.googleapis.com/e75ff18ee5c7226e225aa9959df439f1488df8cd3d43f5471361ed0426700832_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1721578437&Signature=HM1ThjLEyrQmeLst3eY3osRWxC6ETs2RVbR4uKhN5emP%2Fe3Jbf6OsLPvmoAyaPTh%2B9RLyjIrqyR3f4rwg%2B4kkyiEZCyCkGKSRvQK4zC8eMuq80kOGYcvFLPwtvcH20xe7%2FPhGk2au3z4GfauzR1s8meGtQYRDlmXZARLTB2G0tno%2FJOq8rNm7NLHvVH1MpMBoQ47RRIwE0ecUUSYXmQGMAOQVAgmigrpydiFzFYN2wYJDkmfVTmEc9kylTmQ", "https://vtbehaviour.commondatastorage.googleapis.com/460264c62a85a79d25424920b7b80763354151146da5cba933c198ebbe9a0588_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1721583501&Signature=igubOWmez%2BKPjBiU2Af7vHhJ5SwgwsKaafuyzobymmqUDs%2F8vkuh1A%2BbsMADWo0B%2FBEZht3BD%2B1%2FvItWrcfBgja57sMCBln9vBXfK7nCclcy9%2BeujGu7wlQLlhyfAeGNd8suRdK8x4WrJJ5bdqfAh7Ns0mOjPliF9uu3UJ9I7qH6N5IAd%2Bkb8h7Xce%2F%2BavnF8jLmHHwwCP5ILzgNRc94rmrWFp5eXzxQ3aHd9btY2D", "https://vtbehaviour.commondatastorage.googleapis.com/e6f203e988e7aa801739359c6222dcb181d290fc10de5f61d354d43f8557daa0_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1721583905&Signature=QPgFBr8MN1iCe8SwxWZ4BgTfkaViEC4PHLzUrGQ3Jdndo8Z44osVc0CIRcnkJJtNDFU03AM82A8wJ2jMjaFYoEbthsaxPWWufSulM8nS%2BU8RoCr04jUq5GnAWPVNjxukSTbgD0F7pUSf0pVaFwwvpSWCQ6hedQEwF52DQyViV8u9UDOeLii4rkmRlMfMlGIsxIP4CEwy0Gy8Q7Lw6FX8cxG%2FehoJatyiwaFdwwbbLbnu2lQHDaZuwZ38Oy", "https://vtbehaviour.commondatastorage.googleapis.com/460264c62a85a79d25424920b7b80763354151146da5cba933c198ebbe9a0588_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1721583790&Signature=K2lWpuyPxZ8FgvBVeyB6hsfMbuIBkRXd522JtGonUcHxxtwoomV2fuuFbXC5edVAoGPuZJ24D%2Fv7rEHOHYCS2347F4Mq0VQr0PQt68rfbA8DBHTGs1XBS3QFLveflOjIkNzmhJWg23fuvM%2F1Ci0jSxKnR5XeURTArrkbf5eYA72p4QUFMKDgYO6kRpNXHLuDocJdXWjM7AiQ7ZBQdx%2F%2FeNZgb7k7s%2FPTzGuZ%2FTgEvxiGAiaV6PghFIIPSj", "https://vtbehaviour.commondatastorage.googleapis.com/3a498e611cdc305e0ce67b68971ebc9e8b8aa575e9de08ae4bb081e1f6b87945_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1721583388&Signature=L5dgUL09kvWOiINZMa%2FvgcDAW5AFV%2Fqie184iaXQKGccuTzwDYsyx0%2BhI%2FxOXIkON%2Bw0RoRuoasFag44WeapuTjlnv8di%2FZ8iWJdeRGqWOdJ8P4EAPZIICsU%2BxjXP%2BzOSNTz5tcekdSceS%2BkTyDYMO%2F9QxZVwsIV1WnvZaGiR%2BOKIfs4YFXgeGWc23ktkKxbRfeKQY1kFyHTh8Re3lBLC%2Fkq%2FExvl7kqxKIebqquWmo%", "https://vtbehaviour.commondatastorage.googleapis.com/d2cb7cca87c98c4d7a7eb9a40e0f00a231390cfe2f4786e161471a5ca4397a41_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1721583872&Signature=cfVN9vaAZ5UXUaFiEoATwrbKG2RNxzOu3wiH5KMlXdPxTgtpQ920ONEqOhhUb8MNxJwW3AVsCAahYTLdN3FigRPmjIClNTYz%2BoS%2BDl354Z4ZxefdKjl0HJ4%2FmGuzVTBNtc6pftGk4VMAvjgoerYhBf6Olu3ajrMT3h89lKsdBSGc6ra20Btzd%2BzY3Uh1J2gPZ%2BzZPHkTbR0OUTh3oorvIq9Fue8rDbL6PzZLxfPFEZ%2FFCRUnFo", "https://vtbehaviour.commondatastorage.googleapis.com/d2cb7cca87c98c4d7a7eb9a40e0f00a231390cfe2f4786e161471a5ca4397a41_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1721583838&Signature=dw6B7oYQHQ1CxhfF67YE3TZfvqWvO%2FgErgu9Ms4R462ssOAuET7%2F9guBVvhETqvO7ClziwNXLV%2F31SM7aYXjXEUOmfJtHqf5vpFUCub63bX6a1GILj%2BtbX8EmURT4JftAGT%2BwDdgQnHX3y5MvnWd9NpYE8TTYStcf%2BQOWZLWiMNe%2BSxjpsMyOG2ryZdsm7iCyH%2BWdXrvG%2Bh9ccwxPOnUOwoOxUV3hp1ifVzCkbUtYySGTom29VJ8", "https://vtbehaviour.commondatastorage.googleapis.com/3a498e611cdc305e0ce67b68971ebc9e8b8aa575e9de08ae4bb081e1f6b87945_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1721583383&Signature=N7snLsiqkPikwYU0zKl8QxasbcLXiGFXIFaIVT%2FEvzaLWUbnPEkuvuuOAxz9la0bmVndAimDsaexUgrGErDmDbBZ46apRuUnYH3GwBNvZ3YaBIVII4IfP8kDN%2Bi2b3meTPaoyhnWR4UIuYord2Ejg5nAYQ3FJxv4KKyrm8NTlU1cEHTpiBToFL3AVBUOHvCUQ4T1wRMpgO6%2FmyokYYZl8GZa4tjpI%2BncAIOTAfOZePVQ7sAnKHmckU", "https://viz.greynoise.io/analysis/b5c2d562-eee0-46cb-8696-0585e3ce27b8" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada" ], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1574.002", "name": "DLL Side-Loading", "display_name": "T1574.002 - DLL Side-Loading" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1070.006", "name": "Timestomp", "display_name": "T1070.006 - Timestomp" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" } ], "industries": [ "Education", "Government", "Healthcare", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 4402, "URL": 1463, "domain": 621, "hostname": 1159, "FileHash-MD5": 423, "FileHash-SHA1": 423 }, "indicator_count": 8491, "is_author": false, "is_subscribing": null, "subscriber_count": 135, "modified_text": "636 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "665e3cc8e5f574c0359ee961", "name": "Unaccounted for Node and Rust libs on disk", "description": "This morning I went to try and recompile Suricata only to be met with a slew of different errors, pointers to suspect files within the repository, as well as corrupted references and dangling symlinks. Not to mention a failure to mount partitions at boot, my journalctl journal being corrupted, etc. \n\nAfter auditing with pacman -Qn `pacman -Qoq /path/to/files I uncovered a slew of unaccounted for node paths as well as rust paths within /usr/ and /root/. Attached are all of the corresponding sha256's as I get the lot uploaded to VT and a new collection.", "modified": "2024-06-03T22:00:38.320000", "created": "2024-06-03T21:59:36.683000", "tags": [], "references": [ "https://www.virustotal.com/gui/collection/de4f1959c0d0a3097e7faf50b97413adf8d043804c6f612e5bd19d0852795c5b/iocs" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Merkd1904", "id": "196517", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 343, "FileHash-SHA1": 343, "FileHash-SHA256": 1709, "domain": 15, "hostname": 4 }, "indicator_count": 2414, "is_author": false, "is_subscribing": null, "subscriber_count": 74, "modified_text": "726 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6605781ad51380e5b1c22815", "name": "haul from the last two weeks of wrangling - presumed malware and IOC's found on my personal devices", "description": "nearing the two year mark of the first initial attack - unfortunately OTX was only able to pull domains from the large majority of files uploaded which seems to be a built in anti-debug feature and goes with the theme and \"look & feel\" of this latest iteration being that most of them were somehow someway remote and acting as a net file system on my machine", "modified": "2024-04-27T02:04:29.606000", "created": "2024-03-28T14:00:58.809000", "tags": [ "dddf", "target", "dddj", "path", "base o", "base", "backupfile", "base rw", "exit", "date", "hell", "gnu libtool", "please do", "linker", "lsmime3 lnss3", "lplc4 lnspr4", "ludev", "directory", "lmagic ljansson", "feugiat", "lorem ipsum", "nulla facilisi", "malesuada", "etiam tempor", "suspendisse", "consectetur", "bibendum", "amet", "eget aliquet", "basesectors", "date echo", "default", "label", "kernel", "append rhgb", "clsid", "systemroot", "webbrowser", "ispell", "imagemagick", "flex", "zle c", "whois", "locate", "rubber", "chown", "ruby", "ninja", "pacman", "restart", "kill", "django", "mark", "repl", "service", "term", "mkdir", "borg", "black", "conan", "dolphin", "dotnet", "hello", "john", "generic", "find", "shutdown", "mozilla", "first", "subsystem", "action", "goto", "load", "devtype", "idnetdriver", "drivers", "program", "interface", "nmunmanaged", "ethernet", "mac prefix", "attr", "virtualbox host", "mac address", "interface name", "hello world", "unit", "timer", "onbootsec5min", "install", "wait online", "networkmanager", "edit", "note", "typeoneshot", "cloud", "optin", "helper", "for testing", "only", "restrict", "grant", "enable debug", "trace", "killmodeprocess", "typedbus", "reload", "capdacoverride", "dhcp etc", "include", "yara", "cflags", "libs", "xxx remove", "the author", "this software", "isc license", "copyright", "schlueter", "permission", "software is", "provided", "as is", "disclaims all", "direct", "require", "semver", "comparator", "range", "releasetypes", "simple", "tilde", "09azaz", "prerelease", "same", "beta", "semverrangesgtr", "semverrangesltr", "coerce version", "ranges", "alpha", "standalone", "exits", "null", "false", "reverse", "compare", "a javascript", "copyright isaac", "typeerror", "maxsafeinteger", "maxlength", "break", "error", "number", "drop", "same direction", "symbol", "comp", "const", "caret", "flagloose", "xrange", "parse", "identifier", "object", "match", "string", "walk", "manually", "stop", "highhaspre", "major", "minor", "patch", "istanbul", "preminor", "index", "regexp", "build metadata", "meaning", "replace", "token", "zero", "star", "infinity", "return", "a cache", "build status", "coverage status", "the same", "options", "before", "lrulist", "cache", "length", "dispose", "maxage", "allowstale", "nodisposeonset", "yallist", "node", "array", "head", "function", "tail", "start", "insert", "just", "node object", "barbar", "array method", "default export", "any comparator", "complex range", "simple range", "c1 c2", "outer", "every simple", "ecomp", "must", "clone", "case", "ignore", "setmin", "determine", "version", "typeof", "contribute", "status", "node package", "manager", "benchmark suite", "installation", "direct download", "ql https", "node version", "usage", "project", "calendar", "package", "source", "license", "source form", "perl foundation", "distributor fee", "distribute", "standard", "neither", "module", "basecommand", "lifecyclecmd", "base command", "pacote", "browser", "workspace", "pkgname", "await", "boolean", "base class", "wrapwidth", "chalk", "command", "config", "npmcliconfig", "logfile", "timers", "display", "location", "audit", "arboristcmd", "arborist", "global", "whoami", "async", "json", "view", "pref", "pckmnt", "resolve", "utf8", "libnpmversion", "unstar", "update", "save", "omit", "packagelock", "dryrun", "force", "libnpmaccess", "spec", "uninstall", "todo", "enoent", "enotdir", "test", "scriptshell", "scope", "team", "create", "user", "libnpmteam", "destroy", "table", "list", "cidr", "stars", "eneedauth", "shrinkwrap", "rename", "npmcliarborist", "value", "unicode", "sbom", "cyclonedx", "build", "sbomformats", "response", "software bill", "look", "script", "runscript", "indent", "root", "minipass", "search", "pipeline", "filterstream", "libnpmsearch", "long", "grab", "packageurlcmd", "repo", "info", "repo const", "rebuild", "reifycmd", "publish", "libnpmpack", "npmclirunscript", "prune", "remove", "prefix", "args", "queryable", "packagejson", "pong", "cleanurl", "registry", "pack", "load tarball", "noise", "query", "edge", "etarget", "e403", "e404", "outdated", "homepage", "developer", "admin", "owner", "libnpmorg", "npmfetch", "logout", "getauth", "invalid", "parent", "depth", "type", "filteredby", "dedupe", "problems", "login", "link", "util", "installcitest", "runs", "prop", "password", "profile", "mode", "email", "twitter", "hook", "libnpmhook", "init", "wpath", "installtest", "complete", "globaltop", "help", "viewer", "glob", "pattern", "file", "globify", "explore", "shell", "handle", "fund", "which", "fundingsource", "archy", "explain", "helpsearch", "text", "part", "editor", "editor const", "childprocess", "check", "nodemodules", "docs", "promisify", "doctor", "cacache", "mask", "win32", "disttag", "packagespec", "semver range", "delete", "diff", "workspacepath", "actualtree", "libnpmdiff", "deprecate", "message", "write", "clean", "spawn", "compline", "comppoint", "compcword", "epipe", "completion", "compfish", "os x", "bugs", "report", "adduser", "exec", "libnpmexec", "localprefix", "runpath", "skip", "public key", "npmauditreport", "access", "item", "finddupes", "syntaxerror", "getcli", "eventemitter", "abort", "ssri", "columnify", "bundled", "tarball details", "sha1", "daily", "latest", "check daily", "weekly", "cyclonedxschema", "cyclonedxformat", "proppath", "propbundled", "propdevelopment", "propextraneous", "propprivate", "refvcs", "refwebsite", "crypto", "readpassword", "readusername", "reademail", "enter", "enter otp", "otpprompt", "afaf09", "passwordprompt", "auditerror", "getfundinginfo", "json output", "data", "append", "maybeindex", "ontimeend", "name", "returns", "noassertion", "spdxidentifer", "spdxdatalicense", "reldescribes", "reldep", "reftypepurl", "spdxid", "eotp", "e401", "setinterval", "npmlog", "proclog", "maxlogsperfile", "fsminipass", "open", "colmax", "colmin", "colgutter", "quick help", "convert", "b return", "mb return", "gb return", "sigint", "readline", "prompt", "promise", "eresolve error", "overridden", "peer", "extraneous", "optional", "isworkspace", "maxlen", "code", "unfinished", "notice", "isshellout", "matcherrorcode", "devnull", "npmcompletion", "compwords", "compreply", "o default", "f npmcompletion", "ifs compadd", "fish shell", "l cmd", "taken", "comp stuff", "lx compline", "abbrev", "please", "enyi", "json version", "cygwin", "c1 control", "numbers", "x09 x0a", "10000", "nodemodulesnpm", "builtin", "npmrc", "notsup", "notarget", "nospc", "rofs", "author", "npmclifs", "minimatch", "pathtofoo", "relative", "synopsis", "description", "field", "person", "configuration", "whether", "premajor", "prepatch", "prevents", "run git", "upgrade", "examples", "will", "shareman", "cidr whitelist", "please refer", "tokenid", "eslint", "c eslint", "compatibility", "older", "versions", "nodeoptions", "details", "output", "example", "posix", "unstarring", "lcall", "starring", "lock", "materials", "spdx", "lodash", "nodeenv", "initcwd", "boolean set", "boolean tells", "windows", "unix", "selector", "use cases", "queries", "equivalent", "boolean show", "nocolor environ", "cli look", "boolean force", "dependency", "json object", "production", "files", "cicd system", "property", "change", "url opener", "basic auth", "allow", "description a", "removes", "semvermajor", "ping https", "ping http", "found", "get http", "example add", "json format", "handy", "display prefix", "g usrlocal", "mycorp", "associate", "deprecated", "libnodemodules", "caveat note", "workspace usage", "string override", "tarball", "githubrepo", "initializer", "usrfoo", "forwarding", "suppose", "commandsnpm", "hooks", "url endpoint", "browse", "consider", "ci environment", "string optional", "promzard", "top level", "expect", "javascript", "it staff", "https", "cli team", "ecmascript", "readme", "package current", "latest location", "depended", "git repos", "git dependency", "newest version", "modify package", "description add", "show", "purpose tags", "tags", "keyvalue", "16 16", "boolean ignore", "boolean do", "string source", "treat", "example make", "grep", "travis ci", "details npm", "localappdata", "tab completion", "bulk advisory", "sha256publickey", "endpoint", "quick audit", "set access", "that user", "scoped", "python", "description npm", "node javascript", "important npm", "introduction", "c code", "unix system", "integrity", "provide", "facilitate", "cli tool", "handling old", "lockfiles", "file format", "legacy", "urls", "spdx license", "most", "barney rubble", "specify", "github", "dependencies", "github urls", "node installer", "linux", "overview", "windows node", "prefixetcnpmrc", "variablename", "home", "comments", "peruser config", "global config", "builtin config", "auth", "cycles", "local install", "global install", "appdata", "below", "please note", "stage", "after", "life cycle", "runs after", "post scripts", "scripts", "slate", "synopsis so", "rf usrlocal", "modules", "with", "laf usrlocal", "l npm", "description all", "installing", "myorgmypackage", "requiring", "publishing", "private modules", "scopes", "apis", "auth related", "does", "package name", "aliases", "folders", "os equivalent", "tarballs", "teams", "orgs", "super admin", "team admins", "developer guide", "description so", "be explicit", "blank", "standard glob", "link packages", "syntax", "selectors", "querying", "log file", "location all", "log levels", "information", "headers", "logs", "alias", "certificate", "format", "docext", "content", "descriptions", "shorthands", "keyb", "print", "dir1", "manual", "input", "line", "process", "display help", "dirs", "get contents", "maxdepth", "contents", "u2665 bxe5r", "ud834udf06 baz", "single", "cssesc", "usage arborist", "commands", "options most", "npm install", "npm rm", "time", "silent", "fetch", "conf", "handler", "extract", "additional", "jackspeak", "jack", "glob v", "expand", "drive letter", "never", "true", "rob browning", "gnu library", "general", "public license", "license file", "future import", "adderror", "cdfq", "charles levert", "egrep", "egrepegrep", "fgrepfgrep", "grepgrep", "svr4 grepegrep", "times", "attributeerror", "fixcygwinid", "enhanced", "false try", "false assert", "tsns", "inetaddress", "none", "return value", "unixaddress", "localrepo", "httpserver", "valueerror", "resourcepath", "exception", "eoferror", "c version", "bytesio", "offset", "binary", "ascii", "baseversion", "commit", "throw", "in n", "send", "data end", "if 10", "copy", "send logoutn", "exitatoi", "tmplink", "lcallc binls", "varlogsetup rm", "sf tmp", "slackware", "system console", "entry", "ansi mode", "b007e", "slackware ftp", "cdrom", "miquel van", "smoorenburg", "okay", "minix", "fixme", "overwrite", "connect", "ssh connection", "subcmd", "bbupttywidth", "bupforcetty", "hashsplitter", "b options", "false def", "hack", "kbytesr", "srcpath", "tmptagfiles", "device", "tmpreply", "reply", "including", "but not", "quotesplit", "quoteerror", "not word", "split line", "mainselect", "tpxetcfstab", "select", "slackware linux", "varlogmount", "anything", "tmpswapmsg", "swappart", "ndir", "swaplist", "tmpsetswap", "linux swap", "swap space", "redir", "linux fdisk", "tmptmpscript", "eof fi", "instsets", "gnome", "tmpsetds", "tmpsetseries", "gnu emacs", "gnome desktop", "linux kernel", "k desktop", "uucp", "tmp fi", "tmpsettpx", "tpxetcshadow", "root password", "detected", "internet", "press", "linux native", "partitions", "tmpreturn", "nodes", "nextpartition", "rootdevice", "mtpt", "size", "formatting", "doformat", "main", "done", "sourcemedia", "tmpmedia", "source media", "selection", "slackware cd", "network file", "tmpsetreturn", "maketag", "choice", "mount", "tagext", "tmpsetnewtag", "tmpsettagmake", "sorry", "tmpsetkeymap", "mapname", "moorhead", "keyboard map", "us keyboard", "updown", "copying", "kernel chmod", "kernel rdev", "lilo", "fullerr", "tmpsettestfull", "partition full", "setup", "altf2", "slackware setup", "dospart", "newdir", "tmptempscript", "tmpsetdos", "partition", "ntfs", "doslist", "installscripts", "tpxproc", "atapi cd", "kerberos", "file transfer", "iana", "appletalk", "network", "control", "secure shell", "chat", "contact", "prospero", "outtag", "outshift", "if 30", "conn", "setmode", "dumb", "smart", "clienterror", "rather", "stopiteration", "firstexclusion", "appendcommit", "firstbranchitem", "filterbranch", "origtip", "oldnew", "remoterepo", "group", "prevpath", "sisdir import", "dangerous", "count", "subcount", "ioerror", "oserror", "gitmodetree", "gitmodefile", "gitmodesymlink", "stack", "nonlocal", "revision", "presdir", "admdirpackages", "warn", "tmprequiredlist", "trigger", "arch", "procscsiscsi", "luns", "scsi", "ax1b", "skript", "scsi bus", "kurt garloff", "gnu gpl", "ieee1394", "l found0", "nextrepoid", "repoid", "realpath", "usb keyboard", "d libmodules", "nousb", "procbususb a", "procbususb fi", "load input", "q input", "inet system", "hostname", "attach", "etcmotd", "newdisk", "scan", "slackkernel", "ram disk", "r sbp2", "r ieee1394", "firewire", "noieee1394", "q ieee1394", "attempt", "use f", "none def", "return password", "return none", "passwd", "nametopwdcache", "gidtogrpcache", "nametogrpcache", "tagfile", "prompt mode", "help software", "less", "removepkg", "gnu cc", "linux source", "pkgtool", "proccmdline", "termvt100", "termlinux", "homeroot lessmm", "ps1u", "home path", "display less", "term ps1", "kind", "branch", "period", "tmpsetfdisk", "minor elif", "smashedline", "l dev", "tmpsetfdisk fi", "probe", "mylex", "raid", "disksets", "packagedir", "blurb", "sourcedir", "tmptmpmsg", "tmptagfile", "media", "pcmcia", "umountcdrom", "o ro", "floppy", "pcmcia andor", "cardbus", "usedflopfalse", "libdir", "libdir exedir", "bcmd", "exedir", "openssl set", "packageversion", "versiongreater", "invert", "optdict", "intify", "limited to", "sockets layer", "argv", "normally", "shutwr", "sigexception", "demuxconn", "pipe import", "demultiplex", "openssl", "debug", "opensslversion", "static imported", "target openssl", "cmake", "shared imported", "fatalerror", "obex", "import", "stringio import", "obex service", "bdaddr channeln", "ascii character", "alength", "notfoundreturn", "use nis", "nis version", "name service", "switch config", "legal", "use dns", "domain name", "os2 boot", "os2 fdisk", "partition magic", "boot manager", "tcpip subsystem", "nfs install", "network support", "make", "sample file", "zip disk", "zip drive", "first scsi", "first ide", "atari", "solaris", "drive x", "zip100", "linkdir", "linkdir fi", "tmp directory", "asap", "linkdir tmp", "indexerror", "want", "midxversion", "wrapper", "multiple index", "filename", "desiredhwm", "domidx", "exitstack", "total", "option", "c option", "vmsize", "vmrss", "vmdata", "vmstk", "majflt", "september", "guess object", "longmatch", "raid device", "devrd", "devname", "concord", "applyerror", "metadata", "einval", "macos", "frozen", "fifo", "common code", "faildelay", "faillogenab", "logunkfailenab", "logoklogins", "lastlogenab", "mailcheckenab", "quotasenab", "syslogsuenab", "syslogsgenab", "console console", "ttywidth", "baseexception", "pythonpath", "pipe", "sigismember", "xdropaqueauth", "libcpvalloc", "rtld", "gnu c", "library", "free software", "foundation", "gnu lesser", "general public", "merchantability", "refs", "keyerror", "important", "carefully", "kwargs", "super", "true result", "priority", "pmsg", "crunch", "tmptempmsg", "localnetmask", "localipaddr", "upnrun", "ip address", "localgateway", "kversion", "eof dialog", "tmpmask", "localnetwork", "slackdevice", "fgrep", "ftp site", "tmpsetmount", "reboot machine", "tmpwhichdrv", "tmpsetmount cat", "select floppy", "drive", "tmptempmsg exit", "tmptempmsg mv", "tmpsourcedir", "drivefound", "cddvd", "rdir", "cddvd drive", "tmpsetcddev", "ide bus", "tmperrordo exit", "third", "login binsh", "l ttys0", "l ttys1", "x0 s", "reboot", "stuff", "bupdir", "iterhelper", "next", "none d", "indexhdr", "ixexists", "ixhashvalid", "ixshamissing", "indexsig", "entlen", "footersig", "tmpdir", "experimental", "bdupcache", "brestore", "bindex", "agulbra", "tcpip", "linux box", "hlinkdb", "verify", "maxpertree", "bupblobbits", "buptreeblobbits", "giterror", "mpicount", "bupnormal", "bupchunked", "refresh", "close", "dump", "dest", "commonargs", "ref dest", "pick", "btree", "missingobject", "bloom filter", "existingcount", "idxlivecount", "ram budget", "bupfs", "importerror", "fuse", "verbose", "fakemetadata", "fsdecode", "ptraceerror", "ptracesetregs", "cpu64bits", "ptraceattach", "ptracedetach", "ptracesyscall", "cpuwordsize", "runningbsd", "ext2", "proc proc", "commanderror", "optionerror", "lcctype", "iso88591", "localrepo repo", "sbine2fsck", "bfailed", "elif", "bcanary", "posix acls", "linux partition", "move", "pgdnspace", "olargefile", "onofollow", "xdev", "xdevxdev", "dirlist", "prepend", "cyan", "white", "blue", "dialog box", "yellow", "active button", "inactive button", "search box", "input box", "green", "excluderxs", "doit", "s seed", "this command", "is extremely", "dangerous n", "chunksize", "socket", "return hex", "supports python", "rethrow", "hostrs", "bnone", "bload", "branchpath", "snapshotroot", "snapshot", "tmpidx", "bashsource", "bashlineno", "int dryrun", "importing", "ux f", "sbinbrc", "eof binsync", "unmounting file", "devnull echo", "rest", "first assert", "existing", "restcount", "none path", "maxbloombits", "bloomversion", "maxbitseach", "discussion", "k4 k5", "k6 k7", "k8 k9", "rvatoi", "exitrv", "exit 1", "noblock", "sisdir", "sislnk", "writetree", "rawtreeitem", "splittreeitem", "metadataro", "meta", "builtmodulename", "dkms", "packagename", "autoinstall", "kernelrelease", "kbuild", "kerneluname", "implementation", "murmurhash3", "jens taylor", "gary court", "austin appleby", "typeof h", "later", "tls1", "fbtfr", "fbfr", "apache http", "fbefr", "fbhfr", "fbabfr", "http", "keepalive", "sandbox", "malware", "analysis", "online", "submit", "vxstream", "sample", "download", "trojan", "apt", "runtime data", "ansi", "getprocaddress", "access type", "ck id", "observed ja3", "mitre att", "show technique", "suspicious", "hybrid", "click", "delphi", "strings", "malicious", "february", "middle", "exploit", "gameover", "hybrid analysis", "api key", "vetting process", "ck matrix", "accept", "memoryfile scan", "invalid octet", "falcon sandbox", "tmpp59thrck", "informative", "name tactics" ], "references": [ "itl-logo.txt", "empty.exe", "libnm.la", "libyara.la", "sunjava_map.xml", "lorem.txt", "stage2", "q\u00e9\u00d5?e\u00ac\u00d2\u00b6.\u000f\u001c\u00cc", "syslinux.cfg", "x.jnlp", "desktop.ini", "a.txt", "a.txt:ads.txt", "dir:ads.txt", "b.txt:ads.txt", "no_ads.txt", ".:ads.txt", "b.txt", "nm-shared.xml", ".zcompdump-m1904-5.9", ".zcompdump", "90-nm-thunderbolt.rules", "84-nm-drivers.rules", "85-nm-unmanaged.rules", "???? ????????.txt", "notes.txt", "notes.txt:ads", "nm-cloud-setup.timer", "NetworkManager-wait-online.service", "nm-cloud-setup.service", "nm-priv-helper.service", "NetworkManager-dispatcher.service", "NetworkManager.service", "NetworkManager-ovs.conf", "nm-pppd-plugin.la", "yara.pc", "libnm.pc", "preload.js", "LICENSE", "index.js", "range.bnf", "package.json", "README.md", "semver.js", "comparator.js", "range.js", "valid.js", "sort.js", "satisfies.js", "rsort.js", "rcompare.js", "prerelease.js", "patch.js", "neq.js", "minor.js", "major.js", "lt.js", "inc.js", "parse.js", "gt.js", "eq.js", "gte.js", "compare-loose.js", "compare.js", "clean.js", "cmp.js", "coerce.js", "compare-build.js", "diff.js", "lte.js", "parse-options.js", "identifiers.js", "debug.js", "constants.js", "re.js", "yallist.js", "iterator.js", "subset.js", "to-comparators.js", "outside.js", "min-version.js", "min-satisfying.js", "max-satisfying.js", "ltr.js", "simplify.js", "intersects.js", "gtr.js", "npmrc", "cli.js", "lifecycle-cmd.js", "cli-entry.js", "package-url-cmd.js", "base-command.js", "npm.js", "arborist-cmd.js", "whoami.js", "view.js", "version.js", "unstar.js", "update.js", "unpublish.js", "uninstall.js", "test.js", "team.js", "stop.js", "start.js", "token.js", "stars.js", "shrinkwrap.js", "set.js", "star.js", "sbom.js", "run-script.js", "root.js", "search.js", "repo.js", "restart.js", "rebuild.js", "publish.js", "prune.js", "prefix.js", "pkg.js", "ping.js", "pack.js", "query.js", "outdated.js", "org.js", "owner.js", "logout.js", "ls.js", "ll.js", "login.js", "link.js", "install-ci-test.js", "profile.js", "hook.js", "init.js", "install-test.js", "install.js", "help.js", "explore.js", "fund.js", "explain.js", "help-search.js", "get.js", "edit.js", "docs.js", "doctor.js", "dist-tag.js", "dedupe.js", "deprecate.js", "ci.js", "config.js", "completion.js", "bugs.js", "adduser.js", "exec.js", "audit.js", "access.js", "cache.js", "find-dupes.js", "validate-engines.js", "web-auth.js", "tar.js", "update-notifier.js", "sbom-cyclonedx.js", "replace-info.js", "read-user-info.js", "reify-output.js", "queryable.js", "timers.js", "validate-lockfile.js", "sbom-spdx.js", "otplease.js", "pulse-till-done.js", "log-shim.js", "log-file.js", "npm-usage.js", "get-identity.js", "format-bytes.js", "open-url-prompt.js", "explain-eresolve.js", "explain-dep.js", "exit-handler.js", "open-url.js", "did-you-mean.js", "completion.sh", "completion.fish", "cmd-list.js", "auth.js", "audit-error.js", "is-windows.js", "display.js", "reify-finish.js", "error-message.js", "format-search-stream.js", "installed-shallow.js", "installed-deep.js", "update-workspaces.js", "get-workspaces.js", "npm-view.md", "npm-version.md", "npm-uninstall.md", "npm-token.md", "npx.md", "npm-team.md", "npm-stop.md", "npm-unstar.md", "npm-start.md", "npm-star.md", "npm-test.md", "npm-shrinkwrap.md", "npm-stars.md", "npm-sbom.md", "npm-root.md", "npm-run-script.md", "npm-restart.md", "npm-rebuild.md", "npm-query.md", "npm-search.md", "npm-prune.md", "npm-publish.md", "npm-profile.md", "npm-repo.md", "npm-whoami.md", "npm-pkg.md", "npm-pack.md", "npm-ping.md", "npm-org.md", "npm-owner.md", "npm-prefix.md", "npm-login.md", "npm-logout.md", "npm-link.md", "npm-install-ci-test.md", "npm-install.md", "npm-init.md", "npm-update.md", "npm-help-search.md", "npm-hook.md", "npm-help.md", "npm-find-dupes.md", "npm-explore.md", "npm-unpublish.md", "npm-exec.md", "npm-ls.md", "npm-edit.md", "npm-doctor.md", "npm-fund.md", "npm-outdated.md", "npm-docs.md", "npm-dist-tag.md", "npm-config.md", "npm-diff.md", "npm-ci.md", "npm-cache.md", "npm-bugs.md", "npm-completion.md", "npm-audit.md", "npm-access.md", "npm.md", "npm-install-test.md", "npm-adduser.md", "npm-dedupe.md", "package-lock-json.md", "package-json.md", "npm-shrinkwrap-json.md", "install.md", "npmrc.md", "folders.md", "workspaces.md", "scripts.md", "removal.md", "scope.md", "registry.md", "package-spec.md", "orgs.md", "developers.md", "dependency-selectors.md", "logging.md", "config.md", "node-which", "mkdirp", "qrcode-terminal", "installed-package-contents", "cssesc", "color-support", "arborist", "pacote", "glob", "empty", "xstat (2).py", "zgrep", "xstat.py", "wtmp", "web.py", "vt300", "vt300 (2)", "vt100 (3)", "vt100", "vint.py", "version (2).py", "version.py", "vdecmd", "unmigrate (2).sh", "unmigrate.sh", "tick.py", "termcap (2)", "termcap", "tag.py", "syslinux (2).cfg", "syslog.conf", "syslog (2).conf", "styles.css", "stdcrt (2)", "std (2)", "stage2 (3)", "stage2 (2)", "std", "ssh.py", "source_info.py", "split.py", "slackinstall", "stdcrt", "shells", "shells (2)", "shquote.py", "shadow (2)", "shadow", "setup (2)", "SeTswap (2)", "SeTPKG (2)", "setup", "SeTswap", "SeTpasswd (2)", "SeTpasswd", "SeTnopart (2)", "SeTpartitions (2)", "SeTnopart", "SeTPKG", "SeTmedia (2)", "SeTpartitions", "SeTmedia", "SeTmaketag", "slackinstall (2)", "SeTkeymap (2)", "SeTmaketag (2)", "SeTkernel", "SeTfull (2)", "SeTkernel (2)", "SeTfull", "SeTfdHELP", "SeTfdHELP (2)", "SeTkeymap", "SeTDOS (2)", "SeTconfig (2)", "services (2)", "SeTDOS", "SeTconfig", "services", "sendcmd.rc", "securetty (2)", "securetty", "server.py", "rm.py", "restore.py", "rm (2).py", "save.py", "removepkg", "rescan-scsi-bus", "removepkg (2)", "README (2)", "README", "repo.py", "rc.usb", "rc.inet1", "rc.S", "rc.ieee1394", "random.py", "pwdgrp.py", "PROMPThelp (2)", "profile (2)", "prune_older.py", "profile", "probe (2)", "probe", "pkgtool", "pkgtool (2)", "pcmcia", "path.py", "passwd (2)", "passwd", "OpenSSLConfigVersion.cmake", "options.py", "PROMPThelp", "openssl.pc", "openmachine.rc", "on__server.py", "on.py", "OpenSSLConfig.cmake", "obexstress", "nsswitch (2).conf", "nsswitch.conf", "nopartHELP (2)", "nopartHELP", "networks (2)", "networks", "network", "mux.py", "mtools (2).conf", "mtools.conf", "mtab (2)", "mtab", "motd (2)", "motd", "modules.pcimap", "modules.pnpbiosmap", "modules.parportmap", "modules.usbmap", "modules.isapnpmap", "modules.ieee1394map", "modules.generic_string", "modules.dep", "migrate (2).sh", "migrate.sh", "midx.py", "midx (2).py", "meta.py", "memtest.py", "margin.py", "makedevs (2).sh", "makedevs.sh", "metadata.py", "ls (2).py", "ls.py", "login (2).defs", "main.py", "login.defs", "list_idx.py", "libssl.pc", "libnm-wwan.la", "libnm-ppp-plugin.la", "libnm-device-plugin-wwan.la", "libnm-device-plugin-wifi.la", "libnm-device-plugin-team.la", "libnm-device-plugin-bluetooth.la", "libnm-device-plugin-ovs.la", "libnm-device-plugin-adsl.la", "libcrypto.pc", "libc6-i386_2.31-0ubuntu6_amd64.url", "libc6-i386_2.31-0ubuntu6_amd64.info", "libc6-i386_2.30-4_amd64.url", "libc6-i386_2.31-0ubuntu6_amd64.symbols", "libc6-i386_2.30-4_amd64.info", "libc6-i386_2.30-4_amd64.symbols", "libc6-i386_2.30-0ubuntu2_amd64.url", "libc6-i386_2.30-0ubuntu2_amd64.info", "libc6-i386_2.30-0ubuntu2.1_amd64.url", "libc6-i386_2.30-0ubuntu2_amd64.symbols", "libc6-i386_2.30-0ubuntu2.1_amd64.info", "libc6-i386_2.29-0ubuntu2_amd64.url", "libc6-i386_2.29-0ubuntu2_amd64.symbols", "libc6-i386_2.29-0ubuntu2_amd64.info", "libc6-i386_2.28-10_amd64.url", "libc6-i386_2.28-10_amd64.info", "libc6-i386_2.28-10_amd64.symbols", "libc6-i386_2.28-0ubuntu1_amd64.symbols", "libc6-i386_2.28-0ubuntu1_amd64.info", "libc6-i386_2.27-3ubuntu1_amd64.url", "libc6-i386_2.27-3ubuntu1_amd64.symbols", "libc6-i386_2.28-0ubuntu1_amd64.url", "libc6-i386_2.27-3ubuntu1_amd64.info", "libc6-i386_2.26-0ubuntu2_amd64.url", "libc6-i386_2.26-0ubuntu2_amd64.info", "libc6-i386_2.26-0ubuntu2_amd64.symbols", "libc6-i386_2.26-0ubuntu2.1_amd64.url", "libc6-i386_2.26-0ubuntu2.1_amd64.info", "libc6-i386_2.24-11+deb9u4_amd64.url", "libc6-i386_2.30-0ubuntu2.1_amd64.symbols", "libc6-i386_2.26-0ubuntu2.1_amd64.symbols", "libc6-i386_2.24-9ubuntu2_amd64.symbols", "libc6-i386_2.24-11+deb9u4_amd64.symbols", "libc6-i386_2.24-9ubuntu2_amd64.url", "libc6-i386_2.24-9ubuntu2_amd64.info", "libc6-i386_2.24-9ubuntu2.2_amd64.url", "libc6-i386_2.24-9ubuntu2.2_amd64.symbols", "libc6-i386_2.24-9ubuntu2.2_amd64.info", "libc6-i386_2.24-3ubuntu2.2_amd64.url", "libc6-i386_2.24-3ubuntu2.2_amd64.info", "libc6-i386_2.24-3ubuntu2.2_amd64.symbols", "libc6-i386_2.24-3ubuntu1_amd64.url", "libc6-i386_2.23-0ubuntu11_amd64.url", "libc6-i386_2.24-3ubuntu1_amd64.symbols", "libc6-i386_2.24-3ubuntu1_amd64.info", "libc6-i386_2.23-0ubuntu11_amd64.symbols", "libc6-i386_2.23-0ubuntu11_amd64.info", "libc6-i386_2.23-0ubuntu10_amd64.url", "libc6-i386_2.23-0ubuntu10_amd64.symbols", "libc6-i386_2.23-0ubuntu10_amd64.info", "libc6-i386_2.23-0ubuntu3_amd64.symbols", "libc6-i386_2.23-0ubuntu3_amd64.info", "libc6-i386_2.21-0ubuntu4_amd64.url", "libc6-i386_2.23-0ubuntu3_amd64.url", "libc6-i386_2.21-0ubuntu4_amd64.info", "libc6-i386_2.21-0ubuntu4.3_amd64.url", "libc6-i386_2.21-0ubuntu4_amd64.symbols", "libc6-i386_2.21-0ubuntu4.3_amd64.info", "libc6-i386_2.19-18+deb8u10_amd64.url", "libc6-i386_2.19-18+deb8u10_amd64.symbols", "libc6-i386_2.19-18+deb8u10_amd64.info", "libc6-i386_2.19-10ubuntu2_amd64.url", "libc6-i386_2.19-10ubuntu2_amd64.symbols", "libc6-i386_2.21-0ubuntu4.3_amd64.symbols", "libc6-i386_2.19-10ubuntu2_amd64.info", "libc6-i386_2.19-10ubuntu2.3_amd64.symbols", "libc6-i386_2.24-11+deb9u4_amd64.info", "libc6-i386_2.19-0ubuntu6_amd64.url", "libc6-i386_2.19-10ubuntu2.3_amd64.url", "libc6-i386_2.19-10ubuntu2.3_amd64.info", "libc6-i386_2.19-0ubuntu6_amd64.info", "libc6-i386_2.19-0ubuntu6_amd64.symbols", "libc6-i386_2.19-0ubuntu6.15_amd64.info", "libc6-i386_2.19-0ubuntu6.15_amd64.url", "libc6-i386_2.19-0ubuntu6.15_amd64.symbols", "libc6-i386_2.17-93ubuntu4_amd64.url", "libc6-i386_2.17-93ubuntu4_amd64.info", "libc6-i386_2.17-0ubuntu5_amd64.url", "libc6-i386_2.17-93ubuntu4_amd64.symbols", "libc6-i386_2.17-0ubuntu5_amd64.info", "libc6-i386_2.17-0ubuntu5.1_amd64.url", "libc6-i386_2.17-0ubuntu5_amd64.symbols", "libc6-i386_2.17-0ubuntu5.1_amd64.symbols", "libc6-i386_2.17-0ubuntu5.1_amd64.info", "libc6-i386_2.15-0ubuntu20_amd64.url", "libc6-i386_2.15-0ubuntu20.2_amd64.url", "libc6-i386_2.15-0ubuntu20_amd64.symbols", "libc6-i386_2.15-0ubuntu20.2_amd64.info", "libc6-i386_2.15-0ubuntu20.2_amd64.symbols", "libc6-i386_2.15-0ubuntu10_amd64.info", "libc6-i386_2.15-0ubuntu10_amd64.url", "libc6-i386_2.15-0ubuntu20_amd64.info", "libc6-i386_2.15-0ubuntu10.18_amd64.url", "libc6-i386_2.15-0ubuntu10_amd64.symbols", "libc6-i386_2.15-0ubuntu10.18_amd64.info", "libc6-i386_2.13-20ubuntu5_amd64.url", "libc6-i386_2.13-20ubuntu5_amd64.info", "libc6-i386_2.13-20ubuntu5_amd64.symbols", "libc6-i386_2.13-20ubuntu5.3_amd64.url", "libc6-i386_2.13-20ubuntu5.3_amd64.info", "libc6-i386_2.13-20ubuntu5.2_amd64.url", "libc6-i386_2.13-20ubuntu5.3_amd64.symbols", "libc6-i386_2.15-0ubuntu10.18_amd64.symbols", "libc6-i386_2.13-20ubuntu5.2_amd64.info", "libc6-i386_2.13-0ubuntu13_amd64.url", "libc6-i386_2.13-0ubuntu13_amd64.info", "libc6-i386_2.13-20ubuntu5.2_amd64.symbols", "libc6-i386_2.13-0ubuntu13.2_amd64.url", "libc6-i386_2.13-0ubuntu13_amd64.symbols", "libc6-i386_2.12.1-0ubuntu10.4_amd64.url", "libc6-i386_2.13-0ubuntu13.2_amd64.info", "libc6-i386_2.12.1-0ubuntu10.4_amd64.info", "libc6-i386_2.13-0ubuntu13.2_amd64.symbols", "libc6-i386_2.12.1-0ubuntu6_amd64.info", "libc6-i386_2.11.1-0ubuntu7_amd64.url", "libc6-i386_2.12.1-0ubuntu6_amd64.symbols", "libc6-i386_2.12.1-0ubuntu10.4_amd64.symbols", "libc6-i386_2.12.1-0ubuntu6_amd64.url", "libc6-i386_2.11.1-0ubuntu7_amd64.info", "libc6-i386_2.11.1-0ubuntu7.21_amd64.info", "libc6-i386_2.11.1-0ubuntu7.21_amd64.symbols", "libc6-i386_2.11.1-0ubuntu7.12_amd64.url", "libc6-i386_2.11.1-0ubuntu7_amd64.symbols", "libc6-i386_2.11.1-0ubuntu7.11_amd64.url", "libc6-i386_2.11.1-0ubuntu7.21_amd64.url", "libc6-i386_2.11.1-0ubuntu7.12_amd64.symbols", "libc6-i386_2.11.1-0ubuntu7.11_amd64.info", "libc6-i386_2.11.1-0ubuntu7.11_amd64.symbols", "libc6-i386_2.10.1-0ubuntu19_amd64.url", "libc6-i386_2.10.1-0ubuntu19_amd64.info", "libc6-i386_2.10.1-0ubuntu19_amd64.symbols", "libc6-i386_2.10.1-0ubuntu15_amd64.info", "libc6-i386_2.10.1-0ubuntu15_amd64.symbols", "libc6-i386_2.11.1-0ubuntu7.12_amd64.info", "libc6-i386_2.9-4ubuntu6_amd64.url", "libc6-i386_2.9-4ubuntu6_amd64.info", "libc6-i386_2.9-4ubuntu6_amd64.symbols", "libc6-i386_2.10.1-0ubuntu15_amd64.url", "libc6-i386_2.9-4ubuntu6.3_amd64.info", "libc6-i386_2.8~20080505-0ubuntu9_amd64.url", "libc6-i386_2.9-4ubuntu6.3_amd64.symbols", "libc6-i386_2.9-4ubuntu6.3_amd64.url", "libc6-i386_2.8~20080505-0ubuntu9_amd64.info", "libc6-i386_2.8~20080505-0ubuntu7_amd64.url", "libc6-i386_2.7-10ubuntu8.3_amd64.url", "libc6-i386_2.8~20080505-0ubuntu7_amd64.info", "libc6-i386_2.7-10ubuntu8.3_amd64.info", "libc6-i386_2.7-10ubuntu3_amd64.url", "libc6-i386_2.8~20080505-0ubuntu7_amd64.symbols", "libc6-i386_2.7-10ubuntu3_amd64.symbols", "libc6-i386_2.7-10ubuntu3_amd64.info", "libc6-i386_2.6.1-1ubuntu10_amd64.url", "libc6-i386_2.6.1-1ubuntu10_amd64.symbols", "libc6-i386_2.6.1-1ubuntu10_amd64.info", "libc6-i386_2.7-10ubuntu8.3_amd64.symbols", "libc6-i386_2.6.1-1ubuntu9_amd64.url", "libc6-i386_2.6.1-1ubuntu9_amd64.info", "libc6-i386_2.6.1-1ubuntu9_amd64.symbols", "libc6-i386_2.5-0ubuntu14_amd64.symbols", "libc6-i386_2.5-0ubuntu14_amd64.info", "libc6-i386_2.4-1ubuntu12_amd64.url", "libc6-i386_2.4-1ubuntu12_amd64.symbols", "libc6-i386_2.4-1ubuntu12_amd64.info", "libc6-i386_2.8~20080505-0ubuntu9_amd64.symbols", "libc6-i386_2.4-1ubuntu12.3_amd64.url", "libc6-i386_2.4-1ubuntu12.3_amd64.info", "libc6-i386_2.5-0ubuntu14_amd64.url", "libc6-i386_2.3.6-0ubuntu20_amd64.url", "libc6-i386_2.3.6-0ubuntu20_amd64.symbols", "libc6-i386_2.3.6-0ubuntu20_amd64.info", "libc6-i386_2.3.6-0ubuntu20.6_amd64.url", "libc6-i386_2.3.6-0ubuntu20.6_amd64.info", "libc6-i386_2.3.6-0ubuntu20.6_amd64.symbols", "ldd", "libc6-i386_2.4-1ubuntu12.3_amd64.symbols", "ld.so (2).conf", "ld.so.conf", "join.py", "itl-logo (3).txt", "itl-logo (2).txt", "issue", "issue (2)", "io.py", "installpkg", "INSNFS (2)", "installpkg (2)", "INSNFS", "INShd", "INShd (2)", "INSfd (2)", "INSfd", "INSdir (2)", "INSdir", "INSCD", "INSCD (2)", "inittab (2)", "inittab", "init.py", "__init__ (2).py", "__init__.py", "index (2).py", "index.py", "import_duplicity.py", "hosts (2)", "hosts", "host (2).conf", "host.conf", "HOSTNAME", "hlinkdb.py", "help.py", "helpers.py", "HOSTNAME (2)", "hashsplit.py", "group (2)", "group", "gc (2).py", "git.py", "get.py", "gc.py", "fuse.py", "func.py", "fstab (2)", "fstab", "ftp.py", "fsck (2).ext2", "fsck (2).ext3", "fsck.ext3", "fsck.ext2", "fsck.py", "filesize", "features.py", "fdisk (2)", "fdisk", "FDhelp (2)", "FDhelp", "empty (3)", "empty (2)", "drecurse.py", "dialogrc", "dialogrc (2)", "disk2 (2)", "drecurse (2).py", "disk2", "damage.py", "daemon.py", "compat.py", "closemachine.rc", "checkout_info.py", "cfdisk (2)", "client.py", "cfdisk", "cat_file.py", "bup-import-rsnapshot", "bup-import-rdiff-backup", "brc (2)", "brc", "bloom (2).py", "bloom.py", "asyncrecv.rc", "90-nm-cloud-setup.sh", "vfs.py", "tree.py", "template-WaR2X6", "a1676298638", "a4033901479", ".X1-lock", ".X0-lock", ".X1024-lock", "b3336837578", "MozillaUpdateLock-7A4D7A8EFFB43502", "imurmurhash.min.js", ".X1025-lock", "murmur2", "b529967783", "empty.lock~", "ab.1", "https://hybrid-analysis.com/sample/babc94597eadb83b520d6a46a57ef2ad963683aef1ff2fc6fa9ba5e98e78e008/65fcd2b1519a5f86d60eed63", "https://hybrid-analysis.com/file-collection/6604df33503d4a306e01c776", "https://hybrid-analysis.com/sample/babc94597eadb83b520d6a46a57ef2ad963683aef1ff2fc6fa9ba5e98e78e008/6604e16b6b94878cbb062194", "https://hybrid-analysis.com/file-collection/6604df4bb797f028b4065601", "https://hybrid-analysis.com/sample/2eaba531c48445e241c116f61653649e403d4b1ef07bfc96390e986e1eeb5b83/6604e230edf88ab15b0d83fc", "https://hybrid-analysis.com/file-collection/66057525d9b81759df06c4b5", "https://hybrid-analysis.com/sample/d714e2a850645f9a0f8f3785dd0eedd47a417417bed470b968e0f6a1a2e746e6/652cf1f4243d9d03b90f74a1", "https://www.virustotal.com/gui/file/ea8490563a229b89f2b779217938f9eb2bcf93dd89de9f7fc5c035632f0934b5/relations" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1489", "name": "Service Stop", "display_name": "T1489 - Service Stop" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" }, { "id": "T1030", "name": "Data Transfer Size Limits", "display_name": "T1030 - Data Transfer Size Limits" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 36, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Merkd1904", "id": "196517", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 297, "email": 8, "hostname": 204, "URL": 382, "FileHash-SHA1": 7, "CVE": 2, "FileHash-MD5": 45, "FileHash-SHA256": 5 }, "indicator_count": 950, "is_author": false, "is_subscribing": null, "subscriber_count": 72, "modified_text": "764 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65cdd33681646a5b9719c6d3", "name": "IOC seen targeting public cloud infrastructure : 12-02-2024", "description": "IOCs seen on : https://github.com/unknownhad/CloudIntel/blob/main/2024/02/12-02-2024", "modified": "2024-03-16T09:03:31.705000", "created": "2024-02-15T09:02:46.733000", "tags": [ "license", "cloudintel", "path", "post hnap1", "accept", "devshm", "kwjmfrndd", "kwjmf" ], "references": [ "https://github.com/unknownhad/CloudIntel/blob/main/2024/02/12-02-2024" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "unknown_had", "id": "44741", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 1, "URL": 2, "domain": 3 }, "indicator_count": 6, "is_author": false, "is_subscribing": null, "subscriber_count": 32, "modified_text": "805 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65cdd305aa8389f96aeb3cdb", "name": "IOC seen targeting public cloud infrastructure : 13-02-2024", "description": "IOCs seen on : https://github.com/unknownhad/CloudIntel/blob/main/2024/02/13-02-2024", "modified": "2024-03-16T09:03:31.705000", "created": "2024-02-15T09:01:57.589000", "tags": [ "license", "cloudintel", "path", "post hnap1", "accept" ], "references": [ "https://github.com/unknownhad/CloudIntel/blob/main/2024/02/13-02-2024" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "unknown_had", "id": "44741", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 5, "FileHash-SHA1": 6, "FileHash-SHA256": 8, "URL": 2, "domain": 3 }, "indicator_count": 24, "is_author": false, "is_subscribing": null, "subscriber_count": 31, "modified_text": "805 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65cdd2d932ce155b21b8b723", "name": "IOC seen targeting public cloud infrastructure : 14-02-2024", "description": "IOCs seen on : https://github.com/unknownhad/CloudIntel/blob/main/2024/02/14-02-2024", "modified": "2024-03-16T09:03:31.705000", "created": "2024-02-15T09:01:13.332000", "tags": [ "license", "cloudintel", "addportmapping", "accept", "hello", "world" ], "references": [ "https://github.com/unknownhad/CloudIntel/blob/main/2024/02/14-02-2024" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "unknown_had", "id": "44741", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 3, "FileHash-SHA256": 3, "domain": 2 }, "indicator_count": 10, "is_author": false, "is_subscribing": null, "subscriber_count": 32, "modified_text": "805 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65c4eaf3db21321d7f287cf5", "name": "IOC seen targeting public cloud infrastructure : 02-02-2024", "description": "IOCs seen on : https://github.com/unknownhad/CloudIntel/blob/main/2024/02/02-02-2024", "modified": "2024-03-09T14:02:31.570000", "created": "2024-02-08T14:53:39.982000", "tags": [ "tmpcdbkxogdc0", "license", "cloudintel", "datalocaltmp", "o tmpcdbkxogdc0", "x tmpcdbkxogdc0", "eo pid", "rf datalocal", "shell c", "linux", "hello", "accept" ], "references": [ "https://github.com/unknownhad/CloudIntel/blob/main/2024/02/02-02-2024" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "unknown_had", "id": "44741", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4, "FileHash-SHA1": 5, "FileHash-SHA256": 6, "URL": 6, "domain": 2 }, "indicator_count": 23, "is_author": false, "is_subscribing": null, "subscriber_count": 31, "modified_text": "812 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65c4eb6b40de71d958dbacad", "name": "IOC seen targeting public cloud infrastructure : 01-02-2024", "description": "IOCs seen on : https://github.com/unknownhad/CloudIntel/blob/main/2024/02/01-02-2024", "modified": "2024-03-09T14:02:31.570000", "created": "2024-02-08T14:55:39.388000", "tags": [ "license", "cloudintel", "datalocaltmp", "accept", "eo pid", "rf datalocal", "rf sh", "rf arm", "rf ppc", "rf x86" ], "references": [ "https://github.com/unknownhad/CloudIntel/blob/main/2024/02/01-02-2024" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "unknown_had", "id": "44741", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 7, "FileHash-SHA1": 1, "FileHash-SHA256": 3, "domain": 2 }, "indicator_count": 13, "is_author": false, "is_subscribing": null, "subscriber_count": 31, "modified_text": "812 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65c4eac51bea6830aef1a1bc", "name": "IOC seen targeting public cloud infrastructure : 03-02-2024", "description": "IOCs seen on : https://github.com/unknownhad/CloudIntel/blob/main/2024/02/03-02-2024", "modified": "2024-03-09T14:02:31.570000", "created": "2024-02-08T14:52:53.875000", "tags": [ "license", "cloudintel", "rf mpsl", "eo pid", "rf datalocal", "datalocaltmp" ], "references": [ "https://github.com/unknownhad/CloudIntel/blob/main/2024/02/03-02-2024" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "unknown_had", "id": "44741", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "FileHash-SHA1": 4, "FileHash-SHA256": 4, "URL": 3, "domain": 2 }, "indicator_count": 16, "is_author": false, "is_subscribing": null, "subscriber_count": 31, "modified_text": "812 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65c4ea941ebc7c280e7f397c", "name": "IOC seen targeting public cloud infrastructure : 04-02-2024", "description": "IOCs seen on : https://github.com/unknownhad/CloudIntel/blob/main/2024/02/04-02-2024", "modified": "2024-03-09T14:02:31.570000", "created": "2024-02-08T14:52:04.626000", "tags": [ "license", "cloudintel", "varrun", "root", "binls ii" ], "references": [ "https://github.com/unknownhad/CloudIntel/blob/main/2024/02/04-02-2024" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "unknown_had", "id": "44741", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "FileHash-SHA1": 4, "FileHash-SHA256": 4, "domain": 2 }, "indicator_count": 13, "is_author": false, "is_subscribing": null, "subscriber_count": 31, "modified_text": "812 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65c4ea665459fa7c08a922f5", "name": "IOC seen targeting public cloud infrastructure : 05-02-2024", "description": "IOCs seen on : https://github.com/unknownhad/CloudIntel/blob/main/2024/02/05-02-2024", "modified": "2024-03-09T14:02:31.570000", "created": "2024-02-08T14:51:18.830000", "tags": [ "license", "cloudintel", "datalocaltmp", "devshm", "hrfavrndd", "get shell", "accept", "shell" ], "references": [ "https://github.com/unknownhad/CloudIntel/blob/main/2024/02/05-02-2024" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "unknown_had", "id": "44741", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 5, "FileHash-SHA1": 6, "FileHash-SHA256": 8, "URL": 5, "domain": 2 }, "indicator_count": 26, "is_author": false, "is_subscribing": null, "subscriber_count": 31, "modified_text": "812 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65c4ea364b7abec2a1fd72ae", "name": "IOC seen targeting public cloud infrastructure : 106-02-2024", "description": "IOCs seen on : https://github.com/unknownhad/CloudIntel/blob/main/2024/02/06-02-2024", "modified": "2024-03-09T14:02:31.570000", "created": "2024-02-08T14:50:30.733000", "tags": [ "license", "cloudintel", "path", "file name", "datalocaltmp", "rf sh", "rf arm", "rf ppc", "rf x86", "rf mips" ], "references": [ "https://github.com/unknownhad/CloudIntel/blob/main/2024/02/06-02-2024" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "unknown_had", "id": "44741", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 7, "FileHash-MD5": 2, "FileHash-SHA1": 3, "FileHash-SHA256": 2, "domain": 2 }, "indicator_count": 16, "is_author": false, "is_subscribing": null, "subscriber_count": 31, "modified_text": "812 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65c4ea099e03a44243c22eb1", "name": "IOC seen targeting public cloud infrastructure : 08-02-2024", "description": "IOCs seen on : https://github.com/unknownhad/CloudIntel/blob/main/2024/02/07-02-2024", "modified": "2024-03-09T14:02:31.570000", "created": "2024-02-08T14:49:45.542000", "tags": [ "license", "cloudintel", "datalocaltmp", "file name", "rf arm", "rf arm5", "rf arm6", "rf arm7", "rf m68k", "rf mips" ], "references": [ "https://github.com/unknownhad/CloudIntel/blob/main/2024/02/07-02-2024" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "unknown_had", "id": "44741", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4, "FileHash-SHA1": 5, "FileHash-SHA256": 5, "URL": 6, "domain": 2 }, "indicator_count": 22, "is_author": false, "is_subscribing": null, "subscriber_count": 31, "modified_text": "812 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6582ff157ad1b435b65736c6", "name": "IOC seen targeting public cloud infrastructure : 19-12-2023", "description": "IOCs seen on : https://github.com/unknownhad/AWSAttacks/blob/main/2023/12/19-12-2023", "modified": "2024-01-19T14:00:36.219000", "created": "2023-12-20T14:49:57.321000", "tags": [ "hash", "license", "shell", "malware", "hello", "bytes" ], "references": [ "https://github.com/unknownhad/AWSAttacks/blob/main/2023/12/19-12-2023" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "unknown_had", "id": "44741", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 3, "FileHash-SHA256": 3, "URL": 2, "domain": 2 }, "indicator_count": 12, "is_author": false, "is_subscribing": null, "subscriber_count": 31, "modified_text": "862 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6581a8e35d2342d7284a7ebd", "name": "IOC seen targeting public cloud infrastructure : 17-12-2023", "description": "IOCs seen on : https://github.com/unknownhad/AWSAttacks/blob/main/2023/12/17-12-2023", "modified": "2024-01-18T14:00:02.833000", "created": "2023-12-19T14:29:55.594000", "tags": [ "datalocaltmp", "hash", "license", "malware", "rf armv7l" ], "references": [ "https://github.com/unknownhad/AWSAttacks/blob/main/2023/12/17-12-2023" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "unknown_had", "id": "44741", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6, "FileHash-MD5": 2, "FileHash-SHA1": 3, "FileHash-SHA256": 3, "domain": 2 }, "indicator_count": 16, "is_author": false, "is_subscribing": null, "subscriber_count": 32, "modified_text": "863 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "reify-output.js", "npm.md", "drecurse.py", "libc6-i386_2.27-3ubuntu1_amd64.url", "help-search.js", "cli.js", ".X1-lock", "clean.js", "libc6-i386_2.10.1-0ubuntu15_amd64.url", "version.py", "empty (2)", "libc6-i386_2.11.1-0ubuntu7_amd64.info", "stage2 (3)", "libc6-i386_2.17-0ubuntu5.1_amd64.symbols", "install-ci-test.js", "https://viz.greynoise.io/analysis/b5c2d562-eee0-46cb-8696-0585e3ce27b8", "libc6-i386_2.11.1-0ubuntu7_amd64.symbols", ".:ads.txt", "libc6-i386_2.24-3ubuntu1_amd64.symbols", "npm-rebuild.md", "package-spec.md", "https://hybrid-analysis.com/sample/2eaba531c48445e241c116f61653649e403d4b1ef07bfc96390e986e1eeb5b83/6604e230edf88ab15b0d83fc", "npm-dist-tag.md", "rc.usb", "libc6-i386_2.19-10ubuntu2_amd64.url", "https://www.virustotal.com/gui/collection/8228434e85241bd42ae063de8cf2ee2afb86f0848675ed11e3f33b967e8c3c7c", "no_ads.txt", "pcmcia", "identifiers.js", "https://tehtris.com/en/blog/legionloader-exposed/", "search.js", "securetty", "npm-ls.md", "node-which", "path.py", "murmur2", "unpublish.js", "SeTkeymap (2)", "libc6-i386_2.15-0ubuntu20_amd64.url", "libc6-i386_2.13-0ubuntu13_amd64.symbols", "restart.js", "libc6-i386_2.15-0ubuntu20.2_amd64.info", "vt100 (3)", "vfs.py", "vt300", "libc6-i386_2.24-3ubuntu2.2_amd64.info", "itl-logo.txt", "dependency-selectors.md", "options.py", "issue (2)", "ssh.py", "outside.js", "unstar.js", "npm-root.md", "npm-prefix.md", "https://www.virustotal.com/gui/collection/9d356233d4019b57b09902b22067bcbc11c1b5df759daaf494d859f540aaa399/graph", "base-command.js", "INShd", "libc6-i386_2.26-0ubuntu2.1_amd64.info", "color-support", "empty.lock~", "diff.js", "npm-init.md", "https://vtbehaviour.commondatastorage.googleapis.com/e2f820daf9f578d5f3219ae8b3c6391017badf913a68c4aaac4e52c5155c566f_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779339867&Signature=l%2F%2BDGW7ZLqIfVvi1NOyg4%2FCgXPJBdSweWglJKW7iMb5GfnK0pX4yYYVL3OKkqrzAbMUcR2fqLUXHJfnMwSKBhQxjGR8LGF1nh7TeXxVGIQVh8kAyEZBCuXNHsZfzxR0zVbZfKAIEvC9D8S2%2FwBmpI6xztHiC7vmaJ5OhJD%2BoPDojRqXH2bmBpCz1XTZd7JphPNXRIbefZL4mR%2FrRe7o8WO2JHylOy9rIodNKKPEv5W9Q54%2BaA%2FG926", "issue", "hlinkdb.py", "npm-token.md", "libc6-i386_2.7-10ubuntu3_amd64.symbols", "ld.so (2).conf", "rm (2).py", "libc6-i386_2.24-11+deb9u4_amd64.url", "libc6-i386_2.10.1-0ubuntu19_amd64.info", "motd (2)", "libc6-i386_2.30-0ubuntu2_amd64.info", "vt100", "README", "SeTDOS (2)", "fund.js", "Spy.Bancos.OQI Checkin", "display.js", "midx (2).py", "https://www.virustotal.com/gui/collection/12100cb4982365cfe5122fcedda2c084d60cebe09314846cae980c36fc90fc8c/iocs", "prune.js", "libc6-i386_2.13-20ubuntu5.2_amd64.url", "INSdir (2)", "access.js", "bup-import-rdiff-backup", "libc6-i386_2.13-0ubuntu13.2_amd64.info", "open-url.js", "https://vtbehaviour.commondatastorage.googleapis.com/44ea6ddc04caa89b23fb4acec5625975088c6079d823abfd8c77c95d4edc321b_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779340034&Signature=tbq82yoC%2BAKXaH%2F2XjmRWiAbt911K91ltP8zHTYrstzi0i1UKrzJxM48ky9ypV%2B%2FvrYdgBnaOfI9MzgZH0C%2FOFJUaVJ3WB87ULkjglD%2F6GeEDDcPtDX%2BY6aw2%2Bb8WaJU2xLc%2F9JbwoTbPP0n83pJv1qe0KLqckLIjEN4iREH1zU%2FldO5TBRicvB%2BxjeAxpPFZnjNZmyFl%2FNHbavuuvRc%2FMNR0DbjnriB2Mub", "timers.js", "nopartHELP", "npm-prune.md", "web-auth.js", "SeTpasswd (2)", "libc6-i386_2.26-0ubuntu2_amd64.symbols", "explain.js", "SeTfdHELP", "https://www.virustotal.com/gui/collection/b8a6d1fcd73207ba46eae6806b946c4b539f301e718f3fba21fa4e797d4b5783", "libc6-i386_2.3.6-0ubuntu20.6_amd64.info", "ftp.py", "package-json.md", "host.conf", "libnm-device-plugin-wifi.la", "completion.fish", "libc6-i386_2.15-0ubuntu10_amd64.url", "https://report.netcraft.com/submission/iduhE4oNTsMOSAeOeBjzZdIfCLtefF3P - 07.23.25 - see notes on references*", "ls (2).py", "cmd-list.js", "libc6-i386_2.15-0ubuntu10_amd64.symbols", "cat_file.py", "libc6-i386_2.23-0ubuntu10_amd64.symbols", "ldd", "developers.md", "makedevs.sh", "libc6-i386_2.30-0ubuntu2.1_amd64.symbols", "INSfd (2)", "https://hybrid-analysis.com/sample/babc94597eadb83b520d6a46a57ef2ad963683aef1ff2fc6fa9ba5e98e78e008/6604e16b6b94878cbb062194", "install-test.js", "explore.js", "https://github.com/unknownhad/CloudIntel/blob/main/2024/02/06-02-2024", "modules.usbmap", "publish.js", "npm-profile.md", "libc6-i386_2.7-10ubuntu3_amd64.url", "https://vtbehaviour.commondatastorage.googleapis.com/e6f203e988e7aa801739359c6222dcb181d290fc10de5f61d354d43f8557daa0_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1721583905&Signature=QPgFBr8MN1iCe8SwxWZ4BgTfkaViEC4PHLzUrGQ3Jdndo8Z44osVc0CIRcnkJJtNDFU03AM82A8wJ2jMjaFYoEbthsaxPWWufSulM8nS%2BU8RoCr04jUq5GnAWPVNjxukSTbgD0F7pUSf0pVaFwwvpSWCQ6hedQEwF52DQyViV8u9UDOeLii4rkmRlMfMlGIsxIP4CEwy0Gy8Q7Lw6FX8cxG%2FehoJatyiwaFdwwbbLbnu2lQHDaZuwZ38Oy", "exec.js", "uninstall.js", "npm-publish.md", "disk2", "https://www.virustotal.com/gui/collection/ab283165c61c702e1aed28375718dd2674179c61c517d93baabc2219becf081a/community", "libc6-i386_2.31-0ubuntu6_amd64.url", "README (2)", "removepkg", "https://www.virustotal.com/gui/collection/ab283165c61c702e1aed28375718dd2674179c61c517d93baabc2219becf081a/iocs", "pulse-till-done.js", "libc6-i386_2.23-0ubuntu10_amd64.info", "libc6-i386_2.13-20ubuntu5_amd64.info", "min-satisfying.js", "npm-pkg.md", "git.py", "libc6-i386_2.11.1-0ubuntu7.12_amd64.symbols", "func.py", "openmachine.rc", "npm.js", "https://www.virustotal.com/gui/collection/e03439bc07bcb1908764755571e127ec051193d4cc24cf842ec3179557f533cb/summary", "edit.js", "npm-stop.md", "inittab", "SeTnopart", "libc6-i386_2.28-10_amd64.symbols", "libc6-i386_2.28-0ubuntu1_amd64.symbols", "libc6-i386_2.3.6-0ubuntu20.6_amd64.url", "stage2 (2)", "debug.js", "SeTkeymap", "https://www.virustotal.com/gui/collection/8f89eb9579ca53d15294ec27a4c1e763998ce57d3644ea746621d9fe0cb57e55/iocs", "https://www.virustotal.com/graph/g40f442f2b5d64cba818cac88855ba4ce274d109ce4ef4fb496f1af4efb993886", "pack.js", "libc6-i386_2.6.1-1ubuntu9_amd64.url", "https://vtbehaviour.commondatastorage.googleapis.com/d2cb7cca87c98c4d7a7eb9a40e0f00a231390cfe2f4786e161471a5ca4397a41_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1721583872&Signature=cfVN9vaAZ5UXUaFiEoATwrbKG2RNxzOu3wiH5KMlXdPxTgtpQ920ONEqOhhUb8MNxJwW3AVsCAahYTLdN3FigRPmjIClNTYz%2BoS%2BDl354Z4ZxefdKjl0HJ4%2FmGuzVTBNtc6pftGk4VMAvjgoerYhBf6Olu3ajrMT3h89lKsdBSGc6ra20Btzd%2BzY3Uh1J2gPZ%2BzZPHkTbR0OUTh3oorvIq9Fue8rDbL6PzZLxfPFEZ%2FFCRUnFo", "libc6-i386_2.11.1-0ubuntu7.12_amd64.info", "SeTPKG (2)", "config.js", "SeTPKG", "vint.py", "90-nm-cloud-setup.sh", "???? ????????.txt", "libc6-i386_2.30-0ubuntu2.1_amd64.url", "libc6-i386_2.11.1-0ubuntu7.21_amd64.symbols", "log-shim.js", "outdated.js", "libc6-i386_2.12.1-0ubuntu6_amd64.url", "hosts", "pkgtool (2)", "libc6-i386_2.4-1ubuntu12.3_amd64.info", ".X1024-lock", "removepkg (2)", "npm-edit.md", "npm-repo.md", "installpkg", "https://matomo.org https://matomo.www.gov.pl/analytics/js/container_68lYTZ79.js", "Double User-Agent (User-Agent User-Agent)", "ll.js", "split.py", "SeTmedia (2)", "b.txt", "libc6-i386_2.12.1-0ubuntu10.4_amd64.symbols", "syslinux (2).cfg", "FDhelp (2)", "bloom.py", "a.txt:ads.txt", "npm-test.md", "package-lock-json.md", "libc6-i386_2.31-0ubuntu6_amd64.info", "login (2).defs", "https://www.virustotal.com/gui/file/ea8490563a229b89f2b779217938f9eb2bcf93dd89de9f7fc5c035632f0934b5/relations", "preload.js", "wtmp", "libc6-i386_2.15-0ubuntu10_amd64.info", "libc6-i386_2.7-10ubuntu8.3_amd64.info", "libc6-i386_2.5-0ubuntu14_amd64.url", "https://www.virustotal.com/gui/collection/86f3d77a28744357c14d92dba7ac6302d57700308c64b641513119d8fcad411f", "obexstress", "docs.js", "OpenSSLConfig.cmake", "SeTfull", "libc6-i386_2.19-10ubuntu2_amd64.symbols", "simplify.js", "cache.js", "libc6-i386_2.13-20ubuntu5.2_amd64.symbols", "brc", "SeTconfig", "libyara.la", "libc6-i386_2.21-0ubuntu4.3_amd64.info", "profile.js", "networks", "npm-logout.md", "https://github.com/unknownhad/CloudIntel/blob/main/2024/02/07-02-2024", "libc6-i386_2.29-0ubuntu2_amd64.url", "libc6-i386_2.4-1ubuntu12.3_amd64.url", "semver.js", "https://vtbehaviour.commondatastorage.googleapis.com/edb4c21d60daa44b3429e7ba9bfa342759ebef23c136c934f74aef145453ce19_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775737365&Signature=S%2B7RcHYjab1hbKlKwFfvUbDirFPJS1A2TJQ3bVIObMcON4PD9pRDvhMtYMCnEBrYsICi0UJCFW5eUDolL5Jlbngsc587kF36vvuhlkPprbkSOY1jOyDTpe3Qsb6jRFz3xwOfZc9S5QervoLnRKb%2FyGSyZE6ZK6TxzBrOPczPtZ7sLf9NfD6E%2B2gMRXaRjEqVwVITLG7YqCiiNuohFOuNlK3uNHFpIk53viKvBSAIqLtSklH9bHW4q1DX", "libc6-i386_2.19-10ubuntu2.3_amd64.url", "scope.md", "libc6-i386_2.4-1ubuntu12_amd64.info", "libnm-device-plugin-ovs.la", "explain-eresolve.js", "https://www.virustotal.com/gui/collection/c1ea74232c607b23ded09484664f00ae58f911ccb82433d042056cbb84c9d602/graph", "libc6-i386_2.28-0ubuntu1_amd64.info", "init.py", "libc6-i386_2.9-4ubuntu6_amd64.info", "fsck.py", "client.py", "npm-restart.md", "https://github.com/unknownhad/CloudIntel/blob/main/2024/02/14-02-2024", "libc6-i386_2.19-10ubuntu2_amd64.info", "libnm-device-plugin-team.la", "libc6-i386_2.28-10_amd64.url", "libc6-i386_2.15-0ubuntu20.2_amd64.url", "a4033901479", "npm-uninstall.md", "https://www.virustotal.com/gui/collection/385f419c1c3733dd9dd151d4403bdb38cb24d12c21f18ce8f4f41d818d7a12a5", "npm-config.md", "libc6-i386_2.5-0ubuntu14_amd64.symbols", "libc6-i386_2.27-3ubuntu1_amd64.symbols", "https://github.com/unknownhad/CloudIntel/blob/main/2024/02/04-02-2024", "star.js", "https://viz.greynoise.io/ip/analysis/ae06b3b5-c746-4b44-b2ac-19bb3aea14a1 [11.23.25 - 1000ipv4]", "securetty (2)", "host (2).conf", "queryable.js", "libc6-i386_2.19-0ubuntu6_amd64.symbols", "libc6-i386_2.8~20080505-0ubuntu7_amd64.info", "installed-deep.js", "npm-run-script.md", "glob", "https://www.virustotal.com/gui/collection/fd8ebe64d72b2ad9e90773791522c3ec5863868dc3b9c58a929c6b4e01bb3042", "prerelease.js", "https://hybrid-analysis.com/sample/d714e2a850645f9a0f8f3785dd0eedd47a417417bed470b968e0f6a1a2e746e6/652cf1f4243d9d03b90f74a1", "SeTconfig (2)", "run-script.js", "motd", ".X0-lock", "85-nm-unmanaged.rules", "https://www.virustotal.com/gui/collection/da35693aa528a682ca91aee332c8155d99ac8e4a13077cc73b2a8921c8fea36b", "prune_older.py", "folders.md", "neq.js", "sendcmd.rc", "npm-star.md", "sbom.js", "slackinstall (2)", "modules.ieee1394map", "libc6-i386_2.11.1-0ubuntu7.12_amd64.url", "bup-import-rsnapshot", "libc6-i386_2.12.1-0ubuntu10.4_amd64.info", "adduser.js", "libc6-i386_2.4-1ubuntu12_amd64.url", "empty.exe", "completion.js", "https://www.virustotal.com/gui/collection/a6a81c8412b19ac6357a7c6e978c31a38d52a75fbb3b2e44f0f1a2bf0deb8a58/iocs", "otplease.js", "a1676298638", "npm-install.md", "https://www.virustotal.com/gui/collection/9220d9375ebb4289fdbc4a7aac232b75a5c1b01e5e27edd965982bc6fe28f0e2", "npm-unstar.md", "libc6-i386_2.10.1-0ubuntu19_amd64.url", "itl-logo (3).txt", "https://vtbehaviour.commondatastorage.googleapis.com/460264c62a85a79d25424920b7b80763354151146da5cba933c198ebbe9a0588_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1721583501&Signature=igubOWmez%2BKPjBiU2Af7vHhJ5SwgwsKaafuyzobymmqUDs%2F8vkuh1A%2BbsMADWo0B%2FBEZht3BD%2B1%2FvItWrcfBgja57sMCBln9vBXfK7nCclcy9%2BeujGu7wlQLlhyfAeGNd8suRdK8x4WrJJ5bdqfAh7Ns0mOjPliF9uu3UJ9I7qH6N5IAd%2Bkb8h7Xce%2F%2BavnF8jLmHHwwCP5ILzgNRc94rmrWFp5eXzxQ3aHd9btY2D", "compare-loose.js", "view.js", "https://www.virustotal.com/gui/collection/6434f0cf09638991baf3be289834696b46e11c4c6cbe1e7b9548f9ac27372b53", "libc6-i386_2.19-0ubuntu6.15_amd64.url", "satisfies.js", "npm-completion.md", "meta.py", "gt.js", "std (2)", "replace-info.js", "audit-error.js", "sbom-cyclonedx.js", "logging.md", "iterator.js", "libc6-i386_2.15-0ubuntu10.18_amd64.url", "npm-version.md", "cfdisk (2)", "network", "libc6-i386_2.7-10ubuntu8.3_amd64.url", "makedevs (2).sh", "libc6-i386_2.15-0ubuntu10.18_amd64.info", "validate-lockfile.js", "index (2).py", "b529967783", "source_info.py", "help.js", "modules.dep", "https://www.virustotal.com/gui/collection/c1ea74232c607b23ded09484664f00ae58f911ccb82433d042056cbb84c9d602", "https://www.virustotal.com/graph/g38632f8b939b443ab3b69f6a3171d02ffd2696a0f3714325a84b9a5f227a7d1c", "npm-sbom.md", "https://www.virustotal.com/graph/embed/g3b316b58b8c54064b322b2e186d62950d7632add2f3f408f8d8a1706563fd3c0?theme=dark", "memtest.py", "imurmurhash.min.js", "shquote.py", "hosts (2)", "README.md", "SeTpasswd", "shells (2)", "84-nm-drivers.rules", "registry.md", "libc6-i386_2.3.6-0ubuntu20_amd64.info", "margin.py", "mtab (2)", "https://vtbehaviour.commondatastorage.googleapis.com/087797e64cf016f13eac46473b4150d49c7eba564c894300f69bc643b059c980_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1774998167&Signature=utDs3%2B4MkyePrZxIa4LDJ8Z3xTy%2FSYPrRcuBtMqBNlWIaFR%2Ftqp82I3Dx7z4PG4CFAFUeDx4NGkwUFJd6%2B0u7grbfQ2CJtW2A6CWvczNiq0IEBDF0l5BAPkzE9KXDHRrfI37zeeo7SO%2FOahMZY7sJYqP3CAd2uqFSR57CkDB6vboYMzF8YUM8NWRhKXcEu9QY%2BbbHYQ2iGgjFAIvBKznE7L5oLu6F9UXKzrJ9%2FbyE61pXQduGaVGg1AF", "npm-explore.md", "https://www.virustotal.com/graph/embed/g9219350397134ff3a645319a88b67833077c9cf0f50d4979aa0239a3d0b6ecea?theme=dark", "x.jnlp", "https://www.virustotal.com/gui/collection/4b166c2c1752d85215da951b15a065688bfe24ea92c65228a45ded6f2d94685b/iocs", "lt.js", "SeTfdHELP (2)", "compat.py", "libc6-i386_2.11.1-0ubuntu7.11_amd64.info", "owner.js", "cssesc", "https://www.virustotal.com/gui/collection/1497c56a475d73236c67292964eabd7f8961f88c57fa5a2e3f30720dc29a51e7", "fsck (2).ext3", "https://www.virustotal.com/graph/embed/g4d28c765e54941129dbbf8d4a8dc25bb3b5452f14e0a4886a0af0c2991188611?theme=dark", "npm-login.md", "is-windows.js", "libc6-i386_2.8~20080505-0ubuntu9_amd64.info", "join.py", "io.py", "libc6-i386_2.30-4_amd64.symbols", "__init__.py", "ltr.js", "libc6-i386_2.30-0ubuntu2_amd64.symbols", "https://hybrid-analysis.com/file-collection/6604df4bb797f028b4065601", "https://hybrid-analysis.com/file-collection/6604df33503d4a306e01c776", "libc6-i386_2.24-9ubuntu2.2_amd64.info", "https://www.virustotal.com/gui/collection/ab283165c61c702e1aed28375718dd2674179c61c517d93baabc2219becf081a/summary", "npm-unpublish.md", "unmigrate (2).sh", "libc6-i386_2.15-0ubuntu20_amd64.info", "get.js", "networks (2)", "NetworkManager-wait-online.service", "setup", "installed-package-contents", "re.js", "bugs.js", "npm-whoami.md", "libc6-i386_2.29-0ubuntu2_amd64.symbols", "libc6-i386_2.21-0ubuntu4_amd64.symbols", "b3336837578", "set.js", "dedupe.js", "npm-team.md", "PROMPThelp", "fdisk", "npm-bugs.md", "daemon.py", "libc6-i386_2.12.1-0ubuntu6_amd64.info", "libc6-i386_2.24-11+deb9u4_amd64.symbols", "90-nm-thunderbolt.rules", "mtools.conf", "token.js", "libc6-i386_2.13-20ubuntu5.3_amd64.info", "https://www.virustotal.com/gui/collection/27233a89c864ba0e77e672a8909fd63b4a8b6d457c9e4ff219f2a3e47db13376", "inittab (2)", "pwdgrp.py", "libc6-i386_2.5-0ubuntu14_amd64.info", "npm-update.md", "libc6-i386_2.9-4ubuntu6.3_amd64.info", "https://github.com/unknownhad/CloudIntel/blob/main/2024/02/12-02-2024", "team.js", "deprecate.js", "config.md", "vt300 (2)", "xstat.py", "libc6-i386_2.13-0ubuntu13.2_amd64.url", "explain-dep.js", "npm-search.md", "constants.js", "disk2 (2)", "sunjava_map.xml", "libnm-device-plugin-adsl.la", "SeTDOS", "https://vtbehaviour.commondatastorage.googleapis.com/366e8b8ac409bec588ae02fbd3fb9678f1feb43c5fec92670577bbe2c01c2b2e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779339792&Signature=O6r4LzVdjNFj7wZVT%2B0a4%2BGemB4yEqip9waMS7NlonESXy80tfqV33UBqEEp8i%2B2qOg6S%2Ba4cSwzi3nXOtjSaUaFAI43DmvSsxq5Y5WsA8cMb4Ul6FhGON6Cr0JT1xoEMtACmSdxG8Vo%2Be4PVcu93v6CBeWMZnFb8exU8ku4GUDY8ZEFW%2FJqeu266wn59KD9gFKRwlqx3NuRzMLdwqMA7f9o6QLPcM8WWnB%2BkvJVFk3BnxJAfBn7T2JO", "on.py", "std", "rc.S", "https://www.virustotal.com/graph/g994d0094226240eba65c081dfbc3e4936aa010abf4db48049e3a964e7c5ad076", "npm-shrinkwrap.md", "modules.parportmap", "libc6-i386_2.6.1-1ubuntu10_amd64.symbols", "npm-cache.md", "libc6-i386_2.13-20ubuntu5_amd64.symbols", "libc6-i386_2.19-0ubuntu6.15_amd64.info", "https://www.virustotal.com/graph/embed/gc0d82762363b4aa88991027c391afdbfe9585395bd8d4273bbe09907fbfaf532?theme=light", "hashsplit.py", "compare.js", "libc6-i386_2.17-0ubuntu5.1_amd64.url", "login.js", "probe (2)", "libc6-i386_2.28-0ubuntu1_amd64.url", "SeTswap", "tree.py", "https://www.virustotal.com/graph/embed/g699a7b9bfb324855859555181d01666c372310cf233441e08a095459b3394dea?theme=dark", "Crowdsourced Research from multiple sources", "https://www.virustotal.com/graph/embed/g994d0094226240eba65c081dfbc3e4936aa010abf4db48049e3a964e7c5ad076?theme=dark", "validate-engines.js", "main.py", "help.py", "notes.txt:ads", "helpers.py", "log-file.js", "empty (3)", "SeTmaketag (2)", "minor.js", "migrate.sh", "libc6-i386_2.10.1-0ubuntu15_amd64.symbols", "libc6-i386_2.26-0ubuntu2_amd64.url", "libcrypto.pc", "https://www.virustotal.com/gui/collection/d142f78015e1c929cedae31dba7e5b735b6dedfc31e4759d8ec5f02c16328b98", "rc.ieee1394", "shadow", "metadata.py", "open-url-prompt.js", "root.js", "libc6-i386_2.23-0ubuntu11_amd64.symbols", "workspaces.md", "libc6-i386_2.24-9ubuntu2.2_amd64.symbols", "libc6-i386_2.19-18+deb8u10_amd64.url", "get-workspaces.js", "reify-finish.js", "https://github.com/unknownhad/CloudIntel/blob/main/2024/02/03-02-2024", "npm-outdated.md", "nopartHELP (2)", "libnm-ppp-plugin.la", "npm-link.md", "https://www.virustotal.com/gui/collection/8d65d93130b4775903adbffbb53820d40bb9425dcf1848b806ffee65ee883984", "libc6-i386_2.24-3ubuntu1_amd64.info", "libc6-i386_2.10.1-0ubuntu15_amd64.info", "npm-ping.md", "libc6-i386_2.26-0ubuntu2.1_amd64.symbols", "import_duplicity.py", "libc6-i386_2.24-9ubuntu2_amd64.url", "libc6-i386_2.12.1-0ubuntu6_amd64.symbols", "stop.js", "services", "libc6-i386_2.23-0ubuntu3_amd64.info", "https://github.com/unknownhad/AWSAttacks/blob/main/2023/12/19-12-2023", "syslog.conf", "login.defs", "error-message.js", "checkout_info.py", "https://www.virustotal.com/gui/collection/2cdadbf6aa2ec4f9815c038b0e9375b1475ac7e049fd123861d6e925e7802c6a", "read-user-info.js", "SeTmaketag", "pacote", "libc6-i386_2.13-0ubuntu13_amd64.url", "nm-cloud-setup.timer", "rc.inet1", "intersects.js", "rsort.js", "rescan-scsi-bus", "https://www.virustotal.com/gui/collection/dbf356b0a281fa94308e2e24738d839491491bfb2defa4e6c42662646e52c8f8", "INSfd", "package-url-cmd.js", "probe", "https://www.virustotal.com/gui/collection/bc7e252dcc07855314e153efe890d70e7a7e9b8a743e171eac31e5951260c1b7", "npm-dedupe.md", "did-you-mean.js", "passwd (2)", "INSNFS (2)", "mtab", "NetworkManager-ovs.conf", "damage.py", "lorem.txt", "version.js", "random.py", "notes.txt", "list_idx.py", "libc6-i386_2.8~20080505-0ubuntu7_amd64.symbols", "shells", "libnm.pc", "subset.js", "slackinstall", "ls.py", "nm-shared.xml", "libc6-i386_2.17-93ubuntu4_amd64.symbols", "libc6-i386_2.17-0ubuntu5.1_amd64.info", "closemachine.rc", "libc6-i386_2.26-0ubuntu2_amd64.info", "nsswitch.conf", "unmigrate.sh", "https://github.com/unknownhad/CloudIntel/blob/main/2024/02/01-02-2024", "https://www.virustotal.com/gui/collection/0c9360cb9f8601bd6cdf912eb414d67902487f0c4eec96e952377e300ff4e983/iocs", "https://www.filescan.io/uploads/67619a0f99caec9a276f9efd/reports/92e63ab1-1ebd-41a7-90da-f842f0b90392/details", "openssl.pc", "libc6-i386_2.9-4ubuntu6_amd64.url", "server.py", "fdisk (2)", "PROMPThelp (2)", "libc6-i386_2.19-10ubuntu2.3_amd64.info", "parse-options.js", "libnm-device-plugin-bluetooth.la", "npm-help-search.md", "https://github.com/unknownhad/AWSAttacks/blob/main/2023/12/17-12-2023", "test.js", "https://vtbehaviour.commondatastorage.googleapis.com/e75ff18ee5c7226e225aa9959df439f1488df8cd3d43f5471361ed0426700832_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1721578339&Signature=fTYUE3KoGSnr2%2BSrv9dZpgk3uXJc2rf%2BQeCyhAVDWiuiHGaYqhFHfgzQD2KheomXUSHne5MCvS9XH1LGW7Xhrg7CIG0gEe5cVjxrkmumne%2B%2Fd%2FBQagomnCKzfbwdExaO45sfA9rz4eQtyfLzFifYoRXDRtJK7P%2BNmISkv0Qz9FGIgXrrPDvmwJevgry%2FaMfiTEa2%2BxSDdWf9e6kdZW5YBVuxEdpGowcPsPEkpbdiSG12pG", "https://www.virustotal.com/gui/collection/02bef6a3cf1a035ad5bfb238cac2e913f4ed9425847d7cec5e7dc4097aa3c352", "a.txt", "orgs.md", "modules.generic_string", "libnm-device-plugin-wwan.la", "https://vtbehaviour.commondatastorage.googleapis.com/e75ff18ee5c7226e225aa9959df439f1488df8cd3d43f5471361ed0426700832_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1721578437&Signature=HM1ThjLEyrQmeLst3eY3osRWxC6ETs2RVbR4uKhN5emP%2Fe3Jbf6OsLPvmoAyaPTh%2B9RLyjIrqyR3f4rwg%2B4kkyiEZCyCkGKSRvQK4zC8eMuq80kOGYcvFLPwtvcH20xe7%2FPhGk2au3z4GfauzR1s8meGtQYRDlmXZARLTB2G0tno%2FJOq8rNm7NLHvVH1MpMBoQ47RRIwE0ecUUSYXmQGMAOQVAgmigrpydiFzFYN2wYJDkmfVTmEc9kylTmQ", "https://vtbehaviour.commondatastorage.googleapis.com/d2cb7cca87c98c4d7a7eb9a40e0f00a231390cfe2f4786e161471a5ca4397a41_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1721583838&Signature=dw6B7oYQHQ1CxhfF67YE3TZfvqWvO%2FgErgu9Ms4R462ssOAuET7%2F9guBVvhETqvO7ClziwNXLV%2F31SM7aYXjXEUOmfJtHqf5vpFUCub63bX6a1GILj%2BtbX8EmURT4JftAGT%2BwDdgQnHX3y5MvnWd9NpYE8TTYStcf%2BQOWZLWiMNe%2BSxjpsMyOG2ryZdsm7iCyH%2BWdXrvG%2Bh9ccwxPOnUOwoOxUV3hp1ifVzCkbUtYySGTom29VJ8", "b.txt:ads.txt", "version (2).py", "npm-help.md", "libc6-i386_2.27-3ubuntu1_amd64.info", "https://hybrid-analysis.com/sample/babc94597eadb83b520d6a46a57ef2ad963683aef1ff2fc6fa9ba5e98e78e008/65fcd2b1519a5f86d60eed63", "syslog (2).conf", "libc6-i386_2.7-10ubuntu3_amd64.info", "https://vtbehaviour.commondatastorage.googleapis.com/f839e941d0d2b6d9c5d6fd9b8b9ea9d34629182973bb9cc8af28e1e3ccdbbdd4_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779339838&Signature=GgSFM3a3czj9g63hY67%2B%2FAyC%2FcGgMmTIqhErAonJ7vV9C8snHKwK0GtHZ6drm%2Fd%2BKaMonYJwSmh1LrRzYF9toBJc5rBwpR%2BPlsrS9EArViMI%2Bd%2Fb8ZZBHgqFsmCiiSWfzz4kIQRPM0RB4osCHqQxKmGW2i1uyWrytYjA4V%2FZREm1%2Bm2EEWx38PebvBFrM9pMznjF6rghFHp8ls6tzuolbXD4WUfR0OSoXjcAaAgihobJ%2FmOd", "https://github.com/unknownhad/CloudIntel/blob/main/2024/02/13-02-2024", "libc6-i386_2.6.1-1ubuntu9_amd64.symbols", "https://www.virustotal.com/gui/collection/86f3d77a28744357c14d92dba7ac6302d57700308c64b641513119d8fcad411f/iocs", "update-notifier.js", "libc6-i386_2.24-9ubuntu2_amd64.info", "https://vtbehaviour.commondatastorage.googleapis.com/3a498e611cdc305e0ce67b68971ebc9e8b8aa575e9de08ae4bb081e1f6b87945_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1721583388&Signature=L5dgUL09kvWOiINZMa%2FvgcDAW5AFV%2Fqie184iaXQKGccuTzwDYsyx0%2BhI%2FxOXIkON%2Bw0RoRuoasFag44WeapuTjlnv8di%2FZ8iWJdeRGqWOdJ8P4EAPZIICsU%2BxjXP%2BzOSNTz5tcekdSceS%2BkTyDYMO%2F9QxZVwsIV1WnvZaGiR%2BOKIfs4YFXgeGWc23ktkKxbRfeKQY1kFyHTh8Re3lBLC%2Fkq%2FExvl7kqxKIebqquWmo%", "lifecycle-cmd.js", "https://www.virustotal.com/gui/collection/f60b8061133367a1047262a1e90d54cd72de4d59885c267906c6eeb557a35500", "https://www.virustotal.com/gui/collection/c1ea74232c607b23ded09484664f00ae58f911ccb82433d042056cbb84c9d602/iocs", "https://www.virustotal.com/gui/collection/33a61b144ffdece76551464e76866ab59346f0fa3f1f97380b401c1ac3f0d305", "on__server.py", "https://www.virustotal.com/graph/embed/g78ea5ea9b68b4a4bbcd2bc078e23b321985e72d90da146c19d8d80ede366c1fa?theme=dark", "installed-shallow.js", "npm-adduser.md", "SeTmedia", "npm-exec.md", "syslinux.cfg", "libc6-i386_2.13-20ubuntu5.3_amd64.url", "https://www.virustotal.com/gui/collection/50919d9e9d6d71522b641a3907ed32093293c400a2ae4faaab142f175c48de4b", "npm-install-test.md", "sbom-spdx.js", "libc6-i386_2.13-0ubuntu13_amd64.info", "https://vtbehaviour.commondatastorage.googleapis.com/edb4c21d60daa44b3429e7ba9bfa342759ebef23c136c934f74aef145453ce19_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775737710&Signature=fbsokraSd7lsYmUfaTEl8Phs2K3hp7AtVmQU9axeEBcYmYbrrYrrfpP5lPEQaE%2Fh3%2BEP9Rn8mD8D1haqQVXCN0VVlxJ4sddjWmyC5USsgBsvUb0%2F72h1WHDS2KXHlteZWE%2Bauckabain9D5kX501AnqFY38s77OIqO6SMOkQ%2BvXiDSSRK%2FZhbfradBnei3ZLHsXGxkoshTyvB0%2BC%2F8SiUzdVsqSjik0Bn2r%2BIlLpDQK90GlZTD0N", "ls.js", "get.py", "npm-query.md", "desktop.ini", "npm-install-ci-test.md", "libc6-i386_2.30-4_amd64.url", "group (2)", "https://www.virustotal.com/gui/collection/daab0521ae533cbdfeec047e51a9499aedfd27c8cc05c644950126c1947131f9", "install.md", "nsswitch (2).conf", "xstat (2).py", "SeTswap (2)", "format-search-stream.js", "repo.py", "SeTpartitions (2)", "https://www.virustotal.com/gui/collection/bb0c0633dbe98b659fb06e07acd6e1f51ca43d3a1b4be09b4e9bfe8b3fde0cdb", "modules.pnpbiosmap", "libc6-i386_2.3.6-0ubuntu20_amd64.url", "libc6-i386_2.7-10ubuntu8.3_amd64.symbols", "libc6-i386_2.8~20080505-0ubuntu9_amd64.symbols", "stdcrt (2)", "libc6-i386_2.30-0ubuntu2_amd64.url", "libc6-i386_2.19-18+deb8u10_amd64.symbols", ".zcompdump", ".zcompdump-m1904-5.9", "cfdisk", "index.js", "services (2)", "ab.1", "format-bytes.js", "pkg.js", "restore.py", "https://www.virustotal.com/gui/collection/385f419c1c3733dd9dd151d4403bdb38cb24d12c21f18ce8f4f41d818d7a12a5/summary", "features.py", "shrinkwrap.js", "npm-start.md", "libc6-i386_2.19-0ubuntu6.15_amd64.symbols", "https://vtbehaviour.commondatastorage.googleapis.com/1d8220c8dd21980b3011d4d5f270989e8ec6976bfac43bb68e26210f0132d73a_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775517690&Signature=ss9QfKS7opM7i4y0qJTNns2ZH2%2FMJsUYWVIL%2FPE2inms8fNXu%2BbNyyv%2ByYvzfOQeAuk6RLNZDEOhLiGokHWpqZiclVpv8vxLtlqIEAHvgJ%2F4ZIcTgVkGXIXnNvyEEQfE96d0SzSMd2dMGq5%2FychQ%2BT26ZdyxoyTtMSTIUgK9jqBdXfmCaICEp22pfV99slaMlBzNdL7kQ%2BWELMfEtoO72EQxXJQtIZ7ezn3mBEoLa%2BnYqTHCaBbW", "FDhelp", "npm-pack.md", "styles.css", "index.py", "link.js", "gc (2).py", "npmrc", "arborist-cmd.js", "https://www.virustotal.com/graph/embed/g798b5e01446c4711ba22802009d71f5ba78553df16794088a907ae7456e2a017?theme=dark", "npm-find-dupes.md", "npm-org.md", "libc6-i386_2.17-0ubuntu5_amd64.url", ".X1025-lock", "libnm.la", "libc6-i386_2.31-0ubuntu6_amd64.symbols", "patch.js", "INSCD (2)", "https://www.virustotal.com/graph/embed/g6a67af8ffa22446da35d6989d7d0bc47efcd295eb893471e9b4912080c1dddef?theme=dark", "midx.py", "tag.py", "dialogrc (2)", "comparator.js", "range.bnf", "libc6-i386_2.8~20080505-0ubuntu7_amd64.url", "fsck.ext2", "setup (2)", "https://www.virustotal.com/gui/collection/bd65940df2423788fcc8623495dfdafdfd4236d93533db0256db5ff4347b65f9", "modules.isapnpmap", "libnm-wwan.la", "SeTkernel (2)", "rebuild.js", "https://vtbehaviour.commondatastorage.googleapis.com/3a498e611cdc305e0ce67b68971ebc9e8b8aa575e9de08ae4bb081e1f6b87945_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1721583383&Signature=N7snLsiqkPikwYU0zKl8QxasbcLXiGFXIFaIVT%2FEvzaLWUbnPEkuvuuOAxz9la0bmVndAimDsaexUgrGErDmDbBZ46apRuUnYH3GwBNvZ3YaBIVII4IfP8kDN%2Bi2b3meTPaoyhnWR4UIuYord2Ejg5nAYQ3FJxv4KKyrm8NTlU1cEHTpiBToFL3AVBUOHvCUQ4T1wRMpgO6%2FmyokYYZl8GZa4tjpI%2BncAIOTAfOZePVQ7sAnKHmckU", "libc6-i386_2.13-0ubuntu13.2_amd64.symbols", "save.py", "q\u00e9\u00d5?e\u00ac\u00d2\u00b6.\u000f\u001c\u00cc", "libc6-i386_2.17-93ubuntu4_amd64.info", "npm-view.md", "https://www.virustotal.com/gui/collection/ba238f4d585b87abb85c126f927090cb866facfa9e4e2e0db8e307aff553397d", "npm-audit.md", "libc6-i386_2.17-0ubuntu5_amd64.info", "SeTnopart (2)", "libc6-i386_2.30-4_amd64.info", "https://www.virustotal.com/graph/embed/g36d8fc13d786418ab1d0a75cc331f0eb5bca28d4a4fe4666a84f23e25fb6600b?theme=dark", "max-satisfying.js", "doctor.js", "libc6-i386_2.15-0ubuntu10.18_amd64.symbols", "HOSTNAME", "https://www.virustotal.com/gui/collection/aabd4abecf7099202ccbfbc1cec130ea266329ade38b040169399c6abf97a188", "https://github.com/unknownhad/CloudIntel/blob/main/2024/02/02-02-2024", "parse.js", "libc6-i386_2.11.1-0ubuntu7.21_amd64.info", "libc6-i386_2.10.1-0ubuntu19_amd64.symbols", "eq.js", "completion.sh", "OpenSSLConfigVersion.cmake", "libc6-i386_2.15-0ubuntu20_amd64.symbols", "libc6-i386_2.11.1-0ubuntu7.11_amd64.symbols", "pkgtool", "libc6-i386_2.9-4ubuntu6.3_amd64.url", "MozillaUpdateLock-7A4D7A8EFFB43502", "libc6-i386_2.3.6-0ubuntu20_amd64.symbols", "https://www.virustotal.com/gui/collection/9d356233d4019b57b09902b22067bcbc11c1b5df759daaf494d859f540aaa399/iocs", "SeTpartitions", "nm-cloud-setup.service", "stage2", "query.js", "migrate (2).sh", "libc6-i386_2.12.1-0ubuntu10.4_amd64.url", "https://www.virustotal.com/gui/collection/6a4e699473879d39e15ed7cd130f2ee9543f842b92c9ad8b78e310968f4b086f", "https://www.virustotal.com/gui/collection/be10f2ed2776b9b4028ac868814ab14bdd576ca5e5bce877ac2954389ba9d328", "libc6-i386_2.13-20ubuntu5.2_amd64.info", "major.js", "libc6-i386_2.13-20ubuntu5_amd64.url", "stdcrt", "whoami.js", "ci.js", "drecurse (2).py", "logout.js", "fsck (2).ext2", "update-workspaces.js", "asyncrecv.rc", "libc6-i386_2.24-11+deb9u4_amd64.info", "mkdirp", "libc6-i386_2.23-0ubuntu3_amd64.url", "libc6-i386_2.11.1-0ubuntu7.11_amd64.url", "shadow (2)", "libc6-i386_2.21-0ubuntu4_amd64.info", "yallist.js", "dist-tag.js", "https://vtbehaviour.commondatastorage.googleapis.com/6c0127433f689c0861355352460f7dc6b6ae3d86aa7db0747e60b3b9a18c4a87_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775517857&Signature=vah2Y1tu1hUAIU2Nzl5Tj42a52U%2F4iHbQMQ97tgsD9m4WS0cP%2FDouswDcCWgQBks1IZNZLNdNIN4zhFGqu5TKTGa%2BfaFH53FyJKTW8qWIWhfzHeg7juIKdf%2Bg31OT2ch6vWmA12PTN5NyGUdyDJXhtiJoJY7fDAnNQevIgYxRXZV4DroufLQPXPwAd3hsBLc4RLDkrtL%2BeuuXcWkZ95SYsHpvwpswlCvj20Pa9nMFjXYgw4%2Bt5k", "https://vtbehaviour.commondatastorage.googleapis.com/44ea6ddc04caa89b23fb4acec5625975088c6079d823abfd8c77c95d4edc321b_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779339948&Signature=JA8BamPMfn7P8xM9CTv8ndNuaNtng0n%2Btofwj05768pJwsCB6Mgd6GU18%2BpNjCvwwZg%2F%2Bw0a2xOYIsvuqdDQAFzoO3jl3EUYKu7dPoOelD2NPrIcyCAHc8qKhqpPdjZKpo%2B8AJCxvO13OXHoSh94%2B%2Bht9h6mIJs8y7YO2CUo%2FqlV8M0fa5Px90aErgl%2BarD7%2ByQWlt0QD2caFKl%2BHViTViTx", "libc6-i386_2.24-9ubuntu2.2_amd64.url", "libc6-i386_2.28-10_amd64.info", "to-comparators.js", "https://www.verizon.com/business/", "libc6-i386_2.17-93ubuntu4_amd64.url", "libc6-i386_2.4-1ubuntu12_amd64.symbols", "INShd (2)", "fstab", "libc6-i386_2.24-3ubuntu1_amd64.url", "https://hybrid-analysis.com/file-collection/66057525d9b81759df06c4b5", "https://www.virustotal.com/gui/collection/a1866f4c7dbc79920d0c7e914a3bace0d3dc424a2aac06bf30bf724c6c8b0375/iocs", "passwd", "get-identity.js", "gtr.js", "LICENSE", "profile (2)", "npm-diff.md", "dir:ads.txt", "libc6-i386_2.29-0ubuntu2_amd64.info", "nm-priv-helper.service", "rm.py", "profile", "brc (2)", "exit-handler.js", "libc6-i386_2.21-0ubuntu4.3_amd64.url", "libc6-i386_2.9-4ubuntu6_amd64.symbols", "mtools (2).conf", "termcap (2)", "npx.md", "npm-docs.md", "yara.pc", "empty", "installpkg (2)", "https://www.virustotal.com/gui/collection/e03439bc07bcb1908764755571e127ec051193d4cc24cf842ec3179557f533cb/iocs", "SeTkernel", "libc6-i386_2.21-0ubuntu4.3_amd64.symbols", "start.js", "libc6-i386_2.23-0ubuntu11_amd64.url", "https://github.com/unknownhad/CloudIntel/blob/main/2024/02/05-02-2024", "https://www.virustotal.com/graph/embed/g23481631a7c745c6ba19f72ce9f853643d17706c08ab44eb8851eb5c56c0f073?theme=dark", "find-dupes.js", "libc6-i386_2.23-0ubuntu10_amd64.url", "coerce.js", "gte.js", "cli-entry.js", "npm-doctor.md", "https://vtbehaviour.commondatastorage.googleapis.com/366e8b8ac409bec588ae02fbd3fb9678f1feb43c5fec92670577bbe2c01c2b2e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779339747&Signature=R%2FOTx2wxfF3MkMsUAEbX76dOSFXtiY%2BBtXR6Kl7PxVGTXaylNjmhXaxofJAQ0RP2z7ICeXit4nmXky1HIQZnPX74ZyD16ICTt3%2BAXA6yZSU%2Fw%2Fks9M2Ju1xi3m8IMloiUH7Z9Le5L5Mlfrw5QO4ZO%2FgDHG3ATHUk0qk%2BFUT2gsjT8jS6aztZHjZo4xVQLlmmwWY2%2F8%2FKZejJlFptwLfMZEA%2BDW1ZbssKpkNsXZGu69SkdNPO9c", "mux.py", "compare-build.js", "tick.py", "rcompare.js", "prefix.js", "libc6-i386_2.21-0ubuntu4_amd64.url", "sort.js", "libc6-i386_2.19-0ubuntu6_amd64.url", "template-WaR2X6", "package.json", "https://www.virustotal.com/gui/collection/343b947063e58a53ca281f5ad54a72a7fa1b9b6e4c1ca84de6202b99e3126327/summary", "libc6-i386_2.24-3ubuntu2.2_amd64.url", "auth.js", "qrcode-terminal", "libc6-i386_2.24-3ubuntu2.2_amd64.symbols", "https://www.virustotal.com/gui/collection/de4f1959c0d0a3097e7faf50b97413adf8d043804c6f612e5bd19d0852795c5b/iocs", "hook.js", "libc6-i386_2.6.1-1ubuntu10_amd64.url", "lte.js", "NetworkManager.service", "gc.py", "bloom (2).py", "NetworkManager-dispatcher.service", "https://vtbehaviour.commondatastorage.googleapis.com/366e8b8ac409bec588ae02fbd3fb9678f1feb43c5fec92670577bbe2c01c2b2e_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779339770&Signature=tPgwja3MWoODqbVlxhsock2mBa1WfALhB00A%2FSu4klEizmiV6VxM5y6vH%2FGm%2FFf67mLtz5mR6Mt17RKGQUPK11iYmQax86WhcCuxTpR0mDpo12tG4HAI5ht8qM4xgOQcjspEhBgsXPDvw2Np7e9trD0l8MytxvCqOuA7DVNdiUL2xvLNXAG1yCptFpvqyZo7kokLxp4RwsvDJuOrH8%2FGrNAOjdaHFQ8FWGhgkhyO6Q767Szi", "https://vtbehaviour.commondatastorage.googleapis.com/460264c62a85a79d25424920b7b80763354151146da5cba933c198ebbe9a0588_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1721583790&Signature=K2lWpuyPxZ8FgvBVeyB6hsfMbuIBkRXd522JtGonUcHxxtwoomV2fuuFbXC5edVAoGPuZJ24D%2Fv7rEHOHYCS2347F4Mq0VQr0PQt68rfbA8DBHTGs1XBS3QFLveflOjIkNzmhJWg23fuvM%2F1Ci0jSxKnR5XeURTArrkbf5eYA72p4QUFMKDgYO6kRpNXHLuDocJdXWjM7AiQ7ZBQdx%2F%2FeNZgb7k7s%2FPTzGuZ%2FTgEvxiGAiaV6PghFIIPSj", "fuse.py", "npm-access.md", "update.js", "scripts.md", "libssl.pc", "npm-fund.md", "termcap", "__init__ (2).py", "https://www.virustotal.com/graph/embed/g3dae42eb79cc447182e3a3dd746e462f0903d71c784d4f5cacf970954deea221?theme=dark", "https://www.virustotal.com/gui/collection/da124f42943c08f1cafdc1c42635457b0c69ccce41b4031263af3235717996a2/summary", "removal.md", "libc6-i386_2.23-0ubuntu11_amd64.info", "install.js", "https://www.virustotal.com/gui/collection/2c8e8189f77f80c97f4192dff56750f9603651db2cc6cca045f53e274f4b090e", "npm-ci.md", "modules.pcimap", "libc6-i386_2.23-0ubuntu3_amd64.symbols", "fstab (2)", "valid.js", "range.js", "tar.js", "group", "vdecmd", "ping.js", "libc6-i386_2.4-1ubuntu12.3_amd64.symbols", "npm-hook.md", "libc6-i386_2.30-0ubuntu2.1_amd64.info", "init.js", "npm-owner.md", "zgrep", "nm-pppd-plugin.la", "INSdir", "INSCD", "libc6-i386_2.11.1-0ubuntu7_amd64.url", "libc6-i386_2.9-4ubuntu6.3_amd64.symbols", "inc.js", "itl-logo (2).txt", "audit.js", "arborist", "SeTfull (2)", "min-version.js", "libc6-i386_2.19-10ubuntu2.3_amd64.symbols", "https://www.virustotal.com/gui/collection/343b947063e58a53ca281f5ad54a72a7fa1b9b6e4c1ca84de6202b99e3126327", "web.py", "filesize", "repo.js", "npmrc.md", "cmp.js", "ld.so.conf", "org.js", "INSNFS", "npm-usage.js", "libc6-i386_2.6.1-1ubuntu9_amd64.info", "fsck.ext3", "libc6-i386_2.24-9ubuntu2_amd64.symbols", "libc6-i386_2.13-20ubuntu5.3_amd64.symbols", "https://www.virustotal.com/gui/file/e75ff18ee5c7226e225aa9959df439f1488df8cd3d43f5471361ed0426700832/relations", "stars.js", "npm-stars.md", "https://www.virustotal.com/gui/collection/ab283165c61c702e1aed28375718dd2674179c61c517d93baabc2219becf081a/graph", "libc6-i386_2.3.6-0ubuntu20.6_amd64.symbols", "https://www.virustotal.com/gui/collection/9d356233d4019b57b09902b22067bcbc11c1b5df759daaf494d859f540aaa399/summary", "libc6-i386_2.8~20080505-0ubuntu9_amd64.url", "dialogrc", "libc6-i386_2.26-0ubuntu2.1_amd64.url", "https://www.virustotal.com/gui/collection/3bf1c0922ee6f4d041effbf9f72a21a1e9f4b38d0593cfbeaca24851cf712eac", "libc6-i386_2.6.1-1ubuntu10_amd64.info", "libc6-i386_2.17-0ubuntu5_amd64.symbols", "libc6-i386_2.19-0ubuntu6_amd64.info", "https://vtbehaviour.commondatastorage.googleapis.com/087797e64cf016f13eac46473b4150d49c7eba564c894300f69bc643b059c980_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775739500&Signature=r1pLCgJf%2FQK8TvenCwXy9bnghFzjJ5QssdQSLP37SLv6EkA3WXuFUIvKrsXKokco7bMfQUy%2FArk8F6aP%2Bhaj16Jv7P%2FGB%2Blf7mPvs47VjwfBJRCP8AZLlWvO45%2BjC68v798csdJFPTP31O4yDOE3pXZ3EThm4nSrIwLPhTSPfi3cPlEh2wLSzcySW7BYLw%2BqCoawFCxeLUz7hIV0vC89Mlwi3DeS%2BEnWFF%2FsvT9lVJjdbLoJLEeO", "npm-shrinkwrap-json.md", "libc6-i386_2.11.1-0ubuntu7.21_amd64.url", "https://vtbehaviour.commondatastorage.googleapis.com/087797e64cf016f13eac46473b4150d49c7eba564c894300f69bc643b059c980_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775739700&Signature=bOTo%2FxCpGDGOsIKJDZjBBhLZRg8UiOGi%2FvVr47Xpmh7tOh9dez7911bi%2F9SUdu4ATLhzRVog%2BdVP%2BUPwTuEfIdEcPuGRGVc1KOSP3fTQrKhRjF3x2dqykxVCH%2B1iqBmCgod%2B1uAdlraxqSOeOgst1l%2Bk250uXff4axktE%2BfGjeNDeGJao%2FfOMktqIL7zU8%2BIQYTObwelnnYx45FBSiXI1bWM4vhdgIX4cs2cT%2F", "https://www.virustotal.com/gui/collection/82dc29932b9184d02b037289fd4605c158e96a57f376b08a8b2b94e43d0ae18b/iocs", "libc6-i386_2.19-18+deb8u10_amd64.info", "libc6-i386_2.15-0ubuntu20.2_amd64.symbols", "https://vtbehaviour.commondatastorage.googleapis.com/000033bb30ef26261f53f933a0f21cf4eed370bd987e081e0679898b3a6bddda_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779336524&Signature=O5n0S4aWPfyjTDJc05rzvbBhcbEoG8Ay%2Fz1o8K3hGVa9yUcttzmFeiPiaEhLbNVb9JiGIOIDKYipVl89pWQnYGXvGkFlwlFEXMP7Bk0zMMRedzKnp5vRpurrgLFfTgr%2BB1LVJyMVDEvDnGezrwX3d6OVEfW4XJ1w3he09Vvhr6fmuca3vBNMTc%2F%2BLGyb5JKBbQl06mGcymu8a2NNt8LXHTceDjZdRnfEyCWqn9", "HOSTNAME (2)" ], "related": { "alienvault": { "adversary": [ "LegionLoader" ], "malware_families": [ "Legionloader", "Robotdropper", "Curlygate", "Satacom" ], "industries": [] }, "other": { "adversary": [ "Unknown APT Group(s) / Threat Actor (s)" ], "malware_families": [ "Trojandownloader:win32/tasekjom.a", "Cobalt strike", "Trojandownloader:win32/upatre.a" ], "industries": [ "Healthcare", "Education", "Technology", "Government", "Telecommunications" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 50, "pulses": [ { "id": "67aa04f81eb91601c0afbef4", "name": "LegionLoader exposed!", "description": "LegionLoader, also known as Satacom, CurlyGate, and RobotDropper, is an active downloader malware that has gained significant traction recently, amassing over 2,000 samples in weeks. The campaign appears to have started on December 19, 2024, with Brazil being the most affected country. The malware is delivered through drive-by downloads from insecure websites, often using the .monster TLD for malicious redirections. It employs anti-sandbox techniques and uses a multi-stage infection process. The initial MSI file extracts and executes a malicious DLL, which then downloads and executes a second stage payload. The final payload communicates with command and control servers to potentially download additional malware.", "modified": "2025-02-10T15:19:05.547000", "created": "2025-02-10T13:54:00.953000", "tags": [ "msi", "legionloader", "robotdropper", "dll injection", "brazil", "downloader", "curlygate", "anti-sandbox", "drive-by download", "multi-stage", "satacom" ], "references": [ "https://tehtris.com/en/blog/legionloader-exposed/" ], "public": 1, "adversary": "LegionLoader", "targeted_countries": [ "Brazil" ], "malware_families": [ { "id": "LegionLoader", "display_name": "LegionLoader", "target": null }, { "id": "Satacom", "display_name": "Satacom", "target": null }, { "id": "CurlyGate", "display_name": "CurlyGate", "target": null }, { "id": "RobotDropper", "display_name": "RobotDropper", "target": null } ], "attack_ids": [ { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1573.001", "name": "Symmetric Cryptography", "display_name": "T1573.001 - Symmetric Cryptography" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1055.002", "name": "Portable Executable Injection", "display_name": "T1055.002 - Portable Executable Injection" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1102.002", "name": "Bidirectional Communication", "display_name": "T1102.002 - Bidirectional Communication" }, { "id": "T1573.002", "name": "Asymmetric Cryptography", "display_name": "T1573.002 - Asymmetric Cryptography" }, { "id": "T1059.003", "name": "Windows Command Shell", "display_name": "T1059.003 - Windows Command Shell" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 54, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "domain": 39, "URL": 26, "FileHash-MD5": 21, "FileHash-SHA1": 17, "FileHash-SHA256": 43 }, "indicator_count": 146, "is_author": false, "is_subscribing": null, "subscriber_count": 386491, "modified_text": "474 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a0e936ce3f3ebd4b76fee29", "name": "MAV-en * VirusTotal report for setup-maven-master.zip", "description": "[The full text of the statement on the subject of human rights, as compiled by BBC Radio 4's Panorama, will be published on Wednesday, 27 March.. and will appear on BBC iPlayer]usernotificationsd, \"freeze_skip_reason:\" : \"none\",\n \"pid\" : 851,\n \"cpuTime\" : 0.52999799999999997,\n \"name\" : \"HeuristicInterpreter\",\n country_code\":\"US\",\"agent\":\"parsecd\\/1 (iPhone17,4; iPhone OS 26.3.1 23D8133) parsecd\\/", "modified": "2026-05-21T23:45:08.365000", "created": "2026-05-21T05:09:00.942000", "tags": [ "file type", "ascii", "ascii text", "java source", "json", "unicode text", "utf8 text", "c source", "sgml document", "creates", "persistence", "malicious", "next", "windows sandbox", "calls clear", "png image", "svg scalable", "vector graphics", "rgba", "crlf line", "ms windows", "title", "installer", "template", "pcx ver", "code helper", "helper", "plugin", "renderer", "ip address", "virustotal box", "apples sandbox", "sandbox sha256", "analysis date", "screnshots", "mitre attack", "dropped info", "processes extra", "overview zenbox", "linux verdict", "guest system", "ultimate file", "info file", "zip archive" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/366e8b8ac409bec588ae02fbd3fb9678f1feb43c5fec92670577bbe2c01c2b2e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779339747&Signature=R%2FOTx2wxfF3MkMsUAEbX76dOSFXtiY%2BBtXR6Kl7PxVGTXaylNjmhXaxofJAQ0RP2z7ICeXit4nmXky1HIQZnPX74ZyD16ICTt3%2BAXA6yZSU%2Fw%2Fks9M2Ju1xi3m8IMloiUH7Z9Le5L5Mlfrw5QO4ZO%2FgDHG3ATHUk0qk%2BFUT2gsjT8jS6aztZHjZo4xVQLlmmwWY2%2F8%2FKZejJlFptwLfMZEA%2BDW1ZbssKpkNsXZGu69SkdNPO9c", "https://vtbehaviour.commondatastorage.googleapis.com/366e8b8ac409bec588ae02fbd3fb9678f1feb43c5fec92670577bbe2c01c2b2e_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779339770&Signature=tPgwja3MWoODqbVlxhsock2mBa1WfALhB00A%2FSu4klEizmiV6VxM5y6vH%2FGm%2FFf67mLtz5mR6Mt17RKGQUPK11iYmQax86WhcCuxTpR0mDpo12tG4HAI5ht8qM4xgOQcjspEhBgsXPDvw2Np7e9trD0l8MytxvCqOuA7DVNdiUL2xvLNXAG1yCptFpvqyZo7kokLxp4RwsvDJuOrH8%2FGrNAOjdaHFQ8FWGhgkhyO6Q767Szi", "https://vtbehaviour.commondatastorage.googleapis.com/366e8b8ac409bec588ae02fbd3fb9678f1feb43c5fec92670577bbe2c01c2b2e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779339792&Signature=O6r4LzVdjNFj7wZVT%2B0a4%2BGemB4yEqip9waMS7NlonESXy80tfqV33UBqEEp8i%2B2qOg6S%2Ba4cSwzi3nXOtjSaUaFAI43DmvSsxq5Y5WsA8cMb4Ul6FhGON6Cr0JT1xoEMtACmSdxG8Vo%2Be4PVcu93v6CBeWMZnFb8exU8ku4GUDY8ZEFW%2FJqeu266wn59KD9gFKRwlqx3NuRzMLdwqMA7f9o6QLPcM8WWnB%2BkvJVFk3BnxJAfBn7T2JO", "https://vtbehaviour.commondatastorage.googleapis.com/f839e941d0d2b6d9c5d6fd9b8b9ea9d34629182973bb9cc8af28e1e3ccdbbdd4_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779339838&Signature=GgSFM3a3czj9g63hY67%2B%2FAyC%2FcGgMmTIqhErAonJ7vV9C8snHKwK0GtHZ6drm%2Fd%2BKaMonYJwSmh1LrRzYF9toBJc5rBwpR%2BPlsrS9EArViMI%2Bd%2Fb8ZZBHgqFsmCiiSWfzz4kIQRPM0RB4osCHqQxKmGW2i1uyWrytYjA4V%2FZREm1%2Bm2EEWx38PebvBFrM9pMznjF6rghFHp8ls6tzuolbXD4WUfR0OSoXjcAaAgihobJ%2FmOd", "https://vtbehaviour.commondatastorage.googleapis.com/e2f820daf9f578d5f3219ae8b3c6391017badf913a68c4aaac4e52c5155c566f_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779339867&Signature=l%2F%2BDGW7ZLqIfVvi1NOyg4%2FCgXPJBdSweWglJKW7iMb5GfnK0pX4yYYVL3OKkqrzAbMUcR2fqLUXHJfnMwSKBhQxjGR8LGF1nh7TeXxVGIQVh8kAyEZBCuXNHsZfzxR0zVbZfKAIEvC9D8S2%2FwBmpI6xztHiC7vmaJ5OhJD%2BoPDojRqXH2bmBpCz1XTZd7JphPNXRIbefZL4mR%2FrRe7o8WO2JHylOy9rIodNKKPEv5W9Q54%2BaA%2FG926", "https://vtbehaviour.commondatastorage.googleapis.com/44ea6ddc04caa89b23fb4acec5625975088c6079d823abfd8c77c95d4edc321b_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779339948&Signature=JA8BamPMfn7P8xM9CTv8ndNuaNtng0n%2Btofwj05768pJwsCB6Mgd6GU18%2BpNjCvwwZg%2F%2Bw0a2xOYIsvuqdDQAFzoO3jl3EUYKu7dPoOelD2NPrIcyCAHc8qKhqpPdjZKpo%2B8AJCxvO13OXHoSh94%2B%2Bht9h6mIJs8y7YO2CUo%2FqlV8M0fa5Px90aErgl%2BarD7%2ByQWlt0QD2caFKl%2BHViTViTx", "https://vtbehaviour.commondatastorage.googleapis.com/44ea6ddc04caa89b23fb4acec5625975088c6079d823abfd8c77c95d4edc321b_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779340034&Signature=tbq82yoC%2BAKXaH%2F2XjmRWiAbt911K91ltP8zHTYrstzi0i1UKrzJxM48ky9ypV%2B%2FvrYdgBnaOfI9MzgZH0C%2FOFJUaVJ3WB87ULkjglD%2F6GeEDDcPtDX%2BY6aw2%2Bb8WaJU2xLc%2F9JbwoTbPP0n83pJv1qe0KLqckLIjEN4iREH1zU%2FldO5TBRicvB%2BxjeAxpPFZnjNZmyFl%2FNHbavuuvRc%2FMNR0DbjnriB2Mub" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 204, "FileHash-SHA1": 90, "FileHash-SHA256": 1997, "IPv4": 49, "domain": 34, "hostname": 124, "URL": 429, "URI": 1, "CIDR": 16 }, "indicator_count": 2944, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "9 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a0e9725b323ae1350c36488", "name": "no comment", "description": "", "modified": "2026-05-21T06:52:08.577000", "created": "2026-05-21T05:24:53.947000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 366, "FileHash-SHA1": 366, "FileHash-SHA256": 5078, "IPv4": 44, "URL": 2414, "domain": 1305, "hostname": 366, "CIDR": 1, "email": 2, "Mutex": 1 }, "indicator_count": 9943, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "10 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a0e9725823bc1d6ac78350e", "name": "no comment", "description": "", "modified": "2026-05-21T06:37:36.247000", "created": "2026-05-21T05:24:53.229000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 35, "FileHash-SHA1": 35, "FileHash-SHA256": 679, "IPv4": 15, "URL": 200, "domain": 32, "hostname": 26 }, "indicator_count": 1022, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "10 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a0e891990e460b7c453f3c3", "name": "Spyware: Q. Vashti, VirusTotal Box of Apples Sandbox report", "description": "[Spyware: A complete list of words, phrases, symbols and symbols. and the full text of this page, published by Q.Vashti Public TLP, has been released.] Follow Q.Vashti, excellent researcher.", "modified": "2026-05-21T05:24:25.308000", "created": "2026-05-21T04:24:57.187000", "tags": [ "virustotal box", "apples sandbox", "sandbox sha256", "analysis date", "screnshots", "file", "operations", "process open", "write delete", "move time", "url https", "url http", "months ago", "spam author", "spyware created", "modified", "iiiii whoo", "maas", "scan", "iocs", "indicator role", "title added", "active related", "pulses url", "cloudflare", "net104", "net1040000", "cloud14", "cloud14 address", "townsend street", "city", "san francisco", "stateprov", "postalcode", "MA", "legal deadlock", "Compliance lock abuse", "Phone carrier interception 9999999999", "Plot", "Coordinated state abuse", "Enemy of the state", "Suppression", "Guard abuse", "the real fake admin of all domains and devices", "Mass", "Ina", "Maassina", "Signet" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/000033bb30ef26261f53f933a0f21cf4eed370bd987e081e0679898b3a6bddda_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779336524&Signature=O5n0S4aWPfyjTDJc05rzvbBhcbEoG8Ay%2Fz1o8K3hGVa9yUcttzmFeiPiaEhLbNVb9JiGIOIDKYipVl89pWQnYGXvGkFlwlFEXMP7Bk0zMMRedzKnp5vRpurrgLFfTgr%2BB1LVJyMVDEvDnGezrwX3d6OVEfW4XJ1w3he09Vvhr6fmuca3vBNMTc%2F%2BLGyb5JKBbQl06mGcymu8a2NNt8LXHTceDjZdRnfEyCWqn9" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 4288, "domain": 63, "IPv4": 4, "hostname": 207, "URL": 570, "FileHash-MD5": 39, "FileHash-SHA1": 40, "CIDR": 1, "email": 3 }, "indicator_count": 5215, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "10 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a0e935a4a7df45548fe942d", "name": "MAV-en * VirusTotal report for setup-maven-master.zip", "description": "[The full text of the statement on the subject of human rights, as compiled by BBC Radio 4's Panorama, will be published on Wednesday, 27 March.. and will appear on BBC iPlayer]usernotificationsd, \"freeze_skip_reason:\" : \"none\",\n \"pid\" : 851,\n \"cpuTime\" : 0.52999799999999997,\n \"name\" : \"HeuristicInterpreter\",\n country_code\":\"US\",\"agent\":\"parsecd\\/1 (iPhone17,4; iPhone OS 26.3.1 23D8133) parsecd\\/", "modified": "2026-05-21T05:21:46.242000", "created": "2026-05-21T05:08:42.394000", "tags": [ "file type", "ascii", "ascii text", "java source", "json", "unicode text", "utf8 text", "c source", "sgml document", "creates", "persistence", "malicious", "next", "windows sandbox", "calls clear", "png image", "svg scalable", "vector graphics", "rgba", "crlf line", "ms windows", "title", "installer", "template", "pcx ver", "code helper", "helper", "plugin", "renderer", "ip address", "virustotal box", "apples sandbox", "sandbox sha256", "analysis date", "screnshots", "mitre attack", "dropped info", "processes extra", "overview zenbox", "linux verdict", "guest system", "ultimate file", "info file", "zip archive" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/366e8b8ac409bec588ae02fbd3fb9678f1feb43c5fec92670577bbe2c01c2b2e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779339747&Signature=R%2FOTx2wxfF3MkMsUAEbX76dOSFXtiY%2BBtXR6Kl7PxVGTXaylNjmhXaxofJAQ0RP2z7ICeXit4nmXky1HIQZnPX74ZyD16ICTt3%2BAXA6yZSU%2Fw%2Fks9M2Ju1xi3m8IMloiUH7Z9Le5L5Mlfrw5QO4ZO%2FgDHG3ATHUk0qk%2BFUT2gsjT8jS6aztZHjZo4xVQLlmmwWY2%2F8%2FKZejJlFptwLfMZEA%2BDW1ZbssKpkNsXZGu69SkdNPO9c", "https://vtbehaviour.commondatastorage.googleapis.com/366e8b8ac409bec588ae02fbd3fb9678f1feb43c5fec92670577bbe2c01c2b2e_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779339770&Signature=tPgwja3MWoODqbVlxhsock2mBa1WfALhB00A%2FSu4klEizmiV6VxM5y6vH%2FGm%2FFf67mLtz5mR6Mt17RKGQUPK11iYmQax86WhcCuxTpR0mDpo12tG4HAI5ht8qM4xgOQcjspEhBgsXPDvw2Np7e9trD0l8MytxvCqOuA7DVNdiUL2xvLNXAG1yCptFpvqyZo7kokLxp4RwsvDJuOrH8%2FGrNAOjdaHFQ8FWGhgkhyO6Q767Szi", "https://vtbehaviour.commondatastorage.googleapis.com/366e8b8ac409bec588ae02fbd3fb9678f1feb43c5fec92670577bbe2c01c2b2e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779339792&Signature=O6r4LzVdjNFj7wZVT%2B0a4%2BGemB4yEqip9waMS7NlonESXy80tfqV33UBqEEp8i%2B2qOg6S%2Ba4cSwzi3nXOtjSaUaFAI43DmvSsxq5Y5WsA8cMb4Ul6FhGON6Cr0JT1xoEMtACmSdxG8Vo%2Be4PVcu93v6CBeWMZnFb8exU8ku4GUDY8ZEFW%2FJqeu266wn59KD9gFKRwlqx3NuRzMLdwqMA7f9o6QLPcM8WWnB%2BkvJVFk3BnxJAfBn7T2JO", "https://vtbehaviour.commondatastorage.googleapis.com/f839e941d0d2b6d9c5d6fd9b8b9ea9d34629182973bb9cc8af28e1e3ccdbbdd4_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779339838&Signature=GgSFM3a3czj9g63hY67%2B%2FAyC%2FcGgMmTIqhErAonJ7vV9C8snHKwK0GtHZ6drm%2Fd%2BKaMonYJwSmh1LrRzYF9toBJc5rBwpR%2BPlsrS9EArViMI%2Bd%2Fb8ZZBHgqFsmCiiSWfzz4kIQRPM0RB4osCHqQxKmGW2i1uyWrytYjA4V%2FZREm1%2Bm2EEWx38PebvBFrM9pMznjF6rghFHp8ls6tzuolbXD4WUfR0OSoXjcAaAgihobJ%2FmOd", "https://vtbehaviour.commondatastorage.googleapis.com/e2f820daf9f578d5f3219ae8b3c6391017badf913a68c4aaac4e52c5155c566f_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779339867&Signature=l%2F%2BDGW7ZLqIfVvi1NOyg4%2FCgXPJBdSweWglJKW7iMb5GfnK0pX4yYYVL3OKkqrzAbMUcR2fqLUXHJfnMwSKBhQxjGR8LGF1nh7TeXxVGIQVh8kAyEZBCuXNHsZfzxR0zVbZfKAIEvC9D8S2%2FwBmpI6xztHiC7vmaJ5OhJD%2BoPDojRqXH2bmBpCz1XTZd7JphPNXRIbefZL4mR%2FrRe7o8WO2JHylOy9rIodNKKPEv5W9Q54%2BaA%2FG926", "https://vtbehaviour.commondatastorage.googleapis.com/44ea6ddc04caa89b23fb4acec5625975088c6079d823abfd8c77c95d4edc321b_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779339948&Signature=JA8BamPMfn7P8xM9CTv8ndNuaNtng0n%2Btofwj05768pJwsCB6Mgd6GU18%2BpNjCvwwZg%2F%2Bw0a2xOYIsvuqdDQAFzoO3jl3EUYKu7dPoOelD2NPrIcyCAHc8qKhqpPdjZKpo%2B8AJCxvO13OXHoSh94%2B%2Bht9h6mIJs8y7YO2CUo%2FqlV8M0fa5Px90aErgl%2BarD7%2ByQWlt0QD2caFKl%2BHViTViTx", "https://vtbehaviour.commondatastorage.googleapis.com/44ea6ddc04caa89b23fb4acec5625975088c6079d823abfd8c77c95d4edc321b_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779340034&Signature=tbq82yoC%2BAKXaH%2F2XjmRWiAbt911K91ltP8zHTYrstzi0i1UKrzJxM48ky9ypV%2B%2FvrYdgBnaOfI9MzgZH0C%2FOFJUaVJ3WB87ULkjglD%2F6GeEDDcPtDX%2BY6aw2%2Bb8WaJU2xLc%2F9JbwoTbPP0n83pJv1qe0KLqckLIjEN4iREH1zU%2FldO5TBRicvB%2BxjeAxpPFZnjNZmyFl%2FNHbavuuvRc%2FMNR0DbjnriB2Mub" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 216, "FileHash-SHA1": 122, "FileHash-SHA256": 2487, "IPv4": 19, "domain": 47, "hostname": 73, "URL": 205, "URI": 1, "email": 1 }, "indicator_count": 3171, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "10 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a0e936aec67867b0f6d29f3", "name": "MAV-en * VirusTotal report for setup-maven-master.zip", "description": "[The full text of the statement on the subject of human rights, as compiled by BBC Radio 4's Panorama, will be published on Wednesday, 27 March.. and will appear on BBC iPlayer]usernotificationsd, \"freeze_skip_reason:\" : \"none\",\n \"pid\" : 851,\n \"cpuTime\" : 0.52999799999999997,\n \"name\" : \"HeuristicInterpreter\",\n country_code\":\"US\",\"agent\":\"parsecd\\/1 (iPhone17,4; iPhone OS 26.3.1 23D8133) parsecd\\/", "modified": "2026-05-21T05:13:23.417000", "created": "2026-05-21T05:08:58.537000", "tags": [ "file type", "ascii", "ascii text", "java source", "json", "unicode text", "utf8 text", "c source", "sgml document", "creates", "persistence", "malicious", "next", "windows sandbox", "calls clear", "png image", "svg scalable", "vector graphics", "rgba", "crlf line", "ms windows", "title", "installer", "template", "pcx ver", "code helper", "helper", "plugin", "renderer", "ip address", "virustotal box", "apples sandbox", "sandbox sha256", "analysis date", "screnshots", "mitre attack", "dropped info", "processes extra", "overview zenbox", "linux verdict", "guest system", "ultimate file", "info file", "zip archive" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/366e8b8ac409bec588ae02fbd3fb9678f1feb43c5fec92670577bbe2c01c2b2e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779339747&Signature=R%2FOTx2wxfF3MkMsUAEbX76dOSFXtiY%2BBtXR6Kl7PxVGTXaylNjmhXaxofJAQ0RP2z7ICeXit4nmXky1HIQZnPX74ZyD16ICTt3%2BAXA6yZSU%2Fw%2Fks9M2Ju1xi3m8IMloiUH7Z9Le5L5Mlfrw5QO4ZO%2FgDHG3ATHUk0qk%2BFUT2gsjT8jS6aztZHjZo4xVQLlmmwWY2%2F8%2FKZejJlFptwLfMZEA%2BDW1ZbssKpkNsXZGu69SkdNPO9c", "https://vtbehaviour.commondatastorage.googleapis.com/366e8b8ac409bec588ae02fbd3fb9678f1feb43c5fec92670577bbe2c01c2b2e_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779339770&Signature=tPgwja3MWoODqbVlxhsock2mBa1WfALhB00A%2FSu4klEizmiV6VxM5y6vH%2FGm%2FFf67mLtz5mR6Mt17RKGQUPK11iYmQax86WhcCuxTpR0mDpo12tG4HAI5ht8qM4xgOQcjspEhBgsXPDvw2Np7e9trD0l8MytxvCqOuA7DVNdiUL2xvLNXAG1yCptFpvqyZo7kokLxp4RwsvDJuOrH8%2FGrNAOjdaHFQ8FWGhgkhyO6Q767Szi", "https://vtbehaviour.commondatastorage.googleapis.com/366e8b8ac409bec588ae02fbd3fb9678f1feb43c5fec92670577bbe2c01c2b2e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779339792&Signature=O6r4LzVdjNFj7wZVT%2B0a4%2BGemB4yEqip9waMS7NlonESXy80tfqV33UBqEEp8i%2B2qOg6S%2Ba4cSwzi3nXOtjSaUaFAI43DmvSsxq5Y5WsA8cMb4Ul6FhGON6Cr0JT1xoEMtACmSdxG8Vo%2Be4PVcu93v6CBeWMZnFb8exU8ku4GUDY8ZEFW%2FJqeu266wn59KD9gFKRwlqx3NuRzMLdwqMA7f9o6QLPcM8WWnB%2BkvJVFk3BnxJAfBn7T2JO", "https://vtbehaviour.commondatastorage.googleapis.com/f839e941d0d2b6d9c5d6fd9b8b9ea9d34629182973bb9cc8af28e1e3ccdbbdd4_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779339838&Signature=GgSFM3a3czj9g63hY67%2B%2FAyC%2FcGgMmTIqhErAonJ7vV9C8snHKwK0GtHZ6drm%2Fd%2BKaMonYJwSmh1LrRzYF9toBJc5rBwpR%2BPlsrS9EArViMI%2Bd%2Fb8ZZBHgqFsmCiiSWfzz4kIQRPM0RB4osCHqQxKmGW2i1uyWrytYjA4V%2FZREm1%2Bm2EEWx38PebvBFrM9pMznjF6rghFHp8ls6tzuolbXD4WUfR0OSoXjcAaAgihobJ%2FmOd", "https://vtbehaviour.commondatastorage.googleapis.com/e2f820daf9f578d5f3219ae8b3c6391017badf913a68c4aaac4e52c5155c566f_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779339867&Signature=l%2F%2BDGW7ZLqIfVvi1NOyg4%2FCgXPJBdSweWglJKW7iMb5GfnK0pX4yYYVL3OKkqrzAbMUcR2fqLUXHJfnMwSKBhQxjGR8LGF1nh7TeXxVGIQVh8kAyEZBCuXNHsZfzxR0zVbZfKAIEvC9D8S2%2FwBmpI6xztHiC7vmaJ5OhJD%2BoPDojRqXH2bmBpCz1XTZd7JphPNXRIbefZL4mR%2FrRe7o8WO2JHylOy9rIodNKKPEv5W9Q54%2BaA%2FG926", "https://vtbehaviour.commondatastorage.googleapis.com/44ea6ddc04caa89b23fb4acec5625975088c6079d823abfd8c77c95d4edc321b_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779339948&Signature=JA8BamPMfn7P8xM9CTv8ndNuaNtng0n%2Btofwj05768pJwsCB6Mgd6GU18%2BpNjCvwwZg%2F%2Bw0a2xOYIsvuqdDQAFzoO3jl3EUYKu7dPoOelD2NPrIcyCAHc8qKhqpPdjZKpo%2B8AJCxvO13OXHoSh94%2B%2Bht9h6mIJs8y7YO2CUo%2FqlV8M0fa5Px90aErgl%2BarD7%2ByQWlt0QD2caFKl%2BHViTViTx", "https://vtbehaviour.commondatastorage.googleapis.com/44ea6ddc04caa89b23fb4acec5625975088c6079d823abfd8c77c95d4edc321b_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779340034&Signature=tbq82yoC%2BAKXaH%2F2XjmRWiAbt911K91ltP8zHTYrstzi0i1UKrzJxM48ky9ypV%2B%2FvrYdgBnaOfI9MzgZH0C%2FOFJUaVJ3WB87ULkjglD%2F6GeEDDcPtDX%2BY6aw2%2Bb8WaJU2xLc%2F9JbwoTbPP0n83pJv1qe0KLqckLIjEN4iREH1zU%2FldO5TBRicvB%2BxjeAxpPFZnjNZmyFl%2FNHbavuuvRc%2FMNR0DbjnriB2Mub" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 204, "FileHash-SHA1": 88, "FileHash-SHA256": 1993, "IPv4": 19, "domain": 34, "hostname": 60, "URL": 203, "URI": 1 }, "indicator_count": 2602, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "10 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a0e9368acb77419bf65660d", "name": "MAV-en * VirusTotal report for setup-maven-master.zip", "description": "[The full text of the statement on the subject of human rights, as compiled by BBC Radio 4's Panorama, will be published on Wednesday, 27 March.. and will appear on BBC iPlayer]usernotificationsd, \"freeze_skip_reason:\" : \"none\",\n \"pid\" : 851,\n \"cpuTime\" : 0.52999799999999997,\n \"name\" : \"HeuristicInterpreter\",\n country_code\":\"US\",\"agent\":\"parsecd\\/1 (iPhone17,4; iPhone OS 26.3.1 23D8133) parsecd\\/", "modified": "2026-05-21T05:13:16.005000", "created": "2026-05-21T05:08:56.934000", "tags": [ "file type", "ascii", "ascii text", "java source", "json", "unicode text", "utf8 text", "c source", "sgml document", "creates", "persistence", "malicious", "next", "windows sandbox", "calls clear", "png image", "svg scalable", "vector graphics", "rgba", "crlf line", "ms windows", "title", "installer", "template", "pcx ver", "code helper", "helper", "plugin", "renderer", "ip address", "virustotal box", "apples sandbox", "sandbox sha256", "analysis date", "screnshots", "mitre attack", "dropped info", "processes extra", "overview zenbox", "linux verdict", "guest system", "ultimate file", "info file", "zip archive" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/366e8b8ac409bec588ae02fbd3fb9678f1feb43c5fec92670577bbe2c01c2b2e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779339747&Signature=R%2FOTx2wxfF3MkMsUAEbX76dOSFXtiY%2BBtXR6Kl7PxVGTXaylNjmhXaxofJAQ0RP2z7ICeXit4nmXky1HIQZnPX74ZyD16ICTt3%2BAXA6yZSU%2Fw%2Fks9M2Ju1xi3m8IMloiUH7Z9Le5L5Mlfrw5QO4ZO%2FgDHG3ATHUk0qk%2BFUT2gsjT8jS6aztZHjZo4xVQLlmmwWY2%2F8%2FKZejJlFptwLfMZEA%2BDW1ZbssKpkNsXZGu69SkdNPO9c", "https://vtbehaviour.commondatastorage.googleapis.com/366e8b8ac409bec588ae02fbd3fb9678f1feb43c5fec92670577bbe2c01c2b2e_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779339770&Signature=tPgwja3MWoODqbVlxhsock2mBa1WfALhB00A%2FSu4klEizmiV6VxM5y6vH%2FGm%2FFf67mLtz5mR6Mt17RKGQUPK11iYmQax86WhcCuxTpR0mDpo12tG4HAI5ht8qM4xgOQcjspEhBgsXPDvw2Np7e9trD0l8MytxvCqOuA7DVNdiUL2xvLNXAG1yCptFpvqyZo7kokLxp4RwsvDJuOrH8%2FGrNAOjdaHFQ8FWGhgkhyO6Q767Szi", "https://vtbehaviour.commondatastorage.googleapis.com/366e8b8ac409bec588ae02fbd3fb9678f1feb43c5fec92670577bbe2c01c2b2e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779339792&Signature=O6r4LzVdjNFj7wZVT%2B0a4%2BGemB4yEqip9waMS7NlonESXy80tfqV33UBqEEp8i%2B2qOg6S%2Ba4cSwzi3nXOtjSaUaFAI43DmvSsxq5Y5WsA8cMb4Ul6FhGON6Cr0JT1xoEMtACmSdxG8Vo%2Be4PVcu93v6CBeWMZnFb8exU8ku4GUDY8ZEFW%2FJqeu266wn59KD9gFKRwlqx3NuRzMLdwqMA7f9o6QLPcM8WWnB%2BkvJVFk3BnxJAfBn7T2JO", "https://vtbehaviour.commondatastorage.googleapis.com/f839e941d0d2b6d9c5d6fd9b8b9ea9d34629182973bb9cc8af28e1e3ccdbbdd4_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779339838&Signature=GgSFM3a3czj9g63hY67%2B%2FAyC%2FcGgMmTIqhErAonJ7vV9C8snHKwK0GtHZ6drm%2Fd%2BKaMonYJwSmh1LrRzYF9toBJc5rBwpR%2BPlsrS9EArViMI%2Bd%2Fb8ZZBHgqFsmCiiSWfzz4kIQRPM0RB4osCHqQxKmGW2i1uyWrytYjA4V%2FZREm1%2Bm2EEWx38PebvBFrM9pMznjF6rghFHp8ls6tzuolbXD4WUfR0OSoXjcAaAgihobJ%2FmOd", "https://vtbehaviour.commondatastorage.googleapis.com/e2f820daf9f578d5f3219ae8b3c6391017badf913a68c4aaac4e52c5155c566f_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779339867&Signature=l%2F%2BDGW7ZLqIfVvi1NOyg4%2FCgXPJBdSweWglJKW7iMb5GfnK0pX4yYYVL3OKkqrzAbMUcR2fqLUXHJfnMwSKBhQxjGR8LGF1nh7TeXxVGIQVh8kAyEZBCuXNHsZfzxR0zVbZfKAIEvC9D8S2%2FwBmpI6xztHiC7vmaJ5OhJD%2BoPDojRqXH2bmBpCz1XTZd7JphPNXRIbefZL4mR%2FrRe7o8WO2JHylOy9rIodNKKPEv5W9Q54%2BaA%2FG926", "https://vtbehaviour.commondatastorage.googleapis.com/44ea6ddc04caa89b23fb4acec5625975088c6079d823abfd8c77c95d4edc321b_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779339948&Signature=JA8BamPMfn7P8xM9CTv8ndNuaNtng0n%2Btofwj05768pJwsCB6Mgd6GU18%2BpNjCvwwZg%2F%2Bw0a2xOYIsvuqdDQAFzoO3jl3EUYKu7dPoOelD2NPrIcyCAHc8qKhqpPdjZKpo%2B8AJCxvO13OXHoSh94%2B%2Bht9h6mIJs8y7YO2CUo%2FqlV8M0fa5Px90aErgl%2BarD7%2ByQWlt0QD2caFKl%2BHViTViTx", "https://vtbehaviour.commondatastorage.googleapis.com/44ea6ddc04caa89b23fb4acec5625975088c6079d823abfd8c77c95d4edc321b_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779340034&Signature=tbq82yoC%2BAKXaH%2F2XjmRWiAbt911K91ltP8zHTYrstzi0i1UKrzJxM48ky9ypV%2B%2FvrYdgBnaOfI9MzgZH0C%2FOFJUaVJ3WB87ULkjglD%2F6GeEDDcPtDX%2BY6aw2%2Bb8WaJU2xLc%2F9JbwoTbPP0n83pJv1qe0KLqckLIjEN4iREH1zU%2FldO5TBRicvB%2BxjeAxpPFZnjNZmyFl%2FNHbavuuvRc%2FMNR0DbjnriB2Mub" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 204, "FileHash-SHA1": 88, "FileHash-SHA256": 1993, "IPv4": 19, "domain": 34, "hostname": 60, "URL": 203, "URI": 1 }, "indicator_count": 2602, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "10 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a0e936b647274be6ed25227", "name": "MAV-en * VirusTotal report for setup-maven-master.zip", "description": "[The full text of the statement on the subject of human rights, as compiled by BBC Radio 4's Panorama, will be published on Wednesday, 27 March.. and will appear on BBC iPlayer]usernotificationsd, \"freeze_skip_reason:\" : \"none\",\n \"pid\" : 851,\n \"cpuTime\" : 0.52999799999999997,\n \"name\" : \"HeuristicInterpreter\",\n country_code\":\"US\",\"agent\":\"parsecd\\/1 (iPhone17,4; iPhone OS 26.3.1 23D8133) parsecd\\/", "modified": "2026-05-21T05:13:13.100000", "created": "2026-05-21T05:08:59.081000", "tags": [ "file type", "ascii", "ascii text", "java source", "json", "unicode text", "utf8 text", "c source", "sgml document", "creates", "persistence", "malicious", "next", "windows sandbox", "calls clear", "png image", "svg scalable", "vector graphics", "rgba", "crlf line", "ms windows", "title", "installer", "template", "pcx ver", "code helper", "helper", "plugin", "renderer", "ip address", "virustotal box", "apples sandbox", "sandbox sha256", "analysis date", "screnshots", "mitre attack", "dropped info", "processes extra", "overview zenbox", "linux verdict", "guest system", "ultimate file", "info file", "zip archive" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/366e8b8ac409bec588ae02fbd3fb9678f1feb43c5fec92670577bbe2c01c2b2e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779339747&Signature=R%2FOTx2wxfF3MkMsUAEbX76dOSFXtiY%2BBtXR6Kl7PxVGTXaylNjmhXaxofJAQ0RP2z7ICeXit4nmXky1HIQZnPX74ZyD16ICTt3%2BAXA6yZSU%2Fw%2Fks9M2Ju1xi3m8IMloiUH7Z9Le5L5Mlfrw5QO4ZO%2FgDHG3ATHUk0qk%2BFUT2gsjT8jS6aztZHjZo4xVQLlmmwWY2%2F8%2FKZejJlFptwLfMZEA%2BDW1ZbssKpkNsXZGu69SkdNPO9c", "https://vtbehaviour.commondatastorage.googleapis.com/366e8b8ac409bec588ae02fbd3fb9678f1feb43c5fec92670577bbe2c01c2b2e_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779339770&Signature=tPgwja3MWoODqbVlxhsock2mBa1WfALhB00A%2FSu4klEizmiV6VxM5y6vH%2FGm%2FFf67mLtz5mR6Mt17RKGQUPK11iYmQax86WhcCuxTpR0mDpo12tG4HAI5ht8qM4xgOQcjspEhBgsXPDvw2Np7e9trD0l8MytxvCqOuA7DVNdiUL2xvLNXAG1yCptFpvqyZo7kokLxp4RwsvDJuOrH8%2FGrNAOjdaHFQ8FWGhgkhyO6Q767Szi", "https://vtbehaviour.commondatastorage.googleapis.com/366e8b8ac409bec588ae02fbd3fb9678f1feb43c5fec92670577bbe2c01c2b2e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779339792&Signature=O6r4LzVdjNFj7wZVT%2B0a4%2BGemB4yEqip9waMS7NlonESXy80tfqV33UBqEEp8i%2B2qOg6S%2Ba4cSwzi3nXOtjSaUaFAI43DmvSsxq5Y5WsA8cMb4Ul6FhGON6Cr0JT1xoEMtACmSdxG8Vo%2Be4PVcu93v6CBeWMZnFb8exU8ku4GUDY8ZEFW%2FJqeu266wn59KD9gFKRwlqx3NuRzMLdwqMA7f9o6QLPcM8WWnB%2BkvJVFk3BnxJAfBn7T2JO", "https://vtbehaviour.commondatastorage.googleapis.com/f839e941d0d2b6d9c5d6fd9b8b9ea9d34629182973bb9cc8af28e1e3ccdbbdd4_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779339838&Signature=GgSFM3a3czj9g63hY67%2B%2FAyC%2FcGgMmTIqhErAonJ7vV9C8snHKwK0GtHZ6drm%2Fd%2BKaMonYJwSmh1LrRzYF9toBJc5rBwpR%2BPlsrS9EArViMI%2Bd%2Fb8ZZBHgqFsmCiiSWfzz4kIQRPM0RB4osCHqQxKmGW2i1uyWrytYjA4V%2FZREm1%2Bm2EEWx38PebvBFrM9pMznjF6rghFHp8ls6tzuolbXD4WUfR0OSoXjcAaAgihobJ%2FmOd", "https://vtbehaviour.commondatastorage.googleapis.com/e2f820daf9f578d5f3219ae8b3c6391017badf913a68c4aaac4e52c5155c566f_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779339867&Signature=l%2F%2BDGW7ZLqIfVvi1NOyg4%2FCgXPJBdSweWglJKW7iMb5GfnK0pX4yYYVL3OKkqrzAbMUcR2fqLUXHJfnMwSKBhQxjGR8LGF1nh7TeXxVGIQVh8kAyEZBCuXNHsZfzxR0zVbZfKAIEvC9D8S2%2FwBmpI6xztHiC7vmaJ5OhJD%2BoPDojRqXH2bmBpCz1XTZd7JphPNXRIbefZL4mR%2FrRe7o8WO2JHylOy9rIodNKKPEv5W9Q54%2BaA%2FG926", "https://vtbehaviour.commondatastorage.googleapis.com/44ea6ddc04caa89b23fb4acec5625975088c6079d823abfd8c77c95d4edc321b_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779339948&Signature=JA8BamPMfn7P8xM9CTv8ndNuaNtng0n%2Btofwj05768pJwsCB6Mgd6GU18%2BpNjCvwwZg%2F%2Bw0a2xOYIsvuqdDQAFzoO3jl3EUYKu7dPoOelD2NPrIcyCAHc8qKhqpPdjZKpo%2B8AJCxvO13OXHoSh94%2B%2Bht9h6mIJs8y7YO2CUo%2FqlV8M0fa5Px90aErgl%2BarD7%2ByQWlt0QD2caFKl%2BHViTViTx", "https://vtbehaviour.commondatastorage.googleapis.com/44ea6ddc04caa89b23fb4acec5625975088c6079d823abfd8c77c95d4edc321b_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779340034&Signature=tbq82yoC%2BAKXaH%2F2XjmRWiAbt911K91ltP8zHTYrstzi0i1UKrzJxM48ky9ypV%2B%2FvrYdgBnaOfI9MzgZH0C%2FOFJUaVJ3WB87ULkjglD%2F6GeEDDcPtDX%2BY6aw2%2Bb8WaJU2xLc%2F9JbwoTbPP0n83pJv1qe0KLqckLIjEN4iREH1zU%2FldO5TBRicvB%2BxjeAxpPFZnjNZmyFl%2FNHbavuuvRc%2FMNR0DbjnriB2Mub" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 204, "FileHash-SHA1": 88, "FileHash-SHA256": 1993, "IPv4": 19, "domain": 34, "hostname": 60, "URL": 203, "URI": 1 }, "indicator_count": 2602, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "10 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a0e936cb4a9e6db51876ae2", "name": "MAV-en * VirusTotal report for setup-maven-master.zip", "description": "[The full text of the statement on the subject of human rights, as compiled by BBC Radio 4's Panorama, will be published on Wednesday, 27 March.. and will appear on BBC iPlayer]usernotificationsd, \"freeze_skip_reason:\" : \"none\",\n \"pid\" : 851,\n \"cpuTime\" : 0.52999799999999997,\n \"name\" : \"HeuristicInterpreter\",\n country_code\":\"US\",\"agent\":\"parsecd\\/1 (iPhone17,4; iPhone OS 26.3.1 23D8133) parsecd\\/", "modified": "2026-05-21T05:13:12.402000", "created": "2026-05-21T05:09:00.401000", "tags": [ "file type", "ascii", "ascii text", "java source", "json", "unicode text", "utf8 text", "c source", "sgml document", "creates", "persistence", "malicious", "next", "windows sandbox", "calls clear", "png image", "svg scalable", "vector graphics", "rgba", "crlf line", "ms windows", "title", "installer", "template", "pcx ver", "code helper", "helper", "plugin", "renderer", "ip address", "virustotal box", "apples sandbox", "sandbox sha256", "analysis date", "screnshots", "mitre attack", "dropped info", "processes extra", "overview zenbox", "linux verdict", "guest system", "ultimate file", "info file", "zip archive" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/366e8b8ac409bec588ae02fbd3fb9678f1feb43c5fec92670577bbe2c01c2b2e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779339747&Signature=R%2FOTx2wxfF3MkMsUAEbX76dOSFXtiY%2BBtXR6Kl7PxVGTXaylNjmhXaxofJAQ0RP2z7ICeXit4nmXky1HIQZnPX74ZyD16ICTt3%2BAXA6yZSU%2Fw%2Fks9M2Ju1xi3m8IMloiUH7Z9Le5L5Mlfrw5QO4ZO%2FgDHG3ATHUk0qk%2BFUT2gsjT8jS6aztZHjZo4xVQLlmmwWY2%2F8%2FKZejJlFptwLfMZEA%2BDW1ZbssKpkNsXZGu69SkdNPO9c", "https://vtbehaviour.commondatastorage.googleapis.com/366e8b8ac409bec588ae02fbd3fb9678f1feb43c5fec92670577bbe2c01c2b2e_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779339770&Signature=tPgwja3MWoODqbVlxhsock2mBa1WfALhB00A%2FSu4klEizmiV6VxM5y6vH%2FGm%2FFf67mLtz5mR6Mt17RKGQUPK11iYmQax86WhcCuxTpR0mDpo12tG4HAI5ht8qM4xgOQcjspEhBgsXPDvw2Np7e9trD0l8MytxvCqOuA7DVNdiUL2xvLNXAG1yCptFpvqyZo7kokLxp4RwsvDJuOrH8%2FGrNAOjdaHFQ8FWGhgkhyO6Q767Szi", "https://vtbehaviour.commondatastorage.googleapis.com/366e8b8ac409bec588ae02fbd3fb9678f1feb43c5fec92670577bbe2c01c2b2e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779339792&Signature=O6r4LzVdjNFj7wZVT%2B0a4%2BGemB4yEqip9waMS7NlonESXy80tfqV33UBqEEp8i%2B2qOg6S%2Ba4cSwzi3nXOtjSaUaFAI43DmvSsxq5Y5WsA8cMb4Ul6FhGON6Cr0JT1xoEMtACmSdxG8Vo%2Be4PVcu93v6CBeWMZnFb8exU8ku4GUDY8ZEFW%2FJqeu266wn59KD9gFKRwlqx3NuRzMLdwqMA7f9o6QLPcM8WWnB%2BkvJVFk3BnxJAfBn7T2JO", "https://vtbehaviour.commondatastorage.googleapis.com/f839e941d0d2b6d9c5d6fd9b8b9ea9d34629182973bb9cc8af28e1e3ccdbbdd4_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779339838&Signature=GgSFM3a3czj9g63hY67%2B%2FAyC%2FcGgMmTIqhErAonJ7vV9C8snHKwK0GtHZ6drm%2Fd%2BKaMonYJwSmh1LrRzYF9toBJc5rBwpR%2BPlsrS9EArViMI%2Bd%2Fb8ZZBHgqFsmCiiSWfzz4kIQRPM0RB4osCHqQxKmGW2i1uyWrytYjA4V%2FZREm1%2Bm2EEWx38PebvBFrM9pMznjF6rghFHp8ls6tzuolbXD4WUfR0OSoXjcAaAgihobJ%2FmOd", "https://vtbehaviour.commondatastorage.googleapis.com/e2f820daf9f578d5f3219ae8b3c6391017badf913a68c4aaac4e52c5155c566f_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779339867&Signature=l%2F%2BDGW7ZLqIfVvi1NOyg4%2FCgXPJBdSweWglJKW7iMb5GfnK0pX4yYYVL3OKkqrzAbMUcR2fqLUXHJfnMwSKBhQxjGR8LGF1nh7TeXxVGIQVh8kAyEZBCuXNHsZfzxR0zVbZfKAIEvC9D8S2%2FwBmpI6xztHiC7vmaJ5OhJD%2BoPDojRqXH2bmBpCz1XTZd7JphPNXRIbefZL4mR%2FrRe7o8WO2JHylOy9rIodNKKPEv5W9Q54%2BaA%2FG926", "https://vtbehaviour.commondatastorage.googleapis.com/44ea6ddc04caa89b23fb4acec5625975088c6079d823abfd8c77c95d4edc321b_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779339948&Signature=JA8BamPMfn7P8xM9CTv8ndNuaNtng0n%2Btofwj05768pJwsCB6Mgd6GU18%2BpNjCvwwZg%2F%2Bw0a2xOYIsvuqdDQAFzoO3jl3EUYKu7dPoOelD2NPrIcyCAHc8qKhqpPdjZKpo%2B8AJCxvO13OXHoSh94%2B%2Bht9h6mIJs8y7YO2CUo%2FqlV8M0fa5Px90aErgl%2BarD7%2ByQWlt0QD2caFKl%2BHViTViTx", "https://vtbehaviour.commondatastorage.googleapis.com/44ea6ddc04caa89b23fb4acec5625975088c6079d823abfd8c77c95d4edc321b_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779340034&Signature=tbq82yoC%2BAKXaH%2F2XjmRWiAbt911K91ltP8zHTYrstzi0i1UKrzJxM48ky9ypV%2B%2FvrYdgBnaOfI9MzgZH0C%2FOFJUaVJ3WB87ULkjglD%2F6GeEDDcPtDX%2BY6aw2%2Bb8WaJU2xLc%2F9JbwoTbPP0n83pJv1qe0KLqckLIjEN4iREH1zU%2FldO5TBRicvB%2BxjeAxpPFZnjNZmyFl%2FNHbavuuvRc%2FMNR0DbjnriB2Mub" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 204, "FileHash-SHA1": 88, "FileHash-SHA256": 1993, "IPv4": 19, "domain": 34, "hostname": 60, "URL": 203, "URI": 1 }, "indicator_count": 2602, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "10 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "contributing.md", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "contributing.md", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780211056.659924 }