{ "type": "Domain", "indicator": "crbug.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/crbug.com", "alexa": "http://www.alexa.com/siteinfo/crbug.com", "indicator": "crbug.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 2636204000, "indicator": "crbug.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 50, "pulses": [ { "id": "6a13d458f27a51876d7949f5", "name": "NOW BOARDING: DARK-ZERO Sheep Tracker * CAPE Sandbox", "description": "Modern threat intelligence requires moving from passive observation to active intervention. In the context of targeted tracking implants, defending civil rights means engineering systems that protect user autonomy against unauthorized data extraction. Architectural Protections:\n0-Trust Telemetry: Designing operating systems where the user owns the cryptographic root of trust.\nHardware-Enforced Isolation: Utilizing Secure Enclaves to process cryptographic keys outside the reach of a compromised kernel.\nExploit Mitigation: Implementing advanced PAC+ Memory Tagging Extensions (MTE) to stop zero-day memory corruption bugs. The holiday serves as a reminder for SOCs to uphold high ethical standards, ensuring defensive tools are never repurposed for unauthorized surveillance. Respect to all.", "modified": "2026-05-27T17:19:19.635000", "created": "2026-05-25T04:47:20.503000", "tags": [ "win32 exe", "mozilla firefox", "zip adobe", "photoshop cc", "rar adobe", "air sdk", "adobe air", "lassa2", "default", "shell folders", "inprocserver32", "parent pid", "full path", "command line", "cname", "folders", "file size", "mwdb", "accept", "shutdown", "ip address", "virustotal box", "apples sandbox", "sandbox sha256", "analysis date", "file", "operations", "process open", "write delete", "move time", "file type", "json", "ascii", "utf8", "sqlite version", "found", "pe file", "intel", "pe32", "ms windows", "installer", "defense evasion", "window", "title", "template", "next", "united", "performs dns", "grabber honest", "layer protocol", "attack network", "info processes", "extra info", "zenbox macos", "verdict", "guest system", "ascii text", "sigma", "creates", "t1055 process", "info dropped", "malicious", "p2404", "p11718783889", "p4de83ek69hqsh4", "p11718784848", "bazaar", "sha3384", "ssdeep", "checker", "themida", "guard", "property", "adobe device", "property name", "productname", "displayname", "destination", "root", "totalsize", "langpack", "swedish", "win32", "windows sandbox", "calls clear", "sha256", "sha1", "crc32", "size", "flash", "june", "drops pe", "crlf line", "sample", "persistence", "win64", "hook", "instructor", "kids goldadobe", "errstr", "cultureneutral", "license", "error", "code", "service", "vmprotect", "february", "back", "number", "mitre attack", "network info", "processes extra", "fri dec", "database", "initial access", "program", "overview", "overview zenbox", "ultimate file", "info file", "Nullworld", "value", "value lang", "buildinfo", "productinfo", "addremoveinfo", "displayversion", "screnshots", "United", "Swedishvpncarrierenrollment", "calls process", "writes", "png image", "rgba", "guloader", "fraud", "phishing", "install", "pdapp", "urihandler", "us tcp", "product install", "gamma", "updater", "Now boarding", "DarkZero", "Sheep Tracker" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/036d1a174e3ef9a15c8075248958c4f36d8817573ef3f6f12c62850976b32737_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779681399&Signature=o4EIDa%2Bu5q7UzJoKBZ3SHIdTRWKGT7HIZyLxFZSLdRJV2Ng655y2X8OLnU2siFeopgWPI6Gd8nE9F9LFBFgwM%2F0ZN0FWsDls8m78y46TmhjHhykfch6G%2Buw3LPxmfbz999yBfELXQDUCNWIiGUPv%2B23aUdHnc0c5jI4Mvlz2HGA%2BHlIMjc1w1S%2BWm%2FI6ftHJdyIAh0SqMbPXqAy%2BIonExlGkoEmMBCJl3r3pfMcYzy4ai0", "https://vtbehaviour.commondatastorage.googleapis.com/05eff75186e681b14135ce2945d124664260e5a88e0d14f138050d622d82745a_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779681421&Signature=oUYsIo6y2ldihmETch4oPYw5nb4sHZhKRik2zGuv2h9rqu30GcV1xZHlIO9ttFa625EXOlrrILZtAhfM%2FamkTDjXZUTqn2%2BTKmgnxqOOfJU6KrJHPLE9Do7l7MEaPxX4cs8z8tWd0%2FY8sBv8sjGAIdWrT5OPv202LNN%2FiVe6mEIUMkmNr%2BG1S3Pgs6LRTjo%2BgqhEcNXT0MFUgs3I2e4AQ0TQ4FOs%2BVRY", "https://vtbehaviour.commondatastorage.googleapis.com/036d1a174e3ef9a15c8075248958c4f36d8817573ef3f6f12c62850976b32737_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779681469&Signature=VGjB%2F%2BCQwDtsenSFWX7YNKbe9s%2Fgcpg%2FotVlxRZ6FXuE9VXITP76QQq6L2vlSM7pfQHSnBv%2BUdwMtN3QhCxjF7Zv2PV%2FkWLnwwA3hJciWMAKiLSeKTanNshzLWnmBjN04FASFwNf6kAq4PcunHkHh2PSOGl03eem41DHA6YOIRAjI1C6hAdDvKoAqJJXuGKM%2F5Z5vzfeTaXNgCRutOhVDB4%2FcAcV9zZaRcX9Ii0IFRAZo%2Bzk7rvI", "https://vtbehaviour.commondatastorage.googleapis.com/05eff75186e681b14135ce2945d124664260e5a88e0d14f138050d622d82745a_Zenbox%20macOS.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779681490&Signature=bIUDLY2jLaPa0t0OyOiuRlKjk8VM9IFdVTwzJhuTKfuV%2BhwtwcYghSy4186P0qsGEebShI2xNNVBPSd3uQdeXMuYRDJWcyo18c12pLwgcLgaBot06%2Bfys%2BlGp%2FV%2FSCDBvdo3iLaAOesoSo8vbCLNsWAzGM5sztLl%2Beyq9%2F1oSuAvU692EiARhcufOCMFqXCn6MNuSp18gSQwkFRBadsMvHSjfHW645FvLUfiP5Egu1WuMVP2", "https://vtbehaviour.commondatastorage.googleapis.com/05eff75186e681b14135ce2945d124664260e5a88e0d14f138050d622d82745a_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779681535&Signature=K%2BM%2FPuLQI5kqDYLWjQMD%2BgPbchxwp2sWPPUtfDZYFn5H9w%2BqFPRxh7iZqH4FOPAnwlC0%2BN5TKTqrEuhABL3gWMqHySyweiNPNkJ1MlX29xZdE482pqQSn8rzkPs7CZD63ts4ZRPrK%2Bl06RV13mZf4TUzAD9Sx0m6%2FWhetQETuu6StpVmyzhie%2Fn%2FUdsdFN0SW%2BtLpQE74IVNfszCgKVhF9oNeBiifytanSbIG0SnLff9sXffjS", "https://vtbehaviour.commondatastorage.googleapis.com/087975d5f3c874a6fe9cbfe9d7ee77fb0af138e3c36a6f75e3d000699afc571d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779681569&Signature=C286Cg30s1QDg1lkY0jtTLfia8Fs4B%2FdqNMfidFUYXpd2si4N25G7RBqy8LODkWqBQca8rpYyZ7FIYHuRDc0wBLk%2B1rPiEXJckZIdmkyhDkFJ2jrxfNV135BZTTeF6DkLrRfWPgnxciVK%2FJrkueYnjlYhYW08OZkTu9plzgmfR2IocW5ENVaqHbcPAdm2QDCC6VVrNQp%2FP%2FjV6%2Fkm37tinRyXhg1vKSf0TVFMzL1jpYkiS5PIc", "https://vtbehaviour.commondatastorage.googleapis.com/07f5960476ab34754f3e04143caf2d4899cb09e6b271bfd27ef1f1c8977ca050_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779681591&Signature=uoP10og17YxXUe0yZ8kll3N15RJJ%2Bf5pJFzW0MUe4fdvXaLlcOfCxs%2B6EyW23FSqTj%2FbNedtUC6z7Y0dgMPBtJC%2F9gOhXEZj5%2BKKwnQbCBe7GuFtEsVMMkQRdiDQxJYZipAId1MwoBChhx%2BSr%2FrboVkDq%2F%2FbNLvWS6keRMn4fa8GX%2BF0lIJepJ98sjwXs48DXBch8974olbyd38VGGp1bLMl7mycstrQ2hIy2MFXWD", "https://vtbehaviour.commondatastorage.googleapis.com/0da371854ec2c04bbee9680dbdabb67a4e4a84add40e5e1877425790f2dfef02_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682005&Signature=SyLSFT5xdlAZ5lwNyaeDpqsMTuwGywWruel4fBOIdsyiZ%2FvtOZYr7f%2B%2BIuBmqFMAwMI4L7kB6jRtv8mVn8lmU5MUJBAG6GJdVsEp2SoexU5Yl2kTksey03ZsjBloxlJqDzf8PULDlwjfD1Ydv%2B5QFPoY3%2Fk8TKMlmmpTIw7%2FYcR24%2FHYHw78XVF2cV%2Bnb3GoDaHw%2FnpxLrDwgfZP9dWvP8V264o5l2dDfxQtF0", "https://vtbehaviour.commondatastorage.googleapis.com/17c1908439bc7132f6a7c496c68d39b0c0cee504fe9020c920a2d1d04685fb5b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682086&Signature=yzXoWEcsMl9wlTGgMQfBKEZWwnDzmua%2FR2suwDMBSqPLhunpHELcj0SzY3czM%2F9HQG9QuvYzhQRVUxR1iDaFz1BQ4YHkXJih3zm%2BcNlDcfXsOZzyYzWUhaPsbSti%2FWbFoL4E14bnS7tIuG9s9R96LkGyGpWIsT%2BPeCNhsCzD7vFRU0cPMr6vNblu%2BBiO3Ki99QSrkF4hzBxkQ7DFgba3qi7kOfal%2F2K8hC1ikcZntmn5IESW", "https://vtbehaviour.commondatastorage.googleapis.com/17c1908439bc7132f6a7c496c68d39b0c0cee504fe9020c920a2d1d04685fb5b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682105&Signature=DkIw2nRg0%2BHKmd2TpyMzcgrB%2F4s6sIVIpOEEVMqz3Csoj6PPmSGNer%2Bt5X5oYKPZQgJETAHcCRs0mh3Lfa85XEPdYk6PjMimJmKQdBstqdULgs6q7wyZEjHDhQn41ri7eQ16g7pAo9ojfhLUNp4uW2xuYvdBwYhYBsZP3EO1BKz2f3dYxSg%2Bgsn2AnC2%2BDRTIX0Xxd%2Bt44%2BkXfiY32mvDHDNDCcuT5ZDFNrHwDp3HKuuJYy7lRHm8AlK", "https://vtbehaviour.commondatastorage.googleapis.com/1f1db73659fa2fe7a944d20bb4e9a867513a50ee9b51be89dfec30c73f6ed622_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682177&Signature=yjgeq7TPzf6M6Pn8mPFgBmhHQbfgGlaadZNsSsDUKq0Da4%2Bb25WhNl6nDIyUDmRBtABod6Itj2EUlbe%2B4U0QYLuJR00aQqsO%2F9pXU4AWeIFUEZhCrwgZ5WuNPpYbdVbOYcVX6oyDXpSjv1QEGmJ1NVVr%2F1esshl3tugyHxp6LFYa9%2BQeoiqsBikKLglNB52vsap%2BkwVPKyXg%2FjduMqTQd%2FhNMM41261XiBOTtUqjpzIm67", "https://vtbehaviour.commondatastorage.googleapis.com/492dc39e7752dccfd15f588054991277e6548b794b28a03f42b9cee132eebd2e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682206&Signature=iCbR7BcpXhfqHIoxTRE%2BvhCqRoHYALCXll0hXveh8IQOJPjxw%2BlLNas6nIvp035t6sdMg9KdOY751XfThil%2FE2mLrvir%2FwKjheK2382r5bhEQFEsa6etlla3TDjlvttEFZDUN7SSLpGao8u7uVNwrPRb0BuwYDemKKVJK6DACPbUZEHk3DZ%2Bi8SxXIdELiXG%2Bozy7oC8Dcj0HqHGYuliXpjT1mV7OsCjFXvmjZPcFH06EzZS5L", "https://vtbehaviour.commondatastorage.googleapis.com/17c1908439bc7132f6a7c496c68d39b0c0cee504fe9020c920a2d1d04685fb5b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682251&Signature=z6Lrdrr5u6YZdzJaR%2B2Qab%2F%2FVA6%2FL6JaNA4%2BVxLe9wEjL%2B2ARzGBhQdq6RTX5ez3SDTWWmc%2BrOypKxxCsLeXUbjYRoIgcsSzYIxWQWoEl35tFARLVKf%2FVf%2B696U6PYQ%2F1BNWxSfuNOeUVNK2pIiMYCUjLnikvUyj9Ip3MrgKOaV9v9SShCLay93Y7b3GbAUZ2Jzy18PEYf%2FLuk4fDrqITmP2upsysOJq1MhZcJ%2", "https://vtbehaviour.commondatastorage.googleapis.com/105f31af20fdb87d442f81aad0c3a54030b7e214c4796cf2a069bae6aa89dc65_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682395&Signature=oVg82i1yTG%2BGfhoL5FyBdK%2BZKa6wi2iWMpwHyA77jBFtAOZxw%2Bs6z6So26GWDthH7UMEzwZwQC6ENF1TLBEqXukldXMdMg%2FvNylvy7vCdDKDsw53Ibc7vKnu5T0lNumnv%2FD5vnV14QZrzAE8PG3J0S0rtheY8mNCkM6t1w52XYYm5mfnGJXsnjyMEvgURuPhzOIq9%2B%2FG7XUWFK0vK%2BlzKmZU627%2FKYkT9EWHOI8Nyx%2FJUqad%2", "https://vtbehaviour.commondatastorage.googleapis.com/002150c786ae1e04ab2981bf5593d926987b60b9ac699f431ed4568084dd854b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682457&Signature=eWipoH1g7AQ8zq2pd%2BpyAKrKscAY%2FebCATbHE%2FMwdvIfIy%2F4i3OFy%2FKlfaNCXDLDU0OM6JaEF73FAqGhLEb8ZcxTuEfMeU%2F6WxjpgS2SqLZ0xOjAPgPWOOor3uCcdIEZRCcpJe%2BAzPY8jEZJ0aIf49RU85lkIx9yCiXcFnee1pNHHBFwpsBK4FNuTB%2FyDe61M5Htw4fjlf43GTnXFxj0%2Fjc%2Fe32Q7EpVkuSc0I%2F3zTrY0UkC", "https://vtbehaviour.commondatastorage.googleapis.com/492dc39e7752dccfd15f588054991277e6548b794b28a03f42b9cee132eebd2e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682486&Signature=ucigAmI%2BTWYWnZuZjQb7cvSnhC1f6r93NM1kh5fCHjjcUodx6ltePV2QSdyXCnhrdH8ODLugh37CFZxsAmtiMMefuyuh6T8mtuxe7znGqLiJre5YFfSQLkzmz0Ksqekcg0sp1bUaKykXguy%2BKwv6Tg12CIM7xzaDB%2BGcjw6KkBLiD0A1sB6Z9gk9np%2FNtUBHdW7E0eBfvTWOK8F99R1lQdmQab2Vha55GLH6JRBksZ7AbBEdVS8DMtkaZCS9sV", "https://vtbehaviour.commondatastorage.googleapis.com/049c8db974d1830f931d605f6918184d8928c46c74f4152dfde3dc7bdffbf5d5_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682585&Signature=z2IzO8oruo5%2BmP%2BuhsnAbNLmy7QRAemblZDUm1KEgUCliIqrtWVkruuMg2tcIokmH12yIvRumIVlk5OcGjVxI%2Bb%2B3Va9LgSnD%2Bwjbe5pAs%2BDuUGTY52XSe7V9xdcRN38UeNFYy2jTLa2KYspIZ0NzHMsL0BzU5pqOWw0bAShHYc9sNx0S7a%2BSD7PiY%2BDR%2Br%2BQll9wUT%2B4EjhHrYYmmdRCa6vbIyTLcHmdw4JzmHHsLy%2Bjf", "https://vtbehaviour.commondatastorage.googleapis.com/27086c4185aa32bbc6674267b947e3f6610554188ac694ce2dbc1191a9525339_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779683188&Signature=o0pfi%2Bqzc6KRiLra5kzATI2ROhjWVPHqZ7tOokv%2B9i4HwxX3m%2BpcqtYKMIFJMVk1qNFDyYwnCDfkeiva50iZyrha2F3bacitBdmnSwCEQE5xMG73RGPjQAvPps3tKMm1MDH8Rzpy65y9bdKpTSCL9%2Bt2xAk4%2BXx13XPz2GlU%2BG8Q%2FSPkCW96%2BX6c5xzWpIH%2FlXn7%2Bgl2G9QMGbrbnwD%2FfR58%2FrXIeIEJ%2F9%2BNt2W3Fr", "https://vtbehaviour.commondatastorage.googleapis.com/2c7002510767deb9bbb0d2ee2d47be98828bf5b6e999d6cd882b1c1a1c908510_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779683299&Signature=RMRBhdx9cTLEwBYgOaiBV4x03W8laZvNMUtTq68ykLCh0R5toTaD64MdSiBhgsNAZLaS8z9dPsGmVcfMC8U5sPrXXLzAt9CBPoJjT2jV40HyYrW58xs3wjf65936U00bQy9DGFrlU7xInrhEocKiXuD17i5A%2F7tdPgx74I6xY906Ua8hyOe3f5zVmaxE6zpNAonyZtoHtHmnuDLG71DTPwYyiKcGPff7glIXoNalw4ST3jQr3Ma%2Fv1Q3De", "https://vtbehaviour.commondatastorage.googleapis.com/2c98a3b3752939b7c2db76682607e3918dee0edd81998279cb4528cc6c67f715_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779683469&Signature=oE7hEU%2FccffwWPye7wmTWT154zCmhX2wBLLWErX6yptBjSn9YXSMLMohlpsjw%2BxO5VxqobuYkMh302JzsMTg4fXVD76S9F6aOL1vRPwZx8fTGOeMoKRTMO7B0xwvo2HQCra8ds7NMqXBpbNxN%2Bi7Ez6ZOyX%2FQUyixg1Ya1G7%2FkF8sEaT8z%2B4QHLhghEUdy4%2FMYbGVFzAKhSDW9Yg%2BcPfxQLt%2BViZ", "https://vtbehaviour.commondatastorage.googleapis.com/5f87d5cb5921df99f335e1a8f044db15187f88aea04ecc073b310a4b9649a5e1_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779683851&Signature=oDNiEuOved3Q5at8LARyePhpQE3%2FjmEYRIWg4Vzp0yzifSrnwMGaujbhYJWqc8BadzAh1AhmrfOaNLGJfe8IO2Izje4ofsfex0DAAfgHm5l1vDeQWFDfgypa9%2F8sHOOgBiUlbdSDYrVdZ2Z9f8MGr8OaswhQwykG5mL3UcUwRD4heOIda%2FFZGhfCLn%2B7ksTMcuD2%2BjT%2F7IuP8kYOTQ0ZqwnDZGNQwopAFpNNouIAx0LKAjPDIO", "https://vtbehaviour.commondatastorage.googleapis.com/5f9b9db4e9200b4576d6e8bc2888d6e7ab28a04e66083366bcde57915eed5078_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779683897&Signature=A1uHov9N8mIMBn6lVPETST7i%2F%2F3lKCkTSifHpWYQ8lqnGw3%2FwBD1QhGr1tH%2BYzg4xJYZR1vHPxcGC2biWNZtPF89Sx8FKf%2F18O4PHYJb1n7YfdP24JbV%2BkekQpomFKe66pKsf0gWQQx1zTJDWvam9HuvVTyCV9h22TLG%2FmBDvK4SftnNssRv0EkzKP9dNqTfjJdMh0Y0rIEyQdNLLo%2BLsWQbrx2yxJo6kZD%2FJC", "https://vtbehaviour.commondatastorage.googleapis.com/727dc58bb6aaf24fd82f54a11560f26e38ee0ca6bb823ea70bad33fd7c9378ef_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779683965&Signature=tYhGClprbVOZuxQF%2F%2BLWEx6LfO%2Fz4pigFaLvSPYRY%2Fqg92dL8%2BWlaAyT%2FJueBiXJFPkqBYoXk0DmZNj2UfqQiv4Jy9bhRG562tGCoadI7qFVHMBOyAmGj0uMVS%2FoyY00p8UkiUah%2BiG2lZaGt6eVnE1yrGqEIpnAnUxdyxti%2BDm0vFgP5Ust7yR%2F1SAtswsFyfntj2GSgBc5z1NbueSA2uSfZsxWtxmYAm9dk%2FrUPQ47Nb5Q", "https://vtbehaviour.commondatastorage.googleapis.com/7111bb197f77eecf518b22f7a6f269647abc17eda4aaed9ba50212462b9848ed_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779684045&Signature=g5SPZe7A95%2FqyMCV3ihh6MGTnXRMjhKIGP6dBCJ3OB%2FCOBrSRTz%2BpnCcdIwsJk%2Fc74E6s1DRbKJn3SszGoP7h%2FNJwXl3BIBK6KeI0zYJeOibOT%2BeU9CnCcwY%2F3bx99X3LvHRwg0Fkdg%2BJoRI620jziRVAW%2FiC1wpzeMqmJNUOHn4NsTYiMD7H8cuBnRzAZQvK2lRO5asaddU11mHkkQ963f3YOOv", "https://vtbehaviour.commondatastorage.googleapis.com/8b10c7238761ba1c98b713c673c452437c4a56794ff0e3d657cff148056c9cf1_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779684153&Signature=MfmLhMZdg4gtuEoE1eB%2FroqyUo2QXTJ8L6oAmpYIvTmU8BmwS6hwF0opRe4GV3ox8yxCzd2O9fsm4T7dwrkSk8fJBlqrPHibaMNPNs4QpeMOraU4O6Au5EDLlJTtDwp43nz%2FK5tqLXzJpfqCvDEnQOghFLah5YCBj8qdFtGrKfHbvyMGL70BlhpaZsmAn3Jgu6zNXCQGqz3c%2BkATkQ3XNm%2F8FiNTOFzO5TUxHqPE3NUMFglmxAJhEo" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 2266, "IPv4": 326, "domain": 179, "hostname": 381, "FileHash-MD5": 811, "FileHash-SHA1": 835, "URL": 815, "email": 2 }, "indicator_count": 5615, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "3 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a13d450d1c0f6a31e71cef1", "name": "NOW BOARDING: DARK-ZERO Sheep Tracker * CAPE Sandbox", "description": "Modern threat intelligence requires moving from passive observation to active intervention. In the context of targeted tracking implants, defending civil rights means engineering systems that protect user autonomy against unauthorized data extraction. Architectural Protections:\n0-Trust Telemetry: Designing operating systems where the user owns the cryptographic root of trust.\nHardware-Enforced Isolation: Utilizing Secure Enclaves to process cryptographic keys outside the reach of a compromised kernel.\nExploit Mitigation: Implementing advanced PAC+ Memory Tagging Extensions (MTE) to stop zero-day memory corruption bugs. The holiday serves as a reminder for SOCs to uphold high ethical standards, ensuring defensive tools are never repurposed for unauthorized surveillance. Respect to all.", "modified": "2026-05-27T16:31:09.918000", "created": "2026-05-25T04:47:12.640000", "tags": [ "win32 exe", "mozilla firefox", "zip adobe", "photoshop cc", "rar adobe", "air sdk", "adobe air", "lassa2", "default", "shell folders", "inprocserver32", "parent pid", "full path", "command line", "cname", "folders", "file size", "mwdb", "accept", "shutdown", "ip address", "virustotal box", "apples sandbox", "sandbox sha256", "analysis date", "file", "operations", "process open", "write delete", "move time", "file type", "json", "ascii", "utf8", "sqlite version", "found", "pe file", "intel", "pe32", "ms windows", "installer", "defense evasion", "window", "title", "template", "next", "united", "performs dns", "grabber honest", "layer protocol", "attack network", "info processes", "extra info", "zenbox macos", "verdict", "guest system", "ascii text", "sigma", "creates", "t1055 process", "info dropped", "malicious", "p2404", "p11718783889", "p4de83ek69hqsh4", "p11718784848", "bazaar", "sha3384", "ssdeep", "checker", "themida", "guard", "property", "adobe device", "property name", "productname", "displayname", "destination", "root", "totalsize", "langpack", "swedish", "win32", "windows sandbox", "calls clear", "sha256", "sha1", "crc32", "size", "flash", "june", "drops pe", "crlf line", "sample", "persistence", "win64", "hook", "instructor", "kids goldadobe", "errstr", "cultureneutral", "license", "error", "code", "service", "vmprotect", "february", "back", "number", "mitre attack", "network info", "processes extra", "fri dec", "database", "initial access", "program", "overview", "overview zenbox", "ultimate file", "info file", "Nullworld", "value", "value lang", "buildinfo", "productinfo", "addremoveinfo", "displayversion", "screnshots", "United", "Swedishvpncarrierenrollment", "calls process", "writes", "png image", "rgba", "guloader", "fraud", "phishing", "install", "pdapp", "urihandler", "us tcp", "product install", "gamma", "updater", "Now boarding", "DarkZero", "Sheep Tracker" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/036d1a174e3ef9a15c8075248958c4f36d8817573ef3f6f12c62850976b32737_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779681399&Signature=o4EIDa%2Bu5q7UzJoKBZ3SHIdTRWKGT7HIZyLxFZSLdRJV2Ng655y2X8OLnU2siFeopgWPI6Gd8nE9F9LFBFgwM%2F0ZN0FWsDls8m78y46TmhjHhykfch6G%2Buw3LPxmfbz999yBfELXQDUCNWIiGUPv%2B23aUdHnc0c5jI4Mvlz2HGA%2BHlIMjc1w1S%2BWm%2FI6ftHJdyIAh0SqMbPXqAy%2BIonExlGkoEmMBCJl3r3pfMcYzy4ai0", "https://vtbehaviour.commondatastorage.googleapis.com/05eff75186e681b14135ce2945d124664260e5a88e0d14f138050d622d82745a_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779681421&Signature=oUYsIo6y2ldihmETch4oPYw5nb4sHZhKRik2zGuv2h9rqu30GcV1xZHlIO9ttFa625EXOlrrILZtAhfM%2FamkTDjXZUTqn2%2BTKmgnxqOOfJU6KrJHPLE9Do7l7MEaPxX4cs8z8tWd0%2FY8sBv8sjGAIdWrT5OPv202LNN%2FiVe6mEIUMkmNr%2BG1S3Pgs6LRTjo%2BgqhEcNXT0MFUgs3I2e4AQ0TQ4FOs%2BVRY", "https://vtbehaviour.commondatastorage.googleapis.com/036d1a174e3ef9a15c8075248958c4f36d8817573ef3f6f12c62850976b32737_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779681469&Signature=VGjB%2F%2BCQwDtsenSFWX7YNKbe9s%2Fgcpg%2FotVlxRZ6FXuE9VXITP76QQq6L2vlSM7pfQHSnBv%2BUdwMtN3QhCxjF7Zv2PV%2FkWLnwwA3hJciWMAKiLSeKTanNshzLWnmBjN04FASFwNf6kAq4PcunHkHh2PSOGl03eem41DHA6YOIRAjI1C6hAdDvKoAqJJXuGKM%2F5Z5vzfeTaXNgCRutOhVDB4%2FcAcV9zZaRcX9Ii0IFRAZo%2Bzk7rvI", "https://vtbehaviour.commondatastorage.googleapis.com/05eff75186e681b14135ce2945d124664260e5a88e0d14f138050d622d82745a_Zenbox%20macOS.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779681490&Signature=bIUDLY2jLaPa0t0OyOiuRlKjk8VM9IFdVTwzJhuTKfuV%2BhwtwcYghSy4186P0qsGEebShI2xNNVBPSd3uQdeXMuYRDJWcyo18c12pLwgcLgaBot06%2Bfys%2BlGp%2FV%2FSCDBvdo3iLaAOesoSo8vbCLNsWAzGM5sztLl%2Beyq9%2F1oSuAvU692EiARhcufOCMFqXCn6MNuSp18gSQwkFRBadsMvHSjfHW645FvLUfiP5Egu1WuMVP2", "https://vtbehaviour.commondatastorage.googleapis.com/05eff75186e681b14135ce2945d124664260e5a88e0d14f138050d622d82745a_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779681535&Signature=K%2BM%2FPuLQI5kqDYLWjQMD%2BgPbchxwp2sWPPUtfDZYFn5H9w%2BqFPRxh7iZqH4FOPAnwlC0%2BN5TKTqrEuhABL3gWMqHySyweiNPNkJ1MlX29xZdE482pqQSn8rzkPs7CZD63ts4ZRPrK%2Bl06RV13mZf4TUzAD9Sx0m6%2FWhetQETuu6StpVmyzhie%2Fn%2FUdsdFN0SW%2BtLpQE74IVNfszCgKVhF9oNeBiifytanSbIG0SnLff9sXffjS", "https://vtbehaviour.commondatastorage.googleapis.com/087975d5f3c874a6fe9cbfe9d7ee77fb0af138e3c36a6f75e3d000699afc571d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779681569&Signature=C286Cg30s1QDg1lkY0jtTLfia8Fs4B%2FdqNMfidFUYXpd2si4N25G7RBqy8LODkWqBQca8rpYyZ7FIYHuRDc0wBLk%2B1rPiEXJckZIdmkyhDkFJ2jrxfNV135BZTTeF6DkLrRfWPgnxciVK%2FJrkueYnjlYhYW08OZkTu9plzgmfR2IocW5ENVaqHbcPAdm2QDCC6VVrNQp%2FP%2FjV6%2Fkm37tinRyXhg1vKSf0TVFMzL1jpYkiS5PIc", "https://vtbehaviour.commondatastorage.googleapis.com/07f5960476ab34754f3e04143caf2d4899cb09e6b271bfd27ef1f1c8977ca050_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779681591&Signature=uoP10og17YxXUe0yZ8kll3N15RJJ%2Bf5pJFzW0MUe4fdvXaLlcOfCxs%2B6EyW23FSqTj%2FbNedtUC6z7Y0dgMPBtJC%2F9gOhXEZj5%2BKKwnQbCBe7GuFtEsVMMkQRdiDQxJYZipAId1MwoBChhx%2BSr%2FrboVkDq%2F%2FbNLvWS6keRMn4fa8GX%2BF0lIJepJ98sjwXs48DXBch8974olbyd38VGGp1bLMl7mycstrQ2hIy2MFXWD", "https://vtbehaviour.commondatastorage.googleapis.com/0da371854ec2c04bbee9680dbdabb67a4e4a84add40e5e1877425790f2dfef02_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682005&Signature=SyLSFT5xdlAZ5lwNyaeDpqsMTuwGywWruel4fBOIdsyiZ%2FvtOZYr7f%2B%2BIuBmqFMAwMI4L7kB6jRtv8mVn8lmU5MUJBAG6GJdVsEp2SoexU5Yl2kTksey03ZsjBloxlJqDzf8PULDlwjfD1Ydv%2B5QFPoY3%2Fk8TKMlmmpTIw7%2FYcR24%2FHYHw78XVF2cV%2Bnb3GoDaHw%2FnpxLrDwgfZP9dWvP8V264o5l2dDfxQtF0", "https://vtbehaviour.commondatastorage.googleapis.com/17c1908439bc7132f6a7c496c68d39b0c0cee504fe9020c920a2d1d04685fb5b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682086&Signature=yzXoWEcsMl9wlTGgMQfBKEZWwnDzmua%2FR2suwDMBSqPLhunpHELcj0SzY3czM%2F9HQG9QuvYzhQRVUxR1iDaFz1BQ4YHkXJih3zm%2BcNlDcfXsOZzyYzWUhaPsbSti%2FWbFoL4E14bnS7tIuG9s9R96LkGyGpWIsT%2BPeCNhsCzD7vFRU0cPMr6vNblu%2BBiO3Ki99QSrkF4hzBxkQ7DFgba3qi7kOfal%2F2K8hC1ikcZntmn5IESW", "https://vtbehaviour.commondatastorage.googleapis.com/17c1908439bc7132f6a7c496c68d39b0c0cee504fe9020c920a2d1d04685fb5b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682105&Signature=DkIw2nRg0%2BHKmd2TpyMzcgrB%2F4s6sIVIpOEEVMqz3Csoj6PPmSGNer%2Bt5X5oYKPZQgJETAHcCRs0mh3Lfa85XEPdYk6PjMimJmKQdBstqdULgs6q7wyZEjHDhQn41ri7eQ16g7pAo9ojfhLUNp4uW2xuYvdBwYhYBsZP3EO1BKz2f3dYxSg%2Bgsn2AnC2%2BDRTIX0Xxd%2Bt44%2BkXfiY32mvDHDNDCcuT5ZDFNrHwDp3HKuuJYy7lRHm8AlK", "https://vtbehaviour.commondatastorage.googleapis.com/1f1db73659fa2fe7a944d20bb4e9a867513a50ee9b51be89dfec30c73f6ed622_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682177&Signature=yjgeq7TPzf6M6Pn8mPFgBmhHQbfgGlaadZNsSsDUKq0Da4%2Bb25WhNl6nDIyUDmRBtABod6Itj2EUlbe%2B4U0QYLuJR00aQqsO%2F9pXU4AWeIFUEZhCrwgZ5WuNPpYbdVbOYcVX6oyDXpSjv1QEGmJ1NVVr%2F1esshl3tugyHxp6LFYa9%2BQeoiqsBikKLglNB52vsap%2BkwVPKyXg%2FjduMqTQd%2FhNMM41261XiBOTtUqjpzIm67", "https://vtbehaviour.commondatastorage.googleapis.com/492dc39e7752dccfd15f588054991277e6548b794b28a03f42b9cee132eebd2e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682206&Signature=iCbR7BcpXhfqHIoxTRE%2BvhCqRoHYALCXll0hXveh8IQOJPjxw%2BlLNas6nIvp035t6sdMg9KdOY751XfThil%2FE2mLrvir%2FwKjheK2382r5bhEQFEsa6etlla3TDjlvttEFZDUN7SSLpGao8u7uVNwrPRb0BuwYDemKKVJK6DACPbUZEHk3DZ%2Bi8SxXIdELiXG%2Bozy7oC8Dcj0HqHGYuliXpjT1mV7OsCjFXvmjZPcFH06EzZS5L", "https://vtbehaviour.commondatastorage.googleapis.com/17c1908439bc7132f6a7c496c68d39b0c0cee504fe9020c920a2d1d04685fb5b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682251&Signature=z6Lrdrr5u6YZdzJaR%2B2Qab%2F%2FVA6%2FL6JaNA4%2BVxLe9wEjL%2B2ARzGBhQdq6RTX5ez3SDTWWmc%2BrOypKxxCsLeXUbjYRoIgcsSzYIxWQWoEl35tFARLVKf%2FVf%2B696U6PYQ%2F1BNWxSfuNOeUVNK2pIiMYCUjLnikvUyj9Ip3MrgKOaV9v9SShCLay93Y7b3GbAUZ2Jzy18PEYf%2FLuk4fDrqITmP2upsysOJq1MhZcJ%2", "https://vtbehaviour.commondatastorage.googleapis.com/105f31af20fdb87d442f81aad0c3a54030b7e214c4796cf2a069bae6aa89dc65_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682395&Signature=oVg82i1yTG%2BGfhoL5FyBdK%2BZKa6wi2iWMpwHyA77jBFtAOZxw%2Bs6z6So26GWDthH7UMEzwZwQC6ENF1TLBEqXukldXMdMg%2FvNylvy7vCdDKDsw53Ibc7vKnu5T0lNumnv%2FD5vnV14QZrzAE8PG3J0S0rtheY8mNCkM6t1w52XYYm5mfnGJXsnjyMEvgURuPhzOIq9%2B%2FG7XUWFK0vK%2BlzKmZU627%2FKYkT9EWHOI8Nyx%2FJUqad%2", "https://vtbehaviour.commondatastorage.googleapis.com/002150c786ae1e04ab2981bf5593d926987b60b9ac699f431ed4568084dd854b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682457&Signature=eWipoH1g7AQ8zq2pd%2BpyAKrKscAY%2FebCATbHE%2FMwdvIfIy%2F4i3OFy%2FKlfaNCXDLDU0OM6JaEF73FAqGhLEb8ZcxTuEfMeU%2F6WxjpgS2SqLZ0xOjAPgPWOOor3uCcdIEZRCcpJe%2BAzPY8jEZJ0aIf49RU85lkIx9yCiXcFnee1pNHHBFwpsBK4FNuTB%2FyDe61M5Htw4fjlf43GTnXFxj0%2Fjc%2Fe32Q7EpVkuSc0I%2F3zTrY0UkC", "https://vtbehaviour.commondatastorage.googleapis.com/492dc39e7752dccfd15f588054991277e6548b794b28a03f42b9cee132eebd2e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682486&Signature=ucigAmI%2BTWYWnZuZjQb7cvSnhC1f6r93NM1kh5fCHjjcUodx6ltePV2QSdyXCnhrdH8ODLugh37CFZxsAmtiMMefuyuh6T8mtuxe7znGqLiJre5YFfSQLkzmz0Ksqekcg0sp1bUaKykXguy%2BKwv6Tg12CIM7xzaDB%2BGcjw6KkBLiD0A1sB6Z9gk9np%2FNtUBHdW7E0eBfvTWOK8F99R1lQdmQab2Vha55GLH6JRBksZ7AbBEdVS8DMtkaZCS9sV", "https://vtbehaviour.commondatastorage.googleapis.com/049c8db974d1830f931d605f6918184d8928c46c74f4152dfde3dc7bdffbf5d5_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682585&Signature=z2IzO8oruo5%2BmP%2BuhsnAbNLmy7QRAemblZDUm1KEgUCliIqrtWVkruuMg2tcIokmH12yIvRumIVlk5OcGjVxI%2Bb%2B3Va9LgSnD%2Bwjbe5pAs%2BDuUGTY52XSe7V9xdcRN38UeNFYy2jTLa2KYspIZ0NzHMsL0BzU5pqOWw0bAShHYc9sNx0S7a%2BSD7PiY%2BDR%2Br%2BQll9wUT%2B4EjhHrYYmmdRCa6vbIyTLcHmdw4JzmHHsLy%2Bjf", "https://vtbehaviour.commondatastorage.googleapis.com/27086c4185aa32bbc6674267b947e3f6610554188ac694ce2dbc1191a9525339_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779683188&Signature=o0pfi%2Bqzc6KRiLra5kzATI2ROhjWVPHqZ7tOokv%2B9i4HwxX3m%2BpcqtYKMIFJMVk1qNFDyYwnCDfkeiva50iZyrha2F3bacitBdmnSwCEQE5xMG73RGPjQAvPps3tKMm1MDH8Rzpy65y9bdKpTSCL9%2Bt2xAk4%2BXx13XPz2GlU%2BG8Q%2FSPkCW96%2BX6c5xzWpIH%2FlXn7%2Bgl2G9QMGbrbnwD%2FfR58%2FrXIeIEJ%2F9%2BNt2W3Fr", "https://vtbehaviour.commondatastorage.googleapis.com/2c7002510767deb9bbb0d2ee2d47be98828bf5b6e999d6cd882b1c1a1c908510_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779683299&Signature=RMRBhdx9cTLEwBYgOaiBV4x03W8laZvNMUtTq68ykLCh0R5toTaD64MdSiBhgsNAZLaS8z9dPsGmVcfMC8U5sPrXXLzAt9CBPoJjT2jV40HyYrW58xs3wjf65936U00bQy9DGFrlU7xInrhEocKiXuD17i5A%2F7tdPgx74I6xY906Ua8hyOe3f5zVmaxE6zpNAonyZtoHtHmnuDLG71DTPwYyiKcGPff7glIXoNalw4ST3jQr3Ma%2Fv1Q3De", "https://vtbehaviour.commondatastorage.googleapis.com/2c98a3b3752939b7c2db76682607e3918dee0edd81998279cb4528cc6c67f715_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779683469&Signature=oE7hEU%2FccffwWPye7wmTWT154zCmhX2wBLLWErX6yptBjSn9YXSMLMohlpsjw%2BxO5VxqobuYkMh302JzsMTg4fXVD76S9F6aOL1vRPwZx8fTGOeMoKRTMO7B0xwvo2HQCra8ds7NMqXBpbNxN%2Bi7Ez6ZOyX%2FQUyixg1Ya1G7%2FkF8sEaT8z%2B4QHLhghEUdy4%2FMYbGVFzAKhSDW9Yg%2BcPfxQLt%2BViZ", "https://vtbehaviour.commondatastorage.googleapis.com/5f87d5cb5921df99f335e1a8f044db15187f88aea04ecc073b310a4b9649a5e1_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779683851&Signature=oDNiEuOved3Q5at8LARyePhpQE3%2FjmEYRIWg4Vzp0yzifSrnwMGaujbhYJWqc8BadzAh1AhmrfOaNLGJfe8IO2Izje4ofsfex0DAAfgHm5l1vDeQWFDfgypa9%2F8sHOOgBiUlbdSDYrVdZ2Z9f8MGr8OaswhQwykG5mL3UcUwRD4heOIda%2FFZGhfCLn%2B7ksTMcuD2%2BjT%2F7IuP8kYOTQ0ZqwnDZGNQwopAFpNNouIAx0LKAjPDIO", "https://vtbehaviour.commondatastorage.googleapis.com/5f9b9db4e9200b4576d6e8bc2888d6e7ab28a04e66083366bcde57915eed5078_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779683897&Signature=A1uHov9N8mIMBn6lVPETST7i%2F%2F3lKCkTSifHpWYQ8lqnGw3%2FwBD1QhGr1tH%2BYzg4xJYZR1vHPxcGC2biWNZtPF89Sx8FKf%2F18O4PHYJb1n7YfdP24JbV%2BkekQpomFKe66pKsf0gWQQx1zTJDWvam9HuvVTyCV9h22TLG%2FmBDvK4SftnNssRv0EkzKP9dNqTfjJdMh0Y0rIEyQdNLLo%2BLsWQbrx2yxJo6kZD%2FJC", "https://vtbehaviour.commondatastorage.googleapis.com/727dc58bb6aaf24fd82f54a11560f26e38ee0ca6bb823ea70bad33fd7c9378ef_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779683965&Signature=tYhGClprbVOZuxQF%2F%2BLWEx6LfO%2Fz4pigFaLvSPYRY%2Fqg92dL8%2BWlaAyT%2FJueBiXJFPkqBYoXk0DmZNj2UfqQiv4Jy9bhRG562tGCoadI7qFVHMBOyAmGj0uMVS%2FoyY00p8UkiUah%2BiG2lZaGt6eVnE1yrGqEIpnAnUxdyxti%2BDm0vFgP5Ust7yR%2F1SAtswsFyfntj2GSgBc5z1NbueSA2uSfZsxWtxmYAm9dk%2FrUPQ47Nb5Q", "https://vtbehaviour.commondatastorage.googleapis.com/7111bb197f77eecf518b22f7a6f269647abc17eda4aaed9ba50212462b9848ed_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779684045&Signature=g5SPZe7A95%2FqyMCV3ihh6MGTnXRMjhKIGP6dBCJ3OB%2FCOBrSRTz%2BpnCcdIwsJk%2Fc74E6s1DRbKJn3SszGoP7h%2FNJwXl3BIBK6KeI0zYJeOibOT%2BeU9CnCcwY%2F3bx99X3LvHRwg0Fkdg%2BJoRI620jziRVAW%2FiC1wpzeMqmJNUOHn4NsTYiMD7H8cuBnRzAZQvK2lRO5asaddU11mHkkQ963f3YOOv", "https://vtbehaviour.commondatastorage.googleapis.com/8b10c7238761ba1c98b713c673c452437c4a56794ff0e3d657cff148056c9cf1_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779684153&Signature=MfmLhMZdg4gtuEoE1eB%2FroqyUo2QXTJ8L6oAmpYIvTmU8BmwS6hwF0opRe4GV3ox8yxCzd2O9fsm4T7dwrkSk8fJBlqrPHibaMNPNs4QpeMOraU4O6Au5EDLlJTtDwp43nz%2FK5tqLXzJpfqCvDEnQOghFLah5YCBj8qdFtGrKfHbvyMGL70BlhpaZsmAn3Jgu6zNXCQGqz3c%2BkATkQ3XNm%2F8FiNTOFzO5TUxHqPE3NUMFglmxAJhEo" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 2266, "IPv4": 327, "domain": 178, "hostname": 372, "FileHash-MD5": 805, "FileHash-SHA1": 833, "URL": 812, "email": 2 }, "indicator_count": 5595, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "3 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a13d455f52a1c3acb3904b6", "name": "NOW BOARDING: DARK-ZERO Sheep Tracker * CAPE Sandbox", "description": "Modern threat intelligence requires moving from passive observation to active intervention. In the context of targeted tracking implants, defending civil rights means engineering systems that protect user autonomy against unauthorized data extraction. Architectural Protections:\n0-Trust Telemetry: Designing operating systems where the user owns the cryptographic root of trust.\nHardware-Enforced Isolation: Utilizing Secure Enclaves to process cryptographic keys outside the reach of a compromised kernel.\nExploit Mitigation: Implementing advanced PAC+ Memory Tagging Extensions (MTE) to stop zero-day memory corruption bugs. The holiday serves as a reminder for SOCs to uphold high ethical standards, ensuring defensive tools are never repurposed for unauthorized surveillance. Respect to all.", "modified": "2026-05-27T16:29:42.941000", "created": "2026-05-25T04:47:17.194000", "tags": [ "win32 exe", "mozilla firefox", "zip adobe", "photoshop cc", "rar adobe", "air sdk", "adobe air", "lassa2", "default", "shell folders", "inprocserver32", "parent pid", "full path", "command line", "cname", "folders", "file size", "mwdb", "accept", "shutdown", "ip address", "virustotal box", "apples sandbox", "sandbox sha256", "analysis date", "file", "operations", "process open", "write delete", "move time", "file type", "json", "ascii", "utf8", "sqlite version", "found", "pe file", "intel", "pe32", "ms windows", "installer", "defense evasion", "window", "title", "template", "next", "united", "performs dns", "grabber honest", "layer protocol", "attack network", "info processes", "extra info", "zenbox macos", "verdict", "guest system", "ascii text", "sigma", "creates", "t1055 process", "info dropped", "malicious", "p2404", "p11718783889", "p4de83ek69hqsh4", "p11718784848", "bazaar", "sha3384", "ssdeep", "checker", "themida", "guard", "property", "adobe device", "property name", "productname", "displayname", "destination", "root", "totalsize", "langpack", "swedish", "win32", "windows sandbox", "calls clear", "sha256", "sha1", "crc32", "size", "flash", "june", "drops pe", "crlf line", "sample", "persistence", "win64", "hook", "instructor", "kids goldadobe", "errstr", "cultureneutral", "license", "error", "code", "service", "vmprotect", "february", "back", "number", "mitre attack", "network info", "processes extra", "fri dec", "database", "initial access", "program", "overview", "overview zenbox", "ultimate file", "info file", "Nullworld", "value", "value lang", "buildinfo", "productinfo", "addremoveinfo", "displayversion", "screnshots", "United", "Swedishvpncarrierenrollment", "calls process", "writes", "png image", "rgba", "guloader", "fraud", "phishing", "install", "pdapp", "urihandler", "us tcp", "product install", "gamma", "updater", "Now boarding", "DarkZero", "Sheep Tracker" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/036d1a174e3ef9a15c8075248958c4f36d8817573ef3f6f12c62850976b32737_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779681399&Signature=o4EIDa%2Bu5q7UzJoKBZ3SHIdTRWKGT7HIZyLxFZSLdRJV2Ng655y2X8OLnU2siFeopgWPI6Gd8nE9F9LFBFgwM%2F0ZN0FWsDls8m78y46TmhjHhykfch6G%2Buw3LPxmfbz999yBfELXQDUCNWIiGUPv%2B23aUdHnc0c5jI4Mvlz2HGA%2BHlIMjc1w1S%2BWm%2FI6ftHJdyIAh0SqMbPXqAy%2BIonExlGkoEmMBCJl3r3pfMcYzy4ai0", "https://vtbehaviour.commondatastorage.googleapis.com/05eff75186e681b14135ce2945d124664260e5a88e0d14f138050d622d82745a_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779681421&Signature=oUYsIo6y2ldihmETch4oPYw5nb4sHZhKRik2zGuv2h9rqu30GcV1xZHlIO9ttFa625EXOlrrILZtAhfM%2FamkTDjXZUTqn2%2BTKmgnxqOOfJU6KrJHPLE9Do7l7MEaPxX4cs8z8tWd0%2FY8sBv8sjGAIdWrT5OPv202LNN%2FiVe6mEIUMkmNr%2BG1S3Pgs6LRTjo%2BgqhEcNXT0MFUgs3I2e4AQ0TQ4FOs%2BVRY", "https://vtbehaviour.commondatastorage.googleapis.com/036d1a174e3ef9a15c8075248958c4f36d8817573ef3f6f12c62850976b32737_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779681469&Signature=VGjB%2F%2BCQwDtsenSFWX7YNKbe9s%2Fgcpg%2FotVlxRZ6FXuE9VXITP76QQq6L2vlSM7pfQHSnBv%2BUdwMtN3QhCxjF7Zv2PV%2FkWLnwwA3hJciWMAKiLSeKTanNshzLWnmBjN04FASFwNf6kAq4PcunHkHh2PSOGl03eem41DHA6YOIRAjI1C6hAdDvKoAqJJXuGKM%2F5Z5vzfeTaXNgCRutOhVDB4%2FcAcV9zZaRcX9Ii0IFRAZo%2Bzk7rvI", "https://vtbehaviour.commondatastorage.googleapis.com/05eff75186e681b14135ce2945d124664260e5a88e0d14f138050d622d82745a_Zenbox%20macOS.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779681490&Signature=bIUDLY2jLaPa0t0OyOiuRlKjk8VM9IFdVTwzJhuTKfuV%2BhwtwcYghSy4186P0qsGEebShI2xNNVBPSd3uQdeXMuYRDJWcyo18c12pLwgcLgaBot06%2Bfys%2BlGp%2FV%2FSCDBvdo3iLaAOesoSo8vbCLNsWAzGM5sztLl%2Beyq9%2F1oSuAvU692EiARhcufOCMFqXCn6MNuSp18gSQwkFRBadsMvHSjfHW645FvLUfiP5Egu1WuMVP2", "https://vtbehaviour.commondatastorage.googleapis.com/05eff75186e681b14135ce2945d124664260e5a88e0d14f138050d622d82745a_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779681535&Signature=K%2BM%2FPuLQI5kqDYLWjQMD%2BgPbchxwp2sWPPUtfDZYFn5H9w%2BqFPRxh7iZqH4FOPAnwlC0%2BN5TKTqrEuhABL3gWMqHySyweiNPNkJ1MlX29xZdE482pqQSn8rzkPs7CZD63ts4ZRPrK%2Bl06RV13mZf4TUzAD9Sx0m6%2FWhetQETuu6StpVmyzhie%2Fn%2FUdsdFN0SW%2BtLpQE74IVNfszCgKVhF9oNeBiifytanSbIG0SnLff9sXffjS", "https://vtbehaviour.commondatastorage.googleapis.com/087975d5f3c874a6fe9cbfe9d7ee77fb0af138e3c36a6f75e3d000699afc571d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779681569&Signature=C286Cg30s1QDg1lkY0jtTLfia8Fs4B%2FdqNMfidFUYXpd2si4N25G7RBqy8LODkWqBQca8rpYyZ7FIYHuRDc0wBLk%2B1rPiEXJckZIdmkyhDkFJ2jrxfNV135BZTTeF6DkLrRfWPgnxciVK%2FJrkueYnjlYhYW08OZkTu9plzgmfR2IocW5ENVaqHbcPAdm2QDCC6VVrNQp%2FP%2FjV6%2Fkm37tinRyXhg1vKSf0TVFMzL1jpYkiS5PIc", "https://vtbehaviour.commondatastorage.googleapis.com/07f5960476ab34754f3e04143caf2d4899cb09e6b271bfd27ef1f1c8977ca050_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779681591&Signature=uoP10og17YxXUe0yZ8kll3N15RJJ%2Bf5pJFzW0MUe4fdvXaLlcOfCxs%2B6EyW23FSqTj%2FbNedtUC6z7Y0dgMPBtJC%2F9gOhXEZj5%2BKKwnQbCBe7GuFtEsVMMkQRdiDQxJYZipAId1MwoBChhx%2BSr%2FrboVkDq%2F%2FbNLvWS6keRMn4fa8GX%2BF0lIJepJ98sjwXs48DXBch8974olbyd38VGGp1bLMl7mycstrQ2hIy2MFXWD", "https://vtbehaviour.commondatastorage.googleapis.com/0da371854ec2c04bbee9680dbdabb67a4e4a84add40e5e1877425790f2dfef02_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682005&Signature=SyLSFT5xdlAZ5lwNyaeDpqsMTuwGywWruel4fBOIdsyiZ%2FvtOZYr7f%2B%2BIuBmqFMAwMI4L7kB6jRtv8mVn8lmU5MUJBAG6GJdVsEp2SoexU5Yl2kTksey03ZsjBloxlJqDzf8PULDlwjfD1Ydv%2B5QFPoY3%2Fk8TKMlmmpTIw7%2FYcR24%2FHYHw78XVF2cV%2Bnb3GoDaHw%2FnpxLrDwgfZP9dWvP8V264o5l2dDfxQtF0", "https://vtbehaviour.commondatastorage.googleapis.com/17c1908439bc7132f6a7c496c68d39b0c0cee504fe9020c920a2d1d04685fb5b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682086&Signature=yzXoWEcsMl9wlTGgMQfBKEZWwnDzmua%2FR2suwDMBSqPLhunpHELcj0SzY3czM%2F9HQG9QuvYzhQRVUxR1iDaFz1BQ4YHkXJih3zm%2BcNlDcfXsOZzyYzWUhaPsbSti%2FWbFoL4E14bnS7tIuG9s9R96LkGyGpWIsT%2BPeCNhsCzD7vFRU0cPMr6vNblu%2BBiO3Ki99QSrkF4hzBxkQ7DFgba3qi7kOfal%2F2K8hC1ikcZntmn5IESW", "https://vtbehaviour.commondatastorage.googleapis.com/17c1908439bc7132f6a7c496c68d39b0c0cee504fe9020c920a2d1d04685fb5b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682105&Signature=DkIw2nRg0%2BHKmd2TpyMzcgrB%2F4s6sIVIpOEEVMqz3Csoj6PPmSGNer%2Bt5X5oYKPZQgJETAHcCRs0mh3Lfa85XEPdYk6PjMimJmKQdBstqdULgs6q7wyZEjHDhQn41ri7eQ16g7pAo9ojfhLUNp4uW2xuYvdBwYhYBsZP3EO1BKz2f3dYxSg%2Bgsn2AnC2%2BDRTIX0Xxd%2Bt44%2BkXfiY32mvDHDNDCcuT5ZDFNrHwDp3HKuuJYy7lRHm8AlK", "https://vtbehaviour.commondatastorage.googleapis.com/1f1db73659fa2fe7a944d20bb4e9a867513a50ee9b51be89dfec30c73f6ed622_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682177&Signature=yjgeq7TPzf6M6Pn8mPFgBmhHQbfgGlaadZNsSsDUKq0Da4%2Bb25WhNl6nDIyUDmRBtABod6Itj2EUlbe%2B4U0QYLuJR00aQqsO%2F9pXU4AWeIFUEZhCrwgZ5WuNPpYbdVbOYcVX6oyDXpSjv1QEGmJ1NVVr%2F1esshl3tugyHxp6LFYa9%2BQeoiqsBikKLglNB52vsap%2BkwVPKyXg%2FjduMqTQd%2FhNMM41261XiBOTtUqjpzIm67", "https://vtbehaviour.commondatastorage.googleapis.com/492dc39e7752dccfd15f588054991277e6548b794b28a03f42b9cee132eebd2e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682206&Signature=iCbR7BcpXhfqHIoxTRE%2BvhCqRoHYALCXll0hXveh8IQOJPjxw%2BlLNas6nIvp035t6sdMg9KdOY751XfThil%2FE2mLrvir%2FwKjheK2382r5bhEQFEsa6etlla3TDjlvttEFZDUN7SSLpGao8u7uVNwrPRb0BuwYDemKKVJK6DACPbUZEHk3DZ%2Bi8SxXIdELiXG%2Bozy7oC8Dcj0HqHGYuliXpjT1mV7OsCjFXvmjZPcFH06EzZS5L", "https://vtbehaviour.commondatastorage.googleapis.com/17c1908439bc7132f6a7c496c68d39b0c0cee504fe9020c920a2d1d04685fb5b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682251&Signature=z6Lrdrr5u6YZdzJaR%2B2Qab%2F%2FVA6%2FL6JaNA4%2BVxLe9wEjL%2B2ARzGBhQdq6RTX5ez3SDTWWmc%2BrOypKxxCsLeXUbjYRoIgcsSzYIxWQWoEl35tFARLVKf%2FVf%2B696U6PYQ%2F1BNWxSfuNOeUVNK2pIiMYCUjLnikvUyj9Ip3MrgKOaV9v9SShCLay93Y7b3GbAUZ2Jzy18PEYf%2FLuk4fDrqITmP2upsysOJq1MhZcJ%2", "https://vtbehaviour.commondatastorage.googleapis.com/105f31af20fdb87d442f81aad0c3a54030b7e214c4796cf2a069bae6aa89dc65_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682395&Signature=oVg82i1yTG%2BGfhoL5FyBdK%2BZKa6wi2iWMpwHyA77jBFtAOZxw%2Bs6z6So26GWDthH7UMEzwZwQC6ENF1TLBEqXukldXMdMg%2FvNylvy7vCdDKDsw53Ibc7vKnu5T0lNumnv%2FD5vnV14QZrzAE8PG3J0S0rtheY8mNCkM6t1w52XYYm5mfnGJXsnjyMEvgURuPhzOIq9%2B%2FG7XUWFK0vK%2BlzKmZU627%2FKYkT9EWHOI8Nyx%2FJUqad%2", "https://vtbehaviour.commondatastorage.googleapis.com/002150c786ae1e04ab2981bf5593d926987b60b9ac699f431ed4568084dd854b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682457&Signature=eWipoH1g7AQ8zq2pd%2BpyAKrKscAY%2FebCATbHE%2FMwdvIfIy%2F4i3OFy%2FKlfaNCXDLDU0OM6JaEF73FAqGhLEb8ZcxTuEfMeU%2F6WxjpgS2SqLZ0xOjAPgPWOOor3uCcdIEZRCcpJe%2BAzPY8jEZJ0aIf49RU85lkIx9yCiXcFnee1pNHHBFwpsBK4FNuTB%2FyDe61M5Htw4fjlf43GTnXFxj0%2Fjc%2Fe32Q7EpVkuSc0I%2F3zTrY0UkC", "https://vtbehaviour.commondatastorage.googleapis.com/492dc39e7752dccfd15f588054991277e6548b794b28a03f42b9cee132eebd2e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682486&Signature=ucigAmI%2BTWYWnZuZjQb7cvSnhC1f6r93NM1kh5fCHjjcUodx6ltePV2QSdyXCnhrdH8ODLugh37CFZxsAmtiMMefuyuh6T8mtuxe7znGqLiJre5YFfSQLkzmz0Ksqekcg0sp1bUaKykXguy%2BKwv6Tg12CIM7xzaDB%2BGcjw6KkBLiD0A1sB6Z9gk9np%2FNtUBHdW7E0eBfvTWOK8F99R1lQdmQab2Vha55GLH6JRBksZ7AbBEdVS8DMtkaZCS9sV", "https://vtbehaviour.commondatastorage.googleapis.com/049c8db974d1830f931d605f6918184d8928c46c74f4152dfde3dc7bdffbf5d5_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682585&Signature=z2IzO8oruo5%2BmP%2BuhsnAbNLmy7QRAemblZDUm1KEgUCliIqrtWVkruuMg2tcIokmH12yIvRumIVlk5OcGjVxI%2Bb%2B3Va9LgSnD%2Bwjbe5pAs%2BDuUGTY52XSe7V9xdcRN38UeNFYy2jTLa2KYspIZ0NzHMsL0BzU5pqOWw0bAShHYc9sNx0S7a%2BSD7PiY%2BDR%2Br%2BQll9wUT%2B4EjhHrYYmmdRCa6vbIyTLcHmdw4JzmHHsLy%2Bjf", "https://vtbehaviour.commondatastorage.googleapis.com/27086c4185aa32bbc6674267b947e3f6610554188ac694ce2dbc1191a9525339_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779683188&Signature=o0pfi%2Bqzc6KRiLra5kzATI2ROhjWVPHqZ7tOokv%2B9i4HwxX3m%2BpcqtYKMIFJMVk1qNFDyYwnCDfkeiva50iZyrha2F3bacitBdmnSwCEQE5xMG73RGPjQAvPps3tKMm1MDH8Rzpy65y9bdKpTSCL9%2Bt2xAk4%2BXx13XPz2GlU%2BG8Q%2FSPkCW96%2BX6c5xzWpIH%2FlXn7%2Bgl2G9QMGbrbnwD%2FfR58%2FrXIeIEJ%2F9%2BNt2W3Fr", "https://vtbehaviour.commondatastorage.googleapis.com/2c7002510767deb9bbb0d2ee2d47be98828bf5b6e999d6cd882b1c1a1c908510_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779683299&Signature=RMRBhdx9cTLEwBYgOaiBV4x03W8laZvNMUtTq68ykLCh0R5toTaD64MdSiBhgsNAZLaS8z9dPsGmVcfMC8U5sPrXXLzAt9CBPoJjT2jV40HyYrW58xs3wjf65936U00bQy9DGFrlU7xInrhEocKiXuD17i5A%2F7tdPgx74I6xY906Ua8hyOe3f5zVmaxE6zpNAonyZtoHtHmnuDLG71DTPwYyiKcGPff7glIXoNalw4ST3jQr3Ma%2Fv1Q3De", "https://vtbehaviour.commondatastorage.googleapis.com/2c98a3b3752939b7c2db76682607e3918dee0edd81998279cb4528cc6c67f715_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779683469&Signature=oE7hEU%2FccffwWPye7wmTWT154zCmhX2wBLLWErX6yptBjSn9YXSMLMohlpsjw%2BxO5VxqobuYkMh302JzsMTg4fXVD76S9F6aOL1vRPwZx8fTGOeMoKRTMO7B0xwvo2HQCra8ds7NMqXBpbNxN%2Bi7Ez6ZOyX%2FQUyixg1Ya1G7%2FkF8sEaT8z%2B4QHLhghEUdy4%2FMYbGVFzAKhSDW9Yg%2BcPfxQLt%2BViZ", "https://vtbehaviour.commondatastorage.googleapis.com/5f87d5cb5921df99f335e1a8f044db15187f88aea04ecc073b310a4b9649a5e1_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779683851&Signature=oDNiEuOved3Q5at8LARyePhpQE3%2FjmEYRIWg4Vzp0yzifSrnwMGaujbhYJWqc8BadzAh1AhmrfOaNLGJfe8IO2Izje4ofsfex0DAAfgHm5l1vDeQWFDfgypa9%2F8sHOOgBiUlbdSDYrVdZ2Z9f8MGr8OaswhQwykG5mL3UcUwRD4heOIda%2FFZGhfCLn%2B7ksTMcuD2%2BjT%2F7IuP8kYOTQ0ZqwnDZGNQwopAFpNNouIAx0LKAjPDIO", "https://vtbehaviour.commondatastorage.googleapis.com/5f9b9db4e9200b4576d6e8bc2888d6e7ab28a04e66083366bcde57915eed5078_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779683897&Signature=A1uHov9N8mIMBn6lVPETST7i%2F%2F3lKCkTSifHpWYQ8lqnGw3%2FwBD1QhGr1tH%2BYzg4xJYZR1vHPxcGC2biWNZtPF89Sx8FKf%2F18O4PHYJb1n7YfdP24JbV%2BkekQpomFKe66pKsf0gWQQx1zTJDWvam9HuvVTyCV9h22TLG%2FmBDvK4SftnNssRv0EkzKP9dNqTfjJdMh0Y0rIEyQdNLLo%2BLsWQbrx2yxJo6kZD%2FJC", "https://vtbehaviour.commondatastorage.googleapis.com/727dc58bb6aaf24fd82f54a11560f26e38ee0ca6bb823ea70bad33fd7c9378ef_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779683965&Signature=tYhGClprbVOZuxQF%2F%2BLWEx6LfO%2Fz4pigFaLvSPYRY%2Fqg92dL8%2BWlaAyT%2FJueBiXJFPkqBYoXk0DmZNj2UfqQiv4Jy9bhRG562tGCoadI7qFVHMBOyAmGj0uMVS%2FoyY00p8UkiUah%2BiG2lZaGt6eVnE1yrGqEIpnAnUxdyxti%2BDm0vFgP5Ust7yR%2F1SAtswsFyfntj2GSgBc5z1NbueSA2uSfZsxWtxmYAm9dk%2FrUPQ47Nb5Q", "https://vtbehaviour.commondatastorage.googleapis.com/7111bb197f77eecf518b22f7a6f269647abc17eda4aaed9ba50212462b9848ed_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779684045&Signature=g5SPZe7A95%2FqyMCV3ihh6MGTnXRMjhKIGP6dBCJ3OB%2FCOBrSRTz%2BpnCcdIwsJk%2Fc74E6s1DRbKJn3SszGoP7h%2FNJwXl3BIBK6KeI0zYJeOibOT%2BeU9CnCcwY%2F3bx99X3LvHRwg0Fkdg%2BJoRI620jziRVAW%2FiC1wpzeMqmJNUOHn4NsTYiMD7H8cuBnRzAZQvK2lRO5asaddU11mHkkQ963f3YOOv", "https://vtbehaviour.commondatastorage.googleapis.com/8b10c7238761ba1c98b713c673c452437c4a56794ff0e3d657cff148056c9cf1_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779684153&Signature=MfmLhMZdg4gtuEoE1eB%2FroqyUo2QXTJ8L6oAmpYIvTmU8BmwS6hwF0opRe4GV3ox8yxCzd2O9fsm4T7dwrkSk8fJBlqrPHibaMNPNs4QpeMOraU4O6Au5EDLlJTtDwp43nz%2FK5tqLXzJpfqCvDEnQOghFLah5YCBj8qdFtGrKfHbvyMGL70BlhpaZsmAn3Jgu6zNXCQGqz3c%2BkATkQ3XNm%2F8FiNTOFzO5TUxHqPE3NUMFglmxAJhEo" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 2266, "IPv4": 327, "domain": 178, "hostname": 382, "FileHash-MD5": 805, "FileHash-SHA1": 833, "URL": 816, "email": 2 }, "indicator_count": 5609, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "3 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a13c3532971d5af060e0b77", "name": "Adob|eAIR * CAPE Sandbox", "description": "IP- 199.232.210.172\n199.232.214.172\n\nDNS- bg.microsoft.map.fastly.net\nNo cert data.\n\nDrops: \nZenbox -bg.microsoft.map.fastly.net active reputation: high\t199.232.210.172\t\nIP Info (1)\n\nIP\tCountry\n192.168.122.1\tunknown\nDropped Info\nNon malicious dropped files (156) \nProcesses Extra Info\nOther Drops- VT: 57\n29 mitre-25 OTHER 1 PE_EXE 1 TEXT 1 SWF 1 MSI 1 JAVASCRIPT\nNetwork comms\n1 DNS 2 JA3. rec: review version for safety, recall certs expired. Unsubscribe from tracking [if able] as it has shown to be a watering hole of cryptographic non integrity [not suggestive here, but the potential exists]", "modified": "2026-05-26T11:49:30.571000", "created": "2026-05-25T03:34:43.204000", "tags": [ "default", "shell folders", "inprocserver32", "parent pid", "full path", "command line", "cname", "folders", "file size", "mwdb", "accept", "shutdown", "file type", "json", "ascii", "utf8", "sqlite version", "found", "pe file", "intel", "pe32", "ms windows", "installer", "defense evasion", "window", "title", "template", "next", "ascii text", "Adobe AIR", "bg.microsoft.map.fastly.net", "No certificate data", "Remoted" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/036d1a174e3ef9a15c8075248958c4f36d8817573ef3f6f12c62850976b32737_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779679450&Signature=Xsh6GXCTvOkupXYUUQGiHNgx%2FWmCftYcZVdWxsZHvLRN%2FB6NnyiBI7GU7MIIp%2BWK9bAgMazFDSG%2BuFE5DhyKycaRjrO%2FvO8BdtjfsiNwq%2FOCo%2B0zhhNqe%2BONe79ktGFAo08vKEnOCs5jHG7AxZH07bzAUjvvdK9iUvMsNsmiCWU05%2Bgn1KMjU2Tk9%2Brbbwy0HgEMK4jBH8u8hHNsV1FFHVLWckRu%2FQ7QM19y6kEq", "https://vtbehaviour.commondatastorage.googleapis.com/036d1a174e3ef9a15c8075248958c4f36d8817573ef3f6f12c62850976b32737_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779679610&Signature=CFTzWPXcfKua6uilDSrmKC177u7eSQdDxWa1Sqd5eaP1s%2B4xUAW73v1uovAfukRKPolFfRM1MxR%2F%2FRuE0RYh91RlLjNLYqJFXkGVCvuSzn9TzvGRPP2H6ngGcA%2B2XK4mvcVZOXLPMF1EcYDmbC9CTZyaqkUF3bun9LQv9j%2BQ9cz1xsNyGkCjrF2OVvBfR%2FBsE4fxBcBPSMret5BpGFOf4fn3jbrsEmDvet4tyz2SkZJeKhZL7dlOERabun", "bg.microsoft.map.fastly.net", "199.232.210.172 199.232.214.172" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 26, "FileHash-SHA1": 24, "FileHash-SHA256": 111, "IPv4": 24, "hostname": 84, "domain": 7, "URI": 1, "URL": 97 }, "indicator_count": 374, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "5 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a13c33839fd2deaaf00ca73", "name": "Adob|eAIR * CAPE Sandbox", "description": "IP- 199.232.210.172\n199.232.214.172\n\nDNS- bg.microsoft.map.fastly.net\nNo cert data.\n\nDrops: \nZenbox -bg.microsoft.map.fastly.net active reputation: high\t199.232.210.172\t\nIP Info (1)\n\nIP\tCountry\n192.168.122.1\tunknown\nDropped Info\nNon malicious dropped files (156) \nProcesses Extra Info\nOther Drops- VT: 57\n29 mitre-25 OTHER 1 PE_EXE 1 TEXT 1 SWF 1 MSI 1 JAVASCRIPT\nNetwork comms\n1 DNS 2 JA3. rec: review version for safety, recall certs expired. Unsubscribe from tracking [if able] as it has shown to be a watering hole of cryptographic non integrity [not suggestive here, but the potential exists]", "modified": "2026-05-26T11:49:29.775000", "created": "2026-05-25T03:34:16.186000", "tags": [ "default", "shell folders", "inprocserver32", "parent pid", "full path", "command line", "cname", "folders", "file size", "mwdb", "accept", "shutdown", "file type", "json", "ascii", "utf8", "sqlite version", "found", "pe file", "intel", "pe32", "ms windows", "installer", "defense evasion", "window", "title", "template", "next", "ascii text", "Adobe AIR", "bg.microsoft.map.fastly.net", "No certificate data", "Remoted" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/036d1a174e3ef9a15c8075248958c4f36d8817573ef3f6f12c62850976b32737_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779679450&Signature=Xsh6GXCTvOkupXYUUQGiHNgx%2FWmCftYcZVdWxsZHvLRN%2FB6NnyiBI7GU7MIIp%2BWK9bAgMazFDSG%2BuFE5DhyKycaRjrO%2FvO8BdtjfsiNwq%2FOCo%2B0zhhNqe%2BONe79ktGFAo08vKEnOCs5jHG7AxZH07bzAUjvvdK9iUvMsNsmiCWU05%2Bgn1KMjU2Tk9%2Brbbwy0HgEMK4jBH8u8hHNsV1FFHVLWckRu%2FQ7QM19y6kEq", "https://vtbehaviour.commondatastorage.googleapis.com/036d1a174e3ef9a15c8075248958c4f36d8817573ef3f6f12c62850976b32737_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779679610&Signature=CFTzWPXcfKua6uilDSrmKC177u7eSQdDxWa1Sqd5eaP1s%2B4xUAW73v1uovAfukRKPolFfRM1MxR%2F%2FRuE0RYh91RlLjNLYqJFXkGVCvuSzn9TzvGRPP2H6ngGcA%2B2XK4mvcVZOXLPMF1EcYDmbC9CTZyaqkUF3bun9LQv9j%2BQ9cz1xsNyGkCjrF2OVvBfR%2FBsE4fxBcBPSMret5BpGFOf4fn3jbrsEmDvet4tyz2SkZJeKhZL7dlOERabun", "bg.microsoft.map.fastly.net", "199.232.210.172 199.232.214.172" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 26, "FileHash-SHA1": 24, "FileHash-SHA256": 111, "IPv4": 26, "hostname": 84, "domain": 7, "URI": 1, "URL": 97 }, "indicator_count": 376, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "5 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a126fcffc60a71dfab01f24", "name": "credit scoreblue - clone of another researchers post [Google Spy engine | Tracking, Malware Repository CREATED 2 YEARS AGO MODIFIED 2 YEARS AGO by scoreblue] + added 10 iocs", "description": "", "modified": "2026-05-24T03:32:22.109000", "created": "2026-05-24T03:26:07.144000", "tags": [ "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers", "expired", "acceptencoding", "html info", "title home", "tags viewport", "trackers google", "tag manager", "gsddf3d2bzf", "historical ssl", "referrer", "december", "formbook", "round", "apple ios", "tsara brashears", "unlocker", "collection", "vt graph", "socgholish", "blister", "hacktool", "hiddentear", "gootloader", "agent tesla", "crypto", "installer", "life", "malware", "open", "korplug", "tofsee", "date", "name servers", "status", "passive dns", "urls", "scan endpoints", "all scoreblue", "pulse submit", "url analysis", "files", "no data", "tag count", "analyzer threat", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "heur", "cisco umbrella", "alexa top", "million", "site", "alexa", "maltiverse", "xcnfe", "safe site", "phishing", "remcos", "malicious", "miner", "bank", "agenttesla", "agent", "unknown", "downloader", "unsafe", "trojan", "detplock", "artemis", "networm", "win64", "redline stealer", "limerat", "venom rat", "trojanspy", "tld count", "png image", "jpeg image", "rgba", "exif standard", "tiff image", "pattern match", "ascii text", "united", "jfif", "sha1", "core", "general", "starfield", "hybrid", "local", "encrypt", "click", "strings", "adobea", "daga", "as30148 sucuri", "td tr", "search", "span td", "as44273 host", "creation date", "a domains", "xtra", "meta", "back", "verdict", "domain", "aaaa", "as15169 google", "asnone united", "nxdomain", "sucuri security", "a li", "span", "class", "body", "sucuri website", "a div", "authority", "record value", "showing", "gmt content", "x sucuri", "high", "related pulses", "show", "guard", "entries", "win32", "west domains", "next", "ipv4", "asnone germany", "object", "com cnt", "dem fin", "gov int", "nav onl", "phy pre", "formbook cnc", "checkin", "found", "error", "code", "create c", "read c", "delete", "write", "default", "dock", "execution", "copy", "xport", "firewall", "body doctype", "section", "dcrat", "analyzer paste", "iocs", "hostnames", "url https", "blacklist", "cl0p ransomware", "zbot", "malware site", "team memscan", "cl0p", "algorithm", "data", "v3 serial", "number", "cus starizona", "cngo daddy", "g2 validity", "subject public", "key info", "certificate", "whois lookup", "netrange", "nethandle", "net192", "net1920000", "as174", "as3257", "sucuri", "sucur2", "verisign", "whois database", "server", "registrar abuse", "icann whois", "whois status", "registrar iana", "form", "temple", "first", "android", "win32 exe", "html", "bobby fischer", "office open", "detections type", "name", "pdf dealer", "price list", "pdf my", "crime", "taiwan unknown", "as3462", "as131148 bank", "as21342", "all search", "otx scoreblue", "pulse pulses", "cname", "as22612", "as43350 nforce", "win32upatre jun", "expiration date", "hostname", "lowfi", "date hash", "avast avg", "date checked", "url hostname", "server response", "google safe", "results jun", "files show", "registrar", "china unknown", "title", "network", "fakedout threat", "urls http", "maltiverse safe", "malicious url", "team", "phishtank", "services", "botnet command", "control server", "mining", "betabot", "team malware", "engineering", "stealer", "service", "vawtrak", "virut", "emotet", "simda", "redline", "fri oct", "media sharing", "known infection source", "bot networks", "malware", "malware repository", "spyware" ], "references": [ "https://www.searchw3.com/ = google.analytics.com, google.com, google.net, adservice.google.com.uy,https://plus.google.com/", "ns1.google.com, nussbaumlaw-ca.webpkgcache.com, plus.google.com, tddctx-com.webpkgcache.com,", "Ransomware: message.htm.com | nr-data.net [Apple Private Data Collection]", "https://otx.alienvault.com/indicator/file/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b", "Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk uses_windows_utilities", "Alerts: cmdline_http_link clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint", "Alerts: anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self", "Alerts: stealth_window cmdline_http_link uses_windows_utilities suspicious_command_tools dead_connect", "IP\u2019s Contacted: 192.124.249.187", "Possible Fake AV Checkin Kazy/Kryptor/Cycbot Trojan Checkin BetterInstaller Win32.AdWare.iBryte.C Install Dooptroop CnC Beacon Win32/DownloadAssistant.A PUP CnC Win32.Sality-GR Checkin Win32/FlyStudio Activity W32/InstallRex.Adware Initial CnC Beacon PUP Win32/DownloadAssistant.A Checkin", "Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities", "Alerts: enumerates_physical_drives clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile", "Alerts: clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities", "www.google.com/images/branding/googlelogo/1x/googlelogo, https://www.google.com/recaptcha/api.js?onload=recaptchaCallback&render=explicit&hl=", "www.google.com/images/branding/googlelogo/2x/googlelogo, www.google.com/images/errors/robot.png, www.google.com, www.google.com/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Cl0p", "display_name": "Cl0p", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" } ], "industries": [], "TLP": "green", "cloned_from": "6688e0ffb31d4881f3238713", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 4130, "URL": 11958, "hostname": 4644, "domain": 4304, "FileHash-MD5": 2256, "FileHash-SHA1": 1161, "CVE": 8, "SSLCertFingerprint": 20, "email": 8, "CIDR": 1, "IPv6": 4, "IPv4": 6 }, "indicator_count": 28500, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "7 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a126fcc3620af2edeb95e57", "name": "credit scoreblue - clone of another researchers post [Google Spy engine | Tracking, Malware Repository CREATED 2 YEARS AGO MODIFIED 2 YEARS AGO by scoreblue] + added 10 iocs", "description": "", "modified": "2026-05-24T03:26:04.439000", "created": "2026-05-24T03:26:04.439000", "tags": [ "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers", "expired", "acceptencoding", "html info", "title home", "tags viewport", "trackers google", "tag manager", "gsddf3d2bzf", "historical ssl", "referrer", "december", "formbook", "round", "apple ios", "tsara brashears", "unlocker", "collection", "vt graph", "socgholish", "blister", "hacktool", "hiddentear", "gootloader", "agent tesla", "crypto", "installer", "life", "malware", "open", "korplug", "tofsee", "date", "name servers", "status", "passive dns", "urls", "scan endpoints", "all scoreblue", "pulse submit", "url analysis", "files", "no data", "tag count", "analyzer threat", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "heur", "cisco umbrella", "alexa top", "million", "site", "alexa", "maltiverse", "xcnfe", "safe site", "phishing", "remcos", "malicious", "miner", "bank", "agenttesla", "agent", "unknown", "downloader", "unsafe", "trojan", "detplock", "artemis", "networm", "win64", "redline stealer", "limerat", "venom rat", "trojanspy", "tld count", "png image", "jpeg image", "rgba", "exif standard", "tiff image", "pattern match", "ascii text", "united", "jfif", "sha1", "core", "general", "starfield", "hybrid", "local", "encrypt", "click", "strings", "adobea", "daga", "as30148 sucuri", "td tr", "search", "span td", "as44273 host", "creation date", "a domains", "xtra", "meta", "back", "verdict", "domain", "aaaa", "as15169 google", "asnone united", "nxdomain", "sucuri security", "a li", "span", "class", "body", "sucuri website", "a div", "authority", "record value", "showing", "gmt content", "x sucuri", "high", "related pulses", "show", "guard", "entries", "win32", "west domains", "next", "ipv4", "asnone germany", "object", "com cnt", "dem fin", "gov int", "nav onl", "phy pre", "formbook cnc", "checkin", "found", "error", "code", "create c", "read c", "delete", "write", "default", "dock", "execution", "copy", "xport", "firewall", "body doctype", "section", "dcrat", "analyzer paste", "iocs", "hostnames", "url https", "blacklist", "cl0p ransomware", "zbot", "malware site", "team memscan", "cl0p", "algorithm", "data", "v3 serial", "number", "cus starizona", "cngo daddy", "g2 validity", "subject public", "key info", "certificate", "whois lookup", "netrange", "nethandle", "net192", "net1920000", "as174", "as3257", "sucuri", "sucur2", "verisign", "whois database", "server", "registrar abuse", "icann whois", "whois status", "registrar iana", "form", "temple", "first", "android", "win32 exe", "html", "bobby fischer", "office open", "detections type", "name", "pdf dealer", "price list", "pdf my", "crime", "taiwan unknown", "as3462", "as131148 bank", "as21342", "all search", "otx scoreblue", "pulse pulses", "cname", "as22612", "as43350 nforce", "win32upatre jun", "expiration date", "hostname", "lowfi", "date hash", "avast avg", "date checked", "url hostname", "server response", "google safe", "results jun", "files show", "registrar", "china unknown", "title", "network", "fakedout threat", "urls http", "maltiverse safe", "malicious url", "team", "phishtank", "services", "botnet command", "control server", "mining", "betabot", "team malware", "engineering", "stealer", "service", "vawtrak", "virut", "emotet", "simda", "redline", "fri oct", "media sharing", "known infection source", "bot networks", "malware", "malware repository", "spyware" ], "references": [ "https://www.searchw3.com/ = google.analytics.com, google.com, google.net, adservice.google.com.uy,https://plus.google.com/", "ns1.google.com, nussbaumlaw-ca.webpkgcache.com, plus.google.com, tddctx-com.webpkgcache.com,", "Ransomware: message.htm.com | nr-data.net [Apple Private Data Collection]", "https://otx.alienvault.com/indicator/file/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b", "Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk uses_windows_utilities", "Alerts: cmdline_http_link clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint", "Alerts: anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self", "Alerts: stealth_window cmdline_http_link uses_windows_utilities suspicious_command_tools dead_connect", "IP\u2019s Contacted: 192.124.249.187", "Possible Fake AV Checkin Kazy/Kryptor/Cycbot Trojan Checkin BetterInstaller Win32.AdWare.iBryte.C Install Dooptroop CnC Beacon Win32/DownloadAssistant.A PUP CnC Win32.Sality-GR Checkin Win32/FlyStudio Activity W32/InstallRex.Adware Initial CnC Beacon PUP Win32/DownloadAssistant.A Checkin", "Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities", "Alerts: enumerates_physical_drives clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile", "Alerts: clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities", "www.google.com/images/branding/googlelogo/1x/googlelogo, https://www.google.com/recaptcha/api.js?onload=recaptchaCallback&render=explicit&hl=", "www.google.com/images/branding/googlelogo/2x/googlelogo, www.google.com/images/errors/robot.png, www.google.com, www.google.com/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Cl0p", "display_name": "Cl0p", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" } ], "industries": [], "TLP": "green", "cloned_from": "6688e0ffb31d4881f3238713", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 4080, "URL": 11952, "hostname": 4638, "domain": 4301, "FileHash-MD5": 2236, "FileHash-SHA1": 1140, "CVE": 8, "SSLCertFingerprint": 20, "email": 8, "CIDR": 1 }, "indicator_count": 28384, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "7 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a11810e7bc0d9d7652b4fcb", "name": "* ghostware * CAPE Sandbox", "description": "[Results of an analysis of a KVM operating system, conducted by the MIT Research Institute (MIT), are published on the web. \u00c2\u00a32.5m.com (\u20ac3.4m; $4.6m).] pretext. a deeper follow up on impression domain from the last post shared. this is some of the evasive 2019-2020 attached malware in a sandbox. this is not easy to track or flag. Lb, cape, zenbox, vt are exceptional at this. Interesting string: preload js notes, \"fired\". this sha indicator won't run a sandbox despite all the flags: [a57ac7b63c282739aa...] though it now appears revoked - attached the certs in any event. (1 exp2 valid) exp:cosmina beteringhe\nStatus\nCertificate out of its validity period\nIssuer\nApple Inc.\nValid From\n02:08 PM 04/02/2019\nValid To\n02:08 PM 04/02/2024\nAlgorithm\nsha256WithRSAEncryption\nThumbprint\nB60CA526B0B84F7FF9B9CACC70702C5C10985B2C\nSerial Number\n6D E1 8E C8 70 AC A3 3E team identity:HYC4353YBE", "modified": "2026-05-23T10:44:37.782000", "created": "2026-05-23T10:27:26.040000", "tags": [ "token", "instance id", "date", "request", "version", "start", "callback", "indicate", "send instance", "id token", "default", "cname", "accept", "shell folders", "folders", "gmt ifnonematch", "cape sandbox", "bootkit", "t1055", "t1542", "shutdown", "defense evasion", "filename", "userclass", "source", "adprovider", "pair", "count", "null", "newtab", "result", "chrome web", "file type", "file size", "sha1", "mwdb", "bazaar", "sha3384", "ssdeep", "virtual address", "adknowledge", "guard", "loads", "back", "typeof", "catch", "impression", "none", "xmlhttprequest", "signaturehz", "mitre attack", "network info", "sigma", "program", "overview", "processes extra", "overview zenbox", "verdict", "guest system", "ultimate file", "next", "has permission", "t1430 location", "zenbox android", "persistence", "issuer apple", "valid from", "valid", "serial number", "ac a3", "apple inc", "status valid", "thumbprint", "mac os", "x executable", "info file", "info", "a9 a8" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/37dcea337208645ad344413d9a8350033fe2264c91cc91a5a2bf50045d92a67c_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779530336&Signature=p6VwVgKhapyzo9Qdy2STgvqVBCILyIVDELmCCzKAI3VnzeLfXf8kMElRnqtXzyceHxnFobEu5%2Bzot74n2%2FKVdQLGgjSNmpbV1vxI4qIMW44TnqKJz7q%2Bzl9L2qPXk2Xd24irnPUYT4Z6b52nITm3rElixM%2FxW5B7cYrEPVdMEQQ3axn7fZMtVXkHyakt5UbZUnglSc97W7kjMO7OSb6qTfAhWNZuFLn0hPzN3JeCVc6eH2VaF8qrMW", "https://vtbehaviour.commondatastorage.googleapis.com/37dcea337208645ad344413d9a8350033fe2264c91cc91a5a2bf50045d92a67c_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779530360&Signature=IoNgUEkiuiM2X4a2ueL9rEQPSxM3pwV%2Fg9ppA8C%2BBjHNorpe2t8rUBwA%2BU0UhSwLHm3J9bx4il%2Buly8trboaDKTDgdTvpIFdsHRjkQYF%2F8P2ot8tg5AnQeLV9Q8ddUazck3uN2LTNyDFCh5HiWfU%2FJ4BytbiANmLC8gGyCjX%2FX5Y%2FkYYJwEtsw0W90i9lyhlbNX%2FbAor8c1%2FRyPwUh8klvuYGDxvlbeal0nSXVYLSy", "https://vtbehaviour.commondatastorage.googleapis.com/59bd2b3f9e4fbc79518a31738080bc4b9b35b42f6e5a3b5c3a306e0b9aae7f2c_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779530394&Signature=EFtQdaqkkeNu27kPO7Zob0bl261oVyzlQmNL5Z9HnrD%2FemHBUX4%2BsRO8wGhrK9e53idu5dP%2FqFvjC3fYYvXzyeKs6x0kO0IqPs5Pp6y422zCXP9gKR7xBfnQIQtmWDVaBb4znOzF35Jd76v4D1Y4btKPazPqsa2hq38U%2F2BTS2Fjqng%2BtZLtgjXCV7Qy1iJuoL4wZxus6aU6uyk4Gt4%2FwQOFSxhXM9Sg6EzneRhhFzAhHkOWzW", "https://vtbehaviour.commondatastorage.googleapis.com/8203df818e55602f58e12749c5f43ef382d5829c540953ef5acd613e9339bbfa_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779530419&Signature=UGGjvrHysNTHqCP%2F98o%2Bwr%2BBuUURMkCiQxj24hY6gaY6O3Jzu8n5c1DTGQyxmFDLTNd%2BVEq%2BLjiAQEKKja33wGAeycq9H84UiQaOgy5xch0rQRhWlH9BAU1XQopkUIfjd%2F%2FjszJyY9f5GeBUviWGN0fk%2Fjf%2Bu70ZC8sViEooYie0vbqyBBZF4n4kjfdDoEDUXKU9hjk4W9PIBcH1Y8tyFonohbjbq7%2BZwzERUsYwo2", "https://vtbehaviour.commondatastorage.googleapis.com/8203df818e55602f58e12749c5f43ef382d5829c540953ef5acd613e9339bbfa_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779530508&Signature=GssLnauiY160oyi8Jf10sDf4bL46z5UIfcX%2F1jMAIWwy97%2Fw9GjbHzS38wt5ybxoiMkSIsTN%2BYE7Vd7kc7zHkudP8K6D2g6bTFX%2B%2Bao4FK6e0OYbJXqb%2BPeNSgeqrHMrCeXIW1H8RCC5QXuEjkQrE4TPFja5Gc790vYMvsT5oAuxbnFAzjQM%2BTwMcjJ1k9dWR0Hoh694C2boFVdHy3LxQkv7vk6CSmjQcZ4bBbHmEMC%2FNd", "https://vtbehaviour.commondatastorage.googleapis.com/7f9899e42bccdd1d6479b573fb1bb9277b4bd42e8f6ef73c5456f606949e7cf5_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779530727&Signature=xFLQpUtdhw77th%2BADVS4Sl3y8VCEFYpShlfIJ6D6zJme%2BtY0lUlxv2N7hvxGbwSTYKBYQSyu735BqpgvSUc5e%2BC%2B9XseD6ERlB2kCJmvUPalqCOgZABMyb6mGaG5MMGgxP19UjM1qrUOxI2iJSjEQQ4LLmmkLf7%2B6XGhtqkIG4O2hZ5ABCrdbqytgJkuVl7VMDYelEnoYLLma9GDq1ytLfUObtoINW48v1xg1Mykxldjv6gV2DWr", "https://vtbehaviour.commondatastorage.googleapis.com/37dcea337208645ad344413d9a8350033fe2264c91cc91a5a2bf50045d92a67c_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779530784&Signature=CYyyJeKkeGqnH6T6m5Xruegrlkv2udvHSUC4MgjgnkaJP2%2BkZUvTfdoh5S5uXQZbk0By%2Bg1akNr3AALQqY%2B0SNoOJdW5fHCOavOpIuNkgM4efnxQQyuhR%2F6eccAejXvy0cFPKDUhdhvbItcx7lkgLwM3MhWL%2FzNneeST7yUf3g8Pad72u7BrItBCkJ23R2quBuKT3G22OMfreYhprgO398iL0htbNTBKh4csLc9QtPI%2FabWco3", "https://vtbehaviour.commondatastorage.googleapis.com/e068d8d9f9dae873ec78bd5a88df561893c18b1df6200a958a864c34d27e0a3d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779530824&Signature=oRifg%2BGsx5SCY%2B4rLdvAqryqS3Xlu3DCrHZifO%2Bh9YOQAM4528P%2Bi6LzgYdE0hyDe8HlrfIhswkzkUOf8K4%2FzdoebqTYkwrHmPiJeW4cetq5F2qEeUU7RVbiXVUvLGYwThftr3BuB%2FtW3u%2Fl9v9AyS38ZTrk3B%2BjdQI5OqLikCMwV9lO%2B3lOB05pg6dpqHO3ycZUK2sMy5MgMqqyj%2FY2HLFVTv4wp4ea8PF%2Fswj4", "https://vtbehaviour.commondatastorage.googleapis.com/1b153c384510546d105b067e8b1be208f0686914841758441e857d7ffb18fa72_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779531163&Signature=ymkpXNrWILdVetVt90LhjbwNPIy4I%2FXM%2B0jq5xPK4FE6N61CBJ0ZKsP%2FbvZXOM5lKJdG6ltKQtldTuXskK26NlEwbRlzn90t1KGmXS6%2FkK7pgbFTNlA9BWYrDLciKwIZJJeFn46IMGSClXk0BXzcveuQWp4G%2BnIJwwWw0EjgU6ONUydOZW4DhKFhmEvNGfqPrEd6apNA3C39kZP%2Bql4tWV7ma8oAP9cHc7RyoO%2Fw4zbcJKmP", "https://vtbehaviour.commondatastorage.googleapis.com/1b153c384510546d105b067e8b1be208f0686914841758441e857d7ffb18fa72_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779531236&Signature=hz%2BT6I69NdrwImMGk8kcXqNnwp7K7z5sLWg7P7JvUVEckT5yV9zVAooLzjLyQGgNBxh%2Bw35npaMota9ooiK%2Bd3BWFd%2Bzr%2BUm76cQbsuLV5NH2LWXQFw1YzoSEXeXl4wmdHCWX4%2BP9tulqXFWpRQ4oOvqHWV10QWM4ubzWdft4N%2FCy4fQ90Iubm%2F1ywQ%2FuG66nNIy6ArwArpf2Md9Wb2k%2BVSwvmrPJqDUAM868u1jznd8SeGkYX", "https://vtbehaviour.commondatastorage.googleapis.com/23671e33d82282324fc51576616dbb92814adc4d17eb7014dc4e2f891ea7f4ae_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779531342&Signature=MsuL%2B3SZcdwh8PtkojSZiAkej0M%2FX59YS9DllA%2BRLg6Z%2FV43R4XBkqKm%2BsQjDvTRdh%2BFRjO2rtuvYPHG%2By1RpurAOIjZEBs3F2ZYmv6mE62mgf4bDqgnUZS5myKTtlD%2BnuWRL7up%2B197%2F4VEXIqM8hxzhGDo7jmUeU0HERH%2FUnTThLnOjAWlGHNITZ7ffU0tKlYMKo%2BHqAkV9AerG5R%2FZdAh7nZidUf8wYpV", "https://vtbehaviour.commondatastorage.googleapis.com/79b0e5df7c5ebe1b2967a3d161ec0283531f20beb58cd8eb8e343f7ecbf0e142_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779531881&Signature=J%2FX46%2BkQxXt0avuUofAv2FrDA2NcHoY81F%2F%2FCOybzM72s9GqDbl34Hk6nMuCyVJ9cyKFYU4dKZ5PGnS5MZLN7tzYDYnGF6tmsCd56oCgYS4IN8%2Ffm7xi81ELi3QsBaKZaSKBYTcBzQZOzBgTX%2BjFL%2FH291KDNrb5QKNV0OYNHKzFrKXUZzUNPTZgDw2%2B2XVV4tQzxtRNdm0kQW19OOOv29%2FY0E9CK9qRsl4Nu2otAW" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1406", "name": "Obfuscated Files or Information", "display_name": "T1406 - Obfuscated Files or Information" }, { "id": "T1409", "name": "Access Stored Application Data", "display_name": "T1409 - Access Stored Application Data" }, { "id": "T1418", "name": "Application Discovery", "display_name": "T1418 - Application Discovery" }, { "id": "T1421", "name": "System Network Connections Discovery", "display_name": "T1421 - System Network Connections Discovery" }, { "id": "T1424", "name": "Process Discovery", "display_name": "T1424 - Process Discovery" }, { "id": "T1426", "name": "System Information Discovery", "display_name": "T1426 - System Information Discovery" }, { "id": "T1430", "name": "Location Tracking", "display_name": "T1430 - Location Tracking" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 194, "FileHash-MD5": 63, "FileHash-SHA1": 65, "FileHash-SHA256": 456, "domain": 116, "hostname": 495, "URL": 862, "email": 1 }, "indicator_count": 2252, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "8 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a1181104aab1e5b6484a6d2", "name": "* ghostware * CAPE Sandbox", "description": "[Results of an analysis of a KVM operating system, conducted by the MIT Research Institute (MIT), are published on the web. \u00c2\u00a32.5m.com (\u20ac3.4m; $4.6m).] pretext. a deeper follow up on impression domain from the last post shared. this is some of the evasive 2019-2020 attached malware in a sandbox. this is not easy to track or flag. Lb, cape, zenbox, vt are exceptional at this. Interesting string: preload js notes, \"fired\". this sha indicator won't run a sandbox despite all the flags: [a57ac7b63c282739aa...] though it now appears revoked - attached the certs in any event. (1 exp2 valid) exp:cosmina beteringhe\nStatus\nCertificate out of its validity period\nIssuer\nApple Inc.\nValid From\n02:08 PM 04/02/2019\nValid To\n02:08 PM 04/02/2024\nAlgorithm\nsha256WithRSAEncryption\nThumbprint\nB60CA526B0B84F7FF9B9CACC70702C5C10985B2C\nSerial Number\n6D E1 8E C8 70 AC A3 3E team identity:HYC4353YBE", "modified": "2026-05-23T10:34:56.494000", "created": "2026-05-23T10:27:28.048000", "tags": [ "token", "instance id", "date", "request", "version", "start", "callback", "indicate", "send instance", "id token", "default", "cname", "accept", "shell folders", "folders", "gmt ifnonematch", "cape sandbox", "bootkit", "t1055", "t1542", "shutdown", "defense evasion", "filename", "userclass", "source", "adprovider", "pair", "count", "null", "newtab", "result", "chrome web", "file type", "file size", "sha1", "mwdb", "bazaar", "sha3384", "ssdeep", "virtual address", "adknowledge", "guard", "loads", "back", "typeof", "catch", "impression", "none", "xmlhttprequest", "signaturehz", "mitre attack", "network info", "sigma", "program", "overview", "processes extra", "overview zenbox", "verdict", "guest system", "ultimate file", "next", "has permission", "t1430 location", "zenbox android", "persistence", "issuer apple", "valid from", "valid", "serial number", "ac a3", "apple inc", "status valid", "thumbprint", "mac os", "x executable", "info file", "info", "a9 a8" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/37dcea337208645ad344413d9a8350033fe2264c91cc91a5a2bf50045d92a67c_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779530336&Signature=p6VwVgKhapyzo9Qdy2STgvqVBCILyIVDELmCCzKAI3VnzeLfXf8kMElRnqtXzyceHxnFobEu5%2Bzot74n2%2FKVdQLGgjSNmpbV1vxI4qIMW44TnqKJz7q%2Bzl9L2qPXk2Xd24irnPUYT4Z6b52nITm3rElixM%2FxW5B7cYrEPVdMEQQ3axn7fZMtVXkHyakt5UbZUnglSc97W7kjMO7OSb6qTfAhWNZuFLn0hPzN3JeCVc6eH2VaF8qrMW", "https://vtbehaviour.commondatastorage.googleapis.com/37dcea337208645ad344413d9a8350033fe2264c91cc91a5a2bf50045d92a67c_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779530360&Signature=IoNgUEkiuiM2X4a2ueL9rEQPSxM3pwV%2Fg9ppA8C%2BBjHNorpe2t8rUBwA%2BU0UhSwLHm3J9bx4il%2Buly8trboaDKTDgdTvpIFdsHRjkQYF%2F8P2ot8tg5AnQeLV9Q8ddUazck3uN2LTNyDFCh5HiWfU%2FJ4BytbiANmLC8gGyCjX%2FX5Y%2FkYYJwEtsw0W90i9lyhlbNX%2FbAor8c1%2FRyPwUh8klvuYGDxvlbeal0nSXVYLSy", "https://vtbehaviour.commondatastorage.googleapis.com/59bd2b3f9e4fbc79518a31738080bc4b9b35b42f6e5a3b5c3a306e0b9aae7f2c_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779530394&Signature=EFtQdaqkkeNu27kPO7Zob0bl261oVyzlQmNL5Z9HnrD%2FemHBUX4%2BsRO8wGhrK9e53idu5dP%2FqFvjC3fYYvXzyeKs6x0kO0IqPs5Pp6y422zCXP9gKR7xBfnQIQtmWDVaBb4znOzF35Jd76v4D1Y4btKPazPqsa2hq38U%2F2BTS2Fjqng%2BtZLtgjXCV7Qy1iJuoL4wZxus6aU6uyk4Gt4%2FwQOFSxhXM9Sg6EzneRhhFzAhHkOWzW", "https://vtbehaviour.commondatastorage.googleapis.com/8203df818e55602f58e12749c5f43ef382d5829c540953ef5acd613e9339bbfa_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779530419&Signature=UGGjvrHysNTHqCP%2F98o%2Bwr%2BBuUURMkCiQxj24hY6gaY6O3Jzu8n5c1DTGQyxmFDLTNd%2BVEq%2BLjiAQEKKja33wGAeycq9H84UiQaOgy5xch0rQRhWlH9BAU1XQopkUIfjd%2F%2FjszJyY9f5GeBUviWGN0fk%2Fjf%2Bu70ZC8sViEooYie0vbqyBBZF4n4kjfdDoEDUXKU9hjk4W9PIBcH1Y8tyFonohbjbq7%2BZwzERUsYwo2", "https://vtbehaviour.commondatastorage.googleapis.com/8203df818e55602f58e12749c5f43ef382d5829c540953ef5acd613e9339bbfa_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779530508&Signature=GssLnauiY160oyi8Jf10sDf4bL46z5UIfcX%2F1jMAIWwy97%2Fw9GjbHzS38wt5ybxoiMkSIsTN%2BYE7Vd7kc7zHkudP8K6D2g6bTFX%2B%2Bao4FK6e0OYbJXqb%2BPeNSgeqrHMrCeXIW1H8RCC5QXuEjkQrE4TPFja5Gc790vYMvsT5oAuxbnFAzjQM%2BTwMcjJ1k9dWR0Hoh694C2boFVdHy3LxQkv7vk6CSmjQcZ4bBbHmEMC%2FNd", "https://vtbehaviour.commondatastorage.googleapis.com/7f9899e42bccdd1d6479b573fb1bb9277b4bd42e8f6ef73c5456f606949e7cf5_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779530727&Signature=xFLQpUtdhw77th%2BADVS4Sl3y8VCEFYpShlfIJ6D6zJme%2BtY0lUlxv2N7hvxGbwSTYKBYQSyu735BqpgvSUc5e%2BC%2B9XseD6ERlB2kCJmvUPalqCOgZABMyb6mGaG5MMGgxP19UjM1qrUOxI2iJSjEQQ4LLmmkLf7%2B6XGhtqkIG4O2hZ5ABCrdbqytgJkuVl7VMDYelEnoYLLma9GDq1ytLfUObtoINW48v1xg1Mykxldjv6gV2DWr", "https://vtbehaviour.commondatastorage.googleapis.com/37dcea337208645ad344413d9a8350033fe2264c91cc91a5a2bf50045d92a67c_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779530784&Signature=CYyyJeKkeGqnH6T6m5Xruegrlkv2udvHSUC4MgjgnkaJP2%2BkZUvTfdoh5S5uXQZbk0By%2Bg1akNr3AALQqY%2B0SNoOJdW5fHCOavOpIuNkgM4efnxQQyuhR%2F6eccAejXvy0cFPKDUhdhvbItcx7lkgLwM3MhWL%2FzNneeST7yUf3g8Pad72u7BrItBCkJ23R2quBuKT3G22OMfreYhprgO398iL0htbNTBKh4csLc9QtPI%2FabWco3", "https://vtbehaviour.commondatastorage.googleapis.com/e068d8d9f9dae873ec78bd5a88df561893c18b1df6200a958a864c34d27e0a3d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779530824&Signature=oRifg%2BGsx5SCY%2B4rLdvAqryqS3Xlu3DCrHZifO%2Bh9YOQAM4528P%2Bi6LzgYdE0hyDe8HlrfIhswkzkUOf8K4%2FzdoebqTYkwrHmPiJeW4cetq5F2qEeUU7RVbiXVUvLGYwThftr3BuB%2FtW3u%2Fl9v9AyS38ZTrk3B%2BjdQI5OqLikCMwV9lO%2B3lOB05pg6dpqHO3ycZUK2sMy5MgMqqyj%2FY2HLFVTv4wp4ea8PF%2Fswj4", "https://vtbehaviour.commondatastorage.googleapis.com/1b153c384510546d105b067e8b1be208f0686914841758441e857d7ffb18fa72_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779531163&Signature=ymkpXNrWILdVetVt90LhjbwNPIy4I%2FXM%2B0jq5xPK4FE6N61CBJ0ZKsP%2FbvZXOM5lKJdG6ltKQtldTuXskK26NlEwbRlzn90t1KGmXS6%2FkK7pgbFTNlA9BWYrDLciKwIZJJeFn46IMGSClXk0BXzcveuQWp4G%2BnIJwwWw0EjgU6ONUydOZW4DhKFhmEvNGfqPrEd6apNA3C39kZP%2Bql4tWV7ma8oAP9cHc7RyoO%2Fw4zbcJKmP", "https://vtbehaviour.commondatastorage.googleapis.com/1b153c384510546d105b067e8b1be208f0686914841758441e857d7ffb18fa72_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779531236&Signature=hz%2BT6I69NdrwImMGk8kcXqNnwp7K7z5sLWg7P7JvUVEckT5yV9zVAooLzjLyQGgNBxh%2Bw35npaMota9ooiK%2Bd3BWFd%2Bzr%2BUm76cQbsuLV5NH2LWXQFw1YzoSEXeXl4wmdHCWX4%2BP9tulqXFWpRQ4oOvqHWV10QWM4ubzWdft4N%2FCy4fQ90Iubm%2F1ywQ%2FuG66nNIy6ArwArpf2Md9Wb2k%2BVSwvmrPJqDUAM868u1jznd8SeGkYX", "https://vtbehaviour.commondatastorage.googleapis.com/23671e33d82282324fc51576616dbb92814adc4d17eb7014dc4e2f891ea7f4ae_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779531342&Signature=MsuL%2B3SZcdwh8PtkojSZiAkej0M%2FX59YS9DllA%2BRLg6Z%2FV43R4XBkqKm%2BsQjDvTRdh%2BFRjO2rtuvYPHG%2By1RpurAOIjZEBs3F2ZYmv6mE62mgf4bDqgnUZS5myKTtlD%2BnuWRL7up%2B197%2F4VEXIqM8hxzhGDo7jmUeU0HERH%2FUnTThLnOjAWlGHNITZ7ffU0tKlYMKo%2BHqAkV9AerG5R%2FZdAh7nZidUf8wYpV", "https://vtbehaviour.commondatastorage.googleapis.com/79b0e5df7c5ebe1b2967a3d161ec0283531f20beb58cd8eb8e343f7ecbf0e142_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779531881&Signature=J%2FX46%2BkQxXt0avuUofAv2FrDA2NcHoY81F%2F%2FCOybzM72s9GqDbl34Hk6nMuCyVJ9cyKFYU4dKZ5PGnS5MZLN7tzYDYnGF6tmsCd56oCgYS4IN8%2Ffm7xi81ELi3QsBaKZaSKBYTcBzQZOzBgTX%2BjFL%2FH291KDNrb5QKNV0OYNHKzFrKXUZzUNPTZgDw2%2B2XVV4tQzxtRNdm0kQW19OOOv29%2FY0E9CK9qRsl4Nu2otAW" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1406", "name": "Obfuscated Files or Information", "display_name": "T1406 - Obfuscated Files or Information" }, { "id": "T1409", "name": "Access Stored Application Data", "display_name": "T1409 - Access Stored Application Data" }, { "id": "T1418", "name": "Application Discovery", "display_name": "T1418 - Application Discovery" }, { "id": "T1421", "name": "System Network Connections Discovery", "display_name": "T1421 - System Network Connections Discovery" }, { "id": "T1424", "name": "Process Discovery", "display_name": "T1424 - Process Discovery" }, { "id": "T1426", "name": "System Information Discovery", "display_name": "T1426 - System Information Discovery" }, { "id": "T1430", "name": "Location Tracking", "display_name": "T1430 - Location Tracking" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 70, "FileHash-MD5": 19, "FileHash-SHA1": 18, "FileHash-SHA256": 412, "domain": 96, "hostname": 409, "URL": 810, "email": 1 }, "indicator_count": 1835, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "8 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69e6b5db72b21e3d8990ad72", "name": "private", "description": "", "modified": "2026-05-20T23:09:29.909000", "created": "2026-04-20T23:25:15.465000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 212, "URL": 283, "hostname": 192, "FileHash-SHA256": 136, "FileHash-MD5": 121, "FileHash-SHA1": 117, "email": 13, "URI": 3 }, "indicator_count": 1077, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "10 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a07250fb9562ea208d26946", "name": "Credit *Q.Vashti* Clone [\u2022 Virus Total | P.S Banker | Attacked/Blocked \u2022] ", "description": "", "modified": "2026-05-16T05:47:36.553000", "created": "2026-05-15T13:52:15.176000", "tags": [ "indicator role", "active related", "ck ids", "files", "information", "discovery", "mitre att", "pattern match", "ck id", "ck matrix", "ascii text", "united", "binary file", "april", "hybrid", "apikey", "general", "local", "path", "iframe", "click", "protocol", "learn", "suspicious", "informative", "command", "adversaries", "spawns", "execution att", "related pulses", "dll read", "function read", "icmp traffic", "machineguid", "systembiosdate", "total", "read", "write", "network_icmp", "js_eval", "recon_fingerprint", "msie", "windows nt", "wow64", "slcc2", "media center", "tlsv1", "tls handshake", "execution", "dock", "persistence", "malware", "unknown", "neue", "certificate", "error", "scans show", "record value", "title site", "servers", "emails", "all hostname", "dnsadmin", "data upload", "extraction", "failed", "include review", "exclude sugges", "find s", "typ no", "active", "urls", "ip address", "asn as54113", "registrar", "wscript", "united states", "stcalifornia", "lmountain view", "ogoogle llc", "ogoogle trust", "cngts ca", "whitelisted", "as15169", "hostile", "crash", "contacted", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "file score", "detections alf", "hostile yara", "detections none", "less ip", "domains", "ms windows", "intel", "pe32", "regsetvalueexa", "langturkish", "sublangdefault", "port", "destination", "entries", "worm", "delphi", "win32", "body", "explorer", "defender", "regdword", "false", "true", "end sub", "object", "createobject", "sheetschanged", "private sub", "string", "boolean", "cancel", "trojan", "copy", "query", "dns update", "useragent", "myapp", "delphi alerts", "alerts deadhost", "women who code", "tulach", "114.114.114.114", "samuel", "brian sabey" ], "references": [ "https://www.virustotal.com/gui/search/maxsecure:%22virus.webtoolbar.w32.searchsuite.gen_227097%22%20entity:file", "this.target", "c6pPVZhf.exe FileHash-SHA256 99e60fbd12fa9cffb9e84b4f8fa53169cd9eb965f083337de1995926a5ed83f1", "amazon.com \u2022 pki.goog \u2022 google-analytics.com", "authrootstl.cab common file extension", "dlvr.it \u2022 securityaffairs.com \u2022 wscript.shell", "https://securityaffairs.com/144927/cyber-crime~#", "https://securityaffairs.com/144927/cyber-crime/qbot-campaign-april-2023.html", "virustotalcloud.firebaseapp.com \u2022 firebaseapp.com \u2022 firebase.google.com \u2022 dns-admin@google.com", "https://clockoutbox.es/password", "http://cr-malware.testpanw.com/url", "IDS Detections: Query to a *.pw domain - Likely Hostile", "Alerts: network_icmp deletes_executed_files injection_resumethread dumped_buffer", "Alerts: network_http nids_alert suspicious_tld allocates_rwx antisandbox_foregroundwindows", "Alerts: applcation_raises_exception creates_exe suspicious_process stealth_window uses_", "Alerts: windows_utilities antivm_memory_available pe_features raises_exception", "IP\u2019s Contacted: 104.16.132.229 104.31.4.167 108.177.126.101 108.177.126.94 13.107.21.200 172.217.14.227", "IP\u2019s Contacted: 172.217.3.163 172.217.3.202 172.217.3.206 173.194.69.94", "Domains Contacted: www.youtube.com www.google.co.ck www.google.com ocsp.pki.goog", "Domains Contacted: www.virustotal.com www.gstatic.com fonts.googleapis.com", "Domains Contacted:: i.ytimg.com encrypted-tbn0.gstatic.com cponline.pw", "Win32:Crypt-SKC\\ [Trj] , Win.Malware.Delf-6899401-0 , Worm:Win32/AutoRun!atmn", "IDS Detections: W32.Bloat-A Checkin DYNAMIC_DNS Query to Abused Domain *.mooo.com Suspicious Dynamic DNS Update Request Suspicious User-Agent (MyApp)", "Yara Detections compromised_site_redirector_fromcharcode , Delphi", "Alerts: dead_host network_icmp persistence_autorun modifies_certificates modifies_proxy_wpad", "Alerts: multiple_useragents dumped_buffer networkdyndns_checkip network_http allocates_rwx", "IP\u2019s Contacted: 104.97.41.163 142.251.33.67 142.251.33.78 209.197.3.8 216.239.32.29", "Domains Contacted: pki.goog www.microsoft.com ocsp.pki.goog freedns.afraid.org", "Domains Contacted: xred.mooo.com www.download.windowsupdate.com docs.google.com", "114.114.114.114 = Tulach" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ALF:Trojan:Win64/PsBanker", "display_name": "ALF:Trojan:Win64/PsBanker", "target": null }, { "id": "Worm:Win32/AutoRun!atmn", "display_name": "Worm:Win32/AutoRun!atmn", "target": "/malware/Worm:Win32/AutoRun!atmn" }, { "id": "Trojan:O97M/Madeba.A!det", "display_name": "Trojan:O97M/Madeba.A!det", "target": "/malware/Trojan:O97M/Madeba.A!det" }, { "id": "Tulach", "display_name": "Tulach", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" } ], "industries": [], "TLP": "white", "cloned_from": "69dc04c12782d2d76c111a93", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1114, "hostname": 594, "domain": 200, "FileHash-SHA256": 2379, "FileHash-MD5": 426, "FileHash-SHA1": 259, "SSLCertFingerprint": 24, "email": 2, "IPv4": 1 }, "indicator_count": 4999, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "15 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a056cacb981e6f3b2dd4647", "name": "Hijacked 'Operation Endgame' Tofsee Ransomware clone credit scoreblue", "description": "", "modified": "2026-05-14T07:28:01.780000", "created": "2026-05-14T06:33:16.946000", "tags": [ "as8075", "united", "pid425870621", "tid700443057", "tpid425870621", "slot1", "mascore2", "bcnt1", "unid88000705", "nct1", "date", "china", "china unknown", "passive dns", "body xml", "error code", "requestid", "hostid ec", "server", "gmt content", "type", "registry", "intel", "ms windows", "show", "entries", "search", "high", "pe32", "high process", "injection t1055", "salicode", "worm", "copy", "tools", "service", "write", "win32", "persistence", "execution", "april", "urls", "http", "unique", "scan endpoints", "all scoreblue", "url http", "pulse pulses", "ip address", "related nids", "code", "as54113", "unknown", "body", "fastly error", "please", "sea p", "msil", "accept", "aaaa", "nxdomain", "whitelisted", "as15169 google", "status", "as44273 host", "as46691", "domain", "url https", "files location", "info", "script urls", "path max", "age86400 set", "cookie", "script domains", "javascript", "script script", "trojanspy", "cname", "emails", "servers", "all search", "related pulses", "file samples", "files matching", "creation date", "germany unknown", "yara detections", "filehash", "av detections", "ids detections", "alerts", "analysis date", "file score", "meta", "home welcome", "write c", "delete c", "query", "local", "hostname", "a domains", "lowfi", "content type", "record value", "suite", "showing", "asnone united", "as29873", "ipv4", "pulse submit", "url analysis", "files", "pe32 executable", "potential scan", "0pgtwhu", "t1045", "port", "infection", "recon", "malware", "june", "delphi", "taobao network", "as45102 alibaba", "as4812 china", "next", "expiration date", "name servers", "dynamicloader", "dynamic", "sha256", "dynamic link", "library exe", "adobe", "incorporated", "read", "yara rule", "delete", "binary file", "push", "malicious", "july", "iocs", "levelbluelabs", "jeff4son", "adversaries", "registry run", "flow t1574", "dll sideloading", "boot", "logon autostart", "execution t1547", "keys", "startup folder", "t1497 may", "encryption", "catalog tree", "analysis ob0001", "virtual machine", "detection b0009", "check registry", "analysis ob0002", "executable code", "stack strings", "control ob0004", "get http", "http requests", "dns resolutions", "ip traffic", "pattern domains", "memory pattern", "urls http", "request", "response", "connection", "trojan", "otx scoreblue", "windows", "embeddedwb", "medium", "shellexecuteexw", "msie", "windows nt", "displayname", "tofsee", "hashes", "vhash", "authentihash", "ssdeep", "win32 exe", "magic pe32", "trid win32", "library", "read c", "file guard", "rtversion", "langchinese", "legalcopyright", "reserved", "ransom", "moved", "media", "ascii text", "default", "upack", "mike", "contacted", "x87xe1x1d", "regsetvalueexa", "x95xd3xa4", "regbinary", "x84xa8xe8i", "x8dxb7xb7", "hx88x9ax1e", "mx81xd1r", "x92xac", "xc2x84", "stream", "swipper", "pdfcreator.sf.net", "botnet", "black mercedes", "please forgive me", "therahand thouroughhand" ], "references": [ "Project Endgame - pegausintel.com -Unsjre if related to NSO Group", "Antivirus Detections: ALF:HeraklezEval:Rogue:Win32/FakeRean", "Yara Detections: compromised_site_redirector_fromcharcode , Cabinet_Archive , SFX_CAB", "Alerts: infostealer_cookies persistence_autorun recon_programs recon_fingerprint removes_zoneid_ads anomalous_deletefile", "P\u2019s Contacted: 93.184.221.240 3.33.130.190 | Domains Contacted: counterslocal.com", "compromised_site_redirector_fromcharcode fromCharCode", "Interesting Strings: http://www.interoperabilitybridges.com/wmp http://crbug.com/40902 http://crbug.com/516527", "Interesting Strings: http://service.real.com/realplayer/security/02062012_player/en/", "Interesting Strings: https://support.google.com/chrome/?p=plugin_pdf", "https://support.google.com/chrome/?p=plugin_quicktime https://chrome.google.com/", "Interesting Strings: http://schema.org/GovernmentOrganization https://support.google.com/chrome/?p=plugin_java https://crbug.com/593166", "Pdf.Phishing.TtraffRobotInstall-7605656-0 00004feb58be42ba1bd506ea89f90c5e1d83e6e1fb84841931949a454b0bb539", "Antivirus Detections Cryp_Xed-12 , Mal/Generic-S , Packed/Upack Yara Detections Upackv039finalDwing , UpackV037Dwing", "https://pin.it/ | https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Worm:Win32/Macoute.A", "display_name": "Worm:Win32/Macoute.A", "target": "/malware/Worm:Win32/Macoute.A" }, { "id": "TrojanDownloader:Win32/Nemucod", "display_name": "TrojanDownloader:Win32/Nemucod", "target": "/malware/TrojanDownloader:Win32/Nemucod" }, { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "ALF:HeraklezEval:Rogue:Win32/FakeRean", "display_name": "ALF:HeraklezEval:Rogue:Win32/FakeRean", "target": null }, { "id": "Worm:Win32/Fesber.A", "display_name": "Worm:Win32/Fesber.A", "target": "/malware/Worm:Win32/Fesber.A" }, { "id": "Ransom:Win32/Eniqma.A", "display_name": "Ransom:Win32/Eniqma.A", "target": "/malware/Ransom:Win32/Eniqma.A" }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "UpackV037Dwing", "display_name": "UpackV037Dwing", "target": null }, { "id": "Cryp_Xed-12", "display_name": "Cryp_Xed-12", "target": null }, { "id": "Mal/Generic-S", "display_name": "Mal/Generic-S", "target": null } ], "attack_ids": [ { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" } ], "industries": [], "TLP": "green", "cloned_from": "66eb3ef6d765187a437767e4", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1521, "FileHash-SHA1": 1395, "FileHash-SHA256": 6084, "URL": 1499, "domain": 1947, "hostname": 1361, "email": 18, "CVE": 1 }, "indicator_count": 13826, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "17 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a056cac80d9b80eb1a97e29", "name": "Hijacked 'Operation Endgame' Tofsee Ransomware clone credit scoreblue", "description": "", "modified": "2026-05-14T07:14:09.098000", "created": "2026-05-14T06:33:16.505000", "tags": [ "as8075", "united", "pid425870621", "tid700443057", "tpid425870621", "slot1", "mascore2", "bcnt1", "unid88000705", "nct1", "date", "china", "china unknown", "passive dns", "body xml", "error code", "requestid", "hostid ec", "server", "gmt content", "type", "registry", "intel", "ms windows", "show", "entries", "search", "high", "pe32", "high process", "injection t1055", "salicode", "worm", "copy", "tools", "service", "write", "win32", "persistence", "execution", "april", "urls", "http", "unique", "scan endpoints", "all scoreblue", "url http", "pulse pulses", "ip address", "related nids", "code", "as54113", "unknown", "body", "fastly error", "please", "sea p", "msil", "accept", "aaaa", "nxdomain", "whitelisted", "as15169 google", "status", "as44273 host", "as46691", "domain", "url https", "files location", "info", "script urls", "path max", "age86400 set", "cookie", "script domains", "javascript", "script script", "trojanspy", "cname", "emails", "servers", "all search", "related pulses", "file samples", "files matching", "creation date", "germany unknown", "yara detections", "filehash", "av detections", "ids detections", "alerts", "analysis date", "file score", "meta", "home welcome", "write c", "delete c", "query", "local", "hostname", "a domains", "lowfi", "content type", "record value", "suite", "showing", "asnone united", "as29873", "ipv4", "pulse submit", "url analysis", "files", "pe32 executable", "potential scan", "0pgtwhu", "t1045", "port", "infection", "recon", "malware", "june", "delphi", "taobao network", "as45102 alibaba", "as4812 china", "next", "expiration date", "name servers", "dynamicloader", "dynamic", "sha256", "dynamic link", "library exe", "adobe", "incorporated", "read", "yara rule", "delete", "binary file", "push", "malicious", "july", "iocs", "levelbluelabs", "jeff4son", "adversaries", "registry run", "flow t1574", "dll sideloading", "boot", "logon autostart", "execution t1547", "keys", "startup folder", "t1497 may", "encryption", "catalog tree", "analysis ob0001", "virtual machine", "detection b0009", "check registry", "analysis ob0002", "executable code", "stack strings", "control ob0004", "get http", "http requests", "dns resolutions", "ip traffic", "pattern domains", "memory pattern", "urls http", "request", "response", "connection", "trojan", "otx scoreblue", "windows", "embeddedwb", "medium", "shellexecuteexw", "msie", "windows nt", "displayname", "tofsee", "hashes", "vhash", "authentihash", "ssdeep", "win32 exe", "magic pe32", "trid win32", "library", "read c", "file guard", "rtversion", "langchinese", "legalcopyright", "reserved", "ransom", "moved", "media", "ascii text", "default", "upack", "mike", "contacted", "x87xe1x1d", "regsetvalueexa", "x95xd3xa4", "regbinary", "x84xa8xe8i", "x8dxb7xb7", "hx88x9ax1e", "mx81xd1r", "x92xac", "xc2x84", "stream", "swipper", "pdfcreator.sf.net", "botnet", "black mercedes", "please forgive me", "therahand thouroughhand" ], "references": [ "Project Endgame - pegausintel.com -Unsjre if related to NSO Group", "Antivirus Detections: ALF:HeraklezEval:Rogue:Win32/FakeRean", "Yara Detections: compromised_site_redirector_fromcharcode , Cabinet_Archive , SFX_CAB", "Alerts: infostealer_cookies persistence_autorun recon_programs recon_fingerprint removes_zoneid_ads anomalous_deletefile", "P\u2019s Contacted: 93.184.221.240 3.33.130.190 | Domains Contacted: counterslocal.com", "compromised_site_redirector_fromcharcode fromCharCode", "Interesting Strings: http://www.interoperabilitybridges.com/wmp http://crbug.com/40902 http://crbug.com/516527", "Interesting Strings: http://service.real.com/realplayer/security/02062012_player/en/", "Interesting Strings: https://support.google.com/chrome/?p=plugin_pdf", "https://support.google.com/chrome/?p=plugin_quicktime https://chrome.google.com/", "Interesting Strings: http://schema.org/GovernmentOrganization https://support.google.com/chrome/?p=plugin_java https://crbug.com/593166", "Pdf.Phishing.TtraffRobotInstall-7605656-0 00004feb58be42ba1bd506ea89f90c5e1d83e6e1fb84841931949a454b0bb539", "Antivirus Detections Cryp_Xed-12 , Mal/Generic-S , Packed/Upack Yara Detections Upackv039finalDwing , UpackV037Dwing", "https://pin.it/ | https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Worm:Win32/Macoute.A", "display_name": "Worm:Win32/Macoute.A", "target": "/malware/Worm:Win32/Macoute.A" }, { "id": "TrojanDownloader:Win32/Nemucod", "display_name": "TrojanDownloader:Win32/Nemucod", "target": "/malware/TrojanDownloader:Win32/Nemucod" }, { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "ALF:HeraklezEval:Rogue:Win32/FakeRean", "display_name": "ALF:HeraklezEval:Rogue:Win32/FakeRean", "target": null }, { "id": "Worm:Win32/Fesber.A", "display_name": "Worm:Win32/Fesber.A", "target": "/malware/Worm:Win32/Fesber.A" }, { "id": "Ransom:Win32/Eniqma.A", "display_name": "Ransom:Win32/Eniqma.A", "target": "/malware/Ransom:Win32/Eniqma.A" }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "UpackV037Dwing", "display_name": "UpackV037Dwing", "target": null }, { "id": "Cryp_Xed-12", "display_name": "Cryp_Xed-12", "target": null }, { "id": "Mal/Generic-S", "display_name": "Mal/Generic-S", "target": null } ], "attack_ids": [ { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" } ], "industries": [], "TLP": "green", "cloned_from": "66eb3ef6d765187a437767e4", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1493, "FileHash-SHA1": 1393, "FileHash-SHA256": 5881, "URL": 1499, "domain": 1947, "hostname": 1360, "email": 18, "CVE": 1 }, "indicator_count": 13592, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "17 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69dc04c12782d2d76c111a93", "name": "VirusTotal \u2022 PsBanker \u2022 Attacked / Blocked", "description": "", "modified": "2026-05-12T20:40:08.152000", "created": "2026-04-12T20:46:57.338000", "tags": [ "indicator role", "active related", "ck ids", "files", "information", "discovery", "mitre att", "pattern match", "ck id", "ck matrix", "ascii text", "united", "binary file", "april", "hybrid", "apikey", "general", "local", "path", "iframe", "click", "protocol", "learn", "suspicious", "informative", "command", "adversaries", "spawns", "execution att", "related pulses", "dll read", "function read", "icmp traffic", "machineguid", "systembiosdate", "total", "read", "write", "network_icmp", "js_eval", "recon_fingerprint", "msie", "windows nt", "wow64", "slcc2", "media center", "tlsv1", "tls handshake", "execution", "dock", "persistence", "malware", "unknown", "neue", "certificate", "error", "scans show", "record value", "title site", "servers", "emails", "all hostname", "dnsadmin", "data upload", "extraction", "failed", "include review", "exclude sugges", "find s", "typ no", "active", "urls", "ip address", "asn as54113", "registrar", "wscript", "united states", "stcalifornia", "lmountain view", "ogoogle llc", "ogoogle trust", "cngts ca", "whitelisted", "as15169", "hostile", "crash", "contacted", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "file score", "detections alf", "hostile yara", "detections none", "less ip", "domains", "ms windows", "intel", "pe32", "regsetvalueexa", "langturkish", "sublangdefault", "port", "destination", "entries", "worm", "delphi", "win32", "body", "explorer", "defender", "regdword", "false", "true", "end sub", "object", "createobject", "sheetschanged", "private sub", "string", "boolean", "cancel", "trojan", "copy", "query", "dns update", "useragent", "myapp", "delphi alerts", "alerts deadhost", "women who code", "tulach", "114.114.114.114", "samuel", "brian sabey" ], "references": [ "https://www.virustotal.com/gui/search/maxsecure:%22virus.webtoolbar.w32.searchsuite.gen_227097%22%20entity:file", "this.target", "c6pPVZhf.exe FileHash-SHA256 99e60fbd12fa9cffb9e84b4f8fa53169cd9eb965f083337de1995926a5ed83f1", "amazon.com \u2022 pki.goog \u2022 google-analytics.com", "authrootstl.cab common file extension", "dlvr.it \u2022 securityaffairs.com \u2022 wscript.shell", "https://securityaffairs.com/144927/cyber-crime~#", "https://securityaffairs.com/144927/cyber-crime/qbot-campaign-april-2023.html", "virustotalcloud.firebaseapp.com \u2022 firebaseapp.com \u2022 firebase.google.com \u2022 dns-admin@google.com", "https://clockoutbox.es/password", "http://cr-malware.testpanw.com/url", "IDS Detections: Query to a *.pw domain - Likely Hostile", "Alerts: network_icmp deletes_executed_files injection_resumethread dumped_buffer", "Alerts: network_http nids_alert suspicious_tld allocates_rwx antisandbox_foregroundwindows", "Alerts: applcation_raises_exception creates_exe suspicious_process stealth_window uses_", "Alerts: windows_utilities antivm_memory_available pe_features raises_exception", "IP\u2019s Contacted: 104.16.132.229 104.31.4.167 108.177.126.101 108.177.126.94 13.107.21.200 172.217.14.227", "IP\u2019s Contacted: 172.217.3.163 172.217.3.202 172.217.3.206 173.194.69.94", "Domains Contacted: www.youtube.com www.google.co.ck www.google.com ocsp.pki.goog", "Domains Contacted: www.virustotal.com www.gstatic.com fonts.googleapis.com", "Domains Contacted:: i.ytimg.com encrypted-tbn0.gstatic.com cponline.pw", "Win32:Crypt-SKC\\ [Trj] , Win.Malware.Delf-6899401-0 , Worm:Win32/AutoRun!atmn", "IDS Detections: W32.Bloat-A Checkin DYNAMIC_DNS Query to Abused Domain *.mooo.com Suspicious Dynamic DNS Update Request Suspicious User-Agent (MyApp)", "Yara Detections compromised_site_redirector_fromcharcode , Delphi", "Alerts: dead_host network_icmp persistence_autorun modifies_certificates modifies_proxy_wpad", "Alerts: multiple_useragents dumped_buffer networkdyndns_checkip network_http allocates_rwx", "IP\u2019s Contacted: 104.97.41.163 142.251.33.67 142.251.33.78 209.197.3.8 216.239.32.29", "Domains Contacted: pki.goog www.microsoft.com ocsp.pki.goog freedns.afraid.org", "Domains Contacted: xred.mooo.com www.download.windowsupdate.com docs.google.com", "114.114.114.114 = Tulach" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "ALF:Trojan:Win64/PsBanker", "display_name": "ALF:Trojan:Win64/PsBanker", "target": null }, { "id": "Worm:Win32/AutoRun!atmn", "display_name": "Worm:Win32/AutoRun!atmn", "target": "/malware/Worm:Win32/AutoRun!atmn" }, { "id": "Trojan:O97M/Madeba.A!det", "display_name": "Trojan:O97M/Madeba.A!det", "target": "/malware/Trojan:O97M/Madeba.A!det" }, { "id": "Tulach", "display_name": "Tulach", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1114, "hostname": 594, "domain": 200, "FileHash-SHA256": 2379, "FileHash-MD5": 426, "FileHash-SHA1": 259, "SSLCertFingerprint": 24, "email": 2 }, "indicator_count": 4998, "is_author": false, "is_subscribing": null, "subscriber_count": 144, "modified_text": "18 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d8a665177b8f64c7ce5fca", "name": "LibraryLoader \u2022 Samuel Tulach | Abuse of malicious sssets engineered by DevOp & Security Researcher", "description": "Samuel Tulach is involved in various projects related to government work, particularly in areas like DevSecOps and app modernization. \nOverview of Samuel Tulach's \"uploader.exe\"\nThe file \"uploader.exe\" created by Samuel Tulach has been identified as malicious by several security engines. This classification indicates that the file poses a potential threat to users' systems.\nSecurity Engine Flags. Several security engines have flagged \"uploader.exe\" as malicious.\nSecureAge APEX\tMalicious\nSentinelOne\tMalicious\nImplications of Malicious Flags\nPotential Risks: Files flagged as malicious can lead to various security issues, including data theft, unauthorized access, or system damage.\nRecommended Actions: Users should avoid downloading or executing this file. If already downloaded, it is advisable to delete it and run a full system scan using reputable antivirus software.", "modified": "2026-05-10T06:16:04.519000", "created": "2026-04-10T07:27:33.587000", "tags": [ "x vercel", "united", "america", "germany malware", "family", "ck ids", "packing", "tulach", "ocsp", "extraction", "data upload", "enter sc", "extra data", "include review", "exclude sugges", "find s", "failed", "typ no", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "initial access", "defense evasion", "pattern match", "mitre att", "ascii text", "span", "title", "meta", "path", "april", "hybrid", "general", "local", "encrypt", "click", "strings", "main", "footer", "pcsb", "naga", "magda", "no expiration", "url https", "domain", "github pages", "a domains", "passive dns", "mtb jan", "class", "sea x", "accept encoding", "trojanspy", "accept", "otx logo", "all ipv4", "urls", "files", "america flag", "space", "ck matrix", "handle", "winvmaddress", "cdecl crashpad", "null", "software", "comment", "entity", "internal", "blank", "magic", "infinity", "first", "valentine", "error", "webview", "front", "patched", "root", "tristate", "libraryloader", "packing t1045", "icmp traffic", "memcommit", "pe section", "low software", "pe resource", "filehash", "win32", "malware", "write", "backdoor", "present apr", "lowfi", "aaaa", "lowfijavazkm", "x.com", "dynamicloader", "crlf line", "unicode text", "utf8", "ee fc", "ff d5", "yara rule", "f0 ff", "eb e1", "unknown", "trojan", "zeppelin", "autorun", "united states", "china unknown", "div div", "ip address", "record value", "samuel tulach", "czechia unknown", "italy unknown", "gmt server", "all domain", "next associated", "reverse dns", "location czech", "all filehash", "md5 add", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "file score", "file type", "telfhash", "virustotal api", "vendor finding", "notes clamav", "files matching", "number", "t1045", "search", "directui", "element", "medium", "classinfobase", "value", "write c", "hwndhost", "sapeav12", "worm", "explorer", "insert", "movie", "mtb apr", "mtb mar", "trojandropper", "displayname", "windows", "high", "delete c", "tofsee", "stream", "push", "url http", "c mar", "virtool", "c jan", "c dec", "toolbar", "ransom", "article", "windows nt", "gmtvia", "html", "bad traffic", "et info", "tls handshake", "belgium", "present dec", "present feb", "intel", "elf upx", "medium risk", "info", "moved", "hostname add", "whois registrar", "media", "delphi", "guard", "code", "devsecops", "github", "github internet", "archive samuel", "tulach", "government work", "key areas", "devops process", "security engine", "flags", "apex malicious", "implications", "malicious flags", "potential risks", "name servers", "apple id", "script urls", "show process", "secure", "win64", "khtml", "gecko", "programfiles", "cookie", "comspec", "model", "june", "spawns", "id name", "malicious", "gui", "anti cheats", "game tech", "c++" ], "references": [ "https://nextcloud.tulach.cc/ \u2022 https://nextcloud.tulach.cc/", "bleepingcomputer.com \u2022 CliffsNotes", "x.com - Malware Packed", "nr-data.net \u2022 www.youtube.com", "Alerts network_icmp allocates_rwx packer_entropy pe_features pe_unknown_resource_name Related Pulses", "https://www.youtube.com/youtubei/v1/log_event?alt=json&key=AIzaSyAO_FJ2SlqU8Q4STEHLGCilw_Y9_11qcW8", "discord.com \u2022 discord.gg", "api.item.yixun.com", "Unix.Trojan.Mirai-9441505-0 Yara Detections is__elf \u2022 217.11.249.145", "Domains Contacted: fenbushijujuefuwu.com", "angryblackwomyn.com", "https://medium.com/the-pink/how-a-white-womans-anger-makes-her-racism-spill-out-563853905a42", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/41ad1d349716b3e62f914c0907323ae8e0a37198d237a02d71a0d5e05ffaa727", "https://www.forpsi.com domain forpsi.com\t Domain asp.net", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "http://www.anyxxxtube.net/search-porn/tsara-brashears/", "pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "www.youtube.com/watch?v=GyuMozsVyYs (why would targets channel be controlled by Tulach)", "https://x.com/Atlassian__;JS8!!J7H9jp7aFkU!OInVM0IrDSAR1lXf8KzR9vKsmEOVrBkg1M6QqughgO13mcAOawaxDaclQnhkyp3JvPbgCZX33l1xnRdvb4OxVqJcCz2cn9HcSw", "x.com \u2022 https://x.com/BastionMediaFR/status/2042194819397673290", "cdn777.pussyporn.pro \u2022 https://tubepornstars.co/ \u2022 porneramix.xyz", "porneramix.xyz \u2022 porntubner.online \u2022 pornhubhd.shop", "https://api.w.org/ \u2022 api.w.org", "remote.poc-2.com \u2022 https://otx.alienvault.com/indicator/url/https://tulach.cc/assets/img/ogp.png", "https://assets.msn.com/bundles/v1/edgeChromium/latest/svg-assets-Twitter.b90ee19de735e00fb4a0.js", "developer.x.com \u2022 https://twitter.com/githubstatus", "https://twitter.com/juvlarN", "appleid.cdn-apple.com", "https://static.digitecgalaxus.ch/Files/communication/app-download-badges/apple_email_rasterized_2x/fr.png", "Samuel Tulach , an engineer writes about game security, Unity engine, and anti-cheat systems on his blog at tulach.cc", "Mr. Tulach \u2022 known for his work in cybersecurity, particularly in reverse engineering & malware analysis", "\"uploader.exe\" created by Samuel Tulach has been identified as malicious by several security engines", "Due to Samuel Tulach\u2019s good reputation , assume his assets are being abused by threat actors targeting", "I haven\u2019t yet concluded why Tulach.cc is deeply interwoven in a malicious media campaign", "Samuel Tulach\u2019s assets have been tightly connected to M. Brian Sabey, Esq", "The next pulse will show Apple IoC\u2019s related to Tulach.cc" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "LibraryLoader", "display_name": "LibraryLoader", "target": null }, { "id": "ALF:HeraklezEval:Trojan:Win32/Azorult.FW!rfn", "display_name": "ALF:HeraklezEval:Trojan:Win32/Azorult.FW!rfn", "target": null }, { "id": "Win.Packed.Botx-10021462-0", "display_name": "Win.Packed.Botx-10021462-0", "target": null }, { "id": "Win.Malware.Cymt-10023133-0", "display_name": "Win.Malware.Cymt-10023133-0", "target": null }, { "id": "TrojanDownloader:Win32/Nemucod", "display_name": "TrojanDownloader:Win32/Nemucod", "target": "/malware/TrojanDownloader:Win32/Nemucod" }, { "id": "Win.Trojan.VBGeneric-6735875-0", "display_name": "Win.Trojan.VBGeneric-6735875-0", "target": null }, { "id": "Worm:Win32/Mofksys.RND!MTB", "display_name": "Worm:Win32/Mofksys.RND!MTB", "target": "/malware/Worm:Win32/Mofksys.RND!MTB" }, { "id": "Win.Malware.Generickdz-9937235-0", "display_name": "Win.Malware.Generickdz-9937235-0", "target": null }, { "id": "Win.Malware.Razy-6979265-0", "display_name": "Win.Malware.Razy-6979265-0", "target": null }, { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "Trojan:Win32/Mydoom", "display_name": "Trojan:Win32/Mydoom", "target": "/malware/Trojan:Win32/Mydoom" }, { "id": "TrojanSpy:Win32/Nivdort.DE", "display_name": "TrojanSpy:Win32/Nivdort.DE", "target": "/malware/TrojanSpy:Win32/Nivdort.DE" }, { "id": "SLF:Win32/Elenquay.A", "display_name": "SLF:Win32/Elenquay.A", "target": "/malware/SLF:Win32/Elenquay.A" }, { "id": "Win.Dropper.QuasarRAT-10023124-0", "display_name": "Win.Dropper.QuasarRAT-10023124-0", "target": null }, { "id": "Win.Trojan.Zegost-9769410-0", "display_name": "Win.Trojan.Zegost-9769410-0", "target": null }, { "id": "ALF:HSTR:VirTool:Win32/Obfuscator!PECancer", "display_name": "ALF:HSTR:VirTool:Win32/Obfuscator!PECancer", "target": null }, { "id": "Win.Malware.Moonlight-9919383-0", "display_name": "Win.Malware.Moonlight-9919383-0", "target": null }, { "id": "Worm:Win32/Lightmoon.H", "display_name": "Worm:Win32/Lightmoon.H", "target": "/malware/Worm:Win32/Lightmoon.H" }, { "id": "Backdoor:Win32/Tofsee.", "display_name": "Backdoor:Win32/Tofsee.", "target": "/malware/Backdoor:Win32/Tofsee." }, { "id": "#LowfiJavaZKM", "display_name": "#LowfiJavaZKM", "target": null }, { "id": "Win.Malware.Swisyn-7610494-0", "display_name": "Win.Malware.Swisyn-7610494-0", "target": null }, { "id": "PWS:Win32/Ymacco.AA50", "display_name": "PWS:Win32/Ymacco.AA50", "target": "/malware/PWS:Win32/Ymacco.AA50" }, { "id": "Win.Packed.Stealerc-10017074-0", "display_name": "Win.Packed.Stealerc-10017074-0", "target": null }, { "id": "#Lowfi:Win32/AutoIt", "display_name": "#Lowfi:Win32/AutoIt", "target": "/malware/#Lowfi:Win32/AutoIt" }, { "id": "Html.Trojan.Ascii212_44_64_202-1", "display_name": "Html.Trojan.Ascii212_44_64_202-1", "target": null }, { "id": "ALFPER:HSTR:WizremURL.A1", "display_name": "ALFPER:HSTR:WizremURL.A1", "target": null }, { "id": "Win.Malware.Jaik-9968280-0", "display_name": "Win.Malware.Jaik-9968280-0", "target": null }, { "id": "Win.Trojan.Tofsee-7102058-0", "display_name": "Win.Trojan.Tofsee-7102058-0", "target": null }, { "id": "Backdoor:Win32/Tofsee.T", "display_name": "Backdoor:Win32/Tofsee.T", "target": "/malware/Backdoor:Win32/Tofsee.T" }, { "id": "Win.Malware.Jaik-9968280-0", "display_name": "Win.Malware.Jaik-9968280-0", "target": null }, { "id": "Win.Packer.pkr_ce1a-9980177-0", "display_name": "Win.Packer.pkr_ce1a-9980177-0", "target": null }, { "id": "Win.Trojan.Tofsee-7102058-0", "display_name": "Win.Trojan.Tofsee-7102058-0", "target": null }, { "id": "Win.Malware.Midie-6847893-0", "display_name": "Win.Malware.Midie-6847893-0", "target": null }, { "id": "TrojanDropper:Win32/Muldrop.V!MTB", "display_name": "TrojanDropper:Win32/Muldrop.V!MTB", "target": "/malware/TrojanDropper:Win32/Muldrop.V!MTB" }, { "id": "Win.Malware.Aauto-9839281-0", "display_name": "Win.Malware.Aauto-9839281-0", "target": null }, { "id": "Win.Trojan.Agent-1371484", "display_name": "Win.Trojan.Agent-1371484", "target": null }, { "id": "SLFPER:SoftwareBundler:Win32/ICLoader.A", "display_name": "SLFPER:SoftwareBundler:Win32/ICLoader.A", "target": null }, { "id": "ALF:Trojan:Win32/Cassini_412f60c8!ibt", "display_name": "ALF:Trojan:Win32/Cassini_412f60c8!ibt", "target": null }, { "id": "Worm:Win32/Mofksys.RND!MTB", "display_name": "Worm:Win32/Mofksys.RND!MTB", "target": "/malware/Worm:Win32/Mofksys.RND!MTB" }, { "id": "Win.Packed.Generic-9967832-0", "display_name": "Win.Packed.Generic-9967832-0", "target": null }, { "id": "Win.Trojan.Barys-10005825-0", "display_name": "Win.Trojan.Barys-10005825-0", "target": null }, { "id": "Unix.Trojan.Mirai-9441505-0", "display_name": "Unix.Trojan.Mirai-9441505-0", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2710, "domain": 1227, "hostname": 1206, "FileHash-SHA256": 3867, "FileHash-MD5": 593, "FileHash-SHA1": 459, "SSLCertFingerprint": 19, "email": 20, "CVE": 1 }, "indicator_count": 10102, "is_author": false, "is_subscribing": null, "subscriber_count": 145, "modified_text": "21 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d79c38e0a059039b475ebe", "name": "CAPE Sandbox", "description": "Email today from them on my line. Very wild things happening here. trying to close my line", "modified": "2026-05-09T12:10:59.635000", "created": "2026-04-09T12:31:52.495000", "tags": [ "html document", "unicode text", "utf8 text", "crlf", "lf line", "site", "meta", "verizon", "wireless", "internet", "phone services", "official", "shop verizon", "lte network", "get fios", "title", "code", "error", "utc na", "utc google", "tag manager", "gtmw2vn2cq", "utc dc9849921", "utc dc685973", "utc g12r1dx1lx7", "utc aw647962234", "utc aw2761768", "utc aw685973", "verizon business", "verizon for business", "verizon business account", "verizon business phone", "verizon wireless for business", "verizon business service", "verizon business plan", "business internet services", "learn", "gartner", "contact", "find", "discover", "support", "close log", "shop", "upgrade", "small", "voice", "chat", "mitre attack", "network info", "program", "html page", "t1055 process", "overview", "processes extra", "overview zenbox", "verdict", "guest system", "phishing", "next", "ver2", "msclkidn", "utc amazon", "analytics na", "utc bing", "vids1", "vids0", "gdlname" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/edb4c21d60daa44b3429e7ba9bfa342759ebef23c136c934f74aef145453ce19_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775737365&Signature=S%2B7RcHYjab1hbKlKwFfvUbDirFPJS1A2TJQ3bVIObMcON4PD9pRDvhMtYMCnEBrYsICi0UJCFW5eUDolL5Jlbngsc587kF36vvuhlkPprbkSOY1jOyDTpe3Qsb6jRFz3xwOfZc9S5QervoLnRKb%2FyGSyZE6ZK6TxzBrOPczPtZ7sLf9NfD6E%2B2gMRXaRjEqVwVITLG7YqCiiNuohFOuNlK3uNHFpIk53viKvBSAIqLtSklH9bHW4q1DX", "https://www.verizon.com/business/", "https://vtbehaviour.commondatastorage.googleapis.com/edb4c21d60daa44b3429e7ba9bfa342759ebef23c136c934f74aef145453ce19_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775737710&Signature=fbsokraSd7lsYmUfaTEl8Phs2K3hp7AtVmQU9axeEBcYmYbrrYrrfpP5lPEQaE%2Fh3%2BEP9Rn8mD8D1haqQVXCN0VVlxJ4sddjWmyC5USsgBsvUb0%2F72h1WHDS2KXHlteZWE%2Bauckabain9D5kX501AnqFY38s77OIqO6SMOkQ%2BvXiDSSRK%2FZhbfradBnei3ZLHsXGxkoshTyvB0%2BC%2F8SiUzdVsqSjik0Bn2r%2BIlLpDQK90GlZTD0N" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 772, "hostname": 706, "domain": 875, "FileHash-SHA256": 2348, "FileHash-MD5": 2237, "FileHash-SHA1": 2260, "CVE": 1, "email": 9 }, "indicator_count": 9208, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "22 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d7a3f4d72c30f9586634b9", "name": "VirusTotal report\n for flow-browser-main.zip", "description": "A sample of flow-browser-main, an unauthorised version of the web browser, has been detected by researchers at the University of California, Los Angeles, and the National Security Agency (NSA). myvzw.com after an email on ending a #", "modified": "2026-05-09T12:10:59.635000", "created": "2026-04-09T13:04:52.444000", "tags": [ "file type", "png image", "ascii", "ascii text", "java source", "json", "rgba", "creates", "crlf line", "mac os", "date", "malicious", "next", "button", "span", "edit3icon", "rotateccwicon", "xicon", "htmldivelement", "react", "saveicon", "null", "shortcutitem", "click", "zip archive", "png multimedia", "graphics" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/087797e64cf016f13eac46473b4150d49c7eba564c894300f69bc643b059c980_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775739500&Signature=r1pLCgJf%2FQK8TvenCwXy9bnghFzjJ5QssdQSLP37SLv6EkA3WXuFUIvKrsXKokco7bMfQUy%2FArk8F6aP%2Bhaj16Jv7P%2FGB%2Blf7mPvs47VjwfBJRCP8AZLlWvO45%2BjC68v798csdJFPTP31O4yDOE3pXZ3EThm4nSrIwLPhTSPfi3cPlEh2wLSzcySW7BYLw%2BqCoawFCxeLUz7hIV0vC89Mlwi3DeS%2BEnWFF%2FsvT9lVJjdbLoJLEeO", "https://vtbehaviour.commondatastorage.googleapis.com/087797e64cf016f13eac46473b4150d49c7eba564c894300f69bc643b059c980_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775739700&Signature=bOTo%2FxCpGDGOsIKJDZjBBhLZRg8UiOGi%2FvVr47Xpmh7tOh9dez7911bi%2F9SUdu4ATLhzRVog%2BdVP%2BUPwTuEfIdEcPuGRGVc1KOSP3fTQrKhRjF3x2dqykxVCH%2B1iqBmCgod%2B1uAdlraxqSOeOgst1l%2Bk250uXff4axktE%2BfGjeNDeGJao%2FfOMktqIL7zU8%2BIQYTObwelnnYx45FBSiXI1bWM4vhdgIX4cs2cT%2F" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 220, "FileHash-MD5": 562, "FileHash-SHA1": 566, "FileHash-SHA256": 1011, "URL": 125, "hostname": 139, "email": 4 }, "indicator_count": 2627, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "22 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d7a3f511d0121d253b753d", "name": "VirusTotal report\n for flow-browser-main.zip", "description": "A sample of flow-browser-main, an unauthorised version of the web browser, has been detected by researchers at the University of California, Los Angeles, and the National Security Agency (NSA). myvzw.com after an email on ending a #", "modified": "2026-05-09T12:10:59.635000", "created": "2026-04-09T13:04:53.436000", "tags": [ "file type", "png image", "ascii", "ascii text", "java source", "json", "rgba", "creates", "crlf line", "mac os", "date", "malicious", "next", "button", "span", "edit3icon", "rotateccwicon", "xicon", "htmldivelement", "react", "saveicon", "null", "shortcutitem", "click", "zip archive", "png multimedia", "graphics" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/087797e64cf016f13eac46473b4150d49c7eba564c894300f69bc643b059c980_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775739500&Signature=r1pLCgJf%2FQK8TvenCwXy9bnghFzjJ5QssdQSLP37SLv6EkA3WXuFUIvKrsXKokco7bMfQUy%2FArk8F6aP%2Bhaj16Jv7P%2FGB%2Blf7mPvs47VjwfBJRCP8AZLlWvO45%2BjC68v798csdJFPTP31O4yDOE3pXZ3EThm4nSrIwLPhTSPfi3cPlEh2wLSzcySW7BYLw%2BqCoawFCxeLUz7hIV0vC89Mlwi3DeS%2BEnWFF%2FsvT9lVJjdbLoJLEeO", "https://vtbehaviour.commondatastorage.googleapis.com/087797e64cf016f13eac46473b4150d49c7eba564c894300f69bc643b059c980_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775739700&Signature=bOTo%2FxCpGDGOsIKJDZjBBhLZRg8UiOGi%2FvVr47Xpmh7tOh9dez7911bi%2F9SUdu4ATLhzRVog%2BdVP%2BUPwTuEfIdEcPuGRGVc1KOSP3fTQrKhRjF3x2dqykxVCH%2B1iqBmCgod%2B1uAdlraxqSOeOgst1l%2Bk250uXff4axktE%2BfGjeNDeGJao%2FfOMktqIL7zU8%2BIQYTObwelnnYx45FBSiXI1bWM4vhdgIX4cs2cT%2F" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 224, "FileHash-MD5": 558, "FileHash-SHA1": 564, "FileHash-SHA256": 558, "URL": 140, "hostname": 166, "email": 2, "CVE": 8 }, "indicator_count": 2220, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "22 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d7a3f6657dd0c212d8344a", "name": "VirusTotal report\n for flow-browser-main.zip", "description": "A sample of flow-browser-main, an unauthorised version of the web browser, has been detected by researchers at the University of California, Los Angeles, and the National Security Agency (NSA). myvzw.com after an email on ending a #", "modified": "2026-05-09T12:10:59.635000", "created": "2026-04-09T13:04:54.060000", "tags": [ "file type", "png image", "ascii", "ascii text", "java source", "json", "rgba", "creates", "crlf line", "mac os", "date", "malicious", "next", "button", "span", "edit3icon", "rotateccwicon", "xicon", "htmldivelement", "react", "saveicon", "null", "shortcutitem", "click", "zip archive", "png multimedia", "graphics" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/087797e64cf016f13eac46473b4150d49c7eba564c894300f69bc643b059c980_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775739500&Signature=r1pLCgJf%2FQK8TvenCwXy9bnghFzjJ5QssdQSLP37SLv6EkA3WXuFUIvKrsXKokco7bMfQUy%2FArk8F6aP%2Bhaj16Jv7P%2FGB%2Blf7mPvs47VjwfBJRCP8AZLlWvO45%2BjC68v798csdJFPTP31O4yDOE3pXZ3EThm4nSrIwLPhTSPfi3cPlEh2wLSzcySW7BYLw%2BqCoawFCxeLUz7hIV0vC89Mlwi3DeS%2BEnWFF%2FsvT9lVJjdbLoJLEeO", "https://vtbehaviour.commondatastorage.googleapis.com/087797e64cf016f13eac46473b4150d49c7eba564c894300f69bc643b059c980_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775739700&Signature=bOTo%2FxCpGDGOsIKJDZjBBhLZRg8UiOGi%2FvVr47Xpmh7tOh9dez7911bi%2F9SUdu4ATLhzRVog%2BdVP%2BUPwTuEfIdEcPuGRGVc1KOSP3fTQrKhRjF3x2dqykxVCH%2B1iqBmCgod%2B1uAdlraxqSOeOgst1l%2Bk250uXff4axktE%2BfGjeNDeGJao%2FfOMktqIL7zU8%2BIQYTObwelnnYx45FBSiXI1bWM4vhdgIX4cs2cT%2F" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 217, "FileHash-MD5": 558, "FileHash-SHA1": 564, "FileHash-SHA256": 558, "URL": 118, "hostname": 133, "email": 2 }, "indicator_count": 2150, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "22 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d7a3f683111bbbe1c9ae35", "name": "VirusTotal report\n for flow-browser-main.zip", "description": "A sample of flow-browser-main, an unauthorised version of the web browser, has been detected by researchers at the University of California, Los Angeles, and the National Security Agency (NSA). myvzw.com after an email on ending a #", "modified": "2026-05-09T12:10:59.635000", "created": "2026-04-09T13:04:54.775000", "tags": [ "file type", "png image", "ascii", "ascii text", "java source", "json", "rgba", "creates", "crlf line", "mac os", "date", "malicious", "next", "button", "span", "edit3icon", "rotateccwicon", "xicon", "htmldivelement", "react", "saveicon", "null", "shortcutitem", "click", "zip archive", "png multimedia", "graphics" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/087797e64cf016f13eac46473b4150d49c7eba564c894300f69bc643b059c980_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775739500&Signature=r1pLCgJf%2FQK8TvenCwXy9bnghFzjJ5QssdQSLP37SLv6EkA3WXuFUIvKrsXKokco7bMfQUy%2FArk8F6aP%2Bhaj16Jv7P%2FGB%2Blf7mPvs47VjwfBJRCP8AZLlWvO45%2BjC68v798csdJFPTP31O4yDOE3pXZ3EThm4nSrIwLPhTSPfi3cPlEh2wLSzcySW7BYLw%2BqCoawFCxeLUz7hIV0vC89Mlwi3DeS%2BEnWFF%2FsvT9lVJjdbLoJLEeO", "https://vtbehaviour.commondatastorage.googleapis.com/087797e64cf016f13eac46473b4150d49c7eba564c894300f69bc643b059c980_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775739700&Signature=bOTo%2FxCpGDGOsIKJDZjBBhLZRg8UiOGi%2FvVr47Xpmh7tOh9dez7911bi%2F9SUdu4ATLhzRVog%2BdVP%2BUPwTuEfIdEcPuGRGVc1KOSP3fTQrKhRjF3x2dqykxVCH%2B1iqBmCgod%2B1uAdlraxqSOeOgst1l%2Bk250uXff4axktE%2BfGjeNDeGJao%2FfOMktqIL7zU8%2BIQYTObwelnnYx45FBSiXI1bWM4vhdgIX4cs2cT%2F" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 218, "FileHash-MD5": 558, "FileHash-SHA1": 564, "FileHash-SHA256": 558, "URL": 119, "hostname": 133, "email": 4 }, "indicator_count": 2154, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "22 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d7a3f6f81dc2388c0fa027", "name": "VirusTotal report\n for flow-browser-main.zip", "description": "A sample of flow-browser-main, an unauthorised version of the web browser, has been detected by researchers at the University of California, Los Angeles, and the National Security Agency (NSA). myvzw.com after an email on ending a #", "modified": "2026-05-09T12:10:59.635000", "created": "2026-04-09T13:04:54.563000", "tags": [ "file type", "png image", "ascii", "ascii text", "java source", "json", "rgba", "creates", "crlf line", "mac os", "date", "malicious", "next", "button", "span", "edit3icon", "rotateccwicon", "xicon", "htmldivelement", "react", "saveicon", "null", "shortcutitem", "click", "zip archive", "png multimedia", "graphics" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/087797e64cf016f13eac46473b4150d49c7eba564c894300f69bc643b059c980_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775739500&Signature=r1pLCgJf%2FQK8TvenCwXy9bnghFzjJ5QssdQSLP37SLv6EkA3WXuFUIvKrsXKokco7bMfQUy%2FArk8F6aP%2Bhaj16Jv7P%2FGB%2Blf7mPvs47VjwfBJRCP8AZLlWvO45%2BjC68v798csdJFPTP31O4yDOE3pXZ3EThm4nSrIwLPhTSPfi3cPlEh2wLSzcySW7BYLw%2BqCoawFCxeLUz7hIV0vC89Mlwi3DeS%2BEnWFF%2FsvT9lVJjdbLoJLEeO", "https://vtbehaviour.commondatastorage.googleapis.com/087797e64cf016f13eac46473b4150d49c7eba564c894300f69bc643b059c980_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775739700&Signature=bOTo%2FxCpGDGOsIKJDZjBBhLZRg8UiOGi%2FvVr47Xpmh7tOh9dez7911bi%2F9SUdu4ATLhzRVog%2BdVP%2BUPwTuEfIdEcPuGRGVc1KOSP3fTQrKhRjF3x2dqykxVCH%2B1iqBmCgod%2B1uAdlraxqSOeOgst1l%2Bk250uXff4axktE%2BfGjeNDeGJao%2FfOMktqIL7zU8%2BIQYTObwelnnYx45FBSiXI1bWM4vhdgIX4cs2cT%2F" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 218, "FileHash-MD5": 558, "FileHash-SHA1": 564, "FileHash-SHA256": 558, "URL": 119, "hostname": 133, "email": 4 }, "indicator_count": 2154, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "22 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d4f2d9ce86a445b484593b", "name": "VirusTotal report\n for sample.crx", "description": "A small sample of malware has been identified by researchers at the University of Oregon in the US, and the results are published on the web, as well as on Google's Chrome extension and other sites.", "modified": "2026-05-07T12:05:50.774000", "created": "2026-04-07T12:04:41.097000", "tags": [ "file type", "json", "ascii text", "png image", "crlf line", "ascii", "rgba", "unicode text", "utf8 text", "defense evasion", "malicious" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 668, "FileHash-MD5": 668, "FileHash-SHA1": 675, "URL": 153, "domain": 230, "hostname": 177, "email": 2 }, "indicator_count": 2573, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "24 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d4f2db0b3448671adcce16", "name": "VirusTotal report\n for sample.crx", "description": "A small sample of malware has been identified by researchers at the University of Oregon in the US, and the results are published on the web, as well as on Google's Chrome extension and other sites.", "modified": "2026-05-07T12:05:50.774000", "created": "2026-04-07T12:04:43.156000", "tags": [ "file type", "json", "ascii text", "png image", "crlf line", "ascii", "rgba", "unicode text", "utf8 text", "defense evasion", "malicious" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 668, "FileHash-MD5": 668, "FileHash-SHA1": 675, "URL": 153, "domain": 230, "hostname": 177, "email": 2 }, "indicator_count": 2573, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "24 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d4f2dd828bbf0ac5efaa23", "name": "VirusTotal report\n for sample.crx", "description": "A small sample of malware has been identified by researchers at the University of Oregon in the US, and the results are published on the web, as well as on Google's Chrome extension and other sites.", "modified": "2026-05-07T12:05:50.774000", "created": "2026-04-07T12:04:44.957000", "tags": [ "file type", "json", "ascii text", "png image", "crlf line", "ascii", "rgba", "unicode text", "utf8 text", "defense evasion", "malicious" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 668, "FileHash-MD5": 668, "FileHash-SHA1": 675, "URL": 153, "domain": 230, "hostname": 177, "email": 2 }, "indicator_count": 2573, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "24 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d4ddf1680e25f8a35479af", "name": "VirusTotal report\n for atom.exe", "description": "i have a iphone.", "modified": "2026-05-07T10:14:20.933000", "created": "2026-04-07T10:35:29.819000", "tags": [ "file type", "ascii", "json", "ms windows", "pe file", "ascii text", "utf8", "sqlite version", "openpgp secret", "file", "code", "persistence", "fraud", "next", "windows sandbox", "calls process", "has permission", "mitre attack", "network info", "accesses", "overview", "zenbox android", "verdict", "guest system", "ultimate file", "info file", "cloud", "calls clear" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/07f7d05d67f46df46aa037ae72dbdb01b4c793b0efa97b3b606eb7c804bc9ac8_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775557919&Signature=NmXnt5UXEu97u6S%2Fl1pR8Dj1wOV48%2BMQtA7itY%2FDaMxeTZKYWQG8Sc1yQ8Anau89lP6pFBfYLFKcZlXLyh0lxedEOnLubJoX%2FPdHFRwhsnXHKf9Paue%2FYfp2f3Xa3eCtAdjiZ%2FYtizogath35T7lFE%2FyYG10vWJI%2FID8Xpk55duyBuJFvI5UISNatR%2BriUlSjGvUurWgm62dXOPlBxRQvwk1ndbIS79tzUBzFcGe7A3RnhURjWI1", "https://vtbehaviour.commondatastorage.googleapis.com/dbd82852eb5958675f889c452fc71bae5cce8ddad596bd15d2a4a6700739f741_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775558174&Signature=SmpbnWta3giCZS997kqTvAF%2BZOmsy8guJi08oXMRbv9twEwYq0zHV5x5EgkJeE1uK593UWjmIyGGPmZZAznd5G9GmDLWpTBpm6AalirZIWVXEGKYqWW%2FcXP6AP4kPvUKQffGRRra22oorMkIGVUd4OSbUBHzjeXYtzRalcJNh00ErxP2ckokNZ%2BA6k7O42Vano2SrEQ6QXeQ%2BVWhBicFEaYV3BEDA%2Fn%2BNlMqbe6dzaU%", "https://vtbehaviour.commondatastorage.googleapis.com/00497722a5a78f54380688c2f4e13f3ef6ae5ba3179e181842bc5f293931d249_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775558242&Signature=xZKVbPHnvq1qTJXNwiztrGD6NGaXqXZy2F7iZE8F8ZA5SQ2b0AHWfcMuFzBPL4S56%2Br1mdkSivnRKw4PtqmKSlmum59RFVyQrmIK25bmB%2FhGIdrtS0FEJHREeu2idOIA89pmPV7lOHS%2B%2BYVZ8CGGt7LqRG1WFqYY%2FsUuOmWwLyVT%2F8O9trgNAEO49TvZ9ce8AC5yY9pOagSk46K9CfKH%2BRUtwl1lKVpVFcS8P9OO0VKPNZJEs7AiA%2F", "https://vtbehaviour.commondatastorage.googleapis.com/d5bf2e0581ad7dca4e49e58e379107bf01ab36ae8e0900692e5782bfe7e86aba_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775558351&Signature=y1XPW6XWHz4cFiInU2H1MRXTtywNvzuP6qP%2BVIkFaZMsxldmbqUekc%2Fp3b1VId4O3UC3ckTmGqsRuznTxQLfWOOnxRXlD4QK4HFzPpTpKHXqWlrtdznOpHY%2Bv7wTzMzremLNFsxERoSd3zbAhEhirVop5Px%2BL937P9ywZuKM2DctbhUyiBzYXg%2FMjeVExwS%2FNlP8Sn%2BCx5tVuOIsiQoaZM%2FLak%2BsYPZVGDXZZn" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1406", "name": "Obfuscated Files or Information", "display_name": "T1406 - Obfuscated Files or Information" }, { "id": "T1421", "name": "System Network Connections Discovery", "display_name": "T1421 - System Network Connections Discovery" }, { "id": "T1426", "name": "System Information Discovery", "display_name": "T1426 - System Information Discovery" }, { "id": "T1429", "name": "Capture Audio", "display_name": "T1429 - Capture Audio" }, { "id": "T1430", "name": "Location Tracking", "display_name": "T1430 - Location Tracking" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 20, "FileHash-SHA1": 19, "FileHash-SHA256": 165, "URL": 101, "domain": 9, "hostname": 37 }, "indicator_count": 351, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "24 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d4ddf1828f3eeb138474ef", "name": "VirusTotal report\n for atom.exe", "description": "i have a iphone.", "modified": "2026-05-07T10:14:20.933000", "created": "2026-04-07T10:35:29.004000", "tags": [ "file type", "ascii", "json", "ms windows", "pe file", "ascii text", "utf8", "sqlite version", "openpgp secret", "file", "code", "persistence", "fraud", "next", "windows sandbox", "calls process", "has permission", "mitre attack", "network info", "accesses", "overview", "zenbox android", "verdict", "guest system", "ultimate file", "info file", "cloud", "calls clear" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/07f7d05d67f46df46aa037ae72dbdb01b4c793b0efa97b3b606eb7c804bc9ac8_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775557919&Signature=NmXnt5UXEu97u6S%2Fl1pR8Dj1wOV48%2BMQtA7itY%2FDaMxeTZKYWQG8Sc1yQ8Anau89lP6pFBfYLFKcZlXLyh0lxedEOnLubJoX%2FPdHFRwhsnXHKf9Paue%2FYfp2f3Xa3eCtAdjiZ%2FYtizogath35T7lFE%2FyYG10vWJI%2FID8Xpk55duyBuJFvI5UISNatR%2BriUlSjGvUurWgm62dXOPlBxRQvwk1ndbIS79tzUBzFcGe7A3RnhURjWI1", "https://vtbehaviour.commondatastorage.googleapis.com/dbd82852eb5958675f889c452fc71bae5cce8ddad596bd15d2a4a6700739f741_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775558174&Signature=SmpbnWta3giCZS997kqTvAF%2BZOmsy8guJi08oXMRbv9twEwYq0zHV5x5EgkJeE1uK593UWjmIyGGPmZZAznd5G9GmDLWpTBpm6AalirZIWVXEGKYqWW%2FcXP6AP4kPvUKQffGRRra22oorMkIGVUd4OSbUBHzjeXYtzRalcJNh00ErxP2ckokNZ%2BA6k7O42Vano2SrEQ6QXeQ%2BVWhBicFEaYV3BEDA%2Fn%2BNlMqbe6dzaU%", "https://vtbehaviour.commondatastorage.googleapis.com/00497722a5a78f54380688c2f4e13f3ef6ae5ba3179e181842bc5f293931d249_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775558242&Signature=xZKVbPHnvq1qTJXNwiztrGD6NGaXqXZy2F7iZE8F8ZA5SQ2b0AHWfcMuFzBPL4S56%2Br1mdkSivnRKw4PtqmKSlmum59RFVyQrmIK25bmB%2FhGIdrtS0FEJHREeu2idOIA89pmPV7lOHS%2B%2BYVZ8CGGt7LqRG1WFqYY%2FsUuOmWwLyVT%2F8O9trgNAEO49TvZ9ce8AC5yY9pOagSk46K9CfKH%2BRUtwl1lKVpVFcS8P9OO0VKPNZJEs7AiA%2F", "https://vtbehaviour.commondatastorage.googleapis.com/d5bf2e0581ad7dca4e49e58e379107bf01ab36ae8e0900692e5782bfe7e86aba_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775558351&Signature=y1XPW6XWHz4cFiInU2H1MRXTtywNvzuP6qP%2BVIkFaZMsxldmbqUekc%2Fp3b1VId4O3UC3ckTmGqsRuznTxQLfWOOnxRXlD4QK4HFzPpTpKHXqWlrtdznOpHY%2Bv7wTzMzremLNFsxERoSd3zbAhEhirVop5Px%2BL937P9ywZuKM2DctbhUyiBzYXg%2FMjeVExwS%2FNlP8Sn%2BCx5tVuOIsiQoaZM%2FLak%2BsYPZVGDXZZn" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1406", "name": "Obfuscated Files or Information", "display_name": "T1406 - Obfuscated Files or Information" }, { "id": "T1421", "name": "System Network Connections Discovery", "display_name": "T1421 - System Network Connections Discovery" }, { "id": "T1426", "name": "System Information Discovery", "display_name": "T1426 - System Information Discovery" }, { "id": "T1429", "name": "Capture Audio", "display_name": "T1429 - Capture Audio" }, { "id": "T1430", "name": "Location Tracking", "display_name": "T1430 - Location Tracking" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 20, "FileHash-SHA1": 19, "FileHash-SHA256": 165, "URL": 101, "domain": 9, "hostname": 37 }, "indicator_count": 351, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "24 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d43ac218b1452b90077c29", "name": "VirusTotal report\n for addon.crx", "description": "<<< This is the full list of results from this year's \u00c2\u00a31.2bn (1bn euros) Google search, which includes the results of the search for the world's most popular search engine.>>", "modified": "2026-05-06T22:12:40.990000", "created": "2026-04-06T22:59:14.467000", "tags": [ "zip archive", "opera widget", "vym mind", "sweet home", "design", "mozilla firefox", "mozilla archive", "format", "file type", "php script", "ascii", "ascii text", "unicode text", "utf8 text", "crlf line", "json", "java source", "extra info" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 316, "FileHash-SHA1": 314, "FileHash-SHA256": 1415, "hostname": 132, "domain": 50, "URL": 86 }, "indicator_count": 2313, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "24 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d43acb355ea778bf740a6d", "name": "VirusTotal report\n for addon.crx", "description": "<<< This is the full list of results from this year's \u00c2\u00a31.2bn (1bn euros) Google search, which includes the results of the search for the world's most popular search engine.>>", "modified": "2026-05-06T22:12:40.990000", "created": "2026-04-06T22:59:23.936000", "tags": [ "zip archive", "opera widget", "vym mind", "sweet home", "design", "mozilla firefox", "mozilla archive", "format", "file type", "php script", "ascii", "ascii text", "unicode text", "utf8 text", "crlf line", "json", "java source", "extra info" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 316, "FileHash-SHA1": 314, "FileHash-SHA256": 1415, "hostname": 132, "domain": 50, "URL": 86 }, "indicator_count": 2313, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "24 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d43ad5128bbd414bbd946f", "name": "VirusTotal report\n for addon.crx", "description": "<<< This is the full list of results from this year's \u00c2\u00a31.2bn (1bn euros) Google search, which includes the results of the search for the world's most popular search engine.>>", "modified": "2026-05-06T22:12:40.990000", "created": "2026-04-06T22:59:33.569000", "tags": [ "zip archive", "opera widget", "vym mind", "sweet home", "design", "mozilla firefox", "mozilla archive", "format", "file type", "php script", "ascii", "ascii text", "unicode text", "utf8 text", "crlf line", "json", "java source", "extra info" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 316, "FileHash-SHA1": 314, "FileHash-SHA256": 1415, "hostname": 132, "domain": 50, "URL": 86 }, "indicator_count": 2313, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "24 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d43ad5541cf4a7ee45cef5", "name": "VirusTotal report\n for addon.crx", "description": "<<< This is the full list of results from this year's \u00c2\u00a31.2bn (1bn euros) Google search, which includes the results of the search for the world's most popular search engine.>>", "modified": "2026-05-06T22:12:40.990000", "created": "2026-04-06T22:59:33.577000", "tags": [ "zip archive", "opera widget", "vym mind", "sweet home", "design", "mozilla firefox", "mozilla archive", "format", "file type", "php script", "ascii", "ascii text", "unicode text", "utf8 text", "crlf line", "json", "java source", "extra info" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 316, "FileHash-SHA1": 314, "FileHash-SHA256": 1415, "hostname": 132, "domain": 50, "URL": 86 }, "indicator_count": 2313, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "24 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d43ada131daf14003078c7", "name": "VirusTotal report\n for addon.crx", "description": "<<< This is the full list of results from this year's \u00c2\u00a31.2bn (1bn euros) Google search, which includes the results of the search for the world's most popular search engine.>>", "modified": "2026-05-06T22:12:40.990000", "created": "2026-04-06T22:59:38.191000", "tags": [ "zip archive", "opera widget", "vym mind", "sweet home", "design", "mozilla firefox", "mozilla archive", "format", "file type", "php script", "ascii", "ascii text", "unicode text", "utf8 text", "crlf line", "json", "java source", "extra info" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 316, "FileHash-SHA1": 314, "FileHash-SHA256": 1415, "hostname": 132, "domain": 50, "URL": 86 }, "indicator_count": 2313, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "24 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d43adaef39c73f026077c0", "name": "VirusTotal report\n for addon.crx", "description": "<<< This is the full list of results from this year's \u00c2\u00a31.2bn (1bn euros) Google search, which includes the results of the search for the world's most popular search engine.>>", "modified": "2026-05-06T22:12:40.990000", "created": "2026-04-06T22:59:38.174000", "tags": [ "zip archive", "opera widget", "vym mind", "sweet home", "design", "mozilla firefox", "mozilla archive", "format", "file type", "php script", "ascii", "ascii text", "unicode text", "utf8 text", "crlf line", "json", "java source", "extra info" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 316, "FileHash-SHA1": 314, "FileHash-SHA256": 1415, "hostname": 132, "domain": 50, "URL": 86 }, "indicator_count": 2313, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "24 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d43adce952052db1643eb1", "name": "VirusTotal report\n for addon.crx", "description": "<<< This is the full list of results from this year's \u00c2\u00a31.2bn (1bn euros) Google search, which includes the results of the search for the world's most popular search engine.>>", "modified": "2026-05-06T22:12:40.990000", "created": "2026-04-06T22:59:40.683000", "tags": [ "zip archive", "opera widget", "vym mind", "sweet home", "design", "mozilla firefox", "mozilla archive", "format", "file type", "php script", "ascii", "ascii text", "unicode text", "utf8 text", "crlf line", "json", "java source", "extra info" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 316, "FileHash-SHA1": 314, "FileHash-SHA256": 1415, "hostname": 132, "domain": 50, "URL": 86 }, "indicator_count": 2313, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "24 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69cefd455bb5b78f3a3644bd", "name": "VirusTotal report\n for ul Business Intelligence. Moving Beyond the Obvious 2007.pdf", "description": "Researchers have identified the source of a malware that has infected more than 100,000 computers in the past month and is believed to have been linked to a network known as the \"Pulses\".", "modified": "2026-05-02T23:03:52.163000", "created": "2026-04-02T23:35:33.326000", "tags": [ "filehash", "pulse pulses", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "file score", "malicious ids", "query", "united", "as4249", "location united", "america flag", "america asn", "dns resolutions", "domain", "pulses", "related tags", "indicator facts", "creation date", "name servers", "ddos mitigation", "expiration date", "ip address", "asn as4249", "whois registrar", "rethem hosting", "date", "name", "billing city", "billing country", "billing email", "billing state", "create date", "expiry date", "query time", "available from", "code", "registry tech", "server", "registrar abuse", "email", "admin country", "registry domain", "registrar iana", "thumbprint", "ipv4", "active related", "pulses ipv4", "unknown" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 19, "FileHash-SHA1": 25, "FileHash-SHA256": 769, "domain": 116, "hostname": 248, "URL": 351, "email": 4, "CVE": 1 }, "indicator_count": 1533, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "28 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69cefd4604a91bf7ca712de4", "name": "VirusTotal report\n for ul Business Intelligence. Moving Beyond the Obvious 2007.pdf", "description": "Researchers have identified the source of a malware that has infected more than 100,000 computers in the past month and is believed to have been linked to a network known as the \"Pulses\".", "modified": "2026-05-02T23:03:52.163000", "created": "2026-04-02T23:35:34.946000", "tags": [ "filehash", "pulse pulses", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "file score", "malicious ids", "query", "united", "as4249", "location united", "america flag", "america asn", "dns resolutions", "domain", "pulses", "related tags", "indicator facts", "creation date", "name servers", "ddos mitigation", "expiration date", "ip address", "asn as4249", "whois registrar", "rethem hosting", "date", "name", "billing city", "billing country", "billing email", "billing state", "create date", "expiry date", "query time", "available from", "code", "registry tech", "server", "registrar abuse", "email", "admin country", "registry domain", "registrar iana", "thumbprint", "ipv4", "active related", "pulses ipv4", "unknown" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 19, "FileHash-SHA1": 25, "FileHash-SHA256": 769, "domain": 116, "hostname": 248, "URL": 351, "email": 4, "CVE": 1 }, "indicator_count": 1533, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "28 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69cec0fd4e0b04227b505a5f", "name": "VirusTotal report\n for AccountingAll-in-OneForDummiesPDFDrive.pdf", "description": "Researchers at Researchgate.com have published their findings in a series of articles on the subject of cyber-security, security and privacy. and the use of OTX, also known as \"Pulses\".> A little bird finch and its fingerprint.", "modified": "2026-05-02T19:36:13.629000", "created": "2026-04-02T19:18:21.797000", "tags": [ "united", "as14061", "present apr", "script urls", "as13335", "as13768 aptum", "singapore", "aaaa", "as31898 oracle", "united kingdom", "date", "win32", "body", "title", "fury", "file type", "chrome cache", "entry", "cache entry", "jpeg image", "jfif", "gif image", "png image", "ascii text", "malicious", "next", "windows sandbox", "calls process", "default", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "win1", "acrongl integ", "adc4240758", "accept", "shutdown", "json", "code", "persistence", "phishing", "value a", "pdf document", "adobe portable", "document format", "algorithm", "key identifier", "number", "cus ogoogle", "trust", "cnwe1 validity", "subject public", "key info", "key algorithm", "ec oid", "germany create", "domain", "expiry date", "name", "germany update", "researchgate", "discover", "research jobs", "gate", "find", "access", "join", "login", "email", "password", "x509v3 subject", "v3 serial", "issuer", "cbe cnalphassl", "sha256", "g2 oglobalsign", "validity", "public key", "info" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/00355f383cdfd3953bdb773247bcb38864e00fbc02f21c99bc85b9ae8a8de83c_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775156982&Signature=znZpp83KdT%2FL36sTf3QDOLLEWAh8ItKSUewNDuebW619kEzy7PG1q%2FF6ZK6IuxQU10CCVqA3cCW1MIaTpquBgPPjimEvkDVxx048Qv1%2FKzCnW00QhsQIQADWcfKI698TukLc8c3aCnBN%2BFMdkbsjgO4S6oFCJM5E9pIb9VJOdL6TDfSSIOQNyAYAL%2FCcOxwKRPBIY6l5X%2Bmxgvz5VObSKoxZWT7JmNyorS%2BPVLPOPtXbOJhdlDwk8aZ%", "https://vtbehaviour.commondatastorage.googleapis.com/00355f383cdfd3953bdb773247bcb38864e00fbc02f21c99bc85b9ae8a8de83c_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775157018&Signature=W6qmB2oXejWMekcxPwU%2BM2fTZ5XRnQ6InXQPfLl7OncG%2Bm3HPNHB%2FE6ygE96KZy32X4QvwY6orT3%2FSHlwBzQ3ckqedAXsZhwPNwVPN1eTjUL7BWQCVX7GFYabhv9AzqEnPZYWIUOa2P939ct2GWgfgTEtbesebRwyMue5ihDtUAV6qU1l2OuJfoS8C8GD%2FSlNeMBOTUymlaK4UmL9nmgOTq1McS%2BuJtgWwgJbI3sN9bR", "https://vtbehaviour.commondatastorage.googleapis.com/00355f383cdfd3953bdb773247bcb38864e00fbc02f21c99bc85b9ae8a8de83c_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775157047&Signature=yuzPVsphC0bG%2Bv9BmK3MOvfpxh2YUvj6B1ka6wchodQJMU0J7e6vH%2FwYLHWFiCIN7j4R6UxFeJ3ThZWdjJpObTpbPOwGZXiMlrPzB92hnLu9glo0Nxb3vEs2ztzgdkEKdSbu9SiyFyYZxQ4iwu6gfvEjT9bmVEcbVLcQEpNIevi9TPnEv%2B5D4yDqAalQb40r%2BCw%2FskC1Scj3bYgWKAGigIanlWXa0tIUmOIyNMnl6Oiq%2FRCzi7", "https://vtbehaviour.commondatastorage.googleapis.com/000ea1a97119456bc0d73d6f04298896bcf8a014015dd5a3854db979acc33ba4_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775157115&Signature=IGbBEZp40pDgcnEOLyVLG6NGd0gM9ah6hwV8nmKkZpUvBN%2Fjn1v5XN0%2FGEFFk20komfUqhGI4zwklt2Bb3VyRLNwH5yCYd80ojWWC2ZPFlaKaLhRXD4OzOrLnAG4GyZ21SRFjULCGxXx6RaUuwulye8wG52yQ5yk0cXHuHPcowCLNbfY9ZWAQs6buavYGnYInBF0LCu3CboQBrgkhANmTmmtyrV9vDfS0Bz6fsJz%2BgmmwlGNpV0NA4IJTJeZmXCh", "https://vtbehaviour.commondatastorage.googleapis.com/000ea1a97119456bc0d73d6f04298896bcf8a014015dd5a3854db979acc33ba4_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775157142&Signature=YUKsrID6gK5Kkp3Ztlp37D19a5zJHrHMGp%2Bp3gyGO0BDcTOWmIH2IIADOlf7ZwEyxpzvT8ZH%2Bbv2TFx8h6B1n9NuatpuXqxe%2FVfKTCmILqh1vZsKMh8%2BTSQQu0uemPproGACNc8JtbCaAHd7gAzuT9xa01vD4Yzcag%2Bm2nc3OjhRI0359dkuzw5Z5%2BRRcM80c0kY6Z%2FSDz4nFU9x8Gxbbcq6adN4uDjcooa9W%2F%2", "https://vtbehaviour.commondatastorage.googleapis.com/00355f383cdfd3953bdb773247bcb38864e00fbc02f21c99bc85b9ae8a8de83c_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775157171&Signature=wFaORSlZpOsDwaGFds40nh57Lh3vd%2BvFdqSDta%2BWapU98lkn38TsyUct5yym%2BseDovUqyvdVIXZauUtEnGqxpvYZximpwbeAbVtdc6MMBncoC78dOKoQbxtA3BT%2BzwKOs8jR1Cx7UYScBA2n%2BKi%2FUFE%2Fl3GvZGMSh8ekSTJNnrypI82Qa2rexteHlB8MZEdOGi15TMATCoi5SOQkKul2b5wy62%2BDaZblJEMMeN9AJYTgVYyUOZe6vM" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 272, "FileHash-MD5": 149, "FileHash-SHA1": 151, "FileHash-SHA256": 783, "domain": 140, "email": 4, "hostname": 144 }, "indicator_count": 1643, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "28 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69cec10621c1502a529923bb", "name": "VirusTotal report\n for AccountingAll-in-OneForDummiesPDFDrive.pdf", "description": "Researchers at Researchgate.com have published their findings in a series of articles on the subject of cyber-security, security and privacy. and the use of OTX, also known as \"Pulses\".> A little bird finch and its fingerprint.", "modified": "2026-05-02T19:36:13.629000", "created": "2026-04-02T19:18:30.126000", "tags": [ "united", "as14061", "present apr", "script urls", "as13335", "as13768 aptum", "singapore", "aaaa", "as31898 oracle", "united kingdom", "date", "win32", "body", "title", "fury", "file type", "chrome cache", "entry", "cache entry", "jpeg image", "jfif", "gif image", "png image", "ascii text", "malicious", "next", "windows sandbox", "calls process", "default", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "win1", "acrongl integ", "adc4240758", "accept", "shutdown", "json", "code", "persistence", "phishing", "value a", "pdf document", "adobe portable", "document format", "algorithm", "key identifier", "number", "cus ogoogle", "trust", "cnwe1 validity", "subject public", "key info", "key algorithm", "ec oid", "germany create", "domain", "expiry date", "name", "germany update", "researchgate", "discover", "research jobs", "gate", "find", "access", "join", "login", "email", "password", "x509v3 subject", "v3 serial", "issuer", "cbe cnalphassl", "sha256", "g2 oglobalsign", "validity", "public key", "info" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/00355f383cdfd3953bdb773247bcb38864e00fbc02f21c99bc85b9ae8a8de83c_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775156982&Signature=znZpp83KdT%2FL36sTf3QDOLLEWAh8ItKSUewNDuebW619kEzy7PG1q%2FF6ZK6IuxQU10CCVqA3cCW1MIaTpquBgPPjimEvkDVxx048Qv1%2FKzCnW00QhsQIQADWcfKI698TukLc8c3aCnBN%2BFMdkbsjgO4S6oFCJM5E9pIb9VJOdL6TDfSSIOQNyAYAL%2FCcOxwKRPBIY6l5X%2Bmxgvz5VObSKoxZWT7JmNyorS%2BPVLPOPtXbOJhdlDwk8aZ%", "https://vtbehaviour.commondatastorage.googleapis.com/00355f383cdfd3953bdb773247bcb38864e00fbc02f21c99bc85b9ae8a8de83c_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775157018&Signature=W6qmB2oXejWMekcxPwU%2BM2fTZ5XRnQ6InXQPfLl7OncG%2Bm3HPNHB%2FE6ygE96KZy32X4QvwY6orT3%2FSHlwBzQ3ckqedAXsZhwPNwVPN1eTjUL7BWQCVX7GFYabhv9AzqEnPZYWIUOa2P939ct2GWgfgTEtbesebRwyMue5ihDtUAV6qU1l2OuJfoS8C8GD%2FSlNeMBOTUymlaK4UmL9nmgOTq1McS%2BuJtgWwgJbI3sN9bR", "https://vtbehaviour.commondatastorage.googleapis.com/00355f383cdfd3953bdb773247bcb38864e00fbc02f21c99bc85b9ae8a8de83c_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775157047&Signature=yuzPVsphC0bG%2Bv9BmK3MOvfpxh2YUvj6B1ka6wchodQJMU0J7e6vH%2FwYLHWFiCIN7j4R6UxFeJ3ThZWdjJpObTpbPOwGZXiMlrPzB92hnLu9glo0Nxb3vEs2ztzgdkEKdSbu9SiyFyYZxQ4iwu6gfvEjT9bmVEcbVLcQEpNIevi9TPnEv%2B5D4yDqAalQb40r%2BCw%2FskC1Scj3bYgWKAGigIanlWXa0tIUmOIyNMnl6Oiq%2FRCzi7", "https://vtbehaviour.commondatastorage.googleapis.com/000ea1a97119456bc0d73d6f04298896bcf8a014015dd5a3854db979acc33ba4_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775157115&Signature=IGbBEZp40pDgcnEOLyVLG6NGd0gM9ah6hwV8nmKkZpUvBN%2Fjn1v5XN0%2FGEFFk20komfUqhGI4zwklt2Bb3VyRLNwH5yCYd80ojWWC2ZPFlaKaLhRXD4OzOrLnAG4GyZ21SRFjULCGxXx6RaUuwulye8wG52yQ5yk0cXHuHPcowCLNbfY9ZWAQs6buavYGnYInBF0LCu3CboQBrgkhANmTmmtyrV9vDfS0Bz6fsJz%2BgmmwlGNpV0NA4IJTJeZmXCh", "https://vtbehaviour.commondatastorage.googleapis.com/000ea1a97119456bc0d73d6f04298896bcf8a014015dd5a3854db979acc33ba4_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775157142&Signature=YUKsrID6gK5Kkp3Ztlp37D19a5zJHrHMGp%2Bp3gyGO0BDcTOWmIH2IIADOlf7ZwEyxpzvT8ZH%2Bbv2TFx8h6B1n9NuatpuXqxe%2FVfKTCmILqh1vZsKMh8%2BTSQQu0uemPproGACNc8JtbCaAHd7gAzuT9xa01vD4Yzcag%2Bm2nc3OjhRI0359dkuzw5Z5%2BRRcM80c0kY6Z%2FSDz4nFU9x8Gxbbcq6adN4uDjcooa9W%2F%2", "https://vtbehaviour.commondatastorage.googleapis.com/00355f383cdfd3953bdb773247bcb38864e00fbc02f21c99bc85b9ae8a8de83c_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775157171&Signature=wFaORSlZpOsDwaGFds40nh57Lh3vd%2BvFdqSDta%2BWapU98lkn38TsyUct5yym%2BseDovUqyvdVIXZauUtEnGqxpvYZximpwbeAbVtdc6MMBncoC78dOKoQbxtA3BT%2BzwKOs8jR1Cx7UYScBA2n%2BKi%2FUFE%2Fl3GvZGMSh8ekSTJNnrypI82Qa2rexteHlB8MZEdOGi15TMATCoi5SOQkKul2b5wy62%2BDaZblJEMMeN9AJYTgVYyUOZe6vM" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 272, "FileHash-MD5": 149, "FileHash-SHA1": 151, "FileHash-SHA256": 783, "domain": 140, "email": 4, "hostname": 144 }, "indicator_count": 1643, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "28 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69cec51c08c81128a8e46bd9", "name": "VirusTotal report\n for ul Business Intelligence. Moving Beyond the Obvious 2007.pdf", "description": "The full text of this page, which contains the following text, has been published on the website of Civicplus.com, the social networking site, for the first time since its launch in 2008.", "modified": "2026-05-02T19:36:13.629000", "created": "2026-04-02T19:35:56.216000", "tags": [ "file type", "chrome cache", "entry", "cache entry", "jpeg image", "jfif", "png image", "ascii text", "json", "united", "malicious", "code", "persistence", "phishing", "next", "10px", "ad code", "please", "antiddos", "firewall", "helvetica", "noscript", "request", "doctype html", "ieedge", "title", "body", "span", "android", "gmt p3p", "idc dsp", "cor adm", "devi taii", "psa psd", "ivai ivdi", "coni his", "our ind", "data", "contenttype", "performs dns", "https", "mitre attack", "network info", "processes extra", "html page", "t1055 process", "layer protocol", "overview", "overview zenbox" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/000ea1a97119456bc0d73d6f04298896bcf8a014015dd5a3854db979acc33ba4_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775158226&Signature=3QddteTdwd75BU6tgEH4xfsAlwIG9pwNTU%2B8HvPznGKaEJfuEtDcpYQyXWaSVlGW29PwL%2Fps1Qfqzxq9FuYI6MpYw3Bx7KqBKoEqzG%2BfIDblZaHtF%2Bq57ipRLnJbyvLR8w%2B1bXr7vwOsQlnBMQPRzC9hK4UR1xQRt%2BFkGma5x53fb1ICCz4wT7DcsKUsrwBYrNpWD3InFukyHR38M91oretTmUAb2PGAKNugUwaY22shu94UubqcBJGvmX", "https://vtbehaviour.commondatastorage.googleapis.com/9ca5c168d3a3b77403a468a247b08f3987c9baee621bc93a1330d4343d5167e6_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775158347&Signature=sEbgpIc1%2BiCg1xj63drTjLA1epwJeKE9CT6C%2FnPtDvvNsLwbXXgIXmkAt2dKfK5cqb2MQ6rWSIcBDnierzZWQvJ%2F%2BpnBcvgW3mwnRqcrPKCIDaXkVSOfCziQhhgU%2F0YIEehdmBIxg%2BcMlXk6Ub0B3YYdlFlz4c%2Ft13IcN1R6g1%2FPy4zGIhnQQvcGI78vhrb0VqY48%2BeoY5%2FROErUXojoI%2Bi8IP%2FrmkiUEspZnd", "https://vtbehaviour.commondatastorage.googleapis.com/9ca5c168d3a3b77403a468a247b08f3987c9baee621bc93a1330d4343d5167e6_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775158717&Signature=0%2FgP6zQY0JvD44dS9aqwH0bqe9ln9c3valuyOk8IADGwNXhOIDcXq6ivyb5hcITWzdHmiMnds3LC6HH6Dw9JXfM47tiL9OKF%2BbTQPz9B8Fr2JanaTSCRjOV2H%2FXW1wZjSdhhcSQyWhw97q4rqKyI%2F1VEbewxt2wrLP0TazgfCoHOCU2Qh08l7nSN%2F1idGUl5yUkmlHE60kQxe%2BHjcktoYejJf6exwwI9QED8MFrrm%2BGEwdmILRQtAbLe" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 281, "URL": 91, "FileHash-MD5": 9, "FileHash-SHA1": 8, "domain": 8, "hostname": 102 }, "indicator_count": 499, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "28 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69cec51dc2c14c906bce0b67", "name": "VirusTotal report\n for ul Business Intelligence. Moving Beyond the Obvious 2007.pdf", "description": "The full text of this page, which contains the following text, has been published on the website of Civicplus.com, the social networking site, for the first time since its launch in 2008.", "modified": "2026-05-02T19:36:13.629000", "created": "2026-04-02T19:35:57.899000", "tags": [ "file type", "chrome cache", "entry", "cache entry", "jpeg image", "jfif", "png image", "ascii text", "json", "united", "malicious", "code", "persistence", "phishing", "next", "10px", "ad code", "please", "antiddos", "firewall", "helvetica", "noscript", "request", "doctype html", "ieedge", "title", "body", "span", "android", "gmt p3p", "idc dsp", "cor adm", "devi taii", "psa psd", "ivai ivdi", "coni his", "our ind", "data", "contenttype", "performs dns", "https", "mitre attack", "network info", "processes extra", "html page", "t1055 process", "layer protocol", "overview", "overview zenbox" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/000ea1a97119456bc0d73d6f04298896bcf8a014015dd5a3854db979acc33ba4_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775158226&Signature=3QddteTdwd75BU6tgEH4xfsAlwIG9pwNTU%2B8HvPznGKaEJfuEtDcpYQyXWaSVlGW29PwL%2Fps1Qfqzxq9FuYI6MpYw3Bx7KqBKoEqzG%2BfIDblZaHtF%2Bq57ipRLnJbyvLR8w%2B1bXr7vwOsQlnBMQPRzC9hK4UR1xQRt%2BFkGma5x53fb1ICCz4wT7DcsKUsrwBYrNpWD3InFukyHR38M91oretTmUAb2PGAKNugUwaY22shu94UubqcBJGvmX", "https://vtbehaviour.commondatastorage.googleapis.com/9ca5c168d3a3b77403a468a247b08f3987c9baee621bc93a1330d4343d5167e6_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775158347&Signature=sEbgpIc1%2BiCg1xj63drTjLA1epwJeKE9CT6C%2FnPtDvvNsLwbXXgIXmkAt2dKfK5cqb2MQ6rWSIcBDnierzZWQvJ%2F%2BpnBcvgW3mwnRqcrPKCIDaXkVSOfCziQhhgU%2F0YIEehdmBIxg%2BcMlXk6Ub0B3YYdlFlz4c%2Ft13IcN1R6g1%2FPy4zGIhnQQvcGI78vhrb0VqY48%2BeoY5%2FROErUXojoI%2Bi8IP%2FrmkiUEspZnd", "https://vtbehaviour.commondatastorage.googleapis.com/9ca5c168d3a3b77403a468a247b08f3987c9baee621bc93a1330d4343d5167e6_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775158717&Signature=0%2FgP6zQY0JvD44dS9aqwH0bqe9ln9c3valuyOk8IADGwNXhOIDcXq6ivyb5hcITWzdHmiMnds3LC6HH6Dw9JXfM47tiL9OKF%2BbTQPz9B8Fr2JanaTSCRjOV2H%2FXW1wZjSdhhcSQyWhw97q4rqKyI%2F1VEbewxt2wrLP0TazgfCoHOCU2Qh08l7nSN%2F1idGUl5yUkmlHE60kQxe%2BHjcktoYejJf6exwwI9QED8MFrrm%2BGEwdmILRQtAbLe" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 281, "URL": 91, "FileHash-MD5": 9, "FileHash-SHA1": 8, "domain": 8, "hostname": 102 }, "indicator_count": 499, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "28 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69cec51dd4caf951207fb1a8", "name": "VirusTotal report\n for ul Business Intelligence. Moving Beyond the Obvious 2007.pdf", "description": "The full text of this page, which contains the following text, has been published on the website of Civicplus.com, the social networking site, for the first time since its launch in 2008.", "modified": "2026-05-02T19:36:13.629000", "created": "2026-04-02T19:35:57.845000", "tags": [ "file type", "chrome cache", "entry", "cache entry", "jpeg image", "jfif", "png image", "ascii text", "json", "united", "malicious", "code", "persistence", "phishing", "next", "10px", "ad code", "please", "antiddos", "firewall", "helvetica", "noscript", "request", "doctype html", "ieedge", "title", "body", "span", "android", "gmt p3p", "idc dsp", "cor adm", "devi taii", "psa psd", "ivai ivdi", "coni his", "our ind", "data", "contenttype", "performs dns", "https", "mitre attack", "network info", "processes extra", "html page", "t1055 process", "layer protocol", "overview", "overview zenbox" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/000ea1a97119456bc0d73d6f04298896bcf8a014015dd5a3854db979acc33ba4_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775158226&Signature=3QddteTdwd75BU6tgEH4xfsAlwIG9pwNTU%2B8HvPznGKaEJfuEtDcpYQyXWaSVlGW29PwL%2Fps1Qfqzxq9FuYI6MpYw3Bx7KqBKoEqzG%2BfIDblZaHtF%2Bq57ipRLnJbyvLR8w%2B1bXr7vwOsQlnBMQPRzC9hK4UR1xQRt%2BFkGma5x53fb1ICCz4wT7DcsKUsrwBYrNpWD3InFukyHR38M91oretTmUAb2PGAKNugUwaY22shu94UubqcBJGvmX", "https://vtbehaviour.commondatastorage.googleapis.com/9ca5c168d3a3b77403a468a247b08f3987c9baee621bc93a1330d4343d5167e6_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775158347&Signature=sEbgpIc1%2BiCg1xj63drTjLA1epwJeKE9CT6C%2FnPtDvvNsLwbXXgIXmkAt2dKfK5cqb2MQ6rWSIcBDnierzZWQvJ%2F%2BpnBcvgW3mwnRqcrPKCIDaXkVSOfCziQhhgU%2F0YIEehdmBIxg%2BcMlXk6Ub0B3YYdlFlz4c%2Ft13IcN1R6g1%2FPy4zGIhnQQvcGI78vhrb0VqY48%2BeoY5%2FROErUXojoI%2Bi8IP%2FrmkiUEspZnd", "https://vtbehaviour.commondatastorage.googleapis.com/9ca5c168d3a3b77403a468a247b08f3987c9baee621bc93a1330d4343d5167e6_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775158717&Signature=0%2FgP6zQY0JvD44dS9aqwH0bqe9ln9c3valuyOk8IADGwNXhOIDcXq6ivyb5hcITWzdHmiMnds3LC6HH6Dw9JXfM47tiL9OKF%2BbTQPz9B8Fr2JanaTSCRjOV2H%2FXW1wZjSdhhcSQyWhw97q4rqKyI%2F1VEbewxt2wrLP0TazgfCoHOCU2Qh08l7nSN%2F1idGUl5yUkmlHE60kQxe%2BHjcktoYejJf6exwwI9QED8MFrrm%2BGEwdmILRQtAbLe" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 281, "URL": 91, "FileHash-MD5": 9, "FileHash-SHA1": 8, "domain": 8, "hostname": 102 }, "indicator_count": 499, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "28 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69cc5323b73b229c433015b3", "name": "CAPE Sandbox", "description": "tmptigu40dy", "modified": "2026-04-30T23:10:15.978000", "created": "2026-03-31T23:05:07.234000", "tags": [ "eaaa", "maaa", "kaca", "kaaa", "eaca", "uaaa", "yaaa", "iaca", "eaei", "waaa", "dino", "cheat", "twitter", "null", "span", "title", "roboto", "false", "error", "kerm", "import", "click", "mono", "cloud", "accept", "manipulator", "restart", "runner", "factory", "checkbox", "star", "egdi", "canvas", "window", "shutdown", "win64", "small", "override", "install", "meta", "body", "project", "outer", "scroll", "speed", "score" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/0e93e52376dcfb8eab491737c187ad68d786fab0005bbf9d2ffab78ba19db907_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1774998466&Signature=Y4QdGLgX1a6Ct5CMRDpH9RdwtjTzLLVBFFtxY64ZOhJ4cyy5f3YP7kNt%2Bu9euHjYaM5LUKHRWbswYwhD%2BbmD8KZT57GNGNGF4xYoyqPgzPY1AQodW%2BZx5f3iJqPbAZq9pUjOzXtm22B%2FEx7BVn5qcm86M9I6BaNp8%2FJW2vSfzsewT0w5WhMAjuB84fIG4LrKD2X46mnchNmREfC3GQtUPwzIIkj7IIv7xyHtwbu%2Fwyg8Ib1VFz" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 141, "FileHash-SHA1": 141, "FileHash-SHA256": 142, "URL": 26, "domain": 19, "hostname": 69 }, "indicator_count": 538, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "30 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69cc5324a3e01fc39bd2905c", "name": "CAPE Sandbox", "description": "tmptigu40dy", "modified": "2026-04-30T23:10:15.978000", "created": "2026-03-31T23:05:08.976000", "tags": [ "eaaa", "maaa", "kaca", "kaaa", "eaca", "uaaa", "yaaa", "iaca", "eaei", "waaa", "dino", "cheat", "twitter", "null", "span", "title", "roboto", "false", "error", "kerm", "import", "click", "mono", "cloud", "accept", "manipulator", "restart", "runner", "factory", "checkbox", "star", "egdi", "canvas", "window", "shutdown", "win64", "small", "override", "install", "meta", "body", "project", "outer", "scroll", "speed", "score" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/0e93e52376dcfb8eab491737c187ad68d786fab0005bbf9d2ffab78ba19db907_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1774998466&Signature=Y4QdGLgX1a6Ct5CMRDpH9RdwtjTzLLVBFFtxY64ZOhJ4cyy5f3YP7kNt%2Bu9euHjYaM5LUKHRWbswYwhD%2BbmD8KZT57GNGNGF4xYoyqPgzPY1AQodW%2BZx5f3iJqPbAZq9pUjOzXtm22B%2FEx7BVn5qcm86M9I6BaNp8%2FJW2vSfzsewT0w5WhMAjuB84fIG4LrKD2X46mnchNmREfC3GQtUPwzIIkj7IIv7xyHtwbu%2Fwyg8Ib1VFz" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 141, "FileHash-SHA1": 141, "FileHash-SHA256": 142, "URL": 26, "domain": 19, "hostname": 69 }, "indicator_count": 538, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "30 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69cc5ded52dc76b20579fd67", "name": "VirusTotal report\n for sample.crx", "description": "The full text of the text and characters below:-1-2-3-4-7 January 2017:.com/1/18:00 BST.-9:30 GMT.", "modified": "2026-04-30T23:10:15.978000", "created": "2026-03-31T23:51:09.089000", "tags": [ "file type", "json", "ascii text", "png image", "crlf line", "ascii", "rgba", "unicode text", "utf8 text", "html document", "mitre attack", "malicious", "next" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/0e93e52376dcfb8eab491737c187ad68d786fab0005bbf9d2ffab78ba19db907_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775001268&Signature=YBUj6DKVhfcrBcdkki8xfcRH%2F%2FP32FDK7Zizn8pLHZ3D6s3E7isdEd2LROfkC1lKu2qP4ZcDMm8av3%2BUajeevjxBnk%2FJLOrW%2Fcl%2FG1jKYFVsw9yQm7CXUYgYjHS2JPx%2B910377bbnD7%2FQjxuptI22kTDC%2FK4Kxn6e9yDWXa7P9r63qwHoncRKLSca%2FQDZtmttEQ0ZlmTWhu5tKz%2F8hSVLfvFkZpPRcKYX%2BQoYiNdQ4wAoK" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 14, "FileHash-SHA1": 14, "FileHash-SHA256": 141, "hostname": 28, "URL": 25, "domain": 7 }, "indicator_count": 229, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "30 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69ca4a306066375786947f52", "name": "Who is safe?", "description": "<.>\nhttps://www.virustotal.com/gui/file/c656b145ce73a997b6d95ec21dcfbee1ded90d7fff2ca0bc48765c4bb671d58c/behavior", "modified": "2026-04-30T15:30:17.242000", "created": "2026-03-30T10:02:24.092000", "tags": [ "pulse analysis", "pulses otx", "pulses", "related tags", "email domain", "withheld", "privacy" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 170, "domain": 88, "email": 5, "FileHash-SHA1": 170, "FileHash-SHA256": 1028, "URL": 288, "hostname": 76 }, "indicator_count": 1825, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "30 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69c2972ecff7f021de5be0d9", "name": "CAPE Sandbox", "description": "traffic manager atm", "modified": "2026-04-23T13:04:04.453000", "created": "2026-03-24T13:52:46.060000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 141, "FileHash-SHA1": 141, "FileHash-SHA256": 142, "URL": 26, "domain": 19, "hostname": 69 }, "indicator_count": 538, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "38 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69ada5c09d976c064313bde6", "name": "CAPE Sandbox &tv", "description": "", "modified": "2026-04-07T16:31:49.011000", "created": "2026-03-08T16:37:20.937000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1221", "name": "Template Injection", "display_name": "T1221 - Template Injection" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 285, "FileHash-SHA1": 64, "FileHash-SHA256": 256, "URL": 139, "domain": 14, "email": 309, "hostname": 82 }, "indicator_count": 1149, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "53 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69b49ad5dd40a24d83cd6a72", "name": "Chris P. Ahmann \u2022 PRIVATE PROPERTY Colorado State Fixer!", "description": "", "modified": "2026-03-13T23:16:37.716000", "created": "2026-03-13T23:16:37.716000", "tags": [ "related pulses", "p1377925676", "gaz1", "sid1696503456", "sct1", "active", "dynamicloader", "medium", "write c", "search", "show", "high", "program gateway", "http traffic", "http", "write", "malware", "nivdort", "serving ip", "address", "status code", "kb body", "sha256", "gw5hjz7t975", "url https", "url http", "indicator role", "pulses url", "hostname", "poland unknown", "present sep", "present jul", "present may", "present apr", "present dec", "present jan", "moved", "passive dns", "ip address", "title", "location poland", "asn as29522", "gmt content", "accept encoding", "ipv4 add", "urls", "files", "reverse dns", "united", "record value", "aaaa", "mtb oct", "found", "error", "read c", "memcommit", "module load", "next", "showing", "trojan", "execution", "unknown", "entries", "ms windows", "intel", "as15169", "codeoverlap", "yara detections", "delphi", "worm", "win32", "win64", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "spawns", "ssl certificate", "execution att", "script urls", "treece alfrey", "meta", "germany unknown", "for privacy", "title added", "active related", "pulses", "asnone", "named pipe", "type indicator", "role title", "added active", "filehashsha256", "ally", "melika", "information", "law christopher", "https", "fake pinterest", "tsara", "traceback man", "expiro", "capture", "domain", "types of", "germany", "poland", "netherlands", "cve cve20178977", "boobs130432 nov", "learn more", "filehashmd5", "utmsourceawin", "pe32", "head microsoft", "delete", "main", "backdoor", "next associated", "gmt connection", "control", "content type", "twitter", "certificate", "redirect date", "cache", "unknown ns", "hostname add", "ipv4", "pulse pulses", "location united", "america flag", "america asn", "windows", "total", "ids detections", "url add", "related nids", "files location", "flag united", "win32mydoom nov", "domain add", "yara rule", "ee fc", "ff d5", "f0 ff", "eb e1", "ff ff", "c1 e8", "c1 c0", "eb e8", "mpress", "cache control", "x cache", "date", "name servers", "arial", "present aug", "present jun", "may god", "hall render", "palantir doing", "jeffrey scott", "jeffrey reimer", "brian sabey", "butt pirates", "scott reimer", "colorado", "quasi government", "workers compensation", "eva lisa", "eva reimer", "sammie", "montano mark", "death threats", "tulach", "hired hit men", "gay man", "gay porn", "concentra", "corruption", "palantir", "foundry", "grifter", "warning", "illegal", "apple", "contacted", "ransom", "dead", "denver" ], "references": [ "https://tamlegal.com/attorneys/christopher-p-ahmann/#breadcrumb \u2022 https://www.milehighmedia.com/en/movies", "https://www.milehighmedia.com/legal/2257 \u2022 https://www.milehighmedia", "www.milehighmedia.com \u2022 https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512", "https://www.milehighmedia.com/en/login/index/aHR0cHMlM0ElMkYlMkZtZW1iZXJzLm1pbGVoaWdobWVkaWEuY29tJTJGZW4lMkZ2aWRlb3MlMkZzd2VldGhlYXJ0dmlkZW8lM0ZhbHVwJTNEQURqeF9ITjhfd1oweU96UnpsU3NNNUZLaVVxSzBXNEN0X3NmTFpKTGVJc3M2b0RVUzkwVmp6VllNVko5eFpmdENYcFNKd3IzOTNaMG1mOEpXeVhVeVZpLTJZYVRsaGd3M25DSDRpYnRwZ25BRC1zUFhDQVUycjZJOXo2WWtRMzNVWVFhMFZyWC1YckxvcnRkVjJZdEgxSDYxZ1lhMTFNS3RZSkEzY3FlSXhFQzhtSlAzSk1tbloySURMQXlMZndPcHozSFFiTzF4T0FseXJIQ0xYem1ldFElMkE=\t \thttp://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNz", "http://www.milehighmedia.com/legal\t \u2022 https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "https://www.milehighmedia.com/de/MileHighMedia/scene/129689?utm_source=271174&utm_medium=affiliate&utm_campaign=", "http://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNzc1LCJuIjo3NiwicyI6NT...", "ttps://www.milehighmedia.com/scene/4404473/creampie-adventures-scene-2-sneaky-melanie", "https://www.milehighmedia.com/join \u2022 https://www.milehighmedia.com/models \u2022 https://www.milehighmedia.com/movies", "https://www.milehighmedia.com/model/59136/avi-love \u2022https://www.milehighmedia.com/model/60418/Justin-Hunt \u2022", "https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380", "https://www.milehighmedia.com/en/movies \u2022 https://www.milehighmedia.com/join", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "pornhub-e.com \u2022 www.pornhub.com \u2022", "https://www.sweetheartvideo.com/tsara-brashears/ \u2022 www.sweetheartvideo.com", "https://www.sweetheartvideo.com/en/?s=1?s=1&utm_source=272160&utm_medium=affiliate&utm_campaign=lovelezzies", "https://www.sweetheartvideo.com/en/dvd/Lesbian-Massage/49895", "https://www.sweetheartvideo.com/en/dvds \u2022 https://www.sweetheartvideo.com/en/login", "https://www.sweetheartvideo.com/en/model/Mona-Wales/49601 \u2022 https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432 No Expiration\t0\t URL https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432 \u2022 https://www.sweetheartvideo.com/model/63710/brandi-love", "https://www.sweetheartvideo.com/scenes?models=63710", "https://www.sweetheartvideo.com/model/63710/brandi-love", "https://www.sweetheartvideo.com/scenes?models=63710", "https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432", "https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432", "https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380", "https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022", "https://www.vgt.pl/94.152.152.233/images/logo.png", "https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/", "https://www.vgt.pl/favicon.ico", "https://www.vgt.pl/font/fa/fontawesome-webfont.eot", "https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot", "https://www.vgt.pl/font/roboto/Roboto-Medium.ttf", "https://www.vgt.pl/font/roboto/Roboto-Light.ttf \u2022", "https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js", "https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/font/roboto/Roboto-Medium.eot", "https://www.vgt.pl/font/roboto/Roboto-Regular.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Thin.eot", "https://www.vgt.pl/static/js/bootstrap-typeahead.js.179.252.2", "https://www.vgt.pl/font/roboto/Roboto-Thin.ttf \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js", "https://www.vgt.pl/font/roboto/Roboto-Regular.eot \u2022 https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/", "vgt.pl \u2022 www.hak.vgt.pl \u2022 www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 aristocrat.vgt.pl", "https://www.vgt.pl/ phishing \u2022 https://vgt.pl/ \u2022www.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png", "http://www.pornokind.vgt.pl \u2022 https://dbkuewww.m.vgt.pl \u2022 https://lokalnyhost.vgt.pl \u2022 www.xn--twj-hna.pedofil.vgt.pl", "http://www.hak.vgt.pl \u2022 http://pornokind.vgt.pl \u2022 http://sip.vgt.pl \u2022 http://smtp-qa.vgt.pl \u2022 http://vgt.pl/*.", "https://pornokind.vgt.pl \u2022 https://sip.vgt.pl \u2022 https://smtp-qa.vgt.pl \u2022 https://www.vgt.pl/94.152.156.22/logo.png", "www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png", "https://www.vgt.pl/css/ \u2022 https://www.vgt.pl/favicon.ico \u2022 https://www.vgt.pl/font/fa/fontawesome-webfont.eot", "https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022 https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot", "https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js", "https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js", "IP Address 94.152.58.192 Location Poland ASN AS29522 h88 s.a. Nameservers ns1.kei.pl. , ns2.kei.pl.", "www.happylifehappywife.com \u2022 http://www.happylifehappywife.com/2010/02/'>", "http://www.happylifehappywife.com/2010/04/'> \u2022 http://www.happylifehappywife.com/2010/05/'>", "http://www.happylifehappywife.com/2010/07/'> \u2022 http://www.happylifehappywife.com/2010/09/'>", "http://www.happylifehappywife.com/2011/06/'> \u2022 http://www.happylifehappywife.com/2011/08/'", "http://www.happylifehappywife.com/2011/08/'> \u2022 http://www.happylifehappywife.com/2012/07/'>", "http://www.happylifehappywife.com/2013/03/'> \u2022 http://www.happylifehappywife.com/index.php", "http://www.happylifehappywife.com/wp-content/themes/theme78222/images/top-right.jpg", "https://amp.mypornvid.fun/videos/8/AhxS-ej1myg/gf-18-com/\ud83c\udf81-i39m-your-present-\ud83c\udf81-girlfriend-surprises-you-for-christmas-reunion-soft-kisses-amp-cuddles", "8-25-220-162-static.reverse.queryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t5\t domain\tqueryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t8\t URL\thttp://117-114-251-162-static.reverse.queryfoundry.net/", "http://watchhers.net/index.php", "remotewd.com device local", "nr-data.net \u2022 applemusic-spotlight.myunidays.com \u2022 init.ess.apple.com \u2022 tv.apple.com", "https://browntubeporn.com/tsara-brashearsAccept-Language", "https://cg864.myhotzpic.com phishing \u2022 http://dashboard.myhotzpic.com/", "https://myhotzpic.com/tsara-brashears-hardcore-lesbian-sex/anime-studio.org*thumbs-fa...", "https://mypornvid.com/videos/27/x510fb2/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears/caillou-finger", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 http://siteinlink.d1.cnbd.net/site/maps.google.com.lb/", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 https://videolal.com/videos/tsara-brashears-dead-by-daylight.html", "http://pixelrz.com/lists/keywords/tsara-brashears-dead/360 \u2022 http://pixelrz.com/lists/keywords/tsara-brashears-dead/360] No Expiration\t4\t Domain tsara-brashears-deadspin-twitter-suspended-account-help.ht", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://twitter.com/PORNO_SEXYBABES \u2022 girlsdoporn.com", "Treece Alfrey Musat P.C. Attorneys at Law Christopher P. Ahmann | https://TamLegal.com", "https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "Worm:Win32/Autorun", "display_name": "Worm:Win32/Autorun", "target": "/malware/Worm:Win32/Autorun" }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Jaik", "display_name": "Jaik", "target": null }, { "id": "Trojan:Win32/Qshell", "display_name": "Trojan:Win32/Qshell", "target": "/malware/Trojan:Win32/Qshell" }, { "id": "Trojan:Win32/Mydoom", "display_name": "Trojan:Win32/Mydoom", "target": "/malware/Trojan:Win32/Mydoom" } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1197", "name": "BITS Jobs", "display_name": "T1197 - BITS Jobs" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": "69631fbd16e306ee2b76c4da", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8897, "domain": 2102, "hostname": 2867, "FileHash-SHA256": 3886, "FileHash-MD5": 619, "FileHash-SHA1": 555, "CVE": 3, "email": 5, "SSLCertFingerprint": 8 }, "indicator_count": 18942, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "78 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69b496396ca4987e95ad37d1", "name": "Chris Buzz by QVashni (wow)", "description": "", "modified": "2026-03-13T22:56:57.314000", "created": "2026-03-13T22:56:57.314000", "tags": [ "related pulses", "p1377925676", "gaz1", "sid1696503456", "sct1", "active", "dynamicloader", "medium", "write c", "search", "show", "high", "program gateway", "http traffic", "http", "write", "malware", "nivdort", "serving ip", "address", "status code", "kb body", "sha256", "gw5hjz7t975", "url https", "url http", "indicator role", "pulses url", "hostname", "poland unknown", "present sep", "present jul", "present may", "present apr", "present dec", "present jan", "moved", "passive dns", "ip address", "title", "location poland", "asn as29522", "gmt content", "accept encoding", "ipv4 add", "urls", "files", "reverse dns", "united", "record value", "aaaa", "mtb oct", "found", "error", "read c", "memcommit", "module load", "next", "showing", "trojan", "execution", "unknown", "entries", "ms windows", "intel", "as15169", "codeoverlap", "yara detections", "delphi", "worm", "win32", "win64", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "spawns", "ssl certificate", "execution att", "script urls", "treece alfrey", "meta", "germany unknown", "for privacy", "title added", "active related", "pulses", "asnone", "named pipe", "type indicator", "role title", "added active", "filehashsha256", "ally", "melika", "information", "law christopher", "https", "fake pinterest", "tsara", "traceback man", "expiro", "capture", "domain", "types of", "germany", "poland", "netherlands", "cve cve20178977", "boobs130432 nov", "learn more", "filehashmd5", "utmsourceawin", "pe32", "head microsoft", "delete", "main", "backdoor", "next associated", "gmt connection", "control", "content type", "twitter", "certificate", "redirect date", "cache", "unknown ns", "hostname add", "ipv4", "pulse pulses", "location united", "america flag", "america asn", "windows", "total", "ids detections", "url add", "related nids", "files location", "flag united", "win32mydoom nov", "domain add", "yara rule", "ee fc", "ff d5", "f0 ff", "eb e1", "ff ff", "c1 e8", "c1 c0", "eb e8", "mpress", "cache control", "x cache", "date", "name servers", "arial", "present aug", "present jun", "may god", "hall render", "palantir doing", "jeffrey scott", "jeffrey reimer", "brian sabey", "butt pirates", "scott reimer", "colorado", "quasi government", "workers compensation", "eva lisa", "eva reimer", "sammie", "montano mark", "death threats", "tulach", "hired hit men", "gay man", "gay porn", "concentra", "corruption", "palantir", "foundry", "grifter", "warning", "illegal", "apple", "contacted", "ransom", "dead", "denver" ], "references": [ "https://tamlegal.com/attorneys/christopher-p-ahmann/#breadcrumb \u2022 https://www.milehighmedia.com/en/movies", "https://www.milehighmedia.com/legal/2257 \u2022 https://www.milehighmedia", "www.milehighmedia.com \u2022 https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512", "https://www.milehighmedia.com/en/login/index/aHR0cHMlM0ElMkYlMkZtZW1iZXJzLm1pbGVoaWdobWVkaWEuY29tJTJGZW4lMkZ2aWRlb3MlMkZzd2VldGhlYXJ0dmlkZW8lM0ZhbHVwJTNEQURqeF9ITjhfd1oweU96UnpsU3NNNUZLaVVxSzBXNEN0X3NmTFpKTGVJc3M2b0RVUzkwVmp6VllNVko5eFpmdENYcFNKd3IzOTNaMG1mOEpXeVhVeVZpLTJZYVRsaGd3M25DSDRpYnRwZ25BRC1zUFhDQVUycjZJOXo2WWtRMzNVWVFhMFZyWC1YckxvcnRkVjJZdEgxSDYxZ1lhMTFNS3RZSkEzY3FlSXhFQzhtSlAzSk1tbloySURMQXlMZndPcHozSFFiTzF4T0FseXJIQ0xYem1ldFElMkE=\t \thttp://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNz", "http://www.milehighmedia.com/legal\t \u2022 https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "https://www.milehighmedia.com/de/MileHighMedia/scene/129689?utm_source=271174&utm_medium=affiliate&utm_campaign=", "http://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNzc1LCJuIjo3NiwicyI6NT...", "ttps://www.milehighmedia.com/scene/4404473/creampie-adventures-scene-2-sneaky-melanie", "https://www.milehighmedia.com/join \u2022 https://www.milehighmedia.com/models \u2022 https://www.milehighmedia.com/movies", "https://www.milehighmedia.com/model/59136/avi-love \u2022https://www.milehighmedia.com/model/60418/Justin-Hunt \u2022", "https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380", "https://www.milehighmedia.com/en/movies \u2022 https://www.milehighmedia.com/join", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "pornhub-e.com \u2022 www.pornhub.com \u2022", "https://www.sweetheartvideo.com/tsara-brashears/ \u2022 www.sweetheartvideo.com", "https://www.sweetheartvideo.com/en/?s=1?s=1&utm_source=272160&utm_medium=affiliate&utm_campaign=lovelezzies", "https://www.sweetheartvideo.com/en/dvd/Lesbian-Massage/49895", "https://www.sweetheartvideo.com/en/dvds \u2022 https://www.sweetheartvideo.com/en/login", "https://www.sweetheartvideo.com/en/model/Mona-Wales/49601 \u2022 https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432 No Expiration\t0\t URL https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432 \u2022 https://www.sweetheartvideo.com/model/63710/brandi-love", "https://www.sweetheartvideo.com/scenes?models=63710", "https://www.sweetheartvideo.com/model/63710/brandi-love", "https://www.sweetheartvideo.com/scenes?models=63710", "https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432", "https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432", "https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380", "https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022", "https://www.vgt.pl/94.152.152.233/images/logo.png", "https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/", "https://www.vgt.pl/favicon.ico", "https://www.vgt.pl/font/fa/fontawesome-webfont.eot", "https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot", "https://www.vgt.pl/font/roboto/Roboto-Medium.ttf", "https://www.vgt.pl/font/roboto/Roboto-Light.ttf \u2022", "https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js", "https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/font/roboto/Roboto-Medium.eot", "https://www.vgt.pl/font/roboto/Roboto-Regular.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Thin.eot", "https://www.vgt.pl/static/js/bootstrap-typeahead.js.179.252.2", "https://www.vgt.pl/font/roboto/Roboto-Thin.ttf \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js", "https://www.vgt.pl/font/roboto/Roboto-Regular.eot \u2022 https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/", "vgt.pl \u2022 www.hak.vgt.pl \u2022 www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 aristocrat.vgt.pl", "https://www.vgt.pl/ phishing \u2022 https://vgt.pl/ \u2022www.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png", "http://www.pornokind.vgt.pl \u2022 https://dbkuewww.m.vgt.pl \u2022 https://lokalnyhost.vgt.pl \u2022 www.xn--twj-hna.pedofil.vgt.pl", "http://www.hak.vgt.pl \u2022 http://pornokind.vgt.pl \u2022 http://sip.vgt.pl \u2022 http://smtp-qa.vgt.pl \u2022 http://vgt.pl/*.", "https://pornokind.vgt.pl \u2022 https://sip.vgt.pl \u2022 https://smtp-qa.vgt.pl \u2022 https://www.vgt.pl/94.152.156.22/logo.png", "www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png", "https://www.vgt.pl/css/ \u2022 https://www.vgt.pl/favicon.ico \u2022 https://www.vgt.pl/font/fa/fontawesome-webfont.eot", "https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022 https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot", "https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js", "https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js", "IP Address 94.152.58.192 Location Poland ASN AS29522 h88 s.a. Nameservers ns1.kei.pl. , ns2.kei.pl.", "www.happylifehappywife.com \u2022 http://www.happylifehappywife.com/2010/02/'>", "http://www.happylifehappywife.com/2010/04/'> \u2022 http://www.happylifehappywife.com/2010/05/'>", "http://www.happylifehappywife.com/2010/07/'> \u2022 http://www.happylifehappywife.com/2010/09/'>", "http://www.happylifehappywife.com/2011/06/'> \u2022 http://www.happylifehappywife.com/2011/08/'", "http://www.happylifehappywife.com/2011/08/'> \u2022 http://www.happylifehappywife.com/2012/07/'>", "http://www.happylifehappywife.com/2013/03/'> \u2022 http://www.happylifehappywife.com/index.php", "http://www.happylifehappywife.com/wp-content/themes/theme78222/images/top-right.jpg", "https://amp.mypornvid.fun/videos/8/AhxS-ej1myg/gf-18-com/\ud83c\udf81-i39m-your-present-\ud83c\udf81-girlfriend-surprises-you-for-christmas-reunion-soft-kisses-amp-cuddles", "8-25-220-162-static.reverse.queryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t5\t domain\tqueryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t8\t URL\thttp://117-114-251-162-static.reverse.queryfoundry.net/", "http://watchhers.net/index.php", "remotewd.com device local", "nr-data.net \u2022 applemusic-spotlight.myunidays.com \u2022 init.ess.apple.com \u2022 tv.apple.com", "https://browntubeporn.com/tsara-brashearsAccept-Language", "https://cg864.myhotzpic.com phishing \u2022 http://dashboard.myhotzpic.com/", "https://myhotzpic.com/tsara-brashears-hardcore-lesbian-sex/anime-studio.org*thumbs-fa...", "https://mypornvid.com/videos/27/x510fb2/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears/caillou-finger", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 http://siteinlink.d1.cnbd.net/site/maps.google.com.lb/", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 https://videolal.com/videos/tsara-brashears-dead-by-daylight.html", "http://pixelrz.com/lists/keywords/tsara-brashears-dead/360 \u2022 http://pixelrz.com/lists/keywords/tsara-brashears-dead/360] No Expiration\t4\t Domain tsara-brashears-deadspin-twitter-suspended-account-help.ht", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://twitter.com/PORNO_SEXYBABES \u2022 girlsdoporn.com", "Treece Alfrey Musat P.C. Attorneys at Law Christopher P. Ahmann | https://TamLegal.com", "https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "Worm:Win32/Autorun", "display_name": "Worm:Win32/Autorun", "target": "/malware/Worm:Win32/Autorun" }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Jaik", "display_name": "Jaik", "target": null }, { "id": "Trojan:Win32/Qshell", "display_name": "Trojan:Win32/Qshell", "target": "/malware/Trojan:Win32/Qshell" }, { "id": "Trojan:Win32/Mydoom", "display_name": "Trojan:Win32/Mydoom", "target": "/malware/Trojan:Win32/Mydoom" } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1197", "name": "BITS Jobs", "display_name": "T1197 - BITS Jobs" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": "69482caa00d327da8f0a87bc", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8897, "domain": 2102, "hostname": 2867, "FileHash-SHA256": 3886, "FileHash-MD5": 619, "FileHash-SHA1": 555, "CVE": 3, "email": 5, "SSLCertFingerprint": 8 }, "indicator_count": 18942, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "78 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69b49587dd104e342dda1628", "name": "C Ahman Attorney Clone by Top Tier, Q.Vashti", "description": "", "modified": "2026-03-13T22:53:59.112000", "created": "2026-03-13T22:53:59.112000", "tags": [ "related pulses", "p1377925676", "gaz1", "sid1696503456", "sct1", "active", "dynamicloader", "medium", "write c", "search", "show", "high", "program gateway", "http traffic", "http", "write", "malware", "nivdort", "serving ip", "address", "status code", "kb body", "sha256", "gw5hjz7t975", "url https", "url http", "indicator role", "pulses url", "hostname", "poland unknown", "present sep", "present jul", "present may", "present apr", "present dec", "present jan", "moved", "passive dns", "ip address", "title", "location poland", "asn as29522", "gmt content", "accept encoding", "ipv4 add", "urls", "files", "reverse dns", "united", "record value", "aaaa", "mtb oct", "found", "error", "read c", "memcommit", "module load", "next", "showing", "trojan", "execution", "unknown", "entries", "ms windows", "intel", "as15169", "codeoverlap", "yara detections", "delphi", "worm", "win32", "win64", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "spawns", "ssl certificate", "execution att", "script urls", "treece alfrey", "meta", "germany unknown", "for privacy", "title added", "active related", "pulses", "asnone", "named pipe", "type indicator", "role title", "added active", "filehashsha256", "ally", "melika", "information", "law christopher", "https", "fake pinterest", "tsara", "traceback man", "expiro", "capture", "domain", "types of", "germany", "poland", "netherlands", "cve cve20178977", "boobs130432 nov", "learn more", "filehashmd5", "utmsourceawin", "pe32", "head microsoft", "delete", "main", "backdoor", "next associated", "gmt connection", "control", "content type", "twitter", "certificate", "redirect date", "cache", "unknown ns", "hostname add", "ipv4", "pulse pulses", "location united", "america flag", "america asn", "windows", "total", "ids detections", "url add", "related nids", "files location", "flag united", "win32mydoom nov", "domain add", "yara rule", "ee fc", "ff d5", "f0 ff", "eb e1", "ff ff", "c1 e8", "c1 c0", "eb e8", "mpress", "cache control", "x cache", "date", "name servers", "arial", "present aug", "present jun", "may god", "hall render", "palantir doing", "jeffrey scott", "jeffrey reimer", "brian sabey", "butt pirates", "scott reimer", "colorado", "quasi government", "workers compensation", "eva lisa", "eva reimer", "sammie", "montano mark", "death threats", "tulach", "hired hit men", "gay man", "gay porn", "concentra", "corruption", "palantir", "foundry", "grifter", "warning", "illegal", "apple", "contacted", "ransom", "dead", "denver" ], "references": [ "https://tamlegal.com/attorneys/christopher-p-ahmann/#breadcrumb \u2022 https://www.milehighmedia.com/en/movies", "https://www.milehighmedia.com/legal/2257 \u2022 https://www.milehighmedia", "www.milehighmedia.com \u2022 https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512", "https://www.milehighmedia.com/en/login/index/aHR0cHMlM0ElMkYlMkZtZW1iZXJzLm1pbGVoaWdobWVkaWEuY29tJTJGZW4lMkZ2aWRlb3MlMkZzd2VldGhlYXJ0dmlkZW8lM0ZhbHVwJTNEQURqeF9ITjhfd1oweU96UnpsU3NNNUZLaVVxSzBXNEN0X3NmTFpKTGVJc3M2b0RVUzkwVmp6VllNVko5eFpmdENYcFNKd3IzOTNaMG1mOEpXeVhVeVZpLTJZYVRsaGd3M25DSDRpYnRwZ25BRC1zUFhDQVUycjZJOXo2WWtRMzNVWVFhMFZyWC1YckxvcnRkVjJZdEgxSDYxZ1lhMTFNS3RZSkEzY3FlSXhFQzhtSlAzSk1tbloySURMQXlMZndPcHozSFFiTzF4T0FseXJIQ0xYem1ldFElMkE=\t \thttp://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNz", "http://www.milehighmedia.com/legal\t \u2022 https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "https://www.milehighmedia.com/de/MileHighMedia/scene/129689?utm_source=271174&utm_medium=affiliate&utm_campaign=", "http://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNzc1LCJuIjo3NiwicyI6NT...", "ttps://www.milehighmedia.com/scene/4404473/creampie-adventures-scene-2-sneaky-melanie", "https://www.milehighmedia.com/join \u2022 https://www.milehighmedia.com/models \u2022 https://www.milehighmedia.com/movies", "https://www.milehighmedia.com/model/59136/avi-love \u2022https://www.milehighmedia.com/model/60418/Justin-Hunt \u2022", "https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380", "https://www.milehighmedia.com/en/movies \u2022 https://www.milehighmedia.com/join", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "pornhub-e.com \u2022 www.pornhub.com \u2022", "https://www.sweetheartvideo.com/tsara-brashears/ \u2022 www.sweetheartvideo.com", "https://www.sweetheartvideo.com/en/?s=1?s=1&utm_source=272160&utm_medium=affiliate&utm_campaign=lovelezzies", "https://www.sweetheartvideo.com/en/dvd/Lesbian-Massage/49895", "https://www.sweetheartvideo.com/en/dvds \u2022 https://www.sweetheartvideo.com/en/login", "https://www.sweetheartvideo.com/en/model/Mona-Wales/49601 \u2022 https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432 No Expiration\t0\t URL https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432 \u2022 https://www.sweetheartvideo.com/model/63710/brandi-love", "https://www.sweetheartvideo.com/scenes?models=63710", "https://www.sweetheartvideo.com/model/63710/brandi-love", "https://www.sweetheartvideo.com/scenes?models=63710", "https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432", "https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432", "https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380", "https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022", "https://www.vgt.pl/94.152.152.233/images/logo.png", "https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/", "https://www.vgt.pl/favicon.ico", "https://www.vgt.pl/font/fa/fontawesome-webfont.eot", "https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot", "https://www.vgt.pl/font/roboto/Roboto-Medium.ttf", "https://www.vgt.pl/font/roboto/Roboto-Light.ttf \u2022", "https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js", "https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/font/roboto/Roboto-Medium.eot", "https://www.vgt.pl/font/roboto/Roboto-Regular.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Thin.eot", "https://www.vgt.pl/static/js/bootstrap-typeahead.js.179.252.2", "https://www.vgt.pl/font/roboto/Roboto-Thin.ttf \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js", "https://www.vgt.pl/font/roboto/Roboto-Regular.eot \u2022 https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/", "vgt.pl \u2022 www.hak.vgt.pl \u2022 www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 aristocrat.vgt.pl", "https://www.vgt.pl/ phishing \u2022 https://vgt.pl/ \u2022www.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png", "http://www.pornokind.vgt.pl \u2022 https://dbkuewww.m.vgt.pl \u2022 https://lokalnyhost.vgt.pl \u2022 www.xn--twj-hna.pedofil.vgt.pl", "http://www.hak.vgt.pl \u2022 http://pornokind.vgt.pl \u2022 http://sip.vgt.pl \u2022 http://smtp-qa.vgt.pl \u2022 http://vgt.pl/*.", "https://pornokind.vgt.pl \u2022 https://sip.vgt.pl \u2022 https://smtp-qa.vgt.pl \u2022 https://www.vgt.pl/94.152.156.22/logo.png", "www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png", "https://www.vgt.pl/css/ \u2022 https://www.vgt.pl/favicon.ico \u2022 https://www.vgt.pl/font/fa/fontawesome-webfont.eot", "https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022 https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot", "https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js", "https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js", "IP Address 94.152.58.192 Location Poland ASN AS29522 h88 s.a. Nameservers ns1.kei.pl. , ns2.kei.pl.", "www.happylifehappywife.com \u2022 http://www.happylifehappywife.com/2010/02/'>", "http://www.happylifehappywife.com/2010/04/'> \u2022 http://www.happylifehappywife.com/2010/05/'>", "http://www.happylifehappywife.com/2010/07/'> \u2022 http://www.happylifehappywife.com/2010/09/'>", "http://www.happylifehappywife.com/2011/06/'> \u2022 http://www.happylifehappywife.com/2011/08/'", "http://www.happylifehappywife.com/2011/08/'> \u2022 http://www.happylifehappywife.com/2012/07/'>", "http://www.happylifehappywife.com/2013/03/'> \u2022 http://www.happylifehappywife.com/index.php", "http://www.happylifehappywife.com/wp-content/themes/theme78222/images/top-right.jpg", "https://amp.mypornvid.fun/videos/8/AhxS-ej1myg/gf-18-com/\ud83c\udf81-i39m-your-present-\ud83c\udf81-girlfriend-surprises-you-for-christmas-reunion-soft-kisses-amp-cuddles", "8-25-220-162-static.reverse.queryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t5\t domain\tqueryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t8\t URL\thttp://117-114-251-162-static.reverse.queryfoundry.net/", "http://watchhers.net/index.php", "remotewd.com device local", "nr-data.net \u2022 applemusic-spotlight.myunidays.com \u2022 init.ess.apple.com \u2022 tv.apple.com", "https://browntubeporn.com/tsara-brashearsAccept-Language", "https://cg864.myhotzpic.com phishing \u2022 http://dashboard.myhotzpic.com/", "https://myhotzpic.com/tsara-brashears-hardcore-lesbian-sex/anime-studio.org*thumbs-fa...", "https://mypornvid.com/videos/27/x510fb2/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears/caillou-finger", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 http://siteinlink.d1.cnbd.net/site/maps.google.com.lb/", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 https://videolal.com/videos/tsara-brashears-dead-by-daylight.html", "http://pixelrz.com/lists/keywords/tsara-brashears-dead/360 \u2022 http://pixelrz.com/lists/keywords/tsara-brashears-dead/360] No Expiration\t4\t Domain tsara-brashears-deadspin-twitter-suspended-account-help.ht", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://twitter.com/PORNO_SEXYBABES \u2022 girlsdoporn.com", "Treece Alfrey Musat P.C. Attorneys at Law Christopher P. Ahmann | https://TamLegal.com", "https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "Worm:Win32/Autorun", "display_name": "Worm:Win32/Autorun", "target": "/malware/Worm:Win32/Autorun" }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Jaik", "display_name": "Jaik", "target": null }, { "id": "Trojan:Win32/Qshell", "display_name": "Trojan:Win32/Qshell", "target": "/malware/Trojan:Win32/Qshell" }, { "id": "Trojan:Win32/Mydoom", "display_name": "Trojan:Win32/Mydoom", "target": "/malware/Trojan:Win32/Mydoom" } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1197", "name": "BITS Jobs", "display_name": "T1197 - BITS Jobs" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": "691f4d4ef0a2a570b8b21cd2", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8897, "domain": 2102, "hostname": 2867, "FileHash-SHA256": 3886, "FileHash-MD5": 619, "FileHash-SHA1": 555, "CVE": 3, "email": 5, "SSLCertFingerprint": 8 }, "indicator_count": 18942, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "78 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69ad9e6f5bc9e8d69ad1f7c6", "name": "VirusTotal report\n for DevKinsta-2.13.4-arm64.zip", "description": "", "modified": "2026-03-08T16:06:07.250000", "created": "2026-03-08T16:06:07.250000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 99, "FileHash-MD5": 28, "FileHash-SHA1": 28, "FileHash-SHA256": 223, "domain": 10, "hostname": 12 }, "indicator_count": 400, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "83 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "Alerts: infostealer_cookies persistence_autorun recon_programs recon_fingerprint removes_zoneid_ads anomalous_deletefile", "https://www.sweetheartvideo.com/en/dvds \u2022 https://www.sweetheartvideo.com/en/login", "https://vtbehaviour.commondatastorage.googleapis.com/07f5960476ab34754f3e04143caf2d4899cb09e6b271bfd27ef1f1c8977ca050_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779681591&Signature=uoP10og17YxXUe0yZ8kll3N15RJJ%2Bf5pJFzW0MUe4fdvXaLlcOfCxs%2B6EyW23FSqTj%2FbNedtUC6z7Y0dgMPBtJC%2F9gOhXEZj5%2BKKwnQbCBe7GuFtEsVMMkQRdiDQxJYZipAId1MwoBChhx%2BSr%2FrboVkDq%2F%2FbNLvWS6keRMn4fa8GX%2BF0lIJepJ98sjwXs48DXBch8974olbyd38VGGp1bLMl7mycstrQ2hIy2MFXWD", "Domains Contacted: xred.mooo.com www.download.windowsupdate.com docs.google.com", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b", "https://www.verizon.com/business/", "ttps://www.milehighmedia.com/scene/4404473/creampie-adventures-scene-2-sneaky-melanie", "https://www.milehighmedia.com/en/login/index/aHR0cHMlM0ElMkYlMkZtZW1iZXJzLm1pbGVoaWdobWVkaWEuY29tJTJGZW4lMkZ2aWRlb3MlMkZzd2VldGhlYXJ0dmlkZW8lM0ZhbHVwJTNEQURqeF9ITjhfd1oweU96UnpsU3NNNUZLaVVxSzBXNEN0X3NmTFpKTGVJc3M2b0RVUzkwVmp6VllNVko5eFpmdENYcFNKd3IzOTNaMG1mOEpXeVhVeVZpLTJZYVRsaGd3M25DSDRpYnRwZ25BRC1zUFhDQVUycjZJOXo2WWtRMzNVWVFhMFZyWC1YckxvcnRkVjJZdEgxSDYxZ1lhMTFNS3RZSkEzY3FlSXhFQzhtSlAzSk1tbloySURMQXlMZndPcHozSFFiTzF4T0FseXJIQ0xYem1ldFElMkE=\t \thttp://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNz", "https://vtbehaviour.commondatastorage.googleapis.com/0e93e52376dcfb8eab491737c187ad68d786fab0005bbf9d2ffab78ba19db907_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775001268&Signature=YBUj6DKVhfcrBcdkki8xfcRH%2F%2FP32FDK7Zizn8pLHZ3D6s3E7isdEd2LROfkC1lKu2qP4ZcDMm8av3%2BUajeevjxBnk%2FJLOrW%2Fcl%2FG1jKYFVsw9yQm7CXUYgYjHS2JPx%2B910377bbnD7%2FQjxuptI22kTDC%2FK4Kxn6e9yDWXa7P9r63qwHoncRKLSca%2FQDZtmttEQ0ZlmTWhu5tKz%2F8hSVLfvFkZpPRcKYX%2BQoYiNdQ4wAoK", "pornhub-e.com \u2022 www.pornhub.com \u2022", "x.com \u2022 https://x.com/BastionMediaFR/status/2042194819397673290", "Mr. Tulach \u2022 known for his work in cybersecurity, particularly in reverse engineering & malware analysis", "Alerts: stealth_window cmdline_http_link uses_windows_utilities suspicious_command_tools dead_connect", "https://www.sweetheartvideo.com/model/63710/brandi-love", "https://vtbehaviour.commondatastorage.googleapis.com/087797e64cf016f13eac46473b4150d49c7eba564c894300f69bc643b059c980_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775739700&Signature=bOTo%2FxCpGDGOsIKJDZjBBhLZRg8UiOGi%2FvVr47Xpmh7tOh9dez7911bi%2F9SUdu4ATLhzRVog%2BdVP%2BUPwTuEfIdEcPuGRGVc1KOSP3fTQrKhRjF3x2dqykxVCH%2B1iqBmCgod%2B1uAdlraxqSOeOgst1l%2Bk250uXff4axktE%2BfGjeNDeGJao%2FfOMktqIL7zU8%2BIQYTObwelnnYx45FBSiXI1bWM4vhdgIX4cs2cT%2F", "https://vtbehaviour.commondatastorage.googleapis.com/036d1a174e3ef9a15c8075248958c4f36d8817573ef3f6f12c62850976b32737_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779679450&Signature=Xsh6GXCTvOkupXYUUQGiHNgx%2FWmCftYcZVdWxsZHvLRN%2FB6NnyiBI7GU7MIIp%2BWK9bAgMazFDSG%2BuFE5DhyKycaRjrO%2FvO8BdtjfsiNwq%2FOCo%2B0zhhNqe%2BONe79ktGFAo08vKEnOCs5jHG7AxZH07bzAUjvvdK9iUvMsNsmiCWU05%2Bgn1KMjU2Tk9%2Brbbwy0HgEMK4jBH8u8hHNsV1FFHVLWckRu%2FQ7QM19y6kEq", "https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432", "https://www.vgt.pl/font/roboto/Roboto-Medium.ttf", "Interesting Strings: http://www.interoperabilitybridges.com/wmp http://crbug.com/40902 http://crbug.com/516527", "https://www.vgt.pl/static/js/bootstrap-typeahead.js.179.252.2", "https://securityaffairs.com/144927/cyber-crime~#", "https://securityaffairs.com/144927/cyber-crime/qbot-campaign-april-2023.html", "www.happylifehappywife.com \u2022 http://www.happylifehappywife.com/2010/02/'>", "https://twitter.com/PORNO_SEXYBABES \u2022 girlsdoporn.com", "Alerts: network_http nids_alert suspicious_tld allocates_rwx antisandbox_foregroundwindows", "http://watchhers.net/index.php", "Alerts: enumerates_physical_drives clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile", "bleepingcomputer.com \u2022 CliffsNotes", "remote.poc-2.com \u2022 https://otx.alienvault.com/indicator/url/https://tulach.cc/assets/img/ogp.png", "https://vtbehaviour.commondatastorage.googleapis.com/2c7002510767deb9bbb0d2ee2d47be98828bf5b6e999d6cd882b1c1a1c908510_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779683299&Signature=RMRBhdx9cTLEwBYgOaiBV4x03W8laZvNMUtTq68ykLCh0R5toTaD64MdSiBhgsNAZLaS8z9dPsGmVcfMC8U5sPrXXLzAt9CBPoJjT2jV40HyYrW58xs3wjf65936U00bQy9DGFrlU7xInrhEocKiXuD17i5A%2F7tdPgx74I6xY906Ua8hyOe3f5zVmaxE6zpNAonyZtoHtHmnuDLG71DTPwYyiKcGPff7glIXoNalw4ST3jQr3Ma%2Fv1Q3De", "Due to Samuel Tulach\u2019s good reputation , assume his assets are being abused by threat actors targeting", "https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022", "pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://vtbehaviour.commondatastorage.googleapis.com/105f31af20fdb87d442f81aad0c3a54030b7e214c4796cf2a069bae6aa89dc65_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682395&Signature=oVg82i1yTG%2BGfhoL5FyBdK%2BZKa6wi2iWMpwHyA77jBFtAOZxw%2Bs6z6So26GWDthH7UMEzwZwQC6ENF1TLBEqXukldXMdMg%2FvNylvy7vCdDKDsw53Ibc7vKnu5T0lNumnv%2FD5vnV14QZrzAE8PG3J0S0rtheY8mNCkM6t1w52XYYm5mfnGJXsnjyMEvgURuPhzOIq9%2B%2FG7XUWFK0vK%2BlzKmZU627%2FKYkT9EWHOI8Nyx%2FJUqad%2", "https://pin.it/ | https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://vtbehaviour.commondatastorage.googleapis.com/d5bf2e0581ad7dca4e49e58e379107bf01ab36ae8e0900692e5782bfe7e86aba_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775558351&Signature=y1XPW6XWHz4cFiInU2H1MRXTtywNvzuP6qP%2BVIkFaZMsxldmbqUekc%2Fp3b1VId4O3UC3ckTmGqsRuznTxQLfWOOnxRXlD4QK4HFzPpTpKHXqWlrtdznOpHY%2Bv7wTzMzremLNFsxERoSd3zbAhEhirVop5Px%2BL937P9ywZuKM2DctbhUyiBzYXg%2FMjeVExwS%2FNlP8Sn%2BCx5tVuOIsiQoaZM%2FLak%2BsYPZVGDXZZn", "https://vtbehaviour.commondatastorage.googleapis.com/23671e33d82282324fc51576616dbb92814adc4d17eb7014dc4e2f891ea7f4ae_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779531342&Signature=MsuL%2B3SZcdwh8PtkojSZiAkej0M%2FX59YS9DllA%2BRLg6Z%2FV43R4XBkqKm%2BsQjDvTRdh%2BFRjO2rtuvYPHG%2By1RpurAOIjZEBs3F2ZYmv6mE62mgf4bDqgnUZS5myKTtlD%2BnuWRL7up%2B197%2F4VEXIqM8hxzhGDo7jmUeU0HERH%2FUnTThLnOjAWlGHNITZ7ffU0tKlYMKo%2BHqAkV9AerG5R%2FZdAh7nZidUf8wYpV", "Alerts: windows_utilities antivm_memory_available pe_features raises_exception", "Interesting Strings: https://support.google.com/chrome/?p=plugin_pdf", "https://mypornvid.com/videos/27/x510fb2/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears/caillou-finger", "https://vtbehaviour.commondatastorage.googleapis.com/17c1908439bc7132f6a7c496c68d39b0c0cee504fe9020c920a2d1d04685fb5b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682251&Signature=z6Lrdrr5u6YZdzJaR%2B2Qab%2F%2FVA6%2FL6JaNA4%2BVxLe9wEjL%2B2ARzGBhQdq6RTX5ez3SDTWWmc%2BrOypKxxCsLeXUbjYRoIgcsSzYIxWQWoEl35tFARLVKf%2FVf%2B696U6PYQ%2F1BNWxSfuNOeUVNK2pIiMYCUjLnikvUyj9Ip3MrgKOaV9v9SShCLay93Y7b3GbAUZ2Jzy18PEYf%2FLuk4fDrqITmP2upsysOJq1MhZcJ%2", "http://www.happylifehappywife.com/wp-content/themes/theme78222/images/top-right.jpg", "8-25-220-162-static.reverse.queryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t5\t domain\tqueryfoundry.net\t\t\tNov 1, 2025, 9:34:14 AM\t\t8\t URL\thttp://117-114-251-162-static.reverse.queryfoundry.net/", "https://pornokind.vgt.pl \u2022 https://sip.vgt.pl \u2022 https://smtp-qa.vgt.pl \u2022 https://www.vgt.pl/94.152.156.22/logo.png", "https://otx.alienvault.com/indicator/file/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b", "Win32:Crypt-SKC\\ [Trj] , Win.Malware.Delf-6899401-0 , Worm:Win32/AutoRun!atmn", "https://vtbehaviour.commondatastorage.googleapis.com/5f9b9db4e9200b4576d6e8bc2888d6e7ab28a04e66083366bcde57915eed5078_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779683897&Signature=A1uHov9N8mIMBn6lVPETST7i%2F%2F3lKCkTSifHpWYQ8lqnGw3%2FwBD1QhGr1tH%2BYzg4xJYZR1vHPxcGC2biWNZtPF89Sx8FKf%2F18O4PHYJb1n7YfdP24JbV%2BkekQpomFKe66pKsf0gWQQx1zTJDWvam9HuvVTyCV9h22TLG%2FmBDvK4SftnNssRv0EkzKP9dNqTfjJdMh0Y0rIEyQdNLLo%2BLsWQbrx2yxJo6kZD%2FJC", "https://www.vgt.pl/font/roboto/Roboto-Regular.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Thin.eot", "https://vtbehaviour.commondatastorage.googleapis.com/9ca5c168d3a3b77403a468a247b08f3987c9baee621bc93a1330d4343d5167e6_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775158347&Signature=sEbgpIc1%2BiCg1xj63drTjLA1epwJeKE9CT6C%2FnPtDvvNsLwbXXgIXmkAt2dKfK5cqb2MQ6rWSIcBDnierzZWQvJ%2F%2BpnBcvgW3mwnRqcrPKCIDaXkVSOfCziQhhgU%2F0YIEehdmBIxg%2BcMlXk6Ub0B3YYdlFlz4c%2Ft13IcN1R6g1%2FPy4zGIhnQQvcGI78vhrb0VqY48%2BeoY5%2FROErUXojoI%2Bi8IP%2FrmkiUEspZnd", "Interesting Strings: http://schema.org/GovernmentOrganization https://support.google.com/chrome/?p=plugin_java https://crbug.com/593166", "https://vtbehaviour.commondatastorage.googleapis.com/e068d8d9f9dae873ec78bd5a88df561893c18b1df6200a958a864c34d27e0a3d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779530824&Signature=oRifg%2BGsx5SCY%2B4rLdvAqryqS3Xlu3DCrHZifO%2Bh9YOQAM4528P%2Bi6LzgYdE0hyDe8HlrfIhswkzkUOf8K4%2FzdoebqTYkwrHmPiJeW4cetq5F2qEeUU7RVbiXVUvLGYwThftr3BuB%2FtW3u%2Fl9v9AyS38ZTrk3B%2BjdQI5OqLikCMwV9lO%2B3lOB05pg6dpqHO3ycZUK2sMy5MgMqqyj%2FY2HLFVTv4wp4ea8PF%2Fswj4", "https://vtbehaviour.commondatastorage.googleapis.com/036d1a174e3ef9a15c8075248958c4f36d8817573ef3f6f12c62850976b32737_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779679610&Signature=CFTzWPXcfKua6uilDSrmKC177u7eSQdDxWa1Sqd5eaP1s%2B4xUAW73v1uovAfukRKPolFfRM1MxR%2F%2FRuE0RYh91RlLjNLYqJFXkGVCvuSzn9TzvGRPP2H6ngGcA%2B2XK4mvcVZOXLPMF1EcYDmbC9CTZyaqkUF3bun9LQv9j%2BQ9cz1xsNyGkCjrF2OVvBfR%2FBsE4fxBcBPSMret5BpGFOf4fn3jbrsEmDvet4tyz2SkZJeKhZL7dlOERabun", "Domains Contacted: pki.goog www.microsoft.com ocsp.pki.goog freedns.afraid.org", "https://vtbehaviour.commondatastorage.googleapis.com/7f9899e42bccdd1d6479b573fb1bb9277b4bd42e8f6ef73c5456f606949e7cf5_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779530727&Signature=xFLQpUtdhw77th%2BADVS4Sl3y8VCEFYpShlfIJ6D6zJme%2BtY0lUlxv2N7hvxGbwSTYKBYQSyu735BqpgvSUc5e%2BC%2B9XseD6ERlB2kCJmvUPalqCOgZABMyb6mGaG5MMGgxP19UjM1qrUOxI2iJSjEQQ4LLmmkLf7%2B6XGhtqkIG4O2hZ5ABCrdbqytgJkuVl7VMDYelEnoYLLma9GDq1ytLfUObtoINW48v1xg1Mykxldjv6gV2DWr", "https://vtbehaviour.commondatastorage.googleapis.com/00497722a5a78f54380688c2f4e13f3ef6ae5ba3179e181842bc5f293931d249_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775558242&Signature=xZKVbPHnvq1qTJXNwiztrGD6NGaXqXZy2F7iZE8F8ZA5SQ2b0AHWfcMuFzBPL4S56%2Br1mdkSivnRKw4PtqmKSlmum59RFVyQrmIK25bmB%2FhGIdrtS0FEJHREeu2idOIA89pmPV7lOHS%2B%2BYVZ8CGGt7LqRG1WFqYY%2FsUuOmWwLyVT%2F8O9trgNAEO49TvZ9ce8AC5yY9pOagSk46K9CfKH%2BRUtwl1lKVpVFcS8P9OO0VKPNZJEs7AiA%2F", "https://vtbehaviour.commondatastorage.googleapis.com/1f1db73659fa2fe7a944d20bb4e9a867513a50ee9b51be89dfec30c73f6ed622_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682177&Signature=yjgeq7TPzf6M6Pn8mPFgBmhHQbfgGlaadZNsSsDUKq0Da4%2Bb25WhNl6nDIyUDmRBtABod6Itj2EUlbe%2B4U0QYLuJR00aQqsO%2F9pXU4AWeIFUEZhCrwgZ5WuNPpYbdVbOYcVX6oyDXpSjv1QEGmJ1NVVr%2F1esshl3tugyHxp6LFYa9%2BQeoiqsBikKLglNB52vsap%2BkwVPKyXg%2FjduMqTQd%2FhNMM41261XiBOTtUqjpzIm67", "https://vtbehaviour.commondatastorage.googleapis.com/9ca5c168d3a3b77403a468a247b08f3987c9baee621bc93a1330d4343d5167e6_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775158717&Signature=0%2FgP6zQY0JvD44dS9aqwH0bqe9ln9c3valuyOk8IADGwNXhOIDcXq6ivyb5hcITWzdHmiMnds3LC6HH6Dw9JXfM47tiL9OKF%2BbTQPz9B8Fr2JanaTSCRjOV2H%2FXW1wZjSdhhcSQyWhw97q4rqKyI%2F1VEbewxt2wrLP0TazgfCoHOCU2Qh08l7nSN%2F1idGUl5yUkmlHE60kQxe%2BHjcktoYejJf6exwwI9QED8MFrrm%2BGEwdmILRQtAbLe", "Treece Alfrey Musat P.C. Attorneys at Law Christopher P. Ahmann | https://TamLegal.com", "remotewd.com device local", "https://vtbehaviour.commondatastorage.googleapis.com/8203df818e55602f58e12749c5f43ef382d5829c540953ef5acd613e9339bbfa_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779530419&Signature=UGGjvrHysNTHqCP%2F98o%2Bwr%2BBuUURMkCiQxj24hY6gaY6O3Jzu8n5c1DTGQyxmFDLTNd%2BVEq%2BLjiAQEKKja33wGAeycq9H84UiQaOgy5xch0rQRhWlH9BAU1XQopkUIfjd%2F%2FjszJyY9f5GeBUviWGN0fk%2Fjf%2Bu70ZC8sViEooYie0vbqyBBZF4n4kjfdDoEDUXKU9hjk4W9PIBcH1Y8tyFonohbjbq7%2BZwzERUsYwo2", "https://vtbehaviour.commondatastorage.googleapis.com/07f7d05d67f46df46aa037ae72dbdb01b4c793b0efa97b3b606eb7c804bc9ac8_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775557919&Signature=NmXnt5UXEu97u6S%2Fl1pR8Dj1wOV48%2BMQtA7itY%2FDaMxeTZKYWQG8Sc1yQ8Anau89lP6pFBfYLFKcZlXLyh0lxedEOnLubJoX%2FPdHFRwhsnXHKf9Paue%2FYfp2f3Xa3eCtAdjiZ%2FYtizogath35T7lFE%2FyYG10vWJI%2FID8Xpk55duyBuJFvI5UISNatR%2BriUlSjGvUurWgm62dXOPlBxRQvwk1ndbIS79tzUBzFcGe7A3RnhURjWI1", "https://www.milehighmedia.com/join \u2022 https://www.milehighmedia.com/models \u2022 https://www.milehighmedia.com/movies", "vgt.pl \u2022 www.hak.vgt.pl \u2022 www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 aristocrat.vgt.pl", "https://nextcloud.tulach.cc/ \u2022 https://nextcloud.tulach.cc/", "https://vtbehaviour.commondatastorage.googleapis.com/17c1908439bc7132f6a7c496c68d39b0c0cee504fe9020c920a2d1d04685fb5b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682105&Signature=DkIw2nRg0%2BHKmd2TpyMzcgrB%2F4s6sIVIpOEEVMqz3Csoj6PPmSGNer%2Bt5X5oYKPZQgJETAHcCRs0mh3Lfa85XEPdYk6PjMimJmKQdBstqdULgs6q7wyZEjHDhQn41ri7eQ16g7pAo9ojfhLUNp4uW2xuYvdBwYhYBsZP3EO1BKz2f3dYxSg%2Bgsn2AnC2%2BDRTIX0Xxd%2Bt44%2BkXfiY32mvDHDNDCcuT5ZDFNrHwDp3HKuuJYy7lRHm8AlK", "https://vtbehaviour.commondatastorage.googleapis.com/087975d5f3c874a6fe9cbfe9d7ee77fb0af138e3c36a6f75e3d000699afc571d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779681569&Signature=C286Cg30s1QDg1lkY0jtTLfia8Fs4B%2FdqNMfidFUYXpd2si4N25G7RBqy8LODkWqBQca8rpYyZ7FIYHuRDc0wBLk%2B1rPiEXJckZIdmkyhDkFJ2jrxfNV135BZTTeF6DkLrRfWPgnxciVK%2FJrkueYnjlYhYW08OZkTu9plzgmfR2IocW5ENVaqHbcPAdm2QDCC6VVrNQp%2FP%2FjV6%2Fkm37tinRyXhg1vKSf0TVFMzL1jpYkiS5PIc", "c6pPVZhf.exe FileHash-SHA256 99e60fbd12fa9cffb9e84b4f8fa53169cd9eb965f083337de1995926a5ed83f1", "https://www.vgt.pl/ phishing \u2022 https://vgt.pl/ \u2022www.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png", "http://www.pornokind.vgt.pl \u2022 https://dbkuewww.m.vgt.pl \u2022 https://lokalnyhost.vgt.pl \u2022 www.xn--twj-hna.pedofil.vgt.pl", "The next pulse will show Apple IoC\u2019s related to Tulach.cc", "https://cg864.myhotzpic.com phishing \u2022 http://dashboard.myhotzpic.com/", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 https://videolal.com/videos/tsara-brashears-dead-by-daylight.html", "IP\u2019s Contacted: 192.124.249.187", "http://www.happylifehappywife.com/2010/04/'> \u2022 http://www.happylifehappywife.com/2010/05/'>", "https://vtbehaviour.commondatastorage.googleapis.com/05eff75186e681b14135ce2945d124664260e5a88e0d14f138050d622d82745a_Zenbox%20macOS.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779681490&Signature=bIUDLY2jLaPa0t0OyOiuRlKjk8VM9IFdVTwzJhuTKfuV%2BhwtwcYghSy4186P0qsGEebShI2xNNVBPSd3uQdeXMuYRDJWcyo18c12pLwgcLgaBot06%2Bfys%2BlGp%2FV%2FSCDBvdo3iLaAOesoSo8vbCLNsWAzGM5sztLl%2Beyq9%2F1oSuAvU692EiARhcufOCMFqXCn6MNuSp18gSQwkFRBadsMvHSjfHW645FvLUfiP5Egu1WuMVP2", "https://vtbehaviour.commondatastorage.googleapis.com/2c98a3b3752939b7c2db76682607e3918dee0edd81998279cb4528cc6c67f715_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779683469&Signature=oE7hEU%2FccffwWPye7wmTWT154zCmhX2wBLLWErX6yptBjSn9YXSMLMohlpsjw%2BxO5VxqobuYkMh302JzsMTg4fXVD76S9F6aOL1vRPwZx8fTGOeMoKRTMO7B0xwvo2HQCra8ds7NMqXBpbNxN%2Bi7Ez6ZOyX%2FQUyixg1Ya1G7%2FkF8sEaT8z%2B4QHLhghEUdy4%2FMYbGVFzAKhSDW9Yg%2BcPfxQLt%2BViZ", "http://www.milehighmedia.com/?ats=eyJhIjoyOTYzMTgsImMiOjU3OTYzNzc1LCJuIjo3NiwicyI6NT...", "IP\u2019s Contacted: 172.217.3.163 172.217.3.202 172.217.3.206 173.194.69.94", "https://assets.msn.com/bundles/v1/edgeChromium/latest/svg-assets-Twitter.b90ee19de735e00fb4a0.js", "https://vtbehaviour.commondatastorage.googleapis.com/17c1908439bc7132f6a7c496c68d39b0c0cee504fe9020c920a2d1d04685fb5b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682086&Signature=yzXoWEcsMl9wlTGgMQfBKEZWwnDzmua%2FR2suwDMBSqPLhunpHELcj0SzY3czM%2F9HQG9QuvYzhQRVUxR1iDaFz1BQ4YHkXJih3zm%2BcNlDcfXsOZzyYzWUhaPsbSti%2FWbFoL4E14bnS7tIuG9s9R96LkGyGpWIsT%2BPeCNhsCzD7vFRU0cPMr6vNblu%2BBiO3Ki99QSrkF4hzBxkQ7DFgba3qi7kOfal%2F2K8hC1ikcZntmn5IESW", "https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot", "https://www.sweetheartvideo.com/en/?s=1?s=1&utm_source=272160&utm_medium=affiliate&utm_campaign=lovelezzies", "Domains Contacted: fenbushijujuefuwu.com", "https://www.vgt.pl/static/js/bootstrap-typeahead.jstic/js/bootstrap-typeahead.js", "Antivirus Detections: ALF:HeraklezEval:Rogue:Win32/FakeRean", "Samuel Tulach\u2019s assets have been tightly connected to M. Brian Sabey, Esq", "https://www.milehighmedia.com/legal/2257 \u2022 https://www.milehighmedia", "https://vtbehaviour.commondatastorage.googleapis.com/492dc39e7752dccfd15f588054991277e6548b794b28a03f42b9cee132eebd2e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682486&Signature=ucigAmI%2BTWYWnZuZjQb7cvSnhC1f6r93NM1kh5fCHjjcUodx6ltePV2QSdyXCnhrdH8ODLugh37CFZxsAmtiMMefuyuh6T8mtuxe7znGqLiJre5YFfSQLkzmz0Ksqekcg0sp1bUaKykXguy%2BKwv6Tg12CIM7xzaDB%2BGcjw6KkBLiD0A1sB6Z9gk9np%2FNtUBHdW7E0eBfvTWOK8F99R1lQdmQab2Vha55GLH6JRBksZ7AbBEdVS8DMtkaZCS9sV", "ns1.google.com, nussbaumlaw-ca.webpkgcache.com, plus.google.com, tddctx-com.webpkgcache.com,", "Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk uses_windows_utilities", "compromised_site_redirector_fromcharcode fromCharCode", "cdn777.pussyporn.pro \u2022 https://tubepornstars.co/ \u2022 porneramix.xyz", "www.google.com/images/branding/googlelogo/2x/googlelogo, www.google.com/images/errors/robot.png, www.google.com, www.google.com/", "http://www.happylifehappywife.com/2011/06/'> \u2022 http://www.happylifehappywife.com/2011/08/'", "www.google.com/images/branding/googlelogo/1x/googlelogo, https://www.google.com/recaptcha/api.js?onload=recaptchaCallback&render=explicit&hl=", "api.item.yixun.com", "IP Address 94.152.58.192 Location Poland ASN AS29522 h88 s.a. Nameservers ns1.kei.pl. , ns2.kei.pl.", "114.114.114.114 = Tulach", "Antivirus Detections Cryp_Xed-12 , Mal/Generic-S , Packed/Upack Yara Detections Upackv039finalDwing , UpackV037Dwing", "https://tamlegal.com/attorneys/christopher-p-ahmann/#breadcrumb \u2022 https://www.milehighmedia.com/en/movies", "www.localhost.vgt.pl \u2022 www.certyfikat.vgt.pl \u2022 https://www.vgt.pl/94.152.152.233/images/logo.png", "x.com - Malware Packed", "Samuel Tulach , an engineer writes about game security, Unity engine, and anti-cheat systems on his blog at tulach.cc", "https://vtbehaviour.commondatastorage.googleapis.com/0da371854ec2c04bbee9680dbdabb67a4e4a84add40e5e1877425790f2dfef02_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682005&Signature=SyLSFT5xdlAZ5lwNyaeDpqsMTuwGywWruel4fBOIdsyiZ%2FvtOZYr7f%2B%2BIuBmqFMAwMI4L7kB6jRtv8mVn8lmU5MUJBAG6GJdVsEp2SoexU5Yl2kTksey03ZsjBloxlJqDzf8PULDlwjfD1Ydv%2B5QFPoY3%2Fk8TKMlmmpTIw7%2FYcR24%2FHYHw78XVF2cV%2Bnb3GoDaHw%2FnpxLrDwgfZP9dWvP8V264o5l2dDfxQtF0", "\"uploader.exe\" created by Samuel Tulach has been identified as malicious by several security engines", "https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js", "https://vtbehaviour.commondatastorage.googleapis.com/00355f383cdfd3953bdb773247bcb38864e00fbc02f21c99bc85b9ae8a8de83c_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775157018&Signature=W6qmB2oXejWMekcxPwU%2BM2fTZ5XRnQ6InXQPfLl7OncG%2Bm3HPNHB%2FE6ygE96KZy32X4QvwY6orT3%2FSHlwBzQ3ckqedAXsZhwPNwVPN1eTjUL7BWQCVX7GFYabhv9AzqEnPZYWIUOa2P939ct2GWgfgTEtbesebRwyMue5ihDtUAV6qU1l2OuJfoS8C8GD%2FSlNeMBOTUymlaK4UmL9nmgOTq1McS%2BuJtgWwgJbI3sN9bR", "http://www.hak.vgt.pl \u2022 http://pornokind.vgt.pl \u2022 http://sip.vgt.pl \u2022 http://smtp-qa.vgt.pl \u2022 http://vgt.pl/*.", "https://myhotzpic.com/tsara-brashears-hardcore-lesbian-sex/anime-studio.org*thumbs-fa...", "porneramix.xyz \u2022 porntubner.online \u2022 pornhubhd.shop", "Alerts: cmdline_http_link clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint", "Yara Detections compromised_site_redirector_fromcharcode , Delphi", "nr-data.net \u2022 www.youtube.com", "http://cr-malware.testpanw.com/url", "Alerts network_icmp allocates_rwx packer_entropy pe_features pe_unknown_resource_name Related Pulses", "https://www.vgt.pl/font/roboto/Roboto-Thin.ttf \u2022 https://www.vgt.pl/static/js/bootstrap-typeahead.js", "nr-data.net \u2022 applemusic-spotlight.myunidays.com \u2022 init.ess.apple.com \u2022 tv.apple.com", "https://vtbehaviour.commondatastorage.googleapis.com/492dc39e7752dccfd15f588054991277e6548b794b28a03f42b9cee132eebd2e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682206&Signature=iCbR7BcpXhfqHIoxTRE%2BvhCqRoHYALCXll0hXveh8IQOJPjxw%2BlLNas6nIvp035t6sdMg9KdOY751XfThil%2FE2mLrvir%2FwKjheK2382r5bhEQFEsa6etlla3TDjlvttEFZDUN7SSLpGao8u7uVNwrPRb0BuwYDemKKVJK6DACPbUZEHk3DZ%2Bi8SxXIdELiXG%2Bozy7oC8Dcj0HqHGYuliXpjT1mV7OsCjFXvmjZPcFH06EzZS5L", "Alerts: clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities", "IDS Detections: Query to a *.pw domain - Likely Hostile", "https://www.milehighmedia.com/en/photo/milehighmedia/The-Mother-I-Cant-Resist/52380", "https://vtbehaviour.commondatastorage.googleapis.com/8b10c7238761ba1c98b713c673c452437c4a56794ff0e3d657cff148056c9cf1_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779684153&Signature=MfmLhMZdg4gtuEoE1eB%2FroqyUo2QXTJ8L6oAmpYIvTmU8BmwS6hwF0opRe4GV3ox8yxCzd2O9fsm4T7dwrkSk8fJBlqrPHibaMNPNs4QpeMOraU4O6Au5EDLlJTtDwp43nz%2FK5tqLXzJpfqCvDEnQOghFLah5YCBj8qdFtGrKfHbvyMGL70BlhpaZsmAn3Jgu6zNXCQGqz3c%2BkATkQ3XNm%2F8FiNTOFzO5TUxHqPE3NUMFglmxAJhEo", "Possible Fake AV Checkin Kazy/Kryptor/Cycbot Trojan Checkin BetterInstaller Win32.AdWare.iBryte.C Install Dooptroop CnC Beacon Win32/DownloadAssistant.A PUP CnC Win32.Sality-GR Checkin Win32/FlyStudio Activity W32/InstallRex.Adware Initial CnC Beacon PUP Win32/DownloadAssistant.A Checkin", "https://vtbehaviour.commondatastorage.googleapis.com/05eff75186e681b14135ce2945d124664260e5a88e0d14f138050d622d82745a_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779681421&Signature=oUYsIo6y2ldihmETch4oPYw5nb4sHZhKRik2zGuv2h9rqu30GcV1xZHlIO9ttFa625EXOlrrILZtAhfM%2FamkTDjXZUTqn2%2BTKmgnxqOOfJU6KrJHPLE9Do7l7MEaPxX4cs8z8tWd0%2FY8sBv8sjGAIdWrT5OPv202LNN%2FiVe6mEIUMkmNr%2BG1S3Pgs6LRTjo%2BgqhEcNXT0MFUgs3I2e4AQ0TQ4FOs%2BVRY", "Project Endgame - pegausintel.com -Unsjre if related to NSO Group", "https://www.vgt.pl/font/roboto/Roboto-Regular.eot \u2022 https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/", "https://www.vgt.pl/css/ \u2022 https://www.vgt.pl/favicon.ico \u2022 https://www.vgt.pl/font/fa/fontawesome-webfont.eot", "http://www.happylifehappywife.com/2010/07/'> \u2022 http://www.happylifehappywife.com/2010/09/'>", "angryblackwomyn.com", "Alerts: network_icmp deletes_executed_files injection_resumethread dumped_buffer", "https://www.milehighmedia.com/model/59136/avi-love \u2022https://www.milehighmedia.com/model/60418/Justin-Hunt \u2022", "Alerts: anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self", "Unix.Trojan.Mirai-9441505-0 Yara Detections is__elf \u2022 217.11.249.145", "https://vtbehaviour.commondatastorage.googleapis.com/000ea1a97119456bc0d73d6f04298896bcf8a014015dd5a3854db979acc33ba4_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775157142&Signature=YUKsrID6gK5Kkp3Ztlp37D19a5zJHrHMGp%2Bp3gyGO0BDcTOWmIH2IIADOlf7ZwEyxpzvT8ZH%2Bbv2TFx8h6B1n9NuatpuXqxe%2FVfKTCmILqh1vZsKMh8%2BTSQQu0uemPproGACNc8JtbCaAHd7gAzuT9xa01vD4Yzcag%2Bm2nc3OjhRI0359dkuzw5Z5%2BRRcM80c0kY6Z%2FSDz4nFU9x8Gxbbcq6adN4uDjcooa9W%2F%2", "https://browntubeporn.com/tsara-brashearsAccept-Language", "Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities", "https://www.milehighmedia.com/de/MileHighMedia/scene/129689?utm_source=271174&utm_medium=affiliate&utm_campaign=", "virustotalcloud.firebaseapp.com \u2022 firebaseapp.com \u2022 firebase.google.com \u2022 dns-admin@google.com", "https://www.vgt.pl/font/roboto/Roboto-Light.ttf \u2022", "amazon.com \u2022 pki.goog \u2022 google-analytics.com", "Ransomware: message.htm.com | nr-data.net [Apple Private Data Collection]", "http://pixelrz.com/lists/keywords/tsara-brashears-dead/360 \u2022 http://pixelrz.com/lists/keywords/tsara-brashears-dead/360] No Expiration\t4\t Domain tsara-brashears-deadspin-twitter-suspended-account-help.ht", "https://www.vgt.pl/94.152.152.233/images/logo.png", "199.232.210.172 199.232.214.172", "Domains Contacted:: i.ytimg.com encrypted-tbn0.gstatic.com cponline.pw", "https://amp.mypornvid.fun/videos/8/AhxS-ej1myg/gf-18-com/\ud83c\udf81-i39m-your-present-\ud83c\udf81-girlfriend-surprises-you-for-christmas-reunion-soft-kisses-amp-cuddles", "https://vtbehaviour.commondatastorage.googleapis.com/00355f383cdfd3953bdb773247bcb38864e00fbc02f21c99bc85b9ae8a8de83c_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775156982&Signature=znZpp83KdT%2FL36sTf3QDOLLEWAh8ItKSUewNDuebW619kEzy7PG1q%2FF6ZK6IuxQU10CCVqA3cCW1MIaTpquBgPPjimEvkDVxx048Qv1%2FKzCnW00QhsQIQADWcfKI698TukLc8c3aCnBN%2BFMdkbsjgO4S6oFCJM5E9pIb9VJOdL6TDfSSIOQNyAYAL%2FCcOxwKRPBIY6l5X%2Bmxgvz5VObSKoxZWT7JmNyorS%2BPVLPOPtXbOJhdlDwk8aZ%", "Alerts: dead_host network_icmp persistence_autorun modifies_certificates modifies_proxy_wpad", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://vtbehaviour.commondatastorage.googleapis.com/036d1a174e3ef9a15c8075248958c4f36d8817573ef3f6f12c62850976b32737_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779681469&Signature=VGjB%2F%2BCQwDtsenSFWX7YNKbe9s%2Fgcpg%2FotVlxRZ6FXuE9VXITP76QQq6L2vlSM7pfQHSnBv%2BUdwMtN3QhCxjF7Zv2PV%2FkWLnwwA3hJciWMAKiLSeKTanNshzLWnmBjN04FASFwNf6kAq4PcunHkHh2PSOGl03eem41DHA6YOIRAjI1C6hAdDvKoAqJJXuGKM%2F5Z5vzfeTaXNgCRutOhVDB4%2FcAcV9zZaRcX9Ii0IFRAZo%2Bzk7rvI", "https://www.youtube.com/youtubei/v1/log_event?alt=json&key=AIzaSyAO_FJ2SlqU8Q4STEHLGCilw_Y9_11qcW8", "developer.x.com \u2022 https://twitter.com/githubstatus", "https://www.virustotal.com/gui/search/maxsecure:%22virus.webtoolbar.w32.searchsuite.gen_227097%22%20entity:file", "https://vtbehaviour.commondatastorage.googleapis.com/000ea1a97119456bc0d73d6f04298896bcf8a014015dd5a3854db979acc33ba4_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775157115&Signature=IGbBEZp40pDgcnEOLyVLG6NGd0gM9ah6hwV8nmKkZpUvBN%2Fjn1v5XN0%2FGEFFk20komfUqhGI4zwklt2Bb3VyRLNwH5yCYd80ojWWC2ZPFlaKaLhRXD4OzOrLnAG4GyZ21SRFjULCGxXx6RaUuwulye8wG52yQ5yk0cXHuHPcowCLNbfY9ZWAQs6buavYGnYInBF0LCu3CboQBrgkhANmTmmtyrV9vDfS0Bz6fsJz%2BgmmwlGNpV0NA4IJTJeZmXCh", "https://static.digitecgalaxus.ch/Files/communication/app-download-badges/apple_email_rasterized_2x/fr.png", "https://vtbehaviour.commondatastorage.googleapis.com/5f87d5cb5921df99f335e1a8f044db15187f88aea04ecc073b310a4b9649a5e1_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779683851&Signature=oDNiEuOved3Q5at8LARyePhpQE3%2FjmEYRIWg4Vzp0yzifSrnwMGaujbhYJWqc8BadzAh1AhmrfOaNLGJfe8IO2Izje4ofsfex0DAAfgHm5l1vDeQWFDfgypa9%2F8sHOOgBiUlbdSDYrVdZ2Z9f8MGr8OaswhQwykG5mL3UcUwRD4heOIda%2FFZGhfCLn%2B7ksTMcuD2%2BjT%2F7IuP8kYOTQ0ZqwnDZGNQwopAFpNNouIAx0LKAjPDIO", "https://urlscan.io/screenshots/e931bb02-80dc-46db-92f0-43d5afa258be.png", "https://vtbehaviour.commondatastorage.googleapis.com/05eff75186e681b14135ce2945d124664260e5a88e0d14f138050d622d82745a_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779681535&Signature=K%2BM%2FPuLQI5kqDYLWjQMD%2BgPbchxwp2sWPPUtfDZYFn5H9w%2BqFPRxh7iZqH4FOPAnwlC0%2BN5TKTqrEuhABL3gWMqHySyweiNPNkJ1MlX29xZdE482pqQSn8rzkPs7CZD63ts4ZRPrK%2Bl06RV13mZf4TUzAD9Sx0m6%2FWhetQETuu6StpVmyzhie%2Fn%2FUdsdFN0SW%2BtLpQE74IVNfszCgKVhF9oNeBiifytanSbIG0SnLff9sXffjS", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://vtbehaviour.commondatastorage.googleapis.com/edb4c21d60daa44b3429e7ba9bfa342759ebef23c136c934f74aef145453ce19_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775737365&Signature=S%2B7RcHYjab1hbKlKwFfvUbDirFPJS1A2TJQ3bVIObMcON4PD9pRDvhMtYMCnEBrYsICi0UJCFW5eUDolL5Jlbngsc587kF36vvuhlkPprbkSOY1jOyDTpe3Qsb6jRFz3xwOfZc9S5QervoLnRKb%2FyGSyZE6ZK6TxzBrOPczPtZ7sLf9NfD6E%2B2gMRXaRjEqVwVITLG7YqCiiNuohFOuNlK3uNHFpIk53viKvBSAIqLtSklH9bHW4q1DX", "https://vtbehaviour.commondatastorage.googleapis.com/002150c786ae1e04ab2981bf5593d926987b60b9ac699f431ed4568084dd854b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682457&Signature=eWipoH1g7AQ8zq2pd%2BpyAKrKscAY%2FebCATbHE%2FMwdvIfIy%2F4i3OFy%2FKlfaNCXDLDU0OM6JaEF73FAqGhLEb8ZcxTuEfMeU%2F6WxjpgS2SqLZ0xOjAPgPWOOor3uCcdIEZRCcpJe%2BAzPY8jEZJ0aIf49RU85lkIx9yCiXcFnee1pNHHBFwpsBK4FNuTB%2FyDe61M5Htw4fjlf43GTnXFxj0%2Fjc%2Fe32Q7EpVkuSc0I%2F3zTrY0UkC", "https://medium.com/the-pink/how-a-white-womans-anger-makes-her-racism-spill-out-563853905a42", "https://vtbehaviour.commondatastorage.googleapis.com/1b153c384510546d105b067e8b1be208f0686914841758441e857d7ffb18fa72_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779531236&Signature=hz%2BT6I69NdrwImMGk8kcXqNnwp7K7z5sLWg7P7JvUVEckT5yV9zVAooLzjLyQGgNBxh%2Bw35npaMota9ooiK%2Bd3BWFd%2Bzr%2BUm76cQbsuLV5NH2LWXQFw1YzoSEXeXl4wmdHCWX4%2BP9tulqXFWpRQ4oOvqHWV10QWM4ubzWdft4N%2FCy4fQ90Iubm%2F1ywQ%2FuG66nNIy6ArwArpf2Md9Wb2k%2BVSwvmrPJqDUAM868u1jznd8SeGkYX", "https://www.vgt.pl/style/style.css \u2022 https://www.vgt.pl/font/roboto/Roboto-Medium.eot", "appleid.cdn-apple.com", "https://vtbehaviour.commondatastorage.googleapis.com/59bd2b3f9e4fbc79518a31738080bc4b9b35b42f6e5a3b5c3a306e0b9aae7f2c_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779530394&Signature=EFtQdaqkkeNu27kPO7Zob0bl261oVyzlQmNL5Z9HnrD%2FemHBUX4%2BsRO8wGhrK9e53idu5dP%2FqFvjC3fYYvXzyeKs6x0kO0IqPs5Pp6y422zCXP9gKR7xBfnQIQtmWDVaBb4znOzF35Jd76v4D1Y4btKPazPqsa2hq38U%2F2BTS2Fjqng%2BtZLtgjXCV7Qy1iJuoL4wZxus6aU6uyk4Gt4%2FwQOFSxhXM9Sg6EzneRhhFzAhHkOWzW", "https://vtbehaviour.commondatastorage.googleapis.com/087797e64cf016f13eac46473b4150d49c7eba564c894300f69bc643b059c980_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775739500&Signature=r1pLCgJf%2FQK8TvenCwXy9bnghFzjJ5QssdQSLP37SLv6EkA3WXuFUIvKrsXKokco7bMfQUy%2FArk8F6aP%2Bhaj16Jv7P%2FGB%2Blf7mPvs47VjwfBJRCP8AZLlWvO45%2BjC68v798csdJFPTP31O4yDOE3pXZ3EThm4nSrIwLPhTSPfi3cPlEh2wLSzcySW7BYLw%2BqCoawFCxeLUz7hIV0vC89Mlwi3DeS%2BEnWFF%2FsvT9lVJjdbLoJLEeO", "https://vtbehaviour.commondatastorage.googleapis.com/37dcea337208645ad344413d9a8350033fe2264c91cc91a5a2bf50045d92a67c_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779530336&Signature=p6VwVgKhapyzo9Qdy2STgvqVBCILyIVDELmCCzKAI3VnzeLfXf8kMElRnqtXzyceHxnFobEu5%2Bzot74n2%2FKVdQLGgjSNmpbV1vxI4qIMW44TnqKJz7q%2Bzl9L2qPXk2Xd24irnPUYT4Z6b52nITm3rElixM%2FxW5B7cYrEPVdMEQQ3axn7fZMtVXkHyakt5UbZUnglSc97W7kjMO7OSb6qTfAhWNZuFLn0hPzN3JeCVc6eH2VaF8qrMW", "authrootstl.cab common file extension", "https://www.milehighmedia.com/en/movies \u2022 https://www.milehighmedia.com/join", "https://vtbehaviour.commondatastorage.googleapis.com/7111bb197f77eecf518b22f7a6f269647abc17eda4aaed9ba50212462b9848ed_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779684045&Signature=g5SPZe7A95%2FqyMCV3ihh6MGTnXRMjhKIGP6dBCJ3OB%2FCOBrSRTz%2BpnCcdIwsJk%2Fc74E6s1DRbKJn3SszGoP7h%2FNJwXl3BIBK6KeI0zYJeOibOT%2BeU9CnCcwY%2F3bx99X3LvHRwg0Fkdg%2BJoRI620jziRVAW%2FiC1wpzeMqmJNUOHn4NsTYiMD7H8cuBnRzAZQvK2lRO5asaddU11mHkkQ963f3YOOv", "https://vtbehaviour.commondatastorage.googleapis.com/37dcea337208645ad344413d9a8350033fe2264c91cc91a5a2bf50045d92a67c_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779530784&Signature=CYyyJeKkeGqnH6T6m5Xruegrlkv2udvHSUC4MgjgnkaJP2%2BkZUvTfdoh5S5uXQZbk0By%2Bg1akNr3AALQqY%2B0SNoOJdW5fHCOavOpIuNkgM4efnxQQyuhR%2F6eccAejXvy0cFPKDUhdhvbItcx7lkgLwM3MhWL%2FzNneeST7yUf3g8Pad72u7BrItBCkJ23R2quBuKT3G22OMfreYhprgO398iL0htbNTBKh4csLc9QtPI%2FabWco3", "https://vtbehaviour.commondatastorage.googleapis.com/edb4c21d60daa44b3429e7ba9bfa342759ebef23c136c934f74aef145453ce19_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775737710&Signature=fbsokraSd7lsYmUfaTEl8Phs2K3hp7AtVmQU9axeEBcYmYbrrYrrfpP5lPEQaE%2Fh3%2BEP9Rn8mD8D1haqQVXCN0VVlxJ4sddjWmyC5USsgBsvUb0%2F72h1WHDS2KXHlteZWE%2Bauckabain9D5kX501AnqFY38s77OIqO6SMOkQ%2BvXiDSSRK%2FZhbfradBnei3ZLHsXGxkoshTyvB0%2BC%2F8SiUzdVsqSjik0Bn2r%2BIlLpDQK90GlZTD0N", "https://vtbehaviour.commondatastorage.googleapis.com/000ea1a97119456bc0d73d6f04298896bcf8a014015dd5a3854db979acc33ba4_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775158226&Signature=3QddteTdwd75BU6tgEH4xfsAlwIG9pwNTU%2B8HvPznGKaEJfuEtDcpYQyXWaSVlGW29PwL%2Fps1Qfqzxq9FuYI6MpYw3Bx7KqBKoEqzG%2BfIDblZaHtF%2Bq57ipRLnJbyvLR8w%2B1bXr7vwOsQlnBMQPRzC9hK4UR1xQRt%2BFkGma5x53fb1ICCz4wT7DcsKUsrwBYrNpWD3InFukyHR38M91oretTmUAb2PGAKNugUwaY22shu94UubqcBJGvmX", "http://www.happylifehappywife.com/2011/08/'> \u2022 http://www.happylifehappywife.com/2012/07/'>", "https://vtbehaviour.commondatastorage.googleapis.com/049c8db974d1830f931d605f6918184d8928c46c74f4152dfde3dc7bdffbf5d5_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682585&Signature=z2IzO8oruo5%2BmP%2BuhsnAbNLmy7QRAemblZDUm1KEgUCliIqrtWVkruuMg2tcIokmH12yIvRumIVlk5OcGjVxI%2Bb%2B3Va9LgSnD%2Bwjbe5pAs%2BDuUGTY52XSe7V9xdcRN38UeNFYy2jTLa2KYspIZ0NzHMsL0BzU5pqOWw0bAShHYc9sNx0S7a%2BSD7PiY%2BDR%2Br%2BQll9wUT%2B4EjhHrYYmmdRCa6vbIyTLcHmdw4JzmHHsLy%2Bjf", "https://www.forpsi.com domain forpsi.com\t Domain asp.net", "Yara Detections: compromised_site_redirector_fromcharcode , Cabinet_Archive , SFX_CAB", "https://www.sweetheartvideo.com/tsara-brashears/ \u2022 www.sweetheartvideo.com", "this.target", "Pdf.Phishing.TtraffRobotInstall-7605656-0 00004feb58be42ba1bd506ea89f90c5e1d83e6e1fb84841931949a454b0bb539", "www.youtube.com/watch?v=GyuMozsVyYs (why would targets channel be controlled by Tulach)", "https://vtbehaviour.commondatastorage.googleapis.com/dbd82852eb5958675f889c452fc71bae5cce8ddad596bd15d2a4a6700739f741_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775558174&Signature=SmpbnWta3giCZS997kqTvAF%2BZOmsy8guJi08oXMRbv9twEwYq0zHV5x5EgkJeE1uK593UWjmIyGGPmZZAznd5G9GmDLWpTBpm6AalirZIWVXEGKYqWW%2FcXP6AP4kPvUKQffGRRra22oorMkIGVUd4OSbUBHzjeXYtzRalcJNh00ErxP2ckokNZ%2BA6k7O42Vano2SrEQ6QXeQ%2BVWhBicFEaYV3BEDA%2Fn%2BNlMqbe6dzaU%", "https://x.com/Atlassian__;JS8!!J7H9jp7aFkU!OInVM0IrDSAR1lXf8KzR9vKsmEOVrBkg1M6QqughgO13mcAOawaxDaclQnhkyp3JvPbgCZX33l1xnRdvb4OxVqJcCz2cn9HcSw", "https://clockoutbox.es/password", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer", "www.milehighmedia.com \u2022 https://www.milehighmedia.com/en/Charlie-Dean/pornstar/49512", "http://www.milehighmedia.com/legal\t \u2022 https://www.milehighmedia.com/en/pornstar/milehighmedia/Justin-Hunt/51017", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/41ad1d349716b3e62f914c0907323ae8e0a37198d237a02d71a0d5e05ffaa727", "https://support.google.com/chrome/?p=plugin_quicktime https://chrome.google.com/", "P\u2019s Contacted: 93.184.221.240 3.33.130.190 | Domains Contacted: counterslocal.com", "https://www.vgt.pl/font/roboto/Roboto-Bold.eot \u2022 https://www.vgt.pl/font/roboto/Roboto-Bold.ttf \u2022 https://www.vgt.pl/font/roboto/Roboto-Light.eot", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead \u2022 http://siteinlink.d1.cnbd.net/site/maps.google.com.lb/", "https://twitter.com/juvlarN", "I haven\u2019t yet concluded why Tulach.cc is deeply interwoven in a malicious media campaign", "https://vtbehaviour.commondatastorage.googleapis.com/27086c4185aa32bbc6674267b947e3f6610554188ac694ce2dbc1191a9525339_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779683188&Signature=o0pfi%2Bqzc6KRiLra5kzATI2ROhjWVPHqZ7tOokv%2B9i4HwxX3m%2BpcqtYKMIFJMVk1qNFDyYwnCDfkeiva50iZyrha2F3bacitBdmnSwCEQE5xMG73RGPjQAvPps3tKMm1MDH8Rzpy65y9bdKpTSCL9%2Bt2xAk4%2BXx13XPz2GlU%2BG8Q%2FSPkCW96%2BX6c5xzWpIH%2FlXn7%2Bgl2G9QMGbrbnwD%2FfR58%2FrXIeIEJ%2F9%2BNt2W3Fr", "https://vtbehaviour.commondatastorage.googleapis.com/79b0e5df7c5ebe1b2967a3d161ec0283531f20beb58cd8eb8e343f7ecbf0e142_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779531881&Signature=J%2FX46%2BkQxXt0avuUofAv2FrDA2NcHoY81F%2F%2FCOybzM72s9GqDbl34Hk6nMuCyVJ9cyKFYU4dKZ5PGnS5MZLN7tzYDYnGF6tmsCd56oCgYS4IN8%2Ffm7xi81ELi3QsBaKZaSKBYTcBzQZOzBgTX%2BjFL%2FH291KDNrb5QKNV0OYNHKzFrKXUZzUNPTZgDw2%2B2XVV4tQzxtRNdm0kQW19OOOv29%2FY0E9CK9qRsl4Nu2otAW", "https://www.sweetheartvideo.com/scenes?models=63710", "discord.com \u2022 discord.gg", "https://www.sweetheartvideo.com/en/model/Mona-Wales/49601 \u2022 https://www.sweetheartvideo.com/en/scene/Truth-Dare--Boobs/130432 No Expiration\t0\t URL https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432 \u2022 https://www.sweetheartvideo.com/model/63710/brandi-love", "https://www.vgt.pl/94.152.156.22/logo.png \u2022 https://www.vgt.pl/css/", "https://vtbehaviour.commondatastorage.googleapis.com/036d1a174e3ef9a15c8075248958c4f36d8817573ef3f6f12c62850976b32737_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779681399&Signature=o4EIDa%2Bu5q7UzJoKBZ3SHIdTRWKGT7HIZyLxFZSLdRJV2Ng655y2X8OLnU2siFeopgWPI6Gd8nE9F9LFBFgwM%2F0ZN0FWsDls8m78y46TmhjHhykfch6G%2Buw3LPxmfbz999yBfELXQDUCNWIiGUPv%2B23aUdHnc0c5jI4Mvlz2HGA%2BHlIMjc1w1S%2BWm%2FI6ftHJdyIAh0SqMbPXqAy%2BIonExlGkoEmMBCJl3r3pfMcYzy4ai0", "https://www.vgt.pl/font/fa/fontawesome-webfont.eot", "https://vtbehaviour.commondatastorage.googleapis.com/37dcea337208645ad344413d9a8350033fe2264c91cc91a5a2bf50045d92a67c_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779530360&Signature=IoNgUEkiuiM2X4a2ueL9rEQPSxM3pwV%2Fg9ppA8C%2BBjHNorpe2t8rUBwA%2BU0UhSwLHm3J9bx4il%2Buly8trboaDKTDgdTvpIFdsHRjkQYF%2F8P2ot8tg5AnQeLV9Q8ddUazck3uN2LTNyDFCh5HiWfU%2FJ4BytbiANmLC8gGyCjX%2FX5Y%2FkYYJwEtsw0W90i9lyhlbNX%2FbAor8c1%2FRyPwUh8klvuYGDxvlbeal0nSXVYLSy", "IDS Detections: W32.Bloat-A Checkin DYNAMIC_DNS Query to Abused Domain *.mooo.com Suspicious Dynamic DNS Update Request Suspicious User-Agent (MyApp)", "https://vtbehaviour.commondatastorage.googleapis.com/0e93e52376dcfb8eab491737c187ad68d786fab0005bbf9d2ffab78ba19db907_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1774998466&Signature=Y4QdGLgX1a6Ct5CMRDpH9RdwtjTzLLVBFFtxY64ZOhJ4cyy5f3YP7kNt%2Bu9euHjYaM5LUKHRWbswYwhD%2BbmD8KZT57GNGNGF4xYoyqPgzPY1AQodW%2BZx5f3iJqPbAZq9pUjOzXtm22B%2FEx7BVn5qcm86M9I6BaNp8%2FJW2vSfzsewT0w5WhMAjuB84fIG4LrKD2X46mnchNmREfC3GQtUPwzIIkj7IIv7xyHtwbu%2Fwyg8Ib1VFz", "https://vtbehaviour.commondatastorage.googleapis.com/00355f383cdfd3953bdb773247bcb38864e00fbc02f21c99bc85b9ae8a8de83c_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775157171&Signature=wFaORSlZpOsDwaGFds40nh57Lh3vd%2BvFdqSDta%2BWapU98lkn38TsyUct5yym%2BseDovUqyvdVIXZauUtEnGqxpvYZximpwbeAbVtdc6MMBncoC78dOKoQbxtA3BT%2BzwKOs8jR1Cx7UYScBA2n%2BKi%2FUFE%2Fl3GvZGMSh8ekSTJNnrypI82Qa2rexteHlB8MZEdOGi15TMATCoi5SOQkKul2b5wy62%2BDaZblJEMMeN9AJYTgVYyUOZe6vM", "https://www.sweetheartvideo.com/en/dvd/Lesbian-Massage/49895", "https://www.vgt.pl/favicon.ico", "http://www.happylifehappywife.com/2013/03/'> \u2022 http://www.happylifehappywife.com/index.php", "http://www.anyxxxtube.net/search-porn/tsara-brashears/", "dlvr.it \u2022 securityaffairs.com \u2022 wscript.shell", "IP\u2019s Contacted: 104.97.41.163 142.251.33.67 142.251.33.78 209.197.3.8 216.239.32.29", "https://api.w.org/ \u2022 api.w.org", "Alerts: applcation_raises_exception creates_exe suspicious_process stealth_window uses_", "Domains Contacted: www.youtube.com www.google.co.ck www.google.com ocsp.pki.goog", "https://www.sweetheartvideo.com/it/model/Kristen-Scott/50432", "bg.microsoft.map.fastly.net", "Interesting Strings: http://service.real.com/realplayer/security/02062012_player/en/", "https://vtbehaviour.commondatastorage.googleapis.com/00355f383cdfd3953bdb773247bcb38864e00fbc02f21c99bc85b9ae8a8de83c_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775157047&Signature=yuzPVsphC0bG%2Bv9BmK3MOvfpxh2YUvj6B1ka6wchodQJMU0J7e6vH%2FwYLHWFiCIN7j4R6UxFeJ3ThZWdjJpObTpbPOwGZXiMlrPzB92hnLu9glo0Nxb3vEs2ztzgdkEKdSbu9SiyFyYZxQ4iwu6gfvEjT9bmVEcbVLcQEpNIevi9TPnEv%2B5D4yDqAalQb40r%2BCw%2FskC1Scj3bYgWKAGigIanlWXa0tIUmOIyNMnl6Oiq%2FRCzi7", "IP\u2019s Contacted: 104.16.132.229 104.31.4.167 108.177.126.101 108.177.126.94 13.107.21.200 172.217.14.227", "https://www.searchw3.com/ = google.analytics.com, google.com, google.net, adservice.google.com.uy,https://plus.google.com/", "https://vtbehaviour.commondatastorage.googleapis.com/8203df818e55602f58e12749c5f43ef382d5829c540953ef5acd613e9339bbfa_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779530508&Signature=GssLnauiY160oyi8Jf10sDf4bL46z5UIfcX%2F1jMAIWwy97%2Fw9GjbHzS38wt5ybxoiMkSIsTN%2BYE7Vd7kc7zHkudP8K6D2g6bTFX%2B%2Bao4FK6e0OYbJXqb%2BPeNSgeqrHMrCeXIW1H8RCC5QXuEjkQrE4TPFja5Gc790vYMvsT5oAuxbnFAzjQM%2BTwMcjJ1k9dWR0Hoh694C2boFVdHy3LxQkv7vk6CSmjQcZ4bBbHmEMC%2FNd", "https://vtbehaviour.commondatastorage.googleapis.com/727dc58bb6aaf24fd82f54a11560f26e38ee0ca6bb823ea70bad33fd7c9378ef_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779683965&Signature=tYhGClprbVOZuxQF%2F%2BLWEx6LfO%2Fz4pigFaLvSPYRY%2Fqg92dL8%2BWlaAyT%2FJueBiXJFPkqBYoXk0DmZNj2UfqQiv4Jy9bhRG562tGCoadI7qFVHMBOyAmGj0uMVS%2FoyY00p8UkiUah%2BiG2lZaGt6eVnE1yrGqEIpnAnUxdyxti%2BDm0vFgP5Ust7yR%2F1SAtswsFyfntj2GSgBc5z1NbueSA2uSfZsxWtxmYAm9dk%2FrUPQ47Nb5Q", "Domains Contacted: www.virustotal.com www.gstatic.com fonts.googleapis.com", "https://vtbehaviour.commondatastorage.googleapis.com/1b153c384510546d105b067e8b1be208f0686914841758441e857d7ffb18fa72_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779531163&Signature=ymkpXNrWILdVetVt90LhjbwNPIy4I%2FXM%2B0jq5xPK4FE6N61CBJ0ZKsP%2FbvZXOM5lKJdG6ltKQtldTuXskK26NlEwbRlzn90t1KGmXS6%2FkK7pgbFTNlA9BWYrDLciKwIZJJeFn46IMGSClXk0BXzcveuQWp4G%2BnIJwwWw0EjgU6ONUydOZW4DhKFhmEvNGfqPrEd6apNA3C39kZP%2Bql4tWV7ma8oAP9cHc7RyoO%2Fw4zbcJKmP", "Alerts: multiple_useragents dumped_buffer networkdyndns_checkip network_http allocates_rwx" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [], "malware_families": [ "Tulach", "Alf:trojan:win64/psbanker", "Trojanspy:win32/nivdort.de", "Worm:win32/macoute.a", "Win.trojan.tofsee-7102058-0", "Win.packed.generic-9967832-0", "Tofsee", "Trojan:win32/mydoom", "Alfper:hstr:wizremurl.a1", "Worm:win32/mofksys.rnd!mtb", "Mal/generic-s", "Win.malware.jaik-9968280-0", "Win.malware.moonlight-9919383-0", "Win.packer.pkr_ce1a-9980177-0", "Trojanspy", "Worm:win32/lightmoon.h", "Cl0p", "Trojan:win32/qshell", "Win.trojan.agent-1371484", "Win.packed.botx-10021462-0", "Unix.trojan.mirai-9441505-0", "Win.trojan.zegost-9769410-0", "Html.trojan.ascii212_44_64_202-1", "#lowfijavazkm", "Backdoor:win32/tofsee.", "Win.malware.swisyn-7610494-0", "Upackv037dwing", "Cryp_xed-12", "Win.malware.cymt-10023133-0", "Win.trojan.vbgeneric-6735875-0", "Libraryloader", "Jaik", "Trojanspy:win32/nivdort", "Win.malware.razy-6979265-0", "#lowfi:win32/autoit", "Win.malware.generickdz-9937235-0", "Worm:win32/fesber.a", "Pws:win32/ymacco.aa50", "Win.packed.stealerc-10017074-0", "Slfper:softwarebundler:win32/icloader.a", "Trojandropper:win32/muldrop.v!mtb", "Trojan:o97m/madeba.a!det", "Trojandownloader:win32/nemucod", "Alf:trojan:win32/cassini_412f60c8!ibt", "Win.dropper.quasarrat-10023124-0", "Win.malware.midie-6847893-0", "Win.malware.aauto-9839281-0", "Slf:win32/elenquay.a", "Redline", "Worm:win32/autorun", "Worm:win32/autorun!atmn", "Alf:heraklezeval:rogue:win32/fakerean", "Backdoor:win32/tofsee.t", "Win.trojan.barys-10005825-0", "Alf:hstr:virtool:win32/obfuscator!pecancer", "Alf:heraklezeval:trojan:win32/azorult.fw!rfn", "Ransom:win32/eniqma.a" ], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 50, "pulses": [ { "id": "6a13d458f27a51876d7949f5", "name": "NOW BOARDING: DARK-ZERO Sheep Tracker * CAPE Sandbox", "description": "Modern threat intelligence requires moving from passive observation to active intervention. In the context of targeted tracking implants, defending civil rights means engineering systems that protect user autonomy against unauthorized data extraction. Architectural Protections:\n0-Trust Telemetry: Designing operating systems where the user owns the cryptographic root of trust.\nHardware-Enforced Isolation: Utilizing Secure Enclaves to process cryptographic keys outside the reach of a compromised kernel.\nExploit Mitigation: Implementing advanced PAC+ Memory Tagging Extensions (MTE) to stop zero-day memory corruption bugs. The holiday serves as a reminder for SOCs to uphold high ethical standards, ensuring defensive tools are never repurposed for unauthorized surveillance. Respect to all.", "modified": "2026-05-27T17:19:19.635000", "created": "2026-05-25T04:47:20.503000", "tags": [ "win32 exe", "mozilla firefox", "zip adobe", "photoshop cc", "rar adobe", "air sdk", "adobe air", "lassa2", "default", "shell folders", "inprocserver32", "parent pid", "full path", "command line", "cname", "folders", "file size", "mwdb", "accept", "shutdown", "ip address", "virustotal box", "apples sandbox", "sandbox sha256", "analysis date", "file", "operations", "process open", "write delete", "move time", "file type", "json", "ascii", "utf8", "sqlite version", "found", "pe file", "intel", "pe32", "ms windows", "installer", "defense evasion", "window", "title", "template", "next", "united", "performs dns", "grabber honest", "layer protocol", "attack network", "info processes", "extra info", "zenbox macos", "verdict", "guest system", "ascii text", "sigma", "creates", "t1055 process", "info dropped", "malicious", "p2404", "p11718783889", "p4de83ek69hqsh4", "p11718784848", "bazaar", "sha3384", "ssdeep", "checker", "themida", "guard", "property", "adobe device", "property name", "productname", "displayname", "destination", "root", "totalsize", "langpack", "swedish", "win32", "windows sandbox", "calls clear", "sha256", "sha1", "crc32", "size", "flash", "june", "drops pe", "crlf line", "sample", "persistence", "win64", "hook", "instructor", "kids goldadobe", "errstr", "cultureneutral", "license", "error", "code", "service", "vmprotect", "february", "back", "number", "mitre attack", "network info", "processes extra", "fri dec", "database", "initial access", "program", "overview", "overview zenbox", "ultimate file", "info file", "Nullworld", "value", "value lang", "buildinfo", "productinfo", "addremoveinfo", "displayversion", "screnshots", "United", "Swedishvpncarrierenrollment", "calls process", "writes", "png image", "rgba", "guloader", "fraud", "phishing", "install", "pdapp", "urihandler", "us tcp", "product install", "gamma", "updater", "Now boarding", "DarkZero", "Sheep Tracker" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/036d1a174e3ef9a15c8075248958c4f36d8817573ef3f6f12c62850976b32737_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779681399&Signature=o4EIDa%2Bu5q7UzJoKBZ3SHIdTRWKGT7HIZyLxFZSLdRJV2Ng655y2X8OLnU2siFeopgWPI6Gd8nE9F9LFBFgwM%2F0ZN0FWsDls8m78y46TmhjHhykfch6G%2Buw3LPxmfbz999yBfELXQDUCNWIiGUPv%2B23aUdHnc0c5jI4Mvlz2HGA%2BHlIMjc1w1S%2BWm%2FI6ftHJdyIAh0SqMbPXqAy%2BIonExlGkoEmMBCJl3r3pfMcYzy4ai0", "https://vtbehaviour.commondatastorage.googleapis.com/05eff75186e681b14135ce2945d124664260e5a88e0d14f138050d622d82745a_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779681421&Signature=oUYsIo6y2ldihmETch4oPYw5nb4sHZhKRik2zGuv2h9rqu30GcV1xZHlIO9ttFa625EXOlrrILZtAhfM%2FamkTDjXZUTqn2%2BTKmgnxqOOfJU6KrJHPLE9Do7l7MEaPxX4cs8z8tWd0%2FY8sBv8sjGAIdWrT5OPv202LNN%2FiVe6mEIUMkmNr%2BG1S3Pgs6LRTjo%2BgqhEcNXT0MFUgs3I2e4AQ0TQ4FOs%2BVRY", "https://vtbehaviour.commondatastorage.googleapis.com/036d1a174e3ef9a15c8075248958c4f36d8817573ef3f6f12c62850976b32737_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779681469&Signature=VGjB%2F%2BCQwDtsenSFWX7YNKbe9s%2Fgcpg%2FotVlxRZ6FXuE9VXITP76QQq6L2vlSM7pfQHSnBv%2BUdwMtN3QhCxjF7Zv2PV%2FkWLnwwA3hJciWMAKiLSeKTanNshzLWnmBjN04FASFwNf6kAq4PcunHkHh2PSOGl03eem41DHA6YOIRAjI1C6hAdDvKoAqJJXuGKM%2F5Z5vzfeTaXNgCRutOhVDB4%2FcAcV9zZaRcX9Ii0IFRAZo%2Bzk7rvI", "https://vtbehaviour.commondatastorage.googleapis.com/05eff75186e681b14135ce2945d124664260e5a88e0d14f138050d622d82745a_Zenbox%20macOS.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779681490&Signature=bIUDLY2jLaPa0t0OyOiuRlKjk8VM9IFdVTwzJhuTKfuV%2BhwtwcYghSy4186P0qsGEebShI2xNNVBPSd3uQdeXMuYRDJWcyo18c12pLwgcLgaBot06%2Bfys%2BlGp%2FV%2FSCDBvdo3iLaAOesoSo8vbCLNsWAzGM5sztLl%2Beyq9%2F1oSuAvU692EiARhcufOCMFqXCn6MNuSp18gSQwkFRBadsMvHSjfHW645FvLUfiP5Egu1WuMVP2", "https://vtbehaviour.commondatastorage.googleapis.com/05eff75186e681b14135ce2945d124664260e5a88e0d14f138050d622d82745a_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779681535&Signature=K%2BM%2FPuLQI5kqDYLWjQMD%2BgPbchxwp2sWPPUtfDZYFn5H9w%2BqFPRxh7iZqH4FOPAnwlC0%2BN5TKTqrEuhABL3gWMqHySyweiNPNkJ1MlX29xZdE482pqQSn8rzkPs7CZD63ts4ZRPrK%2Bl06RV13mZf4TUzAD9Sx0m6%2FWhetQETuu6StpVmyzhie%2Fn%2FUdsdFN0SW%2BtLpQE74IVNfszCgKVhF9oNeBiifytanSbIG0SnLff9sXffjS", "https://vtbehaviour.commondatastorage.googleapis.com/087975d5f3c874a6fe9cbfe9d7ee77fb0af138e3c36a6f75e3d000699afc571d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779681569&Signature=C286Cg30s1QDg1lkY0jtTLfia8Fs4B%2FdqNMfidFUYXpd2si4N25G7RBqy8LODkWqBQca8rpYyZ7FIYHuRDc0wBLk%2B1rPiEXJckZIdmkyhDkFJ2jrxfNV135BZTTeF6DkLrRfWPgnxciVK%2FJrkueYnjlYhYW08OZkTu9plzgmfR2IocW5ENVaqHbcPAdm2QDCC6VVrNQp%2FP%2FjV6%2Fkm37tinRyXhg1vKSf0TVFMzL1jpYkiS5PIc", "https://vtbehaviour.commondatastorage.googleapis.com/07f5960476ab34754f3e04143caf2d4899cb09e6b271bfd27ef1f1c8977ca050_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779681591&Signature=uoP10og17YxXUe0yZ8kll3N15RJJ%2Bf5pJFzW0MUe4fdvXaLlcOfCxs%2B6EyW23FSqTj%2FbNedtUC6z7Y0dgMPBtJC%2F9gOhXEZj5%2BKKwnQbCBe7GuFtEsVMMkQRdiDQxJYZipAId1MwoBChhx%2BSr%2FrboVkDq%2F%2FbNLvWS6keRMn4fa8GX%2BF0lIJepJ98sjwXs48DXBch8974olbyd38VGGp1bLMl7mycstrQ2hIy2MFXWD", "https://vtbehaviour.commondatastorage.googleapis.com/0da371854ec2c04bbee9680dbdabb67a4e4a84add40e5e1877425790f2dfef02_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682005&Signature=SyLSFT5xdlAZ5lwNyaeDpqsMTuwGywWruel4fBOIdsyiZ%2FvtOZYr7f%2B%2BIuBmqFMAwMI4L7kB6jRtv8mVn8lmU5MUJBAG6GJdVsEp2SoexU5Yl2kTksey03ZsjBloxlJqDzf8PULDlwjfD1Ydv%2B5QFPoY3%2Fk8TKMlmmpTIw7%2FYcR24%2FHYHw78XVF2cV%2Bnb3GoDaHw%2FnpxLrDwgfZP9dWvP8V264o5l2dDfxQtF0", "https://vtbehaviour.commondatastorage.googleapis.com/17c1908439bc7132f6a7c496c68d39b0c0cee504fe9020c920a2d1d04685fb5b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682086&Signature=yzXoWEcsMl9wlTGgMQfBKEZWwnDzmua%2FR2suwDMBSqPLhunpHELcj0SzY3czM%2F9HQG9QuvYzhQRVUxR1iDaFz1BQ4YHkXJih3zm%2BcNlDcfXsOZzyYzWUhaPsbSti%2FWbFoL4E14bnS7tIuG9s9R96LkGyGpWIsT%2BPeCNhsCzD7vFRU0cPMr6vNblu%2BBiO3Ki99QSrkF4hzBxkQ7DFgba3qi7kOfal%2F2K8hC1ikcZntmn5IESW", "https://vtbehaviour.commondatastorage.googleapis.com/17c1908439bc7132f6a7c496c68d39b0c0cee504fe9020c920a2d1d04685fb5b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682105&Signature=DkIw2nRg0%2BHKmd2TpyMzcgrB%2F4s6sIVIpOEEVMqz3Csoj6PPmSGNer%2Bt5X5oYKPZQgJETAHcCRs0mh3Lfa85XEPdYk6PjMimJmKQdBstqdULgs6q7wyZEjHDhQn41ri7eQ16g7pAo9ojfhLUNp4uW2xuYvdBwYhYBsZP3EO1BKz2f3dYxSg%2Bgsn2AnC2%2BDRTIX0Xxd%2Bt44%2BkXfiY32mvDHDNDCcuT5ZDFNrHwDp3HKuuJYy7lRHm8AlK", "https://vtbehaviour.commondatastorage.googleapis.com/1f1db73659fa2fe7a944d20bb4e9a867513a50ee9b51be89dfec30c73f6ed622_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682177&Signature=yjgeq7TPzf6M6Pn8mPFgBmhHQbfgGlaadZNsSsDUKq0Da4%2Bb25WhNl6nDIyUDmRBtABod6Itj2EUlbe%2B4U0QYLuJR00aQqsO%2F9pXU4AWeIFUEZhCrwgZ5WuNPpYbdVbOYcVX6oyDXpSjv1QEGmJ1NVVr%2F1esshl3tugyHxp6LFYa9%2BQeoiqsBikKLglNB52vsap%2BkwVPKyXg%2FjduMqTQd%2FhNMM41261XiBOTtUqjpzIm67", "https://vtbehaviour.commondatastorage.googleapis.com/492dc39e7752dccfd15f588054991277e6548b794b28a03f42b9cee132eebd2e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682206&Signature=iCbR7BcpXhfqHIoxTRE%2BvhCqRoHYALCXll0hXveh8IQOJPjxw%2BlLNas6nIvp035t6sdMg9KdOY751XfThil%2FE2mLrvir%2FwKjheK2382r5bhEQFEsa6etlla3TDjlvttEFZDUN7SSLpGao8u7uVNwrPRb0BuwYDemKKVJK6DACPbUZEHk3DZ%2Bi8SxXIdELiXG%2Bozy7oC8Dcj0HqHGYuliXpjT1mV7OsCjFXvmjZPcFH06EzZS5L", "https://vtbehaviour.commondatastorage.googleapis.com/17c1908439bc7132f6a7c496c68d39b0c0cee504fe9020c920a2d1d04685fb5b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682251&Signature=z6Lrdrr5u6YZdzJaR%2B2Qab%2F%2FVA6%2FL6JaNA4%2BVxLe9wEjL%2B2ARzGBhQdq6RTX5ez3SDTWWmc%2BrOypKxxCsLeXUbjYRoIgcsSzYIxWQWoEl35tFARLVKf%2FVf%2B696U6PYQ%2F1BNWxSfuNOeUVNK2pIiMYCUjLnikvUyj9Ip3MrgKOaV9v9SShCLay93Y7b3GbAUZ2Jzy18PEYf%2FLuk4fDrqITmP2upsysOJq1MhZcJ%2", "https://vtbehaviour.commondatastorage.googleapis.com/105f31af20fdb87d442f81aad0c3a54030b7e214c4796cf2a069bae6aa89dc65_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682395&Signature=oVg82i1yTG%2BGfhoL5FyBdK%2BZKa6wi2iWMpwHyA77jBFtAOZxw%2Bs6z6So26GWDthH7UMEzwZwQC6ENF1TLBEqXukldXMdMg%2FvNylvy7vCdDKDsw53Ibc7vKnu5T0lNumnv%2FD5vnV14QZrzAE8PG3J0S0rtheY8mNCkM6t1w52XYYm5mfnGJXsnjyMEvgURuPhzOIq9%2B%2FG7XUWFK0vK%2BlzKmZU627%2FKYkT9EWHOI8Nyx%2FJUqad%2", "https://vtbehaviour.commondatastorage.googleapis.com/002150c786ae1e04ab2981bf5593d926987b60b9ac699f431ed4568084dd854b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682457&Signature=eWipoH1g7AQ8zq2pd%2BpyAKrKscAY%2FebCATbHE%2FMwdvIfIy%2F4i3OFy%2FKlfaNCXDLDU0OM6JaEF73FAqGhLEb8ZcxTuEfMeU%2F6WxjpgS2SqLZ0xOjAPgPWOOor3uCcdIEZRCcpJe%2BAzPY8jEZJ0aIf49RU85lkIx9yCiXcFnee1pNHHBFwpsBK4FNuTB%2FyDe61M5Htw4fjlf43GTnXFxj0%2Fjc%2Fe32Q7EpVkuSc0I%2F3zTrY0UkC", "https://vtbehaviour.commondatastorage.googleapis.com/492dc39e7752dccfd15f588054991277e6548b794b28a03f42b9cee132eebd2e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682486&Signature=ucigAmI%2BTWYWnZuZjQb7cvSnhC1f6r93NM1kh5fCHjjcUodx6ltePV2QSdyXCnhrdH8ODLugh37CFZxsAmtiMMefuyuh6T8mtuxe7znGqLiJre5YFfSQLkzmz0Ksqekcg0sp1bUaKykXguy%2BKwv6Tg12CIM7xzaDB%2BGcjw6KkBLiD0A1sB6Z9gk9np%2FNtUBHdW7E0eBfvTWOK8F99R1lQdmQab2Vha55GLH6JRBksZ7AbBEdVS8DMtkaZCS9sV", "https://vtbehaviour.commondatastorage.googleapis.com/049c8db974d1830f931d605f6918184d8928c46c74f4152dfde3dc7bdffbf5d5_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682585&Signature=z2IzO8oruo5%2BmP%2BuhsnAbNLmy7QRAemblZDUm1KEgUCliIqrtWVkruuMg2tcIokmH12yIvRumIVlk5OcGjVxI%2Bb%2B3Va9LgSnD%2Bwjbe5pAs%2BDuUGTY52XSe7V9xdcRN38UeNFYy2jTLa2KYspIZ0NzHMsL0BzU5pqOWw0bAShHYc9sNx0S7a%2BSD7PiY%2BDR%2Br%2BQll9wUT%2B4EjhHrYYmmdRCa6vbIyTLcHmdw4JzmHHsLy%2Bjf", "https://vtbehaviour.commondatastorage.googleapis.com/27086c4185aa32bbc6674267b947e3f6610554188ac694ce2dbc1191a9525339_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779683188&Signature=o0pfi%2Bqzc6KRiLra5kzATI2ROhjWVPHqZ7tOokv%2B9i4HwxX3m%2BpcqtYKMIFJMVk1qNFDyYwnCDfkeiva50iZyrha2F3bacitBdmnSwCEQE5xMG73RGPjQAvPps3tKMm1MDH8Rzpy65y9bdKpTSCL9%2Bt2xAk4%2BXx13XPz2GlU%2BG8Q%2FSPkCW96%2BX6c5xzWpIH%2FlXn7%2Bgl2G9QMGbrbnwD%2FfR58%2FrXIeIEJ%2F9%2BNt2W3Fr", "https://vtbehaviour.commondatastorage.googleapis.com/2c7002510767deb9bbb0d2ee2d47be98828bf5b6e999d6cd882b1c1a1c908510_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779683299&Signature=RMRBhdx9cTLEwBYgOaiBV4x03W8laZvNMUtTq68ykLCh0R5toTaD64MdSiBhgsNAZLaS8z9dPsGmVcfMC8U5sPrXXLzAt9CBPoJjT2jV40HyYrW58xs3wjf65936U00bQy9DGFrlU7xInrhEocKiXuD17i5A%2F7tdPgx74I6xY906Ua8hyOe3f5zVmaxE6zpNAonyZtoHtHmnuDLG71DTPwYyiKcGPff7glIXoNalw4ST3jQr3Ma%2Fv1Q3De", "https://vtbehaviour.commondatastorage.googleapis.com/2c98a3b3752939b7c2db76682607e3918dee0edd81998279cb4528cc6c67f715_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779683469&Signature=oE7hEU%2FccffwWPye7wmTWT154zCmhX2wBLLWErX6yptBjSn9YXSMLMohlpsjw%2BxO5VxqobuYkMh302JzsMTg4fXVD76S9F6aOL1vRPwZx8fTGOeMoKRTMO7B0xwvo2HQCra8ds7NMqXBpbNxN%2Bi7Ez6ZOyX%2FQUyixg1Ya1G7%2FkF8sEaT8z%2B4QHLhghEUdy4%2FMYbGVFzAKhSDW9Yg%2BcPfxQLt%2BViZ", "https://vtbehaviour.commondatastorage.googleapis.com/5f87d5cb5921df99f335e1a8f044db15187f88aea04ecc073b310a4b9649a5e1_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779683851&Signature=oDNiEuOved3Q5at8LARyePhpQE3%2FjmEYRIWg4Vzp0yzifSrnwMGaujbhYJWqc8BadzAh1AhmrfOaNLGJfe8IO2Izje4ofsfex0DAAfgHm5l1vDeQWFDfgypa9%2F8sHOOgBiUlbdSDYrVdZ2Z9f8MGr8OaswhQwykG5mL3UcUwRD4heOIda%2FFZGhfCLn%2B7ksTMcuD2%2BjT%2F7IuP8kYOTQ0ZqwnDZGNQwopAFpNNouIAx0LKAjPDIO", "https://vtbehaviour.commondatastorage.googleapis.com/5f9b9db4e9200b4576d6e8bc2888d6e7ab28a04e66083366bcde57915eed5078_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779683897&Signature=A1uHov9N8mIMBn6lVPETST7i%2F%2F3lKCkTSifHpWYQ8lqnGw3%2FwBD1QhGr1tH%2BYzg4xJYZR1vHPxcGC2biWNZtPF89Sx8FKf%2F18O4PHYJb1n7YfdP24JbV%2BkekQpomFKe66pKsf0gWQQx1zTJDWvam9HuvVTyCV9h22TLG%2FmBDvK4SftnNssRv0EkzKP9dNqTfjJdMh0Y0rIEyQdNLLo%2BLsWQbrx2yxJo6kZD%2FJC", "https://vtbehaviour.commondatastorage.googleapis.com/727dc58bb6aaf24fd82f54a11560f26e38ee0ca6bb823ea70bad33fd7c9378ef_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779683965&Signature=tYhGClprbVOZuxQF%2F%2BLWEx6LfO%2Fz4pigFaLvSPYRY%2Fqg92dL8%2BWlaAyT%2FJueBiXJFPkqBYoXk0DmZNj2UfqQiv4Jy9bhRG562tGCoadI7qFVHMBOyAmGj0uMVS%2FoyY00p8UkiUah%2BiG2lZaGt6eVnE1yrGqEIpnAnUxdyxti%2BDm0vFgP5Ust7yR%2F1SAtswsFyfntj2GSgBc5z1NbueSA2uSfZsxWtxmYAm9dk%2FrUPQ47Nb5Q", "https://vtbehaviour.commondatastorage.googleapis.com/7111bb197f77eecf518b22f7a6f269647abc17eda4aaed9ba50212462b9848ed_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779684045&Signature=g5SPZe7A95%2FqyMCV3ihh6MGTnXRMjhKIGP6dBCJ3OB%2FCOBrSRTz%2BpnCcdIwsJk%2Fc74E6s1DRbKJn3SszGoP7h%2FNJwXl3BIBK6KeI0zYJeOibOT%2BeU9CnCcwY%2F3bx99X3LvHRwg0Fkdg%2BJoRI620jziRVAW%2FiC1wpzeMqmJNUOHn4NsTYiMD7H8cuBnRzAZQvK2lRO5asaddU11mHkkQ963f3YOOv", "https://vtbehaviour.commondatastorage.googleapis.com/8b10c7238761ba1c98b713c673c452437c4a56794ff0e3d657cff148056c9cf1_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779684153&Signature=MfmLhMZdg4gtuEoE1eB%2FroqyUo2QXTJ8L6oAmpYIvTmU8BmwS6hwF0opRe4GV3ox8yxCzd2O9fsm4T7dwrkSk8fJBlqrPHibaMNPNs4QpeMOraU4O6Au5EDLlJTtDwp43nz%2FK5tqLXzJpfqCvDEnQOghFLah5YCBj8qdFtGrKfHbvyMGL70BlhpaZsmAn3Jgu6zNXCQGqz3c%2BkATkQ3XNm%2F8FiNTOFzO5TUxHqPE3NUMFglmxAJhEo" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 2266, "IPv4": 326, "domain": 179, "hostname": 381, "FileHash-MD5": 811, "FileHash-SHA1": 835, "URL": 815, "email": 2 }, "indicator_count": 5615, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "3 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a13d450d1c0f6a31e71cef1", "name": "NOW BOARDING: DARK-ZERO Sheep Tracker * CAPE Sandbox", "description": "Modern threat intelligence requires moving from passive observation to active intervention. In the context of targeted tracking implants, defending civil rights means engineering systems that protect user autonomy against unauthorized data extraction. Architectural Protections:\n0-Trust Telemetry: Designing operating systems where the user owns the cryptographic root of trust.\nHardware-Enforced Isolation: Utilizing Secure Enclaves to process cryptographic keys outside the reach of a compromised kernel.\nExploit Mitigation: Implementing advanced PAC+ Memory Tagging Extensions (MTE) to stop zero-day memory corruption bugs. The holiday serves as a reminder for SOCs to uphold high ethical standards, ensuring defensive tools are never repurposed for unauthorized surveillance. Respect to all.", "modified": "2026-05-27T16:31:09.918000", "created": "2026-05-25T04:47:12.640000", "tags": [ "win32 exe", "mozilla firefox", "zip adobe", "photoshop cc", "rar adobe", "air sdk", "adobe air", "lassa2", "default", "shell folders", "inprocserver32", "parent pid", "full path", "command line", "cname", "folders", "file size", "mwdb", "accept", "shutdown", "ip address", "virustotal box", "apples sandbox", "sandbox sha256", "analysis date", "file", "operations", "process open", "write delete", "move time", "file type", "json", "ascii", "utf8", "sqlite version", "found", "pe file", "intel", "pe32", "ms windows", "installer", "defense evasion", "window", "title", "template", "next", "united", "performs dns", "grabber honest", "layer protocol", "attack network", "info processes", "extra info", "zenbox macos", "verdict", "guest system", "ascii text", "sigma", "creates", "t1055 process", "info dropped", "malicious", "p2404", "p11718783889", "p4de83ek69hqsh4", "p11718784848", "bazaar", "sha3384", "ssdeep", "checker", "themida", "guard", "property", "adobe device", "property name", "productname", "displayname", "destination", "root", "totalsize", "langpack", "swedish", "win32", "windows sandbox", "calls clear", "sha256", "sha1", "crc32", "size", "flash", "june", "drops pe", "crlf line", "sample", "persistence", "win64", "hook", "instructor", "kids goldadobe", "errstr", "cultureneutral", "license", "error", "code", "service", "vmprotect", "february", "back", "number", "mitre attack", "network info", "processes extra", "fri dec", "database", "initial access", "program", "overview", "overview zenbox", "ultimate file", "info file", "Nullworld", "value", "value lang", "buildinfo", "productinfo", "addremoveinfo", "displayversion", "screnshots", "United", "Swedishvpncarrierenrollment", "calls process", "writes", "png image", "rgba", "guloader", "fraud", "phishing", "install", "pdapp", "urihandler", "us tcp", "product install", "gamma", "updater", "Now boarding", "DarkZero", "Sheep Tracker" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/036d1a174e3ef9a15c8075248958c4f36d8817573ef3f6f12c62850976b32737_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779681399&Signature=o4EIDa%2Bu5q7UzJoKBZ3SHIdTRWKGT7HIZyLxFZSLdRJV2Ng655y2X8OLnU2siFeopgWPI6Gd8nE9F9LFBFgwM%2F0ZN0FWsDls8m78y46TmhjHhykfch6G%2Buw3LPxmfbz999yBfELXQDUCNWIiGUPv%2B23aUdHnc0c5jI4Mvlz2HGA%2BHlIMjc1w1S%2BWm%2FI6ftHJdyIAh0SqMbPXqAy%2BIonExlGkoEmMBCJl3r3pfMcYzy4ai0", "https://vtbehaviour.commondatastorage.googleapis.com/05eff75186e681b14135ce2945d124664260e5a88e0d14f138050d622d82745a_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779681421&Signature=oUYsIo6y2ldihmETch4oPYw5nb4sHZhKRik2zGuv2h9rqu30GcV1xZHlIO9ttFa625EXOlrrILZtAhfM%2FamkTDjXZUTqn2%2BTKmgnxqOOfJU6KrJHPLE9Do7l7MEaPxX4cs8z8tWd0%2FY8sBv8sjGAIdWrT5OPv202LNN%2FiVe6mEIUMkmNr%2BG1S3Pgs6LRTjo%2BgqhEcNXT0MFUgs3I2e4AQ0TQ4FOs%2BVRY", "https://vtbehaviour.commondatastorage.googleapis.com/036d1a174e3ef9a15c8075248958c4f36d8817573ef3f6f12c62850976b32737_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779681469&Signature=VGjB%2F%2BCQwDtsenSFWX7YNKbe9s%2Fgcpg%2FotVlxRZ6FXuE9VXITP76QQq6L2vlSM7pfQHSnBv%2BUdwMtN3QhCxjF7Zv2PV%2FkWLnwwA3hJciWMAKiLSeKTanNshzLWnmBjN04FASFwNf6kAq4PcunHkHh2PSOGl03eem41DHA6YOIRAjI1C6hAdDvKoAqJJXuGKM%2F5Z5vzfeTaXNgCRutOhVDB4%2FcAcV9zZaRcX9Ii0IFRAZo%2Bzk7rvI", "https://vtbehaviour.commondatastorage.googleapis.com/05eff75186e681b14135ce2945d124664260e5a88e0d14f138050d622d82745a_Zenbox%20macOS.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779681490&Signature=bIUDLY2jLaPa0t0OyOiuRlKjk8VM9IFdVTwzJhuTKfuV%2BhwtwcYghSy4186P0qsGEebShI2xNNVBPSd3uQdeXMuYRDJWcyo18c12pLwgcLgaBot06%2Bfys%2BlGp%2FV%2FSCDBvdo3iLaAOesoSo8vbCLNsWAzGM5sztLl%2Beyq9%2F1oSuAvU692EiARhcufOCMFqXCn6MNuSp18gSQwkFRBadsMvHSjfHW645FvLUfiP5Egu1WuMVP2", "https://vtbehaviour.commondatastorage.googleapis.com/05eff75186e681b14135ce2945d124664260e5a88e0d14f138050d622d82745a_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779681535&Signature=K%2BM%2FPuLQI5kqDYLWjQMD%2BgPbchxwp2sWPPUtfDZYFn5H9w%2BqFPRxh7iZqH4FOPAnwlC0%2BN5TKTqrEuhABL3gWMqHySyweiNPNkJ1MlX29xZdE482pqQSn8rzkPs7CZD63ts4ZRPrK%2Bl06RV13mZf4TUzAD9Sx0m6%2FWhetQETuu6StpVmyzhie%2Fn%2FUdsdFN0SW%2BtLpQE74IVNfszCgKVhF9oNeBiifytanSbIG0SnLff9sXffjS", "https://vtbehaviour.commondatastorage.googleapis.com/087975d5f3c874a6fe9cbfe9d7ee77fb0af138e3c36a6f75e3d000699afc571d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779681569&Signature=C286Cg30s1QDg1lkY0jtTLfia8Fs4B%2FdqNMfidFUYXpd2si4N25G7RBqy8LODkWqBQca8rpYyZ7FIYHuRDc0wBLk%2B1rPiEXJckZIdmkyhDkFJ2jrxfNV135BZTTeF6DkLrRfWPgnxciVK%2FJrkueYnjlYhYW08OZkTu9plzgmfR2IocW5ENVaqHbcPAdm2QDCC6VVrNQp%2FP%2FjV6%2Fkm37tinRyXhg1vKSf0TVFMzL1jpYkiS5PIc", "https://vtbehaviour.commondatastorage.googleapis.com/07f5960476ab34754f3e04143caf2d4899cb09e6b271bfd27ef1f1c8977ca050_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779681591&Signature=uoP10og17YxXUe0yZ8kll3N15RJJ%2Bf5pJFzW0MUe4fdvXaLlcOfCxs%2B6EyW23FSqTj%2FbNedtUC6z7Y0dgMPBtJC%2F9gOhXEZj5%2BKKwnQbCBe7GuFtEsVMMkQRdiDQxJYZipAId1MwoBChhx%2BSr%2FrboVkDq%2F%2FbNLvWS6keRMn4fa8GX%2BF0lIJepJ98sjwXs48DXBch8974olbyd38VGGp1bLMl7mycstrQ2hIy2MFXWD", "https://vtbehaviour.commondatastorage.googleapis.com/0da371854ec2c04bbee9680dbdabb67a4e4a84add40e5e1877425790f2dfef02_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682005&Signature=SyLSFT5xdlAZ5lwNyaeDpqsMTuwGywWruel4fBOIdsyiZ%2FvtOZYr7f%2B%2BIuBmqFMAwMI4L7kB6jRtv8mVn8lmU5MUJBAG6GJdVsEp2SoexU5Yl2kTksey03ZsjBloxlJqDzf8PULDlwjfD1Ydv%2B5QFPoY3%2Fk8TKMlmmpTIw7%2FYcR24%2FHYHw78XVF2cV%2Bnb3GoDaHw%2FnpxLrDwgfZP9dWvP8V264o5l2dDfxQtF0", "https://vtbehaviour.commondatastorage.googleapis.com/17c1908439bc7132f6a7c496c68d39b0c0cee504fe9020c920a2d1d04685fb5b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682086&Signature=yzXoWEcsMl9wlTGgMQfBKEZWwnDzmua%2FR2suwDMBSqPLhunpHELcj0SzY3czM%2F9HQG9QuvYzhQRVUxR1iDaFz1BQ4YHkXJih3zm%2BcNlDcfXsOZzyYzWUhaPsbSti%2FWbFoL4E14bnS7tIuG9s9R96LkGyGpWIsT%2BPeCNhsCzD7vFRU0cPMr6vNblu%2BBiO3Ki99QSrkF4hzBxkQ7DFgba3qi7kOfal%2F2K8hC1ikcZntmn5IESW", "https://vtbehaviour.commondatastorage.googleapis.com/17c1908439bc7132f6a7c496c68d39b0c0cee504fe9020c920a2d1d04685fb5b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682105&Signature=DkIw2nRg0%2BHKmd2TpyMzcgrB%2F4s6sIVIpOEEVMqz3Csoj6PPmSGNer%2Bt5X5oYKPZQgJETAHcCRs0mh3Lfa85XEPdYk6PjMimJmKQdBstqdULgs6q7wyZEjHDhQn41ri7eQ16g7pAo9ojfhLUNp4uW2xuYvdBwYhYBsZP3EO1BKz2f3dYxSg%2Bgsn2AnC2%2BDRTIX0Xxd%2Bt44%2BkXfiY32mvDHDNDCcuT5ZDFNrHwDp3HKuuJYy7lRHm8AlK", "https://vtbehaviour.commondatastorage.googleapis.com/1f1db73659fa2fe7a944d20bb4e9a867513a50ee9b51be89dfec30c73f6ed622_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682177&Signature=yjgeq7TPzf6M6Pn8mPFgBmhHQbfgGlaadZNsSsDUKq0Da4%2Bb25WhNl6nDIyUDmRBtABod6Itj2EUlbe%2B4U0QYLuJR00aQqsO%2F9pXU4AWeIFUEZhCrwgZ5WuNPpYbdVbOYcVX6oyDXpSjv1QEGmJ1NVVr%2F1esshl3tugyHxp6LFYa9%2BQeoiqsBikKLglNB52vsap%2BkwVPKyXg%2FjduMqTQd%2FhNMM41261XiBOTtUqjpzIm67", "https://vtbehaviour.commondatastorage.googleapis.com/492dc39e7752dccfd15f588054991277e6548b794b28a03f42b9cee132eebd2e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682206&Signature=iCbR7BcpXhfqHIoxTRE%2BvhCqRoHYALCXll0hXveh8IQOJPjxw%2BlLNas6nIvp035t6sdMg9KdOY751XfThil%2FE2mLrvir%2FwKjheK2382r5bhEQFEsa6etlla3TDjlvttEFZDUN7SSLpGao8u7uVNwrPRb0BuwYDemKKVJK6DACPbUZEHk3DZ%2Bi8SxXIdELiXG%2Bozy7oC8Dcj0HqHGYuliXpjT1mV7OsCjFXvmjZPcFH06EzZS5L", "https://vtbehaviour.commondatastorage.googleapis.com/17c1908439bc7132f6a7c496c68d39b0c0cee504fe9020c920a2d1d04685fb5b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682251&Signature=z6Lrdrr5u6YZdzJaR%2B2Qab%2F%2FVA6%2FL6JaNA4%2BVxLe9wEjL%2B2ARzGBhQdq6RTX5ez3SDTWWmc%2BrOypKxxCsLeXUbjYRoIgcsSzYIxWQWoEl35tFARLVKf%2FVf%2B696U6PYQ%2F1BNWxSfuNOeUVNK2pIiMYCUjLnikvUyj9Ip3MrgKOaV9v9SShCLay93Y7b3GbAUZ2Jzy18PEYf%2FLuk4fDrqITmP2upsysOJq1MhZcJ%2", "https://vtbehaviour.commondatastorage.googleapis.com/105f31af20fdb87d442f81aad0c3a54030b7e214c4796cf2a069bae6aa89dc65_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682395&Signature=oVg82i1yTG%2BGfhoL5FyBdK%2BZKa6wi2iWMpwHyA77jBFtAOZxw%2Bs6z6So26GWDthH7UMEzwZwQC6ENF1TLBEqXukldXMdMg%2FvNylvy7vCdDKDsw53Ibc7vKnu5T0lNumnv%2FD5vnV14QZrzAE8PG3J0S0rtheY8mNCkM6t1w52XYYm5mfnGJXsnjyMEvgURuPhzOIq9%2B%2FG7XUWFK0vK%2BlzKmZU627%2FKYkT9EWHOI8Nyx%2FJUqad%2", "https://vtbehaviour.commondatastorage.googleapis.com/002150c786ae1e04ab2981bf5593d926987b60b9ac699f431ed4568084dd854b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682457&Signature=eWipoH1g7AQ8zq2pd%2BpyAKrKscAY%2FebCATbHE%2FMwdvIfIy%2F4i3OFy%2FKlfaNCXDLDU0OM6JaEF73FAqGhLEb8ZcxTuEfMeU%2F6WxjpgS2SqLZ0xOjAPgPWOOor3uCcdIEZRCcpJe%2BAzPY8jEZJ0aIf49RU85lkIx9yCiXcFnee1pNHHBFwpsBK4FNuTB%2FyDe61M5Htw4fjlf43GTnXFxj0%2Fjc%2Fe32Q7EpVkuSc0I%2F3zTrY0UkC", "https://vtbehaviour.commondatastorage.googleapis.com/492dc39e7752dccfd15f588054991277e6548b794b28a03f42b9cee132eebd2e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682486&Signature=ucigAmI%2BTWYWnZuZjQb7cvSnhC1f6r93NM1kh5fCHjjcUodx6ltePV2QSdyXCnhrdH8ODLugh37CFZxsAmtiMMefuyuh6T8mtuxe7znGqLiJre5YFfSQLkzmz0Ksqekcg0sp1bUaKykXguy%2BKwv6Tg12CIM7xzaDB%2BGcjw6KkBLiD0A1sB6Z9gk9np%2FNtUBHdW7E0eBfvTWOK8F99R1lQdmQab2Vha55GLH6JRBksZ7AbBEdVS8DMtkaZCS9sV", "https://vtbehaviour.commondatastorage.googleapis.com/049c8db974d1830f931d605f6918184d8928c46c74f4152dfde3dc7bdffbf5d5_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682585&Signature=z2IzO8oruo5%2BmP%2BuhsnAbNLmy7QRAemblZDUm1KEgUCliIqrtWVkruuMg2tcIokmH12yIvRumIVlk5OcGjVxI%2Bb%2B3Va9LgSnD%2Bwjbe5pAs%2BDuUGTY52XSe7V9xdcRN38UeNFYy2jTLa2KYspIZ0NzHMsL0BzU5pqOWw0bAShHYc9sNx0S7a%2BSD7PiY%2BDR%2Br%2BQll9wUT%2B4EjhHrYYmmdRCa6vbIyTLcHmdw4JzmHHsLy%2Bjf", "https://vtbehaviour.commondatastorage.googleapis.com/27086c4185aa32bbc6674267b947e3f6610554188ac694ce2dbc1191a9525339_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779683188&Signature=o0pfi%2Bqzc6KRiLra5kzATI2ROhjWVPHqZ7tOokv%2B9i4HwxX3m%2BpcqtYKMIFJMVk1qNFDyYwnCDfkeiva50iZyrha2F3bacitBdmnSwCEQE5xMG73RGPjQAvPps3tKMm1MDH8Rzpy65y9bdKpTSCL9%2Bt2xAk4%2BXx13XPz2GlU%2BG8Q%2FSPkCW96%2BX6c5xzWpIH%2FlXn7%2Bgl2G9QMGbrbnwD%2FfR58%2FrXIeIEJ%2F9%2BNt2W3Fr", "https://vtbehaviour.commondatastorage.googleapis.com/2c7002510767deb9bbb0d2ee2d47be98828bf5b6e999d6cd882b1c1a1c908510_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779683299&Signature=RMRBhdx9cTLEwBYgOaiBV4x03W8laZvNMUtTq68ykLCh0R5toTaD64MdSiBhgsNAZLaS8z9dPsGmVcfMC8U5sPrXXLzAt9CBPoJjT2jV40HyYrW58xs3wjf65936U00bQy9DGFrlU7xInrhEocKiXuD17i5A%2F7tdPgx74I6xY906Ua8hyOe3f5zVmaxE6zpNAonyZtoHtHmnuDLG71DTPwYyiKcGPff7glIXoNalw4ST3jQr3Ma%2Fv1Q3De", "https://vtbehaviour.commondatastorage.googleapis.com/2c98a3b3752939b7c2db76682607e3918dee0edd81998279cb4528cc6c67f715_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779683469&Signature=oE7hEU%2FccffwWPye7wmTWT154zCmhX2wBLLWErX6yptBjSn9YXSMLMohlpsjw%2BxO5VxqobuYkMh302JzsMTg4fXVD76S9F6aOL1vRPwZx8fTGOeMoKRTMO7B0xwvo2HQCra8ds7NMqXBpbNxN%2Bi7Ez6ZOyX%2FQUyixg1Ya1G7%2FkF8sEaT8z%2B4QHLhghEUdy4%2FMYbGVFzAKhSDW9Yg%2BcPfxQLt%2BViZ", "https://vtbehaviour.commondatastorage.googleapis.com/5f87d5cb5921df99f335e1a8f044db15187f88aea04ecc073b310a4b9649a5e1_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779683851&Signature=oDNiEuOved3Q5at8LARyePhpQE3%2FjmEYRIWg4Vzp0yzifSrnwMGaujbhYJWqc8BadzAh1AhmrfOaNLGJfe8IO2Izje4ofsfex0DAAfgHm5l1vDeQWFDfgypa9%2F8sHOOgBiUlbdSDYrVdZ2Z9f8MGr8OaswhQwykG5mL3UcUwRD4heOIda%2FFZGhfCLn%2B7ksTMcuD2%2BjT%2F7IuP8kYOTQ0ZqwnDZGNQwopAFpNNouIAx0LKAjPDIO", "https://vtbehaviour.commondatastorage.googleapis.com/5f9b9db4e9200b4576d6e8bc2888d6e7ab28a04e66083366bcde57915eed5078_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779683897&Signature=A1uHov9N8mIMBn6lVPETST7i%2F%2F3lKCkTSifHpWYQ8lqnGw3%2FwBD1QhGr1tH%2BYzg4xJYZR1vHPxcGC2biWNZtPF89Sx8FKf%2F18O4PHYJb1n7YfdP24JbV%2BkekQpomFKe66pKsf0gWQQx1zTJDWvam9HuvVTyCV9h22TLG%2FmBDvK4SftnNssRv0EkzKP9dNqTfjJdMh0Y0rIEyQdNLLo%2BLsWQbrx2yxJo6kZD%2FJC", "https://vtbehaviour.commondatastorage.googleapis.com/727dc58bb6aaf24fd82f54a11560f26e38ee0ca6bb823ea70bad33fd7c9378ef_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779683965&Signature=tYhGClprbVOZuxQF%2F%2BLWEx6LfO%2Fz4pigFaLvSPYRY%2Fqg92dL8%2BWlaAyT%2FJueBiXJFPkqBYoXk0DmZNj2UfqQiv4Jy9bhRG562tGCoadI7qFVHMBOyAmGj0uMVS%2FoyY00p8UkiUah%2BiG2lZaGt6eVnE1yrGqEIpnAnUxdyxti%2BDm0vFgP5Ust7yR%2F1SAtswsFyfntj2GSgBc5z1NbueSA2uSfZsxWtxmYAm9dk%2FrUPQ47Nb5Q", "https://vtbehaviour.commondatastorage.googleapis.com/7111bb197f77eecf518b22f7a6f269647abc17eda4aaed9ba50212462b9848ed_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779684045&Signature=g5SPZe7A95%2FqyMCV3ihh6MGTnXRMjhKIGP6dBCJ3OB%2FCOBrSRTz%2BpnCcdIwsJk%2Fc74E6s1DRbKJn3SszGoP7h%2FNJwXl3BIBK6KeI0zYJeOibOT%2BeU9CnCcwY%2F3bx99X3LvHRwg0Fkdg%2BJoRI620jziRVAW%2FiC1wpzeMqmJNUOHn4NsTYiMD7H8cuBnRzAZQvK2lRO5asaddU11mHkkQ963f3YOOv", "https://vtbehaviour.commondatastorage.googleapis.com/8b10c7238761ba1c98b713c673c452437c4a56794ff0e3d657cff148056c9cf1_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779684153&Signature=MfmLhMZdg4gtuEoE1eB%2FroqyUo2QXTJ8L6oAmpYIvTmU8BmwS6hwF0opRe4GV3ox8yxCzd2O9fsm4T7dwrkSk8fJBlqrPHibaMNPNs4QpeMOraU4O6Au5EDLlJTtDwp43nz%2FK5tqLXzJpfqCvDEnQOghFLah5YCBj8qdFtGrKfHbvyMGL70BlhpaZsmAn3Jgu6zNXCQGqz3c%2BkATkQ3XNm%2F8FiNTOFzO5TUxHqPE3NUMFglmxAJhEo" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 2266, "IPv4": 327, "domain": 178, "hostname": 372, "FileHash-MD5": 805, "FileHash-SHA1": 833, "URL": 812, "email": 2 }, "indicator_count": 5595, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "3 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a13d455f52a1c3acb3904b6", "name": "NOW BOARDING: DARK-ZERO Sheep Tracker * CAPE Sandbox", "description": "Modern threat intelligence requires moving from passive observation to active intervention. In the context of targeted tracking implants, defending civil rights means engineering systems that protect user autonomy against unauthorized data extraction. Architectural Protections:\n0-Trust Telemetry: Designing operating systems where the user owns the cryptographic root of trust.\nHardware-Enforced Isolation: Utilizing Secure Enclaves to process cryptographic keys outside the reach of a compromised kernel.\nExploit Mitigation: Implementing advanced PAC+ Memory Tagging Extensions (MTE) to stop zero-day memory corruption bugs. The holiday serves as a reminder for SOCs to uphold high ethical standards, ensuring defensive tools are never repurposed for unauthorized surveillance. Respect to all.", "modified": "2026-05-27T16:29:42.941000", "created": "2026-05-25T04:47:17.194000", "tags": [ "win32 exe", "mozilla firefox", "zip adobe", "photoshop cc", "rar adobe", "air sdk", "adobe air", "lassa2", "default", "shell folders", "inprocserver32", "parent pid", "full path", "command line", "cname", "folders", "file size", "mwdb", "accept", "shutdown", "ip address", "virustotal box", "apples sandbox", "sandbox sha256", "analysis date", "file", "operations", "process open", "write delete", "move time", "file type", "json", "ascii", "utf8", "sqlite version", "found", "pe file", "intel", "pe32", "ms windows", "installer", "defense evasion", "window", "title", "template", "next", "united", "performs dns", "grabber honest", "layer protocol", "attack network", "info processes", "extra info", "zenbox macos", "verdict", "guest system", "ascii text", "sigma", "creates", "t1055 process", "info dropped", "malicious", "p2404", "p11718783889", "p4de83ek69hqsh4", "p11718784848", "bazaar", "sha3384", "ssdeep", "checker", "themida", "guard", "property", "adobe device", "property name", "productname", "displayname", "destination", "root", "totalsize", "langpack", "swedish", "win32", "windows sandbox", "calls clear", "sha256", "sha1", "crc32", "size", "flash", "june", "drops pe", "crlf line", "sample", "persistence", "win64", "hook", "instructor", "kids goldadobe", "errstr", "cultureneutral", "license", "error", "code", "service", "vmprotect", "february", "back", "number", "mitre attack", "network info", "processes extra", "fri dec", "database", "initial access", "program", "overview", "overview zenbox", "ultimate file", "info file", "Nullworld", "value", "value lang", "buildinfo", "productinfo", "addremoveinfo", "displayversion", "screnshots", "United", "Swedishvpncarrierenrollment", "calls process", "writes", "png image", "rgba", "guloader", "fraud", "phishing", "install", "pdapp", "urihandler", "us tcp", "product install", "gamma", "updater", "Now boarding", "DarkZero", "Sheep Tracker" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/036d1a174e3ef9a15c8075248958c4f36d8817573ef3f6f12c62850976b32737_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779681399&Signature=o4EIDa%2Bu5q7UzJoKBZ3SHIdTRWKGT7HIZyLxFZSLdRJV2Ng655y2X8OLnU2siFeopgWPI6Gd8nE9F9LFBFgwM%2F0ZN0FWsDls8m78y46TmhjHhykfch6G%2Buw3LPxmfbz999yBfELXQDUCNWIiGUPv%2B23aUdHnc0c5jI4Mvlz2HGA%2BHlIMjc1w1S%2BWm%2FI6ftHJdyIAh0SqMbPXqAy%2BIonExlGkoEmMBCJl3r3pfMcYzy4ai0", "https://vtbehaviour.commondatastorage.googleapis.com/05eff75186e681b14135ce2945d124664260e5a88e0d14f138050d622d82745a_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779681421&Signature=oUYsIo6y2ldihmETch4oPYw5nb4sHZhKRik2zGuv2h9rqu30GcV1xZHlIO9ttFa625EXOlrrILZtAhfM%2FamkTDjXZUTqn2%2BTKmgnxqOOfJU6KrJHPLE9Do7l7MEaPxX4cs8z8tWd0%2FY8sBv8sjGAIdWrT5OPv202LNN%2FiVe6mEIUMkmNr%2BG1S3Pgs6LRTjo%2BgqhEcNXT0MFUgs3I2e4AQ0TQ4FOs%2BVRY", "https://vtbehaviour.commondatastorage.googleapis.com/036d1a174e3ef9a15c8075248958c4f36d8817573ef3f6f12c62850976b32737_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779681469&Signature=VGjB%2F%2BCQwDtsenSFWX7YNKbe9s%2Fgcpg%2FotVlxRZ6FXuE9VXITP76QQq6L2vlSM7pfQHSnBv%2BUdwMtN3QhCxjF7Zv2PV%2FkWLnwwA3hJciWMAKiLSeKTanNshzLWnmBjN04FASFwNf6kAq4PcunHkHh2PSOGl03eem41DHA6YOIRAjI1C6hAdDvKoAqJJXuGKM%2F5Z5vzfeTaXNgCRutOhVDB4%2FcAcV9zZaRcX9Ii0IFRAZo%2Bzk7rvI", "https://vtbehaviour.commondatastorage.googleapis.com/05eff75186e681b14135ce2945d124664260e5a88e0d14f138050d622d82745a_Zenbox%20macOS.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779681490&Signature=bIUDLY2jLaPa0t0OyOiuRlKjk8VM9IFdVTwzJhuTKfuV%2BhwtwcYghSy4186P0qsGEebShI2xNNVBPSd3uQdeXMuYRDJWcyo18c12pLwgcLgaBot06%2Bfys%2BlGp%2FV%2FSCDBvdo3iLaAOesoSo8vbCLNsWAzGM5sztLl%2Beyq9%2F1oSuAvU692EiARhcufOCMFqXCn6MNuSp18gSQwkFRBadsMvHSjfHW645FvLUfiP5Egu1WuMVP2", "https://vtbehaviour.commondatastorage.googleapis.com/05eff75186e681b14135ce2945d124664260e5a88e0d14f138050d622d82745a_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779681535&Signature=K%2BM%2FPuLQI5kqDYLWjQMD%2BgPbchxwp2sWPPUtfDZYFn5H9w%2BqFPRxh7iZqH4FOPAnwlC0%2BN5TKTqrEuhABL3gWMqHySyweiNPNkJ1MlX29xZdE482pqQSn8rzkPs7CZD63ts4ZRPrK%2Bl06RV13mZf4TUzAD9Sx0m6%2FWhetQETuu6StpVmyzhie%2Fn%2FUdsdFN0SW%2BtLpQE74IVNfszCgKVhF9oNeBiifytanSbIG0SnLff9sXffjS", "https://vtbehaviour.commondatastorage.googleapis.com/087975d5f3c874a6fe9cbfe9d7ee77fb0af138e3c36a6f75e3d000699afc571d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779681569&Signature=C286Cg30s1QDg1lkY0jtTLfia8Fs4B%2FdqNMfidFUYXpd2si4N25G7RBqy8LODkWqBQca8rpYyZ7FIYHuRDc0wBLk%2B1rPiEXJckZIdmkyhDkFJ2jrxfNV135BZTTeF6DkLrRfWPgnxciVK%2FJrkueYnjlYhYW08OZkTu9plzgmfR2IocW5ENVaqHbcPAdm2QDCC6VVrNQp%2FP%2FjV6%2Fkm37tinRyXhg1vKSf0TVFMzL1jpYkiS5PIc", "https://vtbehaviour.commondatastorage.googleapis.com/07f5960476ab34754f3e04143caf2d4899cb09e6b271bfd27ef1f1c8977ca050_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779681591&Signature=uoP10og17YxXUe0yZ8kll3N15RJJ%2Bf5pJFzW0MUe4fdvXaLlcOfCxs%2B6EyW23FSqTj%2FbNedtUC6z7Y0dgMPBtJC%2F9gOhXEZj5%2BKKwnQbCBe7GuFtEsVMMkQRdiDQxJYZipAId1MwoBChhx%2BSr%2FrboVkDq%2F%2FbNLvWS6keRMn4fa8GX%2BF0lIJepJ98sjwXs48DXBch8974olbyd38VGGp1bLMl7mycstrQ2hIy2MFXWD", "https://vtbehaviour.commondatastorage.googleapis.com/0da371854ec2c04bbee9680dbdabb67a4e4a84add40e5e1877425790f2dfef02_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682005&Signature=SyLSFT5xdlAZ5lwNyaeDpqsMTuwGywWruel4fBOIdsyiZ%2FvtOZYr7f%2B%2BIuBmqFMAwMI4L7kB6jRtv8mVn8lmU5MUJBAG6GJdVsEp2SoexU5Yl2kTksey03ZsjBloxlJqDzf8PULDlwjfD1Ydv%2B5QFPoY3%2Fk8TKMlmmpTIw7%2FYcR24%2FHYHw78XVF2cV%2Bnb3GoDaHw%2FnpxLrDwgfZP9dWvP8V264o5l2dDfxQtF0", "https://vtbehaviour.commondatastorage.googleapis.com/17c1908439bc7132f6a7c496c68d39b0c0cee504fe9020c920a2d1d04685fb5b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682086&Signature=yzXoWEcsMl9wlTGgMQfBKEZWwnDzmua%2FR2suwDMBSqPLhunpHELcj0SzY3czM%2F9HQG9QuvYzhQRVUxR1iDaFz1BQ4YHkXJih3zm%2BcNlDcfXsOZzyYzWUhaPsbSti%2FWbFoL4E14bnS7tIuG9s9R96LkGyGpWIsT%2BPeCNhsCzD7vFRU0cPMr6vNblu%2BBiO3Ki99QSrkF4hzBxkQ7DFgba3qi7kOfal%2F2K8hC1ikcZntmn5IESW", "https://vtbehaviour.commondatastorage.googleapis.com/17c1908439bc7132f6a7c496c68d39b0c0cee504fe9020c920a2d1d04685fb5b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682105&Signature=DkIw2nRg0%2BHKmd2TpyMzcgrB%2F4s6sIVIpOEEVMqz3Csoj6PPmSGNer%2Bt5X5oYKPZQgJETAHcCRs0mh3Lfa85XEPdYk6PjMimJmKQdBstqdULgs6q7wyZEjHDhQn41ri7eQ16g7pAo9ojfhLUNp4uW2xuYvdBwYhYBsZP3EO1BKz2f3dYxSg%2Bgsn2AnC2%2BDRTIX0Xxd%2Bt44%2BkXfiY32mvDHDNDCcuT5ZDFNrHwDp3HKuuJYy7lRHm8AlK", "https://vtbehaviour.commondatastorage.googleapis.com/1f1db73659fa2fe7a944d20bb4e9a867513a50ee9b51be89dfec30c73f6ed622_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682177&Signature=yjgeq7TPzf6M6Pn8mPFgBmhHQbfgGlaadZNsSsDUKq0Da4%2Bb25WhNl6nDIyUDmRBtABod6Itj2EUlbe%2B4U0QYLuJR00aQqsO%2F9pXU4AWeIFUEZhCrwgZ5WuNPpYbdVbOYcVX6oyDXpSjv1QEGmJ1NVVr%2F1esshl3tugyHxp6LFYa9%2BQeoiqsBikKLglNB52vsap%2BkwVPKyXg%2FjduMqTQd%2FhNMM41261XiBOTtUqjpzIm67", "https://vtbehaviour.commondatastorage.googleapis.com/492dc39e7752dccfd15f588054991277e6548b794b28a03f42b9cee132eebd2e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682206&Signature=iCbR7BcpXhfqHIoxTRE%2BvhCqRoHYALCXll0hXveh8IQOJPjxw%2BlLNas6nIvp035t6sdMg9KdOY751XfThil%2FE2mLrvir%2FwKjheK2382r5bhEQFEsa6etlla3TDjlvttEFZDUN7SSLpGao8u7uVNwrPRb0BuwYDemKKVJK6DACPbUZEHk3DZ%2Bi8SxXIdELiXG%2Bozy7oC8Dcj0HqHGYuliXpjT1mV7OsCjFXvmjZPcFH06EzZS5L", "https://vtbehaviour.commondatastorage.googleapis.com/17c1908439bc7132f6a7c496c68d39b0c0cee504fe9020c920a2d1d04685fb5b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682251&Signature=z6Lrdrr5u6YZdzJaR%2B2Qab%2F%2FVA6%2FL6JaNA4%2BVxLe9wEjL%2B2ARzGBhQdq6RTX5ez3SDTWWmc%2BrOypKxxCsLeXUbjYRoIgcsSzYIxWQWoEl35tFARLVKf%2FVf%2B696U6PYQ%2F1BNWxSfuNOeUVNK2pIiMYCUjLnikvUyj9Ip3MrgKOaV9v9SShCLay93Y7b3GbAUZ2Jzy18PEYf%2FLuk4fDrqITmP2upsysOJq1MhZcJ%2", "https://vtbehaviour.commondatastorage.googleapis.com/105f31af20fdb87d442f81aad0c3a54030b7e214c4796cf2a069bae6aa89dc65_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682395&Signature=oVg82i1yTG%2BGfhoL5FyBdK%2BZKa6wi2iWMpwHyA77jBFtAOZxw%2Bs6z6So26GWDthH7UMEzwZwQC6ENF1TLBEqXukldXMdMg%2FvNylvy7vCdDKDsw53Ibc7vKnu5T0lNumnv%2FD5vnV14QZrzAE8PG3J0S0rtheY8mNCkM6t1w52XYYm5mfnGJXsnjyMEvgURuPhzOIq9%2B%2FG7XUWFK0vK%2BlzKmZU627%2FKYkT9EWHOI8Nyx%2FJUqad%2", "https://vtbehaviour.commondatastorage.googleapis.com/002150c786ae1e04ab2981bf5593d926987b60b9ac699f431ed4568084dd854b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682457&Signature=eWipoH1g7AQ8zq2pd%2BpyAKrKscAY%2FebCATbHE%2FMwdvIfIy%2F4i3OFy%2FKlfaNCXDLDU0OM6JaEF73FAqGhLEb8ZcxTuEfMeU%2F6WxjpgS2SqLZ0xOjAPgPWOOor3uCcdIEZRCcpJe%2BAzPY8jEZJ0aIf49RU85lkIx9yCiXcFnee1pNHHBFwpsBK4FNuTB%2FyDe61M5Htw4fjlf43GTnXFxj0%2Fjc%2Fe32Q7EpVkuSc0I%2F3zTrY0UkC", "https://vtbehaviour.commondatastorage.googleapis.com/492dc39e7752dccfd15f588054991277e6548b794b28a03f42b9cee132eebd2e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682486&Signature=ucigAmI%2BTWYWnZuZjQb7cvSnhC1f6r93NM1kh5fCHjjcUodx6ltePV2QSdyXCnhrdH8ODLugh37CFZxsAmtiMMefuyuh6T8mtuxe7znGqLiJre5YFfSQLkzmz0Ksqekcg0sp1bUaKykXguy%2BKwv6Tg12CIM7xzaDB%2BGcjw6KkBLiD0A1sB6Z9gk9np%2FNtUBHdW7E0eBfvTWOK8F99R1lQdmQab2Vha55GLH6JRBksZ7AbBEdVS8DMtkaZCS9sV", "https://vtbehaviour.commondatastorage.googleapis.com/049c8db974d1830f931d605f6918184d8928c46c74f4152dfde3dc7bdffbf5d5_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779682585&Signature=z2IzO8oruo5%2BmP%2BuhsnAbNLmy7QRAemblZDUm1KEgUCliIqrtWVkruuMg2tcIokmH12yIvRumIVlk5OcGjVxI%2Bb%2B3Va9LgSnD%2Bwjbe5pAs%2BDuUGTY52XSe7V9xdcRN38UeNFYy2jTLa2KYspIZ0NzHMsL0BzU5pqOWw0bAShHYc9sNx0S7a%2BSD7PiY%2BDR%2Br%2BQll9wUT%2B4EjhHrYYmmdRCa6vbIyTLcHmdw4JzmHHsLy%2Bjf", "https://vtbehaviour.commondatastorage.googleapis.com/27086c4185aa32bbc6674267b947e3f6610554188ac694ce2dbc1191a9525339_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779683188&Signature=o0pfi%2Bqzc6KRiLra5kzATI2ROhjWVPHqZ7tOokv%2B9i4HwxX3m%2BpcqtYKMIFJMVk1qNFDyYwnCDfkeiva50iZyrha2F3bacitBdmnSwCEQE5xMG73RGPjQAvPps3tKMm1MDH8Rzpy65y9bdKpTSCL9%2Bt2xAk4%2BXx13XPz2GlU%2BG8Q%2FSPkCW96%2BX6c5xzWpIH%2FlXn7%2Bgl2G9QMGbrbnwD%2FfR58%2FrXIeIEJ%2F9%2BNt2W3Fr", "https://vtbehaviour.commondatastorage.googleapis.com/2c7002510767deb9bbb0d2ee2d47be98828bf5b6e999d6cd882b1c1a1c908510_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779683299&Signature=RMRBhdx9cTLEwBYgOaiBV4x03W8laZvNMUtTq68ykLCh0R5toTaD64MdSiBhgsNAZLaS8z9dPsGmVcfMC8U5sPrXXLzAt9CBPoJjT2jV40HyYrW58xs3wjf65936U00bQy9DGFrlU7xInrhEocKiXuD17i5A%2F7tdPgx74I6xY906Ua8hyOe3f5zVmaxE6zpNAonyZtoHtHmnuDLG71DTPwYyiKcGPff7glIXoNalw4ST3jQr3Ma%2Fv1Q3De", "https://vtbehaviour.commondatastorage.googleapis.com/2c98a3b3752939b7c2db76682607e3918dee0edd81998279cb4528cc6c67f715_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779683469&Signature=oE7hEU%2FccffwWPye7wmTWT154zCmhX2wBLLWErX6yptBjSn9YXSMLMohlpsjw%2BxO5VxqobuYkMh302JzsMTg4fXVD76S9F6aOL1vRPwZx8fTGOeMoKRTMO7B0xwvo2HQCra8ds7NMqXBpbNxN%2Bi7Ez6ZOyX%2FQUyixg1Ya1G7%2FkF8sEaT8z%2B4QHLhghEUdy4%2FMYbGVFzAKhSDW9Yg%2BcPfxQLt%2BViZ", "https://vtbehaviour.commondatastorage.googleapis.com/5f87d5cb5921df99f335e1a8f044db15187f88aea04ecc073b310a4b9649a5e1_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779683851&Signature=oDNiEuOved3Q5at8LARyePhpQE3%2FjmEYRIWg4Vzp0yzifSrnwMGaujbhYJWqc8BadzAh1AhmrfOaNLGJfe8IO2Izje4ofsfex0DAAfgHm5l1vDeQWFDfgypa9%2F8sHOOgBiUlbdSDYrVdZ2Z9f8MGr8OaswhQwykG5mL3UcUwRD4heOIda%2FFZGhfCLn%2B7ksTMcuD2%2BjT%2F7IuP8kYOTQ0ZqwnDZGNQwopAFpNNouIAx0LKAjPDIO", "https://vtbehaviour.commondatastorage.googleapis.com/5f9b9db4e9200b4576d6e8bc2888d6e7ab28a04e66083366bcde57915eed5078_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779683897&Signature=A1uHov9N8mIMBn6lVPETST7i%2F%2F3lKCkTSifHpWYQ8lqnGw3%2FwBD1QhGr1tH%2BYzg4xJYZR1vHPxcGC2biWNZtPF89Sx8FKf%2F18O4PHYJb1n7YfdP24JbV%2BkekQpomFKe66pKsf0gWQQx1zTJDWvam9HuvVTyCV9h22TLG%2FmBDvK4SftnNssRv0EkzKP9dNqTfjJdMh0Y0rIEyQdNLLo%2BLsWQbrx2yxJo6kZD%2FJC", "https://vtbehaviour.commondatastorage.googleapis.com/727dc58bb6aaf24fd82f54a11560f26e38ee0ca6bb823ea70bad33fd7c9378ef_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779683965&Signature=tYhGClprbVOZuxQF%2F%2BLWEx6LfO%2Fz4pigFaLvSPYRY%2Fqg92dL8%2BWlaAyT%2FJueBiXJFPkqBYoXk0DmZNj2UfqQiv4Jy9bhRG562tGCoadI7qFVHMBOyAmGj0uMVS%2FoyY00p8UkiUah%2BiG2lZaGt6eVnE1yrGqEIpnAnUxdyxti%2BDm0vFgP5Ust7yR%2F1SAtswsFyfntj2GSgBc5z1NbueSA2uSfZsxWtxmYAm9dk%2FrUPQ47Nb5Q", "https://vtbehaviour.commondatastorage.googleapis.com/7111bb197f77eecf518b22f7a6f269647abc17eda4aaed9ba50212462b9848ed_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779684045&Signature=g5SPZe7A95%2FqyMCV3ihh6MGTnXRMjhKIGP6dBCJ3OB%2FCOBrSRTz%2BpnCcdIwsJk%2Fc74E6s1DRbKJn3SszGoP7h%2FNJwXl3BIBK6KeI0zYJeOibOT%2BeU9CnCcwY%2F3bx99X3LvHRwg0Fkdg%2BJoRI620jziRVAW%2FiC1wpzeMqmJNUOHn4NsTYiMD7H8cuBnRzAZQvK2lRO5asaddU11mHkkQ963f3YOOv", "https://vtbehaviour.commondatastorage.googleapis.com/8b10c7238761ba1c98b713c673c452437c4a56794ff0e3d657cff148056c9cf1_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779684153&Signature=MfmLhMZdg4gtuEoE1eB%2FroqyUo2QXTJ8L6oAmpYIvTmU8BmwS6hwF0opRe4GV3ox8yxCzd2O9fsm4T7dwrkSk8fJBlqrPHibaMNPNs4QpeMOraU4O6Au5EDLlJTtDwp43nz%2FK5tqLXzJpfqCvDEnQOghFLah5YCBj8qdFtGrKfHbvyMGL70BlhpaZsmAn3Jgu6zNXCQGqz3c%2BkATkQ3XNm%2F8FiNTOFzO5TUxHqPE3NUMFglmxAJhEo" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1569", "name": "System Services", "display_name": "T1569 - System Services" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 2266, "IPv4": 327, "domain": 178, "hostname": 382, "FileHash-MD5": 805, "FileHash-SHA1": 833, "URL": 816, "email": 2 }, "indicator_count": 5609, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "3 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a13c3532971d5af060e0b77", "name": "Adob|eAIR * CAPE Sandbox", "description": "IP- 199.232.210.172\n199.232.214.172\n\nDNS- bg.microsoft.map.fastly.net\nNo cert data.\n\nDrops: \nZenbox -bg.microsoft.map.fastly.net active reputation: high\t199.232.210.172\t\nIP Info (1)\n\nIP\tCountry\n192.168.122.1\tunknown\nDropped Info\nNon malicious dropped files (156) \nProcesses Extra Info\nOther Drops- VT: 57\n29 mitre-25 OTHER 1 PE_EXE 1 TEXT 1 SWF 1 MSI 1 JAVASCRIPT\nNetwork comms\n1 DNS 2 JA3. rec: review version for safety, recall certs expired. Unsubscribe from tracking [if able] as it has shown to be a watering hole of cryptographic non integrity [not suggestive here, but the potential exists]", "modified": "2026-05-26T11:49:30.571000", "created": "2026-05-25T03:34:43.204000", "tags": [ "default", "shell folders", "inprocserver32", "parent pid", "full path", "command line", "cname", "folders", "file size", "mwdb", "accept", "shutdown", "file type", "json", "ascii", "utf8", "sqlite version", "found", "pe file", "intel", "pe32", "ms windows", "installer", "defense evasion", "window", "title", "template", "next", "ascii text", "Adobe AIR", "bg.microsoft.map.fastly.net", "No certificate data", "Remoted" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/036d1a174e3ef9a15c8075248958c4f36d8817573ef3f6f12c62850976b32737_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779679450&Signature=Xsh6GXCTvOkupXYUUQGiHNgx%2FWmCftYcZVdWxsZHvLRN%2FB6NnyiBI7GU7MIIp%2BWK9bAgMazFDSG%2BuFE5DhyKycaRjrO%2FvO8BdtjfsiNwq%2FOCo%2B0zhhNqe%2BONe79ktGFAo08vKEnOCs5jHG7AxZH07bzAUjvvdK9iUvMsNsmiCWU05%2Bgn1KMjU2Tk9%2Brbbwy0HgEMK4jBH8u8hHNsV1FFHVLWckRu%2FQ7QM19y6kEq", "https://vtbehaviour.commondatastorage.googleapis.com/036d1a174e3ef9a15c8075248958c4f36d8817573ef3f6f12c62850976b32737_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779679610&Signature=CFTzWPXcfKua6uilDSrmKC177u7eSQdDxWa1Sqd5eaP1s%2B4xUAW73v1uovAfukRKPolFfRM1MxR%2F%2FRuE0RYh91RlLjNLYqJFXkGVCvuSzn9TzvGRPP2H6ngGcA%2B2XK4mvcVZOXLPMF1EcYDmbC9CTZyaqkUF3bun9LQv9j%2BQ9cz1xsNyGkCjrF2OVvBfR%2FBsE4fxBcBPSMret5BpGFOf4fn3jbrsEmDvet4tyz2SkZJeKhZL7dlOERabun", "bg.microsoft.map.fastly.net", "199.232.210.172 199.232.214.172" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 26, "FileHash-SHA1": 24, "FileHash-SHA256": 111, "IPv4": 24, "hostname": 84, "domain": 7, "URI": 1, "URL": 97 }, "indicator_count": 374, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "5 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a13c33839fd2deaaf00ca73", "name": "Adob|eAIR * CAPE Sandbox", "description": "IP- 199.232.210.172\n199.232.214.172\n\nDNS- bg.microsoft.map.fastly.net\nNo cert data.\n\nDrops: \nZenbox -bg.microsoft.map.fastly.net active reputation: high\t199.232.210.172\t\nIP Info (1)\n\nIP\tCountry\n192.168.122.1\tunknown\nDropped Info\nNon malicious dropped files (156) \nProcesses Extra Info\nOther Drops- VT: 57\n29 mitre-25 OTHER 1 PE_EXE 1 TEXT 1 SWF 1 MSI 1 JAVASCRIPT\nNetwork comms\n1 DNS 2 JA3. rec: review version for safety, recall certs expired. Unsubscribe from tracking [if able] as it has shown to be a watering hole of cryptographic non integrity [not suggestive here, but the potential exists]", "modified": "2026-05-26T11:49:29.775000", "created": "2026-05-25T03:34:16.186000", "tags": [ "default", "shell folders", "inprocserver32", "parent pid", "full path", "command line", "cname", "folders", "file size", "mwdb", "accept", "shutdown", "file type", "json", "ascii", "utf8", "sqlite version", "found", "pe file", "intel", "pe32", "ms windows", "installer", "defense evasion", "window", "title", "template", "next", "ascii text", "Adobe AIR", "bg.microsoft.map.fastly.net", "No certificate data", "Remoted" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/036d1a174e3ef9a15c8075248958c4f36d8817573ef3f6f12c62850976b32737_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779679450&Signature=Xsh6GXCTvOkupXYUUQGiHNgx%2FWmCftYcZVdWxsZHvLRN%2FB6NnyiBI7GU7MIIp%2BWK9bAgMazFDSG%2BuFE5DhyKycaRjrO%2FvO8BdtjfsiNwq%2FOCo%2B0zhhNqe%2BONe79ktGFAo08vKEnOCs5jHG7AxZH07bzAUjvvdK9iUvMsNsmiCWU05%2Bgn1KMjU2Tk9%2Brbbwy0HgEMK4jBH8u8hHNsV1FFHVLWckRu%2FQ7QM19y6kEq", "https://vtbehaviour.commondatastorage.googleapis.com/036d1a174e3ef9a15c8075248958c4f36d8817573ef3f6f12c62850976b32737_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779679610&Signature=CFTzWPXcfKua6uilDSrmKC177u7eSQdDxWa1Sqd5eaP1s%2B4xUAW73v1uovAfukRKPolFfRM1MxR%2F%2FRuE0RYh91RlLjNLYqJFXkGVCvuSzn9TzvGRPP2H6ngGcA%2B2XK4mvcVZOXLPMF1EcYDmbC9CTZyaqkUF3bun9LQv9j%2BQ9cz1xsNyGkCjrF2OVvBfR%2FBsE4fxBcBPSMret5BpGFOf4fn3jbrsEmDvet4tyz2SkZJeKhZL7dlOERabun", "bg.microsoft.map.fastly.net", "199.232.210.172 199.232.214.172" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 26, "FileHash-SHA1": 24, "FileHash-SHA256": 111, "IPv4": 26, "hostname": 84, "domain": 7, "URI": 1, "URL": 97 }, "indicator_count": 376, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "5 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a126fcffc60a71dfab01f24", "name": "credit scoreblue - clone of another researchers post [Google Spy engine | Tracking, Malware Repository CREATED 2 YEARS AGO MODIFIED 2 YEARS AGO by scoreblue] + added 10 iocs", "description": "", "modified": "2026-05-24T03:32:22.109000", "created": "2026-05-24T03:26:07.144000", "tags": [ "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers", "expired", "acceptencoding", "html info", "title home", "tags viewport", "trackers google", "tag manager", "gsddf3d2bzf", "historical ssl", "referrer", "december", "formbook", "round", "apple ios", "tsara brashears", "unlocker", "collection", "vt graph", "socgholish", "blister", "hacktool", "hiddentear", "gootloader", "agent tesla", "crypto", "installer", "life", "malware", "open", "korplug", "tofsee", "date", "name servers", "status", "passive dns", "urls", "scan endpoints", "all scoreblue", "pulse submit", "url analysis", "files", "no data", "tag count", "analyzer threat", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "heur", "cisco umbrella", "alexa top", "million", "site", "alexa", "maltiverse", "xcnfe", "safe site", "phishing", "remcos", "malicious", "miner", "bank", "agenttesla", "agent", "unknown", "downloader", "unsafe", "trojan", "detplock", "artemis", "networm", "win64", "redline stealer", "limerat", "venom rat", "trojanspy", "tld count", "png image", "jpeg image", "rgba", "exif standard", "tiff image", "pattern match", "ascii text", "united", "jfif", "sha1", "core", "general", "starfield", "hybrid", "local", "encrypt", "click", "strings", "adobea", "daga", "as30148 sucuri", "td tr", "search", "span td", "as44273 host", "creation date", "a domains", "xtra", "meta", "back", "verdict", "domain", "aaaa", "as15169 google", "asnone united", "nxdomain", "sucuri security", "a li", "span", "class", "body", "sucuri website", "a div", "authority", "record value", "showing", "gmt content", "x sucuri", "high", "related pulses", "show", "guard", "entries", "win32", "west domains", "next", "ipv4", "asnone germany", "object", "com cnt", "dem fin", "gov int", "nav onl", "phy pre", "formbook cnc", "checkin", "found", "error", "code", "create c", "read c", "delete", "write", "default", "dock", "execution", "copy", "xport", "firewall", "body doctype", "section", "dcrat", "analyzer paste", "iocs", "hostnames", "url https", "blacklist", "cl0p ransomware", "zbot", "malware site", "team memscan", "cl0p", "algorithm", "data", "v3 serial", "number", "cus starizona", "cngo daddy", "g2 validity", "subject public", "key info", "certificate", "whois lookup", "netrange", "nethandle", "net192", "net1920000", "as174", "as3257", "sucuri", "sucur2", "verisign", "whois database", "server", "registrar abuse", "icann whois", "whois status", "registrar iana", "form", "temple", "first", "android", "win32 exe", "html", "bobby fischer", "office open", "detections type", "name", "pdf dealer", "price list", "pdf my", "crime", "taiwan unknown", "as3462", "as131148 bank", "as21342", "all search", "otx scoreblue", "pulse pulses", "cname", "as22612", "as43350 nforce", "win32upatre jun", "expiration date", "hostname", "lowfi", "date hash", "avast avg", "date checked", "url hostname", "server response", "google safe", "results jun", "files show", "registrar", "china unknown", "title", "network", "fakedout threat", "urls http", "maltiverse safe", "malicious url", "team", "phishtank", "services", "botnet command", "control server", "mining", "betabot", "team malware", "engineering", "stealer", "service", "vawtrak", "virut", "emotet", "simda", "redline", "fri oct", "media sharing", "known infection source", "bot networks", "malware", "malware repository", "spyware" ], "references": [ "https://www.searchw3.com/ = google.analytics.com, google.com, google.net, adservice.google.com.uy,https://plus.google.com/", "ns1.google.com, nussbaumlaw-ca.webpkgcache.com, plus.google.com, tddctx-com.webpkgcache.com,", "Ransomware: message.htm.com | nr-data.net [Apple Private Data Collection]", "https://otx.alienvault.com/indicator/file/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b", "Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk uses_windows_utilities", "Alerts: cmdline_http_link clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint", "Alerts: anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self", "Alerts: stealth_window cmdline_http_link uses_windows_utilities suspicious_command_tools dead_connect", "IP\u2019s Contacted: 192.124.249.187", "Possible Fake AV Checkin Kazy/Kryptor/Cycbot Trojan Checkin BetterInstaller Win32.AdWare.iBryte.C Install Dooptroop CnC Beacon Win32/DownloadAssistant.A PUP CnC Win32.Sality-GR Checkin Win32/FlyStudio Activity W32/InstallRex.Adware Initial CnC Beacon PUP Win32/DownloadAssistant.A Checkin", "Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities", "Alerts: enumerates_physical_drives clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile", "Alerts: clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities", "www.google.com/images/branding/googlelogo/1x/googlelogo, https://www.google.com/recaptcha/api.js?onload=recaptchaCallback&render=explicit&hl=", "www.google.com/images/branding/googlelogo/2x/googlelogo, www.google.com/images/errors/robot.png, www.google.com, www.google.com/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Cl0p", "display_name": "Cl0p", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" } ], "industries": [], "TLP": "green", "cloned_from": "6688e0ffb31d4881f3238713", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 4130, "URL": 11958, "hostname": 4644, "domain": 4304, "FileHash-MD5": 2256, "FileHash-SHA1": 1161, "CVE": 8, "SSLCertFingerprint": 20, "email": 8, "CIDR": 1, "IPv6": 4, "IPv4": 6 }, "indicator_count": 28500, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "7 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a126fcc3620af2edeb95e57", "name": "credit scoreblue - clone of another researchers post [Google Spy engine | Tracking, Malware Repository CREATED 2 YEARS AGO MODIFIED 2 YEARS AGO by scoreblue] + added 10 iocs", "description": "", "modified": "2026-05-24T03:26:04.439000", "created": "2026-05-24T03:26:04.439000", "tags": [ "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers", "expired", "acceptencoding", "html info", "title home", "tags viewport", "trackers google", "tag manager", "gsddf3d2bzf", "historical ssl", "referrer", "december", "formbook", "round", "apple ios", "tsara brashears", "unlocker", "collection", "vt graph", "socgholish", "blister", "hacktool", "hiddentear", "gootloader", "agent tesla", "crypto", "installer", "life", "malware", "open", "korplug", "tofsee", "date", "name servers", "status", "passive dns", "urls", "scan endpoints", "all scoreblue", "pulse submit", "url analysis", "files", "no data", "tag count", "analyzer threat", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "heur", "cisco umbrella", "alexa top", "million", "site", "alexa", "maltiverse", "xcnfe", "safe site", "phishing", "remcos", "malicious", "miner", "bank", "agenttesla", "agent", "unknown", "downloader", "unsafe", "trojan", "detplock", "artemis", "networm", "win64", "redline stealer", "limerat", "venom rat", "trojanspy", "tld count", "png image", "jpeg image", "rgba", "exif standard", "tiff image", "pattern match", "ascii text", "united", "jfif", "sha1", "core", "general", "starfield", "hybrid", "local", "encrypt", "click", "strings", "adobea", "daga", "as30148 sucuri", "td tr", "search", "span td", "as44273 host", "creation date", "a domains", "xtra", "meta", "back", "verdict", "domain", "aaaa", "as15169 google", "asnone united", "nxdomain", "sucuri security", "a li", "span", "class", "body", "sucuri website", "a div", "authority", "record value", "showing", "gmt content", "x sucuri", "high", "related pulses", "show", "guard", "entries", "win32", "west domains", "next", "ipv4", "asnone germany", "object", "com cnt", "dem fin", "gov int", "nav onl", "phy pre", "formbook cnc", "checkin", "found", "error", "code", "create c", "read c", "delete", "write", "default", "dock", "execution", "copy", "xport", "firewall", "body doctype", "section", "dcrat", "analyzer paste", "iocs", "hostnames", "url https", "blacklist", "cl0p ransomware", "zbot", "malware site", "team memscan", "cl0p", "algorithm", "data", "v3 serial", "number", "cus starizona", "cngo daddy", "g2 validity", "subject public", "key info", "certificate", "whois lookup", "netrange", "nethandle", "net192", "net1920000", "as174", "as3257", "sucuri", "sucur2", "verisign", "whois database", "server", "registrar abuse", "icann whois", "whois status", "registrar iana", "form", "temple", "first", "android", "win32 exe", "html", "bobby fischer", "office open", "detections type", "name", "pdf dealer", "price list", "pdf my", "crime", "taiwan unknown", "as3462", "as131148 bank", "as21342", "all search", "otx scoreblue", "pulse pulses", "cname", "as22612", "as43350 nforce", "win32upatre jun", "expiration date", "hostname", "lowfi", "date hash", "avast avg", "date checked", "url hostname", "server response", "google safe", "results jun", "files show", "registrar", "china unknown", "title", "network", "fakedout threat", "urls http", "maltiverse safe", "malicious url", "team", "phishtank", "services", "botnet command", "control server", "mining", "betabot", "team malware", "engineering", "stealer", "service", "vawtrak", "virut", "emotet", "simda", "redline", "fri oct", "media sharing", "known infection source", "bot networks", "malware", "malware repository", "spyware" ], "references": [ "https://www.searchw3.com/ = google.analytics.com, google.com, google.net, adservice.google.com.uy,https://plus.google.com/", "ns1.google.com, nussbaumlaw-ca.webpkgcache.com, plus.google.com, tddctx-com.webpkgcache.com,", "Ransomware: message.htm.com | nr-data.net [Apple Private Data Collection]", "https://otx.alienvault.com/indicator/file/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b", "Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk uses_windows_utilities", "Alerts: cmdline_http_link clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint", "Alerts: anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self", "Alerts: stealth_window cmdline_http_link uses_windows_utilities suspicious_command_tools dead_connect", "IP\u2019s Contacted: 192.124.249.187", "Possible Fake AV Checkin Kazy/Kryptor/Cycbot Trojan Checkin BetterInstaller Win32.AdWare.iBryte.C Install Dooptroop CnC Beacon Win32/DownloadAssistant.A PUP CnC Win32.Sality-GR Checkin Win32/FlyStudio Activity W32/InstallRex.Adware Initial CnC Beacon PUP Win32/DownloadAssistant.A Checkin", "Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities", "Alerts: enumerates_physical_drives clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile", "Alerts: clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities", "www.google.com/images/branding/googlelogo/1x/googlelogo, https://www.google.com/recaptcha/api.js?onload=recaptchaCallback&render=explicit&hl=", "www.google.com/images/branding/googlelogo/2x/googlelogo, www.google.com/images/errors/robot.png, www.google.com, www.google.com/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Cl0p", "display_name": "Cl0p", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" } ], "industries": [], "TLP": "green", "cloned_from": "6688e0ffb31d4881f3238713", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 4080, "URL": 11952, "hostname": 4638, "domain": 4301, "FileHash-MD5": 2236, "FileHash-SHA1": 1140, "CVE": 8, "SSLCertFingerprint": 20, "email": 8, "CIDR": 1 }, "indicator_count": 28384, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "7 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a11810e7bc0d9d7652b4fcb", "name": "* ghostware * CAPE Sandbox", "description": "[Results of an analysis of a KVM operating system, conducted by the MIT Research Institute (MIT), are published on the web. \u00c2\u00a32.5m.com (\u20ac3.4m; $4.6m).] pretext. a deeper follow up on impression domain from the last post shared. this is some of the evasive 2019-2020 attached malware in a sandbox. this is not easy to track or flag. Lb, cape, zenbox, vt are exceptional at this. Interesting string: preload js notes, \"fired\". this sha indicator won't run a sandbox despite all the flags: [a57ac7b63c282739aa...] though it now appears revoked - attached the certs in any event. (1 exp2 valid) exp:cosmina beteringhe\nStatus\nCertificate out of its validity period\nIssuer\nApple Inc.\nValid From\n02:08 PM 04/02/2019\nValid To\n02:08 PM 04/02/2024\nAlgorithm\nsha256WithRSAEncryption\nThumbprint\nB60CA526B0B84F7FF9B9CACC70702C5C10985B2C\nSerial Number\n6D E1 8E C8 70 AC A3 3E team identity:HYC4353YBE", "modified": "2026-05-23T10:44:37.782000", "created": "2026-05-23T10:27:26.040000", "tags": [ "token", "instance id", "date", "request", "version", "start", "callback", "indicate", "send instance", "id token", "default", "cname", "accept", "shell folders", "folders", "gmt ifnonematch", "cape sandbox", "bootkit", "t1055", "t1542", "shutdown", "defense evasion", "filename", "userclass", "source", "adprovider", "pair", "count", "null", "newtab", "result", "chrome web", "file type", "file size", "sha1", "mwdb", "bazaar", "sha3384", "ssdeep", "virtual address", "adknowledge", "guard", "loads", "back", "typeof", "catch", "impression", "none", "xmlhttprequest", "signaturehz", "mitre attack", "network info", "sigma", "program", "overview", "processes extra", "overview zenbox", "verdict", "guest system", "ultimate file", "next", "has permission", "t1430 location", "zenbox android", "persistence", "issuer apple", "valid from", "valid", "serial number", "ac a3", "apple inc", "status valid", "thumbprint", "mac os", "x executable", "info file", "info", "a9 a8" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/37dcea337208645ad344413d9a8350033fe2264c91cc91a5a2bf50045d92a67c_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779530336&Signature=p6VwVgKhapyzo9Qdy2STgvqVBCILyIVDELmCCzKAI3VnzeLfXf8kMElRnqtXzyceHxnFobEu5%2Bzot74n2%2FKVdQLGgjSNmpbV1vxI4qIMW44TnqKJz7q%2Bzl9L2qPXk2Xd24irnPUYT4Z6b52nITm3rElixM%2FxW5B7cYrEPVdMEQQ3axn7fZMtVXkHyakt5UbZUnglSc97W7kjMO7OSb6qTfAhWNZuFLn0hPzN3JeCVc6eH2VaF8qrMW", "https://vtbehaviour.commondatastorage.googleapis.com/37dcea337208645ad344413d9a8350033fe2264c91cc91a5a2bf50045d92a67c_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779530360&Signature=IoNgUEkiuiM2X4a2ueL9rEQPSxM3pwV%2Fg9ppA8C%2BBjHNorpe2t8rUBwA%2BU0UhSwLHm3J9bx4il%2Buly8trboaDKTDgdTvpIFdsHRjkQYF%2F8P2ot8tg5AnQeLV9Q8ddUazck3uN2LTNyDFCh5HiWfU%2FJ4BytbiANmLC8gGyCjX%2FX5Y%2FkYYJwEtsw0W90i9lyhlbNX%2FbAor8c1%2FRyPwUh8klvuYGDxvlbeal0nSXVYLSy", "https://vtbehaviour.commondatastorage.googleapis.com/59bd2b3f9e4fbc79518a31738080bc4b9b35b42f6e5a3b5c3a306e0b9aae7f2c_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779530394&Signature=EFtQdaqkkeNu27kPO7Zob0bl261oVyzlQmNL5Z9HnrD%2FemHBUX4%2BsRO8wGhrK9e53idu5dP%2FqFvjC3fYYvXzyeKs6x0kO0IqPs5Pp6y422zCXP9gKR7xBfnQIQtmWDVaBb4znOzF35Jd76v4D1Y4btKPazPqsa2hq38U%2F2BTS2Fjqng%2BtZLtgjXCV7Qy1iJuoL4wZxus6aU6uyk4Gt4%2FwQOFSxhXM9Sg6EzneRhhFzAhHkOWzW", "https://vtbehaviour.commondatastorage.googleapis.com/8203df818e55602f58e12749c5f43ef382d5829c540953ef5acd613e9339bbfa_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779530419&Signature=UGGjvrHysNTHqCP%2F98o%2Bwr%2BBuUURMkCiQxj24hY6gaY6O3Jzu8n5c1DTGQyxmFDLTNd%2BVEq%2BLjiAQEKKja33wGAeycq9H84UiQaOgy5xch0rQRhWlH9BAU1XQopkUIfjd%2F%2FjszJyY9f5GeBUviWGN0fk%2Fjf%2Bu70ZC8sViEooYie0vbqyBBZF4n4kjfdDoEDUXKU9hjk4W9PIBcH1Y8tyFonohbjbq7%2BZwzERUsYwo2", "https://vtbehaviour.commondatastorage.googleapis.com/8203df818e55602f58e12749c5f43ef382d5829c540953ef5acd613e9339bbfa_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779530508&Signature=GssLnauiY160oyi8Jf10sDf4bL46z5UIfcX%2F1jMAIWwy97%2Fw9GjbHzS38wt5ybxoiMkSIsTN%2BYE7Vd7kc7zHkudP8K6D2g6bTFX%2B%2Bao4FK6e0OYbJXqb%2BPeNSgeqrHMrCeXIW1H8RCC5QXuEjkQrE4TPFja5Gc790vYMvsT5oAuxbnFAzjQM%2BTwMcjJ1k9dWR0Hoh694C2boFVdHy3LxQkv7vk6CSmjQcZ4bBbHmEMC%2FNd", "https://vtbehaviour.commondatastorage.googleapis.com/7f9899e42bccdd1d6479b573fb1bb9277b4bd42e8f6ef73c5456f606949e7cf5_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779530727&Signature=xFLQpUtdhw77th%2BADVS4Sl3y8VCEFYpShlfIJ6D6zJme%2BtY0lUlxv2N7hvxGbwSTYKBYQSyu735BqpgvSUc5e%2BC%2B9XseD6ERlB2kCJmvUPalqCOgZABMyb6mGaG5MMGgxP19UjM1qrUOxI2iJSjEQQ4LLmmkLf7%2B6XGhtqkIG4O2hZ5ABCrdbqytgJkuVl7VMDYelEnoYLLma9GDq1ytLfUObtoINW48v1xg1Mykxldjv6gV2DWr", "https://vtbehaviour.commondatastorage.googleapis.com/37dcea337208645ad344413d9a8350033fe2264c91cc91a5a2bf50045d92a67c_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779530784&Signature=CYyyJeKkeGqnH6T6m5Xruegrlkv2udvHSUC4MgjgnkaJP2%2BkZUvTfdoh5S5uXQZbk0By%2Bg1akNr3AALQqY%2B0SNoOJdW5fHCOavOpIuNkgM4efnxQQyuhR%2F6eccAejXvy0cFPKDUhdhvbItcx7lkgLwM3MhWL%2FzNneeST7yUf3g8Pad72u7BrItBCkJ23R2quBuKT3G22OMfreYhprgO398iL0htbNTBKh4csLc9QtPI%2FabWco3", "https://vtbehaviour.commondatastorage.googleapis.com/e068d8d9f9dae873ec78bd5a88df561893c18b1df6200a958a864c34d27e0a3d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779530824&Signature=oRifg%2BGsx5SCY%2B4rLdvAqryqS3Xlu3DCrHZifO%2Bh9YOQAM4528P%2Bi6LzgYdE0hyDe8HlrfIhswkzkUOf8K4%2FzdoebqTYkwrHmPiJeW4cetq5F2qEeUU7RVbiXVUvLGYwThftr3BuB%2FtW3u%2Fl9v9AyS38ZTrk3B%2BjdQI5OqLikCMwV9lO%2B3lOB05pg6dpqHO3ycZUK2sMy5MgMqqyj%2FY2HLFVTv4wp4ea8PF%2Fswj4", "https://vtbehaviour.commondatastorage.googleapis.com/1b153c384510546d105b067e8b1be208f0686914841758441e857d7ffb18fa72_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779531163&Signature=ymkpXNrWILdVetVt90LhjbwNPIy4I%2FXM%2B0jq5xPK4FE6N61CBJ0ZKsP%2FbvZXOM5lKJdG6ltKQtldTuXskK26NlEwbRlzn90t1KGmXS6%2FkK7pgbFTNlA9BWYrDLciKwIZJJeFn46IMGSClXk0BXzcveuQWp4G%2BnIJwwWw0EjgU6ONUydOZW4DhKFhmEvNGfqPrEd6apNA3C39kZP%2Bql4tWV7ma8oAP9cHc7RyoO%2Fw4zbcJKmP", "https://vtbehaviour.commondatastorage.googleapis.com/1b153c384510546d105b067e8b1be208f0686914841758441e857d7ffb18fa72_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779531236&Signature=hz%2BT6I69NdrwImMGk8kcXqNnwp7K7z5sLWg7P7JvUVEckT5yV9zVAooLzjLyQGgNBxh%2Bw35npaMota9ooiK%2Bd3BWFd%2Bzr%2BUm76cQbsuLV5NH2LWXQFw1YzoSEXeXl4wmdHCWX4%2BP9tulqXFWpRQ4oOvqHWV10QWM4ubzWdft4N%2FCy4fQ90Iubm%2F1ywQ%2FuG66nNIy6ArwArpf2Md9Wb2k%2BVSwvmrPJqDUAM868u1jznd8SeGkYX", "https://vtbehaviour.commondatastorage.googleapis.com/23671e33d82282324fc51576616dbb92814adc4d17eb7014dc4e2f891ea7f4ae_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779531342&Signature=MsuL%2B3SZcdwh8PtkojSZiAkej0M%2FX59YS9DllA%2BRLg6Z%2FV43R4XBkqKm%2BsQjDvTRdh%2BFRjO2rtuvYPHG%2By1RpurAOIjZEBs3F2ZYmv6mE62mgf4bDqgnUZS5myKTtlD%2BnuWRL7up%2B197%2F4VEXIqM8hxzhGDo7jmUeU0HERH%2FUnTThLnOjAWlGHNITZ7ffU0tKlYMKo%2BHqAkV9AerG5R%2FZdAh7nZidUf8wYpV", "https://vtbehaviour.commondatastorage.googleapis.com/79b0e5df7c5ebe1b2967a3d161ec0283531f20beb58cd8eb8e343f7ecbf0e142_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779531881&Signature=J%2FX46%2BkQxXt0avuUofAv2FrDA2NcHoY81F%2F%2FCOybzM72s9GqDbl34Hk6nMuCyVJ9cyKFYU4dKZ5PGnS5MZLN7tzYDYnGF6tmsCd56oCgYS4IN8%2Ffm7xi81ELi3QsBaKZaSKBYTcBzQZOzBgTX%2BjFL%2FH291KDNrb5QKNV0OYNHKzFrKXUZzUNPTZgDw2%2B2XVV4tQzxtRNdm0kQW19OOOv29%2FY0E9CK9qRsl4Nu2otAW" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1406", "name": "Obfuscated Files or Information", "display_name": "T1406 - Obfuscated Files or Information" }, { "id": "T1409", "name": "Access Stored Application Data", "display_name": "T1409 - Access Stored Application Data" }, { "id": "T1418", "name": "Application Discovery", "display_name": "T1418 - Application Discovery" }, { "id": "T1421", "name": "System Network Connections Discovery", "display_name": "T1421 - System Network Connections Discovery" }, { "id": "T1424", "name": "Process Discovery", "display_name": "T1424 - Process Discovery" }, { "id": "T1426", "name": "System Information Discovery", "display_name": "T1426 - System Information Discovery" }, { "id": "T1430", "name": "Location Tracking", "display_name": "T1430 - Location Tracking" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 194, "FileHash-MD5": 63, "FileHash-SHA1": 65, "FileHash-SHA256": 456, "domain": 116, "hostname": 495, "URL": 862, "email": 1 }, "indicator_count": 2252, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "8 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a1181104aab1e5b6484a6d2", "name": "* ghostware * CAPE Sandbox", "description": "[Results of an analysis of a KVM operating system, conducted by the MIT Research Institute (MIT), are published on the web. \u00c2\u00a32.5m.com (\u20ac3.4m; $4.6m).] pretext. a deeper follow up on impression domain from the last post shared. this is some of the evasive 2019-2020 attached malware in a sandbox. this is not easy to track or flag. Lb, cape, zenbox, vt are exceptional at this. Interesting string: preload js notes, \"fired\". this sha indicator won't run a sandbox despite all the flags: [a57ac7b63c282739aa...] though it now appears revoked - attached the certs in any event. (1 exp2 valid) exp:cosmina beteringhe\nStatus\nCertificate out of its validity period\nIssuer\nApple Inc.\nValid From\n02:08 PM 04/02/2019\nValid To\n02:08 PM 04/02/2024\nAlgorithm\nsha256WithRSAEncryption\nThumbprint\nB60CA526B0B84F7FF9B9CACC70702C5C10985B2C\nSerial Number\n6D E1 8E C8 70 AC A3 3E team identity:HYC4353YBE", "modified": "2026-05-23T10:34:56.494000", "created": "2026-05-23T10:27:28.048000", "tags": [ "token", "instance id", "date", "request", "version", "start", "callback", "indicate", "send instance", "id token", "default", "cname", "accept", "shell folders", "folders", "gmt ifnonematch", "cape sandbox", "bootkit", "t1055", "t1542", "shutdown", "defense evasion", "filename", "userclass", "source", "adprovider", "pair", "count", "null", "newtab", "result", "chrome web", "file type", "file size", "sha1", "mwdb", "bazaar", "sha3384", "ssdeep", "virtual address", "adknowledge", "guard", "loads", "back", "typeof", "catch", "impression", "none", "xmlhttprequest", "signaturehz", "mitre attack", "network info", "sigma", "program", "overview", "processes extra", "overview zenbox", "verdict", "guest system", "ultimate file", "next", "has permission", "t1430 location", "zenbox android", "persistence", "issuer apple", "valid from", "valid", "serial number", "ac a3", "apple inc", "status valid", "thumbprint", "mac os", "x executable", "info file", "info", "a9 a8" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/37dcea337208645ad344413d9a8350033fe2264c91cc91a5a2bf50045d92a67c_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779530336&Signature=p6VwVgKhapyzo9Qdy2STgvqVBCILyIVDELmCCzKAI3VnzeLfXf8kMElRnqtXzyceHxnFobEu5%2Bzot74n2%2FKVdQLGgjSNmpbV1vxI4qIMW44TnqKJz7q%2Bzl9L2qPXk2Xd24irnPUYT4Z6b52nITm3rElixM%2FxW5B7cYrEPVdMEQQ3axn7fZMtVXkHyakt5UbZUnglSc97W7kjMO7OSb6qTfAhWNZuFLn0hPzN3JeCVc6eH2VaF8qrMW", "https://vtbehaviour.commondatastorage.googleapis.com/37dcea337208645ad344413d9a8350033fe2264c91cc91a5a2bf50045d92a67c_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779530360&Signature=IoNgUEkiuiM2X4a2ueL9rEQPSxM3pwV%2Fg9ppA8C%2BBjHNorpe2t8rUBwA%2BU0UhSwLHm3J9bx4il%2Buly8trboaDKTDgdTvpIFdsHRjkQYF%2F8P2ot8tg5AnQeLV9Q8ddUazck3uN2LTNyDFCh5HiWfU%2FJ4BytbiANmLC8gGyCjX%2FX5Y%2FkYYJwEtsw0W90i9lyhlbNX%2FbAor8c1%2FRyPwUh8klvuYGDxvlbeal0nSXVYLSy", "https://vtbehaviour.commondatastorage.googleapis.com/59bd2b3f9e4fbc79518a31738080bc4b9b35b42f6e5a3b5c3a306e0b9aae7f2c_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779530394&Signature=EFtQdaqkkeNu27kPO7Zob0bl261oVyzlQmNL5Z9HnrD%2FemHBUX4%2BsRO8wGhrK9e53idu5dP%2FqFvjC3fYYvXzyeKs6x0kO0IqPs5Pp6y422zCXP9gKR7xBfnQIQtmWDVaBb4znOzF35Jd76v4D1Y4btKPazPqsa2hq38U%2F2BTS2Fjqng%2BtZLtgjXCV7Qy1iJuoL4wZxus6aU6uyk4Gt4%2FwQOFSxhXM9Sg6EzneRhhFzAhHkOWzW", "https://vtbehaviour.commondatastorage.googleapis.com/8203df818e55602f58e12749c5f43ef382d5829c540953ef5acd613e9339bbfa_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779530419&Signature=UGGjvrHysNTHqCP%2F98o%2Bwr%2BBuUURMkCiQxj24hY6gaY6O3Jzu8n5c1DTGQyxmFDLTNd%2BVEq%2BLjiAQEKKja33wGAeycq9H84UiQaOgy5xch0rQRhWlH9BAU1XQopkUIfjd%2F%2FjszJyY9f5GeBUviWGN0fk%2Fjf%2Bu70ZC8sViEooYie0vbqyBBZF4n4kjfdDoEDUXKU9hjk4W9PIBcH1Y8tyFonohbjbq7%2BZwzERUsYwo2", "https://vtbehaviour.commondatastorage.googleapis.com/8203df818e55602f58e12749c5f43ef382d5829c540953ef5acd613e9339bbfa_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779530508&Signature=GssLnauiY160oyi8Jf10sDf4bL46z5UIfcX%2F1jMAIWwy97%2Fw9GjbHzS38wt5ybxoiMkSIsTN%2BYE7Vd7kc7zHkudP8K6D2g6bTFX%2B%2Bao4FK6e0OYbJXqb%2BPeNSgeqrHMrCeXIW1H8RCC5QXuEjkQrE4TPFja5Gc790vYMvsT5oAuxbnFAzjQM%2BTwMcjJ1k9dWR0Hoh694C2boFVdHy3LxQkv7vk6CSmjQcZ4bBbHmEMC%2FNd", "https://vtbehaviour.commondatastorage.googleapis.com/7f9899e42bccdd1d6479b573fb1bb9277b4bd42e8f6ef73c5456f606949e7cf5_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779530727&Signature=xFLQpUtdhw77th%2BADVS4Sl3y8VCEFYpShlfIJ6D6zJme%2BtY0lUlxv2N7hvxGbwSTYKBYQSyu735BqpgvSUc5e%2BC%2B9XseD6ERlB2kCJmvUPalqCOgZABMyb6mGaG5MMGgxP19UjM1qrUOxI2iJSjEQQ4LLmmkLf7%2B6XGhtqkIG4O2hZ5ABCrdbqytgJkuVl7VMDYelEnoYLLma9GDq1ytLfUObtoINW48v1xg1Mykxldjv6gV2DWr", "https://vtbehaviour.commondatastorage.googleapis.com/37dcea337208645ad344413d9a8350033fe2264c91cc91a5a2bf50045d92a67c_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779530784&Signature=CYyyJeKkeGqnH6T6m5Xruegrlkv2udvHSUC4MgjgnkaJP2%2BkZUvTfdoh5S5uXQZbk0By%2Bg1akNr3AALQqY%2B0SNoOJdW5fHCOavOpIuNkgM4efnxQQyuhR%2F6eccAejXvy0cFPKDUhdhvbItcx7lkgLwM3MhWL%2FzNneeST7yUf3g8Pad72u7BrItBCkJ23R2quBuKT3G22OMfreYhprgO398iL0htbNTBKh4csLc9QtPI%2FabWco3", "https://vtbehaviour.commondatastorage.googleapis.com/e068d8d9f9dae873ec78bd5a88df561893c18b1df6200a958a864c34d27e0a3d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779530824&Signature=oRifg%2BGsx5SCY%2B4rLdvAqryqS3Xlu3DCrHZifO%2Bh9YOQAM4528P%2Bi6LzgYdE0hyDe8HlrfIhswkzkUOf8K4%2FzdoebqTYkwrHmPiJeW4cetq5F2qEeUU7RVbiXVUvLGYwThftr3BuB%2FtW3u%2Fl9v9AyS38ZTrk3B%2BjdQI5OqLikCMwV9lO%2B3lOB05pg6dpqHO3ycZUK2sMy5MgMqqyj%2FY2HLFVTv4wp4ea8PF%2Fswj4", "https://vtbehaviour.commondatastorage.googleapis.com/1b153c384510546d105b067e8b1be208f0686914841758441e857d7ffb18fa72_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779531163&Signature=ymkpXNrWILdVetVt90LhjbwNPIy4I%2FXM%2B0jq5xPK4FE6N61CBJ0ZKsP%2FbvZXOM5lKJdG6ltKQtldTuXskK26NlEwbRlzn90t1KGmXS6%2FkK7pgbFTNlA9BWYrDLciKwIZJJeFn46IMGSClXk0BXzcveuQWp4G%2BnIJwwWw0EjgU6ONUydOZW4DhKFhmEvNGfqPrEd6apNA3C39kZP%2Bql4tWV7ma8oAP9cHc7RyoO%2Fw4zbcJKmP", "https://vtbehaviour.commondatastorage.googleapis.com/1b153c384510546d105b067e8b1be208f0686914841758441e857d7ffb18fa72_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779531236&Signature=hz%2BT6I69NdrwImMGk8kcXqNnwp7K7z5sLWg7P7JvUVEckT5yV9zVAooLzjLyQGgNBxh%2Bw35npaMota9ooiK%2Bd3BWFd%2Bzr%2BUm76cQbsuLV5NH2LWXQFw1YzoSEXeXl4wmdHCWX4%2BP9tulqXFWpRQ4oOvqHWV10QWM4ubzWdft4N%2FCy4fQ90Iubm%2F1ywQ%2FuG66nNIy6ArwArpf2Md9Wb2k%2BVSwvmrPJqDUAM868u1jznd8SeGkYX", "https://vtbehaviour.commondatastorage.googleapis.com/23671e33d82282324fc51576616dbb92814adc4d17eb7014dc4e2f891ea7f4ae_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779531342&Signature=MsuL%2B3SZcdwh8PtkojSZiAkej0M%2FX59YS9DllA%2BRLg6Z%2FV43R4XBkqKm%2BsQjDvTRdh%2BFRjO2rtuvYPHG%2By1RpurAOIjZEBs3F2ZYmv6mE62mgf4bDqgnUZS5myKTtlD%2BnuWRL7up%2B197%2F4VEXIqM8hxzhGDo7jmUeU0HERH%2FUnTThLnOjAWlGHNITZ7ffU0tKlYMKo%2BHqAkV9AerG5R%2FZdAh7nZidUf8wYpV", "https://vtbehaviour.commondatastorage.googleapis.com/79b0e5df7c5ebe1b2967a3d161ec0283531f20beb58cd8eb8e343f7ecbf0e142_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779531881&Signature=J%2FX46%2BkQxXt0avuUofAv2FrDA2NcHoY81F%2F%2FCOybzM72s9GqDbl34Hk6nMuCyVJ9cyKFYU4dKZ5PGnS5MZLN7tzYDYnGF6tmsCd56oCgYS4IN8%2Ffm7xi81ELi3QsBaKZaSKBYTcBzQZOzBgTX%2BjFL%2FH291KDNrb5QKNV0OYNHKzFrKXUZzUNPTZgDw2%2B2XVV4tQzxtRNdm0kQW19OOOv29%2FY0E9CK9qRsl4Nu2otAW" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1406", "name": "Obfuscated Files or Information", "display_name": "T1406 - Obfuscated Files or Information" }, { "id": "T1409", "name": "Access Stored Application Data", "display_name": "T1409 - Access Stored Application Data" }, { "id": "T1418", "name": "Application Discovery", "display_name": "T1418 - Application Discovery" }, { "id": "T1421", "name": "System Network Connections Discovery", "display_name": "T1421 - System Network Connections Discovery" }, { "id": "T1424", "name": "Process Discovery", "display_name": "T1424 - Process Discovery" }, { "id": "T1426", "name": "System Information Discovery", "display_name": "T1426 - System Information Discovery" }, { "id": "T1430", "name": "Location Tracking", "display_name": "T1430 - Location Tracking" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 70, "FileHash-MD5": 19, "FileHash-SHA1": 18, "FileHash-SHA256": 412, "domain": 96, "hostname": 409, "URL": 810, "email": 1 }, "indicator_count": 1835, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "8 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69e6b5db72b21e3d8990ad72", "name": "private", "description": "", "modified": "2026-05-20T23:09:29.909000", "created": "2026-04-20T23:25:15.465000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 212, "URL": 283, "hostname": 192, "FileHash-SHA256": 136, "FileHash-MD5": 121, "FileHash-SHA1": 117, "email": 13, "URI": 3 }, "indicator_count": 1077, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "10 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "crbug.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "crbug.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780236641.6199183 }