{
"type": "Domain",
"indicator": "dns.google",
"general": {
"sections": [
"general",
"geo",
"url_list",
"passive_dns",
"malware",
"whois",
"http_scans"
],
"whois": "http://whois.domaintools.com/dns.google",
"alexa": "http://www.alexa.com/siteinfo/dns.google",
"indicator": "dns.google",
"type": "domain",
"type_title": "Domain",
"validation": [
{
"source": "akamai",
"message": "Akamai rank: #801",
"name": "Akamai Popular Domain"
},
{
"source": "majestic",
"message": "Whitelisted domain dns.google",
"name": "Whitelisted domain"
}
],
"base_indicator": {
"id": 2128226933,
"indicator": "dns.google",
"type": "domain",
"title": "",
"description": "",
"content": "",
"access_type": "public",
"access_reason": ""
},
"pulse_info": {
"count": 50,
"pulses": [
{
"id": "69df607b31f6ed471c32d4e3",
"name": "CAPE Sandbox- Very Evasive and Aggressive 'bot?'.......",
"description": "A full report on the Microsoft Office malware, published on 3 February 2026, has been published online by the University of California, Los Angeles, and the National Security Agency (NSA) in New York.> This is malicious.",
"modified": "2026-04-15T09:59:19.058000",
"created": "2026-04-15T09:55:07.649000",
"tags": [
"settings",
"first counter",
"default",
"toolspanose",
"mwdb",
"bazaar",
"sha3384",
"ssdeep",
"file size",
"mbisslshort",
"accept",
"bridge",
"info",
"date",
"light",
"agent",
"shutdown",
"root",
"performs dns",
"extra info",
"attack network",
"info dropped",
"info processes",
"zenbox verdict",
"guest system",
"ultimate file",
"info file",
"ascii text",
"malicious",
"next",
"mitre attack",
"network info",
"processes extra",
"overview",
"overview zenbox",
"verdict",
"unknown"
],
"references": [
"https://vtbehaviour.commondatastorage.googleapis.com/930fd5e980c675c0eeb55d1c3c4b462dae4e9add472228ef9d9d3941d8603c48_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776246714&Signature=jA8ZNQzdLZfCMA%2BeZdzBjB3xA0B7xKtgmBMmVGhpCsbkEU53LPuuNVLyugFpe7diOUDoR55j7HbDl9qcOHkMPamkpv3i44NiD46yJbU4LSQkaP1qPkrF0YTWKn4PkEnuUYIAEr6z6J76c33VYseiQzUFAb%2F2EmiSrP2P0B%2BTV3lvRclFr%2FAxEVTCCZcmWffeMujO3jhC9czl3rYy9DQH1v23x4tcX0%2BcVcRjvTPUjfACcx8trhtm",
"https://vtbehaviour.commondatastorage.googleapis.com/7ee979e976acf8f47699717010a1a0259a991b62d6690571d8b68dd16b294b2b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776246777&Signature=yNFSBGy%2Bm8tg5Sl9XzqsISl5kfgoB4%2Fnf%2FJn6WTRwmAZFUp51dt85ONZCzDMwEPqIoiUXlYybE4s09saW5RxfASOPh2spHs6dyCMsXnDPX%2Bk97XShYdomVvaBJsmRZDzDF1inptzQCRTtdDSe9IeE0ZE0Sr7AlXrkR1sVf151d4nyK3gdcwxaojAALetWrh%2Fx%2BjcpJYEo7D5hlba1zTfWJ57CQVjWvixx1vFyzw%2B8s59JIuuvTK25JI2",
"https://vtbehaviour.commondatastorage.googleapis.com/930fd5e980c675c0eeb55d1c3c4b462dae4e9add472228ef9d9d3941d8603c48_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776246967&Signature=Ir5y9DGvGgNLFUDY8U6XR53N35ujwlwfUYKT1GK9MfB1XTAtJk8qVigh7fO1EPVnJQP%2BkVNsUCkx1JjW9L03u0PfThYXwIBYbjulP7glaB%2BqBIqGVjsKq%2BlOwN0MLlSG408dZWbdUekl6p8wKR8L4Y1wXpN5UU%2F6gKv2dm9WFA9aHsBZd3K33gYAJ0cjsJEz%2BY4WITcbYvW0eJDyk7JGmMa1c4VaL6Wqud26xKwdeyOExz3D472vYkEAROfQ",
"https://vtbehaviour.commondatastorage.googleapis.com/930fd5e980c675c0eeb55d1c3c4b462dae4e9add472228ef9d9d3941d8603c48_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776246921&Signature=X1jzLW3418s%2FQ18Krko%2B307kskS6d2hv1BEZN918A03%2BgNR7LtEHC48e5%2F3mRCz0n3H1wrLvbc3pB9GFSEcPI1iYWIN2YZa8TRUv8pk%2BTsrfc0GlUPG1JwElP67v80tNQVAvFXYkI00vaXUyTEIAWltRkZnJCH1iOD%2BnGOcmzDsQ28fJBY6ZXAoee8pz1CL%2B95j7wn8%2FdET4YQdhduJj0x3M%2BM5oon%2FgzuHLI70rvQ"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"IPv4": 69,
"FileHash-MD5": 254,
"FileHash-SHA1": 43,
"FileHash-SHA256": 49,
"URL": 80,
"hostname": 117,
"IPv6": 1,
"email": 1,
"domain": 10
},
"indicator_count": 624,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 46,
"modified_text": "1 hour ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69df607ced5dad90593b17cb",
"name": "CAPE Sandbox- Very Evasive and Aggressive 'bot?'.......",
"description": "A full report on the Microsoft Office malware, published on 3 February 2026, has been published online by the University of California, Los Angeles, and the National Security Agency (NSA) in New York.> This is malicious.",
"modified": "2026-04-15T09:57:56.379000",
"created": "2026-04-15T09:55:08.935000",
"tags": [
"settings",
"first counter",
"default",
"toolspanose",
"mwdb",
"bazaar",
"sha3384",
"ssdeep",
"file size",
"mbisslshort",
"accept",
"bridge",
"info",
"date",
"light",
"agent",
"shutdown",
"root",
"performs dns",
"extra info",
"attack network",
"info dropped",
"info processes",
"zenbox verdict",
"guest system",
"ultimate file",
"info file",
"ascii text",
"malicious",
"next",
"mitre attack",
"network info",
"processes extra",
"overview",
"overview zenbox",
"verdict",
"unknown"
],
"references": [
"https://vtbehaviour.commondatastorage.googleapis.com/930fd5e980c675c0eeb55d1c3c4b462dae4e9add472228ef9d9d3941d8603c48_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776246714&Signature=jA8ZNQzdLZfCMA%2BeZdzBjB3xA0B7xKtgmBMmVGhpCsbkEU53LPuuNVLyugFpe7diOUDoR55j7HbDl9qcOHkMPamkpv3i44NiD46yJbU4LSQkaP1qPkrF0YTWKn4PkEnuUYIAEr6z6J76c33VYseiQzUFAb%2F2EmiSrP2P0B%2BTV3lvRclFr%2FAxEVTCCZcmWffeMujO3jhC9czl3rYy9DQH1v23x4tcX0%2BcVcRjvTPUjfACcx8trhtm",
"https://vtbehaviour.commondatastorage.googleapis.com/7ee979e976acf8f47699717010a1a0259a991b62d6690571d8b68dd16b294b2b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776246777&Signature=yNFSBGy%2Bm8tg5Sl9XzqsISl5kfgoB4%2Fnf%2FJn6WTRwmAZFUp51dt85ONZCzDMwEPqIoiUXlYybE4s09saW5RxfASOPh2spHs6dyCMsXnDPX%2Bk97XShYdomVvaBJsmRZDzDF1inptzQCRTtdDSe9IeE0ZE0Sr7AlXrkR1sVf151d4nyK3gdcwxaojAALetWrh%2Fx%2BjcpJYEo7D5hlba1zTfWJ57CQVjWvixx1vFyzw%2B8s59JIuuvTK25JI2",
"https://vtbehaviour.commondatastorage.googleapis.com/930fd5e980c675c0eeb55d1c3c4b462dae4e9add472228ef9d9d3941d8603c48_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776246967&Signature=Ir5y9DGvGgNLFUDY8U6XR53N35ujwlwfUYKT1GK9MfB1XTAtJk8qVigh7fO1EPVnJQP%2BkVNsUCkx1JjW9L03u0PfThYXwIBYbjulP7glaB%2BqBIqGVjsKq%2BlOwN0MLlSG408dZWbdUekl6p8wKR8L4Y1wXpN5UU%2F6gKv2dm9WFA9aHsBZd3K33gYAJ0cjsJEz%2BY4WITcbYvW0eJDyk7JGmMa1c4VaL6Wqud26xKwdeyOExz3D472vYkEAROfQ",
"https://vtbehaviour.commondatastorage.googleapis.com/930fd5e980c675c0eeb55d1c3c4b462dae4e9add472228ef9d9d3941d8603c48_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776246921&Signature=X1jzLW3418s%2FQ18Krko%2B307kskS6d2hv1BEZN918A03%2BgNR7LtEHC48e5%2F3mRCz0n3H1wrLvbc3pB9GFSEcPI1iYWIN2YZa8TRUv8pk%2BTsrfc0GlUPG1JwElP67v80tNQVAvFXYkI00vaXUyTEIAWltRkZnJCH1iOD%2BnGOcmzDsQ28fJBY6ZXAoee8pz1CL%2B95j7wn8%2FdET4YQdhduJj0x3M%2BM5oon%2FgzuHLI70rvQ"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"IPv4": 69,
"FileHash-MD5": 254,
"FileHash-SHA1": 43,
"FileHash-SHA256": 49,
"URL": 80,
"hostname": 117,
"IPv6": 1,
"email": 1,
"domain": 10
},
"indicator_count": 624,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 46,
"modified_text": "1 hour ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69df292b85c74fec867e4ed2",
"name": "VirusTotal report\n for index.html",
"description": " 'broken seal'",
"modified": "2026-04-15T09:20:24.856000",
"created": "2026-04-15T05:59:07.274000",
"tags": [
"sign",
"submission",
"unread",
"community score",
"status",
"content type",
"date",
"community join",
"community",
"api key",
"body",
"dns resolutions",
"ip traffic",
"performs dns",
"found",
"https",
"urls",
"mitre attack",
"network info",
"processes extra",
"mnhqrsc7",
"t1055 process",
"layer protocol",
"phishing",
"next",
"get http",
"rules not",
"http",
"injection",
"memory pattern",
"cape sandbox",
"zenbox",
"detections not",
"found mitre",
"info ids",
"size",
"analysis date",
"domains",
"facebook",
"language",
"vhash",
"ssdeep",
"file type",
"html internet",
"magic html",
"unicode text",
"utf8 text",
"algorithm",
"key identifier",
"x509v3 subject",
"v3 serial",
"number",
"cus olet",
"encrypt cne7",
"validity",
"subject public",
"key info",
"handle",
"server",
"entity",
"registrar abuse",
"llc creation",
"join",
"umbrella",
"trid file",
"redacted for",
"privacy tech",
"privacy admin",
"country",
"stateprovince",
"postal code",
"organization",
"email",
"code",
"canva",
"overview",
"dropped info",
"malicious",
"default",
"file size",
"mwdb",
"bazaar",
"sha3384",
"acrongl integ",
"adc4240758",
"sha256",
"accept",
"shutdown",
"back",
"windows sandbox",
"calls process",
"docguard",
"greyware mitre",
"evasion",
"vs98",
"compiler",
"sp6 build",
"chi2",
"contained",
"authentihash",
"rich pe",
"win32 exe",
"system process",
"pe file",
"ms windows",
"downloads",
"united",
"drops pe",
"tls version",
"persistence",
"fraud",
"nothing",
"registry keys",
"parent pid",
"full path",
"command line",
"mutexes nothing",
"created",
"files c",
"read files",
"read registry",
"tcp connections",
"udp connections",
"files nothing",
"description",
"host process",
"windows",
"user",
"integritylevel",
"detailsendswith",
"helper objects",
"cache",
"imageendswith",
"autorun keys",
"modification id",
"asep",
"victor sergeev",
"tim shelton",
"nextron",
"from",
"system32",
"syswow64",
"winsxs",
"lolbins",
"roth",
"markus neis",
"filesavira",
"rule set",
"github",
"matches rule",
"florian roth",
"capture",
"malware",
"cgb osectigo",
"public server",
"dv r36",
"pdf document",
"magic pdf",
"trid adobe",
"format",
"crc32",
"win1",
"detail info",
"tickcount",
"filename",
"behaviour",
"imagepath",
"cmdline",
"offset",
"targetprocess",
"writeaddress",
"write",
"shell",
"open"
],
"references": [
"https://vtbehaviour.commondatastorage.googleapis.com/a77a417f32cbded88f0d4e3663963a8965e72a25398acc329d907143e4ac3b23_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776228071&Signature=k4OPGTTS9fpKAbpLbTCobvi0%2BEjGbp7VcWYSCEp1TvQjpVcQtED0S8jcuTQ0McsWiP%2B6aw%2Fx98DNyVWEyPW4Tk8SxeBRXHcp0LXtwZJGGgR6Bg22qNhLkdLO31x8icluFzt4jqqp9hvJBXQodGoJWmlyxa3b9mS%2BeqUdi0ui3etDt%2Fhqv5QEOSCDX7bljWWmxRJa%2BZfAYDazGaCIGSQoltS%2BeMihl5SLMi%2B%2BjYP6%2BKTvM9xwUC",
"https://vtbehaviour.commondatastorage.googleapis.com/a77a417f32cbded88f0d4e3663963a8965e72a25398acc329d907143e4ac3b23_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776228177&Signature=MeuwZPsdr0gtQe0sk4q%2F4CUZfcMW69%2BxIGhrTaYMPXdTjl9aWJE5615NjAm4MvLR4DtSbJ7cc1BFbk7BVmjJn8nL41YfGq%2BBf5gZPn0%2FQV9ktpUtUMF9Lv0QkTRTFvsf0jeKYeC2md5imom9AjEbo5ewSdFcbMP503mxuC0pdhpq7S49aLwME4HDzuoSSRnwj%2BlEmfp5egLduihMAZHjBHMzBdPMJAufJFlU8IQZClMZlgiQVG7EB%2Fv1e6",
"https://vtbehaviour.commondatastorage.googleapis.com/b0b9aa9f245afb8f001e1d0c3be360fac8128469e52b5242115a7ff6e6c04978_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229294&Signature=OdVBHVnXq3aV47RlsO8ckBUvhV7Kn9b%2F4xcw6rkjRGl101K0lV0KpQpJFnEJ2JNjbsHO7vdMuiA2nR7aFNAx3pK6oJ2uEM5B%2F1BElXy3wNiL6OMqOj6VDv1lBLizeW3yvJG2V6sF%2By0mIhjiIDTOWyndGkDQoxymSgXyRoelmqrYH09k2E5CRoipEjdu2HUz6DgB0hePe4bG7h%2FBmerbDws5a3iwYrIjxjcFH06RSyYEapwLeYDZLUN8zzbnyg",
"https://vtbehaviour.commondatastorage.googleapis.com/b0b9aa9f245afb8f001e1d0c3be360fac8128469e52b5242115a7ff6e6c04978_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229341&Signature=FsDJqLFCpjpHyHkGAAeaeZJ0FuHsnHPW6OqfNr9%2FNQIMbW7S%2BpRdtBt0QC6eD2wVbJ0w0mn5Yh0umB2%2B4oj4WMpC%2Bbrabv85VtOz%2F7vZpXZYD00Eey8BoejnKjQXMEvwQelKFGpAKX9nv%2FzwiCOS22Yks44WKHJ9A32A8UatUxBJensQPOqvN6AxKy8xxjxFGM3cZm0F86LlAfualBwN7iwbWFmc4eGjmYxY6luyqTxxyh58Vh",
"https://vtbehaviour.commondatastorage.googleapis.com/b0b9aa9f245afb8f001e1d0c3be360fac8128469e52b5242115a7ff6e6c04978_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229360&Signature=mH4LFzdNbM%2FrTWl5A1VAc7ojWzYacRphus9okWr%2BvKUFUyk6TK8Pas4WKG1FcvFR2wwpkpjhE0AE0viuh35qs9qrKBS2fIH14W17FlfmoSXYlBcSDESzTv%2FVzT%2F0Apeil6p9N3Fux7xxH6ZuNyB%2B4%2FPrsSOrCfOkh4oSRipPAOPTUdPYpQTe0rA1LiyBADnpOeEOc4sEeKoTGaMgqmSXd6sFNnsjxsspmJ6p%2F0NL9s",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229700&Signature=bWnonefGUZtYeK3iLEK3l6B1K8s5LAANJsHqgu2f0adNPoq5aO1WnMIFL001ZRPLhg3zHdzVWEliZbOKd464xRNceJ7qnwM2u%2BoTUWVsdG7sWp8m3KT9cy98h7ihyVxEJudR7SVtw3hFHyjnbgFd8um7IWE3l2SqVOMKxir6agkJHMAg85Uq%2B29m%2Fxor5i2T2eJagX5555p5VHGXCleUwHe47ThbWegYdvCtAeZOtTKyRSdkhAYjfh3BJ1x2dWJ2",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229786&Signature=xYXDEDJcly%2BwCTkFPUyrSr228UUue%2BCAjKBOxrc5lIwprWxivXrJrS40lCNF%2BKMLkA9i6z04spAOemhRUK66rLcdqghb9T%2FBO4LbtGMX%2B1PAsVhS%2BP4qygPXIHJ5%2B8wxoZW2tYaq0ZvgAT6JnxbkWd5C0zOxXk%2F9hT6Vp9O5ikL6ZfyZ6slwyrcaPf2dQp0s8qV47TDrYLbF3PtfUd7Gqo1FH%2BCeT2v3waoi7mEQ%2BR",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229983&Signature=pjZPJEd79tkxjTOXjGMHb4Ed29a3OnC2MaGvoEp2E%2BtUNlKu%2BjXXLzR8Y%2FZlOZH1iQYAVjw%2BGSPneb4wnbT1VPNraQ3Xf5M6aAPdM6%2FksMddUDZcLVnFuSdgwU93ADeZobmWXc%2BJH1%2FguUu9OPzHo0G%2BgRmTNqH9qd3UF67OJAc5REJ07uMtzQuuBx6rXGruAKZEVmDJkBSj%2BYeGTwZmIa5rki62YowEiVDCcQ",
"https://vtbehaviour.commondatastorage.googleapis.com/a77a417f32cbded88f0d4e3663963a8965e72a25398acc329d907143e4ac3b23_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776230863&Signature=MAUJlRZPDmQ8L%2FN5a%2F5%2FFKR6Avr46BE%2BopAgWZomEP4ZjskOPFdqUdHqNnWlGWBv%2FQh4X7Z7p3aft1KWZdvUXnSZMerAL7Kuh%2BCK%2BLXLSALQZ9DL6ZpXdOktgaTxL6heoTmcz%2FvpOVmsFn%2FgbzxQjLZ9GliY9AQE1C3VJAZmqdMbG1Y%2FIpByCKcEokrgAN%2B7XhJGE94VD8A4luLzKvlyVYuqoFv6raDRdQMFBOXOJCXkyjJk",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776230932&Signature=xa5mbsGixH6SGhj%2BdrfZBwVhiHGEybcZdAbHUfpoGoECgFwqMLudtOiuX7AZZO2RxSaIoY%2FOQa%2B7jGfS%2FoeYRgjRTmAJCei6M172sbgIU6nRQdVDrqNeJXkSlr20Q1sW0%2B4gtImsebtle4ipmPMbrM6VDUWKjegUi8afL5a27GLZg9veVMc%2FI0aT1qx8EjsdITQ%2BSdvZoX39A%2FlC3j0gK6R9WcVdu3DEx6lxUHsOx3HPKk%2BJAZyZ",
"https://vtbehaviour.commondatastorage.googleapis.com/5db6524a52780ba7a4bd05e5faa20cbb7159f1c503394d850b5e95442357fb38_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776230974&Signature=zYx3MmXFQoBT4EG2nvG5OZiyNhwKxbZzjL6%2BNZgR4Vz%2FdHSEDvbVaSpxmWXWVYIvSYVfBhn1WxEelG4wi1yRrrS7CXwxSbXtv1E6hBhtT8u%2F%2Fj%2F4eRs2Jtulv5WvBY99pZ53qx9cvc8vV%2FgELVw%2Fy%2Bjat%2BN72%2BtX0XBhiiOt%2BtpVFkjl12ns9sbW6xNwzsrENkL5xhuctZ7TX2AX188SrJb9s5VM0wK7F8",
"https://vtbehaviour.commondatastorage.googleapis.com/00fa27f76beaca564ba93b54d2c468637c2b1dcb5568c4a597a08068af36cda5_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776231578&Signature=NwCoyWHAZRo4FS0XqNnT7d8ki2ytuinY7CisegY4Mq1T5JctWpC4Kee1LG6L3Tmb8%2BfW9yMZq0ChSvSYUjdDTFzNYQoq8vKxf8iGkMy%2BmOA3tSAu3gbLWS2bTtDjc4TFrtK0PKow3hO0FW0QtCkt9NPBi%2BPgoW7MXYIZ3uFt9ARoi%2FY1ChJZdBRtdii1C%2BWEDeLCIQ9xOpDRKxdYBmliuWm6kmeld%2F5yh1%2FSBDYYTOMDDZwzdDUr%2FB",
"https://vtbehaviour.commondatastorage.googleapis.com/000c8c89cace706e71df3b230abb53b0891757e08e1d10013ba76d98a3b08622_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776231935&Signature=wI0FB9EBFXXgWFo0thv9T11BAEOIJxW%2BSMCRUhCv8%2FEaaWaZhr975NH1qjEeFwIgm3cWdqm8KhXTxkbqGddaPoKiIoe59pX4ZVhr0LmnSTGFTFkLVGsGIajJCSutHgqOs6kW5KtDpyC67KxlAF1IA858Tz7eOXxYk3JYsf5g9iC%2BhkfqrDGGucK%2BDxtYZbIvDRb3QxLpD2qtF4NVPFoO38H3aJon0pykwGkrRNU0Pae%2F5YyJjl6m",
"https://vtbehaviour.commondatastorage.googleapis.com/f403bda8d1840e13c382804876bddf5521304bbbe01d8c127e9b482baf4db923_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776232147&Signature=qctdwqGOIWSBEBix28Qxr45GEATFVdZTkDPbDIdJUHZ668NUB29x7xOOu3BZACgBBczicReTkIygLYXiDb20rGtoja2iQxFCTOWE4%2FLwc9Nxh7I1%2FSoHR6%2Bi5Wk4XJTAcdzAGeExua8rUKoFT5sIKrtv83PwbAvTCO7GvcydYPqGs2mLLbQhp7372gRlMAdZg6XILhNRYSlLjZKO%2BpqkBfkK8qpwy%2BaB6%2BDnSqhM%2BVFxaWXh",
"https://vtbehaviour.commondatastorage.googleapis.com/106d36306f3b9357ff409aa1e41521243092c85e8e92fee633b033c9753e98a6_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776232356&Signature=dOUaP3bH%2F2XkNjkbn9FzySukzQbvCwdZKL3t4DjYw8QyaWjsDXs4zMrVafpcb0nOty%2Ff6lOTZkHbIBpyOnKxL9VoqGlftDb03fLBfKM96ov1%2B%2F7gAUJtMfAdk9BUBNUNda9t16wrDNGAVeGod5gZULkmaRB%2BSYwitpYbdZZw9oqT6GM86gMSQdng8tKJ5jvB7qzOr5k3fD2VUuTDsvjZN4f0hncuHKTT6LK4T2FPew5lUi44QzME",
"https://vtbehaviour.commondatastorage.googleapis.com/37f12bc75b877cf1823020f35dfc55ecde4dd992020b7059b13cbc2a59a1602b_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776233810&Signature=RD85gBCBa6ClHHnNqywd6%2FYlQHrUais%2BuABeaQrUngJuiQTTEyzmUagxx2k2VZ0tgbmEb%2Fdh9lTTFZXkRC4cQ18iE4OIl6IKM5Yzxmd8vDT6dmCvEzCiRUxmplXzVUHTJFz1dNIy0zvMDzEuAWEpKf2wo823yU%2F4PaxOceMkJ%2Ftq5Jehb6pUn6ILf%2B5FOEGJpxjXrbtWS%2BT%2BA5ScNml2cc8140P9mQ%2BmMx2EAW",
"",
"https://vtbehaviour.commondatastorage.googleapis.com/db9d8c125c0e5a440719875d01365c7c5423bcc8df55e54cb228ac2aa30bc969_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776235167&Signature=c%2F4wKBu3gsuZInxjqfgg8MbdYRlJ5EYYEV%2Fkl1g3Nx%2Fp%2B7lCYKGrilDgDTTqlooVjs8pyDi58Yi2SSs40L5JzExM18zVXhiUs1SYZNyy3OWKiAZ5QMH69N8R8XHmOd2L6lwfLVy9x%2F%2Fu29ji02gGj0W7eFht2uGb3Hnhegtt%2BNxNhOOCcD8LDnTvh%2Fhm9RYmW40LG5q238yRggg3TFrumeG2RHO9czdiobkRrsAD8eIohj",
"x-amzn-trace-id Root=1-69df501d-7e46547e623628d85631dc6b;Parent=0bf4ea1fded328b1;Sampled=0;Lineage=1:6afe1924:0",
"Nextron: Thank you for the YARA rules. Yara and LB, too.",
"https://vtbehaviour.commondatastorage.googleapis.com/930fd5e980c675c0eeb55d1c3c4b462dae4e9add472228ef9d9d3941d8603c48_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776243461&Signature=Dz1357rbtfS3ulmmu8c%2BhYCsFXq5j6Rkafb9W6C2Rp8K9C3NfbpUuCN1TORawK7%2BnEJXGNb7r2PQThu1hU64xqNTi6I7KNZcOwC5SHIDUgioEm6FoK%2F68BF%2Fj9tn3trLgKetrPx2zuy%2BP9gjqBMe5T2fAtNa%2FJi4uZYhdDQhKIZB1JmXDjEcFMhp6PLdPqEVVUh6nwevWaLhJ1z%2BPVhc9atSdnbwiXbJ7Cp%2BKrfR1xH8OQ"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1203",
"name": "Exploitation for Client Execution",
"display_name": "T1203 - Exploitation for Client Execution"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1003",
"name": "OS Credential Dumping",
"display_name": "T1003 - OS Credential Dumping"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1014",
"name": "Rootkit",
"display_name": "T1014 - Rootkit"
},
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1485",
"name": "Data Destruction",
"display_name": "T1485 - Data Destruction"
},
{
"id": "T1496",
"name": "Resource Hijacking",
"display_name": "T1496 - Resource Hijacking"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1542",
"name": "Pre-OS Boot",
"display_name": "T1542 - Pre-OS Boot"
},
{
"id": "T1564",
"name": "Hide Artifacts",
"display_name": "T1564 - Hide Artifacts"
},
{
"id": "T1016",
"name": "System Network Configuration Discovery",
"display_name": "T1016 - System Network Configuration Discovery"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1547",
"name": "Boot or Logon Autostart Execution",
"display_name": "T1547 - Boot or Logon Autostart Execution"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1134",
"name": "Access Token Manipulation",
"display_name": "T1134 - Access Token Manipulation"
},
{
"id": "T1046",
"name": "Network Service Scanning",
"display_name": "T1046 - Network Service Scanning"
},
{
"id": "T1539",
"name": "Steal Web Session Cookie",
"display_name": "T1539 - Steal Web Session Cookie"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 3012,
"IPv4": 342,
"URL": 3824,
"FileHash-MD5": 734,
"FileHash-SHA1": 453,
"domain": 862,
"hostname": 1629,
"email": 25,
"CVE": 1
},
"indicator_count": 10882,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 47,
"modified_text": "1 hour ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69df292dac938e1d181a38e2",
"name": "VirusTotal report\n for index.html",
"description": " 'broken seal'\n\nObservations: Unplugged, Airbook, flashed wrote or write javascript in red around 2:45am EST when trying to upload and took me to a google screen.",
"modified": "2026-04-15T08:40:44.402000",
"created": "2026-04-15T05:59:09.898000",
"tags": [
"sign",
"submission",
"unread",
"community score",
"status",
"content type",
"date",
"community join",
"community",
"api key",
"body",
"dns resolutions",
"ip traffic",
"performs dns",
"found",
"https",
"urls",
"mitre attack",
"network info",
"processes extra",
"mnhqrsc7",
"t1055 process",
"layer protocol",
"phishing",
"next",
"get http",
"rules not",
"http",
"injection",
"memory pattern",
"cape sandbox",
"zenbox",
"detections not",
"found mitre",
"info ids",
"size",
"analysis date",
"domains",
"facebook",
"language",
"vhash",
"ssdeep",
"file type",
"html internet",
"magic html",
"unicode text",
"utf8 text",
"algorithm",
"key identifier",
"x509v3 subject",
"v3 serial",
"number",
"cus olet",
"encrypt cne7",
"validity",
"subject public",
"key info",
"handle",
"server",
"entity",
"registrar abuse",
"llc creation",
"join",
"umbrella",
"trid file",
"redacted for",
"privacy tech",
"privacy admin",
"country",
"stateprovince",
"postal code",
"organization",
"email",
"code",
"canva",
"overview",
"dropped info",
"malicious",
"default",
"file size",
"mwdb",
"bazaar",
"sha3384",
"acrongl integ",
"adc4240758",
"sha256",
"accept",
"shutdown",
"back",
"windows sandbox",
"calls process",
"docguard",
"greyware mitre",
"evasion",
"vs98",
"compiler",
"sp6 build",
"chi2",
"contained",
"authentihash",
"rich pe",
"win32 exe",
"system process",
"pe file",
"ms windows",
"downloads",
"united",
"drops pe",
"tls version",
"persistence",
"fraud",
"nothing",
"registry keys",
"parent pid",
"full path",
"command line",
"mutexes nothing",
"created",
"files c",
"read files",
"read registry",
"tcp connections",
"udp connections",
"files nothing",
"description",
"host process",
"windows",
"user",
"integritylevel",
"detailsendswith",
"helper objects",
"cache",
"imageendswith",
"autorun keys",
"modification id",
"asep",
"victor sergeev",
"tim shelton",
"nextron",
"from",
"system32",
"syswow64",
"winsxs",
"lolbins",
"roth",
"markus neis",
"filesavira",
"rule set",
"github",
"matches rule",
"florian roth",
"capture",
"malware",
"cgb osectigo",
"public server",
"dv r36",
"pdf document",
"magic pdf",
"trid adobe",
"format",
"crc32",
"win1",
"detail info",
"tickcount",
"filename",
"behaviour",
"imagepath",
"cmdline",
"offset",
"targetprocess",
"writeaddress",
"write",
"shell",
"open"
],
"references": [
"https://vtbehaviour.commondatastorage.googleapis.com/a77a417f32cbded88f0d4e3663963a8965e72a25398acc329d907143e4ac3b23_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776228071&Signature=k4OPGTTS9fpKAbpLbTCobvi0%2BEjGbp7VcWYSCEp1TvQjpVcQtED0S8jcuTQ0McsWiP%2B6aw%2Fx98DNyVWEyPW4Tk8SxeBRXHcp0LXtwZJGGgR6Bg22qNhLkdLO31x8icluFzt4jqqp9hvJBXQodGoJWmlyxa3b9mS%2BeqUdi0ui3etDt%2Fhqv5QEOSCDX7bljWWmxRJa%2BZfAYDazGaCIGSQoltS%2BeMihl5SLMi%2B%2BjYP6%2BKTvM9xwUC",
"https://vtbehaviour.commondatastorage.googleapis.com/a77a417f32cbded88f0d4e3663963a8965e72a25398acc329d907143e4ac3b23_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776228177&Signature=MeuwZPsdr0gtQe0sk4q%2F4CUZfcMW69%2BxIGhrTaYMPXdTjl9aWJE5615NjAm4MvLR4DtSbJ7cc1BFbk7BVmjJn8nL41YfGq%2BBf5gZPn0%2FQV9ktpUtUMF9Lv0QkTRTFvsf0jeKYeC2md5imom9AjEbo5ewSdFcbMP503mxuC0pdhpq7S49aLwME4HDzuoSSRnwj%2BlEmfp5egLduihMAZHjBHMzBdPMJAufJFlU8IQZClMZlgiQVG7EB%2Fv1e6",
"https://vtbehaviour.commondatastorage.googleapis.com/b0b9aa9f245afb8f001e1d0c3be360fac8128469e52b5242115a7ff6e6c04978_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229294&Signature=OdVBHVnXq3aV47RlsO8ckBUvhV7Kn9b%2F4xcw6rkjRGl101K0lV0KpQpJFnEJ2JNjbsHO7vdMuiA2nR7aFNAx3pK6oJ2uEM5B%2F1BElXy3wNiL6OMqOj6VDv1lBLizeW3yvJG2V6sF%2By0mIhjiIDTOWyndGkDQoxymSgXyRoelmqrYH09k2E5CRoipEjdu2HUz6DgB0hePe4bG7h%2FBmerbDws5a3iwYrIjxjcFH06RSyYEapwLeYDZLUN8zzbnyg",
"https://vtbehaviour.commondatastorage.googleapis.com/b0b9aa9f245afb8f001e1d0c3be360fac8128469e52b5242115a7ff6e6c04978_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229341&Signature=FsDJqLFCpjpHyHkGAAeaeZJ0FuHsnHPW6OqfNr9%2FNQIMbW7S%2BpRdtBt0QC6eD2wVbJ0w0mn5Yh0umB2%2B4oj4WMpC%2Bbrabv85VtOz%2F7vZpXZYD00Eey8BoejnKjQXMEvwQelKFGpAKX9nv%2FzwiCOS22Yks44WKHJ9A32A8UatUxBJensQPOqvN6AxKy8xxjxFGM3cZm0F86LlAfualBwN7iwbWFmc4eGjmYxY6luyqTxxyh58Vh",
"https://vtbehaviour.commondatastorage.googleapis.com/b0b9aa9f245afb8f001e1d0c3be360fac8128469e52b5242115a7ff6e6c04978_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229360&Signature=mH4LFzdNbM%2FrTWl5A1VAc7ojWzYacRphus9okWr%2BvKUFUyk6TK8Pas4WKG1FcvFR2wwpkpjhE0AE0viuh35qs9qrKBS2fIH14W17FlfmoSXYlBcSDESzTv%2FVzT%2F0Apeil6p9N3Fux7xxH6ZuNyB%2B4%2FPrsSOrCfOkh4oSRipPAOPTUdPYpQTe0rA1LiyBADnpOeEOc4sEeKoTGaMgqmSXd6sFNnsjxsspmJ6p%2F0NL9s",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229700&Signature=bWnonefGUZtYeK3iLEK3l6B1K8s5LAANJsHqgu2f0adNPoq5aO1WnMIFL001ZRPLhg3zHdzVWEliZbOKd464xRNceJ7qnwM2u%2BoTUWVsdG7sWp8m3KT9cy98h7ihyVxEJudR7SVtw3hFHyjnbgFd8um7IWE3l2SqVOMKxir6agkJHMAg85Uq%2B29m%2Fxor5i2T2eJagX5555p5VHGXCleUwHe47ThbWegYdvCtAeZOtTKyRSdkhAYjfh3BJ1x2dWJ2",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229786&Signature=xYXDEDJcly%2BwCTkFPUyrSr228UUue%2BCAjKBOxrc5lIwprWxivXrJrS40lCNF%2BKMLkA9i6z04spAOemhRUK66rLcdqghb9T%2FBO4LbtGMX%2B1PAsVhS%2BP4qygPXIHJ5%2B8wxoZW2tYaq0ZvgAT6JnxbkWd5C0zOxXk%2F9hT6Vp9O5ikL6ZfyZ6slwyrcaPf2dQp0s8qV47TDrYLbF3PtfUd7Gqo1FH%2BCeT2v3waoi7mEQ%2BR",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229983&Signature=pjZPJEd79tkxjTOXjGMHb4Ed29a3OnC2MaGvoEp2E%2BtUNlKu%2BjXXLzR8Y%2FZlOZH1iQYAVjw%2BGSPneb4wnbT1VPNraQ3Xf5M6aAPdM6%2FksMddUDZcLVnFuSdgwU93ADeZobmWXc%2BJH1%2FguUu9OPzHo0G%2BgRmTNqH9qd3UF67OJAc5REJ07uMtzQuuBx6rXGruAKZEVmDJkBSj%2BYeGTwZmIa5rki62YowEiVDCcQ",
"https://vtbehaviour.commondatastorage.googleapis.com/a77a417f32cbded88f0d4e3663963a8965e72a25398acc329d907143e4ac3b23_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776230863&Signature=MAUJlRZPDmQ8L%2FN5a%2F5%2FFKR6Avr46BE%2BopAgWZomEP4ZjskOPFdqUdHqNnWlGWBv%2FQh4X7Z7p3aft1KWZdvUXnSZMerAL7Kuh%2BCK%2BLXLSALQZ9DL6ZpXdOktgaTxL6heoTmcz%2FvpOVmsFn%2FgbzxQjLZ9GliY9AQE1C3VJAZmqdMbG1Y%2FIpByCKcEokrgAN%2B7XhJGE94VD8A4luLzKvlyVYuqoFv6raDRdQMFBOXOJCXkyjJk",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776230932&Signature=xa5mbsGixH6SGhj%2BdrfZBwVhiHGEybcZdAbHUfpoGoECgFwqMLudtOiuX7AZZO2RxSaIoY%2FOQa%2B7jGfS%2FoeYRgjRTmAJCei6M172sbgIU6nRQdVDrqNeJXkSlr20Q1sW0%2B4gtImsebtle4ipmPMbrM6VDUWKjegUi8afL5a27GLZg9veVMc%2FI0aT1qx8EjsdITQ%2BSdvZoX39A%2FlC3j0gK6R9WcVdu3DEx6lxUHsOx3HPKk%2BJAZyZ",
"https://vtbehaviour.commondatastorage.googleapis.com/5db6524a52780ba7a4bd05e5faa20cbb7159f1c503394d850b5e95442357fb38_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776230974&Signature=zYx3MmXFQoBT4EG2nvG5OZiyNhwKxbZzjL6%2BNZgR4Vz%2FdHSEDvbVaSpxmWXWVYIvSYVfBhn1WxEelG4wi1yRrrS7CXwxSbXtv1E6hBhtT8u%2F%2Fj%2F4eRs2Jtulv5WvBY99pZ53qx9cvc8vV%2FgELVw%2Fy%2Bjat%2BN72%2BtX0XBhiiOt%2BtpVFkjl12ns9sbW6xNwzsrENkL5xhuctZ7TX2AX188SrJb9s5VM0wK7F8",
"https://vtbehaviour.commondatastorage.googleapis.com/00fa27f76beaca564ba93b54d2c468637c2b1dcb5568c4a597a08068af36cda5_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776231578&Signature=NwCoyWHAZRo4FS0XqNnT7d8ki2ytuinY7CisegY4Mq1T5JctWpC4Kee1LG6L3Tmb8%2BfW9yMZq0ChSvSYUjdDTFzNYQoq8vKxf8iGkMy%2BmOA3tSAu3gbLWS2bTtDjc4TFrtK0PKow3hO0FW0QtCkt9NPBi%2BPgoW7MXYIZ3uFt9ARoi%2FY1ChJZdBRtdii1C%2BWEDeLCIQ9xOpDRKxdYBmliuWm6kmeld%2F5yh1%2FSBDYYTOMDDZwzdDUr%2FB",
"https://vtbehaviour.commondatastorage.googleapis.com/000c8c89cace706e71df3b230abb53b0891757e08e1d10013ba76d98a3b08622_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776231935&Signature=wI0FB9EBFXXgWFo0thv9T11BAEOIJxW%2BSMCRUhCv8%2FEaaWaZhr975NH1qjEeFwIgm3cWdqm8KhXTxkbqGddaPoKiIoe59pX4ZVhr0LmnSTGFTFkLVGsGIajJCSutHgqOs6kW5KtDpyC67KxlAF1IA858Tz7eOXxYk3JYsf5g9iC%2BhkfqrDGGucK%2BDxtYZbIvDRb3QxLpD2qtF4NVPFoO38H3aJon0pykwGkrRNU0Pae%2F5YyJjl6m",
"https://vtbehaviour.commondatastorage.googleapis.com/f403bda8d1840e13c382804876bddf5521304bbbe01d8c127e9b482baf4db923_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776232147&Signature=qctdwqGOIWSBEBix28Qxr45GEATFVdZTkDPbDIdJUHZ668NUB29x7xOOu3BZACgBBczicReTkIygLYXiDb20rGtoja2iQxFCTOWE4%2FLwc9Nxh7I1%2FSoHR6%2Bi5Wk4XJTAcdzAGeExua8rUKoFT5sIKrtv83PwbAvTCO7GvcydYPqGs2mLLbQhp7372gRlMAdZg6XILhNRYSlLjZKO%2BpqkBfkK8qpwy%2BaB6%2BDnSqhM%2BVFxaWXh",
"https://vtbehaviour.commondatastorage.googleapis.com/106d36306f3b9357ff409aa1e41521243092c85e8e92fee633b033c9753e98a6_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776232356&Signature=dOUaP3bH%2F2XkNjkbn9FzySukzQbvCwdZKL3t4DjYw8QyaWjsDXs4zMrVafpcb0nOty%2Ff6lOTZkHbIBpyOnKxL9VoqGlftDb03fLBfKM96ov1%2B%2F7gAUJtMfAdk9BUBNUNda9t16wrDNGAVeGod5gZULkmaRB%2BSYwitpYbdZZw9oqT6GM86gMSQdng8tKJ5jvB7qzOr5k3fD2VUuTDsvjZN4f0hncuHKTT6LK4T2FPew5lUi44QzME",
"https://vtbehaviour.commondatastorage.googleapis.com/003c70373fd8307426c9597ea691d0065e4b17fbeaea25155d3180d59d19aecd_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776235521&Signature=XyL%2BziErEMLdDGzpkOrsFWzF%2Bs8%2F%2BHa%2Ft1S5%2FfgkdYZVZNUoI9ouy4IwZLiV4Fi2woIHU9YMnGYvqC6u0SHx0R%2FTbBYsAWIRLcS0jXCiNEz33EKRDTLcQqaAqg1bgEzbagC8RvfUjg5sQp8chQSkn3nYGGovJ1W9KDWu39peg7l0wU95LMSY%2BtbjEdzA0ghSq8IG%2BBSGkETgfJdXrKjyTRw1x5DEwN%2BENKfa54%2FmxDHO7iP3",
"https://vtbehaviour.commondatastorage.googleapis.com/003c70373fd8307426c9597ea691d0065e4b17fbeaea25155d3180d59d19aecd_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776235484&Signature=hjxNiAS7V%2Bsk78jk2ksTamwBDr%2Bbip09k8w%2FY%2FkvqfB676c53pmH%2Fwa7Py9BXy9tIptTKWA5SsC3Zck6ghdFqW3CcffOr0qRIsUIFknMfbuE3oC4UsaSuLoa%2B54UO0%2FJMTN9B5Y1HSbWJqFkxVX1WVQ5ry5yt9yJUK3m0DTRx9bsJ%2FoCKT3ionJdg5tZcst941SNesx3DRgpuAQmN9UVlNpRNCEwutgqN8XoC4EnI5l6Nt"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1203",
"name": "Exploitation for Client Execution",
"display_name": "T1203 - Exploitation for Client Execution"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1003",
"name": "OS Credential Dumping",
"display_name": "T1003 - OS Credential Dumping"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1014",
"name": "Rootkit",
"display_name": "T1014 - Rootkit"
},
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1485",
"name": "Data Destruction",
"display_name": "T1485 - Data Destruction"
},
{
"id": "T1496",
"name": "Resource Hijacking",
"display_name": "T1496 - Resource Hijacking"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1542",
"name": "Pre-OS Boot",
"display_name": "T1542 - Pre-OS Boot"
},
{
"id": "T1564",
"name": "Hide Artifacts",
"display_name": "T1564 - Hide Artifacts"
},
{
"id": "T1016",
"name": "System Network Configuration Discovery",
"display_name": "T1016 - System Network Configuration Discovery"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1547",
"name": "Boot or Logon Autostart Execution",
"display_name": "T1547 - Boot or Logon Autostart Execution"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1134",
"name": "Access Token Manipulation",
"display_name": "T1134 - Access Token Manipulation"
},
{
"id": "T1046",
"name": "Network Service Scanning",
"display_name": "T1046 - Network Service Scanning"
},
{
"id": "T1539",
"name": "Steal Web Session Cookie",
"display_name": "T1539 - Steal Web Session Cookie"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 5178,
"IPv4": 571,
"URL": 5163,
"FileHash-MD5": 1546,
"FileHash-SHA1": 381,
"domain": 1818,
"hostname": 3413,
"email": 22,
"URI": 2,
"IPv6": 15,
"CVE": 1
},
"indicator_count": 18110,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 46,
"modified_text": "2 hours ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69de69fe42542016114edaeb",
"name": "VirusTotal report\n for document.html",
"description": "A full report on malicious code found in an HTML file, compiled by Adobe, has been published by the University of California, San Francisco, at \u00c2\u00a31.5m (US$2.3m).",
"modified": "2026-04-15T07:18:09.038000",
"created": "2026-04-14T16:23:26.071000",
"tags": [
"license",
"performs dns",
"mitre attack",
"network info",
"processes extra",
"t1055 process",
"overview",
"overview zenbox",
"verdict",
"guest system",
"phishing",
"next",
"script",
"adobe",
"apache license",
"version",
"unless",
"as is",
"basis",
"any kind",
"doctype html",
"meta",
"body",
"pe file",
"binary",
"aslr",
"ole file",
"cname",
"strong",
"library",
"accept",
"cape sandbox",
"pdb path",
"name",
"address virtual",
"ip address",
"shutdown",
"pe32",
"ms windows",
"win16 ne",
"os2 executable",
"generic windos",
"executable",
"dos executable",
"pe64 compiler",
"ltcgc",
"linker",
"windows third",
"party component",
"valid from",
"valid",
"valid usage",
"whql crypto",
"code signing",
"algorithm",
"thumbprint",
"serial number",
"more"
],
"references": [
"https://vtbehaviour.commondatastorage.googleapis.com/d11869fdfbf4bd87085e351b24d2c0e2ba5813fa267b05d969d9d2e46685d113_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776183621&Signature=uQSwwOzpii%2FcKjaUt3UZ%2FKZ3C4DkSr3t5dURsz2pP4Es9CFMIWEz6oIAcURcfVri02K%2BedntrmLkvOs6c3g0yFcdgd9a82ARJF9jS5mDQGPXq9y54iiFvjgN98zNT%2BgoGoBF3IxeSAWO47BNwqYPY%2FzaVM0Pv14iXCBltAIH2Ss8R0OYrQytKcQLW48ggBvdA6fDl9x78WtpptMgs9Eu85KAN0wwHvtcrRpd1notnOQZYiYBk1qaAWD4HSrr",
"https://vtbehaviour.commondatastorage.googleapis.com/d11869fdfbf4bd87085e351b24d2c0e2ba5813fa267b05d969d9d2e46685d113_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776183658&Signature=tGjgj1F2qTBNB3zHOFjuVYbUuozwv%2FUH29aF5d5gmEhofNVf4N5DfD%2BmI9DjozB0MrJ96DeCjGEoPRo7i9Whr%2BThEkSnRgHkjV%2FPWe7tUL3zkNeuKXjs4bWH8BIxmdFyqGSy4cKx99ymtQAp%2F8AWxhqd15coMoLM31YqCpn8PnzvKtYQnIORJQjfhTUdyhha%2FmWvy7gaHGpZvJpaXiyF4IlYWdn9uYy%2FOSAR5Sh3f4F8fX3v",
"https://vtbehaviour.commondatastorage.googleapis.com/000020331380e6110b5beba407728730579ebf170517913cc364e7dcb114187b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776183676&Signature=IqbnhkkWYeM6kbjfuoTYF2bD3VY52MzFCe5v2P6L5%2FvT66S4ZUFYI3vDp1VG9lGc%2BD%2FJ2J3U67VgV%2BLYeRFGqnQdkctuODu7CXIAc%2FhcLsIB1HWqR9qge57%2FDpdeQUbM%2BjuZ5TWqdfA%2Bqhc1jioTcgrPNBR3JE6M97q%2BxKrz4CUb3WIOfl1mIP91XjXy2cReTAKc%2FsLCnmEvrIFVXx%2BaFUCpCCMCRxF8QOMb67WRJ8hD0iaM",
"https://vtbehaviour.commondatastorage.googleapis.com/000020331380e6110b5beba407728730579ebf170517913cc364e7dcb114187b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776183694&Signature=ZUnl%2FqTfn6nD5eHS7RvwcH%2Fv5Vtm4wB5Yc0hpeinjJ4Mk3V9%2FRkc6%2BJNireFTPFGSOwaLYwemKQwQA0okh9hYBN5ncSDlB6OSnED3OnM3iZUQDEdLBwgYUEP3M%2Bsg0s2XOV36s1V20ivPLzQVUrRM7CkuEyCsyWm7CCJQGdJBRcsNfR1BsgAOtLpiC6WPKr4xFa5QUh6PSgoGNXSDtj1Mk6Gs9iyav6G%2FtZYVoM%2FBUfcGg8W"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1218",
"name": "Signed Binary Proxy Execution",
"display_name": "T1218 - Signed Binary Proxy Execution"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 16,
"FileHash-SHA1": 3,
"FileHash-SHA256": 175,
"IPv4": 47,
"URL": 113,
"hostname": 130,
"domain": 43
},
"indicator_count": 527,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 46,
"modified_text": "3 hours ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69de69e81ae5bd040f77c01f",
"name": "VirusTotal report\n for document.html",
"description": "A full report on malicious code found in an HTML file, compiled by Adobe, has been published by the University of California, San Francisco, at \u00c2\u00a31.5m (US$2.3m).",
"modified": "2026-04-15T04:32:57.563000",
"created": "2026-04-14T16:23:04.494000",
"tags": [
"license",
"performs dns",
"mitre attack",
"network info",
"processes extra",
"t1055 process",
"overview",
"overview zenbox",
"verdict",
"guest system",
"phishing",
"next",
"script",
"adobe",
"apache license",
"version",
"unless",
"as is",
"basis",
"any kind",
"doctype html",
"meta",
"body",
"pe file",
"binary",
"aslr",
"ole file",
"cname",
"strong",
"library",
"accept",
"cape sandbox",
"pdb path",
"name",
"address virtual",
"ip address",
"shutdown",
"pe32",
"ms windows",
"win16 ne",
"os2 executable",
"generic windos",
"executable",
"dos executable",
"pe64 compiler",
"ltcgc",
"linker",
"windows third",
"party component",
"valid from",
"valid",
"valid usage",
"whql crypto",
"code signing",
"algorithm",
"thumbprint",
"serial number",
"more"
],
"references": [
"https://vtbehaviour.commondatastorage.googleapis.com/d11869fdfbf4bd87085e351b24d2c0e2ba5813fa267b05d969d9d2e46685d113_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776183621&Signature=uQSwwOzpii%2FcKjaUt3UZ%2FKZ3C4DkSr3t5dURsz2pP4Es9CFMIWEz6oIAcURcfVri02K%2BedntrmLkvOs6c3g0yFcdgd9a82ARJF9jS5mDQGPXq9y54iiFvjgN98zNT%2BgoGoBF3IxeSAWO47BNwqYPY%2FzaVM0Pv14iXCBltAIH2Ss8R0OYrQytKcQLW48ggBvdA6fDl9x78WtpptMgs9Eu85KAN0wwHvtcrRpd1notnOQZYiYBk1qaAWD4HSrr",
"https://vtbehaviour.commondatastorage.googleapis.com/d11869fdfbf4bd87085e351b24d2c0e2ba5813fa267b05d969d9d2e46685d113_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776183658&Signature=tGjgj1F2qTBNB3zHOFjuVYbUuozwv%2FUH29aF5d5gmEhofNVf4N5DfD%2BmI9DjozB0MrJ96DeCjGEoPRo7i9Whr%2BThEkSnRgHkjV%2FPWe7tUL3zkNeuKXjs4bWH8BIxmdFyqGSy4cKx99ymtQAp%2F8AWxhqd15coMoLM31YqCpn8PnzvKtYQnIORJQjfhTUdyhha%2FmWvy7gaHGpZvJpaXiyF4IlYWdn9uYy%2FOSAR5Sh3f4F8fX3v",
"https://vtbehaviour.commondatastorage.googleapis.com/000020331380e6110b5beba407728730579ebf170517913cc364e7dcb114187b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776183676&Signature=IqbnhkkWYeM6kbjfuoTYF2bD3VY52MzFCe5v2P6L5%2FvT66S4ZUFYI3vDp1VG9lGc%2BD%2FJ2J3U67VgV%2BLYeRFGqnQdkctuODu7CXIAc%2FhcLsIB1HWqR9qge57%2FDpdeQUbM%2BjuZ5TWqdfA%2Bqhc1jioTcgrPNBR3JE6M97q%2BxKrz4CUb3WIOfl1mIP91XjXy2cReTAKc%2FsLCnmEvrIFVXx%2BaFUCpCCMCRxF8QOMb67WRJ8hD0iaM",
"https://vtbehaviour.commondatastorage.googleapis.com/000020331380e6110b5beba407728730579ebf170517913cc364e7dcb114187b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776183694&Signature=ZUnl%2FqTfn6nD5eHS7RvwcH%2Fv5Vtm4wB5Yc0hpeinjJ4Mk3V9%2FRkc6%2BJNireFTPFGSOwaLYwemKQwQA0okh9hYBN5ncSDlB6OSnED3OnM3iZUQDEdLBwgYUEP3M%2Bsg0s2XOV36s1V20ivPLzQVUrRM7CkuEyCsyWm7CCJQGdJBRcsNfR1BsgAOtLpiC6WPKr4xFa5QUh6PSgoGNXSDtj1Mk6Gs9iyav6G%2FtZYVoM%2FBUfcGg8W"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1218",
"name": "Signed Binary Proxy Execution",
"display_name": "T1218 - Signed Binary Proxy Execution"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 16,
"FileHash-SHA1": 3,
"FileHash-SHA256": 175,
"IPv4": 46,
"URL": 113,
"hostname": 130,
"domain": 43
},
"indicator_count": 526,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 46,
"modified_text": "6 hours ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69de69d60272ee6be0b6be75",
"name": "VirusTotal report\n for document.html",
"description": "A full report on malicious code found in an HTML file, compiled by Adobe, has been published by the University of California, San Francisco, at \u00c2\u00a31.5m (US$2.3m).",
"modified": "2026-04-15T04:32:43.593000",
"created": "2026-04-14T16:22:46.679000",
"tags": [
"license",
"performs dns",
"mitre attack",
"network info",
"processes extra",
"t1055 process",
"overview",
"overview zenbox",
"verdict",
"guest system",
"phishing",
"next",
"script",
"adobe",
"apache license",
"version",
"unless",
"as is",
"basis",
"any kind",
"doctype html",
"meta",
"body",
"pe file",
"binary",
"aslr",
"ole file",
"cname",
"strong",
"library",
"accept",
"cape sandbox",
"pdb path",
"name",
"address virtual",
"ip address",
"shutdown",
"pe32",
"ms windows",
"win16 ne",
"os2 executable",
"generic windos",
"executable",
"dos executable",
"pe64 compiler",
"ltcgc",
"linker",
"windows third",
"party component",
"valid from",
"valid",
"valid usage",
"whql crypto",
"code signing",
"algorithm",
"thumbprint",
"serial number",
"more"
],
"references": [
"https://vtbehaviour.commondatastorage.googleapis.com/d11869fdfbf4bd87085e351b24d2c0e2ba5813fa267b05d969d9d2e46685d113_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776183621&Signature=uQSwwOzpii%2FcKjaUt3UZ%2FKZ3C4DkSr3t5dURsz2pP4Es9CFMIWEz6oIAcURcfVri02K%2BedntrmLkvOs6c3g0yFcdgd9a82ARJF9jS5mDQGPXq9y54iiFvjgN98zNT%2BgoGoBF3IxeSAWO47BNwqYPY%2FzaVM0Pv14iXCBltAIH2Ss8R0OYrQytKcQLW48ggBvdA6fDl9x78WtpptMgs9Eu85KAN0wwHvtcrRpd1notnOQZYiYBk1qaAWD4HSrr",
"https://vtbehaviour.commondatastorage.googleapis.com/d11869fdfbf4bd87085e351b24d2c0e2ba5813fa267b05d969d9d2e46685d113_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776183658&Signature=tGjgj1F2qTBNB3zHOFjuVYbUuozwv%2FUH29aF5d5gmEhofNVf4N5DfD%2BmI9DjozB0MrJ96DeCjGEoPRo7i9Whr%2BThEkSnRgHkjV%2FPWe7tUL3zkNeuKXjs4bWH8BIxmdFyqGSy4cKx99ymtQAp%2F8AWxhqd15coMoLM31YqCpn8PnzvKtYQnIORJQjfhTUdyhha%2FmWvy7gaHGpZvJpaXiyF4IlYWdn9uYy%2FOSAR5Sh3f4F8fX3v",
"https://vtbehaviour.commondatastorage.googleapis.com/000020331380e6110b5beba407728730579ebf170517913cc364e7dcb114187b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776183676&Signature=IqbnhkkWYeM6kbjfuoTYF2bD3VY52MzFCe5v2P6L5%2FvT66S4ZUFYI3vDp1VG9lGc%2BD%2FJ2J3U67VgV%2BLYeRFGqnQdkctuODu7CXIAc%2FhcLsIB1HWqR9qge57%2FDpdeQUbM%2BjuZ5TWqdfA%2Bqhc1jioTcgrPNBR3JE6M97q%2BxKrz4CUb3WIOfl1mIP91XjXy2cReTAKc%2FsLCnmEvrIFVXx%2BaFUCpCCMCRxF8QOMb67WRJ8hD0iaM",
"https://vtbehaviour.commondatastorage.googleapis.com/000020331380e6110b5beba407728730579ebf170517913cc364e7dcb114187b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776183694&Signature=ZUnl%2FqTfn6nD5eHS7RvwcH%2Fv5Vtm4wB5Yc0hpeinjJ4Mk3V9%2FRkc6%2BJNireFTPFGSOwaLYwemKQwQA0okh9hYBN5ncSDlB6OSnED3OnM3iZUQDEdLBwgYUEP3M%2Bsg0s2XOV36s1V20ivPLzQVUrRM7CkuEyCsyWm7CCJQGdJBRcsNfR1BsgAOtLpiC6WPKr4xFa5QUh6PSgoGNXSDtj1Mk6Gs9iyav6G%2FtZYVoM%2FBUfcGg8W"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1218",
"name": "Signed Binary Proxy Execution",
"display_name": "T1218 - Signed Binary Proxy Execution"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 16,
"FileHash-SHA1": 3,
"FileHash-SHA256": 175,
"IPv4": 45,
"URL": 111,
"hostname": 130,
"domain": 42
},
"indicator_count": 522,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 46,
"modified_text": "6 hours ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69de69d6c23c1920ae49419b",
"name": "VirusTotal report\n for document.html",
"description": "A full report on malicious code found in an HTML file, compiled by Adobe, has been published by the University of California, San Francisco, at \u00c2\u00a31.5m (US$2.3m).",
"modified": "2026-04-15T04:32:41.929000",
"created": "2026-04-14T16:22:46.723000",
"tags": [
"license",
"performs dns",
"mitre attack",
"network info",
"processes extra",
"t1055 process",
"overview",
"overview zenbox",
"verdict",
"guest system",
"phishing",
"next",
"script",
"adobe",
"apache license",
"version",
"unless",
"as is",
"basis",
"any kind",
"doctype html",
"meta",
"body",
"pe file",
"binary",
"aslr",
"ole file",
"cname",
"strong",
"library",
"accept",
"cape sandbox",
"pdb path",
"name",
"address virtual",
"ip address",
"shutdown",
"pe32",
"ms windows",
"win16 ne",
"os2 executable",
"generic windos",
"executable",
"dos executable",
"pe64 compiler",
"ltcgc",
"linker",
"windows third",
"party component",
"valid from",
"valid",
"valid usage",
"whql crypto",
"code signing",
"algorithm",
"thumbprint",
"serial number",
"more"
],
"references": [
"https://vtbehaviour.commondatastorage.googleapis.com/d11869fdfbf4bd87085e351b24d2c0e2ba5813fa267b05d969d9d2e46685d113_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776183621&Signature=uQSwwOzpii%2FcKjaUt3UZ%2FKZ3C4DkSr3t5dURsz2pP4Es9CFMIWEz6oIAcURcfVri02K%2BedntrmLkvOs6c3g0yFcdgd9a82ARJF9jS5mDQGPXq9y54iiFvjgN98zNT%2BgoGoBF3IxeSAWO47BNwqYPY%2FzaVM0Pv14iXCBltAIH2Ss8R0OYrQytKcQLW48ggBvdA6fDl9x78WtpptMgs9Eu85KAN0wwHvtcrRpd1notnOQZYiYBk1qaAWD4HSrr",
"https://vtbehaviour.commondatastorage.googleapis.com/d11869fdfbf4bd87085e351b24d2c0e2ba5813fa267b05d969d9d2e46685d113_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776183658&Signature=tGjgj1F2qTBNB3zHOFjuVYbUuozwv%2FUH29aF5d5gmEhofNVf4N5DfD%2BmI9DjozB0MrJ96DeCjGEoPRo7i9Whr%2BThEkSnRgHkjV%2FPWe7tUL3zkNeuKXjs4bWH8BIxmdFyqGSy4cKx99ymtQAp%2F8AWxhqd15coMoLM31YqCpn8PnzvKtYQnIORJQjfhTUdyhha%2FmWvy7gaHGpZvJpaXiyF4IlYWdn9uYy%2FOSAR5Sh3f4F8fX3v",
"https://vtbehaviour.commondatastorage.googleapis.com/000020331380e6110b5beba407728730579ebf170517913cc364e7dcb114187b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776183676&Signature=IqbnhkkWYeM6kbjfuoTYF2bD3VY52MzFCe5v2P6L5%2FvT66S4ZUFYI3vDp1VG9lGc%2BD%2FJ2J3U67VgV%2BLYeRFGqnQdkctuODu7CXIAc%2FhcLsIB1HWqR9qge57%2FDpdeQUbM%2BjuZ5TWqdfA%2Bqhc1jioTcgrPNBR3JE6M97q%2BxKrz4CUb3WIOfl1mIP91XjXy2cReTAKc%2FsLCnmEvrIFVXx%2BaFUCpCCMCRxF8QOMb67WRJ8hD0iaM",
"https://vtbehaviour.commondatastorage.googleapis.com/000020331380e6110b5beba407728730579ebf170517913cc364e7dcb114187b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776183694&Signature=ZUnl%2FqTfn6nD5eHS7RvwcH%2Fv5Vtm4wB5Yc0hpeinjJ4Mk3V9%2FRkc6%2BJNireFTPFGSOwaLYwemKQwQA0okh9hYBN5ncSDlB6OSnED3OnM3iZUQDEdLBwgYUEP3M%2Bsg0s2XOV36s1V20ivPLzQVUrRM7CkuEyCsyWm7CCJQGdJBRcsNfR1BsgAOtLpiC6WPKr4xFa5QUh6PSgoGNXSDtj1Mk6Gs9iyav6G%2FtZYVoM%2FBUfcGg8W"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1218",
"name": "Signed Binary Proxy Execution",
"display_name": "T1218 - Signed Binary Proxy Execution"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 16,
"FileHash-SHA1": 3,
"FileHash-SHA256": 175,
"IPv4": 46,
"URL": 114,
"hostname": 130,
"domain": 44
},
"indicator_count": 528,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 46,
"modified_text": "6 hours ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69de69d63c6bc7ab66605f86",
"name": "VirusTotal report\n for document.html",
"description": "A full report on malicious code found in an HTML file, compiled by Adobe, has been published by the University of California, San Francisco, at \u00c2\u00a31.5m (US$2.3m).",
"modified": "2026-04-15T04:31:49.137000",
"created": "2026-04-14T16:22:46.502000",
"tags": [
"license",
"performs dns",
"mitre attack",
"network info",
"processes extra",
"t1055 process",
"overview",
"overview zenbox",
"verdict",
"guest system",
"phishing",
"next",
"script",
"adobe",
"apache license",
"version",
"unless",
"as is",
"basis",
"any kind",
"doctype html",
"meta",
"body",
"pe file",
"binary",
"aslr",
"ole file",
"cname",
"strong",
"library",
"accept",
"cape sandbox",
"pdb path",
"name",
"address virtual",
"ip address",
"shutdown",
"pe32",
"ms windows",
"win16 ne",
"os2 executable",
"generic windos",
"executable",
"dos executable",
"pe64 compiler",
"ltcgc",
"linker",
"windows third",
"party component",
"valid from",
"valid",
"valid usage",
"whql crypto",
"code signing",
"algorithm",
"thumbprint",
"serial number",
"more"
],
"references": [
"https://vtbehaviour.commondatastorage.googleapis.com/d11869fdfbf4bd87085e351b24d2c0e2ba5813fa267b05d969d9d2e46685d113_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776183621&Signature=uQSwwOzpii%2FcKjaUt3UZ%2FKZ3C4DkSr3t5dURsz2pP4Es9CFMIWEz6oIAcURcfVri02K%2BedntrmLkvOs6c3g0yFcdgd9a82ARJF9jS5mDQGPXq9y54iiFvjgN98zNT%2BgoGoBF3IxeSAWO47BNwqYPY%2FzaVM0Pv14iXCBltAIH2Ss8R0OYrQytKcQLW48ggBvdA6fDl9x78WtpptMgs9Eu85KAN0wwHvtcrRpd1notnOQZYiYBk1qaAWD4HSrr",
"https://vtbehaviour.commondatastorage.googleapis.com/d11869fdfbf4bd87085e351b24d2c0e2ba5813fa267b05d969d9d2e46685d113_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776183658&Signature=tGjgj1F2qTBNB3zHOFjuVYbUuozwv%2FUH29aF5d5gmEhofNVf4N5DfD%2BmI9DjozB0MrJ96DeCjGEoPRo7i9Whr%2BThEkSnRgHkjV%2FPWe7tUL3zkNeuKXjs4bWH8BIxmdFyqGSy4cKx99ymtQAp%2F8AWxhqd15coMoLM31YqCpn8PnzvKtYQnIORJQjfhTUdyhha%2FmWvy7gaHGpZvJpaXiyF4IlYWdn9uYy%2FOSAR5Sh3f4F8fX3v",
"https://vtbehaviour.commondatastorage.googleapis.com/000020331380e6110b5beba407728730579ebf170517913cc364e7dcb114187b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776183676&Signature=IqbnhkkWYeM6kbjfuoTYF2bD3VY52MzFCe5v2P6L5%2FvT66S4ZUFYI3vDp1VG9lGc%2BD%2FJ2J3U67VgV%2BLYeRFGqnQdkctuODu7CXIAc%2FhcLsIB1HWqR9qge57%2FDpdeQUbM%2BjuZ5TWqdfA%2Bqhc1jioTcgrPNBR3JE6M97q%2BxKrz4CUb3WIOfl1mIP91XjXy2cReTAKc%2FsLCnmEvrIFVXx%2BaFUCpCCMCRxF8QOMb67WRJ8hD0iaM",
"https://vtbehaviour.commondatastorage.googleapis.com/000020331380e6110b5beba407728730579ebf170517913cc364e7dcb114187b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776183694&Signature=ZUnl%2FqTfn6nD5eHS7RvwcH%2Fv5Vtm4wB5Yc0hpeinjJ4Mk3V9%2FRkc6%2BJNireFTPFGSOwaLYwemKQwQA0okh9hYBN5ncSDlB6OSnED3OnM3iZUQDEdLBwgYUEP3M%2Bsg0s2XOV36s1V20ivPLzQVUrRM7CkuEyCsyWm7CCJQGdJBRcsNfR1BsgAOtLpiC6WPKr4xFa5QUh6PSgoGNXSDtj1Mk6Gs9iyav6G%2FtZYVoM%2FBUfcGg8W"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1218",
"name": "Signed Binary Proxy Execution",
"display_name": "T1218 - Signed Binary Proxy Execution"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 16,
"FileHash-SHA1": 3,
"FileHash-SHA256": 175,
"IPv4": 43,
"URL": 110,
"hostname": 130,
"domain": 41
},
"indicator_count": 518,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 47,
"modified_text": "6 hours ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69de69d5a54cff2f8c80ba0b",
"name": "VirusTotal report\n for document.html",
"description": "A full report on malicious code found in an HTML file, compiled by Adobe, has been published by the University of California, San Francisco, at \u00c2\u00a31.5m (US$2.3m).",
"modified": "2026-04-15T02:26:49.492000",
"created": "2026-04-14T16:22:45.821000",
"tags": [
"license",
"performs dns",
"mitre attack",
"network info",
"processes extra",
"t1055 process",
"overview",
"overview zenbox",
"verdict",
"guest system",
"phishing",
"next",
"script",
"adobe",
"apache license",
"version",
"unless",
"as is",
"basis",
"any kind",
"doctype html",
"meta",
"body",
"pe file",
"binary",
"aslr",
"ole file",
"cname",
"strong",
"library",
"accept",
"cape sandbox",
"pdb path",
"name",
"address virtual",
"ip address",
"shutdown",
"pe32",
"ms windows",
"win16 ne",
"os2 executable",
"generic windos",
"executable",
"dos executable",
"pe64 compiler",
"ltcgc",
"linker",
"windows third",
"party component",
"valid from",
"valid",
"valid usage",
"whql crypto",
"code signing",
"algorithm",
"thumbprint",
"serial number",
"more"
],
"references": [
"https://vtbehaviour.commondatastorage.googleapis.com/d11869fdfbf4bd87085e351b24d2c0e2ba5813fa267b05d969d9d2e46685d113_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776183621&Signature=uQSwwOzpii%2FcKjaUt3UZ%2FKZ3C4DkSr3t5dURsz2pP4Es9CFMIWEz6oIAcURcfVri02K%2BedntrmLkvOs6c3g0yFcdgd9a82ARJF9jS5mDQGPXq9y54iiFvjgN98zNT%2BgoGoBF3IxeSAWO47BNwqYPY%2FzaVM0Pv14iXCBltAIH2Ss8R0OYrQytKcQLW48ggBvdA6fDl9x78WtpptMgs9Eu85KAN0wwHvtcrRpd1notnOQZYiYBk1qaAWD4HSrr",
"https://vtbehaviour.commondatastorage.googleapis.com/d11869fdfbf4bd87085e351b24d2c0e2ba5813fa267b05d969d9d2e46685d113_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776183658&Signature=tGjgj1F2qTBNB3zHOFjuVYbUuozwv%2FUH29aF5d5gmEhofNVf4N5DfD%2BmI9DjozB0MrJ96DeCjGEoPRo7i9Whr%2BThEkSnRgHkjV%2FPWe7tUL3zkNeuKXjs4bWH8BIxmdFyqGSy4cKx99ymtQAp%2F8AWxhqd15coMoLM31YqCpn8PnzvKtYQnIORJQjfhTUdyhha%2FmWvy7gaHGpZvJpaXiyF4IlYWdn9uYy%2FOSAR5Sh3f4F8fX3v",
"https://vtbehaviour.commondatastorage.googleapis.com/000020331380e6110b5beba407728730579ebf170517913cc364e7dcb114187b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776183676&Signature=IqbnhkkWYeM6kbjfuoTYF2bD3VY52MzFCe5v2P6L5%2FvT66S4ZUFYI3vDp1VG9lGc%2BD%2FJ2J3U67VgV%2BLYeRFGqnQdkctuODu7CXIAc%2FhcLsIB1HWqR9qge57%2FDpdeQUbM%2BjuZ5TWqdfA%2Bqhc1jioTcgrPNBR3JE6M97q%2BxKrz4CUb3WIOfl1mIP91XjXy2cReTAKc%2FsLCnmEvrIFVXx%2BaFUCpCCMCRxF8QOMb67WRJ8hD0iaM",
"https://vtbehaviour.commondatastorage.googleapis.com/000020331380e6110b5beba407728730579ebf170517913cc364e7dcb114187b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776183694&Signature=ZUnl%2FqTfn6nD5eHS7RvwcH%2Fv5Vtm4wB5Yc0hpeinjJ4Mk3V9%2FRkc6%2BJNireFTPFGSOwaLYwemKQwQA0okh9hYBN5ncSDlB6OSnED3OnM3iZUQDEdLBwgYUEP3M%2Bsg0s2XOV36s1V20ivPLzQVUrRM7CkuEyCsyWm7CCJQGdJBRcsNfR1BsgAOtLpiC6WPKr4xFa5QUh6PSgoGNXSDtj1Mk6Gs9iyav6G%2FtZYVoM%2FBUfcGg8W"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1218",
"name": "Signed Binary Proxy Execution",
"display_name": "T1218 - Signed Binary Proxy Execution"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 16,
"FileHash-SHA1": 3,
"FileHash-SHA256": 175,
"IPv4": 44,
"URL": 109,
"hostname": 130,
"domain": 41
},
"indicator_count": 518,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 47,
"modified_text": "8 hours ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69a02837827feb0b78fa3ad2",
"name": "The Belasco Chain",
"description": "The adversary delivers a masterclass in \"Regular Belasco\" stagecraft, utilizing authentic Adobe PIDs to construct a \"living library\" of legitimacy where mundane metadata like SOPHIA.json acts as Gatsby\u2019s \"real but uncut\" volumes to mask a hollowed-out interior. This is a triumph of performative evasion; while researchers marvel at the realism of the set-dressing, MSI50B8.tmp and MSI4F2F.tmp wait in the wings of the Windows\\Installer directory, invisible to the human eye and using NGEN hijacking to bake illicit scripts directly into the OS framework. By employing Cryptnet certificates as \"stage lighting\" to mask C2 handshakes, the malware doesn't just attend the system\u2019s party\u2014it rewrites the invitation to own the house. Unlike the tragic end at West Egg, this Belasco chain is a play that refuses to end; it simply resets the stage, ensuring the performance continues as long as the \"green light\" of the C2 remains active.",
"modified": "2026-04-15T02:26:33.948000",
"created": "2026-02-26T11:02:15.932000",
"tags": [
"file size",
"mwdb",
"bazaar",
"sha3384",
"ssdeep",
"file type",
"sha1",
"sha256",
"crc32",
"filenames c"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 2,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 2265,
"FileHash-SHA1": 2325,
"FileHash-SHA256": 6721,
"domain": 1774,
"hostname": 1219,
"URL": 910,
"email": 45,
"CVE": 34,
"CIDR": 3,
"YARA": 7,
"IPv4": 1
},
"indicator_count": 15304,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 52,
"modified_text": "8 hours ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69d967590f40c612c90ce84f",
"name": "TTB-Chained (Tehran-Transversal Belasco Chain) - Clone of My Own Post. Updated",
"description": "TTB-Chained executes a systemic collapse of the cryptographic chain of trust. Exploiting DNSSEC-unsigned protocols and .net edge nodes, it injects C++ payloads into the resolution chain prior to verification. Remediating via certificate expiration is ineffective; the architecture leverages systemic flaws in DMARC/SPF/DKIM and cryptographic handshake protocols to lock \"Hollow Library\" assets into the environment pre-enforcement, ensuring total detection evasion. The conduit utilizes a multi-umbrella transit strategy: Lumen (AS3356) + RIPE (37.97.254.27) + Fastly (151.101.130.159). These 63.16 KB \"hollowed\" assets masquerade as signed updates for total penetration. TTB-chained executes high-speed wipers targeting firmware/boot sectors, triggering complete corruption of hardware beyond restore. Once the root hosted in IP {53.xxx] is compromised and the pre-verified environment is saturated, the hardware is physically neutralized. -msudosos. See Belasco Chain for more.",
"modified": "2026-04-15T02:26:30.188000",
"created": "2026-04-10T21:10:49.749000",
"tags": [
"malicious",
"Microsoft",
"intent: reckless",
"wiper",
"Transip",
"bankers document gone rogue",
"Tehran",
"pdfkit.net",
"United",
"broken Docusign seal",
"esign violation",
"us lawyers",
"Iran",
"IP Abuse US",
"Spreader",
"corruption that spread",
"52.123.250.180",
"Mass Data Loss and exfiltration",
"Docusign exploited by insecure workflows",
"Adobe exploited by insecure workflows",
"threat map",
"Infra / healthcare / more at risk from this negligence",
"remediation: long. expire the certs. block 53..",
"accountability, NOW.",
"Burned",
"Kitplay",
"iOS",
"Watering hole",
"Webkit",
"Religious Regime",
"MS Office",
"Compliance Hold Purgatory",
"WIN EXE.32",
"Firmware neutral",
"Trusted Insider",
"DKIM, SPF, DMARC Failures",
"APKmirror",
"ILOVEYOUBABY",
"No Problems",
"Christmas Tree EXEC Code Red worm Computer virus Nimda",
"Wanna Cry",
"APK",
"DC RAT",
"Emotnet",
"Redline Swiper",
"Open Door",
"Bankers Document",
"Y2K",
"wsscript.exe, VBE",
"Compliance Lock Trap",
"Globalsign 2020 (potentially exploited)",
"Heuristic Smear",
"Gatsby Library Loader DLL",
"w31999",
"UofA"
],
"references": [
"The source of corruption stems from a US wiper/trust bypass doc resting an in Iranian node for C+C. Prelim Data supports this 'may' be misused by [some US lawyer, lower gov] for suppression and sale to Iran. I want to be explicit in saying, this is a few bad apples, not the majority.",
"People who exploit this put the US at risk. Bottom line.",
"Further threat mapping indicates the root of this lies at 52.123.250.[180]. The",
"For Record: This is not singular blame, while the origin of this root is the problem. It is not isolated.",
"This is reckless. This is dangerous. Us actors should be ashamed of themselves. #spreader",
"",
"IMPACT: https://www.virustotal.com/graph/g92989765f2d44094a4f25307e33fdef026650fe364c640f894bef43f2646a815",
"This document might expose someone, more than another.",
"Remediation: Long. Expire the certs. Block the IP for exfiltration 53. Audit 'badge' usage, ASAP.",
"Other Recs: Pull every Micro Compliance Hold Email. This is a trap. The problem likely resides there.",
"Micro - Dates to look for specific: April/May/June 2025",
"Sectigo- Check abnormal patterns Sept 8, 2025 and ADT check alarms that went off",
"Amazon- Check new cert subscribers on or around Sept 15 2025",
"Entrust to Sectigo- Review vendors",
"Apple: Look at Devs around Aug 20-sept 15 2025 abnormalities",
"CA DMV- 2020 exploits, if even exist in your records, may be related.",
"Digi/Global Sign - audit 2020 digital intersect",
"Proton.me/Zenbox: Audit July 2025",
"Google- look at 202 to Icloud docs likely feb 2025 but possible Dec 24, jan 25 up until June 2025",
"APKMirror https://www.apkmirror.com",
"Google Docs 1.25.202.02 APK Download by Google LLC",
"The ILOVEYOU virus, released on May 4, 2000, - PDKIT.net May 4, 2025.",
"Y2K",
"US, Philippines, Ukraine, Iran, China. Alberta.",
"France",
"Germany, Austria, and Switzerland GmbH",
"Gatsby Library Loader, DLL",
"Spellbinding! Indeed. SpellEditor.exe"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [
"Government",
"Telecommunications"
],
"TLP": "green",
"cloned_from": "69a82c54067ca1d502b1eb6c",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 2278,
"hostname": 816,
"CVE": 7,
"URL": 1197,
"domain": 830,
"IPv4": 493,
"FileHash-MD5": 685,
"FileHash-SHA1": 683,
"CIDR": 4,
"email": 27,
"IPv6": 2,
"JA3": 1
},
"indicator_count": 7023,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 47,
"modified_text": "8 hours ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69d98d5e88461ed06547690c",
"name": "CAPE ***** GRAMMERsoft. Love Letter ****",
"description": "A Cuckoo has been running on Microsoft's Windows operating system for the past two years. the last time it did so, and the first time in the history of the Windows platform.\n\nUser Notes a Cryptic Message: Killing Eve, Vanishing Triangle. Recent Comment on Belasco Chain is of interest given spellbound.exe...\nUR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR N4XT.txt",
"modified": "2026-04-15T02:26:28.642000",
"created": "2026-04-10T23:53:02.973000",
"tags": [
"cname",
"p2404",
"accept",
"default",
"host",
"strong",
"library",
"p11776139675",
"gmt range",
"p11776090280",
"shutdown",
"generic",
"bits",
"next ur",
"file type",
"ascii text",
"crlf line",
"ms windows",
"pe32",
"drops pe",
"intel",
"yara",
"sigma",
"njrat",
"malicious",
"darkcomet",
"code",
"delphi",
"dbatloader",
"loader",
"fraud",
"notpetya",
"killmbr",
"trojanransom",
"ransomware",
"next",
"settings",
"parent pid",
"full path",
"command line",
"mwdb",
"bazaar",
"sha3384",
"ssdeep",
"format",
"shell",
"payload",
"kevin",
"revengerat",
"aspack",
"vmprotect",
"meteorite",
"petya",
"infinitylock",
"redline",
"remcos",
"javadropper",
"lokibot",
"guard",
"mono",
"eternalromance",
"exploit",
"badrabbit",
"windows sandbox",
"calls process",
"vbcrlf",
"error resume",
"next dim",
"page",
"loveletter",
"script",
"createobject",
"html",
"meta",
"name",
"title",
"body",
"iloveyou",
"generator",
"philippines",
"loop",
"@grammersoft",
"calls clear",
"ip address",
"cape sandbox",
"bootkit",
"t1055",
"t1497",
"error",
"back",
"pe file",
"network info",
"processes extra",
"sample",
"aslr",
"performs dns",
"t1055 process",
"overview",
"mitre attack",
"overview zenbox",
"none rticon",
"pattern",
"none image",
"file size",
"entity",
"winmm",
"dword",
"locale",
"screensaver",
"alexa",
"stars",
"crypt32",
"ddraw",
"winsta",
"ip traffic",
"lockfile"
],
"references": [
"https://vtbehaviour.commondatastorage.googleapis.com/7395f24f709e2c947593e7124f0107a17bf71f9eff782433f00e9aae27edf6fc_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864018&Signature=fW5cvq8BOIX%2B2wxwBzAnPprHnokOWVWFu4uUJExK8GQG4mwnYf4GO7RCTnuImm3XpXxgU8V7gYbsu%2BSquaGgkh2o8me6vmt8Y%2BhL0j%2BUgRrp8B0qJtHMkSgtfk6doVdGoZ%2FqES823Eiqebeb3NlVMD6tixYW2GDpyliHNL6uGNgIyf2BQZppexftzMN9M2BQhralGJjFZ9Q4XeAi1DalrEfIsb7erXBxVINEYJUbRaapAeQ0Aff8",
"https://vtbehaviour.commondatastorage.googleapis.com/7737f90de7e9fc0935561c017e9ddc4a58337ebc25873f0bbcfe860790f3f888_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864214&Signature=Vf0JKebhqo0MUHhpU%2B3Xut2g8SN7IheaL%2FNfOTLj1y8v1aHrjA6QI2jq%2BIVJeWXo8%2Fzpj%2Bd3DpryffdQjNsuRSSn06dSJy%2FvNi5F67wa1RiaanLuxRRK0cWKKrWO9ZQGXVWal8%2BNCVTaMRdhHmkbFou6FA67a1owXMn0IdsdZYIAwgumeuvrMsbnKKkOcd4GucEGy0d9oj63SbZGI%2BwjT5BPH2Tq3O%2BQM%2BPv3XWuZ71sfOOGgD",
"https://vtbehaviour.commondatastorage.googleapis.com/7737f90de7e9fc0935561c017e9ddc4a58337ebc25873f0bbcfe860790f3f888_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864361&Signature=veuhxaGctQeo8%2Fn4rw%2B0WB9QOIg%2BQ1N8MB7v3DwF%2B62SjERN%2FRvB6TDfvUUTTliDHAoHz3fjS19CbwtV1Unc1am%2B%2BFc7y%2FvbN%2FI2hV89mw0rCJH%2FQO9AEkKW%2BarXuvgc%2FhRwTho4ZnesEmMpmyTKqbGVDug%2BytkzAr9LluXTWzriWnG1JT1EudSc4CRQEorYeNyPlA7BPaIKmulDdM5whcIEVDFq4ZCywyfT",
"https://vtbehaviour.commondatastorage.googleapis.com/7737f90de7e9fc0935561c017e9ddc4a58337ebc25873f0bbcfe860790f3f888_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864415&Signature=yAuZC%2F0HyuJxAQj5f%2FwTa1Eqod6JZKHa9bO0gU6Ir2r2sU2JlNQAvQ0O%2BFC6DWExjg2voi81c%2BEzsk9tDAFyL3WwgJgMTlIvg%2FNT9PRWENEAYOilGjGtzrdzRhMpMzKw7NL5oxGr6hAdndZJ5lY7UvJoIjDp7nDn85EoO4RRNxFKeP4qCsczXGv2%2B9bnOXeGn0HHTaDp8I7UEq7FDpEPmij1KfxHmftv85TcFdOHNt0L",
"https://vtbehaviour.commondatastorage.googleapis.com/556700ac50ffa845e5de853498242ee5abb288eb5b8ae1ae12bfdb5746e3b7b1_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864574&Signature=bMyayDFFBh9o7SKCdDEmOXLxG1DU4rSM%2FUEOzGrynPSC%2BtV0OxoHoTrSpk4WhCDb9aQtdHkWrbkt3dDAaYhnHSbvWbBqT%2BVfVwWUnst5sI142wOEd2vg4qTum281LBoJ295gTb%2BQKnfTPGXmTW5k9G5L%2FAV%2BegT4neE2xS%2Ba0Daru1OpFYTEq2Cyb0sH66jGRSTHDjHVJaHtZyYTLXjj5Q8rrEBxbDSD0Eh1XqpNLKqoMXQ7",
"https://vtbehaviour.commondatastorage.googleapis.com/556700ac50ffa845e5de853498242ee5abb288eb5b8ae1ae12bfdb5746e3b7b1_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864647&Signature=mDHtSOi0zOPuqTTrMsZZ%2BVpqtKq5cnDBge5WCtUppoR8EfcB14tzbezXHfWuEIyjLzT5N3b8WzssT3rIN76R8yEfCMMe32RXWxX3B5Tz%2FF%2BmLQ95M2ysgIHlBEnV4ndYMRbPmJgfEV8X1at%2BQxGaOWCwifeB%2Fjd9hGk0jPWA9aLGj4Lleu%2FzV%2FyljXp2Ncxquv54TyDh55F0W1W0QD9R4i1VpZqh2UpnvpCi8RSM16",
"https://vtbehaviour.commondatastorage.googleapis.com/998cd8dcaf876dc66946e1c5f22ef7b8e3ea8de99cd8332d088a9b285fb2f1f7_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864769&Signature=OXXYebSn84nlH1%2FBD4aluVAmCHvma4vurcZhV0H%2B7L8wRtgwWjBRClGbWiS8DnrNVxrwDxScAikU0APxe3iZCU90GclmHDodIz%2BlHFaDkBxBXUt9uyLA9BJmMbRGCKuRj4Vm7MMGUwm7WUwB1UNLqYgq41X0c%2BIhgFvAjtxWMyGnXjvvbgLGXYNo7MTwWLWshQg%2B3UXSqVmivHQAKBmQD75nvfJkl9SPx5GQ5GzjVY8pdgtPv0Ij",
"https://vtbehaviour.commondatastorage.googleapis.com/7395f24f709e2c947593e7124f0107a17bf71f9eff782433f00e9aae27edf6fc_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864790&Signature=QkiaGhOWFVTMnStxmaJJIVM9Z8cz0n2iUzL%2FmuCfsmMoY%2FI3LrqCLHlcuXzKKyDez5hRYK0DX3OkzaB4F89LFeO6CNQkxxgGBDkjCpg%2Fuyr2HtCZjkFFbEJONHPDJBkBB7JsVRdhR7RveUC2dBG7Wyna%2BF7NYrB3F8lJxQQCwlkFSUiIeF1H6fHA71w3QHiuw61QRe8qkpUK%2BNQfyAeYiLvIhNFj5g4j%2BRVk13k44QjeCxKog1rRZkdp%2",
"https://vtbehaviour.commondatastorage.googleapis.com/7395f24f709e2c947593e7124f0107a17bf71f9eff782433f00e9aae27edf6fc_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864829&Signature=SlvEBwegwTfog2bK9svG1CeSSKC94GD98%2FQ7qpBXL7TuHOZt2HhMLd7y8IOgotXMqWiH73xWxbA4jinuUaR5MXolnKuxM86Yy3LSmhMX0S2ZRoWHqqnWIwt02ajTrF%2Bgua0LjZ46ax%2Bqo86h%2Bpme2xYRpZXKhZpVUZBzvDkXraQGdqF1BQ7keV47Y5qESgu16FuxAkm0XbuzS8tqBeq7qAS0r8STul%2BnjFmFMq3OUE68K%2BSmAp",
"https://vtbehaviour.commondatastorage.googleapis.com/3e8cba5ce163a9275fe8d4e3f70fbc9815423b9a56b12e7fb03693731e359168_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864913&Signature=IouqGht2TIixfjPtpgKYXJa3ScKi4POLcjQ5l1QIvD%2FFa5zZyHMSYcu%2BxmFWI7uYljRPLlgpgSkRCmIw8EC4uFBI30ISHg83%2F50%2BiqTogu3I4rUpYoX3AQ7hXJwj%2Bz4YoYTt9SoS7jb9WfTUcNYHoIzY9ISoBzndPQfvv5155GpqsCvDXCT2Fd%2Byks95PB9FEdHE1SKYmlWsxPctfAYSIT2mOmBRTrxWO%2BrAUwTATD3cQts0",
"https://vtbehaviour.commondatastorage.googleapis.com/998cd8dcaf876dc66946e1c5f22ef7b8e3ea8de99cd8332d088a9b285fb2f1f7_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775865192&Signature=BypXbESJ8I4kqzj5KlF3FCin0434BxGjxXXofwkjyqQfBwNvYJTJGPpRPHnvqmntGoukqmPBezQdcv67hZUXulr885cbljCP90Y6P75SdRtlYOqDEOYGAVgLKOUxW3BGjKy%2FAqS6M0GC9KNsMLw%2FjOyC%2B2N%2F0AlIAyOTl0pX2Pbv6GgplZAbATne%2FCbkvUjwdxaeRv5iLmVrYtOdTVlljzdECcRiQ9rvqI3Aj27UR1qfuhS8vc%2",
"https://vtbehaviour.commondatastorage.googleapis.com/00143c38c4f0e4642e956235dac0f589c05c54100015c6f59d4825e9e8400eca_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775865231&Signature=wOONPZI5bCeW4bmQtYa7YV2UQnoPlndg3PkyxqT8OnVSk223qDWubHicrXJAcOXLFj%2FSynVv96i7h1PMkfbz2Ui0lcpPZUjU7sQhWM8wkR2WVoS3YjGgvTEi9pM1ugWhFqDaoNTlaPgNWTVjffc5d%2FPGpVtT6N45P0D2K0%2BEpNuScgpy64%2BrivKYv1pak5OuNuz9mQczkvh4JqLEna59MjTGN9sd5yDBto4EgIoaLYqnBpg8Zn9s2t"
],
"public": 1,
"adversary": "@GRAMMERSoft",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1014",
"name": "Rootkit",
"display_name": "T1014 - Rootkit"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1496",
"name": "Resource Hijacking",
"display_name": "T1496 - Resource Hijacking"
},
{
"id": "T1539",
"name": "Steal Web Session Cookie",
"display_name": "T1539 - Steal Web Session Cookie"
},
{
"id": "T1542",
"name": "Pre-OS Boot",
"display_name": "T1542 - Pre-OS Boot"
},
{
"id": "T1564",
"name": "Hide Artifacts",
"display_name": "T1564 - Hide Artifacts"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1064",
"name": "Scripting",
"display_name": "T1064 - Scripting"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1091",
"name": "Replication Through Removable Media",
"display_name": "T1091 - Replication Through Removable Media"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1120",
"name": "Peripheral Device Discovery",
"display_name": "T1120 - Peripheral Device Discovery"
},
{
"id": "T1219",
"name": "Remote Access Software",
"display_name": "T1219 - Remote Access Software"
},
{
"id": "T1486",
"name": "Data Encrypted for Impact",
"display_name": "T1486 - Data Encrypted for Impact"
},
{
"id": "T1490",
"name": "Inhibit System Recovery",
"display_name": "T1490 - Inhibit System Recovery"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1529",
"name": "System Shutdown/Reboot",
"display_name": "T1529 - System Shutdown/Reboot"
},
{
"id": "T1547",
"name": "Boot or Logon Autostart Execution",
"display_name": "T1547 - Boot or Logon Autostart Execution"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"IPv4": 513,
"FileHash-MD5": 613,
"FileHash-SHA1": 373,
"FileHash-SHA256": 569,
"URL": 465,
"hostname": 575,
"domain": 60,
"email": 3,
"CVE": 2,
"JA3": 1
},
"indicator_count": 3174,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 48,
"modified_text": "8 hours ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69b7241a63b7527ac2b04d60",
"name": "DoD_Cyber_Strategy | Umbald.A | Patched3_c.AKRV | DoD | Navy.mil extensions | Adult Content distribution [msudosos IoCs connects to]",
"description": "I became curious about an IoC found in a Pulse labeled \u2018undefined\u2019 by msudosos notated in references and in parenthesis below this text. I did deep research on msudosos IoC. \nhttps://www.cybercom.mil/Portals/56/Document\ns/Strategy/DoD_Cyber_Strategy_2023.pdf | Apparent cyber warfare. Distribution of pornography potentially. The only use I have seen the type of attacks used for is reputation damage. | I am going to stick with the \u2018undefined\u2019 label given by msudosos because I don\u2019t know the purpose for the alleged Navy. mil & DoD for porn distribution. It\u2019s not to ensnare child predators. Possibly quasi government access to deter potential claimants. Possible hacker involvement. Going with \u2018undefined\u2019 for the moment.\n\n[444ea032708bb0d940de0ef72b944244 | credit msudosos || Patched3_c.AKRV -> https://otx.alienvault.com/indicator/file/444ea032708bb0d940de0ef72b944244]",
"modified": "2026-04-14T18:06:37.524000",
"created": "2026-03-15T21:26:50.218000",
"tags": [
"man software",
"destination",
"port",
"united",
"delete",
"read c",
"virustotal",
"patched3_c.akrv",
"armadillov171",
"dod",
"thinkman",
"win32",
"trojan",
"present mar",
"backdoor",
"urls",
"files",
"unknown",
"search",
"china as23724",
"asnone",
"artemis",
"zeppelin",
"drweb",
"vipre",
"panda",
"malware",
"suspicious",
"cloud",
"logic",
"et trojan",
"et info",
"download",
"windows",
"embeddedwb",
"shellexecuteexw",
"msie",
"windows nt",
"writeconsolew",
"displayname",
"service",
"ids detections",
"yara detections",
"crypt",
"medium",
"whitelisted",
"passive dns",
"worm",
"mtb may",
"mtb aug",
"otx logo",
"all ipv4",
"pulse pulses",
"dynamicloader",
"yara rule",
"ff d5",
"high",
"reg add",
"regsz d",
"write",
"file type",
"pexe",
"pe32",
"intel",
"ms windows",
"pe packer",
"pm size",
"pehash",
"richhash",
"learn",
"ck id",
"name tactics",
"informative",
"adversaries",
"command",
"defense evasion",
"spawns",
"found",
"over",
"sha256",
"sha1",
"ascii text",
"size",
"mitre att",
"pattern match",
"null",
"span",
"error",
"body",
"hybrid",
"general",
"local",
"path",
"click",
"strings",
"refresh",
"tools",
"title",
"show technique",
"look",
"verify",
"restart",
"t1480 execution",
"navy",
"reputation",
"adult content",
"cyber warfare"
],
"references": [
"AVDetections: Patched3_c.AKRV",
"Yara Detections: Armadillov171",
"Alerts: antiav_servicestop persistence_autorun network_bind antivirus_virustotal network_http",
"IP\u2019s Contacted: 8.8.8.8 78.46.218.253 74.208.229.157 192.5.41.40",
"Contacted Domains: tick.usno.navy.mil www.thinkman.com",
"AS27064 DOD Network Information Center? | 192.5.41.40 | tick.usno.navy.mil tick.usno.navy.mil | United States",
"AS8560 1&1 ionos se | 74.208.229.157 | www.thinkman.com\twww.thinkman.com | United States",
"AS24940 hetzner online gmbh |78.46.218.253\t | static.253.218.46.78.clients.your-server.de | Germany",
"AS15169 google llc | 8.8.8.8\t| dns.google | United States",
"Email: d4@thinkman.com",
"Domain: navy.mil DNS Files IP Address: 192.5.41.40 Location: United States",
"ASN AS27064 dod network information center",
"Nameservers: dns5.disa.mil. , dns4.disa.mil. , squad.navo.mil. , crnaone.navy.mil. , dns1.disa.mil.",
"Nameservers: squid.navo. , squid.navo.mil. , dns2.disa.mil. , minnow.navo. , navy.mil. , dns3.disa.mil.",
"tick.usno.navy.mil , navy.mil: trojan:Win32/Tiggre!rfn Win.Trojan.Rootkit-4668 Win32:Agent-ALXE\\ [Rtk] Win32:Malware-gen",
"TrojanDownloader:Win32/Umbald.A\tMalware infection",
"IDS Detections: Win32/Tofsee.AX google.com connectivity check",
"Alerts: nolookup_communication persistence_autorun bypass_firewall network_http p2p_cnc",
"Alerts: allocates_rwx antivm_disk_size creates_exe creates_service suspicious_process",
"Alerts: stealth_window packer_entropy uses_windows_utilities",
"Alerts: console_output antivm_memory_available pe_features",
"Yara Detections: MS_Visual_Basic_6_0",
"Alerts: process_creation_suspicious_location injection_write_exe_process persistence_autorun",
"Alerts: procmem_yara static_pe_anomaly deletes_executed_files injection_runpe",
"Alerts: mouse_movement_detect dynamic_function_loading resumethread_remote_process",
"Alerts: injection_write_process reads_self stealth_window injection_rwx uses_windows_utilities",
"Alerts: queries_user_name queries_keyboard_layout queries_locale_api",
"Alerts: antidebug_setunhandledexceptionfilter dll_load_uncommon_file_types",
"porn.nonstopvideos.pl \u2022 xxx-xvideo.com \u2022 essexmetals.com",
"http://www.aerix.com/__media__/js/netsoltrademark.php?d=www.pornxxxgals.info/latex-porn/",
"navy.mil \u2022 http://acts.navair.navy.mil \u2022 http://logistics.navair.navy.mil/rcm/",
"https://www.cloud.mil/CVRC:/Users/joshua.colliflower/OneDrive/OneDrive%20-%20United%20States%20Department%20of%20the%20Navy/Documents/Archive%20Miscellaneous",
"192.5.41.40 scanning_host\t\u2022 74.208.229.157 scanning_host",
"444ea032708bb0d940de0ef72b944244 | credit msudosos",
"Patched3_c.AKRV -> https://otx.alienvault.com/indicator/file/444ea032708bb0d940de0ef72b944244",
"https://otx.alienvault.com/pulse/69b65d6a27024117a4cd3540 [credit msudosos]",
"https://www.cybercom.mil/Portals/56/Documents/Strategy/DoD_Cyber_Strategy_2023.pdf",
"DoD related: 192.5.41.40 scanning_host\t140.19.33.126 \u2022 199.9.2.136 \u2022 214.23.15.26",
"https://encore360.omeclk.com/portal/wts/ug^cnOmfy6edod--a.gif",
"https://encore360.omeclk.com/portal/wts/ug^cnOmfy6efyLw9|dod--a | (205.162.40.0/21) (Omeda Communications )",
"205.162.42.171 (205.162.40.0/21) AS 53866 ( Omeda Communications )",
"https://exchange.simply.ms/owa/auth/logon.aspx?url=https://exchange.simply.ms/owa/&reason=0",
"mailbox.co.za",
"fmx32.aig.com \u2022 167.230.105.81",
"https://otx.alienvault.com/indicator/url/https://gossip.thedirty.com/cdn-cgi/l/chk_jschl?s=04e9c17f33a895764287ae3918f54f016b353177-1551745661-1800-AWU4eGCIAWcUFRuFo2RAigESClCdCQ/9FJquPKplzHISR2zmIZSTluV/jEDBqANqdDORIXIACOwCScDYumaSt5kRHUKVAK4z6Wlo0HzAhetn"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Patched3_c.AKRV",
"display_name": "Patched3_c.AKRV",
"target": null
},
{
"id": "Win32:Agent-ALXE\\ [Rtk]",
"display_name": "Win32:Agent-ALXE\\ [Rtk]",
"target": null
},
{
"id": "Win.Trojan.Rootkit-4668",
"display_name": "Win.Trojan.Rootkit-4668",
"target": null
},
{
"id": "Trojan:Win32/Tiggre!rfn",
"display_name": "Trojan:Win32/Tiggre!rfn",
"target": "/malware/Trojan:Win32/Tiggre!rfn"
},
{
"id": "Win32:Malware-gen",
"display_name": "Win32:Malware-gen",
"target": null
},
{
"id": "Win32:Trojan-gen",
"display_name": "Win32:Trojan-gen",
"target": null
},
{
"id": "Backdoor:Win32/Tofsee.T",
"display_name": "Backdoor:Win32/Tofsee.T",
"target": "/malware/Backdoor:Win32/Tofsee.T"
},
{
"id": "Inject2.BIVE",
"display_name": "Inject2.BIVE",
"target": null
},
{
"id": "Crypt3.CHZW",
"display_name": "Crypt3.CHZW",
"target": null
},
{
"id": "Crypt3.BXVC",
"display_name": "Crypt3.BXVC",
"target": null
},
{
"id": "Crypt3.BXMJ",
"display_name": "Crypt3.BXMJ",
"target": null
},
{
"id": "Crypt3.BOQD\t\t Inject2.BHBW",
"display_name": "Crypt3.BOQD\t\t Inject2.BHBW",
"target": null
},
{
"id": "Crypt3.BMVU",
"display_name": "Crypt3.BMVU",
"target": null
},
{
"id": "Trojan.DownLoader12.43161",
"display_name": "Trojan.DownLoader12.43161",
"target": null
},
{
"id": "HEUR/UnSec",
"display_name": "HEUR/UnSec",
"target": null
},
{
"id": "ET Trojan",
"display_name": "ET Trojan",
"target": null
},
{
"id": "Win32:Trojan-gen",
"display_name": "Win32:Trojan-gen",
"target": null
},
{
"id": "TrojanDownloader:Win32/Umbald.A",
"display_name": "TrojanDownloader:Win32/Umbald.A",
"target": "/malware/TrojanDownloader:Win32/Umbald.A"
}
],
"attack_ids": [
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1014",
"name": "Rootkit",
"display_name": "T1014 - Rootkit"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1100",
"name": "Web Shell",
"display_name": "T1100 - Web Shell"
},
{
"id": "T1156",
"name": "Malicious Shell Modification",
"display_name": "T1156 - Malicious Shell Modification"
},
{
"id": "T1587.001",
"name": "Malware",
"display_name": "T1587.001 - Malware"
},
{
"id": "T1608.001",
"name": "Upload Malware",
"display_name": "T1608.001 - Upload Malware"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1046",
"name": "Network Service Scanning",
"display_name": "T1046 - Network Service Scanning"
},
{
"id": "T1001",
"name": "Data Obfuscation",
"display_name": "T1001 - Data Obfuscation"
},
{
"id": "T1048",
"name": "Exfiltration Over Alternative Protocol",
"display_name": "T1048 - Exfiltration Over Alternative Protocol"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1048.003",
"name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol",
"display_name": "T1048.003 - Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol"
},
{
"id": "T1011",
"name": "Exfiltration Over Other Network Medium",
"display_name": "T1011 - Exfiltration Over Other Network Medium"
},
{
"id": "T1048.001",
"name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol",
"display_name": "T1048.001 - Exfiltration Over Symmetric Encrypted Non-C2 Protocol"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
}
],
"industries": [
"Government",
"Military",
"Defense",
"Insurance"
],
"TLP": "white",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 165,
"FileHash-SHA1": 165,
"FileHash-SHA256": 3524,
"URL": 11424,
"email": 1,
"hostname": 3954,
"domain": 2523
},
"indicator_count": 21756,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 140,
"modified_text": "16 hours ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69de69d5c691473d692fac54",
"name": "VirusTotal report\n for document.html",
"description": "A full report on malicious code found in an HTML file, compiled by Adobe, has been published by the University of California, San Francisco, at \u00c2\u00a31.5m (US$2.3m).",
"modified": "2026-04-14T16:22:45.160000",
"created": "2026-04-14T16:22:45.160000",
"tags": [
"license",
"performs dns",
"mitre attack",
"network info",
"processes extra",
"t1055 process",
"overview",
"overview zenbox",
"verdict",
"guest system",
"phishing",
"next",
"script",
"adobe",
"apache license",
"version",
"unless",
"as is",
"basis",
"any kind",
"doctype html",
"meta",
"body",
"pe file",
"binary",
"aslr",
"ole file",
"cname",
"strong",
"library",
"accept",
"cape sandbox",
"pdb path",
"name",
"address virtual",
"ip address",
"shutdown",
"pe32",
"ms windows",
"win16 ne",
"os2 executable",
"generic windos",
"executable",
"dos executable",
"pe64 compiler",
"ltcgc",
"linker",
"windows third",
"party component",
"valid from",
"valid",
"valid usage",
"whql crypto",
"code signing",
"algorithm",
"thumbprint",
"serial number",
"more"
],
"references": [
"https://vtbehaviour.commondatastorage.googleapis.com/d11869fdfbf4bd87085e351b24d2c0e2ba5813fa267b05d969d9d2e46685d113_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776183621&Signature=uQSwwOzpii%2FcKjaUt3UZ%2FKZ3C4DkSr3t5dURsz2pP4Es9CFMIWEz6oIAcURcfVri02K%2BedntrmLkvOs6c3g0yFcdgd9a82ARJF9jS5mDQGPXq9y54iiFvjgN98zNT%2BgoGoBF3IxeSAWO47BNwqYPY%2FzaVM0Pv14iXCBltAIH2Ss8R0OYrQytKcQLW48ggBvdA6fDl9x78WtpptMgs9Eu85KAN0wwHvtcrRpd1notnOQZYiYBk1qaAWD4HSrr",
"https://vtbehaviour.commondatastorage.googleapis.com/d11869fdfbf4bd87085e351b24d2c0e2ba5813fa267b05d969d9d2e46685d113_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776183658&Signature=tGjgj1F2qTBNB3zHOFjuVYbUuozwv%2FUH29aF5d5gmEhofNVf4N5DfD%2BmI9DjozB0MrJ96DeCjGEoPRo7i9Whr%2BThEkSnRgHkjV%2FPWe7tUL3zkNeuKXjs4bWH8BIxmdFyqGSy4cKx99ymtQAp%2F8AWxhqd15coMoLM31YqCpn8PnzvKtYQnIORJQjfhTUdyhha%2FmWvy7gaHGpZvJpaXiyF4IlYWdn9uYy%2FOSAR5Sh3f4F8fX3v",
"https://vtbehaviour.commondatastorage.googleapis.com/000020331380e6110b5beba407728730579ebf170517913cc364e7dcb114187b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776183676&Signature=IqbnhkkWYeM6kbjfuoTYF2bD3VY52MzFCe5v2P6L5%2FvT66S4ZUFYI3vDp1VG9lGc%2BD%2FJ2J3U67VgV%2BLYeRFGqnQdkctuODu7CXIAc%2FhcLsIB1HWqR9qge57%2FDpdeQUbM%2BjuZ5TWqdfA%2Bqhc1jioTcgrPNBR3JE6M97q%2BxKrz4CUb3WIOfl1mIP91XjXy2cReTAKc%2FsLCnmEvrIFVXx%2BaFUCpCCMCRxF8QOMb67WRJ8hD0iaM",
"https://vtbehaviour.commondatastorage.googleapis.com/000020331380e6110b5beba407728730579ebf170517913cc364e7dcb114187b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776183694&Signature=ZUnl%2FqTfn6nD5eHS7RvwcH%2Fv5Vtm4wB5Yc0hpeinjJ4Mk3V9%2FRkc6%2BJNireFTPFGSOwaLYwemKQwQA0okh9hYBN5ncSDlB6OSnED3OnM3iZUQDEdLBwgYUEP3M%2Bsg0s2XOV36s1V20ivPLzQVUrRM7CkuEyCsyWm7CCJQGdJBRcsNfR1BsgAOtLpiC6WPKr4xFa5QUh6PSgoGNXSDtj1Mk6Gs9iyav6G%2FtZYVoM%2FBUfcGg8W"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1218",
"name": "Signed Binary Proxy Execution",
"display_name": "T1218 - Signed Binary Proxy Execution"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 16,
"FileHash-SHA1": 3,
"FileHash-SHA256": 175,
"IPv4": 43,
"URL": 109,
"hostname": 130,
"domain": 41
},
"indicator_count": 517,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 47,
"modified_text": "18 hours ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69de6531bfca82db8c335ebb",
"name": "CAPE Sandbox",
"description": "A sample of Google updateSetup.exe has been found on a Windows operating system. \u00c2\u00a31.5m (US$2.4m) in the first half of the year.",
"modified": "2026-04-14T16:14:12.855000",
"created": "2026-04-14T16:02:57.171000",
"tags": [
"parent pid",
"full path",
"command line",
"sessionid",
"files c",
"registry keys",
"mutexes globalg",
"globalg",
"commands",
"read files",
"pe file",
"file type",
"pe32",
"ms windows",
"intel",
"found",
"drops pe",
"aslr",
"ole file",
"contains",
"title",
"installer",
"template",
"code",
"persistence",
"malicious",
"next",
"error",
"google",
"meta",
"style",
"sans",
"woff2",
"u0131",
"u01520153",
"u02bb02bc",
"success",
"deletefilew",
"createfilew",
"genericwrite",
"readfile",
"genericread",
"regopenkeyexw",
"programfilesdir",
"shimcachemutex",
"copyfileexw",
"detail info",
"behaviour",
"processid",
"threadid",
"startaddress",
"parameter",
"offset",
"socket",
"filename",
"window",
"class",
"shell",
"find",
"windows sandbox",
"calls process",
"performs dns",
"mitre attack",
"network info",
"processes extra",
"t1055 process",
"overview",
"overview zenbox",
"verdict",
"guest system",
"ultimate file",
"phishing"
],
"references": [
"https://vtbehaviour.commondatastorage.googleapis.com/00002a21db1b687c9d78890d13e48ac1a96a9bf2a4c1b55423f4003ce96e7561_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776182210&Signature=v%2Fh1wL%2BRqA6ODz%2BCtJphjW%2BDUpdO%2F68AGOQiHd%2Be57uK7rMu6S9s9l8R7XteebRHwmiQnBDXOOns7VLwWQ00hHcNwEmbQKruEeJXn%2F2RZMYnzuTEbBMt2RuB9%2FrCQMUMo55FqSuXeY%2FsydSKysRi%2F4yxX55NU5uLfx%2FhZQRtjTgQticy0YGUTCqqY3HzJd7A8bc1PNd%2Fb6mTJ2S5iod1uNc17yFnn2UDVXHCJV",
"https://vtbehaviour.commondatastorage.googleapis.com/00002a21db1b687c9d78890d13e48ac1a96a9bf2a4c1b55423f4003ce96e7561_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776182405&Signature=ZMUm29yvOSEjo0LQQD1asxG2sdFlK5%2F4y2UHODrULP%2B6HqNNjMHfmfRv%2BVxnED4359E6L9MXV4n6tEBGdnia8EvQYzZQJ58Ros6%2F%2FfYr9WoRACqGslsG%2BHVMKGMGX62YA2UlrAH35OCDgUTwdGIHtpLgXfOd%2B46e6wzXuB1t8GANSgN4v5xv3S83gd7W14KQ2aD95Q0vZt%2F7Ue48%2B53m2JvkcBosiH2AxKaRxQIN%2BXz6cshh6p",
"https://vtbehaviour.commondatastorage.googleapis.com/264a5fc8205c3ca76d186e04238055427de9d189709bbc4b1844599d498d05d2_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776182430&Signature=dN0pX9yoqvCitnZXnkVEon6PzscVdKCHo9%2BUUZnv%2BJW5HH1B0IOfrsGiMX87NmcyM8XAqYVzFRNmrjIUnlP3rF5KPV0ZOtwlbL8mMIVCmrmQGuIPFB7QRfWpfjMPq41IbMb3yAdxVIpw5dEn%2BSrkIKgkCLVaDG0B69qjr%2FCR2ZNYpHIeR5Duwn%2BFgQxdFB2%2BwLQCyLAmPP5xsWgLCvmNM%2Fb1SoMUHKytZTY%2BPXKlThbjrh",
"https://vtcuckoo.commondatastorage.googleapis.com/00002a21db1b687c9d78890d13e48ac1a96a9bf2a4c1b55423f4003ce96e7561?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776182459&Signature=LC2D3TixRgdru1j51oquFRwzr%2BlKJQyHmkjrFbrD9AxRvZsqhwceRAcEEGhjpqbDfW%2BbsgyFvpG0re3VebM3vlaRaFk7nZYgSJVcbEdapmTOrCrzVGT4Ajtbfi0%2B0W4gjSG1fOa9RsxdcT0f%2FwscG2zKqSVZYOhNjlaCWjVWD65MvQpKbDqOdRhIgL5Bu6oG2MiYwAr2UWZECS53O8AHYr8UnWqzXy1DPzHyG9rl4xG8elXsHkFhuo4X9w%2BHyAnudZvoF4XgyBi",
"https://vtbehaviour.commondatastorage.googleapis.com/00002a21db1b687c9d78890d13e48ac1a96a9bf2a4c1b55423f4003ce96e7561_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776182484&Signature=ZhGulxlaniGue38b6AlCfXFOolhEEd1LRl1zQL4iS7pgld1GcOA1rAFnLpPUfTa7QbYt2XYl%2B69trqlFhS56HAJodeHJl8hLN1ZSe2yD56hBs5FNe45OeTzGmGRCvB23eCa6%2BFf7lkBEMPU7P6T4BylmHDskYtaXGm8%2B4J65yK3h3rEBYG7%2FzfMCeIqLzMARAW%2BGN%2B9skhx5nFTl5z9mYcTJpsJWUVIM6gdkzdOt8rkSI4WTZU",
"https://vtbehaviour.commondatastorage.googleapis.com/00002a21db1b687c9d78890d13e48ac1a96a9bf2a4c1b55423f4003ce96e7561_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776182551&Signature=pFmSgFS63F9nD5idScNlwrNQf0IwHGZXagtahm%2BCtBwvWshbJt7BHIwYHPaLKabmBSfvP4qNSVA9sCNWl6uMcrJDL6vNnebIQXG5N3C2UXzWC2GBLt6xa13F6jEnHnc8w7XgMnC2qixReqfUzmKH11llWvimieI7YNlY%2BWO91jTSdiqFyCnd95VovUDx2kK%2BF%2BM0clx89XmZRfU9PfWIReaDleGU%2Bho9t0vqCx0Fkz%2Fa",
"https://vtbehaviour.commondatastorage.googleapis.com/264a5fc8205c3ca76d186e04238055427de9d189709bbc4b1844599d498d05d2_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776182568&Signature=oG3sKCviFlcMT0QiFuQ05ebZkwPVvz5I5HUTNiUwfN2ldGBghRVLc5N9lUiV%2F4Chnoqg2dtvRlBGdNJ9erW0jueVM%2FY6DerZ2%2BVfd4bJos9epiFLxlHY%2BIaL5pRHeWIfcZ%2FaTK%2BhCSACOVOCRPHlchcUIKNH2Qqwsk9qWywx3k%2BuYq9lkq6bHRqrSWRveTrqVd559kMHuKds6IWr3IHQ83cnniAy%2BrXs2PzbfQWr8YqSn1%2FvvDyM",
"https://vtbehaviour.commondatastorage.googleapis.com/00002a21db1b687c9d78890d13e48ac1a96a9bf2a4c1b55423f4003ce96e7561_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776182603&Signature=P0yyclxoQLoZnvz37jWwZuw0aXUqKjhJmU3DLNGWvQc4OC6Xy1j%2FbtcEu%2BI9cYC3WKX6VyZKHliOMTv1yNar%2BVbIdYQ2PxzSYs7C8x4wcrhQ8Nq0FonreLyqkxdQ6BUO5WJ6vYVdHfY26X4wRftbfQYABiSyzCYAjcJm3X5xjQf9AN8iSukP8exig452BLXD3poZe3p5xx1HPXTohtMXnvUyJV7uM7EuFzFtWultkOCOwsTodS8HhJ4I%2BfMU1M"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 66,
"FileHash-SHA1": 39,
"FileHash-SHA256": 323,
"IPv4": 121,
"URL": 126,
"hostname": 255,
"domain": 87
},
"indicator_count": 1017,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 47,
"modified_text": "18 hours ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69de6532d8458a36f68ce083",
"name": "CAPE Sandbox",
"description": "A sample of Google updateSetup.exe has been found on a Windows operating system. \u00c2\u00a31.5m (US$2.4m) in the first half of the year.",
"modified": "2026-04-14T16:02:58.015000",
"created": "2026-04-14T16:02:58.015000",
"tags": [
"parent pid",
"full path",
"command line",
"sessionid",
"files c",
"registry keys",
"mutexes globalg",
"globalg",
"commands",
"read files",
"pe file",
"file type",
"pe32",
"ms windows",
"intel",
"found",
"drops pe",
"aslr",
"ole file",
"contains",
"title",
"installer",
"template",
"code",
"persistence",
"malicious",
"next",
"error",
"google",
"meta",
"style",
"sans",
"woff2",
"u0131",
"u01520153",
"u02bb02bc",
"success",
"deletefilew",
"createfilew",
"genericwrite",
"readfile",
"genericread",
"regopenkeyexw",
"programfilesdir",
"shimcachemutex",
"copyfileexw",
"detail info",
"behaviour",
"processid",
"threadid",
"startaddress",
"parameter",
"offset",
"socket",
"filename",
"window",
"class",
"shell",
"find",
"windows sandbox",
"calls process",
"performs dns",
"mitre attack",
"network info",
"processes extra",
"t1055 process",
"overview",
"overview zenbox",
"verdict",
"guest system",
"ultimate file",
"phishing"
],
"references": [
"https://vtbehaviour.commondatastorage.googleapis.com/00002a21db1b687c9d78890d13e48ac1a96a9bf2a4c1b55423f4003ce96e7561_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776182210&Signature=v%2Fh1wL%2BRqA6ODz%2BCtJphjW%2BDUpdO%2F68AGOQiHd%2Be57uK7rMu6S9s9l8R7XteebRHwmiQnBDXOOns7VLwWQ00hHcNwEmbQKruEeJXn%2F2RZMYnzuTEbBMt2RuB9%2FrCQMUMo55FqSuXeY%2FsydSKysRi%2F4yxX55NU5uLfx%2FhZQRtjTgQticy0YGUTCqqY3HzJd7A8bc1PNd%2Fb6mTJ2S5iod1uNc17yFnn2UDVXHCJV",
"https://vtbehaviour.commondatastorage.googleapis.com/00002a21db1b687c9d78890d13e48ac1a96a9bf2a4c1b55423f4003ce96e7561_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776182405&Signature=ZMUm29yvOSEjo0LQQD1asxG2sdFlK5%2F4y2UHODrULP%2B6HqNNjMHfmfRv%2BVxnED4359E6L9MXV4n6tEBGdnia8EvQYzZQJ58Ros6%2F%2FfYr9WoRACqGslsG%2BHVMKGMGX62YA2UlrAH35OCDgUTwdGIHtpLgXfOd%2B46e6wzXuB1t8GANSgN4v5xv3S83gd7W14KQ2aD95Q0vZt%2F7Ue48%2B53m2JvkcBosiH2AxKaRxQIN%2BXz6cshh6p",
"https://vtbehaviour.commondatastorage.googleapis.com/264a5fc8205c3ca76d186e04238055427de9d189709bbc4b1844599d498d05d2_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776182430&Signature=dN0pX9yoqvCitnZXnkVEon6PzscVdKCHo9%2BUUZnv%2BJW5HH1B0IOfrsGiMX87NmcyM8XAqYVzFRNmrjIUnlP3rF5KPV0ZOtwlbL8mMIVCmrmQGuIPFB7QRfWpfjMPq41IbMb3yAdxVIpw5dEn%2BSrkIKgkCLVaDG0B69qjr%2FCR2ZNYpHIeR5Duwn%2BFgQxdFB2%2BwLQCyLAmPP5xsWgLCvmNM%2Fb1SoMUHKytZTY%2BPXKlThbjrh",
"https://vtcuckoo.commondatastorage.googleapis.com/00002a21db1b687c9d78890d13e48ac1a96a9bf2a4c1b55423f4003ce96e7561?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776182459&Signature=LC2D3TixRgdru1j51oquFRwzr%2BlKJQyHmkjrFbrD9AxRvZsqhwceRAcEEGhjpqbDfW%2BbsgyFvpG0re3VebM3vlaRaFk7nZYgSJVcbEdapmTOrCrzVGT4Ajtbfi0%2B0W4gjSG1fOa9RsxdcT0f%2FwscG2zKqSVZYOhNjlaCWjVWD65MvQpKbDqOdRhIgL5Bu6oG2MiYwAr2UWZECS53O8AHYr8UnWqzXy1DPzHyG9rl4xG8elXsHkFhuo4X9w%2BHyAnudZvoF4XgyBi",
"https://vtbehaviour.commondatastorage.googleapis.com/00002a21db1b687c9d78890d13e48ac1a96a9bf2a4c1b55423f4003ce96e7561_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776182484&Signature=ZhGulxlaniGue38b6AlCfXFOolhEEd1LRl1zQL4iS7pgld1GcOA1rAFnLpPUfTa7QbYt2XYl%2B69trqlFhS56HAJodeHJl8hLN1ZSe2yD56hBs5FNe45OeTzGmGRCvB23eCa6%2BFf7lkBEMPU7P6T4BylmHDskYtaXGm8%2B4J65yK3h3rEBYG7%2FzfMCeIqLzMARAW%2BGN%2B9skhx5nFTl5z9mYcTJpsJWUVIM6gdkzdOt8rkSI4WTZU",
"https://vtbehaviour.commondatastorage.googleapis.com/00002a21db1b687c9d78890d13e48ac1a96a9bf2a4c1b55423f4003ce96e7561_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776182551&Signature=pFmSgFS63F9nD5idScNlwrNQf0IwHGZXagtahm%2BCtBwvWshbJt7BHIwYHPaLKabmBSfvP4qNSVA9sCNWl6uMcrJDL6vNnebIQXG5N3C2UXzWC2GBLt6xa13F6jEnHnc8w7XgMnC2qixReqfUzmKH11llWvimieI7YNlY%2BWO91jTSdiqFyCnd95VovUDx2kK%2BF%2BM0clx89XmZRfU9PfWIReaDleGU%2Bho9t0vqCx0Fkz%2Fa",
"https://vtbehaviour.commondatastorage.googleapis.com/264a5fc8205c3ca76d186e04238055427de9d189709bbc4b1844599d498d05d2_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776182568&Signature=oG3sKCviFlcMT0QiFuQ05ebZkwPVvz5I5HUTNiUwfN2ldGBghRVLc5N9lUiV%2F4Chnoqg2dtvRlBGdNJ9erW0jueVM%2FY6DerZ2%2BVfd4bJos9epiFLxlHY%2BIaL5pRHeWIfcZ%2FaTK%2BhCSACOVOCRPHlchcUIKNH2Qqwsk9qWywx3k%2BuYq9lkq6bHRqrSWRveTrqVd559kMHuKds6IWr3IHQ83cnniAy%2BrXs2PzbfQWr8YqSn1%2FvvDyM",
"https://vtbehaviour.commondatastorage.googleapis.com/00002a21db1b687c9d78890d13e48ac1a96a9bf2a4c1b55423f4003ce96e7561_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776182603&Signature=P0yyclxoQLoZnvz37jWwZuw0aXUqKjhJmU3DLNGWvQc4OC6Xy1j%2FbtcEu%2BI9cYC3WKX6VyZKHliOMTv1yNar%2BVbIdYQ2PxzSYs7C8x4wcrhQ8Nq0FonreLyqkxdQ6BUO5WJ6vYVdHfY26X4wRftbfQYABiSyzCYAjcJm3X5xjQf9AN8iSukP8exig452BLXD3poZe3p5xx1HPXTohtMXnvUyJV7uM7EuFzFtWultkOCOwsTodS8HhJ4I%2BfMU1M"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 46,
"FileHash-SHA1": 23,
"FileHash-SHA256": 198,
"IPv4": 53,
"URL": 94,
"hostname": 107,
"domain": 79
},
"indicator_count": 600,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 47,
"modified_text": "19 hours ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69de653101bee17699c7d1e8",
"name": "CAPE Sandbox",
"description": "A sample of Google updateSetup.exe has been found on a Windows operating system. \u00c2\u00a31.5m (US$2.4m) in the first half of the year.",
"modified": "2026-04-14T16:02:57.690000",
"created": "2026-04-14T16:02:57.690000",
"tags": [
"parent pid",
"full path",
"command line",
"sessionid",
"files c",
"registry keys",
"mutexes globalg",
"globalg",
"commands",
"read files",
"pe file",
"file type",
"pe32",
"ms windows",
"intel",
"found",
"drops pe",
"aslr",
"ole file",
"contains",
"title",
"installer",
"template",
"code",
"persistence",
"malicious",
"next",
"error",
"google",
"meta",
"style",
"sans",
"woff2",
"u0131",
"u01520153",
"u02bb02bc",
"success",
"deletefilew",
"createfilew",
"genericwrite",
"readfile",
"genericread",
"regopenkeyexw",
"programfilesdir",
"shimcachemutex",
"copyfileexw",
"detail info",
"behaviour",
"processid",
"threadid",
"startaddress",
"parameter",
"offset",
"socket",
"filename",
"window",
"class",
"shell",
"find",
"windows sandbox",
"calls process",
"performs dns",
"mitre attack",
"network info",
"processes extra",
"t1055 process",
"overview",
"overview zenbox",
"verdict",
"guest system",
"ultimate file",
"phishing"
],
"references": [
"https://vtbehaviour.commondatastorage.googleapis.com/00002a21db1b687c9d78890d13e48ac1a96a9bf2a4c1b55423f4003ce96e7561_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776182210&Signature=v%2Fh1wL%2BRqA6ODz%2BCtJphjW%2BDUpdO%2F68AGOQiHd%2Be57uK7rMu6S9s9l8R7XteebRHwmiQnBDXOOns7VLwWQ00hHcNwEmbQKruEeJXn%2F2RZMYnzuTEbBMt2RuB9%2FrCQMUMo55FqSuXeY%2FsydSKysRi%2F4yxX55NU5uLfx%2FhZQRtjTgQticy0YGUTCqqY3HzJd7A8bc1PNd%2Fb6mTJ2S5iod1uNc17yFnn2UDVXHCJV",
"https://vtbehaviour.commondatastorage.googleapis.com/00002a21db1b687c9d78890d13e48ac1a96a9bf2a4c1b55423f4003ce96e7561_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776182405&Signature=ZMUm29yvOSEjo0LQQD1asxG2sdFlK5%2F4y2UHODrULP%2B6HqNNjMHfmfRv%2BVxnED4359E6L9MXV4n6tEBGdnia8EvQYzZQJ58Ros6%2F%2FfYr9WoRACqGslsG%2BHVMKGMGX62YA2UlrAH35OCDgUTwdGIHtpLgXfOd%2B46e6wzXuB1t8GANSgN4v5xv3S83gd7W14KQ2aD95Q0vZt%2F7Ue48%2B53m2JvkcBosiH2AxKaRxQIN%2BXz6cshh6p",
"https://vtbehaviour.commondatastorage.googleapis.com/264a5fc8205c3ca76d186e04238055427de9d189709bbc4b1844599d498d05d2_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776182430&Signature=dN0pX9yoqvCitnZXnkVEon6PzscVdKCHo9%2BUUZnv%2BJW5HH1B0IOfrsGiMX87NmcyM8XAqYVzFRNmrjIUnlP3rF5KPV0ZOtwlbL8mMIVCmrmQGuIPFB7QRfWpfjMPq41IbMb3yAdxVIpw5dEn%2BSrkIKgkCLVaDG0B69qjr%2FCR2ZNYpHIeR5Duwn%2BFgQxdFB2%2BwLQCyLAmPP5xsWgLCvmNM%2Fb1SoMUHKytZTY%2BPXKlThbjrh",
"https://vtcuckoo.commondatastorage.googleapis.com/00002a21db1b687c9d78890d13e48ac1a96a9bf2a4c1b55423f4003ce96e7561?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776182459&Signature=LC2D3TixRgdru1j51oquFRwzr%2BlKJQyHmkjrFbrD9AxRvZsqhwceRAcEEGhjpqbDfW%2BbsgyFvpG0re3VebM3vlaRaFk7nZYgSJVcbEdapmTOrCrzVGT4Ajtbfi0%2B0W4gjSG1fOa9RsxdcT0f%2FwscG2zKqSVZYOhNjlaCWjVWD65MvQpKbDqOdRhIgL5Bu6oG2MiYwAr2UWZECS53O8AHYr8UnWqzXy1DPzHyG9rl4xG8elXsHkFhuo4X9w%2BHyAnudZvoF4XgyBi",
"https://vtbehaviour.commondatastorage.googleapis.com/00002a21db1b687c9d78890d13e48ac1a96a9bf2a4c1b55423f4003ce96e7561_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776182484&Signature=ZhGulxlaniGue38b6AlCfXFOolhEEd1LRl1zQL4iS7pgld1GcOA1rAFnLpPUfTa7QbYt2XYl%2B69trqlFhS56HAJodeHJl8hLN1ZSe2yD56hBs5FNe45OeTzGmGRCvB23eCa6%2BFf7lkBEMPU7P6T4BylmHDskYtaXGm8%2B4J65yK3h3rEBYG7%2FzfMCeIqLzMARAW%2BGN%2B9skhx5nFTl5z9mYcTJpsJWUVIM6gdkzdOt8rkSI4WTZU",
"https://vtbehaviour.commondatastorage.googleapis.com/00002a21db1b687c9d78890d13e48ac1a96a9bf2a4c1b55423f4003ce96e7561_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776182551&Signature=pFmSgFS63F9nD5idScNlwrNQf0IwHGZXagtahm%2BCtBwvWshbJt7BHIwYHPaLKabmBSfvP4qNSVA9sCNWl6uMcrJDL6vNnebIQXG5N3C2UXzWC2GBLt6xa13F6jEnHnc8w7XgMnC2qixReqfUzmKH11llWvimieI7YNlY%2BWO91jTSdiqFyCnd95VovUDx2kK%2BF%2BM0clx89XmZRfU9PfWIReaDleGU%2Bho9t0vqCx0Fkz%2Fa",
"https://vtbehaviour.commondatastorage.googleapis.com/264a5fc8205c3ca76d186e04238055427de9d189709bbc4b1844599d498d05d2_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776182568&Signature=oG3sKCviFlcMT0QiFuQ05ebZkwPVvz5I5HUTNiUwfN2ldGBghRVLc5N9lUiV%2F4Chnoqg2dtvRlBGdNJ9erW0jueVM%2FY6DerZ2%2BVfd4bJos9epiFLxlHY%2BIaL5pRHeWIfcZ%2FaTK%2BhCSACOVOCRPHlchcUIKNH2Qqwsk9qWywx3k%2BuYq9lkq6bHRqrSWRveTrqVd559kMHuKds6IWr3IHQ83cnniAy%2BrXs2PzbfQWr8YqSn1%2FvvDyM",
"https://vtbehaviour.commondatastorage.googleapis.com/00002a21db1b687c9d78890d13e48ac1a96a9bf2a4c1b55423f4003ce96e7561_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776182603&Signature=P0yyclxoQLoZnvz37jWwZuw0aXUqKjhJmU3DLNGWvQc4OC6Xy1j%2FbtcEu%2BI9cYC3WKX6VyZKHliOMTv1yNar%2BVbIdYQ2PxzSYs7C8x4wcrhQ8Nq0FonreLyqkxdQ6BUO5WJ6vYVdHfY26X4wRftbfQYABiSyzCYAjcJm3X5xjQf9AN8iSukP8exig452BLXD3poZe3p5xx1HPXTohtMXnvUyJV7uM7EuFzFtWultkOCOwsTodS8HhJ4I%2BfMU1M"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 46,
"FileHash-SHA1": 23,
"FileHash-SHA256": 198,
"IPv4": 53,
"URL": 94,
"hostname": 107,
"domain": 79
},
"indicator_count": 600,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 47,
"modified_text": "19 hours ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69de5661aa69bc26fcc67ca5",
"name": "VirusTotal report\n for document.html",
"description": "The full text of the full report on this year's EU Referendum, which will take place on 26 May 2017, will be published on 23 June.. and will appear on BBC One.",
"modified": "2026-04-14T15:46:10.139000",
"created": "2026-04-14T14:59:45.579000",
"tags": [
"thumbprint",
"server",
"domain status",
"not available",
"combell",
"fri oct",
"domain name",
"mitre attack",
"network info",
"performs dns",
"found",
"t1055 process",
"overview",
"processes extra",
"overview zenbox",
"verdict",
"guest system",
"next",
"cauliflower",
"ardo",
"script",
"green",
"grey",
"doctype html",
"head",
"ieedge",
"meta",
"noscript",
"generator",
"title",
"fri jan",
"value a",
"cname",
"file type",
"unix",
"dropped info",
"linux verdict",
"persistence",
"malicious",
"pe file",
"pe32",
"ms windows",
"crlf line",
"ascii text",
"drops pe",
"intel",
"json",
"info",
"windows sandbox",
"calls process",
"algorithm",
"key identifier",
"x509v3 subject",
"full name",
"v3 serial",
"number",
"cus odigicert",
"inc cndigicert",
"global g3",
"tls ecc"
],
"references": [
"https://vtbehaviour.commondatastorage.googleapis.com/c171805ee886339a1f5ee75f7ebfbb030d316f6ada7dd2dc6c795c0de6000a34_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776177598&Signature=3OaXWi9Bxykp1wiOQNdwBhSVh8X4mMPRcbHBESETUx1dPXdeEb1wMVgkjjvnvvnZ14XzPuL4vMeT%2BM6%2B8cU0CciC2%2B%2BGT%2Fb9mRX1cN%2FXaafCIMjd8vWaqZtK1dawDuh8iKwPBAcYgi6vCnMgp28hPTUgniT1p0WNyIRU3CJvLwPSEU28quYE2LfQp6%2FL8YplQb8mVS%2FgoyB71aRRbadnyiAysuNsHN1pdEaY402DuI5QYpc9B1odu5",
"https://vtbehaviour.commondatastorage.googleapis.com/c171805ee886339a1f5ee75f7ebfbb030d316f6ada7dd2dc6c795c0de6000a34_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776177637&Signature=BUiivmwCPsrCikfAjB28LBQHMVx%2FgTbehNpsMuz2VuoKMd%2FiRN1rhKYa8lS%2BTYZ1RNXXVqAR3ISVvI%2FmBIiPXTCg267f4DupHMvxLnZmQ7N0KqABTuh43x9kfuureCni9NLunQFSSWJwdt0KNQS3%2F57kVbeEOIzP7%2BcwyvyzuUpwFQR0d5Z6FniQUM0OXkWdAQwOXY3K%2FZlOIpXUtbyYLoXFI2SxAVG0cSF%2F5LRfI%2BqV",
"https://vtbehaviour.commondatastorage.googleapis.com/b5cbc5fb20fb38eeec1be1b9befddfb1fb4e74ebd6393c5a284600b4fd8edd72_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776178045&Signature=hfNfMWMWKlkR0dmNZ4tTVvmgM0aQ3daOKDfK8yNihejr3kujfb37wAq3LmH7qtp%2BoiIbsDP06zGcG8dlexlRIuv37dwHofiSildpsN54e2zZ%2F%2Fn25cvnS2OqCOrlkZKLS4HfUQG4uDxTT6nCFFjtk1d88D7GRghUOiDYdLgbVfBW5DFTJ5bmDWA%2F%2FQn7%2BGjfOnnJonkxYfKJ0NAUYmESIbbNs2z4ZohntfXj28HJ8ofBVh09Vk",
"https://vtbehaviour.commondatastorage.googleapis.com/b5cbc5fb20fb38eeec1be1b9befddfb1fb4e74ebd6393c5a284600b4fd8edd72_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776178084&Signature=l9VaaMtAu36gwPzacEQuEKIUtylRuocPeqapPjRJQlHLBAGzVaxtTG4tKKub3yjMoWmZ2pKMlpvNWm3hp0Fnvoj9c1RoQqis7Bza5ZkPbTWPic23pN64nADTtHu%2FpwsHeBc5e7ODzJiPCloc2E7y8Fc0OyaCv%2BRvL9Cp746CDgls39HfPWI4ukTSy5F2TsRUo36dz76PT%2FubK3HFHzUNnsFLj%2BZ8iif%2BgE9FpwabJT5WlgvUiqpqna6tcVHl",
"https://vtbehaviour.commondatastorage.googleapis.com/b5cbc5fb20fb38eeec1be1b9befddfb1fb4e74ebd6393c5a284600b4fd8edd72_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776178098&Signature=uIxrV8sFHqQAjkRjYKVDQ1S%2FeWLsS9K%2F9PqMGOdk9nETeHOFarhSPqnYVH3z5vORlVnlvKrk10heyaF9Ks%2BfMnudJoqDG6UjXULyT5HbpHKXvdQItgfeAH6ZSHI%2FRRvWIw%2BEJoYnPVIn3gczV1o5LnA5flIbFyXVb%2BwulQMPJnSdhvsQx7PFkAY%2Bukjs4CYlC%2FrL3k8ouSPhJezZgJX3oMBL%2Bgxl15NF20wkj3"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1189",
"name": "Drive-by Compromise",
"display_name": "T1189 - Drive-by Compromise"
},
{
"id": "T1064",
"name": "Scripting",
"display_name": "T1064 - Scripting"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1543",
"name": "Create or Modify System Process",
"display_name": "T1543 - Create or Modify System Process"
},
{
"id": "T1564",
"name": "Hide Artifacts",
"display_name": "T1564 - Hide Artifacts"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA1": 581,
"domain": 706,
"IPv4": 42,
"hostname": 577,
"URL": 386,
"FileHash-SHA256": 1620,
"FileHash-MD5": 537,
"CVE": 6
},
"indicator_count": 4455,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 47,
"modified_text": "19 hours ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69de5660177cfb2b911d0416",
"name": "VirusTotal report\n for document.html",
"description": "The full text of the full report on this year's EU Referendum, which will take place on 26 May 2017, will be published on 23 June.. and will appear on BBC One.",
"modified": "2026-04-14T15:41:54.244000",
"created": "2026-04-14T14:59:44.158000",
"tags": [
"thumbprint",
"server",
"domain status",
"not available",
"combell",
"fri oct",
"domain name",
"mitre attack",
"network info",
"performs dns",
"found",
"t1055 process",
"overview",
"processes extra",
"overview zenbox",
"verdict",
"guest system",
"next",
"cauliflower",
"ardo",
"script",
"green",
"grey",
"doctype html",
"head",
"ieedge",
"meta",
"noscript",
"generator",
"title",
"fri jan",
"value a",
"cname",
"file type",
"unix",
"dropped info",
"linux verdict",
"persistence",
"malicious",
"pe file",
"pe32",
"ms windows",
"crlf line",
"ascii text",
"drops pe",
"intel",
"json",
"info",
"windows sandbox",
"calls process",
"algorithm",
"key identifier",
"x509v3 subject",
"full name",
"v3 serial",
"number",
"cus odigicert",
"inc cndigicert",
"global g3",
"tls ecc"
],
"references": [
"https://vtbehaviour.commondatastorage.googleapis.com/c171805ee886339a1f5ee75f7ebfbb030d316f6ada7dd2dc6c795c0de6000a34_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776177598&Signature=3OaXWi9Bxykp1wiOQNdwBhSVh8X4mMPRcbHBESETUx1dPXdeEb1wMVgkjjvnvvnZ14XzPuL4vMeT%2BM6%2B8cU0CciC2%2B%2BGT%2Fb9mRX1cN%2FXaafCIMjd8vWaqZtK1dawDuh8iKwPBAcYgi6vCnMgp28hPTUgniT1p0WNyIRU3CJvLwPSEU28quYE2LfQp6%2FL8YplQb8mVS%2FgoyB71aRRbadnyiAysuNsHN1pdEaY402DuI5QYpc9B1odu5",
"https://vtbehaviour.commondatastorage.googleapis.com/c171805ee886339a1f5ee75f7ebfbb030d316f6ada7dd2dc6c795c0de6000a34_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776177637&Signature=BUiivmwCPsrCikfAjB28LBQHMVx%2FgTbehNpsMuz2VuoKMd%2FiRN1rhKYa8lS%2BTYZ1RNXXVqAR3ISVvI%2FmBIiPXTCg267f4DupHMvxLnZmQ7N0KqABTuh43x9kfuureCni9NLunQFSSWJwdt0KNQS3%2F57kVbeEOIzP7%2BcwyvyzuUpwFQR0d5Z6FniQUM0OXkWdAQwOXY3K%2FZlOIpXUtbyYLoXFI2SxAVG0cSF%2F5LRfI%2BqV",
"https://vtbehaviour.commondatastorage.googleapis.com/b5cbc5fb20fb38eeec1be1b9befddfb1fb4e74ebd6393c5a284600b4fd8edd72_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776178045&Signature=hfNfMWMWKlkR0dmNZ4tTVvmgM0aQ3daOKDfK8yNihejr3kujfb37wAq3LmH7qtp%2BoiIbsDP06zGcG8dlexlRIuv37dwHofiSildpsN54e2zZ%2F%2Fn25cvnS2OqCOrlkZKLS4HfUQG4uDxTT6nCFFjtk1d88D7GRghUOiDYdLgbVfBW5DFTJ5bmDWA%2F%2FQn7%2BGjfOnnJonkxYfKJ0NAUYmESIbbNs2z4ZohntfXj28HJ8ofBVh09Vk",
"https://vtbehaviour.commondatastorage.googleapis.com/b5cbc5fb20fb38eeec1be1b9befddfb1fb4e74ebd6393c5a284600b4fd8edd72_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776178084&Signature=l9VaaMtAu36gwPzacEQuEKIUtylRuocPeqapPjRJQlHLBAGzVaxtTG4tKKub3yjMoWmZ2pKMlpvNWm3hp0Fnvoj9c1RoQqis7Bza5ZkPbTWPic23pN64nADTtHu%2FpwsHeBc5e7ODzJiPCloc2E7y8Fc0OyaCv%2BRvL9Cp746CDgls39HfPWI4ukTSy5F2TsRUo36dz76PT%2FubK3HFHzUNnsFLj%2BZ8iif%2BgE9FpwabJT5WlgvUiqpqna6tcVHl",
"https://vtbehaviour.commondatastorage.googleapis.com/b5cbc5fb20fb38eeec1be1b9befddfb1fb4e74ebd6393c5a284600b4fd8edd72_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776178098&Signature=uIxrV8sFHqQAjkRjYKVDQ1S%2FeWLsS9K%2F9PqMGOdk9nETeHOFarhSPqnYVH3z5vORlVnlvKrk10heyaF9Ks%2BfMnudJoqDG6UjXULyT5HbpHKXvdQItgfeAH6ZSHI%2FRRvWIw%2BEJoYnPVIn3gczV1o5LnA5flIbFyXVb%2BwulQMPJnSdhvsQx7PFkAY%2Bukjs4CYlC%2FrL3k8ouSPhJezZgJX3oMBL%2Bgxl15NF20wkj3"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1189",
"name": "Drive-by Compromise",
"display_name": "T1189 - Drive-by Compromise"
},
{
"id": "T1064",
"name": "Scripting",
"display_name": "T1064 - Scripting"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1543",
"name": "Create or Modify System Process",
"display_name": "T1543 - Create or Modify System Process"
},
{
"id": "T1564",
"name": "Hide Artifacts",
"display_name": "T1564 - Hide Artifacts"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA1": 118,
"domain": 361,
"IPv4": 41,
"hostname": 462,
"URL": 290,
"FileHash-SHA256": 968,
"FileHash-MD5": 83,
"CVE": 3
},
"indicator_count": 2326,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 47,
"modified_text": "19 hours ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69de565b32d80c2973c2fd77",
"name": "VirusTotal report\n for document.html",
"description": "The full text of the full report on this year's EU Referendum, which will take place on 26 May 2017, will be published on 23 June.. and will appear on BBC One.",
"modified": "2026-04-14T15:41:53.909000",
"created": "2026-04-14T14:59:39.743000",
"tags": [
"thumbprint",
"server",
"domain status",
"not available",
"combell",
"fri oct",
"domain name",
"mitre attack",
"network info",
"performs dns",
"found",
"t1055 process",
"overview",
"processes extra",
"overview zenbox",
"verdict",
"guest system",
"next",
"cauliflower",
"ardo",
"script",
"green",
"grey",
"doctype html",
"head",
"ieedge",
"meta",
"noscript",
"generator",
"title",
"fri jan",
"value a",
"cname",
"file type",
"unix",
"dropped info",
"linux verdict",
"persistence",
"malicious",
"pe file",
"pe32",
"ms windows",
"crlf line",
"ascii text",
"drops pe",
"intel",
"json",
"info",
"windows sandbox",
"calls process",
"algorithm",
"key identifier",
"x509v3 subject",
"full name",
"v3 serial",
"number",
"cus odigicert",
"inc cndigicert",
"global g3",
"tls ecc"
],
"references": [
"https://vtbehaviour.commondatastorage.googleapis.com/c171805ee886339a1f5ee75f7ebfbb030d316f6ada7dd2dc6c795c0de6000a34_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776177598&Signature=3OaXWi9Bxykp1wiOQNdwBhSVh8X4mMPRcbHBESETUx1dPXdeEb1wMVgkjjvnvvnZ14XzPuL4vMeT%2BM6%2B8cU0CciC2%2B%2BGT%2Fb9mRX1cN%2FXaafCIMjd8vWaqZtK1dawDuh8iKwPBAcYgi6vCnMgp28hPTUgniT1p0WNyIRU3CJvLwPSEU28quYE2LfQp6%2FL8YplQb8mVS%2FgoyB71aRRbadnyiAysuNsHN1pdEaY402DuI5QYpc9B1odu5",
"https://vtbehaviour.commondatastorage.googleapis.com/c171805ee886339a1f5ee75f7ebfbb030d316f6ada7dd2dc6c795c0de6000a34_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776177637&Signature=BUiivmwCPsrCikfAjB28LBQHMVx%2FgTbehNpsMuz2VuoKMd%2FiRN1rhKYa8lS%2BTYZ1RNXXVqAR3ISVvI%2FmBIiPXTCg267f4DupHMvxLnZmQ7N0KqABTuh43x9kfuureCni9NLunQFSSWJwdt0KNQS3%2F57kVbeEOIzP7%2BcwyvyzuUpwFQR0d5Z6FniQUM0OXkWdAQwOXY3K%2FZlOIpXUtbyYLoXFI2SxAVG0cSF%2F5LRfI%2BqV",
"https://vtbehaviour.commondatastorage.googleapis.com/b5cbc5fb20fb38eeec1be1b9befddfb1fb4e74ebd6393c5a284600b4fd8edd72_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776178045&Signature=hfNfMWMWKlkR0dmNZ4tTVvmgM0aQ3daOKDfK8yNihejr3kujfb37wAq3LmH7qtp%2BoiIbsDP06zGcG8dlexlRIuv37dwHofiSildpsN54e2zZ%2F%2Fn25cvnS2OqCOrlkZKLS4HfUQG4uDxTT6nCFFjtk1d88D7GRghUOiDYdLgbVfBW5DFTJ5bmDWA%2F%2FQn7%2BGjfOnnJonkxYfKJ0NAUYmESIbbNs2z4ZohntfXj28HJ8ofBVh09Vk",
"https://vtbehaviour.commondatastorage.googleapis.com/b5cbc5fb20fb38eeec1be1b9befddfb1fb4e74ebd6393c5a284600b4fd8edd72_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776178084&Signature=l9VaaMtAu36gwPzacEQuEKIUtylRuocPeqapPjRJQlHLBAGzVaxtTG4tKKub3yjMoWmZ2pKMlpvNWm3hp0Fnvoj9c1RoQqis7Bza5ZkPbTWPic23pN64nADTtHu%2FpwsHeBc5e7ODzJiPCloc2E7y8Fc0OyaCv%2BRvL9Cp746CDgls39HfPWI4ukTSy5F2TsRUo36dz76PT%2FubK3HFHzUNnsFLj%2BZ8iif%2BgE9FpwabJT5WlgvUiqpqna6tcVHl",
"https://vtbehaviour.commondatastorage.googleapis.com/b5cbc5fb20fb38eeec1be1b9befddfb1fb4e74ebd6393c5a284600b4fd8edd72_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776178098&Signature=uIxrV8sFHqQAjkRjYKVDQ1S%2FeWLsS9K%2F9PqMGOdk9nETeHOFarhSPqnYVH3z5vORlVnlvKrk10heyaF9Ks%2BfMnudJoqDG6UjXULyT5HbpHKXvdQItgfeAH6ZSHI%2FRRvWIw%2BEJoYnPVIn3gczV1o5LnA5flIbFyXVb%2BwulQMPJnSdhvsQx7PFkAY%2Bukjs4CYlC%2FrL3k8ouSPhJezZgJX3oMBL%2Bgxl15NF20wkj3"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1189",
"name": "Drive-by Compromise",
"display_name": "T1189 - Drive-by Compromise"
},
{
"id": "T1064",
"name": "Scripting",
"display_name": "T1064 - Scripting"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1543",
"name": "Create or Modify System Process",
"display_name": "T1543 - Create or Modify System Process"
},
{
"id": "T1564",
"name": "Hide Artifacts",
"display_name": "T1564 - Hide Artifacts"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA1": 154,
"domain": 367,
"IPv4": 79,
"hostname": 474,
"URL": 292,
"FileHash-SHA256": 1010,
"FileHash-MD5": 119,
"CVE": 11
},
"indicator_count": 2506,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 47,
"modified_text": "19 hours ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69de5661607a80dbfa9f35c8",
"name": "VirusTotal report\n for document.html",
"description": "The full text of the full report on this year's EU Referendum, which will take place on 26 May 2017, will be published on 23 June.. and will appear on BBC One.",
"modified": "2026-04-14T15:05:34.538000",
"created": "2026-04-14T14:59:45.223000",
"tags": [
"thumbprint",
"server",
"domain status",
"not available",
"combell",
"fri oct",
"domain name",
"mitre attack",
"network info",
"performs dns",
"found",
"t1055 process",
"overview",
"processes extra",
"overview zenbox",
"verdict",
"guest system",
"next",
"cauliflower",
"ardo",
"script",
"green",
"grey",
"doctype html",
"head",
"ieedge",
"meta",
"noscript",
"generator",
"title",
"fri jan",
"value a",
"cname",
"file type",
"unix",
"dropped info",
"linux verdict",
"persistence",
"malicious",
"pe file",
"pe32",
"ms windows",
"crlf line",
"ascii text",
"drops pe",
"intel",
"json",
"info",
"windows sandbox",
"calls process",
"algorithm",
"key identifier",
"x509v3 subject",
"full name",
"v3 serial",
"number",
"cus odigicert",
"inc cndigicert",
"global g3",
"tls ecc"
],
"references": [
"https://vtbehaviour.commondatastorage.googleapis.com/c171805ee886339a1f5ee75f7ebfbb030d316f6ada7dd2dc6c795c0de6000a34_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776177598&Signature=3OaXWi9Bxykp1wiOQNdwBhSVh8X4mMPRcbHBESETUx1dPXdeEb1wMVgkjjvnvvnZ14XzPuL4vMeT%2BM6%2B8cU0CciC2%2B%2BGT%2Fb9mRX1cN%2FXaafCIMjd8vWaqZtK1dawDuh8iKwPBAcYgi6vCnMgp28hPTUgniT1p0WNyIRU3CJvLwPSEU28quYE2LfQp6%2FL8YplQb8mVS%2FgoyB71aRRbadnyiAysuNsHN1pdEaY402DuI5QYpc9B1odu5",
"https://vtbehaviour.commondatastorage.googleapis.com/c171805ee886339a1f5ee75f7ebfbb030d316f6ada7dd2dc6c795c0de6000a34_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776177637&Signature=BUiivmwCPsrCikfAjB28LBQHMVx%2FgTbehNpsMuz2VuoKMd%2FiRN1rhKYa8lS%2BTYZ1RNXXVqAR3ISVvI%2FmBIiPXTCg267f4DupHMvxLnZmQ7N0KqABTuh43x9kfuureCni9NLunQFSSWJwdt0KNQS3%2F57kVbeEOIzP7%2BcwyvyzuUpwFQR0d5Z6FniQUM0OXkWdAQwOXY3K%2FZlOIpXUtbyYLoXFI2SxAVG0cSF%2F5LRfI%2BqV",
"https://vtbehaviour.commondatastorage.googleapis.com/b5cbc5fb20fb38eeec1be1b9befddfb1fb4e74ebd6393c5a284600b4fd8edd72_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776178045&Signature=hfNfMWMWKlkR0dmNZ4tTVvmgM0aQ3daOKDfK8yNihejr3kujfb37wAq3LmH7qtp%2BoiIbsDP06zGcG8dlexlRIuv37dwHofiSildpsN54e2zZ%2F%2Fn25cvnS2OqCOrlkZKLS4HfUQG4uDxTT6nCFFjtk1d88D7GRghUOiDYdLgbVfBW5DFTJ5bmDWA%2F%2FQn7%2BGjfOnnJonkxYfKJ0NAUYmESIbbNs2z4ZohntfXj28HJ8ofBVh09Vk",
"https://vtbehaviour.commondatastorage.googleapis.com/b5cbc5fb20fb38eeec1be1b9befddfb1fb4e74ebd6393c5a284600b4fd8edd72_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776178084&Signature=l9VaaMtAu36gwPzacEQuEKIUtylRuocPeqapPjRJQlHLBAGzVaxtTG4tKKub3yjMoWmZ2pKMlpvNWm3hp0Fnvoj9c1RoQqis7Bza5ZkPbTWPic23pN64nADTtHu%2FpwsHeBc5e7ODzJiPCloc2E7y8Fc0OyaCv%2BRvL9Cp746CDgls39HfPWI4ukTSy5F2TsRUo36dz76PT%2FubK3HFHzUNnsFLj%2BZ8iif%2BgE9FpwabJT5WlgvUiqpqna6tcVHl",
"https://vtbehaviour.commondatastorage.googleapis.com/b5cbc5fb20fb38eeec1be1b9befddfb1fb4e74ebd6393c5a284600b4fd8edd72_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776178098&Signature=uIxrV8sFHqQAjkRjYKVDQ1S%2FeWLsS9K%2F9PqMGOdk9nETeHOFarhSPqnYVH3z5vORlVnlvKrk10heyaF9Ks%2BfMnudJoqDG6UjXULyT5HbpHKXvdQItgfeAH6ZSHI%2FRRvWIw%2BEJoYnPVIn3gczV1o5LnA5flIbFyXVb%2BwulQMPJnSdhvsQx7PFkAY%2Bukjs4CYlC%2FrL3k8ouSPhJezZgJX3oMBL%2Bgxl15NF20wkj3"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1189",
"name": "Drive-by Compromise",
"display_name": "T1189 - Drive-by Compromise"
},
{
"id": "T1064",
"name": "Scripting",
"display_name": "T1064 - Scripting"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1543",
"name": "Create or Modify System Process",
"display_name": "T1543 - Create or Modify System Process"
},
{
"id": "T1564",
"name": "Hide Artifacts",
"display_name": "T1564 - Hide Artifacts"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA1": 118,
"domain": 360,
"IPv4": 41,
"hostname": 462,
"URL": 290,
"FileHash-SHA256": 968,
"FileHash-MD5": 83,
"CVE": 3
},
"indicator_count": 2325,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 47,
"modified_text": "20 hours ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69b68051eebac972de50c5fc",
"name": "VirusTotal report\n for raSUyvhOTnrqCCsjtkeO.exe",
"description": "",
"modified": "2026-04-14T09:17:15.658000",
"created": "2026-03-15T09:48:01.405000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1543",
"name": "Create or Modify System Process",
"display_name": "T1543 - Create or Modify System Process"
},
{
"id": "T1547",
"name": "Boot or Logon Autostart Execution",
"display_name": "T1547 - Boot or Logon Autostart Execution"
},
{
"id": "T1548",
"name": "Abuse Elevation Control Mechanism",
"display_name": "T1548 - Abuse Elevation Control Mechanism"
},
{
"id": "T1571",
"name": "Non-Standard Port",
"display_name": "T1571 - Non-Standard Port"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 2,
"FileHash-SHA1": 2,
"FileHash-SHA256": 16,
"URL": 44,
"hostname": 16,
"domain": 2
},
"indicator_count": 82,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 48,
"modified_text": "1 day ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69ddc6c9f25c71625fb0b9e6",
"name": "CAPE Sandbox",
"description": "<>",
"modified": "2026-04-14T04:52:47.333000",
"created": "2026-04-14T04:47:05.317000",
"tags": [
"network info",
"url info",
"domain info",
"domain ip",
"performs dns"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1010",
"name": "Application Window Discovery",
"display_name": "T1010 - Application Window Discovery"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1547",
"name": "Boot or Logon Autostart Execution",
"display_name": "T1547 - Boot or Logon Autostart Execution"
},
{
"id": "T1560",
"name": "Archive Collected Data",
"display_name": "T1560 - Archive Collected Data"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1571",
"name": "Non-Standard Port",
"display_name": "T1571 - Non-Standard Port"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1203",
"name": "Exploitation for Client Execution",
"display_name": "T1203 - Exploitation for Client Execution"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
},
{
"id": "T1218",
"name": "Signed Binary Proxy Execution",
"display_name": "T1218 - Signed Binary Proxy Execution"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"IPv6": 2,
"IPv4": 42,
"hostname": 461,
"FileHash-SHA256": 603,
"domain": 128,
"FileHash-MD5": 63,
"FileHash-SHA1": 74,
"URL": 721
},
"indicator_count": 2094,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 47,
"modified_text": "1 day ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69ddc674d6814ef6ff10b49a",
"name": "CAPE Sandbox",
"description": "<>",
"modified": "2026-04-14T04:52:36.465000",
"created": "2026-04-14T04:45:40.694000",
"tags": [
"network info",
"url info",
"domain info",
"domain ip",
"performs dns"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1010",
"name": "Application Window Discovery",
"display_name": "T1010 - Application Window Discovery"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1547",
"name": "Boot or Logon Autostart Execution",
"display_name": "T1547 - Boot or Logon Autostart Execution"
},
{
"id": "T1560",
"name": "Archive Collected Data",
"display_name": "T1560 - Archive Collected Data"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1571",
"name": "Non-Standard Port",
"display_name": "T1571 - Non-Standard Port"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1203",
"name": "Exploitation for Client Execution",
"display_name": "T1203 - Exploitation for Client Execution"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
},
{
"id": "T1218",
"name": "Signed Binary Proxy Execution",
"display_name": "T1218 - Signed Binary Proxy Execution"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"IPv6": 10,
"IPv4": 58,
"hostname": 513,
"FileHash-SHA256": 807,
"domain": 136,
"FileHash-MD5": 335,
"FileHash-SHA1": 278,
"URL": 721
},
"indicator_count": 2858,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 47,
"modified_text": "1 day ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69ddc67ab71a32bb4cd407ca",
"name": "CAPE Sandbox",
"description": "<>",
"modified": "2026-04-14T04:52:32.943000",
"created": "2026-04-14T04:45:46.815000",
"tags": [
"network info",
"url info",
"domain info",
"domain ip",
"performs dns"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1010",
"name": "Application Window Discovery",
"display_name": "T1010 - Application Window Discovery"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1547",
"name": "Boot or Logon Autostart Execution",
"display_name": "T1547 - Boot or Logon Autostart Execution"
},
{
"id": "T1560",
"name": "Archive Collected Data",
"display_name": "T1560 - Archive Collected Data"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1571",
"name": "Non-Standard Port",
"display_name": "T1571 - Non-Standard Port"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1203",
"name": "Exploitation for Client Execution",
"display_name": "T1203 - Exploitation for Client Execution"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
},
{
"id": "T1218",
"name": "Signed Binary Proxy Execution",
"display_name": "T1218 - Signed Binary Proxy Execution"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"IPv6": 2,
"IPv4": 42,
"hostname": 461,
"FileHash-SHA256": 603,
"domain": 128,
"FileHash-MD5": 63,
"FileHash-SHA1": 74,
"URL": 721
},
"indicator_count": 2094,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 47,
"modified_text": "1 day ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69b6292a2d6a84ad6d2491d7",
"name": "CAPE Sandbox",
"description": "registry filesystem process threading services device network synchronization crypto",
"modified": "2026-04-14T03:27:17.345000",
"created": "2026-03-15T03:36:09.998000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1003",
"name": "OS Credential Dumping",
"display_name": "T1003 - OS Credential Dumping"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1014",
"name": "Rootkit",
"display_name": "T1014 - Rootkit"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1203",
"name": "Exploitation for Client Execution",
"display_name": "T1203 - Exploitation for Client Execution"
},
{
"id": "T1485",
"name": "Data Destruction",
"display_name": "T1485 - Data Destruction"
},
{
"id": "T1496",
"name": "Resource Hijacking",
"display_name": "T1496 - Resource Hijacking"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1542",
"name": "Pre-OS Boot",
"display_name": "T1542 - Pre-OS Boot"
},
{
"id": "T1564",
"name": "Hide Artifacts",
"display_name": "T1564 - Hide Artifacts"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 85,
"FileHash-SHA1": 84,
"FileHash-SHA256": 72,
"hostname": 48,
"URL": 18,
"domain": 3
},
"indicator_count": 310,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 48,
"modified_text": "1 day ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69cc876e1a85eb578af3460c",
"name": "Gatsby.",
"description": "The results of an analysis of data gathered from a single web address are published on the website of the University of California, San Francisco, as part of its 2016/17 Research into Open Access. A collection from U or Oreg. - thanks to the tipster. While the dates askew from cert. abuse the overall Month/day appear aligned, however the diff year predated to invalid certs (suspect- more than a theory). Interesting, research subjects pii on pdx flight aligns.\nConsistent \"Research time signed outside timestamp\" burden of proof has been met, goodnight. \nSecond Write- Can read a malicious pdf docs quicker than anyone. Thank you Second Write Sandbox",
"modified": "2026-04-12T16:05:58.378000",
"created": "2026-04-12T12:51:59.240000",
"tags": [
"file type",
"united",
"json",
"com executable",
"network info",
"malicious",
"urls",
"t1055 process",
"ascii",
"mitre attack",
"phishing",
"next",
"windows sandbox",
"calls process",
"foxpro fpt",
"links file",
"152 x",
"sqlite version",
"utf8",
"sqlite rollback",
"default",
"file size",
"mwdb",
"bazaar",
"sha3384",
"ssdeep",
"strong",
"library",
"win1",
"cultureneutral",
"accept",
"shutdown",
"back",
"msie",
"windows nt",
"wow64",
"slcc2",
"media center",
"get http",
"type annot",
"subtype link",
"rect",
"stream",
"xport",
"possible",
"matrix",
"packer",
"strings",
"enterprise",
"sandbox",
"title",
"core",
"agent",
"snort",
"context",
"destination ip",
"http requests",
"dns resolutions",
"acrongl integ",
"adc4240758",
"sha1",
"potential pdx intersect",
"spellbound. librarian things"
],
"references": [
"https://vtbehaviour.commondatastorage.googleapis.com/f8959944c899789d1fa1a6de7c6818a37f237dd44f39e5301f755fddd64c9791_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775997378&Signature=KsJYbpoN6hteGv0hQe%2B7MgknKi2y7G9y%2Bv0JJZqMcuUdnf3gyNBPBzyKTVuoWOtaG8ix3%2BctGPzbrSe5UI3cg4Z0gK%2B6X75apikmjWPqBKofhIc5BqSpHspjoDYtiKLxroPreiitG4QqViG8yPq7ZCkMLfT71MSIE9dJ9XhV4fO2MSLHJA0qzdykwolGgi0i5r12p1nNsE1eHXJY0HwJl%2Fqka%2FKRtekjeEG1K1qHo6QJlzKhiCRubQwgU7",
"https://vtbehaviour.commondatastorage.googleapis.com/f8959944c899789d1fa1a6de7c6818a37f237dd44f39e5301f755fddd64c9791_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775997612&Signature=l%2FoIF7cZSCGanh2IyxGroiq3YNwdCp9oVTfF02Zi7d4yp4LMuvnnLFWqVzfWbvIHB94EaU0ICQHP6MwgUb5Z4bF2OVcHxdHieB3iTKEX6sGurBIeKYNAPuakGTzCRv%2FSnZJHpZbsoH11i%2F%2BIwHQLGAKerBuNCuq%2FDi8tvVKCDiF9JQGxOYhQsjlzQJtUBiVEVnBTKbjIdeg9iAMES8qHj0eAglff6gxDk1t%2FU5HmKB1T",
"https://vtbehaviour.commondatastorage.googleapis.com/26b3bfa810cd37fe4046221ab2269b360e9a6c51961db6fd95e7499e2d76d544_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775997821&Signature=IjR3qiuvOqpJ0ChD%2FQ%2B0QKlCAsWejT6Ei8KIh27ZO2t%2BnO1oDrCrR7D3x3lf6xKLr93CFw7bU1IUQONv3WbJ%2BJ0oyQ0yhyalr5VTTy1mHEphjCvObM%2B8PPv6o5cjYXYDpKVcQjBFrkgGvJxrleE5kQvx6irIRcFMTUdnDVuNEcV6sALKN3oYRo%2B%2Fvk7TA%2FfAVTtpBhUfsC4dvVAJnRQgBC4gEzEYuZN3oaDzlYUCoghsW5",
"https://vtbehaviour.commondatastorage.googleapis.com/f8959944c899789d1fa1a6de7c6818a37f237dd44f39e5301f755fddd64c9791_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775997952&Signature=Pc%2FXTIxysZhpywMxwwW%2BrBcX9VHIrYH%2BL3sUsVHUCm1TUbCCtQe7ZIpfTtqIl%2FWLsaehPWv%2FBt4Q6PbZH1IFYbFrKet6C2NOwwOh9WtZQ0cak9wRRun6IjZTU33hWBk4GyEAh%2FpE5nF4ND%2BQSOQuZ5DiMtHeXRlWjRI6KwJ8ApdtNpccNlYGYGKmqj%2BLK7CZTI%2FmpO8GkbS2UkwUwBa6TFoYFvBiQ5SHdRUJ2MT7t3RzWvn8hGyb",
"https://vtbehaviour.commondatastorage.googleapis.com/f8959944c899789d1fa1a6de7c6818a37f237dd44f39e5301f755fddd64c9791_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775998043&Signature=atj43IFZmS1xhCQtPEtGr1gjAzp5YJ5SAqKqPXrExtpioezLoyIJKw91Cc1EPO9Ff86CNaeS%2BNKNidgGEvFkAFNQpY8CEvbl7dcNVj3FUVUS3ybBoI8xLShMhwUy%2F0aYbXdMfYG3KdE%2FXDvt56Et6LjAj6N0lh1mp0m48Zz2hNTlghpHTSGlP3SY1VjfKxBYwh%2BWAJOSrHiXvzeVhuN5Qj6JWU%2FLg824mJRsUPe7iyNe2u",
"https://vtbehaviour.commondatastorage.googleapis.com/3aefe8dfb9c99f3a84f5f74b15afeaeca682c8c50f18fa59b2e0b06da9619f1d_SecondWrite.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775998118&Signature=oZItRZYU06S7GWIVhygTK0XUPoeDlmpVWee4ri8K1nSYOFjKP7WjYTzw03EoC6pzqFjdjNKm2lQytBKbv%2BcMJT%2F%2BWZ7nF71PUUmExKgSsvfD6PXKzUcX8vuHnJwcu3NlTOuhNKNfed2iOEAGybINfsgUO6DFzlTsGd51hjV3I%2BT4t%2FTn1aszBeDzRu01gkhvTI5%2BmXmxZfhYmVTFVADNEociZ8DSGmafzUamrXrSTRcAurmFTNmC4",
"https://vtbehaviour.commondatastorage.googleapis.com/3aefe8dfb9c99f3a84f5f74b15afeaeca682c8c50f18fa59b2e0b06da9619f1d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775998463&Signature=qYYMHcxIAT2xuxsg%2F5YbX%2B0y0xuq1Bdd9afbiFWSZHWHsm16y4KPWqE8YDY6heMDu8H6K1bmLZjUn59Bei5cJgnVJtX4Qv6%2FJ9i%2FJXNS6kxDf5xDJvv%2FF%2FcK%2FVKyZS%2BVYzAwJ2OLrXxw4BNVIrT4nxtE34M2lc%2FjwH6H%2FLWNBighCC1k8cvWNbNJkBtGmfWtAfK%2FueAgi5glMRbAmq7xAC5XJGlhgUzo%2Fu2U9N",
""
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1003",
"name": "OS Credential Dumping",
"display_name": "T1003 - OS Credential Dumping"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1014",
"name": "Rootkit",
"display_name": "T1014 - Rootkit"
},
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1203",
"name": "Exploitation for Client Execution",
"display_name": "T1203 - Exploitation for Client Execution"
},
{
"id": "T1485",
"name": "Data Destruction",
"display_name": "T1485 - Data Destruction"
},
{
"id": "T1496",
"name": "Resource Hijacking",
"display_name": "T1496 - Resource Hijacking"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1542",
"name": "Pre-OS Boot",
"display_name": "T1542 - Pre-OS Boot"
},
{
"id": "T1548",
"name": "Abuse Elevation Control Mechanism",
"display_name": "T1548 - Abuse Elevation Control Mechanism"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1564",
"name": "Hide Artifacts",
"display_name": "T1564 - Hide Artifacts"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 458,
"FileHash-MD5": 575,
"FileHash-SHA1": 478,
"FileHash-SHA256": 1401,
"domain": 96,
"hostname": 235,
"IPv4": 130,
"email": 6,
"CVE": 3
},
"indicator_count": 3382,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 47,
"modified_text": "2 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69db4698d0cd0d278dc7ebac",
"name": "VirusTotal report\n for base.apk",
"description": "A sample of malicious code has been found on an Android phone running on the operating system, and it is believed to have been installed on a device that is currently running in the UK and Ireland.",
"modified": "2026-04-12T11:31:40.754000",
"created": "2026-04-12T07:15:36.900000",
"tags": [
"mitre attack",
"network info",
"file type",
"loads",
"has permission",
"accesses",
"sim provider",
"mccmnc",
"mobile",
"t1430 location",
"persistence",
"fraud",
"cloud",
"malicious",
"next",
"performs dns",
"processes extra",
"sigma",
"overview",
"overview zenbox",
"verdict",
"guest system",
"ultimate file",
"sandbox",
"malware",
"analysis",
"online",
"submit",
"vxstream",
"sample",
"download",
"trojan",
"apt",
"hybrid analysis",
"api key",
"vetting process",
"please note",
"please",
"script",
"navigation",
"doctype html",
"public",
"w3cdtd html",
"transitionalen",
"canceled",
"title",
"head",
"body",
"span",
"refresh",
"urls",
"https",
"united",
"may check",
"tls version",
"xffxf0 xffxf0",
"xffxee xffxee",
"xffxef xffxef",
"xffxeb xffxeb",
"px9d",
"xe4x84",
"fxf8",
"x94 x94",
"xc1 xc1",
"xffxf1 xffxf1",
"info",
"file size",
"mwdb",
"bazaar",
"sha3384",
"ssdeep",
"text",
"json",
"in a",
"accept",
"estonia",
"shutdown",
"back"
],
"references": [
"https://vtbehaviour.commondatastorage.googleapis.com/0000d7e596a5738d6310974ef61ee238316ed03bc97d4cb358617932ad8d1ef2_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775977719&Signature=nkKRbhcDpxdw98on7aVclCyF9iaYOrdx7xghDa6jjq48R1HK6lCpP2H%2Fv6rxdPNWs11JoBFgE3MwA1ZYRN8Agx6yaHEpe7UOXVn2H3IXFXu5iRM5sSelXe0sVXAZNiCnIpmLyM8VdDWBLCF6TJhhCNb%2BA7JeJFY4BXuE0JCylFC6IfrK2KyhsCqwoOPL%2BxBN22zBWM88MDh7fIROoVS%2BgBZTK6Ae1KM9I0JmsvqNh%2BZskj06IC",
"https://vtbehaviour.commondatastorage.googleapis.com/d45818a5cd5d41133eeb2bb915b70591823526786936d1ff425c82957057a080_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775977759&Signature=NBaN%2BKLt4kQxB6lxMAKf0PJGXB22KDgo54085YsLIZeKYr%2FZMbLuFYa65quTdyB8OT20aOMsT%2Bx7n2Nv%2BpBu9tlcAvqR27Q83JBzoWGOiDxS79sdgdFXXcK1fvBAY1%2BjtLvoBhQMAK7BZO3%2BuKbWEabvTF9p9Cwjhp%2FMQXMHRl%2BuPqE6REp29LQImSxPlNb5PmpRdhhhBX877q%2F6YPIpViq1j4uEa5xeFaF%2BLHuli03Gs93pzj",
"https://hybrid-analysis.com/sample/4e4fa68c1c4d2cfee133c31432dd303bb5746f7094b5a6832a25e47e6279171c",
"https://vtbehaviour.commondatastorage.googleapis.com/00000048b1c9e60c14a6619f0292dea96df7f10c11cfa9ae28693219c0ae844b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775977932&Signature=PwcvGhj2aoTTZWuXQAV%2Fk5iqc79LFl%2F4vKRmiwCg0lEljeWcXw48JPCdvRXB9d8jKJ3YlawrM8K3jVgBiRkawNtXHGkhIZp3kMOBGXmjii0zJ%2B%2BFryjqy3dSwsNCbzYOZqPvS38JrUto12cWGOcLXru%2F%2FaLJkK%2F5LZojEPdv487hPxxjaJl3q6IRjJ7RCeN6j7Rm9uA2EA2m0Di4VgQGK9uqgl04AslRkB8MiwSQ4TaGSHjp",
"https://vtbehaviour.commondatastorage.googleapis.com/00000722ff984d5cd9cd766d12c70eecc7a2ad7502999c5a99d582c79b92c1a6_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775978086&Signature=WBIzRJW%2FxjBBOf%2F0opd6hlj72t0fu7SbhJLmf%2FDLtoe3li5SgoZEYUg2Ogq0NvkC4WzbpRmzXeV1QmUY%2BooYwl%2BVNRjyw6fZqkbp%2FboMFSfQmgHU%2FQfi99Ch5BqGcNZge1bx9lbHBAP%2BY3QDDA3xzFU9c9aMJAaBlGjFT4TeXALcU00PEYHA95tX7zddbMc5uQhfHfn7fKlyKlmRq25jp6vA4xQImQFJc3s3pQ7WePxp",
"https://vtbehaviour.commondatastorage.googleapis.com/3b145ee102848506dc7551758ee869b43a1753f06fabcbcf9ca574cb7843d60e_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775978167&Signature=ukCrMHPUqB9sAvA3sCKxfTpKsnpIxfU1vyE1t7AsEZ2JBslXLn0KOjAMFlqSS33UscXS2xVpcOB1wOgX5ZbIlIX0m19OZ79aq1QXdbgZcRdsQ%2B07tzoo82jk6i7wuXsvtA8Lg1oPdLiq15X99Ey1Q4Qu%2F0YpJnHHOQ8zJCsmJIL%2BCV7ZRaam44zjH9hrfu2RFHKg7UN%2F%2BePHS%2FGSY3JiZ4dG10ymuI%2BSbNuvxnx4LIP9iAnFi",
"https://vtbehaviour.commondatastorage.googleapis.com/3b145ee102848506dc7551758ee869b43a1753f06fabcbcf9ca574cb7843d60e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775978199&Signature=N0Ry%2FbV%2BEAaGir5ToqgdLRpeg4LWS2qRlbG%2BPBgtoRM6IQyD7i%2FhtGHNcbCN9KZuxWP1kCJkqKu4dA%2BNcMjY450Zs5KmCD%2B78YZCte4YHq%2F3f2T0AuO7ero3nBCqlX8fVA62q8eDZQiroHG4hX0gMIaxBXDwUeQa0F%2FQpNa72K2aN4rAajClR%2BuBVPy1fnaokrr7bsvK6JvnhFwrTdLQq6%2Fd%2BulnVIbTCK1oSGXF",
"https://vtbehaviour.commondatastorage.googleapis.com/00000722ff984d5cd9cd766d12c70eecc7a2ad7502999c5a99d582c79b92c1a6_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775978364&Signature=yFKLOW7cLGxEDj33tw1mRKNjyzUXQUuQpv%2FrA3D2X5q8rw9kMCREsBLs%2F%2FNYRFxARS3RB5Lk4O6CmSWhNnG3A6HL18Gz6MgwskKshWmxISeMPsHS3bV%2F%2FfnGBWAext5N5I8M1E3kyouF%2FSW3NwXOVYP%2FTI%2BQ1I%2FDzIIYwu8Da44roDqJL3wQaxKZjyUAXa6fTXFaFor%2FO9DxLhb3cHkFxY9PbZuvVGjWowadR80d"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1406",
"name": "Obfuscated Files or Information",
"display_name": "T1406 - Obfuscated Files or Information"
},
{
"id": "T1421",
"name": "System Network Connections Discovery",
"display_name": "T1421 - System Network Connections Discovery"
},
{
"id": "T1422",
"name": "System Network Configuration Discovery",
"display_name": "T1422 - System Network Configuration Discovery"
},
{
"id": "T1424",
"name": "Process Discovery",
"display_name": "T1424 - Process Discovery"
},
{
"id": "T1426",
"name": "System Information Discovery",
"display_name": "T1426 - System Information Discovery"
},
{
"id": "T1430",
"name": "Location Tracking",
"display_name": "T1430 - Location Tracking"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1064",
"name": "Scripting",
"display_name": "T1064 - Scripting"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
},
{
"id": "T1409",
"name": "Access Stored Application Data",
"display_name": "T1409 - Access Stored Application Data"
},
{
"id": "T1418",
"name": "Application Discovery",
"display_name": "T1418 - Application Discovery"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 91,
"FileHash-SHA1": 86,
"FileHash-SHA256": 101,
"URL": 271,
"domain": 43,
"IPv4": 165,
"hostname": 306
},
"indicator_count": 1063,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 47,
"modified_text": "2 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69db469af0e341420764ab93",
"name": "VirusTotal report\n for base.apk",
"description": "A sample of malicious code has been found on an Android phone running on the operating system, and it is believed to have been installed on a device that is currently running in the UK and Ireland.",
"modified": "2026-04-12T07:15:38.372000",
"created": "2026-04-12T07:15:38.372000",
"tags": [
"mitre attack",
"network info",
"file type",
"loads",
"has permission",
"accesses",
"sim provider",
"mccmnc",
"mobile",
"t1430 location",
"persistence",
"fraud",
"cloud",
"malicious",
"next",
"performs dns",
"processes extra",
"sigma",
"overview",
"overview zenbox",
"verdict",
"guest system",
"ultimate file",
"sandbox",
"malware",
"analysis",
"online",
"submit",
"vxstream",
"sample",
"download",
"trojan",
"apt",
"hybrid analysis",
"api key",
"vetting process",
"please note",
"please",
"script",
"navigation",
"doctype html",
"public",
"w3cdtd html",
"transitionalen",
"canceled",
"title",
"head",
"body",
"span",
"refresh",
"urls",
"https",
"united",
"may check",
"tls version",
"xffxf0 xffxf0",
"xffxee xffxee",
"xffxef xffxef",
"xffxeb xffxeb",
"px9d",
"xe4x84",
"fxf8",
"x94 x94",
"xc1 xc1",
"xffxf1 xffxf1",
"info",
"file size",
"mwdb",
"bazaar",
"sha3384",
"ssdeep",
"text",
"json",
"in a",
"accept",
"estonia",
"shutdown",
"back"
],
"references": [
"https://vtbehaviour.commondatastorage.googleapis.com/0000d7e596a5738d6310974ef61ee238316ed03bc97d4cb358617932ad8d1ef2_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775977719&Signature=nkKRbhcDpxdw98on7aVclCyF9iaYOrdx7xghDa6jjq48R1HK6lCpP2H%2Fv6rxdPNWs11JoBFgE3MwA1ZYRN8Agx6yaHEpe7UOXVn2H3IXFXu5iRM5sSelXe0sVXAZNiCnIpmLyM8VdDWBLCF6TJhhCNb%2BA7JeJFY4BXuE0JCylFC6IfrK2KyhsCqwoOPL%2BxBN22zBWM88MDh7fIROoVS%2BgBZTK6Ae1KM9I0JmsvqNh%2BZskj06IC",
"https://vtbehaviour.commondatastorage.googleapis.com/d45818a5cd5d41133eeb2bb915b70591823526786936d1ff425c82957057a080_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775977759&Signature=NBaN%2BKLt4kQxB6lxMAKf0PJGXB22KDgo54085YsLIZeKYr%2FZMbLuFYa65quTdyB8OT20aOMsT%2Bx7n2Nv%2BpBu9tlcAvqR27Q83JBzoWGOiDxS79sdgdFXXcK1fvBAY1%2BjtLvoBhQMAK7BZO3%2BuKbWEabvTF9p9Cwjhp%2FMQXMHRl%2BuPqE6REp29LQImSxPlNb5PmpRdhhhBX877q%2F6YPIpViq1j4uEa5xeFaF%2BLHuli03Gs93pzj",
"https://hybrid-analysis.com/sample/4e4fa68c1c4d2cfee133c31432dd303bb5746f7094b5a6832a25e47e6279171c",
"https://vtbehaviour.commondatastorage.googleapis.com/00000048b1c9e60c14a6619f0292dea96df7f10c11cfa9ae28693219c0ae844b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775977932&Signature=PwcvGhj2aoTTZWuXQAV%2Fk5iqc79LFl%2F4vKRmiwCg0lEljeWcXw48JPCdvRXB9d8jKJ3YlawrM8K3jVgBiRkawNtXHGkhIZp3kMOBGXmjii0zJ%2B%2BFryjqy3dSwsNCbzYOZqPvS38JrUto12cWGOcLXru%2F%2FaLJkK%2F5LZojEPdv487hPxxjaJl3q6IRjJ7RCeN6j7Rm9uA2EA2m0Di4VgQGK9uqgl04AslRkB8MiwSQ4TaGSHjp",
"https://vtbehaviour.commondatastorage.googleapis.com/00000722ff984d5cd9cd766d12c70eecc7a2ad7502999c5a99d582c79b92c1a6_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775978086&Signature=WBIzRJW%2FxjBBOf%2F0opd6hlj72t0fu7SbhJLmf%2FDLtoe3li5SgoZEYUg2Ogq0NvkC4WzbpRmzXeV1QmUY%2BooYwl%2BVNRjyw6fZqkbp%2FboMFSfQmgHU%2FQfi99Ch5BqGcNZge1bx9lbHBAP%2BY3QDDA3xzFU9c9aMJAaBlGjFT4TeXALcU00PEYHA95tX7zddbMc5uQhfHfn7fKlyKlmRq25jp6vA4xQImQFJc3s3pQ7WePxp",
"https://vtbehaviour.commondatastorage.googleapis.com/3b145ee102848506dc7551758ee869b43a1753f06fabcbcf9ca574cb7843d60e_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775978167&Signature=ukCrMHPUqB9sAvA3sCKxfTpKsnpIxfU1vyE1t7AsEZ2JBslXLn0KOjAMFlqSS33UscXS2xVpcOB1wOgX5ZbIlIX0m19OZ79aq1QXdbgZcRdsQ%2B07tzoo82jk6i7wuXsvtA8Lg1oPdLiq15X99Ey1Q4Qu%2F0YpJnHHOQ8zJCsmJIL%2BCV7ZRaam44zjH9hrfu2RFHKg7UN%2F%2BePHS%2FGSY3JiZ4dG10ymuI%2BSbNuvxnx4LIP9iAnFi",
"https://vtbehaviour.commondatastorage.googleapis.com/3b145ee102848506dc7551758ee869b43a1753f06fabcbcf9ca574cb7843d60e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775978199&Signature=N0Ry%2FbV%2BEAaGir5ToqgdLRpeg4LWS2qRlbG%2BPBgtoRM6IQyD7i%2FhtGHNcbCN9KZuxWP1kCJkqKu4dA%2BNcMjY450Zs5KmCD%2B78YZCte4YHq%2F3f2T0AuO7ero3nBCqlX8fVA62q8eDZQiroHG4hX0gMIaxBXDwUeQa0F%2FQpNa72K2aN4rAajClR%2BuBVPy1fnaokrr7bsvK6JvnhFwrTdLQq6%2Fd%2BulnVIbTCK1oSGXF",
"https://vtbehaviour.commondatastorage.googleapis.com/00000722ff984d5cd9cd766d12c70eecc7a2ad7502999c5a99d582c79b92c1a6_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775978364&Signature=yFKLOW7cLGxEDj33tw1mRKNjyzUXQUuQpv%2FrA3D2X5q8rw9kMCREsBLs%2F%2FNYRFxARS3RB5Lk4O6CmSWhNnG3A6HL18Gz6MgwskKshWmxISeMPsHS3bV%2F%2FfnGBWAext5N5I8M1E3kyouF%2FSW3NwXOVYP%2FTI%2BQ1I%2FDzIIYwu8Da44roDqJL3wQaxKZjyUAXa6fTXFaFor%2FO9DxLhb3cHkFxY9PbZuvVGjWowadR80d"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1406",
"name": "Obfuscated Files or Information",
"display_name": "T1406 - Obfuscated Files or Information"
},
{
"id": "T1421",
"name": "System Network Connections Discovery",
"display_name": "T1421 - System Network Connections Discovery"
},
{
"id": "T1422",
"name": "System Network Configuration Discovery",
"display_name": "T1422 - System Network Configuration Discovery"
},
{
"id": "T1424",
"name": "Process Discovery",
"display_name": "T1424 - Process Discovery"
},
{
"id": "T1426",
"name": "System Information Discovery",
"display_name": "T1426 - System Information Discovery"
},
{
"id": "T1430",
"name": "Location Tracking",
"display_name": "T1430 - Location Tracking"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1064",
"name": "Scripting",
"display_name": "T1064 - Scripting"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
},
{
"id": "T1409",
"name": "Access Stored Application Data",
"display_name": "T1409 - Access Stored Application Data"
},
{
"id": "T1418",
"name": "Application Discovery",
"display_name": "T1418 - Application Discovery"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 91,
"FileHash-SHA1": 86,
"FileHash-SHA256": 101,
"URL": 271,
"domain": 43,
"IPv4": 165,
"hostname": 306
},
"indicator_count": 1063,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 47,
"modified_text": "3 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69daf535597472533079e5f6",
"name": "VirusTotal report\n for base.apk",
"description": "A sample of malicious code has been found on an Android phone running on the operating system, and it is believed to have been installed on a device that is currently running in the UK and Ireland.",
"modified": "2026-04-12T03:27:13.698000",
"created": "2026-04-12T01:28:21.713000",
"tags": [
"mitre attack",
"network info",
"file type",
"loads",
"has permission",
"accesses",
"sim provider",
"mccmnc",
"mobile",
"t1430 location",
"persistence",
"fraud",
"cloud",
"malicious",
"next",
"windows sandbox",
"clear filters",
"performs dns",
"processes extra",
"sigma",
"overview",
"overview zenbox",
"verdict",
"guest system",
"ultimate file",
"default",
"file size",
"mwdb",
"bazaar",
"sha3384",
"ssdeep",
"win1",
"acrongl integ",
"adc4240758",
"accept",
"shutdown",
"program",
"date"
],
"references": [
"https://vtbehaviour.commondatastorage.googleapis.com/0000d7e596a5738d6310974ef61ee238316ed03bc97d4cb358617932ad8d1ef2_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775957388&Signature=j7mXlx0GVb0TDeeeaHo0qwgZHxnVi4UTmmhgRk3wlp6IEw2ck926P9kdu9Bwyl5LaXy%2FYq3ymJRelUPUI7aCjoJFuGfYD8I7mw7EGYakeIUiWZYxhXK0JlufPqPnve%2FTHZC4XGtctnsv6V7oK3Qelm67Z1%2Fp1QbDgdl0oRB3JQ5cJs5%2BQhbBsphLhRc72Rvb3TCG6FhBlplf06D9RYxzJjXWoh3nCTN%2FCLpspJxyoVqlBlFyuN",
"https://vtbehaviour.commondatastorage.googleapis.com/0000d7e596a5738d6310974ef61ee238316ed03bc97d4cb358617932ad8d1ef2_VirusTotal%20R2DBox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775957405&Signature=jmT3CGVytjqR42R8NEdcnfLU2JfSqYRjGKmSOeTIeyM9zjC9SUc2kprtucDQyXxFQrY0aWlR5hpDk3ZhyivJ%2FWtzlSUgIPb%2BsD4I4iRT5lbhHsts9vvdB4gJ74TyMsaHv6yNq1Z5UMtXvu6kPXrDl4WsIFDKpzbKPFhkASB76qeXEEAqD6j%2Bxl8Lheyr7S6sS%2Fgcjh4VUmKvPDoXtavRuNyN3YJ6u4E%2BsfuJXw2zo0wiJOk",
"https://vtbehaviour.commondatastorage.googleapis.com/d45818a5cd5d41133eeb2bb915b70591823526786936d1ff425c82957057a080_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775957451&Signature=N2m2sK3XauqRFF3owN9CyW5oH4lW7mCTJC7JDPU4MBjdP9gjHB9u85xL9mfPmTng%2BipCBg7JmSxzAxBzlUHptzenijHka8MDBJ796vBsZ%2Bhf9LGPH8EVYbWTKjlz2eIj3GN4JzKOZa9EQFyZqUbLnR1U2Wsyv0mDXZA1sJtNZKH9fiCn5ywME8YL5w3m6CSem2hdKubPx%2BuC3px0Ln6qwsRV9fAsLV5pmFtLJVdUbNOJ5kXc6e4hc0ohlpRbP27W",
"https://vtbehaviour.commondatastorage.googleapis.com/59ab46ed842430175dd343634a4832a8ee326620f572ce6136847ce1ba8cd662_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775957494&Signature=UWODW7HArkGZy47J4shCBEE1miTB7G8oVfL98Pw0EcTRZ%2F5tHlFR4FscqBu0h11ell3iLxmgTk%2BVVk6P%2FKLVmhtL8jsFv9TgyY09W0SHHs%2Fd%2BzIzrOZVxeoV3U38ea0NyAdYTQyqu0iYCXCYgK06ML7ILo5aWLIzZINJR1dpRsAwA6uwJSYZ8Zvu5pMSdNF3fBIFVo86ElhKTEk%2F9mXzQCpBu0h9tzUggruaLOAo7S0eTw5JD8",
"https://vtbehaviour.commondatastorage.googleapis.com/fb087f42790328af4e77c319f2cba27555061293eaff1776f08a52d1d6a3b842_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775957524&Signature=uYl%2BWEuvmmRW4mWz7rkBPJbR6%2B%2Fk2opmif8T16J37itEzu%2Ba9Lx%2FD1xixRy0rucm6zCSI6Yhhq34qv%2FPc3vbJe29oov%2B0vPaVeyDvjDc7dNeBeTOfuauhCWFfaVW6oDvyWLOXVL1glPM8kCxcJHAhWXpS4t36D6nuKhNF4kiEu%2FDaqpON29XxvuYu1DPEdjaYfEkS8Ekofo5n52W2g7cDMyp6MvreGZ3gInElrum1ueOVAEiSWog7g"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1406",
"name": "Obfuscated Files or Information",
"display_name": "T1406 - Obfuscated Files or Information"
},
{
"id": "T1421",
"name": "System Network Connections Discovery",
"display_name": "T1421 - System Network Connections Discovery"
},
{
"id": "T1422",
"name": "System Network Configuration Discovery",
"display_name": "T1422 - System Network Configuration Discovery"
},
{
"id": "T1424",
"name": "Process Discovery",
"display_name": "T1424 - Process Discovery"
},
{
"id": "T1426",
"name": "System Information Discovery",
"display_name": "T1426 - System Information Discovery"
},
{
"id": "T1430",
"name": "Location Tracking",
"display_name": "T1430 - Location Tracking"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1064",
"name": "Scripting",
"display_name": "T1064 - Scripting"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 97,
"FileHash-SHA1": 91,
"FileHash-SHA256": 107,
"URL": 538,
"domain": 29,
"hostname": 256,
"IPv4": 39
},
"indicator_count": 1157,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 47,
"modified_text": "3 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69b28cce81e382b09cb58012",
"name": "VirusTotal report\n for universityform.xlsm",
"description": "outdated Excel form. origin 1980. doc 2007",
"modified": "2026-04-11T09:07:52.141000",
"created": "2026-03-12T09:52:14.899000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1064",
"name": "Scripting",
"display_name": "T1064 - Scripting"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1203",
"name": "Exploitation for Client Execution",
"display_name": "T1203 - Exploitation for Client Execution"
},
{
"id": "T1406",
"name": "Obfuscated Files or Information",
"display_name": "T1406 - Obfuscated Files or Information"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 2,
"FileHash-SHA1": 2,
"FileHash-SHA256": 4,
"hostname": 17,
"URL": 2,
"domain": 2
},
"indicator_count": 29,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 47,
"modified_text": "4 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69d7a3f511d0121d253b753d",
"name": "VirusTotal report\n for flow-browser-main.zip",
"description": "A sample of flow-browser-main, an unauthorised version of the web browser, has been detected by researchers at the University of California, Los Angeles, and the National Security Agency (NSA). myvzw.com after an email on ending a #",
"modified": "2026-04-11T05:35:43.116000",
"created": "2026-04-09T13:04:53.436000",
"tags": [
"file type",
"png image",
"ascii",
"ascii text",
"java source",
"json",
"rgba",
"creates",
"crlf line",
"mac os",
"date",
"malicious",
"next",
"button",
"span",
"edit3icon",
"rotateccwicon",
"xicon",
"htmldivelement",
"react",
"saveicon",
"null",
"shortcutitem",
"click",
"zip archive",
"png multimedia",
"graphics"
],
"references": [
"https://vtbehaviour.commondatastorage.googleapis.com/087797e64cf016f13eac46473b4150d49c7eba564c894300f69bc643b059c980_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775739500&Signature=r1pLCgJf%2FQK8TvenCwXy9bnghFzjJ5QssdQSLP37SLv6EkA3WXuFUIvKrsXKokco7bMfQUy%2FArk8F6aP%2Bhaj16Jv7P%2FGB%2Blf7mPvs47VjwfBJRCP8AZLlWvO45%2BjC68v798csdJFPTP31O4yDOE3pXZ3EThm4nSrIwLPhTSPfi3cPlEh2wLSzcySW7BYLw%2BqCoawFCxeLUz7hIV0vC89Mlwi3DeS%2BEnWFF%2FsvT9lVJjdbLoJLEeO",
"https://vtbehaviour.commondatastorage.googleapis.com/087797e64cf016f13eac46473b4150d49c7eba564c894300f69bc643b059c980_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775739700&Signature=bOTo%2FxCpGDGOsIKJDZjBBhLZRg8UiOGi%2FvVr47Xpmh7tOh9dez7911bi%2F9SUdu4ATLhzRVog%2BdVP%2BUPwTuEfIdEcPuGRGVc1KOSP3fTQrKhRjF3x2dqykxVCH%2B1iqBmCgod%2B1uAdlraxqSOeOgst1l%2Bk250uXff4axktE%2BfGjeNDeGJao%2FfOMktqIL7zU8%2BIQYTObwelnnYx45FBSiXI1bWM4vhdgIX4cs2cT%2F"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
},
{
"id": "T1560",
"name": "Archive Collected Data",
"display_name": "T1560 - Archive Collected Data"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 224,
"FileHash-MD5": 558,
"FileHash-SHA1": 564,
"FileHash-SHA256": 558,
"IPv4": 88,
"URL": 140,
"hostname": 166,
"email": 2,
"CVE": 8
},
"indicator_count": 2308,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 47,
"modified_text": "4 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69b1fe81a036fb6a5d7fe16c",
"name": "VirusTotal report\n for executable.exe",
"description": "",
"modified": "2026-04-10T23:06:53.889000",
"created": "2026-03-11T23:45:05.153000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 1,
"FileHash-SHA1": 1,
"FileHash-SHA256": 1,
"URL": 14,
"hostname": 7,
"domain": 4
},
"indicator_count": 28,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 47,
"modified_text": "4 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69b0f7ac95dc7083708d2091",
"name": "ALBERTA clone arek- btc - same virus.",
"description": "",
"modified": "2026-04-10T05:02:49.470000",
"created": "2026-03-11T05:03:40.599000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": "68346e8e3280aa271c02ec21",
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 100,
"FileHash-MD5": 178,
"FileHash-SHA1": 178,
"FileHash-SHA256": 1009,
"domain": 129,
"hostname": 321,
"email": 3
},
"indicator_count": 1918,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 48,
"modified_text": "5 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69d7a3f4d72c30f9586634b9",
"name": "VirusTotal report\n for flow-browser-main.zip",
"description": "A sample of flow-browser-main, an unauthorised version of the web browser, has been detected by researchers at the University of California, Los Angeles, and the National Security Agency (NSA). myvzw.com after an email on ending a #",
"modified": "2026-04-10T04:41:57.755000",
"created": "2026-04-09T13:04:52.444000",
"tags": [
"file type",
"png image",
"ascii",
"ascii text",
"java source",
"json",
"rgba",
"creates",
"crlf line",
"mac os",
"date",
"malicious",
"next",
"button",
"span",
"edit3icon",
"rotateccwicon",
"xicon",
"htmldivelement",
"react",
"saveicon",
"null",
"shortcutitem",
"click",
"zip archive",
"png multimedia",
"graphics"
],
"references": [
"https://vtbehaviour.commondatastorage.googleapis.com/087797e64cf016f13eac46473b4150d49c7eba564c894300f69bc643b059c980_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775739500&Signature=r1pLCgJf%2FQK8TvenCwXy9bnghFzjJ5QssdQSLP37SLv6EkA3WXuFUIvKrsXKokco7bMfQUy%2FArk8F6aP%2Bhaj16Jv7P%2FGB%2Blf7mPvs47VjwfBJRCP8AZLlWvO45%2BjC68v798csdJFPTP31O4yDOE3pXZ3EThm4nSrIwLPhTSPfi3cPlEh2wLSzcySW7BYLw%2BqCoawFCxeLUz7hIV0vC89Mlwi3DeS%2BEnWFF%2FsvT9lVJjdbLoJLEeO",
"https://vtbehaviour.commondatastorage.googleapis.com/087797e64cf016f13eac46473b4150d49c7eba564c894300f69bc643b059c980_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775739700&Signature=bOTo%2FxCpGDGOsIKJDZjBBhLZRg8UiOGi%2FvVr47Xpmh7tOh9dez7911bi%2F9SUdu4ATLhzRVog%2BdVP%2BUPwTuEfIdEcPuGRGVc1KOSP3fTQrKhRjF3x2dqykxVCH%2B1iqBmCgod%2B1uAdlraxqSOeOgst1l%2Bk250uXff4axktE%2BfGjeNDeGJao%2FfOMktqIL7zU8%2BIQYTObwelnnYx45FBSiXI1bWM4vhdgIX4cs2cT%2F"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
},
{
"id": "T1560",
"name": "Archive Collected Data",
"display_name": "T1560 - Archive Collected Data"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 220,
"FileHash-MD5": 562,
"FileHash-SHA1": 566,
"FileHash-SHA256": 1011,
"IPv4": 88,
"URL": 125,
"hostname": 139,
"email": 4
},
"indicator_count": 2715,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 47,
"modified_text": "5 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69d7a3f6f81dc2388c0fa027",
"name": "VirusTotal report\n for flow-browser-main.zip",
"description": "A sample of flow-browser-main, an unauthorised version of the web browser, has been detected by researchers at the University of California, Los Angeles, and the National Security Agency (NSA). myvzw.com after an email on ending a #",
"modified": "2026-04-10T04:37:51.196000",
"created": "2026-04-09T13:04:54.563000",
"tags": [
"file type",
"png image",
"ascii",
"ascii text",
"java source",
"json",
"rgba",
"creates",
"crlf line",
"mac os",
"date",
"malicious",
"next",
"button",
"span",
"edit3icon",
"rotateccwicon",
"xicon",
"htmldivelement",
"react",
"saveicon",
"null",
"shortcutitem",
"click",
"zip archive",
"png multimedia",
"graphics"
],
"references": [
"https://vtbehaviour.commondatastorage.googleapis.com/087797e64cf016f13eac46473b4150d49c7eba564c894300f69bc643b059c980_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775739500&Signature=r1pLCgJf%2FQK8TvenCwXy9bnghFzjJ5QssdQSLP37SLv6EkA3WXuFUIvKrsXKokco7bMfQUy%2FArk8F6aP%2Bhaj16Jv7P%2FGB%2Blf7mPvs47VjwfBJRCP8AZLlWvO45%2BjC68v798csdJFPTP31O4yDOE3pXZ3EThm4nSrIwLPhTSPfi3cPlEh2wLSzcySW7BYLw%2BqCoawFCxeLUz7hIV0vC89Mlwi3DeS%2BEnWFF%2FsvT9lVJjdbLoJLEeO",
"https://vtbehaviour.commondatastorage.googleapis.com/087797e64cf016f13eac46473b4150d49c7eba564c894300f69bc643b059c980_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775739700&Signature=bOTo%2FxCpGDGOsIKJDZjBBhLZRg8UiOGi%2FvVr47Xpmh7tOh9dez7911bi%2F9SUdu4ATLhzRVog%2BdVP%2BUPwTuEfIdEcPuGRGVc1KOSP3fTQrKhRjF3x2dqykxVCH%2B1iqBmCgod%2B1uAdlraxqSOeOgst1l%2Bk250uXff4axktE%2BfGjeNDeGJao%2FfOMktqIL7zU8%2BIQYTObwelnnYx45FBSiXI1bWM4vhdgIX4cs2cT%2F"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
},
{
"id": "T1560",
"name": "Archive Collected Data",
"display_name": "T1560 - Archive Collected Data"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 218,
"FileHash-MD5": 558,
"FileHash-SHA1": 564,
"FileHash-SHA256": 558,
"IPv4": 88,
"URL": 119,
"hostname": 133,
"email": 4
},
"indicator_count": 2242,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 47,
"modified_text": "5 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69afaca79dddf98b72dd06b1",
"name": "kitplay + breaktime :(",
"description": "all the kits connect. weather map pdf book health calendar the intersect of the apple product webkit aligning with edge node kits is a problem. I have reached 1 mil iocs in a month manually by phone. My ears ring, my hands burn, and my soul is as corrupt as my hollow root. Ive reported this as a whistleblower and ive reported to apple etc. I must take a break after I scan some CVEs until something is done, my lymph nodes in my neck are large and sore, though I hope I could help some. :/ stay well all. sos is because my phone doesnt work in emergency situations despite 30 devices between routers phones conputers being full factory reset. Ive lost everything. month 10.",
"modified": "2026-04-09T21:16:02.645000",
"created": "2026-03-10T05:31:19.353000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 268,
"hostname": 123,
"CVE": 11,
"FileHash-MD5": 135,
"FileHash-SHA1": 51,
"FileHash-SHA256": 203,
"email": 4,
"URL": 48
},
"indicator_count": 843,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 47,
"modified_text": "5 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69d7a3f683111bbbe1c9ae35",
"name": "VirusTotal report\n for flow-browser-main.zip",
"description": "A sample of flow-browser-main, an unauthorised version of the web browser, has been detected by researchers at the University of California, Los Angeles, and the National Security Agency (NSA). myvzw.com after an email on ending a #",
"modified": "2026-04-09T13:25:35.050000",
"created": "2026-04-09T13:04:54.775000",
"tags": [
"file type",
"png image",
"ascii",
"ascii text",
"java source",
"json",
"rgba",
"creates",
"crlf line",
"mac os",
"date",
"malicious",
"next",
"button",
"span",
"edit3icon",
"rotateccwicon",
"xicon",
"htmldivelement",
"react",
"saveicon",
"null",
"shortcutitem",
"click",
"zip archive",
"png multimedia",
"graphics"
],
"references": [
"https://vtbehaviour.commondatastorage.googleapis.com/087797e64cf016f13eac46473b4150d49c7eba564c894300f69bc643b059c980_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775739500&Signature=r1pLCgJf%2FQK8TvenCwXy9bnghFzjJ5QssdQSLP37SLv6EkA3WXuFUIvKrsXKokco7bMfQUy%2FArk8F6aP%2Bhaj16Jv7P%2FGB%2Blf7mPvs47VjwfBJRCP8AZLlWvO45%2BjC68v798csdJFPTP31O4yDOE3pXZ3EThm4nSrIwLPhTSPfi3cPlEh2wLSzcySW7BYLw%2BqCoawFCxeLUz7hIV0vC89Mlwi3DeS%2BEnWFF%2FsvT9lVJjdbLoJLEeO",
"https://vtbehaviour.commondatastorage.googleapis.com/087797e64cf016f13eac46473b4150d49c7eba564c894300f69bc643b059c980_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775739700&Signature=bOTo%2FxCpGDGOsIKJDZjBBhLZRg8UiOGi%2FvVr47Xpmh7tOh9dez7911bi%2F9SUdu4ATLhzRVog%2BdVP%2BUPwTuEfIdEcPuGRGVc1KOSP3fTQrKhRjF3x2dqykxVCH%2B1iqBmCgod%2B1uAdlraxqSOeOgst1l%2Bk250uXff4axktE%2BfGjeNDeGJao%2FfOMktqIL7zU8%2BIQYTObwelnnYx45FBSiXI1bWM4vhdgIX4cs2cT%2F"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
},
{
"id": "T1560",
"name": "Archive Collected Data",
"display_name": "T1560 - Archive Collected Data"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 218,
"FileHash-MD5": 558,
"FileHash-SHA1": 564,
"FileHash-SHA256": 558,
"IPv4": 88,
"URL": 119,
"hostname": 133,
"email": 4
},
"indicator_count": 2242,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 48,
"modified_text": "5 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69d7a3f6657dd0c212d8344a",
"name": "VirusTotal report\n for flow-browser-main.zip",
"description": "A sample of flow-browser-main, an unauthorised version of the web browser, has been detected by researchers at the University of California, Los Angeles, and the National Security Agency (NSA). myvzw.com after an email on ending a #",
"modified": "2026-04-09T13:04:54.060000",
"created": "2026-04-09T13:04:54.060000",
"tags": [
"file type",
"png image",
"ascii",
"ascii text",
"java source",
"json",
"rgba",
"creates",
"crlf line",
"mac os",
"date",
"malicious",
"next",
"button",
"span",
"edit3icon",
"rotateccwicon",
"xicon",
"htmldivelement",
"react",
"saveicon",
"null",
"shortcutitem",
"click",
"zip archive",
"png multimedia",
"graphics"
],
"references": [
"https://vtbehaviour.commondatastorage.googleapis.com/087797e64cf016f13eac46473b4150d49c7eba564c894300f69bc643b059c980_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775739500&Signature=r1pLCgJf%2FQK8TvenCwXy9bnghFzjJ5QssdQSLP37SLv6EkA3WXuFUIvKrsXKokco7bMfQUy%2FArk8F6aP%2Bhaj16Jv7P%2FGB%2Blf7mPvs47VjwfBJRCP8AZLlWvO45%2BjC68v798csdJFPTP31O4yDOE3pXZ3EThm4nSrIwLPhTSPfi3cPlEh2wLSzcySW7BYLw%2BqCoawFCxeLUz7hIV0vC89Mlwi3DeS%2BEnWFF%2FsvT9lVJjdbLoJLEeO",
"https://vtbehaviour.commondatastorage.googleapis.com/087797e64cf016f13eac46473b4150d49c7eba564c894300f69bc643b059c980_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775739700&Signature=bOTo%2FxCpGDGOsIKJDZjBBhLZRg8UiOGi%2FvVr47Xpmh7tOh9dez7911bi%2F9SUdu4ATLhzRVog%2BdVP%2BUPwTuEfIdEcPuGRGVc1KOSP3fTQrKhRjF3x2dqykxVCH%2B1iqBmCgod%2B1uAdlraxqSOeOgst1l%2Bk250uXff4axktE%2BfGjeNDeGJao%2FfOMktqIL7zU8%2BIQYTObwelnnYx45FBSiXI1bWM4vhdgIX4cs2cT%2F"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
},
{
"id": "T1560",
"name": "Archive Collected Data",
"display_name": "T1560 - Archive Collected Data"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 217,
"FileHash-MD5": 558,
"FileHash-SHA1": 564,
"FileHash-SHA256": 558,
"IPv4": 88,
"URL": 118,
"hostname": 133,
"email": 2
},
"indicator_count": 2238,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 47,
"modified_text": "5 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69d79c38e0a059039b475ebe",
"name": "CAPE Sandbox",
"description": "Email today from them on my line. Very wild things happening here. trying to close my line",
"modified": "2026-04-09T12:55:23.059000",
"created": "2026-04-09T12:31:52.495000",
"tags": [
"html document",
"unicode text",
"utf8 text",
"crlf",
"lf line",
"site",
"meta",
"verizon",
"wireless",
"internet",
"phone services",
"official",
"shop verizon",
"lte network",
"get fios",
"title",
"code",
"error",
"utc na",
"utc google",
"tag manager",
"gtmw2vn2cq",
"utc dc9849921",
"utc dc685973",
"utc g12r1dx1lx7",
"utc aw647962234",
"utc aw2761768",
"utc aw685973",
"verizon business",
"verizon for business",
"verizon business account",
"verizon business phone",
"verizon wireless for business",
"verizon business service",
"verizon business plan",
"business internet services",
"learn",
"gartner",
"contact",
"find",
"discover",
"support",
"close log",
"shop",
"upgrade",
"small",
"voice",
"chat",
"mitre attack",
"network info",
"program",
"html page",
"t1055 process",
"overview",
"processes extra",
"overview zenbox",
"verdict",
"guest system",
"phishing",
"next",
"ver2",
"msclkidn",
"utc amazon",
"analytics na",
"utc bing",
"vids1",
"vids0",
"gdlname"
],
"references": [
"https://vtbehaviour.commondatastorage.googleapis.com/edb4c21d60daa44b3429e7ba9bfa342759ebef23c136c934f74aef145453ce19_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775737365&Signature=S%2B7RcHYjab1hbKlKwFfvUbDirFPJS1A2TJQ3bVIObMcON4PD9pRDvhMtYMCnEBrYsICi0UJCFW5eUDolL5Jlbngsc587kF36vvuhlkPprbkSOY1jOyDTpe3Qsb6jRFz3xwOfZc9S5QervoLnRKb%2FyGSyZE6ZK6TxzBrOPczPtZ7sLf9NfD6E%2B2gMRXaRjEqVwVITLG7YqCiiNuohFOuNlK3uNHFpIk53viKvBSAIqLtSklH9bHW4q1DX",
"https://www.verizon.com/business/",
"https://vtbehaviour.commondatastorage.googleapis.com/edb4c21d60daa44b3429e7ba9bfa342759ebef23c136c934f74aef145453ce19_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775737710&Signature=fbsokraSd7lsYmUfaTEl8Phs2K3hp7AtVmQU9axeEBcYmYbrrYrrfpP5lPEQaE%2Fh3%2BEP9Rn8mD8D1haqQVXCN0VVlxJ4sddjWmyC5USsgBsvUb0%2F72h1WHDS2KXHlteZWE%2Bauckabain9D5kX501AnqFY38s77OIqO6SMOkQ%2BvXiDSSRK%2FZhbfradBnei3ZLHsXGxkoshTyvB0%2BC%2F8SiUzdVsqSjik0Bn2r%2BIlLpDQK90GlZTD0N"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 772,
"hostname": 706,
"domain": 875,
"FileHash-SHA256": 2348,
"FileHash-MD5": 2237,
"FileHash-SHA1": 2260,
"IPv4": 442,
"CVE": 1,
"email": 9
},
"indicator_count": 9650,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 47,
"modified_text": "5 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69af997214b4fa5419296e9f",
"name": "CAPE Sandbox",
"description": "",
"modified": "2026-04-09T04:21:15.538000",
"created": "2026-03-10T04:09:22.889000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 88,
"FileHash-SHA1": 85,
"FileHash-SHA256": 73,
"hostname": 40,
"URL": 16,
"domain": 3
},
"indicator_count": 305,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 47,
"modified_text": "6 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69af9a937ef402d973c083d4",
"name": "CAPE Sandbox- please review my VT threat gragh same name",
"description": "refer to my VT threat graph!",
"modified": "2026-04-09T04:21:15.538000",
"created": "2026-03-10T04:14:11.847000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 88,
"FileHash-SHA1": 85,
"FileHash-SHA256": 73,
"hostname": 40,
"URL": 16,
"domain": 3
},
"indicator_count": 305,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 47,
"modified_text": "6 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
}
],
"references": [
"",
"https://vtbehaviour.commondatastorage.googleapis.com/087797e64cf016f13eac46473b4150d49c7eba564c894300f69bc643b059c980_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775739700&Signature=bOTo%2FxCpGDGOsIKJDZjBBhLZRg8UiOGi%2FvVr47Xpmh7tOh9dez7911bi%2F9SUdu4ATLhzRVog%2BdVP%2BUPwTuEfIdEcPuGRGVc1KOSP3fTQrKhRjF3x2dqykxVCH%2B1iqBmCgod%2B1uAdlraxqSOeOgst1l%2Bk250uXff4axktE%2BfGjeNDeGJao%2FfOMktqIL7zU8%2BIQYTObwelnnYx45FBSiXI1bWM4vhdgIX4cs2cT%2F",
"https://otx.alienvault.com/pulse/69b65d6a27024117a4cd3540 [credit msudosos]",
"https://vtbehaviour.commondatastorage.googleapis.com/00002a21db1b687c9d78890d13e48ac1a96a9bf2a4c1b55423f4003ce96e7561_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776182405&Signature=ZMUm29yvOSEjo0LQQD1asxG2sdFlK5%2F4y2UHODrULP%2B6HqNNjMHfmfRv%2BVxnED4359E6L9MXV4n6tEBGdnia8EvQYzZQJ58Ros6%2F%2FfYr9WoRACqGslsG%2BHVMKGMGX62YA2UlrAH35OCDgUTwdGIHtpLgXfOd%2B46e6wzXuB1t8GANSgN4v5xv3S83gd7W14KQ2aD95Q0vZt%2F7Ue48%2B53m2JvkcBosiH2AxKaRxQIN%2BXz6cshh6p",
"For Record: This is not singular blame, while the origin of this root is the problem. It is not isolated.",
"https://vtbehaviour.commondatastorage.googleapis.com/998cd8dcaf876dc66946e1c5f22ef7b8e3ea8de99cd8332d088a9b285fb2f1f7_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775865192&Signature=BypXbESJ8I4kqzj5KlF3FCin0434BxGjxXXofwkjyqQfBwNvYJTJGPpRPHnvqmntGoukqmPBezQdcv67hZUXulr885cbljCP90Y6P75SdRtlYOqDEOYGAVgLKOUxW3BGjKy%2FAqS6M0GC9KNsMLw%2FjOyC%2B2N%2F0AlIAyOTl0pX2Pbv6GgplZAbATne%2FCbkvUjwdxaeRv5iLmVrYtOdTVlljzdECcRiQ9rvqI3Aj27UR1qfuhS8vc%2",
"Domain: navy.mil DNS Files IP Address: 192.5.41.40 Location: United States",
"Alerts: network_http nids_alert suspicious_tld allocates_rwx antisandbox_foregroundwindows",
"Alerts: antiav_servicestop persistence_autorun network_bind antivirus_virustotal network_http",
"https://vtbehaviour.commondatastorage.googleapis.com/d11869fdfbf4bd87085e351b24d2c0e2ba5813fa267b05d969d9d2e46685d113_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776183621&Signature=uQSwwOzpii%2FcKjaUt3UZ%2FKZ3C4DkSr3t5dURsz2pP4Es9CFMIWEz6oIAcURcfVri02K%2BedntrmLkvOs6c3g0yFcdgd9a82ARJF9jS5mDQGPXq9y54iiFvjgN98zNT%2BgoGoBF3IxeSAWO47BNwqYPY%2FzaVM0Pv14iXCBltAIH2Ss8R0OYrQytKcQLW48ggBvdA6fDl9x78WtpptMgs9Eu85KAN0wwHvtcrRpd1notnOQZYiYBk1qaAWD4HSrr",
"https://vtbehaviour.commondatastorage.googleapis.com/264a5fc8205c3ca76d186e04238055427de9d189709bbc4b1844599d498d05d2_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776182568&Signature=oG3sKCviFlcMT0QiFuQ05ebZkwPVvz5I5HUTNiUwfN2ldGBghRVLc5N9lUiV%2F4Chnoqg2dtvRlBGdNJ9erW0jueVM%2FY6DerZ2%2BVfd4bJos9epiFLxlHY%2BIaL5pRHeWIfcZ%2FaTK%2BhCSACOVOCRPHlchcUIKNH2Qqwsk9qWywx3k%2BuYq9lkq6bHRqrSWRveTrqVd559kMHuKds6IWr3IHQ83cnniAy%2BrXs2PzbfQWr8YqSn1%2FvvDyM",
"https://clockoutbox.es/password",
"Digi/Global Sign - audit 2020 digital intersect",
"Gatsby Library Loader, DLL",
"https://vtbehaviour.commondatastorage.googleapis.com/00002a21db1b687c9d78890d13e48ac1a96a9bf2a4c1b55423f4003ce96e7561_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776182484&Signature=ZhGulxlaniGue38b6AlCfXFOolhEEd1LRl1zQL4iS7pgld1GcOA1rAFnLpPUfTa7QbYt2XYl%2B69trqlFhS56HAJodeHJl8hLN1ZSe2yD56hBs5FNe45OeTzGmGRCvB23eCa6%2BFf7lkBEMPU7P6T4BylmHDskYtaXGm8%2B4J65yK3h3rEBYG7%2FzfMCeIqLzMARAW%2BGN%2B9skhx5nFTl5z9mYcTJpsJWUVIM6gdkzdOt8rkSI4WTZU",
"Yara Detections: Armadillov171",
"https://vtbehaviour.commondatastorage.googleapis.com/26b3bfa810cd37fe4046221ab2269b360e9a6c51961db6fd95e7499e2d76d544_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775997821&Signature=IjR3qiuvOqpJ0ChD%2FQ%2B0QKlCAsWejT6Ei8KIh27ZO2t%2BnO1oDrCrR7D3x3lf6xKLr93CFw7bU1IUQONv3WbJ%2BJ0oyQ0yhyalr5VTTy1mHEphjCvObM%2B8PPv6o5cjYXYDpKVcQjBFrkgGvJxrleE5kQvx6irIRcFMTUdnDVuNEcV6sALKN3oYRo%2B%2Fvk7TA%2FfAVTtpBhUfsC4dvVAJnRQgBC4gEzEYuZN3oaDzlYUCoghsW5",
"https://vtbehaviour.commondatastorage.googleapis.com/edb4c21d60daa44b3429e7ba9bfa342759ebef23c136c934f74aef145453ce19_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775737710&Signature=fbsokraSd7lsYmUfaTEl8Phs2K3hp7AtVmQU9axeEBcYmYbrrYrrfpP5lPEQaE%2Fh3%2BEP9Rn8mD8D1haqQVXCN0VVlxJ4sddjWmyC5USsgBsvUb0%2F72h1WHDS2KXHlteZWE%2Bauckabain9D5kX501AnqFY38s77OIqO6SMOkQ%2BvXiDSSRK%2FZhbfradBnei3ZLHsXGxkoshTyvB0%2BC%2F8SiUzdVsqSjik0Bn2r%2BIlLpDQK90GlZTD0N",
"Yara Detections compromised_site_redirector_fromcharcode , Delphi",
"https://vtbehaviour.commondatastorage.googleapis.com/00000722ff984d5cd9cd766d12c70eecc7a2ad7502999c5a99d582c79b92c1a6_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775978364&Signature=yFKLOW7cLGxEDj33tw1mRKNjyzUXQUuQpv%2FrA3D2X5q8rw9kMCREsBLs%2F%2FNYRFxARS3RB5Lk4O6CmSWhNnG3A6HL18Gz6MgwskKshWmxISeMPsHS3bV%2F%2FfnGBWAext5N5I8M1E3kyouF%2FSW3NwXOVYP%2FTI%2BQ1I%2FDzIIYwu8Da44roDqJL3wQaxKZjyUAXa6fTXFaFor%2FO9DxLhb3cHkFxY9PbZuvVGjWowadR80d",
"https://vtbehaviour.commondatastorage.googleapis.com/d45818a5cd5d41133eeb2bb915b70591823526786936d1ff425c82957057a080_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775977759&Signature=NBaN%2BKLt4kQxB6lxMAKf0PJGXB22KDgo54085YsLIZeKYr%2FZMbLuFYa65quTdyB8OT20aOMsT%2Bx7n2Nv%2BpBu9tlcAvqR27Q83JBzoWGOiDxS79sdgdFXXcK1fvBAY1%2BjtLvoBhQMAK7BZO3%2BuKbWEabvTF9p9Cwjhp%2FMQXMHRl%2BuPqE6REp29LQImSxPlNb5PmpRdhhhBX877q%2F6YPIpViq1j4uEa5xeFaF%2BLHuli03Gs93pzj",
"IDS Detections: Query to a *.pw domain - Likely Hostile",
"https://vtbehaviour.commondatastorage.googleapis.com/a77a417f32cbded88f0d4e3663963a8965e72a25398acc329d907143e4ac3b23_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776230863&Signature=MAUJlRZPDmQ8L%2FN5a%2F5%2FFKR6Avr46BE%2BopAgWZomEP4ZjskOPFdqUdHqNnWlGWBv%2FQh4X7Z7p3aft1KWZdvUXnSZMerAL7Kuh%2BCK%2BLXLSALQZ9DL6ZpXdOktgaTxL6heoTmcz%2FvpOVmsFn%2FgbzxQjLZ9GliY9AQE1C3VJAZmqdMbG1Y%2FIpByCKcEokrgAN%2B7XhJGE94VD8A4luLzKvlyVYuqoFv6raDRdQMFBOXOJCXkyjJk",
"https://vtbehaviour.commondatastorage.googleapis.com/5db6524a52780ba7a4bd05e5faa20cbb7159f1c503394d850b5e95442357fb38_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776230974&Signature=zYx3MmXFQoBT4EG2nvG5OZiyNhwKxbZzjL6%2BNZgR4Vz%2FdHSEDvbVaSpxmWXWVYIvSYVfBhn1WxEelG4wi1yRrrS7CXwxSbXtv1E6hBhtT8u%2F%2Fj%2F4eRs2Jtulv5WvBY99pZ53qx9cvc8vV%2FgELVw%2Fy%2Bjat%2BN72%2BtX0XBhiiOt%2BtpVFkjl12ns9sbW6xNwzsrENkL5xhuctZ7TX2AX188SrJb9s5VM0wK7F8",
"https://vtbehaviour.commondatastorage.googleapis.com/3e8cba5ce163a9275fe8d4e3f70fbc9815423b9a56b12e7fb03693731e359168_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864913&Signature=IouqGht2TIixfjPtpgKYXJa3ScKi4POLcjQ5l1QIvD%2FFa5zZyHMSYcu%2BxmFWI7uYljRPLlgpgSkRCmIw8EC4uFBI30ISHg83%2F50%2BiqTogu3I4rUpYoX3AQ7hXJwj%2Bz4YoYTt9SoS7jb9WfTUcNYHoIzY9ISoBzndPQfvv5155GpqsCvDXCT2Fd%2Byks95PB9FEdHE1SKYmlWsxPctfAYSIT2mOmBRTrxWO%2BrAUwTATD3cQts0",
"Email: d4@thinkman.com",
"https://vtbehaviour.commondatastorage.googleapis.com/3b145ee102848506dc7551758ee869b43a1753f06fabcbcf9ca574cb7843d60e_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775978167&Signature=ukCrMHPUqB9sAvA3sCKxfTpKsnpIxfU1vyE1t7AsEZ2JBslXLn0KOjAMFlqSS33UscXS2xVpcOB1wOgX5ZbIlIX0m19OZ79aq1QXdbgZcRdsQ%2B07tzoo82jk6i7wuXsvtA8Lg1oPdLiq15X99Ey1Q4Qu%2F0YpJnHHOQ8zJCsmJIL%2BCV7ZRaam44zjH9hrfu2RFHKg7UN%2F%2BePHS%2FGSY3JiZ4dG10ymuI%2BSbNuvxnx4LIP9iAnFi",
"https://vtbehaviour.commondatastorage.googleapis.com/d45818a5cd5d41133eeb2bb915b70591823526786936d1ff425c82957057a080_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775957451&Signature=N2m2sK3XauqRFF3owN9CyW5oH4lW7mCTJC7JDPU4MBjdP9gjHB9u85xL9mfPmTng%2BipCBg7JmSxzAxBzlUHptzenijHka8MDBJ796vBsZ%2Bhf9LGPH8EVYbWTKjlz2eIj3GN4JzKOZa9EQFyZqUbLnR1U2Wsyv0mDXZA1sJtNZKH9fiCn5ywME8YL5w3m6CSem2hdKubPx%2BuC3px0Ln6qwsRV9fAsLV5pmFtLJVdUbNOJ5kXc6e4hc0ohlpRbP27W",
"https://vtbehaviour.commondatastorage.googleapis.com/00002a21db1b687c9d78890d13e48ac1a96a9bf2a4c1b55423f4003ce96e7561_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776182551&Signature=pFmSgFS63F9nD5idScNlwrNQf0IwHGZXagtahm%2BCtBwvWshbJt7BHIwYHPaLKabmBSfvP4qNSVA9sCNWl6uMcrJDL6vNnebIQXG5N3C2UXzWC2GBLt6xa13F6jEnHnc8w7XgMnC2qixReqfUzmKH11llWvimieI7YNlY%2BWO91jTSdiqFyCnd95VovUDx2kK%2BF%2BM0clx89XmZRfU9PfWIReaDleGU%2Bho9t0vqCx0Fkz%2Fa",
"amazon.com \u2022 pki.goog \u2022 google-analytics.com",
"tick.usno.navy.mil , navy.mil: trojan:Win32/Tiggre!rfn Win.Trojan.Rootkit-4668 Win32:Agent-ALXE\\ [Rtk] Win32:Malware-gen",
"Google- look at 202 to Icloud docs likely feb 2025 but possible Dec 24, jan 25 up until June 2025",
"Alerts: stealth_window packer_entropy uses_windows_utilities",
"TrojanDownloader:Win32/Umbald.A\tMalware infection",
"https://www.virustotal.com/gui/search/maxsecure:%22virus.webtoolbar.w32.searchsuite.gen_227097%22%20entity:file",
"Sectigo- Check abnormal patterns Sept 8, 2025 and ADT check alarms that went off",
"Domains Contacted: www.virustotal.com www.gstatic.com fonts.googleapis.com",
"https://vtbehaviour.commondatastorage.googleapis.com/003c70373fd8307426c9597ea691d0065e4b17fbeaea25155d3180d59d19aecd_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776235484&Signature=hjxNiAS7V%2Bsk78jk2ksTamwBDr%2Bbip09k8w%2FY%2FkvqfB676c53pmH%2Fwa7Py9BXy9tIptTKWA5SsC3Zck6ghdFqW3CcffOr0qRIsUIFknMfbuE3oC4UsaSuLoa%2B54UO0%2FJMTN9B5Y1HSbWJqFkxVX1WVQ5ry5yt9yJUK3m0DTRx9bsJ%2FoCKT3ionJdg5tZcst941SNesx3DRgpuAQmN9UVlNpRNCEwutgqN8XoC4EnI5l6Nt",
"Yara Detections: MS_Visual_Basic_6_0",
"This is reckless. This is dangerous. Us actors should be ashamed of themselves. #spreader",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229700&Signature=bWnonefGUZtYeK3iLEK3l6B1K8s5LAANJsHqgu2f0adNPoq5aO1WnMIFL001ZRPLhg3zHdzVWEliZbOKd464xRNceJ7qnwM2u%2BoTUWVsdG7sWp8m3KT9cy98h7ihyVxEJudR7SVtw3hFHyjnbgFd8um7IWE3l2SqVOMKxir6agkJHMAg85Uq%2B29m%2Fxor5i2T2eJagX5555p5VHGXCleUwHe47ThbWegYdvCtAeZOtTKyRSdkhAYjfh3BJ1x2dWJ2",
"France",
"IDS Detections: W32.Bloat-A Checkin DYNAMIC_DNS Query to Abused Domain *.mooo.com Suspicious Dynamic DNS Update Request Suspicious User-Agent (MyApp)",
"https://vtbehaviour.commondatastorage.googleapis.com/00000048b1c9e60c14a6619f0292dea96df7f10c11cfa9ae28693219c0ae844b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775977932&Signature=PwcvGhj2aoTTZWuXQAV%2Fk5iqc79LFl%2F4vKRmiwCg0lEljeWcXw48JPCdvRXB9d8jKJ3YlawrM8K3jVgBiRkawNtXHGkhIZp3kMOBGXmjii0zJ%2B%2BFryjqy3dSwsNCbzYOZqPvS38JrUto12cWGOcLXru%2F%2FaLJkK%2F5LZojEPdv487hPxxjaJl3q6IRjJ7RCeN6j7Rm9uA2EA2m0Di4VgQGK9uqgl04AslRkB8MiwSQ4TaGSHjp",
"US, Philippines, Ukraine, Iran, China. Alberta.",
"https://vtbehaviour.commondatastorage.googleapis.com/930fd5e980c675c0eeb55d1c3c4b462dae4e9add472228ef9d9d3941d8603c48_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776246921&Signature=X1jzLW3418s%2FQ18Krko%2B307kskS6d2hv1BEZN918A03%2BgNR7LtEHC48e5%2F3mRCz0n3H1wrLvbc3pB9GFSEcPI1iYWIN2YZa8TRUv8pk%2BTsrfc0GlUPG1JwElP67v80tNQVAvFXYkI00vaXUyTEIAWltRkZnJCH1iOD%2BnGOcmzDsQ28fJBY6ZXAoee8pz1CL%2B95j7wn8%2FdET4YQdhduJj0x3M%2BM5oon%2FgzuHLI70rvQ",
"https://exchange.simply.ms/owa/auth/logon.aspx?url=https://exchange.simply.ms/owa/&reason=0",
"AS8560 1&1 ionos se | 74.208.229.157 | www.thinkman.com\twww.thinkman.com | United States",
"IMPACT: https://www.virustotal.com/graph/g92989765f2d44094a4f25307e33fdef026650fe364c640f894bef43f2646a815",
"Alerts: allocates_rwx antivm_disk_size creates_exe creates_service suspicious_process",
"APKMirror https://www.apkmirror.com",
"https://vtbehaviour.commondatastorage.googleapis.com/556700ac50ffa845e5de853498242ee5abb288eb5b8ae1ae12bfdb5746e3b7b1_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864574&Signature=bMyayDFFBh9o7SKCdDEmOXLxG1DU4rSM%2FUEOzGrynPSC%2BtV0OxoHoTrSpk4WhCDb9aQtdHkWrbkt3dDAaYhnHSbvWbBqT%2BVfVwWUnst5sI142wOEd2vg4qTum281LBoJ295gTb%2BQKnfTPGXmTW5k9G5L%2FAV%2BegT4neE2xS%2Ba0Daru1OpFYTEq2Cyb0sH66jGRSTHDjHVJaHtZyYTLXjj5Q8rrEBxbDSD0Eh1XqpNLKqoMXQ7",
"Remediation: Long. Expire the certs. Block the IP for exfiltration 53. Audit 'badge' usage, ASAP.",
"Proton.me/Zenbox: Audit July 2025",
"https://vtbehaviour.commondatastorage.googleapis.com/b0b9aa9f245afb8f001e1d0c3be360fac8128469e52b5242115a7ff6e6c04978_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229294&Signature=OdVBHVnXq3aV47RlsO8ckBUvhV7Kn9b%2F4xcw6rkjRGl101K0lV0KpQpJFnEJ2JNjbsHO7vdMuiA2nR7aFNAx3pK6oJ2uEM5B%2F1BElXy3wNiL6OMqOj6VDv1lBLizeW3yvJG2V6sF%2By0mIhjiIDTOWyndGkDQoxymSgXyRoelmqrYH09k2E5CRoipEjdu2HUz6DgB0hePe4bG7h%2FBmerbDws5a3iwYrIjxjcFH06RSyYEapwLeYDZLUN8zzbnyg",
"AS27064 DOD Network Information Center? | 192.5.41.40 | tick.usno.navy.mil tick.usno.navy.mil | United States",
"Alerts: console_output antivm_memory_available pe_features",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229786&Signature=xYXDEDJcly%2BwCTkFPUyrSr228UUue%2BCAjKBOxrc5lIwprWxivXrJrS40lCNF%2BKMLkA9i6z04spAOemhRUK66rLcdqghb9T%2FBO4LbtGMX%2B1PAsVhS%2BP4qygPXIHJ5%2B8wxoZW2tYaq0ZvgAT6JnxbkWd5C0zOxXk%2F9hT6Vp9O5ikL6ZfyZ6slwyrcaPf2dQp0s8qV47TDrYLbF3PtfUd7Gqo1FH%2BCeT2v3waoi7mEQ%2BR",
"https://vtbehaviour.commondatastorage.googleapis.com/37f12bc75b877cf1823020f35dfc55ecde4dd992020b7059b13cbc2a59a1602b_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776233810&Signature=RD85gBCBa6ClHHnNqywd6%2FYlQHrUais%2BuABeaQrUngJuiQTTEyzmUagxx2k2VZ0tgbmEb%2Fdh9lTTFZXkRC4cQ18iE4OIl6IKM5Yzxmd8vDT6dmCvEzCiRUxmplXzVUHTJFz1dNIy0zvMDzEuAWEpKf2wo823yU%2F4PaxOceMkJ%2Ftq5Jehb6pUn6ILf%2B5FOEGJpxjXrbtWS%2BT%2BA5ScNml2cc8140P9mQ%2BmMx2EAW",
"http://www.aerix.com/__media__/js/netsoltrademark.php?d=www.pornxxxgals.info/latex-porn/",
"https://vtbehaviour.commondatastorage.googleapis.com/7737f90de7e9fc0935561c017e9ddc4a58337ebc25873f0bbcfe860790f3f888_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864361&Signature=veuhxaGctQeo8%2Fn4rw%2B0WB9QOIg%2BQ1N8MB7v3DwF%2B62SjERN%2FRvB6TDfvUUTTliDHAoHz3fjS19CbwtV1Unc1am%2B%2BFc7y%2FvbN%2FI2hV89mw0rCJH%2FQO9AEkKW%2BarXuvgc%2FhRwTho4ZnesEmMpmyTKqbGVDug%2BytkzAr9LluXTWzriWnG1JT1EudSc4CRQEorYeNyPlA7BPaIKmulDdM5whcIEVDFq4ZCywyfT",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229983&Signature=pjZPJEd79tkxjTOXjGMHb4Ed29a3OnC2MaGvoEp2E%2BtUNlKu%2BjXXLzR8Y%2FZlOZH1iQYAVjw%2BGSPneb4wnbT1VPNraQ3Xf5M6aAPdM6%2FksMddUDZcLVnFuSdgwU93ADeZobmWXc%2BJH1%2FguUu9OPzHo0G%2BgRmTNqH9qd3UF67OJAc5REJ07uMtzQuuBx6rXGruAKZEVmDJkBSj%2BYeGTwZmIa5rki62YowEiVDCcQ",
"https://vtbehaviour.commondatastorage.googleapis.com/b5cbc5fb20fb38eeec1be1b9befddfb1fb4e74ebd6393c5a284600b4fd8edd72_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776178045&Signature=hfNfMWMWKlkR0dmNZ4tTVvmgM0aQ3daOKDfK8yNihejr3kujfb37wAq3LmH7qtp%2BoiIbsDP06zGcG8dlexlRIuv37dwHofiSildpsN54e2zZ%2F%2Fn25cvnS2OqCOrlkZKLS4HfUQG4uDxTT6nCFFjtk1d88D7GRghUOiDYdLgbVfBW5DFTJ5bmDWA%2F%2FQn7%2BGjfOnnJonkxYfKJ0NAUYmESIbbNs2z4ZohntfXj28HJ8ofBVh09Vk",
"Alerts: multiple_useragents dumped_buffer networkdyndns_checkip network_http allocates_rwx",
"Alerts: nolookup_communication persistence_autorun bypass_firewall network_http p2p_cnc",
"Win32:Crypt-SKC\\ [Trj] , Win.Malware.Delf-6899401-0 , Worm:Win32/AutoRun!atmn",
"https://vtbehaviour.commondatastorage.googleapis.com/556700ac50ffa845e5de853498242ee5abb288eb5b8ae1ae12bfdb5746e3b7b1_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864647&Signature=mDHtSOi0zOPuqTTrMsZZ%2BVpqtKq5cnDBge5WCtUppoR8EfcB14tzbezXHfWuEIyjLzT5N3b8WzssT3rIN76R8yEfCMMe32RXWxX3B5Tz%2FF%2BmLQ95M2ysgIHlBEnV4ndYMRbPmJgfEV8X1at%2BQxGaOWCwifeB%2Fjd9hGk0jPWA9aLGj4Lleu%2FzV%2FyljXp2Ncxquv54TyDh55F0W1W0QD9R4i1VpZqh2UpnvpCi8RSM16",
"Amazon- Check new cert subscribers on or around Sept 15 2025",
"https://vtbehaviour.commondatastorage.googleapis.com/7395f24f709e2c947593e7124f0107a17bf71f9eff782433f00e9aae27edf6fc_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864829&Signature=SlvEBwegwTfog2bK9svG1CeSSKC94GD98%2FQ7qpBXL7TuHOZt2HhMLd7y8IOgotXMqWiH73xWxbA4jinuUaR5MXolnKuxM86Yy3LSmhMX0S2ZRoWHqqnWIwt02ajTrF%2Bgua0LjZ46ax%2Bqo86h%2Bpme2xYRpZXKhZpVUZBzvDkXraQGdqF1BQ7keV47Y5qESgu16FuxAkm0XbuzS8tqBeq7qAS0r8STul%2BnjFmFMq3OUE68K%2BSmAp",
"192.5.41.40 scanning_host\t\u2022 74.208.229.157 scanning_host",
"fmx32.aig.com \u2022 167.230.105.81",
"https://vtbehaviour.commondatastorage.googleapis.com/a77a417f32cbded88f0d4e3663963a8965e72a25398acc329d907143e4ac3b23_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776228071&Signature=k4OPGTTS9fpKAbpLbTCobvi0%2BEjGbp7VcWYSCEp1TvQjpVcQtED0S8jcuTQ0McsWiP%2B6aw%2Fx98DNyVWEyPW4Tk8SxeBRXHcp0LXtwZJGGgR6Bg22qNhLkdLO31x8icluFzt4jqqp9hvJBXQodGoJWmlyxa3b9mS%2BeqUdi0ui3etDt%2Fhqv5QEOSCDX7bljWWmxRJa%2BZfAYDazGaCIGSQoltS%2BeMihl5SLMi%2B%2BjYP6%2BKTvM9xwUC",
"https://vtbehaviour.commondatastorage.googleapis.com/00143c38c4f0e4642e956235dac0f589c05c54100015c6f59d4825e9e8400eca_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775865231&Signature=wOONPZI5bCeW4bmQtYa7YV2UQnoPlndg3PkyxqT8OnVSk223qDWubHicrXJAcOXLFj%2FSynVv96i7h1PMkfbz2Ui0lcpPZUjU7sQhWM8wkR2WVoS3YjGgvTEi9pM1ugWhFqDaoNTlaPgNWTVjffc5d%2FPGpVtT6N45P0D2K0%2BEpNuScgpy64%2BrivKYv1pak5OuNuz9mQczkvh4JqLEna59MjTGN9sd5yDBto4EgIoaLYqnBpg8Zn9s2t",
"Alerts: dead_host network_icmp persistence_autorun modifies_certificates modifies_proxy_wpad",
"https://vtbehaviour.commondatastorage.googleapis.com/f8959944c899789d1fa1a6de7c6818a37f237dd44f39e5301f755fddd64c9791_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775997612&Signature=l%2FoIF7cZSCGanh2IyxGroiq3YNwdCp9oVTfF02Zi7d4yp4LMuvnnLFWqVzfWbvIHB94EaU0ICQHP6MwgUb5Z4bF2OVcHxdHieB3iTKEX6sGurBIeKYNAPuakGTzCRv%2FSnZJHpZbsoH11i%2F%2BIwHQLGAKerBuNCuq%2FDi8tvVKCDiF9JQGxOYhQsjlzQJtUBiVEVnBTKbjIdeg9iAMES8qHj0eAglff6gxDk1t%2FU5HmKB1T",
"The ILOVEYOU virus, released on May 4, 2000, - PDKIT.net May 4, 2025.",
"This document might expose someone, more than another.",
"CA DMV- 2020 exploits, if even exist in your records, may be related.",
"https://vtbehaviour.commondatastorage.googleapis.com/3aefe8dfb9c99f3a84f5f74b15afeaeca682c8c50f18fa59b2e0b06da9619f1d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775998463&Signature=qYYMHcxIAT2xuxsg%2F5YbX%2B0y0xuq1Bdd9afbiFWSZHWHsm16y4KPWqE8YDY6heMDu8H6K1bmLZjUn59Bei5cJgnVJtX4Qv6%2FJ9i%2FJXNS6kxDf5xDJvv%2FF%2FcK%2FVKyZS%2BVYzAwJ2OLrXxw4BNVIrT4nxtE34M2lc%2FjwH6H%2FLWNBighCC1k8cvWNbNJkBtGmfWtAfK%2FueAgi5glMRbAmq7xAC5XJGlhgUzo%2Fu2U9N",
"https://vtbehaviour.commondatastorage.googleapis.com/f8959944c899789d1fa1a6de7c6818a37f237dd44f39e5301f755fddd64c9791_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775998043&Signature=atj43IFZmS1xhCQtPEtGr1gjAzp5YJ5SAqKqPXrExtpioezLoyIJKw91Cc1EPO9Ff86CNaeS%2BNKNidgGEvFkAFNQpY8CEvbl7dcNVj3FUVUS3ybBoI8xLShMhwUy%2F0aYbXdMfYG3KdE%2FXDvt56Et6LjAj6N0lh1mp0m48Zz2hNTlghpHTSGlP3SY1VjfKxBYwh%2BWAJOSrHiXvzeVhuN5Qj6JWU%2FLg824mJRsUPe7iyNe2u",
"IP\u2019s Contacted: 104.97.41.163 142.251.33.67 142.251.33.78 209.197.3.8 216.239.32.29",
"https://vtbehaviour.commondatastorage.googleapis.com/7737f90de7e9fc0935561c017e9ddc4a58337ebc25873f0bbcfe860790f3f888_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864415&Signature=yAuZC%2F0HyuJxAQj5f%2FwTa1Eqod6JZKHa9bO0gU6Ir2r2sU2JlNQAvQ0O%2BFC6DWExjg2voi81c%2BEzsk9tDAFyL3WwgJgMTlIvg%2FNT9PRWENEAYOilGjGtzrdzRhMpMzKw7NL5oxGr6hAdndZJ5lY7UvJoIjDp7nDn85EoO4RRNxFKeP4qCsczXGv2%2B9bnOXeGn0HHTaDp8I7UEq7FDpEPmij1KfxHmftv85TcFdOHNt0L",
"https://vtcuckoo.commondatastorage.googleapis.com/00002a21db1b687c9d78890d13e48ac1a96a9bf2a4c1b55423f4003ce96e7561?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776182459&Signature=LC2D3TixRgdru1j51oquFRwzr%2BlKJQyHmkjrFbrD9AxRvZsqhwceRAcEEGhjpqbDfW%2BbsgyFvpG0re3VebM3vlaRaFk7nZYgSJVcbEdapmTOrCrzVGT4Ajtbfi0%2B0W4gjSG1fOa9RsxdcT0f%2FwscG2zKqSVZYOhNjlaCWjVWD65MvQpKbDqOdRhIgL5Bu6oG2MiYwAr2UWZECS53O8AHYr8UnWqzXy1DPzHyG9rl4xG8elXsHkFhuo4X9w%2BHyAnudZvoF4XgyBi",
"Apple: Look at Devs around Aug 20-sept 15 2025 abnormalities",
"DoD related: 192.5.41.40 scanning_host\t140.19.33.126 \u2022 199.9.2.136 \u2022 214.23.15.26",
"https://vtbehaviour.commondatastorage.googleapis.com/00fa27f76beaca564ba93b54d2c468637c2b1dcb5568c4a597a08068af36cda5_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776231578&Signature=NwCoyWHAZRo4FS0XqNnT7d8ki2ytuinY7CisegY4Mq1T5JctWpC4Kee1LG6L3Tmb8%2BfW9yMZq0ChSvSYUjdDTFzNYQoq8vKxf8iGkMy%2BmOA3tSAu3gbLWS2bTtDjc4TFrtK0PKow3hO0FW0QtCkt9NPBi%2BPgoW7MXYIZ3uFt9ARoi%2FY1ChJZdBRtdii1C%2BWEDeLCIQ9xOpDRKxdYBmliuWm6kmeld%2F5yh1%2FSBDYYTOMDDZwzdDUr%2FB",
"Domains Contacted: www.youtube.com www.google.co.ck www.google.com ocsp.pki.goog",
"https://vtbehaviour.commondatastorage.googleapis.com/f8959944c899789d1fa1a6de7c6818a37f237dd44f39e5301f755fddd64c9791_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775997378&Signature=KsJYbpoN6hteGv0hQe%2B7MgknKi2y7G9y%2Bv0JJZqMcuUdnf3gyNBPBzyKTVuoWOtaG8ix3%2BctGPzbrSe5UI3cg4Z0gK%2B6X75apikmjWPqBKofhIc5BqSpHspjoDYtiKLxroPreiitG4QqViG8yPq7ZCkMLfT71MSIE9dJ9XhV4fO2MSLHJA0qzdykwolGgi0i5r12p1nNsE1eHXJY0HwJl%2Fqka%2FKRtekjeEG1K1qHo6QJlzKhiCRubQwgU7",
"https://vtbehaviour.commondatastorage.googleapis.com/998cd8dcaf876dc66946e1c5f22ef7b8e3ea8de99cd8332d088a9b285fb2f1f7_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864769&Signature=OXXYebSn84nlH1%2FBD4aluVAmCHvma4vurcZhV0H%2B7L8wRtgwWjBRClGbWiS8DnrNVxrwDxScAikU0APxe3iZCU90GclmHDodIz%2BlHFaDkBxBXUt9uyLA9BJmMbRGCKuRj4Vm7MMGUwm7WUwB1UNLqYgq41X0c%2BIhgFvAjtxWMyGnXjvvbgLGXYNo7MTwWLWshQg%2B3UXSqVmivHQAKBmQD75nvfJkl9SPx5GQ5GzjVY8pdgtPv0Ij",
"Spellbinding! Indeed. SpellEditor.exe",
"Nameservers: squid.navo. , squid.navo.mil. , dns2.disa.mil. , minnow.navo. , navy.mil. , dns3.disa.mil.",
"https://vtbehaviour.commondatastorage.googleapis.com/000020331380e6110b5beba407728730579ebf170517913cc364e7dcb114187b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776183676&Signature=IqbnhkkWYeM6kbjfuoTYF2bD3VY52MzFCe5v2P6L5%2FvT66S4ZUFYI3vDp1VG9lGc%2BD%2FJ2J3U67VgV%2BLYeRFGqnQdkctuODu7CXIAc%2FhcLsIB1HWqR9qge57%2FDpdeQUbM%2BjuZ5TWqdfA%2Bqhc1jioTcgrPNBR3JE6M97q%2BxKrz4CUb3WIOfl1mIP91XjXy2cReTAKc%2FsLCnmEvrIFVXx%2BaFUCpCCMCRxF8QOMb67WRJ8hD0iaM",
"Micro - Dates to look for specific: April/May/June 2025",
"Domains Contacted: xred.mooo.com www.download.windowsupdate.com docs.google.com",
"https://vtbehaviour.commondatastorage.googleapis.com/b5cbc5fb20fb38eeec1be1b9befddfb1fb4e74ebd6393c5a284600b4fd8edd72_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776178084&Signature=l9VaaMtAu36gwPzacEQuEKIUtylRuocPeqapPjRJQlHLBAGzVaxtTG4tKKub3yjMoWmZ2pKMlpvNWm3hp0Fnvoj9c1RoQqis7Bza5ZkPbTWPic23pN64nADTtHu%2FpwsHeBc5e7ODzJiPCloc2E7y8Fc0OyaCv%2BRvL9Cp746CDgls39HfPWI4ukTSy5F2TsRUo36dz76PT%2FubK3HFHzUNnsFLj%2BZ8iif%2BgE9FpwabJT5WlgvUiqpqna6tcVHl",
"https://vtbehaviour.commondatastorage.googleapis.com/000c8c89cace706e71df3b230abb53b0891757e08e1d10013ba76d98a3b08622_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776231935&Signature=wI0FB9EBFXXgWFo0thv9T11BAEOIJxW%2BSMCRUhCv8%2FEaaWaZhr975NH1qjEeFwIgm3cWdqm8KhXTxkbqGddaPoKiIoe59pX4ZVhr0LmnSTGFTFkLVGsGIajJCSutHgqOs6kW5KtDpyC67KxlAF1IA858Tz7eOXxYk3JYsf5g9iC%2BhkfqrDGGucK%2BDxtYZbIvDRb3QxLpD2qtF4NVPFoO38H3aJon0pykwGkrRNU0Pae%2F5YyJjl6m",
"Entrust to Sectigo- Review vendors",
"IP\u2019s Contacted: 8.8.8.8 78.46.218.253 74.208.229.157 192.5.41.40",
"https://vtbehaviour.commondatastorage.googleapis.com/0000d7e596a5738d6310974ef61ee238316ed03bc97d4cb358617932ad8d1ef2_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775977719&Signature=nkKRbhcDpxdw98on7aVclCyF9iaYOrdx7xghDa6jjq48R1HK6lCpP2H%2Fv6rxdPNWs11JoBFgE3MwA1ZYRN8Agx6yaHEpe7UOXVn2H3IXFXu5iRM5sSelXe0sVXAZNiCnIpmLyM8VdDWBLCF6TJhhCNb%2BA7JeJFY4BXuE0JCylFC6IfrK2KyhsCqwoOPL%2BxBN22zBWM88MDh7fIROoVS%2BgBZTK6Ae1KM9I0JmsvqNh%2BZskj06IC",
"https://vtbehaviour.commondatastorage.googleapis.com/0000d7e596a5738d6310974ef61ee238316ed03bc97d4cb358617932ad8d1ef2_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775957388&Signature=j7mXlx0GVb0TDeeeaHo0qwgZHxnVi4UTmmhgRk3wlp6IEw2ck926P9kdu9Bwyl5LaXy%2FYq3ymJRelUPUI7aCjoJFuGfYD8I7mw7EGYakeIUiWZYxhXK0JlufPqPnve%2FTHZC4XGtctnsv6V7oK3Qelm67Z1%2Fp1QbDgdl0oRB3JQ5cJs5%2BQhbBsphLhRc72Rvb3TCG6FhBlplf06D9RYxzJjXWoh3nCTN%2FCLpspJxyoVqlBlFyuN",
"https://vtbehaviour.commondatastorage.googleapis.com/00002a21db1b687c9d78890d13e48ac1a96a9bf2a4c1b55423f4003ce96e7561_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776182603&Signature=P0yyclxoQLoZnvz37jWwZuw0aXUqKjhJmU3DLNGWvQc4OC6Xy1j%2FbtcEu%2BI9cYC3WKX6VyZKHliOMTv1yNar%2BVbIdYQ2PxzSYs7C8x4wcrhQ8Nq0FonreLyqkxdQ6BUO5WJ6vYVdHfY26X4wRftbfQYABiSyzCYAjcJm3X5xjQf9AN8iSukP8exig452BLXD3poZe3p5xx1HPXTohtMXnvUyJV7uM7EuFzFtWultkOCOwsTodS8HhJ4I%2BfMU1M",
"Domains Contacted:: i.ytimg.com encrypted-tbn0.gstatic.com cponline.pw",
"IDS Detections: Win32/Tofsee.AX google.com connectivity check",
"https://encore360.omeclk.com/portal/wts/ug^cnOmfy6efyLw9|dod--a | (205.162.40.0/21) (Omeda Communications )",
"Alerts: procmem_yara static_pe_anomaly deletes_executed_files injection_runpe",
"Alerts: mouse_movement_detect dynamic_function_loading resumethread_remote_process",
"https://www.verizon.com/business/",
"dlvr.it \u2022 securityaffairs.com \u2022 wscript.shell",
"https://vtbehaviour.commondatastorage.googleapis.com/fb087f42790328af4e77c319f2cba27555061293eaff1776f08a52d1d6a3b842_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775957524&Signature=uYl%2BWEuvmmRW4mWz7rkBPJbR6%2B%2Fk2opmif8T16J37itEzu%2Ba9Lx%2FD1xixRy0rucm6zCSI6Yhhq34qv%2FPc3vbJe29oov%2B0vPaVeyDvjDc7dNeBeTOfuauhCWFfaVW6oDvyWLOXVL1glPM8kCxcJHAhWXpS4t36D6nuKhNF4kiEu%2FDaqpON29XxvuYu1DPEdjaYfEkS8Ekofo5n52W2g7cDMyp6MvreGZ3gInElrum1ueOVAEiSWog7g",
"AS24940 hetzner online gmbh |78.46.218.253\t | static.253.218.46.78.clients.your-server.de | Germany",
"https://vtbehaviour.commondatastorage.googleapis.com/7395f24f709e2c947593e7124f0107a17bf71f9eff782433f00e9aae27edf6fc_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864018&Signature=fW5cvq8BOIX%2B2wxwBzAnPprHnokOWVWFu4uUJExK8GQG4mwnYf4GO7RCTnuImm3XpXxgU8V7gYbsu%2BSquaGgkh2o8me6vmt8Y%2BhL0j%2BUgRrp8B0qJtHMkSgtfk6doVdGoZ%2FqES823Eiqebeb3NlVMD6tixYW2GDpyliHNL6uGNgIyf2BQZppexftzMN9M2BQhralGJjFZ9Q4XeAi1DalrEfIsb7erXBxVINEYJUbRaapAeQ0Aff8",
"https://vtbehaviour.commondatastorage.googleapis.com/edb4c21d60daa44b3429e7ba9bfa342759ebef23c136c934f74aef145453ce19_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775737365&Signature=S%2B7RcHYjab1hbKlKwFfvUbDirFPJS1A2TJQ3bVIObMcON4PD9pRDvhMtYMCnEBrYsICi0UJCFW5eUDolL5Jlbngsc587kF36vvuhlkPprbkSOY1jOyDTpe3Qsb6jRFz3xwOfZc9S5QervoLnRKb%2FyGSyZE6ZK6TxzBrOPczPtZ7sLf9NfD6E%2B2gMRXaRjEqVwVITLG7YqCiiNuohFOuNlK3uNHFpIk53viKvBSAIqLtSklH9bHW4q1DX",
"https://securityaffairs.com/144927/cyber-crime/qbot-campaign-april-2023.html",
"https://vtbehaviour.commondatastorage.googleapis.com/087797e64cf016f13eac46473b4150d49c7eba564c894300f69bc643b059c980_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775739500&Signature=r1pLCgJf%2FQK8TvenCwXy9bnghFzjJ5QssdQSLP37SLv6EkA3WXuFUIvKrsXKokco7bMfQUy%2FArk8F6aP%2Bhaj16Jv7P%2FGB%2Blf7mPvs47VjwfBJRCP8AZLlWvO45%2BjC68v798csdJFPTP31O4yDOE3pXZ3EThm4nSrIwLPhTSPfi3cPlEh2wLSzcySW7BYLw%2BqCoawFCxeLUz7hIV0vC89Mlwi3DeS%2BEnWFF%2FsvT9lVJjdbLoJLEeO",
"https://vtbehaviour.commondatastorage.googleapis.com/b0b9aa9f245afb8f001e1d0c3be360fac8128469e52b5242115a7ff6e6c04978_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229341&Signature=FsDJqLFCpjpHyHkGAAeaeZJ0FuHsnHPW6OqfNr9%2FNQIMbW7S%2BpRdtBt0QC6eD2wVbJ0w0mn5Yh0umB2%2B4oj4WMpC%2Bbrabv85VtOz%2F7vZpXZYD00Eey8BoejnKjQXMEvwQelKFGpAKX9nv%2FzwiCOS22Yks44WKHJ9A32A8UatUxBJensQPOqvN6AxKy8xxjxFGM3cZm0F86LlAfualBwN7iwbWFmc4eGjmYxY6luyqTxxyh58Vh",
"Nextron: Thank you for the YARA rules. Yara and LB, too.",
"https://vtbehaviour.commondatastorage.googleapis.com/3b145ee102848506dc7551758ee869b43a1753f06fabcbcf9ca574cb7843d60e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775978199&Signature=N0Ry%2FbV%2BEAaGir5ToqgdLRpeg4LWS2qRlbG%2BPBgtoRM6IQyD7i%2FhtGHNcbCN9KZuxWP1kCJkqKu4dA%2BNcMjY450Zs5KmCD%2B78YZCte4YHq%2F3f2T0AuO7ero3nBCqlX8fVA62q8eDZQiroHG4hX0gMIaxBXDwUeQa0F%2FQpNa72K2aN4rAajClR%2BuBVPy1fnaokrr7bsvK6JvnhFwrTdLQq6%2Fd%2BulnVIbTCK1oSGXF",
"Nameservers: dns5.disa.mil. , dns4.disa.mil. , squad.navo.mil. , crnaone.navy.mil. , dns1.disa.mil.",
"205.162.42.171 (205.162.40.0/21) AS 53866 ( Omeda Communications )",
"https://www.cloud.mil/CVRC:/Users/joshua.colliflower/OneDrive/OneDrive%20-%20United%20States%20Department%20of%20the%20Navy/Documents/Archive%20Miscellaneous",
"https://vtbehaviour.commondatastorage.googleapis.com/b5cbc5fb20fb38eeec1be1b9befddfb1fb4e74ebd6393c5a284600b4fd8edd72_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776178098&Signature=uIxrV8sFHqQAjkRjYKVDQ1S%2FeWLsS9K%2F9PqMGOdk9nETeHOFarhSPqnYVH3z5vORlVnlvKrk10heyaF9Ks%2BfMnudJoqDG6UjXULyT5HbpHKXvdQItgfeAH6ZSHI%2FRRvWIw%2BEJoYnPVIn3gczV1o5LnA5flIbFyXVb%2BwulQMPJnSdhvsQx7PFkAY%2Bukjs4CYlC%2FrL3k8ouSPhJezZgJX3oMBL%2Bgxl15NF20wkj3",
"People who exploit this put the US at risk. Bottom line.",
"https://otx.alienvault.com/indicator/url/https://gossip.thedirty.com/cdn-cgi/l/chk_jschl?s=04e9c17f33a895764287ae3918f54f016b353177-1551745661-1800-AWU4eGCIAWcUFRuFo2RAigESClCdCQ/9FJquPKplzHISR2zmIZSTluV/jEDBqANqdDORIXIACOwCScDYumaSt5kRHUKVAK4z6Wlo0HzAhetn",
"authrootstl.cab common file extension",
"https://hybrid-analysis.com/sample/4e4fa68c1c4d2cfee133c31432dd303bb5746f7094b5a6832a25e47e6279171c",
"porn.nonstopvideos.pl \u2022 xxx-xvideo.com \u2022 essexmetals.com",
"https://vtbehaviour.commondatastorage.googleapis.com/b0b9aa9f245afb8f001e1d0c3be360fac8128469e52b5242115a7ff6e6c04978_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229360&Signature=mH4LFzdNbM%2FrTWl5A1VAc7ojWzYacRphus9okWr%2BvKUFUyk6TK8Pas4WKG1FcvFR2wwpkpjhE0AE0viuh35qs9qrKBS2fIH14W17FlfmoSXYlBcSDESzTv%2FVzT%2F0Apeil6p9N3Fux7xxH6ZuNyB%2B4%2FPrsSOrCfOkh4oSRipPAOPTUdPYpQTe0rA1LiyBADnpOeEOc4sEeKoTGaMgqmSXd6sFNnsjxsspmJ6p%2F0NL9s",
"Domains Contacted: pki.goog www.microsoft.com ocsp.pki.goog freedns.afraid.org",
"navy.mil \u2022 http://acts.navair.navy.mil \u2022 http://logistics.navair.navy.mil/rcm/",
"444ea032708bb0d940de0ef72b944244 | credit msudosos",
"Alerts: applcation_raises_exception creates_exe suspicious_process stealth_window uses_",
"https://vtbehaviour.commondatastorage.googleapis.com/c171805ee886339a1f5ee75f7ebfbb030d316f6ada7dd2dc6c795c0de6000a34_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776177637&Signature=BUiivmwCPsrCikfAjB28LBQHMVx%2FgTbehNpsMuz2VuoKMd%2FiRN1rhKYa8lS%2BTYZ1RNXXVqAR3ISVvI%2FmBIiPXTCg267f4DupHMvxLnZmQ7N0KqABTuh43x9kfuureCni9NLunQFSSWJwdt0KNQS3%2F57kVbeEOIzP7%2BcwyvyzuUpwFQR0d5Z6FniQUM0OXkWdAQwOXY3K%2FZlOIpXUtbyYLoXFI2SxAVG0cSF%2F5LRfI%2BqV",
"114.114.114.114 = Tulach",
"Google Docs 1.25.202.02 APK Download by Google LLC",
"https://vtbehaviour.commondatastorage.googleapis.com/930fd5e980c675c0eeb55d1c3c4b462dae4e9add472228ef9d9d3941d8603c48_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776246714&Signature=jA8ZNQzdLZfCMA%2BeZdzBjB3xA0B7xKtgmBMmVGhpCsbkEU53LPuuNVLyugFpe7diOUDoR55j7HbDl9qcOHkMPamkpv3i44NiD46yJbU4LSQkaP1qPkrF0YTWKn4PkEnuUYIAEr6z6J76c33VYseiQzUFAb%2F2EmiSrP2P0B%2BTV3lvRclFr%2FAxEVTCCZcmWffeMujO3jhC9czl3rYy9DQH1v23x4tcX0%2BcVcRjvTPUjfACcx8trhtm",
"https://vtbehaviour.commondatastorage.googleapis.com/106d36306f3b9357ff409aa1e41521243092c85e8e92fee633b033c9753e98a6_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776232356&Signature=dOUaP3bH%2F2XkNjkbn9FzySukzQbvCwdZKL3t4DjYw8QyaWjsDXs4zMrVafpcb0nOty%2Ff6lOTZkHbIBpyOnKxL9VoqGlftDb03fLBfKM96ov1%2B%2F7gAUJtMfAdk9BUBNUNda9t16wrDNGAVeGod5gZULkmaRB%2BSYwitpYbdZZw9oqT6GM86gMSQdng8tKJ5jvB7qzOr5k3fD2VUuTDsvjZN4f0hncuHKTT6LK4T2FPew5lUi44QzME",
"AS15169 google llc | 8.8.8.8\t| dns.google | United States",
"https://vtbehaviour.commondatastorage.googleapis.com/c171805ee886339a1f5ee75f7ebfbb030d316f6ada7dd2dc6c795c0de6000a34_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776177598&Signature=3OaXWi9Bxykp1wiOQNdwBhSVh8X4mMPRcbHBESETUx1dPXdeEb1wMVgkjjvnvvnZ14XzPuL4vMeT%2BM6%2B8cU0CciC2%2B%2BGT%2Fb9mRX1cN%2FXaafCIMjd8vWaqZtK1dawDuh8iKwPBAcYgi6vCnMgp28hPTUgniT1p0WNyIRU3CJvLwPSEU28quYE2LfQp6%2FL8YplQb8mVS%2FgoyB71aRRbadnyiAysuNsHN1pdEaY402DuI5QYpc9B1odu5",
"Y2K",
"https://vtbehaviour.commondatastorage.googleapis.com/00000722ff984d5cd9cd766d12c70eecc7a2ad7502999c5a99d582c79b92c1a6_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775978086&Signature=WBIzRJW%2FxjBBOf%2F0opd6hlj72t0fu7SbhJLmf%2FDLtoe3li5SgoZEYUg2Ogq0NvkC4WzbpRmzXeV1QmUY%2BooYwl%2BVNRjyw6fZqkbp%2FboMFSfQmgHU%2FQfi99Ch5BqGcNZge1bx9lbHBAP%2BY3QDDA3xzFU9c9aMJAaBlGjFT4TeXALcU00PEYHA95tX7zddbMc5uQhfHfn7fKlyKlmRq25jp6vA4xQImQFJc3s3pQ7WePxp",
"Alerts: process_creation_suspicious_location injection_write_exe_process persistence_autorun",
"http://cr-malware.testpanw.com/url",
"Further threat mapping indicates the root of this lies at 52.123.250.[180]. The",
"Alerts: antidebug_setunhandledexceptionfilter dll_load_uncommon_file_types",
"c6pPVZhf.exe FileHash-SHA256 99e60fbd12fa9cffb9e84b4f8fa53169cd9eb965f083337de1995926a5ed83f1",
"https://vtbehaviour.commondatastorage.googleapis.com/7ee979e976acf8f47699717010a1a0259a991b62d6690571d8b68dd16b294b2b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776246777&Signature=yNFSBGy%2Bm8tg5Sl9XzqsISl5kfgoB4%2Fnf%2FJn6WTRwmAZFUp51dt85ONZCzDMwEPqIoiUXlYybE4s09saW5RxfASOPh2spHs6dyCMsXnDPX%2Bk97XShYdomVvaBJsmRZDzDF1inptzQCRTtdDSe9IeE0ZE0Sr7AlXrkR1sVf151d4nyK3gdcwxaojAALetWrh%2Fx%2BjcpJYEo7D5hlba1zTfWJ57CQVjWvixx1vFyzw%2B8s59JIuuvTK25JI2",
"Alerts: queries_user_name queries_keyboard_layout queries_locale_api",
"this.target",
"https://vtbehaviour.commondatastorage.googleapis.com/59ab46ed842430175dd343634a4832a8ee326620f572ce6136847ce1ba8cd662_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775957494&Signature=UWODW7HArkGZy47J4shCBEE1miTB7G8oVfL98Pw0EcTRZ%2F5tHlFR4FscqBu0h11ell3iLxmgTk%2BVVk6P%2FKLVmhtL8jsFv9TgyY09W0SHHs%2Fd%2BzIzrOZVxeoV3U38ea0NyAdYTQyqu0iYCXCYgK06ML7ILo5aWLIzZINJR1dpRsAwA6uwJSYZ8Zvu5pMSdNF3fBIFVo86ElhKTEk%2F9mXzQCpBu0h9tzUggruaLOAo7S0eTw5JD8",
"Alerts: network_icmp deletes_executed_files injection_resumethread dumped_buffer",
"https://vtbehaviour.commondatastorage.googleapis.com/a77a417f32cbded88f0d4e3663963a8965e72a25398acc329d907143e4ac3b23_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776228177&Signature=MeuwZPsdr0gtQe0sk4q%2F4CUZfcMW69%2BxIGhrTaYMPXdTjl9aWJE5615NjAm4MvLR4DtSbJ7cc1BFbk7BVmjJn8nL41YfGq%2BBf5gZPn0%2FQV9ktpUtUMF9Lv0QkTRTFvsf0jeKYeC2md5imom9AjEbo5ewSdFcbMP503mxuC0pdhpq7S49aLwME4HDzuoSSRnwj%2BlEmfp5egLduihMAZHjBHMzBdPMJAufJFlU8IQZClMZlgiQVG7EB%2Fv1e6",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776230932&Signature=xa5mbsGixH6SGhj%2BdrfZBwVhiHGEybcZdAbHUfpoGoECgFwqMLudtOiuX7AZZO2RxSaIoY%2FOQa%2B7jGfS%2FoeYRgjRTmAJCei6M172sbgIU6nRQdVDrqNeJXkSlr20Q1sW0%2B4gtImsebtle4ipmPMbrM6VDUWKjegUi8afL5a27GLZg9veVMc%2FI0aT1qx8EjsdITQ%2BSdvZoX39A%2FlC3j0gK6R9WcVdu3DEx6lxUHsOx3HPKk%2BJAZyZ",
"IP\u2019s Contacted: 104.16.132.229 104.31.4.167 108.177.126.101 108.177.126.94 13.107.21.200 172.217.14.227",
"Other Recs: Pull every Micro Compliance Hold Email. This is a trap. The problem likely resides there.",
"https://www.cybercom.mil/Portals/56/Documents/Strategy/DoD_Cyber_Strategy_2023.pdf",
"Patched3_c.AKRV -> https://otx.alienvault.com/indicator/file/444ea032708bb0d940de0ef72b944244",
"https://vtbehaviour.commondatastorage.googleapis.com/00002a21db1b687c9d78890d13e48ac1a96a9bf2a4c1b55423f4003ce96e7561_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776182210&Signature=v%2Fh1wL%2BRqA6ODz%2BCtJphjW%2BDUpdO%2F68AGOQiHd%2Be57uK7rMu6S9s9l8R7XteebRHwmiQnBDXOOns7VLwWQ00hHcNwEmbQKruEeJXn%2F2RZMYnzuTEbBMt2RuB9%2FrCQMUMo55FqSuXeY%2FsydSKysRi%2F4yxX55NU5uLfx%2FhZQRtjTgQticy0YGUTCqqY3HzJd7A8bc1PNd%2Fb6mTJ2S5iod1uNc17yFnn2UDVXHCJV",
"https://securityaffairs.com/144927/cyber-crime~#",
"Contacted Domains: tick.usno.navy.mil www.thinkman.com",
"https://vtbehaviour.commondatastorage.googleapis.com/db9d8c125c0e5a440719875d01365c7c5423bcc8df55e54cb228ac2aa30bc969_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776235167&Signature=c%2F4wKBu3gsuZInxjqfgg8MbdYRlJ5EYYEV%2Fkl1g3Nx%2Fp%2B7lCYKGrilDgDTTqlooVjs8pyDi58Yi2SSs40L5JzExM18zVXhiUs1SYZNyy3OWKiAZ5QMH69N8R8XHmOd2L6lwfLVy9x%2F%2Fu29ji02gGj0W7eFht2uGb3Hnhegtt%2BNxNhOOCcD8LDnTvh%2Fhm9RYmW40LG5q238yRggg3TFrumeG2RHO9czdiobkRrsAD8eIohj",
"https://vtbehaviour.commondatastorage.googleapis.com/f8959944c899789d1fa1a6de7c6818a37f237dd44f39e5301f755fddd64c9791_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775997952&Signature=Pc%2FXTIxysZhpywMxwwW%2BrBcX9VHIrYH%2BL3sUsVHUCm1TUbCCtQe7ZIpfTtqIl%2FWLsaehPWv%2FBt4Q6PbZH1IFYbFrKet6C2NOwwOh9WtZQ0cak9wRRun6IjZTU33hWBk4GyEAh%2FpE5nF4ND%2BQSOQuZ5DiMtHeXRlWjRI6KwJ8ApdtNpccNlYGYGKmqj%2BLK7CZTI%2FmpO8GkbS2UkwUwBa6TFoYFvBiQ5SHdRUJ2MT7t3RzWvn8hGyb",
"IP\u2019s Contacted: 172.217.3.163 172.217.3.202 172.217.3.206 173.194.69.94",
"x-amzn-trace-id Root=1-69df501d-7e46547e623628d85631dc6b;Parent=0bf4ea1fded328b1;Sampled=0;Lineage=1:6afe1924:0",
"https://vtbehaviour.commondatastorage.googleapis.com/264a5fc8205c3ca76d186e04238055427de9d189709bbc4b1844599d498d05d2_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776182430&Signature=dN0pX9yoqvCitnZXnkVEon6PzscVdKCHo9%2BUUZnv%2BJW5HH1B0IOfrsGiMX87NmcyM8XAqYVzFRNmrjIUnlP3rF5KPV0ZOtwlbL8mMIVCmrmQGuIPFB7QRfWpfjMPq41IbMb3yAdxVIpw5dEn%2BSrkIKgkCLVaDG0B69qjr%2FCR2ZNYpHIeR5Duwn%2BFgQxdFB2%2BwLQCyLAmPP5xsWgLCvmNM%2Fb1SoMUHKytZTY%2BPXKlThbjrh",
"https://vtbehaviour.commondatastorage.googleapis.com/d11869fdfbf4bd87085e351b24d2c0e2ba5813fa267b05d969d9d2e46685d113_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776183658&Signature=tGjgj1F2qTBNB3zHOFjuVYbUuozwv%2FUH29aF5d5gmEhofNVf4N5DfD%2BmI9DjozB0MrJ96DeCjGEoPRo7i9Whr%2BThEkSnRgHkjV%2FPWe7tUL3zkNeuKXjs4bWH8BIxmdFyqGSy4cKx99ymtQAp%2F8AWxhqd15coMoLM31YqCpn8PnzvKtYQnIORJQjfhTUdyhha%2FmWvy7gaHGpZvJpaXiyF4IlYWdn9uYy%2FOSAR5Sh3f4F8fX3v",
"https://vtbehaviour.commondatastorage.googleapis.com/930fd5e980c675c0eeb55d1c3c4b462dae4e9add472228ef9d9d3941d8603c48_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776243461&Signature=Dz1357rbtfS3ulmmu8c%2BhYCsFXq5j6Rkafb9W6C2Rp8K9C3NfbpUuCN1TORawK7%2BnEJXGNb7r2PQThu1hU64xqNTi6I7KNZcOwC5SHIDUgioEm6FoK%2F68BF%2Fj9tn3trLgKetrPx2zuy%2BP9gjqBMe5T2fAtNa%2FJi4uZYhdDQhKIZB1JmXDjEcFMhp6PLdPqEVVUh6nwevWaLhJ1z%2BPVhc9atSdnbwiXbJ7Cp%2BKrfR1xH8OQ",
"https://vtbehaviour.commondatastorage.googleapis.com/7395f24f709e2c947593e7124f0107a17bf71f9eff782433f00e9aae27edf6fc_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864790&Signature=QkiaGhOWFVTMnStxmaJJIVM9Z8cz0n2iUzL%2FmuCfsmMoY%2FI3LrqCLHlcuXzKKyDez5hRYK0DX3OkzaB4F89LFeO6CNQkxxgGBDkjCpg%2Fuyr2HtCZjkFFbEJONHPDJBkBB7JsVRdhR7RveUC2dBG7Wyna%2BF7NYrB3F8lJxQQCwlkFSUiIeF1H6fHA71w3QHiuw61QRe8qkpUK%2BNQfyAeYiLvIhNFj5g4j%2BRVk13k44QjeCxKog1rRZkdp%2",
"Germany, Austria, and Switzerland GmbH",
"https://vtbehaviour.commondatastorage.googleapis.com/7737f90de7e9fc0935561c017e9ddc4a58337ebc25873f0bbcfe860790f3f888_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775864214&Signature=Vf0JKebhqo0MUHhpU%2B3Xut2g8SN7IheaL%2FNfOTLj1y8v1aHrjA6QI2jq%2BIVJeWXo8%2Fzpj%2Bd3DpryffdQjNsuRSSn06dSJy%2FvNi5F67wa1RiaanLuxRRK0cWKKrWO9ZQGXVWal8%2BNCVTaMRdhHmkbFou6FA67a1owXMn0IdsdZYIAwgumeuvrMsbnKKkOcd4GucEGy0d9oj63SbZGI%2BwjT5BPH2Tq3O%2BQM%2BPv3XWuZ71sfOOGgD",
"https://vtbehaviour.commondatastorage.googleapis.com/0000d7e596a5738d6310974ef61ee238316ed03bc97d4cb358617932ad8d1ef2_VirusTotal%20R2DBox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775957405&Signature=jmT3CGVytjqR42R8NEdcnfLU2JfSqYRjGKmSOeTIeyM9zjC9SUc2kprtucDQyXxFQrY0aWlR5hpDk3ZhyivJ%2FWtzlSUgIPb%2BsD4I4iRT5lbhHsts9vvdB4gJ74TyMsaHv6yNq1Z5UMtXvu6kPXrDl4WsIFDKpzbKPFhkASB76qeXEEAqD6j%2Bxl8Lheyr7S6sS%2Fgcjh4VUmKvPDoXtavRuNyN3YJ6u4E%2BsfuJXw2zo0wiJOk",
"mailbox.co.za",
"https://vtbehaviour.commondatastorage.googleapis.com/003c70373fd8307426c9597ea691d0065e4b17fbeaea25155d3180d59d19aecd_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776235521&Signature=XyL%2BziErEMLdDGzpkOrsFWzF%2Bs8%2F%2BHa%2Ft1S5%2FfgkdYZVZNUoI9ouy4IwZLiV4Fi2woIHU9YMnGYvqC6u0SHx0R%2FTbBYsAWIRLcS0jXCiNEz33EKRDTLcQqaAqg1bgEzbagC8RvfUjg5sQp8chQSkn3nYGGovJ1W9KDWu39peg7l0wU95LMSY%2BtbjEdzA0ghSq8IG%2BBSGkETgfJdXrKjyTRw1x5DEwN%2BENKfa54%2FmxDHO7iP3",
"https://encore360.omeclk.com/portal/wts/ug^cnOmfy6edod--a.gif",
"https://vtbehaviour.commondatastorage.googleapis.com/f403bda8d1840e13c382804876bddf5521304bbbe01d8c127e9b482baf4db923_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776232147&Signature=qctdwqGOIWSBEBix28Qxr45GEATFVdZTkDPbDIdJUHZ668NUB29x7xOOu3BZACgBBczicReTkIygLYXiDb20rGtoja2iQxFCTOWE4%2FLwc9Nxh7I1%2FSoHR6%2Bi5Wk4XJTAcdzAGeExua8rUKoFT5sIKrtv83PwbAvTCO7GvcydYPqGs2mLLbQhp7372gRlMAdZg6XILhNRYSlLjZKO%2BpqkBfkK8qpwy%2BaB6%2BDnSqhM%2BVFxaWXh",
"Alerts: windows_utilities antivm_memory_available pe_features raises_exception",
"https://vtbehaviour.commondatastorage.googleapis.com/930fd5e980c675c0eeb55d1c3c4b462dae4e9add472228ef9d9d3941d8603c48_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776246967&Signature=Ir5y9DGvGgNLFUDY8U6XR53N35ujwlwfUYKT1GK9MfB1XTAtJk8qVigh7fO1EPVnJQP%2BkVNsUCkx1JjW9L03u0PfThYXwIBYbjulP7glaB%2BqBIqGVjsKq%2BlOwN0MLlSG408dZWbdUekl6p8wKR8L4Y1wXpN5UU%2F6gKv2dm9WFA9aHsBZd3K33gYAJ0cjsJEz%2BY4WITcbYvW0eJDyk7JGmMa1c4VaL6Wqud26xKwdeyOExz3D472vYkEAROfQ",
"Alerts: injection_write_process reads_self stealth_window injection_rwx uses_windows_utilities",
"https://vtbehaviour.commondatastorage.googleapis.com/3aefe8dfb9c99f3a84f5f74b15afeaeca682c8c50f18fa59b2e0b06da9619f1d_SecondWrite.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775998118&Signature=oZItRZYU06S7GWIVhygTK0XUPoeDlmpVWee4ri8K1nSYOFjKP7WjYTzw03EoC6pzqFjdjNKm2lQytBKbv%2BcMJT%2F%2BWZ7nF71PUUmExKgSsvfD6PXKzUcX8vuHnJwcu3NlTOuhNKNfed2iOEAGybINfsgUO6DFzlTsGd51hjV3I%2BT4t%2FTn1aszBeDzRu01gkhvTI5%2BmXmxZfhYmVTFVADNEociZ8DSGmafzUamrXrSTRcAurmFTNmC4",
"AVDetections: Patched3_c.AKRV",
"ASN AS27064 dod network information center",
"The source of corruption stems from a US wiper/trust bypass doc resting an in Iranian node for C+C. Prelim Data supports this 'may' be misused by [some US lawyer, lower gov] for suppression and sale to Iran. I want to be explicit in saying, this is a few bad apples, not the majority.",
"https://vtbehaviour.commondatastorage.googleapis.com/000020331380e6110b5beba407728730579ebf170517913cc364e7dcb114187b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776183694&Signature=ZUnl%2FqTfn6nD5eHS7RvwcH%2Fv5Vtm4wB5Yc0hpeinjJ4Mk3V9%2FRkc6%2BJNireFTPFGSOwaLYwemKQwQA0okh9hYBN5ncSDlB6OSnED3OnM3iZUQDEdLBwgYUEP3M%2Bsg0s2XOV36s1V20ivPLzQVUrRM7CkuEyCsyWm7CCJQGdJBRcsNfR1BsgAOtLpiC6WPKr4xFa5QUh6PSgoGNXSDtj1Mk6Gs9iyav6G%2FtZYVoM%2FBUfcGg8W",
"virustotalcloud.firebaseapp.com \u2022 firebaseapp.com \u2022 firebase.google.com \u2022 dns-admin@google.com"
],
"related": {
"alienvault": {
"adversary": [],
"malware_families": [],
"industries": []
},
"other": {
"adversary": [
"@GRAMMERSoft"
],
"malware_families": [
"Trojan.downloader12.43161",
"Heur/unsec",
"Crypt3.boqd\t\t inject2.bhbw",
"Crypt3.bmvu",
"Crypt3.chzw",
"Backdoor:win32/tofsee.t",
"Inject2.bive",
"Tulach",
"Crypt3.bxvc",
"Trojan:win32/tiggre!rfn",
"Win32:malware-gen",
"Win.trojan.rootkit-4668",
"Patched3_c.akrv",
"Trojan:o97m/madeba.a!det",
"Alf:trojan:win64/psbanker",
"Worm:win32/autorun!atmn",
"Win32:agent-alxe\\ [rtk]",
"Win32:trojan-gen",
"Trojandownloader:win32/umbald.a",
"Crypt3.bxmj",
"Et trojan"
],
"industries": [
"Defense",
"Insurance",
"Military",
"Telecommunications",
"Government"
]
}
}
},
"false_positive": []
},
"geo": {},
"geo_ipapicom": {},
"pulse_count": 50,
"pulses": [
{
"id": "69df607b31f6ed471c32d4e3",
"name": "CAPE Sandbox- Very Evasive and Aggressive 'bot?'.......",
"description": "A full report on the Microsoft Office malware, published on 3 February 2026, has been published online by the University of California, Los Angeles, and the National Security Agency (NSA) in New York.> This is malicious.",
"modified": "2026-04-15T09:59:19.058000",
"created": "2026-04-15T09:55:07.649000",
"tags": [
"settings",
"first counter",
"default",
"toolspanose",
"mwdb",
"bazaar",
"sha3384",
"ssdeep",
"file size",
"mbisslshort",
"accept",
"bridge",
"info",
"date",
"light",
"agent",
"shutdown",
"root",
"performs dns",
"extra info",
"attack network",
"info dropped",
"info processes",
"zenbox verdict",
"guest system",
"ultimate file",
"info file",
"ascii text",
"malicious",
"next",
"mitre attack",
"network info",
"processes extra",
"overview",
"overview zenbox",
"verdict",
"unknown"
],
"references": [
"https://vtbehaviour.commondatastorage.googleapis.com/930fd5e980c675c0eeb55d1c3c4b462dae4e9add472228ef9d9d3941d8603c48_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776246714&Signature=jA8ZNQzdLZfCMA%2BeZdzBjB3xA0B7xKtgmBMmVGhpCsbkEU53LPuuNVLyugFpe7diOUDoR55j7HbDl9qcOHkMPamkpv3i44NiD46yJbU4LSQkaP1qPkrF0YTWKn4PkEnuUYIAEr6z6J76c33VYseiQzUFAb%2F2EmiSrP2P0B%2BTV3lvRclFr%2FAxEVTCCZcmWffeMujO3jhC9czl3rYy9DQH1v23x4tcX0%2BcVcRjvTPUjfACcx8trhtm",
"https://vtbehaviour.commondatastorage.googleapis.com/7ee979e976acf8f47699717010a1a0259a991b62d6690571d8b68dd16b294b2b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776246777&Signature=yNFSBGy%2Bm8tg5Sl9XzqsISl5kfgoB4%2Fnf%2FJn6WTRwmAZFUp51dt85ONZCzDMwEPqIoiUXlYybE4s09saW5RxfASOPh2spHs6dyCMsXnDPX%2Bk97XShYdomVvaBJsmRZDzDF1inptzQCRTtdDSe9IeE0ZE0Sr7AlXrkR1sVf151d4nyK3gdcwxaojAALetWrh%2Fx%2BjcpJYEo7D5hlba1zTfWJ57CQVjWvixx1vFyzw%2B8s59JIuuvTK25JI2",
"https://vtbehaviour.commondatastorage.googleapis.com/930fd5e980c675c0eeb55d1c3c4b462dae4e9add472228ef9d9d3941d8603c48_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776246967&Signature=Ir5y9DGvGgNLFUDY8U6XR53N35ujwlwfUYKT1GK9MfB1XTAtJk8qVigh7fO1EPVnJQP%2BkVNsUCkx1JjW9L03u0PfThYXwIBYbjulP7glaB%2BqBIqGVjsKq%2BlOwN0MLlSG408dZWbdUekl6p8wKR8L4Y1wXpN5UU%2F6gKv2dm9WFA9aHsBZd3K33gYAJ0cjsJEz%2BY4WITcbYvW0eJDyk7JGmMa1c4VaL6Wqud26xKwdeyOExz3D472vYkEAROfQ",
"https://vtbehaviour.commondatastorage.googleapis.com/930fd5e980c675c0eeb55d1c3c4b462dae4e9add472228ef9d9d3941d8603c48_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776246921&Signature=X1jzLW3418s%2FQ18Krko%2B307kskS6d2hv1BEZN918A03%2BgNR7LtEHC48e5%2F3mRCz0n3H1wrLvbc3pB9GFSEcPI1iYWIN2YZa8TRUv8pk%2BTsrfc0GlUPG1JwElP67v80tNQVAvFXYkI00vaXUyTEIAWltRkZnJCH1iOD%2BnGOcmzDsQ28fJBY6ZXAoee8pz1CL%2B95j7wn8%2FdET4YQdhduJj0x3M%2BM5oon%2FgzuHLI70rvQ"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"IPv4": 69,
"FileHash-MD5": 254,
"FileHash-SHA1": 43,
"FileHash-SHA256": 49,
"URL": 80,
"hostname": 117,
"IPv6": 1,
"email": 1,
"domain": 10
},
"indicator_count": 624,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 46,
"modified_text": "1 hour ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69df607ced5dad90593b17cb",
"name": "CAPE Sandbox- Very Evasive and Aggressive 'bot?'.......",
"description": "A full report on the Microsoft Office malware, published on 3 February 2026, has been published online by the University of California, Los Angeles, and the National Security Agency (NSA) in New York.> This is malicious.",
"modified": "2026-04-15T09:57:56.379000",
"created": "2026-04-15T09:55:08.935000",
"tags": [
"settings",
"first counter",
"default",
"toolspanose",
"mwdb",
"bazaar",
"sha3384",
"ssdeep",
"file size",
"mbisslshort",
"accept",
"bridge",
"info",
"date",
"light",
"agent",
"shutdown",
"root",
"performs dns",
"extra info",
"attack network",
"info dropped",
"info processes",
"zenbox verdict",
"guest system",
"ultimate file",
"info file",
"ascii text",
"malicious",
"next",
"mitre attack",
"network info",
"processes extra",
"overview",
"overview zenbox",
"verdict",
"unknown"
],
"references": [
"https://vtbehaviour.commondatastorage.googleapis.com/930fd5e980c675c0eeb55d1c3c4b462dae4e9add472228ef9d9d3941d8603c48_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776246714&Signature=jA8ZNQzdLZfCMA%2BeZdzBjB3xA0B7xKtgmBMmVGhpCsbkEU53LPuuNVLyugFpe7diOUDoR55j7HbDl9qcOHkMPamkpv3i44NiD46yJbU4LSQkaP1qPkrF0YTWKn4PkEnuUYIAEr6z6J76c33VYseiQzUFAb%2F2EmiSrP2P0B%2BTV3lvRclFr%2FAxEVTCCZcmWffeMujO3jhC9czl3rYy9DQH1v23x4tcX0%2BcVcRjvTPUjfACcx8trhtm",
"https://vtbehaviour.commondatastorage.googleapis.com/7ee979e976acf8f47699717010a1a0259a991b62d6690571d8b68dd16b294b2b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776246777&Signature=yNFSBGy%2Bm8tg5Sl9XzqsISl5kfgoB4%2Fnf%2FJn6WTRwmAZFUp51dt85ONZCzDMwEPqIoiUXlYybE4s09saW5RxfASOPh2spHs6dyCMsXnDPX%2Bk97XShYdomVvaBJsmRZDzDF1inptzQCRTtdDSe9IeE0ZE0Sr7AlXrkR1sVf151d4nyK3gdcwxaojAALetWrh%2Fx%2BjcpJYEo7D5hlba1zTfWJ57CQVjWvixx1vFyzw%2B8s59JIuuvTK25JI2",
"https://vtbehaviour.commondatastorage.googleapis.com/930fd5e980c675c0eeb55d1c3c4b462dae4e9add472228ef9d9d3941d8603c48_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776246967&Signature=Ir5y9DGvGgNLFUDY8U6XR53N35ujwlwfUYKT1GK9MfB1XTAtJk8qVigh7fO1EPVnJQP%2BkVNsUCkx1JjW9L03u0PfThYXwIBYbjulP7glaB%2BqBIqGVjsKq%2BlOwN0MLlSG408dZWbdUekl6p8wKR8L4Y1wXpN5UU%2F6gKv2dm9WFA9aHsBZd3K33gYAJ0cjsJEz%2BY4WITcbYvW0eJDyk7JGmMa1c4VaL6Wqud26xKwdeyOExz3D472vYkEAROfQ",
"https://vtbehaviour.commondatastorage.googleapis.com/930fd5e980c675c0eeb55d1c3c4b462dae4e9add472228ef9d9d3941d8603c48_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776246921&Signature=X1jzLW3418s%2FQ18Krko%2B307kskS6d2hv1BEZN918A03%2BgNR7LtEHC48e5%2F3mRCz0n3H1wrLvbc3pB9GFSEcPI1iYWIN2YZa8TRUv8pk%2BTsrfc0GlUPG1JwElP67v80tNQVAvFXYkI00vaXUyTEIAWltRkZnJCH1iOD%2BnGOcmzDsQ28fJBY6ZXAoee8pz1CL%2B95j7wn8%2FdET4YQdhduJj0x3M%2BM5oon%2FgzuHLI70rvQ"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"IPv4": 69,
"FileHash-MD5": 254,
"FileHash-SHA1": 43,
"FileHash-SHA256": 49,
"URL": 80,
"hostname": 117,
"IPv6": 1,
"email": 1,
"domain": 10
},
"indicator_count": 624,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 46,
"modified_text": "1 hour ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69df292b85c74fec867e4ed2",
"name": "VirusTotal report\n for index.html",
"description": " 'broken seal'",
"modified": "2026-04-15T09:20:24.856000",
"created": "2026-04-15T05:59:07.274000",
"tags": [
"sign",
"submission",
"unread",
"community score",
"status",
"content type",
"date",
"community join",
"community",
"api key",
"body",
"dns resolutions",
"ip traffic",
"performs dns",
"found",
"https",
"urls",
"mitre attack",
"network info",
"processes extra",
"mnhqrsc7",
"t1055 process",
"layer protocol",
"phishing",
"next",
"get http",
"rules not",
"http",
"injection",
"memory pattern",
"cape sandbox",
"zenbox",
"detections not",
"found mitre",
"info ids",
"size",
"analysis date",
"domains",
"facebook",
"language",
"vhash",
"ssdeep",
"file type",
"html internet",
"magic html",
"unicode text",
"utf8 text",
"algorithm",
"key identifier",
"x509v3 subject",
"v3 serial",
"number",
"cus olet",
"encrypt cne7",
"validity",
"subject public",
"key info",
"handle",
"server",
"entity",
"registrar abuse",
"llc creation",
"join",
"umbrella",
"trid file",
"redacted for",
"privacy tech",
"privacy admin",
"country",
"stateprovince",
"postal code",
"organization",
"email",
"code",
"canva",
"overview",
"dropped info",
"malicious",
"default",
"file size",
"mwdb",
"bazaar",
"sha3384",
"acrongl integ",
"adc4240758",
"sha256",
"accept",
"shutdown",
"back",
"windows sandbox",
"calls process",
"docguard",
"greyware mitre",
"evasion",
"vs98",
"compiler",
"sp6 build",
"chi2",
"contained",
"authentihash",
"rich pe",
"win32 exe",
"system process",
"pe file",
"ms windows",
"downloads",
"united",
"drops pe",
"tls version",
"persistence",
"fraud",
"nothing",
"registry keys",
"parent pid",
"full path",
"command line",
"mutexes nothing",
"created",
"files c",
"read files",
"read registry",
"tcp connections",
"udp connections",
"files nothing",
"description",
"host process",
"windows",
"user",
"integritylevel",
"detailsendswith",
"helper objects",
"cache",
"imageendswith",
"autorun keys",
"modification id",
"asep",
"victor sergeev",
"tim shelton",
"nextron",
"from",
"system32",
"syswow64",
"winsxs",
"lolbins",
"roth",
"markus neis",
"filesavira",
"rule set",
"github",
"matches rule",
"florian roth",
"capture",
"malware",
"cgb osectigo",
"public server",
"dv r36",
"pdf document",
"magic pdf",
"trid adobe",
"format",
"crc32",
"win1",
"detail info",
"tickcount",
"filename",
"behaviour",
"imagepath",
"cmdline",
"offset",
"targetprocess",
"writeaddress",
"write",
"shell",
"open"
],
"references": [
"https://vtbehaviour.commondatastorage.googleapis.com/a77a417f32cbded88f0d4e3663963a8965e72a25398acc329d907143e4ac3b23_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776228071&Signature=k4OPGTTS9fpKAbpLbTCobvi0%2BEjGbp7VcWYSCEp1TvQjpVcQtED0S8jcuTQ0McsWiP%2B6aw%2Fx98DNyVWEyPW4Tk8SxeBRXHcp0LXtwZJGGgR6Bg22qNhLkdLO31x8icluFzt4jqqp9hvJBXQodGoJWmlyxa3b9mS%2BeqUdi0ui3etDt%2Fhqv5QEOSCDX7bljWWmxRJa%2BZfAYDazGaCIGSQoltS%2BeMihl5SLMi%2B%2BjYP6%2BKTvM9xwUC",
"https://vtbehaviour.commondatastorage.googleapis.com/a77a417f32cbded88f0d4e3663963a8965e72a25398acc329d907143e4ac3b23_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776228177&Signature=MeuwZPsdr0gtQe0sk4q%2F4CUZfcMW69%2BxIGhrTaYMPXdTjl9aWJE5615NjAm4MvLR4DtSbJ7cc1BFbk7BVmjJn8nL41YfGq%2BBf5gZPn0%2FQV9ktpUtUMF9Lv0QkTRTFvsf0jeKYeC2md5imom9AjEbo5ewSdFcbMP503mxuC0pdhpq7S49aLwME4HDzuoSSRnwj%2BlEmfp5egLduihMAZHjBHMzBdPMJAufJFlU8IQZClMZlgiQVG7EB%2Fv1e6",
"https://vtbehaviour.commondatastorage.googleapis.com/b0b9aa9f245afb8f001e1d0c3be360fac8128469e52b5242115a7ff6e6c04978_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229294&Signature=OdVBHVnXq3aV47RlsO8ckBUvhV7Kn9b%2F4xcw6rkjRGl101K0lV0KpQpJFnEJ2JNjbsHO7vdMuiA2nR7aFNAx3pK6oJ2uEM5B%2F1BElXy3wNiL6OMqOj6VDv1lBLizeW3yvJG2V6sF%2By0mIhjiIDTOWyndGkDQoxymSgXyRoelmqrYH09k2E5CRoipEjdu2HUz6DgB0hePe4bG7h%2FBmerbDws5a3iwYrIjxjcFH06RSyYEapwLeYDZLUN8zzbnyg",
"https://vtbehaviour.commondatastorage.googleapis.com/b0b9aa9f245afb8f001e1d0c3be360fac8128469e52b5242115a7ff6e6c04978_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229341&Signature=FsDJqLFCpjpHyHkGAAeaeZJ0FuHsnHPW6OqfNr9%2FNQIMbW7S%2BpRdtBt0QC6eD2wVbJ0w0mn5Yh0umB2%2B4oj4WMpC%2Bbrabv85VtOz%2F7vZpXZYD00Eey8BoejnKjQXMEvwQelKFGpAKX9nv%2FzwiCOS22Yks44WKHJ9A32A8UatUxBJensQPOqvN6AxKy8xxjxFGM3cZm0F86LlAfualBwN7iwbWFmc4eGjmYxY6luyqTxxyh58Vh",
"https://vtbehaviour.commondatastorage.googleapis.com/b0b9aa9f245afb8f001e1d0c3be360fac8128469e52b5242115a7ff6e6c04978_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229360&Signature=mH4LFzdNbM%2FrTWl5A1VAc7ojWzYacRphus9okWr%2BvKUFUyk6TK8Pas4WKG1FcvFR2wwpkpjhE0AE0viuh35qs9qrKBS2fIH14W17FlfmoSXYlBcSDESzTv%2FVzT%2F0Apeil6p9N3Fux7xxH6ZuNyB%2B4%2FPrsSOrCfOkh4oSRipPAOPTUdPYpQTe0rA1LiyBADnpOeEOc4sEeKoTGaMgqmSXd6sFNnsjxsspmJ6p%2F0NL9s",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229700&Signature=bWnonefGUZtYeK3iLEK3l6B1K8s5LAANJsHqgu2f0adNPoq5aO1WnMIFL001ZRPLhg3zHdzVWEliZbOKd464xRNceJ7qnwM2u%2BoTUWVsdG7sWp8m3KT9cy98h7ihyVxEJudR7SVtw3hFHyjnbgFd8um7IWE3l2SqVOMKxir6agkJHMAg85Uq%2B29m%2Fxor5i2T2eJagX5555p5VHGXCleUwHe47ThbWegYdvCtAeZOtTKyRSdkhAYjfh3BJ1x2dWJ2",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229786&Signature=xYXDEDJcly%2BwCTkFPUyrSr228UUue%2BCAjKBOxrc5lIwprWxivXrJrS40lCNF%2BKMLkA9i6z04spAOemhRUK66rLcdqghb9T%2FBO4LbtGMX%2B1PAsVhS%2BP4qygPXIHJ5%2B8wxoZW2tYaq0ZvgAT6JnxbkWd5C0zOxXk%2F9hT6Vp9O5ikL6ZfyZ6slwyrcaPf2dQp0s8qV47TDrYLbF3PtfUd7Gqo1FH%2BCeT2v3waoi7mEQ%2BR",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229983&Signature=pjZPJEd79tkxjTOXjGMHb4Ed29a3OnC2MaGvoEp2E%2BtUNlKu%2BjXXLzR8Y%2FZlOZH1iQYAVjw%2BGSPneb4wnbT1VPNraQ3Xf5M6aAPdM6%2FksMddUDZcLVnFuSdgwU93ADeZobmWXc%2BJH1%2FguUu9OPzHo0G%2BgRmTNqH9qd3UF67OJAc5REJ07uMtzQuuBx6rXGruAKZEVmDJkBSj%2BYeGTwZmIa5rki62YowEiVDCcQ",
"https://vtbehaviour.commondatastorage.googleapis.com/a77a417f32cbded88f0d4e3663963a8965e72a25398acc329d907143e4ac3b23_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776230863&Signature=MAUJlRZPDmQ8L%2FN5a%2F5%2FFKR6Avr46BE%2BopAgWZomEP4ZjskOPFdqUdHqNnWlGWBv%2FQh4X7Z7p3aft1KWZdvUXnSZMerAL7Kuh%2BCK%2BLXLSALQZ9DL6ZpXdOktgaTxL6heoTmcz%2FvpOVmsFn%2FgbzxQjLZ9GliY9AQE1C3VJAZmqdMbG1Y%2FIpByCKcEokrgAN%2B7XhJGE94VD8A4luLzKvlyVYuqoFv6raDRdQMFBOXOJCXkyjJk",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776230932&Signature=xa5mbsGixH6SGhj%2BdrfZBwVhiHGEybcZdAbHUfpoGoECgFwqMLudtOiuX7AZZO2RxSaIoY%2FOQa%2B7jGfS%2FoeYRgjRTmAJCei6M172sbgIU6nRQdVDrqNeJXkSlr20Q1sW0%2B4gtImsebtle4ipmPMbrM6VDUWKjegUi8afL5a27GLZg9veVMc%2FI0aT1qx8EjsdITQ%2BSdvZoX39A%2FlC3j0gK6R9WcVdu3DEx6lxUHsOx3HPKk%2BJAZyZ",
"https://vtbehaviour.commondatastorage.googleapis.com/5db6524a52780ba7a4bd05e5faa20cbb7159f1c503394d850b5e95442357fb38_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776230974&Signature=zYx3MmXFQoBT4EG2nvG5OZiyNhwKxbZzjL6%2BNZgR4Vz%2FdHSEDvbVaSpxmWXWVYIvSYVfBhn1WxEelG4wi1yRrrS7CXwxSbXtv1E6hBhtT8u%2F%2Fj%2F4eRs2Jtulv5WvBY99pZ53qx9cvc8vV%2FgELVw%2Fy%2Bjat%2BN72%2BtX0XBhiiOt%2BtpVFkjl12ns9sbW6xNwzsrENkL5xhuctZ7TX2AX188SrJb9s5VM0wK7F8",
"https://vtbehaviour.commondatastorage.googleapis.com/00fa27f76beaca564ba93b54d2c468637c2b1dcb5568c4a597a08068af36cda5_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776231578&Signature=NwCoyWHAZRo4FS0XqNnT7d8ki2ytuinY7CisegY4Mq1T5JctWpC4Kee1LG6L3Tmb8%2BfW9yMZq0ChSvSYUjdDTFzNYQoq8vKxf8iGkMy%2BmOA3tSAu3gbLWS2bTtDjc4TFrtK0PKow3hO0FW0QtCkt9NPBi%2BPgoW7MXYIZ3uFt9ARoi%2FY1ChJZdBRtdii1C%2BWEDeLCIQ9xOpDRKxdYBmliuWm6kmeld%2F5yh1%2FSBDYYTOMDDZwzdDUr%2FB",
"https://vtbehaviour.commondatastorage.googleapis.com/000c8c89cace706e71df3b230abb53b0891757e08e1d10013ba76d98a3b08622_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776231935&Signature=wI0FB9EBFXXgWFo0thv9T11BAEOIJxW%2BSMCRUhCv8%2FEaaWaZhr975NH1qjEeFwIgm3cWdqm8KhXTxkbqGddaPoKiIoe59pX4ZVhr0LmnSTGFTFkLVGsGIajJCSutHgqOs6kW5KtDpyC67KxlAF1IA858Tz7eOXxYk3JYsf5g9iC%2BhkfqrDGGucK%2BDxtYZbIvDRb3QxLpD2qtF4NVPFoO38H3aJon0pykwGkrRNU0Pae%2F5YyJjl6m",
"https://vtbehaviour.commondatastorage.googleapis.com/f403bda8d1840e13c382804876bddf5521304bbbe01d8c127e9b482baf4db923_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776232147&Signature=qctdwqGOIWSBEBix28Qxr45GEATFVdZTkDPbDIdJUHZ668NUB29x7xOOu3BZACgBBczicReTkIygLYXiDb20rGtoja2iQxFCTOWE4%2FLwc9Nxh7I1%2FSoHR6%2Bi5Wk4XJTAcdzAGeExua8rUKoFT5sIKrtv83PwbAvTCO7GvcydYPqGs2mLLbQhp7372gRlMAdZg6XILhNRYSlLjZKO%2BpqkBfkK8qpwy%2BaB6%2BDnSqhM%2BVFxaWXh",
"https://vtbehaviour.commondatastorage.googleapis.com/106d36306f3b9357ff409aa1e41521243092c85e8e92fee633b033c9753e98a6_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776232356&Signature=dOUaP3bH%2F2XkNjkbn9FzySukzQbvCwdZKL3t4DjYw8QyaWjsDXs4zMrVafpcb0nOty%2Ff6lOTZkHbIBpyOnKxL9VoqGlftDb03fLBfKM96ov1%2B%2F7gAUJtMfAdk9BUBNUNda9t16wrDNGAVeGod5gZULkmaRB%2BSYwitpYbdZZw9oqT6GM86gMSQdng8tKJ5jvB7qzOr5k3fD2VUuTDsvjZN4f0hncuHKTT6LK4T2FPew5lUi44QzME",
"https://vtbehaviour.commondatastorage.googleapis.com/37f12bc75b877cf1823020f35dfc55ecde4dd992020b7059b13cbc2a59a1602b_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776233810&Signature=RD85gBCBa6ClHHnNqywd6%2FYlQHrUais%2BuABeaQrUngJuiQTTEyzmUagxx2k2VZ0tgbmEb%2Fdh9lTTFZXkRC4cQ18iE4OIl6IKM5Yzxmd8vDT6dmCvEzCiRUxmplXzVUHTJFz1dNIy0zvMDzEuAWEpKf2wo823yU%2F4PaxOceMkJ%2Ftq5Jehb6pUn6ILf%2B5FOEGJpxjXrbtWS%2BT%2BA5ScNml2cc8140P9mQ%2BmMx2EAW",
"",
"https://vtbehaviour.commondatastorage.googleapis.com/db9d8c125c0e5a440719875d01365c7c5423bcc8df55e54cb228ac2aa30bc969_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776235167&Signature=c%2F4wKBu3gsuZInxjqfgg8MbdYRlJ5EYYEV%2Fkl1g3Nx%2Fp%2B7lCYKGrilDgDTTqlooVjs8pyDi58Yi2SSs40L5JzExM18zVXhiUs1SYZNyy3OWKiAZ5QMH69N8R8XHmOd2L6lwfLVy9x%2F%2Fu29ji02gGj0W7eFht2uGb3Hnhegtt%2BNxNhOOCcD8LDnTvh%2Fhm9RYmW40LG5q238yRggg3TFrumeG2RHO9czdiobkRrsAD8eIohj",
"x-amzn-trace-id Root=1-69df501d-7e46547e623628d85631dc6b;Parent=0bf4ea1fded328b1;Sampled=0;Lineage=1:6afe1924:0",
"Nextron: Thank you for the YARA rules. Yara and LB, too.",
"https://vtbehaviour.commondatastorage.googleapis.com/930fd5e980c675c0eeb55d1c3c4b462dae4e9add472228ef9d9d3941d8603c48_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776243461&Signature=Dz1357rbtfS3ulmmu8c%2BhYCsFXq5j6Rkafb9W6C2Rp8K9C3NfbpUuCN1TORawK7%2BnEJXGNb7r2PQThu1hU64xqNTi6I7KNZcOwC5SHIDUgioEm6FoK%2F68BF%2Fj9tn3trLgKetrPx2zuy%2BP9gjqBMe5T2fAtNa%2FJi4uZYhdDQhKIZB1JmXDjEcFMhp6PLdPqEVVUh6nwevWaLhJ1z%2BPVhc9atSdnbwiXbJ7Cp%2BKrfR1xH8OQ"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1203",
"name": "Exploitation for Client Execution",
"display_name": "T1203 - Exploitation for Client Execution"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1003",
"name": "OS Credential Dumping",
"display_name": "T1003 - OS Credential Dumping"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1014",
"name": "Rootkit",
"display_name": "T1014 - Rootkit"
},
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1485",
"name": "Data Destruction",
"display_name": "T1485 - Data Destruction"
},
{
"id": "T1496",
"name": "Resource Hijacking",
"display_name": "T1496 - Resource Hijacking"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1542",
"name": "Pre-OS Boot",
"display_name": "T1542 - Pre-OS Boot"
},
{
"id": "T1564",
"name": "Hide Artifacts",
"display_name": "T1564 - Hide Artifacts"
},
{
"id": "T1016",
"name": "System Network Configuration Discovery",
"display_name": "T1016 - System Network Configuration Discovery"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1547",
"name": "Boot or Logon Autostart Execution",
"display_name": "T1547 - Boot or Logon Autostart Execution"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1134",
"name": "Access Token Manipulation",
"display_name": "T1134 - Access Token Manipulation"
},
{
"id": "T1046",
"name": "Network Service Scanning",
"display_name": "T1046 - Network Service Scanning"
},
{
"id": "T1539",
"name": "Steal Web Session Cookie",
"display_name": "T1539 - Steal Web Session Cookie"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 3012,
"IPv4": 342,
"URL": 3824,
"FileHash-MD5": 734,
"FileHash-SHA1": 453,
"domain": 862,
"hostname": 1629,
"email": 25,
"CVE": 1
},
"indicator_count": 10882,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 47,
"modified_text": "1 hour ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69df292dac938e1d181a38e2",
"name": "VirusTotal report\n for index.html",
"description": " 'broken seal'\n\nObservations: Unplugged, Airbook, flashed wrote or write javascript in red around 2:45am EST when trying to upload and took me to a google screen.",
"modified": "2026-04-15T08:40:44.402000",
"created": "2026-04-15T05:59:09.898000",
"tags": [
"sign",
"submission",
"unread",
"community score",
"status",
"content type",
"date",
"community join",
"community",
"api key",
"body",
"dns resolutions",
"ip traffic",
"performs dns",
"found",
"https",
"urls",
"mitre attack",
"network info",
"processes extra",
"mnhqrsc7",
"t1055 process",
"layer protocol",
"phishing",
"next",
"get http",
"rules not",
"http",
"injection",
"memory pattern",
"cape sandbox",
"zenbox",
"detections not",
"found mitre",
"info ids",
"size",
"analysis date",
"domains",
"facebook",
"language",
"vhash",
"ssdeep",
"file type",
"html internet",
"magic html",
"unicode text",
"utf8 text",
"algorithm",
"key identifier",
"x509v3 subject",
"v3 serial",
"number",
"cus olet",
"encrypt cne7",
"validity",
"subject public",
"key info",
"handle",
"server",
"entity",
"registrar abuse",
"llc creation",
"join",
"umbrella",
"trid file",
"redacted for",
"privacy tech",
"privacy admin",
"country",
"stateprovince",
"postal code",
"organization",
"email",
"code",
"canva",
"overview",
"dropped info",
"malicious",
"default",
"file size",
"mwdb",
"bazaar",
"sha3384",
"acrongl integ",
"adc4240758",
"sha256",
"accept",
"shutdown",
"back",
"windows sandbox",
"calls process",
"docguard",
"greyware mitre",
"evasion",
"vs98",
"compiler",
"sp6 build",
"chi2",
"contained",
"authentihash",
"rich pe",
"win32 exe",
"system process",
"pe file",
"ms windows",
"downloads",
"united",
"drops pe",
"tls version",
"persistence",
"fraud",
"nothing",
"registry keys",
"parent pid",
"full path",
"command line",
"mutexes nothing",
"created",
"files c",
"read files",
"read registry",
"tcp connections",
"udp connections",
"files nothing",
"description",
"host process",
"windows",
"user",
"integritylevel",
"detailsendswith",
"helper objects",
"cache",
"imageendswith",
"autorun keys",
"modification id",
"asep",
"victor sergeev",
"tim shelton",
"nextron",
"from",
"system32",
"syswow64",
"winsxs",
"lolbins",
"roth",
"markus neis",
"filesavira",
"rule set",
"github",
"matches rule",
"florian roth",
"capture",
"malware",
"cgb osectigo",
"public server",
"dv r36",
"pdf document",
"magic pdf",
"trid adobe",
"format",
"crc32",
"win1",
"detail info",
"tickcount",
"filename",
"behaviour",
"imagepath",
"cmdline",
"offset",
"targetprocess",
"writeaddress",
"write",
"shell",
"open"
],
"references": [
"https://vtbehaviour.commondatastorage.googleapis.com/a77a417f32cbded88f0d4e3663963a8965e72a25398acc329d907143e4ac3b23_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776228071&Signature=k4OPGTTS9fpKAbpLbTCobvi0%2BEjGbp7VcWYSCEp1TvQjpVcQtED0S8jcuTQ0McsWiP%2B6aw%2Fx98DNyVWEyPW4Tk8SxeBRXHcp0LXtwZJGGgR6Bg22qNhLkdLO31x8icluFzt4jqqp9hvJBXQodGoJWmlyxa3b9mS%2BeqUdi0ui3etDt%2Fhqv5QEOSCDX7bljWWmxRJa%2BZfAYDazGaCIGSQoltS%2BeMihl5SLMi%2B%2BjYP6%2BKTvM9xwUC",
"https://vtbehaviour.commondatastorage.googleapis.com/a77a417f32cbded88f0d4e3663963a8965e72a25398acc329d907143e4ac3b23_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776228177&Signature=MeuwZPsdr0gtQe0sk4q%2F4CUZfcMW69%2BxIGhrTaYMPXdTjl9aWJE5615NjAm4MvLR4DtSbJ7cc1BFbk7BVmjJn8nL41YfGq%2BBf5gZPn0%2FQV9ktpUtUMF9Lv0QkTRTFvsf0jeKYeC2md5imom9AjEbo5ewSdFcbMP503mxuC0pdhpq7S49aLwME4HDzuoSSRnwj%2BlEmfp5egLduihMAZHjBHMzBdPMJAufJFlU8IQZClMZlgiQVG7EB%2Fv1e6",
"https://vtbehaviour.commondatastorage.googleapis.com/b0b9aa9f245afb8f001e1d0c3be360fac8128469e52b5242115a7ff6e6c04978_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229294&Signature=OdVBHVnXq3aV47RlsO8ckBUvhV7Kn9b%2F4xcw6rkjRGl101K0lV0KpQpJFnEJ2JNjbsHO7vdMuiA2nR7aFNAx3pK6oJ2uEM5B%2F1BElXy3wNiL6OMqOj6VDv1lBLizeW3yvJG2V6sF%2By0mIhjiIDTOWyndGkDQoxymSgXyRoelmqrYH09k2E5CRoipEjdu2HUz6DgB0hePe4bG7h%2FBmerbDws5a3iwYrIjxjcFH06RSyYEapwLeYDZLUN8zzbnyg",
"https://vtbehaviour.commondatastorage.googleapis.com/b0b9aa9f245afb8f001e1d0c3be360fac8128469e52b5242115a7ff6e6c04978_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229341&Signature=FsDJqLFCpjpHyHkGAAeaeZJ0FuHsnHPW6OqfNr9%2FNQIMbW7S%2BpRdtBt0QC6eD2wVbJ0w0mn5Yh0umB2%2B4oj4WMpC%2Bbrabv85VtOz%2F7vZpXZYD00Eey8BoejnKjQXMEvwQelKFGpAKX9nv%2FzwiCOS22Yks44WKHJ9A32A8UatUxBJensQPOqvN6AxKy8xxjxFGM3cZm0F86LlAfualBwN7iwbWFmc4eGjmYxY6luyqTxxyh58Vh",
"https://vtbehaviour.commondatastorage.googleapis.com/b0b9aa9f245afb8f001e1d0c3be360fac8128469e52b5242115a7ff6e6c04978_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229360&Signature=mH4LFzdNbM%2FrTWl5A1VAc7ojWzYacRphus9okWr%2BvKUFUyk6TK8Pas4WKG1FcvFR2wwpkpjhE0AE0viuh35qs9qrKBS2fIH14W17FlfmoSXYlBcSDESzTv%2FVzT%2F0Apeil6p9N3Fux7xxH6ZuNyB%2B4%2FPrsSOrCfOkh4oSRipPAOPTUdPYpQTe0rA1LiyBADnpOeEOc4sEeKoTGaMgqmSXd6sFNnsjxsspmJ6p%2F0NL9s",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229700&Signature=bWnonefGUZtYeK3iLEK3l6B1K8s5LAANJsHqgu2f0adNPoq5aO1WnMIFL001ZRPLhg3zHdzVWEliZbOKd464xRNceJ7qnwM2u%2BoTUWVsdG7sWp8m3KT9cy98h7ihyVxEJudR7SVtw3hFHyjnbgFd8um7IWE3l2SqVOMKxir6agkJHMAg85Uq%2B29m%2Fxor5i2T2eJagX5555p5VHGXCleUwHe47ThbWegYdvCtAeZOtTKyRSdkhAYjfh3BJ1x2dWJ2",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229786&Signature=xYXDEDJcly%2BwCTkFPUyrSr228UUue%2BCAjKBOxrc5lIwprWxivXrJrS40lCNF%2BKMLkA9i6z04spAOemhRUK66rLcdqghb9T%2FBO4LbtGMX%2B1PAsVhS%2BP4qygPXIHJ5%2B8wxoZW2tYaq0ZvgAT6JnxbkWd5C0zOxXk%2F9hT6Vp9O5ikL6ZfyZ6slwyrcaPf2dQp0s8qV47TDrYLbF3PtfUd7Gqo1FH%2BCeT2v3waoi7mEQ%2BR",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229983&Signature=pjZPJEd79tkxjTOXjGMHb4Ed29a3OnC2MaGvoEp2E%2BtUNlKu%2BjXXLzR8Y%2FZlOZH1iQYAVjw%2BGSPneb4wnbT1VPNraQ3Xf5M6aAPdM6%2FksMddUDZcLVnFuSdgwU93ADeZobmWXc%2BJH1%2FguUu9OPzHo0G%2BgRmTNqH9qd3UF67OJAc5REJ07uMtzQuuBx6rXGruAKZEVmDJkBSj%2BYeGTwZmIa5rki62YowEiVDCcQ",
"https://vtbehaviour.commondatastorage.googleapis.com/a77a417f32cbded88f0d4e3663963a8965e72a25398acc329d907143e4ac3b23_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776230863&Signature=MAUJlRZPDmQ8L%2FN5a%2F5%2FFKR6Avr46BE%2BopAgWZomEP4ZjskOPFdqUdHqNnWlGWBv%2FQh4X7Z7p3aft1KWZdvUXnSZMerAL7Kuh%2BCK%2BLXLSALQZ9DL6ZpXdOktgaTxL6heoTmcz%2FvpOVmsFn%2FgbzxQjLZ9GliY9AQE1C3VJAZmqdMbG1Y%2FIpByCKcEokrgAN%2B7XhJGE94VD8A4luLzKvlyVYuqoFv6raDRdQMFBOXOJCXkyjJk",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776230932&Signature=xa5mbsGixH6SGhj%2BdrfZBwVhiHGEybcZdAbHUfpoGoECgFwqMLudtOiuX7AZZO2RxSaIoY%2FOQa%2B7jGfS%2FoeYRgjRTmAJCei6M172sbgIU6nRQdVDrqNeJXkSlr20Q1sW0%2B4gtImsebtle4ipmPMbrM6VDUWKjegUi8afL5a27GLZg9veVMc%2FI0aT1qx8EjsdITQ%2BSdvZoX39A%2FlC3j0gK6R9WcVdu3DEx6lxUHsOx3HPKk%2BJAZyZ",
"https://vtbehaviour.commondatastorage.googleapis.com/5db6524a52780ba7a4bd05e5faa20cbb7159f1c503394d850b5e95442357fb38_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776230974&Signature=zYx3MmXFQoBT4EG2nvG5OZiyNhwKxbZzjL6%2BNZgR4Vz%2FdHSEDvbVaSpxmWXWVYIvSYVfBhn1WxEelG4wi1yRrrS7CXwxSbXtv1E6hBhtT8u%2F%2Fj%2F4eRs2Jtulv5WvBY99pZ53qx9cvc8vV%2FgELVw%2Fy%2Bjat%2BN72%2BtX0XBhiiOt%2BtpVFkjl12ns9sbW6xNwzsrENkL5xhuctZ7TX2AX188SrJb9s5VM0wK7F8",
"https://vtbehaviour.commondatastorage.googleapis.com/00fa27f76beaca564ba93b54d2c468637c2b1dcb5568c4a597a08068af36cda5_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776231578&Signature=NwCoyWHAZRo4FS0XqNnT7d8ki2ytuinY7CisegY4Mq1T5JctWpC4Kee1LG6L3Tmb8%2BfW9yMZq0ChSvSYUjdDTFzNYQoq8vKxf8iGkMy%2BmOA3tSAu3gbLWS2bTtDjc4TFrtK0PKow3hO0FW0QtCkt9NPBi%2BPgoW7MXYIZ3uFt9ARoi%2FY1ChJZdBRtdii1C%2BWEDeLCIQ9xOpDRKxdYBmliuWm6kmeld%2F5yh1%2FSBDYYTOMDDZwzdDUr%2FB",
"https://vtbehaviour.commondatastorage.googleapis.com/000c8c89cace706e71df3b230abb53b0891757e08e1d10013ba76d98a3b08622_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776231935&Signature=wI0FB9EBFXXgWFo0thv9T11BAEOIJxW%2BSMCRUhCv8%2FEaaWaZhr975NH1qjEeFwIgm3cWdqm8KhXTxkbqGddaPoKiIoe59pX4ZVhr0LmnSTGFTFkLVGsGIajJCSutHgqOs6kW5KtDpyC67KxlAF1IA858Tz7eOXxYk3JYsf5g9iC%2BhkfqrDGGucK%2BDxtYZbIvDRb3QxLpD2qtF4NVPFoO38H3aJon0pykwGkrRNU0Pae%2F5YyJjl6m",
"https://vtbehaviour.commondatastorage.googleapis.com/f403bda8d1840e13c382804876bddf5521304bbbe01d8c127e9b482baf4db923_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776232147&Signature=qctdwqGOIWSBEBix28Qxr45GEATFVdZTkDPbDIdJUHZ668NUB29x7xOOu3BZACgBBczicReTkIygLYXiDb20rGtoja2iQxFCTOWE4%2FLwc9Nxh7I1%2FSoHR6%2Bi5Wk4XJTAcdzAGeExua8rUKoFT5sIKrtv83PwbAvTCO7GvcydYPqGs2mLLbQhp7372gRlMAdZg6XILhNRYSlLjZKO%2BpqkBfkK8qpwy%2BaB6%2BDnSqhM%2BVFxaWXh",
"https://vtbehaviour.commondatastorage.googleapis.com/106d36306f3b9357ff409aa1e41521243092c85e8e92fee633b033c9753e98a6_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776232356&Signature=dOUaP3bH%2F2XkNjkbn9FzySukzQbvCwdZKL3t4DjYw8QyaWjsDXs4zMrVafpcb0nOty%2Ff6lOTZkHbIBpyOnKxL9VoqGlftDb03fLBfKM96ov1%2B%2F7gAUJtMfAdk9BUBNUNda9t16wrDNGAVeGod5gZULkmaRB%2BSYwitpYbdZZw9oqT6GM86gMSQdng8tKJ5jvB7qzOr5k3fD2VUuTDsvjZN4f0hncuHKTT6LK4T2FPew5lUi44QzME",
"https://vtbehaviour.commondatastorage.googleapis.com/003c70373fd8307426c9597ea691d0065e4b17fbeaea25155d3180d59d19aecd_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776235521&Signature=XyL%2BziErEMLdDGzpkOrsFWzF%2Bs8%2F%2BHa%2Ft1S5%2FfgkdYZVZNUoI9ouy4IwZLiV4Fi2woIHU9YMnGYvqC6u0SHx0R%2FTbBYsAWIRLcS0jXCiNEz33EKRDTLcQqaAqg1bgEzbagC8RvfUjg5sQp8chQSkn3nYGGovJ1W9KDWu39peg7l0wU95LMSY%2BtbjEdzA0ghSq8IG%2BBSGkETgfJdXrKjyTRw1x5DEwN%2BENKfa54%2FmxDHO7iP3",
"https://vtbehaviour.commondatastorage.googleapis.com/003c70373fd8307426c9597ea691d0065e4b17fbeaea25155d3180d59d19aecd_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776235484&Signature=hjxNiAS7V%2Bsk78jk2ksTamwBDr%2Bbip09k8w%2FY%2FkvqfB676c53pmH%2Fwa7Py9BXy9tIptTKWA5SsC3Zck6ghdFqW3CcffOr0qRIsUIFknMfbuE3oC4UsaSuLoa%2B54UO0%2FJMTN9B5Y1HSbWJqFkxVX1WVQ5ry5yt9yJUK3m0DTRx9bsJ%2FoCKT3ionJdg5tZcst941SNesx3DRgpuAQmN9UVlNpRNCEwutgqN8XoC4EnI5l6Nt"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1203",
"name": "Exploitation for Client Execution",
"display_name": "T1203 - Exploitation for Client Execution"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1003",
"name": "OS Credential Dumping",
"display_name": "T1003 - OS Credential Dumping"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1014",
"name": "Rootkit",
"display_name": "T1014 - Rootkit"
},
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1485",
"name": "Data Destruction",
"display_name": "T1485 - Data Destruction"
},
{
"id": "T1496",
"name": "Resource Hijacking",
"display_name": "T1496 - Resource Hijacking"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1542",
"name": "Pre-OS Boot",
"display_name": "T1542 - Pre-OS Boot"
},
{
"id": "T1564",
"name": "Hide Artifacts",
"display_name": "T1564 - Hide Artifacts"
},
{
"id": "T1016",
"name": "System Network Configuration Discovery",
"display_name": "T1016 - System Network Configuration Discovery"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1547",
"name": "Boot or Logon Autostart Execution",
"display_name": "T1547 - Boot or Logon Autostart Execution"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1134",
"name": "Access Token Manipulation",
"display_name": "T1134 - Access Token Manipulation"
},
{
"id": "T1046",
"name": "Network Service Scanning",
"display_name": "T1046 - Network Service Scanning"
},
{
"id": "T1539",
"name": "Steal Web Session Cookie",
"display_name": "T1539 - Steal Web Session Cookie"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 5178,
"IPv4": 571,
"URL": 5163,
"FileHash-MD5": 1546,
"FileHash-SHA1": 381,
"domain": 1818,
"hostname": 3413,
"email": 22,
"URI": 2,
"IPv6": 15,
"CVE": 1
},
"indicator_count": 18110,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 46,
"modified_text": "2 hours ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69de69fe42542016114edaeb",
"name": "VirusTotal report\n for document.html",
"description": "A full report on malicious code found in an HTML file, compiled by Adobe, has been published by the University of California, San Francisco, at \u00c2\u00a31.5m (US$2.3m).",
"modified": "2026-04-15T07:18:09.038000",
"created": "2026-04-14T16:23:26.071000",
"tags": [
"license",
"performs dns",
"mitre attack",
"network info",
"processes extra",
"t1055 process",
"overview",
"overview zenbox",
"verdict",
"guest system",
"phishing",
"next",
"script",
"adobe",
"apache license",
"version",
"unless",
"as is",
"basis",
"any kind",
"doctype html",
"meta",
"body",
"pe file",
"binary",
"aslr",
"ole file",
"cname",
"strong",
"library",
"accept",
"cape sandbox",
"pdb path",
"name",
"address virtual",
"ip address",
"shutdown",
"pe32",
"ms windows",
"win16 ne",
"os2 executable",
"generic windos",
"executable",
"dos executable",
"pe64 compiler",
"ltcgc",
"linker",
"windows third",
"party component",
"valid from",
"valid",
"valid usage",
"whql crypto",
"code signing",
"algorithm",
"thumbprint",
"serial number",
"more"
],
"references": [
"https://vtbehaviour.commondatastorage.googleapis.com/d11869fdfbf4bd87085e351b24d2c0e2ba5813fa267b05d969d9d2e46685d113_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776183621&Signature=uQSwwOzpii%2FcKjaUt3UZ%2FKZ3C4DkSr3t5dURsz2pP4Es9CFMIWEz6oIAcURcfVri02K%2BedntrmLkvOs6c3g0yFcdgd9a82ARJF9jS5mDQGPXq9y54iiFvjgN98zNT%2BgoGoBF3IxeSAWO47BNwqYPY%2FzaVM0Pv14iXCBltAIH2Ss8R0OYrQytKcQLW48ggBvdA6fDl9x78WtpptMgs9Eu85KAN0wwHvtcrRpd1notnOQZYiYBk1qaAWD4HSrr",
"https://vtbehaviour.commondatastorage.googleapis.com/d11869fdfbf4bd87085e351b24d2c0e2ba5813fa267b05d969d9d2e46685d113_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776183658&Signature=tGjgj1F2qTBNB3zHOFjuVYbUuozwv%2FUH29aF5d5gmEhofNVf4N5DfD%2BmI9DjozB0MrJ96DeCjGEoPRo7i9Whr%2BThEkSnRgHkjV%2FPWe7tUL3zkNeuKXjs4bWH8BIxmdFyqGSy4cKx99ymtQAp%2F8AWxhqd15coMoLM31YqCpn8PnzvKtYQnIORJQjfhTUdyhha%2FmWvy7gaHGpZvJpaXiyF4IlYWdn9uYy%2FOSAR5Sh3f4F8fX3v",
"https://vtbehaviour.commondatastorage.googleapis.com/000020331380e6110b5beba407728730579ebf170517913cc364e7dcb114187b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776183676&Signature=IqbnhkkWYeM6kbjfuoTYF2bD3VY52MzFCe5v2P6L5%2FvT66S4ZUFYI3vDp1VG9lGc%2BD%2FJ2J3U67VgV%2BLYeRFGqnQdkctuODu7CXIAc%2FhcLsIB1HWqR9qge57%2FDpdeQUbM%2BjuZ5TWqdfA%2Bqhc1jioTcgrPNBR3JE6M97q%2BxKrz4CUb3WIOfl1mIP91XjXy2cReTAKc%2FsLCnmEvrIFVXx%2BaFUCpCCMCRxF8QOMb67WRJ8hD0iaM",
"https://vtbehaviour.commondatastorage.googleapis.com/000020331380e6110b5beba407728730579ebf170517913cc364e7dcb114187b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776183694&Signature=ZUnl%2FqTfn6nD5eHS7RvwcH%2Fv5Vtm4wB5Yc0hpeinjJ4Mk3V9%2FRkc6%2BJNireFTPFGSOwaLYwemKQwQA0okh9hYBN5ncSDlB6OSnED3OnM3iZUQDEdLBwgYUEP3M%2Bsg0s2XOV36s1V20ivPLzQVUrRM7CkuEyCsyWm7CCJQGdJBRcsNfR1BsgAOtLpiC6WPKr4xFa5QUh6PSgoGNXSDtj1Mk6Gs9iyav6G%2FtZYVoM%2FBUfcGg8W"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1218",
"name": "Signed Binary Proxy Execution",
"display_name": "T1218 - Signed Binary Proxy Execution"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 16,
"FileHash-SHA1": 3,
"FileHash-SHA256": 175,
"IPv4": 47,
"URL": 113,
"hostname": 130,
"domain": 43
},
"indicator_count": 527,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 46,
"modified_text": "3 hours ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69de69e81ae5bd040f77c01f",
"name": "VirusTotal report\n for document.html",
"description": "A full report on malicious code found in an HTML file, compiled by Adobe, has been published by the University of California, San Francisco, at \u00c2\u00a31.5m (US$2.3m).",
"modified": "2026-04-15T04:32:57.563000",
"created": "2026-04-14T16:23:04.494000",
"tags": [
"license",
"performs dns",
"mitre attack",
"network info",
"processes extra",
"t1055 process",
"overview",
"overview zenbox",
"verdict",
"guest system",
"phishing",
"next",
"script",
"adobe",
"apache license",
"version",
"unless",
"as is",
"basis",
"any kind",
"doctype html",
"meta",
"body",
"pe file",
"binary",
"aslr",
"ole file",
"cname",
"strong",
"library",
"accept",
"cape sandbox",
"pdb path",
"name",
"address virtual",
"ip address",
"shutdown",
"pe32",
"ms windows",
"win16 ne",
"os2 executable",
"generic windos",
"executable",
"dos executable",
"pe64 compiler",
"ltcgc",
"linker",
"windows third",
"party component",
"valid from",
"valid",
"valid usage",
"whql crypto",
"code signing",
"algorithm",
"thumbprint",
"serial number",
"more"
],
"references": [
"https://vtbehaviour.commondatastorage.googleapis.com/d11869fdfbf4bd87085e351b24d2c0e2ba5813fa267b05d969d9d2e46685d113_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776183621&Signature=uQSwwOzpii%2FcKjaUt3UZ%2FKZ3C4DkSr3t5dURsz2pP4Es9CFMIWEz6oIAcURcfVri02K%2BedntrmLkvOs6c3g0yFcdgd9a82ARJF9jS5mDQGPXq9y54iiFvjgN98zNT%2BgoGoBF3IxeSAWO47BNwqYPY%2FzaVM0Pv14iXCBltAIH2Ss8R0OYrQytKcQLW48ggBvdA6fDl9x78WtpptMgs9Eu85KAN0wwHvtcrRpd1notnOQZYiYBk1qaAWD4HSrr",
"https://vtbehaviour.commondatastorage.googleapis.com/d11869fdfbf4bd87085e351b24d2c0e2ba5813fa267b05d969d9d2e46685d113_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776183658&Signature=tGjgj1F2qTBNB3zHOFjuVYbUuozwv%2FUH29aF5d5gmEhofNVf4N5DfD%2BmI9DjozB0MrJ96DeCjGEoPRo7i9Whr%2BThEkSnRgHkjV%2FPWe7tUL3zkNeuKXjs4bWH8BIxmdFyqGSy4cKx99ymtQAp%2F8AWxhqd15coMoLM31YqCpn8PnzvKtYQnIORJQjfhTUdyhha%2FmWvy7gaHGpZvJpaXiyF4IlYWdn9uYy%2FOSAR5Sh3f4F8fX3v",
"https://vtbehaviour.commondatastorage.googleapis.com/000020331380e6110b5beba407728730579ebf170517913cc364e7dcb114187b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776183676&Signature=IqbnhkkWYeM6kbjfuoTYF2bD3VY52MzFCe5v2P6L5%2FvT66S4ZUFYI3vDp1VG9lGc%2BD%2FJ2J3U67VgV%2BLYeRFGqnQdkctuODu7CXIAc%2FhcLsIB1HWqR9qge57%2FDpdeQUbM%2BjuZ5TWqdfA%2Bqhc1jioTcgrPNBR3JE6M97q%2BxKrz4CUb3WIOfl1mIP91XjXy2cReTAKc%2FsLCnmEvrIFVXx%2BaFUCpCCMCRxF8QOMb67WRJ8hD0iaM",
"https://vtbehaviour.commondatastorage.googleapis.com/000020331380e6110b5beba407728730579ebf170517913cc364e7dcb114187b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776183694&Signature=ZUnl%2FqTfn6nD5eHS7RvwcH%2Fv5Vtm4wB5Yc0hpeinjJ4Mk3V9%2FRkc6%2BJNireFTPFGSOwaLYwemKQwQA0okh9hYBN5ncSDlB6OSnED3OnM3iZUQDEdLBwgYUEP3M%2Bsg0s2XOV36s1V20ivPLzQVUrRM7CkuEyCsyWm7CCJQGdJBRcsNfR1BsgAOtLpiC6WPKr4xFa5QUh6PSgoGNXSDtj1Mk6Gs9iyav6G%2FtZYVoM%2FBUfcGg8W"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1218",
"name": "Signed Binary Proxy Execution",
"display_name": "T1218 - Signed Binary Proxy Execution"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 16,
"FileHash-SHA1": 3,
"FileHash-SHA256": 175,
"IPv4": 46,
"URL": 113,
"hostname": 130,
"domain": 43
},
"indicator_count": 526,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 46,
"modified_text": "6 hours ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69de69d60272ee6be0b6be75",
"name": "VirusTotal report\n for document.html",
"description": "A full report on malicious code found in an HTML file, compiled by Adobe, has been published by the University of California, San Francisco, at \u00c2\u00a31.5m (US$2.3m).",
"modified": "2026-04-15T04:32:43.593000",
"created": "2026-04-14T16:22:46.679000",
"tags": [
"license",
"performs dns",
"mitre attack",
"network info",
"processes extra",
"t1055 process",
"overview",
"overview zenbox",
"verdict",
"guest system",
"phishing",
"next",
"script",
"adobe",
"apache license",
"version",
"unless",
"as is",
"basis",
"any kind",
"doctype html",
"meta",
"body",
"pe file",
"binary",
"aslr",
"ole file",
"cname",
"strong",
"library",
"accept",
"cape sandbox",
"pdb path",
"name",
"address virtual",
"ip address",
"shutdown",
"pe32",
"ms windows",
"win16 ne",
"os2 executable",
"generic windos",
"executable",
"dos executable",
"pe64 compiler",
"ltcgc",
"linker",
"windows third",
"party component",
"valid from",
"valid",
"valid usage",
"whql crypto",
"code signing",
"algorithm",
"thumbprint",
"serial number",
"more"
],
"references": [
"https://vtbehaviour.commondatastorage.googleapis.com/d11869fdfbf4bd87085e351b24d2c0e2ba5813fa267b05d969d9d2e46685d113_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776183621&Signature=uQSwwOzpii%2FcKjaUt3UZ%2FKZ3C4DkSr3t5dURsz2pP4Es9CFMIWEz6oIAcURcfVri02K%2BedntrmLkvOs6c3g0yFcdgd9a82ARJF9jS5mDQGPXq9y54iiFvjgN98zNT%2BgoGoBF3IxeSAWO47BNwqYPY%2FzaVM0Pv14iXCBltAIH2Ss8R0OYrQytKcQLW48ggBvdA6fDl9x78WtpptMgs9Eu85KAN0wwHvtcrRpd1notnOQZYiYBk1qaAWD4HSrr",
"https://vtbehaviour.commondatastorage.googleapis.com/d11869fdfbf4bd87085e351b24d2c0e2ba5813fa267b05d969d9d2e46685d113_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776183658&Signature=tGjgj1F2qTBNB3zHOFjuVYbUuozwv%2FUH29aF5d5gmEhofNVf4N5DfD%2BmI9DjozB0MrJ96DeCjGEoPRo7i9Whr%2BThEkSnRgHkjV%2FPWe7tUL3zkNeuKXjs4bWH8BIxmdFyqGSy4cKx99ymtQAp%2F8AWxhqd15coMoLM31YqCpn8PnzvKtYQnIORJQjfhTUdyhha%2FmWvy7gaHGpZvJpaXiyF4IlYWdn9uYy%2FOSAR5Sh3f4F8fX3v",
"https://vtbehaviour.commondatastorage.googleapis.com/000020331380e6110b5beba407728730579ebf170517913cc364e7dcb114187b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776183676&Signature=IqbnhkkWYeM6kbjfuoTYF2bD3VY52MzFCe5v2P6L5%2FvT66S4ZUFYI3vDp1VG9lGc%2BD%2FJ2J3U67VgV%2BLYeRFGqnQdkctuODu7CXIAc%2FhcLsIB1HWqR9qge57%2FDpdeQUbM%2BjuZ5TWqdfA%2Bqhc1jioTcgrPNBR3JE6M97q%2BxKrz4CUb3WIOfl1mIP91XjXy2cReTAKc%2FsLCnmEvrIFVXx%2BaFUCpCCMCRxF8QOMb67WRJ8hD0iaM",
"https://vtbehaviour.commondatastorage.googleapis.com/000020331380e6110b5beba407728730579ebf170517913cc364e7dcb114187b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776183694&Signature=ZUnl%2FqTfn6nD5eHS7RvwcH%2Fv5Vtm4wB5Yc0hpeinjJ4Mk3V9%2FRkc6%2BJNireFTPFGSOwaLYwemKQwQA0okh9hYBN5ncSDlB6OSnED3OnM3iZUQDEdLBwgYUEP3M%2Bsg0s2XOV36s1V20ivPLzQVUrRM7CkuEyCsyWm7CCJQGdJBRcsNfR1BsgAOtLpiC6WPKr4xFa5QUh6PSgoGNXSDtj1Mk6Gs9iyav6G%2FtZYVoM%2FBUfcGg8W"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1218",
"name": "Signed Binary Proxy Execution",
"display_name": "T1218 - Signed Binary Proxy Execution"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 16,
"FileHash-SHA1": 3,
"FileHash-SHA256": 175,
"IPv4": 45,
"URL": 111,
"hostname": 130,
"domain": 42
},
"indicator_count": 522,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 46,
"modified_text": "6 hours ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69de69d6c23c1920ae49419b",
"name": "VirusTotal report\n for document.html",
"description": "A full report on malicious code found in an HTML file, compiled by Adobe, has been published by the University of California, San Francisco, at \u00c2\u00a31.5m (US$2.3m).",
"modified": "2026-04-15T04:32:41.929000",
"created": "2026-04-14T16:22:46.723000",
"tags": [
"license",
"performs dns",
"mitre attack",
"network info",
"processes extra",
"t1055 process",
"overview",
"overview zenbox",
"verdict",
"guest system",
"phishing",
"next",
"script",
"adobe",
"apache license",
"version",
"unless",
"as is",
"basis",
"any kind",
"doctype html",
"meta",
"body",
"pe file",
"binary",
"aslr",
"ole file",
"cname",
"strong",
"library",
"accept",
"cape sandbox",
"pdb path",
"name",
"address virtual",
"ip address",
"shutdown",
"pe32",
"ms windows",
"win16 ne",
"os2 executable",
"generic windos",
"executable",
"dos executable",
"pe64 compiler",
"ltcgc",
"linker",
"windows third",
"party component",
"valid from",
"valid",
"valid usage",
"whql crypto",
"code signing",
"algorithm",
"thumbprint",
"serial number",
"more"
],
"references": [
"https://vtbehaviour.commondatastorage.googleapis.com/d11869fdfbf4bd87085e351b24d2c0e2ba5813fa267b05d969d9d2e46685d113_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776183621&Signature=uQSwwOzpii%2FcKjaUt3UZ%2FKZ3C4DkSr3t5dURsz2pP4Es9CFMIWEz6oIAcURcfVri02K%2BedntrmLkvOs6c3g0yFcdgd9a82ARJF9jS5mDQGPXq9y54iiFvjgN98zNT%2BgoGoBF3IxeSAWO47BNwqYPY%2FzaVM0Pv14iXCBltAIH2Ss8R0OYrQytKcQLW48ggBvdA6fDl9x78WtpptMgs9Eu85KAN0wwHvtcrRpd1notnOQZYiYBk1qaAWD4HSrr",
"https://vtbehaviour.commondatastorage.googleapis.com/d11869fdfbf4bd87085e351b24d2c0e2ba5813fa267b05d969d9d2e46685d113_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776183658&Signature=tGjgj1F2qTBNB3zHOFjuVYbUuozwv%2FUH29aF5d5gmEhofNVf4N5DfD%2BmI9DjozB0MrJ96DeCjGEoPRo7i9Whr%2BThEkSnRgHkjV%2FPWe7tUL3zkNeuKXjs4bWH8BIxmdFyqGSy4cKx99ymtQAp%2F8AWxhqd15coMoLM31YqCpn8PnzvKtYQnIORJQjfhTUdyhha%2FmWvy7gaHGpZvJpaXiyF4IlYWdn9uYy%2FOSAR5Sh3f4F8fX3v",
"https://vtbehaviour.commondatastorage.googleapis.com/000020331380e6110b5beba407728730579ebf170517913cc364e7dcb114187b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776183676&Signature=IqbnhkkWYeM6kbjfuoTYF2bD3VY52MzFCe5v2P6L5%2FvT66S4ZUFYI3vDp1VG9lGc%2BD%2FJ2J3U67VgV%2BLYeRFGqnQdkctuODu7CXIAc%2FhcLsIB1HWqR9qge57%2FDpdeQUbM%2BjuZ5TWqdfA%2Bqhc1jioTcgrPNBR3JE6M97q%2BxKrz4CUb3WIOfl1mIP91XjXy2cReTAKc%2FsLCnmEvrIFVXx%2BaFUCpCCMCRxF8QOMb67WRJ8hD0iaM",
"https://vtbehaviour.commondatastorage.googleapis.com/000020331380e6110b5beba407728730579ebf170517913cc364e7dcb114187b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776183694&Signature=ZUnl%2FqTfn6nD5eHS7RvwcH%2Fv5Vtm4wB5Yc0hpeinjJ4Mk3V9%2FRkc6%2BJNireFTPFGSOwaLYwemKQwQA0okh9hYBN5ncSDlB6OSnED3OnM3iZUQDEdLBwgYUEP3M%2Bsg0s2XOV36s1V20ivPLzQVUrRM7CkuEyCsyWm7CCJQGdJBRcsNfR1BsgAOtLpiC6WPKr4xFa5QUh6PSgoGNXSDtj1Mk6Gs9iyav6G%2FtZYVoM%2FBUfcGg8W"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1218",
"name": "Signed Binary Proxy Execution",
"display_name": "T1218 - Signed Binary Proxy Execution"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 16,
"FileHash-SHA1": 3,
"FileHash-SHA256": 175,
"IPv4": 46,
"URL": 114,
"hostname": 130,
"domain": 44
},
"indicator_count": 528,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 46,
"modified_text": "6 hours ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69de69d63c6bc7ab66605f86",
"name": "VirusTotal report\n for document.html",
"description": "A full report on malicious code found in an HTML file, compiled by Adobe, has been published by the University of California, San Francisco, at \u00c2\u00a31.5m (US$2.3m).",
"modified": "2026-04-15T04:31:49.137000",
"created": "2026-04-14T16:22:46.502000",
"tags": [
"license",
"performs dns",
"mitre attack",
"network info",
"processes extra",
"t1055 process",
"overview",
"overview zenbox",
"verdict",
"guest system",
"phishing",
"next",
"script",
"adobe",
"apache license",
"version",
"unless",
"as is",
"basis",
"any kind",
"doctype html",
"meta",
"body",
"pe file",
"binary",
"aslr",
"ole file",
"cname",
"strong",
"library",
"accept",
"cape sandbox",
"pdb path",
"name",
"address virtual",
"ip address",
"shutdown",
"pe32",
"ms windows",
"win16 ne",
"os2 executable",
"generic windos",
"executable",
"dos executable",
"pe64 compiler",
"ltcgc",
"linker",
"windows third",
"party component",
"valid from",
"valid",
"valid usage",
"whql crypto",
"code signing",
"algorithm",
"thumbprint",
"serial number",
"more"
],
"references": [
"https://vtbehaviour.commondatastorage.googleapis.com/d11869fdfbf4bd87085e351b24d2c0e2ba5813fa267b05d969d9d2e46685d113_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776183621&Signature=uQSwwOzpii%2FcKjaUt3UZ%2FKZ3C4DkSr3t5dURsz2pP4Es9CFMIWEz6oIAcURcfVri02K%2BedntrmLkvOs6c3g0yFcdgd9a82ARJF9jS5mDQGPXq9y54iiFvjgN98zNT%2BgoGoBF3IxeSAWO47BNwqYPY%2FzaVM0Pv14iXCBltAIH2Ss8R0OYrQytKcQLW48ggBvdA6fDl9x78WtpptMgs9Eu85KAN0wwHvtcrRpd1notnOQZYiYBk1qaAWD4HSrr",
"https://vtbehaviour.commondatastorage.googleapis.com/d11869fdfbf4bd87085e351b24d2c0e2ba5813fa267b05d969d9d2e46685d113_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776183658&Signature=tGjgj1F2qTBNB3zHOFjuVYbUuozwv%2FUH29aF5d5gmEhofNVf4N5DfD%2BmI9DjozB0MrJ96DeCjGEoPRo7i9Whr%2BThEkSnRgHkjV%2FPWe7tUL3zkNeuKXjs4bWH8BIxmdFyqGSy4cKx99ymtQAp%2F8AWxhqd15coMoLM31YqCpn8PnzvKtYQnIORJQjfhTUdyhha%2FmWvy7gaHGpZvJpaXiyF4IlYWdn9uYy%2FOSAR5Sh3f4F8fX3v",
"https://vtbehaviour.commondatastorage.googleapis.com/000020331380e6110b5beba407728730579ebf170517913cc364e7dcb114187b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776183676&Signature=IqbnhkkWYeM6kbjfuoTYF2bD3VY52MzFCe5v2P6L5%2FvT66S4ZUFYI3vDp1VG9lGc%2BD%2FJ2J3U67VgV%2BLYeRFGqnQdkctuODu7CXIAc%2FhcLsIB1HWqR9qge57%2FDpdeQUbM%2BjuZ5TWqdfA%2Bqhc1jioTcgrPNBR3JE6M97q%2BxKrz4CUb3WIOfl1mIP91XjXy2cReTAKc%2FsLCnmEvrIFVXx%2BaFUCpCCMCRxF8QOMb67WRJ8hD0iaM",
"https://vtbehaviour.commondatastorage.googleapis.com/000020331380e6110b5beba407728730579ebf170517913cc364e7dcb114187b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776183694&Signature=ZUnl%2FqTfn6nD5eHS7RvwcH%2Fv5Vtm4wB5Yc0hpeinjJ4Mk3V9%2FRkc6%2BJNireFTPFGSOwaLYwemKQwQA0okh9hYBN5ncSDlB6OSnED3OnM3iZUQDEdLBwgYUEP3M%2Bsg0s2XOV36s1V20ivPLzQVUrRM7CkuEyCsyWm7CCJQGdJBRcsNfR1BsgAOtLpiC6WPKr4xFa5QUh6PSgoGNXSDtj1Mk6Gs9iyav6G%2FtZYVoM%2FBUfcGg8W"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1218",
"name": "Signed Binary Proxy Execution",
"display_name": "T1218 - Signed Binary Proxy Execution"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 16,
"FileHash-SHA1": 3,
"FileHash-SHA256": 175,
"IPv4": 43,
"URL": 110,
"hostname": 130,
"domain": 41
},
"indicator_count": 518,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 47,
"modified_text": "6 hours ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69de69d5a54cff2f8c80ba0b",
"name": "VirusTotal report\n for document.html",
"description": "A full report on malicious code found in an HTML file, compiled by Adobe, has been published by the University of California, San Francisco, at \u00c2\u00a31.5m (US$2.3m).",
"modified": "2026-04-15T02:26:49.492000",
"created": "2026-04-14T16:22:45.821000",
"tags": [
"license",
"performs dns",
"mitre attack",
"network info",
"processes extra",
"t1055 process",
"overview",
"overview zenbox",
"verdict",
"guest system",
"phishing",
"next",
"script",
"adobe",
"apache license",
"version",
"unless",
"as is",
"basis",
"any kind",
"doctype html",
"meta",
"body",
"pe file",
"binary",
"aslr",
"ole file",
"cname",
"strong",
"library",
"accept",
"cape sandbox",
"pdb path",
"name",
"address virtual",
"ip address",
"shutdown",
"pe32",
"ms windows",
"win16 ne",
"os2 executable",
"generic windos",
"executable",
"dos executable",
"pe64 compiler",
"ltcgc",
"linker",
"windows third",
"party component",
"valid from",
"valid",
"valid usage",
"whql crypto",
"code signing",
"algorithm",
"thumbprint",
"serial number",
"more"
],
"references": [
"https://vtbehaviour.commondatastorage.googleapis.com/d11869fdfbf4bd87085e351b24d2c0e2ba5813fa267b05d969d9d2e46685d113_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776183621&Signature=uQSwwOzpii%2FcKjaUt3UZ%2FKZ3C4DkSr3t5dURsz2pP4Es9CFMIWEz6oIAcURcfVri02K%2BedntrmLkvOs6c3g0yFcdgd9a82ARJF9jS5mDQGPXq9y54iiFvjgN98zNT%2BgoGoBF3IxeSAWO47BNwqYPY%2FzaVM0Pv14iXCBltAIH2Ss8R0OYrQytKcQLW48ggBvdA6fDl9x78WtpptMgs9Eu85KAN0wwHvtcrRpd1notnOQZYiYBk1qaAWD4HSrr",
"https://vtbehaviour.commondatastorage.googleapis.com/d11869fdfbf4bd87085e351b24d2c0e2ba5813fa267b05d969d9d2e46685d113_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776183658&Signature=tGjgj1F2qTBNB3zHOFjuVYbUuozwv%2FUH29aF5d5gmEhofNVf4N5DfD%2BmI9DjozB0MrJ96DeCjGEoPRo7i9Whr%2BThEkSnRgHkjV%2FPWe7tUL3zkNeuKXjs4bWH8BIxmdFyqGSy4cKx99ymtQAp%2F8AWxhqd15coMoLM31YqCpn8PnzvKtYQnIORJQjfhTUdyhha%2FmWvy7gaHGpZvJpaXiyF4IlYWdn9uYy%2FOSAR5Sh3f4F8fX3v",
"https://vtbehaviour.commondatastorage.googleapis.com/000020331380e6110b5beba407728730579ebf170517913cc364e7dcb114187b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776183676&Signature=IqbnhkkWYeM6kbjfuoTYF2bD3VY52MzFCe5v2P6L5%2FvT66S4ZUFYI3vDp1VG9lGc%2BD%2FJ2J3U67VgV%2BLYeRFGqnQdkctuODu7CXIAc%2FhcLsIB1HWqR9qge57%2FDpdeQUbM%2BjuZ5TWqdfA%2Bqhc1jioTcgrPNBR3JE6M97q%2BxKrz4CUb3WIOfl1mIP91XjXy2cReTAKc%2FsLCnmEvrIFVXx%2BaFUCpCCMCRxF8QOMb67WRJ8hD0iaM",
"https://vtbehaviour.commondatastorage.googleapis.com/000020331380e6110b5beba407728730579ebf170517913cc364e7dcb114187b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776183694&Signature=ZUnl%2FqTfn6nD5eHS7RvwcH%2Fv5Vtm4wB5Yc0hpeinjJ4Mk3V9%2FRkc6%2BJNireFTPFGSOwaLYwemKQwQA0okh9hYBN5ncSDlB6OSnED3OnM3iZUQDEdLBwgYUEP3M%2Bsg0s2XOV36s1V20ivPLzQVUrRM7CkuEyCsyWm7CCJQGdJBRcsNfR1BsgAOtLpiC6WPKr4xFa5QUh6PSgoGNXSDtj1Mk6Gs9iyav6G%2FtZYVoM%2FBUfcGg8W"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1218",
"name": "Signed Binary Proxy Execution",
"display_name": "T1218 - Signed Binary Proxy Execution"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 16,
"FileHash-SHA1": 3,
"FileHash-SHA256": 175,
"IPv4": 44,
"URL": 109,
"hostname": 130,
"domain": 41
},
"indicator_count": 518,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 47,
"modified_text": "8 hours ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
}
],
"error": null,
"vt": {
"error": "VirusTotal rate limit reached. Try again shortly.",
"indicator": "dns.google",
"type": "Domain"
},
"abuseipdb": null,
"urlhaus": {
"indicator": "dns.google",
"found": false,
"verdict": "clean",
"urls": [],
"error": null
},
"from_cache": true,
"_cached_at": 1776251199.4828558
}