{
  "type": "Domain",
  "indicator": "google.li",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/google.li",
    "alexa": "http://www.alexa.com/siteinfo/google.li",
    "indicator": "google.li",
    "type": "domain",
    "type_title": "Domain",
    "validation": [
      {
        "source": "akamai",
        "message": "Akamai rank: #8270",
        "name": "Akamai Popular Domain"
      },
      {
        "source": "majestic",
        "message": "Whitelisted domain google.li",
        "name": "Whitelisted domain"
      },
      {
        "source": "whitelist",
        "message": "Whitelisted domain google.li",
        "name": "Whitelisted domain"
      }
    ],
    "base_indicator": {
      "id": 9504554,
      "indicator": "google.li",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 7,
      "pulses": [
        {
          "id": "6a0fec7257bc32c037c9be08",
          "name": "research part 3 * CAPE Sandbox",
          "description": "NET\nIssuer\nMicrosoft Code Signing PCA 2011\nValid From\n2023-05-11 19:03:32\nValid To\n2024-05-08 19:03:32\nValid Usage\n0.4.1.311.76.8, Code Signing\nAlgorithm\nsha384RSA\nThumbprint\n50A04FFE627F8E21FD61AF1B73E5D03B4ADB100D\nThumbprint MD5\n97762F82B14E28F4E97F0A97D81F280B\nThumbprint SHA256\nC5C2879E3551DA2FA5B8B2576FB7567F2BBEF79DDA388C45D137B0EE62F8F62C\nSerial Number\n33 00 00 03 7C C9 F6 BC ED 07 59 AE 08 00 00 00 00 03 7C",
          "modified": "2026-05-22T06:18:07.234000",
          "created": "2026-05-22T05:41:06.053000",
          "tags": [
            "string id",
            "x5173x95ed",
            "control",
            "wixbundlename",
            "x53d6x6d88",
            "copyright",
            "width",
            "height",
            "helptext",
            "repair",
            "detail info",
            "tickcount",
            "filename",
            "behaviour",
            "imagepath",
            "cmdline",
            "offset",
            "targetprocess",
            "writeaddress",
            "size",
            "write",
            "shell",
            "open",
            "pe32",
            "ms windows",
            "microsoft input",
            "method editor",
            "ms visual",
            "win32 dynamic",
            "link library",
            "pe64 compiler",
            "ltcgc",
            "linker",
            "windows sandbox",
            "clear filters",
            "algorithm",
            "key identifier",
            "x509v3 subject",
            "full name",
            "v3 serial",
            "number",
            "cus odigicert",
            "inc cndigicert",
            "sha2 secure",
            "server ca",
            "performs dns",
            "pe file",
            "sample",
            "sigma",
            "instance",
            "spawns",
            "aslr",
            "urls",
            "t1055 process",
            "attack network",
            "phishing",
            "info",
            "next",
            "status code",
            "body length",
            "kb body",
            "default",
            "parent pid",
            "full path",
            "command line",
            "inprocserver32",
            "data",
            "datacrashpad",
            "k localservice",
            "s ngcsvc",
            "s ngcctnrsvc",
            "cname",
            "strong",
            "library",
            "accept",
            "address virtual",
            "file type",
            "shutdown",
            "file size",
            "mwdb",
            "bazaar",
            "sha3384",
            "ssdeep",
            "virtual address",
            "guard",
            "back",
            "studio build",
            "tools",
            "linkid2179911",
            "visual c",
            "visual studio",
            "ccli",
            "studio",
            "studio ide",
            "msbuild",
            "dev17",
            "false",
            "ascii text",
            "https",
            "svg scalable",
            "vector graphics",
            "elite",
            "tls version",
            "unicode text",
            "persistence",
            "malicious",
            "ip address",
            "mb body",
            "windows",
            "reads",
            "network info",
            "processes extra",
            "intel",
            "delphi",
            "code",
            "microsoft code",
            "signing pca",
            "valid from",
            "valid usage",
            "code signing",
            "thumbprint",
            "thumbprint md5",
            "c9 f6",
            "bc ed",
            "service issuer",
            "usage ff",
            "authority",
            "sha256",
            "serial number",
            "none rticon",
            "tofsee",
            "stream",
            "mitre attack",
            "chrome cache",
            "entry",
            "web open",
            "font format",
            "truetype",
            "version",
            "t1574",
            "execution flow",
            "found",
            "drops pe",
            "window",
            "Avalon",
            "dmca https",
            "versionnt",
            "and not",
            "versionnt64",
            "and versionnt64",
            "majorupgrade",
            "service pack",
            "redistributable",
            "detect",
            "windows81x86",
            "script",
            "cohassethingham",
            "title",
            "rent",
            "pendo",
            "userinfo",
            "doctype html",
            "head",
            "optanonwrapper",
            "date",
            "meta",
            "strings",
            "null",
            "layer protocol",
            "overview",
            "overview zenbox",
            "verdict"
          ],
          "references": [
            "https://vtbehaviour.commondatastorage.googleapis.com/72959b40065fe77303aaf1b1ef7639481e8081374d194ee7bdca70d4145c280c_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425168&Signature=g5GBSyA0yAUEvdoIOge%2BpfDJHbEytZxyvD3%2FuIcPelmvG2YCD8XkTO52d2p6QEigdTHcudK90Dn1hnWcxTw6zW0f0taTQ152R0ivuwKsnjkdiGmEzEda3oomEw1S48VFEpo1FuPOBhJtSmOjTuz9nVjcf3CdYabNfv8w000uClW3ho3WHUKSKqaM5pz0Z6Xu2n5VBrPgbxrhGhcNzUYi9LdeW6OcRYQBHN5EqStdWH%2FvxKQ%2FaFWjFd",
            "https://vtbehaviour.commondatastorage.googleapis.com/3fe3b0bc7ca7ec4d23c1cd7c07d5cdf9cb3463beb18cd58e2501150d343d0851_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425246&Signature=fNaUBAJEmKllb5%2BKYH8bOQO1PzuFIiqEarnmkfx0gTO3Zcux7EpGxLoFPLchiYgrfzVfRPXLYR87MrSmbNYjWg1htJNnnaFqRSG4aNch9NFulAeCq1Z%2Fs3nHKMh2SoYATCaXKkGC1KMoX4mFFftGFebHxq1M2D6aTdpIXnzI3HywXD8RMRRqM%2BJ%2BHAiuK%2B6FibY2SRG6%2B9sr7guEPsUOTIwiBxKX9Gbagoh14UqeIlUtMED61D",
            "https://vtbehaviour.commondatastorage.googleapis.com/002362f9547b518f561f460bed033d3012cb5129491df95049825e5fb397be6e_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425341&Signature=aiKp8TxOFSCG510XO0p8MMtzOWTr180htkSKvZu7%2B%2B7TV3TUxMnUm8O4WkkPJsIy0hXEHz3SRFf%2BNX2NpE5T7Akl4MMr9SaooFFtTImZIFRBXxMzzBkd6u4aNRTmAryhVrbtk4kTjCi0E3OpH3F3u5QIMQ33o2Puktbg4XX61XQWt4YaLOFUYMamfulIpUzpOHeVs%2Fkth06S%2FWrPDLvcNkaYRX3DPH8f4gl%2F9TOPklWx",
            "https://vtbehaviour.commondatastorage.googleapis.com/002362f9547b518f561f460bed033d3012cb5129491df95049825e5fb397be6e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425469&Signature=gf1ylsIZ1FiwQfafpFPWlt2AP1PARebq7RGsb2lQJjPNRddkHG%2BNaDO44Op2YPyEC3JC9zlMUS25qA16XdMFGyeWpb8VMUpENtMxuen3x7q3DqkJoaCjH9ZGAt9Aak00PlI4MJbauwW4QCaTMqZcv%2Bs5scZuf29QSN0dJR4znOWHr48ryot1YP5O8TwsVbpaQxFRNkUt1AyiuPjaPUNxIlcuMMDVePvGwkqamMmQVCxksE1tXMgTA4chz2ehGL1BZi",
            "https://vtbehaviour.commondatastorage.googleapis.com/c6096cb32fc9fe4f9cc789acd6e7710be6efb8703e6f529fc3b21d78781d1fa8_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425908&Signature=PF22eOYOsUk8SONoBlJI8S81qygM4SRaTxPjXl%2BCjQ72N47ponTTU3Ysuv4BzsixckMJSY4E2jO2BgC0FVvrrCqEk%2FTr%2BOqDIJ5VkLruDQg58W3Z4gY8TGtXjbcIyp5hIZfbbCwRf4q%2BbzA9FxSTDXd9GvVO9T%2FMLfy8fTEPq1x%2BxKuOXDo0wQmtYWTB7ljw7tWexq4FlRTU%2B7iu1JYO%2FMlylQPvdMDAy9so15FLIiqxR8",
            "https://vtbehaviour.commondatastorage.googleapis.com/d0dc95ec6184b0d79326d7ef70955d143e94215b332d869cbaf4482f34741216_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425966&Signature=smUTi069ww4c03xNnWiAdPUZUaGaxehukFdqKEVMCUD%2BbA%2BMmuQJo%2B3TBJ8g3pT884gYvzxRo88GpCPJTMoT54SwAzTcUD6vNx8IJxw2khWcNWb1lVYvE%2FoCguT0IJYm7wiTEjWDpeLz5amfhrPftnPjBIP1ITo9VIOc%2FK%2F%2F5EQMFcv%2FyNZhKMHzvda0LGCp6BHK0n03SMwluqFYlaGrkcE2y0buTDk2fFmt8YwN%2Bp6%",
            "https://vtbehaviour.commondatastorage.googleapis.com/e1473cc8cff4b1be7da44681ffa0371e603c6202e97b31b204b88e0b4cd16f6e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426024&Signature=Mn%2BWGa6Bwgj%2B7Wvu84ha8YpIKBeSUTbuDj5UoPu6SjBglPGllKI8zGujdrSeUWSakmCrXC6ynTHKW%2FCe0Mtbri1ObLWlzLI2MOBUa1yvFAedeuv%2F64ht%2BZjOHazy%2FNRoLbLO2wNd5WqlfQ3rNN%2BS%2FKqw3NxoYEZmZZhAR4NHgiElwdY%2BIT6lKyUMlku3DlyVKntVZPwyrzmP3YZUPyHbpMTZxXMmtYB8eG%2FQaUfDA3",
            "https://vtbehaviour.commondatastorage.googleapis.com/e32c3637b93d17e560587a039f5c5958b8b81c1397a6d638163dd4566fdfac4d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426074&Signature=qsu4LRTHFbUwe%2BwGeH1wThGz%2Fef3HYKxkFl1vMVQNvSHHHWd5C6FYUJ%2FBAGx%2BPx5JPbhWS2o9hfGQ4PWjcZ%2BEqleuPjTEfvCl96m9na%2BKTfO%2B15rn0TppIYdJJ5htoNwO2lJ%2FvSyMqLFt4Ql5RobZ9%2Bwtn7dUblGvh54wFvGpuu1oDoPvM4FYh6srDJwWsDLVi9u30Uk5nk5vqIHQH9XClZDjz13oBECBSZskns55zdY",
            "https://vtbehaviour.commondatastorage.googleapis.com/e0ac3780a1152800adc9fb31b5fd9d849b8f8defc014657b9b2e998ff72c2bb4_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426262&Signature=avYnViHhTCOzYcoQ9ZoWQXm888gYkFImwUY0aRhd7oc1noQzp0745QvRAtZCzRHg%2BVUbbKfpoRjOdPiXYw9FjrUllbNInvvGXIqN7Vtt6LC%2BxdGOhf7dLa6Uz%2B4LKhHlMM9d8xQ8jjMB48wG8FndhOesYOX2tjxz91IrsOQV%2Fu3rAp8bXq4TWxnLb2IfPWr4pG0y4o57hz%2F8dV%2B%2Fu7EoTWk5RmbMKFLNREVh3JRX1DofdLJi",
            "https://vtbehaviour.commondatastorage.googleapis.com/c6096cb32fc9fe4f9cc789acd6e7710be6efb8703e6f529fc3b21d78781d1fa8_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426428&Signature=ZMUnHqhcQ0e3Y7e7YGilNtksz7XM2Vy8N0nLj%2Fq7zprOG9An%2FoSgolS4cNDYtYSr9l3zZBGHdB43Oc9M4nz2aeg5WDyzle7o3jBBwQWsXIuS7HrXDH3wJPpINzb%2FlcYkpv8GJyWjJSUPZJPOV7bj32rGnh3ZOr%2BwqEA%2BOx78h9d66QzN%2FaVtc6Mg6%2F673L1JfHuXBAOSrc5TXgSNfTd0jYXHEuus8QfD3ocALihLDkkwz4tTjvcb4y6f",
            "https://vtbehaviour.commondatastorage.googleapis.com/5e5f874a1eedb61097a11ae64bd9c49b5f31af66e85930a66e7373e0f0484034_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426881&Signature=1FEszGc%2F5G396F8wJFd3wgCtHXg3oxedxnO7D7aWCkWs6d4k4i2%2Bp%2FehCdoJHrRy%2BJ7T4NZNupkx%2FLaxFRAwo%2BfTRBiFEwifjfN7zL2zunSZf%2FfWtXiVPftdFJynEYsHNiLxKclxy1ARhFeet3pCpGDAv70BgmRez08V1p4Qi8IG9RdOdvM6eiVmQ9AUp8LIwuJVMAQHFkKTOgCT2y01MhOpqVjtDSEIvVHBH2kInDwo7juUKj7hmudu",
            "https://vtbehaviour.commondatastorage.googleapis.com/d0dc95ec6184b0d79326d7ef70955d143e94215b332d869cbaf4482f34741216_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427393&Signature=Y1SIIdbfZ13laS6E1kUpDYc3bEcZnQ7kw%2Fr%2FySc758jCzvRyB08531PJ9iIMMOMiupAUPfD3E1JfLbApE2HLnQ4ijkDHqFUPUrV4NrHU9QGGgJoj%2BJWZRNL2LFzbZoktG317lOAXVsRcZiqK9ps%2Bi%2B9q8K%2BDDNRE0Widdz0r9jJ8yUeyykgyWeZy3ljccHWcdlokMiJ4bRN6RQpwollIZ1IJBCRNewd%2FPKBJwI%2FEoFf%2B",
            "https://vtbehaviour.commondatastorage.googleapis.com/3fe3b0bc7ca7ec4d23c1cd7c07d5cdf9cb3463beb18cd58e2501150d343d0851_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427457&Signature=qOgcBOyqA4YSh6lf9Vqs0UkKhwe0uotFK%2FBY4A2zWmCw%2FHzm2zZPrXINH1IFwPYSCmtm%2Fp15%2F9Qo%2FqhjC7vIq5yHz0oQjOU9Q41Oym%2F3Uea1SLp8gDBbnHKGJM1BYk88nOQOAzSporsAI6HsjZe6s7l%2B%2Buz2eFXF%2Bwkbj%2FwSSEb%2BAntmQo7dsjK90hkww2aZA9K4zdSsnT62hSdsoWJ5Xp4NS9Rv9hechWc8xqNk",
            "https://vtbehaviour.commondatastorage.googleapis.com/72959b40065fe77303aaf1b1ef7639481e8081374d194ee7bdca70d4145c280c_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427538&Signature=o6aSYMUzoDKb3m0W3lZulI%2Bc%2BcvifozmlN72ZSSxcWMU3DjzK%2FH515TFuFdkccTfkm8PO%2FlxgBrpamg%2B5bAcBaYvVJ3lga385BWvoGzETcXayv%2FRl2EffIIOhDUa9yPodQ13tYE1C8gE34LQPdK02WTjxunaKFa6nQmtd4h2qgf7IRve6UEZGMbiDkUlu9muuvpS6Aw1TQ8d%2BltZZJ9mPp5lmoTbra5oKX8mvHQmfzKhBFUYfckzn6Qg",
            "https://vtbehaviour.commondatastorage.googleapis.com/d0dc95ec6184b0d79326d7ef70955d143e94215b332d869cbaf4482f34741216_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427641&Signature=WFnkeBZrEnGt9bxaBIROfEvcDg7woGYh2z9eElPx22u7UrFNBNzuaClc6Zl5jeius8pWGrlc7WTma3KN7lY%2BtUaCClyPnnoe%2FvUr7AZI6%2Bxp6mNDoTeMsn9xu7Qw9UtFwiOXagOocenXZ1jF2RgbnGvUyQHHfkymVZIYy9QGNX6kKek3Vfpx%2FtZbK5eMyv9smQ4%2BMIb6MKyloiWF%2BPe8TsKv00dULjDyhC7QyyJEy5heiyWfU9LnviZTFL",
            "https://vtbehaviour.commondatastorage.googleapis.com/dfc3a78d8aa1b8c02a6f66ef9d96192b569e9af8d43291940eee5e0d11925e83_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427738&Signature=gFp6kB0oxeyNHL6GzyKaaCGqK8SMwnZKibR150oaqlNN6FVzXLLL1xM5%2BOssqN1VObuGVYC8rGfsRuYZrrRg1vAfyLSAnpYp4Eo%2B%2FXiVFRZN%2FQSNqP%2BnOrVnXcGgr5GZfnAUvRqlC3op%2Bxq1j3a9eZoEKexYzFm0cgrNoa1gKtifgvWutOVwZdJ58fJglF%2FTB3qBH5QE6EgIetjtRIMOFZrfeTaI0QpOlyFexAmuJlBy633A",
            "https://vtbehaviour.commondatastorage.googleapis.com/e3b4e56eb9d0af4fa92f811c8433517d1e3b0a500e626441fc3388ec5c89c38c_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427874&Signature=Mka3TdgNgNwtOsGI7QSeJXzEbXBcGM7vApf4fqs1N89fN8dlAkV6RGqkQoTiYd9PjEUORagcZEFpfKD86fjqieTKGkkB0mdpW1LEfGyums9GH822QupXFD8%2FVCbbeowKDnRuvd0ZOT%2FWo0YOVLMzjQRc6HHaXTwmD30iqz08ClcMhnaTGnW%2BL1VFSUV0QOoUTPfotLBvZBzSqvMOjkppXhsU1e7zn%2BzQK8JUajgHKx7RViqsMVuA8Qlt9jy48z",
            "https://vtbehaviour.commondatastorage.googleapis.com/e32c3637b93d17e560587a039f5c5958b8b81c1397a6d638163dd4566fdfac4d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428327&Signature=CKFTYt6ArIXnni2OBMePdc%2BoH7kRmZPKkiafFzNYrWXp%2FJELva1Jl%2Fh%2BAPz2FyN1cXlsmQQI2zESw%2F5RN07RU%2F%2FgUL5LhkXqgs592Rqd60w3NRL0Syuh1bXYUy6zXlqQLg1MRwYvryPVKsV0v93ldWr%2BHwcGR3VXqtUGT7JB7YrAk0vkPyAznWMvStz%2F6jZnaVlEEYGqnCMx%2FA8O0i9yH5R0X47OY0U1B%2BHBsDKO",
            "https://vtbehaviour.commondatastorage.googleapis.com/013026abaf363129613d63f7a80bd5f1007d3a123442447b298e74631a86b6b9_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428392&Signature=0fuLnRY7OihvxaAAPVTWWy1rHjerWWMNx%2BVogBBBqrD3gYysT0fj7z9yXH0ciZv48Vzbl12zYunAvcOrZmlhWRayUlGVpmLUMUixVInEpEUagrezUUQW8L%2FaK7MLeJRak3FTNR73YGL8ce%2BEwpUNCoTwlXYndc6GGpjbXjOHEjyuW1DrhR%2BQui94xj%2F%2FUk5EnrRIl2HS7SgRoiwpozKBamKdin2TzeP0%2FKV2O0QDII05A0Qu",
            "https://vtbehaviour.commondatastorage.googleapis.com/26635326e74a93872df8e8c2cb62d97975d4b8fecc47f1fb095f5edaea35d24e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428474&Signature=uql0wTbjXQwkaToIAACxI%2Fw60EJ4vo2N07Siqp0dhXPVMJkxDeYFF6ZedokBsmnThvTAhc2yXpV%2BJgGaV5BSeKresSym3g6XQ4nRY9Q6S%2F7OabrFLu5yiEKKbRgi8%2Fvc8xj0sz79D43XxY99BwYqBZtXoSvWU1T%2B2c0KSbnsNj7VB2U6rcHd0JmQWlVb2tZlzOHvdlxx6GBoKE6E4Z3cYi1OYi7TV9jZkiEGTeQFP3VmeI6pXzMR",
            "https://vtbehaviour.commondatastorage.googleapis.com/26635326e74a93872df8e8c2cb62d97975d4b8fecc47f1fb095f5edaea35d24e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428517&Signature=DU4VOy7yITJdQXs7DOFeKHRKp%2Br9mKpD9h%2BzEGEaWFaglZT%2BclhwHRdwBHsCzL3esOya6J8S6kTLGWityOyu9TZDMqfQCfMp2jrPQX0U11wTs9NTbFlQVPiFCuOcmW%2BCNCN6h3I6vc5O5HfqTq6Hbpn1lI4N5nYcPJqVw993JXQDQ6o00cH6Txboc9yIeqp31lJFhP75yloqdbqBtVFTI3bqPTd4C83AS0015IRL8zpZo%2BKa1nuGpj7FIFXb"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1070",
              "name": "Indicator Removal on Host",
              "display_name": "T1070 - Indicator Removal on Host"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1112",
              "name": "Modify Registry",
              "display_name": "T1112 - Modify Registry"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1485",
              "name": "Data Destruction",
              "display_name": "T1485 - Data Destruction"
            },
            {
              "id": "T1486",
              "name": "Data Encrypted for Impact",
              "display_name": "T1486 - Data Encrypted for Impact"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1548",
              "name": "Abuse Elevation Control Mechanism",
              "display_name": "T1548 - Abuse Elevation Control Mechanism"
            },
            {
              "id": "T1564",
              "name": "Hide Artifacts",
              "display_name": "T1564 - Hide Artifacts"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            },
            {
              "id": "T1539",
              "name": "Steal Web Session Cookie",
              "display_name": "T1539 - Steal Web Session Cookie"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1014",
              "name": "Rootkit",
              "display_name": "T1014 - Rootkit"
            },
            {
              "id": "T1202",
              "name": "Indirect Command Execution",
              "display_name": "T1202 - Indirect Command Execution"
            },
            {
              "id": "T1496",
              "name": "Resource Hijacking",
              "display_name": "T1496 - Resource Hijacking"
            },
            {
              "id": "T1542",
              "name": "Pre-OS Boot",
              "display_name": "T1542 - Pre-OS Boot"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1033",
              "name": "System Owner/User Discovery",
              "display_name": "T1033 - System Owner/User Discovery"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1010",
              "name": "Application Window Discovery",
              "display_name": "T1010 - Application Window Discovery"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 638,
            "FileHash-SHA1": 366,
            "FileHash-SHA256": 1441,
            "IPv4": 377,
            "URL": 1697,
            "domain": 404,
            "hostname": 873,
            "CIDR": 1,
            "Mutex": 1,
            "IPv6": 19,
            "email": 9
          },
          "indicator_count": 5826,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 66,
          "modified_text": "9 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6692440efac39f5213329f13",
          "name": "Mustang Panda: Oxypumper | Ransom Suspicious verifier SpyTox",
          "description": "Mustang Panda is an alleged;China-based' non-governmental cyber espionage threat actor that was first observed in 2017. Targeting non-governmental civilians. Likely target is in many bot networks. Potential HoneyPot, this tool makes itself visible to target when researching the validity of an email or phone number. Notable for Gand Crane ransomware text embedded in SpyTox page image. Injection process observed. Affects most types of devices including iOS and Android. Critical issues found. IP's registrar's, domains 'not' contacted.\n\nHackers, harassment, cybercrime, cyber espionage.",
          "modified": "2024-08-12T08:04:00.041000",
          "created": "2024-07-13T09:08:30.431000",
          "tags": [
            "historical ssl",
            "referrer",
            "june",
            "october",
            "july",
            "hacker",
            "pe resource",
            "mustang panda",
            "plugx",
            "cryptbot",
            "threat roundup",
            "december",
            "process32nextw",
            "regsetvalueexa",
            "x00x00",
            "regdword",
            "memcommit",
            "high",
            "regbinary",
            "okrnserver",
            "regsetvalueexw",
            "download",
            "copy",
            "as15169 google",
            "united",
            "aaaa",
            "unknown",
            "gmt path",
            "passive dns",
            "search",
            "cname",
            "showing",
            "cookie",
            "ascii text",
            "pattern match",
            "error",
            "null",
            "typeerror",
            "sha1",
            "mitre att",
            "et tor",
            "known tor",
            "date",
            "infinity",
            "onload",
            "trident",
            "android",
            "void",
            "hybrid",
            "local",
            "encrypt",
            "click",
            "strings",
            "generator",
            "third-party-cookies",
            "text/html",
            "trackers",
            "external-resources",
            "iframes",
            "entries",
            "status",
            "name servers",
            "urls",
            "next",
            "nxdomain",
            "susp",
            "a nxdomain",
            "domain",
            "win32",
            "as62597",
            "france unknown",
            "for privacy",
            "moved",
            "a domains",
            "meta",
            "gmt cache",
            "trojan",
            "creation date",
            "record value",
            "script urls",
            "as55293 a2",
            "as44273 host",
            "canada unknown",
            "scan endpoints",
            "all scoreblue",
            "pulse pulses",
            "files",
            "ip address",
            "location canada",
            "443 ma2592000",
            "code",
            "trojanspy",
            "type",
            "ipv4",
            "twitter",
            "trojandropper",
            "find",
            "form",
            "less see",
            "formbook cnc",
            "checkin",
            "a li",
            "li ul",
            "cycbot",
            "emails",
            "as20940",
            "as54113",
            "asnone denmark",
            "worm",
            "asnone",
            "as4230 claro",
            "refloadapihash",
            "salicode",
            "div div",
            "wi fi",
            "orion wi",
            "orion",
            "a div",
            "div section",
            "orion logo",
            "target",
            "fast",
            "contact",
            "open",
            "virtool",
            "content type",
            "found",
            "http response",
            "final url",
            "status code",
            "body length",
            "kb body",
            "sha256",
            "headers",
            "ubuntu",
            "accept",
            "keepalive",
            "site",
            "find people",
            "numbers",
            "sptox",
            "utc google",
            "html info",
            "title spytox",
            "emails meta",
            "tags viewport",
            "spytox og",
            "type win32",
            "exe size",
            "mb first",
            "seen",
            "file name",
            "avg win32",
            "fortinet",
            "double click",
            "solutions",
            "domains",
            "sneaky server",
            "replacement",
            "unauthorized",
            "malware http",
            "core",
            "sim unlock",
            "emotet",
            "ta569",
            "critical",
            "pe32",
            "intel",
            "ms windows",
            "ms visual",
            "win32 dynamic",
            "link library",
            "win16 ne",
            "pe32 protector",
            "confuser",
            "confuserex",
            "checker",
            "samplename",
            "bonusbitcoin",
            "xslayer",
            "samplepath",
            "names",
            "details",
            "header intel",
            "name md5",
            "language",
            "contained",
            "rticon neutral",
            "ico rtgroupicon",
            "neutral",
            "assembly common",
            "clr version",
            "assembly name",
            "metadata header",
            "entry point",
            "rva entry",
            "strong name",
            "streams size",
            "entropy chi2",
            "ip detections",
            "country",
            "executable",
            "info header",
            "allmul vbaget4",
            "adjfprem ord",
            "data rtversion",
            "generic",
            "file type",
            "win32 exe",
            "kb file",
            "graph",
            "user",
            "windir",
            "downloads",
            "written c",
            "files deleted",
            "dropped c",
            "process",
            "logistics",
            "cyber defense",
            "brazzers",
            "tsara brashears",
            "gpt analyzer",
            "apple private",
            "data collection",
            "twitter andor",
            "snatch",
            "ransomware",
            "default",
            "rticon english",
            "type name",
            "data",
            "getfilesize",
            "getdc copyimage",
            "rticon russian",
            "pe32 executable",
            "borland delphi",
            "delphi generic",
            "dos borland",
            "hkcuclsid",
            "registry keys",
            "hkcrclsid",
            "file system",
            "settings c",
            "files c",
            "shared c",
            "sharedink c",
            "hostname",
            "as29791",
            "as8426 claranet",
            "malware",
            "network",
            "apple ios",
            "apple",
            "tmobile metro",
            "apeaksoft ios",
            "spybanker",
            "remcos",
            "adwind",
            "njrat",
            "guloader",
            "banload",
            "asyncrat",
            "arkeistealer",
            "danabot",
            "nordvpnsetup",
            "kb graph",
            "summary",
            "sharedinkarsa c",
            "sharedinkbgbg c",
            "sharedinkcscz c",
            "sharedinkdadk c",
            "gmt etag",
            "x amz",
            "body",
            "body html",
            "bq jul",
            "et trojan",
            "v4inhxvlhx0",
            "medium",
            "memreserve",
            "checks amount",
            "t1082",
            "module load",
            "e weowe64e",
            "edelepexe",
            "e rev",
            "weinedoewse net",
            "ransom",
            "show",
            "filehash",
            "related",
            "reverse dns",
            "haut",
            "servers",
            "pulse submit",
            "as3215 orange",
            "france",
            "backdoor",
            "paris",
            "honeypot",
            "python",
            "callback phishing",
            "teams",
            "porn related",
            "harassment"
          ],
          "references": [
            "https://www.spytox.com/ | Malicious Phone number & eMail verifier. HoneyPotNetBot?",
            "Alerts: disables_security network_icmp modifies_certificates modifies_proxy_wpad multiple_useragents injection_resumethread",
            "Antivirus Detections: Win.Malware.Oxypumper-6900445-0",
            "IDS Detections: Win32/QwertMiner CoinMiner Dropper CnC Checkin M2 | IDS Detections: Terse Named Filename EXE Download - Possibly Hostile",
            "IDS Detections: HTTP Executable Download from suspicious domain with direct request/fake browser (multiple families)",
            "IDS Detections: DNS Query for Suspicious .ml Domain | DNS Query for Suspicious .ga Domain | Domain External IP Lookup ip-api.com | Win32/QwertMiner Suspicious UA (jdlnb)",
            "Win.Malware.Oxypumper-6900445-0: FileHash-SHA1  05e520126ee1100c98263bfbd5a6ff0ce6ace4f7",
            "Win.Malware.Oxypumper-6900445-0: FileHash-MD5 2d84a619d4bd339f860cb48af0c9b6c8",
            "Win.Malware.Oxypumper-6900445-0: FileHash-SHA 256365ffde7df914840eb21c96f34c39912a4b031e3814b8e902b67acee6dff65a1",
            "Interesting: https://otx.alienvault.com/indicator/url/http://google.com.ge/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&ved=0CCoQFjAA&url=http%3A%2F%2Ft1t.us%2F&ei=9H0XU4rwPKXOygP_8IL4Bw&usg=AFQjCNEgQ29Mke-UahuBZ5wqWav04lFYvA&sig2=9-57Skjm2Hu4tg-e8iysQA&bvm=bv.62286460,d.bGQ",
            "google.com.ge , google.kiteflier.top, google.pf, google.com.ht, http://philsinstallation.com/, www.orion.area120.com ?, https://degoogle.xyz/feed/",
            "https://hybrid-analysis.com/sample/89fb2bccca6342d8fe50bd8b9763a6c829fd1bfe4fe2eccb251bd7e060f0d168/6691b5695751a70ec9041622",
            "Ransomware Detected: text artifact in screenshot indicates file may be ransomware details \"Antivirus\" (Source: screen_11.png, Indicator: \"virus\")",
            "scanning_hosts:  138.197.217.6,  IPv4 142.251.18.103, IPv4 142.251.31.99",
            "Backdoor:Win32/Plugx: FileHash-SHA256 a3ff97a0d338fd47e0af6822c4ee762491fc39028af984fe7ff8a1b6948fafe9",
            "Backdoor:Win32/Plugx: FileHash-MD5 63ebfbad26a529929927b9b485faa18a",
            "Antivirus Detections: Win32:TrojanX-gen\\ [Trj] , Win.Malware.Generickdz-6914893-0, Backdoor:Win32/Plugx",
            "Yara Detections: SUSP_NET_NAME_ConfuserEx , Delphi Alerts: network_icmp",
            "iPhone: 8.0.1.iphone.com.nextradiotv.bfmtv.adsenseformobileapps.com",
            "iPhone: 5.100.3.iphone.com.tranzmate.tranzmate1.adsenseformobileapps.com",
            "iPhone: 3.65.0.iphone.com.shotzoom.tourcaddie.adsenseformobileapps.com",
            "iPhone: 1.2.6.iphone.com.qijitech.themes.adsenseformobileapps.com",
            "iOS: http://www.au-petit-cafe-hollywood.com/guestbook/index.php?_sm_byp=iVVJNj4pQQp0ZsWB%3Eshowbox%20install%20iphone%3C/a%3E",
            "Interesting: www1.xxx.ddns.info | https://sgpelvicfloor.in/wp-admin/ZDCpqfZDmM5x9MxAaxxX/",
            "DotNET_Crypto_Obfuscator",
            "Antivirus Detections: ALF:HSTR:Adware:Win32/iBryte!bit ,  ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47 ,  PWS:Win32/QQpass.B!MTB ,",
            "Antivirus Detections: Trojan:Win32/Bulta!rfn ,  TrojanDownloader:Win32/Cutwail ,  TrojanDropper:Win32/Loring ,  TrojanSpy:Win32/Nivdort.CB ,",
            "Antivirus Detections: TrojanSpy:Win32/Nivdort.CW ,  TrojanSpy:Win32/Nivdort.DA ,  TrojanSpy:Win32/Nivdort.DB ... ,  TrojanSpy:Win32/Nivdort.CB ,  TrojanSpy:Win32/Nivdort.CW ,  TrojanSpy:Win32/Nivdort.DA",
            "IDS Detections: Adware.iBryte.Z Checkin W32/iBryte.Adware Installer Download, Kazy/Kryptor/Cycbot Trojan Checkin 2,",
            "IDS Detections: FormBook CnC Checkin (GET) W32/iBryte.Adware Affiliate Campaign Executable Download ...",
            "https://otx.alienvault.com/indicator/ip/216.40.34.41",
            "Checker By X-SLAYER.exe: 74ca7f6f723a57dc22625eb26214f85689216859388c1f93503728dae8929b97",
            "ns2.tsaratsovo.net",
            "FormBook: FileHash-SHA256 d329608064b13006e73309a6f6a819b6bc1392b80ad01946d04719da0b680955",
            "FormBook: FileHash-SHA1 205a7931e145b05ac6040690d7a2b862b4a1ec79",
            "FormBook: FileHash-MD5 FileHash-MD5 60b8487a9ddc166fbae45d611a0b6848",
            "DotNET_Crypto_Obfuscator",
            "Antivirus Detections: Win32:MalwareX-gen\\ [Trj]",
            "IDS Detections: FormBook CnC Checkin (GET) 403 Forbidden Yara Detections: MAL_RANSOM_COVID19_Apr20_1 ,  DotNET_DotFuscator",
            "Alerts: nids_malware_alert injection_runpe network_icmp network_cnc_http network_http allocates_rwx",
            "Alerts: antisandbox_sleep creates_exe privilege_luid_check checks_debugger",
            "https://otx.alienvault.com/indicator/file/1c954b67c62b161d839434243ebe4b9dfe2b790a91eb968ecbfbfae53a414e29",
            "Antivirus Detections: Win32:MalwareX-gen\\ [Trj] ,  Win.Ransomware.Gandcrab-9967304-0 ,  Ransom:Win32/GandCrab.AE",
            "Yara Detections ReflectiveLoader ,  Win32_Ransomware_GandCrab ,  stack_string",
            "Ransom:Win32/GandCrab.AE: FileHash-SHA256 941ea65563f1b06080075ccafa8180118f65f3c8a4cca038654f0aba5cd0f5fc",
            "Ransom:Win32/GandCrab.AE: FileHash-SHA1 fe29cb8324de15bccfe5055a65ea36141fb794c9",
            "Ransom:Win32/GandCrab.AE: FileHash-MD5 f72bcc0d841008c1e8250a3df1182fd5",
            "1.2.6.iphone.com.qijitech.themes.adsenseformobileapps.com. 2.android.com.vance.advanced.tubevanced.adsenseformobileapps.com",
            "mobileview.page, 3.65.0.iphone.com.shotzoom.tourcaddie.adsenseformobileapps.com,",
            "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowled",
            "https://www.YouTube.com/polebote"
          ],
          "public": 1,
          "adversary": "Mustang Panda",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Win.Malware.Oxypumper-6900445-0",
              "display_name": "Win.Malware.Oxypumper-6900445-0",
              "target": null
            },
            {
              "id": "Backdoor:Win32/Plugx",
              "display_name": "Backdoor:Win32/Plugx",
              "target": "/malware/Backdoor:Win32/Plugx"
            },
            {
              "id": "TrojanSpy",
              "display_name": "TrojanSpy",
              "target": null
            },
            {
              "id": "Cycbot",
              "display_name": "Cycbot",
              "target": null
            },
            {
              "id": "Ransom:Win32/GandCrab.AE",
              "display_name": "Ransom:Win32/GandCrab.AE",
              "target": "/malware/Ransom:Win32/GandCrab.AE"
            },
            {
              "id": "Backdoor:Win32/Tofsee.T",
              "display_name": "Backdoor:Win32/Tofsee.T",
              "target": "/malware/Backdoor:Win32/Tofsee.T"
            },
            {
              "id": "TrojanDropper:Win32/Tofsee",
              "display_name": "TrojanDropper:Win32/Tofsee",
              "target": "/malware/TrojanDropper:Win32/Tofsee"
            }
          ],
          "attack_ids": [
            {
              "id": "T1047",
              "name": "Windows Management Instrumentation",
              "display_name": "T1047 - Windows Management Instrumentation"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1119",
              "name": "Automated Collection",
              "display_name": "T1119 - Automated Collection"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1568",
              "name": "Dynamic Resolution",
              "display_name": "T1568 - Dynamic Resolution"
            },
            {
              "id": "T1583",
              "name": "Acquire Infrastructure",
              "display_name": "T1583 - Acquire Infrastructure"
            },
            {
              "id": "T1583.001",
              "name": "Domains",
              "display_name": "T1583.001 - Domains"
            },
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1553.002",
              "name": "Code Signing",
              "display_name": "T1553.002 - Code Signing"
            },
            {
              "id": "T1518.001",
              "name": "Security Software Discovery",
              "display_name": "T1518.001 - Security Software Discovery"
            },
            {
              "id": "T1568.002",
              "name": "Domain Generation Algorithms",
              "display_name": "T1568.002 - Domain Generation Algorithms"
            },
            {
              "id": "T1595",
              "name": "Active Scanning",
              "display_name": "T1595 - Active Scanning"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1583.005",
              "name": "Botnet",
              "display_name": "T1583.005 - Botnet"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1598",
              "name": "Phishing for Information",
              "display_name": "T1598 - Phishing for Information"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 71,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "scoreblue",
            "id": "254100",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 568,
            "FileHash-SHA1": 537,
            "FileHash-SHA256": 4887,
            "URL": 4773,
            "domain": 2346,
            "hostname": 1884,
            "SSLCertFingerprint": 15,
            "email": 16,
            "CVE": 1
          },
          "indicator_count": 15027,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 238,
          "modified_text": "657 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "66141ecabe8f1ab189351dd3",
          "name": "Tofsee Botnet: Google.com.uy | Install | Injection | Pegasus Monitoring",
          "description": "Installed remotely by nefarious actor by Trojan dropper. Typically not install via PlayStore/AppStore; can be with severe compromise/ VPNs will be fake. Examples: 1.1.1.1, 1.1.1.4, Proton AG or Proton.ch. Not visible: [.uy.]. All data, monitored, manipulated, tracked, location,  vehicle tracking, webcams, IP track, data cryptocurrency mining, tracked 24/7, collection, DDoS attacks, ransom, full CnC.\nTweakers.net, .bv , etc., observed, pegasus related",
          "modified": "2024-05-08T16:00:34.588000",
          "created": "2024-04-08T16:43:54.908000",
          "tags": [
            "installer",
            "tofsee",
            "trojan",
            "dropper",
            "dns",
            "as20940",
            "united",
            "aaaa",
            "as15703",
            "search",
            "servers",
            "as8455 schuberg",
            "a domains",
            "encrypt",
            "code",
            "tweakers",
            "unknown",
            "ransom",
            "body",
            "webcams",
            "banker",
            "location tracking",
            "vehicle tracking",
            "device tracking",
            "exploitation",
            "redirects",
            "ip tracking",
            "vpn nullify",
            "vehicle keycodes",
            "search threat",
            "analyzer feeds",
            "panel platform",
            "search platform",
            "profile user",
            "iocs",
            "redacted for",
            "passive dns",
            "all scoreblue",
            "hostname",
            "next",
            "cnc",
            "scanning host",
            "milesone",
            "virtual currency mining",
            "crypto",
            "regsetvalueexa",
            "regdword",
            "default",
            "show",
            "regbinary",
            "read c",
            "settingswpad",
            "as15169",
            "malware",
            "copy",
            "write",
            "upatre",
            "ids detections",
            "scan endpoints",
            "filehash",
            "av detections",
            "yara detections",
            "alerts",
            "analysis date",
            "file score",
            "ransom",
            "related pulses",
            "entries",
            "icmp traffic",
            "packing t1045",
            "t1045",
            "pe resource",
            "august",
            "win32",
            "for privacy",
            "creation date",
            "name servers",
            "urls",
            "date",
            "status",
            "as15169 google",
            "as44273 host",
            "ipv4",
            "pulse submit",
            "url analysis",
            "msie",
            "chrome",
            "moved",
            "title",
            "gmt content",
            "apple",
            "invalidate_gift_cards",
            "tulach rebranded",
            "hallrender rebranded",
            "as8075",
            "verdana",
            "td tr",
            "domain",
            "germany unknown",
            "as34011 host",
            "etag",
            "medium",
            "module load",
            "invalidate_google_play",
            "algorithm",
            "v3 serial",
            "number",
            "key algorithm",
            "key identifier",
            "subject key",
            "identifier",
            "x509v3 key",
            "usage",
            "x509v3 extended",
            "info",
            "first",
            "win32 exe",
            "win32 dll",
            "javascript",
            "mozilla firefox",
            "edition",
            "detections type",
            "name",
            "keeweb",
            "setup",
            "firefox setup",
            "record type",
            "ttl value",
            "android",
            "files",
            "formbook",
            "critical cmd",
            "tracker",
            "tsara brashears",
            "remote",
            "historical ssl",
            "referrer",
            "march",
            "body html",
            "head meta",
            "moved title",
            "head body",
            "pegasus",
            "nemtih",
            "hit",
            "men",
            "gift_card_mining",
            "google_play_card_mining",
            "miner",
            "htmladodb may",
            "twitter",
            "win64",
            "as21342",
            "as2914 ntt",
            "as15334",
            "error",
            "certificate",
            "checkbox",
            "accept",
            "record value",
            "emails",
            "domain name"
          ],
          "references": [
            "Virustotal  - google.com.uy",
            "https://hybrid-analysis.com/sample/79c5841a534b53013389ba76326a067895bdf5e41ad279d82b2002f6c8f2cda6",
            "http://www.50calpaintballshop.com/phpinfo.php?a[]=lost+my+mercedes+key>Mercedes+benz+Key+programmer",
            "http://www.50calpaintballshop.com/phpinfo.php?a[]=lost+my+mercedes+key",
            "http://www.50calpaintballshop.com/phpinfo.php?a[]=webcam+models+livecambabes.webcam>korean+webcam+models",
            "http://www.50calpaintballshop.com/phpinfo.php?a[]=www.livecambabes.Webcam>sexy+girls+dildoing",
            "http://www.50calpaintballshop.com/phpinfo.php?a[]=avon+representative>50calpaintballshop.com>avon+representative+directory [Beware: redirects]",
            "http://www.50calpaintballshop.com/phpinfo.php?a[]=how+to+join+avon+uk>how+do+i+join+avon+online [redirects to fraud representatives]",
            "Reports of victims meeting fraud direct sales reps in home/coffee shops. Reps store PII, financial, SSN# on device. Orders in victims name. ID theft ring",
            "https://www.herbgordonsubaru.com/?ddcref=careconnect_NM102-01&utm_campaign=newsconnect&utm_medium=email&utm_source=careconnect",
            "https://www.herbgordonsubaru.com/new-inventory/index?search=&model=Outback&utm_source=careconnect&utm_medium=email&utm_campaign=marketdriver-sales&ddcref=careconnect_marketdriversales",
            "nr-data.net [Apple Private Data Collection]",
            "checkip.dyndns.org [command and control]",
            "checkip.dyndns.org Alerts: dead_host network_icmp nolookup_communication modifies_proxy_wpad packer_polymorphic recon_beacon",
            "144.76.108.82 [scanning host]",
            "Yara Detections PEtite24",
            "FormBook IP: 142.251.211.243",
            "https://pegasusm2.bullsbikesusa.com",
            "https://microcenterinsider.com/pub/cc?_ri_=X0Gzc2X=AQpglLjHJlTQG0amRRrN1tkKAFGSTzdEjURWMTwh5gzdnK5Wo4uRBMFITdmoHEE1NzdwpzaEqrzcUkeItzbfVXtpKX=BATA"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America",
            "Netherlands"
          ],
          "malware_families": [
            {
              "id": "Tofsee",
              "display_name": "Tofsee",
              "target": null
            },
            {
              "id": "Trojan:MSIL/TrojanDropper",
              "display_name": "Trojan:MSIL/TrojanDropper",
              "target": "/malware/Trojan:MSIL/TrojanDropper"
            },
            {
              "id": "Installer",
              "display_name": "Installer",
              "target": null
            },
            {
              "id": "Sf:Agent-DQ\\ [Trj]",
              "display_name": "Sf:Agent-DQ\\ [Trj]",
              "target": null
            },
            {
              "id": "TrojanDownloader:Win32/Upatre!rfn",
              "display_name": "TrojanDownloader:Win32/Upatre!rfn",
              "target": "/malware/TrojanDownloader:Win32/Upatre!rfn"
            },
            {
              "id": "Win32:DropperX-gen\\ [Drp]",
              "display_name": "Win32:DropperX-gen\\ [Drp]",
              "target": null
            },
            {
              "id": "Win.Trojan.Tofsee-9770082-1",
              "display_name": "Win.Trojan.Tofsee-9770082-1",
              "target": null
            },
            {
              "id": "Ransom:Win32/StopCrypt.AK!MTB",
              "display_name": "Ransom:Win32/StopCrypt.AK!MTB",
              "target": "/malware/Ransom:Win32/StopCrypt.AK!MTB"
            }
          ],
          "attack_ids": [
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1100",
              "name": "Web Shell",
              "display_name": "T1100 - Web Shell"
            },
            {
              "id": "T1583.005",
              "name": "Botnet",
              "display_name": "T1583.005 - Botnet"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1574.005",
              "name": "Executable Installer File Permissions Weakness",
              "display_name": "T1574.005 - Executable Installer File Permissions Weakness"
            },
            {
              "id": "T1449",
              "name": "Exploit SS7 to Redirect Phone Calls/SMS",
              "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
            },
            {
              "id": "T1493",
              "name": "Transmitted Data Manipulation",
              "display_name": "T1493 - Transmitted Data Manipulation"
            },
            {
              "id": "T1029",
              "name": "Scheduled Transfer",
              "display_name": "T1029 - Scheduled Transfer"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "TA0011",
              "name": "Command and Control",
              "display_name": "TA0011 - Command and Control"
            },
            {
              "id": "T1013",
              "name": "Port Monitors",
              "display_name": "T1013 - Port Monitors"
            },
            {
              "id": "T1430",
              "name": "Location Tracking",
              "display_name": "T1430 - Location Tracking"
            },
            {
              "id": "T1468",
              "name": "Remotely Track Device Without Authorization",
              "display_name": "T1468 - Remotely Track Device Without Authorization"
            },
            {
              "id": "T1450",
              "name": "Exploit SS7 to Track Device Location",
              "display_name": "T1450 - Exploit SS7 to Track Device Location"
            },
            {
              "id": "T1553.002",
              "name": "Code Signing",
              "display_name": "T1553.002 - Code Signing"
            },
            {
              "id": "T1114",
              "name": "Email Collection",
              "display_name": "T1114 - Email Collection"
            },
            {
              "id": "T1483",
              "name": "Domain Generation Algorithms",
              "display_name": "T1483 - Domain Generation Algorithms"
            },
            {
              "id": "T1071.003",
              "name": "Mail Protocols",
              "display_name": "T1071.003 - Mail Protocols"
            },
            {
              "id": "T1448",
              "name": "Carrier Billing Fraud",
              "display_name": "T1448 - Carrier Billing Fraud"
            },
            {
              "id": "T1472",
              "name": "Generate Fraudulent Advertising Revenue",
              "display_name": "T1472 - Generate Fraudulent Advertising Revenue"
            },
            {
              "id": "T1040",
              "name": "Network Sniffing",
              "display_name": "T1040 - Network Sniffing"
            },
            {
              "id": "T1045",
              "name": "Software Packing",
              "display_name": "T1045 - Software Packing"
            },
            {
              "id": "T1119",
              "name": "Automated Collection",
              "display_name": "T1119 - Automated Collection"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 40,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "scoreblue",
            "id": "254100",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 392,
            "FileHash-SHA1": 468,
            "FileHash-SHA256": 3233,
            "URL": 8667,
            "domain": 2219,
            "hostname": 3480,
            "email": 8
          },
          "indicator_count": 18467,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 235,
          "modified_text": "752 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "657091100e9f5aa6eb534fb4",
          "name": "vmt/geosite.dat at main \u00b7 wegare123/vmt \u00b7 GitHub -  brocaproject.com - hmmm  cert ca issue",
          "description": "",
          "modified": "2023-12-06T15:19:44.839000",
          "created": "2023-12-06T15:19:44.839000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 5,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "StreamMiningEx",
            "id": "262917",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 2410,
            "hostname": 3653,
            "domain": 2723,
            "URL": 442
          },
          "indicator_count": 9228,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 110,
          "modified_text": "906 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "62ef13ad6547ed183dba3f3c",
          "name": "vmt/geosite.dat at main \u00b7 wegare123/vmt \u00b7 GitHub -  brocaproject.com - hmmm  cert ca issue",
          "description": "see im reading that domain as bro ca project",
          "modified": "2022-08-07T01:21:49.761000",
          "created": "2022-08-07T01:21:49.761000",
          "tags": [
            "strong",
            "github",
            "jump",
            "github desktop",
            "sign",
            "iosrulescript",
            "quantumult",
            "boxjs",
            "chouchoui",
            "code issues",
            "contact",
            "star",
            "desktop",
            "stars",
            "footer",
            "view",
            "pull",
            "wiki security",
            "unicode",
            "copy",
            "wegare123vmt",
            "phoenix",
            "jquery",
            "discord",
            "ruby",
            "chinaz",
            "startpage"
          ],
          "references": [
            "geosite.dat.html",
            "https://github.com/blackmatrix7/ios_rule_script"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1010",
              "name": "Application Window Discovery",
              "display_name": "T1010 - Application Window Discovery"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 11,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "dorkingbeauty1",
            "id": "80137",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 2410,
            "hostname": 3653,
            "URL": 442,
            "domain": 2723
          },
          "indicator_count": 9228,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 395,
          "modified_text": "1393 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6265af4c6414d087b17443cc",
          "name": "google gmail account login source code for UK teenage account",
          "description": "",
          "modified": "2022-05-25T00:04:03.622000",
          "created": "2022-04-24T20:13:00.304000",
          "tags": [],
          "references": [
            "<html><head><meta charset=%22UTF-8%22><meta content=%22width=device-width\u2026.pdf"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 3,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "dorkingbeauty1",
            "id": "80137",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 393,
            "domain": 26,
            "hostname": 102,
            "URL": 250
          },
          "indicator_count": 771,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 393,
          "modified_text": "1467 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6265af6f8b7642ed2c060cda",
          "name": "google gmail account login source code for UK teenage account",
          "description": "",
          "modified": "2022-04-24T20:13:35.115000",
          "created": "2022-04-24T20:13:35.115000",
          "tags": [],
          "references": [
            "<html><head><meta charset=%22UTF-8%22><meta content=%22width=device-width\u2026.pdf"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 3,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "dorkingbeauty1",
            "id": "80137",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 2,
            "domain": 6,
            "hostname": 2,
            "URL": 4
          },
          "indicator_count": 14,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 393,
          "modified_text": "1497 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "Win.Malware.Oxypumper-6900445-0: FileHash-SHA1  05e520126ee1100c98263bfbd5a6ff0ce6ace4f7",
        "Win.Malware.Oxypumper-6900445-0: FileHash-SHA 256365ffde7df914840eb21c96f34c39912a4b031e3814b8e902b67acee6dff65a1",
        "Antivirus Detections: TrojanSpy:Win32/Nivdort.CW ,  TrojanSpy:Win32/Nivdort.DA ,  TrojanSpy:Win32/Nivdort.DB ... ,  TrojanSpy:Win32/Nivdort.CB ,  TrojanSpy:Win32/Nivdort.CW ,  TrojanSpy:Win32/Nivdort.DA",
        "https://vtbehaviour.commondatastorage.googleapis.com/72959b40065fe77303aaf1b1ef7639481e8081374d194ee7bdca70d4145c280c_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425168&Signature=g5GBSyA0yAUEvdoIOge%2BpfDJHbEytZxyvD3%2FuIcPelmvG2YCD8XkTO52d2p6QEigdTHcudK90Dn1hnWcxTw6zW0f0taTQ152R0ivuwKsnjkdiGmEzEda3oomEw1S48VFEpo1FuPOBhJtSmOjTuz9nVjcf3CdYabNfv8w000uClW3ho3WHUKSKqaM5pz0Z6Xu2n5VBrPgbxrhGhcNzUYi9LdeW6OcRYQBHN5EqStdWH%2FvxKQ%2FaFWjFd",
        "Backdoor:Win32/Plugx: FileHash-MD5 63ebfbad26a529929927b9b485faa18a",
        "https://www.spytox.com/ | Malicious Phone number & eMail verifier. HoneyPotNetBot?",
        "Reports of victims meeting fraud direct sales reps in home/coffee shops. Reps store PII, financial, SSN# on device. Orders in victims name. ID theft ring",
        "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowled",
        "IDS Detections: FormBook CnC Checkin (GET) 403 Forbidden Yara Detections: MAL_RANSOM_COVID19_Apr20_1 ,  DotNET_DotFuscator",
        "https://vtbehaviour.commondatastorage.googleapis.com/e0ac3780a1152800adc9fb31b5fd9d849b8f8defc014657b9b2e998ff72c2bb4_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426262&Signature=avYnViHhTCOzYcoQ9ZoWQXm888gYkFImwUY0aRhd7oc1noQzp0745QvRAtZCzRHg%2BVUbbKfpoRjOdPiXYw9FjrUllbNInvvGXIqN7Vtt6LC%2BxdGOhf7dLa6Uz%2B4LKhHlMM9d8xQ8jjMB48wG8FndhOesYOX2tjxz91IrsOQV%2Fu3rAp8bXq4TWxnLb2IfPWr4pG0y4o57hz%2F8dV%2B%2Fu7EoTWk5RmbMKFLNREVh3JRX1DofdLJi",
        "Antivirus Detections: Win32:TrojanX-gen\\ [Trj] , Win.Malware.Generickdz-6914893-0, Backdoor:Win32/Plugx",
        "https://vtbehaviour.commondatastorage.googleapis.com/26635326e74a93872df8e8c2cb62d97975d4b8fecc47f1fb095f5edaea35d24e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428517&Signature=DU4VOy7yITJdQXs7DOFeKHRKp%2Br9mKpD9h%2BzEGEaWFaglZT%2BclhwHRdwBHsCzL3esOya6J8S6kTLGWityOyu9TZDMqfQCfMp2jrPQX0U11wTs9NTbFlQVPiFCuOcmW%2BCNCN6h3I6vc5O5HfqTq6Hbpn1lI4N5nYcPJqVw993JXQDQ6o00cH6Txboc9yIeqp31lJFhP75yloqdbqBtVFTI3bqPTd4C83AS0015IRL8zpZo%2BKa1nuGpj7FIFXb",
        "Virustotal  - google.com.uy",
        "Backdoor:Win32/Plugx: FileHash-SHA256 a3ff97a0d338fd47e0af6822c4ee762491fc39028af984fe7ff8a1b6948fafe9",
        "https://vtbehaviour.commondatastorage.googleapis.com/5e5f874a1eedb61097a11ae64bd9c49b5f31af66e85930a66e7373e0f0484034_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426881&Signature=1FEszGc%2F5G396F8wJFd3wgCtHXg3oxedxnO7D7aWCkWs6d4k4i2%2Bp%2FehCdoJHrRy%2BJ7T4NZNupkx%2FLaxFRAwo%2BfTRBiFEwifjfN7zL2zunSZf%2FfWtXiVPftdFJynEYsHNiLxKclxy1ARhFeet3pCpGDAv70BgmRez08V1p4Qi8IG9RdOdvM6eiVmQ9AUp8LIwuJVMAQHFkKTOgCT2y01MhOpqVjtDSEIvVHBH2kInDwo7juUKj7hmudu",
        "Win.Malware.Oxypumper-6900445-0: FileHash-MD5 2d84a619d4bd339f860cb48af0c9b6c8",
        "https://vtbehaviour.commondatastorage.googleapis.com/3fe3b0bc7ca7ec4d23c1cd7c07d5cdf9cb3463beb18cd58e2501150d343d0851_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427457&Signature=qOgcBOyqA4YSh6lf9Vqs0UkKhwe0uotFK%2FBY4A2zWmCw%2FHzm2zZPrXINH1IFwPYSCmtm%2Fp15%2F9Qo%2FqhjC7vIq5yHz0oQjOU9Q41Oym%2F3Uea1SLp8gDBbnHKGJM1BYk88nOQOAzSporsAI6HsjZe6s7l%2B%2Buz2eFXF%2Bwkbj%2FwSSEb%2BAntmQo7dsjK90hkww2aZA9K4zdSsnT62hSdsoWJ5Xp4NS9Rv9hechWc8xqNk",
        "Interesting: https://otx.alienvault.com/indicator/url/http://google.com.ge/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&ved=0CCoQFjAA&url=http%3A%2F%2Ft1t.us%2F&ei=9H0XU4rwPKXOygP_8IL4Bw&usg=AFQjCNEgQ29Mke-UahuBZ5wqWav04lFYvA&sig2=9-57Skjm2Hu4tg-e8iysQA&bvm=bv.62286460,d.bGQ",
        "Ransom:Win32/GandCrab.AE: FileHash-MD5 f72bcc0d841008c1e8250a3df1182fd5",
        "iPhone: 5.100.3.iphone.com.tranzmate.tranzmate1.adsenseformobileapps.com",
        "http://www.50calpaintballshop.com/phpinfo.php?a[]=www.livecambabes.Webcam>sexy+girls+dildoing",
        "http://www.50calpaintballshop.com/phpinfo.php?a[]=lost+my+mercedes+key",
        "IDS Detections: DNS Query for Suspicious .ml Domain | DNS Query for Suspicious .ga Domain | Domain External IP Lookup ip-api.com | Win32/QwertMiner Suspicious UA (jdlnb)",
        "https://vtbehaviour.commondatastorage.googleapis.com/c6096cb32fc9fe4f9cc789acd6e7710be6efb8703e6f529fc3b21d78781d1fa8_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425908&Signature=PF22eOYOsUk8SONoBlJI8S81qygM4SRaTxPjXl%2BCjQ72N47ponTTU3Ysuv4BzsixckMJSY4E2jO2BgC0FVvrrCqEk%2FTr%2BOqDIJ5VkLruDQg58W3Z4gY8TGtXjbcIyp5hIZfbbCwRf4q%2BbzA9FxSTDXd9GvVO9T%2FMLfy8fTEPq1x%2BxKuOXDo0wQmtYWTB7ljw7tWexq4FlRTU%2B7iu1JYO%2FMlylQPvdMDAy9so15FLIiqxR8",
        "https://vtbehaviour.commondatastorage.googleapis.com/002362f9547b518f561f460bed033d3012cb5129491df95049825e5fb397be6e_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425341&Signature=aiKp8TxOFSCG510XO0p8MMtzOWTr180htkSKvZu7%2B%2B7TV3TUxMnUm8O4WkkPJsIy0hXEHz3SRFf%2BNX2NpE5T7Akl4MMr9SaooFFtTImZIFRBXxMzzBkd6u4aNRTmAryhVrbtk4kTjCi0E3OpH3F3u5QIMQ33o2Puktbg4XX61XQWt4YaLOFUYMamfulIpUzpOHeVs%2Fkth06S%2FWrPDLvcNkaYRX3DPH8f4gl%2F9TOPklWx",
        "scanning_hosts:  138.197.217.6,  IPv4 142.251.18.103, IPv4 142.251.31.99",
        "IDS Detections: Adware.iBryte.Z Checkin W32/iBryte.Adware Installer Download, Kazy/Kryptor/Cycbot Trojan Checkin 2,",
        "https://microcenterinsider.com/pub/cc?_ri_=X0Gzc2X=AQpglLjHJlTQG0amRRrN1tkKAFGSTzdEjURWMTwh5gzdnK5Wo4uRBMFITdmoHEE1NzdwpzaEqrzcUkeItzbfVXtpKX=BATA",
        "checkip.dyndns.org Alerts: dead_host network_icmp nolookup_communication modifies_proxy_wpad packer_polymorphic recon_beacon",
        "https://vtbehaviour.commondatastorage.googleapis.com/e1473cc8cff4b1be7da44681ffa0371e603c6202e97b31b204b88e0b4cd16f6e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426024&Signature=Mn%2BWGa6Bwgj%2B7Wvu84ha8YpIKBeSUTbuDj5UoPu6SjBglPGllKI8zGujdrSeUWSakmCrXC6ynTHKW%2FCe0Mtbri1ObLWlzLI2MOBUa1yvFAedeuv%2F64ht%2BZjOHazy%2FNRoLbLO2wNd5WqlfQ3rNN%2BS%2FKqw3NxoYEZmZZhAR4NHgiElwdY%2BIT6lKyUMlku3DlyVKntVZPwyrzmP3YZUPyHbpMTZxXMmtYB8eG%2FQaUfDA3",
        "https://pegasusm2.bullsbikesusa.com",
        "iOS: http://www.au-petit-cafe-hollywood.com/guestbook/index.php?_sm_byp=iVVJNj4pQQp0ZsWB%3Eshowbox%20install%20iphone%3C/a%3E",
        "ns2.tsaratsovo.net",
        "Ransom:Win32/GandCrab.AE: FileHash-SHA256 941ea65563f1b06080075ccafa8180118f65f3c8a4cca038654f0aba5cd0f5fc",
        "https://vtbehaviour.commondatastorage.googleapis.com/dfc3a78d8aa1b8c02a6f66ef9d96192b569e9af8d43291940eee5e0d11925e83_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427738&Signature=gFp6kB0oxeyNHL6GzyKaaCGqK8SMwnZKibR150oaqlNN6FVzXLLL1xM5%2BOssqN1VObuGVYC8rGfsRuYZrrRg1vAfyLSAnpYp4Eo%2B%2FXiVFRZN%2FQSNqP%2BnOrVnXcGgr5GZfnAUvRqlC3op%2Bxq1j3a9eZoEKexYzFm0cgrNoa1gKtifgvWutOVwZdJ58fJglF%2FTB3qBH5QE6EgIetjtRIMOFZrfeTaI0QpOlyFexAmuJlBy633A",
        "IDS Detections: Win32/QwertMiner CoinMiner Dropper CnC Checkin M2 | IDS Detections: Terse Named Filename EXE Download - Possibly Hostile",
        "checkip.dyndns.org [command and control]",
        "https://www.YouTube.com/polebote",
        "Interesting: www1.xxx.ddns.info | https://sgpelvicfloor.in/wp-admin/ZDCpqfZDmM5x9MxAaxxX/",
        "http://www.50calpaintballshop.com/phpinfo.php?a[]=webcam+models+livecambabes.webcam>korean+webcam+models",
        "mobileview.page, 3.65.0.iphone.com.shotzoom.tourcaddie.adsenseformobileapps.com,",
        "iPhone: 1.2.6.iphone.com.qijitech.themes.adsenseformobileapps.com",
        "Checker By X-SLAYER.exe: 74ca7f6f723a57dc22625eb26214f85689216859388c1f93503728dae8929b97",
        "FormBook: FileHash-SHA256 d329608064b13006e73309a6f6a819b6bc1392b80ad01946d04719da0b680955",
        "Alerts: nids_malware_alert injection_runpe network_icmp network_cnc_http network_http allocates_rwx",
        "FormBook: FileHash-SHA1 205a7931e145b05ac6040690d7a2b862b4a1ec79",
        "144.76.108.82 [scanning host]",
        "1.2.6.iphone.com.qijitech.themes.adsenseformobileapps.com. 2.android.com.vance.advanced.tubevanced.adsenseformobileapps.com",
        "Yara Detections: SUSP_NET_NAME_ConfuserEx , Delphi Alerts: network_icmp",
        "Antivirus Detections: Win.Malware.Oxypumper-6900445-0",
        "<html><head><meta charset=%22UTF-8%22><meta content=%22width=device-width\u2026.pdf",
        "https://hybrid-analysis.com/sample/79c5841a534b53013389ba76326a067895bdf5e41ad279d82b2002f6c8f2cda6",
        "https://vtbehaviour.commondatastorage.googleapis.com/002362f9547b518f561f460bed033d3012cb5129491df95049825e5fb397be6e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425469&Signature=gf1ylsIZ1FiwQfafpFPWlt2AP1PARebq7RGsb2lQJjPNRddkHG%2BNaDO44Op2YPyEC3JC9zlMUS25qA16XdMFGyeWpb8VMUpENtMxuen3x7q3DqkJoaCjH9ZGAt9Aak00PlI4MJbauwW4QCaTMqZcv%2Bs5scZuf29QSN0dJR4znOWHr48ryot1YP5O8TwsVbpaQxFRNkUt1AyiuPjaPUNxIlcuMMDVePvGwkqamMmQVCxksE1tXMgTA4chz2ehGL1BZi",
        "Alerts: antisandbox_sleep creates_exe privilege_luid_check checks_debugger",
        "IDS Detections: HTTP Executable Download from suspicious domain with direct request/fake browser (multiple families)",
        "Yara Detections ReflectiveLoader ,  Win32_Ransomware_GandCrab ,  stack_string",
        "https://www.herbgordonsubaru.com/?ddcref=careconnect_NM102-01&utm_campaign=newsconnect&utm_medium=email&utm_source=careconnect",
        "https://github.com/blackmatrix7/ios_rule_script",
        "https://www.herbgordonsubaru.com/new-inventory/index?search=&model=Outback&utm_source=careconnect&utm_medium=email&utm_campaign=marketdriver-sales&ddcref=careconnect_marketdriversales",
        "Antivirus Detections: ALF:HSTR:Adware:Win32/iBryte!bit ,  ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47 ,  PWS:Win32/QQpass.B!MTB ,",
        "DotNET_Crypto_Obfuscator",
        "https://otx.alienvault.com/indicator/file/1c954b67c62b161d839434243ebe4b9dfe2b790a91eb968ecbfbfae53a414e29",
        "https://vtbehaviour.commondatastorage.googleapis.com/d0dc95ec6184b0d79326d7ef70955d143e94215b332d869cbaf4482f34741216_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425966&Signature=smUTi069ww4c03xNnWiAdPUZUaGaxehukFdqKEVMCUD%2BbA%2BMmuQJo%2B3TBJ8g3pT884gYvzxRo88GpCPJTMoT54SwAzTcUD6vNx8IJxw2khWcNWb1lVYvE%2FoCguT0IJYm7wiTEjWDpeLz5amfhrPftnPjBIP1ITo9VIOc%2FK%2F%2F5EQMFcv%2FyNZhKMHzvda0LGCp6BHK0n03SMwluqFYlaGrkcE2y0buTDk2fFmt8YwN%2Bp6%",
        "https://vtbehaviour.commondatastorage.googleapis.com/d0dc95ec6184b0d79326d7ef70955d143e94215b332d869cbaf4482f34741216_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427393&Signature=Y1SIIdbfZ13laS6E1kUpDYc3bEcZnQ7kw%2Fr%2FySc758jCzvRyB08531PJ9iIMMOMiupAUPfD3E1JfLbApE2HLnQ4ijkDHqFUPUrV4NrHU9QGGgJoj%2BJWZRNL2LFzbZoktG317lOAXVsRcZiqK9ps%2Bi%2B9q8K%2BDDNRE0Widdz0r9jJ8yUeyykgyWeZy3ljccHWcdlokMiJ4bRN6RQpwollIZ1IJBCRNewd%2FPKBJwI%2FEoFf%2B",
        "Ransom:Win32/GandCrab.AE: FileHash-SHA1 fe29cb8324de15bccfe5055a65ea36141fb794c9",
        "Yara Detections PEtite24",
        "https://vtbehaviour.commondatastorage.googleapis.com/c6096cb32fc9fe4f9cc789acd6e7710be6efb8703e6f529fc3b21d78781d1fa8_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426428&Signature=ZMUnHqhcQ0e3Y7e7YGilNtksz7XM2Vy8N0nLj%2Fq7zprOG9An%2FoSgolS4cNDYtYSr9l3zZBGHdB43Oc9M4nz2aeg5WDyzle7o3jBBwQWsXIuS7HrXDH3wJPpINzb%2FlcYkpv8GJyWjJSUPZJPOV7bj32rGnh3ZOr%2BwqEA%2BOx78h9d66QzN%2FaVtc6Mg6%2F673L1JfHuXBAOSrc5TXgSNfTd0jYXHEuus8QfD3ocALihLDkkwz4tTjvcb4y6f",
        "iPhone: 8.0.1.iphone.com.nextradiotv.bfmtv.adsenseformobileapps.com",
        "nr-data.net [Apple Private Data Collection]",
        "https://otx.alienvault.com/indicator/ip/216.40.34.41",
        "http://www.50calpaintballshop.com/phpinfo.php?a[]=lost+my+mercedes+key>Mercedes+benz+Key+programmer",
        "http://www.50calpaintballshop.com/phpinfo.php?a[]=avon+representative>50calpaintballshop.com>avon+representative+directory [Beware: redirects]",
        "iPhone: 3.65.0.iphone.com.shotzoom.tourcaddie.adsenseformobileapps.com",
        "Antivirus Detections: Win32:MalwareX-gen\\ [Trj]",
        "geosite.dat.html",
        "https://vtbehaviour.commondatastorage.googleapis.com/26635326e74a93872df8e8c2cb62d97975d4b8fecc47f1fb095f5edaea35d24e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428474&Signature=uql0wTbjXQwkaToIAACxI%2Fw60EJ4vo2N07Siqp0dhXPVMJkxDeYFF6ZedokBsmnThvTAhc2yXpV%2BJgGaV5BSeKresSym3g6XQ4nRY9Q6S%2F7OabrFLu5yiEKKbRgi8%2Fvc8xj0sz79D43XxY99BwYqBZtXoSvWU1T%2B2c0KSbnsNj7VB2U6rcHd0JmQWlVb2tZlzOHvdlxx6GBoKE6E4Z3cYi1OYi7TV9jZkiEGTeQFP3VmeI6pXzMR",
        "FormBook IP: 142.251.211.243",
        "https://hybrid-analysis.com/sample/89fb2bccca6342d8fe50bd8b9763a6c829fd1bfe4fe2eccb251bd7e060f0d168/6691b5695751a70ec9041622",
        "Ransomware Detected: text artifact in screenshot indicates file may be ransomware details \"Antivirus\" (Source: screen_11.png, Indicator: \"virus\")",
        "https://vtbehaviour.commondatastorage.googleapis.com/e3b4e56eb9d0af4fa92f811c8433517d1e3b0a500e626441fc3388ec5c89c38c_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427874&Signature=Mka3TdgNgNwtOsGI7QSeJXzEbXBcGM7vApf4fqs1N89fN8dlAkV6RGqkQoTiYd9PjEUORagcZEFpfKD86fjqieTKGkkB0mdpW1LEfGyums9GH822QupXFD8%2FVCbbeowKDnRuvd0ZOT%2FWo0YOVLMzjQRc6HHaXTwmD30iqz08ClcMhnaTGnW%2BL1VFSUV0QOoUTPfotLBvZBzSqvMOjkppXhsU1e7zn%2BzQK8JUajgHKx7RViqsMVuA8Qlt9jy48z",
        "Alerts: disables_security network_icmp modifies_certificates modifies_proxy_wpad multiple_useragents injection_resumethread",
        "IDS Detections: FormBook CnC Checkin (GET) W32/iBryte.Adware Affiliate Campaign Executable Download ...",
        "https://vtbehaviour.commondatastorage.googleapis.com/72959b40065fe77303aaf1b1ef7639481e8081374d194ee7bdca70d4145c280c_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427538&Signature=o6aSYMUzoDKb3m0W3lZulI%2Bc%2BcvifozmlN72ZSSxcWMU3DjzK%2FH515TFuFdkccTfkm8PO%2FlxgBrpamg%2B5bAcBaYvVJ3lga385BWvoGzETcXayv%2FRl2EffIIOhDUa9yPodQ13tYE1C8gE34LQPdK02WTjxunaKFa6nQmtd4h2qgf7IRve6UEZGMbiDkUlu9muuvpS6Aw1TQ8d%2BltZZJ9mPp5lmoTbra5oKX8mvHQmfzKhBFUYfckzn6Qg",
        "https://vtbehaviour.commondatastorage.googleapis.com/013026abaf363129613d63f7a80bd5f1007d3a123442447b298e74631a86b6b9_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428392&Signature=0fuLnRY7OihvxaAAPVTWWy1rHjerWWMNx%2BVogBBBqrD3gYysT0fj7z9yXH0ciZv48Vzbl12zYunAvcOrZmlhWRayUlGVpmLUMUixVInEpEUagrezUUQW8L%2FaK7MLeJRak3FTNR73YGL8ce%2BEwpUNCoTwlXYndc6GGpjbXjOHEjyuW1DrhR%2BQui94xj%2F%2FUk5EnrRIl2HS7SgRoiwpozKBamKdin2TzeP0%2FKV2O0QDII05A0Qu",
        "google.com.ge , google.kiteflier.top, google.pf, google.com.ht, http://philsinstallation.com/, www.orion.area120.com ?, https://degoogle.xyz/feed/",
        "https://vtbehaviour.commondatastorage.googleapis.com/e32c3637b93d17e560587a039f5c5958b8b81c1397a6d638163dd4566fdfac4d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426074&Signature=qsu4LRTHFbUwe%2BwGeH1wThGz%2Fef3HYKxkFl1vMVQNvSHHHWd5C6FYUJ%2FBAGx%2BPx5JPbhWS2o9hfGQ4PWjcZ%2BEqleuPjTEfvCl96m9na%2BKTfO%2B15rn0TppIYdJJ5htoNwO2lJ%2FvSyMqLFt4Ql5RobZ9%2Bwtn7dUblGvh54wFvGpuu1oDoPvM4FYh6srDJwWsDLVi9u30Uk5nk5vqIHQH9XClZDjz13oBECBSZskns55zdY",
        "https://vtbehaviour.commondatastorage.googleapis.com/3fe3b0bc7ca7ec4d23c1cd7c07d5cdf9cb3463beb18cd58e2501150d343d0851_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425246&Signature=fNaUBAJEmKllb5%2BKYH8bOQO1PzuFIiqEarnmkfx0gTO3Zcux7EpGxLoFPLchiYgrfzVfRPXLYR87MrSmbNYjWg1htJNnnaFqRSG4aNch9NFulAeCq1Z%2Fs3nHKMh2SoYATCaXKkGC1KMoX4mFFftGFebHxq1M2D6aTdpIXnzI3HywXD8RMRRqM%2BJ%2BHAiuK%2B6FibY2SRG6%2B9sr7guEPsUOTIwiBxKX9Gbagoh14UqeIlUtMED61D",
        "Antivirus Detections: Trojan:Win32/Bulta!rfn ,  TrojanDownloader:Win32/Cutwail ,  TrojanDropper:Win32/Loring ,  TrojanSpy:Win32/Nivdort.CB ,",
        "FormBook: FileHash-MD5 FileHash-MD5 60b8487a9ddc166fbae45d611a0b6848",
        "http://www.50calpaintballshop.com/phpinfo.php?a[]=how+to+join+avon+uk>how+do+i+join+avon+online [redirects to fraud representatives]",
        "https://vtbehaviour.commondatastorage.googleapis.com/d0dc95ec6184b0d79326d7ef70955d143e94215b332d869cbaf4482f34741216_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427641&Signature=WFnkeBZrEnGt9bxaBIROfEvcDg7woGYh2z9eElPx22u7UrFNBNzuaClc6Zl5jeius8pWGrlc7WTma3KN7lY%2BtUaCClyPnnoe%2FvUr7AZI6%2Bxp6mNDoTeMsn9xu7Qw9UtFwiOXagOocenXZ1jF2RgbnGvUyQHHfkymVZIYy9QGNX6kKek3Vfpx%2FtZbK5eMyv9smQ4%2BMIb6MKyloiWF%2BPe8TsKv00dULjDyhC7QyyJEy5heiyWfU9LnviZTFL",
        "Antivirus Detections: Win32:MalwareX-gen\\ [Trj] ,  Win.Ransomware.Gandcrab-9967304-0 ,  Ransom:Win32/GandCrab.AE",
        "https://vtbehaviour.commondatastorage.googleapis.com/e32c3637b93d17e560587a039f5c5958b8b81c1397a6d638163dd4566fdfac4d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428327&Signature=CKFTYt6ArIXnni2OBMePdc%2BoH7kRmZPKkiafFzNYrWXp%2FJELva1Jl%2Fh%2BAPz2FyN1cXlsmQQI2zESw%2F5RN07RU%2F%2FgUL5LhkXqgs592Rqd60w3NRL0Syuh1bXYUy6zXlqQLg1MRwYvryPVKsV0v93ldWr%2BHwcGR3VXqtUGT7JB7YrAk0vkPyAznWMvStz%2F6jZnaVlEEYGqnCMx%2FA8O0i9yH5R0X47OY0U1B%2BHBsDKO"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": []
        },
        "other": {
          "adversary": [
            "Mustang Panda"
          ],
          "malware_families": [
            "Installer",
            "Tofsee",
            "Sf:agent-dq\\ [trj]",
            "Ransom:win32/stopcrypt.ak!mtb",
            "Ransom:win32/gandcrab.ae",
            "Trojandropper:win32/tofsee",
            "Cycbot",
            "Win.malware.oxypumper-6900445-0",
            "Trojandownloader:win32/upatre!rfn",
            "Backdoor:win32/plugx",
            "Trojan:msil/trojandropper",
            "Win32:dropperx-gen\\ [drp]",
            "Backdoor:win32/tofsee.t",
            "Win.trojan.tofsee-9770082-1",
            "Trojanspy"
          ],
          "industries": []
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 7,
  "pulses": [
    {
      "id": "6a0fec7257bc32c037c9be08",
      "name": "research part 3 * CAPE Sandbox",
      "description": "NET\nIssuer\nMicrosoft Code Signing PCA 2011\nValid From\n2023-05-11 19:03:32\nValid To\n2024-05-08 19:03:32\nValid Usage\n0.4.1.311.76.8, Code Signing\nAlgorithm\nsha384RSA\nThumbprint\n50A04FFE627F8E21FD61AF1B73E5D03B4ADB100D\nThumbprint MD5\n97762F82B14E28F4E97F0A97D81F280B\nThumbprint SHA256\nC5C2879E3551DA2FA5B8B2576FB7567F2BBEF79DDA388C45D137B0EE62F8F62C\nSerial Number\n33 00 00 03 7C C9 F6 BC ED 07 59 AE 08 00 00 00 00 03 7C",
      "modified": "2026-05-22T06:18:07.234000",
      "created": "2026-05-22T05:41:06.053000",
      "tags": [
        "string id",
        "x5173x95ed",
        "control",
        "wixbundlename",
        "x53d6x6d88",
        "copyright",
        "width",
        "height",
        "helptext",
        "repair",
        "detail info",
        "tickcount",
        "filename",
        "behaviour",
        "imagepath",
        "cmdline",
        "offset",
        "targetprocess",
        "writeaddress",
        "size",
        "write",
        "shell",
        "open",
        "pe32",
        "ms windows",
        "microsoft input",
        "method editor",
        "ms visual",
        "win32 dynamic",
        "link library",
        "pe64 compiler",
        "ltcgc",
        "linker",
        "windows sandbox",
        "clear filters",
        "algorithm",
        "key identifier",
        "x509v3 subject",
        "full name",
        "v3 serial",
        "number",
        "cus odigicert",
        "inc cndigicert",
        "sha2 secure",
        "server ca",
        "performs dns",
        "pe file",
        "sample",
        "sigma",
        "instance",
        "spawns",
        "aslr",
        "urls",
        "t1055 process",
        "attack network",
        "phishing",
        "info",
        "next",
        "status code",
        "body length",
        "kb body",
        "default",
        "parent pid",
        "full path",
        "command line",
        "inprocserver32",
        "data",
        "datacrashpad",
        "k localservice",
        "s ngcsvc",
        "s ngcctnrsvc",
        "cname",
        "strong",
        "library",
        "accept",
        "address virtual",
        "file type",
        "shutdown",
        "file size",
        "mwdb",
        "bazaar",
        "sha3384",
        "ssdeep",
        "virtual address",
        "guard",
        "back",
        "studio build",
        "tools",
        "linkid2179911",
        "visual c",
        "visual studio",
        "ccli",
        "studio",
        "studio ide",
        "msbuild",
        "dev17",
        "false",
        "ascii text",
        "https",
        "svg scalable",
        "vector graphics",
        "elite",
        "tls version",
        "unicode text",
        "persistence",
        "malicious",
        "ip address",
        "mb body",
        "windows",
        "reads",
        "network info",
        "processes extra",
        "intel",
        "delphi",
        "code",
        "microsoft code",
        "signing pca",
        "valid from",
        "valid usage",
        "code signing",
        "thumbprint",
        "thumbprint md5",
        "c9 f6",
        "bc ed",
        "service issuer",
        "usage ff",
        "authority",
        "sha256",
        "serial number",
        "none rticon",
        "tofsee",
        "stream",
        "mitre attack",
        "chrome cache",
        "entry",
        "web open",
        "font format",
        "truetype",
        "version",
        "t1574",
        "execution flow",
        "found",
        "drops pe",
        "window",
        "Avalon",
        "dmca https",
        "versionnt",
        "and not",
        "versionnt64",
        "and versionnt64",
        "majorupgrade",
        "service pack",
        "redistributable",
        "detect",
        "windows81x86",
        "script",
        "cohassethingham",
        "title",
        "rent",
        "pendo",
        "userinfo",
        "doctype html",
        "head",
        "optanonwrapper",
        "date",
        "meta",
        "strings",
        "null",
        "layer protocol",
        "overview",
        "overview zenbox",
        "verdict"
      ],
      "references": [
        "https://vtbehaviour.commondatastorage.googleapis.com/72959b40065fe77303aaf1b1ef7639481e8081374d194ee7bdca70d4145c280c_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425168&Signature=g5GBSyA0yAUEvdoIOge%2BpfDJHbEytZxyvD3%2FuIcPelmvG2YCD8XkTO52d2p6QEigdTHcudK90Dn1hnWcxTw6zW0f0taTQ152R0ivuwKsnjkdiGmEzEda3oomEw1S48VFEpo1FuPOBhJtSmOjTuz9nVjcf3CdYabNfv8w000uClW3ho3WHUKSKqaM5pz0Z6Xu2n5VBrPgbxrhGhcNzUYi9LdeW6OcRYQBHN5EqStdWH%2FvxKQ%2FaFWjFd",
        "https://vtbehaviour.commondatastorage.googleapis.com/3fe3b0bc7ca7ec4d23c1cd7c07d5cdf9cb3463beb18cd58e2501150d343d0851_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425246&Signature=fNaUBAJEmKllb5%2BKYH8bOQO1PzuFIiqEarnmkfx0gTO3Zcux7EpGxLoFPLchiYgrfzVfRPXLYR87MrSmbNYjWg1htJNnnaFqRSG4aNch9NFulAeCq1Z%2Fs3nHKMh2SoYATCaXKkGC1KMoX4mFFftGFebHxq1M2D6aTdpIXnzI3HywXD8RMRRqM%2BJ%2BHAiuK%2B6FibY2SRG6%2B9sr7guEPsUOTIwiBxKX9Gbagoh14UqeIlUtMED61D",
        "https://vtbehaviour.commondatastorage.googleapis.com/002362f9547b518f561f460bed033d3012cb5129491df95049825e5fb397be6e_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425341&Signature=aiKp8TxOFSCG510XO0p8MMtzOWTr180htkSKvZu7%2B%2B7TV3TUxMnUm8O4WkkPJsIy0hXEHz3SRFf%2BNX2NpE5T7Akl4MMr9SaooFFtTImZIFRBXxMzzBkd6u4aNRTmAryhVrbtk4kTjCi0E3OpH3F3u5QIMQ33o2Puktbg4XX61XQWt4YaLOFUYMamfulIpUzpOHeVs%2Fkth06S%2FWrPDLvcNkaYRX3DPH8f4gl%2F9TOPklWx",
        "https://vtbehaviour.commondatastorage.googleapis.com/002362f9547b518f561f460bed033d3012cb5129491df95049825e5fb397be6e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425469&Signature=gf1ylsIZ1FiwQfafpFPWlt2AP1PARebq7RGsb2lQJjPNRddkHG%2BNaDO44Op2YPyEC3JC9zlMUS25qA16XdMFGyeWpb8VMUpENtMxuen3x7q3DqkJoaCjH9ZGAt9Aak00PlI4MJbauwW4QCaTMqZcv%2Bs5scZuf29QSN0dJR4znOWHr48ryot1YP5O8TwsVbpaQxFRNkUt1AyiuPjaPUNxIlcuMMDVePvGwkqamMmQVCxksE1tXMgTA4chz2ehGL1BZi",
        "https://vtbehaviour.commondatastorage.googleapis.com/c6096cb32fc9fe4f9cc789acd6e7710be6efb8703e6f529fc3b21d78781d1fa8_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425908&Signature=PF22eOYOsUk8SONoBlJI8S81qygM4SRaTxPjXl%2BCjQ72N47ponTTU3Ysuv4BzsixckMJSY4E2jO2BgC0FVvrrCqEk%2FTr%2BOqDIJ5VkLruDQg58W3Z4gY8TGtXjbcIyp5hIZfbbCwRf4q%2BbzA9FxSTDXd9GvVO9T%2FMLfy8fTEPq1x%2BxKuOXDo0wQmtYWTB7ljw7tWexq4FlRTU%2B7iu1JYO%2FMlylQPvdMDAy9so15FLIiqxR8",
        "https://vtbehaviour.commondatastorage.googleapis.com/d0dc95ec6184b0d79326d7ef70955d143e94215b332d869cbaf4482f34741216_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779425966&Signature=smUTi069ww4c03xNnWiAdPUZUaGaxehukFdqKEVMCUD%2BbA%2BMmuQJo%2B3TBJ8g3pT884gYvzxRo88GpCPJTMoT54SwAzTcUD6vNx8IJxw2khWcNWb1lVYvE%2FoCguT0IJYm7wiTEjWDpeLz5amfhrPftnPjBIP1ITo9VIOc%2FK%2F%2F5EQMFcv%2FyNZhKMHzvda0LGCp6BHK0n03SMwluqFYlaGrkcE2y0buTDk2fFmt8YwN%2Bp6%",
        "https://vtbehaviour.commondatastorage.googleapis.com/e1473cc8cff4b1be7da44681ffa0371e603c6202e97b31b204b88e0b4cd16f6e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426024&Signature=Mn%2BWGa6Bwgj%2B7Wvu84ha8YpIKBeSUTbuDj5UoPu6SjBglPGllKI8zGujdrSeUWSakmCrXC6ynTHKW%2FCe0Mtbri1ObLWlzLI2MOBUa1yvFAedeuv%2F64ht%2BZjOHazy%2FNRoLbLO2wNd5WqlfQ3rNN%2BS%2FKqw3NxoYEZmZZhAR4NHgiElwdY%2BIT6lKyUMlku3DlyVKntVZPwyrzmP3YZUPyHbpMTZxXMmtYB8eG%2FQaUfDA3",
        "https://vtbehaviour.commondatastorage.googleapis.com/e32c3637b93d17e560587a039f5c5958b8b81c1397a6d638163dd4566fdfac4d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426074&Signature=qsu4LRTHFbUwe%2BwGeH1wThGz%2Fef3HYKxkFl1vMVQNvSHHHWd5C6FYUJ%2FBAGx%2BPx5JPbhWS2o9hfGQ4PWjcZ%2BEqleuPjTEfvCl96m9na%2BKTfO%2B15rn0TppIYdJJ5htoNwO2lJ%2FvSyMqLFt4Ql5RobZ9%2Bwtn7dUblGvh54wFvGpuu1oDoPvM4FYh6srDJwWsDLVi9u30Uk5nk5vqIHQH9XClZDjz13oBECBSZskns55zdY",
        "https://vtbehaviour.commondatastorage.googleapis.com/e0ac3780a1152800adc9fb31b5fd9d849b8f8defc014657b9b2e998ff72c2bb4_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426262&Signature=avYnViHhTCOzYcoQ9ZoWQXm888gYkFImwUY0aRhd7oc1noQzp0745QvRAtZCzRHg%2BVUbbKfpoRjOdPiXYw9FjrUllbNInvvGXIqN7Vtt6LC%2BxdGOhf7dLa6Uz%2B4LKhHlMM9d8xQ8jjMB48wG8FndhOesYOX2tjxz91IrsOQV%2Fu3rAp8bXq4TWxnLb2IfPWr4pG0y4o57hz%2F8dV%2B%2Fu7EoTWk5RmbMKFLNREVh3JRX1DofdLJi",
        "https://vtbehaviour.commondatastorage.googleapis.com/c6096cb32fc9fe4f9cc789acd6e7710be6efb8703e6f529fc3b21d78781d1fa8_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426428&Signature=ZMUnHqhcQ0e3Y7e7YGilNtksz7XM2Vy8N0nLj%2Fq7zprOG9An%2FoSgolS4cNDYtYSr9l3zZBGHdB43Oc9M4nz2aeg5WDyzle7o3jBBwQWsXIuS7HrXDH3wJPpINzb%2FlcYkpv8GJyWjJSUPZJPOV7bj32rGnh3ZOr%2BwqEA%2BOx78h9d66QzN%2FaVtc6Mg6%2F673L1JfHuXBAOSrc5TXgSNfTd0jYXHEuus8QfD3ocALihLDkkwz4tTjvcb4y6f",
        "https://vtbehaviour.commondatastorage.googleapis.com/5e5f874a1eedb61097a11ae64bd9c49b5f31af66e85930a66e7373e0f0484034_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779426881&Signature=1FEszGc%2F5G396F8wJFd3wgCtHXg3oxedxnO7D7aWCkWs6d4k4i2%2Bp%2FehCdoJHrRy%2BJ7T4NZNupkx%2FLaxFRAwo%2BfTRBiFEwifjfN7zL2zunSZf%2FfWtXiVPftdFJynEYsHNiLxKclxy1ARhFeet3pCpGDAv70BgmRez08V1p4Qi8IG9RdOdvM6eiVmQ9AUp8LIwuJVMAQHFkKTOgCT2y01MhOpqVjtDSEIvVHBH2kInDwo7juUKj7hmudu",
        "https://vtbehaviour.commondatastorage.googleapis.com/d0dc95ec6184b0d79326d7ef70955d143e94215b332d869cbaf4482f34741216_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427393&Signature=Y1SIIdbfZ13laS6E1kUpDYc3bEcZnQ7kw%2Fr%2FySc758jCzvRyB08531PJ9iIMMOMiupAUPfD3E1JfLbApE2HLnQ4ijkDHqFUPUrV4NrHU9QGGgJoj%2BJWZRNL2LFzbZoktG317lOAXVsRcZiqK9ps%2Bi%2B9q8K%2BDDNRE0Widdz0r9jJ8yUeyykgyWeZy3ljccHWcdlokMiJ4bRN6RQpwollIZ1IJBCRNewd%2FPKBJwI%2FEoFf%2B",
        "https://vtbehaviour.commondatastorage.googleapis.com/3fe3b0bc7ca7ec4d23c1cd7c07d5cdf9cb3463beb18cd58e2501150d343d0851_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427457&Signature=qOgcBOyqA4YSh6lf9Vqs0UkKhwe0uotFK%2FBY4A2zWmCw%2FHzm2zZPrXINH1IFwPYSCmtm%2Fp15%2F9Qo%2FqhjC7vIq5yHz0oQjOU9Q41Oym%2F3Uea1SLp8gDBbnHKGJM1BYk88nOQOAzSporsAI6HsjZe6s7l%2B%2Buz2eFXF%2Bwkbj%2FwSSEb%2BAntmQo7dsjK90hkww2aZA9K4zdSsnT62hSdsoWJ5Xp4NS9Rv9hechWc8xqNk",
        "https://vtbehaviour.commondatastorage.googleapis.com/72959b40065fe77303aaf1b1ef7639481e8081374d194ee7bdca70d4145c280c_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427538&Signature=o6aSYMUzoDKb3m0W3lZulI%2Bc%2BcvifozmlN72ZSSxcWMU3DjzK%2FH515TFuFdkccTfkm8PO%2FlxgBrpamg%2B5bAcBaYvVJ3lga385BWvoGzETcXayv%2FRl2EffIIOhDUa9yPodQ13tYE1C8gE34LQPdK02WTjxunaKFa6nQmtd4h2qgf7IRve6UEZGMbiDkUlu9muuvpS6Aw1TQ8d%2BltZZJ9mPp5lmoTbra5oKX8mvHQmfzKhBFUYfckzn6Qg",
        "https://vtbehaviour.commondatastorage.googleapis.com/d0dc95ec6184b0d79326d7ef70955d143e94215b332d869cbaf4482f34741216_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427641&Signature=WFnkeBZrEnGt9bxaBIROfEvcDg7woGYh2z9eElPx22u7UrFNBNzuaClc6Zl5jeius8pWGrlc7WTma3KN7lY%2BtUaCClyPnnoe%2FvUr7AZI6%2Bxp6mNDoTeMsn9xu7Qw9UtFwiOXagOocenXZ1jF2RgbnGvUyQHHfkymVZIYy9QGNX6kKek3Vfpx%2FtZbK5eMyv9smQ4%2BMIb6MKyloiWF%2BPe8TsKv00dULjDyhC7QyyJEy5heiyWfU9LnviZTFL",
        "https://vtbehaviour.commondatastorage.googleapis.com/dfc3a78d8aa1b8c02a6f66ef9d96192b569e9af8d43291940eee5e0d11925e83_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427738&Signature=gFp6kB0oxeyNHL6GzyKaaCGqK8SMwnZKibR150oaqlNN6FVzXLLL1xM5%2BOssqN1VObuGVYC8rGfsRuYZrrRg1vAfyLSAnpYp4Eo%2B%2FXiVFRZN%2FQSNqP%2BnOrVnXcGgr5GZfnAUvRqlC3op%2Bxq1j3a9eZoEKexYzFm0cgrNoa1gKtifgvWutOVwZdJ58fJglF%2FTB3qBH5QE6EgIetjtRIMOFZrfeTaI0QpOlyFexAmuJlBy633A",
        "https://vtbehaviour.commondatastorage.googleapis.com/e3b4e56eb9d0af4fa92f811c8433517d1e3b0a500e626441fc3388ec5c89c38c_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779427874&Signature=Mka3TdgNgNwtOsGI7QSeJXzEbXBcGM7vApf4fqs1N89fN8dlAkV6RGqkQoTiYd9PjEUORagcZEFpfKD86fjqieTKGkkB0mdpW1LEfGyums9GH822QupXFD8%2FVCbbeowKDnRuvd0ZOT%2FWo0YOVLMzjQRc6HHaXTwmD30iqz08ClcMhnaTGnW%2BL1VFSUV0QOoUTPfotLBvZBzSqvMOjkppXhsU1e7zn%2BzQK8JUajgHKx7RViqsMVuA8Qlt9jy48z",
        "https://vtbehaviour.commondatastorage.googleapis.com/e32c3637b93d17e560587a039f5c5958b8b81c1397a6d638163dd4566fdfac4d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428327&Signature=CKFTYt6ArIXnni2OBMePdc%2BoH7kRmZPKkiafFzNYrWXp%2FJELva1Jl%2Fh%2BAPz2FyN1cXlsmQQI2zESw%2F5RN07RU%2F%2FgUL5LhkXqgs592Rqd60w3NRL0Syuh1bXYUy6zXlqQLg1MRwYvryPVKsV0v93ldWr%2BHwcGR3VXqtUGT7JB7YrAk0vkPyAznWMvStz%2F6jZnaVlEEYGqnCMx%2FA8O0i9yH5R0X47OY0U1B%2BHBsDKO",
        "https://vtbehaviour.commondatastorage.googleapis.com/013026abaf363129613d63f7a80bd5f1007d3a123442447b298e74631a86b6b9_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428392&Signature=0fuLnRY7OihvxaAAPVTWWy1rHjerWWMNx%2BVogBBBqrD3gYysT0fj7z9yXH0ciZv48Vzbl12zYunAvcOrZmlhWRayUlGVpmLUMUixVInEpEUagrezUUQW8L%2FaK7MLeJRak3FTNR73YGL8ce%2BEwpUNCoTwlXYndc6GGpjbXjOHEjyuW1DrhR%2BQui94xj%2F%2FUk5EnrRIl2HS7SgRoiwpozKBamKdin2TzeP0%2FKV2O0QDII05A0Qu",
        "https://vtbehaviour.commondatastorage.googleapis.com/26635326e74a93872df8e8c2cb62d97975d4b8fecc47f1fb095f5edaea35d24e_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428474&Signature=uql0wTbjXQwkaToIAACxI%2Fw60EJ4vo2N07Siqp0dhXPVMJkxDeYFF6ZedokBsmnThvTAhc2yXpV%2BJgGaV5BSeKresSym3g6XQ4nRY9Q6S%2F7OabrFLu5yiEKKbRgi8%2Fvc8xj0sz79D43XxY99BwYqBZtXoSvWU1T%2B2c0KSbnsNj7VB2U6rcHd0JmQWlVb2tZlzOHvdlxx6GBoKE6E4Z3cYi1OYi7TV9jZkiEGTeQFP3VmeI6pXzMR",
        "https://vtbehaviour.commondatastorage.googleapis.com/26635326e74a93872df8e8c2cb62d97975d4b8fecc47f1fb095f5edaea35d24e_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779428517&Signature=DU4VOy7yITJdQXs7DOFeKHRKp%2Br9mKpD9h%2BzEGEaWFaglZT%2BclhwHRdwBHsCzL3esOya6J8S6kTLGWityOyu9TZDMqfQCfMp2jrPQX0U11wTs9NTbFlQVPiFCuOcmW%2BCNCN6h3I6vc5O5HfqTq6Hbpn1lI4N5nYcPJqVw993JXQDQ6o00cH6Txboc9yIeqp31lJFhP75yloqdbqBtVFTI3bqPTd4C83AS0015IRL8zpZo%2BKa1nuGpj7FIFXb"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1012",
          "name": "Query Registry",
          "display_name": "T1012 - Query Registry"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1070",
          "name": "Indicator Removal on Host",
          "display_name": "T1070 - Indicator Removal on Host"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1112",
          "name": "Modify Registry",
          "display_name": "T1112 - Modify Registry"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1485",
          "name": "Data Destruction",
          "display_name": "T1485 - Data Destruction"
        },
        {
          "id": "T1486",
          "name": "Data Encrypted for Impact",
          "display_name": "T1486 - Data Encrypted for Impact"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1548",
          "name": "Abuse Elevation Control Mechanism",
          "display_name": "T1548 - Abuse Elevation Control Mechanism"
        },
        {
          "id": "T1564",
          "name": "Hide Artifacts",
          "display_name": "T1564 - Hide Artifacts"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1095",
          "name": "Non-Application Layer Protocol",
          "display_name": "T1095 - Non-Application Layer Protocol"
        },
        {
          "id": "T1574",
          "name": "Hijack Execution Flow",
          "display_name": "T1574 - Hijack Execution Flow"
        },
        {
          "id": "T1539",
          "name": "Steal Web Session Cookie",
          "display_name": "T1539 - Steal Web Session Cookie"
        },
        {
          "id": "T1106",
          "name": "Native API",
          "display_name": "T1106 - Native API"
        },
        {
          "id": "T1014",
          "name": "Rootkit",
          "display_name": "T1014 - Rootkit"
        },
        {
          "id": "T1202",
          "name": "Indirect Command Execution",
          "display_name": "T1202 - Indirect Command Execution"
        },
        {
          "id": "T1496",
          "name": "Resource Hijacking",
          "display_name": "T1496 - Resource Hijacking"
        },
        {
          "id": "T1542",
          "name": "Pre-OS Boot",
          "display_name": "T1542 - Pre-OS Boot"
        },
        {
          "id": "T1553",
          "name": "Subvert Trust Controls",
          "display_name": "T1553 - Subvert Trust Controls"
        },
        {
          "id": "T1033",
          "name": "System Owner/User Discovery",
          "display_name": "T1033 - System Owner/User Discovery"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1053",
          "name": "Scheduled Task/Job",
          "display_name": "T1053 - Scheduled Task/Job"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        },
        {
          "id": "T1010",
          "name": "Application Window Discovery",
          "display_name": "T1010 - Application Window Discovery"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 638,
        "FileHash-SHA1": 366,
        "FileHash-SHA256": 1441,
        "IPv4": 377,
        "URL": 1697,
        "domain": 404,
        "hostname": 873,
        "CIDR": 1,
        "Mutex": 1,
        "IPv6": 19,
        "email": 9
      },
      "indicator_count": 5826,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 66,
      "modified_text": "9 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6692440efac39f5213329f13",
      "name": "Mustang Panda: Oxypumper | Ransom Suspicious verifier SpyTox",
      "description": "Mustang Panda is an alleged;China-based' non-governmental cyber espionage threat actor that was first observed in 2017. Targeting non-governmental civilians. Likely target is in many bot networks. Potential HoneyPot, this tool makes itself visible to target when researching the validity of an email or phone number. Notable for Gand Crane ransomware text embedded in SpyTox page image. Injection process observed. Affects most types of devices including iOS and Android. Critical issues found. IP's registrar's, domains 'not' contacted.\n\nHackers, harassment, cybercrime, cyber espionage.",
      "modified": "2024-08-12T08:04:00.041000",
      "created": "2024-07-13T09:08:30.431000",
      "tags": [
        "historical ssl",
        "referrer",
        "june",
        "october",
        "july",
        "hacker",
        "pe resource",
        "mustang panda",
        "plugx",
        "cryptbot",
        "threat roundup",
        "december",
        "process32nextw",
        "regsetvalueexa",
        "x00x00",
        "regdword",
        "memcommit",
        "high",
        "regbinary",
        "okrnserver",
        "regsetvalueexw",
        "download",
        "copy",
        "as15169 google",
        "united",
        "aaaa",
        "unknown",
        "gmt path",
        "passive dns",
        "search",
        "cname",
        "showing",
        "cookie",
        "ascii text",
        "pattern match",
        "error",
        "null",
        "typeerror",
        "sha1",
        "mitre att",
        "et tor",
        "known tor",
        "date",
        "infinity",
        "onload",
        "trident",
        "android",
        "void",
        "hybrid",
        "local",
        "encrypt",
        "click",
        "strings",
        "generator",
        "third-party-cookies",
        "text/html",
        "trackers",
        "external-resources",
        "iframes",
        "entries",
        "status",
        "name servers",
        "urls",
        "next",
        "nxdomain",
        "susp",
        "a nxdomain",
        "domain",
        "win32",
        "as62597",
        "france unknown",
        "for privacy",
        "moved",
        "a domains",
        "meta",
        "gmt cache",
        "trojan",
        "creation date",
        "record value",
        "script urls",
        "as55293 a2",
        "as44273 host",
        "canada unknown",
        "scan endpoints",
        "all scoreblue",
        "pulse pulses",
        "files",
        "ip address",
        "location canada",
        "443 ma2592000",
        "code",
        "trojanspy",
        "type",
        "ipv4",
        "twitter",
        "trojandropper",
        "find",
        "form",
        "less see",
        "formbook cnc",
        "checkin",
        "a li",
        "li ul",
        "cycbot",
        "emails",
        "as20940",
        "as54113",
        "asnone denmark",
        "worm",
        "asnone",
        "as4230 claro",
        "refloadapihash",
        "salicode",
        "div div",
        "wi fi",
        "orion wi",
        "orion",
        "a div",
        "div section",
        "orion logo",
        "target",
        "fast",
        "contact",
        "open",
        "virtool",
        "content type",
        "found",
        "http response",
        "final url",
        "status code",
        "body length",
        "kb body",
        "sha256",
        "headers",
        "ubuntu",
        "accept",
        "keepalive",
        "site",
        "find people",
        "numbers",
        "sptox",
        "utc google",
        "html info",
        "title spytox",
        "emails meta",
        "tags viewport",
        "spytox og",
        "type win32",
        "exe size",
        "mb first",
        "seen",
        "file name",
        "avg win32",
        "fortinet",
        "double click",
        "solutions",
        "domains",
        "sneaky server",
        "replacement",
        "unauthorized",
        "malware http",
        "core",
        "sim unlock",
        "emotet",
        "ta569",
        "critical",
        "pe32",
        "intel",
        "ms windows",
        "ms visual",
        "win32 dynamic",
        "link library",
        "win16 ne",
        "pe32 protector",
        "confuser",
        "confuserex",
        "checker",
        "samplename",
        "bonusbitcoin",
        "xslayer",
        "samplepath",
        "names",
        "details",
        "header intel",
        "name md5",
        "language",
        "contained",
        "rticon neutral",
        "ico rtgroupicon",
        "neutral",
        "assembly common",
        "clr version",
        "assembly name",
        "metadata header",
        "entry point",
        "rva entry",
        "strong name",
        "streams size",
        "entropy chi2",
        "ip detections",
        "country",
        "executable",
        "info header",
        "allmul vbaget4",
        "adjfprem ord",
        "data rtversion",
        "generic",
        "file type",
        "win32 exe",
        "kb file",
        "graph",
        "user",
        "windir",
        "downloads",
        "written c",
        "files deleted",
        "dropped c",
        "process",
        "logistics",
        "cyber defense",
        "brazzers",
        "tsara brashears",
        "gpt analyzer",
        "apple private",
        "data collection",
        "twitter andor",
        "snatch",
        "ransomware",
        "default",
        "rticon english",
        "type name",
        "data",
        "getfilesize",
        "getdc copyimage",
        "rticon russian",
        "pe32 executable",
        "borland delphi",
        "delphi generic",
        "dos borland",
        "hkcuclsid",
        "registry keys",
        "hkcrclsid",
        "file system",
        "settings c",
        "files c",
        "shared c",
        "sharedink c",
        "hostname",
        "as29791",
        "as8426 claranet",
        "malware",
        "network",
        "apple ios",
        "apple",
        "tmobile metro",
        "apeaksoft ios",
        "spybanker",
        "remcos",
        "adwind",
        "njrat",
        "guloader",
        "banload",
        "asyncrat",
        "arkeistealer",
        "danabot",
        "nordvpnsetup",
        "kb graph",
        "summary",
        "sharedinkarsa c",
        "sharedinkbgbg c",
        "sharedinkcscz c",
        "sharedinkdadk c",
        "gmt etag",
        "x amz",
        "body",
        "body html",
        "bq jul",
        "et trojan",
        "v4inhxvlhx0",
        "medium",
        "memreserve",
        "checks amount",
        "t1082",
        "module load",
        "e weowe64e",
        "edelepexe",
        "e rev",
        "weinedoewse net",
        "ransom",
        "show",
        "filehash",
        "related",
        "reverse dns",
        "haut",
        "servers",
        "pulse submit",
        "as3215 orange",
        "france",
        "backdoor",
        "paris",
        "honeypot",
        "python",
        "callback phishing",
        "teams",
        "porn related",
        "harassment"
      ],
      "references": [
        "https://www.spytox.com/ | Malicious Phone number & eMail verifier. HoneyPotNetBot?",
        "Alerts: disables_security network_icmp modifies_certificates modifies_proxy_wpad multiple_useragents injection_resumethread",
        "Antivirus Detections: Win.Malware.Oxypumper-6900445-0",
        "IDS Detections: Win32/QwertMiner CoinMiner Dropper CnC Checkin M2 | IDS Detections: Terse Named Filename EXE Download - Possibly Hostile",
        "IDS Detections: HTTP Executable Download from suspicious domain with direct request/fake browser (multiple families)",
        "IDS Detections: DNS Query for Suspicious .ml Domain | DNS Query for Suspicious .ga Domain | Domain External IP Lookup ip-api.com | Win32/QwertMiner Suspicious UA (jdlnb)",
        "Win.Malware.Oxypumper-6900445-0: FileHash-SHA1  05e520126ee1100c98263bfbd5a6ff0ce6ace4f7",
        "Win.Malware.Oxypumper-6900445-0: FileHash-MD5 2d84a619d4bd339f860cb48af0c9b6c8",
        "Win.Malware.Oxypumper-6900445-0: FileHash-SHA 256365ffde7df914840eb21c96f34c39912a4b031e3814b8e902b67acee6dff65a1",
        "Interesting: https://otx.alienvault.com/indicator/url/http://google.com.ge/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&ved=0CCoQFjAA&url=http%3A%2F%2Ft1t.us%2F&ei=9H0XU4rwPKXOygP_8IL4Bw&usg=AFQjCNEgQ29Mke-UahuBZ5wqWav04lFYvA&sig2=9-57Skjm2Hu4tg-e8iysQA&bvm=bv.62286460,d.bGQ",
        "google.com.ge , google.kiteflier.top, google.pf, google.com.ht, http://philsinstallation.com/, www.orion.area120.com ?, https://degoogle.xyz/feed/",
        "https://hybrid-analysis.com/sample/89fb2bccca6342d8fe50bd8b9763a6c829fd1bfe4fe2eccb251bd7e060f0d168/6691b5695751a70ec9041622",
        "Ransomware Detected: text artifact in screenshot indicates file may be ransomware details \"Antivirus\" (Source: screen_11.png, Indicator: \"virus\")",
        "scanning_hosts:  138.197.217.6,  IPv4 142.251.18.103, IPv4 142.251.31.99",
        "Backdoor:Win32/Plugx: FileHash-SHA256 a3ff97a0d338fd47e0af6822c4ee762491fc39028af984fe7ff8a1b6948fafe9",
        "Backdoor:Win32/Plugx: FileHash-MD5 63ebfbad26a529929927b9b485faa18a",
        "Antivirus Detections: Win32:TrojanX-gen\\ [Trj] , Win.Malware.Generickdz-6914893-0, Backdoor:Win32/Plugx",
        "Yara Detections: SUSP_NET_NAME_ConfuserEx , Delphi Alerts: network_icmp",
        "iPhone: 8.0.1.iphone.com.nextradiotv.bfmtv.adsenseformobileapps.com",
        "iPhone: 5.100.3.iphone.com.tranzmate.tranzmate1.adsenseformobileapps.com",
        "iPhone: 3.65.0.iphone.com.shotzoom.tourcaddie.adsenseformobileapps.com",
        "iPhone: 1.2.6.iphone.com.qijitech.themes.adsenseformobileapps.com",
        "iOS: http://www.au-petit-cafe-hollywood.com/guestbook/index.php?_sm_byp=iVVJNj4pQQp0ZsWB%3Eshowbox%20install%20iphone%3C/a%3E",
        "Interesting: www1.xxx.ddns.info | https://sgpelvicfloor.in/wp-admin/ZDCpqfZDmM5x9MxAaxxX/",
        "DotNET_Crypto_Obfuscator",
        "Antivirus Detections: ALF:HSTR:Adware:Win32/iBryte!bit ,  ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47 ,  PWS:Win32/QQpass.B!MTB ,",
        "Antivirus Detections: Trojan:Win32/Bulta!rfn ,  TrojanDownloader:Win32/Cutwail ,  TrojanDropper:Win32/Loring ,  TrojanSpy:Win32/Nivdort.CB ,",
        "Antivirus Detections: TrojanSpy:Win32/Nivdort.CW ,  TrojanSpy:Win32/Nivdort.DA ,  TrojanSpy:Win32/Nivdort.DB ... ,  TrojanSpy:Win32/Nivdort.CB ,  TrojanSpy:Win32/Nivdort.CW ,  TrojanSpy:Win32/Nivdort.DA",
        "IDS Detections: Adware.iBryte.Z Checkin W32/iBryte.Adware Installer Download, Kazy/Kryptor/Cycbot Trojan Checkin 2,",
        "IDS Detections: FormBook CnC Checkin (GET) W32/iBryte.Adware Affiliate Campaign Executable Download ...",
        "https://otx.alienvault.com/indicator/ip/216.40.34.41",
        "Checker By X-SLAYER.exe: 74ca7f6f723a57dc22625eb26214f85689216859388c1f93503728dae8929b97",
        "ns2.tsaratsovo.net",
        "FormBook: FileHash-SHA256 d329608064b13006e73309a6f6a819b6bc1392b80ad01946d04719da0b680955",
        "FormBook: FileHash-SHA1 205a7931e145b05ac6040690d7a2b862b4a1ec79",
        "FormBook: FileHash-MD5 FileHash-MD5 60b8487a9ddc166fbae45d611a0b6848",
        "DotNET_Crypto_Obfuscator",
        "Antivirus Detections: Win32:MalwareX-gen\\ [Trj]",
        "IDS Detections: FormBook CnC Checkin (GET) 403 Forbidden Yara Detections: MAL_RANSOM_COVID19_Apr20_1 ,  DotNET_DotFuscator",
        "Alerts: nids_malware_alert injection_runpe network_icmp network_cnc_http network_http allocates_rwx",
        "Alerts: antisandbox_sleep creates_exe privilege_luid_check checks_debugger",
        "https://otx.alienvault.com/indicator/file/1c954b67c62b161d839434243ebe4b9dfe2b790a91eb968ecbfbfae53a414e29",
        "Antivirus Detections: Win32:MalwareX-gen\\ [Trj] ,  Win.Ransomware.Gandcrab-9967304-0 ,  Ransom:Win32/GandCrab.AE",
        "Yara Detections ReflectiveLoader ,  Win32_Ransomware_GandCrab ,  stack_string",
        "Ransom:Win32/GandCrab.AE: FileHash-SHA256 941ea65563f1b06080075ccafa8180118f65f3c8a4cca038654f0aba5cd0f5fc",
        "Ransom:Win32/GandCrab.AE: FileHash-SHA1 fe29cb8324de15bccfe5055a65ea36141fb794c9",
        "Ransom:Win32/GandCrab.AE: FileHash-MD5 f72bcc0d841008c1e8250a3df1182fd5",
        "1.2.6.iphone.com.qijitech.themes.adsenseformobileapps.com. 2.android.com.vance.advanced.tubevanced.adsenseformobileapps.com",
        "mobileview.page, 3.65.0.iphone.com.shotzoom.tourcaddie.adsenseformobileapps.com,",
        "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowled",
        "https://www.YouTube.com/polebote"
      ],
      "public": 1,
      "adversary": "Mustang Panda",
      "targeted_countries": [
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "Win.Malware.Oxypumper-6900445-0",
          "display_name": "Win.Malware.Oxypumper-6900445-0",
          "target": null
        },
        {
          "id": "Backdoor:Win32/Plugx",
          "display_name": "Backdoor:Win32/Plugx",
          "target": "/malware/Backdoor:Win32/Plugx"
        },
        {
          "id": "TrojanSpy",
          "display_name": "TrojanSpy",
          "target": null
        },
        {
          "id": "Cycbot",
          "display_name": "Cycbot",
          "target": null
        },
        {
          "id": "Ransom:Win32/GandCrab.AE",
          "display_name": "Ransom:Win32/GandCrab.AE",
          "target": "/malware/Ransom:Win32/GandCrab.AE"
        },
        {
          "id": "Backdoor:Win32/Tofsee.T",
          "display_name": "Backdoor:Win32/Tofsee.T",
          "target": "/malware/Backdoor:Win32/Tofsee.T"
        },
        {
          "id": "TrojanDropper:Win32/Tofsee",
          "display_name": "TrojanDropper:Win32/Tofsee",
          "target": "/malware/TrojanDropper:Win32/Tofsee"
        }
      ],
      "attack_ids": [
        {
          "id": "T1047",
          "name": "Windows Management Instrumentation",
          "display_name": "T1047 - Windows Management Instrumentation"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1060",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1060 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1119",
          "name": "Automated Collection",
          "display_name": "T1119 - Automated Collection"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1553",
          "name": "Subvert Trust Controls",
          "display_name": "T1553 - Subvert Trust Controls"
        },
        {
          "id": "T1568",
          "name": "Dynamic Resolution",
          "display_name": "T1568 - Dynamic Resolution"
        },
        {
          "id": "T1583",
          "name": "Acquire Infrastructure",
          "display_name": "T1583 - Acquire Infrastructure"
        },
        {
          "id": "T1583.001",
          "name": "Domains",
          "display_name": "T1583.001 - Domains"
        },
        {
          "id": "T1059.007",
          "name": "JavaScript",
          "display_name": "T1059.007 - JavaScript"
        },
        {
          "id": "T1553.002",
          "name": "Code Signing",
          "display_name": "T1553.002 - Code Signing"
        },
        {
          "id": "T1518.001",
          "name": "Security Software Discovery",
          "display_name": "T1518.001 - Security Software Discovery"
        },
        {
          "id": "T1568.002",
          "name": "Domain Generation Algorithms",
          "display_name": "T1568.002 - Domain Generation Algorithms"
        },
        {
          "id": "T1595",
          "name": "Active Scanning",
          "display_name": "T1595 - Active Scanning"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1583.005",
          "name": "Botnet",
          "display_name": "T1583.005 - Botnet"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1598",
          "name": "Phishing for Information",
          "display_name": "T1598 - Phishing for Information"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 71,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "scoreblue",
        "id": "254100",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 568,
        "FileHash-SHA1": 537,
        "FileHash-SHA256": 4887,
        "URL": 4773,
        "domain": 2346,
        "hostname": 1884,
        "SSLCertFingerprint": 15,
        "email": 16,
        "CVE": 1
      },
      "indicator_count": 15027,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 238,
      "modified_text": "657 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "66141ecabe8f1ab189351dd3",
      "name": "Tofsee Botnet: Google.com.uy | Install | Injection | Pegasus Monitoring",
      "description": "Installed remotely by nefarious actor by Trojan dropper. Typically not install via PlayStore/AppStore; can be with severe compromise/ VPNs will be fake. Examples: 1.1.1.1, 1.1.1.4, Proton AG or Proton.ch. Not visible: [.uy.]. All data, monitored, manipulated, tracked, location,  vehicle tracking, webcams, IP track, data cryptocurrency mining, tracked 24/7, collection, DDoS attacks, ransom, full CnC.\nTweakers.net, .bv , etc., observed, pegasus related",
      "modified": "2024-05-08T16:00:34.588000",
      "created": "2024-04-08T16:43:54.908000",
      "tags": [
        "installer",
        "tofsee",
        "trojan",
        "dropper",
        "dns",
        "as20940",
        "united",
        "aaaa",
        "as15703",
        "search",
        "servers",
        "as8455 schuberg",
        "a domains",
        "encrypt",
        "code",
        "tweakers",
        "unknown",
        "ransom",
        "body",
        "webcams",
        "banker",
        "location tracking",
        "vehicle tracking",
        "device tracking",
        "exploitation",
        "redirects",
        "ip tracking",
        "vpn nullify",
        "vehicle keycodes",
        "search threat",
        "analyzer feeds",
        "panel platform",
        "search platform",
        "profile user",
        "iocs",
        "redacted for",
        "passive dns",
        "all scoreblue",
        "hostname",
        "next",
        "cnc",
        "scanning host",
        "milesone",
        "virtual currency mining",
        "crypto",
        "regsetvalueexa",
        "regdword",
        "default",
        "show",
        "regbinary",
        "read c",
        "settingswpad",
        "as15169",
        "malware",
        "copy",
        "write",
        "upatre",
        "ids detections",
        "scan endpoints",
        "filehash",
        "av detections",
        "yara detections",
        "alerts",
        "analysis date",
        "file score",
        "ransom",
        "related pulses",
        "entries",
        "icmp traffic",
        "packing t1045",
        "t1045",
        "pe resource",
        "august",
        "win32",
        "for privacy",
        "creation date",
        "name servers",
        "urls",
        "date",
        "status",
        "as15169 google",
        "as44273 host",
        "ipv4",
        "pulse submit",
        "url analysis",
        "msie",
        "chrome",
        "moved",
        "title",
        "gmt content",
        "apple",
        "invalidate_gift_cards",
        "tulach rebranded",
        "hallrender rebranded",
        "as8075",
        "verdana",
        "td tr",
        "domain",
        "germany unknown",
        "as34011 host",
        "etag",
        "medium",
        "module load",
        "invalidate_google_play",
        "algorithm",
        "v3 serial",
        "number",
        "key algorithm",
        "key identifier",
        "subject key",
        "identifier",
        "x509v3 key",
        "usage",
        "x509v3 extended",
        "info",
        "first",
        "win32 exe",
        "win32 dll",
        "javascript",
        "mozilla firefox",
        "edition",
        "detections type",
        "name",
        "keeweb",
        "setup",
        "firefox setup",
        "record type",
        "ttl value",
        "android",
        "files",
        "formbook",
        "critical cmd",
        "tracker",
        "tsara brashears",
        "remote",
        "historical ssl",
        "referrer",
        "march",
        "body html",
        "head meta",
        "moved title",
        "head body",
        "pegasus",
        "nemtih",
        "hit",
        "men",
        "gift_card_mining",
        "google_play_card_mining",
        "miner",
        "htmladodb may",
        "twitter",
        "win64",
        "as21342",
        "as2914 ntt",
        "as15334",
        "error",
        "certificate",
        "checkbox",
        "accept",
        "record value",
        "emails",
        "domain name"
      ],
      "references": [
        "Virustotal  - google.com.uy",
        "https://hybrid-analysis.com/sample/79c5841a534b53013389ba76326a067895bdf5e41ad279d82b2002f6c8f2cda6",
        "http://www.50calpaintballshop.com/phpinfo.php?a[]=lost+my+mercedes+key>Mercedes+benz+Key+programmer",
        "http://www.50calpaintballshop.com/phpinfo.php?a[]=lost+my+mercedes+key",
        "http://www.50calpaintballshop.com/phpinfo.php?a[]=webcam+models+livecambabes.webcam>korean+webcam+models",
        "http://www.50calpaintballshop.com/phpinfo.php?a[]=www.livecambabes.Webcam>sexy+girls+dildoing",
        "http://www.50calpaintballshop.com/phpinfo.php?a[]=avon+representative>50calpaintballshop.com>avon+representative+directory [Beware: redirects]",
        "http://www.50calpaintballshop.com/phpinfo.php?a[]=how+to+join+avon+uk>how+do+i+join+avon+online [redirects to fraud representatives]",
        "Reports of victims meeting fraud direct sales reps in home/coffee shops. Reps store PII, financial, SSN# on device. Orders in victims name. ID theft ring",
        "https://www.herbgordonsubaru.com/?ddcref=careconnect_NM102-01&utm_campaign=newsconnect&utm_medium=email&utm_source=careconnect",
        "https://www.herbgordonsubaru.com/new-inventory/index?search=&model=Outback&utm_source=careconnect&utm_medium=email&utm_campaign=marketdriver-sales&ddcref=careconnect_marketdriversales",
        "nr-data.net [Apple Private Data Collection]",
        "checkip.dyndns.org [command and control]",
        "checkip.dyndns.org Alerts: dead_host network_icmp nolookup_communication modifies_proxy_wpad packer_polymorphic recon_beacon",
        "144.76.108.82 [scanning host]",
        "Yara Detections PEtite24",
        "FormBook IP: 142.251.211.243",
        "https://pegasusm2.bullsbikesusa.com",
        "https://microcenterinsider.com/pub/cc?_ri_=X0Gzc2X=AQpglLjHJlTQG0amRRrN1tkKAFGSTzdEjURWMTwh5gzdnK5Wo4uRBMFITdmoHEE1NzdwpzaEqrzcUkeItzbfVXtpKX=BATA"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America",
        "Netherlands"
      ],
      "malware_families": [
        {
          "id": "Tofsee",
          "display_name": "Tofsee",
          "target": null
        },
        {
          "id": "Trojan:MSIL/TrojanDropper",
          "display_name": "Trojan:MSIL/TrojanDropper",
          "target": "/malware/Trojan:MSIL/TrojanDropper"
        },
        {
          "id": "Installer",
          "display_name": "Installer",
          "target": null
        },
        {
          "id": "Sf:Agent-DQ\\ [Trj]",
          "display_name": "Sf:Agent-DQ\\ [Trj]",
          "target": null
        },
        {
          "id": "TrojanDownloader:Win32/Upatre!rfn",
          "display_name": "TrojanDownloader:Win32/Upatre!rfn",
          "target": "/malware/TrojanDownloader:Win32/Upatre!rfn"
        },
        {
          "id": "Win32:DropperX-gen\\ [Drp]",
          "display_name": "Win32:DropperX-gen\\ [Drp]",
          "target": null
        },
        {
          "id": "Win.Trojan.Tofsee-9770082-1",
          "display_name": "Win.Trojan.Tofsee-9770082-1",
          "target": null
        },
        {
          "id": "Ransom:Win32/StopCrypt.AK!MTB",
          "display_name": "Ransom:Win32/StopCrypt.AK!MTB",
          "target": "/malware/Ransom:Win32/StopCrypt.AK!MTB"
        }
      ],
      "attack_ids": [
        {
          "id": "T1059.007",
          "name": "JavaScript",
          "display_name": "T1059.007 - JavaScript"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1100",
          "name": "Web Shell",
          "display_name": "T1100 - Web Shell"
        },
        {
          "id": "T1583.005",
          "name": "Botnet",
          "display_name": "T1583.005 - Botnet"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1071.004",
          "name": "DNS",
          "display_name": "T1071.004 - DNS"
        },
        {
          "id": "T1574.005",
          "name": "Executable Installer File Permissions Weakness",
          "display_name": "T1574.005 - Executable Installer File Permissions Weakness"
        },
        {
          "id": "T1449",
          "name": "Exploit SS7 to Redirect Phone Calls/SMS",
          "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
        },
        {
          "id": "T1493",
          "name": "Transmitted Data Manipulation",
          "display_name": "T1493 - Transmitted Data Manipulation"
        },
        {
          "id": "T1029",
          "name": "Scheduled Transfer",
          "display_name": "T1029 - Scheduled Transfer"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "TA0011",
          "name": "Command and Control",
          "display_name": "TA0011 - Command and Control"
        },
        {
          "id": "T1013",
          "name": "Port Monitors",
          "display_name": "T1013 - Port Monitors"
        },
        {
          "id": "T1430",
          "name": "Location Tracking",
          "display_name": "T1430 - Location Tracking"
        },
        {
          "id": "T1468",
          "name": "Remotely Track Device Without Authorization",
          "display_name": "T1468 - Remotely Track Device Without Authorization"
        },
        {
          "id": "T1450",
          "name": "Exploit SS7 to Track Device Location",
          "display_name": "T1450 - Exploit SS7 to Track Device Location"
        },
        {
          "id": "T1553.002",
          "name": "Code Signing",
          "display_name": "T1553.002 - Code Signing"
        },
        {
          "id": "T1114",
          "name": "Email Collection",
          "display_name": "T1114 - Email Collection"
        },
        {
          "id": "T1483",
          "name": "Domain Generation Algorithms",
          "display_name": "T1483 - Domain Generation Algorithms"
        },
        {
          "id": "T1071.003",
          "name": "Mail Protocols",
          "display_name": "T1071.003 - Mail Protocols"
        },
        {
          "id": "T1448",
          "name": "Carrier Billing Fraud",
          "display_name": "T1448 - Carrier Billing Fraud"
        },
        {
          "id": "T1472",
          "name": "Generate Fraudulent Advertising Revenue",
          "display_name": "T1472 - Generate Fraudulent Advertising Revenue"
        },
        {
          "id": "T1040",
          "name": "Network Sniffing",
          "display_name": "T1040 - Network Sniffing"
        },
        {
          "id": "T1045",
          "name": "Software Packing",
          "display_name": "T1045 - Software Packing"
        },
        {
          "id": "T1119",
          "name": "Automated Collection",
          "display_name": "T1119 - Automated Collection"
        },
        {
          "id": "T1060",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1060 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 40,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "scoreblue",
        "id": "254100",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 392,
        "FileHash-SHA1": 468,
        "FileHash-SHA256": 3233,
        "URL": 8667,
        "domain": 2219,
        "hostname": 3480,
        "email": 8
      },
      "indicator_count": 18467,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 235,
      "modified_text": "752 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "657091100e9f5aa6eb534fb4",
      "name": "vmt/geosite.dat at main \u00b7 wegare123/vmt \u00b7 GitHub -  brocaproject.com - hmmm  cert ca issue",
      "description": "",
      "modified": "2023-12-06T15:19:44.839000",
      "created": "2023-12-06T15:19:44.839000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 5,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "StreamMiningEx",
        "id": "262917",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 2410,
        "hostname": 3653,
        "domain": 2723,
        "URL": 442
      },
      "indicator_count": 9228,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 110,
      "modified_text": "906 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "62ef13ad6547ed183dba3f3c",
      "name": "vmt/geosite.dat at main \u00b7 wegare123/vmt \u00b7 GitHub -  brocaproject.com - hmmm  cert ca issue",
      "description": "see im reading that domain as bro ca project",
      "modified": "2022-08-07T01:21:49.761000",
      "created": "2022-08-07T01:21:49.761000",
      "tags": [
        "strong",
        "github",
        "jump",
        "github desktop",
        "sign",
        "iosrulescript",
        "quantumult",
        "boxjs",
        "chouchoui",
        "code issues",
        "contact",
        "star",
        "desktop",
        "stars",
        "footer",
        "view",
        "pull",
        "wiki security",
        "unicode",
        "copy",
        "wegare123vmt",
        "phoenix",
        "jquery",
        "discord",
        "ruby",
        "chinaz",
        "startpage"
      ],
      "references": [
        "geosite.dat.html",
        "https://github.com/blackmatrix7/ios_rule_script"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1010",
          "name": "Application Window Discovery",
          "display_name": "T1010 - Application Window Discovery"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 11,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "dorkingbeauty1",
        "id": "80137",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 2410,
        "hostname": 3653,
        "URL": 442,
        "domain": 2723
      },
      "indicator_count": 9228,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 395,
      "modified_text": "1393 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6265af4c6414d087b17443cc",
      "name": "google gmail account login source code for UK teenage account",
      "description": "",
      "modified": "2022-05-25T00:04:03.622000",
      "created": "2022-04-24T20:13:00.304000",
      "tags": [],
      "references": [
        "<html><head><meta charset=%22UTF-8%22><meta content=%22width=device-width\u2026.pdf"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 3,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "dorkingbeauty1",
        "id": "80137",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 393,
        "domain": 26,
        "hostname": 102,
        "URL": 250
      },
      "indicator_count": 771,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 393,
      "modified_text": "1467 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6265af6f8b7642ed2c060cda",
      "name": "google gmail account login source code for UK teenage account",
      "description": "",
      "modified": "2022-04-24T20:13:35.115000",
      "created": "2022-04-24T20:13:35.115000",
      "tags": [],
      "references": [
        "<html><head><meta charset=%22UTF-8%22><meta content=%22width=device-width\u2026.pdf"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 3,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "dorkingbeauty1",
        "id": "80137",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 2,
        "domain": 6,
        "hostname": 2,
        "URL": 4
      },
      "indicator_count": 14,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 393,
      "modified_text": "1497 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "google.li",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "google.li",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780237561.981064
}