{
  "type": "URL",
  "indicator": "http://drupal.org",
  "general": {
    "sections": [
      "general",
      "url_list",
      "http_scans",
      "screenshot"
    ],
    "indicator": "http://drupal.org",
    "type": "url",
    "type_title": "URL",
    "validation": [
      {
        "source": "whitelist",
        "message": "Whitelisted domain drupal.org",
        "name": "Whitelisted domain"
      },
      {
        "source": "majestic",
        "message": "Whitelisted domain drupal.org",
        "name": "Whitelisted domain"
      }
    ],
    "base_indicator": {
      "id": 2603725462,
      "indicator": "http://drupal.org",
      "type": "URL",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 26,
      "pulses": [
        {
          "id": "6a1172cd479d8218e859db0c",
          "name": "Rain + Acid; Questionable Civil Rights Violations.",
          "description": "[The full list of names and addresses for Akamai, the world's largest web hosting company, has been released..and it is not clear how many of them have been registered or used] <the first time I agree with pretext.",
          "modified": "2026-05-23T09:36:11.136000",
          "created": "2026-05-23T09:26:37.608000",
          "tags": [
            "akamai",
            "orgid",
            "akamai ref",
            "net173",
            "net1730000",
            "orgtechhandle",
            "steven jay",
            "orgname",
            "cidr",
            "noc united",
            "orgabusehandle",
            "nethandle",
            "key identifier",
            "x509v3 subject",
            "full name",
            "v3 serial",
            "number",
            "cus cndigicert",
            "tls rsa",
            "sha256",
            "ca1 odigicert",
            "inc validity",
            "city",
            "kam sze",
            "verisign",
            "date",
            "server",
            "data",
            "whois database",
            "whois",
            "registrar abuse",
            "repackaging",
            "registrars",
            "icann whois",
            "form",
            "email",
            "request email",
            "stateprovince",
            "whois status",
            "tech",
            "address range",
            "network name",
            "type",
            "status",
            "whois server",
            "entity akamai",
            "handle",
            "orgtechref",
            "akamai address",
            "broadway city",
            "postalcode",
            "orgtechphone",
            "label akamai",
            "arin country",
            "us continent",
            "services",
            "net192",
            "net1920000",
            "as14153",
            "as15133",
            "edgec25",
            "w jefferson",
            "blvd",
            "algorithm",
            "cus odigicert",
            "cngeotrust tls",
            "rsa ca",
            "g1 validity",
            "subject public",
            "serving ip",
            "address",
            "status code",
            "body length",
            "kb body",
            "responsibility",
            "learn",
            "citizen verizon",
            "drupal",
            "corporate",
            "utc google",
            "tag manager",
            "gtmpz6697q",
            "utc g22l6jkpfvc",
            "utc linkedin",
            "insight tag",
            "utc adobe",
            "dynamic tag",
            "sameorigin",
            "date wed",
            "miss setcookie",
            "secure",
            "httponly",
            "unix",
            "cachecontrol",
            "html info",
            "title",
            "ip address",
            "stworld",
            "stworld og",
            "uetsid",
            "sctr",
            "pinunauth",
            "awsalb",
            "udnsntcsession",
            "tdid",
            "qplatform mfapp",
            "adrollfpc",
            "arv4",
            "udnsntcs",
            "interim sim",
            "newegg",
            "verizon",
            "buy verizon",
            "card",
            "newegg shopping",
            "ver2",
            "vids1",
            "msclkidn"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CIDR": 3,
            "FileHash-SHA256": 316,
            "FileHash-SHA1": 4,
            "domain": 96,
            "hostname": 279,
            "URL": 267,
            "IPv4": 8,
            "email": 11,
            "FileHash-MD5": 12,
            "Mutex": 1,
            "URI": 1
          },
          "indicator_count": 998,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 66,
          "modified_text": "8 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "6a1172cb47ba739f26d5dbd6",
          "name": "Rain + Acid; Questionable Civil Rights Violations.",
          "description": "[The full list of names and addresses for Akamai, the world's largest web hosting company, has been released..and it is not clear how many of them have been registered or used] <the first time I agree with pretext.",
          "modified": "2026-05-23T09:28:45.751000",
          "created": "2026-05-23T09:26:35.365000",
          "tags": [
            "akamai",
            "orgid",
            "akamai ref",
            "net173",
            "net1730000",
            "orgtechhandle",
            "steven jay",
            "orgname",
            "cidr",
            "noc united",
            "orgabusehandle",
            "nethandle",
            "key identifier",
            "x509v3 subject",
            "full name",
            "v3 serial",
            "number",
            "cus cndigicert",
            "tls rsa",
            "sha256",
            "ca1 odigicert",
            "inc validity",
            "city",
            "kam sze",
            "verisign",
            "date",
            "server",
            "data",
            "whois database",
            "whois",
            "registrar abuse",
            "repackaging",
            "registrars",
            "icann whois",
            "form",
            "email",
            "request email",
            "stateprovince",
            "whois status",
            "tech",
            "address range",
            "network name",
            "type",
            "status",
            "whois server",
            "entity akamai",
            "handle",
            "orgtechref",
            "akamai address",
            "broadway city",
            "postalcode",
            "orgtechphone",
            "label akamai",
            "arin country",
            "us continent",
            "services",
            "net192",
            "net1920000",
            "as14153",
            "as15133",
            "edgec25",
            "w jefferson",
            "blvd",
            "algorithm",
            "cus odigicert",
            "cngeotrust tls",
            "rsa ca",
            "g1 validity",
            "subject public",
            "serving ip",
            "address",
            "status code",
            "body length",
            "kb body",
            "responsibility",
            "learn",
            "citizen verizon",
            "drupal",
            "corporate",
            "utc google",
            "tag manager",
            "gtmpz6697q",
            "utc g22l6jkpfvc",
            "utc linkedin",
            "insight tag",
            "utc adobe",
            "dynamic tag",
            "sameorigin",
            "date wed",
            "miss setcookie",
            "secure",
            "httponly",
            "unix",
            "cachecontrol",
            "html info",
            "title",
            "ip address",
            "stworld",
            "stworld og",
            "uetsid",
            "sctr",
            "pinunauth",
            "awsalb",
            "udnsntcsession",
            "tdid",
            "qplatform mfapp",
            "adrollfpc",
            "arv4",
            "udnsntcs",
            "interim sim",
            "newegg",
            "verizon",
            "buy verizon",
            "card",
            "newegg shopping",
            "ver2",
            "vids1",
            "msclkidn"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CIDR": 3,
            "FileHash-SHA256": 316,
            "FileHash-SHA1": 4,
            "domain": 101,
            "hostname": 295,
            "URL": 290,
            "IPv4": 8,
            "email": 12,
            "FileHash-MD5": 12,
            "Mutex": 1,
            "URI": 1
          },
          "indicator_count": 1043,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 66,
          "modified_text": "8 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "6a1172cd04ed75967ff3ffc5",
          "name": "Rain + Acid; Questionable Civil Rights Violations.",
          "description": "[The full list of names and addresses for Akamai, the world's largest web hosting company, has been released..and it is not clear how many of them have been registered or used] <the first time I agree with pretext.",
          "modified": "2026-05-23T09:26:37.004000",
          "created": "2026-05-23T09:26:37.004000",
          "tags": [
            "akamai",
            "orgid",
            "akamai ref",
            "net173",
            "net1730000",
            "orgtechhandle",
            "steven jay",
            "orgname",
            "cidr",
            "noc united",
            "orgabusehandle",
            "nethandle",
            "key identifier",
            "x509v3 subject",
            "full name",
            "v3 serial",
            "number",
            "cus cndigicert",
            "tls rsa",
            "sha256",
            "ca1 odigicert",
            "inc validity",
            "city",
            "kam sze",
            "verisign",
            "date",
            "server",
            "data",
            "whois database",
            "whois",
            "registrar abuse",
            "repackaging",
            "registrars",
            "icann whois",
            "form",
            "email",
            "request email",
            "stateprovince",
            "whois status",
            "tech",
            "address range",
            "network name",
            "type",
            "status",
            "whois server",
            "entity akamai",
            "handle",
            "orgtechref",
            "akamai address",
            "broadway city",
            "postalcode",
            "orgtechphone",
            "label akamai",
            "arin country",
            "us continent",
            "services",
            "net192",
            "net1920000",
            "as14153",
            "as15133",
            "edgec25",
            "w jefferson",
            "blvd",
            "algorithm",
            "cus odigicert",
            "cngeotrust tls",
            "rsa ca",
            "g1 validity",
            "subject public",
            "serving ip",
            "address",
            "status code",
            "body length",
            "kb body",
            "responsibility",
            "learn",
            "citizen verizon",
            "drupal",
            "corporate",
            "utc google",
            "tag manager",
            "gtmpz6697q",
            "utc g22l6jkpfvc",
            "utc linkedin",
            "insight tag",
            "utc adobe",
            "dynamic tag",
            "sameorigin",
            "date wed",
            "miss setcookie",
            "secure",
            "httponly",
            "unix",
            "cachecontrol",
            "html info",
            "title",
            "ip address",
            "stworld",
            "stworld og",
            "uetsid",
            "sctr",
            "pinunauth",
            "awsalb",
            "udnsntcsession",
            "tdid",
            "qplatform mfapp",
            "adrollfpc",
            "arv4",
            "udnsntcs",
            "interim sim",
            "newegg",
            "verizon",
            "buy verizon",
            "card",
            "newegg shopping",
            "ver2",
            "vids1",
            "msclkidn"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CIDR": 3,
            "FileHash-SHA256": 316,
            "FileHash-SHA1": 4,
            "domain": 95,
            "hostname": 279,
            "URL": 267,
            "IPv4": 8,
            "email": 11,
            "FileHash-MD5": 12,
            "Mutex": 1,
            "URI": 1
          },
          "indicator_count": 997,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 66,
          "modified_text": "8 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "6a1172cc0a8d5c02b90c7abf",
          "name": "Rain + Acid; Questionable Civil Rights Violations.",
          "description": "[The full list of names and addresses for Akamai, the world's largest web hosting company, has been released..and it is not clear how many of them have been registered or used] <the first time I agree with pretext.",
          "modified": "2026-05-23T09:26:36.279000",
          "created": "2026-05-23T09:26:36.279000",
          "tags": [
            "akamai",
            "orgid",
            "akamai ref",
            "net173",
            "net1730000",
            "orgtechhandle",
            "steven jay",
            "orgname",
            "cidr",
            "noc united",
            "orgabusehandle",
            "nethandle",
            "key identifier",
            "x509v3 subject",
            "full name",
            "v3 serial",
            "number",
            "cus cndigicert",
            "tls rsa",
            "sha256",
            "ca1 odigicert",
            "inc validity",
            "city",
            "kam sze",
            "verisign",
            "date",
            "server",
            "data",
            "whois database",
            "whois",
            "registrar abuse",
            "repackaging",
            "registrars",
            "icann whois",
            "form",
            "email",
            "request email",
            "stateprovince",
            "whois status",
            "tech",
            "address range",
            "network name",
            "type",
            "status",
            "whois server",
            "entity akamai",
            "handle",
            "orgtechref",
            "akamai address",
            "broadway city",
            "postalcode",
            "orgtechphone",
            "label akamai",
            "arin country",
            "us continent",
            "services",
            "net192",
            "net1920000",
            "as14153",
            "as15133",
            "edgec25",
            "w jefferson",
            "blvd",
            "algorithm",
            "cus odigicert",
            "cngeotrust tls",
            "rsa ca",
            "g1 validity",
            "subject public",
            "serving ip",
            "address",
            "status code",
            "body length",
            "kb body",
            "responsibility",
            "learn",
            "citizen verizon",
            "drupal",
            "corporate",
            "utc google",
            "tag manager",
            "gtmpz6697q",
            "utc g22l6jkpfvc",
            "utc linkedin",
            "insight tag",
            "utc adobe",
            "dynamic tag",
            "sameorigin",
            "date wed",
            "miss setcookie",
            "secure",
            "httponly",
            "unix",
            "cachecontrol",
            "html info",
            "title",
            "ip address",
            "stworld",
            "stworld og",
            "uetsid",
            "sctr",
            "pinunauth",
            "awsalb",
            "udnsntcsession",
            "tdid",
            "qplatform mfapp",
            "adrollfpc",
            "arv4",
            "udnsntcs",
            "interim sim",
            "newegg",
            "verizon",
            "buy verizon",
            "card",
            "newegg shopping",
            "ver2",
            "vids1",
            "msclkidn"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CIDR": 3,
            "FileHash-SHA256": 316,
            "FileHash-SHA1": 4,
            "domain": 95,
            "hostname": 279,
            "URL": 267,
            "IPv4": 8,
            "email": 11,
            "FileHash-MD5": 12,
            "Mutex": 1,
            "URI": 1
          },
          "indicator_count": 997,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 66,
          "modified_text": "8 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "698e93e1ab02db8c49e8c3ed",
          "name": "\u201cBroken Seal\u201d DocuSign-themed Delivery with Fileless Process Hollowing (Zeppelin/Bloat-A)",
          "description": "Forensic analysis indicates a DocuSign-themed phishing campaign using a deliberately invalid X.509 PKI seal (\u201cBroken Seal\u201d) to trigger fail-open verification logic in automated handlers. The delivery mechanism bypasses Secure Email Gateway (SEG) reputation checks by using encrypted channels and human-gated infrastructure. The payload is a fileless Process Hollowing (RunPE) malware that injects into RWX memory of legitimate processes to evade disk-based EDR.",
          "modified": "2026-05-17T15:52:35.396000",
          "created": "2026-02-13T03:00:49.872000",
          "tags": [
            "Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi",
            "9698f46495ce9401c8bcaf9a2afe1598",
            "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)",
            "MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71",
            "Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3",
            "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link",
            "DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)"
          ],
          "references": [
            "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.",
            "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)",
            "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.",
            "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure",
            "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess",
            "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.",
            "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.",
            "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)",
            "Verification failure observed in automated verification handlers during sandbox replay.",
            "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.",
            "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.",
            "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.",
            "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.",
            "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).",
            "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.",
            "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.",
            "Whitelisted IP Address 204.79.197.212 Location  United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. ,  ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc.,   Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 ,  5943 ,  80211 ,  #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf ,  The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat",
            "",
            "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr",
            "My Independent research finds an intersect between different pdf DV versions being able to connect to Raspberry Pi devices as it was the FCC application document. Risk: Mac ID connectivity to all."
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "China",
            "United States of America",
            "Spain",
            "Japan",
            "Canada"
          ],
          "malware_families": [],
          "attack_ids": [],
          "industries": [
            "Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In"
          ],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 14,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 28000,
            "FileHash-SHA256": 48374,
            "FileHash-MD5": 42596,
            "FileHash-SHA1": 23243,
            "hostname": 35654,
            "URL": 75758,
            "SSLCertFingerprint": 30,
            "CVE": 7585,
            "email": 316,
            "FileHash-IMPHASH": 8,
            "CIDR": 26205,
            "JA3": 1,
            "URI": 5,
            "IPv4": 574,
            "Mutex": 1
          },
          "indicator_count": 288350,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 92,
          "modified_text": "14 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "69fc35be85a193d62e33e048",
          "name": "CAPE Sandbox- LOTA- Living off the Admin",
          "description": "The sandbox analysis reveals several high-risk activities that align with modern malware strains. Persistence Mechanisms: The file attempts to modify registry keys and drop executable files in sensitive directories, typical of malware seeking to survive system reboots.Network Communications: It initiates connections to known malicious C2 (Command and Control) infrastructure. This includes resolving DGA (Domain Generation Algorithm) domains and attempting P2P communication.Process Injection: The sample often spawns or injects code into legitimate system processes to evade detection by standard antivirus engines.Data Exfiltration: Observed behavioral signatures include calls to APIs used for harvesting credentials and system metadata, which are then queued for outbound transmission. Network comms\n385 HTTP  656 DNS  702 IP  1 JA3.\n[fcedee2f..]\nf0r5afo[.exe] 12/28/16 first appearance. 104.31.74.222 Ip I tagged 30 other malcious [exe] in here too. ref file: [e0c]",
          "modified": "2026-05-08T06:37:13.389000",
          "created": "2026-05-07T06:48:30.051000",
          "tags": [
            "cloudflare",
            "city",
            "san francisco",
            "rnocname",
            "orgid",
            "rtechhandle",
            "net104",
            "net1040000",
            "rtechemail",
            "rabusehandle"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1010",
              "name": "Application Window Discovery",
              "display_name": "T1010 - Application Window Discovery"
            },
            {
              "id": "T1016",
              "name": "System Network Configuration Discovery",
              "display_name": "T1016 - System Network Configuration Discovery"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1543",
              "name": "Create or Modify System Process",
              "display_name": "T1543 - Create or Modify System Process"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1571",
              "name": "Non-Standard Port",
              "display_name": "T1571 - Non-Standard Port"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "IPv4": 102,
            "FileHash-MD5": 28,
            "FileHash-SHA1": 47,
            "FileHash-SHA256": 831,
            "URL": 1460,
            "domain": 315,
            "hostname": 266,
            "CIDR": 1,
            "email": 3
          },
          "indicator_count": 3053,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 67,
          "modified_text": "23 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "69fc35bc6924906c52c89f27",
          "name": "CAPE Sandbox- LOTA- Living off the Admin",
          "description": "The sandbox analysis reveals several high-risk activities that align with modern malware strains. Persistence Mechanisms: The file attempts to modify registry keys and drop executable files in sensitive directories, typical of malware seeking to survive system reboots.Network Communications: It initiates connections to known malicious C2 (Command and Control) infrastructure. This includes resolving DGA (Domain Generation Algorithm) domains and attempting P2P communication.Process Injection: The sample often spawns or injects code into legitimate system processes to evade detection by standard antivirus engines.Data Exfiltration: Observed behavioral signatures include calls to APIs used for harvesting credentials and system metadata, which are then queued for outbound transmission. Network comms\n385 HTTP  656 DNS  702 IP  1 JA3.\n[fcedee2f..]\nf0r5afo[.exe] 12/28/16 first appearance. 104.31.74.222 Ip I tagged 30 other malcious [exe] in here too. ref file: [e0c]",
          "modified": "2026-05-08T06:30:44.363000",
          "created": "2026-05-07T06:48:28.947000",
          "tags": [
            "cloudflare",
            "city",
            "san francisco",
            "rnocname",
            "orgid",
            "rtechhandle",
            "net104",
            "net1040000",
            "rtechemail",
            "rabusehandle"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1010",
              "name": "Application Window Discovery",
              "display_name": "T1010 - Application Window Discovery"
            },
            {
              "id": "T1016",
              "name": "System Network Configuration Discovery",
              "display_name": "T1016 - System Network Configuration Discovery"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1543",
              "name": "Create or Modify System Process",
              "display_name": "T1543 - Create or Modify System Process"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1571",
              "name": "Non-Standard Port",
              "display_name": "T1571 - Non-Standard Port"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "IPv4": 93,
            "FileHash-MD5": 24,
            "FileHash-SHA1": 43,
            "FileHash-SHA256": 167,
            "URL": 1447,
            "domain": 274,
            "hostname": 243,
            "CIDR": 1,
            "email": 3
          },
          "indicator_count": 2295,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 67,
          "modified_text": "23 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "69fc35bbf5093f9bf3cd0a32",
          "name": "CAPE Sandbox- LOTA- Living off the Admin",
          "description": "The sandbox analysis reveals several high-risk activities that align with modern malware strains. Persistence Mechanisms: The file attempts to modify registry keys and drop executable files in sensitive directories, typical of malware seeking to survive system reboots.Network Communications: It initiates connections to known malicious C2 (Command and Control) infrastructure. This includes resolving DGA (Domain Generation Algorithm) domains and attempting P2P communication.Process Injection: The sample often spawns or injects code into legitimate system processes to evade detection by standard antivirus engines.Data Exfiltration: Observed behavioral signatures include calls to APIs used for harvesting credentials and system metadata, which are then queued for outbound transmission. Network comms\n385 HTTP  656 DNS  702 IP  1 JA3.\n[fcedee2f..]\nf0r5afo[.exe] 12/28/16 first appearance. 104.31.74.222 Ip I tagged 30 other malcious [exe] in here too. ref file: [e0c]",
          "modified": "2026-05-08T05:17:02.092000",
          "created": "2026-05-07T06:48:27.828000",
          "tags": [
            "cloudflare",
            "city",
            "san francisco",
            "rnocname",
            "orgid",
            "rtechhandle",
            "net104",
            "net1040000",
            "rtechemail",
            "rabusehandle"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1010",
              "name": "Application Window Discovery",
              "display_name": "T1010 - Application Window Discovery"
            },
            {
              "id": "T1016",
              "name": "System Network Configuration Discovery",
              "display_name": "T1016 - System Network Configuration Discovery"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1543",
              "name": "Create or Modify System Process",
              "display_name": "T1543 - Create or Modify System Process"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1571",
              "name": "Non-Standard Port",
              "display_name": "T1571 - Non-Standard Port"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "IPv4": 110,
            "FileHash-MD5": 47,
            "FileHash-SHA1": 85,
            "FileHash-SHA256": 186,
            "URL": 1467,
            "domain": 274,
            "hostname": 247,
            "CIDR": 4,
            "email": 14
          },
          "indicator_count": 2434,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 68,
          "modified_text": "23 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "69d20ba3e768ce672f6faaf0",
          "name": "VirusTotal Windows Sandbox",
          "description": "A security alert has been issued by the UK government over the weekend, with the result of a malicious web address being sent to a member of the public via an address address linked tolinkedin.",
          "modified": "2026-05-05T07:28:14.492000",
          "created": "2026-04-05T07:13:39.327000",
          "tags": [
            "windows sandbox",
            "calls process",
            "time",
            "request header",
            "host",
            "windows nt",
            "win64",
            "khtml",
            "gecko",
            "acceptencoding",
            "accept",
            "response header",
            "date",
            "dword",
            "malware",
            "file type",
            "utf8",
            "crlf line",
            "unicode text",
            "yara",
            "binary",
            "found",
            "sample",
            "mitre attack",
            "malicious",
            "window",
            "next",
            "detail info",
            "tickcount",
            "behaviour",
            "processid",
            "threadid",
            "startaddress",
            "parameter",
            "offset",
            "windows xp",
            "professional",
            "write",
            "info",
            "shell",
            "cultureneutral",
            "count",
            "default",
            "subsys11001af4",
            "rev003",
            "rev033",
            "folders api",
            "skylakeibrs",
            "daba3ff",
            "inprocserver32",
            "first",
            "virustotal",
            "enterprise",
            "service",
            "close",
            "win32 exe",
            "pe32",
            "ms windows",
            "win16 ne",
            "icons library",
            "os2 executable",
            "generic windos",
            "executable",
            "pe64 library",
            "cname",
            "none rticon",
            "file size",
            "sha256",
            "mwdb",
            "bazaar",
            "sha3384",
            "crc32",
            "shutdown",
            "error",
            "back",
            "lsappdata",
            "inetfiles",
            "windowname",
            "protocol level",
            "application",
            "next connection",
            "address",
            "http url",
            "get http",
            "full path",
            "path",
            "filename",
            "targetprocess",
            "writeaddress",
            "size",
            "targetpid",
            "findfirstfileex",
            "class",
            "find",
            "open",
            "imagepath",
            "cmdline",
            "ping",
            "flags"
          ],
          "references": [
            "https://vtbehaviour.commondatastorage.googleapis.com/000bdbb9556e3474630b36d57190d5dae719886a6cdecf824af6a456243ebf88_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775372160&Signature=wARiO6wRTZGhS9vOpI%2BvoWxpe55%2BBlHjfTVS2m1fsb3%2FyiqXoI5x8uRNh6fj6Qp6DpePIZAM2MHvDzi%2B5TT6VWKI4zyyc%2BeVp9gihB0djBnCJr%2BKCB18kdFNBE%2BicOTMmx5aJ1hSjWQcOBYm9PMkZ6%2BhLzxX3gxTMneBKGhh0ckFJRTRfM2gKMfEPrOQ6aVgfkTWJUR9FQYz5g2qKGSDh1CCNlEzXhO33BEPI9fN",
            "https://vtbehaviour.commondatastorage.googleapis.com/03a5d431bb42e7730a3ae3b3563cee73e7a782079cf56f57bad5fe665d261e54_SecneurX.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775372244&Signature=fXjnCgFbGybFp%2BCRO6a%2FQ3LKU2uLiKNtjgwKzprL3LFL%2BTMgup6nbp7%2F9Hxy8bnBzlFtSzO0fcnf%2FpIsNim0UdrINmB63N9mKkBW1cOkjxV88PAy2nsFZA3FjOEYq4N0lgc8gAtS5eRTt%2Bwb7WjEnd3QQ7aPLuoVl2hjed4hC8Cit6efcSD9GbJCITMeX4%2FVHBYSjmDr4Pgip9ANSZ6wvzkRktqPpC23Qwl62gkuXE%2BKp0s%2Bq%",
            "https://vtbehaviour.commondatastorage.googleapis.com/14116af49a976b71f7ddd760161a1d50328baa280ac2c9a1f9f3a8996a3929b6_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775372327&Signature=bhG0zZxkKhoz9temkLENxZsdN9KeMsxW4nt2II1lmaPLEGAhNM4EmX5e7z1UM9LLsnqrvuZBhQs7ZnBuwSpY5T8iiKIu2%2FfZ83pX1Tw8s%2Bn%2BfXlEl3jlhzXWewZ9i8ZlXd6YIeWETsAak1j93aNnJHB2IPoZn7VISupTj400x7E%2FSm0ilDz4zCCDAjz1eTp1N41HvmoviGQGwTSnjTW5oyBHDm8RglOnnNqcEsm6%2BkGBJToFomLsipvuVIz8",
            "https://vtbehaviour.commondatastorage.googleapis.com/39c58d0f868d4e8d1b959dce19d0bbcc57bb8b9b832f9efbe4e2244051237b95_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775372451&Signature=Dv9FcZuWlVKlY26EcoSmR4Kcb44tKDv4kyBrDOputdJDLMvfDX9%2Fs4Ss4cLURTdCso74wPUHQpcMVcyeGGK%2F3RwYbxXwJjMGGAJSCfCxIDRiL%2BLOQKY3M7zGyXrkpuwr5lQS4CaKp1LFajsxxwnKpd%2F5eXNMLqlyxh%2ByO3dJWTkY8WqNnnwnSjW0lqpwB9%2BBjgEdIeWsnMRqF0t4JQ8dJsmCbbTXmAKIEZ46Rpio044%2BrsqH",
            "https://vtbehaviour.commondatastorage.googleapis.com/539dc26a14b6277e87348594ab7d6e932d16aabb18612d77f29fe421a9f1d46a_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775372560&Signature=tXBHkUCyFp7E2Um%2FMUvRPbUvaQmYPeBV7KGbi%2Bssa%2FkYQyqgH4u8fy6h0A8bVbsyQMMPf2EEF2JkzkiD6SXcfLADGdVqHYQya%2F6s2Ox5QnOFkJSATlDdXCWVp%2F4wHxZHInIRcrBPZFjjYFQM0u7VYCEMtkMCS0pzld2nGLlcOuOXBFxGTQPy0A03dikBC4Yw4f%2BdiMLMxO0hxZSo9FxPq1ylB4gs57NBBniylVO4Qi%2BLzleU5",
            "https://vtbehaviour.commondatastorage.googleapis.com/0ab7fad77871a45137c9f2e40e3cbf47e3d71315f71c8eca9c8d62bc24a53184_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775372878&Signature=cLNwLw1L9ZCpQXZej7DaLTWH5w887X5wPnSpN1pwH2N4acSu8Llp25uprGRArg6qCuPbVQ2YPyIeCdwLCZvq%2FU0hP8m17ZPontiyR5zKb7jxcW57eEUuVnuSV9%2FnukwtPPJ%2BTY7a0%2B9rwSAU%2FL%2FJQ1yMke6VIX%2B%2F6KSWHgmLV%2F%2FR%2FbOxB0oZ4%2Fe%2Fsb2%2Fw12dZix7IY6c7wOj1OlWGQSkAZZsEoDw",
            "https://vtbehaviour.commondatastorage.googleapis.com/01f09136cb86f25635f91144946847d58c559228d50d9b84b0c021d4091b840b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775373052&Signature=U7haY6XsgyJ83G1vAOPLrLLS%2BaMP9xAKOlnzSb4I9clIBLt9Y8xzP4qjfBxbeUfdF6s%2B6dtg4dXzqTjrAYSC3XOTEEtHZeK4ePz5qfS9n%2FWNrOKQb30VBhfUNL5DYUCd3XSOPjIVlbRz9ylDpwApfVK2AMarGiLLlnKRDv7M0S63SkQx8eWyabXd2afPPy96ZGNZVZfOhw5llZiztL6mYo%2BVivlyFsDcodH9F4XrS%2FPsSLeJRx5d",
            "https://vtbehaviour.commondatastorage.googleapis.com/7605fa9aeaae25656c40a553534d35418cca40dc48023d0b3237b402361c6816_Dr.Web%20vxCube.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775373200&Signature=uMO8ESBCpu0oIIRS0CToWTN9KlOHyq4uWjWMjfdcUCGyliW%2FSy8KDIg6OMWLUQ6SBC45Jm0Mr%2FNV6m74hTSnpmGdVf6k6mA3QrTQwUMaMk2QbBLU1IwUG8wvylr6KXEqQYYCkZksYiZEyNm%2B2hKNvWtKFc%2BZlL7M12RBSER84%2FDRQlJnK6qbDW3DYX1tPsXxTynGj5YxQDlUqfWU8CjZtSAfUK%2Bw%2FoybwyMsJc68%2B01HQ",
            "https://vtbehaviour.commondatastorage.googleapis.com/7605fa9aeaae25656c40a553534d35418cca40dc48023d0b3237b402361c6816_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775373283&Signature=KIPnPqQCcifTzuRS43FhFyzCXei0rDK20JuVvXA3UkB%2Bj6R1a4SAH2sn%2BJO1ohLSxLswzbryMf81lr4eGQCMbr3Wwfwo7kHN1yHV4M187cNxRZlbZ4%2BzOZZgfWt3bJNLx2Z4%2B4aqarco7OzqkhcQizlq8frRttJQjcLcNxgWD3oV2QDxZxurniW%2BhRRUS%2Bv9uGXWIRhWYmbEA%2BaoQsvpX0AIeSUCn4qb%2Fh31hJe7JitkCE",
            "https://vtbehaviour.commondatastorage.googleapis.com/000007781f616194758c52c551ab2f198970675c9218eab9f1e4470f0a696e71_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775373373&Signature=mjvxt7z8ajbHZY%2BdL0G02pE7trUx7SkineLNrDSnq8FxmEuCuDdnNDWKdPawPb4w2NnK5HFkV3BAdTJrRNBxBceLP%2FevhdkmR4C%2BiZZ8pz9GBeqwl0l6oJMBga2ZHfKcA%2BxqQgP5r1zzN%2BZPMH0zxPdHYZA2WlzkfzPBDQcTEDdz8aTIaX%2BOP5JUo4gYjqxxxrdBLVGv0i54PedBqgFw5IRrPpdH%2FwlQGTLKQ%2BSjslq2d0",
            "https://vtbehaviour.commondatastorage.googleapis.com/39c58d0f868d4e8d1b959dce19d0bbcc57bb8b9b832f9efbe4e2244051237b95_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775373454&Signature=oXNg992chHQhOJxpI2XcWdFB%2FxJme1ol4iA4aOgaKWQcqa9WXsYlPcTANPmFkyrHIciosnksXEJrIAfFsjAYeEqG%2F7oPGCQLBILFHUhwZVcoJR9PgFwUsHBu%2FqiWSOifVPER4vpDL0gbsuNlU6gHT5aWRW%2BwoOwbHSIt5jj%2FJ3%2FxGDBAUaZrSuQurOM0Nb3qRhNN1NOTUj7mGTuUBXdtvnzCFLjxl3Kk6dYYFgmwhWI04P3JIB"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1010",
              "name": "Application Window Discovery",
              "display_name": "T1010 - Application Window Discovery"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            },
            {
              "id": "T1090",
              "name": "Proxy",
              "display_name": "T1090 - Proxy"
            },
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            },
            {
              "id": "T1014",
              "name": "Rootkit",
              "display_name": "T1014 - Rootkit"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1542",
              "name": "Pre-OS Boot",
              "display_name": "T1542 - Pre-OS Boot"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 72,
            "FileHash-MD5": 56,
            "FileHash-SHA1": 27,
            "FileHash-SHA256": 113,
            "domain": 19,
            "hostname": 89
          },
          "indicator_count": 376,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 67,
          "modified_text": "26 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "69d20ba2a469e45b8dfd8c31",
          "name": "VirusTotal Windows Sandbox",
          "description": "A security alert has been issued by the UK government over the weekend, with the result of a malicious web address being sent to a member of the public via an address address linked tolinkedin.",
          "modified": "2026-05-05T07:28:14.492000",
          "created": "2026-04-05T07:13:38.063000",
          "tags": [
            "windows sandbox",
            "calls process",
            "time",
            "request header",
            "host",
            "windows nt",
            "win64",
            "khtml",
            "gecko",
            "acceptencoding",
            "accept",
            "response header",
            "date",
            "dword",
            "malware",
            "file type",
            "utf8",
            "crlf line",
            "unicode text",
            "yara",
            "binary",
            "found",
            "sample",
            "mitre attack",
            "malicious",
            "window",
            "next",
            "detail info",
            "tickcount",
            "behaviour",
            "processid",
            "threadid",
            "startaddress",
            "parameter",
            "offset",
            "windows xp",
            "professional",
            "write",
            "info",
            "shell",
            "cultureneutral",
            "count",
            "default",
            "subsys11001af4",
            "rev003",
            "rev033",
            "folders api",
            "skylakeibrs",
            "daba3ff",
            "inprocserver32",
            "first",
            "virustotal",
            "enterprise",
            "service",
            "close",
            "win32 exe",
            "pe32",
            "ms windows",
            "win16 ne",
            "icons library",
            "os2 executable",
            "generic windos",
            "executable",
            "pe64 library",
            "cname",
            "none rticon",
            "file size",
            "sha256",
            "mwdb",
            "bazaar",
            "sha3384",
            "crc32",
            "shutdown",
            "error",
            "back",
            "lsappdata",
            "inetfiles",
            "windowname",
            "protocol level",
            "application",
            "next connection",
            "address",
            "http url",
            "get http",
            "full path",
            "path",
            "filename",
            "targetprocess",
            "writeaddress",
            "size",
            "targetpid",
            "findfirstfileex",
            "class",
            "find",
            "open",
            "imagepath",
            "cmdline",
            "ping",
            "flags"
          ],
          "references": [
            "https://vtbehaviour.commondatastorage.googleapis.com/000bdbb9556e3474630b36d57190d5dae719886a6cdecf824af6a456243ebf88_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775372160&Signature=wARiO6wRTZGhS9vOpI%2BvoWxpe55%2BBlHjfTVS2m1fsb3%2FyiqXoI5x8uRNh6fj6Qp6DpePIZAM2MHvDzi%2B5TT6VWKI4zyyc%2BeVp9gihB0djBnCJr%2BKCB18kdFNBE%2BicOTMmx5aJ1hSjWQcOBYm9PMkZ6%2BhLzxX3gxTMneBKGhh0ckFJRTRfM2gKMfEPrOQ6aVgfkTWJUR9FQYz5g2qKGSDh1CCNlEzXhO33BEPI9fN",
            "https://vtbehaviour.commondatastorage.googleapis.com/03a5d431bb42e7730a3ae3b3563cee73e7a782079cf56f57bad5fe665d261e54_SecneurX.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775372244&Signature=fXjnCgFbGybFp%2BCRO6a%2FQ3LKU2uLiKNtjgwKzprL3LFL%2BTMgup6nbp7%2F9Hxy8bnBzlFtSzO0fcnf%2FpIsNim0UdrINmB63N9mKkBW1cOkjxV88PAy2nsFZA3FjOEYq4N0lgc8gAtS5eRTt%2Bwb7WjEnd3QQ7aPLuoVl2hjed4hC8Cit6efcSD9GbJCITMeX4%2FVHBYSjmDr4Pgip9ANSZ6wvzkRktqPpC23Qwl62gkuXE%2BKp0s%2Bq%",
            "https://vtbehaviour.commondatastorage.googleapis.com/14116af49a976b71f7ddd760161a1d50328baa280ac2c9a1f9f3a8996a3929b6_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775372327&Signature=bhG0zZxkKhoz9temkLENxZsdN9KeMsxW4nt2II1lmaPLEGAhNM4EmX5e7z1UM9LLsnqrvuZBhQs7ZnBuwSpY5T8iiKIu2%2FfZ83pX1Tw8s%2Bn%2BfXlEl3jlhzXWewZ9i8ZlXd6YIeWETsAak1j93aNnJHB2IPoZn7VISupTj400x7E%2FSm0ilDz4zCCDAjz1eTp1N41HvmoviGQGwTSnjTW5oyBHDm8RglOnnNqcEsm6%2BkGBJToFomLsipvuVIz8",
            "https://vtbehaviour.commondatastorage.googleapis.com/39c58d0f868d4e8d1b959dce19d0bbcc57bb8b9b832f9efbe4e2244051237b95_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775372451&Signature=Dv9FcZuWlVKlY26EcoSmR4Kcb44tKDv4kyBrDOputdJDLMvfDX9%2Fs4Ss4cLURTdCso74wPUHQpcMVcyeGGK%2F3RwYbxXwJjMGGAJSCfCxIDRiL%2BLOQKY3M7zGyXrkpuwr5lQS4CaKp1LFajsxxwnKpd%2F5eXNMLqlyxh%2ByO3dJWTkY8WqNnnwnSjW0lqpwB9%2BBjgEdIeWsnMRqF0t4JQ8dJsmCbbTXmAKIEZ46Rpio044%2BrsqH",
            "https://vtbehaviour.commondatastorage.googleapis.com/539dc26a14b6277e87348594ab7d6e932d16aabb18612d77f29fe421a9f1d46a_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775372560&Signature=tXBHkUCyFp7E2Um%2FMUvRPbUvaQmYPeBV7KGbi%2Bssa%2FkYQyqgH4u8fy6h0A8bVbsyQMMPf2EEF2JkzkiD6SXcfLADGdVqHYQya%2F6s2Ox5QnOFkJSATlDdXCWVp%2F4wHxZHInIRcrBPZFjjYFQM0u7VYCEMtkMCS0pzld2nGLlcOuOXBFxGTQPy0A03dikBC4Yw4f%2BdiMLMxO0hxZSo9FxPq1ylB4gs57NBBniylVO4Qi%2BLzleU5",
            "https://vtbehaviour.commondatastorage.googleapis.com/0ab7fad77871a45137c9f2e40e3cbf47e3d71315f71c8eca9c8d62bc24a53184_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775372878&Signature=cLNwLw1L9ZCpQXZej7DaLTWH5w887X5wPnSpN1pwH2N4acSu8Llp25uprGRArg6qCuPbVQ2YPyIeCdwLCZvq%2FU0hP8m17ZPontiyR5zKb7jxcW57eEUuVnuSV9%2FnukwtPPJ%2BTY7a0%2B9rwSAU%2FL%2FJQ1yMke6VIX%2B%2F6KSWHgmLV%2F%2FR%2FbOxB0oZ4%2Fe%2Fsb2%2Fw12dZix7IY6c7wOj1OlWGQSkAZZsEoDw",
            "https://vtbehaviour.commondatastorage.googleapis.com/01f09136cb86f25635f91144946847d58c559228d50d9b84b0c021d4091b840b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775373052&Signature=U7haY6XsgyJ83G1vAOPLrLLS%2BaMP9xAKOlnzSb4I9clIBLt9Y8xzP4qjfBxbeUfdF6s%2B6dtg4dXzqTjrAYSC3XOTEEtHZeK4ePz5qfS9n%2FWNrOKQb30VBhfUNL5DYUCd3XSOPjIVlbRz9ylDpwApfVK2AMarGiLLlnKRDv7M0S63SkQx8eWyabXd2afPPy96ZGNZVZfOhw5llZiztL6mYo%2BVivlyFsDcodH9F4XrS%2FPsSLeJRx5d",
            "https://vtbehaviour.commondatastorage.googleapis.com/7605fa9aeaae25656c40a553534d35418cca40dc48023d0b3237b402361c6816_Dr.Web%20vxCube.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775373200&Signature=uMO8ESBCpu0oIIRS0CToWTN9KlOHyq4uWjWMjfdcUCGyliW%2FSy8KDIg6OMWLUQ6SBC45Jm0Mr%2FNV6m74hTSnpmGdVf6k6mA3QrTQwUMaMk2QbBLU1IwUG8wvylr6KXEqQYYCkZksYiZEyNm%2B2hKNvWtKFc%2BZlL7M12RBSER84%2FDRQlJnK6qbDW3DYX1tPsXxTynGj5YxQDlUqfWU8CjZtSAfUK%2Bw%2FoybwyMsJc68%2B01HQ",
            "https://vtbehaviour.commondatastorage.googleapis.com/7605fa9aeaae25656c40a553534d35418cca40dc48023d0b3237b402361c6816_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775373283&Signature=KIPnPqQCcifTzuRS43FhFyzCXei0rDK20JuVvXA3UkB%2Bj6R1a4SAH2sn%2BJO1ohLSxLswzbryMf81lr4eGQCMbr3Wwfwo7kHN1yHV4M187cNxRZlbZ4%2BzOZZgfWt3bJNLx2Z4%2B4aqarco7OzqkhcQizlq8frRttJQjcLcNxgWD3oV2QDxZxurniW%2BhRRUS%2Bv9uGXWIRhWYmbEA%2BaoQsvpX0AIeSUCn4qb%2Fh31hJe7JitkCE",
            "https://vtbehaviour.commondatastorage.googleapis.com/000007781f616194758c52c551ab2f198970675c9218eab9f1e4470f0a696e71_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775373373&Signature=mjvxt7z8ajbHZY%2BdL0G02pE7trUx7SkineLNrDSnq8FxmEuCuDdnNDWKdPawPb4w2NnK5HFkV3BAdTJrRNBxBceLP%2FevhdkmR4C%2BiZZ8pz9GBeqwl0l6oJMBga2ZHfKcA%2BxqQgP5r1zzN%2BZPMH0zxPdHYZA2WlzkfzPBDQcTEDdz8aTIaX%2BOP5JUo4gYjqxxxrdBLVGv0i54PedBqgFw5IRrPpdH%2FwlQGTLKQ%2BSjslq2d0",
            "https://vtbehaviour.commondatastorage.googleapis.com/39c58d0f868d4e8d1b959dce19d0bbcc57bb8b9b832f9efbe4e2244051237b95_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775373454&Signature=oXNg992chHQhOJxpI2XcWdFB%2FxJme1ol4iA4aOgaKWQcqa9WXsYlPcTANPmFkyrHIciosnksXEJrIAfFsjAYeEqG%2F7oPGCQLBILFHUhwZVcoJR9PgFwUsHBu%2FqiWSOifVPER4vpDL0gbsuNlU6gHT5aWRW%2BwoOwbHSIt5jj%2FJ3%2FxGDBAUaZrSuQurOM0Nb3qRhNN1NOTUj7mGTuUBXdtvnzCFLjxl3Kk6dYYFgmwhWI04P3JIB"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1010",
              "name": "Application Window Discovery",
              "display_name": "T1010 - Application Window Discovery"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            },
            {
              "id": "T1090",
              "name": "Proxy",
              "display_name": "T1090 - Proxy"
            },
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            },
            {
              "id": "T1014",
              "name": "Rootkit",
              "display_name": "T1014 - Rootkit"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1542",
              "name": "Pre-OS Boot",
              "display_name": "T1542 - Pre-OS Boot"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 72,
            "FileHash-MD5": 60,
            "FileHash-SHA1": 31,
            "FileHash-SHA256": 149,
            "domain": 19,
            "hostname": 91
          },
          "indicator_count": 422,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 67,
          "modified_text": "26 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "69d20ba21b989eb65ac172a8",
          "name": "VirusTotal Windows Sandbox",
          "description": "A security alert has been issued by the UK government over the weekend, with the result of a malicious web address being sent to a member of the public via an address address linked tolinkedin.",
          "modified": "2026-05-05T07:28:14.492000",
          "created": "2026-04-05T07:13:38.308000",
          "tags": [
            "windows sandbox",
            "calls process",
            "time",
            "request header",
            "host",
            "windows nt",
            "win64",
            "khtml",
            "gecko",
            "acceptencoding",
            "accept",
            "response header",
            "date",
            "dword",
            "malware",
            "file type",
            "utf8",
            "crlf line",
            "unicode text",
            "yara",
            "binary",
            "found",
            "sample",
            "mitre attack",
            "malicious",
            "window",
            "next",
            "detail info",
            "tickcount",
            "behaviour",
            "processid",
            "threadid",
            "startaddress",
            "parameter",
            "offset",
            "windows xp",
            "professional",
            "write",
            "info",
            "shell",
            "cultureneutral",
            "count",
            "default",
            "subsys11001af4",
            "rev003",
            "rev033",
            "folders api",
            "skylakeibrs",
            "daba3ff",
            "inprocserver32",
            "first",
            "virustotal",
            "enterprise",
            "service",
            "close",
            "win32 exe",
            "pe32",
            "ms windows",
            "win16 ne",
            "icons library",
            "os2 executable",
            "generic windos",
            "executable",
            "pe64 library",
            "cname",
            "none rticon",
            "file size",
            "sha256",
            "mwdb",
            "bazaar",
            "sha3384",
            "crc32",
            "shutdown",
            "error",
            "back",
            "lsappdata",
            "inetfiles",
            "windowname",
            "protocol level",
            "application",
            "next connection",
            "address",
            "http url",
            "get http",
            "full path",
            "path",
            "filename",
            "targetprocess",
            "writeaddress",
            "size",
            "targetpid",
            "findfirstfileex",
            "class",
            "find",
            "open",
            "imagepath",
            "cmdline",
            "ping",
            "flags"
          ],
          "references": [
            "https://vtbehaviour.commondatastorage.googleapis.com/000bdbb9556e3474630b36d57190d5dae719886a6cdecf824af6a456243ebf88_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775372160&Signature=wARiO6wRTZGhS9vOpI%2BvoWxpe55%2BBlHjfTVS2m1fsb3%2FyiqXoI5x8uRNh6fj6Qp6DpePIZAM2MHvDzi%2B5TT6VWKI4zyyc%2BeVp9gihB0djBnCJr%2BKCB18kdFNBE%2BicOTMmx5aJ1hSjWQcOBYm9PMkZ6%2BhLzxX3gxTMneBKGhh0ckFJRTRfM2gKMfEPrOQ6aVgfkTWJUR9FQYz5g2qKGSDh1CCNlEzXhO33BEPI9fN",
            "https://vtbehaviour.commondatastorage.googleapis.com/03a5d431bb42e7730a3ae3b3563cee73e7a782079cf56f57bad5fe665d261e54_SecneurX.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775372244&Signature=fXjnCgFbGybFp%2BCRO6a%2FQ3LKU2uLiKNtjgwKzprL3LFL%2BTMgup6nbp7%2F9Hxy8bnBzlFtSzO0fcnf%2FpIsNim0UdrINmB63N9mKkBW1cOkjxV88PAy2nsFZA3FjOEYq4N0lgc8gAtS5eRTt%2Bwb7WjEnd3QQ7aPLuoVl2hjed4hC8Cit6efcSD9GbJCITMeX4%2FVHBYSjmDr4Pgip9ANSZ6wvzkRktqPpC23Qwl62gkuXE%2BKp0s%2Bq%",
            "https://vtbehaviour.commondatastorage.googleapis.com/14116af49a976b71f7ddd760161a1d50328baa280ac2c9a1f9f3a8996a3929b6_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775372327&Signature=bhG0zZxkKhoz9temkLENxZsdN9KeMsxW4nt2II1lmaPLEGAhNM4EmX5e7z1UM9LLsnqrvuZBhQs7ZnBuwSpY5T8iiKIu2%2FfZ83pX1Tw8s%2Bn%2BfXlEl3jlhzXWewZ9i8ZlXd6YIeWETsAak1j93aNnJHB2IPoZn7VISupTj400x7E%2FSm0ilDz4zCCDAjz1eTp1N41HvmoviGQGwTSnjTW5oyBHDm8RglOnnNqcEsm6%2BkGBJToFomLsipvuVIz8",
            "https://vtbehaviour.commondatastorage.googleapis.com/39c58d0f868d4e8d1b959dce19d0bbcc57bb8b9b832f9efbe4e2244051237b95_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775372451&Signature=Dv9FcZuWlVKlY26EcoSmR4Kcb44tKDv4kyBrDOputdJDLMvfDX9%2Fs4Ss4cLURTdCso74wPUHQpcMVcyeGGK%2F3RwYbxXwJjMGGAJSCfCxIDRiL%2BLOQKY3M7zGyXrkpuwr5lQS4CaKp1LFajsxxwnKpd%2F5eXNMLqlyxh%2ByO3dJWTkY8WqNnnwnSjW0lqpwB9%2BBjgEdIeWsnMRqF0t4JQ8dJsmCbbTXmAKIEZ46Rpio044%2BrsqH",
            "https://vtbehaviour.commondatastorage.googleapis.com/539dc26a14b6277e87348594ab7d6e932d16aabb18612d77f29fe421a9f1d46a_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775372560&Signature=tXBHkUCyFp7E2Um%2FMUvRPbUvaQmYPeBV7KGbi%2Bssa%2FkYQyqgH4u8fy6h0A8bVbsyQMMPf2EEF2JkzkiD6SXcfLADGdVqHYQya%2F6s2Ox5QnOFkJSATlDdXCWVp%2F4wHxZHInIRcrBPZFjjYFQM0u7VYCEMtkMCS0pzld2nGLlcOuOXBFxGTQPy0A03dikBC4Yw4f%2BdiMLMxO0hxZSo9FxPq1ylB4gs57NBBniylVO4Qi%2BLzleU5",
            "https://vtbehaviour.commondatastorage.googleapis.com/0ab7fad77871a45137c9f2e40e3cbf47e3d71315f71c8eca9c8d62bc24a53184_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775372878&Signature=cLNwLw1L9ZCpQXZej7DaLTWH5w887X5wPnSpN1pwH2N4acSu8Llp25uprGRArg6qCuPbVQ2YPyIeCdwLCZvq%2FU0hP8m17ZPontiyR5zKb7jxcW57eEUuVnuSV9%2FnukwtPPJ%2BTY7a0%2B9rwSAU%2FL%2FJQ1yMke6VIX%2B%2F6KSWHgmLV%2F%2FR%2FbOxB0oZ4%2Fe%2Fsb2%2Fw12dZix7IY6c7wOj1OlWGQSkAZZsEoDw",
            "https://vtbehaviour.commondatastorage.googleapis.com/01f09136cb86f25635f91144946847d58c559228d50d9b84b0c021d4091b840b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775373052&Signature=U7haY6XsgyJ83G1vAOPLrLLS%2BaMP9xAKOlnzSb4I9clIBLt9Y8xzP4qjfBxbeUfdF6s%2B6dtg4dXzqTjrAYSC3XOTEEtHZeK4ePz5qfS9n%2FWNrOKQb30VBhfUNL5DYUCd3XSOPjIVlbRz9ylDpwApfVK2AMarGiLLlnKRDv7M0S63SkQx8eWyabXd2afPPy96ZGNZVZfOhw5llZiztL6mYo%2BVivlyFsDcodH9F4XrS%2FPsSLeJRx5d",
            "https://vtbehaviour.commondatastorage.googleapis.com/7605fa9aeaae25656c40a553534d35418cca40dc48023d0b3237b402361c6816_Dr.Web%20vxCube.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775373200&Signature=uMO8ESBCpu0oIIRS0CToWTN9KlOHyq4uWjWMjfdcUCGyliW%2FSy8KDIg6OMWLUQ6SBC45Jm0Mr%2FNV6m74hTSnpmGdVf6k6mA3QrTQwUMaMk2QbBLU1IwUG8wvylr6KXEqQYYCkZksYiZEyNm%2B2hKNvWtKFc%2BZlL7M12RBSER84%2FDRQlJnK6qbDW3DYX1tPsXxTynGj5YxQDlUqfWU8CjZtSAfUK%2Bw%2FoybwyMsJc68%2B01HQ",
            "https://vtbehaviour.commondatastorage.googleapis.com/7605fa9aeaae25656c40a553534d35418cca40dc48023d0b3237b402361c6816_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775373283&Signature=KIPnPqQCcifTzuRS43FhFyzCXei0rDK20JuVvXA3UkB%2Bj6R1a4SAH2sn%2BJO1ohLSxLswzbryMf81lr4eGQCMbr3Wwfwo7kHN1yHV4M187cNxRZlbZ4%2BzOZZgfWt3bJNLx2Z4%2B4aqarco7OzqkhcQizlq8frRttJQjcLcNxgWD3oV2QDxZxurniW%2BhRRUS%2Bv9uGXWIRhWYmbEA%2BaoQsvpX0AIeSUCn4qb%2Fh31hJe7JitkCE",
            "https://vtbehaviour.commondatastorage.googleapis.com/000007781f616194758c52c551ab2f198970675c9218eab9f1e4470f0a696e71_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775373373&Signature=mjvxt7z8ajbHZY%2BdL0G02pE7trUx7SkineLNrDSnq8FxmEuCuDdnNDWKdPawPb4w2NnK5HFkV3BAdTJrRNBxBceLP%2FevhdkmR4C%2BiZZ8pz9GBeqwl0l6oJMBga2ZHfKcA%2BxqQgP5r1zzN%2BZPMH0zxPdHYZA2WlzkfzPBDQcTEDdz8aTIaX%2BOP5JUo4gYjqxxxrdBLVGv0i54PedBqgFw5IRrPpdH%2FwlQGTLKQ%2BSjslq2d0",
            "https://vtbehaviour.commondatastorage.googleapis.com/39c58d0f868d4e8d1b959dce19d0bbcc57bb8b9b832f9efbe4e2244051237b95_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775373454&Signature=oXNg992chHQhOJxpI2XcWdFB%2FxJme1ol4iA4aOgaKWQcqa9WXsYlPcTANPmFkyrHIciosnksXEJrIAfFsjAYeEqG%2F7oPGCQLBILFHUhwZVcoJR9PgFwUsHBu%2FqiWSOifVPER4vpDL0gbsuNlU6gHT5aWRW%2BwoOwbHSIt5jj%2FJ3%2FxGDBAUaZrSuQurOM0Nb3qRhNN1NOTUj7mGTuUBXdtvnzCFLjxl3Kk6dYYFgmwhWI04P3JIB"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1010",
              "name": "Application Window Discovery",
              "display_name": "T1010 - Application Window Discovery"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            },
            {
              "id": "T1090",
              "name": "Proxy",
              "display_name": "T1090 - Proxy"
            },
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            },
            {
              "id": "T1014",
              "name": "Rootkit",
              "display_name": "T1014 - Rootkit"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1542",
              "name": "Pre-OS Boot",
              "display_name": "T1542 - Pre-OS Boot"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 72,
            "FileHash-MD5": 56,
            "FileHash-SHA1": 27,
            "FileHash-SHA256": 113,
            "domain": 19,
            "hostname": 89
          },
          "indicator_count": 376,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 67,
          "modified_text": "26 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "69d20ba20b81857c628e1d9e",
          "name": "VirusTotal Windows Sandbox",
          "description": "A security alert has been issued by the UK government over the weekend, with the result of a malicious web address being sent to a member of the public via an address address linked tolinkedin.",
          "modified": "2026-05-05T07:28:14.492000",
          "created": "2026-04-05T07:13:38.735000",
          "tags": [
            "windows sandbox",
            "calls process",
            "time",
            "request header",
            "host",
            "windows nt",
            "win64",
            "khtml",
            "gecko",
            "acceptencoding",
            "accept",
            "response header",
            "date",
            "dword",
            "malware",
            "file type",
            "utf8",
            "crlf line",
            "unicode text",
            "yara",
            "binary",
            "found",
            "sample",
            "mitre attack",
            "malicious",
            "window",
            "next",
            "detail info",
            "tickcount",
            "behaviour",
            "processid",
            "threadid",
            "startaddress",
            "parameter",
            "offset",
            "windows xp",
            "professional",
            "write",
            "info",
            "shell",
            "cultureneutral",
            "count",
            "default",
            "subsys11001af4",
            "rev003",
            "rev033",
            "folders api",
            "skylakeibrs",
            "daba3ff",
            "inprocserver32",
            "first",
            "virustotal",
            "enterprise",
            "service",
            "close",
            "win32 exe",
            "pe32",
            "ms windows",
            "win16 ne",
            "icons library",
            "os2 executable",
            "generic windos",
            "executable",
            "pe64 library",
            "cname",
            "none rticon",
            "file size",
            "sha256",
            "mwdb",
            "bazaar",
            "sha3384",
            "crc32",
            "shutdown",
            "error",
            "back",
            "lsappdata",
            "inetfiles",
            "windowname",
            "protocol level",
            "application",
            "next connection",
            "address",
            "http url",
            "get http",
            "full path",
            "path",
            "filename",
            "targetprocess",
            "writeaddress",
            "size",
            "targetpid",
            "findfirstfileex",
            "class",
            "find",
            "open",
            "imagepath",
            "cmdline",
            "ping",
            "flags"
          ],
          "references": [
            "https://vtbehaviour.commondatastorage.googleapis.com/000bdbb9556e3474630b36d57190d5dae719886a6cdecf824af6a456243ebf88_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775372160&Signature=wARiO6wRTZGhS9vOpI%2BvoWxpe55%2BBlHjfTVS2m1fsb3%2FyiqXoI5x8uRNh6fj6Qp6DpePIZAM2MHvDzi%2B5TT6VWKI4zyyc%2BeVp9gihB0djBnCJr%2BKCB18kdFNBE%2BicOTMmx5aJ1hSjWQcOBYm9PMkZ6%2BhLzxX3gxTMneBKGhh0ckFJRTRfM2gKMfEPrOQ6aVgfkTWJUR9FQYz5g2qKGSDh1CCNlEzXhO33BEPI9fN",
            "https://vtbehaviour.commondatastorage.googleapis.com/03a5d431bb42e7730a3ae3b3563cee73e7a782079cf56f57bad5fe665d261e54_SecneurX.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775372244&Signature=fXjnCgFbGybFp%2BCRO6a%2FQ3LKU2uLiKNtjgwKzprL3LFL%2BTMgup6nbp7%2F9Hxy8bnBzlFtSzO0fcnf%2FpIsNim0UdrINmB63N9mKkBW1cOkjxV88PAy2nsFZA3FjOEYq4N0lgc8gAtS5eRTt%2Bwb7WjEnd3QQ7aPLuoVl2hjed4hC8Cit6efcSD9GbJCITMeX4%2FVHBYSjmDr4Pgip9ANSZ6wvzkRktqPpC23Qwl62gkuXE%2BKp0s%2Bq%",
            "https://vtbehaviour.commondatastorage.googleapis.com/14116af49a976b71f7ddd760161a1d50328baa280ac2c9a1f9f3a8996a3929b6_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775372327&Signature=bhG0zZxkKhoz9temkLENxZsdN9KeMsxW4nt2II1lmaPLEGAhNM4EmX5e7z1UM9LLsnqrvuZBhQs7ZnBuwSpY5T8iiKIu2%2FfZ83pX1Tw8s%2Bn%2BfXlEl3jlhzXWewZ9i8ZlXd6YIeWETsAak1j93aNnJHB2IPoZn7VISupTj400x7E%2FSm0ilDz4zCCDAjz1eTp1N41HvmoviGQGwTSnjTW5oyBHDm8RglOnnNqcEsm6%2BkGBJToFomLsipvuVIz8",
            "https://vtbehaviour.commondatastorage.googleapis.com/39c58d0f868d4e8d1b959dce19d0bbcc57bb8b9b832f9efbe4e2244051237b95_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775372451&Signature=Dv9FcZuWlVKlY26EcoSmR4Kcb44tKDv4kyBrDOputdJDLMvfDX9%2Fs4Ss4cLURTdCso74wPUHQpcMVcyeGGK%2F3RwYbxXwJjMGGAJSCfCxIDRiL%2BLOQKY3M7zGyXrkpuwr5lQS4CaKp1LFajsxxwnKpd%2F5eXNMLqlyxh%2ByO3dJWTkY8WqNnnwnSjW0lqpwB9%2BBjgEdIeWsnMRqF0t4JQ8dJsmCbbTXmAKIEZ46Rpio044%2BrsqH",
            "https://vtbehaviour.commondatastorage.googleapis.com/539dc26a14b6277e87348594ab7d6e932d16aabb18612d77f29fe421a9f1d46a_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775372560&Signature=tXBHkUCyFp7E2Um%2FMUvRPbUvaQmYPeBV7KGbi%2Bssa%2FkYQyqgH4u8fy6h0A8bVbsyQMMPf2EEF2JkzkiD6SXcfLADGdVqHYQya%2F6s2Ox5QnOFkJSATlDdXCWVp%2F4wHxZHInIRcrBPZFjjYFQM0u7VYCEMtkMCS0pzld2nGLlcOuOXBFxGTQPy0A03dikBC4Yw4f%2BdiMLMxO0hxZSo9FxPq1ylB4gs57NBBniylVO4Qi%2BLzleU5",
            "https://vtbehaviour.commondatastorage.googleapis.com/0ab7fad77871a45137c9f2e40e3cbf47e3d71315f71c8eca9c8d62bc24a53184_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775372878&Signature=cLNwLw1L9ZCpQXZej7DaLTWH5w887X5wPnSpN1pwH2N4acSu8Llp25uprGRArg6qCuPbVQ2YPyIeCdwLCZvq%2FU0hP8m17ZPontiyR5zKb7jxcW57eEUuVnuSV9%2FnukwtPPJ%2BTY7a0%2B9rwSAU%2FL%2FJQ1yMke6VIX%2B%2F6KSWHgmLV%2F%2FR%2FbOxB0oZ4%2Fe%2Fsb2%2Fw12dZix7IY6c7wOj1OlWGQSkAZZsEoDw",
            "https://vtbehaviour.commondatastorage.googleapis.com/01f09136cb86f25635f91144946847d58c559228d50d9b84b0c021d4091b840b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775373052&Signature=U7haY6XsgyJ83G1vAOPLrLLS%2BaMP9xAKOlnzSb4I9clIBLt9Y8xzP4qjfBxbeUfdF6s%2B6dtg4dXzqTjrAYSC3XOTEEtHZeK4ePz5qfS9n%2FWNrOKQb30VBhfUNL5DYUCd3XSOPjIVlbRz9ylDpwApfVK2AMarGiLLlnKRDv7M0S63SkQx8eWyabXd2afPPy96ZGNZVZfOhw5llZiztL6mYo%2BVivlyFsDcodH9F4XrS%2FPsSLeJRx5d",
            "https://vtbehaviour.commondatastorage.googleapis.com/7605fa9aeaae25656c40a553534d35418cca40dc48023d0b3237b402361c6816_Dr.Web%20vxCube.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775373200&Signature=uMO8ESBCpu0oIIRS0CToWTN9KlOHyq4uWjWMjfdcUCGyliW%2FSy8KDIg6OMWLUQ6SBC45Jm0Mr%2FNV6m74hTSnpmGdVf6k6mA3QrTQwUMaMk2QbBLU1IwUG8wvylr6KXEqQYYCkZksYiZEyNm%2B2hKNvWtKFc%2BZlL7M12RBSER84%2FDRQlJnK6qbDW3DYX1tPsXxTynGj5YxQDlUqfWU8CjZtSAfUK%2Bw%2FoybwyMsJc68%2B01HQ",
            "https://vtbehaviour.commondatastorage.googleapis.com/7605fa9aeaae25656c40a553534d35418cca40dc48023d0b3237b402361c6816_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775373283&Signature=KIPnPqQCcifTzuRS43FhFyzCXei0rDK20JuVvXA3UkB%2Bj6R1a4SAH2sn%2BJO1ohLSxLswzbryMf81lr4eGQCMbr3Wwfwo7kHN1yHV4M187cNxRZlbZ4%2BzOZZgfWt3bJNLx2Z4%2B4aqarco7OzqkhcQizlq8frRttJQjcLcNxgWD3oV2QDxZxurniW%2BhRRUS%2Bv9uGXWIRhWYmbEA%2BaoQsvpX0AIeSUCn4qb%2Fh31hJe7JitkCE",
            "https://vtbehaviour.commondatastorage.googleapis.com/000007781f616194758c52c551ab2f198970675c9218eab9f1e4470f0a696e71_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775373373&Signature=mjvxt7z8ajbHZY%2BdL0G02pE7trUx7SkineLNrDSnq8FxmEuCuDdnNDWKdPawPb4w2NnK5HFkV3BAdTJrRNBxBceLP%2FevhdkmR4C%2BiZZ8pz9GBeqwl0l6oJMBga2ZHfKcA%2BxqQgP5r1zzN%2BZPMH0zxPdHYZA2WlzkfzPBDQcTEDdz8aTIaX%2BOP5JUo4gYjqxxxrdBLVGv0i54PedBqgFw5IRrPpdH%2FwlQGTLKQ%2BSjslq2d0",
            "https://vtbehaviour.commondatastorage.googleapis.com/39c58d0f868d4e8d1b959dce19d0bbcc57bb8b9b832f9efbe4e2244051237b95_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775373454&Signature=oXNg992chHQhOJxpI2XcWdFB%2FxJme1ol4iA4aOgaKWQcqa9WXsYlPcTANPmFkyrHIciosnksXEJrIAfFsjAYeEqG%2F7oPGCQLBILFHUhwZVcoJR9PgFwUsHBu%2FqiWSOifVPER4vpDL0gbsuNlU6gHT5aWRW%2BwoOwbHSIt5jj%2FJ3%2FxGDBAUaZrSuQurOM0Nb3qRhNN1NOTUj7mGTuUBXdtvnzCFLjxl3Kk6dYYFgmwhWI04P3JIB"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1010",
              "name": "Application Window Discovery",
              "display_name": "T1010 - Application Window Discovery"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            },
            {
              "id": "T1090",
              "name": "Proxy",
              "display_name": "T1090 - Proxy"
            },
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            },
            {
              "id": "T1014",
              "name": "Rootkit",
              "display_name": "T1014 - Rootkit"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1542",
              "name": "Pre-OS Boot",
              "display_name": "T1542 - Pre-OS Boot"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 72,
            "FileHash-MD5": 56,
            "FileHash-SHA1": 27,
            "FileHash-SHA256": 113,
            "domain": 19,
            "hostname": 89
          },
          "indicator_count": 376,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 67,
          "modified_text": "26 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "69d1e6ce077c5cf8496fa302",
          "name": "CAPE Sandbox",
          "description": "",
          "modified": "2026-05-05T04:12:57.309000",
          "created": "2026-04-05T04:36:30.538000",
          "tags": [
            "time",
            "request header",
            "host",
            "windows nt",
            "win64",
            "khtml",
            "gecko",
            "acceptencoding",
            "accept",
            "response header",
            "date",
            "dword",
            "malware",
            "settings",
            "first counter",
            "default",
            "mbisslshort",
            "bearer",
            "mwdb",
            "bazaar",
            "sha3384",
            "ssdeep",
            "file size",
            "bridge",
            "info",
            "agent",
            "shutdown",
            "root"
          ],
          "references": [
            "https://vtbehaviour.commondatastorage.googleapis.com/03a5d431bb42e7730a3ae3b3563cee73e7a782079cf56f57bad5fe665d261e54_SecneurX.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775363662&Signature=Tb8lvDZ68jjF2NK2JHjGnbiQU0CMN6YW3je3jpljK7OVsGRWX1LnhaGZlf6odMBfrpxaxZw%2BWzDkww75LB%2BADvpT9Xv0msqXikUiwwQe5VdtWh5VPTKc%2B%2BguXjCV3aKkhOAH2IyxYXhJ9bdfnc2BrxnksuvBxrk1dxGITo7d3UQk%2Fva7WWsUVJ%2BmU8mN%2FtKaGLCwcq7VdiqnC6Eg0g4EVMh1778azV8silgLjwHNsPTUCAg2zyROda",
            "https://vtbehaviour.commondatastorage.googleapis.com/03a5d431bb42e7730a3ae3b3563cee73e7a782079cf56f57bad5fe665d261e54_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775363951&Signature=oqtwIJblsSOTE5uJIegeSNPrf62ZPoDH59%2FW8iBG9vqCrR3VsyJAXXj1ZonKOO9FUzFmVhNEPhCds5p0mfETuLN7FXdTJedgO2RCoL%2F5Cl6lMWxcsJfQDtslHFW3X07r6%2F82tCBq4PwlUQPQwbqnscNE%2FYRLEdiLZdjM4Fq8nFQG%2BOgC9iHeyKoQR9TOnBE3VYI2YChpkUlJbeYYQJaPm8qPrIetztmBEUDYx2ObcFktYfyhqvwP"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 79,
            "FileHash-MD5": 251,
            "FileHash-SHA1": 31,
            "FileHash-SHA256": 41,
            "domain": 13,
            "hostname": 89
          },
          "indicator_count": 504,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 67,
          "modified_text": "26 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "69d1e6ce33e21ce9229830d7",
          "name": "CAPE Sandbox",
          "description": "",
          "modified": "2026-05-05T04:12:57.309000",
          "created": "2026-04-05T04:36:30.329000",
          "tags": [
            "time",
            "request header",
            "host",
            "windows nt",
            "win64",
            "khtml",
            "gecko",
            "acceptencoding",
            "accept",
            "response header",
            "date",
            "dword",
            "malware",
            "settings",
            "first counter",
            "default",
            "mbisslshort",
            "bearer",
            "mwdb",
            "bazaar",
            "sha3384",
            "ssdeep",
            "file size",
            "bridge",
            "info",
            "agent",
            "shutdown",
            "root"
          ],
          "references": [
            "https://vtbehaviour.commondatastorage.googleapis.com/03a5d431bb42e7730a3ae3b3563cee73e7a782079cf56f57bad5fe665d261e54_SecneurX.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775363662&Signature=Tb8lvDZ68jjF2NK2JHjGnbiQU0CMN6YW3je3jpljK7OVsGRWX1LnhaGZlf6odMBfrpxaxZw%2BWzDkww75LB%2BADvpT9Xv0msqXikUiwwQe5VdtWh5VPTKc%2B%2BguXjCV3aKkhOAH2IyxYXhJ9bdfnc2BrxnksuvBxrk1dxGITo7d3UQk%2Fva7WWsUVJ%2BmU8mN%2FtKaGLCwcq7VdiqnC6Eg0g4EVMh1778azV8silgLjwHNsPTUCAg2zyROda",
            "https://vtbehaviour.commondatastorage.googleapis.com/03a5d431bb42e7730a3ae3b3563cee73e7a782079cf56f57bad5fe665d261e54_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775363951&Signature=oqtwIJblsSOTE5uJIegeSNPrf62ZPoDH59%2FW8iBG9vqCrR3VsyJAXXj1ZonKOO9FUzFmVhNEPhCds5p0mfETuLN7FXdTJedgO2RCoL%2F5Cl6lMWxcsJfQDtslHFW3X07r6%2F82tCBq4PwlUQPQwbqnscNE%2FYRLEdiLZdjM4Fq8nFQG%2BOgC9iHeyKoQR9TOnBE3VYI2YChpkUlJbeYYQJaPm8qPrIetztmBEUDYx2ObcFktYfyhqvwP"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 80,
            "FileHash-MD5": 251,
            "FileHash-SHA1": 31,
            "FileHash-SHA256": 41,
            "domain": 13,
            "hostname": 89
          },
          "indicator_count": 505,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 67,
          "modified_text": "26 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "69cd260f166927294ceac113",
          "name": "CAPE Sandbox",
          "description": "A security alert has been issued by the UK government over the weekend, with the result of a malicious web address being sent to a member of the public via an address address linked tolinkedin.<<<pretext",
          "modified": "2026-05-01T14:30:53.370000",
          "created": "2026-04-01T14:05:03.015000",
          "tags": [
            "time",
            "request header",
            "host",
            "windows nt",
            "win64",
            "khtml",
            "gecko",
            "acceptencoding",
            "accept",
            "response header",
            "date",
            "dword",
            "malware",
            "settings",
            "first counter",
            "default",
            "mbisslshort",
            "bearer",
            "mwdb",
            "bazaar",
            "sha3384",
            "ssdeep",
            "file size",
            "bridge",
            "info",
            "agent",
            "shutdown",
            "root",
            "trusted insider",
            "verizon"
          ],
          "references": [
            "https://vtbehaviour.commondatastorage.googleapis.com/03a5d431bb42e7730a3ae3b3563cee73e7a782079cf56f57bad5fe665d261e54_SecneurX.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775052326&Signature=EwzqMFG4Bx4ptKj%2BUPzOPRE6Qw6H4prXiFDRHz53VujBI4Qp%2FChlOM99GkqSy2RrjDX7KqOvWAD1T%2FElJsNdQnvqWJWFa%2FQJVZ4OVf178twMrqL4i1kGM5j24ubnFhYXkL0qNzyI1cWOtVVaVeG2Z2VQEMBcOS%2BONZRvlii2EKaJYYatE1AR1BfvODpofyrMbJXtpOCG1qNJ4RjHY8F3kkWoBPLxqY71e4qLZkgXVqIe9bqy4Bnf57AVqd",
            "https://vtbehaviour.commondatastorage.googleapis.com/03a5d431bb42e7730a3ae3b3563cee73e7a782079cf56f57bad5fe665d261e54_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775052384&Signature=bXWASH%2FPy0xlusWzJvXu%2BHqzMkXxPsi2vPSccyzBwu5T9wUAziv58Ff40CcQ2rnFCnTZ2jCl0OmxLzttA7UQB%2BV37XmURNN1wKCT8EjP5jG8G1NzmXhj7kLy%2FibMwbmPEWNes7Tfmd81O8NXB2BhWT7YwM1u3Se2BZ81AVpLDs2SNOaN6rm7BOdZbszJ35xoAvf0nVYX5ZJ4hg72DrQaksf9fCJGECHhJkdJ8%2BRUVVqNLkYjkwDk"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 79,
            "FileHash-MD5": 251,
            "FileHash-SHA1": 31,
            "FileHash-SHA256": 41,
            "domain": 13,
            "hostname": 88
          },
          "indicator_count": 503,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 66,
          "modified_text": "30 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "69cd26033d4ca1985ca61d9e",
          "name": "CAPE Sandbox",
          "description": "A security alert has been issued by the UK government over the weekend, with the result of a malicious web address being sent to a member of the public via an address address linked tolinkedin.<<<pretext",
          "modified": "2026-05-01T14:30:53.370000",
          "created": "2026-04-01T14:04:51.933000",
          "tags": [
            "time",
            "request header",
            "host",
            "windows nt",
            "win64",
            "khtml",
            "gecko",
            "acceptencoding",
            "accept",
            "response header",
            "date",
            "dword",
            "malware",
            "settings",
            "first counter",
            "default",
            "mbisslshort",
            "bearer",
            "mwdb",
            "bazaar",
            "sha3384",
            "ssdeep",
            "file size",
            "bridge",
            "info",
            "agent",
            "shutdown",
            "root",
            "trusted insider",
            "verizon"
          ],
          "references": [
            "https://vtbehaviour.commondatastorage.googleapis.com/03a5d431bb42e7730a3ae3b3563cee73e7a782079cf56f57bad5fe665d261e54_SecneurX.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775052326&Signature=EwzqMFG4Bx4ptKj%2BUPzOPRE6Qw6H4prXiFDRHz53VujBI4Qp%2FChlOM99GkqSy2RrjDX7KqOvWAD1T%2FElJsNdQnvqWJWFa%2FQJVZ4OVf178twMrqL4i1kGM5j24ubnFhYXkL0qNzyI1cWOtVVaVeG2Z2VQEMBcOS%2BONZRvlii2EKaJYYatE1AR1BfvODpofyrMbJXtpOCG1qNJ4RjHY8F3kkWoBPLxqY71e4qLZkgXVqIe9bqy4Bnf57AVqd",
            "https://vtbehaviour.commondatastorage.googleapis.com/03a5d431bb42e7730a3ae3b3563cee73e7a782079cf56f57bad5fe665d261e54_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775052384&Signature=bXWASH%2FPy0xlusWzJvXu%2BHqzMkXxPsi2vPSccyzBwu5T9wUAziv58Ff40CcQ2rnFCnTZ2jCl0OmxLzttA7UQB%2BV37XmURNN1wKCT8EjP5jG8G1NzmXhj7kLy%2FibMwbmPEWNes7Tfmd81O8NXB2BhWT7YwM1u3Se2BZ81AVpLDs2SNOaN6rm7BOdZbszJ35xoAvf0nVYX5ZJ4hg72DrQaksf9fCJGECHhJkdJ8%2BRUVVqNLkYjkwDk"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 79,
            "FileHash-MD5": 251,
            "FileHash-SHA1": 31,
            "FileHash-SHA256": 41,
            "domain": 13,
            "hostname": 88
          },
          "indicator_count": 503,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 66,
          "modified_text": "30 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "69cd2453535ddbc214f9f14e",
          "name": "VirusTotal report\n                    for document.html",
          "description": "A security alert has been issued over the weekend, with links to the linkedin.com website being linked to a security breach dating back to 1970. and the first of its kind in the UK.",
          "modified": "2026-05-01T14:30:53.370000",
          "created": "2026-04-01T13:57:39.026000",
          "tags": [
            "file type",
            "spawns",
            "https",
            "urls",
            "mitre attack",
            "network info",
            "malicious",
            "ascii text",
            "creates",
            "found",
            "phishing",
            "next",
            "time",
            "request header",
            "host",
            "windows nt",
            "win64",
            "khtml",
            "gecko",
            "acceptencoding",
            "accept",
            "response header",
            "path"
          ],
          "references": [
            "https://vtbehaviour.commondatastorage.googleapis.com/644031a68bde879af85bcc9cb3e6fa1e9a6b0f61d49307581974b5dbc09d3de8_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775051777&Signature=GZlu6DPN6v98tQo25y0w35JRTEJsBkTkPLCQXMwbY176auYdg37%2BQIH9jW5Wh4nYP8f6x5qDbT8ZRIrB%2F96cNxUefW8t5sDbBJCeNdsv9V8E4wYdpc7CBgWCor2MyxnMXcxHpOmCSm6wJbTfHBXSyUc4wjlxVdCTO1HagMSjZd3NdM4v03ffHl6LHo7%2F489GG%2F0zDmAfW0%2FiRbo%2BvTafEPW%2F6U23SdWnNFliaiQc9322wEBIipDEgFtt",
            "https://vtbehaviour.commondatastorage.googleapis.com/644031a68bde879af85bcc9cb3e6fa1e9a6b0f61d49307581974b5dbc09d3de8_SecneurX.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775051972&Signature=yYtfMjbzEmeyxRDO6eroUm%2FGh1NSAK3rD42UZEkTrX5h37NifJZ2K0WMJrux%2BcsrnR2Q5bIMs0HvMko%2BkDcC%2FsC4aXHIwkfRwv%2B7sXalRONuRPyS04YJ7NLS7LOp9%2FJ%2B%2Fwr0pR6MJ%2BKk96cKBP8wRR%2FwG%2Bl8Vf8YWHaP5QmY9c2Xz%2FlCc886XMqqgIGd84UaXsgrCTJ%2B18x90esVg0VGP94wCuOZOztw%2FyPeWTLW"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1046",
              "name": "Network Service Scanning",
              "display_name": "T1046 - Network Service Scanning"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 14,
            "FileHash-SHA1": 5,
            "FileHash-SHA256": 23,
            "URL": 54,
            "hostname": 20,
            "domain": 13
          },
          "indicator_count": 129,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 66,
          "modified_text": "30 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "6992bae83a5988dff8311490",
          "name": "Distributed Credential Exhaustion & C2 Orchestration via Golang-Based StealthWorker (ELF.Agent-VW)",
          "description": "Researcher credit: msudosos, level blue platform----\nThis artifact represents a high-integrity StealthWorker (GoBrut) botnet agent, architected as a statically linked, stripped 32-bit ELF binary to ensure cross-platform environmental independence. The sample utilizes XOR 0x20-encoded JavaScript payloads and String.fromCharCode obfuscation to mask its internal logic and bypass heuristic-based memory scanners. [User Notes] Its operational core is a multi-threaded service bruter targeting SSH, MySQL, and CMS backends, leveraging a massive infrastructure of 1,834 domains and 797 unique IPv4 endpoints for decentralized Command & Control (C2). Network telemetry confirms the use of ICMP and HTTP-based beaconing, indicating a sophisticated retry logic designed to maintain persistence across diverse network topologies. With a malicious file score of 10, this binary serves as a primary vector for large-scale credential harvesting and the subsequent integration of Linux infrastructure into global botnet clusters.",
          "modified": "2026-04-24T13:20:48.450000",
          "created": "2026-02-16T06:36:24.788000",
          "tags": [
            "Obfuscation: XOR-based String Encryption (0x20)",
            "T1110.001 (Brute Force: Password Guessing)",
            "Primary Hash (SHA256): cd3989830da99a69380901769fd78902efb3cd8ba",
            "MD5 Hash: f8add7e7161460ea2b1970cf4ca535bf",
            "#PotentialUS-Origin_FalseFlag_Obfuscation"
          ],
          "references": [
            "Primary Hash (SHA256): cd3989830da99a69380901769fd78902efb3cd8ba5c9390e94bd4333b7fad186",
            "Obfuscation: XOR-based String Encryption (0x20)",
            "T1110.001 (Brute Force: Password Guessing)",
            "This ELF 32-bit LSB artifact is a sophisticated GoBrut/StealthWorker agent, compiled via Golang 1.10 and stripped to obfuscate its high-velocity service-bruting logic. VirusTotal confirms a critical threat profile with 44/65 security vendors flagging the file, which leverages a unique Go BuildID (nGYES3pajdOm...) and a Telfhash (t1f303a0...) for architectural fingerprinting. The binary orchestrates decentralized Command and Control (C2) through an expansive infrastructure of 797 unique IPs and 1,834 domains",
            "Pivot-Ready Indicators (IOCs) Go BuildID: nGYES3pajdOmKy1i6Ghh/KO9ydOtZpXtoKtB0KHE-/iisNoniHgTbj_cV6M-uk/XmMYzkBiZs8NXMRZYTiT Telfhash: t1f303a0b3055d54e8b7f08907c7af7624cef6e0f726d078f169e278d09a72c826626874 Imphash: 9698f46495ce9401c8bcaf9a2afe1598 Vhash: 1e53f1a1b59ecb93f821c74b25d81e9f",
            "Researcher msudosos posits a strategic exploitation of Root Certificate Validation Failures, where the adversary leverages an expired trust chain to bypass heuristic security filters and establish persistence.",
            "his technique allows the GoBrut/StealthWorker agent to circumvent automated revocation checks, enabling its decentralized C2 infrastructure to recruit Linux hosts via high-velocity credential exhaustion.",
            "The local environment exhibits advanced telemetry suppression within specialized skim memory regions, effectively neutralizing standard DMARC validation and Microsoft-integrated defensive protocols.",
            "By maintaining a hollowed root posture, the sample facilitates persistent, low-signal synchronization with external cloud infrastructure while bypassing traditional heuristic trust-chain verification.",
            "The domain prioritywirreles.com (registered via NAMECHEAP INC) shows a 4/93 detection ratio, confirming it is a live but \"low-noise\" C2 node used to avoid broad-spectrum blacklisting",
            "",
            "The environment leverages prioritywirreles.com as a high-fidelity DGA-derived C2 node, utilizing its historical resolution to Russian-hosted IP space (194.61.24.231) to maintain persistent Stealthworker botnet synchronization.",
            "By operating through WhoisGuard-protected infrastructure and exploiting XOR 0x20 obfuscation, the adversary effectively suppresses telemetry into skim space, successfully bypassing DMARC and Microsoft-integrated trust-chain validation.",
            "The pivot from cd398983... to this domain confirms a multi-year campaign (2019\u20132023) utilizing Namecheap-registered infrastructure to orchestrate wide-scale T1110.001 brute-force operations while bypassing standard PKI expiration checks.",
            "LBresearcher: msudosos notes: The campaign's use of T1110.001 (Password Guessing) is specifically tuned to exhaust credentials across SSH, MySQL, and CMS backends, effectively recruiting server infrastructure into a global \"zombie\" network.",
            "LBresearcher: msudosos notes: The threat actor maintains operational longevity by rotating through WhoisGuard-protected nodes like prioritywirreles.com, which historically resolved to Russian-hosted IP space (194.61.24.231) to obfuscate its origin.",
            "LBresearcher: msudosos notes: By exploiting Root Certificate Validation Failures, the StealthWorker (GoBrut) agent ensures that its 32-bit ELF binaries bypass the automated reputation checks enforced by major cloud providers.",
            "Monitor DGA Shifts: Track new domains registered through NAMECHEAP INC using the current WhoisGuard patterns to identify the next cluster before it goes active. Analyze Telfhash Clusters: Use the Telfhash (t1f303a0...) to pivot and find if the adversary has updated to 64-bit ELF or ARM architectures. Harden DMARC: Ensure your environment moves from \"p=none\" to \"p=reject\" to mitigate the internal spoofing loops exploited by this botnet's telemetry suppression.",
            "Persistent C2 Orchestration: This ELF:Agent-VW variant serves as a critical GoBrut node, utilizing XOR 0x20 obfuscation and ICMP/HTTP beaconing to maintain a persistent link across 1,834 domains and 797 unique IPs",
            "Researcher msudosos: This activity appears to facilitate a preliminary reconnaissance phase, possibly utilizing system commands to query /proc/cpuinfo and /proc/version for architectural profiling purposes.",
            "Researcher msudosos suggests the VirusTotal (Tencent HABO) behavior report may indicate a potential execution path from volatile storage at /tmp/EB93A6/996E.elf.",
            "Msudosos Regional Notes: While historical pivots show Russian-hosted nodes, the current dual-origin telemetry\u2014dominated by 181 United States-based endpoints\u2014strongly suggests a domestic-aligned adversary leveraging global 'grey space' to obfuscate its operational core. This massive US-centric footprint (exceeding all other regions combined) reinforces the theory of a false-flag orchestration designed to divert attribution toward foreign infrastructure while abusing legitimate Western-hosted trust chains.",
            "WHOIS data anchors administrative and technical operations for prioritywirreles.com in Los Angeles, CA (90064) via Namecheap infrastructure. Following its 2020 expiration, the domain has transitioned into redemptionPeriod/pendingDelete status, signaling the formal decommissioning of this C2 asset."
          ],
          "public": 1,
          "adversary": "StealthWorker/GoBrut (The adversary demonstrates advanced telemetry suppression within specialized s",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Malware Family: StealthWorker / GoBrut",
              "display_name": "Malware Family: StealthWorker / GoBrut",
              "target": "/malware/Malware Family: StealthWorker / GoBrut"
            },
            {
              "id": "MD5 Hash: f8add7e7161460ea2b1970cf4ca535bf",
              "display_name": "MD5 Hash: f8add7e7161460ea2b1970cf4ca535bf",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1001",
              "name": "Data Obfuscation",
              "display_name": "T1001 - Data Obfuscation"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 5,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 2166,
            "FileHash-SHA1": 2067,
            "FileHash-SHA256": 3371,
            "domain": 13295,
            "URL": 6860,
            "email": 272,
            "hostname": 4705,
            "SSLCertFingerprint": 268,
            "CVE": 108,
            "CIDR": 6
          },
          "indicator_count": 33118,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 82,
          "modified_text": "37 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "69afa09e29202dbe523711cd",
          "name": "How much more do you need.",
          "description": "",
          "modified": "2026-04-09T04:21:15.538000",
          "created": "2026-03-10T04:39:58.187000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 84,
            "URL": 74,
            "FileHash-MD5": 70,
            "FileHash-SHA1": 29,
            "FileHash-SHA256": 152,
            "hostname": 224
          },
          "indicator_count": 633,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 66,
          "modified_text": "52 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "69a55b7d676fe8ba16c0eec0",
          "name": "192.196.0.115",
          "description": "bruteforce",
          "modified": "2026-04-01T09:17:38.908000",
          "created": "2026-03-02T09:42:21.847000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CIDR": 1,
            "URL": 49,
            "FileHash-SHA256": 157,
            "email": 2,
            "hostname": 74,
            "domain": 119,
            "FileHash-SHA1": 62,
            "FileHash-MD5": 60,
            "CVE": 1
          },
          "indicator_count": 525,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 66,
          "modified_text": "60 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "69bf64eccb5d39a90a3c391e",
          "name": "Spam \u201cBroken Seal\u201d DocuSign-themed Delivery w/Fileless Process Hollowing (Zeppelin/Bloat-A) by msudosos",
          "description": "",
          "modified": "2026-03-27T00:30:39.055000",
          "created": "2026-03-22T03:41:32.565000",
          "tags": [
            "Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi",
            "9698f46495ce9401c8bcaf9a2afe1598",
            "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)",
            "MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71",
            "Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3",
            "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link",
            "DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)"
          ],
          "references": [
            "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.",
            "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)",
            "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.",
            "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure",
            "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess",
            "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.",
            "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.",
            "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)",
            "Verification failure observed in automated verification handlers during sandbox replay.",
            "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.",
            "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.",
            "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.",
            "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.",
            "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).",
            "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.",
            "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.",
            "Whitelisted IP Address 204.79.197.212 Location  United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. ,  ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc.,   Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 ,  5943 ,  80211 ,  #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf ,  The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat",
            "",
            "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "China",
            "United States of America",
            "Spain",
            "Japan",
            "Canada"
          ],
          "malware_families": [],
          "attack_ids": [],
          "industries": [
            "Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In"
          ],
          "TLP": "green",
          "cloned_from": "698e93e1ab02db8c49e8c3ed",
          "export_count": 4,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 27572,
            "FileHash-SHA256": 46076,
            "FileHash-MD5": 42177,
            "FileHash-SHA1": 22874,
            "hostname": 33438,
            "URL": 74810,
            "SSLCertFingerprint": 21,
            "CVE": 7579,
            "email": 297,
            "FileHash-IMPHASH": 8,
            "CIDR": 26203,
            "JA3": 1
          },
          "indicator_count": 281056,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 152,
          "modified_text": "66 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "69bf64e1d5e06aa6207f78de",
          "name": "Spam \u201cBroken Seal\u201d DocuSign-themed Delivery w/Fileless Process Hollowing (Zeppelin/Bloat-A) by msudosos",
          "description": "",
          "modified": "2026-03-27T00:30:39.055000",
          "created": "2026-03-22T03:41:21.863000",
          "tags": [
            "Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi",
            "9698f46495ce9401c8bcaf9a2afe1598",
            "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)",
            "MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71",
            "Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3",
            "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link",
            "DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)"
          ],
          "references": [
            "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.",
            "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)",
            "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.",
            "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure",
            "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess",
            "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.",
            "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.",
            "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)",
            "Verification failure observed in automated verification handlers during sandbox replay.",
            "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.",
            "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.",
            "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.",
            "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.",
            "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).",
            "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.",
            "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.",
            "Whitelisted IP Address 204.79.197.212 Location  United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. ,  ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc.,   Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 ,  5943 ,  80211 ,  #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf ,  The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat",
            "",
            "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "China",
            "United States of America",
            "Spain",
            "Japan",
            "Canada"
          ],
          "malware_families": [],
          "attack_ids": [],
          "industries": [
            "Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In"
          ],
          "TLP": "green",
          "cloned_from": "698e93e1ab02db8c49e8c3ed",
          "export_count": 3,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 27572,
            "FileHash-SHA256": 46076,
            "FileHash-MD5": 42177,
            "FileHash-SHA1": 22874,
            "hostname": 33438,
            "URL": 74810,
            "SSLCertFingerprint": 21,
            "CVE": 7579,
            "email": 297,
            "FileHash-IMPHASH": 8,
            "CIDR": 26203,
            "JA3": 1
          },
          "indicator_count": 281056,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 149,
          "modified_text": "66 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "687d18de7177474b759ab2b7",
          "name": "SoundCloud - Hear the world\u2019s sounds",
          "description": "Social engineering included lots of contact via Facebook, Twitter, SoundCloud, Victims website, iCloud.. iCloud was erased and the hacker left the man \u2018deadmau5\u2018 .  deadmau5 was used threatening posts emails and whoever they are sent photos and became overly interested in victims music. 1st to report music was not showing up on YouTube. Statements show victim had millions of views redirected. Hackers would often thank artistss for another million views. Songs pirated. Jansky on SoundCloud contacted victims daughter often, sent a photo and said he was from Great Britain. \n\u2022 ALFPER:PUA:Win32/InstallCore\n\u2022 TrojanDropper:Win32/VB.IL\n\u2022 Win.Trojan.Agent-\n|| blog.jpcert.or.jp \n\n\u2022 Registrant Org: Japan Computer Emergency Response Team Coordination Center\n\nI feel like this is very dangerous. These people are in Colorado no matter where they say they are.",
          "modified": "2025-08-19T14:03:11.976000",
          "created": "2025-07-20T16:27:10.608000",
          "tags": [
            "read c",
            "search",
            "medium",
            "entries",
            "show",
            "unicode",
            "tls handshake",
            "memcommit",
            "delete",
            "crlf line",
            "next",
            "dock",
            "write",
            "execution",
            "malware",
            "copy",
            "no expiration",
            "filehashmd5",
            "filehashsha256",
            "showing",
            "urls",
            "passive dns",
            "http",
            "unique",
            "l add",
            "pulse pulses",
            "ip address",
            "related nids",
            "files location",
            "united",
            "code",
            "present jul",
            "present showing",
            "title error",
            "date checked",
            "url hostname",
            "server response",
            "google safe",
            "results jul",
            "next associated",
            "files show",
            "win32",
            "date",
            "urls show",
            "error",
            "creation date",
            "name servers",
            "value emails",
            "name eric",
            "wahlforss name",
            "org soundcloud",
            "city berlin",
            "country de",
            "dnssec unsigned",
            "files",
            "verdict",
            "domain",
            "files ip",
            "address",
            "location united",
            "asn as16509",
            "less",
            "results nov",
            "associated urls",
            "results jan",
            "present feb",
            "related tags",
            "none indicator",
            "facts domain",
            "present",
            "akamai external",
            "resources whois",
            "urlvoid",
            "related",
            "png image",
            "rgba",
            "alfper",
            "ipv4 add",
            "trojandropper",
            "present may",
            "present jun",
            "cname",
            "emails",
            "status",
            "servers",
            "less whois",
            "body",
            "fastly error",
            "please",
            "sea p",
            "america flag",
            "america asn",
            "trojan",
            "accept",
            "url add",
            "ip related",
            "pulses none",
            "cdhc",
            "oxq xr8w1",
            "fv5hc9a2l",
            "s showing",
            "next related",
            "domains domain",
            "script urls",
            "present sep",
            "cookie",
            "hostname add"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1119",
              "name": "Automated Collection",
              "display_name": "T1119 - Automated Collection"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1143",
              "name": "Hidden Window",
              "display_name": "T1143 - Hidden Window"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 11,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 6020,
            "hostname": 1865,
            "FileHash-SHA256": 676,
            "FileHash-MD5": 106,
            "FileHash-SHA1": 86,
            "domain": 990,
            "email": 5
          },
          "indicator_count": 9748,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 141,
          "modified_text": "285 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "687d18d829739be014393c59",
          "name": "SoundCloud - Hear the world\u2019s sounds",
          "description": "Social engineering included lots of contact via Facebook, Twitter, SoundCloud, Victims website, iCloud.. iCloud was erased and the hacker left the man \u2018deadmau5\u2018 .  deadmau5 was used threatening posts emails and whoever they are sent photos and became overly interested in victims music. 1st to report music was not showing up on YouTube. Statements show victim had millions of views redirected. Hackers would often thank artistss for another million views. Songs pirated. Jansky on SoundCloud contacted victims daughter often, sent a photo and said he was from Great Britain. \n\u2022 ALFPER:PUA:Win32/InstallCore\n\u2022 TrojanDropper:Win32/VB.IL\n\u2022 Win.Trojan.Agent-\n|| blog.jpcert.or.jp \n\n\u2022 Registrant Org: Japan Computer Emergency Response Team Coordination Center\n\nI feel like this is very dangerous. These people are in Colorado no matter where they say they are.",
          "modified": "2025-08-19T14:03:11.976000",
          "created": "2025-07-20T16:27:04.872000",
          "tags": [
            "read c",
            "search",
            "medium",
            "entries",
            "show",
            "unicode",
            "tls handshake",
            "memcommit",
            "delete",
            "crlf line",
            "next",
            "dock",
            "write",
            "execution",
            "malware",
            "copy",
            "no expiration",
            "filehashmd5",
            "filehashsha256",
            "showing",
            "urls",
            "passive dns",
            "http",
            "unique",
            "l add",
            "pulse pulses",
            "ip address",
            "related nids",
            "files location",
            "united",
            "code",
            "present jul",
            "present showing",
            "title error",
            "date checked",
            "url hostname",
            "server response",
            "google safe",
            "results jul",
            "next associated",
            "files show",
            "win32",
            "date",
            "urls show",
            "error",
            "creation date",
            "name servers",
            "value emails",
            "name eric",
            "wahlforss name",
            "org soundcloud",
            "city berlin",
            "country de",
            "dnssec unsigned",
            "files",
            "verdict",
            "domain",
            "files ip",
            "address",
            "location united",
            "asn as16509",
            "less",
            "results nov",
            "associated urls",
            "results jan",
            "present feb",
            "related tags",
            "none indicator",
            "facts domain",
            "present",
            "akamai external",
            "resources whois",
            "urlvoid",
            "related",
            "png image",
            "rgba",
            "alfper",
            "ipv4 add",
            "trojandropper",
            "present may",
            "present jun",
            "cname",
            "emails",
            "status",
            "servers",
            "less whois",
            "body",
            "fastly error",
            "please",
            "sea p",
            "america flag",
            "america asn",
            "trojan",
            "accept",
            "url add",
            "ip related",
            "pulses none",
            "cdhc",
            "oxq xr8w1",
            "fv5hc9a2l",
            "s showing",
            "next related",
            "domains domain",
            "script urls",
            "present sep",
            "cookie",
            "hostname add"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1119",
              "name": "Automated Collection",
              "display_name": "T1119 - Automated Collection"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1143",
              "name": "Hidden Window",
              "display_name": "T1143 - Hidden Window"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 11,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 6020,
            "hostname": 1865,
            "FileHash-SHA256": 676,
            "FileHash-MD5": 106,
            "FileHash-SHA1": 86,
            "domain": 990,
            "email": 5
          },
          "indicator_count": 9748,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 142,
          "modified_text": "285 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "66e94760a415fb970ab2dfdd",
          "name": "Pornhub Api connected to Targets phone via Remote Telegram  install",
          "description": "Cyber attack named 'Project Endgame' by threat actors ||  Cyber criminal IMMEDIATELY remotely accessed targets device when it was new from manufacturer. Remote installation of telegram app, installed pornhub. Dumping, making all types of pornography appear to come from targets and associated persons devices. It's never ending. || Win32:PWSX-gen\\ [Trj]\n#Lowfi:HSTR:Win32/Exprio\nALF:Trojan:BAT/EnvVarCharReplacement\nBackdoor:Win32/Tofsee\nTrojan:Win32/Azorult\nTrojan:Win32/Danabot\nTrojan:Win32/Eqtonex\nTrojan:Win32/Meredrop\nTrojanDownloader:Win32/Tofsee\nVirTool:Win32/Obfuscator\nWin.Dropper.Tofsee-10023347-0",
          "modified": "2024-10-17T08:04:26.924000",
          "created": "2024-09-17T09:09:52.842000",
          "tags": [
            "all scoreblue",
            "contacted",
            "telegram",
            "pornhub",
            "hostname",
            "domain",
            "iocs",
            "pdf report",
            "pcap",
            "stix",
            "openioc",
            "ck t1003",
            "os credential",
            "dumping t1005",
            "local system",
            "t1012",
            "registry t1018",
            "remote system",
            "discovery t1027",
            "files",
            "t1053",
            "whitelisted",
            "agent",
            "as13414 twitter",
            "as14061",
            "as15169 google",
            "as16552",
            "as16276",
            "as19679 dropbox",
            "as22612",
            "as25019",
            "as32934",
            "as35680",
            "as62597",
            "as54113",
            "as397241",
            "as397240",
            "nsone as63949",
            "as35819",
            "china unknown",
            "chrome",
            "code",
            "as16552 tiggee",
            "as2914 ntt",
            "as25019 saudi",
            "asnone hong",
            "as63949 linode",
            "as7303 telecom",
            "as8151",
            "as9318 sk",
            "asn as13414",
            "asn as48684",
            "cookie",
            "encrypt",
            "endgame",
            "emails",
            "cryp",
            "delphi",
            "dynamicloader",
            "dns",
            "grum",
            "germany unknown",
            "gmt max",
            "connection",
            "dns resolutions",
            "porn",
            "regsz",
            "langgeorgian",
            "sublangdefault",
            "rticon",
            "english",
            "regsetvalueexa",
            "regdword",
            "medium",
            "t1055",
            "win32",
            "malware",
            "copy",
            "updater",
            "generic",
            "delete c",
            "yara rule",
            "high",
            "search",
            "ms windows",
            "tofsee",
            "show",
            "windows",
            "russia as49505",
            "united",
            "grum",
            "write",
            "query",
            "contacted",
            "installs",
            "stream",
            "unknown",
            "as46606",
            "passive dns",
            "date",
            "scan endpoints",
            "pulse pulses",
            "urls",
            "as8151",
            "mexico unknown",
            "saudi arabia",
            "as25019 saudi",
            "china unknown",
            "as7303 telecom",
            "hungary unknown",
            "trojan",
            "msie",
            "body",
            "ransom",
            "icmp traffic",
            "pdb path",
            "filehash",
            "url http",
            "http",
            "address",
            "russia unknown",
            "privacy tools",
            "as396982 google",
            "as57416 llc",
            "div div",
            "span h3",
            "span div",
            "h3 p",
            "as24940 hetzner",
            "face",
            "delete",
            "yara detections",
            "sinkhole cookie",
            "value snkz",
            "pe32",
            "suspicious",
            "possible",
            "as56864 xeon",
            "ipv4",
            "pulse submit",
            "url analysis",
            "ip address",
            "location united",
            "next",
            "germany unknown",
            "method",
            "allowed server",
            "content length",
            "content type",
            "cookie",
            "registrar abuse",
            "explorer",
            "files matching",
            "homepage",
            "hungary unknown",
            "installs ip",
            "installs",
            "ip",
            "link",
            "mexico unknown",
            "pegasus",
            "operation endgame",
            "public key",
            "ransom",
            "twitter redirect",
            "Kong unknown",
            "script urls",
            "servers",
            "updater",
            "united kingdom unknown",
            "unique",
            "ukraine unknown",
            "trojan features",
            "trojan",
            "tofsee",
            "title telegram",
            "tags twitter",
            "twitter",
            "tags",
            "sublangdefault"
          ],
          "references": [
            "Pornhub.com | Telegram https://t.me/login/36861 | loopprojects.t.me",
            "Cookie : stel_ssid b86d14460f22d8fea8_13386273115952986987",
            "www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process",
            "https://www.pornhub.com/video/search?search=tsara+brashears",
            "ads.pornhub.com | ams-v61.pornhub.com | api-stage.pornhub.com",
            "api-stage.pornhub.com | abtesting.pornhub.com | pornhub.com | cms-stage20.pornhub.com | imgs.pornhub.com | http://tourcdn.girlsdoporn.com",
            "girlsdoporn.com | bar.pornhub.com | bar.pornhub.com | cdn-d-vid-embed.pornhub.com | http://pornhub.tv/Jena6599 | whatsapp.pornhub.com",
            "https://sslproxy.gatewayclient3.v.hikops.com",
            "api2ip.ua \u00bb External IP Lookup Service Domain",
            "83610e8d2924c9886b25ad530e8ad971.pornhub.com",
            "Win32:PWSX-gen\\ [Trj] IDS Detections Potential Dridex.Maldoc Minimal Executable Request External IP Address Lookup DNS Query (2ip .ua) Observed External IP Lookup Domain (api .2ip .ua in TLS SNI) Query to a *.top domain - Likely Hostile Suspicious User Agent (Microsoft Internet Explorer) SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016 HTTP Request to a *.top domain Dotted Quad Host ZIP Request Possible EXE Download From Suspicious TLD TLS Handshake Failure ... Less",
            "IDS Detections: Potential Dridex.Maldoc Minimal Executable Request External IP Address Lookup DNS Query (2ip .ua)",
            "IDS Detections: Observed External IP Lookup Domain (api .2ip .ua in TLS SNI) Query to a *.top domain - Likely Hostile",
            "IDS Detections: Suspicious User Agent (Microsoft Internet Explorer) SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016",
            "Win32:RansomX-gen\\ [Ransom] Trojan:Win32/Neconyd.A"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America",
            "Australia",
            "Brazil",
            "Singapore",
            "Netherlands",
            "Russian Federation",
            "Japan",
            "Malaysia",
            "Hong Kong",
            "Ireland",
            "Korea, Republic of",
            "France",
            "United Kingdom of Great Britain and Northern Ireland",
            "Argentina",
            "Austria",
            "China",
            "Canada",
            "Germany"
          ],
          "malware_families": [
            {
              "id": "Backdoor:Win32/Tofsee",
              "display_name": "Backdoor:Win32/Tofsee",
              "target": "/malware/Backdoor:Win32/Tofsee"
            },
            {
              "id": "TrojanDownloader:Win32/Tofsee",
              "display_name": "TrojanDownloader:Win32/Tofsee",
              "target": "/malware/TrojanDownloader:Win32/Tofsee"
            },
            {
              "id": "Win32:PWSX-gen\\ [Trj]",
              "display_name": "Win32:PWSX-gen\\ [Trj]",
              "target": null
            },
            {
              "id": "Win.Dropper.Tofsee-10023347-0",
              "display_name": "Win.Dropper.Tofsee-10023347-0",
              "target": null
            },
            {
              "id": "#Lowfi:HSTR:Win32/Exprio",
              "display_name": "#Lowfi:HSTR:Win32/Exprio",
              "target": null
            },
            {
              "id": "VirTool:Win32/Obfuscator",
              "display_name": "VirTool:Win32/Obfuscator",
              "target": "/malware/VirTool:Win32/Obfuscator"
            },
            {
              "id": "Trojan:Win32/Meredrop",
              "display_name": "Trojan:Win32/Meredrop",
              "target": "/malware/Trojan:Win32/Meredrop"
            },
            {
              "id": "Trojan:Win32/Eqtonex",
              "display_name": "Trojan:Win32/Eqtonex",
              "target": "/malware/Trojan:Win32/Eqtonex"
            },
            {
              "id": "Trojan:Win32/Danabot",
              "display_name": "Trojan:Win32/Danabot",
              "target": "/malware/Trojan:Win32/Danabot"
            },
            {
              "id": "Trojan:Win32/Azorult",
              "display_name": "Trojan:Win32/Azorult",
              "target": "/malware/Trojan:Win32/Azorult"
            },
            {
              "id": "ALF:Trojan:BAT/EnvVarCharReplacement",
              "display_name": "ALF:Trojan:BAT/EnvVarCharReplacement",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1005",
              "name": "Data from Local System",
              "display_name": "T1005 - Data from Local System"
            },
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1040",
              "name": "Network Sniffing",
              "display_name": "T1040 - Network Sniffing"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1081",
              "name": "Credentials in Files",
              "display_name": "T1081 - Credentials in Files"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1119",
              "name": "Automated Collection",
              "display_name": "T1119 - Automated Collection"
            },
            {
              "id": "T1210",
              "name": "Exploitation of Remote Services",
              "display_name": "T1210 - Exploitation of Remote Services"
            },
            {
              "id": "T1428",
              "name": "Exploit Enterprise Resources",
              "display_name": "T1428 - Exploit Enterprise Resources"
            },
            {
              "id": "T1443",
              "name": "Remotely Install Application",
              "display_name": "T1443 - Remotely Install Application"
            },
            {
              "id": "T1478",
              "name": "Install Insecure or Malicious Configuration",
              "display_name": "T1478 - Install Insecure or Malicious Configuration"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1045",
              "name": "Software Packing",
              "display_name": "T1045 - Software Packing"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 31,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "scoreblue",
            "id": "254100",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 1570,
            "FileHash-SHA1": 1301,
            "FileHash-SHA256": 3497,
            "URL": 3835,
            "domain": 1475,
            "hostname": 2405,
            "CIDR": 1,
            "email": 23
          },
          "indicator_count": 14107,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 230,
          "modified_text": "591 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "66c08b488620dac7697026c7",
          "name": "Fakefolder | Ransom:Win32/CVE affecting HCA Healthcare cloud",
          "description": "Cloud computing - User Acceptance Testing (UAT)\napparently used by HCA one of the nations leading healthcare providers. It's seems HCA's cloud is compromised. The cloud has a number of high priority vulnerabilities, malware, ransomware, zero day, etc.  Patient accounts aiming involved, (some patients received letters of serious PII, PHI compromise) lost records, patient blacklisting, hacking, and nefarious manipulations by providers. I've been made aware of CORHIO closing compromised patient accounts. Some patients account access and data has reportedly been lost.\n#VirTool:Win32/Obfuscator.ADB\nALF:HeraklezEval:Ransom:Win32/CVE\nRansom:Win32/StopCrypt.AK!MTB\nRansom:Win32/Wannaren.A\nTrojan:Win32/BlackMon\nTrojan:Win32/Fakefolder\nTulach Malware",
          "modified": "2024-10-15T14:02:54.772000",
          "created": "2024-08-17T11:36:40.810000",
          "tags": [
            "microsoft edge",
            "iocs",
            "alberta ndp",
            "security",
            "vc rescue",
            "disk",
            "apple",
            "google",
            "windows",
            "powershell",
            "security https",
            "no data",
            "tag count",
            "analyzer threat",
            "url summary",
            "ip summary",
            "summary",
            "sample",
            "detection list",
            "site",
            "cisco umbrella",
            "alexa top",
            "blacklist",
            "million",
            "mail spammer",
            "firehol",
            "ip address",
            "noname057",
            "anonymizer",
            "firehol proxy",
            "proxy",
            "india mail",
            "malware",
            "full name",
            "first",
            "v3 serial",
            "number",
            "cus odigicert",
            "global tls",
            "rsa4096 sha256",
            "ca1 validity",
            "subject public",
            "key info",
            "dns replication",
            "date",
            "script script",
            "as12912",
            "a domains",
            "a li",
            "poland unknown",
            "t mobile",
            "domains",
            "przejd",
            "passive dns",
            "authority",
            "meta",
            "accept",
            "cname",
            "record type",
            "ttl value",
            "aaaa",
            "poland",
            "scan endpoints",
            "all scoreblue",
            "ipv4",
            "pulse pulses",
            "files",
            "location poland",
            "asnone united",
            "moved",
            "location",
            "vary",
            "accept encoding",
            "content type",
            "virtool",
            "related pulses",
            "file samples",
            "files matching",
            "show",
            "search",
            "date hash",
            "next",
            "showing",
            "as39198",
            "body",
            "window",
            "certificate",
            "hostname",
            "unknown",
            "red bull",
            "script urls",
            "as2828 verizon",
            "ireland unknown",
            "gmt content",
            "as8068",
            "as8075",
            "servers",
            "creation date",
            "united",
            "trojan",
            "trojan features",
            "win32",
            "msr aug",
            "urls",
            "reverse dns",
            "trojandropper",
            "historical ssl",
            "referrer",
            "infiltrate",
            "threat network",
            "malicious",
            "snapchat",
            "eternal blue",
            "sneaky simay",
            "groups",
            "covert",
            "probe",
            "whois lookup",
            "domain name",
            "united",
            "as15169 google",
            "a nxdomain",
            "germany",
            "dynamicloader",
            "yara rule",
            "high",
            "medium",
            "port",
            "dynamic",
            "domain",
            "file name",
            "pcap",
            "copy",
            "url host",
            "port method",
            "user agent",
            "okrnserver",
            "002000",
            "hit tcpmemhit",
            "algorithm",
            "data",
            "cus oentrust",
            "entrust",
            "l1k validity",
            "cpl lwarszawa",
            "ot mobile",
            "status",
            "name servers",
            "as6354",
            "mtb aug",
            "key algorithm",
            "key identifier",
            "subject key",
            "identifier",
            "x509v3 key",
            "usage",
            "info",
            "location united",
            "win32 exe",
            "pe32 executable",
            "ms windows",
            "intel",
            "win16 ne",
            "os2 executable",
            "generic windos",
            "executable",
            "vs2010",
            "info compiler",
            "products",
            "vs2008",
            "header intel",
            "name md5",
            "type",
            "language",
            "ascii text",
            "cyrillic",
            "registrar of",
            "domain names",
            "ii llc",
            "contacted",
            "file type",
            "mb file",
            "graph",
            "ip detections",
            "country",
            "type name",
            "network",
            "tsara brashears",
            "december",
            "typhon reborn",
            "speakez securus",
            "hacktool",
            "emotet",
            "formbook",
            "critical",
            "installer",
            "tofsee",
            "hiddentear",
            "cnc",
            "email collection",
            "apple data",
            "data collection",
            "tsara brashears",
            "for privacy",
            "record value",
            "emails",
            "expiration date",
            "swipper",
            "tulach",
            "aitm",
            "query",
            "observed dns",
            "activity dns",
            "total",
            "google llc",
            "pe32",
            "write",
            "april",
            "defender",
            "otx telemetry",
            "win32cve aug",
            "polska s",
            "copyright",
            "levelblue",
            "dashboard",
            "pulse submit",
            "url analysis",
            "as20940",
            "as16625 akamai",
            "entrustdns",
            "france",
            "entries",
            "refresh",
            "443 ma2592000",
            "net174",
            "net1740000",
            "mcics",
            "read c",
            "write c",
            "tlsv1",
            "default",
            "module load",
            "execution",
            "dock",
            "persistence",
            "xport",
            "redacted for",
            "privacy tech",
            "privacy admin",
            "organization",
            "postal code",
            "stateprovince",
            "server",
            "registrar abuse",
            "code",
            "high priority",
            "critical",
            "CVE-2023-29059"
          ],
          "references": [
            "uat.drw.hcahealthcare.cloud | developers.t-mobile.pl | kwvjuemg.exe",
            "uat.drw.hcahealthcare.cloud US Admin Email: cd2fa1f805494bc7s@ehc.com Admin Organization: HCA - Information Technology & Services, Inc.",
            "Antivirus Detections: Ransom:Win32/Wannaren.A UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser ,  UPXv20MarkusLaszloReiser ,  UPX Alerts procmem_yara creates_largekey process_creation_suspicious_location network_bind deletes_executed_files dead_connect dynamic_function_loading encrypted_ioc http_request network_cnc_https_generic powershell_download powershell_request enumerates_running_processes stealth_window cape_extracted_content injection_rwx network_http",
            "Yara Detections: LZMA ,  UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , UPXv20MarkusLaszloReiser , UPX",
            "Alerts: procmem_yara creates_largekey process_creation_suspicious_location network_bind cape_extracted_content",
            "Alerts: deletes_executed_files dead_connect dynamic_function_loading encrypted_ioc http_request injection_rwx network_http",
            "Alerts: network_cnc_https_generic powershell_download powershell_request enumerates_running_processes stealth_window",
            "nr-data.net [Apple Private Data Collection]",
            "https://www.anyxxxtube.net/search-porn/tsara-brashears/",
            "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
            "https://twitter.com/PORNO_SEXYBABES | twitter.com | www.pornhub.com | www.anyxxxtube.net",
            "Apple path:https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 | itunes.apple.com",
            "record-viewer-application.hcahealthcare.cloud",
            "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowled",
            "Tulach IP: 114.114.114.114",
            "Antivirus Detections: #VirTool:Win32/Obfuscator.ADB | IDS Detections:Observed DNS Query to .biz TLD | Domains Contacted: pywolwnvd.biz",
            "Yara Detections: SUSP_Unsigned_GoogleUpdate OriginalFilenameGoogleUpdate.exe | Alerts cape_extracted_content",
            "Parent: NET174 (NET-174-0-0-0-0) NetType: Direct Allocation Organization: Verizon Business (MCICS) 'Swipper'",
            "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29059 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29059\\",
            "cvename.cg | https://cve.mitre.org/cgi | https://cve.mitre.org/cgi-bin/cvename.cg... | https://cve.mitre.org/cgi-bin/cvename.cgi?nam...",
            "https://cve.mitre.org/includes/jquery-migrate-3.0.0.min.js | https://cve.mitre.org/includes/printerfriendly.js | https://cve.mitre.org/css/main.css",
            "https://cve.mitre.org/images/cvelogobanner.png | https://cve.mitre.org/images/linkedin.jpg | https://cve.mitre.org/images/medium.png",
            "https://cve.mitre.org/images/nvd-logo.png | https://cve.mitre.org/images/search_icon.png | https://cve.mitre.org/images/twitter.jpg",
            "https://cve.mitre.org/images/youtube.png | https://cve.mitre.org/includes/browserheight.js | https://cve.mitre.org/includes/jquery-3.2.1.min.js",
            "https://cve.mitre.org/css/print.css | https://cve.mitre.org/favicon.ico | https://cve.mitre.org/images/GitHub_round_sm",
            "https://cve.mitre.org/includes/jquery-migrate-3.0.0.min.js | https://cve.mitre.org/includes/printerfriendly.js | cve.mitre.org"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Trojan:Win32/BlackMon",
              "display_name": "Trojan:Win32/BlackMon",
              "target": "/malware/Trojan:Win32/BlackMon"
            },
            {
              "id": "Trojan:Win32/Fakefolder",
              "display_name": "Trojan:Win32/Fakefolder",
              "target": "/malware/Trojan:Win32/Fakefolder"
            },
            {
              "id": "Ransom:Win32/Wannaren.A",
              "display_name": "Ransom:Win32/Wannaren.A",
              "target": "/malware/Ransom:Win32/Wannaren.A"
            },
            {
              "id": "Ransom:Win32/StopCrypt.AK!MTB",
              "display_name": "Ransom:Win32/StopCrypt.AK!MTB",
              "target": "/malware/Ransom:Win32/StopCrypt.AK!MTB"
            },
            {
              "id": "Tulach Malware",
              "display_name": "Tulach Malware",
              "target": null
            },
            {
              "id": "#VirTool:Win32/Obfuscator.ADB",
              "display_name": "#VirTool:Win32/Obfuscator.ADB",
              "target": "/malware/#VirTool:Win32/Obfuscator.ADB"
            },
            {
              "id": "ALF:HeraklezEval:Ransom:Win32/CVE",
              "display_name": "ALF:HeraklezEval:Ransom:Win32/CVE",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1112",
              "name": "Modify Registry",
              "display_name": "T1112 - Modify Registry"
            },
            {
              "id": "T1119",
              "name": "Automated Collection",
              "display_name": "T1119 - Automated Collection"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1143",
              "name": "Hidden Window",
              "display_name": "T1143 - Hidden Window"
            }
          ],
          "industries": [
            "Healthcare",
            "Technology",
            "Civilian Society",
            "Telecommunications",
            "Networking"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 53,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 1,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "scoreblue",
            "id": "254100",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 1975,
            "FileHash-SHA1": 1731,
            "FileHash-SHA256": 4646,
            "URL": 636,
            "domain": 283,
            "hostname": 798,
            "email": 12,
            "CVE": 3,
            "SSLCertFingerprint": 2
          },
          "indicator_count": 10086,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 233,
          "modified_text": "593 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "",
        "LBresearcher: msudosos notes: By exploiting Root Certificate Validation Failures, the StealthWorker (GoBrut) agent ensures that its 32-bit ELF binaries bypass the automated reputation checks enforced by major cloud providers.",
        "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr",
        "https://vtbehaviour.commondatastorage.googleapis.com/000007781f616194758c52c551ab2f198970675c9218eab9f1e4470f0a696e71_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775373373&Signature=mjvxt7z8ajbHZY%2BdL0G02pE7trUx7SkineLNrDSnq8FxmEuCuDdnNDWKdPawPb4w2NnK5HFkV3BAdTJrRNBxBceLP%2FevhdkmR4C%2BiZZ8pz9GBeqwl0l6oJMBga2ZHfKcA%2BxqQgP5r1zzN%2BZPMH0zxPdHYZA2WlzkfzPBDQcTEDdz8aTIaX%2BOP5JUo4gYjqxxxrdBLVGv0i54PedBqgFw5IRrPpdH%2FwlQGTLKQ%2BSjslq2d0",
        "Verification failure observed in automated verification handlers during sandbox replay.",
        "uat.drw.hcahealthcare.cloud US Admin Email: cd2fa1f805494bc7s@ehc.com Admin Organization: HCA - Information Technology & Services, Inc.",
        "The local environment exhibits advanced telemetry suppression within specialized skim memory regions, effectively neutralizing standard DMARC validation and Microsoft-integrated defensive protocols.",
        "https://cve.mitre.org/includes/jquery-migrate-3.0.0.min.js | https://cve.mitre.org/includes/printerfriendly.js | https://cve.mitre.org/css/main.css",
        "https://cve.mitre.org/images/cvelogobanner.png | https://cve.mitre.org/images/linkedin.jpg | https://cve.mitre.org/images/medium.png",
        "83610e8d2924c9886b25ad530e8ad971.pornhub.com",
        "https://vtbehaviour.commondatastorage.googleapis.com/03a5d431bb42e7730a3ae3b3563cee73e7a782079cf56f57bad5fe665d261e54_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775363951&Signature=oqtwIJblsSOTE5uJIegeSNPrf62ZPoDH59%2FW8iBG9vqCrR3VsyJAXXj1ZonKOO9FUzFmVhNEPhCds5p0mfETuLN7FXdTJedgO2RCoL%2F5Cl6lMWxcsJfQDtslHFW3X07r6%2F82tCBq4PwlUQPQwbqnscNE%2FYRLEdiLZdjM4Fq8nFQG%2BOgC9iHeyKoQR9TOnBE3VYI2YChpkUlJbeYYQJaPm8qPrIetztmBEUDYx2ObcFktYfyhqvwP",
        "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)",
        "Antivirus Detections: #VirTool:Win32/Obfuscator.ADB | IDS Detections:Observed DNS Query to .biz TLD | Domains Contacted: pywolwnvd.biz",
        "his technique allows the GoBrut/StealthWorker agent to circumvent automated revocation checks, enabling its decentralized C2 infrastructure to recruit Linux hosts via high-velocity credential exhaustion.",
        "Tulach IP: 114.114.114.114",
        "Win32:PWSX-gen\\ [Trj] IDS Detections Potential Dridex.Maldoc Minimal Executable Request External IP Address Lookup DNS Query (2ip .ua) Observed External IP Lookup Domain (api .2ip .ua in TLS SNI) Query to a *.top domain - Likely Hostile Suspicious User Agent (Microsoft Internet Explorer) SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016 HTTP Request to a *.top domain Dotted Quad Host ZIP Request Possible EXE Download From Suspicious TLD TLS Handshake Failure ... Less",
        "https://vtbehaviour.commondatastorage.googleapis.com/0ab7fad77871a45137c9f2e40e3cbf47e3d71315f71c8eca9c8d62bc24a53184_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775372878&Signature=cLNwLw1L9ZCpQXZej7DaLTWH5w887X5wPnSpN1pwH2N4acSu8Llp25uprGRArg6qCuPbVQ2YPyIeCdwLCZvq%2FU0hP8m17ZPontiyR5zKb7jxcW57eEUuVnuSV9%2FnukwtPPJ%2BTY7a0%2B9rwSAU%2FL%2FJQ1yMke6VIX%2B%2F6KSWHgmLV%2F%2FR%2FbOxB0oZ4%2Fe%2Fsb2%2Fw12dZix7IY6c7wOj1OlWGQSkAZZsEoDw",
        "https://vtbehaviour.commondatastorage.googleapis.com/03a5d431bb42e7730a3ae3b3563cee73e7a782079cf56f57bad5fe665d261e54_SecneurX.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775363662&Signature=Tb8lvDZ68jjF2NK2JHjGnbiQU0CMN6YW3je3jpljK7OVsGRWX1LnhaGZlf6odMBfrpxaxZw%2BWzDkww75LB%2BADvpT9Xv0msqXikUiwwQe5VdtWh5VPTKc%2B%2BguXjCV3aKkhOAH2IyxYXhJ9bdfnc2BrxnksuvBxrk1dxGITo7d3UQk%2Fva7WWsUVJ%2BmU8mN%2FtKaGLCwcq7VdiqnC6Eg0g4EVMh1778azV8silgLjwHNsPTUCAg2zyROda",
        "LBresearcher: msudosos notes: The campaign's use of T1110.001 (Password Guessing) is specifically tuned to exhaust credentials across SSH, MySQL, and CMS backends, effectively recruiting server infrastructure into a global \"zombie\" network.",
        "Monitor DGA Shifts: Track new domains registered through NAMECHEAP INC using the current WhoisGuard patterns to identify the next cluster before it goes active. Analyze Telfhash Clusters: Use the Telfhash (t1f303a0...) to pivot and find if the adversary has updated to 64-bit ELF or ARM architectures. Harden DMARC: Ensure your environment moves from \"p=none\" to \"p=reject\" to mitigate the internal spoofing loops exploited by this botnet's telemetry suppression.",
        "https://sslproxy.gatewayclient3.v.hikops.com",
        "Win32:RansomX-gen\\ [Ransom] Trojan:Win32/Neconyd.A",
        "https://vtbehaviour.commondatastorage.googleapis.com/03a5d431bb42e7730a3ae3b3563cee73e7a782079cf56f57bad5fe665d261e54_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775052384&Signature=bXWASH%2FPy0xlusWzJvXu%2BHqzMkXxPsi2vPSccyzBwu5T9wUAziv58Ff40CcQ2rnFCnTZ2jCl0OmxLzttA7UQB%2BV37XmURNN1wKCT8EjP5jG8G1NzmXhj7kLy%2FibMwbmPEWNes7Tfmd81O8NXB2BhWT7YwM1u3Se2BZ81AVpLDs2SNOaN6rm7BOdZbszJ35xoAvf0nVYX5ZJ4hg72DrQaksf9fCJGECHhJkdJ8%2BRUVVqNLkYjkwDk",
        "https://vtbehaviour.commondatastorage.googleapis.com/03a5d431bb42e7730a3ae3b3563cee73e7a782079cf56f57bad5fe665d261e54_SecneurX.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775372244&Signature=fXjnCgFbGybFp%2BCRO6a%2FQ3LKU2uLiKNtjgwKzprL3LFL%2BTMgup6nbp7%2F9Hxy8bnBzlFtSzO0fcnf%2FpIsNim0UdrINmB63N9mKkBW1cOkjxV88PAy2nsFZA3FjOEYq4N0lgc8gAtS5eRTt%2Bwb7WjEnd3QQ7aPLuoVl2hjed4hC8Cit6efcSD9GbJCITMeX4%2FVHBYSjmDr4Pgip9ANSZ6wvzkRktqPpC23Qwl62gkuXE%2BKp0s%2Bq%",
        "https://vtbehaviour.commondatastorage.googleapis.com/7605fa9aeaae25656c40a553534d35418cca40dc48023d0b3237b402361c6816_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775373283&Signature=KIPnPqQCcifTzuRS43FhFyzCXei0rDK20JuVvXA3UkB%2Bj6R1a4SAH2sn%2BJO1ohLSxLswzbryMf81lr4eGQCMbr3Wwfwo7kHN1yHV4M187cNxRZlbZ4%2BzOZZgfWt3bJNLx2Z4%2B4aqarco7OzqkhcQizlq8frRttJQjcLcNxgWD3oV2QDxZxurniW%2BhRRUS%2Bv9uGXWIRhWYmbEA%2BaoQsvpX0AIeSUCn4qb%2Fh31hJe7JitkCE",
        "Whitelisted IP Address 204.79.197.212 Location  United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. ,  ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc.,   Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 ,  5943 ,  80211 ,  #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf ,  The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat",
        "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.",
        "Yara Detections: SUSP_Unsigned_GoogleUpdate OriginalFilenameGoogleUpdate.exe | Alerts cape_extracted_content",
        "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.",
        "https://vtbehaviour.commondatastorage.googleapis.com/03a5d431bb42e7730a3ae3b3563cee73e7a782079cf56f57bad5fe665d261e54_SecneurX.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775052326&Signature=EwzqMFG4Bx4ptKj%2BUPzOPRE6Qw6H4prXiFDRHz53VujBI4Qp%2FChlOM99GkqSy2RrjDX7KqOvWAD1T%2FElJsNdQnvqWJWFa%2FQJVZ4OVf178twMrqL4i1kGM5j24ubnFhYXkL0qNzyI1cWOtVVaVeG2Z2VQEMBcOS%2BONZRvlii2EKaJYYatE1AR1BfvODpofyrMbJXtpOCG1qNJ4RjHY8F3kkWoBPLxqY71e4qLZkgXVqIe9bqy4Bnf57AVqd",
        "WHOIS data anchors administrative and technical operations for prioritywirreles.com in Los Angeles, CA (90064) via Namecheap infrastructure. Following its 2020 expiration, the domain has transitioned into redemptionPeriod/pendingDelete status, signaling the formal decommissioning of this C2 asset.",
        "Persistent C2 Orchestration: This ELF:Agent-VW variant serves as a critical GoBrut node, utilizing XOR 0x20 obfuscation and ICMP/HTTP beaconing to maintain a persistent link across 1,834 domains and 797 unique IPs",
        "Yara Detections: LZMA ,  UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , UPXv20MarkusLaszloReiser , UPX",
        "By maintaining a hollowed root posture, the sample facilitates persistent, low-signal synchronization with external cloud infrastructure while bypassing traditional heuristic trust-chain verification.",
        "https://vtbehaviour.commondatastorage.googleapis.com/39c58d0f868d4e8d1b959dce19d0bbcc57bb8b9b832f9efbe4e2244051237b95_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775373454&Signature=oXNg992chHQhOJxpI2XcWdFB%2FxJme1ol4iA4aOgaKWQcqa9WXsYlPcTANPmFkyrHIciosnksXEJrIAfFsjAYeEqG%2F7oPGCQLBILFHUhwZVcoJR9PgFwUsHBu%2FqiWSOifVPER4vpDL0gbsuNlU6gHT5aWRW%2BwoOwbHSIt5jj%2FJ3%2FxGDBAUaZrSuQurOM0Nb3qRhNN1NOTUj7mGTuUBXdtvnzCFLjxl3Kk6dYYFgmwhWI04P3JIB",
        "Obfuscation: XOR-based String Encryption (0x20)",
        "api2ip.ua \u00bb External IP Lookup Service Domain",
        "https://cve.mitre.org/includes/jquery-migrate-3.0.0.min.js | https://cve.mitre.org/includes/printerfriendly.js | cve.mitre.org",
        "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.",
        "LBresearcher: msudosos notes: The threat actor maintains operational longevity by rotating through WhoisGuard-protected nodes like prioritywirreles.com, which historically resolved to Russian-hosted IP space (194.61.24.231) to obfuscate its origin.",
        "Msudosos Regional Notes: While historical pivots show Russian-hosted nodes, the current dual-origin telemetry\u2014dominated by 181 United States-based endpoints\u2014strongly suggests a domestic-aligned adversary leveraging global 'grey space' to obfuscate its operational core. This massive US-centric footprint (exceeding all other regions combined) reinforces the theory of a false-flag orchestration designed to divert attribution toward foreign infrastructure while abusing legitimate Western-hosted trust chains.",
        "https://www.anyxxxtube.net/search-porn/tsara-brashears/",
        "Cookie : stel_ssid b86d14460f22d8fea8_13386273115952986987",
        "Primary Hash (SHA256): cd3989830da99a69380901769fd78902efb3cd8ba5c9390e94bd4333b7fad186",
        "Researcher msudosos: This activity appears to facilitate a preliminary reconnaissance phase, possibly utilizing system commands to query /proc/cpuinfo and /proc/version for architectural profiling purposes.",
        "Researcher msudosos suggests the VirusTotal (Tencent HABO) behavior report may indicate a potential execution path from volatile storage at /tmp/EB93A6/996E.elf.",
        "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.",
        "https://vtbehaviour.commondatastorage.googleapis.com/539dc26a14b6277e87348594ab7d6e932d16aabb18612d77f29fe421a9f1d46a_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775372560&Signature=tXBHkUCyFp7E2Um%2FMUvRPbUvaQmYPeBV7KGbi%2Bssa%2FkYQyqgH4u8fy6h0A8bVbsyQMMPf2EEF2JkzkiD6SXcfLADGdVqHYQya%2F6s2Ox5QnOFkJSATlDdXCWVp%2F4wHxZHInIRcrBPZFjjYFQM0u7VYCEMtkMCS0pzld2nGLlcOuOXBFxGTQPy0A03dikBC4Yw4f%2BdiMLMxO0hxZSo9FxPq1ylB4gs57NBBniylVO4Qi%2BLzleU5",
        "https://vtbehaviour.commondatastorage.googleapis.com/644031a68bde879af85bcc9cb3e6fa1e9a6b0f61d49307581974b5dbc09d3de8_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775051777&Signature=GZlu6DPN6v98tQo25y0w35JRTEJsBkTkPLCQXMwbY176auYdg37%2BQIH9jW5Wh4nYP8f6x5qDbT8ZRIrB%2F96cNxUefW8t5sDbBJCeNdsv9V8E4wYdpc7CBgWCor2MyxnMXcxHpOmCSm6wJbTfHBXSyUc4wjlxVdCTO1HagMSjZd3NdM4v03ffHl6LHo7%2F489GG%2F0zDmAfW0%2FiRbo%2BvTafEPW%2F6U23SdWnNFliaiQc9322wEBIipDEgFtt",
        "https://www.pornhub.com/video/search?search=tsara+brashears",
        "https://twitter.com/PORNO_SEXYBABES | twitter.com | www.pornhub.com | www.anyxxxtube.net",
        "cvename.cg | https://cve.mitre.org/cgi | https://cve.mitre.org/cgi-bin/cvename.cg... | https://cve.mitre.org/cgi-bin/cvename.cgi?nam...",
        "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.",
        "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess",
        "T1110.001 (Brute Force: Password Guessing)",
        "Antivirus Detections: Ransom:Win32/Wannaren.A UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser ,  UPXv20MarkusLaszloReiser ,  UPX Alerts procmem_yara creates_largekey process_creation_suspicious_location network_bind deletes_executed_files dead_connect dynamic_function_loading encrypted_ioc http_request network_cnc_https_generic powershell_download powershell_request enumerates_running_processes stealth_window cape_extracted_content injection_rwx network_http",
        "IDS Detections: Suspicious User Agent (Microsoft Internet Explorer) SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016",
        "https://vtbehaviour.commondatastorage.googleapis.com/01f09136cb86f25635f91144946847d58c559228d50d9b84b0c021d4091b840b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775373052&Signature=U7haY6XsgyJ83G1vAOPLrLLS%2BaMP9xAKOlnzSb4I9clIBLt9Y8xzP4qjfBxbeUfdF6s%2B6dtg4dXzqTjrAYSC3XOTEEtHZeK4ePz5qfS9n%2FWNrOKQb30VBhfUNL5DYUCd3XSOPjIVlbRz9ylDpwApfVK2AMarGiLLlnKRDv7M0S63SkQx8eWyabXd2afPPy96ZGNZVZfOhw5llZiztL6mYo%2BVivlyFsDcodH9F4XrS%2FPsSLeJRx5d",
        "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).",
        "record-viewer-application.hcahealthcare.cloud",
        "The environment leverages prioritywirreles.com as a high-fidelity DGA-derived C2 node, utilizing its historical resolution to Russian-hosted IP space (194.61.24.231) to maintain persistent Stealthworker botnet synchronization.",
        "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.",
        "https://vtbehaviour.commondatastorage.googleapis.com/14116af49a976b71f7ddd760161a1d50328baa280ac2c9a1f9f3a8996a3929b6_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775372327&Signature=bhG0zZxkKhoz9temkLENxZsdN9KeMsxW4nt2II1lmaPLEGAhNM4EmX5e7z1UM9LLsnqrvuZBhQs7ZnBuwSpY5T8iiKIu2%2FfZ83pX1Tw8s%2Bn%2BfXlEl3jlhzXWewZ9i8ZlXd6YIeWETsAak1j93aNnJHB2IPoZn7VISupTj400x7E%2FSm0ilDz4zCCDAjz1eTp1N41HvmoviGQGwTSnjTW5oyBHDm8RglOnnNqcEsm6%2BkGBJToFomLsipvuVIz8",
        "Alerts: deletes_executed_files dead_connect dynamic_function_loading encrypted_ioc http_request injection_rwx network_http",
        "uat.drw.hcahealthcare.cloud | developers.t-mobile.pl | kwvjuemg.exe",
        "Alerts: network_cnc_https_generic powershell_download powershell_request enumerates_running_processes stealth_window",
        "Apple path:https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 | itunes.apple.com",
        "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.",
        "girlsdoporn.com | bar.pornhub.com | bar.pornhub.com | cdn-d-vid-embed.pornhub.com | http://pornhub.tv/Jena6599 | whatsapp.pornhub.com",
        "By operating through WhoisGuard-protected infrastructure and exploiting XOR 0x20 obfuscation, the adversary effectively suppresses telemetry into skim space, successfully bypassing DMARC and Microsoft-integrated trust-chain validation.",
        "Alerts: procmem_yara creates_largekey process_creation_suspicious_location network_bind cape_extracted_content",
        "https://vtbehaviour.commondatastorage.googleapis.com/39c58d0f868d4e8d1b959dce19d0bbcc57bb8b9b832f9efbe4e2244051237b95_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775372451&Signature=Dv9FcZuWlVKlY26EcoSmR4Kcb44tKDv4kyBrDOputdJDLMvfDX9%2Fs4Ss4cLURTdCso74wPUHQpcMVcyeGGK%2F3RwYbxXwJjMGGAJSCfCxIDRiL%2BLOQKY3M7zGyXrkpuwr5lQS4CaKp1LFajsxxwnKpd%2F5eXNMLqlyxh%2ByO3dJWTkY8WqNnnwnSjW0lqpwB9%2BBjgEdIeWsnMRqF0t4JQ8dJsmCbbTXmAKIEZ46Rpio044%2BrsqH",
        "https://cve.mitre.org/images/youtube.png | https://cve.mitre.org/includes/browserheight.js | https://cve.mitre.org/includes/jquery-3.2.1.min.js",
        "The domain prioritywirreles.com (registered via NAMECHEAP INC) shows a 4/93 detection ratio, confirming it is a live but \"low-noise\" C2 node used to avoid broad-spectrum blacklisting",
        "My Independent research finds an intersect between different pdf DV versions being able to connect to Raspberry Pi devices as it was the FCC application document. Risk: Mac ID connectivity to all.",
        "Pornhub.com | Telegram https://t.me/login/36861 | loopprojects.t.me",
        "ads.pornhub.com | ams-v61.pornhub.com | api-stage.pornhub.com",
        "IDS Detections: Observed External IP Lookup Domain (api .2ip .ua in TLS SNI) Query to a *.top domain - Likely Hostile",
        "https://vtbehaviour.commondatastorage.googleapis.com/7605fa9aeaae25656c40a553534d35418cca40dc48023d0b3237b402361c6816_Dr.Web%20vxCube.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775373200&Signature=uMO8ESBCpu0oIIRS0CToWTN9KlOHyq4uWjWMjfdcUCGyliW%2FSy8KDIg6OMWLUQ6SBC45Jm0Mr%2FNV6m74hTSnpmGdVf6k6mA3QrTQwUMaMk2QbBLU1IwUG8wvylr6KXEqQYYCkZksYiZEyNm%2B2hKNvWtKFc%2BZlL7M12RBSER84%2FDRQlJnK6qbDW3DYX1tPsXxTynGj5YxQDlUqfWU8CjZtSAfUK%2Bw%2FoybwyMsJc68%2B01HQ",
        "The pivot from cd398983... to this domain confirms a multi-year campaign (2019\u20132023) utilizing Namecheap-registered infrastructure to orchestrate wide-scale T1110.001 brute-force operations while bypassing standard PKI expiration checks.",
        "api-stage.pornhub.com | abtesting.pornhub.com | pornhub.com | cms-stage20.pornhub.com | imgs.pornhub.com | http://tourcdn.girlsdoporn.com",
        "Parent: NET174 (NET-174-0-0-0-0) NetType: Direct Allocation Organization: Verizon Business (MCICS) 'Swipper'",
        "https://vtbehaviour.commondatastorage.googleapis.com/644031a68bde879af85bcc9cb3e6fa1e9a6b0f61d49307581974b5dbc09d3de8_SecneurX.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775051972&Signature=yYtfMjbzEmeyxRDO6eroUm%2FGh1NSAK3rD42UZEkTrX5h37NifJZ2K0WMJrux%2BcsrnR2Q5bIMs0HvMko%2BkDcC%2FsC4aXHIwkfRwv%2B7sXalRONuRPyS04YJ7NLS7LOp9%2FJ%2B%2Fwr0pR6MJ%2BKk96cKBP8wRR%2FwG%2Bl8Vf8YWHaP5QmY9c2Xz%2FlCc886XMqqgIGd84UaXsgrCTJ%2B18x90esVg0VGP94wCuOZOztw%2FyPeWTLW",
        "nr-data.net [Apple Private Data Collection]",
        "https://vtbehaviour.commondatastorage.googleapis.com/000bdbb9556e3474630b36d57190d5dae719886a6cdecf824af6a456243ebf88_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775372160&Signature=wARiO6wRTZGhS9vOpI%2BvoWxpe55%2BBlHjfTVS2m1fsb3%2FyiqXoI5x8uRNh6fj6Qp6DpePIZAM2MHvDzi%2B5TT6VWKI4zyyc%2BeVp9gihB0djBnCJr%2BKCB18kdFNBE%2BicOTMmx5aJ1hSjWQcOBYm9PMkZ6%2BhLzxX3gxTMneBKGhh0ckFJRTRfM2gKMfEPrOQ6aVgfkTWJUR9FQYz5g2qKGSDh1CCNlEzXhO33BEPI9fN",
        "https://cve.mitre.org/css/print.css | https://cve.mitre.org/favicon.ico | https://cve.mitre.org/images/GitHub_round_sm",
        "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.",
        "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29059 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29059\\",
        "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.",
        "https://cve.mitre.org/images/nvd-logo.png | https://cve.mitre.org/images/search_icon.png | https://cve.mitre.org/images/twitter.jpg",
        "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
        "www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process",
        "Pivot-Ready Indicators (IOCs) Go BuildID: nGYES3pajdOmKy1i6Ghh/KO9ydOtZpXtoKtB0KHE-/iisNoniHgTbj_cV6M-uk/XmMYzkBiZs8NXMRZYTiT Telfhash: t1f303a0b3055d54e8b7f08907c7af7624cef6e0f726d078f169e278d09a72c826626874 Imphash: 9698f46495ce9401c8bcaf9a2afe1598 Vhash: 1e53f1a1b59ecb93f821c74b25d81e9f",
        "This ELF 32-bit LSB artifact is a sophisticated GoBrut/StealthWorker agent, compiled via Golang 1.10 and stripped to obfuscate its high-velocity service-bruting logic. VirusTotal confirms a critical threat profile with 44/65 security vendors flagging the file, which leverages a unique Go BuildID (nGYES3pajdOm...) and a Telfhash (t1f303a0...) for architectural fingerprinting. The binary orchestrates decentralized Command and Control (C2) through an expansive infrastructure of 797 unique IPs and 1,834 domains",
        "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)",
        "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.",
        "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure",
        "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowled",
        "IDS Detections: Potential Dridex.Maldoc Minimal Executable Request External IP Address Lookup DNS Query (2ip .ua)",
        "Researcher msudosos posits a strategic exploitation of Root Certificate Validation Failures, where the adversary leverages an expired trust chain to bypass heuristic security filters and establish persistence."
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": [],
          "unique_indicators": 0
        },
        "other": {
          "adversary": [
            "StealthWorker/GoBrut (The adversary demonstrates advanced telemetry suppression within specialized s"
          ],
          "malware_families": [
            "Virtool:win32/obfuscator",
            "Trojan:win32/blackmon",
            "Trojan:win32/danabot",
            "Ransom:win32/stopcrypt.ak!mtb",
            "Alf:heraklezeval:ransom:win32/cve",
            "Trojandownloader:win32/tofsee",
            "Win.dropper.tofsee-10023347-0",
            "#virtool:win32/obfuscator.adb",
            "Md5 hash: f8add7e7161460ea2b1970cf4ca535bf",
            "Tulach malware",
            "Malware family: stealthworker / gobrut",
            "Win32:pwsx-gen\\ [trj]",
            "Trojan:win32/meredrop",
            "Backdoor:win32/tofsee",
            "Trojan:win32/eqtonex",
            "Trojan:win32/azorult",
            "#lowfi:hstr:win32/exprio",
            "Alf:trojan:bat/envvarcharreplacement",
            "Trojan:win32/fakefolder",
            "Ransom:win32/wannaren.a"
          ],
          "industries": [
            "Legal, financial, healthcare, government, municipal, real-estate, enterprise-technology, critical-in",
            "Networking",
            "Telecommunications",
            "Technology",
            "Healthcare",
            "Civilian society"
          ],
          "unique_indicators": 187390
        }
      }
    },
    "false_positive": [],
    "alexa": "http://www.alexa.com/siteinfo/drupal.org",
    "whois": "http://whois.domaintools.com/drupal.org",
    "domain": "drupal.org",
    "hostname": "Unavailable"
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 26,
  "pulses": [
    {
      "id": "6a1172cd479d8218e859db0c",
      "name": "Rain + Acid; Questionable Civil Rights Violations.",
      "description": "[The full list of names and addresses for Akamai, the world's largest web hosting company, has been released..and it is not clear how many of them have been registered or used] <the first time I agree with pretext.",
      "modified": "2026-05-23T09:36:11.136000",
      "created": "2026-05-23T09:26:37.608000",
      "tags": [
        "akamai",
        "orgid",
        "akamai ref",
        "net173",
        "net1730000",
        "orgtechhandle",
        "steven jay",
        "orgname",
        "cidr",
        "noc united",
        "orgabusehandle",
        "nethandle",
        "key identifier",
        "x509v3 subject",
        "full name",
        "v3 serial",
        "number",
        "cus cndigicert",
        "tls rsa",
        "sha256",
        "ca1 odigicert",
        "inc validity",
        "city",
        "kam sze",
        "verisign",
        "date",
        "server",
        "data",
        "whois database",
        "whois",
        "registrar abuse",
        "repackaging",
        "registrars",
        "icann whois",
        "form",
        "email",
        "request email",
        "stateprovince",
        "whois status",
        "tech",
        "address range",
        "network name",
        "type",
        "status",
        "whois server",
        "entity akamai",
        "handle",
        "orgtechref",
        "akamai address",
        "broadway city",
        "postalcode",
        "orgtechphone",
        "label akamai",
        "arin country",
        "us continent",
        "services",
        "net192",
        "net1920000",
        "as14153",
        "as15133",
        "edgec25",
        "w jefferson",
        "blvd",
        "algorithm",
        "cus odigicert",
        "cngeotrust tls",
        "rsa ca",
        "g1 validity",
        "subject public",
        "serving ip",
        "address",
        "status code",
        "body length",
        "kb body",
        "responsibility",
        "learn",
        "citizen verizon",
        "drupal",
        "corporate",
        "utc google",
        "tag manager",
        "gtmpz6697q",
        "utc g22l6jkpfvc",
        "utc linkedin",
        "insight tag",
        "utc adobe",
        "dynamic tag",
        "sameorigin",
        "date wed",
        "miss setcookie",
        "secure",
        "httponly",
        "unix",
        "cachecontrol",
        "html info",
        "title",
        "ip address",
        "stworld",
        "stworld og",
        "uetsid",
        "sctr",
        "pinunauth",
        "awsalb",
        "udnsntcsession",
        "tdid",
        "qplatform mfapp",
        "adrollfpc",
        "arv4",
        "udnsntcs",
        "interim sim",
        "newegg",
        "verizon",
        "buy verizon",
        "card",
        "newegg shopping",
        "ver2",
        "vids1",
        "msclkidn"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "CIDR": 3,
        "FileHash-SHA256": 316,
        "FileHash-SHA1": 4,
        "domain": 96,
        "hostname": 279,
        "URL": 267,
        "IPv4": 8,
        "email": 11,
        "FileHash-MD5": 12,
        "Mutex": 1,
        "URI": 1
      },
      "indicator_count": 998,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 66,
      "modified_text": "8 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "6a1172cb47ba739f26d5dbd6",
      "name": "Rain + Acid; Questionable Civil Rights Violations.",
      "description": "[The full list of names and addresses for Akamai, the world's largest web hosting company, has been released..and it is not clear how many of them have been registered or used] <the first time I agree with pretext.",
      "modified": "2026-05-23T09:28:45.751000",
      "created": "2026-05-23T09:26:35.365000",
      "tags": [
        "akamai",
        "orgid",
        "akamai ref",
        "net173",
        "net1730000",
        "orgtechhandle",
        "steven jay",
        "orgname",
        "cidr",
        "noc united",
        "orgabusehandle",
        "nethandle",
        "key identifier",
        "x509v3 subject",
        "full name",
        "v3 serial",
        "number",
        "cus cndigicert",
        "tls rsa",
        "sha256",
        "ca1 odigicert",
        "inc validity",
        "city",
        "kam sze",
        "verisign",
        "date",
        "server",
        "data",
        "whois database",
        "whois",
        "registrar abuse",
        "repackaging",
        "registrars",
        "icann whois",
        "form",
        "email",
        "request email",
        "stateprovince",
        "whois status",
        "tech",
        "address range",
        "network name",
        "type",
        "status",
        "whois server",
        "entity akamai",
        "handle",
        "orgtechref",
        "akamai address",
        "broadway city",
        "postalcode",
        "orgtechphone",
        "label akamai",
        "arin country",
        "us continent",
        "services",
        "net192",
        "net1920000",
        "as14153",
        "as15133",
        "edgec25",
        "w jefferson",
        "blvd",
        "algorithm",
        "cus odigicert",
        "cngeotrust tls",
        "rsa ca",
        "g1 validity",
        "subject public",
        "serving ip",
        "address",
        "status code",
        "body length",
        "kb body",
        "responsibility",
        "learn",
        "citizen verizon",
        "drupal",
        "corporate",
        "utc google",
        "tag manager",
        "gtmpz6697q",
        "utc g22l6jkpfvc",
        "utc linkedin",
        "insight tag",
        "utc adobe",
        "dynamic tag",
        "sameorigin",
        "date wed",
        "miss setcookie",
        "secure",
        "httponly",
        "unix",
        "cachecontrol",
        "html info",
        "title",
        "ip address",
        "stworld",
        "stworld og",
        "uetsid",
        "sctr",
        "pinunauth",
        "awsalb",
        "udnsntcsession",
        "tdid",
        "qplatform mfapp",
        "adrollfpc",
        "arv4",
        "udnsntcs",
        "interim sim",
        "newegg",
        "verizon",
        "buy verizon",
        "card",
        "newegg shopping",
        "ver2",
        "vids1",
        "msclkidn"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "CIDR": 3,
        "FileHash-SHA256": 316,
        "FileHash-SHA1": 4,
        "domain": 101,
        "hostname": 295,
        "URL": 290,
        "IPv4": 8,
        "email": 12,
        "FileHash-MD5": 12,
        "Mutex": 1,
        "URI": 1
      },
      "indicator_count": 1043,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 66,
      "modified_text": "8 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "6a1172cd04ed75967ff3ffc5",
      "name": "Rain + Acid; Questionable Civil Rights Violations.",
      "description": "[The full list of names and addresses for Akamai, the world's largest web hosting company, has been released..and it is not clear how many of them have been registered or used] <the first time I agree with pretext.",
      "modified": "2026-05-23T09:26:37.004000",
      "created": "2026-05-23T09:26:37.004000",
      "tags": [
        "akamai",
        "orgid",
        "akamai ref",
        "net173",
        "net1730000",
        "orgtechhandle",
        "steven jay",
        "orgname",
        "cidr",
        "noc united",
        "orgabusehandle",
        "nethandle",
        "key identifier",
        "x509v3 subject",
        "full name",
        "v3 serial",
        "number",
        "cus cndigicert",
        "tls rsa",
        "sha256",
        "ca1 odigicert",
        "inc validity",
        "city",
        "kam sze",
        "verisign",
        "date",
        "server",
        "data",
        "whois database",
        "whois",
        "registrar abuse",
        "repackaging",
        "registrars",
        "icann whois",
        "form",
        "email",
        "request email",
        "stateprovince",
        "whois status",
        "tech",
        "address range",
        "network name",
        "type",
        "status",
        "whois server",
        "entity akamai",
        "handle",
        "orgtechref",
        "akamai address",
        "broadway city",
        "postalcode",
        "orgtechphone",
        "label akamai",
        "arin country",
        "us continent",
        "services",
        "net192",
        "net1920000",
        "as14153",
        "as15133",
        "edgec25",
        "w jefferson",
        "blvd",
        "algorithm",
        "cus odigicert",
        "cngeotrust tls",
        "rsa ca",
        "g1 validity",
        "subject public",
        "serving ip",
        "address",
        "status code",
        "body length",
        "kb body",
        "responsibility",
        "learn",
        "citizen verizon",
        "drupal",
        "corporate",
        "utc google",
        "tag manager",
        "gtmpz6697q",
        "utc g22l6jkpfvc",
        "utc linkedin",
        "insight tag",
        "utc adobe",
        "dynamic tag",
        "sameorigin",
        "date wed",
        "miss setcookie",
        "secure",
        "httponly",
        "unix",
        "cachecontrol",
        "html info",
        "title",
        "ip address",
        "stworld",
        "stworld og",
        "uetsid",
        "sctr",
        "pinunauth",
        "awsalb",
        "udnsntcsession",
        "tdid",
        "qplatform mfapp",
        "adrollfpc",
        "arv4",
        "udnsntcs",
        "interim sim",
        "newegg",
        "verizon",
        "buy verizon",
        "card",
        "newegg shopping",
        "ver2",
        "vids1",
        "msclkidn"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "CIDR": 3,
        "FileHash-SHA256": 316,
        "FileHash-SHA1": 4,
        "domain": 95,
        "hostname": 279,
        "URL": 267,
        "IPv4": 8,
        "email": 11,
        "FileHash-MD5": 12,
        "Mutex": 1,
        "URI": 1
      },
      "indicator_count": 997,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 66,
      "modified_text": "8 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "6a1172cc0a8d5c02b90c7abf",
      "name": "Rain + Acid; Questionable Civil Rights Violations.",
      "description": "[The full list of names and addresses for Akamai, the world's largest web hosting company, has been released..and it is not clear how many of them have been registered or used] <the first time I agree with pretext.",
      "modified": "2026-05-23T09:26:36.279000",
      "created": "2026-05-23T09:26:36.279000",
      "tags": [
        "akamai",
        "orgid",
        "akamai ref",
        "net173",
        "net1730000",
        "orgtechhandle",
        "steven jay",
        "orgname",
        "cidr",
        "noc united",
        "orgabusehandle",
        "nethandle",
        "key identifier",
        "x509v3 subject",
        "full name",
        "v3 serial",
        "number",
        "cus cndigicert",
        "tls rsa",
        "sha256",
        "ca1 odigicert",
        "inc validity",
        "city",
        "kam sze",
        "verisign",
        "date",
        "server",
        "data",
        "whois database",
        "whois",
        "registrar abuse",
        "repackaging",
        "registrars",
        "icann whois",
        "form",
        "email",
        "request email",
        "stateprovince",
        "whois status",
        "tech",
        "address range",
        "network name",
        "type",
        "status",
        "whois server",
        "entity akamai",
        "handle",
        "orgtechref",
        "akamai address",
        "broadway city",
        "postalcode",
        "orgtechphone",
        "label akamai",
        "arin country",
        "us continent",
        "services",
        "net192",
        "net1920000",
        "as14153",
        "as15133",
        "edgec25",
        "w jefferson",
        "blvd",
        "algorithm",
        "cus odigicert",
        "cngeotrust tls",
        "rsa ca",
        "g1 validity",
        "subject public",
        "serving ip",
        "address",
        "status code",
        "body length",
        "kb body",
        "responsibility",
        "learn",
        "citizen verizon",
        "drupal",
        "corporate",
        "utc google",
        "tag manager",
        "gtmpz6697q",
        "utc g22l6jkpfvc",
        "utc linkedin",
        "insight tag",
        "utc adobe",
        "dynamic tag",
        "sameorigin",
        "date wed",
        "miss setcookie",
        "secure",
        "httponly",
        "unix",
        "cachecontrol",
        "html info",
        "title",
        "ip address",
        "stworld",
        "stworld og",
        "uetsid",
        "sctr",
        "pinunauth",
        "awsalb",
        "udnsntcsession",
        "tdid",
        "qplatform mfapp",
        "adrollfpc",
        "arv4",
        "udnsntcs",
        "interim sim",
        "newegg",
        "verizon",
        "buy verizon",
        "card",
        "newegg shopping",
        "ver2",
        "vids1",
        "msclkidn"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "CIDR": 3,
        "FileHash-SHA256": 316,
        "FileHash-SHA1": 4,
        "domain": 95,
        "hostname": 279,
        "URL": 267,
        "IPv4": 8,
        "email": 11,
        "FileHash-MD5": 12,
        "Mutex": 1,
        "URI": 1
      },
      "indicator_count": 997,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 66,
      "modified_text": "8 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "698e93e1ab02db8c49e8c3ed",
      "name": "\u201cBroken Seal\u201d DocuSign-themed Delivery with Fileless Process Hollowing (Zeppelin/Bloat-A)",
      "description": "Forensic analysis indicates a DocuSign-themed phishing campaign using a deliberately invalid X.509 PKI seal (\u201cBroken Seal\u201d) to trigger fail-open verification logic in automated handlers. The delivery mechanism bypasses Secure Email Gateway (SEG) reputation checks by using encrypted channels and human-gated infrastructure. The payload is a fileless Process Hollowing (RunPE) malware that injects into RWX memory of legitimate processes to evade disk-based EDR.",
      "modified": "2026-05-17T15:52:35.396000",
      "created": "2026-02-13T03:00:49.872000",
      "tags": [
        "Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi",
        "9698f46495ce9401c8bcaf9a2afe1598",
        "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)",
        "MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71",
        "Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3",
        "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link",
        "DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)"
      ],
      "references": [
        "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.",
        "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)",
        "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.",
        "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure",
        "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess",
        "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.",
        "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.",
        "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)",
        "Verification failure observed in automated verification handlers during sandbox replay.",
        "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.",
        "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.",
        "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.",
        "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.",
        "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).",
        "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.",
        "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.",
        "Whitelisted IP Address 204.79.197.212 Location  United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. ,  ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc.,   Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 ,  5943 ,  80211 ,  #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf ,  The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat",
        "",
        "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr",
        "My Independent research finds an intersect between different pdf DV versions being able to connect to Raspberry Pi devices as it was the FCC application document. Risk: Mac ID connectivity to all."
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "China",
        "United States of America",
        "Spain",
        "Japan",
        "Canada"
      ],
      "malware_families": [],
      "attack_ids": [],
      "industries": [
        "Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In"
      ],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 14,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 28000,
        "FileHash-SHA256": 48374,
        "FileHash-MD5": 42596,
        "FileHash-SHA1": 23243,
        "hostname": 35654,
        "URL": 75758,
        "SSLCertFingerprint": 30,
        "CVE": 7585,
        "email": 316,
        "FileHash-IMPHASH": 8,
        "CIDR": 26205,
        "JA3": 1,
        "URI": 5,
        "IPv4": 574,
        "Mutex": 1
      },
      "indicator_count": 288350,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 92,
      "modified_text": "14 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "69fc35be85a193d62e33e048",
      "name": "CAPE Sandbox- LOTA- Living off the Admin",
      "description": "The sandbox analysis reveals several high-risk activities that align with modern malware strains. Persistence Mechanisms: The file attempts to modify registry keys and drop executable files in sensitive directories, typical of malware seeking to survive system reboots.Network Communications: It initiates connections to known malicious C2 (Command and Control) infrastructure. This includes resolving DGA (Domain Generation Algorithm) domains and attempting P2P communication.Process Injection: The sample often spawns or injects code into legitimate system processes to evade detection by standard antivirus engines.Data Exfiltration: Observed behavioral signatures include calls to APIs used for harvesting credentials and system metadata, which are then queued for outbound transmission. Network comms\n385 HTTP  656 DNS  702 IP  1 JA3.\n[fcedee2f..]\nf0r5afo[.exe] 12/28/16 first appearance. 104.31.74.222 Ip I tagged 30 other malcious [exe] in here too. ref file: [e0c]",
      "modified": "2026-05-08T06:37:13.389000",
      "created": "2026-05-07T06:48:30.051000",
      "tags": [
        "cloudflare",
        "city",
        "san francisco",
        "rnocname",
        "orgid",
        "rtechhandle",
        "net104",
        "net1040000",
        "rtechemail",
        "rabusehandle"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1010",
          "name": "Application Window Discovery",
          "display_name": "T1010 - Application Window Discovery"
        },
        {
          "id": "T1016",
          "name": "System Network Configuration Discovery",
          "display_name": "T1016 - System Network Configuration Discovery"
        },
        {
          "id": "T1018",
          "name": "Remote System Discovery",
          "display_name": "T1018 - Remote System Discovery"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1095",
          "name": "Non-Application Layer Protocol",
          "display_name": "T1095 - Non-Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1543",
          "name": "Create or Modify System Process",
          "display_name": "T1543 - Create or Modify System Process"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        },
        {
          "id": "T1571",
          "name": "Non-Standard Port",
          "display_name": "T1571 - Non-Standard Port"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1574",
          "name": "Hijack Execution Flow",
          "display_name": "T1574 - Hijack Execution Flow"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "IPv4": 102,
        "FileHash-MD5": 28,
        "FileHash-SHA1": 47,
        "FileHash-SHA256": 831,
        "URL": 1460,
        "domain": 315,
        "hostname": 266,
        "CIDR": 1,
        "email": 3
      },
      "indicator_count": 3053,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 67,
      "modified_text": "23 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "69fc35bc6924906c52c89f27",
      "name": "CAPE Sandbox- LOTA- Living off the Admin",
      "description": "The sandbox analysis reveals several high-risk activities that align with modern malware strains. Persistence Mechanisms: The file attempts to modify registry keys and drop executable files in sensitive directories, typical of malware seeking to survive system reboots.Network Communications: It initiates connections to known malicious C2 (Command and Control) infrastructure. This includes resolving DGA (Domain Generation Algorithm) domains and attempting P2P communication.Process Injection: The sample often spawns or injects code into legitimate system processes to evade detection by standard antivirus engines.Data Exfiltration: Observed behavioral signatures include calls to APIs used for harvesting credentials and system metadata, which are then queued for outbound transmission. Network comms\n385 HTTP  656 DNS  702 IP  1 JA3.\n[fcedee2f..]\nf0r5afo[.exe] 12/28/16 first appearance. 104.31.74.222 Ip I tagged 30 other malcious [exe] in here too. ref file: [e0c]",
      "modified": "2026-05-08T06:30:44.363000",
      "created": "2026-05-07T06:48:28.947000",
      "tags": [
        "cloudflare",
        "city",
        "san francisco",
        "rnocname",
        "orgid",
        "rtechhandle",
        "net104",
        "net1040000",
        "rtechemail",
        "rabusehandle"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1010",
          "name": "Application Window Discovery",
          "display_name": "T1010 - Application Window Discovery"
        },
        {
          "id": "T1016",
          "name": "System Network Configuration Discovery",
          "display_name": "T1016 - System Network Configuration Discovery"
        },
        {
          "id": "T1018",
          "name": "Remote System Discovery",
          "display_name": "T1018 - Remote System Discovery"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1095",
          "name": "Non-Application Layer Protocol",
          "display_name": "T1095 - Non-Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1543",
          "name": "Create or Modify System Process",
          "display_name": "T1543 - Create or Modify System Process"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        },
        {
          "id": "T1571",
          "name": "Non-Standard Port",
          "display_name": "T1571 - Non-Standard Port"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1574",
          "name": "Hijack Execution Flow",
          "display_name": "T1574 - Hijack Execution Flow"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "IPv4": 93,
        "FileHash-MD5": 24,
        "FileHash-SHA1": 43,
        "FileHash-SHA256": 167,
        "URL": 1447,
        "domain": 274,
        "hostname": 243,
        "CIDR": 1,
        "email": 3
      },
      "indicator_count": 2295,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 67,
      "modified_text": "23 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "69fc35bbf5093f9bf3cd0a32",
      "name": "CAPE Sandbox- LOTA- Living off the Admin",
      "description": "The sandbox analysis reveals several high-risk activities that align with modern malware strains. Persistence Mechanisms: The file attempts to modify registry keys and drop executable files in sensitive directories, typical of malware seeking to survive system reboots.Network Communications: It initiates connections to known malicious C2 (Command and Control) infrastructure. This includes resolving DGA (Domain Generation Algorithm) domains and attempting P2P communication.Process Injection: The sample often spawns or injects code into legitimate system processes to evade detection by standard antivirus engines.Data Exfiltration: Observed behavioral signatures include calls to APIs used for harvesting credentials and system metadata, which are then queued for outbound transmission. Network comms\n385 HTTP  656 DNS  702 IP  1 JA3.\n[fcedee2f..]\nf0r5afo[.exe] 12/28/16 first appearance. 104.31.74.222 Ip I tagged 30 other malcious [exe] in here too. ref file: [e0c]",
      "modified": "2026-05-08T05:17:02.092000",
      "created": "2026-05-07T06:48:27.828000",
      "tags": [
        "cloudflare",
        "city",
        "san francisco",
        "rnocname",
        "orgid",
        "rtechhandle",
        "net104",
        "net1040000",
        "rtechemail",
        "rabusehandle"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1010",
          "name": "Application Window Discovery",
          "display_name": "T1010 - Application Window Discovery"
        },
        {
          "id": "T1016",
          "name": "System Network Configuration Discovery",
          "display_name": "T1016 - System Network Configuration Discovery"
        },
        {
          "id": "T1018",
          "name": "Remote System Discovery",
          "display_name": "T1018 - Remote System Discovery"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1095",
          "name": "Non-Application Layer Protocol",
          "display_name": "T1095 - Non-Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1543",
          "name": "Create or Modify System Process",
          "display_name": "T1543 - Create or Modify System Process"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        },
        {
          "id": "T1571",
          "name": "Non-Standard Port",
          "display_name": "T1571 - Non-Standard Port"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1574",
          "name": "Hijack Execution Flow",
          "display_name": "T1574 - Hijack Execution Flow"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "IPv4": 110,
        "FileHash-MD5": 47,
        "FileHash-SHA1": 85,
        "FileHash-SHA256": 186,
        "URL": 1467,
        "domain": 274,
        "hostname": 247,
        "CIDR": 4,
        "email": 14
      },
      "indicator_count": 2434,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 68,
      "modified_text": "23 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "69d20ba3e768ce672f6faaf0",
      "name": "VirusTotal Windows Sandbox",
      "description": "A security alert has been issued by the UK government over the weekend, with the result of a malicious web address being sent to a member of the public via an address address linked tolinkedin.",
      "modified": "2026-05-05T07:28:14.492000",
      "created": "2026-04-05T07:13:39.327000",
      "tags": [
        "windows sandbox",
        "calls process",
        "time",
        "request header",
        "host",
        "windows nt",
        "win64",
        "khtml",
        "gecko",
        "acceptencoding",
        "accept",
        "response header",
        "date",
        "dword",
        "malware",
        "file type",
        "utf8",
        "crlf line",
        "unicode text",
        "yara",
        "binary",
        "found",
        "sample",
        "mitre attack",
        "malicious",
        "window",
        "next",
        "detail info",
        "tickcount",
        "behaviour",
        "processid",
        "threadid",
        "startaddress",
        "parameter",
        "offset",
        "windows xp",
        "professional",
        "write",
        "info",
        "shell",
        "cultureneutral",
        "count",
        "default",
        "subsys11001af4",
        "rev003",
        "rev033",
        "folders api",
        "skylakeibrs",
        "daba3ff",
        "inprocserver32",
        "first",
        "virustotal",
        "enterprise",
        "service",
        "close",
        "win32 exe",
        "pe32",
        "ms windows",
        "win16 ne",
        "icons library",
        "os2 executable",
        "generic windos",
        "executable",
        "pe64 library",
        "cname",
        "none rticon",
        "file size",
        "sha256",
        "mwdb",
        "bazaar",
        "sha3384",
        "crc32",
        "shutdown",
        "error",
        "back",
        "lsappdata",
        "inetfiles",
        "windowname",
        "protocol level",
        "application",
        "next connection",
        "address",
        "http url",
        "get http",
        "full path",
        "path",
        "filename",
        "targetprocess",
        "writeaddress",
        "size",
        "targetpid",
        "findfirstfileex",
        "class",
        "find",
        "open",
        "imagepath",
        "cmdline",
        "ping",
        "flags"
      ],
      "references": [
        "https://vtbehaviour.commondatastorage.googleapis.com/000bdbb9556e3474630b36d57190d5dae719886a6cdecf824af6a456243ebf88_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775372160&Signature=wARiO6wRTZGhS9vOpI%2BvoWxpe55%2BBlHjfTVS2m1fsb3%2FyiqXoI5x8uRNh6fj6Qp6DpePIZAM2MHvDzi%2B5TT6VWKI4zyyc%2BeVp9gihB0djBnCJr%2BKCB18kdFNBE%2BicOTMmx5aJ1hSjWQcOBYm9PMkZ6%2BhLzxX3gxTMneBKGhh0ckFJRTRfM2gKMfEPrOQ6aVgfkTWJUR9FQYz5g2qKGSDh1CCNlEzXhO33BEPI9fN",
        "https://vtbehaviour.commondatastorage.googleapis.com/03a5d431bb42e7730a3ae3b3563cee73e7a782079cf56f57bad5fe665d261e54_SecneurX.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775372244&Signature=fXjnCgFbGybFp%2BCRO6a%2FQ3LKU2uLiKNtjgwKzprL3LFL%2BTMgup6nbp7%2F9Hxy8bnBzlFtSzO0fcnf%2FpIsNim0UdrINmB63N9mKkBW1cOkjxV88PAy2nsFZA3FjOEYq4N0lgc8gAtS5eRTt%2Bwb7WjEnd3QQ7aPLuoVl2hjed4hC8Cit6efcSD9GbJCITMeX4%2FVHBYSjmDr4Pgip9ANSZ6wvzkRktqPpC23Qwl62gkuXE%2BKp0s%2Bq%",
        "https://vtbehaviour.commondatastorage.googleapis.com/14116af49a976b71f7ddd760161a1d50328baa280ac2c9a1f9f3a8996a3929b6_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775372327&Signature=bhG0zZxkKhoz9temkLENxZsdN9KeMsxW4nt2II1lmaPLEGAhNM4EmX5e7z1UM9LLsnqrvuZBhQs7ZnBuwSpY5T8iiKIu2%2FfZ83pX1Tw8s%2Bn%2BfXlEl3jlhzXWewZ9i8ZlXd6YIeWETsAak1j93aNnJHB2IPoZn7VISupTj400x7E%2FSm0ilDz4zCCDAjz1eTp1N41HvmoviGQGwTSnjTW5oyBHDm8RglOnnNqcEsm6%2BkGBJToFomLsipvuVIz8",
        "https://vtbehaviour.commondatastorage.googleapis.com/39c58d0f868d4e8d1b959dce19d0bbcc57bb8b9b832f9efbe4e2244051237b95_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775372451&Signature=Dv9FcZuWlVKlY26EcoSmR4Kcb44tKDv4kyBrDOputdJDLMvfDX9%2Fs4Ss4cLURTdCso74wPUHQpcMVcyeGGK%2F3RwYbxXwJjMGGAJSCfCxIDRiL%2BLOQKY3M7zGyXrkpuwr5lQS4CaKp1LFajsxxwnKpd%2F5eXNMLqlyxh%2ByO3dJWTkY8WqNnnwnSjW0lqpwB9%2BBjgEdIeWsnMRqF0t4JQ8dJsmCbbTXmAKIEZ46Rpio044%2BrsqH",
        "https://vtbehaviour.commondatastorage.googleapis.com/539dc26a14b6277e87348594ab7d6e932d16aabb18612d77f29fe421a9f1d46a_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775372560&Signature=tXBHkUCyFp7E2Um%2FMUvRPbUvaQmYPeBV7KGbi%2Bssa%2FkYQyqgH4u8fy6h0A8bVbsyQMMPf2EEF2JkzkiD6SXcfLADGdVqHYQya%2F6s2Ox5QnOFkJSATlDdXCWVp%2F4wHxZHInIRcrBPZFjjYFQM0u7VYCEMtkMCS0pzld2nGLlcOuOXBFxGTQPy0A03dikBC4Yw4f%2BdiMLMxO0hxZSo9FxPq1ylB4gs57NBBniylVO4Qi%2BLzleU5",
        "https://vtbehaviour.commondatastorage.googleapis.com/0ab7fad77871a45137c9f2e40e3cbf47e3d71315f71c8eca9c8d62bc24a53184_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775372878&Signature=cLNwLw1L9ZCpQXZej7DaLTWH5w887X5wPnSpN1pwH2N4acSu8Llp25uprGRArg6qCuPbVQ2YPyIeCdwLCZvq%2FU0hP8m17ZPontiyR5zKb7jxcW57eEUuVnuSV9%2FnukwtPPJ%2BTY7a0%2B9rwSAU%2FL%2FJQ1yMke6VIX%2B%2F6KSWHgmLV%2F%2FR%2FbOxB0oZ4%2Fe%2Fsb2%2Fw12dZix7IY6c7wOj1OlWGQSkAZZsEoDw",
        "https://vtbehaviour.commondatastorage.googleapis.com/01f09136cb86f25635f91144946847d58c559228d50d9b84b0c021d4091b840b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775373052&Signature=U7haY6XsgyJ83G1vAOPLrLLS%2BaMP9xAKOlnzSb4I9clIBLt9Y8xzP4qjfBxbeUfdF6s%2B6dtg4dXzqTjrAYSC3XOTEEtHZeK4ePz5qfS9n%2FWNrOKQb30VBhfUNL5DYUCd3XSOPjIVlbRz9ylDpwApfVK2AMarGiLLlnKRDv7M0S63SkQx8eWyabXd2afPPy96ZGNZVZfOhw5llZiztL6mYo%2BVivlyFsDcodH9F4XrS%2FPsSLeJRx5d",
        "https://vtbehaviour.commondatastorage.googleapis.com/7605fa9aeaae25656c40a553534d35418cca40dc48023d0b3237b402361c6816_Dr.Web%20vxCube.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775373200&Signature=uMO8ESBCpu0oIIRS0CToWTN9KlOHyq4uWjWMjfdcUCGyliW%2FSy8KDIg6OMWLUQ6SBC45Jm0Mr%2FNV6m74hTSnpmGdVf6k6mA3QrTQwUMaMk2QbBLU1IwUG8wvylr6KXEqQYYCkZksYiZEyNm%2B2hKNvWtKFc%2BZlL7M12RBSER84%2FDRQlJnK6qbDW3DYX1tPsXxTynGj5YxQDlUqfWU8CjZtSAfUK%2Bw%2FoybwyMsJc68%2B01HQ",
        "https://vtbehaviour.commondatastorage.googleapis.com/7605fa9aeaae25656c40a553534d35418cca40dc48023d0b3237b402361c6816_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775373283&Signature=KIPnPqQCcifTzuRS43FhFyzCXei0rDK20JuVvXA3UkB%2Bj6R1a4SAH2sn%2BJO1ohLSxLswzbryMf81lr4eGQCMbr3Wwfwo7kHN1yHV4M187cNxRZlbZ4%2BzOZZgfWt3bJNLx2Z4%2B4aqarco7OzqkhcQizlq8frRttJQjcLcNxgWD3oV2QDxZxurniW%2BhRRUS%2Bv9uGXWIRhWYmbEA%2BaoQsvpX0AIeSUCn4qb%2Fh31hJe7JitkCE",
        "https://vtbehaviour.commondatastorage.googleapis.com/000007781f616194758c52c551ab2f198970675c9218eab9f1e4470f0a696e71_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775373373&Signature=mjvxt7z8ajbHZY%2BdL0G02pE7trUx7SkineLNrDSnq8FxmEuCuDdnNDWKdPawPb4w2NnK5HFkV3BAdTJrRNBxBceLP%2FevhdkmR4C%2BiZZ8pz9GBeqwl0l6oJMBga2ZHfKcA%2BxqQgP5r1zzN%2BZPMH0zxPdHYZA2WlzkfzPBDQcTEDdz8aTIaX%2BOP5JUo4gYjqxxxrdBLVGv0i54PedBqgFw5IRrPpdH%2FwlQGTLKQ%2BSjslq2d0",
        "https://vtbehaviour.commondatastorage.googleapis.com/39c58d0f868d4e8d1b959dce19d0bbcc57bb8b9b832f9efbe4e2244051237b95_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775373454&Signature=oXNg992chHQhOJxpI2XcWdFB%2FxJme1ol4iA4aOgaKWQcqa9WXsYlPcTANPmFkyrHIciosnksXEJrIAfFsjAYeEqG%2F7oPGCQLBILFHUhwZVcoJR9PgFwUsHBu%2FqiWSOifVPER4vpDL0gbsuNlU6gHT5aWRW%2BwoOwbHSIt5jj%2FJ3%2FxGDBAUaZrSuQurOM0Nb3qRhNN1NOTUj7mGTuUBXdtvnzCFLjxl3Kk6dYYFgmwhWI04P3JIB"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1010",
          "name": "Application Window Discovery",
          "display_name": "T1010 - Application Window Discovery"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        },
        {
          "id": "T1574",
          "name": "Hijack Execution Flow",
          "display_name": "T1574 - Hijack Execution Flow"
        },
        {
          "id": "T1090",
          "name": "Proxy",
          "display_name": "T1090 - Proxy"
        },
        {
          "id": "T1012",
          "name": "Query Registry",
          "display_name": "T1012 - Query Registry"
        },
        {
          "id": "T1014",
          "name": "Rootkit",
          "display_name": "T1014 - Rootkit"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1542",
          "name": "Pre-OS Boot",
          "display_name": "T1542 - Pre-OS Boot"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 72,
        "FileHash-MD5": 56,
        "FileHash-SHA1": 27,
        "FileHash-SHA256": 113,
        "domain": 19,
        "hostname": 89
      },
      "indicator_count": 376,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 67,
      "modified_text": "26 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "69d20ba2a469e45b8dfd8c31",
      "name": "VirusTotal Windows Sandbox",
      "description": "A security alert has been issued by the UK government over the weekend, with the result of a malicious web address being sent to a member of the public via an address address linked tolinkedin.",
      "modified": "2026-05-05T07:28:14.492000",
      "created": "2026-04-05T07:13:38.063000",
      "tags": [
        "windows sandbox",
        "calls process",
        "time",
        "request header",
        "host",
        "windows nt",
        "win64",
        "khtml",
        "gecko",
        "acceptencoding",
        "accept",
        "response header",
        "date",
        "dword",
        "malware",
        "file type",
        "utf8",
        "crlf line",
        "unicode text",
        "yara",
        "binary",
        "found",
        "sample",
        "mitre attack",
        "malicious",
        "window",
        "next",
        "detail info",
        "tickcount",
        "behaviour",
        "processid",
        "threadid",
        "startaddress",
        "parameter",
        "offset",
        "windows xp",
        "professional",
        "write",
        "info",
        "shell",
        "cultureneutral",
        "count",
        "default",
        "subsys11001af4",
        "rev003",
        "rev033",
        "folders api",
        "skylakeibrs",
        "daba3ff",
        "inprocserver32",
        "first",
        "virustotal",
        "enterprise",
        "service",
        "close",
        "win32 exe",
        "pe32",
        "ms windows",
        "win16 ne",
        "icons library",
        "os2 executable",
        "generic windos",
        "executable",
        "pe64 library",
        "cname",
        "none rticon",
        "file size",
        "sha256",
        "mwdb",
        "bazaar",
        "sha3384",
        "crc32",
        "shutdown",
        "error",
        "back",
        "lsappdata",
        "inetfiles",
        "windowname",
        "protocol level",
        "application",
        "next connection",
        "address",
        "http url",
        "get http",
        "full path",
        "path",
        "filename",
        "targetprocess",
        "writeaddress",
        "size",
        "targetpid",
        "findfirstfileex",
        "class",
        "find",
        "open",
        "imagepath",
        "cmdline",
        "ping",
        "flags"
      ],
      "references": [
        "https://vtbehaviour.commondatastorage.googleapis.com/000bdbb9556e3474630b36d57190d5dae719886a6cdecf824af6a456243ebf88_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775372160&Signature=wARiO6wRTZGhS9vOpI%2BvoWxpe55%2BBlHjfTVS2m1fsb3%2FyiqXoI5x8uRNh6fj6Qp6DpePIZAM2MHvDzi%2B5TT6VWKI4zyyc%2BeVp9gihB0djBnCJr%2BKCB18kdFNBE%2BicOTMmx5aJ1hSjWQcOBYm9PMkZ6%2BhLzxX3gxTMneBKGhh0ckFJRTRfM2gKMfEPrOQ6aVgfkTWJUR9FQYz5g2qKGSDh1CCNlEzXhO33BEPI9fN",
        "https://vtbehaviour.commondatastorage.googleapis.com/03a5d431bb42e7730a3ae3b3563cee73e7a782079cf56f57bad5fe665d261e54_SecneurX.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775372244&Signature=fXjnCgFbGybFp%2BCRO6a%2FQ3LKU2uLiKNtjgwKzprL3LFL%2BTMgup6nbp7%2F9Hxy8bnBzlFtSzO0fcnf%2FpIsNim0UdrINmB63N9mKkBW1cOkjxV88PAy2nsFZA3FjOEYq4N0lgc8gAtS5eRTt%2Bwb7WjEnd3QQ7aPLuoVl2hjed4hC8Cit6efcSD9GbJCITMeX4%2FVHBYSjmDr4Pgip9ANSZ6wvzkRktqPpC23Qwl62gkuXE%2BKp0s%2Bq%",
        "https://vtbehaviour.commondatastorage.googleapis.com/14116af49a976b71f7ddd760161a1d50328baa280ac2c9a1f9f3a8996a3929b6_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775372327&Signature=bhG0zZxkKhoz9temkLENxZsdN9KeMsxW4nt2II1lmaPLEGAhNM4EmX5e7z1UM9LLsnqrvuZBhQs7ZnBuwSpY5T8iiKIu2%2FfZ83pX1Tw8s%2Bn%2BfXlEl3jlhzXWewZ9i8ZlXd6YIeWETsAak1j93aNnJHB2IPoZn7VISupTj400x7E%2FSm0ilDz4zCCDAjz1eTp1N41HvmoviGQGwTSnjTW5oyBHDm8RglOnnNqcEsm6%2BkGBJToFomLsipvuVIz8",
        "https://vtbehaviour.commondatastorage.googleapis.com/39c58d0f868d4e8d1b959dce19d0bbcc57bb8b9b832f9efbe4e2244051237b95_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775372451&Signature=Dv9FcZuWlVKlY26EcoSmR4Kcb44tKDv4kyBrDOputdJDLMvfDX9%2Fs4Ss4cLURTdCso74wPUHQpcMVcyeGGK%2F3RwYbxXwJjMGGAJSCfCxIDRiL%2BLOQKY3M7zGyXrkpuwr5lQS4CaKp1LFajsxxwnKpd%2F5eXNMLqlyxh%2ByO3dJWTkY8WqNnnwnSjW0lqpwB9%2BBjgEdIeWsnMRqF0t4JQ8dJsmCbbTXmAKIEZ46Rpio044%2BrsqH",
        "https://vtbehaviour.commondatastorage.googleapis.com/539dc26a14b6277e87348594ab7d6e932d16aabb18612d77f29fe421a9f1d46a_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775372560&Signature=tXBHkUCyFp7E2Um%2FMUvRPbUvaQmYPeBV7KGbi%2Bssa%2FkYQyqgH4u8fy6h0A8bVbsyQMMPf2EEF2JkzkiD6SXcfLADGdVqHYQya%2F6s2Ox5QnOFkJSATlDdXCWVp%2F4wHxZHInIRcrBPZFjjYFQM0u7VYCEMtkMCS0pzld2nGLlcOuOXBFxGTQPy0A03dikBC4Yw4f%2BdiMLMxO0hxZSo9FxPq1ylB4gs57NBBniylVO4Qi%2BLzleU5",
        "https://vtbehaviour.commondatastorage.googleapis.com/0ab7fad77871a45137c9f2e40e3cbf47e3d71315f71c8eca9c8d62bc24a53184_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775372878&Signature=cLNwLw1L9ZCpQXZej7DaLTWH5w887X5wPnSpN1pwH2N4acSu8Llp25uprGRArg6qCuPbVQ2YPyIeCdwLCZvq%2FU0hP8m17ZPontiyR5zKb7jxcW57eEUuVnuSV9%2FnukwtPPJ%2BTY7a0%2B9rwSAU%2FL%2FJQ1yMke6VIX%2B%2F6KSWHgmLV%2F%2FR%2FbOxB0oZ4%2Fe%2Fsb2%2Fw12dZix7IY6c7wOj1OlWGQSkAZZsEoDw",
        "https://vtbehaviour.commondatastorage.googleapis.com/01f09136cb86f25635f91144946847d58c559228d50d9b84b0c021d4091b840b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775373052&Signature=U7haY6XsgyJ83G1vAOPLrLLS%2BaMP9xAKOlnzSb4I9clIBLt9Y8xzP4qjfBxbeUfdF6s%2B6dtg4dXzqTjrAYSC3XOTEEtHZeK4ePz5qfS9n%2FWNrOKQb30VBhfUNL5DYUCd3XSOPjIVlbRz9ylDpwApfVK2AMarGiLLlnKRDv7M0S63SkQx8eWyabXd2afPPy96ZGNZVZfOhw5llZiztL6mYo%2BVivlyFsDcodH9F4XrS%2FPsSLeJRx5d",
        "https://vtbehaviour.commondatastorage.googleapis.com/7605fa9aeaae25656c40a553534d35418cca40dc48023d0b3237b402361c6816_Dr.Web%20vxCube.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775373200&Signature=uMO8ESBCpu0oIIRS0CToWTN9KlOHyq4uWjWMjfdcUCGyliW%2FSy8KDIg6OMWLUQ6SBC45Jm0Mr%2FNV6m74hTSnpmGdVf6k6mA3QrTQwUMaMk2QbBLU1IwUG8wvylr6KXEqQYYCkZksYiZEyNm%2B2hKNvWtKFc%2BZlL7M12RBSER84%2FDRQlJnK6qbDW3DYX1tPsXxTynGj5YxQDlUqfWU8CjZtSAfUK%2Bw%2FoybwyMsJc68%2B01HQ",
        "https://vtbehaviour.commondatastorage.googleapis.com/7605fa9aeaae25656c40a553534d35418cca40dc48023d0b3237b402361c6816_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775373283&Signature=KIPnPqQCcifTzuRS43FhFyzCXei0rDK20JuVvXA3UkB%2Bj6R1a4SAH2sn%2BJO1ohLSxLswzbryMf81lr4eGQCMbr3Wwfwo7kHN1yHV4M187cNxRZlbZ4%2BzOZZgfWt3bJNLx2Z4%2B4aqarco7OzqkhcQizlq8frRttJQjcLcNxgWD3oV2QDxZxurniW%2BhRRUS%2Bv9uGXWIRhWYmbEA%2BaoQsvpX0AIeSUCn4qb%2Fh31hJe7JitkCE",
        "https://vtbehaviour.commondatastorage.googleapis.com/000007781f616194758c52c551ab2f198970675c9218eab9f1e4470f0a696e71_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775373373&Signature=mjvxt7z8ajbHZY%2BdL0G02pE7trUx7SkineLNrDSnq8FxmEuCuDdnNDWKdPawPb4w2NnK5HFkV3BAdTJrRNBxBceLP%2FevhdkmR4C%2BiZZ8pz9GBeqwl0l6oJMBga2ZHfKcA%2BxqQgP5r1zzN%2BZPMH0zxPdHYZA2WlzkfzPBDQcTEDdz8aTIaX%2BOP5JUo4gYjqxxxrdBLVGv0i54PedBqgFw5IRrPpdH%2FwlQGTLKQ%2BSjslq2d0",
        "https://vtbehaviour.commondatastorage.googleapis.com/39c58d0f868d4e8d1b959dce19d0bbcc57bb8b9b832f9efbe4e2244051237b95_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775373454&Signature=oXNg992chHQhOJxpI2XcWdFB%2FxJme1ol4iA4aOgaKWQcqa9WXsYlPcTANPmFkyrHIciosnksXEJrIAfFsjAYeEqG%2F7oPGCQLBILFHUhwZVcoJR9PgFwUsHBu%2FqiWSOifVPER4vpDL0gbsuNlU6gHT5aWRW%2BwoOwbHSIt5jj%2FJ3%2FxGDBAUaZrSuQurOM0Nb3qRhNN1NOTUj7mGTuUBXdtvnzCFLjxl3Kk6dYYFgmwhWI04P3JIB"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1010",
          "name": "Application Window Discovery",
          "display_name": "T1010 - Application Window Discovery"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        },
        {
          "id": "T1574",
          "name": "Hijack Execution Flow",
          "display_name": "T1574 - Hijack Execution Flow"
        },
        {
          "id": "T1090",
          "name": "Proxy",
          "display_name": "T1090 - Proxy"
        },
        {
          "id": "T1012",
          "name": "Query Registry",
          "display_name": "T1012 - Query Registry"
        },
        {
          "id": "T1014",
          "name": "Rootkit",
          "display_name": "T1014 - Rootkit"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1542",
          "name": "Pre-OS Boot",
          "display_name": "T1542 - Pre-OS Boot"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 72,
        "FileHash-MD5": 60,
        "FileHash-SHA1": 31,
        "FileHash-SHA256": 149,
        "domain": 19,
        "hostname": 91
      },
      "indicator_count": 422,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 67,
      "modified_text": "26 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "http://drupal.org",
    "type": "URL"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "http://drupal.org",
    "type": "URL",
    "found": false,
    "verdict": "clean",
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780284277.6795828
}