{ "type": "URL", "indicator": "https://connect.facebook.net", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://connect.facebook.net", "type": "url", "type_title": "URL", "validation": [ { "source": "akamai", "message": "Akamai rank: #189", "name": "Akamai Popular Domain" }, { "source": "whitelist", "message": "Whitelisted domain facebook.net", "name": "Whitelisted domain" }, { "source": "majestic", "message": "Whitelisted domain facebook.net", "name": "Whitelisted domain" } ], "base_indicator": { "id": 2904826635, "indicator": "https://connect.facebook.net", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 50, "pulses": [ { "id": "69b17ce52b022720772044dc", "name": "CAPE Sandbox", "description": "Creepy. not ok. abuse of power #stalker", "modified": "2026-04-10T14:06:02.757000", "created": "2026-03-11T14:32:05.801000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 2, "URL": 36, "domain": 14, "hostname": 105 }, "indicator_count": 161, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "9 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69d0ac87c6799549809753ce", "name": "VirusTotal report\n for Other-20230212T074754Z-001.zip", "description": "com - is the name of a German domain registered with the United-Domains AG.\n\n3 hearts\npure bleeds. sigma shields. commander hunts.\nlegacy puppetmaster suppresses.\nthe octopus is forever tangled.", "modified": "2026-04-04T06:43:37.685000", "created": "2026-04-04T06:15:35.668000", "tags": [ "date", "server", "registrar abuse", "postal code", "registrant name", "expiration date", "registry domain", "registrar iana", "registrar url", "registrant city", "ascii text", "javascript", "mitre attack", "network info", "dropped info", "file type", "processes extra", "overview zenbox", "linux verdict", "guest system", "ultimate file", "info file", "persistence", "next", "pe file", "text format", "ansi", "ms windows", "zip archive", "found", "crlf line", "windows start", "default", "delphi", "code", "malicious", "windows sandbox", "calls clear", "ascii", "java source", "web open", "font format", "truetype", "version", "python", "cape sandbox", "machine summary", "report time", "machine name", "analysis id", "machine label", "duration", "machine manager", "kvm os", "shutdown", "https", "shpk", "performs dns", "t1055 process", "layer protocol", "overview", "title", "phishing", "loader", "script", "meta", "albania", "structured data", "artan lenja", "street", "building", "tiran", "body", "icloud", "free", "apple", "link", "style", "doctype html", "timestamp", "sectigo", "official", "disney", "walt disney", "countryus", "center", "head", "forbidden", "creates", "command", "clear filters", "sigma", "verdict" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/100a90c0ff019b19f0f2622cfa529d874f580b2ac6257d018e5eb9ab6d861f44_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775281711&Signature=G81N%2BSvpl7rLMvDIGLovzSBK8YJzNBOTs7Ycfze1L%2BdFheZX%2BS6EbtlDx545BRgefMUoJSwn%2BdK4eRpYlyMGmHvkv2tw3apezXxBF5J95vedk3RlOzXgGUAvJvewt0RBBR9f9hiVn9CuYTHvY3Cf%2BVog32%2BRLrv8sMhZ%2FeqX0%2FhraP6leNtAta5iUv73pYWeMmdsQ7nX2EvTO7uUvGggX6TmnBhiHHd8E9uCsoPHCTP4i0", "https://vtbehaviour.commondatastorage.googleapis.com/100a90c0ff019b19f0f2622cfa529d874f580b2ac6257d018e5eb9ab6d861f44_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775281734&Signature=3FFHeC27RvCC9623M2f8xoSU4fl9LBd%2FvI%2F98rUNvmdceN4AZjjw77yTU0ApUTXU5FbdCpODVhKi0X4pqDz1pqEP%2FBRLq%2FNhgoRliai6LlD4yhdTtKNi4zrfCDG%2Bd4dRzD5y674IfEPynxGiFOWxc6wiCtl3rhwTPEqisyDqFbvnF57SxrcPoVSzVO3wEtxpCOIw8iAFXdW2zgnnYYbSrbaQBfghKLtFA6r2vP%2Bmrd33YSUiH%2Fe2EqBz", "https://vtbehaviour.commondatastorage.googleapis.com/100a90c0ff019b19f0f2622cfa529d874f580b2ac6257d018e5eb9ab6d861f44_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775281812&Signature=jttp%2BTn66O5EfEB%2FASdpjDONf%2BzydGtfIUy3AtwYz0ppPzVA88%2BzZ8LtzV0TDhkMiju4oLHr%2BauJnKYexqnF0MfNTXGKPfj3ux9oZ2%2Baqve%2B3xgapdwdz0N64RgWo3SBqCKFBOQmi57mqIy%2F8qgnAfdVX99BwF2BuRSYSbIjNW5NHjir1JrAAKwOHZFyNsKj99PImyug2FPpRnss8VrJvDyYdnaGLHIAbZMRl72V", "https://vtbehaviour.commondatastorage.googleapis.com/100a90c0ff019b19f0f2622cfa529d874f580b2ac6257d018e5eb9ab6d861f44_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775281904&Signature=B9x8BUVCeldkVImU%2Bb%2B7d97Q9Y2suAJFE1HvxBCu6MQUOt52HrgAUTBIeXPKgNP0gKiqrr%2BwDvN7q637Ht6n5C9QhuTPI%2FhWTub0F22jsp8lU2Pvp2bS%2FlaSchLRN5gDngyPABgnaqYERICP8QQkwfaB9pY%2Bii1%2FAeel%2BIDGYwxPPfIcYevejNv2O%2F0J6qYRftrtXwa95pbsecrfOzH6bpF3AzHQrTLJAuZ%2B%2BykW", "https://vtbehaviour.commondatastorage.googleapis.com/bc3cc97398d5f56a4731085e8a385694f6ef1ab37243c6c00deed4a1335ced55_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775281954&Signature=Tythlx%2B0x7Dzf2SYvJDgwby2Ifinb7IbK5GTx%2ByqvqVc1r4cz7rhoVD3NZqUAgUpxSkIAsRAK5WV5tMXUGiiB6JWp8Y9YmaL7Zhb5NxMBcodk57r7XhYzEbDxYg%2Fh1ChwMliA5cBr%2BXbUcW4q2aA4xQeNE1XVNpalGtyHh8bsDTKgQG0Ch1gikPF%2BeKc2ANprXe6z%2FJBXtqJBxh6%2Bem6fGON6%2BpRP1%2BgmNg4%2FtFnlQ", "https://vtbehaviour.commondatastorage.googleapis.com/bc3cc97398d5f56a4731085e8a385694f6ef1ab37243c6c00deed4a1335ced55_CAPE%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775281979&Signature=LrquDQAOc%2Bf90O7wkZ9lRNx5uIZopS4VL7qYn7UKkzTI19c7sNJWNdGeBPtnE%2FG4yxsv1tBxkoojr78E808e78vceGG2xskRT6tUTjtDo2c8JW%2FD9Mr5ZAVe8Cn%2BP%2BpCbBkZXbtaceCtVq0b9zVWx9YstN2ju69uofX50LbI%2FgmHh%2Bghta79DgdBrNmkcQEXDu7t%2FqSZSozfso9i%2BoSZdHXEfsU59hoc%2FhUSoPMEPGFU", "https://vtbehaviour.commondatastorage.googleapis.com/fa8a59149604c73572bf92b42640de49faa7e8f16cd4bc18345d3e6a16378744_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775282019&Signature=VwsuvdyY52E5jzftipHSNWVrwmO7YUwSQa9yHiMIgbsXcJDnDNcdELamMXjmvzDn%2FT6L5HguJFyj%2F4DHLmPfddzVphNAKCPvz3IRVae2piJ%2B8VWa2%2B98W3RjMft93LZhdNHwxeEYM8oJ%2FOjAjw%2FIicginJBUwlGeHX3kfTJieSEC7SYf6BkJ4UNfnF2pPQjiaAqG9mop%2FPKsB%2FF1K%2FrL7Rpsxwhl1rGglHYPM4%2BtJj6zDYx%2F", "https://vtbehaviour.commondatastorage.googleapis.com/fa8a59149604c73572bf92b42640de49faa7e8f16cd4bc18345d3e6a16378744_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775282044&Signature=Y%2FEJZwm3h4tUuhn9%2FgO7QDcTnUoojZIDnoL%2FuGaoe0o5h%2FPUEiZpyFQLH9JfrvNN0h58UWlcJNCMxaSZl%2BZDvBDliVat0wDr0fE35mo0jGTK3uwa7DykFrjyI0NAVFlzkVSyxC0euM4lSJaw9PqyJGgLb4FfaztkzK7ZQYTIsGMYWSsCAKzatCObwK%2B8nqV63M9VXUeJy8ZQx7IwbttNffD6FQUaPbtCwlsywb%2Bu7NVqkFSG", "https://www.icloud.com/attachment/?u=https%3a%2f%2f%cvws.icloud-content.com", "https://vtbehaviour.commondatastorage.googleapis.com/ba49f65ef5d694311c535991812ee2fa8f0c639f4e053d136c1161b8b1bfaf8f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775282803&Signature=CE28%2B8Orp96YBz3AWi4L4LJoj5B677T4lpyJl4VIG%2BN68qLtOorzpmY%2BdQgPcKJxqxcvmf3JmeA2zAZFyVdmEzznUnaiSY6xhbkbZ8nrReWLN9MBQZJuFd6by3aYlQoYFg2Bxu5d%2FLEAxWm4ljnJApBcv1csUNbJ8KxjkdXXAyPkiWPwMc4JDmXrnH5%2FXBQ7Tf1qxmze1lX2S5QvktDVUA3Bdn67nGtMvguY5EIl7tj1AezbuTFM", "https://vtbehaviour.commondatastorage.googleapis.com/68e1e958d101feb1044553d3e8ba341448a17d917e4b613cb05873814159ed40_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775282913&Signature=TKCWJVTu8VHNWLhsI%2BkIN06KJgV4R1%2F2oO9G3V2x%2Bdxi14E9JDPHosmNkN%2Fk02BRc0I8Yg4HJPmcxjdAvb8mTCZjA10bizFznZC3epwH0hmoxTVgryMxpD%2B7zTQqKIRpE9UGGC1WSu0CTJ3rI9dCyopLkmeiyJPVw%2BIuERp37p2MEwzwwIPRuYpB190GfOdCkGt6TuMjDG6cVa%2BxvJlEdoEw8US6W8WPaioxSu1KVCoKjwky", "https://vtbehaviour.commondatastorage.googleapis.com/ffe3319990984c10c84fc18f6c1d40b2c7ad44666ebc2b54368bd96327ec6abc_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775283093&Signature=GU02WhsC3g0ztmDdXDNuqx9T9POv8DnaMp7NQX%2B70%2FybCmZtbIpyPiUCOuYG5ZD1RY8bCIR9k%2F%2BGsKSwWLVUNNih3CgvqShoWsNfLKvtS%2BDRbmV6G4ohLWIP0xPHJOCA%2FWvnSdblJ%2FdibwXFCT851RdpfK3f6ph2EPHXIq%2FBwhSc28%2BJfFSMK%2B1toESpR7COi%2FUwpnMfcoSpcIMZudaaU8JrTvEVLgtJ%2FAgHjmfoXxvJlD", "https://vtbehaviour.commondatastorage.googleapis.com/02b1749e96b257099d5bafaeb1fc502442b4e064cca63fbcf4fc52af34b6435d_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775283154&Signature=m%2BGdulpws9rcUoJIzr45sR5qJdIxK89UYb6GUJL6p7n4mgYV69NJWbc3Jslcn117UKHnbSYYtRZSBRhviHhLuWsbhUG199mW8iGDiwaarp%2BbvmEIw6OXF2MgVIh%2FrJYr8slRZbUwjd9t8dMWwn%2FM5DNq6AzLyBqpznrBoVrvlibZuA9pWsHraA3P24WyEGUlbWN3NqLfmJ6gDeCKRfG7zhubGI%2Bb8Wl8GaBCodOtX2LlrA", "https://vtbehaviour.commondatastorage.googleapis.com/3e6e0898a7b1b297d2b9322f5f578b02e2fd5d5647dbeef6b9273cda383e1547_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775283189&Signature=PtLPpZoeHrLkYIaV2etyfYslOxR9PtxqmjNNDdMHoJjBUuweFaoOVGyfkf%2BUGEiGQCogCu7az%2B4btIJ3frL%2BEdzwNV7Ufeb24KQqbVUQrVITPGPCW42mMdsKdDoNQsqLooDqFsjxRGt2meZgP3F3roSTIWDEJPwr35bBBkdANOOdXZG1mg3O8JHm35%2BBQMkSxOiAxeftigjPK7On%2Fk%2FvMli1USxDUfi2eRlkRaL090nKenRXt3cz4FEBe8" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 204, "email": 2, "hostname": 470, "URL": 746, "FileHash-SHA256": 827, "FileHash-MD5": 19, "FileHash-SHA1": 17, "IPv4": 187 }, "indicator_count": 2472, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "15 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69d0ac884cb646fac0b8d3d4", "name": "VirusTotal report\n for Other-20230212T074754Z-001.zip", "description": "com - is the name of a German domain registered with the United-Domains AG.\n\n3 hearts\npure bleeds. sigma shields. commander hunts.\nlegacy puppetmaster suppresses.\nthe octopus is forever tangled.", "modified": "2026-04-04T06:43:36.558000", "created": "2026-04-04T06:15:36.916000", "tags": [ "date", "server", "registrar abuse", "postal code", "registrant name", "expiration date", "registry domain", "registrar iana", "registrar url", "registrant city", "ascii text", "javascript", "mitre attack", "network info", "dropped info", "file type", "processes extra", "overview zenbox", "linux verdict", "guest system", "ultimate file", "info file", "persistence", "next", "pe file", "text format", "ansi", "ms windows", "zip archive", "found", "crlf line", "windows start", "default", "delphi", "code", "malicious", "windows sandbox", "calls clear", "ascii", "java source", "web open", "font format", "truetype", "version", "python", "cape sandbox", "machine summary", "report time", "machine name", "analysis id", "machine label", "duration", "machine manager", "kvm os", "shutdown", "https", "shpk", "performs dns", "t1055 process", "layer protocol", "overview", "title", "phishing", "loader", "script", "meta", "albania", "structured data", "artan lenja", "street", "building", "tiran", "body", "icloud", "free", "apple", "link", "style", "doctype html", "timestamp", "sectigo", "official", "disney", "walt disney", "countryus", "center", "head", "forbidden", "creates", "command", "clear filters", "sigma", "verdict" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/100a90c0ff019b19f0f2622cfa529d874f580b2ac6257d018e5eb9ab6d861f44_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775281711&Signature=G81N%2BSvpl7rLMvDIGLovzSBK8YJzNBOTs7Ycfze1L%2BdFheZX%2BS6EbtlDx545BRgefMUoJSwn%2BdK4eRpYlyMGmHvkv2tw3apezXxBF5J95vedk3RlOzXgGUAvJvewt0RBBR9f9hiVn9CuYTHvY3Cf%2BVog32%2BRLrv8sMhZ%2FeqX0%2FhraP6leNtAta5iUv73pYWeMmdsQ7nX2EvTO7uUvGggX6TmnBhiHHd8E9uCsoPHCTP4i0", "https://vtbehaviour.commondatastorage.googleapis.com/100a90c0ff019b19f0f2622cfa529d874f580b2ac6257d018e5eb9ab6d861f44_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775281734&Signature=3FFHeC27RvCC9623M2f8xoSU4fl9LBd%2FvI%2F98rUNvmdceN4AZjjw77yTU0ApUTXU5FbdCpODVhKi0X4pqDz1pqEP%2FBRLq%2FNhgoRliai6LlD4yhdTtKNi4zrfCDG%2Bd4dRzD5y674IfEPynxGiFOWxc6wiCtl3rhwTPEqisyDqFbvnF57SxrcPoVSzVO3wEtxpCOIw8iAFXdW2zgnnYYbSrbaQBfghKLtFA6r2vP%2Bmrd33YSUiH%2Fe2EqBz", "https://vtbehaviour.commondatastorage.googleapis.com/100a90c0ff019b19f0f2622cfa529d874f580b2ac6257d018e5eb9ab6d861f44_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775281812&Signature=jttp%2BTn66O5EfEB%2FASdpjDONf%2BzydGtfIUy3AtwYz0ppPzVA88%2BzZ8LtzV0TDhkMiju4oLHr%2BauJnKYexqnF0MfNTXGKPfj3ux9oZ2%2Baqve%2B3xgapdwdz0N64RgWo3SBqCKFBOQmi57mqIy%2F8qgnAfdVX99BwF2BuRSYSbIjNW5NHjir1JrAAKwOHZFyNsKj99PImyug2FPpRnss8VrJvDyYdnaGLHIAbZMRl72V", "https://vtbehaviour.commondatastorage.googleapis.com/100a90c0ff019b19f0f2622cfa529d874f580b2ac6257d018e5eb9ab6d861f44_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775281904&Signature=B9x8BUVCeldkVImU%2Bb%2B7d97Q9Y2suAJFE1HvxBCu6MQUOt52HrgAUTBIeXPKgNP0gKiqrr%2BwDvN7q637Ht6n5C9QhuTPI%2FhWTub0F22jsp8lU2Pvp2bS%2FlaSchLRN5gDngyPABgnaqYERICP8QQkwfaB9pY%2Bii1%2FAeel%2BIDGYwxPPfIcYevejNv2O%2F0J6qYRftrtXwa95pbsecrfOzH6bpF3AzHQrTLJAuZ%2B%2BykW", "https://vtbehaviour.commondatastorage.googleapis.com/bc3cc97398d5f56a4731085e8a385694f6ef1ab37243c6c00deed4a1335ced55_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775281954&Signature=Tythlx%2B0x7Dzf2SYvJDgwby2Ifinb7IbK5GTx%2ByqvqVc1r4cz7rhoVD3NZqUAgUpxSkIAsRAK5WV5tMXUGiiB6JWp8Y9YmaL7Zhb5NxMBcodk57r7XhYzEbDxYg%2Fh1ChwMliA5cBr%2BXbUcW4q2aA4xQeNE1XVNpalGtyHh8bsDTKgQG0Ch1gikPF%2BeKc2ANprXe6z%2FJBXtqJBxh6%2Bem6fGON6%2BpRP1%2BgmNg4%2FtFnlQ", "https://vtbehaviour.commondatastorage.googleapis.com/bc3cc97398d5f56a4731085e8a385694f6ef1ab37243c6c00deed4a1335ced55_CAPE%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775281979&Signature=LrquDQAOc%2Bf90O7wkZ9lRNx5uIZopS4VL7qYn7UKkzTI19c7sNJWNdGeBPtnE%2FG4yxsv1tBxkoojr78E808e78vceGG2xskRT6tUTjtDo2c8JW%2FD9Mr5ZAVe8Cn%2BP%2BpCbBkZXbtaceCtVq0b9zVWx9YstN2ju69uofX50LbI%2FgmHh%2Bghta79DgdBrNmkcQEXDu7t%2FqSZSozfso9i%2BoSZdHXEfsU59hoc%2FhUSoPMEPGFU", "https://vtbehaviour.commondatastorage.googleapis.com/fa8a59149604c73572bf92b42640de49faa7e8f16cd4bc18345d3e6a16378744_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775282019&Signature=VwsuvdyY52E5jzftipHSNWVrwmO7YUwSQa9yHiMIgbsXcJDnDNcdELamMXjmvzDn%2FT6L5HguJFyj%2F4DHLmPfddzVphNAKCPvz3IRVae2piJ%2B8VWa2%2B98W3RjMft93LZhdNHwxeEYM8oJ%2FOjAjw%2FIicginJBUwlGeHX3kfTJieSEC7SYf6BkJ4UNfnF2pPQjiaAqG9mop%2FPKsB%2FF1K%2FrL7Rpsxwhl1rGglHYPM4%2BtJj6zDYx%2F", "https://vtbehaviour.commondatastorage.googleapis.com/fa8a59149604c73572bf92b42640de49faa7e8f16cd4bc18345d3e6a16378744_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775282044&Signature=Y%2FEJZwm3h4tUuhn9%2FgO7QDcTnUoojZIDnoL%2FuGaoe0o5h%2FPUEiZpyFQLH9JfrvNN0h58UWlcJNCMxaSZl%2BZDvBDliVat0wDr0fE35mo0jGTK3uwa7DykFrjyI0NAVFlzkVSyxC0euM4lSJaw9PqyJGgLb4FfaztkzK7ZQYTIsGMYWSsCAKzatCObwK%2B8nqV63M9VXUeJy8ZQx7IwbttNffD6FQUaPbtCwlsywb%2Bu7NVqkFSG", "https://www.icloud.com/attachment/?u=https%3a%2f%2f%cvws.icloud-content.com", "https://vtbehaviour.commondatastorage.googleapis.com/ba49f65ef5d694311c535991812ee2fa8f0c639f4e053d136c1161b8b1bfaf8f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775282803&Signature=CE28%2B8Orp96YBz3AWi4L4LJoj5B677T4lpyJl4VIG%2BN68qLtOorzpmY%2BdQgPcKJxqxcvmf3JmeA2zAZFyVdmEzznUnaiSY6xhbkbZ8nrReWLN9MBQZJuFd6by3aYlQoYFg2Bxu5d%2FLEAxWm4ljnJApBcv1csUNbJ8KxjkdXXAyPkiWPwMc4JDmXrnH5%2FXBQ7Tf1qxmze1lX2S5QvktDVUA3Bdn67nGtMvguY5EIl7tj1AezbuTFM", "https://vtbehaviour.commondatastorage.googleapis.com/68e1e958d101feb1044553d3e8ba341448a17d917e4b613cb05873814159ed40_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775282913&Signature=TKCWJVTu8VHNWLhsI%2BkIN06KJgV4R1%2F2oO9G3V2x%2Bdxi14E9JDPHosmNkN%2Fk02BRc0I8Yg4HJPmcxjdAvb8mTCZjA10bizFznZC3epwH0hmoxTVgryMxpD%2B7zTQqKIRpE9UGGC1WSu0CTJ3rI9dCyopLkmeiyJPVw%2BIuERp37p2MEwzwwIPRuYpB190GfOdCkGt6TuMjDG6cVa%2BxvJlEdoEw8US6W8WPaioxSu1KVCoKjwky", "https://vtbehaviour.commondatastorage.googleapis.com/ffe3319990984c10c84fc18f6c1d40b2c7ad44666ebc2b54368bd96327ec6abc_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775283093&Signature=GU02WhsC3g0ztmDdXDNuqx9T9POv8DnaMp7NQX%2B70%2FybCmZtbIpyPiUCOuYG5ZD1RY8bCIR9k%2F%2BGsKSwWLVUNNih3CgvqShoWsNfLKvtS%2BDRbmV6G4ohLWIP0xPHJOCA%2FWvnSdblJ%2FdibwXFCT851RdpfK3f6ph2EPHXIq%2FBwhSc28%2BJfFSMK%2B1toESpR7COi%2FUwpnMfcoSpcIMZudaaU8JrTvEVLgtJ%2FAgHjmfoXxvJlD", "https://vtbehaviour.commondatastorage.googleapis.com/02b1749e96b257099d5bafaeb1fc502442b4e064cca63fbcf4fc52af34b6435d_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775283154&Signature=m%2BGdulpws9rcUoJIzr45sR5qJdIxK89UYb6GUJL6p7n4mgYV69NJWbc3Jslcn117UKHnbSYYtRZSBRhviHhLuWsbhUG199mW8iGDiwaarp%2BbvmEIw6OXF2MgVIh%2FrJYr8slRZbUwjd9t8dMWwn%2FM5DNq6AzLyBqpznrBoVrvlibZuA9pWsHraA3P24WyEGUlbWN3NqLfmJ6gDeCKRfG7zhubGI%2Bb8Wl8GaBCodOtX2LlrA", "https://vtbehaviour.commondatastorage.googleapis.com/3e6e0898a7b1b297d2b9322f5f578b02e2fd5d5647dbeef6b9273cda383e1547_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775283189&Signature=PtLPpZoeHrLkYIaV2etyfYslOxR9PtxqmjNNDdMHoJjBUuweFaoOVGyfkf%2BUGEiGQCogCu7az%2B4btIJ3frL%2BEdzwNV7Ufeb24KQqbVUQrVITPGPCW42mMdsKdDoNQsqLooDqFsjxRGt2meZgP3F3roSTIWDEJPwr35bBBkdANOOdXZG1mg3O8JHm35%2BBQMkSxOiAxeftigjPK7On%2Fk%2FvMli1USxDUfi2eRlkRaL090nKenRXt3cz4FEBe8" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 359, "email": 2, "hostname": 664, "URL": 794, "FileHash-SHA256": 827, "FileHash-MD5": 21, "FileHash-SHA1": 17, "IPv4": 187 }, "indicator_count": 2871, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "15 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69d096edff67896dccb36a4d", "name": "VirusTotal report\n for index.html", "description": "The full name of the German domain registrar: COFFEEDESIGNCODE.com, or coffeedesign code, has been published.. and it is not yet known.", "modified": "2026-04-04T04:43:25.967000", "created": "2026-04-04T04:43:25.967000", "tags": [ "date", "server", "registrar abuse", "registrant name", "expiration date", "registry domain", "registrar iana", "registrar url", "registrant city", "ag registrant", "thumbprint", "html document", "unicode text", "utf8 text", "title microsoft", "ms05019", "none", "docs", "betafred ms", "content tocrel", "conceptual", "performs dns", "https", "file type", "tls version", "mitre attack", "network info", "urls", "t1055 process", "layer protocol", "united", "phishing", "malicious", "next", "cache entry", "chrome cache", "entry", "extra info", "process", "nothing", "registry keys", "mutexes nothing", "data", "datacrashpad", "edge", "created", "parent pid", "full path", "command line", "status code", "ssl certificates", "tls certificates", "website security", "signtool", "sectigo", "microsoft", "signtool let", "web site", "rsasha256", "rsasha384", "rsasha512", "signcode", "ssl certificate", "logo", "sxa0", "object", "regexp", "null", "tdfunction", "ddfunction", "array", "string", "dfunction", "iana id", "contact phone", "dnssec", "domain status", "registrar whois", "registrar", "language", "html internet", "doctype", "learn", "seomatic og", "timestamp", "sectigo ssl", "sectigo og", "sectigohq og", "utf8", "crlf line", "text", "ipxw1920", "fwebp", "win32 exe", "pe32", "ms windows", "win16 ne", "icons library", "os2 executable", "generic windos", "executable", "pe64 compiler", "sha256", "pc bitmap", "windows bitmap", "bitmap", "zip archive", "text text", "ascii text", "has permission", "reads", "accesses", "found", "t1413 access", "sensitive data", "device logs", "persistence", "fraud", "cloud" ], "references": [ "http://clients2.google.com/time/1/current?cup2key=8:JROu1MtiAi1ExACtDuYde399VG2TxRqflS_l7p_q0tU&cup2hreq=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855%0Ahttp://x1.c.lencr.org/%0Ahttp://c.pki.goog/r/r1.crl", "https://vtbehaviour.commondatastorage.googleapis.com/5a28f4a80025385ca11cce22b13e5eed52999965afbe16cccbc5e7165c7a0ac9_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775276100&Signature=NczLfuk5dyPFskbtz7UwIjCT2DzeU5uAQP%2FL%2BC5bjk7Ng%2FHccJbUFWcb%2FqpvZaJ%2BWg4tg6aaPKihJzwDyiF7UaJOwdX3172ddwGJAfggvgpJ68YtVBE1nyhHAoFO6KsLL73DjNj58e8Uhq6Bcx4nXa86FETCR%2FzzXDlLDXyQSxf%2FKhG8zuxEsss9vRDCF%2B3TJGvJ5EmQ5HwGvk2ex9wf6H1FrBxEyx6BH5i6txcC9vMG9SXQ6eYR2p", "https://vtbehaviour.commondatastorage.googleapis.com/5a28f4a80025385ca11cce22b13e5eed52999965afbe16cccbc5e7165c7a0ac9_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775276177&Signature=iO1RoMLTZsC3s7nBZ8wieXl6wwWrnnCqu%2F5pXBAa2Luk2wKtKTXUyyZEOOhqaCFNbUPjsIfY1v0KxEBxzkumSiDs3XXBs%2FYt49goHGNudddQOKcmLsjbT2GhALTnmmVvl79aLJaLwnMe9B7PkJpSTGuBrutOjF5VJ0yofcbM4XjQQlOIkc8WWi94WMVxXpWAjFK9D5zmoyn9G5w1TahDZjePP%2FfkKNpJe2OqRQ59iXyHcG1nvA%2FUIx", "http://timestamp.sectigo.com/", "https://www.google-analytics.com/analytics.js", "http://clients2.google.com/time/1/current?cup2key=8:JROu1MtiAi1ExACtDuYde399VG2TxRqflS_l7p_q0tU&cup2hreq=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", "https://vtbehaviour.commondatastorage.googleapis.com/5a28f4a80025385ca11cce22b13e5eed52999965afbe16cccbc5e7165c7a0ac9_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775277214&Signature=y3%2FkmodrmzpLTVDtkzYvlqSkUTQ8Tri%2FDiLIqIpCBmJ6%2Bwk5p%2FJDSAwE5V8Wdp0vWLWjfA4DvRyS%2FvmNV4kFOr422iVZH2Ap2evf8%2Bq2bp9CW%2BAuBCjgz9K329V4%2B%2B9duUsUhVBqZ%2BNKz%2Fj4z7ZDBI%2BjqPV8XjvTI7pXAfzknmFAfZU%2FjalCNigHCX%2FIOgymeTOfzSOLYLClpNTr%2BYle8VSI%2BHf9TgUWP2WgNF", "https://vtbehaviour.commondatastorage.googleapis.com/028e16744de653383b403efd4b755075deeb7d8ce264d7edd4615725e5b4c4c6_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775277967&Signature=oSvtx7eGCctItNKSDZN4tpJp11yn5QQjCHsLi45z7kUOa9nbuhPdVjh9gBKlXtNuGfXbpItYf6NFI%2B4pKCin266TJQP7FzDSnUzzziJTuqmZwxihDeoZ1RauqVOzGoAmrj9sG8nOYXqbOHNxQ3E6SugSzW3UFbyQJzfKt%2FsqsPsKAvl4su%2FlkWsqTHUR%2FT%2FLTTQV0ZXLwnrLv%2FdBA7DdsiE35g%2FPOiUdzJjkjhSILF%2BR" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1406", "name": "Obfuscated Files or Information", "display_name": "T1406 - Obfuscated Files or Information" }, { "id": "T1409", "name": "Access Stored Application Data", "display_name": "T1409 - Access Stored Application Data" }, { "id": "T1413", "name": "Access Sensitive Data in Device Logs", "display_name": "T1413 - Access Sensitive Data in Device Logs" }, { "id": "T1421", "name": "System Network Connections Discovery", "display_name": "T1421 - System Network Connections Discovery" }, { "id": "T1424", "name": "Process Discovery", "display_name": "T1424 - Process Discovery" }, { "id": "T1426", "name": "System Information Discovery", "display_name": "T1426 - System Information Discovery" }, { "id": "T1429", "name": "Capture Audio", "display_name": "T1429 - Capture Audio" }, { "id": "T1430", "name": "Location Tracking", "display_name": "T1430 - Location Tracking" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 50, "email": 2, "hostname": 196, "FileHash-SHA1": 51, "URL": 234, "FileHash-MD5": 54, "FileHash-SHA256": 715, "IPv4": 32 }, "indicator_count": 1334, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "15 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69d096edd596a1a9e9a0aa92", "name": "VirusTotal report\n for index.html", "description": "The full name of the German domain registrar: COFFEEDESIGNCODE.com, or coffeedesign code, has been published.. and it is not yet known.", "modified": "2026-04-04T04:43:25.258000", "created": "2026-04-04T04:43:25.258000", "tags": [ "date", "server", "registrar abuse", "registrant name", "expiration date", "registry domain", "registrar iana", "registrar url", "registrant city", "ag registrant", "thumbprint", "html document", "unicode text", "utf8 text", "title microsoft", "ms05019", "none", "docs", "betafred ms", "content tocrel", "conceptual", "performs dns", "https", "file type", "tls version", "mitre attack", "network info", "urls", "t1055 process", "layer protocol", "united", "phishing", "malicious", "next", "cache entry", "chrome cache", "entry", "extra info", "process", "nothing", "registry keys", "mutexes nothing", "data", "datacrashpad", "edge", "created", "parent pid", "full path", "command line", "status code", "ssl certificates", "tls certificates", "website security", "signtool", "sectigo", "microsoft", "signtool let", "web site", "rsasha256", "rsasha384", "rsasha512", "signcode", "ssl certificate", "logo", "sxa0", "object", "regexp", "null", "tdfunction", "ddfunction", "array", "string", "dfunction", "iana id", "contact phone", "dnssec", "domain status", "registrar whois", "registrar", "language", "html internet", "doctype", "learn", "seomatic og", "timestamp", "sectigo ssl", "sectigo og", "sectigohq og", "utf8", "crlf line", "text", "ipxw1920", "fwebp", "win32 exe", "pe32", "ms windows", "win16 ne", "icons library", "os2 executable", "generic windos", "executable", "pe64 compiler", "sha256", "pc bitmap", "windows bitmap", "bitmap", "zip archive", "text text", "ascii text", "has permission", "reads", "accesses", "found", "t1413 access", "sensitive data", "device logs", "persistence", "fraud", "cloud" ], "references": [ "http://clients2.google.com/time/1/current?cup2key=8:JROu1MtiAi1ExACtDuYde399VG2TxRqflS_l7p_q0tU&cup2hreq=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855%0Ahttp://x1.c.lencr.org/%0Ahttp://c.pki.goog/r/r1.crl", "https://vtbehaviour.commondatastorage.googleapis.com/5a28f4a80025385ca11cce22b13e5eed52999965afbe16cccbc5e7165c7a0ac9_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775276100&Signature=NczLfuk5dyPFskbtz7UwIjCT2DzeU5uAQP%2FL%2BC5bjk7Ng%2FHccJbUFWcb%2FqpvZaJ%2BWg4tg6aaPKihJzwDyiF7UaJOwdX3172ddwGJAfggvgpJ68YtVBE1nyhHAoFO6KsLL73DjNj58e8Uhq6Bcx4nXa86FETCR%2FzzXDlLDXyQSxf%2FKhG8zuxEsss9vRDCF%2B3TJGvJ5EmQ5HwGvk2ex9wf6H1FrBxEyx6BH5i6txcC9vMG9SXQ6eYR2p", "https://vtbehaviour.commondatastorage.googleapis.com/5a28f4a80025385ca11cce22b13e5eed52999965afbe16cccbc5e7165c7a0ac9_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775276177&Signature=iO1RoMLTZsC3s7nBZ8wieXl6wwWrnnCqu%2F5pXBAa2Luk2wKtKTXUyyZEOOhqaCFNbUPjsIfY1v0KxEBxzkumSiDs3XXBs%2FYt49goHGNudddQOKcmLsjbT2GhALTnmmVvl79aLJaLwnMe9B7PkJpSTGuBrutOjF5VJ0yofcbM4XjQQlOIkc8WWi94WMVxXpWAjFK9D5zmoyn9G5w1TahDZjePP%2FfkKNpJe2OqRQ59iXyHcG1nvA%2FUIx", "http://timestamp.sectigo.com/", "https://www.google-analytics.com/analytics.js", "http://clients2.google.com/time/1/current?cup2key=8:JROu1MtiAi1ExACtDuYde399VG2TxRqflS_l7p_q0tU&cup2hreq=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", "https://vtbehaviour.commondatastorage.googleapis.com/5a28f4a80025385ca11cce22b13e5eed52999965afbe16cccbc5e7165c7a0ac9_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775277214&Signature=y3%2FkmodrmzpLTVDtkzYvlqSkUTQ8Tri%2FDiLIqIpCBmJ6%2Bwk5p%2FJDSAwE5V8Wdp0vWLWjfA4DvRyS%2FvmNV4kFOr422iVZH2Ap2evf8%2Bq2bp9CW%2BAuBCjgz9K329V4%2B%2B9duUsUhVBqZ%2BNKz%2Fj4z7ZDBI%2BjqPV8XjvTI7pXAfzknmFAfZU%2FjalCNigHCX%2FIOgymeTOfzSOLYLClpNTr%2BYle8VSI%2BHf9TgUWP2WgNF", "https://vtbehaviour.commondatastorage.googleapis.com/028e16744de653383b403efd4b755075deeb7d8ce264d7edd4615725e5b4c4c6_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775277967&Signature=oSvtx7eGCctItNKSDZN4tpJp11yn5QQjCHsLi45z7kUOa9nbuhPdVjh9gBKlXtNuGfXbpItYf6NFI%2B4pKCin266TJQP7FzDSnUzzziJTuqmZwxihDeoZ1RauqVOzGoAmrj9sG8nOYXqbOHNxQ3E6SugSzW3UFbyQJzfKt%2FsqsPsKAvl4su%2FlkWsqTHUR%2FT%2FLTTQV0ZXLwnrLv%2FdBA7DdsiE35g%2FPOiUdzJjkjhSILF%2BR" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1406", "name": "Obfuscated Files or Information", "display_name": "T1406 - Obfuscated Files or Information" }, { "id": "T1409", "name": "Access Stored Application Data", "display_name": "T1409 - Access Stored Application Data" }, { "id": "T1413", "name": "Access Sensitive Data in Device Logs", "display_name": "T1413 - Access Sensitive Data in Device Logs" }, { "id": "T1421", "name": "System Network Connections Discovery", "display_name": "T1421 - System Network Connections Discovery" }, { "id": "T1424", "name": "Process Discovery", "display_name": "T1424 - Process Discovery" }, { "id": "T1426", "name": "System Information Discovery", "display_name": "T1426 - System Information Discovery" }, { "id": "T1429", "name": "Capture Audio", "display_name": "T1429 - Capture Audio" }, { "id": "T1430", "name": "Location Tracking", "display_name": "T1430 - Location Tracking" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 50, "email": 2, "hostname": 196, "FileHash-SHA1": 51, "URL": 234, "FileHash-MD5": 54, "FileHash-SHA256": 715, "IPv4": 32 }, "indicator_count": 1334, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "15 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69cbc67616143807f363df15", "name": "VirusTotal report\n for document.html", "description": "", "modified": "2026-03-31T13:04:54.941000", "created": "2026-03-31T13:04:54.941000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "IPv4": 17, "URL": 100, "domain": 3, "hostname": 40 }, "indicator_count": 163, "is_author": false, "is_subscribing": null, "subscriber_count": 49, "modified_text": "19 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69cbc676f5e3a563141df00f", "name": "VirusTotal report\n for document.html", "description": "", "modified": "2026-03-31T13:04:54.365000", "created": "2026-03-31T13:04:54.365000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "IPv4": 17, "URL": 100, "domain": 3, "hostname": 40 }, "indicator_count": 163, "is_author": false, "is_subscribing": null, "subscriber_count": 49, "modified_text": "19 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69c093748442bdddcab64347", "name": "Clone by Q.Vashti credit - \" emotet-is-not-dead-yet.html\"", "description": "", "modified": "2026-03-23T02:38:59.086000", "created": "2026-03-23T01:12:20.012000", "tags": [ "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "defense evasion", "ssl certificate", "spawns", "sha1", "copy md5", "copy sha1", "copy sha256", "ascii text", "sha256", "united", "size", "pattern match", "png image", "path", "date", "encrypt", "mask", "june", "hybrid", "general", "local", "click", "strings", "domains", "hashes", "value", "variables", "optanonwrapper", "parsely", "typeof function", "handlebars", "stq function", "x string", "optanon", "verified", "ecdsa", "automattic", "linux x8664", "khtml", "gecko", "aes128gcm", "cloudflarenet", "europedublin", "facebook", "accept", "emotet", "dead", "twitter", "unit", "thursday", "january", "google tag", "utc gtm53l4wgzn", "utc na", "server nginx", "date mon", "gmt contenttype", "connection", "wordpress vip", "https", "link", "contentencoding", "miss xrq", "html document", "unicode text", "utf8 text", "crlf", "lf line", "resolved ips", "cname", "http", "ip address", "gmt ifnonematch", "info file", "network dropped", "duration cuckoo", "version file", "machine label", "shutdown", "address port", "url data", "address range", "cidr", "network name", "type", "status", "whois server", "entity autom93", "handle", "key identifier", "x509v3 subject", "v3 serial", "number", "cus olet", "encrypt cne6", "validity", "subject public", "key info", "key algorithm", "thumbprint", "inc abuse", "email", "street", "service", "arin rdapwhois", "rdapwhois", "reporting", "copyright", "registry", "allocation", "geofeed https", "range", "name automattic", "parent net192", "net1920000", "net type", "origin as", "autom93", "restful link", "arin search", "whoisrws", "delegation", "ta0007 command", "control ta0011", "catalog tree", "cndigicert sha2", "secure server", "ca odigicert", "inc cus", "subject", "corporation cus", "algorithm", "azure rsa", "tls issuing", "cus subject", "stwa lredmond", "corporation c", "get http", "request", "response", "windows nt", "win64", "dns resolutions" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" } ], "industries": [], "TLP": "green", "cloned_from": "6846c463106765b93b44335a", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 446, "FileHash-SHA1": 349, "FileHash-SHA256": 1979, "SSLCertFingerprint": 15, "URL": 362, "domain": 120, "hostname": 329, "CIDR": 8, "email": 2, "IPv4": 1 }, "indicator_count": 3611, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "27 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6923408464566e39caf32285", "name": "Discord- DNS | Malvertizing | Ransom/Msilzilla (sifting IoC\u2019s created by scnrscnr)", "description": "TAGS\nActive\n443 ma2592000\nChristopher Pool\nPool's Closed\nTimothy Pool\na li\n google\namerica att\napache\napache ip\nasn as46606\nauditmode force\nbehavior\nbinary\nbinary file\nbk role\nchat\ncheck\nchrome\nck ids\ncommon stealer\ncookie\ndata upload\ndefender\ndelete c\ndirectui\ndiscord\ndns lookup\ndomain add\ndrop\ndynamicloader\neb d8\nee fc\nerror oct\nexplorer\nexternal ip\nextraction\nf0 ff\nfailed\nff bb\nff d5\nff ff\nfiles\nfoundry\ngmt content\ngmt etag\ngmt server\ngoogle chrome\nguard\nhigh\ninsert\nlolminer\nmalware\nmedia\nmeta\nmoved\nmovie\nmsie\nmsvisualbasic60\nmtb aug -present \nneversend\npowershell\nrelated nids\nresponse ip\nself\nservice domain\nsingapore\nsmartassembly\nspan\nspan a\nsx08x00x00a\ntargeting\ntls sni\ntrojan\ntrojandropper\ntwitter\ntx08x00x00n\nunique\nuser agent\nux08x00x00h\nvirtool\nvirustotal api\nvoice\nvx08x00x00j\nwrite\nwrite c\nwx08x00x00\nx08x00x00b\nx08x00x00x00\nyara\nyara rule\nyx08x00x00l\nz3je\nz3uwq7\nzx08x00x00", "modified": "2025-12-23T16:04:54.329000", "created": "2025-11-23T17:12:36.917000", "tags": [ "no expiration", "expiration", "url https", "url http", "filehashsha256", "hostname", "domain", "filehashmd5", "filehashsha1", "ipv4", "code", "pool", "timothy pool", "z3je z3uwq7", "creation date", "ip address", "emails", "expiration date", "status", "hostname add", "pulse pulses", "passive dns", "urls", "date" ], "references": [ "https://otx.alienvault.com/pulse/5fa57698ac0f6638b7b9a8ba", "Examining pulse created by scnrscnr is worth reviewing. I was surprised tonal see a targets name.I didn\u2019t see Foundry highlighted", "http://aninditaannisa.blogspot.com/2019/02/tsara-brashears-porn.html \u2022 blogspot.com", "https://aninditaannisa.blogspot.com/2019/02/tsara-brashears-porn.html \u2022 blogspot.com \u2022 www.techcult.com/judge-the-simpsons-parody-is-child-pornography/ Whitelisted domain techcult.com\t Domain blogspot.com Whitelisted domain blogspot.com\t Domain techcult.com Whitelisted domain techcult.com\t Hostname aninditaannisa.blogspot.com \u2022 domain blogspot.com", "www.techcult.com", "http://foundry.tartarynova.com phishing \u2022 https://foundry.tartarynova.com \u2022 foundry.tartarynova.com", "https://trail.truefoundry.com/api/t/c/usr_NEDuPPvnqv5DXyhti/tsk_X2YECqnpAow7t6JuE/enc_U2FsdGVkX1_wWHRx9nPGCEspZpUcIwc1yphMTxaaQ2ZAbsxOqRR4ibXcaYtcmgJ1UgabTFCHVVBLx2oAnBAW2h8el_edjHN72Ug0yKQePjKnSJEOnQvtq8MUPo0vkU1N", "https://trail.truefoundry.com/api/track/open/usr_NEDuPPvnqv5DXyhti/tsk_L9bYYgL2HGng9mDsC", "https://trail.truefoundry.com/api/track/open/usr_NEDuPPvnqv5DXyhti/tsk_X2YECqnpAow7t6JuE", "truefoundry.com \u2022 assets.production.truefoundry.com \u2022 cpt.llm-gateway.truefoundry.com", "yyz.llm-gateway.truefoundry.com \u2022 trail.truefoundry.com \u2022 sin.llm-gateway.truefoundry.com", "lm-gateway.truefoundry.com \u2022 https://assets.production.truefoundry.com/sample-openapi.json", "162.159.128.233 \u2022 http://tsar.vicly.org \u2022 https://tsar.vicly.org \u2022 tsar.vicly.org \u2022 vicly.org \u2022 https://tsar.vicly.org/", "http://scteamcommunity.com/4k-high-res-porn-videos/squirt phishing", "http://pic.porn.hub-accessories.site \u2022 https://pic.porn.hub-accessories.site \u2022 pic.porn.hub-accessories.site", "2022ww11.pornhubgsy.com \u2022 http://scteamcommunity.com/4k-high-res-porn-videos/squirt", "IDS Detections: Observed Discord Domain in DNS Lookup (discord .com) Discord Chat Service Domain in DNS Lookup (discord .com)", "IDS Detections: Observed Discord Domain (discord .com in TLS SNI)", "IDS Detections: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)", "IDS Detections: Observed Discord Domain (discordapp .com in TLS SNI) Observed Discord Service Domain (discord .com) in TLS SNI Less", "Yara: Detections ConventionEngine_Term_Users", "Yara: ConventionEngine_Anomaly_MultiPDB_Double , ConventionEngine_Term_Documents", "Alerts: infostealer_browser infostealer_cookies binary_yara procmem_yara static_pe_anomaly", "Alerts: pe_compile_timestomping antiav_detectfile antidebug_guardpages encrypted_ioc", "Alerts: dynamic_function_loading injection_write_process reads_memory_remote_process", "Alerts : network_cnc_https_generic reads_self packer_entropy injection_rwx uses_windows_utilities antivm_checks_available_memory queries_computer_name queries_user_name", "Yara : MS_Visual_Basic_6_0 ,", "Yara : UPX , Nrv2x , UPX_OEP_place , UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , UPXv20MarkusLaszloReiser", "Alerts : ransomware_file_modifications stealth_file procmem_yara static_pe_anomaly", "Alerts: disables_folder_options stealth_hidden_extension stealth_hiddenreg anomalous_deletefile", "Alerts: mouse_movement_detect", "Couldn\u2019t pulse 1st pulse so here\u2019s what\u2019s left", "scnrscnr pulse is good. I\u2019m assuming they\u2019re targets.", "Foundry stalking." ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "TrojanDropper:Win32/VB.IL0", "display_name": "TrojanDropper:Win32/VB.IL0", "target": "/malware/TrojanDropper:Win32/VB.IL0" }, { "id": "ALF:Trojan:Win32/Cassini_56a3061!ibt", "display_name": "ALF:Trojan:Win32/Cassini_56a3061!ibt", "target": null }, { "id": "Win.Ransomware.Msilzilla-10014498-0", "display_name": "Win.Ransomware.Msilzilla-10014498-0", "target": null } ], "attack_ids": [ { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1443", "name": "Remotely Install Application", "display_name": "T1443 - Remotely Install Application" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 773, "FileHash-SHA1": 684, "FileHash-SHA256": 1910, "CVE": 2, "SSLCertFingerprint": 4, "URL": 3783, "domain": 878, "email": 7, "hostname": 1913 }, "indicator_count": 9954, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "117 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "688ef0516013ca78448bf4e5", "name": "Foundry \u2022 Reflected Networks Pornhub Malvertising Subsidiary", "description": "Foundry ? Pornhub\nsanfoundry.com\ncompliance.fifoundry.net- Pornhub subsidiary. Targets networks, devices, routers, used for promoting pornography and her music. Producer revealed her hooks were used for Justin Bieber & Tori Kelly songs that. A producer stated her songs had been grifted. Both Tsara Brashears & a studio were in Pegasus & attacked by \u2018Lazarus\u2019 Group. She was told in detail how her songs can be used by music insiders if they choose. Target trolled by mocking hackers re: the JB and Kelly song.. Trojan:Win32/DisableUAC.A!bit\n, MSIL:Suspicious:ScreenCapture.S01\nIDS Detections\nLokiBot Checkin\nLokiBot User-Agent (Charon/Inferno)\nLokiBot Application/Credential Data Exfiltration Detected M1\nLokiBot Request for C2 Commands Detected M1\nLokiBot Application/Credential Data Exfiltration Detected M2\nLokiBot Request for C2 Commands Detected M2\nTrojan Generic - POST To gate.php with no referer\nSSL excessive fatal alerts (possible POODLE attack against server)\nI will revisit this. Gloryhole Foundation?", "modified": "2025-09-02T04:01:31.218000", "created": "2025-08-03T05:14:57.402000", "tags": [ "united", "moved", "entries", "passive dns", "detected m1", "next associated", "mtb apr", "mtb aug", "server", "gmt content", "trojandropper", "trojan", "body", "lokibot request", "c2 commands", "detected m2", "otx telemetry", "historical otx", "twitter running", "open ports", "cves", "time", "dynamicloader", "port", "search", "show", "destination", "alerts", "copy", "dynamic", "medium", "write", "creation date", "hostmaster", "urls", "domain", "showing", "hostname add", "pulse pulses", "date", "flag", "falcon sandbox", "name server", "markmonitor", "analysis", "mitre att", "anonymous", "upgrade", "hybrid", "contact", "usa windows", "december", "input threat", "level analysis", "summary", "february", "hwp support", "january", "october", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "calls", "command", "javascript", "object model", "model", "windir", "json data", "localappdata", "ascii text", "temp", "getprocaddress", "script", "license", "runtime process", "copy md5", "facebook", "roboto", "error", "win64", "path", "blink", "meta", "factory", "general", "comspec", "click", "strings", "damage", "mini", "stop", "core", "expl", "win32", "gmt server", "ecacc saa83dd", "ipv4 add", "twitter", "cobalt strike", "mozilla" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 263, "FileHash-SHA1": 256, "FileHash-SHA256": 837, "hostname": 4415, "URL": 1918, "domain": 1884, "email": 2, "SSLCertFingerprint": 2 }, "indicator_count": 9577, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "229 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "688716977e80a4274f2eafa9", "name": "LeadIQ | The Smart B2B Prospecting Platform | Malware Packed | Agent Tesla & more", "description": "Found in Bot joining Pulse.", "modified": "2025-08-27T06:03:05.020000", "created": "2025-07-28T06:20:07.660000", "tags": [ "present jul", "united", "entries", "search", "moved", "ip address", "creation date", "record value", "date", "showing", "body", "meta", "passive dns", "next associated", "win32spigot apr", "title error", "ipv4 add", "pulse pulses", "urls", "files", "adaptivebee", "worm", "win32", "urls show", "date checked", "url hostname", "server response", "google safe", "results jul", "location united", "asn asnone", "nameservers", "less whois", "registrar", "csc corporate", "status", "servers", "name servers", "hostname", "hostname add", "a domains", "script urls", "unknown aaaa", "technology one", "script script", "certificate", "null", "trojan", "twitter", "domain", "files ip", "address domain", "ip related", "pulses otx", "virtool", "http", "present jun", "present may", "pulse submit", "url analysis", "reverse dns", "australia asn", "as55532 squiz", "dns resolutions", "overview ip", "address", "ipv4", "iocs", "data upload", "extraction", "ided iocs", "failed", "shaw", "ail tvnas", "rl irl", "domain add", "ostname add", "verdict", "show", "types", "type", "indicator data", "searc type", "a indicator", "data", "select across", "all pages", "domain domain", "checked url", "hostname server", "response ip", "address google", "safe browsing", "msie", "chrome", "present dec", "base", "read c", "port", "destination", "delete", "copy", "write", "memcommit", "cryptexportkey", "invalid pointer", "writeconsolea", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "spawns", "defense evasion", "t1480 execution", "signing defense", "copy md5", "copy sha1", "copy sha256", "sha1", "sha256", "pattern match", "size", "ascii text", "crlf line", "mitre att", "error", "click", "hybrid", "local", "path", "starfield", "strings", "refresh", "tools", "onload", "span", "form", "adversaries", "windows nt", "generic http", "exe upload", "inbound", "outbound", "yara detections", "malware", "expiration date", "whois show", "name andrew", "bauer name", "div id", "beginstring", "beginerror", "script", "general", "cloud", "find", "footer", "ninite feb", "telper", "ninite mar", "ninite apr", "trojandropper", "mtb mar", "url https", "general full", "security tls", "software", "resource hash", "protocol h2", "frankfurt", "main", "germany", "input", "skype", "opciones", "july", "es form", "dom name", "post https", "imagen", "microsoft", "iniciar sesin", "value", "variables", "config", "debug", "loader", "geturl", "b function", "addlistener", "proof", "amazon02", "dk summary", "amazon rsa", "september", "browsing", "resource", "asn16509", "name value", "queueprogress", "timestamp input", "status actions" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 487, "FileHash-SHA1": 461, "URL": 10732, "domain": 1672, "email": 6, "hostname": 3039, "FileHash-SHA256": 2569, "SSLCertFingerprint": 7 }, "indicator_count": 18973, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "235 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "688343b9e60e8693f50e515f", "name": "Cycbot & worse - Palantir Monitoring Target/s", "description": "Palantir \u2022 Gotham \u2022 Foundry Top tier sells tools used to monitor, harass, smear , invoke fear, even \u2018kill\u2019. Used by military., too many partners to name (includes the entire government., heavy military, NSA use) of course Twitter, Apple Facebook, Pegasus related, possibly Paragon if what I\u2019ve read and researched is true. *There are 188 Palantir Foundry links in this pulse. ||\nMonitored target || Apparently ,\u2018tool\u2019 is weaponized against civilians for unknown and unwarranted purposes. || Lofty and unclear how or why a manner of death of target was predicted and posted online 12 years ago. || More research is needed.\n\nMalware named was found in research. \n\n #targeted #rip #palantir #foundry #gotham #twitter #techbromafia #silencing #overreach #quasi_gov #ongoing #active #moved #dangerous", "modified": "2025-08-24T06:01:34.920000", "created": "2025-07-25T08:43:37.734000", "tags": [ "status", "united", "unknown ns", "passive dns", "urls", "creation date", "search", "emails", "date", "expiration date", "tcp include", "top source", "top destination", "show", "source source", "data upload", "extraction", "showing", "moved", "certificate", "ip address", "domain", "body", "present jul", "present jun", "present aug", "present sep", "trojan", "name servers", "twitter", "vtflooder", "foundry", "virustotal", "gotham", "palantir", "tools", "destination", "port", "msie", "windows nt", "unknown", "read c", "etpro trojan", "malware", "copy", "write", "infostealer", "possible", "virustotal", "copyleft", "present jan", "entries", "next associated", "ipv4 add", "pulse submit", "url analysis", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "spawns", "defense evasion", "t1480 execution", "discovery att", "hostname add", "files", "copy md5", "copy sha1", "copy sha256", "sha1", "sha256", "ascii text", "mitre att", "pattern match", "show technique", "null", "refresh", "span", "hybrid", "general", "local", "path", "click", "strings", "error", "look", "verify", "restart", "se extri", "referen", "etpro tr", "virtool", "referencec", "failed", "se extra", "eanioae", "include review", "exclude sugges", "includec review", "exclude", "suggest data", "open ports", "reverse dns", "location united", "america flag", "boardman", "t1045", "ck ids", "packing", "t1060", "run keys", "startup", "folder", "t1057", "discovery", "t1071", "value emails", "name domain", "org microsoft", "microsoft way", "city redmond", "country us", "dnssec", "t1012", "t1047", "instrumentation", "t1053", "taskjob", "spyware", "source", "signing defense", "size", "meta", "onload", "dynamicloader", "unicode text", "crlf line", "utf8", "medium", "write c", "default", "delphi", "win32", "code", "stream", "next", "akamai rank", "show process", "prefetch2", "dns server", "network traffic", "virus", "monitored target", "tofsee", "generic http", "exe upload", "inbound", "outbound", "delete", "yara detections", "markus", "flowid22101", "pixelevtid11771", "dvid", "urls show", "date checked", "188 palantir results", "adversaries", "development att", "ssl certificate", "flag", "stop", "facebook", "4328", "5943", "stealer", "unknown aaaa", "present may", "domain add", "hyundaitx", "twitter", "monitored tsara", "brashears", "apple", "ios", "remote", "cycbot", "maudio fw", "heur", "productversion", "fileversion", "maudio firewire" ], "references": [ "palantirfoundry.com \u2022 https://edenglobalpartners.palantirfoundry.com/", "247seekscenter.com \u2022 ns-1986.awsdns-56.co.uk: | 365-notifcation.com", "ETPRO TROJAN Win32/Oderoor Checkin \u2022 ET INFO DYNAMIC_DNS Query to *.dyndns. Domain", "Domain ET WEB_CLIENT SUSPICOUS Possible automated connectivity check (www.google.com)", "ET POLICY Internal Host Retrieving External IP via ipchicken.com - Possible Infection", "platform.twitter.co \u2022 rm.twitter.co \u2022 upload.twitter.co \u2022 http://2fsyndication.twitter.co/", "http://legal.twitter.co \u2022 http://mobile.twitter.co/", "ec2-44-228-94-74.us-west-2.compute.amazonaws.com \u2022 defender.palantirfoundry.com", "https://embaxter.palantirfoundry.com \u2022 https://amgistudios.palantirfoundry.com", "https://ametrine-containers.palantirfoundry.com \u2022 https://amfp.palantirfoundry.com", "https://ameteklms.palantirfoundry.com \u2022 https://ametrine-compute.palantirfoundry.com", "https://amiable-constellation.palantirfoundry.com \u2022 https://amplifi.palantirfoundry.com", "https://oscar.palantirfoundry.com/ \u2022 https://replica.palantirfoundry.com/", "https://statemed.palantirgov.com/workspace/settings/notifications \u2022 https://cchbc.palantirfoundry.com", "https://test-1.washington.palantircloud.com \u2022 https://tarn.palantirgov.com \u2022 https://stateplatform.palantirgov.com", "https://imperium-dev-1.palantircloud.com \u2022 https://hii.palantirgov.com \u2022 https://genoa.washington.palantircloud.com", "tsystems.palantirfoundry.com \u2022 https://statemed.palantirgov.com \u2022 https://statecms.palantirgov.com", "https://replica.palantirfoundry.com/ \u2022 https://spacejam.palantirfoundry.com/ \u2022", "https://pl.pornhub.mrst.one/ \u2022 hotamateurpornsite.xxx \u2022 squirting.porn \u2022 https://de-pornhub.mrst.one/", "Hostname: hcl-dna-sandbox.palantirfoundry.com", "https://www.hyundaitx.com/", "ETPRO TROJAN Win32/Tofsee.AX google.com connectivity check", "https://remote.downloadnow-1.com/", "Alerts: injection_runpe deletes_self persistence_autorun stealth_file antivirus_virustotal infostealer_ftp", "Alerts: infostealer_mail network_smtp persistence_ads recon_programs injection", "Monitored Target - Spawned process \"iexplore.exe\" w/commandline \"SCODEF:5860 CREDAT:275457 /prefetch:2\" (Show Process) source", "Monitored Target: Queries DNS server details \"www.hyundaitx.com\" source Network Traffic T1071.004", "Palantir/ Hyuandi coexist | Confirmed Targets transportation was a Hyuandi SUV |", "ipad-steals-app-ideas_1_.jpg - MD5 6dd66b729a649dec250b24533a58a996" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Malware.Vtflooder-9783271-0", "display_name": "Win.Malware.Vtflooder-9783271-0", "target": null }, { "id": "Trojan.Kazy-237", "display_name": "Trojan.Kazy-237", "target": null }, { "id": "Trojan.Vundo-5335", "display_name": "Trojan.Vundo-5335", "target": null }, { "id": "Generic31.BKFG", "display_name": "Generic31.BKFG", "target": null }, { "id": "Win.Packed.Krucky-6941986-0", "display_name": "Win.Packed.Krucky-6941986-0", "target": null }, { "id": "ALF:HSTR:KrunchyMalPacker!MTB", "display_name": "ALF:HSTR:KrunchyMalPacker!MTB", "target": null }, { "id": "Win.Trojan.Agent-920890", "display_name": "Win.Trojan.Agent-920890", "target": null }, { "id": "Win.Trojan.Jorik-10365", "display_name": "Win.Trojan.Jorik-10365", "target": null }, { "id": "Trojan.Adload-2492", "display_name": "Trojan.Adload-2492", "target": null }, { "id": "Trojan.Spy-59563", "display_name": "Trojan.Spy-59563", "target": null }, { "id": "Ransom:Win32/Cryptor", "display_name": "Ransom:Win32/Cryptor", "target": "/malware/Ransom:Win32/Cryptor" }, { "id": "Win32/Blacked", "display_name": "Win32/Blacked", "target": null }, { "id": "Win.Trojan.Cycbot-764", "display_name": "Win.Trojan.Cycbot-764", "target": null }, { "id": "Trojan.VB-47534", "display_name": "Trojan.VB-47534", "target": null }, { "id": "Backdoor:Win32/Drixed.J ,", "display_name": "Backdoor:Win32/Drixed.J ,", "target": "/malware/Backdoor:Win32/Drixed.J ," }, { "id": "ALF:HeraklezEval:PWS:Win32/Ldpinch!rfn", "display_name": "ALF:HeraklezEval:PWS:Win32/Ldpinch!rfn", "target": null }, { "id": "ALF:HeraklezEval:PWS:Win32/Ldpinch!rfn", "display_name": "ALF:HeraklezEval:PWS:Win32/Ldpinch!rfn", "target": null }, { "id": "Malware Tool", "display_name": "Malware Tool", "target": null }, { "id": "Palantir Spyware", "display_name": "Palantir Spyware", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "TA0030", "name": "Defense Evasion", "display_name": "TA0030 - Defense Evasion" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1589", "name": "Gather Victim Identity Information", "display_name": "T1589 - Gather Victim Identity Information" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1003.008", "name": "/etc/passwd and /etc/shadow", "display_name": "T1003.008 - /etc/passwd and /etc/shadow" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1088", "name": "Bypass User Account Control", "display_name": "T1088 - Bypass User Account Control" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4203, "domain": 1218, "email": 9, "hostname": 2006, "FileHash-SHA256": 2740, "FileHash-MD5": 424, "FileHash-SHA1": 419, "SSLCertFingerprint": 12 }, "indicator_count": 11031, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "238 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6882e2a53af80b1af320079d", "name": "VirusTotal - Palantir- KrunchyMalPacker | Vflooder", "description": "-> Hostname: \u2022 edenglobalpartners.palantirfoundry.com\n\u2022 c.twitterintegration.com\n*Trojan:Win32/Vflooder.E\nIDS Detections:\n- Win32/Flooder.Agent.NAS CnC Domain in DNS Lookup\n\u2022 Virus Total vtapi DOS\n\u2022 Generic HTTP EXE Upload Inbound\n\u2022 Observed Suspicious UA (Mozilla/5.0)\n\u2022 Generic HTTP EXE Upload Outbound || \n*ALF:HSTR:KrunchyMalPacker!MTB\t\n IDS Detections\n-Win32/Vflooder.B Checkin\n\u2022 TLS Handshake Failure\nYara Detections: \nkkrunchy023alpha2\nAlerts:\n\u2022 static_pe_anomaly\n\u2022 suricata_alert\n\u2022 dynamic_function_loading\n\u2022 network_cnc_https_generic\n\u2022 reads_self\n\u2022 network_cnc_http\n\u2022 network_http\n\u2022 packer_unknown_pe_section_name\n\u2022 packer_entropy\n\u2022 injection_rwx ||\n__________\nIP\u2019s Contacted:\n\u2022 34.54.88.138\n\u2022 162.159.140.229\nDomains Contacted\n\u2022 twitter.com (SBKA - Palantir?)\n\u2022 www.virustotal.com\n#botnetresulttesting #virustotal_unsafe #vtflooder #palantir #twitter #gotham foundry #brian_sabey_has_a_new_toy #targeting #tsara_brashears", "modified": "2025-08-24T01:04:01.801000", "created": "2025-07-25T01:49:25.325000", "tags": [ "windows nt", "dynamicloader", "contentlength", "tls handshake", "failure", "host", "show", "medium", "search", "entries", "copy", "write", "malware", "generic http", "exe upload", "inbound", "outbound", "domain", "trojan", "u0019", "trojandropper", "backdoor", "mtb jul", "united", "passive dns", "open ports", "win32berbew jul", "ipv4 add", "present jul", "present jun", "cname", "present aug", "present sep", "status", "certificate", "date", "twitter", "unknown ns", "name servers", "servers", "showing", "urls", "creation date" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1903, "hostname": 806, "FileHash-SHA256": 1594, "FileHash-MD5": 264, "FileHash-SHA1": 297, "SSLCertFingerprint": 1, "domain": 515, "email": 5 }, "indicator_count": 5385, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "238 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6846c463106765b93b44335a", "name": "emotet-is-not-dead-yet.html", "description": "https://blogs.vmware.com/\n\n[ emotet-is-not-dead-yet.html ]\n\nFileHash-SHA256\n3f7f582dc3ea77d4a5ca6d5d1964ae459d6a187c9c5d49cbd3405447975e4f15 ||\n\nCrowdsourced IDS:\nMatches rule PROTOCOL-ICMP PATH MTU denial of service attempt\nMatches rule PROTOCOL-ICMP Destination Unreachable Fragmentation Needed and DF bit was set\nMatches rule PROTOCOL-ICMP Echo Reply", "modified": "2025-07-09T11:03:10.334000", "created": "2025-06-09T11:24:19.234000", "tags": [ "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "defense evasion", "ssl certificate", "spawns", "sha1", "copy md5", "copy sha1", "copy sha256", "ascii text", "sha256", "united", "size", "pattern match", "png image", "path", "date", "encrypt", "mask", "june", "hybrid", "general", "local", "click", "strings", "domains", "hashes", "value", "variables", "optanonwrapper", "parsely", "typeof function", "handlebars", "stq function", "x string", "optanon", "verified", "ecdsa", "automattic", "linux x8664", "khtml", "gecko", "aes128gcm", "cloudflarenet", "europedublin", "facebook", "accept", "emotet", "dead", "twitter", "unit", "thursday", "january", "google tag", "utc gtm53l4wgzn", "utc na", "server nginx", "date mon", "gmt contenttype", "connection", "wordpress vip", "https", "link", "contentencoding", "miss xrq", "html document", "unicode text", "utf8 text", "crlf", "lf line", "resolved ips", "cname", "http", "ip address", "gmt ifnonematch", "info file", "network dropped", "duration cuckoo", "version file", "machine label", "shutdown", "address port", "url data", "address range", "cidr", "network name", "type", "status", "whois server", "entity autom93", "handle", "key identifier", "x509v3 subject", "v3 serial", "number", "cus olet", "encrypt cne6", "validity", "subject public", "key info", "key algorithm", "thumbprint", "inc abuse", "email", "street", "service", "arin rdapwhois", "rdapwhois", "reporting", "copyright", "registry", "allocation", "geofeed https", "range", "name automattic", "parent net192", "net1920000", "net type", "origin as", "autom93", "restful link", "arin search", "whoisrws", "delegation", "ta0007 command", "control ta0011", "catalog tree", "cndigicert sha2", "secure server", "ca odigicert", "inc cus", "subject", "corporation cus", "algorithm", "azure rsa", "tls issuing", "cus subject", "stwa lredmond", "corporation c", "get http", "request", "response", "windows nt", "win64", "dns resolutions" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 446, "FileHash-SHA1": 349, "FileHash-SHA256": 1979, "SSLCertFingerprint": 15, "URL": 361, "domain": 120, "hostname": 329, "CIDR": 8, "email": 2 }, "indicator_count": 3609, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "284 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "670224ac3c8cce621843a477", "name": "Man in Browser Multi-systems attack | Ransom", "description": "System wide issues. Internal and external attack affecting medical and educational institution \u2022 Man in Browser \u2022 Mail spammer. Many other priority vulnerabilities.\nShort List of Malware Families\nAtros3.AHFB\nETPRO\nNOD32\nSAPE.Heur.9B552\nSpammer:MSIL/Misnt.A\nSymantec\nTrojan:Win32/Zonsterarch\nWin.Ransomware.Sodinokibi-7013612-0\nIDS Detections\nW32/Emotet.v4 Checkin", "modified": "2024-11-05T05:02:29.649000", "created": "2024-10-06T05:48:28.806000", "tags": [ "as32934", "passive dns", "urls", "address", "search", "unknown", "aaaa", "as13414 twitter", "as19679 dropbox", "germany unknown", "france unknown", "hong kong", "asnone hong", "kong unknown", "kong", "all scoreblue", "ipv4", "files", "http", "ip address", "related nids", "files location", "flag united", "hostname", "a domains", "meta", "moved", "body", "as13768 aptum", "canada", "asnone united", "whitelisted", "url analysis", "location united", "cookie", "united states", "record type", "ttl value", "key identifier", "full name", "data", "v3 serial", "number", "cus odigicert", "cndigicert sha2", "high assurance", "server ca", "validity", "united", "as2914 ntt", "yuming", "name servers", "date", "next", "as32780 hosting", "welcome", "pulse pulses", "accept", "domainmaster", "creation date", "expiration date", "as35280 acorus", "as396982 google", "status", "cname", "united kingdom", "trojan", "service", "ransom", "pulse submit", "asn as35280", "error", "japan unknown", "post https", "post method", "medium", "high", "registry", "creates", "alerts", "contacted", "tools", "win32", "malware", "copy", "persistence", "execution", "powershell e", "script urls", "httponly set", "general", "read c", "show", "entries", "etpro trojan", "intel", "ms windows", "file", "virustotal", "write", "baidu", "vipre", "panda", "download", "main", "look", "install", "push", "sape.heur.9b552", "nod32", "symantec", "etpro", "dynamicloader", "yara rule", "stack pivoting", "cape", "maninbrowser", "mitb", "t1055", "server", "registrar abuse", "contact phone", "registrar url", "registrar", "whois lookup", "dnssec", "domain name", "attempts", "performs", "packing t1045", "browse scan", "august", "as174 cogent", "canada unknown", "overview ip", "files domain", "files related", "pulses none", "related tags", "gmt content", "type", "content length", "svr id", "encrypt", "trojandropper", "virtool", "msie", "chrome", "as45012 dogado", "tr tr", "die domain", "td tr", "gmt server", "scan endpoints", "scoreblue ipv4", "ripe route", "ip location", "asn as45012", "cloudpit dogado", "gmbh", "whois server", "reverse ip", "abuse contact", "de adminc", "ssh attacker", "mysql", "tor relays", "sabey type", "showing", "pulses", "indicator facts", "hichina zhicheng technology ltd.,", "domain", "as4837 china", "china unknown", "default", "tlsv1", "germany as34788", "post", "windows nt", "dotted quad", "fake browser", "artemis", "emotet", "as9808 china", "as56047 china", "as56040 china", "as58541 qingdao", "et trojan", "sinkhole cookie", "macoute", "sha256", "yara detections", "worm", "explorer", "possible", "april", "uchealth", "ogoogle inc", "lsalford", "ocomodo ca", "limited", "secure server", "c2087940" ], "references": [ "\u00bb 2preprod-sonar-data-preprod-sonar-data5z.redirectme.netmovilpreprod-sonar-datappmovilpreprod-sonar-datafentryd.0025.ali.zomans.com", "prfsmtppr01ccd.uchospitals.edu \u2022 165.68.13.55", "IDS Detections: ETPRO TROJAN Spammer MSIL/Misnt.A Get MX ETPRO TROJAN Spammer MSIL/Misnt.A Fetching Spam List", "IDS Detections: ETPRO TROJAN Spammer MSIL/Misnt.A Spam Payload Download", "Spammer:MSIL/Misnt.A PLUS - FileHash-SHA256 5966e329cb56a0cc4956f1ca0da2b337aa3e6145d4622ac1152bfc29ab96304d", "YARA Detections: WinRAR_SFX", "High Priority Alerts: antisandbox_unhook antivirus_virustotal", "utmmail.bcw.edu | 166.78.44.213 11/04/24 | isu.edu | iup.edu | siu.edu | stcloudstate.edu | ucr.edu | router9.mail.cornell.edu", "dmz-mailsec-scanner-6.mit.edu | external-relay.iupui.edu | fresno.ucsf.edu | mail.virginia.edu | mailfilter2.cgu.edu | mx.gonzaga.edu", "mx3.stanford.edu | my-stjohns-edu.mail.protection.outlook.com | prfsmtppr01ccd.uchospitals.edu", "extdomembers-2022.bounceme.netoppofrobledevradiod.devkissflowd-netoppofweblatedevradio-krd-kr-finance-fw.devkissflowd-netoppofweblatedevradio-krd-kr.ali.zomans.com", "trojan.msil.spammer.ai = spammer.ai", "interact.f5.com", "https://0-enakamai-lanwpradio-pornos4-dd-engine.redirectme.netoppofe2znetoppofindnetoppofcassandraddd-production.neto46cassandra.ali.zomans.com", "http://apple.phishing.91tbc.com/ | apple.phishing.491459.top http://apple.phishing.91tbc.com/?ZYUKUR=8049183536181170.html", "https://bd-server.com/user/JasminMcVey2/", "http://google.com.demo-box.cognito.svcgateway.foodsigned-php.ppp.canva-apps.cn/", "(Invalid IP) 022.12.7.75 Chrome \\\\ user data \\\\ crowd deny \\\\ rData \\\\ crowd deny \\\\ 28 \\\\ metadata \\\\ ve", "(Invalid IP) 022.12.7.75 redirect \u00bb 18.12.7.75 AS 3 (MIT-GATEWAYS) US", "High Priority IDS Detections: W32/Emotet.v4 FileHash-SHA256 613ed78c024ee7744c5b53c18b315d10faa39d18975f1634f82da61c02ea8a4f", "Suspicious of NSO Pegasus type spyware campaign (possibly)" ], "public": 1, "adversary": "", "targeted_countries": [ "Singapore", "Malaysia", "United States of America", "Argentina", "France", "Sweden", "Ireland", "Romania", "Taiwan", "Germany", "Netherlands", "Brazil", "Colombia", "Indonesia", "Hong Kong", "Poland", "Slovakia", "Lithuania", "United Kingdom of Great Britain and Northern Ireland", "Denmark", "Slovenia", "Greece", "Italy", "Aruba", "China", "Japan" ], "malware_families": [ { "id": "Trojan:Win32/Zonsterarch", "display_name": "Trojan:Win32/Zonsterarch", "target": "/malware/Trojan:Win32/Zonsterarch" }, { "id": "Win.Ransomware.Sodinokibi-7013612-0", "display_name": "Win.Ransomware.Sodinokibi-7013612-0", "target": null }, { "id": "Atros3.AHFB", "display_name": "Atros3.AHFB", "target": null }, { "id": "Spammer:MSIL/Misnt.A", "display_name": "Spammer:MSIL/Misnt.A", "target": "/malware/Spammer:MSIL/Misnt.A" }, { "id": "SAPE.Heur.9B552", "display_name": "SAPE.Heur.9B552", "target": null }, { "id": "NOD32", "display_name": "NOD32", "target": null }, { "id": "Symantec", "display_name": "Symantec", "target": null }, { "id": "ETPRO", "display_name": "ETPRO", "target": null }, { "id": "Worm:Win32/Macoute.A", "display_name": "Worm:Win32/Macoute.A", "target": "/malware/Worm:Win32/Macoute.A" }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "C2087940", "display_name": "C2087940", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1428", "name": "Exploit Enterprise Resources", "display_name": "T1428 - Exploit Enterprise Resources" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "TA0037", "name": "Command and Control", "display_name": "TA0037 - Command and Control" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" } ], "industries": [ "Healthcare", "Civilian Society", "Technology", "Education" ], "TLP": "green", "cloned_from": null, "export_count": 55, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1287, "hostname": 2995, "URL": 3606, "email": 22, "FileHash-MD5": 173, "FileHash-SHA256": 1059, "FileHash-SHA1": 163, "CIDR": 1, "SSLCertFingerprint": 43 }, "indicator_count": 9349, "is_author": false, "is_subscribing": null, "subscriber_count": 233, "modified_text": "530 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66fc29a49b5ac693c8d75122", "name": "Medical Campus - Aurora, Co | Recheck", "description": "This weekend we found a busybox MIORI Hackers - serious attack Aurora, Medical Campus -Mirai. This recheck is generic. All results generated automatically by LevelBlue, sourced by ScoreBlue.\nMaybe it will be clean today. Complaints of pop up auto logins on locked screens and autonomous system running alongside actual system. System root.\nMalware Families:\nTrojanDownloader:Win32/Bulilit, ELF:Mirai-TO\\ [Trj], Backdoor:Linux/Mirai.B, TELPER:HSTR:DotCisOffer, TrojanSpy:Win32/Nivdort, Backdoor:Win32/Bladabindi, ALF:E5, Win.Malware.Midie-9950743-0, Trojan:Win32/Emotet.ARJ!MTB", "modified": "2024-10-31T16:03:52.240000", "created": "2024-10-01T16:56:04.004000", "tags": [ "united", "as397240", "search", "showing", "as54113", "as397241", "unknown", "moved", "creation date", "record value", "next", "date", "body", "a domains", "passive dns", "formbook cnc", "checkin", "entries", "github pages", "sea x", "accept", "status", "name servers", "certificate", "urls", "aaaa", "cname", "meta", "whitelisted ip", "address", "location united", "asn as36459", "github", "less whois", "registrar", "markmonitor", "related tags", "as36459", "scan endpoints", "all scoreblue", "ipv4", "pulse pulses", "files", "ninite", "expiration date", "domain", "hostname", "sha256", "sha1", "ascii text", "pattern match", "document file", "v2 document", "utf8", "crlf line", "beginstring", "size", "null", "hybrid", "refresh", "span", "local", "click", "strings", "error", "tools", "look", "verify", "restart", "contact", "url https", "tulach type", "role title", "added active", "pulses url", "url http", "nextc type", "type indicator", "related pulses", "filehashsha256", "copyright", "ipv6", "germany", "italy", "trojan", "trojanspy", "worm", "trojanclicker", "virtool", "service", "linux x8664", "khtml", "gecko", "veryhigh", "redirect", "httpsupgrades", "collisionbox", "runner", "gameoverpanel", "trex", "orgtechhandle", "orgtechref", "director", "university", "nethandle", "net168", "net1680000", "ucha", "orgid", "east", "report spam", "as8075", "servers", "secure server", "error all", "typeof", "error f", "crazy doll", "created", "filehashmd5", "types of", "russia", "emotet type", "mirai type", "mirai", "mtb description", "win32 type", "as31034 aruba", "italy unknown", "as19527 google", "encrypt", "health type", "miori hackers", "brute force", "backdoor", "aurora", "ip address", "path", "unis", "dotcisoffer", "bladabindi", "artro", "script urls", "as46606", "brazil unknown", "as11284", "as10906", "apache", "lanc type", "telper", "win32", "win64", "pulses email", "as9009 m247", "as7296 alchemy", "as14061", "as16276", "trojandropper", "ransom", "mtb sep", "msie", "chrome", "ip check", "gmt content", "pulse submit", "url analysis", "files ip", "aaaa nxdomain", "nxdomain", "a nxdomain", "as22612", "dnssec", "meta http", "accept encoding", "request id", "united kingdom", "div div", "arial helvetica", "emails", "as15169 google", "cryp", "gmt cache", "sameorigin", "domain name", "code", "false", "command type", "roleselfservice", "mcig sep", "all search", "author avatar", "days ago", "http", "related nids", "files location", "as30081", "gmt contenttype", "mozilla", "as15133 verizon", "whitelisted", "meta name", "robots content", "x ua", "ieedge chrome1", "incapsula", "request", "softcnapp", "overview ip", "flag united", "files related", "as62597 nsone", "as31898 oracle", "mtb aug", "class", "twitter", "april", "secure", "httponly", "expiresthu", "pragma", "as13414 twitter", "smoke loader", "reverse dns", "asnone united", "idlogin sep", "uid38009", "expiration", "hack type", "porn type" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Italy", "Aruba" ], "malware_families": [ { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Artro", "display_name": "Artro", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 53, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3850, "FileHash-MD5": 6012, "FileHash-SHA1": 5906, "domain": 3329, "email": 33, "hostname": 4231, "CVE": 2, "FileHash-SHA256": 8407, "CIDR": 2, "SSLCertFingerprint": 7 }, "indicator_count": 31779, "is_author": false, "is_subscribing": null, "subscriber_count": 233, "modified_text": "535 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66c5e0783f84565b1fe842e1", "name": "Twitter\u00bbX.com migration to malware templates Attorney Brian Sabey Hall Render ", "description": "", "modified": "2024-10-11T00:04:00.735000", "created": "2024-08-21T12:41:28.437000", "tags": [ "ip address", "b cms", "express", "security risk", "found https", "server tsa", "b server", "digicert inc", "web application", "expiresthu", "path", "secure", "self", "body", "sha256 hash", "http response", "gmt perf", "accept expiry", "gmt pragma", "referrer", "misc attack", "et tor", "known tor", "relayrouter", "exit", "node traffic", "united", "flag", "contacted", "http traffic", "as20940", "name servers", "status", "search", "invalid url", "passive dns", "urls", "next", "as13414 twitter", "as15133 verizon", "nxdomain", "whitelisted", "a nxdomain", "aaaa", "trojan", "virtool", "twitter", "date hash", "avast avg", "related pulses", "file samples", "files matching", "show", "copyright", "levelblue", "showing", "scan endpoints", "all scoreblue", "server tsa b", "trojan features", "brian sabey", "cname", "as35994 akamai", "as4230 claro", "brazil", "date", "unknown", "ireland unknown", "registrar", "ionos se", "brain sabey" ], "references": [ "Researched Link: https://twitter.com/x/migrate?tok=7b2265223a222f5265786f725663302f7374617475732f31373335353637303533363938383236343333267665643d326168554b45776a7836506d37714f3248417858516d496b454864736445653851716f55426567514941784142267573673d414f76566177333047616a6b6e31444f6c50716444715861477457632532302532302f75726c3f657372633d7326713d267263743d6a2673613d552675726c3d68747470733a2f2f747769747465722e636f6d2f5265786f725663302f7374617475732f31373335353637303533363938383236343333267665643d326168554b45776a783", "https://twitter.com/RexorVc0/status/1735567053698826433&ved=2ahUKEwjx6Pm7qO2HAxXQmIkEHdsdEe8QqoUBegQIAxAB&usg=AOvVaw30Gajkn1DOlPqdDqXaGtWc /.git/HEAD", "https://twitter.com/404javascript.js", "https://twitter.com/RexorVc0/status/1735567053698826433&ved=2ahUKEwjx6Pm7qO2HAxXQmIkEHdsdEe8QqoUBegQIAxAB&usg=AOvVaw30Gajkn1DOlPqdDqXaGtWc /url?esrc=s&q=&rct=j&sa=U&url=https://twitter.com/RexorVc0/status/1735567053698826433&ved=2ahUKEwjx6Pm7qO2HAxXQmIkEHdsdEe8Qr4kDegQIAxAC&usg=AOvVaw3hTJ23b0U6ZvO_HwyLOEoQ", "https://unify.apideck.com/vault/callback", "https://twitter.com/RexorVc0/status/1735567053698826433&ved=2ahUKEwjx6Pm7qO2HAxXQmIkEHdsdEe8QqoUBegQIAxAB&usg=AOvVaw30Gajkn1DOlPqdDqXaGtWc%20%20/url?esrc=s&q=&rct=j&sa=U&url=https://twitter.com/RexorVc0/status/1735567053698826433&ved=2ahUKEwjx6Pm7qO2HAxXQmIkEHdsdEe8Qr4kDegQIAxAC&usg=AOvVaw3hTJ23b0U6ZvO_HwyLOEoQ", "Framing target as a self host of malicious, malware filled templates via twitter.com migrate to X.com", "Redirects to: https://twitter.com?mx=1 IP address: 104.244.42.129 Hosting: Unknown Running on: Tsa B CMS: Express Powered by: Express", "Block ID:\tEVA120 ?" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Belgium", "Ireland" ], "malware_families": [ { "id": "ALF:E5.SpikeAex.DYNHASH", "display_name": "ALF:E5.SpikeAex.DYNHASH", "target": null }, { "id": "Trojan:Win32/Upatre", "display_name": "Trojan:Win32/Upatre", "target": "/malware/Trojan:Win32/Upatre" }, { "id": "Trojan:Win32/Vflooder", "display_name": "Trojan:Win32/Vflooder", "target": "/malware/Trojan:Win32/Vflooder" }, { "id": "#VirTool:Win32/Obfuscator.ADB", "display_name": "#VirTool:Win32/Obfuscator.ADB", "target": "/malware/#VirTool:Win32/Obfuscator.ADB" } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1428", "name": "Exploit Enterprise Resources", "display_name": "T1428 - Exploit Enterprise Resources" }, { "id": "T1445", "name": "Abuse of iOS Enterprise App Signing Key", "display_name": "T1445 - Abuse of iOS Enterprise App Signing Key" }, { "id": "T1212", "name": "Exploitation for Credential Access", "display_name": "T1212 - Exploitation for Credential Access" }, { "id": "T1110.004", "name": "Credential Stuffing", "display_name": "T1110.004 - Credential Stuffing" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" } ], "industries": [], "TLP": "green", "cloned_from": "66b910d6b8a1a2fade2e72f1", "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 615, "domain": 368, "FileHash-SHA256": 1751, "hostname": 443, "FileHash-MD5": 419, "FileHash-SHA1": 419, "email": 7 }, "indicator_count": 4022, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "555 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66b910d6b8a1a2fade2e72f1", "name": "Twitter.com = X.com Migration to malware templates Brian Sabey photos| | Framing target| HoneyPots?", "description": "Again, multiple malicious X.com Twitter migration templates with photos of Brian Sabey and wife appear separately Sabey appear in Tsara Brashears search results with 'LDS Mafia' and Dia Sabey's 'Anti Trump' sentiment. Believed to be 'remotely' self hosted on a server purported to belong to Brashears. This has been done for a while to implicate target hosting and spreading well over 1 million illegal adult, murder,threat and darker sites,murls,domains. It's untrue and is considered framing since 2017, who reported it. \nRedirects to:\n\nhttps://twitter.com?mx=1\nTsara Brashears fake server is Brian Sabey, Red Team, potentially Law Enforcement, idk. \nIP address: 104.244.42.129\n\nHosting: Unknown\n\nRunning on: Tsa B (Tsara Brashears)\nCMS: Express\nPowered by: Express\n\n#VirTool:Win32/Obfuscator.ADB\nALF:E5.SpikeAex.DYNHASH\nTrojan:Win32/Upatre\nTrojan:Win32/Vflooder", "modified": "2024-10-11T00:04:00.735000", "created": "2024-08-11T19:28:22.948000", "tags": [ "ip address", "b cms", "express", "security risk", "found https", "server tsa", "b server", "digicert inc", "web application", "expiresthu", "path", "secure", "self", "body", "sha256 hash", "http response", "gmt perf", "accept expiry", "gmt pragma", "referrer", "misc attack", "et tor", "known tor", "relayrouter", "exit", "node traffic", "united", "flag", "contacted", "http traffic", "as20940", "name servers", "status", "search", "invalid url", "passive dns", "urls", "next", "as13414 twitter", "as15133 verizon", "nxdomain", "whitelisted", "a nxdomain", "aaaa", "trojan", "virtool", "twitter", "date hash", "avast avg", "related pulses", "file samples", "files matching", "show", "copyright", "levelblue", "showing", "scan endpoints", "all scoreblue", "server tsa b", "trojan features", "brian sabey", "cname", "as35994 akamai", "as4230 claro", "brazil", "date", "unknown", "ireland unknown", "registrar", "ionos se", "brain sabey" ], "references": [ "Researched Link: https://twitter.com/x/migrate?tok=7b2265223a222f5265786f725663302f7374617475732f31373335353637303533363938383236343333267665643d326168554b45776a7836506d37714f3248417858516d496b454864736445653851716f55426567514941784142267573673d414f76566177333047616a6b6e31444f6c50716444715861477457632532302532302f75726c3f657372633d7326713d267263743d6a2673613d552675726c3d68747470733a2f2f747769747465722e636f6d2f5265786f725663302f7374617475732f31373335353637303533363938383236343333267665643d326168554b45776a783", "https://twitter.com/RexorVc0/status/1735567053698826433&ved=2ahUKEwjx6Pm7qO2HAxXQmIkEHdsdEe8QqoUBegQIAxAB&usg=AOvVaw30Gajkn1DOlPqdDqXaGtWc /.git/HEAD", "https://twitter.com/404javascript.js", "https://twitter.com/RexorVc0/status/1735567053698826433&ved=2ahUKEwjx6Pm7qO2HAxXQmIkEHdsdEe8QqoUBegQIAxAB&usg=AOvVaw30Gajkn1DOlPqdDqXaGtWc /url?esrc=s&q=&rct=j&sa=U&url=https://twitter.com/RexorVc0/status/1735567053698826433&ved=2ahUKEwjx6Pm7qO2HAxXQmIkEHdsdEe8Qr4kDegQIAxAC&usg=AOvVaw3hTJ23b0U6ZvO_HwyLOEoQ", "https://unify.apideck.com/vault/callback", "https://twitter.com/RexorVc0/status/1735567053698826433&ved=2ahUKEwjx6Pm7qO2HAxXQmIkEHdsdEe8QqoUBegQIAxAB&usg=AOvVaw30Gajkn1DOlPqdDqXaGtWc%20%20/url?esrc=s&q=&rct=j&sa=U&url=https://twitter.com/RexorVc0/status/1735567053698826433&ved=2ahUKEwjx6Pm7qO2HAxXQmIkEHdsdEe8Qr4kDegQIAxAC&usg=AOvVaw3hTJ23b0U6ZvO_HwyLOEoQ", "Framing target as a self host of malicious, malware filled templates via twitter.com migrate to X.com", "Redirects to: https://twitter.com?mx=1 IP address: 104.244.42.129 Hosting: Unknown Running on: Tsa B CMS: Express Powered by: Express", "Block ID:\tEVA120 ?" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Belgium", "Ireland" ], "malware_families": [ { "id": "ALF:E5.SpikeAex.DYNHASH", "display_name": "ALF:E5.SpikeAex.DYNHASH", "target": null }, { "id": "Trojan:Win32/Upatre", "display_name": "Trojan:Win32/Upatre", "target": "/malware/Trojan:Win32/Upatre" }, { "id": "Trojan:Win32/Vflooder", "display_name": "Trojan:Win32/Vflooder", "target": "/malware/Trojan:Win32/Vflooder" }, { "id": "#VirTool:Win32/Obfuscator.ADB", "display_name": "#VirTool:Win32/Obfuscator.ADB", "target": "/malware/#VirTool:Win32/Obfuscator.ADB" } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1428", "name": "Exploit Enterprise Resources", "display_name": "T1428 - Exploit Enterprise Resources" }, { "id": "T1445", "name": "Abuse of iOS Enterprise App Signing Key", "display_name": "T1445 - Abuse of iOS Enterprise App Signing Key" }, { "id": "T1212", "name": "Exploitation for Credential Access", "display_name": "T1212 - Exploitation for Credential Access" }, { "id": "T1110.004", "name": "Credential Stuffing", "display_name": "T1110.004 - Credential Stuffing" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 451, "domain": 353, "FileHash-SHA256": 1714, "hostname": 418, "FileHash-MD5": 419, "FileHash-SHA1": 419, "email": 7 }, "indicator_count": 3781, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "555 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66d32648280eb859dfca1c19", "name": "x.com - That's what friends are for!", "description": "Original pulses modified, unknown stealer, junk data stuffing sifted through. Careful notes have been taken regarding ultra significant pulses. I've done the best I can to analyze compare, compile from all record of original pulse. | Further analysis shows an effort to destroy quite a bit of pertinent evidence. | I consider the target, family and associates to be especially endangered. Target has become isolated from most people target associated with, mostly by force as not to spread the malicious vulnerabilities that ha e affected many.\nTarget & associated have been interacting with and work with \n, hiring (not everyone they know) those involved. | There has been significant modification and degradation of the origin of information collected. | Who can you report to if the perpetrator is the Law. | This has always been the reason. | Don't hire another hit. What's the point? To uphold a fake integrity as a legacy?", "modified": "2024-09-30T10:01:49.889000", "created": "2024-08-31T14:18:48.037000", "tags": [ "referrer", "historical ssl", "united", "as13414 twitter", "nxdomain", "whitelisted", "cname", "a nxdomain", "status", "aaaa", "as15133 verizon", "search", "date", "twitter", "spoofed", "qbot qakbot", "qbot", "information", "t1027", "files", "t1036", "t1041", "c2 channel", "t1056", "capture", "t1057", "discovery", "memcommit", "process32nextw", "regsetvalueexa", "regdword", "module load", "t1129", "show", "intel", "ms windows", "trojan", "copy", "write", "win64", "next", "url https", "qbot type", "indicator role", "title added", "active related", "pulses url", "url http", "showing", "entries", "msie", "windows nt", "formsecnen", "read", "read c", "russia as48848", "qmount", "unknown", "pecompact", "malware", "role title", "added active", "related pulses", "type indicator", "as44273 host", "name servers", "as47846", "germany unknown", "443 ma2592000", "scan endpoints", "passive dns", "urls", "creation date", "all scoreblue", "hostname", "filehashsha256", "filehashsha1", "filehashmd5", "months ago", "ipv4", "report spam", "tinynote", "cobalt strike", "ransomexx", "quackbot", "comspec", "prefetch8", "pattern match", "prefetch1", "mitre att", "ck id", "show technique", "ck matrix", "null", "path", "hybrid", "general", "click", "strings", "langchinese", "icmp traffic", "pe resource", "pe section", "companyname gm", "win32", "push", "fakedout threat", "analyzer paste", "iocs", "hostnames", "urls https", "overview ip", "address", "related nids", "files hostname", "files domain", "files related", "pulses none", "related tags", "virustotal", "china unknown", "as4837 china", "redacted for", "as4835 china", "douglas county", "co sheriff", "office", "pegasus attacks", "sa victim", "cve type", "cve cve20170147", "no expiration", "expiration", "domain", "create new", "subsys00000000", "as16625 akamai", "as20940", "as39960", "as6762 telecom", "united kingdom", "emails", "span", "created", "white", "formatpng feb", "refererparam", "classid1", "login0", "typeid1", "style1", "dynamicloader", "high", "yara rule", "neshta", "neshta virus", "myapp", "ids detections", "yara detections", "alerts", "worm", "delphi", "ip address", "files location", "china flag", "china domain", "pulses otx", "pulses", "as45102 alibaba", "japan unknown", "as32934", "as19679 dropbox", "pulse pulses", "google safe", "browsing", "hosting", "body", "as7018 att", "verdict vpn", "as9009 m247", "canada unknown", "as174 cogent", "israel unknown", "as12310", "romania unknown", "as48945", "as64286", "b3viles0 feb", "modified", "siteid290", "org7", "novno jan", "siteid289", "org4", "org9", "locuo", "siteid969", "https", "http", "rims https", "evader", "message", "jeffrey scott", "reimer dpt", "pegasus", "pinterest", "amadey", "quasar rat", "eternalblue", "service", "sahil", "andcustomer" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Germany", "Netherlands", "Italy", "United Kingdom of Great Britain and Northern Ireland", "Japan", "Korea, Republic of", "France", "Malaysia" ], "malware_families": [ { "id": "Qbot", "display_name": "Qbot", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 39, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2161, "FileHash-SHA1": 2073, "FileHash-SHA256": 7032, "domain": 3959, "hostname": 7581, "email": 22, "URL": 17579, "SSLCertFingerprint": 3, "CVE": 2 }, "indicator_count": 40412, "is_author": false, "is_subscribing": null, "subscriber_count": 234, "modified_text": "566 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66d3264283628d23b8f28b9d", "name": "x.com - That's what friends are for!", "description": "Original pulses modified, unknown stealer, junk data stuffing sifted through. Careful notes have been taken regarding ultra significant pulses. I've done the best I can to analyze compare, compile from all record of original pulse. | Further analysis shows an effort to destroy quite a bit of pertinent evidence. | I consider the target, family and associates to be especially endangered. Target has become isolated from most people target associated with, mostly by force as not to spread the malicious vulnerabilities that ha e affected many.\nTarget & associated have been interacting with and work with \n, hiring (not everyone they know) those involved. | There has been significant modification and degradation of the origin of information collected. | Who can you report to if the perpetrator is the Law. | This has always been the reason. | Don't hire another hit. What's the point? To uphold a fake integrity as a legacy?", "modified": "2024-09-30T10:01:49.889000", "created": "2024-08-31T14:18:42.621000", "tags": [ "referrer", "historical ssl", "united", "as13414 twitter", "nxdomain", "whitelisted", "cname", "a nxdomain", "status", "aaaa", "as15133 verizon", "search", "date", "twitter", "spoofed", "qbot qakbot", "qbot", "information", "t1027", "files", "t1036", "t1041", "c2 channel", "t1056", "capture", "t1057", "discovery", "memcommit", "process32nextw", "regsetvalueexa", "regdword", "module load", "t1129", "show", "intel", "ms windows", "trojan", "copy", "write", "win64", "next", "url https", "qbot type", "indicator role", "title added", "active related", "pulses url", "url http", "showing", "entries", "msie", "windows nt", "formsecnen", "read", "read c", "russia as48848", "qmount", "unknown", "pecompact", "malware", "role title", "added active", "related pulses", "type indicator", "as44273 host", "name servers", "as47846", "germany unknown", "443 ma2592000", "scan endpoints", "passive dns", "urls", "creation date", "all scoreblue", "hostname", "filehashsha256", "filehashsha1", "filehashmd5", "months ago", "ipv4", "report spam", "tinynote", "cobalt strike", "ransomexx", "quackbot", "comspec", "prefetch8", "pattern match", "prefetch1", "mitre att", "ck id", "show technique", "ck matrix", "null", "path", "hybrid", "general", "click", "strings", "langchinese", "icmp traffic", "pe resource", "pe section", "companyname gm", "win32", "push", "fakedout threat", "analyzer paste", "iocs", "hostnames", "urls https", "overview ip", "address", "related nids", "files hostname", "files domain", "files related", "pulses none", "related tags", "virustotal", "china unknown", "as4837 china", "redacted for", "as4835 china", "douglas county", "co sheriff", "office", "pegasus attacks", "sa victim", "cve type", "cve cve20170147", "no expiration", "expiration", "domain", "create new", "subsys00000000", "as16625 akamai", "as20940", "as39960", "as6762 telecom", "united kingdom", "emails", "span", "created", "white", "formatpng feb", "refererparam", "classid1", "login0", "typeid1", "style1", "dynamicloader", "high", "yara rule", "neshta", "neshta virus", "myapp", "ids detections", "yara detections", "alerts", "worm", "delphi", "ip address", "files location", "china flag", "china domain", "pulses otx", "pulses", "as45102 alibaba", "japan unknown", "as32934", "as19679 dropbox", "pulse pulses", "google safe", "browsing", "hosting", "body", "as7018 att", "verdict vpn", "as9009 m247", "canada unknown", "as174 cogent", "israel unknown", "as12310", "romania unknown", "as48945", "as64286", "b3viles0 feb", "modified", "siteid290", "org7", "novno jan", "siteid289", "org4", "org9", "locuo", "siteid969", "https", "http", "rims https", "evader", "message", "jeffrey scott", "reimer dpt", "pegasus", "pinterest", "amadey", "quasar rat", "eternalblue", "service", "sahil", "andcustomer" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Germany", "Netherlands", "Italy", "United Kingdom of Great Britain and Northern Ireland", "Japan", "Korea, Republic of", "France", "Malaysia" ], "malware_families": [ { "id": "Qbot", "display_name": "Qbot", "target": null } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 41, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2161, "FileHash-SHA1": 2073, "FileHash-SHA256": 7032, "domain": 3959, "hostname": 7581, "email": 22, "URL": 17579, "SSLCertFingerprint": 3, "CVE": 2 }, "indicator_count": 40412, "is_author": false, "is_subscribing": null, "subscriber_count": 233, "modified_text": "566 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66c7c4116e56d78702dd38ad", "name": "InQuest - 22-08-2024", "description": "", "modified": "2024-09-21T23:00:38.725000", "created": "2024-08-22T23:04:49.499000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 6, "URL": 203, "FileHash-SHA256": 1, "hostname": 58, "FileHash-SHA1": 6, "FileHash-MD5": 40 }, "indicator_count": 314, "is_author": false, "is_subscribing": null, "subscriber_count": 1601, "modified_text": "574 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66c672884a5a8e32131dfd69", "name": "InQuest - 21-08-2024", "description": "", "modified": "2024-09-20T23:05:17.284000", "created": "2024-08-21T23:04:40.612000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 6, "URL": 199, "FileHash-SHA256": 1, "hostname": 51, "FileHash-SHA1": 6, "FileHash-MD5": 43 }, "indicator_count": 306, "is_author": false, "is_subscribing": null, "subscriber_count": 1600, "modified_text": "575 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66c520a736abef9223238164", "name": "InQuest - 20-08-2024", "description": "", "modified": "2024-09-19T23:04:15.781000", "created": "2024-08-20T23:03:03.472000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 4, "hostname": 55, "URL": 215, "domain": 6, "FileHash-MD5": 46, "FileHash-SHA1": 6 }, "indicator_count": 332, "is_author": false, "is_subscribing": null, "subscriber_count": 1601, "modified_text": "576 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66c3d01623155e5ed0012368", "name": "InQuest - 19-08-2024", "description": "", "modified": "2024-09-18T23:04:39.329000", "created": "2024-08-19T23:07:02.343000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 4, "hostname": 51, "URL": 202, "domain": 5, "FileHash-MD5": 44, "FileHash-SHA1": 6 }, "indicator_count": 312, "is_author": false, "is_subscribing": null, "subscriber_count": 1600, "modified_text": "577 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "669ee58a95337067cacd8316", "name": "InQuest - 22-07-2024", "description": "", "modified": "2024-08-21T23:02:06.560000", "created": "2024-07-22T23:04:42.168000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 6, "FileHash-MD5": 48, "hostname": 53, "URL": 193, "domain": 4 }, "indicator_count": 304, "is_author": false, "is_subscribing": null, "subscriber_count": 1603, "modified_text": "605 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "669d9437679997a2b80d55c6", "name": "InQuest - 21-07-2024", "description": "", "modified": "2024-08-20T23:03:18.426000", "created": "2024-07-21T23:05:27.136000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 6, "FileHash-MD5": 48, "hostname": 53, "URL": 193, "domain": 4 }, "indicator_count": 304, "is_author": false, "is_subscribing": null, "subscriber_count": 1603, "modified_text": "606 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "669c42e7c9eaf196ff9c19c9", "name": "InQuest - 20-07-2024", "description": "", "modified": "2024-08-19T23:00:37.357000", "created": "2024-07-20T23:06:15.359000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 6, "FileHash-MD5": 48, "hostname": 53, "URL": 193, "domain": 4 }, "indicator_count": 304, "is_author": false, "is_subscribing": null, "subscriber_count": 1601, "modified_text": "607 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "669af15c05e0dbc244b40746", "name": "InQuest - 19-07-2024", "description": "", "modified": "2024-08-18T23:06:34.363000", "created": "2024-07-19T23:06:04.410000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 6, "FileHash-MD5": 48, "hostname": 53, "URL": 193, "domain": 4 }, "indicator_count": 304, "is_author": false, "is_subscribing": null, "subscriber_count": 1600, "modified_text": "608 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6699a0d96bb8ddbe0c161507", "name": "InQuest - 18-07-2024", "description": "", "modified": "2024-08-17T23:04:21.565000", "created": "2024-07-18T23:10:17.753000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 32, "URL": 156, "FileHash-MD5": 29, "FileHash-SHA256": 2, "FileHash-SHA1": 6, "domain": 1 }, "indicator_count": 226, "is_author": false, "is_subscribing": null, "subscriber_count": 1600, "modified_text": "609 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6696fdc550416698dee3cf91", "name": "InQuest - 16-07-2024", "description": "", "modified": "2024-08-15T23:03:32.764000", "created": "2024-07-16T23:09:56.812000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 34, "URL": 164, "domain": 7, "FileHash-SHA256": 7, "FileHash-SHA1": 6, "FileHash-MD5": 17 }, "indicator_count": 235, "is_author": false, "is_subscribing": null, "subscriber_count": 1601, "modified_text": "611 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6695abe0e0a6187859126b0a", "name": "InQuest - 15-07-2024", "description": "", "modified": "2024-08-14T23:00:18.722000", "created": "2024-07-15T23:08:16.301000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 255, "domain": 3, "hostname": 50, "FileHash-MD5": 41, "FileHash-SHA1": 6 }, "indicator_count": 355, "is_author": false, "is_subscribing": null, "subscriber_count": 1600, "modified_text": "612 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66945aeed04179e834fa143f", "name": "InQuest - 14-07-2024", "description": "", "modified": "2024-08-13T23:03:40.685000", "created": "2024-07-14T23:10:38.072000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 183, "domain": 6, "hostname": 30, "FileHash-SHA256": 1, "FileHash-SHA1": 6, "FileHash-MD5": 25 }, "indicator_count": 251, "is_author": false, "is_subscribing": null, "subscriber_count": 1600, "modified_text": "613 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "669307518e9dbda4a3ad29a0", "name": "InQuest - 13-07-2024", "description": "", "modified": "2024-08-12T23:00:18.687000", "created": "2024-07-13T23:01:37.502000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 57, "URL": 236, "domain": 6, "FileHash-MD5": 50, "FileHash-SHA256": 1, "FileHash-SHA1": 6 }, "indicator_count": 356, "is_author": false, "is_subscribing": null, "subscriber_count": 1600, "modified_text": "614 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6691b6f854204077e7673993", "name": "InQuest - 12-07-2024", "description": "", "modified": "2024-08-11T23:04:05.117000", "created": "2024-07-12T23:06:32.251000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 238, "hostname": 62, "domain": 6, "FileHash-SHA1": 6, "FileHash-MD5": 42 }, "indicator_count": 354, "is_author": false, "is_subscribing": null, "subscriber_count": 1600, "modified_text": "615 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6690666b33459ffdaae4fbb3", "name": "InQuest - 11-07-2024", "description": "", "modified": "2024-08-10T23:03:27.119000", "created": "2024-07-11T23:10:35.390000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 168, "hostname": 34, "domain": 6, "FileHash-SHA1": 6, "FileHash-MD5": 29 }, "indicator_count": 243, "is_author": false, "is_subscribing": null, "subscriber_count": 1600, "modified_text": "616 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "668f1514c0e3118d5a3b1c1d", "name": "InQuest - 10-07-2024", "description": "", "modified": "2024-08-09T23:10:32.796000", "created": "2024-07-10T23:11:16.017000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 36, "URL": 171, "domain": 3, "FileHash-SHA1": 6, "FileHash-MD5": 28 }, "indicator_count": 244, "is_author": false, "is_subscribing": null, "subscriber_count": 1600, "modified_text": "617 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "668dc3960fa983d4208ea66a", "name": "InQuest - 09-07-2024", "description": "", "modified": "2024-08-08T23:00:27.177000", "created": "2024-07-09T23:11:18.699000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 159, "FileHash-SHA256": 2, "FileHash-MD5": 32, "hostname": 34, "FileHash-SHA1": 7, "domain": 1 }, "indicator_count": 235, "is_author": false, "is_subscribing": null, "subscriber_count": 1601, "modified_text": "618 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "668c72322c9e53f441949f6c", "name": "InQuest - 08-07-2024", "description": "", "modified": "2024-08-07T23:00:36.671000", "created": "2024-07-08T23:11:46.348000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 197, "hostname": 34, "domain": 3, "FileHash-SHA256": 7, "FileHash-MD5": 21, "FileHash-SHA1": 6 }, "indicator_count": 268, "is_author": false, "is_subscribing": null, "subscriber_count": 1601, "modified_text": "619 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "668b20a741aa3637fd8e1df1", "name": "InQuest - 07-07-2024", "description": "", "modified": "2024-08-06T23:01:42.804000", "created": "2024-07-07T23:11:35.964000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 197, "hostname": 34, "domain": 3, "FileHash-SHA256": 7, "FileHash-MD5": 21, "FileHash-SHA1": 6 }, "indicator_count": 268, "is_author": false, "is_subscribing": null, "subscriber_count": 1601, "modified_text": "620 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6689cf2fb1ab0c1c5a7d2022", "name": "InQuest - 06-07-2024", "description": "", "modified": "2024-08-05T23:02:24.366000", "created": "2024-07-06T23:11:43.824000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 197, "hostname": 34, "domain": 3, "FileHash-SHA256": 7, "FileHash-MD5": 21, "FileHash-SHA1": 6 }, "indicator_count": 268, "is_author": false, "is_subscribing": null, "subscriber_count": 1601, "modified_text": "621 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66887db7b10821a7f4b99da7", "name": "InQuest - 05-07-2024", "description": "", "modified": "2024-08-04T23:04:48.069000", "created": "2024-07-05T23:11:51.281000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 197, "hostname": 34, "domain": 3, "FileHash-SHA256": 7, "FileHash-MD5": 21, "FileHash-SHA1": 6 }, "indicator_count": 268, "is_author": false, "is_subscribing": null, "subscriber_count": 1601, "modified_text": "622 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66872b0745ee6f948f30f2bb", "name": "InQuest - 04-07-2024", "description": "", "modified": "2024-08-03T23:00:03.286000", "created": "2024-07-04T23:06:47.442000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 208, "hostname": 50, "domain": 4, "FileHash-SHA1": 6, "FileHash-MD5": 42 }, "indicator_count": 310, "is_author": false, "is_subscribing": null, "subscriber_count": 1600, "modified_text": "623 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6685d9bbf9a949ef7c6361eb", "name": "InQuest - 03-07-2024", "description": "", "modified": "2024-08-02T23:02:51.268000", "created": "2024-07-03T23:07:39.605000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 224, "domain": 12, "FileHash-MD5": 43, "hostname": 55, "FileHash-SHA256": 1, "FileHash-SHA1": 6 }, "indicator_count": 341, "is_author": false, "is_subscribing": null, "subscriber_count": 1600, "modified_text": "624 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6684885b80936c717ddb03bf", "name": "InQuest - 02-07-2024", "description": "", "modified": "2024-08-01T23:05:00.895000", "created": "2024-07-02T23:08:11.704000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 45, "hostname": 51, "URL": 198, "FileHash-SHA256": 3, "domain": 4, "FileHash-SHA1": 6 }, "indicator_count": 307, "is_author": false, "is_subscribing": null, "subscriber_count": 1601, "modified_text": "625 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6683366b34d09588908eefd1", "name": "InQuest - 01-07-2024", "description": "", "modified": "2024-07-31T23:02:13.281000", "created": "2024-07-01T23:06:19.247000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 6, "FileHash-MD5": 42, "hostname": 74, "URL": 289, "domain": 4 }, "indicator_count": 415, "is_author": false, "is_subscribing": null, "subscriber_count": 1600, "modified_text": "626 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6681e508cb0297fbdff647f3", "name": "InQuest - 30-06-2024", "description": "", "modified": "2024-07-30T23:00:22.594000", "created": "2024-06-30T23:06:48.595000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 6, "FileHash-MD5": 52, "hostname": 53, "URL": 191, "domain": 4 }, "indicator_count": 306, "is_author": false, "is_subscribing": null, "subscriber_count": 1600, "modified_text": "627 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "668093546a842adbcf3567cd", "name": "InQuest - 29-06-2024", "description": "", "modified": "2024-07-29T23:03:11.089000", "created": "2024-06-29T23:05:56.662000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 6, "FileHash-MD5": 47, "hostname": 56, "URL": 183, "domain": 3 }, "indicator_count": 295, "is_author": false, "is_subscribing": null, "subscriber_count": 1600, "modified_text": "628 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "667f41be14ba1aa22c4329d2", "name": "InQuest - 28-06-2024", "description": "", "modified": "2024-07-28T23:00:54.190000", "created": "2024-06-28T23:05:34.553000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 6, "FileHash-MD5": 52, "hostname": 53, "URL": 191, "domain": 4 }, "indicator_count": 306, "is_author": false, "is_subscribing": null, "subscriber_count": 1601, "modified_text": "629 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "667df07ddc0b63e755931298", "name": "InQuest - 27-06-2024", "description": "", "modified": "2024-07-27T23:02:29.208000", "created": "2024-06-27T23:06:37.821000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 11, "URL": 146, "FileHash-MD5": 39, "hostname": 36, "FileHash-SHA1": 6 }, "indicator_count": 238, "is_author": false, "is_subscribing": null, "subscriber_count": 1603, "modified_text": "630 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "667c9f5cdd5004315275c6e0", "name": "InQuest - 26-06-2024", "description": "", "modified": "2024-07-26T23:01:39.013000", "created": "2024-06-26T23:08:12.223000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 6, "URL": 192, "FileHash-SHA256": 2, "hostname": 53, "FileHash-SHA1": 6, "FileHash-MD5": 42 }, "indicator_count": 301, "is_author": false, "is_subscribing": null, "subscriber_count": 1603, "modified_text": "631 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://trail.truefoundry.com/api/t/c/usr_NEDuPPvnqv5DXyhti/tsk_X2YECqnpAow7t6JuE/enc_U2FsdGVkX1_wWHRx9nPGCEspZpUcIwc1yphMTxaaQ2ZAbsxOqRR4ibXcaYtcmgJ1UgabTFCHVVBLx2oAnBAW2h8el_edjHN72Ug0yKQePjKnSJEOnQvtq8MUPo0vkU1N", "scnrscnr pulse is good. I\u2019m assuming they\u2019re targets.", "2022ww11.pornhubgsy.com \u2022 http://scteamcommunity.com/4k-high-res-porn-videos/squirt", "Alerts: pe_compile_timestomping antiav_detectfile antidebug_guardpages encrypted_ioc", "https://vtbehaviour.commondatastorage.googleapis.com/fa8a59149604c73572bf92b42640de49faa7e8f16cd4bc18345d3e6a16378744_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775282019&Signature=VwsuvdyY52E5jzftipHSNWVrwmO7YUwSQa9yHiMIgbsXcJDnDNcdELamMXjmvzDn%2FT6L5HguJFyj%2F4DHLmPfddzVphNAKCPvz3IRVae2piJ%2B8VWa2%2B98W3RjMft93LZhdNHwxeEYM8oJ%2FOjAjw%2FIicginJBUwlGeHX3kfTJieSEC7SYf6BkJ4UNfnF2pPQjiaAqG9mop%2FPKsB%2FF1K%2FrL7Rpsxwhl1rGglHYPM4%2BtJj6zDYx%2F", "(Invalid IP) 022.12.7.75 redirect \u00bb 18.12.7.75 AS 3 (MIT-GATEWAYS) US", "Examining pulse created by scnrscnr is worth reviewing. I was surprised tonal see a targets name.I didn\u2019t see Foundry highlighted", "Spammer:MSIL/Misnt.A PLUS - FileHash-SHA256 5966e329cb56a0cc4956f1ca0da2b337aa3e6145d4622ac1152bfc29ab96304d", "Alerts: injection_runpe deletes_self persistence_autorun stealth_file antivirus_virustotal infostealer_ftp", "trojan.msil.spammer.ai = spammer.ai", "https://statemed.palantirgov.com/workspace/settings/notifications \u2022 https://cchbc.palantirfoundry.com", "IDS Detections: Observed Discord Domain (discordapp .com in TLS SNI) Observed Discord Service Domain (discord .com) in TLS SNI Less", "Domain ET WEB_CLIENT SUSPICOUS Possible automated connectivity check (www.google.com)", "Yara : MS_Visual_Basic_6_0 ,", "Alerts: mouse_movement_detect", "IDS Detections: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)", "https://ametrine-containers.palantirfoundry.com \u2022 https://amfp.palantirfoundry.com", "ETPRO TROJAN Win32/Tofsee.AX google.com connectivity check", "https://imperium-dev-1.palantircloud.com \u2022 https://hii.palantirgov.com \u2022 https://genoa.washington.palantircloud.com", "https://www.google-analytics.com/analytics.js", "Monitored Target - Spawned process \"iexplore.exe\" w/commandline \"SCODEF:5860 CREDAT:275457 /prefetch:2\" (Show Process) source", "https://twitter.com/RexorVc0/status/1735567053698826433&ved=2ahUKEwjx6Pm7qO2HAxXQmIkEHdsdEe8QqoUBegQIAxAB&usg=AOvVaw30Gajkn1DOlPqdDqXaGtWc%20%20/url?esrc=s&q=&rct=j&sa=U&url=https://twitter.com/RexorVc0/status/1735567053698826433&ved=2ahUKEwjx6Pm7qO2HAxXQmIkEHdsdEe8Qr4kDegQIAxAC&usg=AOvVaw3hTJ23b0U6ZvO_HwyLOEoQ", "http://aninditaannisa.blogspot.com/2019/02/tsara-brashears-porn.html \u2022 blogspot.com", "https://vtbehaviour.commondatastorage.googleapis.com/100a90c0ff019b19f0f2622cfa529d874f580b2ac6257d018e5eb9ab6d861f44_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775281734&Signature=3FFHeC27RvCC9623M2f8xoSU4fl9LBd%2FvI%2F98rUNvmdceN4AZjjw77yTU0ApUTXU5FbdCpODVhKi0X4pqDz1pqEP%2FBRLq%2FNhgoRliai6LlD4yhdTtKNi4zrfCDG%2Bd4dRzD5y674IfEPynxGiFOWxc6wiCtl3rhwTPEqisyDqFbvnF57SxrcPoVSzVO3wEtxpCOIw8iAFXdW2zgnnYYbSrbaQBfghKLtFA6r2vP%2Bmrd33YSUiH%2Fe2EqBz", "https://otx.alienvault.com/pulse/5fa57698ac0f6638b7b9a8ba", "ec2-44-228-94-74.us-west-2.compute.amazonaws.com \u2022 defender.palantirfoundry.com", "https://vtbehaviour.commondatastorage.googleapis.com/5a28f4a80025385ca11cce22b13e5eed52999965afbe16cccbc5e7165c7a0ac9_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775276100&Signature=NczLfuk5dyPFskbtz7UwIjCT2DzeU5uAQP%2FL%2BC5bjk7Ng%2FHccJbUFWcb%2FqpvZaJ%2BWg4tg6aaPKihJzwDyiF7UaJOwdX3172ddwGJAfggvgpJ68YtVBE1nyhHAoFO6KsLL73DjNj58e8Uhq6Bcx4nXa86FETCR%2FzzXDlLDXyQSxf%2FKhG8zuxEsss9vRDCF%2B3TJGvJ5EmQ5HwGvk2ex9wf6H1FrBxEyx6BH5i6txcC9vMG9SXQ6eYR2p", "Hostname: hcl-dna-sandbox.palantirfoundry.com", "Alerts : ransomware_file_modifications stealth_file procmem_yara static_pe_anomaly", "https://oscar.palantirfoundry.com/ \u2022 https://replica.palantirfoundry.com/", "http://clients2.google.com/time/1/current?cup2key=8:JROu1MtiAi1ExACtDuYde399VG2TxRqflS_l7p_q0tU&cup2hreq=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855%0Ahttp://x1.c.lencr.org/%0Ahttp://c.pki.goog/r/r1.crl", "162.159.128.233 \u2022 http://tsar.vicly.org \u2022 https://tsar.vicly.org \u2022 tsar.vicly.org \u2022 vicly.org \u2022 https://tsar.vicly.org/", "https://trail.truefoundry.com/api/track/open/usr_NEDuPPvnqv5DXyhti/tsk_X2YECqnpAow7t6JuE", "IDS Detections: ETPRO TROJAN Spammer MSIL/Misnt.A Spam Payload Download", "ET POLICY Internal Host Retrieving External IP via ipchicken.com - Possible Infection", "tsystems.palantirfoundry.com \u2022 https://statemed.palantirgov.com \u2022 https://statecms.palantirgov.com", "https://pl.pornhub.mrst.one/ \u2022 hotamateurpornsite.xxx \u2022 squirting.porn \u2022 https://de-pornhub.mrst.one/", "https://0-enakamai-lanwpradio-pornos4-dd-engine.redirectme.netoppofe2znetoppofindnetoppofcassandraddd-production.neto46cassandra.ali.zomans.com", "https://twitter.com/RexorVc0/status/1735567053698826433&ved=2ahUKEwjx6Pm7qO2HAxXQmIkEHdsdEe8QqoUBegQIAxAB&usg=AOvVaw30Gajkn1DOlPqdDqXaGtWc /url?esrc=s&q=&rct=j&sa=U&url=https://twitter.com/RexorVc0/status/1735567053698826433&ved=2ahUKEwjx6Pm7qO2HAxXQmIkEHdsdEe8Qr4kDegQIAxAC&usg=AOvVaw3hTJ23b0U6ZvO_HwyLOEoQ", "https://vtbehaviour.commondatastorage.googleapis.com/5a28f4a80025385ca11cce22b13e5eed52999965afbe16cccbc5e7165c7a0ac9_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775277214&Signature=y3%2FkmodrmzpLTVDtkzYvlqSkUTQ8Tri%2FDiLIqIpCBmJ6%2Bwk5p%2FJDSAwE5V8Wdp0vWLWjfA4DvRyS%2FvmNV4kFOr422iVZH2Ap2evf8%2Bq2bp9CW%2BAuBCjgz9K329V4%2B%2B9duUsUhVBqZ%2BNKz%2Fj4z7ZDBI%2BjqPV8XjvTI7pXAfzknmFAfZU%2FjalCNigHCX%2FIOgymeTOfzSOLYLClpNTr%2BYle8VSI%2BHf9TgUWP2WgNF", "https://remote.downloadnow-1.com/", "https://trail.truefoundry.com/api/track/open/usr_NEDuPPvnqv5DXyhti/tsk_L9bYYgL2HGng9mDsC", "Yara: Detections ConventionEngine_Term_Users", "dmz-mailsec-scanner-6.mit.edu | external-relay.iupui.edu | fresno.ucsf.edu | mail.virginia.edu | mailfilter2.cgu.edu | mx.gonzaga.edu", "palantirfoundry.com \u2022 https://edenglobalpartners.palantirfoundry.com/", "http://pic.porn.hub-accessories.site \u2022 https://pic.porn.hub-accessories.site \u2022 pic.porn.hub-accessories.site", "https://twitter.com/RexorVc0/status/1735567053698826433&ved=2ahUKEwjx6Pm7qO2HAxXQmIkEHdsdEe8QqoUBegQIAxAB&usg=AOvVaw30Gajkn1DOlPqdDqXaGtWc /.git/HEAD", "High Priority IDS Detections: W32/Emotet.v4 FileHash-SHA256 613ed78c024ee7744c5b53c18b315d10faa39d18975f1634f82da61c02ea8a4f", "https://test-1.washington.palantircloud.com \u2022 https://tarn.palantirgov.com \u2022 https://stateplatform.palantirgov.com", "High Priority Alerts: antisandbox_unhook antivirus_virustotal", "https://labs.inquest.net/iocdb", "https://www.icloud.com/attachment/?u=https%3a%2f%2f%cvws.icloud-content.com", "Alerts: disables_folder_options stealth_hidden_extension stealth_hiddenreg anomalous_deletefile", "Yara: ConventionEngine_Anomaly_MultiPDB_Double , ConventionEngine_Term_Documents", "Block ID:\tEVA120 ?", "247seekscenter.com \u2022 ns-1986.awsdns-56.co.uk: | 365-notifcation.com", "https://unify.apideck.com/vault/callback", "Alerts: dynamic_function_loading injection_write_process reads_memory_remote_process", "http://scteamcommunity.com/4k-high-res-porn-videos/squirt phishing", "yyz.llm-gateway.truefoundry.com \u2022 trail.truefoundry.com \u2022 sin.llm-gateway.truefoundry.com", "ipad-steals-app-ideas_1_.jpg - MD5 6dd66b729a649dec250b24533a58a996", "http://timestamp.sectigo.com/", "https://vtbehaviour.commondatastorage.googleapis.com/68e1e958d101feb1044553d3e8ba341448a17d917e4b613cb05873814159ed40_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775282913&Signature=TKCWJVTu8VHNWLhsI%2BkIN06KJgV4R1%2F2oO9G3V2x%2Bdxi14E9JDPHosmNkN%2Fk02BRc0I8Yg4HJPmcxjdAvb8mTCZjA10bizFznZC3epwH0hmoxTVgryMxpD%2B7zTQqKIRpE9UGGC1WSu0CTJ3rI9dCyopLkmeiyJPVw%2BIuERp37p2MEwzwwIPRuYpB190GfOdCkGt6TuMjDG6cVa%2BxvJlEdoEw8US6W8WPaioxSu1KVCoKjwky", "https://amiable-constellation.palantirfoundry.com \u2022 https://amplifi.palantirfoundry.com", "https://vtbehaviour.commondatastorage.googleapis.com/028e16744de653383b403efd4b755075deeb7d8ce264d7edd4615725e5b4c4c6_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775277967&Signature=oSvtx7eGCctItNKSDZN4tpJp11yn5QQjCHsLi45z7kUOa9nbuhPdVjh9gBKlXtNuGfXbpItYf6NFI%2B4pKCin266TJQP7FzDSnUzzziJTuqmZwxihDeoZ1RauqVOzGoAmrj9sG8nOYXqbOHNxQ3E6SugSzW3UFbyQJzfKt%2FsqsPsKAvl4su%2FlkWsqTHUR%2FT%2FLTTQV0ZXLwnrLv%2FdBA7DdsiE35g%2FPOiUdzJjkjhSILF%2BR", "https://ameteklms.palantirfoundry.com \u2022 https://ametrine-compute.palantirfoundry.com", "http://google.com.demo-box.cognito.svcgateway.foodsigned-php.ppp.canva-apps.cn/", "https://www.hyundaitx.com/", "\u00bb 2preprod-sonar-data-preprod-sonar-data5z.redirectme.netmovilpreprod-sonar-datappmovilpreprod-sonar-datafentryd.0025.ali.zomans.com", "(Invalid IP) 022.12.7.75 Chrome \\\\ user data \\\\ crowd deny \\\\ rData \\\\ crowd deny \\\\ 28 \\\\ metadata \\\\ ve", "https://vtbehaviour.commondatastorage.googleapis.com/100a90c0ff019b19f0f2622cfa529d874f580b2ac6257d018e5eb9ab6d861f44_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775281812&Signature=jttp%2BTn66O5EfEB%2FASdpjDONf%2BzydGtfIUy3AtwYz0ppPzVA88%2BzZ8LtzV0TDhkMiju4oLHr%2BauJnKYexqnF0MfNTXGKPfj3ux9oZ2%2Baqve%2B3xgapdwdz0N64RgWo3SBqCKFBOQmi57mqIy%2F8qgnAfdVX99BwF2BuRSYSbIjNW5NHjir1JrAAKwOHZFyNsKj99PImyug2FPpRnss8VrJvDyYdnaGLHIAbZMRl72V", "https://vtbehaviour.commondatastorage.googleapis.com/ba49f65ef5d694311c535991812ee2fa8f0c639f4e053d136c1161b8b1bfaf8f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775282803&Signature=CE28%2B8Orp96YBz3AWi4L4LJoj5B677T4lpyJl4VIG%2BN68qLtOorzpmY%2BdQgPcKJxqxcvmf3JmeA2zAZFyVdmEzznUnaiSY6xhbkbZ8nrReWLN9MBQZJuFd6by3aYlQoYFg2Bxu5d%2FLEAxWm4ljnJApBcv1csUNbJ8KxjkdXXAyPkiWPwMc4JDmXrnH5%2FXBQ7Tf1qxmze1lX2S5QvktDVUA3Bdn67nGtMvguY5EIl7tj1AezbuTFM", "https://replica.palantirfoundry.com/ \u2022 https://spacejam.palantirfoundry.com/ \u2022", "mx3.stanford.edu | my-stjohns-edu.mail.protection.outlook.com | prfsmtppr01ccd.uchospitals.edu", "http://clients2.google.com/time/1/current?cup2key=8:JROu1MtiAi1ExACtDuYde399VG2TxRqflS_l7p_q0tU&cup2hreq=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", "https://vtbehaviour.commondatastorage.googleapis.com/ffe3319990984c10c84fc18f6c1d40b2c7ad44666ebc2b54368bd96327ec6abc_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775283093&Signature=GU02WhsC3g0ztmDdXDNuqx9T9POv8DnaMp7NQX%2B70%2FybCmZtbIpyPiUCOuYG5ZD1RY8bCIR9k%2F%2BGsKSwWLVUNNih3CgvqShoWsNfLKvtS%2BDRbmV6G4ohLWIP0xPHJOCA%2FWvnSdblJ%2FdibwXFCT851RdpfK3f6ph2EPHXIq%2FBwhSc28%2BJfFSMK%2B1toESpR7COi%2FUwpnMfcoSpcIMZudaaU8JrTvEVLgtJ%2FAgHjmfoXxvJlD", "Yara : UPX , Nrv2x , UPX_OEP_place , UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , UPXv20MarkusLaszloReiser", "Suspicious of NSO Pegasus type spyware campaign (possibly)", "Alerts : network_cnc_https_generic reads_self packer_entropy injection_rwx uses_windows_utilities antivm_checks_available_memory queries_computer_name queries_user_name", "utmmail.bcw.edu | 166.78.44.213 11/04/24 | isu.edu | iup.edu | siu.edu | stcloudstate.edu | ucr.edu | router9.mail.cornell.edu", "Framing target as a self host of malicious, malware filled templates via twitter.com migrate to X.com", "YARA Detections: WinRAR_SFX", "http://foundry.tartarynova.com phishing \u2022 https://foundry.tartarynova.com \u2022 foundry.tartarynova.com", "https://embaxter.palantirfoundry.com \u2022 https://amgistudios.palantirfoundry.com", "https://twitter.com/404javascript.js", "https://vtbehaviour.commondatastorage.googleapis.com/3e6e0898a7b1b297d2b9322f5f578b02e2fd5d5647dbeef6b9273cda383e1547_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775283189&Signature=PtLPpZoeHrLkYIaV2etyfYslOxR9PtxqmjNNDdMHoJjBUuweFaoOVGyfkf%2BUGEiGQCogCu7az%2B4btIJ3frL%2BEdzwNV7Ufeb24KQqbVUQrVITPGPCW42mMdsKdDoNQsqLooDqFsjxRGt2meZgP3F3roSTIWDEJPwr35bBBkdANOOdXZG1mg3O8JHm35%2BBQMkSxOiAxeftigjPK7On%2Fk%2FvMli1USxDUfi2eRlkRaL090nKenRXt3cz4FEBe8", "Couldn\u2019t pulse 1st pulse so here\u2019s what\u2019s left", "https://bd-server.com/user/JasminMcVey2/", "prfsmtppr01ccd.uchospitals.edu \u2022 165.68.13.55", "https://vtbehaviour.commondatastorage.googleapis.com/bc3cc97398d5f56a4731085e8a385694f6ef1ab37243c6c00deed4a1335ced55_CAPE%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775281979&Signature=LrquDQAOc%2Bf90O7wkZ9lRNx5uIZopS4VL7qYn7UKkzTI19c7sNJWNdGeBPtnE%2FG4yxsv1tBxkoojr78E808e78vceGG2xskRT6tUTjtDo2c8JW%2FD9Mr5ZAVe8Cn%2BP%2BpCbBkZXbtaceCtVq0b9zVWx9YstN2ju69uofX50LbI%2FgmHh%2Bghta79DgdBrNmkcQEXDu7t%2FqSZSozfso9i%2BoSZdHXEfsU59hoc%2FhUSoPMEPGFU", "https://vtbehaviour.commondatastorage.googleapis.com/100a90c0ff019b19f0f2622cfa529d874f580b2ac6257d018e5eb9ab6d861f44_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775281904&Signature=B9x8BUVCeldkVImU%2Bb%2B7d97Q9Y2suAJFE1HvxBCu6MQUOt52HrgAUTBIeXPKgNP0gKiqrr%2BwDvN7q637Ht6n5C9QhuTPI%2FhWTub0F22jsp8lU2Pvp2bS%2FlaSchLRN5gDngyPABgnaqYERICP8QQkwfaB9pY%2Bii1%2FAeel%2BIDGYwxPPfIcYevejNv2O%2F0J6qYRftrtXwa95pbsecrfOzH6bpF3AzHQrTLJAuZ%2B%2BykW", "extdomembers-2022.bounceme.netoppofrobledevradiod.devkissflowd-netoppofweblatedevradio-krd-kr-finance-fw.devkissflowd-netoppofweblatedevradio-krd-kr.ali.zomans.com", "Redirects to: https://twitter.com?mx=1 IP address: 104.244.42.129 Hosting: Unknown Running on: Tsa B CMS: Express Powered by: Express", "https://vtbehaviour.commondatastorage.googleapis.com/02b1749e96b257099d5bafaeb1fc502442b4e064cca63fbcf4fc52af34b6435d_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775283154&Signature=m%2BGdulpws9rcUoJIzr45sR5qJdIxK89UYb6GUJL6p7n4mgYV69NJWbc3Jslcn117UKHnbSYYtRZSBRhviHhLuWsbhUG199mW8iGDiwaarp%2BbvmEIw6OXF2MgVIh%2FrJYr8slRZbUwjd9t8dMWwn%2FM5DNq6AzLyBqpznrBoVrvlibZuA9pWsHraA3P24WyEGUlbWN3NqLfmJ6gDeCKRfG7zhubGI%2Bb8Wl8GaBCodOtX2LlrA", "https://vtbehaviour.commondatastorage.googleapis.com/fa8a59149604c73572bf92b42640de49faa7e8f16cd4bc18345d3e6a16378744_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775282044&Signature=Y%2FEJZwm3h4tUuhn9%2FgO7QDcTnUoojZIDnoL%2FuGaoe0o5h%2FPUEiZpyFQLH9JfrvNN0h58UWlcJNCMxaSZl%2BZDvBDliVat0wDr0fE35mo0jGTK3uwa7DykFrjyI0NAVFlzkVSyxC0euM4lSJaw9PqyJGgLb4FfaztkzK7ZQYTIsGMYWSsCAKzatCObwK%2B8nqV63M9VXUeJy8ZQx7IwbttNffD6FQUaPbtCwlsywb%2Bu7NVqkFSG", "www.techcult.com", "Foundry stalking.", "Alerts: infostealer_mail network_smtp persistence_ads recon_programs injection", "http://apple.phishing.91tbc.com/ | apple.phishing.491459.top http://apple.phishing.91tbc.com/?ZYUKUR=8049183536181170.html", "https://vtbehaviour.commondatastorage.googleapis.com/bc3cc97398d5f56a4731085e8a385694f6ef1ab37243c6c00deed4a1335ced55_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775281954&Signature=Tythlx%2B0x7Dzf2SYvJDgwby2Ifinb7IbK5GTx%2ByqvqVc1r4cz7rhoVD3NZqUAgUpxSkIAsRAK5WV5tMXUGiiB6JWp8Y9YmaL7Zhb5NxMBcodk57r7XhYzEbDxYg%2Fh1ChwMliA5cBr%2BXbUcW4q2aA4xQeNE1XVNpalGtyHh8bsDTKgQG0Ch1gikPF%2BeKc2ANprXe6z%2FJBXtqJBxh6%2Bem6fGON6%2BpRP1%2BgmNg4%2FtFnlQ", "lm-gateway.truefoundry.com \u2022 https://assets.production.truefoundry.com/sample-openapi.json", "IDS Detections: Observed Discord Domain (discord .com in TLS SNI)", "truefoundry.com \u2022 assets.production.truefoundry.com \u2022 cpt.llm-gateway.truefoundry.com", "IDS Detections: Observed Discord Domain in DNS Lookup (discord .com) Discord Chat Service Domain in DNS Lookup (discord .com)", "https://aninditaannisa.blogspot.com/2019/02/tsara-brashears-porn.html \u2022 blogspot.com \u2022 www.techcult.com/judge-the-simpsons-parody-is-child-pornography/ Whitelisted domain techcult.com\t Domain blogspot.com Whitelisted domain blogspot.com\t Domain techcult.com Whitelisted domain techcult.com\t Hostname aninditaannisa.blogspot.com \u2022 domain blogspot.com", "https://vtbehaviour.commondatastorage.googleapis.com/5a28f4a80025385ca11cce22b13e5eed52999965afbe16cccbc5e7165c7a0ac9_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775276177&Signature=iO1RoMLTZsC3s7nBZ8wieXl6wwWrnnCqu%2F5pXBAa2Luk2wKtKTXUyyZEOOhqaCFNbUPjsIfY1v0KxEBxzkumSiDs3XXBs%2FYt49goHGNudddQOKcmLsjbT2GhALTnmmVvl79aLJaLwnMe9B7PkJpSTGuBrutOjF5VJ0yofcbM4XjQQlOIkc8WWi94WMVxXpWAjFK9D5zmoyn9G5w1TahDZjePP%2FfkKNpJe2OqRQ59iXyHcG1nvA%2FUIx", "Monitored Target: Queries DNS server details \"www.hyundaitx.com\" source Network Traffic T1071.004", "https://vtbehaviour.commondatastorage.googleapis.com/100a90c0ff019b19f0f2622cfa529d874f580b2ac6257d018e5eb9ab6d861f44_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775281711&Signature=G81N%2BSvpl7rLMvDIGLovzSBK8YJzNBOTs7Ycfze1L%2BdFheZX%2BS6EbtlDx545BRgefMUoJSwn%2BdK4eRpYlyMGmHvkv2tw3apezXxBF5J95vedk3RlOzXgGUAvJvewt0RBBR9f9hiVn9CuYTHvY3Cf%2BVog32%2BRLrv8sMhZ%2FeqX0%2FhraP6leNtAta5iUv73pYWeMmdsQ7nX2EvTO7uUvGggX6TmnBhiHHd8E9uCsoPHCTP4i0", "interact.f5.com", "Alerts: infostealer_browser infostealer_cookies binary_yara procmem_yara static_pe_anomaly", "http://legal.twitter.co \u2022 http://mobile.twitter.co/", "IDS Detections: ETPRO TROJAN Spammer MSIL/Misnt.A Get MX ETPRO TROJAN Spammer MSIL/Misnt.A Fetching Spam List", "Palantir/ Hyuandi coexist | Confirmed Targets transportation was a Hyuandi SUV |", "ETPRO TROJAN Win32/Oderoor Checkin \u2022 ET INFO DYNAMIC_DNS Query to *.dyndns. Domain", "platform.twitter.co \u2022 rm.twitter.co \u2022 upload.twitter.co \u2022 http://2fsyndication.twitter.co/", "Researched Link: https://twitter.com/x/migrate?tok=7b2265223a222f5265786f725663302f7374617475732f31373335353637303533363938383236343333267665643d326168554b45776a7836506d37714f3248417858516d496b454864736445653851716f55426567514941784142267573673d414f76566177333047616a6b6e31444f6c50716444715861477457632532302532302f75726c3f657372633d7326713d267263743d6a2673613d552675726c3d68747470733a2f2f747769747465722e636f6d2f5265786f725663302f7374617475732f31373335353637303533363938383236343333267665643d326168554b45776a783" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Spammer:msil/misnt.a", "#virtool:win32/obfuscator.adb", "Win.trojan.cycbot-764", "Sape.heur.9b552", "Win32/blacked", "Symantec", "Trojan.vb-47534", "Palantir spyware", "Trojan.kazy-237", "Trojan:win32/upatre", "Alf:heraklezeval:pws:win32/ldpinch!rfn", "Trojandropper:win32/vb.il0", "Etpro", "Ransom:win32/cryptor", "Trojan.adload-2492", "Trojan:win32/vflooder", "Trojan.vundo-5335", "Trojan:win32/zonsterarch", "Nod32", "Qbot", "Emotet", "Win.malware.vtflooder-9783271-0", "Atros3.ahfb", "Generic31.bkfg", "Backdoor:win32/drixed.j ,", "Malware tool", "Alf:hstr:krunchymalpacker!mtb", "Alf:trojan:win32/cassini_56a3061!ibt", "C2087940", "Mirai", "Alf:e5.spikeaex.dynhash", "Win.ransomware.msilzilla-10014498-0", "Artro", "Win.packed.krucky-6941986-0", "Trojan.spy-59563", "Win.ransomware.sodinokibi-7013612-0", "Win.trojan.jorik-10365", "Worm:win32/macoute.a", "Win.trojan.agent-920890" ], "industries": [ "Education", "Civilian society", "Healthcare", "Technology" ], "unique_indicators": 141228 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/facebook.net", "whois": "http://whois.domaintools.com/facebook.net", "domain": "facebook.net", "hostname": "connect.facebook.net" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 50, "pulses": [ { "id": "69b17ce52b022720772044dc", "name": "CAPE Sandbox", "description": "Creepy. not ok. abuse of power #stalker", "modified": "2026-04-10T14:06:02.757000", "created": "2026-03-11T14:32:05.801000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 2, "URL": 36, "domain": 14, "hostname": 105 }, "indicator_count": 161, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "9 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69d0ac87c6799549809753ce", "name": "VirusTotal report\n for Other-20230212T074754Z-001.zip", "description": "com - is the name of a German domain registered with the United-Domains AG.\n\n3 hearts\npure bleeds. sigma shields. commander hunts.\nlegacy puppetmaster suppresses.\nthe octopus is forever tangled.", "modified": "2026-04-04T06:43:37.685000", "created": "2026-04-04T06:15:35.668000", "tags": [ "date", "server", "registrar abuse", "postal code", "registrant name", "expiration date", "registry domain", "registrar iana", "registrar url", "registrant city", "ascii text", "javascript", "mitre attack", "network info", "dropped info", "file type", "processes extra", "overview zenbox", "linux verdict", "guest system", "ultimate file", "info file", "persistence", "next", "pe file", "text format", "ansi", "ms windows", "zip archive", "found", "crlf line", "windows start", "default", "delphi", "code", "malicious", "windows sandbox", "calls clear", "ascii", "java source", "web open", "font format", "truetype", "version", "python", "cape sandbox", "machine summary", "report time", "machine name", "analysis id", "machine label", "duration", "machine manager", "kvm os", "shutdown", "https", "shpk", "performs dns", "t1055 process", "layer protocol", "overview", "title", "phishing", "loader", "script", "meta", "albania", "structured data", "artan lenja", "street", "building", "tiran", "body", "icloud", "free", "apple", "link", "style", "doctype html", "timestamp", "sectigo", "official", "disney", "walt disney", "countryus", "center", "head", "forbidden", "creates", "command", "clear filters", "sigma", "verdict" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/100a90c0ff019b19f0f2622cfa529d874f580b2ac6257d018e5eb9ab6d861f44_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775281711&Signature=G81N%2BSvpl7rLMvDIGLovzSBK8YJzNBOTs7Ycfze1L%2BdFheZX%2BS6EbtlDx545BRgefMUoJSwn%2BdK4eRpYlyMGmHvkv2tw3apezXxBF5J95vedk3RlOzXgGUAvJvewt0RBBR9f9hiVn9CuYTHvY3Cf%2BVog32%2BRLrv8sMhZ%2FeqX0%2FhraP6leNtAta5iUv73pYWeMmdsQ7nX2EvTO7uUvGggX6TmnBhiHHd8E9uCsoPHCTP4i0", "https://vtbehaviour.commondatastorage.googleapis.com/100a90c0ff019b19f0f2622cfa529d874f580b2ac6257d018e5eb9ab6d861f44_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775281734&Signature=3FFHeC27RvCC9623M2f8xoSU4fl9LBd%2FvI%2F98rUNvmdceN4AZjjw77yTU0ApUTXU5FbdCpODVhKi0X4pqDz1pqEP%2FBRLq%2FNhgoRliai6LlD4yhdTtKNi4zrfCDG%2Bd4dRzD5y674IfEPynxGiFOWxc6wiCtl3rhwTPEqisyDqFbvnF57SxrcPoVSzVO3wEtxpCOIw8iAFXdW2zgnnYYbSrbaQBfghKLtFA6r2vP%2Bmrd33YSUiH%2Fe2EqBz", "https://vtbehaviour.commondatastorage.googleapis.com/100a90c0ff019b19f0f2622cfa529d874f580b2ac6257d018e5eb9ab6d861f44_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775281812&Signature=jttp%2BTn66O5EfEB%2FASdpjDONf%2BzydGtfIUy3AtwYz0ppPzVA88%2BzZ8LtzV0TDhkMiju4oLHr%2BauJnKYexqnF0MfNTXGKPfj3ux9oZ2%2Baqve%2B3xgapdwdz0N64RgWo3SBqCKFBOQmi57mqIy%2F8qgnAfdVX99BwF2BuRSYSbIjNW5NHjir1JrAAKwOHZFyNsKj99PImyug2FPpRnss8VrJvDyYdnaGLHIAbZMRl72V", "https://vtbehaviour.commondatastorage.googleapis.com/100a90c0ff019b19f0f2622cfa529d874f580b2ac6257d018e5eb9ab6d861f44_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775281904&Signature=B9x8BUVCeldkVImU%2Bb%2B7d97Q9Y2suAJFE1HvxBCu6MQUOt52HrgAUTBIeXPKgNP0gKiqrr%2BwDvN7q637Ht6n5C9QhuTPI%2FhWTub0F22jsp8lU2Pvp2bS%2FlaSchLRN5gDngyPABgnaqYERICP8QQkwfaB9pY%2Bii1%2FAeel%2BIDGYwxPPfIcYevejNv2O%2F0J6qYRftrtXwa95pbsecrfOzH6bpF3AzHQrTLJAuZ%2B%2BykW", "https://vtbehaviour.commondatastorage.googleapis.com/bc3cc97398d5f56a4731085e8a385694f6ef1ab37243c6c00deed4a1335ced55_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775281954&Signature=Tythlx%2B0x7Dzf2SYvJDgwby2Ifinb7IbK5GTx%2ByqvqVc1r4cz7rhoVD3NZqUAgUpxSkIAsRAK5WV5tMXUGiiB6JWp8Y9YmaL7Zhb5NxMBcodk57r7XhYzEbDxYg%2Fh1ChwMliA5cBr%2BXbUcW4q2aA4xQeNE1XVNpalGtyHh8bsDTKgQG0Ch1gikPF%2BeKc2ANprXe6z%2FJBXtqJBxh6%2Bem6fGON6%2BpRP1%2BgmNg4%2FtFnlQ", "https://vtbehaviour.commondatastorage.googleapis.com/bc3cc97398d5f56a4731085e8a385694f6ef1ab37243c6c00deed4a1335ced55_CAPE%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775281979&Signature=LrquDQAOc%2Bf90O7wkZ9lRNx5uIZopS4VL7qYn7UKkzTI19c7sNJWNdGeBPtnE%2FG4yxsv1tBxkoojr78E808e78vceGG2xskRT6tUTjtDo2c8JW%2FD9Mr5ZAVe8Cn%2BP%2BpCbBkZXbtaceCtVq0b9zVWx9YstN2ju69uofX50LbI%2FgmHh%2Bghta79DgdBrNmkcQEXDu7t%2FqSZSozfso9i%2BoSZdHXEfsU59hoc%2FhUSoPMEPGFU", "https://vtbehaviour.commondatastorage.googleapis.com/fa8a59149604c73572bf92b42640de49faa7e8f16cd4bc18345d3e6a16378744_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775282019&Signature=VwsuvdyY52E5jzftipHSNWVrwmO7YUwSQa9yHiMIgbsXcJDnDNcdELamMXjmvzDn%2FT6L5HguJFyj%2F4DHLmPfddzVphNAKCPvz3IRVae2piJ%2B8VWa2%2B98W3RjMft93LZhdNHwxeEYM8oJ%2FOjAjw%2FIicginJBUwlGeHX3kfTJieSEC7SYf6BkJ4UNfnF2pPQjiaAqG9mop%2FPKsB%2FF1K%2FrL7Rpsxwhl1rGglHYPM4%2BtJj6zDYx%2F", "https://vtbehaviour.commondatastorage.googleapis.com/fa8a59149604c73572bf92b42640de49faa7e8f16cd4bc18345d3e6a16378744_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775282044&Signature=Y%2FEJZwm3h4tUuhn9%2FgO7QDcTnUoojZIDnoL%2FuGaoe0o5h%2FPUEiZpyFQLH9JfrvNN0h58UWlcJNCMxaSZl%2BZDvBDliVat0wDr0fE35mo0jGTK3uwa7DykFrjyI0NAVFlzkVSyxC0euM4lSJaw9PqyJGgLb4FfaztkzK7ZQYTIsGMYWSsCAKzatCObwK%2B8nqV63M9VXUeJy8ZQx7IwbttNffD6FQUaPbtCwlsywb%2Bu7NVqkFSG", "https://www.icloud.com/attachment/?u=https%3a%2f%2f%cvws.icloud-content.com", "https://vtbehaviour.commondatastorage.googleapis.com/ba49f65ef5d694311c535991812ee2fa8f0c639f4e053d136c1161b8b1bfaf8f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775282803&Signature=CE28%2B8Orp96YBz3AWi4L4LJoj5B677T4lpyJl4VIG%2BN68qLtOorzpmY%2BdQgPcKJxqxcvmf3JmeA2zAZFyVdmEzznUnaiSY6xhbkbZ8nrReWLN9MBQZJuFd6by3aYlQoYFg2Bxu5d%2FLEAxWm4ljnJApBcv1csUNbJ8KxjkdXXAyPkiWPwMc4JDmXrnH5%2FXBQ7Tf1qxmze1lX2S5QvktDVUA3Bdn67nGtMvguY5EIl7tj1AezbuTFM", "https://vtbehaviour.commondatastorage.googleapis.com/68e1e958d101feb1044553d3e8ba341448a17d917e4b613cb05873814159ed40_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775282913&Signature=TKCWJVTu8VHNWLhsI%2BkIN06KJgV4R1%2F2oO9G3V2x%2Bdxi14E9JDPHosmNkN%2Fk02BRc0I8Yg4HJPmcxjdAvb8mTCZjA10bizFznZC3epwH0hmoxTVgryMxpD%2B7zTQqKIRpE9UGGC1WSu0CTJ3rI9dCyopLkmeiyJPVw%2BIuERp37p2MEwzwwIPRuYpB190GfOdCkGt6TuMjDG6cVa%2BxvJlEdoEw8US6W8WPaioxSu1KVCoKjwky", "https://vtbehaviour.commondatastorage.googleapis.com/ffe3319990984c10c84fc18f6c1d40b2c7ad44666ebc2b54368bd96327ec6abc_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775283093&Signature=GU02WhsC3g0ztmDdXDNuqx9T9POv8DnaMp7NQX%2B70%2FybCmZtbIpyPiUCOuYG5ZD1RY8bCIR9k%2F%2BGsKSwWLVUNNih3CgvqShoWsNfLKvtS%2BDRbmV6G4ohLWIP0xPHJOCA%2FWvnSdblJ%2FdibwXFCT851RdpfK3f6ph2EPHXIq%2FBwhSc28%2BJfFSMK%2B1toESpR7COi%2FUwpnMfcoSpcIMZudaaU8JrTvEVLgtJ%2FAgHjmfoXxvJlD", "https://vtbehaviour.commondatastorage.googleapis.com/02b1749e96b257099d5bafaeb1fc502442b4e064cca63fbcf4fc52af34b6435d_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775283154&Signature=m%2BGdulpws9rcUoJIzr45sR5qJdIxK89UYb6GUJL6p7n4mgYV69NJWbc3Jslcn117UKHnbSYYtRZSBRhviHhLuWsbhUG199mW8iGDiwaarp%2BbvmEIw6OXF2MgVIh%2FrJYr8slRZbUwjd9t8dMWwn%2FM5DNq6AzLyBqpznrBoVrvlibZuA9pWsHraA3P24WyEGUlbWN3NqLfmJ6gDeCKRfG7zhubGI%2Bb8Wl8GaBCodOtX2LlrA", "https://vtbehaviour.commondatastorage.googleapis.com/3e6e0898a7b1b297d2b9322f5f578b02e2fd5d5647dbeef6b9273cda383e1547_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775283189&Signature=PtLPpZoeHrLkYIaV2etyfYslOxR9PtxqmjNNDdMHoJjBUuweFaoOVGyfkf%2BUGEiGQCogCu7az%2B4btIJ3frL%2BEdzwNV7Ufeb24KQqbVUQrVITPGPCW42mMdsKdDoNQsqLooDqFsjxRGt2meZgP3F3roSTIWDEJPwr35bBBkdANOOdXZG1mg3O8JHm35%2BBQMkSxOiAxeftigjPK7On%2Fk%2FvMli1USxDUfi2eRlkRaL090nKenRXt3cz4FEBe8" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 204, "email": 2, "hostname": 470, "URL": 746, "FileHash-SHA256": 827, "FileHash-MD5": 19, "FileHash-SHA1": 17, "IPv4": 187 }, "indicator_count": 2472, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "15 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69d0ac884cb646fac0b8d3d4", "name": "VirusTotal report\n for Other-20230212T074754Z-001.zip", "description": "com - is the name of a German domain registered with the United-Domains AG.\n\n3 hearts\npure bleeds. sigma shields. commander hunts.\nlegacy puppetmaster suppresses.\nthe octopus is forever tangled.", "modified": "2026-04-04T06:43:36.558000", "created": "2026-04-04T06:15:36.916000", "tags": [ "date", "server", "registrar abuse", "postal code", "registrant name", "expiration date", "registry domain", "registrar iana", "registrar url", "registrant city", "ascii text", "javascript", "mitre attack", "network info", "dropped info", "file type", "processes extra", "overview zenbox", "linux verdict", "guest system", "ultimate file", "info file", "persistence", "next", "pe file", "text format", "ansi", "ms windows", "zip archive", "found", "crlf line", "windows start", "default", "delphi", "code", "malicious", "windows sandbox", "calls clear", "ascii", "java source", "web open", "font format", "truetype", "version", "python", "cape sandbox", "machine summary", "report time", "machine name", "analysis id", "machine label", "duration", "machine manager", "kvm os", "shutdown", "https", "shpk", "performs dns", "t1055 process", "layer protocol", "overview", "title", "phishing", "loader", "script", "meta", "albania", "structured data", "artan lenja", "street", "building", "tiran", "body", "icloud", "free", "apple", "link", "style", "doctype html", "timestamp", "sectigo", "official", "disney", "walt disney", "countryus", "center", "head", "forbidden", "creates", "command", "clear filters", "sigma", "verdict" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/100a90c0ff019b19f0f2622cfa529d874f580b2ac6257d018e5eb9ab6d861f44_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775281711&Signature=G81N%2BSvpl7rLMvDIGLovzSBK8YJzNBOTs7Ycfze1L%2BdFheZX%2BS6EbtlDx545BRgefMUoJSwn%2BdK4eRpYlyMGmHvkv2tw3apezXxBF5J95vedk3RlOzXgGUAvJvewt0RBBR9f9hiVn9CuYTHvY3Cf%2BVog32%2BRLrv8sMhZ%2FeqX0%2FhraP6leNtAta5iUv73pYWeMmdsQ7nX2EvTO7uUvGggX6TmnBhiHHd8E9uCsoPHCTP4i0", "https://vtbehaviour.commondatastorage.googleapis.com/100a90c0ff019b19f0f2622cfa529d874f580b2ac6257d018e5eb9ab6d861f44_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775281734&Signature=3FFHeC27RvCC9623M2f8xoSU4fl9LBd%2FvI%2F98rUNvmdceN4AZjjw77yTU0ApUTXU5FbdCpODVhKi0X4pqDz1pqEP%2FBRLq%2FNhgoRliai6LlD4yhdTtKNi4zrfCDG%2Bd4dRzD5y674IfEPynxGiFOWxc6wiCtl3rhwTPEqisyDqFbvnF57SxrcPoVSzVO3wEtxpCOIw8iAFXdW2zgnnYYbSrbaQBfghKLtFA6r2vP%2Bmrd33YSUiH%2Fe2EqBz", "https://vtbehaviour.commondatastorage.googleapis.com/100a90c0ff019b19f0f2622cfa529d874f580b2ac6257d018e5eb9ab6d861f44_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775281812&Signature=jttp%2BTn66O5EfEB%2FASdpjDONf%2BzydGtfIUy3AtwYz0ppPzVA88%2BzZ8LtzV0TDhkMiju4oLHr%2BauJnKYexqnF0MfNTXGKPfj3ux9oZ2%2Baqve%2B3xgapdwdz0N64RgWo3SBqCKFBOQmi57mqIy%2F8qgnAfdVX99BwF2BuRSYSbIjNW5NHjir1JrAAKwOHZFyNsKj99PImyug2FPpRnss8VrJvDyYdnaGLHIAbZMRl72V", "https://vtbehaviour.commondatastorage.googleapis.com/100a90c0ff019b19f0f2622cfa529d874f580b2ac6257d018e5eb9ab6d861f44_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775281904&Signature=B9x8BUVCeldkVImU%2Bb%2B7d97Q9Y2suAJFE1HvxBCu6MQUOt52HrgAUTBIeXPKgNP0gKiqrr%2BwDvN7q637Ht6n5C9QhuTPI%2FhWTub0F22jsp8lU2Pvp2bS%2FlaSchLRN5gDngyPABgnaqYERICP8QQkwfaB9pY%2Bii1%2FAeel%2BIDGYwxPPfIcYevejNv2O%2F0J6qYRftrtXwa95pbsecrfOzH6bpF3AzHQrTLJAuZ%2B%2BykW", "https://vtbehaviour.commondatastorage.googleapis.com/bc3cc97398d5f56a4731085e8a385694f6ef1ab37243c6c00deed4a1335ced55_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775281954&Signature=Tythlx%2B0x7Dzf2SYvJDgwby2Ifinb7IbK5GTx%2ByqvqVc1r4cz7rhoVD3NZqUAgUpxSkIAsRAK5WV5tMXUGiiB6JWp8Y9YmaL7Zhb5NxMBcodk57r7XhYzEbDxYg%2Fh1ChwMliA5cBr%2BXbUcW4q2aA4xQeNE1XVNpalGtyHh8bsDTKgQG0Ch1gikPF%2BeKc2ANprXe6z%2FJBXtqJBxh6%2Bem6fGON6%2BpRP1%2BgmNg4%2FtFnlQ", "https://vtbehaviour.commondatastorage.googleapis.com/bc3cc97398d5f56a4731085e8a385694f6ef1ab37243c6c00deed4a1335ced55_CAPE%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775281979&Signature=LrquDQAOc%2Bf90O7wkZ9lRNx5uIZopS4VL7qYn7UKkzTI19c7sNJWNdGeBPtnE%2FG4yxsv1tBxkoojr78E808e78vceGG2xskRT6tUTjtDo2c8JW%2FD9Mr5ZAVe8Cn%2BP%2BpCbBkZXbtaceCtVq0b9zVWx9YstN2ju69uofX50LbI%2FgmHh%2Bghta79DgdBrNmkcQEXDu7t%2FqSZSozfso9i%2BoSZdHXEfsU59hoc%2FhUSoPMEPGFU", "https://vtbehaviour.commondatastorage.googleapis.com/fa8a59149604c73572bf92b42640de49faa7e8f16cd4bc18345d3e6a16378744_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775282019&Signature=VwsuvdyY52E5jzftipHSNWVrwmO7YUwSQa9yHiMIgbsXcJDnDNcdELamMXjmvzDn%2FT6L5HguJFyj%2F4DHLmPfddzVphNAKCPvz3IRVae2piJ%2B8VWa2%2B98W3RjMft93LZhdNHwxeEYM8oJ%2FOjAjw%2FIicginJBUwlGeHX3kfTJieSEC7SYf6BkJ4UNfnF2pPQjiaAqG9mop%2FPKsB%2FF1K%2FrL7Rpsxwhl1rGglHYPM4%2BtJj6zDYx%2F", "https://vtbehaviour.commondatastorage.googleapis.com/fa8a59149604c73572bf92b42640de49faa7e8f16cd4bc18345d3e6a16378744_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775282044&Signature=Y%2FEJZwm3h4tUuhn9%2FgO7QDcTnUoojZIDnoL%2FuGaoe0o5h%2FPUEiZpyFQLH9JfrvNN0h58UWlcJNCMxaSZl%2BZDvBDliVat0wDr0fE35mo0jGTK3uwa7DykFrjyI0NAVFlzkVSyxC0euM4lSJaw9PqyJGgLb4FfaztkzK7ZQYTIsGMYWSsCAKzatCObwK%2B8nqV63M9VXUeJy8ZQx7IwbttNffD6FQUaPbtCwlsywb%2Bu7NVqkFSG", "https://www.icloud.com/attachment/?u=https%3a%2f%2f%cvws.icloud-content.com", "https://vtbehaviour.commondatastorage.googleapis.com/ba49f65ef5d694311c535991812ee2fa8f0c639f4e053d136c1161b8b1bfaf8f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775282803&Signature=CE28%2B8Orp96YBz3AWi4L4LJoj5B677T4lpyJl4VIG%2BN68qLtOorzpmY%2BdQgPcKJxqxcvmf3JmeA2zAZFyVdmEzznUnaiSY6xhbkbZ8nrReWLN9MBQZJuFd6by3aYlQoYFg2Bxu5d%2FLEAxWm4ljnJApBcv1csUNbJ8KxjkdXXAyPkiWPwMc4JDmXrnH5%2FXBQ7Tf1qxmze1lX2S5QvktDVUA3Bdn67nGtMvguY5EIl7tj1AezbuTFM", "https://vtbehaviour.commondatastorage.googleapis.com/68e1e958d101feb1044553d3e8ba341448a17d917e4b613cb05873814159ed40_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775282913&Signature=TKCWJVTu8VHNWLhsI%2BkIN06KJgV4R1%2F2oO9G3V2x%2Bdxi14E9JDPHosmNkN%2Fk02BRc0I8Yg4HJPmcxjdAvb8mTCZjA10bizFznZC3epwH0hmoxTVgryMxpD%2B7zTQqKIRpE9UGGC1WSu0CTJ3rI9dCyopLkmeiyJPVw%2BIuERp37p2MEwzwwIPRuYpB190GfOdCkGt6TuMjDG6cVa%2BxvJlEdoEw8US6W8WPaioxSu1KVCoKjwky", "https://vtbehaviour.commondatastorage.googleapis.com/ffe3319990984c10c84fc18f6c1d40b2c7ad44666ebc2b54368bd96327ec6abc_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775283093&Signature=GU02WhsC3g0ztmDdXDNuqx9T9POv8DnaMp7NQX%2B70%2FybCmZtbIpyPiUCOuYG5ZD1RY8bCIR9k%2F%2BGsKSwWLVUNNih3CgvqShoWsNfLKvtS%2BDRbmV6G4ohLWIP0xPHJOCA%2FWvnSdblJ%2FdibwXFCT851RdpfK3f6ph2EPHXIq%2FBwhSc28%2BJfFSMK%2B1toESpR7COi%2FUwpnMfcoSpcIMZudaaU8JrTvEVLgtJ%2FAgHjmfoXxvJlD", "https://vtbehaviour.commondatastorage.googleapis.com/02b1749e96b257099d5bafaeb1fc502442b4e064cca63fbcf4fc52af34b6435d_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775283154&Signature=m%2BGdulpws9rcUoJIzr45sR5qJdIxK89UYb6GUJL6p7n4mgYV69NJWbc3Jslcn117UKHnbSYYtRZSBRhviHhLuWsbhUG199mW8iGDiwaarp%2BbvmEIw6OXF2MgVIh%2FrJYr8slRZbUwjd9t8dMWwn%2FM5DNq6AzLyBqpznrBoVrvlibZuA9pWsHraA3P24WyEGUlbWN3NqLfmJ6gDeCKRfG7zhubGI%2Bb8Wl8GaBCodOtX2LlrA", "https://vtbehaviour.commondatastorage.googleapis.com/3e6e0898a7b1b297d2b9322f5f578b02e2fd5d5647dbeef6b9273cda383e1547_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775283189&Signature=PtLPpZoeHrLkYIaV2etyfYslOxR9PtxqmjNNDdMHoJjBUuweFaoOVGyfkf%2BUGEiGQCogCu7az%2B4btIJ3frL%2BEdzwNV7Ufeb24KQqbVUQrVITPGPCW42mMdsKdDoNQsqLooDqFsjxRGt2meZgP3F3roSTIWDEJPwr35bBBkdANOOdXZG1mg3O8JHm35%2BBQMkSxOiAxeftigjPK7On%2Fk%2FvMli1USxDUfi2eRlkRaL090nKenRXt3cz4FEBe8" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 359, "email": 2, "hostname": 664, "URL": 794, "FileHash-SHA256": 827, "FileHash-MD5": 21, "FileHash-SHA1": 17, "IPv4": 187 }, "indicator_count": 2871, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "15 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69d096edff67896dccb36a4d", "name": "VirusTotal report\n for index.html", "description": "The full name of the German domain registrar: COFFEEDESIGNCODE.com, or coffeedesign code, has been published.. and it is not yet known.", "modified": "2026-04-04T04:43:25.967000", "created": "2026-04-04T04:43:25.967000", "tags": [ "date", "server", "registrar abuse", "registrant name", "expiration date", "registry domain", "registrar iana", "registrar url", "registrant city", "ag registrant", "thumbprint", "html document", "unicode text", "utf8 text", "title microsoft", "ms05019", "none", "docs", "betafred ms", "content tocrel", "conceptual", "performs dns", "https", "file type", "tls version", "mitre attack", "network info", "urls", "t1055 process", "layer protocol", "united", "phishing", "malicious", "next", "cache entry", "chrome cache", "entry", "extra info", "process", "nothing", "registry keys", "mutexes nothing", "data", "datacrashpad", "edge", "created", "parent pid", "full path", "command line", "status code", "ssl certificates", "tls certificates", "website security", "signtool", "sectigo", "microsoft", "signtool let", "web site", "rsasha256", "rsasha384", "rsasha512", "signcode", "ssl certificate", "logo", "sxa0", "object", "regexp", "null", "tdfunction", "ddfunction", "array", "string", "dfunction", "iana id", "contact phone", "dnssec", "domain status", "registrar whois", "registrar", "language", "html internet", "doctype", "learn", "seomatic og", "timestamp", "sectigo ssl", "sectigo og", "sectigohq og", "utf8", "crlf line", "text", "ipxw1920", "fwebp", "win32 exe", "pe32", "ms windows", "win16 ne", "icons library", "os2 executable", "generic windos", "executable", "pe64 compiler", "sha256", "pc bitmap", "windows bitmap", "bitmap", "zip archive", "text text", "ascii text", "has permission", "reads", "accesses", "found", "t1413 access", "sensitive data", "device logs", "persistence", "fraud", "cloud" ], "references": [ "http://clients2.google.com/time/1/current?cup2key=8:JROu1MtiAi1ExACtDuYde399VG2TxRqflS_l7p_q0tU&cup2hreq=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855%0Ahttp://x1.c.lencr.org/%0Ahttp://c.pki.goog/r/r1.crl", "https://vtbehaviour.commondatastorage.googleapis.com/5a28f4a80025385ca11cce22b13e5eed52999965afbe16cccbc5e7165c7a0ac9_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775276100&Signature=NczLfuk5dyPFskbtz7UwIjCT2DzeU5uAQP%2FL%2BC5bjk7Ng%2FHccJbUFWcb%2FqpvZaJ%2BWg4tg6aaPKihJzwDyiF7UaJOwdX3172ddwGJAfggvgpJ68YtVBE1nyhHAoFO6KsLL73DjNj58e8Uhq6Bcx4nXa86FETCR%2FzzXDlLDXyQSxf%2FKhG8zuxEsss9vRDCF%2B3TJGvJ5EmQ5HwGvk2ex9wf6H1FrBxEyx6BH5i6txcC9vMG9SXQ6eYR2p", "https://vtbehaviour.commondatastorage.googleapis.com/5a28f4a80025385ca11cce22b13e5eed52999965afbe16cccbc5e7165c7a0ac9_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775276177&Signature=iO1RoMLTZsC3s7nBZ8wieXl6wwWrnnCqu%2F5pXBAa2Luk2wKtKTXUyyZEOOhqaCFNbUPjsIfY1v0KxEBxzkumSiDs3XXBs%2FYt49goHGNudddQOKcmLsjbT2GhALTnmmVvl79aLJaLwnMe9B7PkJpSTGuBrutOjF5VJ0yofcbM4XjQQlOIkc8WWi94WMVxXpWAjFK9D5zmoyn9G5w1TahDZjePP%2FfkKNpJe2OqRQ59iXyHcG1nvA%2FUIx", "http://timestamp.sectigo.com/", "https://www.google-analytics.com/analytics.js", "http://clients2.google.com/time/1/current?cup2key=8:JROu1MtiAi1ExACtDuYde399VG2TxRqflS_l7p_q0tU&cup2hreq=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", "https://vtbehaviour.commondatastorage.googleapis.com/5a28f4a80025385ca11cce22b13e5eed52999965afbe16cccbc5e7165c7a0ac9_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775277214&Signature=y3%2FkmodrmzpLTVDtkzYvlqSkUTQ8Tri%2FDiLIqIpCBmJ6%2Bwk5p%2FJDSAwE5V8Wdp0vWLWjfA4DvRyS%2FvmNV4kFOr422iVZH2Ap2evf8%2Bq2bp9CW%2BAuBCjgz9K329V4%2B%2B9duUsUhVBqZ%2BNKz%2Fj4z7ZDBI%2BjqPV8XjvTI7pXAfzknmFAfZU%2FjalCNigHCX%2FIOgymeTOfzSOLYLClpNTr%2BYle8VSI%2BHf9TgUWP2WgNF", "https://vtbehaviour.commondatastorage.googleapis.com/028e16744de653383b403efd4b755075deeb7d8ce264d7edd4615725e5b4c4c6_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775277967&Signature=oSvtx7eGCctItNKSDZN4tpJp11yn5QQjCHsLi45z7kUOa9nbuhPdVjh9gBKlXtNuGfXbpItYf6NFI%2B4pKCin266TJQP7FzDSnUzzziJTuqmZwxihDeoZ1RauqVOzGoAmrj9sG8nOYXqbOHNxQ3E6SugSzW3UFbyQJzfKt%2FsqsPsKAvl4su%2FlkWsqTHUR%2FT%2FLTTQV0ZXLwnrLv%2FdBA7DdsiE35g%2FPOiUdzJjkjhSILF%2BR" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1406", "name": "Obfuscated Files or Information", "display_name": "T1406 - Obfuscated Files or Information" }, { "id": "T1409", "name": "Access Stored Application Data", "display_name": "T1409 - Access Stored Application Data" }, { "id": "T1413", "name": "Access Sensitive Data in Device Logs", "display_name": "T1413 - Access Sensitive Data in Device Logs" }, { "id": "T1421", "name": "System Network Connections Discovery", "display_name": "T1421 - System Network Connections Discovery" }, { "id": "T1424", "name": "Process Discovery", "display_name": "T1424 - Process Discovery" }, { "id": "T1426", "name": "System Information Discovery", "display_name": "T1426 - System Information Discovery" }, { "id": "T1429", "name": "Capture Audio", "display_name": "T1429 - Capture Audio" }, { "id": "T1430", "name": "Location Tracking", "display_name": "T1430 - Location Tracking" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 50, "email": 2, "hostname": 196, "FileHash-SHA1": 51, "URL": 234, "FileHash-MD5": 54, "FileHash-SHA256": 715, "IPv4": 32 }, "indicator_count": 1334, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "15 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69d096edd596a1a9e9a0aa92", "name": "VirusTotal report\n for index.html", "description": "The full name of the German domain registrar: COFFEEDESIGNCODE.com, or coffeedesign code, has been published.. and it is not yet known.", "modified": "2026-04-04T04:43:25.258000", "created": "2026-04-04T04:43:25.258000", "tags": [ "date", "server", "registrar abuse", "registrant name", "expiration date", "registry domain", "registrar iana", "registrar url", "registrant city", "ag registrant", "thumbprint", "html document", "unicode text", "utf8 text", "title microsoft", "ms05019", "none", "docs", "betafred ms", "content tocrel", "conceptual", "performs dns", "https", "file type", "tls version", "mitre attack", "network info", "urls", "t1055 process", "layer protocol", "united", "phishing", "malicious", "next", "cache entry", "chrome cache", "entry", "extra info", "process", "nothing", "registry keys", "mutexes nothing", "data", "datacrashpad", "edge", "created", "parent pid", "full path", "command line", "status code", "ssl certificates", "tls certificates", "website security", "signtool", "sectigo", "microsoft", "signtool let", "web site", "rsasha256", "rsasha384", "rsasha512", "signcode", "ssl certificate", "logo", "sxa0", "object", "regexp", "null", "tdfunction", "ddfunction", "array", "string", "dfunction", "iana id", "contact phone", "dnssec", "domain status", "registrar whois", "registrar", "language", "html internet", "doctype", "learn", "seomatic og", "timestamp", "sectigo ssl", "sectigo og", "sectigohq og", "utf8", "crlf line", "text", "ipxw1920", "fwebp", "win32 exe", "pe32", "ms windows", "win16 ne", "icons library", "os2 executable", "generic windos", "executable", "pe64 compiler", "sha256", "pc bitmap", "windows bitmap", "bitmap", "zip archive", "text text", "ascii text", "has permission", "reads", "accesses", "found", "t1413 access", "sensitive data", "device logs", "persistence", "fraud", "cloud" ], "references": [ "http://clients2.google.com/time/1/current?cup2key=8:JROu1MtiAi1ExACtDuYde399VG2TxRqflS_l7p_q0tU&cup2hreq=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855%0Ahttp://x1.c.lencr.org/%0Ahttp://c.pki.goog/r/r1.crl", "https://vtbehaviour.commondatastorage.googleapis.com/5a28f4a80025385ca11cce22b13e5eed52999965afbe16cccbc5e7165c7a0ac9_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775276100&Signature=NczLfuk5dyPFskbtz7UwIjCT2DzeU5uAQP%2FL%2BC5bjk7Ng%2FHccJbUFWcb%2FqpvZaJ%2BWg4tg6aaPKihJzwDyiF7UaJOwdX3172ddwGJAfggvgpJ68YtVBE1nyhHAoFO6KsLL73DjNj58e8Uhq6Bcx4nXa86FETCR%2FzzXDlLDXyQSxf%2FKhG8zuxEsss9vRDCF%2B3TJGvJ5EmQ5HwGvk2ex9wf6H1FrBxEyx6BH5i6txcC9vMG9SXQ6eYR2p", "https://vtbehaviour.commondatastorage.googleapis.com/5a28f4a80025385ca11cce22b13e5eed52999965afbe16cccbc5e7165c7a0ac9_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775276177&Signature=iO1RoMLTZsC3s7nBZ8wieXl6wwWrnnCqu%2F5pXBAa2Luk2wKtKTXUyyZEOOhqaCFNbUPjsIfY1v0KxEBxzkumSiDs3XXBs%2FYt49goHGNudddQOKcmLsjbT2GhALTnmmVvl79aLJaLwnMe9B7PkJpSTGuBrutOjF5VJ0yofcbM4XjQQlOIkc8WWi94WMVxXpWAjFK9D5zmoyn9G5w1TahDZjePP%2FfkKNpJe2OqRQ59iXyHcG1nvA%2FUIx", "http://timestamp.sectigo.com/", "https://www.google-analytics.com/analytics.js", "http://clients2.google.com/time/1/current?cup2key=8:JROu1MtiAi1ExACtDuYde399VG2TxRqflS_l7p_q0tU&cup2hreq=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", "https://vtbehaviour.commondatastorage.googleapis.com/5a28f4a80025385ca11cce22b13e5eed52999965afbe16cccbc5e7165c7a0ac9_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775277214&Signature=y3%2FkmodrmzpLTVDtkzYvlqSkUTQ8Tri%2FDiLIqIpCBmJ6%2Bwk5p%2FJDSAwE5V8Wdp0vWLWjfA4DvRyS%2FvmNV4kFOr422iVZH2Ap2evf8%2Bq2bp9CW%2BAuBCjgz9K329V4%2B%2B9duUsUhVBqZ%2BNKz%2Fj4z7ZDBI%2BjqPV8XjvTI7pXAfzknmFAfZU%2FjalCNigHCX%2FIOgymeTOfzSOLYLClpNTr%2BYle8VSI%2BHf9TgUWP2WgNF", "https://vtbehaviour.commondatastorage.googleapis.com/028e16744de653383b403efd4b755075deeb7d8ce264d7edd4615725e5b4c4c6_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775277967&Signature=oSvtx7eGCctItNKSDZN4tpJp11yn5QQjCHsLi45z7kUOa9nbuhPdVjh9gBKlXtNuGfXbpItYf6NFI%2B4pKCin266TJQP7FzDSnUzzziJTuqmZwxihDeoZ1RauqVOzGoAmrj9sG8nOYXqbOHNxQ3E6SugSzW3UFbyQJzfKt%2FsqsPsKAvl4su%2FlkWsqTHUR%2FT%2FLTTQV0ZXLwnrLv%2FdBA7DdsiE35g%2FPOiUdzJjkjhSILF%2BR" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1406", "name": "Obfuscated Files or Information", "display_name": "T1406 - Obfuscated Files or Information" }, { "id": "T1409", "name": "Access Stored Application Data", "display_name": "T1409 - Access Stored Application Data" }, { "id": "T1413", "name": "Access Sensitive Data in Device Logs", "display_name": "T1413 - Access Sensitive Data in Device Logs" }, { "id": "T1421", "name": "System Network Connections Discovery", "display_name": "T1421 - System Network Connections Discovery" }, { "id": "T1424", "name": "Process Discovery", "display_name": "T1424 - Process Discovery" }, { "id": "T1426", "name": "System Information Discovery", "display_name": "T1426 - System Information Discovery" }, { "id": "T1429", "name": "Capture Audio", "display_name": "T1429 - Capture Audio" }, { "id": "T1430", "name": "Location Tracking", "display_name": "T1430 - Location Tracking" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 50, "email": 2, "hostname": 196, "FileHash-SHA1": 51, "URL": 234, "FileHash-MD5": 54, "FileHash-SHA256": 715, "IPv4": 32 }, "indicator_count": 1334, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "15 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69cbc67616143807f363df15", "name": "VirusTotal report\n for document.html", "description": "", "modified": "2026-03-31T13:04:54.941000", "created": "2026-03-31T13:04:54.941000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "IPv4": 17, "URL": 100, "domain": 3, "hostname": 40 }, "indicator_count": 163, "is_author": false, "is_subscribing": null, "subscriber_count": 49, "modified_text": "19 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69cbc676f5e3a563141df00f", "name": "VirusTotal report\n for document.html", "description": "", "modified": "2026-03-31T13:04:54.365000", "created": "2026-03-31T13:04:54.365000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "IPv4": 17, "URL": 100, "domain": 3, "hostname": 40 }, "indicator_count": 163, "is_author": false, "is_subscribing": null, "subscriber_count": 49, "modified_text": "19 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69c093748442bdddcab64347", "name": "Clone by Q.Vashti credit - \" emotet-is-not-dead-yet.html\"", "description": "", "modified": "2026-03-23T02:38:59.086000", "created": "2026-03-23T01:12:20.012000", "tags": [ "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "defense evasion", "ssl certificate", "spawns", "sha1", "copy md5", "copy sha1", "copy sha256", "ascii text", "sha256", "united", "size", "pattern match", "png image", "path", "date", "encrypt", "mask", "june", "hybrid", "general", "local", "click", "strings", "domains", "hashes", "value", "variables", "optanonwrapper", "parsely", "typeof function", "handlebars", "stq function", "x string", "optanon", "verified", "ecdsa", "automattic", "linux x8664", "khtml", "gecko", "aes128gcm", "cloudflarenet", "europedublin", "facebook", "accept", "emotet", "dead", "twitter", "unit", "thursday", "january", "google tag", "utc gtm53l4wgzn", "utc na", "server nginx", "date mon", "gmt contenttype", "connection", "wordpress vip", "https", "link", "contentencoding", "miss xrq", "html document", "unicode text", "utf8 text", "crlf", "lf line", "resolved ips", "cname", "http", "ip address", "gmt ifnonematch", "info file", "network dropped", "duration cuckoo", "version file", "machine label", "shutdown", "address port", "url data", "address range", "cidr", "network name", "type", "status", "whois server", "entity autom93", "handle", "key identifier", "x509v3 subject", "v3 serial", "number", "cus olet", "encrypt cne6", "validity", "subject public", "key info", "key algorithm", "thumbprint", "inc abuse", "email", "street", "service", "arin rdapwhois", "rdapwhois", "reporting", "copyright", "registry", "allocation", "geofeed https", "range", "name automattic", "parent net192", "net1920000", "net type", "origin as", "autom93", "restful link", "arin search", "whoisrws", "delegation", "ta0007 command", "control ta0011", "catalog tree", "cndigicert sha2", "secure server", "ca odigicert", "inc cus", "subject", "corporation cus", "algorithm", "azure rsa", "tls issuing", "cus subject", "stwa lredmond", "corporation c", "get http", "request", "response", "windows nt", "win64", "dns resolutions" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" } ], "industries": [], "TLP": "green", "cloned_from": "6846c463106765b93b44335a", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 446, "FileHash-SHA1": 349, "FileHash-SHA256": 1979, "SSLCertFingerprint": 15, "URL": 362, "domain": 120, "hostname": 329, "CIDR": 8, "email": 2, "IPv4": 1 }, "indicator_count": 3611, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "27 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6923408464566e39caf32285", "name": "Discord- DNS | Malvertizing | Ransom/Msilzilla (sifting IoC\u2019s created by scnrscnr)", "description": "TAGS\nActive\n443 ma2592000\nChristopher Pool\nPool's Closed\nTimothy Pool\na li\n google\namerica att\napache\napache ip\nasn as46606\nauditmode force\nbehavior\nbinary\nbinary file\nbk role\nchat\ncheck\nchrome\nck ids\ncommon stealer\ncookie\ndata upload\ndefender\ndelete c\ndirectui\ndiscord\ndns lookup\ndomain add\ndrop\ndynamicloader\neb d8\nee fc\nerror oct\nexplorer\nexternal ip\nextraction\nf0 ff\nfailed\nff bb\nff d5\nff ff\nfiles\nfoundry\ngmt content\ngmt etag\ngmt server\ngoogle chrome\nguard\nhigh\ninsert\nlolminer\nmalware\nmedia\nmeta\nmoved\nmovie\nmsie\nmsvisualbasic60\nmtb aug -present \nneversend\npowershell\nrelated nids\nresponse ip\nself\nservice domain\nsingapore\nsmartassembly\nspan\nspan a\nsx08x00x00a\ntargeting\ntls sni\ntrojan\ntrojandropper\ntwitter\ntx08x00x00n\nunique\nuser agent\nux08x00x00h\nvirtool\nvirustotal api\nvoice\nvx08x00x00j\nwrite\nwrite c\nwx08x00x00\nx08x00x00b\nx08x00x00x00\nyara\nyara rule\nyx08x00x00l\nz3je\nz3uwq7\nzx08x00x00", "modified": "2025-12-23T16:04:54.329000", "created": "2025-11-23T17:12:36.917000", "tags": [ "no expiration", "expiration", "url https", "url http", "filehashsha256", "hostname", "domain", "filehashmd5", "filehashsha1", "ipv4", "code", "pool", "timothy pool", "z3je z3uwq7", "creation date", "ip address", "emails", "expiration date", "status", "hostname add", "pulse pulses", "passive dns", "urls", "date" ], "references": [ "https://otx.alienvault.com/pulse/5fa57698ac0f6638b7b9a8ba", "Examining pulse created by scnrscnr is worth reviewing. I was surprised tonal see a targets name.I didn\u2019t see Foundry highlighted", "http://aninditaannisa.blogspot.com/2019/02/tsara-brashears-porn.html \u2022 blogspot.com", "https://aninditaannisa.blogspot.com/2019/02/tsara-brashears-porn.html \u2022 blogspot.com \u2022 www.techcult.com/judge-the-simpsons-parody-is-child-pornography/ Whitelisted domain techcult.com\t Domain blogspot.com Whitelisted domain blogspot.com\t Domain techcult.com Whitelisted domain techcult.com\t Hostname aninditaannisa.blogspot.com \u2022 domain blogspot.com", "www.techcult.com", "http://foundry.tartarynova.com phishing \u2022 https://foundry.tartarynova.com \u2022 foundry.tartarynova.com", "https://trail.truefoundry.com/api/t/c/usr_NEDuPPvnqv5DXyhti/tsk_X2YECqnpAow7t6JuE/enc_U2FsdGVkX1_wWHRx9nPGCEspZpUcIwc1yphMTxaaQ2ZAbsxOqRR4ibXcaYtcmgJ1UgabTFCHVVBLx2oAnBAW2h8el_edjHN72Ug0yKQePjKnSJEOnQvtq8MUPo0vkU1N", "https://trail.truefoundry.com/api/track/open/usr_NEDuPPvnqv5DXyhti/tsk_L9bYYgL2HGng9mDsC", "https://trail.truefoundry.com/api/track/open/usr_NEDuPPvnqv5DXyhti/tsk_X2YECqnpAow7t6JuE", "truefoundry.com \u2022 assets.production.truefoundry.com \u2022 cpt.llm-gateway.truefoundry.com", "yyz.llm-gateway.truefoundry.com \u2022 trail.truefoundry.com \u2022 sin.llm-gateway.truefoundry.com", "lm-gateway.truefoundry.com \u2022 https://assets.production.truefoundry.com/sample-openapi.json", "162.159.128.233 \u2022 http://tsar.vicly.org \u2022 https://tsar.vicly.org \u2022 tsar.vicly.org \u2022 vicly.org \u2022 https://tsar.vicly.org/", "http://scteamcommunity.com/4k-high-res-porn-videos/squirt phishing", "http://pic.porn.hub-accessories.site \u2022 https://pic.porn.hub-accessories.site \u2022 pic.porn.hub-accessories.site", "2022ww11.pornhubgsy.com \u2022 http://scteamcommunity.com/4k-high-res-porn-videos/squirt", "IDS Detections: Observed Discord Domain in DNS Lookup (discord .com) Discord Chat Service Domain in DNS Lookup (discord .com)", "IDS Detections: Observed Discord Domain (discord .com in TLS SNI)", "IDS Detections: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)", "IDS Detections: Observed Discord Domain (discordapp .com in TLS SNI) Observed Discord Service Domain (discord .com) in TLS SNI Less", "Yara: Detections ConventionEngine_Term_Users", "Yara: ConventionEngine_Anomaly_MultiPDB_Double , ConventionEngine_Term_Documents", "Alerts: infostealer_browser infostealer_cookies binary_yara procmem_yara static_pe_anomaly", "Alerts: pe_compile_timestomping antiav_detectfile antidebug_guardpages encrypted_ioc", "Alerts: dynamic_function_loading injection_write_process reads_memory_remote_process", "Alerts : network_cnc_https_generic reads_self packer_entropy injection_rwx uses_windows_utilities antivm_checks_available_memory queries_computer_name queries_user_name", "Yara : MS_Visual_Basic_6_0 ,", "Yara : UPX , Nrv2x , UPX_OEP_place , UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , UPXv20MarkusLaszloReiser", "Alerts : ransomware_file_modifications stealth_file procmem_yara static_pe_anomaly", "Alerts: disables_folder_options stealth_hidden_extension stealth_hiddenreg anomalous_deletefile", "Alerts: mouse_movement_detect", "Couldn\u2019t pulse 1st pulse so here\u2019s what\u2019s left", "scnrscnr pulse is good. I\u2019m assuming they\u2019re targets.", "Foundry stalking." ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "TrojanDropper:Win32/VB.IL0", "display_name": "TrojanDropper:Win32/VB.IL0", "target": "/malware/TrojanDropper:Win32/VB.IL0" }, { "id": "ALF:Trojan:Win32/Cassini_56a3061!ibt", "display_name": "ALF:Trojan:Win32/Cassini_56a3061!ibt", "target": null }, { "id": "Win.Ransomware.Msilzilla-10014498-0", "display_name": "Win.Ransomware.Msilzilla-10014498-0", "target": null } ], "attack_ids": [ { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1443", "name": "Remotely Install Application", "display_name": "T1443 - Remotely Install Application" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 773, "FileHash-SHA1": 684, "FileHash-SHA256": 1910, "CVE": 2, "SSLCertFingerprint": 4, "URL": 3783, "domain": 878, "email": 7, "hostname": 1913 }, "indicator_count": 9954, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "117 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "688ef0516013ca78448bf4e5", "name": "Foundry \u2022 Reflected Networks Pornhub Malvertising Subsidiary", "description": "Foundry ? Pornhub\nsanfoundry.com\ncompliance.fifoundry.net- Pornhub subsidiary. Targets networks, devices, routers, used for promoting pornography and her music. Producer revealed her hooks were used for Justin Bieber & Tori Kelly songs that. A producer stated her songs had been grifted. Both Tsara Brashears & a studio were in Pegasus & attacked by \u2018Lazarus\u2019 Group. She was told in detail how her songs can be used by music insiders if they choose. Target trolled by mocking hackers re: the JB and Kelly song.. Trojan:Win32/DisableUAC.A!bit\n, MSIL:Suspicious:ScreenCapture.S01\nIDS Detections\nLokiBot Checkin\nLokiBot User-Agent (Charon/Inferno)\nLokiBot Application/Credential Data Exfiltration Detected M1\nLokiBot Request for C2 Commands Detected M1\nLokiBot Application/Credential Data Exfiltration Detected M2\nLokiBot Request for C2 Commands Detected M2\nTrojan Generic - POST To gate.php with no referer\nSSL excessive fatal alerts (possible POODLE attack against server)\nI will revisit this. Gloryhole Foundation?", "modified": "2025-09-02T04:01:31.218000", "created": "2025-08-03T05:14:57.402000", "tags": [ "united", "moved", "entries", "passive dns", "detected m1", "next associated", "mtb apr", "mtb aug", "server", "gmt content", "trojandropper", "trojan", "body", "lokibot request", "c2 commands", "detected m2", "otx telemetry", "historical otx", "twitter running", "open ports", "cves", "time", "dynamicloader", "port", "search", "show", "destination", "alerts", "copy", "dynamic", "medium", "write", "creation date", "hostmaster", "urls", "domain", "showing", "hostname add", "pulse pulses", "date", "flag", "falcon sandbox", "name server", "markmonitor", "analysis", "mitre att", "anonymous", "upgrade", "hybrid", "contact", "usa windows", "december", "input threat", "level analysis", "summary", "february", "hwp support", "january", "october", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "calls", "command", "javascript", "object model", "model", "windir", "json data", "localappdata", "ascii text", "temp", "getprocaddress", "script", "license", "runtime process", "copy md5", "facebook", "roboto", "error", "win64", "path", "blink", "meta", "factory", "general", "comspec", "click", "strings", "damage", "mini", "stop", "core", "expl", "win32", "gmt server", "ecacc saa83dd", "ipv4 add", "twitter", "cobalt strike", "mozilla" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 263, "FileHash-SHA1": 256, "FileHash-SHA256": 837, "hostname": 4415, "URL": 1918, "domain": 1884, "email": 2, "SSLCertFingerprint": 2 }, "indicator_count": 9577, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "229 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://connect.facebook.net", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://connect.facebook.net", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776615260.2673056 }