{ "type": "URL", "indicator": "https://login.microsoftonline.com/", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://login.microsoftonline.com/", "type": "url", "type_title": "URL", "validation": [ { "source": "alexa", "message": "Alexa rank: #36", "name": "Listed on Alexa" }, { "source": "akamai", "message": "Akamai rank: #106", "name": "Akamai Popular Domain" }, { "source": "whitelist", "message": "Whitelisted domain microsoftonline.com", "name": "Whitelisted domain" }, { "source": "majestic", "message": "Whitelisted domain microsoftonline.com", "name": "Whitelisted domain" } ], "base_indicator": { "id": 2899338058, "indicator": "https://login.microsoftonline.com/", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 34, "pulses": [ { "id": "6a16afb92680fcea084bb7b0", "name": "credit: scoreblue ['Eternal Blue_Wana Cry MS'] clone - user notes: interesting name tagged", "description": "", "modified": "2026-05-27T08:54:31.968000", "created": "2026-05-27T08:47:53.724000", "tags": [ "sha256", "sha1", "pattern match", "ascii text", "document file", "v2 document", "crlf line", "size", "unicode", "beginstring", "null", "hybrid", "refresh", "body", "span", "local", "click", "strings", "error", "tools", "look", "verify", "restart", "contact", "external-resources", "dom-modification", "third-party-cookies", "iframes", "trackers", "text/html", "twitter", "final url", "ip address", "status code", "body length", "kb body", "headers", "deny", "express", "referrer", "impacting azure", "proofpoint", "sneaky server", "replacement", "unauthorized", "switch dns", "query", "vy binh", "hiddentear", "et tor", "known tor", "misc attack", "relayrouter", "exit", "node traffic", "date", "meta", "form", "submission", "expiresthu", "path", "secure", "self", "xcitium verdict", "cloud", "sophos", "history first", "analysis", "cp", "cyber", "threat", "redrum", "hit", "men", "triangulation", "historical ssl", "apt suspects", "critical cmd", "hide", "asyncrat", "jeremy", "government", "malicious", "yuming", "name servers", "united", "passive dns", "urls", "creation date", "search", "expiration date", "showing", "unknown", "next", "windows nt", "malware beacon", "memcommit", "generic http", "exe upload", "outbound", "etpro trojan", "show", "trojan", "copy", "write", "win32", "malware", "read c", "entries", "medium", "markus", "contentlength", "write c", "delete c", "create c", "yara detections", "scan endpoints", "all scoreblue", "filehash", "pulse pulses", "av detections", "ids detections", "alerts", "analysis date", "file score", "next pe", "as32934", "hitmen", "local government", "scene unit", "crime", "denver police", "address", "status", "aaaa", "apple", "less whois", "registrar", "wannacry", "http", "unique", "url https", "related nids", "code", "screenshot", "anity", "nsa", "shadow", "saudi telecom", "riyadh address", "saudi arabia", "abuse", "ripe", "company isp", "number", "label saudi", "telecom company", "jsc regional", "riyadh", "ripe ncc", "registry techc", "campus", "saudi", "ripe network", "domain", "internet se", "emails", "system", "server tsa", "b server", "certificate", "digicert inc", "moved", "record value" ], "references": [ "http://x.com/denverpolice/status/", "Redirects to >https://twitter.com/x/migrate?tok=eyJlIjoiL2RlbnZlcnBvbGljZS9zdGF0dXMvIiwidCI6MTcxNjcwMzc3M33oZya0EO4PtEbRwq4XZboX", "Redirects to https://twitter.com?mx=1", "IP address: 104.244.42.1 Hosting: Unknown Running on: Tsa B CMS: Express", "Crouching Yeti: Appendixes - according to source ArcSight Threat Intelligence", "https://otx.alienvault.com/indicator/file/00001aff2ea1acd6087f9fba8d8316d90d29e391d9969bc70cc607461467797e", "Alerts: nids_malware_alert network_icmp dumped_buffer network_cnc_http network_http network_http_post allocates_rwx", "Alerts: packer_entropy packer_upx antivm_memory_available pe_features", "Yara Detections: Yara Detections Nrv2x , UPX_OEP_place , UPX_Modified_Or_Inside , UPX20030XMarkusOberhumerLaszloMolnarJohnReiser , UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , Toxoplasmosis , UPX", "Packer UPX v0.89.6 - v1.02 / v1.05 -v1.24 -> Markus & Laszlo [overlay]", "Yara Detections: ConventionEngine_Term_Desktop , LZMA , mpress_2_xx_x86 , dbgdetect_procs", "pornhub.dev, http://matrix.pornhub.dev, https://twitter.com/PORNO_SEXYBABES, https://www.anon-v.com/porno/fenella/", "Hostname device-local-fb18804d-348e-49ea-8c17-cc8a29f18082.remotewd.com | 192.168.56.104: IPv4", "https://otx.alienvault.com/indicator/file/f7636eef1d9df0664cd0f205ad8864b659bf9898ce6231376778c4411986912e", "https://otx.alienvault.com/indicator/file/000054fa2b0d1004464350ee9acc40707fec51223dba36c702a3db4139af9717", "Domain: hicloudcam.com | https://otx.alienvault.com/indicator/hostname/alarmeu.sslproxy.gatewayvvlilly3lilly.alpha.hicloudcam.com", "originb0b.profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com | 108.160.165.139 Location: USA |ASN AS19679 dropbox inc. Nameservers ns-136.awsdns-17.com. ns-1518.awsdns-61.org. ,\u00a0 ns-1573.awsdns-04.co.uk. ,\u00a0 ns-809.awsdns-37.net. Less WHOIS Registrar: https://www.101domain.com/,\u00a0\u00a0 Creation Date: Oct 21, 2010 Related Pulses None Related Tags None Indicator Facts Running webserver External Resources Whois,\u00a0 UrlVoid,\u00a0 VirusTotal Analysis Related Pulses Comments (0) Whois Show 100 entr", "https://otx.alienvault.com/indicator/hostname/originb0b.profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com", "PATHETIC redirect: rainn.org | victims of violence & abuse disclose extremely sensitive details. Reported false information given to disorient victims.", "WannaCry | NSA -Anity Cert: https://otx.alienvault.com/indicator/url/https://www.antiy.com/response/Antiy_Wannacry_NSA.html", "WannaCry MS17-010 'Shadow' https://otx.alienvault.com/otxapi/indicators/url/screenshot/https://www.antiy.com/response/wannacry.html", "Command and Control IP: 5.41.21.250 | Location Saudi Arabia flag Jeddah, Saudi Arabia ASN AS39891 saudi telecom company jsc", "m.pornsexer.xxx.3.1.adiosfil.roksit.net", "uploads-cserver-alumni-profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win32/Vflooder.B Checkin", "display_name": "Win32/Vflooder.B Checkin", "target": null }, { "id": "Win.Malware.Vtflooder-6723768-0", "display_name": "Win.Malware.Vtflooder-6723768-0", "target": null }, { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "Win32/Vflooder.B vtapi DOS", "display_name": "Win32/Vflooder.B vtapi DOS", "target": null }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "Win.Trojan.Downloader-63174", "display_name": "Win.Trojan.Downloader-63174", "target": null }, { "id": "Clicker.BGOU", "display_name": "Clicker.BGOU", "target": null }, { "id": "Win.Trojan.Agent-752791", "display_name": "Win.Trojan.Agent-752791", "target": null }, { "id": "Win.Dropper.QQpass-9895638-0", "display_name": "Win.Dropper.QQpass-9895638-0", "target": null }, { "id": "Trojan:Win32/QQpass", "display_name": "Trojan:Win32/QQpass", "target": "/malware/Trojan:Win32/QQpass" }, { "id": "WannaCry", "display_name": "WannaCry", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1038", "name": "DLL Search Order Hijacking", "display_name": "T1038 - DLL Search Order Hijacking" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1470", "name": "Obtain Device Cloud Backups", "display_name": "T1470 - Obtain Device Cloud Backups" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" } ], "industries": [], "TLP": "green", "cloned_from": "66536c8eee8d42d670e27723", "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 350, "FileHash-SHA1": 348, "FileHash-SHA256": 2662, "URL": 7850, "domain": 2245, "hostname": 3611, "SSLCertFingerprint": 4, "email": 10, "CIDR": 4 }, "indicator_count": 17084, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "4 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a16ab45548ef01419902c8f", "name": "Credit: Scoreblue - \"iOS Attack - Crouching Yeti: http://x.[com]/denverpolice/status/| CREATED 2 YEARS AGO MODIFIED 2 YEARS AGO by scoreblue Public", "description": "", "modified": "2026-05-27T08:28:53.256000", "created": "2026-05-27T08:28:53.256000", "tags": [ "sha256", "sha1", "pattern match", "ascii text", "document file", "v2 document", "crlf line", "size", "unicode", "beginstring", "null", "hybrid", "refresh", "body", "span", "local", "click", "strings", "error", "tools", "look", "verify", "restart", "contact", "external-resources", "dom-modification", "third-party-cookies", "iframes", "trackers", "text/html", "twitter", "final url", "ip address", "status code", "body length", "kb body", "headers", "deny", "express", "referrer", "impacting azure", "proofpoint", "sneaky server", "replacement", "unauthorized", "switch dns", "query", "vy binh", "hiddentear", "et tor", "known tor", "misc attack", "relayrouter", "exit", "node traffic", "date", "meta", "form", "submission", "expiresthu", "path", "secure", "self", "xcitium verdict", "cloud", "sophos", "history first", "analysis", "cp", "cyber", "threat", "redrum", "hit", "men", "triangulation", "historical ssl", "apt suspects", "critical cmd", "hide", "asyncrat", "jeremy", "government", "malicious", "yuming", "name servers", "united", "passive dns", "urls", "creation date", "search", "expiration date", "showing", "unknown", "next", "windows nt", "malware beacon", "memcommit", "generic http", "exe upload", "outbound", "etpro trojan", "show", "trojan", "copy", "write", "win32", "malware", "read c", "entries", "medium", "markus", "contentlength", "write c", "delete c", "create c", "yara detections", "scan endpoints", "all scoreblue", "filehash", "pulse pulses", "av detections", "ids detections", "alerts", "analysis date", "file score", "next pe", "as32934", "hitmen", "local government", "scene unit", "crime", "denver police", "address", "status", "aaaa", "apple", "less whois", "registrar", "wannacry", "http", "unique", "url https", "related nids", "code", "screenshot", "anity", "nsa", "shadow", "saudi telecom", "riyadh address", "saudi arabia", "abuse", "ripe", "company isp", "number", "label saudi", "telecom company", "jsc regional", "riyadh", "ripe ncc", "registry techc", "campus", "saudi", "ripe network", "domain", "internet se", "emails", "system", "server tsa", "b server", "certificate", "digicert inc", "moved", "record value" ], "references": [ "http://x.com/denverpolice/status/", "Redirects to >https://twitter.com/x/migrate?tok=eyJlIjoiL2RlbnZlcnBvbGljZS9zdGF0dXMvIiwidCI6MTcxNjcwMzc3M33oZya0EO4PtEbRwq4XZboX", "Redirects to https://twitter.com?mx=1", "IP address: 104.244.42.1 Hosting: Unknown Running on: Tsa B CMS: Express", "Crouching Yeti: Appendixes - according to source ArcSight Threat Intelligence", "https://otx.alienvault.com/indicator/file/00001aff2ea1acd6087f9fba8d8316d90d29e391d9969bc70cc607461467797e", "Alerts: nids_malware_alert network_icmp dumped_buffer network_cnc_http network_http network_http_post allocates_rwx", "Alerts: packer_entropy packer_upx antivm_memory_available pe_features", "Yara Detections: Yara Detections Nrv2x , UPX_OEP_place , UPX_Modified_Or_Inside , UPX20030XMarkusOberhumerLaszloMolnarJohnReiser , UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , Toxoplasmosis , UPX", "Packer UPX v0.89.6 - v1.02 / v1.05 -v1.24 -> Markus & Laszlo [overlay]", "Yara Detections: ConventionEngine_Term_Desktop , LZMA , mpress_2_xx_x86 , dbgdetect_procs", "pornhub.dev, http://matrix.pornhub.dev, https://twitter.com/PORNO_SEXYBABES, https://www.anon-v.com/porno/fenella/", "Hostname device-local-fb18804d-348e-49ea-8c17-cc8a29f18082.remotewd.com | 192.168.56.104: IPv4", "https://otx.alienvault.com/indicator/file/f7636eef1d9df0664cd0f205ad8864b659bf9898ce6231376778c4411986912e", "https://otx.alienvault.com/indicator/file/000054fa2b0d1004464350ee9acc40707fec51223dba36c702a3db4139af9717", "Domain: hicloudcam.com | https://otx.alienvault.com/indicator/hostname/alarmeu.sslproxy.gatewayvvlilly3lilly.alpha.hicloudcam.com", "originb0b.profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com | 108.160.165.139 Location: USA |ASN AS19679 dropbox inc. Nameservers ns-136.awsdns-17.com. ns-1518.awsdns-61.org. ,\u00a0 ns-1573.awsdns-04.co.uk. ,\u00a0 ns-809.awsdns-37.net. Less WHOIS Registrar: https://www.101domain.com/,\u00a0\u00a0 Creation Date: Oct 21, 2010 Related Pulses None Related Tags None Indicator Facts Running webserver External Resources Whois,\u00a0 UrlVoid,\u00a0 VirusTotal Analysis Related Pulses Comments (0) Whois Show 100 entr", "https://otx.alienvault.com/indicator/hostname/originb0b.profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com", "PATHETIC redirect: rainn.org | victims of violence & abuse disclose extremely sensitive details. Reported false information given to disorient victims.", "WannaCry | NSA -Anity Cert: https://otx.alienvault.com/indicator/url/https://www.antiy.com/response/Antiy_Wannacry_NSA.html", "WannaCry MS17-010 'Shadow' https://otx.alienvault.com/otxapi/indicators/url/screenshot/https://www.antiy.com/response/wannacry.html", "Command and Control IP: 5.41.21.250 | Location Saudi Arabia flag Jeddah, Saudi Arabia ASN AS39891 saudi telecom company jsc", "m.pornsexer.xxx.3.1.adiosfil.roksit.net", "uploads-cserver-alumni-profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win32/Vflooder.B Checkin", "display_name": "Win32/Vflooder.B Checkin", "target": null }, { "id": "Win.Malware.Vtflooder-6723768-0", "display_name": "Win.Malware.Vtflooder-6723768-0", "target": null }, { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "Win32/Vflooder.B vtapi DOS", "display_name": "Win32/Vflooder.B vtapi DOS", "target": null }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "Win.Trojan.Downloader-63174", "display_name": "Win.Trojan.Downloader-63174", "target": null }, { "id": "Clicker.BGOU", "display_name": "Clicker.BGOU", "target": null }, { "id": "Win.Trojan.Agent-752791", "display_name": "Win.Trojan.Agent-752791", "target": null }, { "id": "Win.Dropper.QQpass-9895638-0", "display_name": "Win.Dropper.QQpass-9895638-0", "target": null }, { "id": "Trojan:Win32/QQpass", "display_name": "Trojan:Win32/QQpass", "target": "/malware/Trojan:Win32/QQpass" }, { "id": "WannaCry", "display_name": "WannaCry", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1038", "name": "DLL Search Order Hijacking", "display_name": "T1038 - DLL Search Order Hijacking" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1470", "name": "Obtain Device Cloud Backups", "display_name": "T1470 - Obtain Device Cloud Backups" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" } ], "industries": [], "TLP": "green", "cloned_from": "66536881127f5ee988306394", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 350, "FileHash-SHA1": 348, "FileHash-SHA256": 2659, "URL": 7850, "domain": 2245, "hostname": 3611, "SSLCertFingerprint": 4, "email": 10, "CIDR": 4 }, "indicator_count": 17081, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "4 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a16ab3f9578fcc7ffd52a3a", "name": "Credit: Scoreblue - \"iOS Attack - Crouching Yeti: http://x.[com]/denverpolice/status/| CREATED 2 YEARS AGO MODIFIED 2 YEARS AGO by scoreblue Public", "description": "", "modified": "2026-05-27T08:28:47.467000", "created": "2026-05-27T08:28:47.467000", "tags": [ "sha256", "sha1", "pattern match", "ascii text", "document file", "v2 document", "crlf line", "size", "unicode", "beginstring", "null", "hybrid", "refresh", "body", "span", "local", "click", "strings", "error", "tools", "look", "verify", "restart", "contact", "external-resources", "dom-modification", "third-party-cookies", "iframes", "trackers", "text/html", "twitter", "final url", "ip address", "status code", "body length", "kb body", "headers", "deny", "express", "referrer", "impacting azure", "proofpoint", "sneaky server", "replacement", "unauthorized", "switch dns", "query", "vy binh", "hiddentear", "et tor", "known tor", "misc attack", "relayrouter", "exit", "node traffic", "date", "meta", "form", "submission", "expiresthu", "path", "secure", "self", "xcitium verdict", "cloud", "sophos", "history first", "analysis", "cp", "cyber", "threat", "redrum", "hit", "men", "triangulation", "historical ssl", "apt suspects", "critical cmd", "hide", "asyncrat", "jeremy", "government", "malicious", "yuming", "name servers", "united", "passive dns", "urls", "creation date", "search", "expiration date", "showing", "unknown", "next", "windows nt", "malware beacon", "memcommit", "generic http", "exe upload", "outbound", "etpro trojan", "show", "trojan", "copy", "write", "win32", "malware", "read c", "entries", "medium", "markus", "contentlength", "write c", "delete c", "create c", "yara detections", "scan endpoints", "all scoreblue", "filehash", "pulse pulses", "av detections", "ids detections", "alerts", "analysis date", "file score", "next pe", "as32934", "hitmen", "local government", "scene unit", "crime", "denver police", "address", "status", "aaaa", "apple", "less whois", "registrar", "wannacry", "http", "unique", "url https", "related nids", "code", "screenshot", "anity", "nsa", "shadow", "saudi telecom", "riyadh address", "saudi arabia", "abuse", "ripe", "company isp", "number", "label saudi", "telecom company", "jsc regional", "riyadh", "ripe ncc", "registry techc", "campus", "saudi", "ripe network", "domain", "internet se", "emails", "system", "server tsa", "b server", "certificate", "digicert inc", "moved", "record value" ], "references": [ "http://x.com/denverpolice/status/", "Redirects to >https://twitter.com/x/migrate?tok=eyJlIjoiL2RlbnZlcnBvbGljZS9zdGF0dXMvIiwidCI6MTcxNjcwMzc3M33oZya0EO4PtEbRwq4XZboX", "Redirects to https://twitter.com?mx=1", "IP address: 104.244.42.1 Hosting: Unknown Running on: Tsa B CMS: Express", "Crouching Yeti: Appendixes - according to source ArcSight Threat Intelligence", "https://otx.alienvault.com/indicator/file/00001aff2ea1acd6087f9fba8d8316d90d29e391d9969bc70cc607461467797e", "Alerts: nids_malware_alert network_icmp dumped_buffer network_cnc_http network_http network_http_post allocates_rwx", "Alerts: packer_entropy packer_upx antivm_memory_available pe_features", "Yara Detections: Yara Detections Nrv2x , UPX_OEP_place , UPX_Modified_Or_Inside , UPX20030XMarkusOberhumerLaszloMolnarJohnReiser , UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , Toxoplasmosis , UPX", "Packer UPX v0.89.6 - v1.02 / v1.05 -v1.24 -> Markus & Laszlo [overlay]", "Yara Detections: ConventionEngine_Term_Desktop , LZMA , mpress_2_xx_x86 , dbgdetect_procs", "pornhub.dev, http://matrix.pornhub.dev, https://twitter.com/PORNO_SEXYBABES, https://www.anon-v.com/porno/fenella/", "Hostname device-local-fb18804d-348e-49ea-8c17-cc8a29f18082.remotewd.com | 192.168.56.104: IPv4", "https://otx.alienvault.com/indicator/file/f7636eef1d9df0664cd0f205ad8864b659bf9898ce6231376778c4411986912e", "https://otx.alienvault.com/indicator/file/000054fa2b0d1004464350ee9acc40707fec51223dba36c702a3db4139af9717", "Domain: hicloudcam.com | https://otx.alienvault.com/indicator/hostname/alarmeu.sslproxy.gatewayvvlilly3lilly.alpha.hicloudcam.com", "originb0b.profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com | 108.160.165.139 Location: USA |ASN AS19679 dropbox inc. Nameservers ns-136.awsdns-17.com. ns-1518.awsdns-61.org. ,\u00a0 ns-1573.awsdns-04.co.uk. ,\u00a0 ns-809.awsdns-37.net. Less WHOIS Registrar: https://www.101domain.com/,\u00a0\u00a0 Creation Date: Oct 21, 2010 Related Pulses None Related Tags None Indicator Facts Running webserver External Resources Whois,\u00a0 UrlVoid,\u00a0 VirusTotal Analysis Related Pulses Comments (0) Whois Show 100 entr", "https://otx.alienvault.com/indicator/hostname/originb0b.profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com", "PATHETIC redirect: rainn.org | victims of violence & abuse disclose extremely sensitive details. Reported false information given to disorient victims.", "WannaCry | NSA -Anity Cert: https://otx.alienvault.com/indicator/url/https://www.antiy.com/response/Antiy_Wannacry_NSA.html", "WannaCry MS17-010 'Shadow' https://otx.alienvault.com/otxapi/indicators/url/screenshot/https://www.antiy.com/response/wannacry.html", "Command and Control IP: 5.41.21.250 | Location Saudi Arabia flag Jeddah, Saudi Arabia ASN AS39891 saudi telecom company jsc", "m.pornsexer.xxx.3.1.adiosfil.roksit.net", "uploads-cserver-alumni-profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win32/Vflooder.B Checkin", "display_name": "Win32/Vflooder.B Checkin", "target": null }, { "id": "Win.Malware.Vtflooder-6723768-0", "display_name": "Win.Malware.Vtflooder-6723768-0", "target": null }, { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "Win32/Vflooder.B vtapi DOS", "display_name": "Win32/Vflooder.B vtapi DOS", "target": null }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "Win.Trojan.Downloader-63174", "display_name": "Win.Trojan.Downloader-63174", "target": null }, { "id": "Clicker.BGOU", "display_name": "Clicker.BGOU", "target": null }, { "id": "Win.Trojan.Agent-752791", "display_name": "Win.Trojan.Agent-752791", "target": null }, { "id": "Win.Dropper.QQpass-9895638-0", "display_name": "Win.Dropper.QQpass-9895638-0", "target": null }, { "id": "Trojan:Win32/QQpass", "display_name": "Trojan:Win32/QQpass", "target": "/malware/Trojan:Win32/QQpass" }, { "id": "WannaCry", "display_name": "WannaCry", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1038", "name": "DLL Search Order Hijacking", "display_name": "T1038 - DLL Search Order Hijacking" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1470", "name": "Obtain Device Cloud Backups", "display_name": "T1470 - Obtain Device Cloud Backups" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" } ], "industries": [], "TLP": "green", "cloned_from": "66536881127f5ee988306394", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 350, "FileHash-SHA1": 348, "FileHash-SHA256": 2659, "URL": 7850, "domain": 2245, "hostname": 3611, "SSLCertFingerprint": 4, "email": 10, "CIDR": 4 }, "indicator_count": 17081, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "4 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69228447b9c71795633314df", "name": "Keep Corrupt - University of Alberta Incidents continue to escalate - 04.24.26", "description": "Recovered accounts that have been used & abused - courtesy of decisions by non-technical leadership = accounts for UAlberta students -> PW manager made inaccessible (tied to UAlberta account) during a Data-Breach.\nWhen PW manager & Accounts returned, was populated by these (many = fraudulent; some appear to be abuse of legitimate services, while others do not, yet don't know function or origin)\n\nNot representative of OG PW manager. Many (most) accts. used/abused (on-going). \n\nDon't have a backup of original = hard to compare. Don't quite know what the majority of these companies etc. are for and/or do exactly. Putting them together as they roll-in.\nCan't turn them off in most cases - I don't have access to the U of A accounts these originate from and/or original recovery methods. \n\n2 more batches to add to this pulse (Need to add into VT) 02.16.26\n\nCountries listed are where 2 victims (UAlberta Graduates) have citizenship or some tie with.", "modified": "2026-05-24T21:18:51.782000", "created": "2025-11-23T03:49:27.649000", "tags": [ "geoip", "as54113", "fastly", "as20940", "as15169", "google", "as214401", "maincubesas", "gmbh", "apache geoip", "facebook", "UAlberta", "AHS", "Treaty 8", "GoA", "Alberta", "Edmonton", "YEG" ], "references": [ "https://viz.greynoise.io/ip/analysis/3cf1334a-df9d-448f-8145-d5fe67637c1a", "URLscanio, FSio, vT", "03.11.14: https://www.virustotal.com/graph/embed/ge2e309eb8bd34fcca56398089b2291058dfe1fca69dc4e5aa66db0365caf735b?theme=dark", "https://www.virustotal.com/gui/collection/6a41ae1cf2d3d51fedd2393d893c3b26ed0352dde2e0851d03f0bae9aaa69ae1/summary", "https://www.virustotal.com/gui/collection/6a41ae1cf2d3d51fedd2393d893c3b26ed0352dde2e0851d03f0bae9aaa69ae1/iocs", "https://viz.greynoise.io/ip/analysis/3cf1334a-df9d-448f-8145-d5fe67637c1a (11.22.25)" ], "public": 1, "adversary": "", "targeted_countries": [ "Cura\u00e7ao", "Guatemala", "Sint Maarten (Dutch part)", "Tanzania, United Republic of", "Barbados", "United States of America", "Bahamas", "Anguilla", "Canada", "Saint Vincent and the Grenadines", "United Kingdom of Great Britain and Northern Ireland", "Kenya", "France", "Aruba", "Mexico", "Poland", "Costa Rica", "Ireland", "Trinidad and Tobago", "Netherlands", "Slovakia", "Spain", "Philippines" ], "malware_families": [], "attack_ids": [], "industries": [ "Government", "Technology", "Telecommunications", "Education", "Healthcare", "Finance", "Retail", "Hospitality", "Transportation" ], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 3, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CIDR": 47, "FileHash-MD5": 53, "FileHash-SHA1": 16, "FileHash-SHA256": 1059, "URL": 6374, "domain": 3314, "email": 1395, "hostname": 3740, "CVE": 1 }, "indicator_count": 15999, "is_author": false, "is_subscribing": null, "subscriber_count": 136, "modified_text": "6 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a100b692408f972b61c1cec", "name": "\"don't save her\" a continued message * CAPE Sandbox", "description": "[sample of the Pigeonhole Sieve malware has been found in the X-Sieve R system, designed to detect and prevent the spread of malicious software, which is currently being used by Microsoft Office.] -pretext", "modified": "2026-05-24T05:56:24.709000", "created": "2026-05-22T07:53:13.480000", "tags": [ "table", "postfix", "eest", "tbody", "span", "deliveredto", "bayesspam", "fromeqenvfrom", "fromhasdn", "ipreputation", "date", "title", "file type", "ascii text", "crlf line", "sigma", "mitre attack", "network info", "dropped info", "use short", "name path", "windows folder", "defense evasion", "next", "wednesday", "january", "extra info", "attack network", "info dropped", "geospatial endpoints" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/0005c1a0f0dd0df76abbabf5f3f9303e46639dc29181b907388cf95a919bfdc5_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779435695&Signature=UoqeOvA3l0SmZPLGLkJ4n7oue%2FoXBTcyhLy5g1zr97R1z9EBf2vAXrsnA8mHkedBOo0cd7lQhlV4QLek1AiAP4Z%2F9XgN%2FgaAo3L%2FP0tI1NFNb5lJ9mZ4YQ5aVcF1jYBD4bluT9%2BjUQaRIkFHR4w4OIpWVuJOGdkbT7UxU%2BgyPR3o2Ij%2Fli0GfJO%2B%2B2KMpTnBE0mWDM%2BrEThJKW2Ty5flTxONg4m7toLl7%2BspvX1Q", "https://vtbehaviour.commondatastorage.googleapis.com/0005c1a0f0dd0df76abbabf5f3f9303e46639dc29181b907388cf95a919bfdc5_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779435775&Signature=AkieU7eRCNrzND0lejy10HFR7OdRvNqyswrKIdggTIg6w4naejOYYwut39HnOup0%2BqQcIl4AJ6iCv7BrJuqNoIe3WuL3S3c9To36FuiNd2aOBRNZcN9gHBz7GSvTlAnmNNOt9OIZbdryCE4RnMJA4q7aOGLAd3dJzbXxC1sLLrpBBY0wTeb7cvNcLLEuJzsk9AQw8m9nZ%2BMfQJB8hWxaWNXySZkIl%2Fkufg7NdeYBFT4YXsi2gxWg0UruP%2FFYE8", "https://vtbehaviour.commondatastorage.googleapis.com/0002412eddb6f812afb3e131d7e801536cb4ff8a410a6d6c6bc559fdb3546116_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779436484&Signature=Pr1pfaimFPZRbQFRLBhpICwKcQGlnx4U5y%2FQZiFEs%2BMGp9zOdmylpsondhJ%2FoJg6NIwY9%2Bk2v9SRh8rgNd2aefaWARh%2ByYvcCFEELbz7cf%2F2f128%2FN%2BsNKOuiRC2JFyN37Wq2hSLt9NYUERhB0THMCMQtw1axrtOHh9CLz3YZ%2BdO7E%2B3g1aOrD3sDAwOgmWR9n9pk%2Fj55fIyJqPDU80OB1RXmaU4XNnEIBA69dpnuj57WGWd" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 33, "CIDR": 5, "FileHash-MD5": 275, "FileHash-SHA1": 27, "FileHash-SHA256": 45, "URL": 149, "domain": 8, "email": 7, "hostname": 165, "CVE": 1 }, "indicator_count": 715, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "7 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69ea8e2082633358a0c28090", "name": "CAPE Sandbox \"YL\"", "description": "\"YL\" imprint left behind on a usere property. Unsure.", "modified": "2026-05-23T21:00:44.705000", "created": "2026-04-23T21:24:48.742000", "tags": [ "csv text", "unicode text", "utf8 text", "crlf line", "text text" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1221", "name": "Template Injection", "display_name": "T1221 - Template Injection" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1030", "name": "Data Transfer Size Limits", "display_name": "T1030 - Data Transfer Size Limits" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 362, "FileHash-SHA1": 102, "FileHash-SHA256": 347, "URL": 243, "domain": 79, "hostname": 297, "email": 5 }, "indicator_count": 1435, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "7 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a10b5fcbae6ff7196fadd8a", "name": "Full Circle: The Banking Trojan | Wiper | Emotet * CAPE Sandbox", "description": "[It was supposed to be a simple question, but it turns out the question is more of a Q for the rest of the year: is it really possible to do it all on a computer?] As evidenced by another researcher I am validating their findings, \"\t\nuserlolxxl has commented on one of your pulses (\"don't save her\" a continued message * CAPE Sandbox).\nhttps://www.virustotal.com/gui/file/0005c1a0f0dd0df76abbabf5f3f9303e46639dc29181b907388cf95a919bfdc5/behavior][https://www.virustotal.com/gui/domain/dvtec2.com.ua/relations, communicating files mail server domain mail[.]dvtec2[.]com[.]ua resolves https://www.virustotal.com/gui/ip-address/185.104.44.17/relations\"", "modified": "2026-05-22T20:24:24.934000", "created": "2026-05-22T20:01:00.435000", "tags": [ "table", "postfix", "eest", "tbody", "span", "deliveredto", "bayesspam", "fromeqenvfrom", "fromhasdn", "ipreputation", "date", "title", "nextron", "word", "file type", "ascii text", "crlf line", "sigma", "mitre attack", "network info", "dropped info", "use short", "name path", "windows folder", "next", "kyiv registrant", "country", "server", "hosting ukraine", "registrar", "kyiv", "query time", "uaepp name", "internet invest", "whois privacy", "domain name", "thumbprint", "algorithm", "key identifier", "x509v3 subject", "v3 serial", "number", "cus olet", "encrypt cnr13", "validity", "subject public", "key info", "key algorithm", "x509v3 key", "encrypt cnr11", "encrypt cnr10", "encrypt cnr3", "aaaa", "utf8", "rsapss", "sha256", "esmtps id", "e41f26401ec", "office", "esmtps", "https", "creates", "tls version", "dbe4b640081", "esmtp id", "ebe855402e7", "system number", "label hosting", "ukraine ltd", "registry ripe", "ncc country", "ua continent", "handle", "address range", "cidr", "network name", "type", "assigned pa", "status", "whois server", "po box", "kiev", "ukraine adminc", "ripe", "filtered route", "default", "shell folders", "inprocserver32", "parent pid", "full path", "command line", "cname", "folders", "accept", "gmt ifnonematch", "shutdown", "config", "contact domain", "holder", "available from", "kiev region", "code", "llc admin", "icann whois", "registry tech", "form", "tech", "ripe ncc", "as200000 city", "abuse contact", "orgid", "address", "orgabuseref", "ripe network", "postalcode", "overview", "banned", "malicious", "duration cuckoo", "version file", "machine label", "manager", "malware config", "type emotet", "jenny", "esmtp", "adumitriu", "xagvyej", "jenny green", "subject", "hello", "kind", "gsd support", "drops", "internet", "http", "performs dns", "yara", "t1055 process", "persistence", "emotet", "02025", "apple", "enterprise", "united", "traces back to usa", "bankers trojan" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/0005c1a0f0dd0df76abbabf5f3f9303e46639dc29181b907388cf95a919bfdc5_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779476594&Signature=fzxKLlFs1nX8XZjUhCUYy%2FXq%2BwKSl9us6JE%2B6ybuD2FB%2FYxHrjhDmT9VA5jX2vGWh725B%2BnYbuerqS9lI%2F8VsqMEVyltTKup7tinRnxTlmAkvdR11q1URUz8G4eG2JBbqZQskKhGuyGFFaYcsd8HNCN0TciN%2FtnC7U6zsNLv5liPDSKcVQz%2BS8G%2BQgyKgUkFiDUzhh%2Bx3JmKYfMY%2BuATVgXkEO7tY5iUxWbeFaRQ", "https://vtbehaviour.commondatastorage.googleapis.com/0005c1a0f0dd0df76abbabf5f3f9303e46639dc29181b907388cf95a919bfdc5_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779476914&Signature=X%2BOI3H%2FhLCU6Z%2F1GBGeuHFZRK3ck%2F3ttuukxC9jkM6ChhfbI%2FA1B8wEWIwO3h96ZxdDqMrsNjxYMiLiR6opmt04q6bXr19bw%2FpyqffAlGgyH54NTOd4W4V3vDgDFVAGlgpSWKilpUvZBouT8vWgFh5nQFhBU6V20hA57B%2Fhmh1Aq%2BUqGFi7L8FIinUhUSZqM3dbGkPkOTDCHk8XXTVOTXYm9fdX11WaxFSstQhydC32aNVttDxddQq", "https://vtbehaviour.commondatastorage.googleapis.com/630e1dd423feb4af15dacd299d62785b95c7d5035c8b3421063dfce922a2fd3b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779478165&Signature=xvYPy6urLZRp%2FNUIglcpTZ0dKgiAf0xVeGpcDY6QnttpRbDj60kaBIj%2BlQ7gSNFBABi4TsYhQ8Oab6Veo9YSujwQeYnWD6EOnRArLf%2FJCOinlHjRbeW9JhWDB88Ep9ubdyeX9iEzaVYcrgTM9gbJMkTbkLw8SXIYr6IZjL3FPomuELP3w937ZduHHsp04xawdI7LB9VKdH%2Fywmv9qcB5YW3f0xJLO%2B5T2QElaJl99Lq5rur58jp%", "https://vtbehaviour.commondatastorage.googleapis.com/630e1dd423feb4af15dacd299d62785b95c7d5035c8b3421063dfce922a2fd3b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779478206&Signature=j5W%2BdnmxSjHb3p%2Fg07hockdh4i4KExiX%2FnH9QUCkDbubyww3fKH9eP9kFH3nJ%2BawxWsOUhJj4%2BK9j6gRYzKC%2FR0WWMAh6e6jfYuX26XMp1YZZqTNXEnZfkvNdGRN5Cka6vw57ZRuZcN%2BCL5FaWGOrPxDwpMzTsh9Qo62wyFdNSi%2FiXChrlAlXWNf7zMEV1Pyfp%2B8Q8m7BtO4npImTE4W3Mik%2FSSPXkSvtAFoKMGLDY0%2BCF%2", "https://vtbehaviour.commondatastorage.googleapis.com/4a1710a2798d32efeec6831d8aab90c7f248c65f42d8208dfef211a36152df39_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779478277&Signature=MLz456A289G%2BL07AgpxPfSqG9o6bArnbv7TO4RSMxDAOpOYj4dOVr48Tcm2d7Uv2429ql9Wlgf4JwzE4Ab9wl16mpS13NSJDrZcQbiWKRpE2daAEIHiZIz%2FlxToDBcP3eZl1Hsqps3RXbdJc%2F%2BwHvZ86Wme%2FTqyG5y27%2FgeyLVtaIvt0eXe55FZ1%2BjcTjndNa%2BAa%2BwACuCLG2n030oy6OeHYN1rkEnmnJecXAw51WwAn", "https://vtbehaviour.commondatastorage.googleapis.com/07189d16eb2fb450654c56bf99f8e74d3837872d805e2ef6ec0fa2ad0186d57b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479129&Signature=FkFNyP2vyo5CfTsAq%2BFvrqCMz2bhYkLSlPGBx3U4BCYuvFwMleBhKHrwbpAcEBUML9jIH%2Bg0AxpTZvAiH6CarH4VLy%2BALlnGPb%2F9fqaMkIAlB%2BZREYxsg%2BdNyt0adKXcvsmrcg6H9RespamRZ8V4PFToZjDPps%2FwEzX081rrnFZgikang831fP1Lf5uv4nVUxYnyWDDVkytRx9fFZIYCB5Q37uK5gnHXswTv9%2FDpDkRxtS", "https://vtbehaviour.commondatastorage.googleapis.com/0004798a5b6d5acda9800dd63873e148c69a309fb275835c429c149e9291ebb0_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479661&Signature=XqRv2dzr0tVvYKb8bAfMslLVj5uKfyYWhdnIAajfxfM%2Fu6tzv%2FBNmjzhkDX9tpotmvIQG4QIBqM3loowGjcPDcordUF%2Fy0nuaZ%2B4jJd202wWTq0PM2TpeY%2BoKbqFTr0%2FV1woinEUz3D%2FwgJAw7Y1XtsOWfjKby%2BuMDgS%2BMFayvLhA9TZtoLS48uZnjLiespOuIE2IkvuZhZnkx6PHt4cZeZ1SAxeSuFoDQEhovtA%2FI%2FBxYiD", "https://vtbehaviour.commondatastorage.googleapis.com/0004798a5b6d5acda9800dd63873e148c69a309fb275835c429c149e9291ebb0_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479619&Signature=WpCRMDToBbPACvuqYzQGmlMg%2FCkBnFTggqFGmmHaglzN9je5VnjDj30wCq7SSw8SWLscjkCPrfuD0EkYJ1xfXntJlcl9KGGr9jNB4fQXuEEUiE8yj6v4SfACfYhIMlNi0o9CaPCfIxb6jUfMN0WYJVqhLqCq94ITVIzKXxwLwX9TrDoUTaKE11foz4kq9Nu6aN7N%2Fi1VAbrEfS97t1E3b6aKXBvTBJ044lERzuMh0QVmYirWkUgeK3h5qu", "https://vtbehaviour.commondatastorage.googleapis.com/07189d16eb2fb450654c56bf99f8e74d3837872d805e2ef6ec0fa2ad0186d57b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479748&Signature=bmCNstJ9sHQgsE7ftRhH0aIPUmBBHkP2qQ3rHVpByPWgffnrKG52ag1t9RW3%2FetCVEJOqM7QIcRAmh2I%2FKAe9kYjPuhl2PVAXTMHY5HnJO1JMOSKNlqLkhdHaCne1MWQgI3tQyu4o1WsLFozD6GltOMnKU0HtbToD%2BlbPwr6Tgfg30chrrVniGrmRioP6BcmXUHwIHVqrZMTvxE16%2BqF3jilzlc%2F6%2BD4By7PNkd0GYCgQ4il2L", "https://vtbehaviour.commondatastorage.googleapis.com/07189d16eb2fb450654c56bf99f8e74d3837872d805e2ef6ec0fa2ad0186d57b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479907&Signature=iueIcUDv9RIYkBRQtii5Jfuv%2BeG9yJAR5YXQn2gInk3FCxuCJZ%2B13LeDjwijF7yPbTVrC1wNPnJ%2FVbq1cmlXyNO8tlv%2B8elIQFS54gR8nAVRGN4LU1dNoeO32%2FO66F3pXxP0eqqMU%2FQP3gtxgj1DgdO30ZFIiCgg%2Fg9D%2FSKKj5Xv2mPG46PvAmIwtW3nOKCQG90FTtbSkmUqlKz3F8OM0vxczYYlKKqT9NEwz9wpPFDE2cfWdMv0ir" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 194, "CIDR": 63, "FileHash-MD5": 397, "FileHash-SHA1": 112, "FileHash-SHA256": 506, "URL": 500, "domain": 152, "email": 19, "hostname": 624, "CVE": 1, "IPv6": 53, "Mutex": 1, "URI": 1 }, "indicator_count": 2623, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "8 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a10b601afa660d39df59585", "name": "Full Circle: The Banking Trojan | Wiper | Emotet * CAPE Sandbox", "description": "[It was supposed to be a simple question, but it turns out the question is more of a Q for the rest of the year: is it really possible to do it all on a computer?] As evidenced by another researcher I am validating their findings, \"\t\nuserlolxxl has commented on one of your pulses (\"don't save her\" a continued message * CAPE Sandbox).\nhttps://www.virustotal.com/gui/file/0005c1a0f0dd0df76abbabf5f3f9303e46639dc29181b907388cf95a919bfdc5/behavior][https://www.virustotal.com/gui/domain/dvtec2.com.ua/relations, communicating files mail server domain mail[.]dvtec2[.]com[.]ua resolves https://www.virustotal.com/gui/ip-address/185.104.44.17/relations\"", "modified": "2026-05-22T20:24:23.966000", "created": "2026-05-22T20:01:05.318000", "tags": [ "table", "postfix", "eest", "tbody", "span", "deliveredto", "bayesspam", "fromeqenvfrom", "fromhasdn", "ipreputation", "date", "title", "nextron", "word", "file type", "ascii text", "crlf line", "sigma", "mitre attack", "network info", "dropped info", "use short", "name path", "windows folder", "next", "kyiv registrant", "country", "server", "hosting ukraine", "registrar", "kyiv", "query time", "uaepp name", "internet invest", "whois privacy", "domain name", "thumbprint", "algorithm", "key identifier", "x509v3 subject", "v3 serial", "number", "cus olet", "encrypt cnr13", "validity", "subject public", "key info", "key algorithm", "x509v3 key", "encrypt cnr11", "encrypt cnr10", "encrypt cnr3", "aaaa", "utf8", "rsapss", "sha256", "esmtps id", "e41f26401ec", "office", "esmtps", "https", "creates", "tls version", "dbe4b640081", "esmtp id", "ebe855402e7", "system number", "label hosting", "ukraine ltd", "registry ripe", "ncc country", "ua continent", "handle", "address range", "cidr", "network name", "type", "assigned pa", "status", "whois server", "po box", "kiev", "ukraine adminc", "ripe", "filtered route", "default", "shell folders", "inprocserver32", "parent pid", "full path", "command line", "cname", "folders", "accept", "gmt ifnonematch", "shutdown", "config", "contact domain", "holder", "available from", "kiev region", "code", "llc admin", "icann whois", "registry tech", "form", "tech", "ripe ncc", "as200000 city", "abuse contact", "orgid", "address", "orgabuseref", "ripe network", "postalcode", "overview", "banned", "malicious", "duration cuckoo", "version file", "machine label", "manager", "malware config", "type emotet", "jenny", "esmtp", "adumitriu", "xagvyej", "jenny green", "subject", "hello", "kind", "gsd support", "drops", "internet", "http", "performs dns", "yara", "t1055 process", "persistence", "emotet", "02025", "apple", "enterprise", "united", "traces back to usa", "bankers trojan" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/0005c1a0f0dd0df76abbabf5f3f9303e46639dc29181b907388cf95a919bfdc5_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779476594&Signature=fzxKLlFs1nX8XZjUhCUYy%2FXq%2BwKSl9us6JE%2B6ybuD2FB%2FYxHrjhDmT9VA5jX2vGWh725B%2BnYbuerqS9lI%2F8VsqMEVyltTKup7tinRnxTlmAkvdR11q1URUz8G4eG2JBbqZQskKhGuyGFFaYcsd8HNCN0TciN%2FtnC7U6zsNLv5liPDSKcVQz%2BS8G%2BQgyKgUkFiDUzhh%2Bx3JmKYfMY%2BuATVgXkEO7tY5iUxWbeFaRQ", "https://vtbehaviour.commondatastorage.googleapis.com/0005c1a0f0dd0df76abbabf5f3f9303e46639dc29181b907388cf95a919bfdc5_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779476914&Signature=X%2BOI3H%2FhLCU6Z%2F1GBGeuHFZRK3ck%2F3ttuukxC9jkM6ChhfbI%2FA1B8wEWIwO3h96ZxdDqMrsNjxYMiLiR6opmt04q6bXr19bw%2FpyqffAlGgyH54NTOd4W4V3vDgDFVAGlgpSWKilpUvZBouT8vWgFh5nQFhBU6V20hA57B%2Fhmh1Aq%2BUqGFi7L8FIinUhUSZqM3dbGkPkOTDCHk8XXTVOTXYm9fdX11WaxFSstQhydC32aNVttDxddQq", "https://vtbehaviour.commondatastorage.googleapis.com/630e1dd423feb4af15dacd299d62785b95c7d5035c8b3421063dfce922a2fd3b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779478165&Signature=xvYPy6urLZRp%2FNUIglcpTZ0dKgiAf0xVeGpcDY6QnttpRbDj60kaBIj%2BlQ7gSNFBABi4TsYhQ8Oab6Veo9YSujwQeYnWD6EOnRArLf%2FJCOinlHjRbeW9JhWDB88Ep9ubdyeX9iEzaVYcrgTM9gbJMkTbkLw8SXIYr6IZjL3FPomuELP3w937ZduHHsp04xawdI7LB9VKdH%2Fywmv9qcB5YW3f0xJLO%2B5T2QElaJl99Lq5rur58jp%", "https://vtbehaviour.commondatastorage.googleapis.com/630e1dd423feb4af15dacd299d62785b95c7d5035c8b3421063dfce922a2fd3b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779478206&Signature=j5W%2BdnmxSjHb3p%2Fg07hockdh4i4KExiX%2FnH9QUCkDbubyww3fKH9eP9kFH3nJ%2BawxWsOUhJj4%2BK9j6gRYzKC%2FR0WWMAh6e6jfYuX26XMp1YZZqTNXEnZfkvNdGRN5Cka6vw57ZRuZcN%2BCL5FaWGOrPxDwpMzTsh9Qo62wyFdNSi%2FiXChrlAlXWNf7zMEV1Pyfp%2B8Q8m7BtO4npImTE4W3Mik%2FSSPXkSvtAFoKMGLDY0%2BCF%2", "https://vtbehaviour.commondatastorage.googleapis.com/4a1710a2798d32efeec6831d8aab90c7f248c65f42d8208dfef211a36152df39_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779478277&Signature=MLz456A289G%2BL07AgpxPfSqG9o6bArnbv7TO4RSMxDAOpOYj4dOVr48Tcm2d7Uv2429ql9Wlgf4JwzE4Ab9wl16mpS13NSJDrZcQbiWKRpE2daAEIHiZIz%2FlxToDBcP3eZl1Hsqps3RXbdJc%2F%2BwHvZ86Wme%2FTqyG5y27%2FgeyLVtaIvt0eXe55FZ1%2BjcTjndNa%2BAa%2BwACuCLG2n030oy6OeHYN1rkEnmnJecXAw51WwAn", "https://vtbehaviour.commondatastorage.googleapis.com/07189d16eb2fb450654c56bf99f8e74d3837872d805e2ef6ec0fa2ad0186d57b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479129&Signature=FkFNyP2vyo5CfTsAq%2BFvrqCMz2bhYkLSlPGBx3U4BCYuvFwMleBhKHrwbpAcEBUML9jIH%2Bg0AxpTZvAiH6CarH4VLy%2BALlnGPb%2F9fqaMkIAlB%2BZREYxsg%2BdNyt0adKXcvsmrcg6H9RespamRZ8V4PFToZjDPps%2FwEzX081rrnFZgikang831fP1Lf5uv4nVUxYnyWDDVkytRx9fFZIYCB5Q37uK5gnHXswTv9%2FDpDkRxtS", "https://vtbehaviour.commondatastorage.googleapis.com/0004798a5b6d5acda9800dd63873e148c69a309fb275835c429c149e9291ebb0_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479661&Signature=XqRv2dzr0tVvYKb8bAfMslLVj5uKfyYWhdnIAajfxfM%2Fu6tzv%2FBNmjzhkDX9tpotmvIQG4QIBqM3loowGjcPDcordUF%2Fy0nuaZ%2B4jJd202wWTq0PM2TpeY%2BoKbqFTr0%2FV1woinEUz3D%2FwgJAw7Y1XtsOWfjKby%2BuMDgS%2BMFayvLhA9TZtoLS48uZnjLiespOuIE2IkvuZhZnkx6PHt4cZeZ1SAxeSuFoDQEhovtA%2FI%2FBxYiD", "https://vtbehaviour.commondatastorage.googleapis.com/0004798a5b6d5acda9800dd63873e148c69a309fb275835c429c149e9291ebb0_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479619&Signature=WpCRMDToBbPACvuqYzQGmlMg%2FCkBnFTggqFGmmHaglzN9je5VnjDj30wCq7SSw8SWLscjkCPrfuD0EkYJ1xfXntJlcl9KGGr9jNB4fQXuEEUiE8yj6v4SfACfYhIMlNi0o9CaPCfIxb6jUfMN0WYJVqhLqCq94ITVIzKXxwLwX9TrDoUTaKE11foz4kq9Nu6aN7N%2Fi1VAbrEfS97t1E3b6aKXBvTBJ044lERzuMh0QVmYirWkUgeK3h5qu", "https://vtbehaviour.commondatastorage.googleapis.com/07189d16eb2fb450654c56bf99f8e74d3837872d805e2ef6ec0fa2ad0186d57b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479748&Signature=bmCNstJ9sHQgsE7ftRhH0aIPUmBBHkP2qQ3rHVpByPWgffnrKG52ag1t9RW3%2FetCVEJOqM7QIcRAmh2I%2FKAe9kYjPuhl2PVAXTMHY5HnJO1JMOSKNlqLkhdHaCne1MWQgI3tQyu4o1WsLFozD6GltOMnKU0HtbToD%2BlbPwr6Tgfg30chrrVniGrmRioP6BcmXUHwIHVqrZMTvxE16%2BqF3jilzlc%2F6%2BD4By7PNkd0GYCgQ4il2L", "https://vtbehaviour.commondatastorage.googleapis.com/07189d16eb2fb450654c56bf99f8e74d3837872d805e2ef6ec0fa2ad0186d57b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479907&Signature=iueIcUDv9RIYkBRQtii5Jfuv%2BeG9yJAR5YXQn2gInk3FCxuCJZ%2B13LeDjwijF7yPbTVrC1wNPnJ%2FVbq1cmlXyNO8tlv%2B8elIQFS54gR8nAVRGN4LU1dNoeO32%2FO66F3pXxP0eqqMU%2FQP3gtxgj1DgdO30ZFIiCgg%2Fg9D%2FSKKj5Xv2mPG46PvAmIwtW3nOKCQG90FTtbSkmUqlKz3F8OM0vxczYYlKKqT9NEwz9wpPFDE2cfWdMv0ir" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 217, "CIDR": 63, "FileHash-MD5": 399, "FileHash-SHA1": 114, "FileHash-SHA256": 513, "URL": 605, "domain": 328, "email": 21, "hostname": 694, "CVE": 1, "IPv6": 53, "Mutex": 1, "URI": 1 }, "indicator_count": 3010, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "8 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a10b5fc8feb5a31eedfc0ec", "name": "Full Circle: The Banking Trojan | Wiper | Emotet * CAPE Sandbox", "description": "[It was supposed to be a simple question, but it turns out the question is more of a Q for the rest of the year: is it really possible to do it all on a computer?] As evidenced by another researcher I am validating their findings, \"\t\nuserlolxxl has commented on one of your pulses (\"don't save her\" a continued message * CAPE Sandbox).\nhttps://www.virustotal.com/gui/file/0005c1a0f0dd0df76abbabf5f3f9303e46639dc29181b907388cf95a919bfdc5/behavior][https://www.virustotal.com/gui/domain/dvtec2.com.ua/relations, communicating files mail server domain mail[.]dvtec2[.]com[.]ua resolves https://www.virustotal.com/gui/ip-address/185.104.44.17/relations\"", "modified": "2026-05-22T20:00:59.988000", "created": "2026-05-22T20:00:59.988000", "tags": [ "table", "postfix", "eest", "tbody", "span", "deliveredto", "bayesspam", "fromeqenvfrom", "fromhasdn", "ipreputation", "date", "title", "nextron", "word", "file type", "ascii text", "crlf line", "sigma", "mitre attack", "network info", "dropped info", "use short", "name path", "windows folder", "next", "kyiv registrant", "country", "server", "hosting ukraine", "registrar", "kyiv", "query time", "uaepp name", "internet invest", "whois privacy", "domain name", "thumbprint", "algorithm", "key identifier", "x509v3 subject", "v3 serial", "number", "cus olet", "encrypt cnr13", "validity", "subject public", "key info", "key algorithm", "x509v3 key", "encrypt cnr11", "encrypt cnr10", "encrypt cnr3", "aaaa", "utf8", "rsapss", "sha256", "esmtps id", "e41f26401ec", "office", "esmtps", "https", "creates", "tls version", "dbe4b640081", "esmtp id", "ebe855402e7", "system number", "label hosting", "ukraine ltd", "registry ripe", "ncc country", "ua continent", "handle", "address range", "cidr", "network name", "type", "assigned pa", "status", "whois server", "po box", "kiev", "ukraine adminc", "ripe", "filtered route", "default", "shell folders", "inprocserver32", "parent pid", "full path", "command line", "cname", "folders", "accept", "gmt ifnonematch", "shutdown", "config", "contact domain", "holder", "available from", "kiev region", "code", "llc admin", "icann whois", "registry tech", "form", "tech", "ripe ncc", "as200000 city", "abuse contact", "orgid", "address", "orgabuseref", "ripe network", "postalcode", "overview", "banned", "malicious", "duration cuckoo", "version file", "machine label", "manager", "malware config", "type emotet", "jenny", "esmtp", "adumitriu", "xagvyej", "jenny green", "subject", "hello", "kind", "gsd support", "drops", "internet", "http", "performs dns", "yara", "t1055 process", "persistence", "emotet", "02025", "apple", "enterprise", "united", "traces back to usa", "bankers trojan" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/0005c1a0f0dd0df76abbabf5f3f9303e46639dc29181b907388cf95a919bfdc5_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779476594&Signature=fzxKLlFs1nX8XZjUhCUYy%2FXq%2BwKSl9us6JE%2B6ybuD2FB%2FYxHrjhDmT9VA5jX2vGWh725B%2BnYbuerqS9lI%2F8VsqMEVyltTKup7tinRnxTlmAkvdR11q1URUz8G4eG2JBbqZQskKhGuyGFFaYcsd8HNCN0TciN%2FtnC7U6zsNLv5liPDSKcVQz%2BS8G%2BQgyKgUkFiDUzhh%2Bx3JmKYfMY%2BuATVgXkEO7tY5iUxWbeFaRQ", "https://vtbehaviour.commondatastorage.googleapis.com/0005c1a0f0dd0df76abbabf5f3f9303e46639dc29181b907388cf95a919bfdc5_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779476914&Signature=X%2BOI3H%2FhLCU6Z%2F1GBGeuHFZRK3ck%2F3ttuukxC9jkM6ChhfbI%2FA1B8wEWIwO3h96ZxdDqMrsNjxYMiLiR6opmt04q6bXr19bw%2FpyqffAlGgyH54NTOd4W4V3vDgDFVAGlgpSWKilpUvZBouT8vWgFh5nQFhBU6V20hA57B%2Fhmh1Aq%2BUqGFi7L8FIinUhUSZqM3dbGkPkOTDCHk8XXTVOTXYm9fdX11WaxFSstQhydC32aNVttDxddQq", "https://vtbehaviour.commondatastorage.googleapis.com/630e1dd423feb4af15dacd299d62785b95c7d5035c8b3421063dfce922a2fd3b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779478165&Signature=xvYPy6urLZRp%2FNUIglcpTZ0dKgiAf0xVeGpcDY6QnttpRbDj60kaBIj%2BlQ7gSNFBABi4TsYhQ8Oab6Veo9YSujwQeYnWD6EOnRArLf%2FJCOinlHjRbeW9JhWDB88Ep9ubdyeX9iEzaVYcrgTM9gbJMkTbkLw8SXIYr6IZjL3FPomuELP3w937ZduHHsp04xawdI7LB9VKdH%2Fywmv9qcB5YW3f0xJLO%2B5T2QElaJl99Lq5rur58jp%", "https://vtbehaviour.commondatastorage.googleapis.com/630e1dd423feb4af15dacd299d62785b95c7d5035c8b3421063dfce922a2fd3b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779478206&Signature=j5W%2BdnmxSjHb3p%2Fg07hockdh4i4KExiX%2FnH9QUCkDbubyww3fKH9eP9kFH3nJ%2BawxWsOUhJj4%2BK9j6gRYzKC%2FR0WWMAh6e6jfYuX26XMp1YZZqTNXEnZfkvNdGRN5Cka6vw57ZRuZcN%2BCL5FaWGOrPxDwpMzTsh9Qo62wyFdNSi%2FiXChrlAlXWNf7zMEV1Pyfp%2B8Q8m7BtO4npImTE4W3Mik%2FSSPXkSvtAFoKMGLDY0%2BCF%2", "https://vtbehaviour.commondatastorage.googleapis.com/4a1710a2798d32efeec6831d8aab90c7f248c65f42d8208dfef211a36152df39_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779478277&Signature=MLz456A289G%2BL07AgpxPfSqG9o6bArnbv7TO4RSMxDAOpOYj4dOVr48Tcm2d7Uv2429ql9Wlgf4JwzE4Ab9wl16mpS13NSJDrZcQbiWKRpE2daAEIHiZIz%2FlxToDBcP3eZl1Hsqps3RXbdJc%2F%2BwHvZ86Wme%2FTqyG5y27%2FgeyLVtaIvt0eXe55FZ1%2BjcTjndNa%2BAa%2BwACuCLG2n030oy6OeHYN1rkEnmnJecXAw51WwAn", "https://vtbehaviour.commondatastorage.googleapis.com/07189d16eb2fb450654c56bf99f8e74d3837872d805e2ef6ec0fa2ad0186d57b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479129&Signature=FkFNyP2vyo5CfTsAq%2BFvrqCMz2bhYkLSlPGBx3U4BCYuvFwMleBhKHrwbpAcEBUML9jIH%2Bg0AxpTZvAiH6CarH4VLy%2BALlnGPb%2F9fqaMkIAlB%2BZREYxsg%2BdNyt0adKXcvsmrcg6H9RespamRZ8V4PFToZjDPps%2FwEzX081rrnFZgikang831fP1Lf5uv4nVUxYnyWDDVkytRx9fFZIYCB5Q37uK5gnHXswTv9%2FDpDkRxtS", "https://vtbehaviour.commondatastorage.googleapis.com/0004798a5b6d5acda9800dd63873e148c69a309fb275835c429c149e9291ebb0_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479661&Signature=XqRv2dzr0tVvYKb8bAfMslLVj5uKfyYWhdnIAajfxfM%2Fu6tzv%2FBNmjzhkDX9tpotmvIQG4QIBqM3loowGjcPDcordUF%2Fy0nuaZ%2B4jJd202wWTq0PM2TpeY%2BoKbqFTr0%2FV1woinEUz3D%2FwgJAw7Y1XtsOWfjKby%2BuMDgS%2BMFayvLhA9TZtoLS48uZnjLiespOuIE2IkvuZhZnkx6PHt4cZeZ1SAxeSuFoDQEhovtA%2FI%2FBxYiD", "https://vtbehaviour.commondatastorage.googleapis.com/0004798a5b6d5acda9800dd63873e148c69a309fb275835c429c149e9291ebb0_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479619&Signature=WpCRMDToBbPACvuqYzQGmlMg%2FCkBnFTggqFGmmHaglzN9je5VnjDj30wCq7SSw8SWLscjkCPrfuD0EkYJ1xfXntJlcl9KGGr9jNB4fQXuEEUiE8yj6v4SfACfYhIMlNi0o9CaPCfIxb6jUfMN0WYJVqhLqCq94ITVIzKXxwLwX9TrDoUTaKE11foz4kq9Nu6aN7N%2Fi1VAbrEfS97t1E3b6aKXBvTBJ044lERzuMh0QVmYirWkUgeK3h5qu", "https://vtbehaviour.commondatastorage.googleapis.com/07189d16eb2fb450654c56bf99f8e74d3837872d805e2ef6ec0fa2ad0186d57b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479748&Signature=bmCNstJ9sHQgsE7ftRhH0aIPUmBBHkP2qQ3rHVpByPWgffnrKG52ag1t9RW3%2FetCVEJOqM7QIcRAmh2I%2FKAe9kYjPuhl2PVAXTMHY5HnJO1JMOSKNlqLkhdHaCne1MWQgI3tQyu4o1WsLFozD6GltOMnKU0HtbToD%2BlbPwr6Tgfg30chrrVniGrmRioP6BcmXUHwIHVqrZMTvxE16%2BqF3jilzlc%2F6%2BD4By7PNkd0GYCgQ4il2L", "https://vtbehaviour.commondatastorage.googleapis.com/07189d16eb2fb450654c56bf99f8e74d3837872d805e2ef6ec0fa2ad0186d57b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479907&Signature=iueIcUDv9RIYkBRQtii5Jfuv%2BeG9yJAR5YXQn2gInk3FCxuCJZ%2B13LeDjwijF7yPbTVrC1wNPnJ%2FVbq1cmlXyNO8tlv%2B8elIQFS54gR8nAVRGN4LU1dNoeO32%2FO66F3pXxP0eqqMU%2FQP3gtxgj1DgdO30ZFIiCgg%2Fg9D%2FSKKj5Xv2mPG46PvAmIwtW3nOKCQG90FTtbSkmUqlKz3F8OM0vxczYYlKKqT9NEwz9wpPFDE2cfWdMv0ir" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 194, "CIDR": 63, "FileHash-MD5": 397, "FileHash-SHA1": 112, "FileHash-SHA256": 506, "URL": 500, "domain": 152, "email": 19, "hostname": 624, "CVE": 1, "IPv6": 53, "Mutex": 1, "URI": 1 }, "indicator_count": 2623, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "8 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a10b5eb25a8421d03c37021", "name": "Full Circle: The Banking Trojan | Wiper | Emotet * CAPE Sandbox", "description": "[It was supposed to be a simple question, but it turns out the question is more of a Q for the rest of the year: is it really possible to do it all on a computer?] As evidenced by another researcher I am validating their findings, \"\t\nuserlolxxl has commented on one of your pulses (\"don't save her\" a continued message * CAPE Sandbox).\nhttps://www.virustotal.com/gui/file/0005c1a0f0dd0df76abbabf5f3f9303e46639dc29181b907388cf95a919bfdc5/behavior][https://www.virustotal.com/gui/domain/dvtec2.com.ua/relations, communicating files mail server domain mail[.]dvtec2[.]com[.]ua resolves https://www.virustotal.com/gui/ip-address/185.104.44.17/relations\"", "modified": "2026-05-22T20:00:43.360000", "created": "2026-05-22T20:00:43.360000", "tags": [ "table", "postfix", "eest", "tbody", "span", "deliveredto", "bayesspam", "fromeqenvfrom", "fromhasdn", "ipreputation", "date", "title", "nextron", "word", "file type", "ascii text", "crlf line", "sigma", "mitre attack", "network info", "dropped info", "use short", "name path", "windows folder", "next", "kyiv registrant", "country", "server", "hosting ukraine", "registrar", "kyiv", "query time", "uaepp name", "internet invest", "whois privacy", "domain name", "thumbprint", "algorithm", "key identifier", "x509v3 subject", "v3 serial", "number", "cus olet", "encrypt cnr13", "validity", "subject public", "key info", "key algorithm", "x509v3 key", "encrypt cnr11", "encrypt cnr10", "encrypt cnr3", "aaaa", "utf8", "rsapss", "sha256", "esmtps id", "e41f26401ec", "office", "esmtps", "https", "creates", "tls version", "dbe4b640081", "esmtp id", "ebe855402e7", "system number", "label hosting", "ukraine ltd", "registry ripe", "ncc country", "ua continent", "handle", "address range", "cidr", "network name", "type", "assigned pa", "status", "whois server", "po box", "kiev", "ukraine adminc", "ripe", "filtered route", "default", "shell folders", "inprocserver32", "parent pid", "full path", "command line", "cname", "folders", "accept", "gmt ifnonematch", "shutdown", "config", "contact domain", "holder", "available from", "kiev region", "code", "llc admin", "icann whois", "registry tech", "form", "tech", "ripe ncc", "as200000 city", "abuse contact", "orgid", "address", "orgabuseref", "ripe network", "postalcode", "overview", "banned", "malicious", "duration cuckoo", "version file", "machine label", "manager", "malware config", "type emotet", "jenny", "esmtp", "adumitriu", "xagvyej", "jenny green", "subject", "hello", "kind", "gsd support", "drops", "internet", "http", "performs dns", "yara", "t1055 process", "persistence", "emotet", "02025", "apple", "enterprise", "united", "traces back to usa", "bankers trojan" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/0005c1a0f0dd0df76abbabf5f3f9303e46639dc29181b907388cf95a919bfdc5_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779476594&Signature=fzxKLlFs1nX8XZjUhCUYy%2FXq%2BwKSl9us6JE%2B6ybuD2FB%2FYxHrjhDmT9VA5jX2vGWh725B%2BnYbuerqS9lI%2F8VsqMEVyltTKup7tinRnxTlmAkvdR11q1URUz8G4eG2JBbqZQskKhGuyGFFaYcsd8HNCN0TciN%2FtnC7U6zsNLv5liPDSKcVQz%2BS8G%2BQgyKgUkFiDUzhh%2Bx3JmKYfMY%2BuATVgXkEO7tY5iUxWbeFaRQ", "https://vtbehaviour.commondatastorage.googleapis.com/0005c1a0f0dd0df76abbabf5f3f9303e46639dc29181b907388cf95a919bfdc5_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779476914&Signature=X%2BOI3H%2FhLCU6Z%2F1GBGeuHFZRK3ck%2F3ttuukxC9jkM6ChhfbI%2FA1B8wEWIwO3h96ZxdDqMrsNjxYMiLiR6opmt04q6bXr19bw%2FpyqffAlGgyH54NTOd4W4V3vDgDFVAGlgpSWKilpUvZBouT8vWgFh5nQFhBU6V20hA57B%2Fhmh1Aq%2BUqGFi7L8FIinUhUSZqM3dbGkPkOTDCHk8XXTVOTXYm9fdX11WaxFSstQhydC32aNVttDxddQq", "https://vtbehaviour.commondatastorage.googleapis.com/630e1dd423feb4af15dacd299d62785b95c7d5035c8b3421063dfce922a2fd3b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779478165&Signature=xvYPy6urLZRp%2FNUIglcpTZ0dKgiAf0xVeGpcDY6QnttpRbDj60kaBIj%2BlQ7gSNFBABi4TsYhQ8Oab6Veo9YSujwQeYnWD6EOnRArLf%2FJCOinlHjRbeW9JhWDB88Ep9ubdyeX9iEzaVYcrgTM9gbJMkTbkLw8SXIYr6IZjL3FPomuELP3w937ZduHHsp04xawdI7LB9VKdH%2Fywmv9qcB5YW3f0xJLO%2B5T2QElaJl99Lq5rur58jp%", "https://vtbehaviour.commondatastorage.googleapis.com/630e1dd423feb4af15dacd299d62785b95c7d5035c8b3421063dfce922a2fd3b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779478206&Signature=j5W%2BdnmxSjHb3p%2Fg07hockdh4i4KExiX%2FnH9QUCkDbubyww3fKH9eP9kFH3nJ%2BawxWsOUhJj4%2BK9j6gRYzKC%2FR0WWMAh6e6jfYuX26XMp1YZZqTNXEnZfkvNdGRN5Cka6vw57ZRuZcN%2BCL5FaWGOrPxDwpMzTsh9Qo62wyFdNSi%2FiXChrlAlXWNf7zMEV1Pyfp%2B8Q8m7BtO4npImTE4W3Mik%2FSSPXkSvtAFoKMGLDY0%2BCF%2", "https://vtbehaviour.commondatastorage.googleapis.com/4a1710a2798d32efeec6831d8aab90c7f248c65f42d8208dfef211a36152df39_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779478277&Signature=MLz456A289G%2BL07AgpxPfSqG9o6bArnbv7TO4RSMxDAOpOYj4dOVr48Tcm2d7Uv2429ql9Wlgf4JwzE4Ab9wl16mpS13NSJDrZcQbiWKRpE2daAEIHiZIz%2FlxToDBcP3eZl1Hsqps3RXbdJc%2F%2BwHvZ86Wme%2FTqyG5y27%2FgeyLVtaIvt0eXe55FZ1%2BjcTjndNa%2BAa%2BwACuCLG2n030oy6OeHYN1rkEnmnJecXAw51WwAn", "https://vtbehaviour.commondatastorage.googleapis.com/07189d16eb2fb450654c56bf99f8e74d3837872d805e2ef6ec0fa2ad0186d57b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479129&Signature=FkFNyP2vyo5CfTsAq%2BFvrqCMz2bhYkLSlPGBx3U4BCYuvFwMleBhKHrwbpAcEBUML9jIH%2Bg0AxpTZvAiH6CarH4VLy%2BALlnGPb%2F9fqaMkIAlB%2BZREYxsg%2BdNyt0adKXcvsmrcg6H9RespamRZ8V4PFToZjDPps%2FwEzX081rrnFZgikang831fP1Lf5uv4nVUxYnyWDDVkytRx9fFZIYCB5Q37uK5gnHXswTv9%2FDpDkRxtS", "https://vtbehaviour.commondatastorage.googleapis.com/0004798a5b6d5acda9800dd63873e148c69a309fb275835c429c149e9291ebb0_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479661&Signature=XqRv2dzr0tVvYKb8bAfMslLVj5uKfyYWhdnIAajfxfM%2Fu6tzv%2FBNmjzhkDX9tpotmvIQG4QIBqM3loowGjcPDcordUF%2Fy0nuaZ%2B4jJd202wWTq0PM2TpeY%2BoKbqFTr0%2FV1woinEUz3D%2FwgJAw7Y1XtsOWfjKby%2BuMDgS%2BMFayvLhA9TZtoLS48uZnjLiespOuIE2IkvuZhZnkx6PHt4cZeZ1SAxeSuFoDQEhovtA%2FI%2FBxYiD", "https://vtbehaviour.commondatastorage.googleapis.com/0004798a5b6d5acda9800dd63873e148c69a309fb275835c429c149e9291ebb0_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479619&Signature=WpCRMDToBbPACvuqYzQGmlMg%2FCkBnFTggqFGmmHaglzN9je5VnjDj30wCq7SSw8SWLscjkCPrfuD0EkYJ1xfXntJlcl9KGGr9jNB4fQXuEEUiE8yj6v4SfACfYhIMlNi0o9CaPCfIxb6jUfMN0WYJVqhLqCq94ITVIzKXxwLwX9TrDoUTaKE11foz4kq9Nu6aN7N%2Fi1VAbrEfS97t1E3b6aKXBvTBJ044lERzuMh0QVmYirWkUgeK3h5qu", "https://vtbehaviour.commondatastorage.googleapis.com/07189d16eb2fb450654c56bf99f8e74d3837872d805e2ef6ec0fa2ad0186d57b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479748&Signature=bmCNstJ9sHQgsE7ftRhH0aIPUmBBHkP2qQ3rHVpByPWgffnrKG52ag1t9RW3%2FetCVEJOqM7QIcRAmh2I%2FKAe9kYjPuhl2PVAXTMHY5HnJO1JMOSKNlqLkhdHaCne1MWQgI3tQyu4o1WsLFozD6GltOMnKU0HtbToD%2BlbPwr6Tgfg30chrrVniGrmRioP6BcmXUHwIHVqrZMTvxE16%2BqF3jilzlc%2F6%2BD4By7PNkd0GYCgQ4il2L", "https://vtbehaviour.commondatastorage.googleapis.com/07189d16eb2fb450654c56bf99f8e74d3837872d805e2ef6ec0fa2ad0186d57b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479907&Signature=iueIcUDv9RIYkBRQtii5Jfuv%2BeG9yJAR5YXQn2gInk3FCxuCJZ%2B13LeDjwijF7yPbTVrC1wNPnJ%2FVbq1cmlXyNO8tlv%2B8elIQFS54gR8nAVRGN4LU1dNoeO32%2FO66F3pXxP0eqqMU%2FQP3gtxgj1DgdO30ZFIiCgg%2Fg9D%2FSKKj5Xv2mPG46PvAmIwtW3nOKCQG90FTtbSkmUqlKz3F8OM0vxczYYlKKqT9NEwz9wpPFDE2cfWdMv0ir" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 194, "CIDR": 63, "FileHash-MD5": 397, "FileHash-SHA1": 112, "FileHash-SHA256": 506, "URL": 500, "domain": 152, "email": 19, "hostname": 624, "CVE": 1, "IPv6": 53, "Mutex": 1, "URI": 1 }, "indicator_count": 2623, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "8 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a10b5eae1aa45c197c5f4cd", "name": "Full Circle: The Banking Trojan | Wiper | Emotet * CAPE Sandbox", "description": "[It was supposed to be a simple question, but it turns out the question is more of a Q for the rest of the year: is it really possible to do it all on a computer?] As evidenced by another researcher I am validating their findings, \"\t\nuserlolxxl has commented on one of your pulses (\"don't save her\" a continued message * CAPE Sandbox).\nhttps://www.virustotal.com/gui/file/0005c1a0f0dd0df76abbabf5f3f9303e46639dc29181b907388cf95a919bfdc5/behavior][https://www.virustotal.com/gui/domain/dvtec2.com.ua/relations, communicating files mail server domain mail[.]dvtec2[.]com[.]ua resolves https://www.virustotal.com/gui/ip-address/185.104.44.17/relations\"", "modified": "2026-05-22T20:00:42.869000", "created": "2026-05-22T20:00:42.869000", "tags": [ "table", "postfix", "eest", "tbody", "span", "deliveredto", "bayesspam", "fromeqenvfrom", "fromhasdn", "ipreputation", "date", "title", "nextron", "word", "file type", "ascii text", "crlf line", "sigma", "mitre attack", "network info", "dropped info", "use short", "name path", "windows folder", "next", "kyiv registrant", "country", "server", "hosting ukraine", "registrar", "kyiv", "query time", "uaepp name", "internet invest", "whois privacy", "domain name", "thumbprint", "algorithm", "key identifier", "x509v3 subject", "v3 serial", "number", "cus olet", "encrypt cnr13", "validity", "subject public", "key info", "key algorithm", "x509v3 key", "encrypt cnr11", "encrypt cnr10", "encrypt cnr3", "aaaa", "utf8", "rsapss", "sha256", "esmtps id", "e41f26401ec", "office", "esmtps", "https", "creates", "tls version", "dbe4b640081", "esmtp id", "ebe855402e7", "system number", "label hosting", "ukraine ltd", "registry ripe", "ncc country", "ua continent", "handle", "address range", "cidr", "network name", "type", "assigned pa", "status", "whois server", "po box", "kiev", "ukraine adminc", "ripe", "filtered route", "default", "shell folders", "inprocserver32", "parent pid", "full path", "command line", "cname", "folders", "accept", "gmt ifnonematch", "shutdown", "config", "contact domain", "holder", "available from", "kiev region", "code", "llc admin", "icann whois", "registry tech", "form", "tech", "ripe ncc", "as200000 city", "abuse contact", "orgid", "address", "orgabuseref", "ripe network", "postalcode", "overview", "banned", "malicious", "duration cuckoo", "version file", "machine label", "manager", "malware config", "type emotet", "jenny", "esmtp", "adumitriu", "xagvyej", "jenny green", "subject", "hello", "kind", "gsd support", "drops", "internet", "http", "performs dns", "yara", "t1055 process", "persistence", "emotet", "02025", "apple", "enterprise", "united", "traces back to usa", "bankers trojan" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/0005c1a0f0dd0df76abbabf5f3f9303e46639dc29181b907388cf95a919bfdc5_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779476594&Signature=fzxKLlFs1nX8XZjUhCUYy%2FXq%2BwKSl9us6JE%2B6ybuD2FB%2FYxHrjhDmT9VA5jX2vGWh725B%2BnYbuerqS9lI%2F8VsqMEVyltTKup7tinRnxTlmAkvdR11q1URUz8G4eG2JBbqZQskKhGuyGFFaYcsd8HNCN0TciN%2FtnC7U6zsNLv5liPDSKcVQz%2BS8G%2BQgyKgUkFiDUzhh%2Bx3JmKYfMY%2BuATVgXkEO7tY5iUxWbeFaRQ", "https://vtbehaviour.commondatastorage.googleapis.com/0005c1a0f0dd0df76abbabf5f3f9303e46639dc29181b907388cf95a919bfdc5_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779476914&Signature=X%2BOI3H%2FhLCU6Z%2F1GBGeuHFZRK3ck%2F3ttuukxC9jkM6ChhfbI%2FA1B8wEWIwO3h96ZxdDqMrsNjxYMiLiR6opmt04q6bXr19bw%2FpyqffAlGgyH54NTOd4W4V3vDgDFVAGlgpSWKilpUvZBouT8vWgFh5nQFhBU6V20hA57B%2Fhmh1Aq%2BUqGFi7L8FIinUhUSZqM3dbGkPkOTDCHk8XXTVOTXYm9fdX11WaxFSstQhydC32aNVttDxddQq", "https://vtbehaviour.commondatastorage.googleapis.com/630e1dd423feb4af15dacd299d62785b95c7d5035c8b3421063dfce922a2fd3b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779478165&Signature=xvYPy6urLZRp%2FNUIglcpTZ0dKgiAf0xVeGpcDY6QnttpRbDj60kaBIj%2BlQ7gSNFBABi4TsYhQ8Oab6Veo9YSujwQeYnWD6EOnRArLf%2FJCOinlHjRbeW9JhWDB88Ep9ubdyeX9iEzaVYcrgTM9gbJMkTbkLw8SXIYr6IZjL3FPomuELP3w937ZduHHsp04xawdI7LB9VKdH%2Fywmv9qcB5YW3f0xJLO%2B5T2QElaJl99Lq5rur58jp%", "https://vtbehaviour.commondatastorage.googleapis.com/630e1dd423feb4af15dacd299d62785b95c7d5035c8b3421063dfce922a2fd3b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779478206&Signature=j5W%2BdnmxSjHb3p%2Fg07hockdh4i4KExiX%2FnH9QUCkDbubyww3fKH9eP9kFH3nJ%2BawxWsOUhJj4%2BK9j6gRYzKC%2FR0WWMAh6e6jfYuX26XMp1YZZqTNXEnZfkvNdGRN5Cka6vw57ZRuZcN%2BCL5FaWGOrPxDwpMzTsh9Qo62wyFdNSi%2FiXChrlAlXWNf7zMEV1Pyfp%2B8Q8m7BtO4npImTE4W3Mik%2FSSPXkSvtAFoKMGLDY0%2BCF%2", "https://vtbehaviour.commondatastorage.googleapis.com/4a1710a2798d32efeec6831d8aab90c7f248c65f42d8208dfef211a36152df39_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779478277&Signature=MLz456A289G%2BL07AgpxPfSqG9o6bArnbv7TO4RSMxDAOpOYj4dOVr48Tcm2d7Uv2429ql9Wlgf4JwzE4Ab9wl16mpS13NSJDrZcQbiWKRpE2daAEIHiZIz%2FlxToDBcP3eZl1Hsqps3RXbdJc%2F%2BwHvZ86Wme%2FTqyG5y27%2FgeyLVtaIvt0eXe55FZ1%2BjcTjndNa%2BAa%2BwACuCLG2n030oy6OeHYN1rkEnmnJecXAw51WwAn", "https://vtbehaviour.commondatastorage.googleapis.com/07189d16eb2fb450654c56bf99f8e74d3837872d805e2ef6ec0fa2ad0186d57b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479129&Signature=FkFNyP2vyo5CfTsAq%2BFvrqCMz2bhYkLSlPGBx3U4BCYuvFwMleBhKHrwbpAcEBUML9jIH%2Bg0AxpTZvAiH6CarH4VLy%2BALlnGPb%2F9fqaMkIAlB%2BZREYxsg%2BdNyt0adKXcvsmrcg6H9RespamRZ8V4PFToZjDPps%2FwEzX081rrnFZgikang831fP1Lf5uv4nVUxYnyWDDVkytRx9fFZIYCB5Q37uK5gnHXswTv9%2FDpDkRxtS", "https://vtbehaviour.commondatastorage.googleapis.com/0004798a5b6d5acda9800dd63873e148c69a309fb275835c429c149e9291ebb0_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479661&Signature=XqRv2dzr0tVvYKb8bAfMslLVj5uKfyYWhdnIAajfxfM%2Fu6tzv%2FBNmjzhkDX9tpotmvIQG4QIBqM3loowGjcPDcordUF%2Fy0nuaZ%2B4jJd202wWTq0PM2TpeY%2BoKbqFTr0%2FV1woinEUz3D%2FwgJAw7Y1XtsOWfjKby%2BuMDgS%2BMFayvLhA9TZtoLS48uZnjLiespOuIE2IkvuZhZnkx6PHt4cZeZ1SAxeSuFoDQEhovtA%2FI%2FBxYiD", "https://vtbehaviour.commondatastorage.googleapis.com/0004798a5b6d5acda9800dd63873e148c69a309fb275835c429c149e9291ebb0_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479619&Signature=WpCRMDToBbPACvuqYzQGmlMg%2FCkBnFTggqFGmmHaglzN9je5VnjDj30wCq7SSw8SWLscjkCPrfuD0EkYJ1xfXntJlcl9KGGr9jNB4fQXuEEUiE8yj6v4SfACfYhIMlNi0o9CaPCfIxb6jUfMN0WYJVqhLqCq94ITVIzKXxwLwX9TrDoUTaKE11foz4kq9Nu6aN7N%2Fi1VAbrEfS97t1E3b6aKXBvTBJ044lERzuMh0QVmYirWkUgeK3h5qu", "https://vtbehaviour.commondatastorage.googleapis.com/07189d16eb2fb450654c56bf99f8e74d3837872d805e2ef6ec0fa2ad0186d57b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479748&Signature=bmCNstJ9sHQgsE7ftRhH0aIPUmBBHkP2qQ3rHVpByPWgffnrKG52ag1t9RW3%2FetCVEJOqM7QIcRAmh2I%2FKAe9kYjPuhl2PVAXTMHY5HnJO1JMOSKNlqLkhdHaCne1MWQgI3tQyu4o1WsLFozD6GltOMnKU0HtbToD%2BlbPwr6Tgfg30chrrVniGrmRioP6BcmXUHwIHVqrZMTvxE16%2BqF3jilzlc%2F6%2BD4By7PNkd0GYCgQ4il2L", "https://vtbehaviour.commondatastorage.googleapis.com/07189d16eb2fb450654c56bf99f8e74d3837872d805e2ef6ec0fa2ad0186d57b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479907&Signature=iueIcUDv9RIYkBRQtii5Jfuv%2BeG9yJAR5YXQn2gInk3FCxuCJZ%2B13LeDjwijF7yPbTVrC1wNPnJ%2FVbq1cmlXyNO8tlv%2B8elIQFS54gR8nAVRGN4LU1dNoeO32%2FO66F3pXxP0eqqMU%2FQP3gtxgj1DgdO30ZFIiCgg%2Fg9D%2FSKKj5Xv2mPG46PvAmIwtW3nOKCQG90FTtbSkmUqlKz3F8OM0vxczYYlKKqT9NEwz9wpPFDE2cfWdMv0ir" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 194, "CIDR": 63, "FileHash-MD5": 397, "FileHash-SHA1": 112, "FileHash-SHA256": 506, "URL": 500, "domain": 152, "email": 19, "hostname": 624, "CVE": 1, "IPv6": 53, "Mutex": 1, "URI": 1 }, "indicator_count": 2623, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "8 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a100b5a7b1e843e08b7f57b", "name": "\"don't save her\" a continued message * CAPE Sandbox", "description": "[sample of the Pigeonhole Sieve malware has been found in the X-Sieve R system, designed to detect and prevent the spread of malicious software, which is currently being used by Microsoft Office.] -pretext", "modified": "2026-05-22T08:00:01.133000", "created": "2026-05-22T07:52:58.704000", "tags": [ "table", "postfix", "eest", "tbody", "span", "deliveredto", "bayesspam", "fromeqenvfrom", "fromhasdn", "ipreputation", "date", "title", "file type", "ascii text", "crlf line", "sigma", "mitre attack", "network info", "dropped info", "use short", "name path", "windows folder", "defense evasion", "next", "wednesday", "january", "extra info", "attack network", "info dropped", "geospatial endpoints" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/0005c1a0f0dd0df76abbabf5f3f9303e46639dc29181b907388cf95a919bfdc5_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779435695&Signature=UoqeOvA3l0SmZPLGLkJ4n7oue%2FoXBTcyhLy5g1zr97R1z9EBf2vAXrsnA8mHkedBOo0cd7lQhlV4QLek1AiAP4Z%2F9XgN%2FgaAo3L%2FP0tI1NFNb5lJ9mZ4YQ5aVcF1jYBD4bluT9%2BjUQaRIkFHR4w4OIpWVuJOGdkbT7UxU%2BgyPR3o2Ij%2Fli0GfJO%2B%2B2KMpTnBE0mWDM%2BrEThJKW2Ty5flTxONg4m7toLl7%2BspvX1Q", "https://vtbehaviour.commondatastorage.googleapis.com/0005c1a0f0dd0df76abbabf5f3f9303e46639dc29181b907388cf95a919bfdc5_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779435775&Signature=AkieU7eRCNrzND0lejy10HFR7OdRvNqyswrKIdggTIg6w4naejOYYwut39HnOup0%2BqQcIl4AJ6iCv7BrJuqNoIe3WuL3S3c9To36FuiNd2aOBRNZcN9gHBz7GSvTlAnmNNOt9OIZbdryCE4RnMJA4q7aOGLAd3dJzbXxC1sLLrpBBY0wTeb7cvNcLLEuJzsk9AQw8m9nZ%2BMfQJB8hWxaWNXySZkIl%2Fkufg7NdeYBFT4YXsi2gxWg0UruP%2FFYE8", "https://vtbehaviour.commondatastorage.googleapis.com/0002412eddb6f812afb3e131d7e801536cb4ff8a410a6d6c6bc559fdb3546116_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779436484&Signature=Pr1pfaimFPZRbQFRLBhpICwKcQGlnx4U5y%2FQZiFEs%2BMGp9zOdmylpsondhJ%2FoJg6NIwY9%2Bk2v9SRh8rgNd2aefaWARh%2ByYvcCFEELbz7cf%2F2f128%2FN%2BsNKOuiRC2JFyN37Wq2hSLt9NYUERhB0THMCMQtw1axrtOHh9CLz3YZ%2BdO7E%2B3g1aOrD3sDAwOgmWR9n9pk%2Fj55fIyJqPDU80OB1RXmaU4XNnEIBA69dpnuj57WGWd" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 36, "CIDR": 1, "FileHash-MD5": 273, "FileHash-SHA1": 30, "FileHash-SHA256": 46, "URL": 137, "domain": 5, "email": 3, "hostname": 165 }, "indicator_count": 696, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "9 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a100b5a4fbd55e1c62e2a34", "name": "\"don't save her\" a continued message * CAPE Sandbox", "description": "[sample of the Pigeonhole Sieve malware has been found in the X-Sieve R system, designed to detect and prevent the spread of malicious software, which is currently being used by Microsoft Office.] -pretext", "modified": "2026-05-22T07:52:58.211000", "created": "2026-05-22T07:52:58.211000", "tags": [ "table", "postfix", "eest", "tbody", "span", "deliveredto", "bayesspam", "fromeqenvfrom", "fromhasdn", "ipreputation", "date", "title", "file type", "ascii text", "crlf line", "sigma", "mitre attack", "network info", "dropped info", "use short", "name path", "windows folder", "defense evasion", "next", "wednesday", "january", "extra info", "attack network", "info dropped", "geospatial endpoints" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/0005c1a0f0dd0df76abbabf5f3f9303e46639dc29181b907388cf95a919bfdc5_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779435695&Signature=UoqeOvA3l0SmZPLGLkJ4n7oue%2FoXBTcyhLy5g1zr97R1z9EBf2vAXrsnA8mHkedBOo0cd7lQhlV4QLek1AiAP4Z%2F9XgN%2FgaAo3L%2FP0tI1NFNb5lJ9mZ4YQ5aVcF1jYBD4bluT9%2BjUQaRIkFHR4w4OIpWVuJOGdkbT7UxU%2BgyPR3o2Ij%2Fli0GfJO%2B%2B2KMpTnBE0mWDM%2BrEThJKW2Ty5flTxONg4m7toLl7%2BspvX1Q", "https://vtbehaviour.commondatastorage.googleapis.com/0005c1a0f0dd0df76abbabf5f3f9303e46639dc29181b907388cf95a919bfdc5_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779435775&Signature=AkieU7eRCNrzND0lejy10HFR7OdRvNqyswrKIdggTIg6w4naejOYYwut39HnOup0%2BqQcIl4AJ6iCv7BrJuqNoIe3WuL3S3c9To36FuiNd2aOBRNZcN9gHBz7GSvTlAnmNNOt9OIZbdryCE4RnMJA4q7aOGLAd3dJzbXxC1sLLrpBBY0wTeb7cvNcLLEuJzsk9AQw8m9nZ%2BMfQJB8hWxaWNXySZkIl%2Fkufg7NdeYBFT4YXsi2gxWg0UruP%2FFYE8", "https://vtbehaviour.commondatastorage.googleapis.com/0002412eddb6f812afb3e131d7e801536cb4ff8a410a6d6c6bc559fdb3546116_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779436484&Signature=Pr1pfaimFPZRbQFRLBhpICwKcQGlnx4U5y%2FQZiFEs%2BMGp9zOdmylpsondhJ%2FoJg6NIwY9%2Bk2v9SRh8rgNd2aefaWARh%2ByYvcCFEELbz7cf%2F2f128%2FN%2BsNKOuiRC2JFyN37Wq2hSLt9NYUERhB0THMCMQtw1axrtOHh9CLz3YZ%2BdO7E%2B3g1aOrD3sDAwOgmWR9n9pk%2Fj55fIyJqPDU80OB1RXmaU4XNnEIBA69dpnuj57WGWd" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 30, "CIDR": 1, "FileHash-MD5": 273, "FileHash-SHA1": 27, "FileHash-SHA256": 43, "URL": 131, "domain": 5, "email": 3, "hostname": 156 }, "indicator_count": 669, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "9 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a100b5a2838b1cc50ba5360", "name": "\"don't save her\" a continued message * CAPE Sandbox", "description": "[sample of the Pigeonhole Sieve malware has been found in the X-Sieve R system, designed to detect and prevent the spread of malicious software, which is currently being used by Microsoft Office.] -pretext", "modified": "2026-05-22T07:52:57.995000", "created": "2026-05-22T07:52:57.995000", "tags": [ "table", "postfix", "eest", "tbody", "span", "deliveredto", "bayesspam", "fromeqenvfrom", "fromhasdn", "ipreputation", "date", "title", "file type", "ascii text", "crlf line", "sigma", "mitre attack", "network info", "dropped info", "use short", "name path", "windows folder", "defense evasion", "next", "wednesday", "january", "extra info", "attack network", "info dropped", "geospatial endpoints" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/0005c1a0f0dd0df76abbabf5f3f9303e46639dc29181b907388cf95a919bfdc5_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779435695&Signature=UoqeOvA3l0SmZPLGLkJ4n7oue%2FoXBTcyhLy5g1zr97R1z9EBf2vAXrsnA8mHkedBOo0cd7lQhlV4QLek1AiAP4Z%2F9XgN%2FgaAo3L%2FP0tI1NFNb5lJ9mZ4YQ5aVcF1jYBD4bluT9%2BjUQaRIkFHR4w4OIpWVuJOGdkbT7UxU%2BgyPR3o2Ij%2Fli0GfJO%2B%2B2KMpTnBE0mWDM%2BrEThJKW2Ty5flTxONg4m7toLl7%2BspvX1Q", "https://vtbehaviour.commondatastorage.googleapis.com/0005c1a0f0dd0df76abbabf5f3f9303e46639dc29181b907388cf95a919bfdc5_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779435775&Signature=AkieU7eRCNrzND0lejy10HFR7OdRvNqyswrKIdggTIg6w4naejOYYwut39HnOup0%2BqQcIl4AJ6iCv7BrJuqNoIe3WuL3S3c9To36FuiNd2aOBRNZcN9gHBz7GSvTlAnmNNOt9OIZbdryCE4RnMJA4q7aOGLAd3dJzbXxC1sLLrpBBY0wTeb7cvNcLLEuJzsk9AQw8m9nZ%2BMfQJB8hWxaWNXySZkIl%2Fkufg7NdeYBFT4YXsi2gxWg0UruP%2FFYE8", "https://vtbehaviour.commondatastorage.googleapis.com/0002412eddb6f812afb3e131d7e801536cb4ff8a410a6d6c6bc559fdb3546116_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779436484&Signature=Pr1pfaimFPZRbQFRLBhpICwKcQGlnx4U5y%2FQZiFEs%2BMGp9zOdmylpsondhJ%2FoJg6NIwY9%2Bk2v9SRh8rgNd2aefaWARh%2ByYvcCFEELbz7cf%2F2f128%2FN%2BsNKOuiRC2JFyN37Wq2hSLt9NYUERhB0THMCMQtw1axrtOHh9CLz3YZ%2BdO7E%2B3g1aOrD3sDAwOgmWR9n9pk%2Fj55fIyJqPDU80OB1RXmaU4XNnEIBA69dpnuj57WGWd" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 30, "CIDR": 1, "FileHash-MD5": 273, "FileHash-SHA1": 27, "FileHash-SHA256": 43, "URL": 131, "domain": 5, "email": 3, "hostname": 156 }, "indicator_count": 669, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "9 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a100b59bb15041d5cfffd88", "name": "\"don't save her\" a continued message * CAPE Sandbox", "description": "[sample of the Pigeonhole Sieve malware has been found in the X-Sieve R system, designed to detect and prevent the spread of malicious software, which is currently being used by Microsoft Office.] -pretext", "modified": "2026-05-22T07:52:57.865000", "created": "2026-05-22T07:52:57.865000", "tags": [ "table", "postfix", "eest", "tbody", "span", "deliveredto", "bayesspam", "fromeqenvfrom", "fromhasdn", "ipreputation", "date", "title", "file type", "ascii text", "crlf line", "sigma", "mitre attack", "network info", "dropped info", "use short", "name path", "windows folder", "defense evasion", "next", "wednesday", "january", "extra info", "attack network", "info dropped", "geospatial endpoints" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/0005c1a0f0dd0df76abbabf5f3f9303e46639dc29181b907388cf95a919bfdc5_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779435695&Signature=UoqeOvA3l0SmZPLGLkJ4n7oue%2FoXBTcyhLy5g1zr97R1z9EBf2vAXrsnA8mHkedBOo0cd7lQhlV4QLek1AiAP4Z%2F9XgN%2FgaAo3L%2FP0tI1NFNb5lJ9mZ4YQ5aVcF1jYBD4bluT9%2BjUQaRIkFHR4w4OIpWVuJOGdkbT7UxU%2BgyPR3o2Ij%2Fli0GfJO%2B%2B2KMpTnBE0mWDM%2BrEThJKW2Ty5flTxONg4m7toLl7%2BspvX1Q", "https://vtbehaviour.commondatastorage.googleapis.com/0005c1a0f0dd0df76abbabf5f3f9303e46639dc29181b907388cf95a919bfdc5_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779435775&Signature=AkieU7eRCNrzND0lejy10HFR7OdRvNqyswrKIdggTIg6w4naejOYYwut39HnOup0%2BqQcIl4AJ6iCv7BrJuqNoIe3WuL3S3c9To36FuiNd2aOBRNZcN9gHBz7GSvTlAnmNNOt9OIZbdryCE4RnMJA4q7aOGLAd3dJzbXxC1sLLrpBBY0wTeb7cvNcLLEuJzsk9AQw8m9nZ%2BMfQJB8hWxaWNXySZkIl%2Fkufg7NdeYBFT4YXsi2gxWg0UruP%2FFYE8", "https://vtbehaviour.commondatastorage.googleapis.com/0002412eddb6f812afb3e131d7e801536cb4ff8a410a6d6c6bc559fdb3546116_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779436484&Signature=Pr1pfaimFPZRbQFRLBhpICwKcQGlnx4U5y%2FQZiFEs%2BMGp9zOdmylpsondhJ%2FoJg6NIwY9%2Bk2v9SRh8rgNd2aefaWARh%2ByYvcCFEELbz7cf%2F2f128%2FN%2BsNKOuiRC2JFyN37Wq2hSLt9NYUERhB0THMCMQtw1axrtOHh9CLz3YZ%2BdO7E%2B3g1aOrD3sDAwOgmWR9n9pk%2Fj55fIyJqPDU80OB1RXmaU4XNnEIBA69dpnuj57WGWd" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 30, "CIDR": 1, "FileHash-MD5": 273, "FileHash-SHA1": 27, "FileHash-SHA256": 43, "URL": 131, "domain": 5, "email": 3, "hostname": 156 }, "indicator_count": 669, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "9 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a100b59a54621b833de1120", "name": "\"don't save her\" a continued message * CAPE Sandbox", "description": "[sample of the Pigeonhole Sieve malware has been found in the X-Sieve R system, designed to detect and prevent the spread of malicious software, which is currently being used by Microsoft Office.] -pretext", "modified": "2026-05-22T07:52:57.606000", "created": "2026-05-22T07:52:57.606000", "tags": [ "table", "postfix", "eest", "tbody", "span", "deliveredto", "bayesspam", "fromeqenvfrom", "fromhasdn", "ipreputation", "date", "title", "file type", "ascii text", "crlf line", "sigma", "mitre attack", "network info", "dropped info", "use short", "name path", "windows folder", "defense evasion", "next", "wednesday", "january", "extra info", "attack network", "info dropped", "geospatial endpoints" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/0005c1a0f0dd0df76abbabf5f3f9303e46639dc29181b907388cf95a919bfdc5_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779435695&Signature=UoqeOvA3l0SmZPLGLkJ4n7oue%2FoXBTcyhLy5g1zr97R1z9EBf2vAXrsnA8mHkedBOo0cd7lQhlV4QLek1AiAP4Z%2F9XgN%2FgaAo3L%2FP0tI1NFNb5lJ9mZ4YQ5aVcF1jYBD4bluT9%2BjUQaRIkFHR4w4OIpWVuJOGdkbT7UxU%2BgyPR3o2Ij%2Fli0GfJO%2B%2B2KMpTnBE0mWDM%2BrEThJKW2Ty5flTxONg4m7toLl7%2BspvX1Q", "https://vtbehaviour.commondatastorage.googleapis.com/0005c1a0f0dd0df76abbabf5f3f9303e46639dc29181b907388cf95a919bfdc5_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779435775&Signature=AkieU7eRCNrzND0lejy10HFR7OdRvNqyswrKIdggTIg6w4naejOYYwut39HnOup0%2BqQcIl4AJ6iCv7BrJuqNoIe3WuL3S3c9To36FuiNd2aOBRNZcN9gHBz7GSvTlAnmNNOt9OIZbdryCE4RnMJA4q7aOGLAd3dJzbXxC1sLLrpBBY0wTeb7cvNcLLEuJzsk9AQw8m9nZ%2BMfQJB8hWxaWNXySZkIl%2Fkufg7NdeYBFT4YXsi2gxWg0UruP%2FFYE8", "https://vtbehaviour.commondatastorage.googleapis.com/0002412eddb6f812afb3e131d7e801536cb4ff8a410a6d6c6bc559fdb3546116_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779436484&Signature=Pr1pfaimFPZRbQFRLBhpICwKcQGlnx4U5y%2FQZiFEs%2BMGp9zOdmylpsondhJ%2FoJg6NIwY9%2Bk2v9SRh8rgNd2aefaWARh%2ByYvcCFEELbz7cf%2F2f128%2FN%2BsNKOuiRC2JFyN37Wq2hSLt9NYUERhB0THMCMQtw1axrtOHh9CLz3YZ%2BdO7E%2B3g1aOrD3sDAwOgmWR9n9pk%2Fj55fIyJqPDU80OB1RXmaU4XNnEIBA69dpnuj57WGWd" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 30, "CIDR": 1, "FileHash-MD5": 273, "FileHash-SHA1": 27, "FileHash-SHA256": 43, "URL": 131, "domain": 5, "email": 3, "hostname": 156 }, "indicator_count": 669, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "9 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "698e93e1ab02db8c49e8c3ed", "name": "\u201cBroken Seal\u201d DocuSign-themed Delivery with Fileless Process Hollowing (Zeppelin/Bloat-A)", "description": "Forensic analysis indicates a DocuSign-themed phishing campaign using a deliberately invalid X.509 PKI seal (\u201cBroken Seal\u201d) to trigger fail-open verification logic in automated handlers. The delivery mechanism bypasses Secure Email Gateway (SEG) reputation checks by using encrypted channels and human-gated infrastructure. The payload is a fileless Process Hollowing (RunPE) malware that injects into RWX memory of legitimate processes to evade disk-based EDR.", "modified": "2026-05-17T15:52:35.396000", "created": "2026-02-13T03:00:49.872000", "tags": [ "Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi", "9698f46495ce9401c8bcaf9a2afe1598", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)", "MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71", "Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link", "DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)" ], "references": [ "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)", "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.", "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess", "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.", "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.", "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)", "Verification failure observed in automated verification handlers during sandbox replay.", "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.", "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.", "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.", "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.", "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).", "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.", "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.", "Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat", "", "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr", "My Independent research finds an intersect between different pdf DV versions being able to connect to Raspberry Pi devices as it was the FCC application document. Risk: Mac ID connectivity to all." ], "public": 1, "adversary": "", "targeted_countries": [ "China", "United States of America", "Spain", "Japan", "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In" ], "TLP": "green", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 28000, "FileHash-SHA256": 48374, "FileHash-MD5": 42596, "FileHash-SHA1": 23243, "hostname": 35654, "URL": 75758, "SSLCertFingerprint": 30, "CVE": 7585, "email": 316, "FileHash-IMPHASH": 8, "CIDR": 26205, "JA3": 1, "URI": 5, "IPv4": 574, "Mutex": 1 }, "indicator_count": 288350, "is_author": false, "is_subscribing": null, "subscriber_count": 92, "modified_text": "13 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69e1f540aa36f336eb92ff53", "name": "VirusTotal report\n for program.exe", "description": "The full text of this year's EU Referendum, which will take place on 26 November, has been published.. and it will not appear on BBC Radio 5 live or on iPlayer.]", "modified": "2026-05-17T08:02:15.940000", "created": "2026-04-17T08:54:24.517000", "tags": [ "executable", "msdos", "pe32 executable", "intel", "ms windows", "dos borland", "generic windos", "dos executable", "pe32 compiler", "borland delphi", "delphi", "file type", "json", "ascii", "ascii text", "drops pe", "pe file", "sample", "persistence", "malicious", "next", "network capture", "wireshark pcap", "next generation", "dump file", "format", "little endian", "pcap", "nothing", "registry keys", "mutexes nothing", "parent pid", "full path", "command line", "files c", "read files", "read registry", "apis nothing", "https", "urls", "creates", "pe32", "sigma", "window", "mailpassview", "default", "mwdb", "bazaar", "sha3384", "ssdeep", "file size", "sha256", "cname", "inprocserver32", "accept", "shutdown", "guard", "darkgate", "windows sandbox", "calls process", "systemroot", "commands", "created", "xcaxdb xcaxdb", "x82xec x82xec", "x83xc4 x83xc4", "xc1 x", "xffu xffu", "x8be x8be", "x81e x81e", "xc4 xc4", "x81i x81i", "xf3x86 xf3x86", "activator", "detail info", "tickcount", "processid", "threadid", "startaddress", "parameter", "offset", "socket", "text", "classname", "behaviour", "class", "shell", "find", "mitre attack", "network info", "processes extra", "program", "t1055 process", "overview", "overview zenbox", "verdict", "guest system", "title", "phishing", "cape sandbox", "t1055", "style", "courier", "ip address", "port", "gmt ifnonematch", "machine summary", "meta", "inter" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/fb83210a8a2d58af1d2fe5edf812be88b5465c130c3e8a091626bc0a2d6452ae_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415519&Signature=e1YxGtIahtkD9VKQTSuo9BFhC4KNicXASSfPf7LiJhYyR2OQOLXoHJjgEUtHCAfeZU7VSacymMfJJhx7M2NXSaPyv5cdsCUWfzeTKwyFqM06pSuq7HqYUJIh2%2BG3bz87h0m%2FMFuU5d0MXdwN9ykL%2FJ8EB4RuyKhfY%2FjBGZMZA0nVn5dQtQ1GySJiLj%2BWsKXQxsYVy%2FBok8h2n2m7EE923RSv%2BkkdQHO3enQf2ikR%2FU%2BtEN4S7xO2", "https://vtbehaviour.commondatastorage.googleapis.com/b71ddf3175c9e6b41f143207c6e74a9c327a362b3a1ce7e0282ceae2ad513b3b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415599&Signature=O7Nc7o9GEFU3sFGIZv58PwBR8rG8MIwYQTmDyTNIUlHEEpmUY2Bttz0797jnr4%2BjT%2BCd1r%2BRad4nV4HLruG5QACAgOnQKjtSn%2FhWNes5q1y2qu46J%2BwCUFqmrr%2BpM6MjMmILZUqSezFzC5Fs%2Fnn4iBIQpYxJ8e4sJMXVIONcDkWLhycQk5rVr%2FV7G6tU0yAkoavXhpyrSGqR2Ee9QAoAXLWdixJ0rLJ85yQxWFr0E%2F7%", "https://vtbehaviour.commondatastorage.googleapis.com/9e4f036dd6fbb45ce414cb5d040b3255b5ccc9ecacbfaf022b631545f9a19a02_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415622&Signature=NJmj0XG%2BcAwpEa26%2B7ucV3CTWcwrSwSV%2BU62aYx0yDVYzZH70ROLK9%2F2lUy0IuC6n88oOTLoikSC4GRgUVypFQpmJoKQpkPvHZ1SfyklCtIWurZJYZvHSZs32JL0l6t3eEwW61xDg%2FICvOFlPQ0Aju7Hk1ntOY82jD%2B9dVw179jdF3A5jzGDrcr7mP17tnwZcOI0pVfF0ZhtbJL6SCHXBce%2BWS5zRxV2VgXHqrGYl0XLgpK6MD30wBFT", "https://vtbehaviour.commondatastorage.googleapis.com/9e4f036dd6fbb45ce414cb5d040b3255b5ccc9ecacbfaf022b631545f9a19a02_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415648&Signature=gOGhlxTumFXkKGryYSeJV8%2BMONZwbp%2BS3ntsErndc02nffG6DHW%2FbU0CVbVSOp3lIZkIt2qx7a%2BTsm2IItEWtGIN55fG14UxsBfo1Gf8bukZC4u5KoQKrVSYuV9aASUd5oCoTo0iIp%2BVCokHRdLbF259Fld%2FjlgJGL%2FVoLiGxXwkbQaxZi5VN94eNl65FMGXLtoVUgbUk3FhXEIuLwwJJU8XnveqbCOzDS9PtPnPO7seXDaK", "https://vtbehaviour.commondatastorage.googleapis.com/9e4f036dd6fbb45ce414cb5d040b3255b5ccc9ecacbfaf022b631545f9a19a02_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415662&Signature=ii4xZZXyeZqty%2B%2BwMuioMf90xxcdXimnQRoYesmvSMUfZNPn9hRsSBoDdFdqtcRFep%2BYsQiF4%2BKaDZPUzloaQ%2FeZkEhJokSi2P1NP1ymoIPZ5j%2F8XwTxCO0c%2BGbA%2BECIOWUC9IlgPTZfdCvd1wQiXe4sa1U0QVwZBDk%2B7GDXDJUVIOH6bc8cAZi8Q4QzBqOTaLamgqF1%2BC5uFbLSShJOLGiBZv6PRiQ2L2qk", "https://vtbehaviour.commondatastorage.googleapis.com/0244cbf1fbf8809c335b9bbd8142c72e3bbb36881e0aacfba6000e0aaa048ba9_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415703&Signature=L2WgcAgR2nm5cyc0SHe8nYGU6Db6r7Cvr%2F9INkp%2ByiPXoTK3tUwxH06Vr3YnW2wDr8eANqgqXGU09YoEUVEKuHs8veU6QWbaN3LrOaICSmq1tlHwJUE7sILNI3MnOjwZvzYeFCMmSLUOQ62k46HzTVnrFNBqaPIUNQiRsQFUz06TVaA9FxXxYKk2brVLRXiNew1RgDlMp%2BM9EnePR06vYsB9QXEgrblE7M51AU%2BpM09%2BGxukEzUG", "https://vtbehaviour.commondatastorage.googleapis.com/1af55649a731abb95d71e2e49693a7bcf87270eb4f8712b747f7e04a0a2a3031_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415762&Signature=4Iu15AELs8158yzYffz716hQ5%2BDY4JHNeJeMzaSmkJrocvfpO7MMmB4MO5Zo%2Bs339dX%2Flb51NK%2Fd3eREGBJkNV3bvbEFaxv1hCO%2Fqge8%2FLnfKLSSRPJ48%2BGAVA22z0gYKvSPfYdGvownSV9GBevxmcIWZ%2F0VK57Mb1gHqvtWKs%2BMGgd4v%2FJJWCmjWx8xLomFVgrpD1boM0PxdVh3X21asN1DplbqcAZ%2Fd5WoOJYic", "https://vtbehaviour.commondatastorage.googleapis.com/00000048b1c9e60c14a6619f0292dea96df7f10c11cfa9ae28693219c0ae844b_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415832&Signature=AOcM9Dc%2B2gUBJnZxuNmagisQ8QYjno4RVZd6DZFo553Ws2tWbJ6lUHXGOGTxLZCRccqXY9h0WhcjRXW4EgojbjJxXCTLq1y%2BtxXjZShlepAg7uq2pbXGsBhUcbpS5Jj0upmosZUCtU4mq8fMyjA0Jufv7u%2F%2FhIwKCp6Q9NIixpAXFwNy8BWn%2FOh6em7B0TwRABvcvTsQC2PO%2FOq5J61VWow6JiR2o97x%2Fm1ChJyz%2FvGTsz", "https://vtbehaviour.commondatastorage.googleapis.com/2490cba406c48127d4f19ec90640181b6fda91960640d126478a6695aab49c4a_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776416015&Signature=evkFEcpvJ0BNlw47zD%2Bgg2ETU%2FGcbGZI3U%2BLCDkaRH4IhSCbgDF9ABajkx7SCAFA2G%2BndDWCzqKkknqPMARKAJk2b5h%2Bu1Gq8uDozkg9GvP8exgs3%2Bw%2F40637%2BmzlgjutElGFcVRMMDWRF5QEvyEDJVUIXmKmLYmKDYM58fBA4IM2VfpV8BB6HJcySkkMk2J4Mhk9nut%2FIrmFjV99WEunuPKfIgnAataXIXzBGZJl2eJK1OEGK19", "https://vtbehaviour.commondatastorage.googleapis.com/2490cba406c48127d4f19ec90640181b6fda91960640d126478a6695aab49c4a_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776416061&Signature=eIQtmFWS2GiSN%2F3bdQCKKOu9%2FiEoDqQYcEtVnvTTBu%2BZ5JFRAyRu7Tgxw5YyVb%2BXK66m6JTN4yIleNl669%2FfdMbOamF6hlF%2FZbucN1etgX%2B8Snq2xrhFN5xZvvWrQukcYlJQnz9s2WSByNnA2Lvi7dn3qQnZMVNcJwWLhL1ayyCBqpiDVaDMGTgQfLrVdec0Xknzzl70Ce70nSgQdxJ4Q%2FSzYtz9Khtk6hyaiBbYxsyiWQ", "https://vtbehaviour.commondatastorage.googleapis.com/fb83210a8a2d58af1d2fe5edf812be88b5465c130c3e8a091626bc0a2d6452ae_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776416202&Signature=f43IRerFiqRQ5ke71WfT2lNFf5Jf60FnKcTCpJGhgnSemoBx1iDNvbOs8rePJYHFEiffIuvjjnquRt51dziCswMktwhg8g7Tl3vVfnoYpuBzv6QT86so9sVcKWOt43wFnzCEH1RWrmQDe2jRBGL2Kvhqi%2B3i2iAFdZWCrxoAJtMJVqGVwXM5S7JnLR%2BklB1A5RQQReOEncgwClqKUHMPrSGjXgH%2FDernerWjOXghDL3V2fJ7EJ" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1200", "name": "Hardware Additions", "display_name": "T1200 - Hardware Additions" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 860, "FileHash-MD5": 180, "FileHash-SHA1": 224, "URL": 639, "hostname": 362, "domain": 107, "email": 2 }, "indicator_count": 2374, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "14 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69e1f540bec93625fc7c7466", "name": "VirusTotal report\n for program.exe", "description": "The full text of this year's EU Referendum, which will take place on 26 November, has been published.. and it will not appear on BBC Radio 5 live or on iPlayer.]", "modified": "2026-05-17T08:02:15.940000", "created": "2026-04-17T08:54:24.226000", "tags": [ "executable", "msdos", "pe32 executable", "intel", "ms windows", "dos borland", "generic windos", "dos executable", "pe32 compiler", "borland delphi", "delphi", "file type", "json", "ascii", "ascii text", "drops pe", "pe file", "sample", "persistence", "malicious", "next", "network capture", "wireshark pcap", "next generation", "dump file", "format", "little endian", "pcap", "nothing", "registry keys", "mutexes nothing", "parent pid", "full path", "command line", "files c", "read files", "read registry", "apis nothing", "https", "urls", "creates", "pe32", "sigma", "window", "mailpassview", "default", "mwdb", "bazaar", "sha3384", "ssdeep", "file size", "sha256", "cname", "inprocserver32", "accept", "shutdown", "guard", "darkgate", "windows sandbox", "calls process", "systemroot", "commands", "created", "xcaxdb xcaxdb", "x82xec x82xec", "x83xc4 x83xc4", "xc1 x", "xffu xffu", "x8be x8be", "x81e x81e", "xc4 xc4", "x81i x81i", "xf3x86 xf3x86", "activator", "detail info", "tickcount", "processid", "threadid", "startaddress", "parameter", "offset", "socket", "text", "classname", "behaviour", "class", "shell", "find", "mitre attack", "network info", "processes extra", "program", "t1055 process", "overview", "overview zenbox", "verdict", "guest system", "title", "phishing", "cape sandbox", "t1055", "style", "courier", "ip address", "port", "gmt ifnonematch", "machine summary", "meta", "inter" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/fb83210a8a2d58af1d2fe5edf812be88b5465c130c3e8a091626bc0a2d6452ae_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415519&Signature=e1YxGtIahtkD9VKQTSuo9BFhC4KNicXASSfPf7LiJhYyR2OQOLXoHJjgEUtHCAfeZU7VSacymMfJJhx7M2NXSaPyv5cdsCUWfzeTKwyFqM06pSuq7HqYUJIh2%2BG3bz87h0m%2FMFuU5d0MXdwN9ykL%2FJ8EB4RuyKhfY%2FjBGZMZA0nVn5dQtQ1GySJiLj%2BWsKXQxsYVy%2FBok8h2n2m7EE923RSv%2BkkdQHO3enQf2ikR%2FU%2BtEN4S7xO2", "https://vtbehaviour.commondatastorage.googleapis.com/b71ddf3175c9e6b41f143207c6e74a9c327a362b3a1ce7e0282ceae2ad513b3b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415599&Signature=O7Nc7o9GEFU3sFGIZv58PwBR8rG8MIwYQTmDyTNIUlHEEpmUY2Bttz0797jnr4%2BjT%2BCd1r%2BRad4nV4HLruG5QACAgOnQKjtSn%2FhWNes5q1y2qu46J%2BwCUFqmrr%2BpM6MjMmILZUqSezFzC5Fs%2Fnn4iBIQpYxJ8e4sJMXVIONcDkWLhycQk5rVr%2FV7G6tU0yAkoavXhpyrSGqR2Ee9QAoAXLWdixJ0rLJ85yQxWFr0E%2F7%", "https://vtbehaviour.commondatastorage.googleapis.com/9e4f036dd6fbb45ce414cb5d040b3255b5ccc9ecacbfaf022b631545f9a19a02_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415622&Signature=NJmj0XG%2BcAwpEa26%2B7ucV3CTWcwrSwSV%2BU62aYx0yDVYzZH70ROLK9%2F2lUy0IuC6n88oOTLoikSC4GRgUVypFQpmJoKQpkPvHZ1SfyklCtIWurZJYZvHSZs32JL0l6t3eEwW61xDg%2FICvOFlPQ0Aju7Hk1ntOY82jD%2B9dVw179jdF3A5jzGDrcr7mP17tnwZcOI0pVfF0ZhtbJL6SCHXBce%2BWS5zRxV2VgXHqrGYl0XLgpK6MD30wBFT", "https://vtbehaviour.commondatastorage.googleapis.com/9e4f036dd6fbb45ce414cb5d040b3255b5ccc9ecacbfaf022b631545f9a19a02_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415648&Signature=gOGhlxTumFXkKGryYSeJV8%2BMONZwbp%2BS3ntsErndc02nffG6DHW%2FbU0CVbVSOp3lIZkIt2qx7a%2BTsm2IItEWtGIN55fG14UxsBfo1Gf8bukZC4u5KoQKrVSYuV9aASUd5oCoTo0iIp%2BVCokHRdLbF259Fld%2FjlgJGL%2FVoLiGxXwkbQaxZi5VN94eNl65FMGXLtoVUgbUk3FhXEIuLwwJJU8XnveqbCOzDS9PtPnPO7seXDaK", "https://vtbehaviour.commondatastorage.googleapis.com/9e4f036dd6fbb45ce414cb5d040b3255b5ccc9ecacbfaf022b631545f9a19a02_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415662&Signature=ii4xZZXyeZqty%2B%2BwMuioMf90xxcdXimnQRoYesmvSMUfZNPn9hRsSBoDdFdqtcRFep%2BYsQiF4%2BKaDZPUzloaQ%2FeZkEhJokSi2P1NP1ymoIPZ5j%2F8XwTxCO0c%2BGbA%2BECIOWUC9IlgPTZfdCvd1wQiXe4sa1U0QVwZBDk%2B7GDXDJUVIOH6bc8cAZi8Q4QzBqOTaLamgqF1%2BC5uFbLSShJOLGiBZv6PRiQ2L2qk", "https://vtbehaviour.commondatastorage.googleapis.com/0244cbf1fbf8809c335b9bbd8142c72e3bbb36881e0aacfba6000e0aaa048ba9_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415703&Signature=L2WgcAgR2nm5cyc0SHe8nYGU6Db6r7Cvr%2F9INkp%2ByiPXoTK3tUwxH06Vr3YnW2wDr8eANqgqXGU09YoEUVEKuHs8veU6QWbaN3LrOaICSmq1tlHwJUE7sILNI3MnOjwZvzYeFCMmSLUOQ62k46HzTVnrFNBqaPIUNQiRsQFUz06TVaA9FxXxYKk2brVLRXiNew1RgDlMp%2BM9EnePR06vYsB9QXEgrblE7M51AU%2BpM09%2BGxukEzUG", "https://vtbehaviour.commondatastorage.googleapis.com/1af55649a731abb95d71e2e49693a7bcf87270eb4f8712b747f7e04a0a2a3031_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415762&Signature=4Iu15AELs8158yzYffz716hQ5%2BDY4JHNeJeMzaSmkJrocvfpO7MMmB4MO5Zo%2Bs339dX%2Flb51NK%2Fd3eREGBJkNV3bvbEFaxv1hCO%2Fqge8%2FLnfKLSSRPJ48%2BGAVA22z0gYKvSPfYdGvownSV9GBevxmcIWZ%2F0VK57Mb1gHqvtWKs%2BMGgd4v%2FJJWCmjWx8xLomFVgrpD1boM0PxdVh3X21asN1DplbqcAZ%2Fd5WoOJYic", "https://vtbehaviour.commondatastorage.googleapis.com/00000048b1c9e60c14a6619f0292dea96df7f10c11cfa9ae28693219c0ae844b_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415832&Signature=AOcM9Dc%2B2gUBJnZxuNmagisQ8QYjno4RVZd6DZFo553Ws2tWbJ6lUHXGOGTxLZCRccqXY9h0WhcjRXW4EgojbjJxXCTLq1y%2BtxXjZShlepAg7uq2pbXGsBhUcbpS5Jj0upmosZUCtU4mq8fMyjA0Jufv7u%2F%2FhIwKCp6Q9NIixpAXFwNy8BWn%2FOh6em7B0TwRABvcvTsQC2PO%2FOq5J61VWow6JiR2o97x%2Fm1ChJyz%2FvGTsz", "https://vtbehaviour.commondatastorage.googleapis.com/2490cba406c48127d4f19ec90640181b6fda91960640d126478a6695aab49c4a_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776416015&Signature=evkFEcpvJ0BNlw47zD%2Bgg2ETU%2FGcbGZI3U%2BLCDkaRH4IhSCbgDF9ABajkx7SCAFA2G%2BndDWCzqKkknqPMARKAJk2b5h%2Bu1Gq8uDozkg9GvP8exgs3%2Bw%2F40637%2BmzlgjutElGFcVRMMDWRF5QEvyEDJVUIXmKmLYmKDYM58fBA4IM2VfpV8BB6HJcySkkMk2J4Mhk9nut%2FIrmFjV99WEunuPKfIgnAataXIXzBGZJl2eJK1OEGK19", "https://vtbehaviour.commondatastorage.googleapis.com/2490cba406c48127d4f19ec90640181b6fda91960640d126478a6695aab49c4a_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776416061&Signature=eIQtmFWS2GiSN%2F3bdQCKKOu9%2FiEoDqQYcEtVnvTTBu%2BZ5JFRAyRu7Tgxw5YyVb%2BXK66m6JTN4yIleNl669%2FfdMbOamF6hlF%2FZbucN1etgX%2B8Snq2xrhFN5xZvvWrQukcYlJQnz9s2WSByNnA2Lvi7dn3qQnZMVNcJwWLhL1ayyCBqpiDVaDMGTgQfLrVdec0Xknzzl70Ce70nSgQdxJ4Q%2FSzYtz9Khtk6hyaiBbYxsyiWQ", "https://vtbehaviour.commondatastorage.googleapis.com/fb83210a8a2d58af1d2fe5edf812be88b5465c130c3e8a091626bc0a2d6452ae_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776416202&Signature=f43IRerFiqRQ5ke71WfT2lNFf5Jf60FnKcTCpJGhgnSemoBx1iDNvbOs8rePJYHFEiffIuvjjnquRt51dziCswMktwhg8g7Tl3vVfnoYpuBzv6QT86so9sVcKWOt43wFnzCEH1RWrmQDe2jRBGL2Kvhqi%2B3i2iAFdZWCrxoAJtMJVqGVwXM5S7JnLR%2BklB1A5RQQReOEncgwClqKUHMPrSGjXgH%2FDernerWjOXghDL3V2fJ7EJ" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1200", "name": "Hardware Additions", "display_name": "T1200 - Hardware Additions" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 686, "FileHash-MD5": 96, "FileHash-SHA1": 136, "URL": 561, "hostname": 316, "domain": 105, "email": 2 }, "indicator_count": 1902, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "14 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69e1f53e6b3e17deca1277b7", "name": "VirusTotal report\n for program.exe", "description": "The full text of this year's EU Referendum, which will take place on 26 November, has been published.. and it will not appear on BBC Radio 5 live or on iPlayer.]", "modified": "2026-05-17T08:02:15.940000", "created": "2026-04-17T08:54:22.034000", "tags": [ "executable", "msdos", "pe32 executable", "intel", "ms windows", "dos borland", "generic windos", "dos executable", "pe32 compiler", "borland delphi", "delphi", "file type", "json", "ascii", "ascii text", "drops pe", "pe file", "sample", "persistence", "malicious", "next", "network capture", "wireshark pcap", "next generation", "dump file", "format", "little endian", "pcap", "nothing", "registry keys", "mutexes nothing", "parent pid", "full path", "command line", "files c", "read files", "read registry", "apis nothing", "https", "urls", "creates", "pe32", "sigma", "window", "mailpassview", "default", "mwdb", "bazaar", "sha3384", "ssdeep", "file size", "sha256", "cname", "inprocserver32", "accept", "shutdown", "guard", "darkgate", "windows sandbox", "calls process", "systemroot", "commands", "created", "xcaxdb xcaxdb", "x82xec x82xec", "x83xc4 x83xc4", "xc1 x", "xffu xffu", "x8be x8be", "x81e x81e", "xc4 xc4", "x81i x81i", "xf3x86 xf3x86", "activator", "detail info", "tickcount", "processid", "threadid", "startaddress", "parameter", "offset", "socket", "text", "classname", "behaviour", "class", "shell", "find", "mitre attack", "network info", "processes extra", "program", "t1055 process", "overview", "overview zenbox", "verdict", "guest system", "title", "phishing", "cape sandbox", "t1055", "style", "courier", "ip address", "port", "gmt ifnonematch", "machine summary", "meta", "inter" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/fb83210a8a2d58af1d2fe5edf812be88b5465c130c3e8a091626bc0a2d6452ae_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415519&Signature=e1YxGtIahtkD9VKQTSuo9BFhC4KNicXASSfPf7LiJhYyR2OQOLXoHJjgEUtHCAfeZU7VSacymMfJJhx7M2NXSaPyv5cdsCUWfzeTKwyFqM06pSuq7HqYUJIh2%2BG3bz87h0m%2FMFuU5d0MXdwN9ykL%2FJ8EB4RuyKhfY%2FjBGZMZA0nVn5dQtQ1GySJiLj%2BWsKXQxsYVy%2FBok8h2n2m7EE923RSv%2BkkdQHO3enQf2ikR%2FU%2BtEN4S7xO2", "https://vtbehaviour.commondatastorage.googleapis.com/b71ddf3175c9e6b41f143207c6e74a9c327a362b3a1ce7e0282ceae2ad513b3b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415599&Signature=O7Nc7o9GEFU3sFGIZv58PwBR8rG8MIwYQTmDyTNIUlHEEpmUY2Bttz0797jnr4%2BjT%2BCd1r%2BRad4nV4HLruG5QACAgOnQKjtSn%2FhWNes5q1y2qu46J%2BwCUFqmrr%2BpM6MjMmILZUqSezFzC5Fs%2Fnn4iBIQpYxJ8e4sJMXVIONcDkWLhycQk5rVr%2FV7G6tU0yAkoavXhpyrSGqR2Ee9QAoAXLWdixJ0rLJ85yQxWFr0E%2F7%", "https://vtbehaviour.commondatastorage.googleapis.com/9e4f036dd6fbb45ce414cb5d040b3255b5ccc9ecacbfaf022b631545f9a19a02_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415622&Signature=NJmj0XG%2BcAwpEa26%2B7ucV3CTWcwrSwSV%2BU62aYx0yDVYzZH70ROLK9%2F2lUy0IuC6n88oOTLoikSC4GRgUVypFQpmJoKQpkPvHZ1SfyklCtIWurZJYZvHSZs32JL0l6t3eEwW61xDg%2FICvOFlPQ0Aju7Hk1ntOY82jD%2B9dVw179jdF3A5jzGDrcr7mP17tnwZcOI0pVfF0ZhtbJL6SCHXBce%2BWS5zRxV2VgXHqrGYl0XLgpK6MD30wBFT", "https://vtbehaviour.commondatastorage.googleapis.com/9e4f036dd6fbb45ce414cb5d040b3255b5ccc9ecacbfaf022b631545f9a19a02_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415648&Signature=gOGhlxTumFXkKGryYSeJV8%2BMONZwbp%2BS3ntsErndc02nffG6DHW%2FbU0CVbVSOp3lIZkIt2qx7a%2BTsm2IItEWtGIN55fG14UxsBfo1Gf8bukZC4u5KoQKrVSYuV9aASUd5oCoTo0iIp%2BVCokHRdLbF259Fld%2FjlgJGL%2FVoLiGxXwkbQaxZi5VN94eNl65FMGXLtoVUgbUk3FhXEIuLwwJJU8XnveqbCOzDS9PtPnPO7seXDaK", "https://vtbehaviour.commondatastorage.googleapis.com/9e4f036dd6fbb45ce414cb5d040b3255b5ccc9ecacbfaf022b631545f9a19a02_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415662&Signature=ii4xZZXyeZqty%2B%2BwMuioMf90xxcdXimnQRoYesmvSMUfZNPn9hRsSBoDdFdqtcRFep%2BYsQiF4%2BKaDZPUzloaQ%2FeZkEhJokSi2P1NP1ymoIPZ5j%2F8XwTxCO0c%2BGbA%2BECIOWUC9IlgPTZfdCvd1wQiXe4sa1U0QVwZBDk%2B7GDXDJUVIOH6bc8cAZi8Q4QzBqOTaLamgqF1%2BC5uFbLSShJOLGiBZv6PRiQ2L2qk", "https://vtbehaviour.commondatastorage.googleapis.com/0244cbf1fbf8809c335b9bbd8142c72e3bbb36881e0aacfba6000e0aaa048ba9_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415703&Signature=L2WgcAgR2nm5cyc0SHe8nYGU6Db6r7Cvr%2F9INkp%2ByiPXoTK3tUwxH06Vr3YnW2wDr8eANqgqXGU09YoEUVEKuHs8veU6QWbaN3LrOaICSmq1tlHwJUE7sILNI3MnOjwZvzYeFCMmSLUOQ62k46HzTVnrFNBqaPIUNQiRsQFUz06TVaA9FxXxYKk2brVLRXiNew1RgDlMp%2BM9EnePR06vYsB9QXEgrblE7M51AU%2BpM09%2BGxukEzUG", "https://vtbehaviour.commondatastorage.googleapis.com/1af55649a731abb95d71e2e49693a7bcf87270eb4f8712b747f7e04a0a2a3031_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415762&Signature=4Iu15AELs8158yzYffz716hQ5%2BDY4JHNeJeMzaSmkJrocvfpO7MMmB4MO5Zo%2Bs339dX%2Flb51NK%2Fd3eREGBJkNV3bvbEFaxv1hCO%2Fqge8%2FLnfKLSSRPJ48%2BGAVA22z0gYKvSPfYdGvownSV9GBevxmcIWZ%2F0VK57Mb1gHqvtWKs%2BMGgd4v%2FJJWCmjWx8xLomFVgrpD1boM0PxdVh3X21asN1DplbqcAZ%2Fd5WoOJYic", "https://vtbehaviour.commondatastorage.googleapis.com/00000048b1c9e60c14a6619f0292dea96df7f10c11cfa9ae28693219c0ae844b_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415832&Signature=AOcM9Dc%2B2gUBJnZxuNmagisQ8QYjno4RVZd6DZFo553Ws2tWbJ6lUHXGOGTxLZCRccqXY9h0WhcjRXW4EgojbjJxXCTLq1y%2BtxXjZShlepAg7uq2pbXGsBhUcbpS5Jj0upmosZUCtU4mq8fMyjA0Jufv7u%2F%2FhIwKCp6Q9NIixpAXFwNy8BWn%2FOh6em7B0TwRABvcvTsQC2PO%2FOq5J61VWow6JiR2o97x%2Fm1ChJyz%2FvGTsz", "https://vtbehaviour.commondatastorage.googleapis.com/2490cba406c48127d4f19ec90640181b6fda91960640d126478a6695aab49c4a_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776416015&Signature=evkFEcpvJ0BNlw47zD%2Bgg2ETU%2FGcbGZI3U%2BLCDkaRH4IhSCbgDF9ABajkx7SCAFA2G%2BndDWCzqKkknqPMARKAJk2b5h%2Bu1Gq8uDozkg9GvP8exgs3%2Bw%2F40637%2BmzlgjutElGFcVRMMDWRF5QEvyEDJVUIXmKmLYmKDYM58fBA4IM2VfpV8BB6HJcySkkMk2J4Mhk9nut%2FIrmFjV99WEunuPKfIgnAataXIXzBGZJl2eJK1OEGK19", "https://vtbehaviour.commondatastorage.googleapis.com/2490cba406c48127d4f19ec90640181b6fda91960640d126478a6695aab49c4a_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776416061&Signature=eIQtmFWS2GiSN%2F3bdQCKKOu9%2FiEoDqQYcEtVnvTTBu%2BZ5JFRAyRu7Tgxw5YyVb%2BXK66m6JTN4yIleNl669%2FfdMbOamF6hlF%2FZbucN1etgX%2B8Snq2xrhFN5xZvvWrQukcYlJQnz9s2WSByNnA2Lvi7dn3qQnZMVNcJwWLhL1ayyCBqpiDVaDMGTgQfLrVdec0Xknzzl70Ce70nSgQdxJ4Q%2FSzYtz9Khtk6hyaiBbYxsyiWQ", "https://vtbehaviour.commondatastorage.googleapis.com/fb83210a8a2d58af1d2fe5edf812be88b5465c130c3e8a091626bc0a2d6452ae_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776416202&Signature=f43IRerFiqRQ5ke71WfT2lNFf5Jf60FnKcTCpJGhgnSemoBx1iDNvbOs8rePJYHFEiffIuvjjnquRt51dziCswMktwhg8g7Tl3vVfnoYpuBzv6QT86so9sVcKWOt43wFnzCEH1RWrmQDe2jRBGL2Kvhqi%2B3i2iAFdZWCrxoAJtMJVqGVwXM5S7JnLR%2BklB1A5RQQReOEncgwClqKUHMPrSGjXgH%2FDernerWjOXghDL3V2fJ7EJ" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1200", "name": "Hardware Additions", "display_name": "T1200 - Hardware Additions" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 686, "FileHash-MD5": 96, "FileHash-SHA1": 136, "URL": 562, "hostname": 313, "domain": 105, "email": 2, "YARA": 1 }, "indicator_count": 1901, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "14 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69e1f52e424e1151ddd9c696", "name": "VirusTotal report\n for program.exe", "description": "The full text of this year's EU Referendum, which will take place on 26 November, has been published.. and it will not appear on BBC Radio 5 live or on iPlayer.]", "modified": "2026-05-17T08:02:15.940000", "created": "2026-04-17T08:54:06.864000", "tags": [ "executable", "msdos", "pe32 executable", "intel", "ms windows", "dos borland", "generic windos", "dos executable", "pe32 compiler", "borland delphi", "delphi", "file type", "json", "ascii", "ascii text", "drops pe", "pe file", "sample", "persistence", "malicious", "next", "network capture", "wireshark pcap", "next generation", "dump file", "format", "little endian", "pcap", "nothing", "registry keys", "mutexes nothing", "parent pid", "full path", "command line", "files c", "read files", "read registry", "apis nothing", "https", "urls", "creates", "pe32", "sigma", "window", "mailpassview", "default", "mwdb", "bazaar", "sha3384", "ssdeep", "file size", "sha256", "cname", "inprocserver32", "accept", "shutdown", "guard", "darkgate", "windows sandbox", "calls process", "systemroot", "commands", "created", "xcaxdb xcaxdb", "x82xec x82xec", "x83xc4 x83xc4", "xc1 x", "xffu xffu", "x8be x8be", "x81e x81e", "xc4 xc4", "x81i x81i", "xf3x86 xf3x86", "activator", "detail info", "tickcount", "processid", "threadid", "startaddress", "parameter", "offset", "socket", "text", "classname", "behaviour", "class", "shell", "find", "mitre attack", "network info", "processes extra", "program", "t1055 process", "overview", "overview zenbox", "verdict", "guest system", "title", "phishing", "cape sandbox", "t1055", "style", "courier", "ip address", "port", "gmt ifnonematch", "machine summary", "meta", "inter" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/fb83210a8a2d58af1d2fe5edf812be88b5465c130c3e8a091626bc0a2d6452ae_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415519&Signature=e1YxGtIahtkD9VKQTSuo9BFhC4KNicXASSfPf7LiJhYyR2OQOLXoHJjgEUtHCAfeZU7VSacymMfJJhx7M2NXSaPyv5cdsCUWfzeTKwyFqM06pSuq7HqYUJIh2%2BG3bz87h0m%2FMFuU5d0MXdwN9ykL%2FJ8EB4RuyKhfY%2FjBGZMZA0nVn5dQtQ1GySJiLj%2BWsKXQxsYVy%2FBok8h2n2m7EE923RSv%2BkkdQHO3enQf2ikR%2FU%2BtEN4S7xO2", "https://vtbehaviour.commondatastorage.googleapis.com/b71ddf3175c9e6b41f143207c6e74a9c327a362b3a1ce7e0282ceae2ad513b3b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415599&Signature=O7Nc7o9GEFU3sFGIZv58PwBR8rG8MIwYQTmDyTNIUlHEEpmUY2Bttz0797jnr4%2BjT%2BCd1r%2BRad4nV4HLruG5QACAgOnQKjtSn%2FhWNes5q1y2qu46J%2BwCUFqmrr%2BpM6MjMmILZUqSezFzC5Fs%2Fnn4iBIQpYxJ8e4sJMXVIONcDkWLhycQk5rVr%2FV7G6tU0yAkoavXhpyrSGqR2Ee9QAoAXLWdixJ0rLJ85yQxWFr0E%2F7%", "https://vtbehaviour.commondatastorage.googleapis.com/9e4f036dd6fbb45ce414cb5d040b3255b5ccc9ecacbfaf022b631545f9a19a02_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415622&Signature=NJmj0XG%2BcAwpEa26%2B7ucV3CTWcwrSwSV%2BU62aYx0yDVYzZH70ROLK9%2F2lUy0IuC6n88oOTLoikSC4GRgUVypFQpmJoKQpkPvHZ1SfyklCtIWurZJYZvHSZs32JL0l6t3eEwW61xDg%2FICvOFlPQ0Aju7Hk1ntOY82jD%2B9dVw179jdF3A5jzGDrcr7mP17tnwZcOI0pVfF0ZhtbJL6SCHXBce%2BWS5zRxV2VgXHqrGYl0XLgpK6MD30wBFT", "https://vtbehaviour.commondatastorage.googleapis.com/9e4f036dd6fbb45ce414cb5d040b3255b5ccc9ecacbfaf022b631545f9a19a02_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415648&Signature=gOGhlxTumFXkKGryYSeJV8%2BMONZwbp%2BS3ntsErndc02nffG6DHW%2FbU0CVbVSOp3lIZkIt2qx7a%2BTsm2IItEWtGIN55fG14UxsBfo1Gf8bukZC4u5KoQKrVSYuV9aASUd5oCoTo0iIp%2BVCokHRdLbF259Fld%2FjlgJGL%2FVoLiGxXwkbQaxZi5VN94eNl65FMGXLtoVUgbUk3FhXEIuLwwJJU8XnveqbCOzDS9PtPnPO7seXDaK", "https://vtbehaviour.commondatastorage.googleapis.com/9e4f036dd6fbb45ce414cb5d040b3255b5ccc9ecacbfaf022b631545f9a19a02_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415662&Signature=ii4xZZXyeZqty%2B%2BwMuioMf90xxcdXimnQRoYesmvSMUfZNPn9hRsSBoDdFdqtcRFep%2BYsQiF4%2BKaDZPUzloaQ%2FeZkEhJokSi2P1NP1ymoIPZ5j%2F8XwTxCO0c%2BGbA%2BECIOWUC9IlgPTZfdCvd1wQiXe4sa1U0QVwZBDk%2B7GDXDJUVIOH6bc8cAZi8Q4QzBqOTaLamgqF1%2BC5uFbLSShJOLGiBZv6PRiQ2L2qk", "https://vtbehaviour.commondatastorage.googleapis.com/0244cbf1fbf8809c335b9bbd8142c72e3bbb36881e0aacfba6000e0aaa048ba9_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415703&Signature=L2WgcAgR2nm5cyc0SHe8nYGU6Db6r7Cvr%2F9INkp%2ByiPXoTK3tUwxH06Vr3YnW2wDr8eANqgqXGU09YoEUVEKuHs8veU6QWbaN3LrOaICSmq1tlHwJUE7sILNI3MnOjwZvzYeFCMmSLUOQ62k46HzTVnrFNBqaPIUNQiRsQFUz06TVaA9FxXxYKk2brVLRXiNew1RgDlMp%2BM9EnePR06vYsB9QXEgrblE7M51AU%2BpM09%2BGxukEzUG", "https://vtbehaviour.commondatastorage.googleapis.com/1af55649a731abb95d71e2e49693a7bcf87270eb4f8712b747f7e04a0a2a3031_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415762&Signature=4Iu15AELs8158yzYffz716hQ5%2BDY4JHNeJeMzaSmkJrocvfpO7MMmB4MO5Zo%2Bs339dX%2Flb51NK%2Fd3eREGBJkNV3bvbEFaxv1hCO%2Fqge8%2FLnfKLSSRPJ48%2BGAVA22z0gYKvSPfYdGvownSV9GBevxmcIWZ%2F0VK57Mb1gHqvtWKs%2BMGgd4v%2FJJWCmjWx8xLomFVgrpD1boM0PxdVh3X21asN1DplbqcAZ%2Fd5WoOJYic", "https://vtbehaviour.commondatastorage.googleapis.com/00000048b1c9e60c14a6619f0292dea96df7f10c11cfa9ae28693219c0ae844b_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415832&Signature=AOcM9Dc%2B2gUBJnZxuNmagisQ8QYjno4RVZd6DZFo553Ws2tWbJ6lUHXGOGTxLZCRccqXY9h0WhcjRXW4EgojbjJxXCTLq1y%2BtxXjZShlepAg7uq2pbXGsBhUcbpS5Jj0upmosZUCtU4mq8fMyjA0Jufv7u%2F%2FhIwKCp6Q9NIixpAXFwNy8BWn%2FOh6em7B0TwRABvcvTsQC2PO%2FOq5J61VWow6JiR2o97x%2Fm1ChJyz%2FvGTsz", "https://vtbehaviour.commondatastorage.googleapis.com/2490cba406c48127d4f19ec90640181b6fda91960640d126478a6695aab49c4a_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776416015&Signature=evkFEcpvJ0BNlw47zD%2Bgg2ETU%2FGcbGZI3U%2BLCDkaRH4IhSCbgDF9ABajkx7SCAFA2G%2BndDWCzqKkknqPMARKAJk2b5h%2Bu1Gq8uDozkg9GvP8exgs3%2Bw%2F40637%2BmzlgjutElGFcVRMMDWRF5QEvyEDJVUIXmKmLYmKDYM58fBA4IM2VfpV8BB6HJcySkkMk2J4Mhk9nut%2FIrmFjV99WEunuPKfIgnAataXIXzBGZJl2eJK1OEGK19", "https://vtbehaviour.commondatastorage.googleapis.com/2490cba406c48127d4f19ec90640181b6fda91960640d126478a6695aab49c4a_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776416061&Signature=eIQtmFWS2GiSN%2F3bdQCKKOu9%2FiEoDqQYcEtVnvTTBu%2BZ5JFRAyRu7Tgxw5YyVb%2BXK66m6JTN4yIleNl669%2FfdMbOamF6hlF%2FZbucN1etgX%2B8Snq2xrhFN5xZvvWrQukcYlJQnz9s2WSByNnA2Lvi7dn3qQnZMVNcJwWLhL1ayyCBqpiDVaDMGTgQfLrVdec0Xknzzl70Ce70nSgQdxJ4Q%2FSzYtz9Khtk6hyaiBbYxsyiWQ", "https://vtbehaviour.commondatastorage.googleapis.com/fb83210a8a2d58af1d2fe5edf812be88b5465c130c3e8a091626bc0a2d6452ae_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776416202&Signature=f43IRerFiqRQ5ke71WfT2lNFf5Jf60FnKcTCpJGhgnSemoBx1iDNvbOs8rePJYHFEiffIuvjjnquRt51dziCswMktwhg8g7Tl3vVfnoYpuBzv6QT86so9sVcKWOt43wFnzCEH1RWrmQDe2jRBGL2Kvhqi%2B3i2iAFdZWCrxoAJtMJVqGVwXM5S7JnLR%2BklB1A5RQQReOEncgwClqKUHMPrSGjXgH%2FDernerWjOXghDL3V2fJ7EJ" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1200", "name": "Hardware Additions", "display_name": "T1200 - Hardware Additions" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 714, "FileHash-MD5": 128, "FileHash-SHA1": 152, "URL": 692, "hostname": 456, "domain": 121, "email": 2, "YARA": 5 }, "indicator_count": 2270, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "14 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69d48d3cfab80e8a75ef85c1", "name": "Free Automated Malware Analysis Service - Falcon Sandbox -", "description": "", "modified": "2026-05-07T04:07:52.917000", "created": "2026-04-07T04:51:08.017000", "tags": [ "ip address", "december", "c2 server", "famous chollima", "hostwinds", "sandbox", "malware", "analysis", "online", "submit", "vxstream", "sample", "download", "trojan", "apt", "threat level", "ansi", "date", "pcap", "pcap processing", "report domain", "report", "sha256", "filepath", "runtime process", "path", "suspicious", "hostile", "hybrid", "accept", "close", "click", "hosts", "malicious", "general", "local", "factory", "strings", "contact", "united", "flag", "germany germany", "enom", "gmt flag", "server", "name server", "contacted hosts", "hybrid analysis", "api key", "vetting process", "please note", "please", "prefetch8 ansi", "show process", "hash seen", "ck id", "win64", "gecko", "mitre att", "comspec", "april", "refresh", "model", "mozi", "window", "dest" ], "references": [ "https://hybrid-analysis.com/sample/4549eed582050392e9cecd9b69f0d8d796fd5132e47a2e8161c4bf76ed176a9e/5e690fae4c892737e7365efe", "https://hybrid-analysis.com/sample/4549eed582050392e9cecd9b69f0d8d796fd5132e47a2e8161c4bf76ed176a9e/5f7728aa32edd97f433dbb02", "https://hybrid-analysis.com/sample/a7a080e1e8bbd8b71a897b4d8d9d549207c2931a5e416c4599fc5cf51fc357c6", "https://hybrid-analysis.com/sample/e05affb84f4d1e1f2fb5f0200d819ffa64e3bc17c9e9b56f46a910b1c08f95e4/69d48a496246d30efa004564" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1035", "name": "Service Execution", "display_name": "T1035 - Service Execution" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 84, "domain": 72, "URL": 113, "FileHash-MD5": 94, "FileHash-SHA1": 68, "email": 2, "hostname": 91, "SSLCertFingerprint": 12 }, "indicator_count": 536, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "24 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69d48d3b4cb631f407faf565", "name": "Free Automated Malware Analysis Service - Falcon Sandbox -", "description": "", "modified": "2026-05-07T04:07:52.917000", "created": "2026-04-07T04:51:07.591000", "tags": [ "ip address", "december", "c2 server", "famous chollima", "hostwinds", "sandbox", "malware", "analysis", "online", "submit", "vxstream", "sample", "download", "trojan", "apt", "threat level", "ansi", "date", "pcap", "pcap processing", "report domain", "report", "sha256", "filepath", "runtime process", "path", "suspicious", "hostile", "hybrid", "accept", "close", "click", "hosts", "malicious", "general", "local", "factory", "strings", "contact", "united", "flag", "germany germany", "enom", "gmt flag", "server", "name server", "contacted hosts", "hybrid analysis", "api key", "vetting process", "please note", "please", "prefetch8 ansi", "show process", "hash seen", "ck id", "win64", "gecko", "mitre att", "comspec", "april", "refresh", "model", "mozi", "window", "dest" ], "references": [ "https://hybrid-analysis.com/sample/4549eed582050392e9cecd9b69f0d8d796fd5132e47a2e8161c4bf76ed176a9e/5e690fae4c892737e7365efe", "https://hybrid-analysis.com/sample/4549eed582050392e9cecd9b69f0d8d796fd5132e47a2e8161c4bf76ed176a9e/5f7728aa32edd97f433dbb02", "https://hybrid-analysis.com/sample/a7a080e1e8bbd8b71a897b4d8d9d549207c2931a5e416c4599fc5cf51fc357c6", "https://hybrid-analysis.com/sample/e05affb84f4d1e1f2fb5f0200d819ffa64e3bc17c9e9b56f46a910b1c08f95e4/69d48a496246d30efa004564" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1035", "name": "Service Execution", "display_name": "T1035 - Service Execution" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 84, "domain": 72, "URL": 112, "FileHash-MD5": 94, "FileHash-SHA1": 68, "email": 2, "hostname": 91, "SSLCertFingerprint": 12 }, "indicator_count": 535, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "24 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69d48d3b4900e932be011875", "name": "Free Automated Malware Analysis Service - Falcon Sandbox -", "description": "", "modified": "2026-05-07T04:07:52.917000", "created": "2026-04-07T04:51:07.162000", "tags": [ "ip address", "december", "c2 server", "famous chollima", "hostwinds", "sandbox", "malware", "analysis", "online", "submit", "vxstream", "sample", "download", "trojan", "apt", "threat level", "ansi", "date", "pcap", "pcap processing", "report domain", "report", "sha256", "filepath", "runtime process", "path", "suspicious", "hostile", "hybrid", "accept", "close", "click", "hosts", "malicious", "general", "local", "factory", "strings", "contact", "united", "flag", "germany germany", "enom", "gmt flag", "server", "name server", "contacted hosts", "hybrid analysis", "api key", "vetting process", "please note", "please", "prefetch8 ansi", "show process", "hash seen", "ck id", "win64", "gecko", "mitre att", "comspec", "april", "refresh", "model", "mozi", "window", "dest" ], "references": [ "https://hybrid-analysis.com/sample/4549eed582050392e9cecd9b69f0d8d796fd5132e47a2e8161c4bf76ed176a9e/5e690fae4c892737e7365efe", "https://hybrid-analysis.com/sample/4549eed582050392e9cecd9b69f0d8d796fd5132e47a2e8161c4bf76ed176a9e/5f7728aa32edd97f433dbb02", "https://hybrid-analysis.com/sample/a7a080e1e8bbd8b71a897b4d8d9d549207c2931a5e416c4599fc5cf51fc357c6", "https://hybrid-analysis.com/sample/e05affb84f4d1e1f2fb5f0200d819ffa64e3bc17c9e9b56f46a910b1c08f95e4/69d48a496246d30efa004564" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1035", "name": "Service Execution", "display_name": "T1035 - Service Execution" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 84, "domain": 72, "URL": 112, "FileHash-MD5": 94, "FileHash-SHA1": 68, "email": 2, "hostname": 91, "SSLCertFingerprint": 12 }, "indicator_count": 535, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "24 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69d2274c68bc029b77ff8b2c", "name": "CAPE Sandbox", "description": "The full text of the full translation of this article:..2.4.3.7.8.6.1.9.5.0., the first of its kind.>>", "modified": "2026-05-05T09:01:42.428000", "created": "2026-04-05T09:11:40.830000", "tags": [ "aaaa", "algorithm", "number", "cgb osectigo", "public server", "ov r36", "validity", "cus sttexas", "oforcepoint llc", "public key", "info", "host name", "handle", "rdap database", "iana registrar", "entity", "dnssec", "yes conformance", "redacted for", "server", "domain status", "privacy billing", "privacy tech", "privacy admin", "email", "postal code", "date", "registrar abuse", "code", "dspm", "forcepoint dlp", "forcepoint", "login", "password", "austin", "texas", "hub customer", "data security", "protect", "organization", "stateprovince", "attempts", "reads", "sha1", "sha256", "mwdb", "bazaar", "sha3384", "crc32", "ssdeep", "checks" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CIDR": 3, "FileHash-SHA256": 685, "domain": 205, "hostname": 426, "FileHash-MD5": 722, "FileHash-SHA1": 348, "URL": 438, "email": 3 }, "indicator_count": 2830, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "26 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69d2273d57ede103894c1943", "name": "CAPE Sandbox", "description": "The full text of the full translation of this article:..2.4.3.7.8.6.1.9.5.0., the first of its kind.>>", "modified": "2026-05-05T09:01:42.428000", "created": "2026-04-05T09:11:25.506000", "tags": [ "aaaa", "algorithm", "number", "cgb osectigo", "public server", "ov r36", "validity", "cus sttexas", "oforcepoint llc", "public key", "info", "host name", "handle", "rdap database", "iana registrar", "entity", "dnssec", "yes conformance", "redacted for", "server", "domain status", "privacy billing", "privacy tech", "privacy admin", "email", "postal code", "date", "registrar abuse", "code", "dspm", "forcepoint dlp", "forcepoint", "login", "password", "austin", "texas", "hub customer", "data security", "protect", "organization", "stateprovince", "attempts", "reads", "sha1", "sha256", "mwdb", "bazaar", "sha3384", "crc32", "ssdeep", "checks" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CIDR": 3, "FileHash-SHA256": 685, "domain": 205, "hostname": 426, "FileHash-MD5": 722, "FileHash-SHA1": 348, "URL": 438, "email": 3 }, "indicator_count": 2830, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "26 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69d2272769a32400c257e7e7", "name": "CAPE Sandbox", "description": "The full text of the full translation of this article:..2.4.3.7.8.6.1.9.5.0., the first of its kind.>>", "modified": "2026-05-05T09:01:42.428000", "created": "2026-04-05T09:11:03.976000", "tags": [ "aaaa", "algorithm", "number", "cgb osectigo", "public server", "ov r36", "validity", "cus sttexas", "oforcepoint llc", "public key", "info", "host name", "handle", "rdap database", "iana registrar", "entity", "dnssec", "yes conformance", "redacted for", "server", "domain status", "privacy billing", "privacy tech", "privacy admin", "email", "postal code", "date", "registrar abuse", "code", "dspm", "forcepoint dlp", "forcepoint", "login", "password", "austin", "texas", "hub customer", "data security", "protect", "organization", "stateprovince", "attempts", "reads", "sha1", "sha256", "mwdb", "bazaar", "sha3384", "crc32", "ssdeep", "checks" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CIDR": 3, "FileHash-SHA256": 685, "domain": 205, "hostname": 426, "FileHash-MD5": 722, "FileHash-SHA1": 348, "URL": 438, "email": 3 }, "indicator_count": 2830, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "26 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69bf64eccb5d39a90a3c391e", "name": "Spam \u201cBroken Seal\u201d DocuSign-themed Delivery w/Fileless Process Hollowing (Zeppelin/Bloat-A) by msudosos", "description": "", "modified": "2026-03-27T00:30:39.055000", "created": "2026-03-22T03:41:32.565000", "tags": [ "Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi", "9698f46495ce9401c8bcaf9a2afe1598", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)", "MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71", "Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link", "DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)" ], "references": [ "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)", "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.", "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess", "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.", "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.", "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)", "Verification failure observed in automated verification handlers during sandbox replay.", "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.", "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.", "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.", "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.", "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).", "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.", "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.", "Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat", "", "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr" ], "public": 1, "adversary": "", "targeted_countries": [ "China", "United States of America", "Spain", "Japan", "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In" ], "TLP": "green", "cloned_from": "698e93e1ab02db8c49e8c3ed", "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 27572, "FileHash-SHA256": 46076, "FileHash-MD5": 42177, "FileHash-SHA1": 22874, "hostname": 33438, "URL": 74810, "SSLCertFingerprint": 21, "CVE": 7579, "email": 297, "FileHash-IMPHASH": 8, "CIDR": 26203, "JA3": 1 }, "indicator_count": 281056, "is_author": false, "is_subscribing": null, "subscriber_count": 152, "modified_text": "65 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69bf64e1d5e06aa6207f78de", "name": "Spam \u201cBroken Seal\u201d DocuSign-themed Delivery w/Fileless Process Hollowing (Zeppelin/Bloat-A) by msudosos", "description": "", "modified": "2026-03-27T00:30:39.055000", "created": "2026-03-22T03:41:21.863000", "tags": [ "Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi", "9698f46495ce9401c8bcaf9a2afe1598", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)", "MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71", "Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link", "DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)" ], "references": [ "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)", "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.", "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess", "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.", "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.", "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)", "Verification failure observed in automated verification handlers during sandbox replay.", "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.", "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.", "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.", "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.", "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).", "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.", "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.", "Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat", "", "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr" ], "public": 1, "adversary": "", "targeted_countries": [ "China", "United States of America", "Spain", "Japan", "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In" ], "TLP": "green", "cloned_from": "698e93e1ab02db8c49e8c3ed", "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 27572, "FileHash-SHA256": 46076, "FileHash-MD5": 42177, "FileHash-SHA1": 22874, "hostname": 33438, "URL": 74810, "SSLCertFingerprint": 21, "CVE": 7579, "email": 297, "FileHash-IMPHASH": 8, "CIDR": 26203, "JA3": 1 }, "indicator_count": 281056, "is_author": false, "is_subscribing": null, "subscriber_count": 149, "modified_text": "65 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69b4e6e84208c35347c765a8", "name": "VirusTotal report\n for software.exe", "description": "this is a living nightmare", "modified": "2026-03-14T04:41:12.907000", "created": "2026-03-14T04:41:12.907000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 7, "URL": 5, "domain": 1, "hostname": 4 }, "indicator_count": 21, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "78 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6877812111419a98043ea105", "name": "a core Artsy Mobile OSS project 'The Artsy CocoaPods Specs' - miniuser - 07.15.25", "description": "a core Artsy Mobile OSS project 'The Artsy CocoaPods Specs' - VirusTotal Graph", "modified": "2025-08-15T10:03:43.186000", "created": "2025-07-16T10:38:25.125000", "tags": [ "d48d88208c9f", "entity" ], "references": [ "https://www.virustotal.com/graph/embed/gf3de459eb283404e9f258937b8f0dbf20d5a18c113f44cd6ba094af9d302c918?theme=dark", "https://report.netcraft.com/submission/wSKHZprZCkFd2jVQe8GsiNIWYjitfPrZ?tab=urls - Reported to Netcraft 07.23.25" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 126, "FileHash-MD5": 17, "FileHash-SHA1": 14, "FileHash-SHA256": 540, "domain": 9, "hostname": 93 }, "indicator_count": 799, "is_author": false, "is_subscribing": null, "subscriber_count": 129, "modified_text": "289 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66536c8eee8d42d670e27723", "name": "Eternal Blue _ WannaCry MS17-010 | Apple iOS iMessage injection infiltration", "description": "", "modified": "2024-06-25T16:05:26.604000", "created": "2024-05-26T17:08:30.022000", "tags": [ "sha256", "sha1", "pattern match", "ascii text", "document file", "v2 document", "crlf line", "size", "unicode", "beginstring", "null", "hybrid", "refresh", "body", "span", "local", "click", "strings", "error", "tools", "look", "verify", "restart", "contact", "external-resources", "dom-modification", "third-party-cookies", "iframes", "trackers", "text/html", "twitter", "final url", "ip address", "status code", "body length", "kb body", "headers", "deny", "express", "referrer", "impacting azure", "proofpoint", "sneaky server", "replacement", "unauthorized", "switch dns", "query", "vy binh", "hiddentear", "et tor", "known tor", "misc attack", "relayrouter", "exit", "node traffic", "date", "meta", "form", "submission", "expiresthu", "path", "secure", "self", "xcitium verdict", "cloud", "sophos", "history first", "analysis", "cp", "cyber", "threat", "redrum", "hit", "men", "triangulation", "historical ssl", "apt suspects", "critical cmd", "hide", "asyncrat", "jeremy", "government", "malicious", "yuming", "name servers", "united", "passive dns", "urls", "creation date", "search", "expiration date", "showing", "unknown", "next", "windows nt", "malware beacon", "memcommit", "generic http", "exe upload", "outbound", "etpro trojan", "show", "trojan", "copy", "write", "win32", "malware", "read c", "entries", "medium", "markus", "contentlength", "write c", "delete c", "create c", "yara detections", "scan endpoints", "all scoreblue", "filehash", "pulse pulses", "av detections", "ids detections", "alerts", "analysis date", "file score", "next pe", "as32934", "hitmen", "local government", "scene unit", "crime", "denver police", "address", "status", "aaaa", "apple", "less whois", "registrar", "wannacry", "http", "unique", "url https", "related nids", "code", "screenshot", "anity", "nsa", "shadow", "saudi telecom", "riyadh address", "saudi arabia", "abuse", "ripe", "company isp", "number", "label saudi", "telecom company", "jsc regional", "riyadh", "ripe ncc", "registry techc", "campus", "saudi", "ripe network", "domain", "internet se", "emails", "system", "server tsa", "b server", "certificate", "digicert inc", "moved", "record value" ], "references": [ "http://x.com/denverpolice/status/", "Redirects to >https://twitter.com/x/migrate?tok=eyJlIjoiL2RlbnZlcnBvbGljZS9zdGF0dXMvIiwidCI6MTcxNjcwMzc3M33oZya0EO4PtEbRwq4XZboX", "Redirects to https://twitter.com?mx=1", "IP address: 104.244.42.1 Hosting: Unknown Running on: Tsa B CMS: Express", "Crouching Yeti: Appendixes - according to source ArcSight Threat Intelligence", "https://otx.alienvault.com/indicator/file/00001aff2ea1acd6087f9fba8d8316d90d29e391d9969bc70cc607461467797e", "Alerts: nids_malware_alert network_icmp dumped_buffer network_cnc_http network_http network_http_post allocates_rwx", "Alerts: packer_entropy packer_upx antivm_memory_available pe_features", "Yara Detections: Yara Detections Nrv2x , UPX_OEP_place , UPX_Modified_Or_Inside , UPX20030XMarkusOberhumerLaszloMolnarJohnReiser , UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , Toxoplasmosis , UPX", "Packer UPX v0.89.6 - v1.02 / v1.05 -v1.24 -> Markus & Laszlo [overlay]", "Yara Detections: ConventionEngine_Term_Desktop , LZMA , mpress_2_xx_x86 , dbgdetect_procs", "pornhub.dev, http://matrix.pornhub.dev, https://twitter.com/PORNO_SEXYBABES, https://www.anon-v.com/porno/fenella/", "Hostname device-local-fb18804d-348e-49ea-8c17-cc8a29f18082.remotewd.com | 192.168.56.104: IPv4", "https://otx.alienvault.com/indicator/file/f7636eef1d9df0664cd0f205ad8864b659bf9898ce6231376778c4411986912e", "https://otx.alienvault.com/indicator/file/000054fa2b0d1004464350ee9acc40707fec51223dba36c702a3db4139af9717", "Domain: hicloudcam.com | https://otx.alienvault.com/indicator/hostname/alarmeu.sslproxy.gatewayvvlilly3lilly.alpha.hicloudcam.com", "originb0b.profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com | 108.160.165.139 Location: USA |ASN AS19679 dropbox inc. Nameservers ns-136.awsdns-17.com. ns-1518.awsdns-61.org. ,\u00a0 ns-1573.awsdns-04.co.uk. ,\u00a0 ns-809.awsdns-37.net. Less WHOIS Registrar: https://www.101domain.com/,\u00a0\u00a0 Creation Date: Oct 21, 2010 Related Pulses None Related Tags None Indicator Facts Running webserver External Resources Whois,\u00a0 UrlVoid,\u00a0 VirusTotal Analysis Related Pulses Comments (0) Whois Show 100 entr", "https://otx.alienvault.com/indicator/hostname/originb0b.profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com", "PATHETIC redirect: rainn.org | victims of violence & abuse disclose extremely sensitive details. Reported false information given to disorient victims.", "WannaCry | NSA -Anity Cert: https://otx.alienvault.com/indicator/url/https://www.antiy.com/response/Antiy_Wannacry_NSA.html", "WannaCry MS17-010 'Shadow' https://otx.alienvault.com/otxapi/indicators/url/screenshot/https://www.antiy.com/response/wannacry.html", "Command and Control IP: 5.41.21.250 | Location Saudi Arabia flag Jeddah, Saudi Arabia ASN AS39891 saudi telecom company jsc", "m.pornsexer.xxx.3.1.adiosfil.roksit.net", "uploads-cserver-alumni-profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win32/Vflooder.B Checkin", "display_name": "Win32/Vflooder.B Checkin", "target": null }, { "id": "Win.Malware.Vtflooder-6723768-0", "display_name": "Win.Malware.Vtflooder-6723768-0", "target": null }, { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "Win32/Vflooder.B vtapi DOS", "display_name": "Win32/Vflooder.B vtapi DOS", "target": null }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "Win.Trojan.Downloader-63174", "display_name": "Win.Trojan.Downloader-63174", "target": null }, { "id": "Clicker.BGOU", "display_name": "Clicker.BGOU", "target": null }, { "id": "Win.Trojan.Agent-752791", "display_name": "Win.Trojan.Agent-752791", "target": null }, { "id": "Win.Dropper.QQpass-9895638-0", "display_name": "Win.Dropper.QQpass-9895638-0", "target": null }, { "id": "Trojan:Win32/QQpass", "display_name": "Trojan:Win32/QQpass", "target": "/malware/Trojan:Win32/QQpass" }, { "id": "WannaCry", "display_name": "WannaCry", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1038", "name": "DLL Search Order Hijacking", "display_name": "T1038 - DLL Search Order Hijacking" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1470", "name": "Obtain Device Cloud Backups", "display_name": "T1470 - Obtain Device Cloud Backups" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" } ], "industries": [], "TLP": "green", "cloned_from": "66536881127f5ee988306394", "export_count": 55, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 350, "FileHash-SHA1": 348, "FileHash-SHA256": 2659, "URL": 7850, "domain": 2245, "hostname": 3611, "SSLCertFingerprint": 4, "email": 10, "CIDR": 4 }, "indicator_count": 17081, "is_author": false, "is_subscribing": null, "subscriber_count": 232, "modified_text": "704 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66536881127f5ee988306394", "name": "iOS Attack - Crouching Yeti: http://x.com/denverpolice/status/|", "description": "Targeted triangulation. Apple iOS iPad. Attack chains of Operation Triangulation involves advanced tactics employed by those acting as secret middleman, deploying spoofed trusted websites, emails, alarming news stories, messages, Bluetooth hacking, if threat actor has full CnC of targets phone via injection (sometimes it's random) can power on B/T. In Spoofed sites, malicious redirects, iMessage 0day case. Zero-click iMessage exploit seen. Information is sent to attacker and stored. Data harvesting, financial & identity theft, service modification and DoS intended. Used by law enforcement, governments, attorney PI's, cyber security defense, red teams and/or malicious hackers.\n*Crouching Yeti threat description notes: Contextual Indicators: Domain is classified as Social Networking Contextual Indicators: The URL is known benign by Check Point's Threat Cloud Contextual Indicators: Https://x.com is popular among websites with good reputation Contextual Indicators: Domain Cisco Umbrella rank is 312.", "modified": "2024-06-25T16:05:26.604000", "created": "2024-05-26T16:51:13.962000", "tags": [ "sha256", "sha1", "pattern match", "ascii text", "document file", "v2 document", "crlf line", "size", "unicode", "beginstring", "null", "hybrid", "refresh", "body", "span", "local", "click", "strings", "error", "tools", "look", "verify", "restart", "contact", "external-resources", "dom-modification", "third-party-cookies", "iframes", "trackers", "text/html", "twitter", "final url", "ip address", "status code", "body length", "kb body", "headers", "deny", "express", "referrer", "impacting azure", "proofpoint", "sneaky server", "replacement", "unauthorized", "switch dns", "query", "vy binh", "hiddentear", "et tor", "known tor", "misc attack", "relayrouter", "exit", "node traffic", "date", "meta", "form", "submission", "expiresthu", "path", "secure", "self", "xcitium verdict", "cloud", "sophos", "history first", "analysis", "cp", "cyber", "threat", "redrum", "hit", "men", "triangulation", "historical ssl", "apt suspects", "critical cmd", "hide", "asyncrat", "jeremy", "government", "malicious", "yuming", "name servers", "united", "passive dns", "urls", "creation date", "search", "expiration date", "showing", "unknown", "next", "windows nt", "malware beacon", "memcommit", "generic http", "exe upload", "outbound", "etpro trojan", "show", "trojan", "copy", "write", "win32", "malware", "read c", "entries", "medium", "markus", "contentlength", "write c", "delete c", "create c", "yara detections", "scan endpoints", "all scoreblue", "filehash", "pulse pulses", "av detections", "ids detections", "alerts", "analysis date", "file score", "next pe", "as32934", "hitmen", "local government", "scene unit", "crime", "denver police", "address", "status", "aaaa", "apple", "less whois", "registrar", "wannacry", "http", "unique", "url https", "related nids", "code", "screenshot", "anity", "nsa", "shadow", "saudi telecom", "riyadh address", "saudi arabia", "abuse", "ripe", "company isp", "number", "label saudi", "telecom company", "jsc regional", "riyadh", "ripe ncc", "registry techc", "campus", "saudi", "ripe network", "domain", "internet se", "emails", "system", "server tsa", "b server", "certificate", "digicert inc", "moved", "record value" ], "references": [ "http://x.com/denverpolice/status/", "Redirects to >https://twitter.com/x/migrate?tok=eyJlIjoiL2RlbnZlcnBvbGljZS9zdGF0dXMvIiwidCI6MTcxNjcwMzc3M33oZya0EO4PtEbRwq4XZboX", "Redirects to https://twitter.com?mx=1", "IP address: 104.244.42.1 Hosting: Unknown Running on: Tsa B CMS: Express", "Crouching Yeti: Appendixes - according to source ArcSight Threat Intelligence", "https://otx.alienvault.com/indicator/file/00001aff2ea1acd6087f9fba8d8316d90d29e391d9969bc70cc607461467797e", "Alerts: nids_malware_alert network_icmp dumped_buffer network_cnc_http network_http network_http_post allocates_rwx", "Alerts: packer_entropy packer_upx antivm_memory_available pe_features", "Yara Detections: Yara Detections Nrv2x , UPX_OEP_place , UPX_Modified_Or_Inside , UPX20030XMarkusOberhumerLaszloMolnarJohnReiser , UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , Toxoplasmosis , UPX", "Packer UPX v0.89.6 - v1.02 / v1.05 -v1.24 -> Markus & Laszlo [overlay]", "Yara Detections: ConventionEngine_Term_Desktop , LZMA , mpress_2_xx_x86 , dbgdetect_procs", "pornhub.dev, http://matrix.pornhub.dev, https://twitter.com/PORNO_SEXYBABES, https://www.anon-v.com/porno/fenella/", "Hostname device-local-fb18804d-348e-49ea-8c17-cc8a29f18082.remotewd.com | 192.168.56.104: IPv4", "https://otx.alienvault.com/indicator/file/f7636eef1d9df0664cd0f205ad8864b659bf9898ce6231376778c4411986912e", "https://otx.alienvault.com/indicator/file/000054fa2b0d1004464350ee9acc40707fec51223dba36c702a3db4139af9717", "Domain: hicloudcam.com | https://otx.alienvault.com/indicator/hostname/alarmeu.sslproxy.gatewayvvlilly3lilly.alpha.hicloudcam.com", "originb0b.profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com | 108.160.165.139 Location: USA |ASN AS19679 dropbox inc. Nameservers ns-136.awsdns-17.com. ns-1518.awsdns-61.org. ,\u00a0 ns-1573.awsdns-04.co.uk. ,\u00a0 ns-809.awsdns-37.net. Less WHOIS Registrar: https://www.101domain.com/,\u00a0\u00a0 Creation Date: Oct 21, 2010 Related Pulses None Related Tags None Indicator Facts Running webserver External Resources Whois,\u00a0 UrlVoid,\u00a0 VirusTotal Analysis Related Pulses Comments (0) Whois Show 100 entr", "https://otx.alienvault.com/indicator/hostname/originb0b.profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com", "PATHETIC redirect: rainn.org | victims of violence & abuse disclose extremely sensitive details. Reported false information given to disorient victims.", "WannaCry | NSA -Anity Cert: https://otx.alienvault.com/indicator/url/https://www.antiy.com/response/Antiy_Wannacry_NSA.html", "WannaCry MS17-010 'Shadow' https://otx.alienvault.com/otxapi/indicators/url/screenshot/https://www.antiy.com/response/wannacry.html", "Command and Control IP: 5.41.21.250 | Location Saudi Arabia flag Jeddah, Saudi Arabia ASN AS39891 saudi telecom company jsc", "m.pornsexer.xxx.3.1.adiosfil.roksit.net", "uploads-cserver-alumni-profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win32/Vflooder.B Checkin", "display_name": "Win32/Vflooder.B Checkin", "target": null }, { "id": "Win.Malware.Vtflooder-6723768-0", "display_name": "Win.Malware.Vtflooder-6723768-0", "target": null }, { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "Win32/Vflooder.B vtapi DOS", "display_name": "Win32/Vflooder.B vtapi DOS", "target": null }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "Win.Trojan.Downloader-63174", "display_name": "Win.Trojan.Downloader-63174", "target": null }, { "id": "Clicker.BGOU", "display_name": "Clicker.BGOU", "target": null }, { "id": "Win.Trojan.Agent-752791", "display_name": "Win.Trojan.Agent-752791", "target": null }, { "id": "Win.Dropper.QQpass-9895638-0", "display_name": "Win.Dropper.QQpass-9895638-0", "target": null }, { "id": "Trojan:Win32/QQpass", "display_name": "Trojan:Win32/QQpass", "target": "/malware/Trojan:Win32/QQpass" }, { "id": "WannaCry", "display_name": "WannaCry", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1038", "name": "DLL Search Order Hijacking", "display_name": "T1038 - DLL Search Order Hijacking" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1470", "name": "Obtain Device Cloud Backups", "display_name": "T1470 - Obtain Device Cloud Backups" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 48, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 350, "FileHash-SHA1": 348, "FileHash-SHA256": 2659, "URL": 7850, "domain": 2245, "hostname": 3611, "SSLCertFingerprint": 4, "email": 10, "CIDR": 4 }, "indicator_count": 17081, "is_author": false, "is_subscribing": null, "subscriber_count": 233, "modified_text": "704 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6358763a4c1d9a7e3a576dc0", "name": "Twitter Feed - ecarlesi - 25-10-2022", "description": "", "modified": "2022-11-24T23:02:31.591000", "created": "2022-10-25T23:50:18.206000", "tags": [ "phishing", "malware" ], "references": [ "https://twitter.com/ecarlesi/status/1584702058787127296", "https://twitter.com/ecarlesi/status/1584702200760393730", "https://twitter.com/ecarlesi/status/1584702204316770304", "https://twitter.com/ecarlesi/status/1584702210272727040", "https://twitter.com/ecarlesi/status/1584702210239508480", "https://twitter.com/ecarlesi/status/1584702218627792897", "https://twitter.com/ecarlesi/status/1584702374475575296", "https://twitter.com/ecarlesi/status/1584702547905814528", "https://twitter.com/ecarlesi/status/1584702733684117506", "https://twitter.com/ecarlesi/status/1584702957332926466", "https://twitter.com/ecarlesi/status/1584703016778735618", "https://twitter.com/ecarlesi/status/1584704125673021441", "https://twitter.com/ecarlesi/status/1584704500073435137", "https://twitter.com/ecarlesi/status/1584705072822353922", "https://twitter.com/ecarlesi/status/1584705554408153088", "https://twitter.com/ecarlesi/status/1584709451566702594", "https://twitter.com/ecarlesi/status/1584709709990436865", "https://twitter.com/ecarlesi/status/1584710427438612481", "https://twitter.com/ecarlesi/status/1584712347930820613", "https://twitter.com/ecarlesi/status/1584712349432307713", "https://twitter.com/ecarlesi/status/1584712348216053760", "https://twitter.com/ecarlesi/status/1584712348429914114", "https://twitter.com/ecarlesi/status/1584712350912888832", "https://twitter.com/ecarlesi/status/1584712351286165505", "https://twitter.com/ecarlesi/status/1584712348710961153", "https://twitter.com/ecarlesi/status/1584714027082686465", "https://twitter.com/ecarlesi/status/1584714105486704642", "https://twitter.com/ecarlesi/status/1584714216929386497", "https://twitter.com/ecarlesi/status/1584714220540682242", "https://twitter.com/ecarlesi/status/1584714222700830722", "https://twitter.com/ecarlesi/status/1584714224223326212", "https://twitter.com/ecarlesi/status/1584714223791357955", "https://twitter.com/ecarlesi/status/1584714225573924864", "https://twitter.com/ecarlesi/status/1584714223741030401", "https://twitter.com/ecarlesi/status/1584714223652929536", "https://twitter.com/ecarlesi/status/1584714225582211076", "https://twitter.com/ecarlesi/status/1584714227281022983", "https://twitter.com/ecarlesi/status/1584714227989856258", "https://twitter.com/ecarlesi/status/1584714283551793152", "https://twitter.com/ecarlesi/status/1584714303814471680", "https://twitter.com/ecarlesi/status/1584714726608617472", "https://twitter.com/ecarlesi/status/1584714727996932097", "https://twitter.com/ecarlesi/status/1584714726772281345", "https://twitter.com/ecarlesi/status/1584714726382211072", "https://twitter.com/ecarlesi/status/1584714727149690880", "https://twitter.com/ecarlesi/status/1584714726382215169", "https://twitter.com/ecarlesi/status/1584714731788591104", "https://twitter.com/ecarlesi/status/1584714735924248578", "https://twitter.com/ecarlesi/status/1584714740022091777", "https://twitter.com/ecarlesi/status/1584714739942391808", "https://twitter.com/ecarlesi/status/1584714971522297856", "https://twitter.com/ecarlesi/status/1584715026853777408", "https://twitter.com/ecarlesi/status/1584715044503408644", "https://twitter.com/ecarlesi/status/1584715349643198464", "https://twitter.com/ecarlesi/status/1584715512587624451", "https://twitter.com/ecarlesi/status/1584715520485515265", "https://twitter.com/ecarlesi/status/1584715524356935682", "https://twitter.com/ecarlesi/status/1584715529335496709", "https://twitter.com/ecarlesi/status/1584715529499152386", "https://twitter.com/ecarlesi/status/1584715532435177472", "https://twitter.com/ecarlesi/status/1584715878163255296", "https://twitter.com/ecarlesi/status/1584715879618592768", "https://twitter.com/ecarlesi/status/1584715891354255361", "https://twitter.com/ecarlesi/status/1584715952872210433", "https://twitter.com/ecarlesi/status/1584716009335914497", "https://twitter.com/ecarlesi/status/1584717154921975810", "https://twitter.com/ecarlesi/status/1584718782269980675", "https://twitter.com/ecarlesi/status/1584719752571887616", "https://twitter.com/ecarlesi/status/1584720370573185024", "https://twitter.com/ecarlesi/status/1584720554266923011", "https://twitter.com/ecarlesi/status/1584720912510853120", "https://twitter.com/ecarlesi/status/1584720925643182086", "https://twitter.com/ecarlesi/status/1584721452493946880", "https://twitter.com/ecarlesi/status/1584722687192190978", "https://twitter.com/ecarlesi/status/1584725238864125952", "https://twitter.com/ecarlesi/status/1584726239503421440", "https://twitter.com/ecarlesi/status/1584727254986203136", "https://twitter.com/ecarlesi/status/1584727333725818880", "https://twitter.com/ecarlesi/status/1584727419705073664", "https://twitter.com/ecarlesi/status/1584727449320964097", "https://twitter.com/ecarlesi/status/1584727686919905280", "https://twitter.com/ecarlesi/status/1584727690791223297", "https://twitter.com/ecarlesi/status/1584727719840989185", "https://twitter.com/ecarlesi/status/1584727756922822661", "https://twitter.com/ecarlesi/status/1584727762530598918", "https://twitter.com/ecarlesi/status/1584727776753582080", "https://twitter.com/ecarlesi/status/1584727780054507523", "https://twitter.com/ecarlesi/status/1584727780100538370", "https://twitter.com/ecarlesi/status/1584728119214325761", "https://twitter.com/ecarlesi/status/1584728484470980610", "https://twitter.com/ecarlesi/status/1584728774880403456", "https://twitter.com/ecarlesi/status/1584729149033398272", "https://twitter.com/ecarlesi/status/1584729161205256192", "https://twitter.com/ecarlesi/status/1584729814740738051", "https://twitter.com/ecarlesi/status/1584730267482460161", "https://twitter.com/ecarlesi/status/1584730867498422272", "https://twitter.com/ecarlesi/status/1584731275901997056", "https://twitter.com/ecarlesi/status/1584731288837267461", "https://twitter.com/ecarlesi/status/1584731433020624898", "https://twitter.com/ecarlesi/status/1584731495226384384", "https://twitter.com/ecarlesi/status/1584731560401674241", "https://twitter.com/ecarlesi/status/1584731728102432768", "https://twitter.com/ecarlesi/status/1584731934042820608", "https://twitter.com/ecarlesi/status/1584731933942185986", "https://twitter.com/ecarlesi/status/1584731934261137409", "https://twitter.com/ecarlesi/status/1584731937972912130", "https://twitter.com/ecarlesi/status/1584732855908945920", "https://twitter.com/ecarlesi/status/1584732864515645441", "https://twitter.com/ecarlesi/status/1584733205269471232", "https://twitter.com/ecarlesi/status/1584733798620602373", "https://twitter.com/ecarlesi/status/1584734326595276800", "https://twitter.com/ecarlesi/status/1584734457583607808", "https://twitter.com/ecarlesi/status/1584735355093323776", "https://twitter.com/ecarlesi/status/1584735401129934848", "https://twitter.com/ecarlesi/status/1584735702159343616", "https://twitter.com/ecarlesi/status/1584735726301741058", "https://twitter.com/ecarlesi/status/1584736401354113026", "https://twitter.com/ecarlesi/status/1584736869757108224", "https://twitter.com/ecarlesi/status/1584737010786439168", "https://twitter.com/ecarlesi/status/1584737236754604035", "https://twitter.com/ecarlesi/status/1584737335803092992", "https://twitter.com/ecarlesi/status/1584737773919125504", "https://twitter.com/ecarlesi/status/1584738152987729920", "https://twitter.com/ecarlesi/status/1584738296915189760", "https://twitter.com/ecarlesi/status/1584738509511970816", "https://twitter.com/ecarlesi/status/1584739200225755136", "https://twitter.com/ecarlesi/status/1584739327065657350", "https://twitter.com/ecarlesi/status/1584740019146788864", "https://twitter.com/ecarlesi/status/1584740369543139331", "https://twitter.com/ecarlesi/status/1584741313345355776", "https://twitter.com/ecarlesi/status/1584741878976712704", "https://twitter.com/ecarlesi/status/1584743293371416576", "https://twitter.com/ecarlesi/status/1584743452574728193", "https://twitter.com/ecarlesi/status/1584743455254790145", "https://twitter.com/ecarlesi/status/1584743499056005122", "https://twitter.com/ecarlesi/status/1584744140524355591", "https://twitter.com/ecarlesi/status/1584744160426336261", "https://twitter.com/ecarlesi/status/1584744203061534724", "https://twitter.com/ecarlesi/status/1584744581391859712", "https://twitter.com/ecarlesi/status/1584744596701077504", "https://twitter.com/ecarlesi/status/1584744704897318912", "https://twitter.com/ecarlesi/status/1584745241759944704", "https://twitter.com/ecarlesi/status/1584745729746165760", "https://twitter.com/ecarlesi/status/1584745746229854208", "https://twitter.com/ecarlesi/status/1584745839515279361", "https://twitter.com/ecarlesi/status/1584746029248909314", "https://twitter.com/ecarlesi/status/1584746092297584641", "https://twitter.com/ecarlesi/status/1584746362658324481", "https://twitter.com/ecarlesi/status/1584746370572877824", "https://twitter.com/ecarlesi/status/1584746487694630915", "https://twitter.com/ecarlesi/status/1584746493038272513", "https://twitter.com/ecarlesi/status/1584746670100807682", "https://twitter.com/ecarlesi/status/1584746678107660293", "https://twitter.com/ecarlesi/status/1584747223073570816", "https://twitter.com/ecarlesi/status/1584747266665025536", "https://twitter.com/ecarlesi/status/1584747274860695553", "https://twitter.com/ecarlesi/status/1584747316325621761", "https://twitter.com/ecarlesi/status/1584747341298683904", "https://twitter.com/ecarlesi/status/1584747546928238593", "https://twitter.com/ecarlesi/status/1584747861333479425", "https://twitter.com/ecarlesi/status/1584747867461361664", "https://twitter.com/ecarlesi/status/1584747869768237059", "https://twitter.com/ecarlesi/status/1584747875971600384", "https://twitter.com/ecarlesi/status/1584748136257363968", "https://twitter.com/ecarlesi/status/1584748154129469440", "https://twitter.com/ecarlesi/status/1584748171648983040", "https://twitter.com/ecarlesi/status/1584748175960772608", "https://twitter.com/ecarlesi/status/1584748734696640513", "https://twitter.com/ecarlesi/status/1584748989374611457", "https://twitter.com/ecarlesi/status/1584749320515076097", "https://twitter.com/ecarlesi/status/1584749903745814529", "https://twitter.com/ecarlesi/status/1584752260495642626", "https://twitter.com/ecarlesi/status/1584752264782270465", "https://twitter.com/ecarlesi/status/1584752697189744640", "https://twitter.com/ecarlesi/status/1584752950504718342", "https://twitter.com/ecarlesi/status/1584754850096877570", "https://twitter.com/ecarlesi/status/1584758053311844352", "https://twitter.com/ecarlesi/status/1584760518807588864", "https://twitter.com/ecarlesi/status/1584760817148370944", "https://twitter.com/ecarlesi/status/1584761759419834375", "https://twitter.com/ecarlesi/status/1584761940777353217", "https://twitter.com/ecarlesi/status/1584762336916668416", "https://twitter.com/ecarlesi/status/1584762341157224450", "https://twitter.com/ecarlesi/status/1584766131847430145", "https://twitter.com/ecarlesi/status/1584767286992404480", "https://twitter.com/ecarlesi/status/1584768135667777539", "https://twitter.com/ecarlesi/status/1584774597643276288", "https://twitter.com/ecarlesi/status/1584776467594022912", "https://twitter.com/ecarlesi/status/1584776479065374720", "https://twitter.com/ecarlesi/status/1584777126632374272", "https://twitter.com/ecarlesi/status/1584777689885544448", "https://twitter.com/ecarlesi/status/1584777802989068294", "https://twitter.com/ecarlesi/status/1584778281445908480", "https://twitter.com/ecarlesi/status/1584788744334442498", "https://twitter.com/ecarlesi/status/1584788960865296384", "https://twitter.com/ecarlesi/status/1584789042004099074", "https://twitter.com/ecarlesi/status/1584789065605464064", "https://twitter.com/ecarlesi/status/1584790042194632704", "https://twitter.com/ecarlesi/status/1584790440573898753", "https://twitter.com/ecarlesi/status/1584790844669935617", "https://twitter.com/ecarlesi/status/1584790853754753025", "https://twitter.com/ecarlesi/status/1584790930627985408", "https://twitter.com/ecarlesi/status/1584791124400640001", "https://twitter.com/ecarlesi/status/1584791124798996481", "https://twitter.com/ecarlesi/status/1584791124417417217", "https://twitter.com/ecarlesi/status/1584791124400640003", "https://twitter.com/ecarlesi/status/1584791124429922305", "https://twitter.com/ecarlesi/status/1584791176258920450", "https://twitter.com/ecarlesi/status/1584791184005808128", "https://twitter.com/ecarlesi/status/1584791181938024450", "https://twitter.com/ecarlesi/status/1584791184651730944", "https://twitter.com/ecarlesi/status/1584791208928444418", "https://twitter.com/ecarlesi/status/1584791552987217921", "https://twitter.com/ecarlesi/status/1584791680443711493", "https://twitter.com/ecarlesi/status/1584791788677746688", "https://twitter.com/ecarlesi/status/1584791788916711424", "https://twitter.com/ecarlesi/status/1584791833325993984", "https://twitter.com/ecarlesi/status/1584792130752598016", "https://twitter.com/ecarlesi/status/1584792365985841153", "https://twitter.com/ecarlesi/status/1584795536867184640", "https://twitter.com/ecarlesi/status/1584824417053556742", "https://twitter.com/ecarlesi/status/1584824417036763138", "https://twitter.com/ecarlesi/status/1584824624331849730", "https://twitter.com/ecarlesi/status/1584824868402614272", "https://twitter.com/ecarlesi/status/1584825612824444928", "https://twitter.com/ecarlesi/status/1584825615097729025", "https://twitter.com/ecarlesi/status/1584828169244254208", "https://twitter.com/ecarlesi/status/1584836274292228098", "https://twitter.com/ecarlesi/status/1584837013555105792", "https://twitter.com/ecarlesi/status/1584837328937177091", "https://twitter.com/ecarlesi/status/1584837339091959808", "https://twitter.com/ecarlesi/status/1584837585637195776", "https://twitter.com/ecarlesi/status/1584837847156129794", "https://twitter.com/ecarlesi/status/1584838897493839876", "https://twitter.com/ecarlesi/status/1584839620780605443", "https://twitter.com/ecarlesi/status/1584842716839550977", "https://twitter.com/ecarlesi/status/1584842985371484162", "https://twitter.com/ecarlesi/status/1584845453698408450", "https://twitter.com/ecarlesi/status/1584846086925058053", "https://twitter.com/ecarlesi/status/1584851694365691904", "https://twitter.com/ecarlesi/status/1584853128989609984", "https://twitter.com/ecarlesi/status/1584853803203022848", "https://twitter.com/ecarlesi/status/1584857022335488002", "https://twitter.com/ecarlesi/status/1584858335316250624", "https://twitter.com/ecarlesi/status/1584858392153268224", "https://twitter.com/ecarlesi/status/1584858612173864968", "https://twitter.com/ecarlesi/status/1584858612614287361", "https://twitter.com/ecarlesi/status/1584858612152864768", "https://twitter.com/ecarlesi/status/1584858853862170624", "https://twitter.com/ecarlesi/status/1584858990160347137", "https://twitter.com/ecarlesi/status/1584858995185143811", "https://twitter.com/ecarlesi/status/1584859028013867008", "https://twitter.com/ecarlesi/status/1584859032099196931", "https://twitter.com/ecarlesi/status/1584859032099164162", "https://twitter.com/ecarlesi/status/1584859036691976194", "https://twitter.com/ecarlesi/status/1584859369900068864", "https://twitter.com/ecarlesi/status/1584859386521976833", "https://twitter.com/ecarlesi/status/1584859411499126785", "https://twitter.com/ecarlesi/status/1584859446165004289", "https://twitter.com/ecarlesi/status/1584859446752296960", "https://twitter.com/ecarlesi/status/1584859491874504706", "https://twitter.com/ecarlesi/status/1584859525479387136", "https://twitter.com/ecarlesi/status/1584859742144532480", "https://twitter.com/ecarlesi/status/1584860161751007236", "https://twitter.com/ecarlesi/status/1584860282089885698", "https://twitter.com/ecarlesi/status/1584860282253443079", "https://twitter.com/ecarlesi/status/1584860370434392065", "https://twitter.com/ecarlesi/status/1584860439191642114", "https://twitter.com/ecarlesi/status/1584860475979882496", "https://twitter.com/ecarlesi/status/1584860507546292227", "https://twitter.com/ecarlesi/status/1584860504471773185", "https://twitter.com/ecarlesi/status/1584860506661199874", "https://twitter.com/ecarlesi/status/1584860532825362438", "https://twitter.com/ecarlesi/status/1584860969016197120", "https://twitter.com/ecarlesi/status/1584861064403079168", "https://twitter.com/ecarlesi/status/1584861368443965440", "https://twitter.com/ecarlesi/status/1584861882007134209", "https://twitter.com/ecarlesi/status/1584862052635615233", "https://twitter.com/ecarlesi/status/1584862125872365574", "https://twitter.com/ecarlesi/status/1584863253968158721", "https://twitter.com/ecarlesi/status/1584863917561503744", "https://twitter.com/ecarlesi/status/1584864214086307841", "https://twitter.com/ecarlesi/status/1584864248118870019", "https://twitter.com/ecarlesi/status/1584864256889061378", "https://twitter.com/ecarlesi/status/1584864268247244801", "https://twitter.com/ecarlesi/status/1584864280549236736", "https://twitter.com/ecarlesi/status/1584864280251432962", "https://twitter.com/ecarlesi/status/1584864982021414912", "https://twitter.com/ecarlesi/status/1584865536697139200", "https://twitter.com/ecarlesi/status/1584865600370839554", "https://twitter.com/ecarlesi/status/1584865806248251398", "https://twitter.com/ecarlesi/status/1584865973194178562", "https://twitter.com/ecarlesi/status/1584866414262947842", "https://twitter.com/ecarlesi/status/1584867142696042497", "https://twitter.com/ecarlesi/status/1584867287948984322", "https://twitter.com/ecarlesi/status/1584868055246684161", "https://twitter.com/ecarlesi/status/1584868767024050177", "https://twitter.com/ecarlesi/status/1584869216984899584", "https://twitter.com/ecarlesi/status/1584869398506094592", "https://twitter.com/ecarlesi/status/1584872093136474112", "https://twitter.com/ecarlesi/status/1584872446053728256", "https://twitter.com/ecarlesi/status/1584872919490256897", "https://twitter.com/ecarlesi/status/1584873140168978432", "https://twitter.com/ecarlesi/status/1584875138373357572", "https://twitter.com/ecarlesi/status/1584875513390194689", "https://twitter.com/ecarlesi/status/1584875810787414016", "https://twitter.com/ecarlesi/status/1584876585869398016", "https://twitter.com/ecarlesi/status/1584877594888925184", "https://twitter.com/ecarlesi/status/1584878255135674369", "https://twitter.com/ecarlesi/status/1584878916749099010", "https://twitter.com/ecarlesi/status/1584879240297824256", "https://twitter.com/ecarlesi/status/1584886018922217477", "https://twitter.com/ecarlesi/status/1584887698434801664", "https://twitter.com/ecarlesi/status/1584887713756479489", "https://twitter.com/ecarlesi/status/1584887764927086592", "https://twitter.com/ecarlesi/status/1584888187188645890", "https://twitter.com/ecarlesi/status/1584888187264057345", "https://twitter.com/ecarlesi/status/1584888189239672833", "https://twitter.com/ecarlesi/status/1584888199104561152", "https://twitter.com/ecarlesi/status/1584888202875338753", "https://twitter.com/ecarlesi/status/1584888225218367488", "https://twitter.com/ecarlesi/status/1584888426914004993", "https://twitter.com/ecarlesi/status/1584888428969205760", "https://twitter.com/ecarlesi/status/1584888449953406982", "https://twitter.com/ecarlesi/status/1584888451865919488", "https://twitter.com/ecarlesi/status/1584888552176975874", "https://twitter.com/ecarlesi/status/1584888709270458369", "https://twitter.com/ecarlesi/status/1584888707882131458", "https://twitter.com/ecarlesi/status/1584888709492740100", "https://twitter.com/ecarlesi/status/1584888709962416128", "https://twitter.com/ecarlesi/status/1584888712583864320", "https://twitter.com/ecarlesi/status/1584888710885265410", "https://twitter.com/ecarlesi/status/1584888712739053571", "https://twitter.com/ecarlesi/status/1584888712663539712", "https://twitter.com/ecarlesi/status/1584888715855503360", "https://twitter.com/ecarlesi/status/1584888805378629632", "https://twitter.com/ecarlesi/status/1584888818347417600", "https://twitter.com/ecarlesi/status/1584889064368607234", "https://twitter.com/ecarlesi/status/1584889090612363265", "https://twitter.com/ecarlesi/status/1584889095259668480", "https://twitter.com/ecarlesi/status/1584889515042283522", "https://twitter.com/ecarlesi/status/1584889522470486018", "https://twitter.com/ecarlesi/status/1584889528271134723", "https://twitter.com/ecarlesi/status/1584889530615828480", "https://twitter.com/ecarlesi/status/1584889533539270656", "https://twitter.com/ecarlesi/status/1584889538270355457", "https://twitter.com/ecarlesi/status/1584889588551663621", "https://twitter.com/ecarlesi/status/1584889696030711809", "https://twitter.com/ecarlesi/status/1584889696907395072", "https://twitter.com/ecarlesi/status/1584889699302313984", "https://twitter.com/ecarlesi/status/1584889706881449984", "https://twitter.com/ecarlesi/status/1584889717295824897", "https://twitter.com/ecarlesi/status/1584889778088153088", "https://twitter.com/ecarlesi/status/1584889778037719042", "https://twitter.com/ecarlesi/status/1584889780415905793", "https://twitter.com/ecarlesi/status/1584889787294617601", "https://twitter.com/ecarlesi/status/1584889798447226880", "https://twitter.com/ecarlesi/status/1584889837705904131", "https://twitter.com/ecarlesi/status/1584889850481856512", "https://twitter.com/ecarlesi/status/1584889863928791041", "https://twitter.com/ecarlesi/status/1584889868638887936", "https://twitter.com/ecarlesi/status/1584890138102009857", "https://twitter.com/ecarlesi/status/1584890525014003714", "https://twitter.com/ecarlesi/status/1584890585143562241", "https://twitter.com/ecarlesi/status/1584890762147385344", "https://twitter.com/ecarlesi/status/1584890943081267200", "https://twitter.com/ecarlesi/status/1584891157993095168", "https://twitter.com/ecarlesi/status/1584891193980223488", "https://twitter.com/ecarlesi/status/1584891251912069121", "https://twitter.com/ecarlesi/status/1584891524957048832", "https://twitter.com/ecarlesi/status/1584891545148424198", "https://twitter.com/ecarlesi/status/1584891645710958594", "https://twitter.com/ecarlesi/status/1584891648147968005", "https://twitter.com/ecarlesi/status/1584891666653134848", "https://twitter.com/ecarlesi/status/1584891676589522946", "https://twitter.com/ecarlesi/status/1584891899260899339", "https://twitter.com/ecarlesi/status/1584891917174816769", "https://twitter.com/ecarlesi/status/1584892412064944128", "https://twitter.com/ecarlesi/status/1584892469006696450", "https://twitter.com/ecarlesi/status/1584892630734888966", "https://twitter.com/ecarlesi/status/1584892776625364992", "https://twitter.com/ecarlesi/status/1584893104989036545", "https://twitter.com/ecarlesi/status/1584893304776409094", "https://twitter.com/ecarlesi/status/1584893541792337920", "https://twitter.com/ecarlesi/status/1584893794377502720", "https://twitter.com/ecarlesi/status/1584897172910252032", "https://twitter.com/ecarlesi/status/1584899761995382784", "https://twitter.com/ecarlesi/status/1584901557056901121", "https://twitter.com/ecarlesi/status/1584911936528998400", "https://twitter.com/ecarlesi/status/1584912162308358144", "https://twitter.com/ecarlesi/status/1584912252716863488", "https://twitter.com/ecarlesi/status/1584912352406896648", "https://twitter.com/ecarlesi/status/1584912784952795136", "https://twitter.com/ecarlesi/status/1584912858466361344", "https://twitter.com/ecarlesi/status/1584912923964719104", "https://twitter.com/ecarlesi/status/1584913066185134080", "https://twitter.com/ecarlesi/status/1584913065195233282", "https://twitter.com/ecarlesi/status/1584913066428342274", "https://twitter.com/ecarlesi/status/1584913064238923776", "https://twitter.com/ecarlesi/status/1584913065581109248", "https://twitter.com/ecarlesi/status/1584913065690206220", "https://twitter.com/ecarlesi/status/1584913065363099648", "https://twitter.com/ecarlesi/status/1584913067279896576", "https://twitter.com/ecarlesi/status/1584913076549296130", "https://twitter.com/ecarlesi/status/1584913081464922113", "https://twitter.com/ecarlesi/status/1584913328404664322", "https://twitter.com/ecarlesi/status/1584913531291533312", "https://twitter.com/ecarlesi/status/1584913530662387715", "https://twitter.com/ecarlesi/status/1584913530096156679", "https://twitter.com/ecarlesi/status/1584913737848340484", "https://twitter.com/ecarlesi/status/1584913737735192577", "https://twitter.com/ecarlesi/status/1584913743372324866", "https://twitter.com/ecarlesi/status/1584913759189041152", "https://twitter.com/ecarlesi/status/1584913762062139394", "https://twitter.com/ecarlesi/status/1584913763697922048", "https://twitter.com/ecarlesi/status/1584913765912510464", "https://twitter.com/ecarlesi/status/1584913770954084352", "https://twitter.com/ecarlesi/status/1584913771281190914", "https://twitter.com/ecarlesi/status/1584913918845231105", "https://twitter.com/ecarlesi/status/1584913945588015104", "https://twitter.com/ecarlesi/status/1584914010155220993", "https://twitter.com/ecarlesi/status/1584914010373251074", "https://twitter.com/ecarlesi/status/1584915560202215426", "https://twitter.com/ecarlesi/status/1584916839418810368", "https://twitter.com/ecarlesi/status/1584916891604320260", "https://twitter.com/ecarlesi/status/1584917131795341314", "https://twitter.com/ecarlesi/status/1584922402257080320", "https://twitter.com/ecarlesi/status/1584924709350768642", "https://twitter.com/ecarlesi/status/1584925810082942978", "https://twitter.com/ecarlesi/status/1584926464025280512", "https://twitter.com/ecarlesi/status/1584926834558369796", "https://twitter.com/ecarlesi/status/1584928379819655168", "https://twitter.com/ecarlesi/status/1584928853746761729", "https://twitter.com/ecarlesi/status/1584929648802205696", "https://twitter.com/ecarlesi/status/1584933064094158850", "https://twitter.com/ecarlesi/status/1584934344925200384", "https://twitter.com/ecarlesi/status/1584934395844366336", "https://twitter.com/ecarlesi/status/1584934552882929664", "https://twitter.com/ecarlesi/status/1584934568695631875", "https://twitter.com/ecarlesi/status/1584934641105924097", "https://twitter.com/ecarlesi/status/1584935375453265927", "https://twitter.com/ecarlesi/status/1584935431723950082", "https://twitter.com/ecarlesi/status/1584935604155981825", "https://twitter.com/ecarlesi/status/1584936230386634761", "https://twitter.com/ecarlesi/status/1584936404357824512", "https://twitter.com/ecarlesi/status/1584940250975043587", "https://twitter.com/ecarlesi/status/1584941224359870464", "https://twitter.com/ecarlesi/status/1584942061601673217", "https://twitter.com/ecarlesi/status/1584942186340179974", "https://twitter.com/ecarlesi/status/1584942574585798656", "https://twitter.com/ecarlesi/status/1584943192083992581", "https://twitter.com/ecarlesi/status/1584944618243776520", "https://twitter.com/ecarlesi/status/1584951318178893834", "https://twitter.com/ecarlesi/status/1584954731524407298", "https://twitter.com/ecarlesi/status/1584955265400639488", "https://twitter.com/ecarlesi/status/1584957215500341276", "https://twitter.com/ecarlesi/status/1584957278431727616", "https://twitter.com/ecarlesi/status/1584957395566043136", "https://twitter.com/ecarlesi/status/1584958518905405440", "https://twitter.com/ecarlesi/status/1584960656557613056", "https://twitter.com/ecarlesi/status/1584960737797148674", "https://twitter.com/ecarlesi/status/1584973036402319363", "https://twitter.com/ecarlesi/status/1584973264581177344", "https://twitter.com/ecarlesi/status/1584973371489792001", "https://twitter.com/ecarlesi/status/1584973586673999873", "https://twitter.com/ecarlesi/status/1584974311362027521", "https://twitter.com/ecarlesi/status/1584974811599552512", "https://twitter.com/ecarlesi/status/1584975620739678208", "https://twitter.com/ecarlesi/status/1584975648807800832", "https://twitter.com/ecarlesi/status/1584975737169354752", "https://twitter.com/ecarlesi/status/1584975992678158336", "https://twitter.com/ecarlesi/status/1584978311557808128", "https://twitter.com/ecarlesi/status/1584982579567939584", "https://twitter.com/ecarlesi/status/1584983833883074560", "https://twitter.com/ecarlesi/status/1584986640589754369", "https://twitter.com/ecarlesi/status/1584989183113773056", "https://twitter.com/ecarlesi/status/1584992002256633883", "https://twitter.com/ecarlesi/status/1585000420250112000", "https://twitter.com/ecarlesi/status/1585010769338322945", "https://twitter.com/ecarlesi/status/1585015635163095071", "https://twitter.com/ecarlesi/status/1585016002923864077", "https://twitter.com/ecarlesi/status/1585017198535385115", "https://twitter.com/ecarlesi/status/1585020272670920705", "https://twitter.com/ecarlesi/status/1585029001793478668", "https://twitter.com/ecarlesi/status/1585033347989966848", "https://twitter.com/ecarlesi/status/1585033577456181269", "https://twitter.com/ecarlesi/status/1585033804477079553", "https://twitter.com/ecarlesi/status/1585034422084149258", "https://twitter.com/ecarlesi/status/1585038309423816723", "https://twitter.com/ecarlesi/status/1585042539874291712", "https://twitter.com/ecarlesi/status/1585049613656113155", "https://twitter.com/ecarlesi/status/1585050347231387648", "https://twitter.com/ecarlesi/status/1585051303453069312", "https://twitter.com/ecarlesi/status/1585051974420004865", "https://twitter.com/ecarlesi/status/1585052596523438082", "https://twitter.com/ecarlesi/status/1585053182853513216" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 495 }, "indicator_count": 495, "is_author": false, "is_subscribing": null, "subscriber_count": 1621, "modified_text": "1283 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "", "https://twitter.com/ecarlesi/status/1584889780415905793", "https://twitter.com/ecarlesi/status/1584714726608617472", "https://www.virustotal.com/gui/collection/6a41ae1cf2d3d51fedd2393d893c3b26ed0352dde2e0851d03f0bae9aaa69ae1/summary", "https://vtbehaviour.commondatastorage.googleapis.com/2490cba406c48127d4f19ec90640181b6fda91960640d126478a6695aab49c4a_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776416061&Signature=eIQtmFWS2GiSN%2F3bdQCKKOu9%2FiEoDqQYcEtVnvTTBu%2BZ5JFRAyRu7Tgxw5YyVb%2BXK66m6JTN4yIleNl669%2FfdMbOamF6hlF%2FZbucN1etgX%2B8Snq2xrhFN5xZvvWrQukcYlJQnz9s2WSByNnA2Lvi7dn3qQnZMVNcJwWLhL1ayyCBqpiDVaDMGTgQfLrVdec0Xknzzl70Ce70nSgQdxJ4Q%2FSzYtz9Khtk6hyaiBbYxsyiWQ", "https://twitter.com/ecarlesi/status/1584727686919905280", "https://twitter.com/ecarlesi/status/1584889798447226880", "m.pornsexer.xxx.3.1.adiosfil.roksit.net", "https://twitter.com/ecarlesi/status/1584718782269980675", "https://twitter.com/ecarlesi/status/1584960656557613056", "http://x.com/denverpolice/status/", "https://twitter.com/ecarlesi/status/1584872093136474112", "https://twitter.com/ecarlesi/status/1584836274292228098", "https://twitter.com/ecarlesi/status/1584860969016197120", "Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess", "https://twitter.com/ecarlesi/status/1584714223741030401", "https://twitter.com/ecarlesi/status/1584891524957048832", "As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)", "Yara Detections: Yara Detections Nrv2x , UPX_OEP_place , UPX_Modified_Or_Inside , UPX20030XMarkusOberhumerLaszloMolnarJohnReiser , UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , Toxoplasmosis , UPX", "Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.", "https://twitter.com/ecarlesi/status/1584727690791223297", "https://twitter.com/ecarlesi/status/1584890943081267200", "https://twitter.com/ecarlesi/status/1584714731788591104", "https://twitter.com/ecarlesi/status/1584734326595276800", "https://twitter.com/ecarlesi/status/1584877594888925184", "Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.", "https://twitter.com/ecarlesi/status/1584791788677746688", "https://twitter.com/ecarlesi/status/1584715044503408644", "https://twitter.com/ecarlesi/status/1584702218627792897", "https://twitter.com/ecarlesi/status/1584747861333479425", "https://twitter.com/ecarlesi/status/1584762336916668416", "https://twitter.com/ecarlesi/status/1584731495226384384", "https://twitter.com/ecarlesi/status/1584714227989856258", "https://otx.alienvault.com/indicator/hostname/originb0b.profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com", "https://twitter.com/ecarlesi/status/1584864248118870019", "https://twitter.com/ecarlesi/status/1584888451865919488", "https://twitter.com/ecarlesi/status/1584888805378629632", "https://vtbehaviour.commondatastorage.googleapis.com/9e4f036dd6fbb45ce414cb5d040b3255b5ccc9ecacbfaf022b631545f9a19a02_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415662&Signature=ii4xZZXyeZqty%2B%2BwMuioMf90xxcdXimnQRoYesmvSMUfZNPn9hRsSBoDdFdqtcRFep%2BYsQiF4%2BKaDZPUzloaQ%2FeZkEhJokSi2P1NP1ymoIPZ5j%2F8XwTxCO0c%2BGbA%2BECIOWUC9IlgPTZfdCvd1wQiXe4sa1U0QVwZBDk%2B7GDXDJUVIOH6bc8cAZi8Q4QzBqOTaLamgqF1%2BC5uFbLSShJOLGiBZv6PRiQ2L2qk", "https://twitter.com/ecarlesi/status/1584866414262947842", "https://vtbehaviour.commondatastorage.googleapis.com/630e1dd423feb4af15dacd299d62785b95c7d5035c8b3421063dfce922a2fd3b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779478165&Signature=xvYPy6urLZRp%2FNUIglcpTZ0dKgiAf0xVeGpcDY6QnttpRbDj60kaBIj%2BlQ7gSNFBABi4TsYhQ8Oab6Veo9YSujwQeYnWD6EOnRArLf%2FJCOinlHjRbeW9JhWDB88Ep9ubdyeX9iEzaVYcrgTM9gbJMkTbkLw8SXIYr6IZjL3FPomuELP3w937ZduHHsp04xawdI7LB9VKdH%2Fywmv9qcB5YW3f0xJLO%2B5T2QElaJl99Lq5rur58jp%", "https://twitter.com/ecarlesi/status/1584889696030711809", "https://twitter.com/ecarlesi/status/1584914010373251074", "https://twitter.com/ecarlesi/status/1584887713756479489", "https://twitter.com/ecarlesi/status/1584859525479387136", "https://twitter.com/ecarlesi/status/1584936404357824512", "https://twitter.com/ecarlesi/status/1584714726772281345", "uploads-cserver-alumni-profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com", "https://twitter.com/ecarlesi/status/1584704500073435137", "https://twitter.com/ecarlesi/status/1584705072822353922", "https://otx.alienvault.com/indicator/file/f7636eef1d9df0664cd0f205ad8864b659bf9898ce6231376778c4411986912e", "https://twitter.com/ecarlesi/status/1584868767024050177", "https://twitter.com/ecarlesi/status/1584888715855503360", "https://twitter.com/ecarlesi/status/1584876585869398016", "https://twitter.com/ecarlesi/status/1584892630734888966", "https://twitter.com/ecarlesi/status/1584746493038272513", "https://twitter.com/ecarlesi/status/1584860504471773185", "https://twitter.com/ecarlesi/status/1584891251912069121", "https://twitter.com/ecarlesi/status/1584727449320964097", "https://twitter.com/ecarlesi/status/1584891917174816769", "https://twitter.com/ecarlesi/status/1584889868638887936", "https://vtbehaviour.commondatastorage.googleapis.com/0005c1a0f0dd0df76abbabf5f3f9303e46639dc29181b907388cf95a919bfdc5_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779435695&Signature=UoqeOvA3l0SmZPLGLkJ4n7oue%2FoXBTcyhLy5g1zr97R1z9EBf2vAXrsnA8mHkedBOo0cd7lQhlV4QLek1AiAP4Z%2F9XgN%2FgaAo3L%2FP0tI1NFNb5lJ9mZ4YQ5aVcF1jYBD4bluT9%2BjUQaRIkFHR4w4OIpWVuJOGdkbT7UxU%2BgyPR3o2Ij%2Fli0GfJO%2B%2B2KMpTnBE0mWDM%2BrEThJKW2Ty5flTxONg4m7toLl7%2BspvX1Q", "https://twitter.com/ecarlesi/status/1584864280251432962", "https://twitter.com/ecarlesi/status/1584975992678158336", "https://twitter.com/ecarlesi/status/1584715878163255296", "https://twitter.com/ecarlesi/status/1584727419705073664", "https://twitter.com/ecarlesi/status/1584705554408153088", "https://vtbehaviour.commondatastorage.googleapis.com/1af55649a731abb95d71e2e49693a7bcf87270eb4f8712b747f7e04a0a2a3031_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415762&Signature=4Iu15AELs8158yzYffz716hQ5%2BDY4JHNeJeMzaSmkJrocvfpO7MMmB4MO5Zo%2Bs339dX%2Flb51NK%2Fd3eREGBJkNV3bvbEFaxv1hCO%2Fqge8%2FLnfKLSSRPJ48%2BGAVA22z0gYKvSPfYdGvownSV9GBevxmcIWZ%2F0VK57Mb1gHqvtWKs%2BMGgd4v%2FJJWCmjWx8xLomFVgrpD1boM0PxdVh3X21asN1DplbqcAZ%2Fd5WoOJYic", "https://twitter.com/ecarlesi/status/1584912858466361344", "https://hybrid-analysis.com/sample/4549eed582050392e9cecd9b69f0d8d796fd5132e47a2e8161c4bf76ed176a9e/5e690fae4c892737e7365efe", "https://twitter.com/ecarlesi/status/1584864982021414912", "https://twitter.com/ecarlesi/status/1584824868402614272", "https://twitter.com/ecarlesi/status/1584992002256633883", "https://twitter.com/ecarlesi/status/1584858612173864968", "https://twitter.com/ecarlesi/status/1584791208928444418", "https://twitter.com/ecarlesi/status/1584791680443711493", "https://twitter.com/ecarlesi/status/1584792130752598016", "https://twitter.com/ecarlesi/status/1584924709350768642", "https://twitter.com/ecarlesi/status/1584875138373357572", "https://twitter.com/ecarlesi/status/1584748989374611457", "https://twitter.com/ecarlesi/status/1584746362658324481", "https://twitter.com/ecarlesi/status/1584748175960772608", "https://twitter.com/ecarlesi/status/1584726239503421440", "https://twitter.com/ecarlesi/status/1584889538270355457", "https://twitter.com/ecarlesi/status/1584744140524355591", "https://twitter.com/ecarlesi/status/1585010769338322945", "https://vtbehaviour.commondatastorage.googleapis.com/0244cbf1fbf8809c335b9bbd8142c72e3bbb36881e0aacfba6000e0aaa048ba9_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415703&Signature=L2WgcAgR2nm5cyc0SHe8nYGU6Db6r7Cvr%2F9INkp%2ByiPXoTK3tUwxH06Vr3YnW2wDr8eANqgqXGU09YoEUVEKuHs8veU6QWbaN3LrOaICSmq1tlHwJUE7sILNI3MnOjwZvzYeFCMmSLUOQ62k46HzTVnrFNBqaPIUNQiRsQFUz06TVaA9FxXxYKk2brVLRXiNew1RgDlMp%2BM9EnePR06vYsB9QXEgrblE7M51AU%2BpM09%2BGxukEzUG", "https://twitter.com/ecarlesi/status/1584712348710961153", "https://twitter.com/ecarlesi/status/1584889090612363265", "https://twitter.com/ecarlesi/status/1584891666653134848", "https://twitter.com/ecarlesi/status/1584714222700830722", "https://twitter.com/ecarlesi/status/1584861882007134209", "https://twitter.com/ecarlesi/status/1584714727996932097", "https://twitter.com/ecarlesi/status/1584943192083992581", "https://twitter.com/ecarlesi/status/1585038309423816723", "https://twitter.com/ecarlesi/status/1584762341157224450", "https://twitter.com/ecarlesi/status/1584859028013867008", "https://twitter.com/ecarlesi/status/1585051303453069312", "https://twitter.com/ecarlesi/status/1584872919490256897", "https://twitter.com/ecarlesi/status/1584913066428342274", "https://twitter.com/ecarlesi/status/1584975737169354752", "https://twitter.com/ecarlesi/status/1584727762530598918", "https://twitter.com/ecarlesi/status/1584752264782270465", "https://twitter.com/ecarlesi/status/1584728774880403456", "https://twitter.com/ecarlesi/status/1584942574585798656", "https://twitter.com/ecarlesi/status/1584955265400639488", "https://twitter.com/ecarlesi/status/1584865806248251398", "https://twitter.com/ecarlesi/status/1584889717295824897", "https://twitter.com/ecarlesi/status/1584888187188645890", "https://twitter.com/ecarlesi/status/1584888428969205760", "https://twitter.com/ecarlesi/status/1584714227281022983", "https://vtbehaviour.commondatastorage.googleapis.com/0004798a5b6d5acda9800dd63873e148c69a309fb275835c429c149e9291ebb0_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479661&Signature=XqRv2dzr0tVvYKb8bAfMslLVj5uKfyYWhdnIAajfxfM%2Fu6tzv%2FBNmjzhkDX9tpotmvIQG4QIBqM3loowGjcPDcordUF%2Fy0nuaZ%2B4jJd202wWTq0PM2TpeY%2BoKbqFTr0%2FV1woinEUz3D%2FwgJAw7Y1XtsOWfjKby%2BuMDgS%2BMFayvLhA9TZtoLS48uZnjLiespOuIE2IkvuZhZnkx6PHt4cZeZ1SAxeSuFoDQEhovtA%2FI%2FBxYiD", "https://twitter.com/ecarlesi/status/1584715529499152386", "https://twitter.com/ecarlesi/status/1584754850096877570", "https://twitter.com/ecarlesi/status/1584746487694630915", "https://twitter.com/ecarlesi/status/1584732864515645441", "https://twitter.com/ecarlesi/status/1584913328404664322", "https://twitter.com/ecarlesi/status/1584889530615828480", "https://twitter.com/ecarlesi/status/1584791124798996481", "https://otx.alienvault.com/indicator/file/00001aff2ea1acd6087f9fba8d8316d90d29e391d9969bc70cc607461467797e", "https://twitter.com/ecarlesi/status/1584940250975043587", "https://twitter.com/ecarlesi/status/1584727719840989185", "https://twitter.com/ecarlesi/status/1584888712739053571", "PATHETIC redirect: rainn.org | victims of violence & abuse disclose extremely sensitive details. Reported false information given to disorient victims.", "https://twitter.com/ecarlesi/status/1584889588551663621", "https://twitter.com/ecarlesi/status/1584973036402319363", "https://twitter.com/ecarlesi/status/1584776479065374720", "https://twitter.com/ecarlesi/status/1584913770954084352", "https://twitter.com/ecarlesi/status/1584767286992404480", "https://twitter.com/ecarlesi/status/1584791124429922305", "https://twitter.com/ecarlesi/status/1584747274860695553", "https://vtbehaviour.commondatastorage.googleapis.com/4a1710a2798d32efeec6831d8aab90c7f248c65f42d8208dfef211a36152df39_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779478277&Signature=MLz456A289G%2BL07AgpxPfSqG9o6bArnbv7TO4RSMxDAOpOYj4dOVr48Tcm2d7Uv2429ql9Wlgf4JwzE4Ab9wl16mpS13NSJDrZcQbiWKRpE2daAEIHiZIz%2FlxToDBcP3eZl1Hsqps3RXbdJc%2F%2BwHvZ86Wme%2FTqyG5y27%2FgeyLVtaIvt0eXe55FZ1%2BjcTjndNa%2BAa%2BwACuCLG2n030oy6OeHYN1rkEnmnJecXAw51WwAn", "Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure", "https://twitter.com/ecarlesi/status/1584859446165004289", "https://twitter.com/ecarlesi/status/1584729149033398272", "https://twitter.com/ecarlesi/status/1584934552882929664", "https://twitter.com/ecarlesi/status/1584743293371416576", "https://twitter.com/ecarlesi/status/1584934568695631875", "https://twitter.com/ecarlesi/status/1584865536697139200", "https://twitter.com/ecarlesi/status/1584861368443965440", "https://vtbehaviour.commondatastorage.googleapis.com/0005c1a0f0dd0df76abbabf5f3f9303e46639dc29181b907388cf95a919bfdc5_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779476594&Signature=fzxKLlFs1nX8XZjUhCUYy%2FXq%2BwKSl9us6JE%2B6ybuD2FB%2FYxHrjhDmT9VA5jX2vGWh725B%2BnYbuerqS9lI%2F8VsqMEVyltTKup7tinRnxTlmAkvdR11q1URUz8G4eG2JBbqZQskKhGuyGFFaYcsd8HNCN0TciN%2FtnC7U6zsNLv5liPDSKcVQz%2BS8G%2BQgyKgUkFiDUzhh%2Bx3JmKYfMY%2BuATVgXkEO7tY5iUxWbeFaRQ", "https://twitter.com/ecarlesi/status/1584761940777353217", "https://twitter.com/ecarlesi/status/1584860475979882496", "https://twitter.com/ecarlesi/status/1584867142696042497", "https://twitter.com/ecarlesi/status/1584869216984899584", "https://twitter.com/ecarlesi/status/1584715529335496709", "https://vtbehaviour.commondatastorage.googleapis.com/630e1dd423feb4af15dacd299d62785b95c7d5035c8b3421063dfce922a2fd3b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779478206&Signature=j5W%2BdnmxSjHb3p%2Fg07hockdh4i4KExiX%2FnH9QUCkDbubyww3fKH9eP9kFH3nJ%2BawxWsOUhJj4%2BK9j6gRYzKC%2FR0WWMAh6e6jfYuX26XMp1YZZqTNXEnZfkvNdGRN5Cka6vw57ZRuZcN%2BCL5FaWGOrPxDwpMzTsh9Qo62wyFdNSi%2FiXChrlAlXWNf7zMEV1Pyfp%2B8Q8m7BtO4npImTE4W3Mik%2FSSPXkSvtAFoKMGLDY0%2BCF%2", "https://twitter.com/ecarlesi/status/1584702733684117506", "https://twitter.com/ecarlesi/status/1584842716839550977", "Redirects to https://twitter.com?mx=1", "https://twitter.com/ecarlesi/status/1584891645710958594", "https://twitter.com/ecarlesi/status/1584790042194632704", "https://twitter.com/ecarlesi/status/1584857022335488002", "https://twitter.com/ecarlesi/status/1584892776625364992", "https://twitter.com/ecarlesi/status/1584738509511970816", "https://twitter.com/ecarlesi/status/1584973371489792001", "https://twitter.com/ecarlesi/status/1584888707882131458", "https://twitter.com/ecarlesi/status/1584888189239672833", "https://twitter.com/ecarlesi/status/1584739327065657350", "WannaCry | NSA -Anity Cert: https://otx.alienvault.com/indicator/url/https://www.antiy.com/response/Antiy_Wannacry_NSA.html", "https://twitter.com/ecarlesi/status/1584839620780605443", "https://twitter.com/ecarlesi/status/1584737773919125504", "https://twitter.com/ecarlesi/status/1584859369900068864", "https://twitter.com/ecarlesi/status/1584752950504718342", "https://twitter.com/ecarlesi/status/1584889522470486018", "https://twitter.com/ecarlesi/status/1584740369543139331", "Alerts: packer_entropy packer_upx antivm_memory_available pe_features", "SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).", "https://twitter.com/ecarlesi/status/1584744203061534724", "https://twitter.com/ecarlesi/status/1584935431723950082", "https://twitter.com/ecarlesi/status/1584720370573185024", "https://vtbehaviour.commondatastorage.googleapis.com/b71ddf3175c9e6b41f143207c6e74a9c327a362b3a1ce7e0282ceae2ad513b3b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415599&Signature=O7Nc7o9GEFU3sFGIZv58PwBR8rG8MIwYQTmDyTNIUlHEEpmUY2Bttz0797jnr4%2BjT%2BCd1r%2BRad4nV4HLruG5QACAgOnQKjtSn%2FhWNes5q1y2qu46J%2BwCUFqmrr%2BpM6MjMmILZUqSezFzC5Fs%2Fnn4iBIQpYxJ8e4sJMXVIONcDkWLhycQk5rVr%2FV7G6tU0yAkoavXhpyrSGqR2Ee9QAoAXLWdixJ0rLJ85yQxWFr0E%2F7%", "https://twitter.com/ecarlesi/status/1584712351286165505", "https://twitter.com/ecarlesi/status/1584890762147385344", "Alerts: nids_malware_alert network_icmp dumped_buffer network_cnc_http network_http network_http_post allocates_rwx", "URLscanio, FSio, vT", "Packer UPX v0.89.6 - v1.02 / v1.05 -v1.24 -> Markus & Laszlo [overlay]", "https://twitter.com/ecarlesi/status/1584892469006696450", "https://twitter.com/ecarlesi/status/1584891648147968005", "https://twitter.com/ecarlesi/status/1585015635163095071", "pornhub.dev, http://matrix.pornhub.dev, https://twitter.com/PORNO_SEXYBABES, https://www.anon-v.com/porno/fenella/", "https://twitter.com/ecarlesi/status/1584752260495642626", "https://twitter.com/ecarlesi/status/1584889706881449984", "https://twitter.com/ecarlesi/status/1584878916749099010", "https://twitter.com/ecarlesi/status/1584728484470980610", "https://twitter.com/ecarlesi/status/1585034422084149258", "https://twitter.com/ecarlesi/status/1584795536867184640", "https://twitter.com/ecarlesi/status/1584913530096156679", "https://twitter.com/ecarlesi/status/1584888449953406982", "https://twitter.com/ecarlesi/status/1584858335316250624", "https://twitter.com/ecarlesi/status/1584934344925200384", "https://twitter.com/ecarlesi/status/1584958518905405440", "https://twitter.com/ecarlesi/status/1584853803203022848", "https://twitter.com/ecarlesi/status/1584712347930820613", "https://twitter.com/ecarlesi/status/1585053182853513216", "https://twitter.com/ecarlesi/status/1584913076549296130", "https://twitter.com/ecarlesi/status/1584853128989609984", "https://twitter.com/ecarlesi/status/1584720925643182086", "https://twitter.com/ecarlesi/status/1584715879618592768", "https://twitter.com/ecarlesi/status/1584925810082942978", "https://twitter.com/ecarlesi/status/1584790853754753025", "https://vtbehaviour.commondatastorage.googleapis.com/0005c1a0f0dd0df76abbabf5f3f9303e46639dc29181b907388cf95a919bfdc5_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779476914&Signature=X%2BOI3H%2FhLCU6Z%2F1GBGeuHFZRK3ck%2F3ttuukxC9jkM6ChhfbI%2FA1B8wEWIwO3h96ZxdDqMrsNjxYMiLiR6opmt04q6bXr19bw%2FpyqffAlGgyH54NTOd4W4V3vDgDFVAGlgpSWKilpUvZBouT8vWgFh5nQFhBU6V20hA57B%2Fhmh1Aq%2BUqGFi7L8FIinUhUSZqM3dbGkPkOTDCHk8XXTVOTXYm9fdX11WaxFSstQhydC32aNVttDxddQq", "https://twitter.com/ecarlesi/status/1584792365985841153", "https://twitter.com/ecarlesi/status/1584913765912510464", "https://twitter.com/ecarlesi/status/1584747341298683904", "https://twitter.com/ecarlesi/status/1584861064403079168", "https://twitter.com/ecarlesi/status/1584714735924248578", "https://twitter.com/ecarlesi/status/1584973264581177344", "https://twitter.com/ecarlesi/status/1584944618243776520", "IP address: 104.244.42.1 Hosting: Unknown Running on: Tsa B CMS: Express", "https://twitter.com/ecarlesi/status/1584888187264057345", "https://twitter.com/ecarlesi/status/1584869398506094592", "https://twitter.com/ecarlesi/status/1584860161751007236", "https://twitter.com/ecarlesi/status/1584715891354255361", "https://twitter.com/ecarlesi/status/1584747266665025536", "https://twitter.com/ecarlesi/status/1584889515042283522", "https://twitter.com/ecarlesi/status/1584838897493839876", "https://twitter.com/ecarlesi/status/1584913081464922113", "https://twitter.com/ecarlesi/status/1584954731524407298", "https://twitter.com/ecarlesi/status/1584913065363099648", "https://twitter.com/ecarlesi/status/1584912923964719104", "https://twitter.com/ecarlesi/status/1584846086925058053", "https://twitter.com/ecarlesi/status/1584891193980223488", "The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.", "https://twitter.com/ecarlesi/status/1584928853746761729", "https://twitter.com/ecarlesi/status/1584714027082686465", "https://twitter.com/ecarlesi/status/1584868055246684161", "https://twitter.com/ecarlesi/status/1584957395566043136", "Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.", "https://twitter.com/ecarlesi/status/1585016002923864077", "https://twitter.com/ecarlesi/status/1584860282089885698", "https://twitter.com/ecarlesi/status/1584917131795341314", "https://twitter.com/ecarlesi/status/1584791552987217921", "https://twitter.com/ecarlesi/status/1584864214086307841", "https://twitter.com/ecarlesi/status/1584913066185134080", "https://twitter.com/ecarlesi/status/1584913737848340484", "https://twitter.com/ecarlesi/status/1584714727149690880", "https://twitter.com/ecarlesi/status/1584858392153268224", "https://twitter.com/ecarlesi/status/1584747869768237059", "https://twitter.com/ecarlesi/status/1584913918845231105", "https://twitter.com/ecarlesi/status/1584727776753582080", "https://twitter.com/ecarlesi/status/1584746092297584641", "https://twitter.com/ecarlesi/status/1584913743372324866", "https://twitter.com/ecarlesi/status/1584957278431727616", "https://twitter.com/ecarlesi/status/1584859411499126785", "https://twitter.com/ecarlesi/status/1584735702159343616", "https://twitter.com/ecarlesi/status/1584702210272727040", "https://twitter.com/ecarlesi/status/1584913737735192577", "https://twitter.com/ecarlesi/status/1584717154921975810", "https://twitter.com/ecarlesi/status/1585033347989966848", "MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.", "https://twitter.com/ecarlesi/status/1584859386521976833", "Crouching Yeti: Appendixes - according to source ArcSight Threat Intelligence", "https://twitter.com/ecarlesi/status/1584888709492740100", "https://twitter.com/ecarlesi/status/1584913067279896576", "eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.", "https://twitter.com/ecarlesi/status/1584737236754604035", "https://twitter.com/ecarlesi/status/1584788960865296384", "https://twitter.com/ecarlesi/status/1584712348216053760", "https://vtbehaviour.commondatastorage.googleapis.com/2490cba406c48127d4f19ec90640181b6fda91960640d126478a6695aab49c4a_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776416015&Signature=evkFEcpvJ0BNlw47zD%2Bgg2ETU%2FGcbGZI3U%2BLCDkaRH4IhSCbgDF9ABajkx7SCAFA2G%2BndDWCzqKkknqPMARKAJk2b5h%2Bu1Gq8uDozkg9GvP8exgs3%2Bw%2F40637%2BmzlgjutElGFcVRMMDWRF5QEvyEDJVUIXmKmLYmKDYM58fBA4IM2VfpV8BB6HJcySkkMk2J4Mhk9nut%2FIrmFjV99WEunuPKfIgnAataXIXzBGZJl2eJK1OEGK19", "https://twitter.com/ecarlesi/status/1584859491874504706", "https://vtbehaviour.commondatastorage.googleapis.com/fb83210a8a2d58af1d2fe5edf812be88b5465c130c3e8a091626bc0a2d6452ae_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776416202&Signature=f43IRerFiqRQ5ke71WfT2lNFf5Jf60FnKcTCpJGhgnSemoBx1iDNvbOs8rePJYHFEiffIuvjjnquRt51dziCswMktwhg8g7Tl3vVfnoYpuBzv6QT86so9sVcKWOt43wFnzCEH1RWrmQDe2jRBGL2Kvhqi%2B3i2iAFdZWCrxoAJtMJVqGVwXM5S7JnLR%2BklB1A5RQQReOEncgwClqKUHMPrSGjXgH%2FDernerWjOXghDL3V2fJ7EJ", "https://twitter.com/ecarlesi/status/1584891157993095168", "https://twitter.com/ecarlesi/status/1584828169244254208", "https://twitter.com/ecarlesi/status/1584912162308358144", "https://twitter.com/ecarlesi/status/1584760817148370944", "https://twitter.com/ecarlesi/status/1584887764927086592", "SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.", "https://twitter.com/ecarlesi/status/1585000420250112000", "https://twitter.com/ecarlesi/status/1584860282253443079", "https://twitter.com/ecarlesi/status/1584777126632374272", "https://twitter.com/ecarlesi/status/1584702200760393730", "https://twitter.com/ecarlesi/status/1584738152987729920", "https://twitter.com/ecarlesi/status/1584891545148424198", "https://twitter.com/ecarlesi/status/1584837585637195776", "https://hybrid-analysis.com/sample/a7a080e1e8bbd8b71a897b4d8d9d549207c2931a5e416c4599fc5cf51fc357c6", "https://twitter.com/ecarlesi/status/1584951318178893834", "https://twitter.com/ecarlesi/status/1584744160426336261", "https://twitter.com/ecarlesi/status/1584709709990436865", "https://www.virustotal.com/graph/embed/gf3de459eb283404e9f258937b8f0dbf20d5a18c113f44cd6ba094af9d302c918?theme=dark", "https://twitter.com/ecarlesi/status/1584986640589754369", "https://twitter.com/ecarlesi/status/1584702957332926466", "https://twitter.com/ecarlesi/status/1584778281445908480", "https://www.virustotal.com/gui/collection/6a41ae1cf2d3d51fedd2393d893c3b26ed0352dde2e0851d03f0bae9aaa69ae1/iocs", "https://twitter.com/ecarlesi/status/1584936230386634761", "https://hybrid-analysis.com/sample/e05affb84f4d1e1f2fb5f0200d819ffa64e3bc17c9e9b56f46a910b1c08f95e4/69d48a496246d30efa004564", "https://twitter.com/ecarlesi/status/1584913771281190914", "https://twitter.com/ecarlesi/status/1584727780100538370", "https://twitter.com/ecarlesi/status/1584889787294617601", "https://twitter.com/ecarlesi/status/1584975620739678208", "https://twitter.com/ecarlesi/status/1584710427438612481", "https://twitter.com/ecarlesi/status/1584747546928238593", "https://twitter.com/ecarlesi/status/1584860370434392065", "https://twitter.com/ecarlesi/status/1584715520485515265", "https://twitter.com/ecarlesi/status/1584746029248909314", "https://twitter.com/ecarlesi/status/1584865973194178562", "https://twitter.com/ecarlesi/status/1584889699302313984", "https://twitter.com/ecarlesi/status/1584744596701077504", "https://twitter.com/ecarlesi/status/1584747316325621761", "https://twitter.com/ecarlesi/status/1584729161205256192", "https://twitter.com/ecarlesi/status/1584712348429914114", "https://twitter.com/ecarlesi/status/1584720912510853120", "https://twitter.com/ecarlesi/status/1584789065605464064", "https://twitter.com/ecarlesi/status/1584745241759944704", "https://twitter.com/ecarlesi/status/1584860532825362438", "https://twitter.com/ecarlesi/status/1584715512587624451", "https://twitter.com/ecarlesi/status/1584728119214325761", "https://twitter.com/ecarlesi/status/1585017198535385115", "https://twitter.com/ecarlesi/status/1584727756922822661", "https://twitter.com/ecarlesi/status/1584889837705904131", "https://twitter.com/ecarlesi/status/1584913065581109248", "https://twitter.com/ecarlesi/status/1584791176258920450", "https://twitter.com/ecarlesi/status/1584791181938024450", "https://twitter.com/ecarlesi/status/1585051974420004865", "https://twitter.com/ecarlesi/status/1584889095259668480", "https://twitter.com/ecarlesi/status/1584837328937177091", "nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.", "https://twitter.com/ecarlesi/status/1584860439191642114", "https://twitter.com/ecarlesi/status/1584901557056901121", "https://twitter.com/ecarlesi/status/1584886018922217477", "https://twitter.com/ecarlesi/status/1584737010786439168", "WannaCry MS17-010 'Shadow' https://otx.alienvault.com/otxapi/indicators/url/screenshot/https://www.antiy.com/response/wannacry.html", "https://twitter.com/ecarlesi/status/1584858612152864768", "https://twitter.com/ecarlesi/status/1584891676589522946", "https://twitter.com/ecarlesi/status/1584926464025280512", "https://twitter.com/ecarlesi/status/1584837339091959808", "https://twitter.com/ecarlesi/status/1584766131847430145", "https://twitter.com/ecarlesi/status/1584916891604320260", "https://twitter.com/ecarlesi/status/1584714726382211072", "https://twitter.com/ecarlesi/status/1584960737797148674", "https://twitter.com/ecarlesi/status/1584776467594022912", "https://twitter.com/ecarlesi/status/1584982579567939584", "https://twitter.com/ecarlesi/status/1584749903745814529", "https://twitter.com/ecarlesi/status/1584887698434801664", "https://twitter.com/ecarlesi/status/1584888712663539712", "https://twitter.com/ecarlesi/status/1584731934042820608", "https://twitter.com/ecarlesi/status/1584714224223326212", "https://twitter.com/ecarlesi/status/1584747867461361664", "https://twitter.com/ecarlesi/status/1584889064368607234", "https://twitter.com/ecarlesi/status/1584729814740738051", "https://twitter.com/ecarlesi/status/1584714225573924864", "https://twitter.com/ecarlesi/status/1584725238864125952", "https://twitter.com/ecarlesi/status/1584916839418810368", "Redirects to >https://twitter.com/x/migrate?tok=eyJlIjoiL2RlbnZlcnBvbGljZS9zdGF0dXMvIiwidCI6MTcxNjcwMzc3M33oZya0EO4PtEbRwq4XZboX", "https://twitter.com/ecarlesi/status/1584791124417417217", "https://twitter.com/ecarlesi/status/1584720554266923011", "https://twitter.com/ecarlesi/status/1584893304776409094", "https://twitter.com/ecarlesi/status/1584845453698408450", "https://twitter.com/ecarlesi/status/1584888710885265410", "https://twitter.com/ecarlesi/status/1584714225582211076", "https://twitter.com/ecarlesi/status/1584714739942391808", "Hostname device-local-fb18804d-348e-49ea-8c17-cc8a29f18082.remotewd.com | 192.168.56.104: IPv4", "https://twitter.com/ecarlesi/status/1584862125872365574", "https://twitter.com/ecarlesi/status/1584733798620602373", "https://twitter.com/ecarlesi/status/1584738296915189760", "https://twitter.com/ecarlesi/status/1584748734696640513", "https://twitter.com/ecarlesi/status/1584758053311844352", "https://otx.alienvault.com/indicator/file/000054fa2b0d1004464350ee9acc40707fec51223dba36c702a3db4139af9717", "https://twitter.com/ecarlesi/status/1584888426914004993", "https://twitter.com/ecarlesi/status/1584913531291533312", "https://twitter.com/ecarlesi/status/1584715952872210433", "https://twitter.com/ecarlesi/status/1584714971522297856", "https://twitter.com/ecarlesi/status/1584889778037719042", "https://twitter.com/ecarlesi/status/1584911936528998400", "https://twitter.com/ecarlesi/status/1584739200225755136", "https://twitter.com/ecarlesi/status/1584735355093323776", "https://twitter.com/ecarlesi/status/1584712349432307713", "https://twitter.com/ecarlesi/status/1584974311362027521", "https://twitter.com/ecarlesi/status/1584748154129469440", "https://twitter.com/ecarlesi/status/1584862052635615233", "https://twitter.com/ecarlesi/status/1584743455254790145", "https://twitter.com/ecarlesi/status/1584731275901997056", "https://viz.greynoise.io/ip/analysis/3cf1334a-df9d-448f-8145-d5fe67637c1a (11.22.25)", "https://twitter.com/ecarlesi/status/1584934641105924097", "https://twitter.com/ecarlesi/status/1584719752571887616", "https://twitter.com/ecarlesi/status/1584731433020624898", "https://twitter.com/ecarlesi/status/1585029001793478668", "https://twitter.com/ecarlesi/status/1584745746229854208", "https://twitter.com/ecarlesi/status/1584867287948984322", "https://twitter.com/ecarlesi/status/1584702058787127296", "https://twitter.com/ecarlesi/status/1584702547905814528", "https://twitter.com/ecarlesi/status/1585042539874291712", "https://twitter.com/ecarlesi/status/1584922402257080320", "https://twitter.com/ecarlesi/status/1584888199104561152", "Domain: hicloudcam.com | https://otx.alienvault.com/indicator/hostname/alarmeu.sslproxy.gatewayvvlilly3lilly.alpha.hicloudcam.com", "https://twitter.com/ecarlesi/status/1584731937972912130", "https://twitter.com/ecarlesi/status/1584873140168978432", "Verification failure observed in automated verification handlers during sandbox replay.", "Yara Detections: ConventionEngine_Term_Desktop , LZMA , mpress_2_xx_x86 , dbgdetect_procs", "https://twitter.com/ecarlesi/status/1584704125673021441", "https://twitter.com/ecarlesi/status/1584974811599552512", "https://twitter.com/ecarlesi/status/1584897172910252032", "https://vtbehaviour.commondatastorage.googleapis.com/9e4f036dd6fbb45ce414cb5d040b3255b5ccc9ecacbfaf022b631545f9a19a02_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415622&Signature=NJmj0XG%2BcAwpEa26%2B7ucV3CTWcwrSwSV%2BU62aYx0yDVYzZH70ROLK9%2F2lUy0IuC6n88oOTLoikSC4GRgUVypFQpmJoKQpkPvHZ1SfyklCtIWurZJYZvHSZs32JL0l6t3eEwW61xDg%2FICvOFlPQ0Aju7Hk1ntOY82jD%2B9dVw179jdF3A5jzGDrcr7mP17tnwZcOI0pVfF0ZhtbJL6SCHXBce%2BWS5zRxV2VgXHqrGYl0XLgpK6MD30wBFT", "https://twitter.com/ecarlesi/status/1584745839515279361", "https://twitter.com/ecarlesi/status/1584912352406896648", "https://report.netcraft.com/submission/wSKHZprZCkFd2jVQe8GsiNIWYjitfPrZ?tab=urls - Reported to Netcraft 07.23.25", "https://twitter.com/ecarlesi/status/1584889778088153088", "https://vtbehaviour.commondatastorage.googleapis.com/0002412eddb6f812afb3e131d7e801536cb4ff8a410a6d6c6bc559fdb3546116_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779436484&Signature=Pr1pfaimFPZRbQFRLBhpICwKcQGlnx4U5y%2FQZiFEs%2BMGp9zOdmylpsondhJ%2FoJg6NIwY9%2Bk2v9SRh8rgNd2aefaWARh%2ByYvcCFEELbz7cf%2F2f128%2FN%2BsNKOuiRC2JFyN37Wq2hSLt9NYUERhB0THMCMQtw1axrtOHh9CLz3YZ%2BdO7E%2B3g1aOrD3sDAwOgmWR9n9pk%2Fj55fIyJqPDU80OB1RXmaU4XNnEIBA69dpnuj57WGWd", "https://vtbehaviour.commondatastorage.googleapis.com/07189d16eb2fb450654c56bf99f8e74d3837872d805e2ef6ec0fa2ad0186d57b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479129&Signature=FkFNyP2vyo5CfTsAq%2BFvrqCMz2bhYkLSlPGBx3U4BCYuvFwMleBhKHrwbpAcEBUML9jIH%2Bg0AxpTZvAiH6CarH4VLy%2BALlnGPb%2F9fqaMkIAlB%2BZREYxsg%2BdNyt0adKXcvsmrcg6H9RespamRZ8V4PFToZjDPps%2FwEzX081rrnFZgikang831fP1Lf5uv4nVUxYnyWDDVkytRx9fFZIYCB5Q37uK5gnHXswTv9%2FDpDkRxtS", "https://twitter.com/ecarlesi/status/1584825615097729025", "https://twitter.com/ecarlesi/status/1584791833325993984", "https://twitter.com/ecarlesi/status/1584736401354113026", "https://twitter.com/ecarlesi/status/1584736869757108224", "https://twitter.com/ecarlesi/status/1584712350912888832", "https://twitter.com/ecarlesi/status/1584791184651730944", "https://twitter.com/ecarlesi/status/1584888709962416128", "The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr", "https://twitter.com/ecarlesi/status/1584714726382215169", "https://twitter.com/ecarlesi/status/1584890585143562241", "Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat", "https://twitter.com/ecarlesi/status/1584727254986203136", "https://twitter.com/ecarlesi/status/1584714303814471680", "https://twitter.com/ecarlesi/status/1584752697189744640", "https://twitter.com/ecarlesi/status/1584913762062139394", "https://twitter.com/ecarlesi/status/1584709451566702594", "https://twitter.com/ecarlesi/status/1584760518807588864", "https://twitter.com/ecarlesi/status/1584859742144532480", "https://twitter.com/ecarlesi/status/1584743499056005122", "https://twitter.com/ecarlesi/status/1584864280549236736", "https://twitter.com/ecarlesi/status/1585033804477079553", "03.11.14: https://www.virustotal.com/graph/embed/ge2e309eb8bd34fcca56398089b2291058dfe1fca69dc4e5aa66db0365caf735b?theme=dark", "https://twitter.com/ecarlesi/status/1584735401129934848", "https://twitter.com/ecarlesi/status/1584859036691976194", "https://twitter.com/ecarlesi/status/1584889528271134723", "https://twitter.com/ecarlesi/status/1584975648807800832", "https://twitter.com/ecarlesi/status/1584714220540682242", "https://twitter.com/ecarlesi/status/1584741878976712704", "https://twitter.com/ecarlesi/status/1584715349643198464", "https://twitter.com/ecarlesi/status/1584942061601673217", "https://twitter.com/ecarlesi/status/1584912252716863488", "https://twitter.com/ecarlesi/status/1584732855908945920", "https://twitter.com/ecarlesi/status/1584889533539270656", "https://twitter.com/ecarlesi/status/1584748171648983040", "https://twitter.com/ecarlesi/status/1584727333725818880", "https://twitter.com/ecarlesi/status/1584859032099164162", "https://twitter.com/ecarlesi/status/1584746370572877824", "https://hybrid-analysis.com/sample/4549eed582050392e9cecd9b69f0d8d796fd5132e47a2e8161c4bf76ed176a9e/5f7728aa32edd97f433dbb02", "https://twitter.com/ecarlesi/status/1584727780054507523", "https://twitter.com/ecarlesi/status/1584731560401674241", "https://twitter.com/ecarlesi/status/1584915560202215426", "https://twitter.com/ecarlesi/status/1584989183113773056", "Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)", "https://twitter.com/ecarlesi/status/1584824417053556742", "https://twitter.com/ecarlesi/status/1584899761995382784", "https://twitter.com/ecarlesi/status/1584714283551793152", "https://twitter.com/ecarlesi/status/1584731934261137409", "https://twitter.com/ecarlesi/status/1584890138102009857", "https://twitter.com/ecarlesi/status/1584935604155981825", "https://twitter.com/ecarlesi/status/1584703016778735618", "https://twitter.com/ecarlesi/status/1584747223073570816", "https://twitter.com/ecarlesi/status/1584892412064944128", "https://twitter.com/ecarlesi/status/1584790930627985408", "https://twitter.com/ecarlesi/status/1584942186340179974", "https://vtbehaviour.commondatastorage.googleapis.com/9e4f036dd6fbb45ce414cb5d040b3255b5ccc9ecacbfaf022b631545f9a19a02_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415648&Signature=gOGhlxTumFXkKGryYSeJV8%2BMONZwbp%2BS3ntsErndc02nffG6DHW%2FbU0CVbVSOp3lIZkIt2qx7a%2BTsm2IItEWtGIN55fG14UxsBfo1Gf8bukZC4u5KoQKrVSYuV9aASUd5oCoTo0iIp%2BVCokHRdLbF259Fld%2FjlgJGL%2FVoLiGxXwkbQaxZi5VN94eNl65FMGXLtoVUgbUk3FhXEIuLwwJJU8XnveqbCOzDS9PtPnPO7seXDaK", "https://twitter.com/ecarlesi/status/1584745729746165760", "https://twitter.com/ecarlesi/status/1584933064094158850", "https://vtbehaviour.commondatastorage.googleapis.com/fb83210a8a2d58af1d2fe5edf812be88b5465c130c3e8a091626bc0a2d6452ae_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415519&Signature=e1YxGtIahtkD9VKQTSuo9BFhC4KNicXASSfPf7LiJhYyR2OQOLXoHJjgEUtHCAfeZU7VSacymMfJJhx7M2NXSaPyv5cdsCUWfzeTKwyFqM06pSuq7HqYUJIh2%2BG3bz87h0m%2FMFuU5d0MXdwN9ykL%2FJ8EB4RuyKhfY%2FjBGZMZA0nVn5dQtQ1GySJiLj%2BWsKXQxsYVy%2FBok8h2n2m7EE923RSv%2BkkdQHO3enQf2ikR%2FU%2BtEN4S7xO2", "https://twitter.com/ecarlesi/status/1584714223652929536", "https://twitter.com/ecarlesi/status/1584928379819655168", "https://twitter.com/ecarlesi/status/1584973586673999873", "https://twitter.com/ecarlesi/status/1584747875971600384", "https://twitter.com/ecarlesi/status/1584715026853777408", "https://twitter.com/ecarlesi/status/1584791184005808128", "https://twitter.com/ecarlesi/status/1584734457583607808", "https://twitter.com/ecarlesi/status/1584741313345355776", "https://twitter.com/ecarlesi/status/1584714105486704642", "https://twitter.com/ecarlesi/status/1584858995185143811", "https://twitter.com/ecarlesi/status/1584863253968158721", "https://twitter.com/ecarlesi/status/1584889696907395072", "Command and Control IP: 5.41.21.250 | Location Saudi Arabia flag Jeddah, Saudi Arabia ASN AS39891 saudi telecom company jsc", "https://twitter.com/ecarlesi/status/1585052596523438082", "https://twitter.com/ecarlesi/status/1584842985371484162", "https://twitter.com/ecarlesi/status/1584860506661199874", "https://twitter.com/ecarlesi/status/1584731288837267461", "https://twitter.com/ecarlesi/status/1584837013555105792", "https://twitter.com/ecarlesi/status/1584888202875338753", "https://twitter.com/ecarlesi/status/1584888709270458369", "https://twitter.com/ecarlesi/status/1584888225218367488", "https://twitter.com/ecarlesi/status/1584721452493946880", "https://twitter.com/ecarlesi/status/1584865600370839554", "https://twitter.com/ecarlesi/status/1584983833883074560", "https://twitter.com/ecarlesi/status/1584858853862170624", "https://twitter.com/ecarlesi/status/1584790844669935617", "My Independent research finds an intersect between different pdf DV versions being able to connect to Raspberry Pi devices as it was the FCC application document. Risk: Mac ID connectivity to all.", "https://twitter.com/ecarlesi/status/1584731728102432768", "https://twitter.com/ecarlesi/status/1584860507546292227", "https://twitter.com/ecarlesi/status/1584761759419834375", "https://twitter.com/ecarlesi/status/1584768135667777539", "originb0b.profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com | 108.160.165.139 Location: USA |ASN AS19679 dropbox inc. Nameservers ns-136.awsdns-17.com. ns-1518.awsdns-61.org. ,\u00a0 ns-1573.awsdns-04.co.uk. ,\u00a0 ns-809.awsdns-37.net. Less WHOIS Registrar: https://www.101domain.com/,\u00a0\u00a0 Creation Date: Oct 21, 2010 Related Pulses None Related Tags None Indicator Facts Running webserver External Resources Whois,\u00a0 UrlVoid,\u00a0 VirusTotal Analysis Related Pulses Comments (0) Whois Show 100 entr", "https://vtbehaviour.commondatastorage.googleapis.com/0005c1a0f0dd0df76abbabf5f3f9303e46639dc29181b907388cf95a919bfdc5_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779435775&Signature=AkieU7eRCNrzND0lejy10HFR7OdRvNqyswrKIdggTIg6w4naejOYYwut39HnOup0%2BqQcIl4AJ6iCv7BrJuqNoIe3WuL3S3c9To36FuiNd2aOBRNZcN9gHBz7GSvTlAnmNNOt9OIZbdryCE4RnMJA4q7aOGLAd3dJzbXxC1sLLrpBBY0wTeb7cvNcLLEuJzsk9AQw8m9nZ%2BMfQJB8hWxaWNXySZkIl%2Fkufg7NdeYBFT4YXsi2gxWg0UruP%2FFYE8", "https://twitter.com/ecarlesi/status/1584913759189041152", "https://twitter.com/ecarlesi/status/1584716009335914497", "https://twitter.com/ecarlesi/status/1584740019146788864", "https://twitter.com/ecarlesi/status/1584722687192190978", "https://twitter.com/ecarlesi/status/1584889850481856512", "https://twitter.com/ecarlesi/status/1584714216929386497", "https://twitter.com/ecarlesi/status/1584702210239508480", "https://twitter.com/ecarlesi/status/1584912784952795136", "https://twitter.com/ecarlesi/status/1584730267482460161", "https://twitter.com/ecarlesi/status/1585033577456181269", "Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.", "https://twitter.com/ecarlesi/status/1584733205269471232", "https://vtbehaviour.commondatastorage.googleapis.com/07189d16eb2fb450654c56bf99f8e74d3837872d805e2ef6ec0fa2ad0186d57b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479907&Signature=iueIcUDv9RIYkBRQtii5Jfuv%2BeG9yJAR5YXQn2gInk3FCxuCJZ%2B13LeDjwijF7yPbTVrC1wNPnJ%2FVbq1cmlXyNO8tlv%2B8elIQFS54gR8nAVRGN4LU1dNoeO32%2FO66F3pXxP0eqqMU%2FQP3gtxgj1DgdO30ZFIiCgg%2Fg9D%2FSKKj5Xv2mPG46PvAmIwtW3nOKCQG90FTtbSkmUqlKz3F8OM0vxczYYlKKqT9NEwz9wpPFDE2cfWdMv0ir", "https://twitter.com/ecarlesi/status/1584859032099196931", "https://twitter.com/ecarlesi/status/1584914010155220993", "Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.", "https://twitter.com/ecarlesi/status/1584735726301741058", "https://twitter.com/ecarlesi/status/1585049613656113155", "https://twitter.com/ecarlesi/status/1584851694365691904", "https://twitter.com/ecarlesi/status/1584913530662387715", "https://twitter.com/ecarlesi/status/1584934395844366336", "https://twitter.com/ecarlesi/status/1584935375453265927", "https://twitter.com/ecarlesi/status/1584929648802205696", "https://twitter.com/ecarlesi/status/1584774597643276288", "https://twitter.com/ecarlesi/status/1584702204316770304", "https://twitter.com/ecarlesi/status/1585020272670920705", "https://twitter.com/ecarlesi/status/1584777689885544448", "https://twitter.com/ecarlesi/status/1584837847156129794", "https://twitter.com/ecarlesi/status/1584715532435177472", "https://twitter.com/ecarlesi/status/1584913065195233282", "https://twitter.com/ecarlesi/status/1584875513390194689", "https://twitter.com/ecarlesi/status/1584957215500341276", "https://twitter.com/ecarlesi/status/1584913763697922048", "https://twitter.com/ecarlesi/status/1584791788916711424", "https://vtbehaviour.commondatastorage.googleapis.com/00000048b1c9e60c14a6619f0292dea96df7f10c11cfa9ae28693219c0ae844b_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415832&Signature=AOcM9Dc%2B2gUBJnZxuNmagisQ8QYjno4RVZd6DZFo553Ws2tWbJ6lUHXGOGTxLZCRccqXY9h0WhcjRXW4EgojbjJxXCTLq1y%2BtxXjZShlepAg7uq2pbXGsBhUcbpS5Jj0upmosZUCtU4mq8fMyjA0Jufv7u%2F%2FhIwKCp6Q9NIixpAXFwNy8BWn%2FOh6em7B0TwRABvcvTsQC2PO%2FOq5J61VWow6JiR2o97x%2Fm1ChJyz%2FvGTsz", "https://twitter.com/ecarlesi/status/1584891899260899339", "https://twitter.com/ecarlesi/status/1584714223791357955", "https://twitter.com/ecarlesi/status/1584888818347417600", "https://twitter.com/ecarlesi/status/1584878255135674369", "https://twitter.com/ecarlesi/status/1584926834558369796", "https://twitter.com/ecarlesi/status/1584859446752296960", "https://twitter.com/ecarlesi/status/1584714740022091777", "https://twitter.com/ecarlesi/status/1584893794377502720", "https://twitter.com/ecarlesi/status/1584889863928791041", "https://twitter.com/ecarlesi/status/1584863917561503744", "https://viz.greynoise.io/ip/analysis/3cf1334a-df9d-448f-8145-d5fe67637c1a", "https://twitter.com/ecarlesi/status/1584875810787414016", "https://vtbehaviour.commondatastorage.googleapis.com/07189d16eb2fb450654c56bf99f8e74d3837872d805e2ef6ec0fa2ad0186d57b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479748&Signature=bmCNstJ9sHQgsE7ftRhH0aIPUmBBHkP2qQ3rHVpByPWgffnrKG52ag1t9RW3%2FetCVEJOqM7QIcRAmh2I%2FKAe9kYjPuhl2PVAXTMHY5HnJO1JMOSKNlqLkhdHaCne1MWQgI3tQyu4o1WsLFozD6GltOMnKU0HtbToD%2BlbPwr6Tgfg30chrrVniGrmRioP6BcmXUHwIHVqrZMTvxE16%2BqF3jilzlc%2F6%2BD4By7PNkd0GYCgQ4il2L", "https://twitter.com/ecarlesi/status/1584746678107660293", "https://twitter.com/ecarlesi/status/1584730867498422272", "https://twitter.com/ecarlesi/status/1584789042004099074", "https://twitter.com/ecarlesi/status/1584791124400640001", "https://twitter.com/ecarlesi/status/1584890525014003714", "https://twitter.com/ecarlesi/status/1584791124400640003", "https://twitter.com/ecarlesi/status/1584824417036763138", "https://twitter.com/ecarlesi/status/1584748136257363968", "https://twitter.com/ecarlesi/status/1584790440573898753", "https://twitter.com/ecarlesi/status/1584888552176975874", "https://twitter.com/ecarlesi/status/1584737335803092992", "https://twitter.com/ecarlesi/status/1584777802989068294", "https://twitter.com/ecarlesi/status/1584824624331849730", "https://twitter.com/ecarlesi/status/1584743452574728193", "https://twitter.com/ecarlesi/status/1584744704897318912", "https://twitter.com/ecarlesi/status/1584872446053728256", "https://twitter.com/ecarlesi/status/1584825612824444928", "https://twitter.com/ecarlesi/status/1584879240297824256", "https://twitter.com/ecarlesi/status/1584715524356935682", "https://twitter.com/ecarlesi/status/1584913064238923776", "https://twitter.com/ecarlesi/status/1584788744334442498", "https://twitter.com/ecarlesi/status/1584913065690206220", "https://twitter.com/ecarlesi/status/1585050347231387648", "https://twitter.com/ecarlesi/status/1584702374475575296", "https://twitter.com/ecarlesi/status/1584864268247244801", "https://twitter.com/ecarlesi/status/1584744581391859712", "https://twitter.com/ecarlesi/status/1584978311557808128", "https://twitter.com/ecarlesi/status/1584941224359870464", "https://twitter.com/ecarlesi/status/1584731933942185986", "https://twitter.com/ecarlesi/status/1584858612614287361", "https://twitter.com/ecarlesi/status/1584749320515076097", "https://twitter.com/ecarlesi/status/1584888712583864320", "https://twitter.com/ecarlesi/status/1584893541792337920", "https://vtbehaviour.commondatastorage.googleapis.com/0004798a5b6d5acda9800dd63873e148c69a309fb275835c429c149e9291ebb0_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479619&Signature=WpCRMDToBbPACvuqYzQGmlMg%2FCkBnFTggqFGmmHaglzN9je5VnjDj30wCq7SSw8SWLscjkCPrfuD0EkYJ1xfXntJlcl9KGGr9jNB4fQXuEEUiE8yj6v4SfACfYhIMlNi0o9CaPCfIxb6jUfMN0WYJVqhLqCq94ITVIzKXxwLwX9TrDoUTaKE11foz4kq9Nu6aN7N%2Fi1VAbrEfS97t1E3b6aKXBvTBJ044lERzuMh0QVmYirWkUgeK3h5qu", "https://twitter.com/ecarlesi/status/1584858990160347137", "https://twitter.com/ecarlesi/status/1584746670100807682", "https://twitter.com/ecarlesi/status/1584893104989036545", "https://twitter.com/ecarlesi/status/1584913945588015104", "https://twitter.com/ecarlesi/status/1584864256889061378" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Win32:trojan-gen", "Win.malware.vtflooder-6723768-0", "Win.dropper.qqpass-9895638-0", "Win.trojan.downloader-63174", "Win.trojan.agent-752791", "Win32:malware-gen", "Wannacry", "Trojan:win32/qqpass", "Win32/vflooder.b checkin", "Clicker.bgou", "Win32/vflooder.b vtapi dos" ], "industries": [ "Government", "Telecommunications", "Healthcare", "Legal, financial, healthcare, government, municipal, real-estate, enterprise-technology, critical-in", "Education", "Finance", "Transportation", "Retail", "Hospitality", "Technology" ], "unique_indicators": 164420 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/microsoftonline.com", "whois": "http://whois.domaintools.com/microsoftonline.com", "domain": "microsoftonline.com", "hostname": "login.microsoftonline.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 34, "pulses": [ { "id": "6a16afb92680fcea084bb7b0", "name": "credit: scoreblue ['Eternal Blue_Wana Cry MS'] clone - user notes: interesting name tagged", "description": "", "modified": "2026-05-27T08:54:31.968000", "created": "2026-05-27T08:47:53.724000", "tags": [ "sha256", "sha1", "pattern match", "ascii text", "document file", "v2 document", "crlf line", "size", "unicode", "beginstring", "null", "hybrid", "refresh", "body", "span", "local", "click", "strings", "error", "tools", "look", "verify", "restart", "contact", "external-resources", "dom-modification", "third-party-cookies", "iframes", "trackers", "text/html", "twitter", "final url", "ip address", "status code", "body length", "kb body", "headers", "deny", "express", "referrer", "impacting azure", "proofpoint", "sneaky server", "replacement", "unauthorized", "switch dns", "query", "vy binh", "hiddentear", "et tor", "known tor", "misc attack", "relayrouter", "exit", "node traffic", "date", "meta", "form", "submission", "expiresthu", "path", "secure", "self", "xcitium verdict", "cloud", "sophos", "history first", "analysis", "cp", "cyber", "threat", "redrum", "hit", "men", "triangulation", "historical ssl", "apt suspects", "critical cmd", "hide", "asyncrat", "jeremy", "government", "malicious", "yuming", "name servers", "united", "passive dns", "urls", "creation date", "search", "expiration date", "showing", "unknown", "next", "windows nt", "malware beacon", "memcommit", "generic http", "exe upload", "outbound", "etpro trojan", "show", "trojan", "copy", "write", "win32", "malware", "read c", "entries", "medium", "markus", "contentlength", "write c", "delete c", "create c", "yara detections", "scan endpoints", "all scoreblue", "filehash", "pulse pulses", "av detections", "ids detections", "alerts", "analysis date", "file score", "next pe", "as32934", "hitmen", "local government", "scene unit", "crime", "denver police", "address", "status", "aaaa", "apple", "less whois", "registrar", "wannacry", "http", "unique", "url https", "related nids", "code", "screenshot", "anity", "nsa", "shadow", "saudi telecom", "riyadh address", "saudi arabia", "abuse", "ripe", "company isp", "number", "label saudi", "telecom company", "jsc regional", "riyadh", "ripe ncc", "registry techc", "campus", "saudi", "ripe network", "domain", "internet se", "emails", "system", "server tsa", "b server", "certificate", "digicert inc", "moved", "record value" ], "references": [ "http://x.com/denverpolice/status/", "Redirects to >https://twitter.com/x/migrate?tok=eyJlIjoiL2RlbnZlcnBvbGljZS9zdGF0dXMvIiwidCI6MTcxNjcwMzc3M33oZya0EO4PtEbRwq4XZboX", "Redirects to https://twitter.com?mx=1", "IP address: 104.244.42.1 Hosting: Unknown Running on: Tsa B CMS: Express", "Crouching Yeti: Appendixes - according to source ArcSight Threat Intelligence", "https://otx.alienvault.com/indicator/file/00001aff2ea1acd6087f9fba8d8316d90d29e391d9969bc70cc607461467797e", "Alerts: nids_malware_alert network_icmp dumped_buffer network_cnc_http network_http network_http_post allocates_rwx", "Alerts: packer_entropy packer_upx antivm_memory_available pe_features", "Yara Detections: Yara Detections Nrv2x , UPX_OEP_place , UPX_Modified_Or_Inside , UPX20030XMarkusOberhumerLaszloMolnarJohnReiser , UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , Toxoplasmosis , UPX", "Packer UPX v0.89.6 - v1.02 / v1.05 -v1.24 -> Markus & Laszlo [overlay]", "Yara Detections: ConventionEngine_Term_Desktop , LZMA , mpress_2_xx_x86 , dbgdetect_procs", "pornhub.dev, http://matrix.pornhub.dev, https://twitter.com/PORNO_SEXYBABES, https://www.anon-v.com/porno/fenella/", "Hostname device-local-fb18804d-348e-49ea-8c17-cc8a29f18082.remotewd.com | 192.168.56.104: IPv4", "https://otx.alienvault.com/indicator/file/f7636eef1d9df0664cd0f205ad8864b659bf9898ce6231376778c4411986912e", "https://otx.alienvault.com/indicator/file/000054fa2b0d1004464350ee9acc40707fec51223dba36c702a3db4139af9717", "Domain: hicloudcam.com | https://otx.alienvault.com/indicator/hostname/alarmeu.sslproxy.gatewayvvlilly3lilly.alpha.hicloudcam.com", "originb0b.profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com | 108.160.165.139 Location: USA |ASN AS19679 dropbox inc. Nameservers ns-136.awsdns-17.com. ns-1518.awsdns-61.org. ,\u00a0 ns-1573.awsdns-04.co.uk. ,\u00a0 ns-809.awsdns-37.net. Less WHOIS Registrar: https://www.101domain.com/,\u00a0\u00a0 Creation Date: Oct 21, 2010 Related Pulses None Related Tags None Indicator Facts Running webserver External Resources Whois,\u00a0 UrlVoid,\u00a0 VirusTotal Analysis Related Pulses Comments (0) Whois Show 100 entr", "https://otx.alienvault.com/indicator/hostname/originb0b.profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com", "PATHETIC redirect: rainn.org | victims of violence & abuse disclose extremely sensitive details. Reported false information given to disorient victims.", "WannaCry | NSA -Anity Cert: https://otx.alienvault.com/indicator/url/https://www.antiy.com/response/Antiy_Wannacry_NSA.html", "WannaCry MS17-010 'Shadow' https://otx.alienvault.com/otxapi/indicators/url/screenshot/https://www.antiy.com/response/wannacry.html", "Command and Control IP: 5.41.21.250 | Location Saudi Arabia flag Jeddah, Saudi Arabia ASN AS39891 saudi telecom company jsc", "m.pornsexer.xxx.3.1.adiosfil.roksit.net", "uploads-cserver-alumni-profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win32/Vflooder.B Checkin", "display_name": "Win32/Vflooder.B Checkin", "target": null }, { "id": "Win.Malware.Vtflooder-6723768-0", "display_name": "Win.Malware.Vtflooder-6723768-0", "target": null }, { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "Win32/Vflooder.B vtapi DOS", "display_name": "Win32/Vflooder.B vtapi DOS", "target": null }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "Win.Trojan.Downloader-63174", "display_name": "Win.Trojan.Downloader-63174", "target": null }, { "id": "Clicker.BGOU", "display_name": "Clicker.BGOU", "target": null }, { "id": "Win.Trojan.Agent-752791", "display_name": "Win.Trojan.Agent-752791", "target": null }, { "id": "Win.Dropper.QQpass-9895638-0", "display_name": "Win.Dropper.QQpass-9895638-0", "target": null }, { "id": "Trojan:Win32/QQpass", "display_name": "Trojan:Win32/QQpass", "target": "/malware/Trojan:Win32/QQpass" }, { "id": "WannaCry", "display_name": "WannaCry", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1038", "name": "DLL Search Order Hijacking", "display_name": "T1038 - DLL Search Order Hijacking" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1470", "name": "Obtain Device Cloud Backups", "display_name": "T1470 - Obtain Device Cloud Backups" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" } ], "industries": [], "TLP": "green", "cloned_from": "66536c8eee8d42d670e27723", "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 350, "FileHash-SHA1": 348, "FileHash-SHA256": 2662, "URL": 7850, "domain": 2245, "hostname": 3611, "SSLCertFingerprint": 4, "email": 10, "CIDR": 4 }, "indicator_count": 17084, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "4 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a16ab45548ef01419902c8f", "name": "Credit: Scoreblue - \"iOS Attack - Crouching Yeti: http://x.[com]/denverpolice/status/| CREATED 2 YEARS AGO MODIFIED 2 YEARS AGO by scoreblue Public", "description": "", "modified": "2026-05-27T08:28:53.256000", "created": "2026-05-27T08:28:53.256000", "tags": [ "sha256", "sha1", "pattern match", "ascii text", "document file", "v2 document", "crlf line", "size", "unicode", "beginstring", "null", "hybrid", "refresh", "body", "span", "local", "click", "strings", "error", "tools", "look", "verify", "restart", "contact", "external-resources", "dom-modification", "third-party-cookies", "iframes", "trackers", "text/html", "twitter", "final url", "ip address", "status code", "body length", "kb body", "headers", "deny", "express", "referrer", "impacting azure", "proofpoint", "sneaky server", "replacement", "unauthorized", "switch dns", "query", "vy binh", "hiddentear", "et tor", "known tor", "misc attack", "relayrouter", "exit", "node traffic", "date", "meta", "form", "submission", "expiresthu", "path", "secure", "self", "xcitium verdict", "cloud", "sophos", "history first", "analysis", "cp", "cyber", "threat", "redrum", "hit", "men", "triangulation", "historical ssl", "apt suspects", "critical cmd", "hide", "asyncrat", "jeremy", "government", "malicious", "yuming", "name servers", "united", "passive dns", "urls", "creation date", "search", "expiration date", "showing", "unknown", "next", "windows nt", "malware beacon", "memcommit", "generic http", "exe upload", "outbound", "etpro trojan", "show", "trojan", "copy", "write", "win32", "malware", "read c", "entries", "medium", "markus", "contentlength", "write c", "delete c", "create c", "yara detections", "scan endpoints", "all scoreblue", "filehash", "pulse pulses", "av detections", "ids detections", "alerts", "analysis date", "file score", "next pe", "as32934", "hitmen", "local government", "scene unit", "crime", "denver police", "address", "status", "aaaa", "apple", "less whois", "registrar", "wannacry", "http", "unique", "url https", "related nids", "code", "screenshot", "anity", "nsa", "shadow", "saudi telecom", "riyadh address", "saudi arabia", "abuse", "ripe", "company isp", "number", "label saudi", "telecom company", "jsc regional", "riyadh", "ripe ncc", "registry techc", "campus", "saudi", "ripe network", "domain", "internet se", "emails", "system", "server tsa", "b server", "certificate", "digicert inc", "moved", "record value" ], "references": [ "http://x.com/denverpolice/status/", "Redirects to >https://twitter.com/x/migrate?tok=eyJlIjoiL2RlbnZlcnBvbGljZS9zdGF0dXMvIiwidCI6MTcxNjcwMzc3M33oZya0EO4PtEbRwq4XZboX", "Redirects to https://twitter.com?mx=1", "IP address: 104.244.42.1 Hosting: Unknown Running on: Tsa B CMS: Express", "Crouching Yeti: Appendixes - according to source ArcSight Threat Intelligence", "https://otx.alienvault.com/indicator/file/00001aff2ea1acd6087f9fba8d8316d90d29e391d9969bc70cc607461467797e", "Alerts: nids_malware_alert network_icmp dumped_buffer network_cnc_http network_http network_http_post allocates_rwx", "Alerts: packer_entropy packer_upx antivm_memory_available pe_features", "Yara Detections: Yara Detections Nrv2x , UPX_OEP_place , UPX_Modified_Or_Inside , UPX20030XMarkusOberhumerLaszloMolnarJohnReiser , UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , Toxoplasmosis , UPX", "Packer UPX v0.89.6 - v1.02 / v1.05 -v1.24 -> Markus & Laszlo [overlay]", "Yara Detections: ConventionEngine_Term_Desktop , LZMA , mpress_2_xx_x86 , dbgdetect_procs", "pornhub.dev, http://matrix.pornhub.dev, https://twitter.com/PORNO_SEXYBABES, https://www.anon-v.com/porno/fenella/", "Hostname device-local-fb18804d-348e-49ea-8c17-cc8a29f18082.remotewd.com | 192.168.56.104: IPv4", "https://otx.alienvault.com/indicator/file/f7636eef1d9df0664cd0f205ad8864b659bf9898ce6231376778c4411986912e", "https://otx.alienvault.com/indicator/file/000054fa2b0d1004464350ee9acc40707fec51223dba36c702a3db4139af9717", "Domain: hicloudcam.com | https://otx.alienvault.com/indicator/hostname/alarmeu.sslproxy.gatewayvvlilly3lilly.alpha.hicloudcam.com", "originb0b.profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com | 108.160.165.139 Location: USA |ASN AS19679 dropbox inc. Nameservers ns-136.awsdns-17.com. ns-1518.awsdns-61.org. ,\u00a0 ns-1573.awsdns-04.co.uk. ,\u00a0 ns-809.awsdns-37.net. Less WHOIS Registrar: https://www.101domain.com/,\u00a0\u00a0 Creation Date: Oct 21, 2010 Related Pulses None Related Tags None Indicator Facts Running webserver External Resources Whois,\u00a0 UrlVoid,\u00a0 VirusTotal Analysis Related Pulses Comments (0) Whois Show 100 entr", "https://otx.alienvault.com/indicator/hostname/originb0b.profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com", "PATHETIC redirect: rainn.org | victims of violence & abuse disclose extremely sensitive details. Reported false information given to disorient victims.", "WannaCry | NSA -Anity Cert: https://otx.alienvault.com/indicator/url/https://www.antiy.com/response/Antiy_Wannacry_NSA.html", "WannaCry MS17-010 'Shadow' https://otx.alienvault.com/otxapi/indicators/url/screenshot/https://www.antiy.com/response/wannacry.html", "Command and Control IP: 5.41.21.250 | Location Saudi Arabia flag Jeddah, Saudi Arabia ASN AS39891 saudi telecom company jsc", "m.pornsexer.xxx.3.1.adiosfil.roksit.net", "uploads-cserver-alumni-profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win32/Vflooder.B Checkin", "display_name": "Win32/Vflooder.B Checkin", "target": null }, { "id": "Win.Malware.Vtflooder-6723768-0", "display_name": "Win.Malware.Vtflooder-6723768-0", "target": null }, { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "Win32/Vflooder.B vtapi DOS", "display_name": "Win32/Vflooder.B vtapi DOS", "target": null }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "Win.Trojan.Downloader-63174", "display_name": "Win.Trojan.Downloader-63174", "target": null }, { "id": "Clicker.BGOU", "display_name": "Clicker.BGOU", "target": null }, { "id": "Win.Trojan.Agent-752791", "display_name": "Win.Trojan.Agent-752791", "target": null }, { "id": "Win.Dropper.QQpass-9895638-0", "display_name": "Win.Dropper.QQpass-9895638-0", "target": null }, { "id": "Trojan:Win32/QQpass", "display_name": "Trojan:Win32/QQpass", "target": "/malware/Trojan:Win32/QQpass" }, { "id": "WannaCry", "display_name": "WannaCry", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1038", "name": "DLL Search Order Hijacking", "display_name": "T1038 - DLL Search Order Hijacking" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1470", "name": "Obtain Device Cloud Backups", "display_name": "T1470 - Obtain Device Cloud Backups" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" } ], "industries": [], "TLP": "green", "cloned_from": "66536881127f5ee988306394", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 350, "FileHash-SHA1": 348, "FileHash-SHA256": 2659, "URL": 7850, "domain": 2245, "hostname": 3611, "SSLCertFingerprint": 4, "email": 10, "CIDR": 4 }, "indicator_count": 17081, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "4 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a16ab3f9578fcc7ffd52a3a", "name": "Credit: Scoreblue - \"iOS Attack - Crouching Yeti: http://x.[com]/denverpolice/status/| CREATED 2 YEARS AGO MODIFIED 2 YEARS AGO by scoreblue Public", "description": "", "modified": "2026-05-27T08:28:47.467000", "created": "2026-05-27T08:28:47.467000", "tags": [ "sha256", "sha1", "pattern match", "ascii text", "document file", "v2 document", "crlf line", "size", "unicode", "beginstring", "null", "hybrid", "refresh", "body", "span", "local", "click", "strings", "error", "tools", "look", "verify", "restart", "contact", "external-resources", "dom-modification", "third-party-cookies", "iframes", "trackers", "text/html", "twitter", "final url", "ip address", "status code", "body length", "kb body", "headers", "deny", "express", "referrer", "impacting azure", "proofpoint", "sneaky server", "replacement", "unauthorized", "switch dns", "query", "vy binh", "hiddentear", "et tor", "known tor", "misc attack", "relayrouter", "exit", "node traffic", "date", "meta", "form", "submission", "expiresthu", "path", "secure", "self", "xcitium verdict", "cloud", "sophos", "history first", "analysis", "cp", "cyber", "threat", "redrum", "hit", "men", "triangulation", "historical ssl", "apt suspects", "critical cmd", "hide", "asyncrat", "jeremy", "government", "malicious", "yuming", "name servers", "united", "passive dns", "urls", "creation date", "search", "expiration date", "showing", "unknown", "next", "windows nt", "malware beacon", "memcommit", "generic http", "exe upload", "outbound", "etpro trojan", "show", "trojan", "copy", "write", "win32", "malware", "read c", "entries", "medium", "markus", "contentlength", "write c", "delete c", "create c", "yara detections", "scan endpoints", "all scoreblue", "filehash", "pulse pulses", "av detections", "ids detections", "alerts", "analysis date", "file score", "next pe", "as32934", "hitmen", "local government", "scene unit", "crime", "denver police", "address", "status", "aaaa", "apple", "less whois", "registrar", "wannacry", "http", "unique", "url https", "related nids", "code", "screenshot", "anity", "nsa", "shadow", "saudi telecom", "riyadh address", "saudi arabia", "abuse", "ripe", "company isp", "number", "label saudi", "telecom company", "jsc regional", "riyadh", "ripe ncc", "registry techc", "campus", "saudi", "ripe network", "domain", "internet se", "emails", "system", "server tsa", "b server", "certificate", "digicert inc", "moved", "record value" ], "references": [ "http://x.com/denverpolice/status/", "Redirects to >https://twitter.com/x/migrate?tok=eyJlIjoiL2RlbnZlcnBvbGljZS9zdGF0dXMvIiwidCI6MTcxNjcwMzc3M33oZya0EO4PtEbRwq4XZboX", "Redirects to https://twitter.com?mx=1", "IP address: 104.244.42.1 Hosting: Unknown Running on: Tsa B CMS: Express", "Crouching Yeti: Appendixes - according to source ArcSight Threat Intelligence", "https://otx.alienvault.com/indicator/file/00001aff2ea1acd6087f9fba8d8316d90d29e391d9969bc70cc607461467797e", "Alerts: nids_malware_alert network_icmp dumped_buffer network_cnc_http network_http network_http_post allocates_rwx", "Alerts: packer_entropy packer_upx antivm_memory_available pe_features", "Yara Detections: Yara Detections Nrv2x , UPX_OEP_place , UPX_Modified_Or_Inside , UPX20030XMarkusOberhumerLaszloMolnarJohnReiser , UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , Toxoplasmosis , UPX", "Packer UPX v0.89.6 - v1.02 / v1.05 -v1.24 -> Markus & Laszlo [overlay]", "Yara Detections: ConventionEngine_Term_Desktop , LZMA , mpress_2_xx_x86 , dbgdetect_procs", "pornhub.dev, http://matrix.pornhub.dev, https://twitter.com/PORNO_SEXYBABES, https://www.anon-v.com/porno/fenella/", "Hostname device-local-fb18804d-348e-49ea-8c17-cc8a29f18082.remotewd.com | 192.168.56.104: IPv4", "https://otx.alienvault.com/indicator/file/f7636eef1d9df0664cd0f205ad8864b659bf9898ce6231376778c4411986912e", "https://otx.alienvault.com/indicator/file/000054fa2b0d1004464350ee9acc40707fec51223dba36c702a3db4139af9717", "Domain: hicloudcam.com | https://otx.alienvault.com/indicator/hostname/alarmeu.sslproxy.gatewayvvlilly3lilly.alpha.hicloudcam.com", "originb0b.profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com | 108.160.165.139 Location: USA |ASN AS19679 dropbox inc. Nameservers ns-136.awsdns-17.com. ns-1518.awsdns-61.org. ,\u00a0 ns-1573.awsdns-04.co.uk. ,\u00a0 ns-809.awsdns-37.net. Less WHOIS Registrar: https://www.101domain.com/,\u00a0\u00a0 Creation Date: Oct 21, 2010 Related Pulses None Related Tags None Indicator Facts Running webserver External Resources Whois,\u00a0 UrlVoid,\u00a0 VirusTotal Analysis Related Pulses Comments (0) Whois Show 100 entr", "https://otx.alienvault.com/indicator/hostname/originb0b.profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com", "PATHETIC redirect: rainn.org | victims of violence & abuse disclose extremely sensitive details. Reported false information given to disorient victims.", "WannaCry | NSA -Anity Cert: https://otx.alienvault.com/indicator/url/https://www.antiy.com/response/Antiy_Wannacry_NSA.html", "WannaCry MS17-010 'Shadow' https://otx.alienvault.com/otxapi/indicators/url/screenshot/https://www.antiy.com/response/wannacry.html", "Command and Control IP: 5.41.21.250 | Location Saudi Arabia flag Jeddah, Saudi Arabia ASN AS39891 saudi telecom company jsc", "m.pornsexer.xxx.3.1.adiosfil.roksit.net", "uploads-cserver-alumni-profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win32/Vflooder.B Checkin", "display_name": "Win32/Vflooder.B Checkin", "target": null }, { "id": "Win.Malware.Vtflooder-6723768-0", "display_name": "Win.Malware.Vtflooder-6723768-0", "target": null }, { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "Win32/Vflooder.B vtapi DOS", "display_name": "Win32/Vflooder.B vtapi DOS", "target": null }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "Win.Trojan.Downloader-63174", "display_name": "Win.Trojan.Downloader-63174", "target": null }, { "id": "Clicker.BGOU", "display_name": "Clicker.BGOU", "target": null }, { "id": "Win.Trojan.Agent-752791", "display_name": "Win.Trojan.Agent-752791", "target": null }, { "id": "Win.Dropper.QQpass-9895638-0", "display_name": "Win.Dropper.QQpass-9895638-0", "target": null }, { "id": "Trojan:Win32/QQpass", "display_name": "Trojan:Win32/QQpass", "target": "/malware/Trojan:Win32/QQpass" }, { "id": "WannaCry", "display_name": "WannaCry", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1038", "name": "DLL Search Order Hijacking", "display_name": "T1038 - DLL Search Order Hijacking" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1470", "name": "Obtain Device Cloud Backups", "display_name": "T1470 - Obtain Device Cloud Backups" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" } ], "industries": [], "TLP": "green", "cloned_from": "66536881127f5ee988306394", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 350, "FileHash-SHA1": 348, "FileHash-SHA256": 2659, "URL": 7850, "domain": 2245, "hostname": 3611, "SSLCertFingerprint": 4, "email": 10, "CIDR": 4 }, "indicator_count": 17081, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "4 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69228447b9c71795633314df", "name": "Keep Corrupt - University of Alberta Incidents continue to escalate - 04.24.26", "description": "Recovered accounts that have been used & abused - courtesy of decisions by non-technical leadership = accounts for UAlberta students -> PW manager made inaccessible (tied to UAlberta account) during a Data-Breach.\nWhen PW manager & Accounts returned, was populated by these (many = fraudulent; some appear to be abuse of legitimate services, while others do not, yet don't know function or origin)\n\nNot representative of OG PW manager. Many (most) accts. used/abused (on-going). \n\nDon't have a backup of original = hard to compare. Don't quite know what the majority of these companies etc. are for and/or do exactly. Putting them together as they roll-in.\nCan't turn them off in most cases - I don't have access to the U of A accounts these originate from and/or original recovery methods. \n\n2 more batches to add to this pulse (Need to add into VT) 02.16.26\n\nCountries listed are where 2 victims (UAlberta Graduates) have citizenship or some tie with.", "modified": "2026-05-24T21:18:51.782000", "created": "2025-11-23T03:49:27.649000", "tags": [ "geoip", "as54113", "fastly", "as20940", "as15169", "google", "as214401", "maincubesas", "gmbh", "apache geoip", "facebook", "UAlberta", "AHS", "Treaty 8", "GoA", "Alberta", "Edmonton", "YEG" ], "references": [ "https://viz.greynoise.io/ip/analysis/3cf1334a-df9d-448f-8145-d5fe67637c1a", "URLscanio, FSio, vT", "03.11.14: https://www.virustotal.com/graph/embed/ge2e309eb8bd34fcca56398089b2291058dfe1fca69dc4e5aa66db0365caf735b?theme=dark", "https://www.virustotal.com/gui/collection/6a41ae1cf2d3d51fedd2393d893c3b26ed0352dde2e0851d03f0bae9aaa69ae1/summary", "https://www.virustotal.com/gui/collection/6a41ae1cf2d3d51fedd2393d893c3b26ed0352dde2e0851d03f0bae9aaa69ae1/iocs", "https://viz.greynoise.io/ip/analysis/3cf1334a-df9d-448f-8145-d5fe67637c1a (11.22.25)" ], "public": 1, "adversary": "", "targeted_countries": [ "Cura\u00e7ao", "Guatemala", "Sint Maarten (Dutch part)", "Tanzania, United Republic of", "Barbados", "United States of America", "Bahamas", "Anguilla", "Canada", "Saint Vincent and the Grenadines", "United Kingdom of Great Britain and Northern Ireland", "Kenya", "France", "Aruba", "Mexico", "Poland", "Costa Rica", "Ireland", "Trinidad and Tobago", "Netherlands", "Slovakia", "Spain", "Philippines" ], "malware_families": [], "attack_ids": [], "industries": [ "Government", "Technology", "Telecommunications", "Education", "Healthcare", "Finance", "Retail", "Hospitality", "Transportation" ], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 3, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CIDR": 47, "FileHash-MD5": 53, "FileHash-SHA1": 16, "FileHash-SHA256": 1059, "URL": 6374, "domain": 3314, "email": 1395, "hostname": 3740, "CVE": 1 }, "indicator_count": 15999, "is_author": false, "is_subscribing": null, "subscriber_count": 136, "modified_text": "6 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a100b692408f972b61c1cec", "name": "\"don't save her\" a continued message * CAPE Sandbox", "description": "[sample of the Pigeonhole Sieve malware has been found in the X-Sieve R system, designed to detect and prevent the spread of malicious software, which is currently being used by Microsoft Office.] -pretext", "modified": "2026-05-24T05:56:24.709000", "created": "2026-05-22T07:53:13.480000", "tags": [ "table", "postfix", "eest", "tbody", "span", "deliveredto", "bayesspam", "fromeqenvfrom", "fromhasdn", "ipreputation", "date", "title", "file type", "ascii text", "crlf line", "sigma", "mitre attack", "network info", "dropped info", "use short", "name path", "windows folder", "defense evasion", "next", "wednesday", "january", "extra info", "attack network", "info dropped", "geospatial endpoints" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/0005c1a0f0dd0df76abbabf5f3f9303e46639dc29181b907388cf95a919bfdc5_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779435695&Signature=UoqeOvA3l0SmZPLGLkJ4n7oue%2FoXBTcyhLy5g1zr97R1z9EBf2vAXrsnA8mHkedBOo0cd7lQhlV4QLek1AiAP4Z%2F9XgN%2FgaAo3L%2FP0tI1NFNb5lJ9mZ4YQ5aVcF1jYBD4bluT9%2BjUQaRIkFHR4w4OIpWVuJOGdkbT7UxU%2BgyPR3o2Ij%2Fli0GfJO%2B%2B2KMpTnBE0mWDM%2BrEThJKW2Ty5flTxONg4m7toLl7%2BspvX1Q", "https://vtbehaviour.commondatastorage.googleapis.com/0005c1a0f0dd0df76abbabf5f3f9303e46639dc29181b907388cf95a919bfdc5_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779435775&Signature=AkieU7eRCNrzND0lejy10HFR7OdRvNqyswrKIdggTIg6w4naejOYYwut39HnOup0%2BqQcIl4AJ6iCv7BrJuqNoIe3WuL3S3c9To36FuiNd2aOBRNZcN9gHBz7GSvTlAnmNNOt9OIZbdryCE4RnMJA4q7aOGLAd3dJzbXxC1sLLrpBBY0wTeb7cvNcLLEuJzsk9AQw8m9nZ%2BMfQJB8hWxaWNXySZkIl%2Fkufg7NdeYBFT4YXsi2gxWg0UruP%2FFYE8", "https://vtbehaviour.commondatastorage.googleapis.com/0002412eddb6f812afb3e131d7e801536cb4ff8a410a6d6c6bc559fdb3546116_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779436484&Signature=Pr1pfaimFPZRbQFRLBhpICwKcQGlnx4U5y%2FQZiFEs%2BMGp9zOdmylpsondhJ%2FoJg6NIwY9%2Bk2v9SRh8rgNd2aefaWARh%2ByYvcCFEELbz7cf%2F2f128%2FN%2BsNKOuiRC2JFyN37Wq2hSLt9NYUERhB0THMCMQtw1axrtOHh9CLz3YZ%2BdO7E%2B3g1aOrD3sDAwOgmWR9n9pk%2Fj55fIyJqPDU80OB1RXmaU4XNnEIBA69dpnuj57WGWd" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 33, "CIDR": 5, "FileHash-MD5": 275, "FileHash-SHA1": 27, "FileHash-SHA256": 45, "URL": 149, "domain": 8, "email": 7, "hostname": 165, "CVE": 1 }, "indicator_count": 715, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "7 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69ea8e2082633358a0c28090", "name": "CAPE Sandbox \"YL\"", "description": "\"YL\" imprint left behind on a usere property. Unsure.", "modified": "2026-05-23T21:00:44.705000", "created": "2026-04-23T21:24:48.742000", "tags": [ "csv text", "unicode text", "utf8 text", "crlf line", "text text" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1202", "name": "Indirect Command Execution", "display_name": "T1202 - Indirect Command Execution" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1221", "name": "Template Injection", "display_name": "T1221 - Template Injection" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1030", "name": "Data Transfer Size Limits", "display_name": "T1030 - Data Transfer Size Limits" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 362, "FileHash-SHA1": 102, "FileHash-SHA256": 347, "URL": 243, "domain": 79, "hostname": 297, "email": 5 }, "indicator_count": 1435, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "7 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a10b5fcbae6ff7196fadd8a", "name": "Full Circle: The Banking Trojan | Wiper | Emotet * CAPE Sandbox", "description": "[It was supposed to be a simple question, but it turns out the question is more of a Q for the rest of the year: is it really possible to do it all on a computer?] As evidenced by another researcher I am validating their findings, \"\t\nuserlolxxl has commented on one of your pulses (\"don't save her\" a continued message * CAPE Sandbox).\nhttps://www.virustotal.com/gui/file/0005c1a0f0dd0df76abbabf5f3f9303e46639dc29181b907388cf95a919bfdc5/behavior][https://www.virustotal.com/gui/domain/dvtec2.com.ua/relations, communicating files mail server domain mail[.]dvtec2[.]com[.]ua resolves https://www.virustotal.com/gui/ip-address/185.104.44.17/relations\"", "modified": "2026-05-22T20:24:24.934000", "created": "2026-05-22T20:01:00.435000", "tags": [ "table", "postfix", "eest", "tbody", "span", "deliveredto", "bayesspam", "fromeqenvfrom", "fromhasdn", "ipreputation", "date", "title", "nextron", "word", "file type", "ascii text", "crlf line", "sigma", "mitre attack", "network info", "dropped info", "use short", "name path", "windows folder", "next", "kyiv registrant", "country", "server", "hosting ukraine", "registrar", "kyiv", "query time", "uaepp name", "internet invest", "whois privacy", "domain name", "thumbprint", "algorithm", "key identifier", "x509v3 subject", "v3 serial", "number", "cus olet", "encrypt cnr13", "validity", "subject public", "key info", "key algorithm", "x509v3 key", "encrypt cnr11", "encrypt cnr10", "encrypt cnr3", "aaaa", "utf8", "rsapss", "sha256", "esmtps id", "e41f26401ec", "office", "esmtps", "https", "creates", "tls version", "dbe4b640081", "esmtp id", "ebe855402e7", "system number", "label hosting", "ukraine ltd", "registry ripe", "ncc country", "ua continent", "handle", "address range", "cidr", "network name", "type", "assigned pa", "status", "whois server", "po box", "kiev", "ukraine adminc", "ripe", "filtered route", "default", "shell folders", "inprocserver32", "parent pid", "full path", "command line", "cname", "folders", "accept", "gmt ifnonematch", "shutdown", "config", "contact domain", "holder", "available from", "kiev region", "code", "llc admin", "icann whois", "registry tech", "form", "tech", "ripe ncc", "as200000 city", "abuse contact", "orgid", "address", "orgabuseref", "ripe network", "postalcode", "overview", "banned", "malicious", "duration cuckoo", "version file", "machine label", "manager", "malware config", "type emotet", "jenny", "esmtp", "adumitriu", "xagvyej", "jenny green", "subject", "hello", "kind", "gsd support", "drops", "internet", "http", "performs dns", "yara", "t1055 process", "persistence", "emotet", "02025", "apple", "enterprise", "united", "traces back to usa", "bankers trojan" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/0005c1a0f0dd0df76abbabf5f3f9303e46639dc29181b907388cf95a919bfdc5_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779476594&Signature=fzxKLlFs1nX8XZjUhCUYy%2FXq%2BwKSl9us6JE%2B6ybuD2FB%2FYxHrjhDmT9VA5jX2vGWh725B%2BnYbuerqS9lI%2F8VsqMEVyltTKup7tinRnxTlmAkvdR11q1URUz8G4eG2JBbqZQskKhGuyGFFaYcsd8HNCN0TciN%2FtnC7U6zsNLv5liPDSKcVQz%2BS8G%2BQgyKgUkFiDUzhh%2Bx3JmKYfMY%2BuATVgXkEO7tY5iUxWbeFaRQ", "https://vtbehaviour.commondatastorage.googleapis.com/0005c1a0f0dd0df76abbabf5f3f9303e46639dc29181b907388cf95a919bfdc5_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779476914&Signature=X%2BOI3H%2FhLCU6Z%2F1GBGeuHFZRK3ck%2F3ttuukxC9jkM6ChhfbI%2FA1B8wEWIwO3h96ZxdDqMrsNjxYMiLiR6opmt04q6bXr19bw%2FpyqffAlGgyH54NTOd4W4V3vDgDFVAGlgpSWKilpUvZBouT8vWgFh5nQFhBU6V20hA57B%2Fhmh1Aq%2BUqGFi7L8FIinUhUSZqM3dbGkPkOTDCHk8XXTVOTXYm9fdX11WaxFSstQhydC32aNVttDxddQq", "https://vtbehaviour.commondatastorage.googleapis.com/630e1dd423feb4af15dacd299d62785b95c7d5035c8b3421063dfce922a2fd3b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779478165&Signature=xvYPy6urLZRp%2FNUIglcpTZ0dKgiAf0xVeGpcDY6QnttpRbDj60kaBIj%2BlQ7gSNFBABi4TsYhQ8Oab6Veo9YSujwQeYnWD6EOnRArLf%2FJCOinlHjRbeW9JhWDB88Ep9ubdyeX9iEzaVYcrgTM9gbJMkTbkLw8SXIYr6IZjL3FPomuELP3w937ZduHHsp04xawdI7LB9VKdH%2Fywmv9qcB5YW3f0xJLO%2B5T2QElaJl99Lq5rur58jp%", "https://vtbehaviour.commondatastorage.googleapis.com/630e1dd423feb4af15dacd299d62785b95c7d5035c8b3421063dfce922a2fd3b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779478206&Signature=j5W%2BdnmxSjHb3p%2Fg07hockdh4i4KExiX%2FnH9QUCkDbubyww3fKH9eP9kFH3nJ%2BawxWsOUhJj4%2BK9j6gRYzKC%2FR0WWMAh6e6jfYuX26XMp1YZZqTNXEnZfkvNdGRN5Cka6vw57ZRuZcN%2BCL5FaWGOrPxDwpMzTsh9Qo62wyFdNSi%2FiXChrlAlXWNf7zMEV1Pyfp%2B8Q8m7BtO4npImTE4W3Mik%2FSSPXkSvtAFoKMGLDY0%2BCF%2", "https://vtbehaviour.commondatastorage.googleapis.com/4a1710a2798d32efeec6831d8aab90c7f248c65f42d8208dfef211a36152df39_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779478277&Signature=MLz456A289G%2BL07AgpxPfSqG9o6bArnbv7TO4RSMxDAOpOYj4dOVr48Tcm2d7Uv2429ql9Wlgf4JwzE4Ab9wl16mpS13NSJDrZcQbiWKRpE2daAEIHiZIz%2FlxToDBcP3eZl1Hsqps3RXbdJc%2F%2BwHvZ86Wme%2FTqyG5y27%2FgeyLVtaIvt0eXe55FZ1%2BjcTjndNa%2BAa%2BwACuCLG2n030oy6OeHYN1rkEnmnJecXAw51WwAn", "https://vtbehaviour.commondatastorage.googleapis.com/07189d16eb2fb450654c56bf99f8e74d3837872d805e2ef6ec0fa2ad0186d57b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479129&Signature=FkFNyP2vyo5CfTsAq%2BFvrqCMz2bhYkLSlPGBx3U4BCYuvFwMleBhKHrwbpAcEBUML9jIH%2Bg0AxpTZvAiH6CarH4VLy%2BALlnGPb%2F9fqaMkIAlB%2BZREYxsg%2BdNyt0adKXcvsmrcg6H9RespamRZ8V4PFToZjDPps%2FwEzX081rrnFZgikang831fP1Lf5uv4nVUxYnyWDDVkytRx9fFZIYCB5Q37uK5gnHXswTv9%2FDpDkRxtS", "https://vtbehaviour.commondatastorage.googleapis.com/0004798a5b6d5acda9800dd63873e148c69a309fb275835c429c149e9291ebb0_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479661&Signature=XqRv2dzr0tVvYKb8bAfMslLVj5uKfyYWhdnIAajfxfM%2Fu6tzv%2FBNmjzhkDX9tpotmvIQG4QIBqM3loowGjcPDcordUF%2Fy0nuaZ%2B4jJd202wWTq0PM2TpeY%2BoKbqFTr0%2FV1woinEUz3D%2FwgJAw7Y1XtsOWfjKby%2BuMDgS%2BMFayvLhA9TZtoLS48uZnjLiespOuIE2IkvuZhZnkx6PHt4cZeZ1SAxeSuFoDQEhovtA%2FI%2FBxYiD", "https://vtbehaviour.commondatastorage.googleapis.com/0004798a5b6d5acda9800dd63873e148c69a309fb275835c429c149e9291ebb0_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479619&Signature=WpCRMDToBbPACvuqYzQGmlMg%2FCkBnFTggqFGmmHaglzN9je5VnjDj30wCq7SSw8SWLscjkCPrfuD0EkYJ1xfXntJlcl9KGGr9jNB4fQXuEEUiE8yj6v4SfACfYhIMlNi0o9CaPCfIxb6jUfMN0WYJVqhLqCq94ITVIzKXxwLwX9TrDoUTaKE11foz4kq9Nu6aN7N%2Fi1VAbrEfS97t1E3b6aKXBvTBJ044lERzuMh0QVmYirWkUgeK3h5qu", "https://vtbehaviour.commondatastorage.googleapis.com/07189d16eb2fb450654c56bf99f8e74d3837872d805e2ef6ec0fa2ad0186d57b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479748&Signature=bmCNstJ9sHQgsE7ftRhH0aIPUmBBHkP2qQ3rHVpByPWgffnrKG52ag1t9RW3%2FetCVEJOqM7QIcRAmh2I%2FKAe9kYjPuhl2PVAXTMHY5HnJO1JMOSKNlqLkhdHaCne1MWQgI3tQyu4o1WsLFozD6GltOMnKU0HtbToD%2BlbPwr6Tgfg30chrrVniGrmRioP6BcmXUHwIHVqrZMTvxE16%2BqF3jilzlc%2F6%2BD4By7PNkd0GYCgQ4il2L", "https://vtbehaviour.commondatastorage.googleapis.com/07189d16eb2fb450654c56bf99f8e74d3837872d805e2ef6ec0fa2ad0186d57b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479907&Signature=iueIcUDv9RIYkBRQtii5Jfuv%2BeG9yJAR5YXQn2gInk3FCxuCJZ%2B13LeDjwijF7yPbTVrC1wNPnJ%2FVbq1cmlXyNO8tlv%2B8elIQFS54gR8nAVRGN4LU1dNoeO32%2FO66F3pXxP0eqqMU%2FQP3gtxgj1DgdO30ZFIiCgg%2Fg9D%2FSKKj5Xv2mPG46PvAmIwtW3nOKCQG90FTtbSkmUqlKz3F8OM0vxczYYlKKqT9NEwz9wpPFDE2cfWdMv0ir" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 194, "CIDR": 63, "FileHash-MD5": 397, "FileHash-SHA1": 112, "FileHash-SHA256": 506, "URL": 500, "domain": 152, "email": 19, "hostname": 624, "CVE": 1, "IPv6": 53, "Mutex": 1, "URI": 1 }, "indicator_count": 2623, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "8 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a10b601afa660d39df59585", "name": "Full Circle: The Banking Trojan | Wiper | Emotet * CAPE Sandbox", "description": "[It was supposed to be a simple question, but it turns out the question is more of a Q for the rest of the year: is it really possible to do it all on a computer?] As evidenced by another researcher I am validating their findings, \"\t\nuserlolxxl has commented on one of your pulses (\"don't save her\" a continued message * CAPE Sandbox).\nhttps://www.virustotal.com/gui/file/0005c1a0f0dd0df76abbabf5f3f9303e46639dc29181b907388cf95a919bfdc5/behavior][https://www.virustotal.com/gui/domain/dvtec2.com.ua/relations, communicating files mail server domain mail[.]dvtec2[.]com[.]ua resolves https://www.virustotal.com/gui/ip-address/185.104.44.17/relations\"", "modified": "2026-05-22T20:24:23.966000", "created": "2026-05-22T20:01:05.318000", "tags": [ "table", "postfix", "eest", "tbody", "span", "deliveredto", "bayesspam", "fromeqenvfrom", "fromhasdn", "ipreputation", "date", "title", "nextron", "word", "file type", "ascii text", "crlf line", "sigma", "mitre attack", "network info", "dropped info", "use short", "name path", "windows folder", "next", "kyiv registrant", "country", "server", "hosting ukraine", "registrar", "kyiv", "query time", "uaepp name", "internet invest", "whois privacy", "domain name", "thumbprint", "algorithm", "key identifier", "x509v3 subject", "v3 serial", "number", "cus olet", "encrypt cnr13", "validity", "subject public", "key info", "key algorithm", "x509v3 key", "encrypt cnr11", "encrypt cnr10", "encrypt cnr3", "aaaa", "utf8", "rsapss", "sha256", "esmtps id", "e41f26401ec", "office", "esmtps", "https", "creates", "tls version", "dbe4b640081", "esmtp id", "ebe855402e7", "system number", "label hosting", "ukraine ltd", "registry ripe", "ncc country", "ua continent", "handle", "address range", "cidr", "network name", "type", "assigned pa", "status", "whois server", "po box", "kiev", "ukraine adminc", "ripe", "filtered route", "default", "shell folders", "inprocserver32", "parent pid", "full path", "command line", "cname", "folders", "accept", "gmt ifnonematch", "shutdown", "config", "contact domain", "holder", "available from", "kiev region", "code", "llc admin", "icann whois", "registry tech", "form", "tech", "ripe ncc", "as200000 city", "abuse contact", "orgid", "address", "orgabuseref", "ripe network", "postalcode", "overview", "banned", "malicious", "duration cuckoo", "version file", "machine label", "manager", "malware config", "type emotet", "jenny", "esmtp", "adumitriu", "xagvyej", "jenny green", "subject", "hello", "kind", "gsd support", "drops", "internet", "http", "performs dns", "yara", "t1055 process", "persistence", "emotet", "02025", "apple", "enterprise", "united", "traces back to usa", "bankers trojan" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/0005c1a0f0dd0df76abbabf5f3f9303e46639dc29181b907388cf95a919bfdc5_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779476594&Signature=fzxKLlFs1nX8XZjUhCUYy%2FXq%2BwKSl9us6JE%2B6ybuD2FB%2FYxHrjhDmT9VA5jX2vGWh725B%2BnYbuerqS9lI%2F8VsqMEVyltTKup7tinRnxTlmAkvdR11q1URUz8G4eG2JBbqZQskKhGuyGFFaYcsd8HNCN0TciN%2FtnC7U6zsNLv5liPDSKcVQz%2BS8G%2BQgyKgUkFiDUzhh%2Bx3JmKYfMY%2BuATVgXkEO7tY5iUxWbeFaRQ", "https://vtbehaviour.commondatastorage.googleapis.com/0005c1a0f0dd0df76abbabf5f3f9303e46639dc29181b907388cf95a919bfdc5_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779476914&Signature=X%2BOI3H%2FhLCU6Z%2F1GBGeuHFZRK3ck%2F3ttuukxC9jkM6ChhfbI%2FA1B8wEWIwO3h96ZxdDqMrsNjxYMiLiR6opmt04q6bXr19bw%2FpyqffAlGgyH54NTOd4W4V3vDgDFVAGlgpSWKilpUvZBouT8vWgFh5nQFhBU6V20hA57B%2Fhmh1Aq%2BUqGFi7L8FIinUhUSZqM3dbGkPkOTDCHk8XXTVOTXYm9fdX11WaxFSstQhydC32aNVttDxddQq", "https://vtbehaviour.commondatastorage.googleapis.com/630e1dd423feb4af15dacd299d62785b95c7d5035c8b3421063dfce922a2fd3b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779478165&Signature=xvYPy6urLZRp%2FNUIglcpTZ0dKgiAf0xVeGpcDY6QnttpRbDj60kaBIj%2BlQ7gSNFBABi4TsYhQ8Oab6Veo9YSujwQeYnWD6EOnRArLf%2FJCOinlHjRbeW9JhWDB88Ep9ubdyeX9iEzaVYcrgTM9gbJMkTbkLw8SXIYr6IZjL3FPomuELP3w937ZduHHsp04xawdI7LB9VKdH%2Fywmv9qcB5YW3f0xJLO%2B5T2QElaJl99Lq5rur58jp%", "https://vtbehaviour.commondatastorage.googleapis.com/630e1dd423feb4af15dacd299d62785b95c7d5035c8b3421063dfce922a2fd3b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779478206&Signature=j5W%2BdnmxSjHb3p%2Fg07hockdh4i4KExiX%2FnH9QUCkDbubyww3fKH9eP9kFH3nJ%2BawxWsOUhJj4%2BK9j6gRYzKC%2FR0WWMAh6e6jfYuX26XMp1YZZqTNXEnZfkvNdGRN5Cka6vw57ZRuZcN%2BCL5FaWGOrPxDwpMzTsh9Qo62wyFdNSi%2FiXChrlAlXWNf7zMEV1Pyfp%2B8Q8m7BtO4npImTE4W3Mik%2FSSPXkSvtAFoKMGLDY0%2BCF%2", "https://vtbehaviour.commondatastorage.googleapis.com/4a1710a2798d32efeec6831d8aab90c7f248c65f42d8208dfef211a36152df39_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779478277&Signature=MLz456A289G%2BL07AgpxPfSqG9o6bArnbv7TO4RSMxDAOpOYj4dOVr48Tcm2d7Uv2429ql9Wlgf4JwzE4Ab9wl16mpS13NSJDrZcQbiWKRpE2daAEIHiZIz%2FlxToDBcP3eZl1Hsqps3RXbdJc%2F%2BwHvZ86Wme%2FTqyG5y27%2FgeyLVtaIvt0eXe55FZ1%2BjcTjndNa%2BAa%2BwACuCLG2n030oy6OeHYN1rkEnmnJecXAw51WwAn", "https://vtbehaviour.commondatastorage.googleapis.com/07189d16eb2fb450654c56bf99f8e74d3837872d805e2ef6ec0fa2ad0186d57b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479129&Signature=FkFNyP2vyo5CfTsAq%2BFvrqCMz2bhYkLSlPGBx3U4BCYuvFwMleBhKHrwbpAcEBUML9jIH%2Bg0AxpTZvAiH6CarH4VLy%2BALlnGPb%2F9fqaMkIAlB%2BZREYxsg%2BdNyt0adKXcvsmrcg6H9RespamRZ8V4PFToZjDPps%2FwEzX081rrnFZgikang831fP1Lf5uv4nVUxYnyWDDVkytRx9fFZIYCB5Q37uK5gnHXswTv9%2FDpDkRxtS", "https://vtbehaviour.commondatastorage.googleapis.com/0004798a5b6d5acda9800dd63873e148c69a309fb275835c429c149e9291ebb0_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479661&Signature=XqRv2dzr0tVvYKb8bAfMslLVj5uKfyYWhdnIAajfxfM%2Fu6tzv%2FBNmjzhkDX9tpotmvIQG4QIBqM3loowGjcPDcordUF%2Fy0nuaZ%2B4jJd202wWTq0PM2TpeY%2BoKbqFTr0%2FV1woinEUz3D%2FwgJAw7Y1XtsOWfjKby%2BuMDgS%2BMFayvLhA9TZtoLS48uZnjLiespOuIE2IkvuZhZnkx6PHt4cZeZ1SAxeSuFoDQEhovtA%2FI%2FBxYiD", "https://vtbehaviour.commondatastorage.googleapis.com/0004798a5b6d5acda9800dd63873e148c69a309fb275835c429c149e9291ebb0_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479619&Signature=WpCRMDToBbPACvuqYzQGmlMg%2FCkBnFTggqFGmmHaglzN9je5VnjDj30wCq7SSw8SWLscjkCPrfuD0EkYJ1xfXntJlcl9KGGr9jNB4fQXuEEUiE8yj6v4SfACfYhIMlNi0o9CaPCfIxb6jUfMN0WYJVqhLqCq94ITVIzKXxwLwX9TrDoUTaKE11foz4kq9Nu6aN7N%2Fi1VAbrEfS97t1E3b6aKXBvTBJ044lERzuMh0QVmYirWkUgeK3h5qu", "https://vtbehaviour.commondatastorage.googleapis.com/07189d16eb2fb450654c56bf99f8e74d3837872d805e2ef6ec0fa2ad0186d57b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479748&Signature=bmCNstJ9sHQgsE7ftRhH0aIPUmBBHkP2qQ3rHVpByPWgffnrKG52ag1t9RW3%2FetCVEJOqM7QIcRAmh2I%2FKAe9kYjPuhl2PVAXTMHY5HnJO1JMOSKNlqLkhdHaCne1MWQgI3tQyu4o1WsLFozD6GltOMnKU0HtbToD%2BlbPwr6Tgfg30chrrVniGrmRioP6BcmXUHwIHVqrZMTvxE16%2BqF3jilzlc%2F6%2BD4By7PNkd0GYCgQ4il2L", "https://vtbehaviour.commondatastorage.googleapis.com/07189d16eb2fb450654c56bf99f8e74d3837872d805e2ef6ec0fa2ad0186d57b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479907&Signature=iueIcUDv9RIYkBRQtii5Jfuv%2BeG9yJAR5YXQn2gInk3FCxuCJZ%2B13LeDjwijF7yPbTVrC1wNPnJ%2FVbq1cmlXyNO8tlv%2B8elIQFS54gR8nAVRGN4LU1dNoeO32%2FO66F3pXxP0eqqMU%2FQP3gtxgj1DgdO30ZFIiCgg%2Fg9D%2FSKKj5Xv2mPG46PvAmIwtW3nOKCQG90FTtbSkmUqlKz3F8OM0vxczYYlKKqT9NEwz9wpPFDE2cfWdMv0ir" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 217, "CIDR": 63, "FileHash-MD5": 399, "FileHash-SHA1": 114, "FileHash-SHA256": 513, "URL": 605, "domain": 328, "email": 21, "hostname": 694, "CVE": 1, "IPv6": 53, "Mutex": 1, "URI": 1 }, "indicator_count": 3010, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "8 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a10b5fc8feb5a31eedfc0ec", "name": "Full Circle: The Banking Trojan | Wiper | Emotet * CAPE Sandbox", "description": "[It was supposed to be a simple question, but it turns out the question is more of a Q for the rest of the year: is it really possible to do it all on a computer?] As evidenced by another researcher I am validating their findings, \"\t\nuserlolxxl has commented on one of your pulses (\"don't save her\" a continued message * CAPE Sandbox).\nhttps://www.virustotal.com/gui/file/0005c1a0f0dd0df76abbabf5f3f9303e46639dc29181b907388cf95a919bfdc5/behavior][https://www.virustotal.com/gui/domain/dvtec2.com.ua/relations, communicating files mail server domain mail[.]dvtec2[.]com[.]ua resolves https://www.virustotal.com/gui/ip-address/185.104.44.17/relations\"", "modified": "2026-05-22T20:00:59.988000", "created": "2026-05-22T20:00:59.988000", "tags": [ "table", "postfix", "eest", "tbody", "span", "deliveredto", "bayesspam", "fromeqenvfrom", "fromhasdn", "ipreputation", "date", "title", "nextron", "word", "file type", "ascii text", "crlf line", "sigma", "mitre attack", "network info", "dropped info", "use short", "name path", "windows folder", "next", "kyiv registrant", "country", "server", "hosting ukraine", "registrar", "kyiv", "query time", "uaepp name", "internet invest", "whois privacy", "domain name", "thumbprint", "algorithm", "key identifier", "x509v3 subject", "v3 serial", "number", "cus olet", "encrypt cnr13", "validity", "subject public", "key info", "key algorithm", "x509v3 key", "encrypt cnr11", "encrypt cnr10", "encrypt cnr3", "aaaa", "utf8", "rsapss", "sha256", "esmtps id", "e41f26401ec", "office", "esmtps", "https", "creates", "tls version", "dbe4b640081", "esmtp id", "ebe855402e7", "system number", "label hosting", "ukraine ltd", "registry ripe", "ncc country", "ua continent", "handle", "address range", "cidr", "network name", "type", "assigned pa", "status", "whois server", "po box", "kiev", "ukraine adminc", "ripe", "filtered route", "default", "shell folders", "inprocserver32", "parent pid", "full path", "command line", "cname", "folders", "accept", "gmt ifnonematch", "shutdown", "config", "contact domain", "holder", "available from", "kiev region", "code", "llc admin", "icann whois", "registry tech", "form", "tech", "ripe ncc", "as200000 city", "abuse contact", "orgid", "address", "orgabuseref", "ripe network", "postalcode", "overview", "banned", "malicious", "duration cuckoo", "version file", "machine label", "manager", "malware config", "type emotet", "jenny", "esmtp", "adumitriu", "xagvyej", "jenny green", "subject", "hello", "kind", "gsd support", "drops", "internet", "http", "performs dns", "yara", "t1055 process", "persistence", "emotet", "02025", "apple", "enterprise", "united", "traces back to usa", "bankers trojan" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/0005c1a0f0dd0df76abbabf5f3f9303e46639dc29181b907388cf95a919bfdc5_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779476594&Signature=fzxKLlFs1nX8XZjUhCUYy%2FXq%2BwKSl9us6JE%2B6ybuD2FB%2FYxHrjhDmT9VA5jX2vGWh725B%2BnYbuerqS9lI%2F8VsqMEVyltTKup7tinRnxTlmAkvdR11q1URUz8G4eG2JBbqZQskKhGuyGFFaYcsd8HNCN0TciN%2FtnC7U6zsNLv5liPDSKcVQz%2BS8G%2BQgyKgUkFiDUzhh%2Bx3JmKYfMY%2BuATVgXkEO7tY5iUxWbeFaRQ", "https://vtbehaviour.commondatastorage.googleapis.com/0005c1a0f0dd0df76abbabf5f3f9303e46639dc29181b907388cf95a919bfdc5_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779476914&Signature=X%2BOI3H%2FhLCU6Z%2F1GBGeuHFZRK3ck%2F3ttuukxC9jkM6ChhfbI%2FA1B8wEWIwO3h96ZxdDqMrsNjxYMiLiR6opmt04q6bXr19bw%2FpyqffAlGgyH54NTOd4W4V3vDgDFVAGlgpSWKilpUvZBouT8vWgFh5nQFhBU6V20hA57B%2Fhmh1Aq%2BUqGFi7L8FIinUhUSZqM3dbGkPkOTDCHk8XXTVOTXYm9fdX11WaxFSstQhydC32aNVttDxddQq", "https://vtbehaviour.commondatastorage.googleapis.com/630e1dd423feb4af15dacd299d62785b95c7d5035c8b3421063dfce922a2fd3b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779478165&Signature=xvYPy6urLZRp%2FNUIglcpTZ0dKgiAf0xVeGpcDY6QnttpRbDj60kaBIj%2BlQ7gSNFBABi4TsYhQ8Oab6Veo9YSujwQeYnWD6EOnRArLf%2FJCOinlHjRbeW9JhWDB88Ep9ubdyeX9iEzaVYcrgTM9gbJMkTbkLw8SXIYr6IZjL3FPomuELP3w937ZduHHsp04xawdI7LB9VKdH%2Fywmv9qcB5YW3f0xJLO%2B5T2QElaJl99Lq5rur58jp%", "https://vtbehaviour.commondatastorage.googleapis.com/630e1dd423feb4af15dacd299d62785b95c7d5035c8b3421063dfce922a2fd3b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779478206&Signature=j5W%2BdnmxSjHb3p%2Fg07hockdh4i4KExiX%2FnH9QUCkDbubyww3fKH9eP9kFH3nJ%2BawxWsOUhJj4%2BK9j6gRYzKC%2FR0WWMAh6e6jfYuX26XMp1YZZqTNXEnZfkvNdGRN5Cka6vw57ZRuZcN%2BCL5FaWGOrPxDwpMzTsh9Qo62wyFdNSi%2FiXChrlAlXWNf7zMEV1Pyfp%2B8Q8m7BtO4npImTE4W3Mik%2FSSPXkSvtAFoKMGLDY0%2BCF%2", "https://vtbehaviour.commondatastorage.googleapis.com/4a1710a2798d32efeec6831d8aab90c7f248c65f42d8208dfef211a36152df39_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779478277&Signature=MLz456A289G%2BL07AgpxPfSqG9o6bArnbv7TO4RSMxDAOpOYj4dOVr48Tcm2d7Uv2429ql9Wlgf4JwzE4Ab9wl16mpS13NSJDrZcQbiWKRpE2daAEIHiZIz%2FlxToDBcP3eZl1Hsqps3RXbdJc%2F%2BwHvZ86Wme%2FTqyG5y27%2FgeyLVtaIvt0eXe55FZ1%2BjcTjndNa%2BAa%2BwACuCLG2n030oy6OeHYN1rkEnmnJecXAw51WwAn", "https://vtbehaviour.commondatastorage.googleapis.com/07189d16eb2fb450654c56bf99f8e74d3837872d805e2ef6ec0fa2ad0186d57b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479129&Signature=FkFNyP2vyo5CfTsAq%2BFvrqCMz2bhYkLSlPGBx3U4BCYuvFwMleBhKHrwbpAcEBUML9jIH%2Bg0AxpTZvAiH6CarH4VLy%2BALlnGPb%2F9fqaMkIAlB%2BZREYxsg%2BdNyt0adKXcvsmrcg6H9RespamRZ8V4PFToZjDPps%2FwEzX081rrnFZgikang831fP1Lf5uv4nVUxYnyWDDVkytRx9fFZIYCB5Q37uK5gnHXswTv9%2FDpDkRxtS", "https://vtbehaviour.commondatastorage.googleapis.com/0004798a5b6d5acda9800dd63873e148c69a309fb275835c429c149e9291ebb0_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479661&Signature=XqRv2dzr0tVvYKb8bAfMslLVj5uKfyYWhdnIAajfxfM%2Fu6tzv%2FBNmjzhkDX9tpotmvIQG4QIBqM3loowGjcPDcordUF%2Fy0nuaZ%2B4jJd202wWTq0PM2TpeY%2BoKbqFTr0%2FV1woinEUz3D%2FwgJAw7Y1XtsOWfjKby%2BuMDgS%2BMFayvLhA9TZtoLS48uZnjLiespOuIE2IkvuZhZnkx6PHt4cZeZ1SAxeSuFoDQEhovtA%2FI%2FBxYiD", "https://vtbehaviour.commondatastorage.googleapis.com/0004798a5b6d5acda9800dd63873e148c69a309fb275835c429c149e9291ebb0_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479619&Signature=WpCRMDToBbPACvuqYzQGmlMg%2FCkBnFTggqFGmmHaglzN9je5VnjDj30wCq7SSw8SWLscjkCPrfuD0EkYJ1xfXntJlcl9KGGr9jNB4fQXuEEUiE8yj6v4SfACfYhIMlNi0o9CaPCfIxb6jUfMN0WYJVqhLqCq94ITVIzKXxwLwX9TrDoUTaKE11foz4kq9Nu6aN7N%2Fi1VAbrEfS97t1E3b6aKXBvTBJ044lERzuMh0QVmYirWkUgeK3h5qu", "https://vtbehaviour.commondatastorage.googleapis.com/07189d16eb2fb450654c56bf99f8e74d3837872d805e2ef6ec0fa2ad0186d57b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479748&Signature=bmCNstJ9sHQgsE7ftRhH0aIPUmBBHkP2qQ3rHVpByPWgffnrKG52ag1t9RW3%2FetCVEJOqM7QIcRAmh2I%2FKAe9kYjPuhl2PVAXTMHY5HnJO1JMOSKNlqLkhdHaCne1MWQgI3tQyu4o1WsLFozD6GltOMnKU0HtbToD%2BlbPwr6Tgfg30chrrVniGrmRioP6BcmXUHwIHVqrZMTvxE16%2BqF3jilzlc%2F6%2BD4By7PNkd0GYCgQ4il2L", "https://vtbehaviour.commondatastorage.googleapis.com/07189d16eb2fb450654c56bf99f8e74d3837872d805e2ef6ec0fa2ad0186d57b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479907&Signature=iueIcUDv9RIYkBRQtii5Jfuv%2BeG9yJAR5YXQn2gInk3FCxuCJZ%2B13LeDjwijF7yPbTVrC1wNPnJ%2FVbq1cmlXyNO8tlv%2B8elIQFS54gR8nAVRGN4LU1dNoeO32%2FO66F3pXxP0eqqMU%2FQP3gtxgj1DgdO30ZFIiCgg%2Fg9D%2FSKKj5Xv2mPG46PvAmIwtW3nOKCQG90FTtbSkmUqlKz3F8OM0vxczYYlKKqT9NEwz9wpPFDE2cfWdMv0ir" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 194, "CIDR": 63, "FileHash-MD5": 397, "FileHash-SHA1": 112, "FileHash-SHA256": 506, "URL": 500, "domain": 152, "email": 19, "hostname": 624, "CVE": 1, "IPv6": 53, "Mutex": 1, "URI": 1 }, "indicator_count": 2623, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "8 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a10b5eb25a8421d03c37021", "name": "Full Circle: The Banking Trojan | Wiper | Emotet * CAPE Sandbox", "description": "[It was supposed to be a simple question, but it turns out the question is more of a Q for the rest of the year: is it really possible to do it all on a computer?] As evidenced by another researcher I am validating their findings, \"\t\nuserlolxxl has commented on one of your pulses (\"don't save her\" a continued message * CAPE Sandbox).\nhttps://www.virustotal.com/gui/file/0005c1a0f0dd0df76abbabf5f3f9303e46639dc29181b907388cf95a919bfdc5/behavior][https://www.virustotal.com/gui/domain/dvtec2.com.ua/relations, communicating files mail server domain mail[.]dvtec2[.]com[.]ua resolves https://www.virustotal.com/gui/ip-address/185.104.44.17/relations\"", "modified": "2026-05-22T20:00:43.360000", "created": "2026-05-22T20:00:43.360000", "tags": [ "table", "postfix", "eest", "tbody", "span", "deliveredto", "bayesspam", "fromeqenvfrom", "fromhasdn", "ipreputation", "date", "title", "nextron", "word", "file type", "ascii text", "crlf line", "sigma", "mitre attack", "network info", "dropped info", "use short", "name path", "windows folder", "next", "kyiv registrant", "country", "server", "hosting ukraine", "registrar", "kyiv", "query time", "uaepp name", "internet invest", "whois privacy", "domain name", "thumbprint", "algorithm", "key identifier", "x509v3 subject", "v3 serial", "number", "cus olet", "encrypt cnr13", "validity", "subject public", "key info", "key algorithm", "x509v3 key", "encrypt cnr11", "encrypt cnr10", "encrypt cnr3", "aaaa", "utf8", "rsapss", "sha256", "esmtps id", "e41f26401ec", "office", "esmtps", "https", "creates", "tls version", "dbe4b640081", "esmtp id", "ebe855402e7", "system number", "label hosting", "ukraine ltd", "registry ripe", "ncc country", "ua continent", "handle", "address range", "cidr", "network name", "type", "assigned pa", "status", "whois server", "po box", "kiev", "ukraine adminc", "ripe", "filtered route", "default", "shell folders", "inprocserver32", "parent pid", "full path", "command line", "cname", "folders", "accept", "gmt ifnonematch", "shutdown", "config", "contact domain", "holder", "available from", "kiev region", "code", "llc admin", "icann whois", "registry tech", "form", "tech", "ripe ncc", "as200000 city", "abuse contact", "orgid", "address", "orgabuseref", "ripe network", "postalcode", "overview", "banned", "malicious", "duration cuckoo", "version file", "machine label", "manager", "malware config", "type emotet", "jenny", "esmtp", "adumitriu", "xagvyej", "jenny green", "subject", "hello", "kind", "gsd support", "drops", "internet", "http", "performs dns", "yara", "t1055 process", "persistence", "emotet", "02025", "apple", "enterprise", "united", "traces back to usa", "bankers trojan" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/0005c1a0f0dd0df76abbabf5f3f9303e46639dc29181b907388cf95a919bfdc5_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779476594&Signature=fzxKLlFs1nX8XZjUhCUYy%2FXq%2BwKSl9us6JE%2B6ybuD2FB%2FYxHrjhDmT9VA5jX2vGWh725B%2BnYbuerqS9lI%2F8VsqMEVyltTKup7tinRnxTlmAkvdR11q1URUz8G4eG2JBbqZQskKhGuyGFFaYcsd8HNCN0TciN%2FtnC7U6zsNLv5liPDSKcVQz%2BS8G%2BQgyKgUkFiDUzhh%2Bx3JmKYfMY%2BuATVgXkEO7tY5iUxWbeFaRQ", "https://vtbehaviour.commondatastorage.googleapis.com/0005c1a0f0dd0df76abbabf5f3f9303e46639dc29181b907388cf95a919bfdc5_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779476914&Signature=X%2BOI3H%2FhLCU6Z%2F1GBGeuHFZRK3ck%2F3ttuukxC9jkM6ChhfbI%2FA1B8wEWIwO3h96ZxdDqMrsNjxYMiLiR6opmt04q6bXr19bw%2FpyqffAlGgyH54NTOd4W4V3vDgDFVAGlgpSWKilpUvZBouT8vWgFh5nQFhBU6V20hA57B%2Fhmh1Aq%2BUqGFi7L8FIinUhUSZqM3dbGkPkOTDCHk8XXTVOTXYm9fdX11WaxFSstQhydC32aNVttDxddQq", "https://vtbehaviour.commondatastorage.googleapis.com/630e1dd423feb4af15dacd299d62785b95c7d5035c8b3421063dfce922a2fd3b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779478165&Signature=xvYPy6urLZRp%2FNUIglcpTZ0dKgiAf0xVeGpcDY6QnttpRbDj60kaBIj%2BlQ7gSNFBABi4TsYhQ8Oab6Veo9YSujwQeYnWD6EOnRArLf%2FJCOinlHjRbeW9JhWDB88Ep9ubdyeX9iEzaVYcrgTM9gbJMkTbkLw8SXIYr6IZjL3FPomuELP3w937ZduHHsp04xawdI7LB9VKdH%2Fywmv9qcB5YW3f0xJLO%2B5T2QElaJl99Lq5rur58jp%", "https://vtbehaviour.commondatastorage.googleapis.com/630e1dd423feb4af15dacd299d62785b95c7d5035c8b3421063dfce922a2fd3b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779478206&Signature=j5W%2BdnmxSjHb3p%2Fg07hockdh4i4KExiX%2FnH9QUCkDbubyww3fKH9eP9kFH3nJ%2BawxWsOUhJj4%2BK9j6gRYzKC%2FR0WWMAh6e6jfYuX26XMp1YZZqTNXEnZfkvNdGRN5Cka6vw57ZRuZcN%2BCL5FaWGOrPxDwpMzTsh9Qo62wyFdNSi%2FiXChrlAlXWNf7zMEV1Pyfp%2B8Q8m7BtO4npImTE4W3Mik%2FSSPXkSvtAFoKMGLDY0%2BCF%2", "https://vtbehaviour.commondatastorage.googleapis.com/4a1710a2798d32efeec6831d8aab90c7f248c65f42d8208dfef211a36152df39_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779478277&Signature=MLz456A289G%2BL07AgpxPfSqG9o6bArnbv7TO4RSMxDAOpOYj4dOVr48Tcm2d7Uv2429ql9Wlgf4JwzE4Ab9wl16mpS13NSJDrZcQbiWKRpE2daAEIHiZIz%2FlxToDBcP3eZl1Hsqps3RXbdJc%2F%2BwHvZ86Wme%2FTqyG5y27%2FgeyLVtaIvt0eXe55FZ1%2BjcTjndNa%2BAa%2BwACuCLG2n030oy6OeHYN1rkEnmnJecXAw51WwAn", "https://vtbehaviour.commondatastorage.googleapis.com/07189d16eb2fb450654c56bf99f8e74d3837872d805e2ef6ec0fa2ad0186d57b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479129&Signature=FkFNyP2vyo5CfTsAq%2BFvrqCMz2bhYkLSlPGBx3U4BCYuvFwMleBhKHrwbpAcEBUML9jIH%2Bg0AxpTZvAiH6CarH4VLy%2BALlnGPb%2F9fqaMkIAlB%2BZREYxsg%2BdNyt0adKXcvsmrcg6H9RespamRZ8V4PFToZjDPps%2FwEzX081rrnFZgikang831fP1Lf5uv4nVUxYnyWDDVkytRx9fFZIYCB5Q37uK5gnHXswTv9%2FDpDkRxtS", "https://vtbehaviour.commondatastorage.googleapis.com/0004798a5b6d5acda9800dd63873e148c69a309fb275835c429c149e9291ebb0_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479661&Signature=XqRv2dzr0tVvYKb8bAfMslLVj5uKfyYWhdnIAajfxfM%2Fu6tzv%2FBNmjzhkDX9tpotmvIQG4QIBqM3loowGjcPDcordUF%2Fy0nuaZ%2B4jJd202wWTq0PM2TpeY%2BoKbqFTr0%2FV1woinEUz3D%2FwgJAw7Y1XtsOWfjKby%2BuMDgS%2BMFayvLhA9TZtoLS48uZnjLiespOuIE2IkvuZhZnkx6PHt4cZeZ1SAxeSuFoDQEhovtA%2FI%2FBxYiD", "https://vtbehaviour.commondatastorage.googleapis.com/0004798a5b6d5acda9800dd63873e148c69a309fb275835c429c149e9291ebb0_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479619&Signature=WpCRMDToBbPACvuqYzQGmlMg%2FCkBnFTggqFGmmHaglzN9je5VnjDj30wCq7SSw8SWLscjkCPrfuD0EkYJ1xfXntJlcl9KGGr9jNB4fQXuEEUiE8yj6v4SfACfYhIMlNi0o9CaPCfIxb6jUfMN0WYJVqhLqCq94ITVIzKXxwLwX9TrDoUTaKE11foz4kq9Nu6aN7N%2Fi1VAbrEfS97t1E3b6aKXBvTBJ044lERzuMh0QVmYirWkUgeK3h5qu", "https://vtbehaviour.commondatastorage.googleapis.com/07189d16eb2fb450654c56bf99f8e74d3837872d805e2ef6ec0fa2ad0186d57b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479748&Signature=bmCNstJ9sHQgsE7ftRhH0aIPUmBBHkP2qQ3rHVpByPWgffnrKG52ag1t9RW3%2FetCVEJOqM7QIcRAmh2I%2FKAe9kYjPuhl2PVAXTMHY5HnJO1JMOSKNlqLkhdHaCne1MWQgI3tQyu4o1WsLFozD6GltOMnKU0HtbToD%2BlbPwr6Tgfg30chrrVniGrmRioP6BcmXUHwIHVqrZMTvxE16%2BqF3jilzlc%2F6%2BD4By7PNkd0GYCgQ4il2L", "https://vtbehaviour.commondatastorage.googleapis.com/07189d16eb2fb450654c56bf99f8e74d3837872d805e2ef6ec0fa2ad0186d57b_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779479907&Signature=iueIcUDv9RIYkBRQtii5Jfuv%2BeG9yJAR5YXQn2gInk3FCxuCJZ%2B13LeDjwijF7yPbTVrC1wNPnJ%2FVbq1cmlXyNO8tlv%2B8elIQFS54gR8nAVRGN4LU1dNoeO32%2FO66F3pXxP0eqqMU%2FQP3gtxgj1DgdO30ZFIiCgg%2Fg9D%2FSKKj5Xv2mPG46PvAmIwtW3nOKCQG90FTtbSkmUqlKz3F8OM0vxczYYlKKqT9NEwz9wpPFDE2cfWdMv0ir" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 194, "CIDR": 63, "FileHash-MD5": 397, "FileHash-SHA1": 112, "FileHash-SHA256": 506, "URL": 500, "domain": 152, "email": 19, "hostname": 624, "CVE": 1, "IPv6": 53, "Mutex": 1, "URI": 1 }, "indicator_count": 2623, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "8 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://login.microsoftonline.com/", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://login.microsoftonline.com/", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780222559.6187277 }