{ "type": "URL", "indicator": "https://microsoftstart.org", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://microsoftstart.org", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4317975422, "indicator": "https://microsoftstart.org", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 5, "pulses": [ { "id": "69efc567ae24b8285a71099d", "name": "Enemy of the State: Order in the Court \u2022 Part 4 - World Media", "description": "Critical, out of control targeting. Suspected Pegasus related campaign seen in State of Colorado court and Hospital systems+++. The answer is NO. The crime victim / survivor was never going to be given a chance to bring forward a case of any type of. Silenced. Not allowed to pursue justice. Car accident. No. Robbed. No Assault. No. Either the State is heavily involved or systems are manipulated by adversaries.\n\nCVE found more than a year ago, Original OTX researchers Pulses not found.\nCVE Overview:\nIn affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance.", "modified": "2026-05-27T18:05:26.880000", "created": "2026-04-27T20:21:59.824000", "tags": [ "wifi id", "april", "extraction", "enter sc", "type ol", "data upload", "extra", "referen", "wifi data", "wifi", "ntgraph xe", "dynamicloader", "high", "port", "a8 f0", "c0 a0", "c4 d8", "a4 c4", "cache", "yara rule", "write", "music", "explorer", "guard", "tracker", "media", "default", "file", "id login", "mwdb", "bazaar", "sha3384", "ssdeep", "xport", "accept", "agent", "shutdown", "pe file", "network info", "sample", "aslr", "program", "mitre attack", "processes extra", "overview zenbox", "verdict", "iocs", "extra data", "included iocs", "indicator", "review iocs", "find", "dr wifi", "include review", "exclude sugges", "find s", "failed", "typ url", "registrant name", "all domain", "passive dns", "urls", "files", "access", "all ipv4", "america flag", "des moines", "level", "zeppelin", "domain add", "united states", "active", "msie", "windows nt", "united", "search", "medium", "as16509", "unknown", "upatre", "malware", "next", "ip address", "pty ltd", "url analysis", "trojan", "write c", "suspicious", "tt tr", "ultradns client", "service", "name servers", "emails", "world media", "contacted", "post", "u001b4nu0017", "powershell", "sc data", "type", "enter", "data", "cre pul", "enric", "extraction data", "denver courts", "hacking", "mitm_attacks", "injustice", "tracking", "ai", "ee fc", "ff d5", "domain", "australia", "files ip", "script script", "set cookie", "cookie", "related pulses", "learn", "ck id", "name tactics", "informative", "adversaries", "command", "defense evasion", "spawns", "javascript", "ascii text", "pattern match", "mitre att", "null", "refresh", "span", "hybrid", "general", "local", "path", "click", "strings", "error", "tools", "title", "look", "verify", "restart", "australia asn", "as9714 vocus", "body", "certificate", "present may", "japan unknown", "a domains", "value", "content type", "location japan", "shibuya", "japan asn", "as2497 internet", "dns resolutions", "domains top", "united states", "ipv4", "targeting", "tsara brashears", "state colorado", "critical", "pornhub", "tulach", "sabey", "poleass", "foundrypalantir", "pegasus", "state", "quasi", "shhh", "denver", "dougco", "jeffrey reimer", "reimer gropes", "christopher ahmann", "workers compensation", "commerce industry", "aig", "industry commerce", "confluence" ], "references": [ "[DR] Wifi ID Login v1.3 [03 April 2014].exe", "7d10881f146e0d4659948a3555b1eee33950647a3c830978d26f2c8e88d2a90a", "bell.ca", "indonesiawifi.net \u2022 http://welcome.indonesiawifi.net/wifi.id/speedy/?switch_url=http", "https://welcome.indonesiawifi.net/wifi.id/flexizone", "SLF:MSIL/PSTAnomaly.A SHA1 826d75e406808e3f002cb2b6da09003f78d612a1 [winPEAS.exe] SQLite.Interop.pdb", "A target pursued post criminal assault on Pinnacol Assuranve insured premises", "https://tms.lingyiitech.com/ELSServer_LYZZ/ \u2022 https://oa.lingyiitech.com/login.jsp", "IDS Detections: Backdoor.Win32.Pushdo.s Checkin Observed DNS Query to .biz TLD", "IDS Detections: HTTP Request to a *.tw domain 403 Forbiddenau ...", "Yara Detections: PWSWin32Kegotip , VirusWin32Gogo , VirusWin32Hala , VirusWin32Wholdor", "Alerts: behavior_upatre multiple_useragents persistence_autorun network_icmp dead_connect", "Alerts:static_pe_anomaly suricata_alert antisandbox_sleep dynamic_function_loading", "Alerts: http_request network_cnc_http network_http packer_entropy injection_rwx", "Alerts: antidebug_setunhandledexceptionfilter antivm_network_adapters", "IP\u2019s Contacted: 143.204.237.45 58.138.175.188 65.38.128.10 147.21.128.26 78.41.204.31 132.148.77.44", "IP\u2019s Contacted: 185.104.29.148 92.122.107.204 139.76.134.15 184.150.211.195", "Domains Contacted: 0handicap.at accountingtechs.biz 4dbenelux.be accountant.com knology.net", "Domains Contacted: badactor.us revasal.com yahoo.se excite.fr primus.com.au", "Backdoor.Win32.Pushdo.s Checkin", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian \u2018nonsense Denver County Courts)", "Name Servers PDNS1.ULTRADNS.NET Org", "World Media Group, LLC Address 90 lrojanbownloader.vns. Washington Valley Rd., #", "https://otx.alienvault.com/indicator/cve/CVE-2022-26134", "Phishing: http://gravityboard.com/?ptrxcz_quy147AEHKNQUXadgkorvy158BFILO", "Created Pulses: NSO Group [Unnamed group] Unnamed group pi, pdfkit.net State of Colorado", "CVE-2022-26134\t Base Severity: Critical | Targeted | NSO Pegasus Relationships suspected", "https://www.mirvish.com/shows/come-from-away&geo=ca&merchantid=407759&useragent=Mozilla/5.0 (Linux; Android 13; Pixel 4a (5G) Build/TQ2A.230505.002; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/112.0.5615.136 Mobile Safari/537.36 GoogleApp/14.16.27.29.arm64 AppEngine-Google; (+ No Expiration", "Apple Cons: https://stetsed.xyz/apple \u2022 https://www.collierhonorflight.org/apple-touch-icon.png", "nr-data.net \u2022 https://www.sandoll.co.kr/AppleSDGothicNeo \u2022 aka.ms", "CVE-2022-26134 \u2022 CVSS V3 Severity ATTACK COMPLEXITY: LOW ATTACK VECTOR: NETWORK AVAILABILITY", "IMPACT: HIGH BASE SCORE: 9.8 BASE SEVERITY: CRITICAL CONFIDENTIALITY IMPACT: HIGH INTEGRITY IMPACT: HIGH", "CVE-2022-26134 \u2022 PRIVILEGES REQUIRED: NONE" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "SLF:MSIL/PSTAnomaly.A", "display_name": "SLF:MSIL/PSTAnomaly.A", "target": "/malware/SLF:MSIL/PSTAnomaly.A" }, { "id": "Win.Trojan.Pushdo-20", "display_name": "Win.Trojan.Pushdo-20", "target": null }, { "id": "TrojanDownloader:Win32/Cutwail.BS", "display_name": "TrojanDownloader:Win32/Cutwail.BS", "target": "/malware/TrojanDownloader:Win32/Cutwail.BS" }, { "id": "TrojanDownloader:Win32/Cutwail.BV", "display_name": "TrojanDownloader:Win32/Cutwail.BV", "target": "/malware/TrojanDownloader:Win32/Cutwail.BV" }, { "id": "World Media", "display_name": "World Media", "target": null }, { "id": "CVE-2022-26134", "display_name": "CVE-2022-26134", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [ "Government", "Legal", "Judicial", "Technology", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1037, "hostname": 865, "domain": 685, "URL": 2224, "FileHash-MD5": 131, "FileHash-SHA1": 94, "CVE": 1, "email": 8, "SSLCertFingerprint": 6 }, "indicator_count": 5051, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "3 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69efc7a6778f84c179d27073", "name": "Credit Q.Vashti - Cloned Pulse [\"Enemy of the State: Order in the Court\"]", "description": "", "modified": "2026-05-27T18:05:26.880000", "created": "2026-04-27T20:31:34.221000", "tags": [ "wifi id", "april", "extraction", "enter sc", "type ol", "data upload", "extra", "referen", "wifi data", "wifi", "ntgraph xe", "dynamicloader", "high", "port", "a8 f0", "c0 a0", "c4 d8", "a4 c4", "cache", "yara rule", "write", "music", "explorer", "guard", "tracker", "media", "default", "file", "id login", "mwdb", "bazaar", "sha3384", "ssdeep", "xport", "accept", "agent", "shutdown", "pe file", "network info", "sample", "aslr", "program", "mitre attack", "processes extra", "overview zenbox", "verdict", "iocs", "extra data", "included iocs", "indicator", "review iocs", "find", "dr wifi", "include review", "exclude sugges", "find s", "failed", "typ url", "registrant name", "all domain", "passive dns", "urls", "files", "access", "all ipv4", "america flag", "des moines", "level", "zeppelin", "domain add", "united states", "active", "msie", "windows nt", "united", "search", "medium", "as16509", "unknown", "upatre", "malware", "next", "ip address", "pty ltd", "url analysis", "trojan", "write c", "suspicious", "tt tr", "ultradns client", "service", "name servers", "emails", "world media", "contacted", "post", "u001b4nu0017", "powershell", "sc data", "type", "enter", "data", "cre pul", "enric", "extraction data", "denver courts", "hacking", "mitm_attacks", "injustice", "tracking", "ai", "ee fc", "ff d5", "domain", "australia", "files ip", "script script", "set cookie", "cookie", "related pulses", "learn", "ck id", "name tactics", "informative", "adversaries", "command", "defense evasion", "spawns", "javascript", "ascii text", "pattern match", "mitre att", "null", "refresh", "span", "hybrid", "general", "local", "path", "click", "strings", "error", "tools", "title", "look", "verify", "restart", "australia asn", "as9714 vocus", "body", "certificate", "present may", "japan unknown", "a domains", "value", "content type", "location japan", "shibuya", "japan asn", "as2497 internet", "dns resolutions", "domains top", "united states", "ipv4", "targeting", "tsara brashears", "state colorado", "critical", "pornhub", "tulach", "sabey", "poleass", "foundrypalantir", "pegasus", "state", "quasi", "shhh", "denver", "dougco", "jeffrey reimer", "reimer gropes", "christopher ahmann", "workers compensation", "commerce industry", "aig", "industry commerce", "confluence" ], "references": [ "[DR] Wifi ID Login v1.3 [03 April 2014].exe", "7d10881f146e0d4659948a3555b1eee33950647a3c830978d26f2c8e88d2a90a", "bell.ca", "indonesiawifi.net \u2022 http://welcome.indonesiawifi.net/wifi.id/speedy/?switch_url=http", "https://welcome.indonesiawifi.net/wifi.id/flexizone", "SLF:MSIL/PSTAnomaly.A SHA1 826d75e406808e3f002cb2b6da09003f78d612a1 [winPEAS.exe] SQLite.Interop.pdb", "A target pursued post criminal assault on Pinnacol Assuranve insured premises", "https://tms.lingyiitech.com/ELSServer_LYZZ/ \u2022 https://oa.lingyiitech.com/login.jsp", "IDS Detections: Backdoor.Win32.Pushdo.s Checkin Observed DNS Query to .biz TLD", "IDS Detections: HTTP Request to a *.tw domain 403 Forbiddenau ...", "Yara Detections: PWSWin32Kegotip , VirusWin32Gogo , VirusWin32Hala , VirusWin32Wholdor", "Alerts: behavior_upatre multiple_useragents persistence_autorun network_icmp dead_connect", "Alerts:static_pe_anomaly suricata_alert antisandbox_sleep dynamic_function_loading", "Alerts: http_request network_cnc_http network_http packer_entropy injection_rwx", "Alerts: antidebug_setunhandledexceptionfilter antivm_network_adapters", "IP\u2019s Contacted: 143.204.237.45 58.138.175.188 65.38.128.10 147.21.128.26 78.41.204.31 132.148.77.44", "IP\u2019s Contacted: 185.104.29.148 92.122.107.204 139.76.134.15 184.150.211.195", "Domains Contacted: 0handicap.at accountingtechs.biz 4dbenelux.be accountant.com knology.net", "Domains Contacted: badactor.us revasal.com yahoo.se excite.fr primus.com.au", "Backdoor.Win32.Pushdo.s Checkin", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian \u2018nonsense Denver County Courts)", "Name Servers PDNS1.ULTRADNS.NET Org", "World Media Group, LLC Address 90 lrojanbownloader.vns. Washington Valley Rd., #", "https://otx.alienvault.com/indicator/cve/CVE-2022-26134", "Phishing: http://gravityboard.com/?ptrxcz_quy147AEHKNQUXadgkorvy158BFILO", "Created Pulses: NSO Group [Unnamed group] Unnamed group pi, pdfkit.net State of Colorado", "CVE-2022-26134\t Base Severity: Critical | Targeted | NSO Pegasus Relationships suspected", "https://www.mirvish.com/shows/come-from-away&geo=ca&merchantid=407759&useragent=Mozilla/5.0 (Linux; Android 13; Pixel 4a (5G) Build/TQ2A.230505.002; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/112.0.5615.136 Mobile Safari/537.36 GoogleApp/14.16.27.29.arm64 AppEngine-Google; (+ No Expiration", "Apple Cons: https://stetsed.xyz/apple \u2022 https://www.collierhonorflight.org/apple-touch-icon.png", "nr-data.net \u2022 https://www.sandoll.co.kr/AppleSDGothicNeo \u2022 aka.ms", "CVE-2022-26134 \u2022 CVSS V3 Severity ATTACK COMPLEXITY: LOW ATTACK VECTOR: NETWORK AVAILABILITY", "IMPACT: HIGH BASE SCORE: 9.8 BASE SEVERITY: CRITICAL CONFIDENTIALITY IMPACT: HIGH INTEGRITY IMPACT: HIGH", "CVE-2022-26134 \u2022 PRIVILEGES REQUIRED: NONE" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "SLF:MSIL/PSTAnomaly.A", "display_name": "SLF:MSIL/PSTAnomaly.A", "target": "/malware/SLF:MSIL/PSTAnomaly.A" }, { "id": "Win.Trojan.Pushdo-20", "display_name": "Win.Trojan.Pushdo-20", "target": null }, { "id": "TrojanDownloader:Win32/Cutwail.BS", "display_name": "TrojanDownloader:Win32/Cutwail.BS", "target": "/malware/TrojanDownloader:Win32/Cutwail.BS" }, { "id": "TrojanDownloader:Win32/Cutwail.BV", "display_name": "TrojanDownloader:Win32/Cutwail.BV", "target": "/malware/TrojanDownloader:Win32/Cutwail.BV" }, { "id": "World Media", "display_name": "World Media", "target": null }, { "id": "CVE-2022-26134", "display_name": "CVE-2022-26134", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [ "Government", "Legal", "Judicial", "Technology", "Telecommunications" ], "TLP": "white", "cloned_from": "69efc567ae24b8285a71099d", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1039, "hostname": 868, "domain": 687, "URL": 2226, "FileHash-MD5": 133, "FileHash-SHA1": 96, "CVE": 1, "email": 8, "SSLCertFingerprint": 6 }, "indicator_count": 5064, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "3 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69ede4900c0c36d508b00892", "name": "VirusTotal report for index.html tlp:green", "description": "[The following is the full text of the following:..woff2/akamai/clientlib-brand-base/resources/InstrumentSans-Variable-Latin-Italic] pdfkit[.net] = trans ip. Otx kept having server errors when trying to upload more comprehensive reports on this. Interference not by otx, suspect.", "modified": "2026-05-26T10:06:50.708000", "created": "2026-04-26T10:10:24.165000", "tags": [ "html internet", "html document", "unicode text", "utf8 text", "ascii text", "language", "https", "mitre attack", "network info", "processes extra", "transip", "performs dns", "t1055 process", "layer protocol", "overview", "overview zenbox", "title", "next", "meta", "link", "path", "doctype html", "ieedge", "bezet", "head", "body", "get url", "ip reputation", "divi child", "site kit", "google", "truetype", "woff", "user", "agent", "style", "original", "unknown", "has permission", "tls version", "file type", "loads", "urls", "persistence", "cloud", "malicious", "found", "dropped info", "zenbox android", "verdict" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/117a61ad457cb776ca2e337cc04dce86510931b1e311b02e709a5e6c486333c4_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1777196678&Signature=HzcyQV1X4%2BZuxALwV5MKabxavBVI2pXXV%2BqZ%2FxjbZGEzJLq3HvfBlhoJvnPO72cTsUYIRIF8xWwC5jRcagGjKfbaLJN2X5M8YJLFvzNW8EUuKXbP4HlPUyWW4vdbPPfTDk7AH9O3Mc%2Bsqm0rUu1TTZ5W30gnKw%2B8w129EjLK4TTXdxBhsVZflHp65tluC8NtT6PKr40eTUW79dRIU4EmpzQYixwP5kHPdWny4lMV2tyDCM4BVbj5jGGjOMlG", "https://vtbehaviour.commondatastorage.googleapis.com/117a61ad457cb776ca2e337cc04dce86510931b1e311b02e709a5e6c486333c4_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1777196704&Signature=oj%2BDJfu%2FPrkzTQYzv%2BNGIb7bMBOERBArPqSmhPICbJXukp7MyQm%2FhSDqT3TSgCuwYbRMqjTmAdHa9EBQ%2FCjlr3PdRe5jLJ3yEljzhIZMVkux2h7EGR9NvtyGFd0b4G6DcOYfzDyXI7IIUvEDVqDTPa2biRIlSwUKAXKvFLQvemNBTNwAt6ZWjRPcsjpgkPpPBVYA6mGR50QOtob74rarfPZno74N59OZkm5XoVm7mwuzGXDl189f", "https://vtbehaviour.commondatastorage.googleapis.com/45a190c2f2471d465eadce7b529473c1092e0b0fa4a8bd5066f2f0dadd021517_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1777197660&Signature=ZeKi%2BRgUGuBZD7C84XN%2BMrK%2FhjGTkk9wZi%2B8oRGqD%2FMkt4j53TX2%2FNO2D5kv3PFADqhPUkUWatmRPNgFj3%2Fxgz2H%2B1MaxZeG4uZ7yDAjWSgY1bcI2k5Z4SWMDc8FAivGl7%2FYutQiu%2FIWCMxbxTnk4yJQiQtuOgqwVTZybq4ROhIA52sWpFV9sAHWnPeTZJIPWahZpZz3LH5ByhNbVb8fHKqxFmoQAswKLvlgjAcNSh", "https://vtbehaviour.commondatastorage.googleapis.com/00000d3cb583c86b8fd89bcd270cf1a9c1974f23518caf52a9d55ba482afc255_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1777198022&Signature=X%2FtJADqZ8hUIDWnAnxXSy836h8XaVn9hIB%2FoJc%2BMiH70BQaiUPucRhxoQpLz8ff%2BU7i4DwbrecytnCCLiVA1QuLWxTYL9hBhT8xX%2F3h564r8jpG8kTHcyZTD%2F1w9THtZhgtgccYteH8vuC1RaaNpHpj8RESbs6TdENGlhzHELvXxYplQuBznpKau1ZeLiNJFngKuEOT%2FkcHjzOM%2B%2BUZzAovTwc6PDZOk4C4qBT7YdZ", "https://vtbehaviour.commondatastorage.googleapis.com/000011b9276d67cb6c737226e1572ad5396d96a7ce2a6512c6c5774371332730_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1777198160&Signature=ErZReZYXc0zl2849KmoGwJGof9NjsCg2iX3sqgLWs2FU4WBoLpZAVnFi6g7Z3BFda%2FDPKxZ7%2FHG%2BlEU2VB7ctD7pXcNfD%2F3nEPZC54sles9Cycinws6vWWfHnYmSpwKF4DtTjjbL%2F7bwIb%2FOrT%2BeKzVvt7gGL%2ByHJpWrAgr4UtNSHKVmHLIIgRH%2FfDOtlS410ed%2Bal8ukGl9ZSeDQjYg0A0KKxdNkAtcJPN4fLcl" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1409", "name": "Access Stored Application Data", "display_name": "T1409 - Access Stored Application Data" }, { "id": "T1418", "name": "Application Discovery", "display_name": "T1418 - Application Discovery" }, { "id": "T1421", "name": "System Network Connections Discovery", "display_name": "T1421 - System Network Connections Discovery" }, { "id": "T1422", "name": "System Network Configuration Discovery", "display_name": "T1422 - System Network Configuration Discovery" }, { "id": "T1424", "name": "Process Discovery", "display_name": "T1424 - Process Discovery" }, { "id": "T1426", "name": "System Information Discovery", "display_name": "T1426 - System Information Discovery" }, { "id": "T1430", "name": "Location Tracking", "display_name": "T1430 - Location Tracking" }, { "id": "T1406", "name": "Obfuscated Files or Information", "display_name": "T1406 - Obfuscated Files or Information" }, { "id": "T1429", "name": "Capture Audio", "display_name": "T1429 - Capture Audio" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 554, "FileHash-MD5": 53, "FileHash-SHA1": 4, "URL": 561, "hostname": 275, "domain": 114 }, "indicator_count": 1561, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "5 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69e4e39558ce3e9467915ec9", "name": "VirusTotal Windows Sandbox - Bios Mutex", "description": "< A full list of details about the file that was used to launch the Yomi ransomware attack on the Windows operating system in the 1990s, and which has now been described as \"malicious\".> Firmware Neutral. Bios Mutex. This is cruel.", "modified": "2026-05-20T00:02:48.915000", "created": "2026-04-19T14:15:49.333000", "tags": [ "toggle", "xff dxff0dx89", "x8bxc0xff", "xf0xb3 xf0xb3", "pxa1x90xa6", "x85xc0t x85xc0t", "xe0xfbt", "l xe0xfbt", "x83xc4 x83xc4", "x85xd2t x85xd2t", "download", "first", "path", "enterprise", "service", "close", "success", "regopenkeyexa", "createmutexw", "regopenkeyexw", "regenumvaluew", "netbiosthread1", "netbiosthread2", "regcreatekeyexw", "hkeycurrentuser", "loadlibrarya", "shell", "fail", "windows sandbox", "calls process" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/af586c4273d941f49291bd82b3363e97ec68755793a06e6982d8e5291e461f28_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776607834&Signature=hyJ%2FTXDs5ybL7Px0RGD8qpbR2mhMsw9TGnNlVw1emJtvQUIxQ3fbIohjSdWraqmbe1ed3W0qMGeOjKauzQYJM6g4YT4TvdlSBfruPE0NYGLVLi7m2GB6fGGn84yrlYQ34ioU%2F1vJ6f%2FItzTch0a9TpisvD%2FGLq%2FEngakns%2FkmlbkSwGqIlsWY7fVv5H%2BjLF7n%2BKoiRgnElJKbZIKXhoyatx0K1hwEm5FhR2psWxfTwyv7bs", "https://vtbehaviour.commondatastorage.googleapis.com/af586c4273d941f49291bd82b3363e97ec68755793a06e6982d8e5291e461f28_VirusTotal%20Cuckoofork.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776608137&Signature=UiEXl5dFUjdbtSBJ5oDC2ewFK3bwZVFMU4c58Oj69fhp7qdwfqPbxDkJ%2Fip5zs3usTaZu8qrwgjJ3EgqO87YfEBtsV%2FCUTRvtFeHfzrOTkbE1WkOuasRAa92snPaPCt9Kk3y5q3jRMDlVA9g2rpZOsCub%2BYzl0%2FfdG8m%2FFed4xqdb2hu9ANjORr6MflPpQO8ThcwsbuThAuY4d28geQGVt86xzc00GELx6tbWViWiFA", "https://vtbehaviour.commondatastorage.googleapis.com/af586c4273d941f49291bd82b3363e97ec68755793a06e6982d8e5291e461f28_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776608198&Signature=N5AMDdOomLkmCompJzyYyrKb70Dt3nkBA2WmItg2wH6lcZDEqCt9pFe6xjRCi4BUBNOVGWgmAb2xg9tPXQ1mJghdn%2FehssyS8JLpmPFRDGeH7r2ULHprDQ3%2BoXTR9IC38%2F8K1ED36yL6kqTBdr%2BTYNi71%2B6rs%2FBqPgCVgVBMfrtmZHg49tzBjd5GNuDWptnb9gJVuovKjCJh2Ure8hIjmfG4I95r1rmZhHHgE7hRIBqB" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 9, "FileHash-SHA1": 6, "FileHash-SHA256": 139, "SSLCertFingerprint": 3, "URL": 145, "hostname": 99, "domain": 41 }, "indicator_count": 442, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "11 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69e4ce38b03b0bb283c78a42", "name": "CAPE Sandbox- circa 1980", "description": "I dont even have windows and its haunting me. The real treasure today was this though.. you were tricky with your 1980's work to find:\na74535b274b8bfa42e4d7dd33fd8703e\n2bcdb3bf34303a29106a3aefa21d611a170443ea\n4da1f382887248188f43e579f6a28163d4337cca2a7d8dc893b58dff35e9c745\n244aaea6a195a18bbd72a13a9a421e72", "modified": "2026-05-19T13:22:41.504000", "created": "2026-04-19T12:44:40.519000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 196, "FileHash-SHA1": 174, "FileHash-SHA256": 1546, "URL": 157, "hostname": 403, "domain": 80, "CIDR": 4, "email": 10 }, "indicator_count": 2570, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "11 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "A target pursued post criminal assault on Pinnacol Assuranve insured premises", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian \u2018nonsense Denver County Courts)", "https://vtbehaviour.commondatastorage.googleapis.com/af586c4273d941f49291bd82b3363e97ec68755793a06e6982d8e5291e461f28_VirusTotal%20Cuckoofork.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776608137&Signature=UiEXl5dFUjdbtSBJ5oDC2ewFK3bwZVFMU4c58Oj69fhp7qdwfqPbxDkJ%2Fip5zs3usTaZu8qrwgjJ3EgqO87YfEBtsV%2FCUTRvtFeHfzrOTkbE1WkOuasRAa92snPaPCt9Kk3y5q3jRMDlVA9g2rpZOsCub%2BYzl0%2FfdG8m%2FFed4xqdb2hu9ANjORr6MflPpQO8ThcwsbuThAuY4d28geQGVt86xzc00GELx6tbWViWiFA", "Domains Contacted: badactor.us revasal.com yahoo.se excite.fr primus.com.au", "Yara Detections: PWSWin32Kegotip , VirusWin32Gogo , VirusWin32Hala , VirusWin32Wholdor", "[DR] Wifi ID Login v1.3 [03 April 2014].exe", "https://vtbehaviour.commondatastorage.googleapis.com/45a190c2f2471d465eadce7b529473c1092e0b0fa4a8bd5066f2f0dadd021517_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1777197660&Signature=ZeKi%2BRgUGuBZD7C84XN%2BMrK%2FhjGTkk9wZi%2B8oRGqD%2FMkt4j53TX2%2FNO2D5kv3PFADqhPUkUWatmRPNgFj3%2Fxgz2H%2B1MaxZeG4uZ7yDAjWSgY1bcI2k5Z4SWMDc8FAivGl7%2FYutQiu%2FIWCMxbxTnk4yJQiQtuOgqwVTZybq4ROhIA52sWpFV9sAHWnPeTZJIPWahZpZz3LH5ByhNbVb8fHKqxFmoQAswKLvlgjAcNSh", "https://vtbehaviour.commondatastorage.googleapis.com/af586c4273d941f49291bd82b3363e97ec68755793a06e6982d8e5291e461f28_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776607834&Signature=hyJ%2FTXDs5ybL7Px0RGD8qpbR2mhMsw9TGnNlVw1emJtvQUIxQ3fbIohjSdWraqmbe1ed3W0qMGeOjKauzQYJM6g4YT4TvdlSBfruPE0NYGLVLi7m2GB6fGGn84yrlYQ34ioU%2F1vJ6f%2FItzTch0a9TpisvD%2FGLq%2FEngakns%2FkmlbkSwGqIlsWY7fVv5H%2BjLF7n%2BKoiRgnElJKbZIKXhoyatx0K1hwEm5FhR2psWxfTwyv7bs", "https://vtbehaviour.commondatastorage.googleapis.com/00000d3cb583c86b8fd89bcd270cf1a9c1974f23518caf52a9d55ba482afc255_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1777198022&Signature=X%2FtJADqZ8hUIDWnAnxXSy836h8XaVn9hIB%2FoJc%2BMiH70BQaiUPucRhxoQpLz8ff%2BU7i4DwbrecytnCCLiVA1QuLWxTYL9hBhT8xX%2F3h564r8jpG8kTHcyZTD%2F1w9THtZhgtgccYteH8vuC1RaaNpHpj8RESbs6TdENGlhzHELvXxYplQuBznpKau1ZeLiNJFngKuEOT%2FkcHjzOM%2B%2BUZzAovTwc6PDZOk4C4qBT7YdZ", "Alerts:static_pe_anomaly suricata_alert antisandbox_sleep dynamic_function_loading", "https://vtbehaviour.commondatastorage.googleapis.com/000011b9276d67cb6c737226e1572ad5396d96a7ce2a6512c6c5774371332730_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1777198160&Signature=ErZReZYXc0zl2849KmoGwJGof9NjsCg2iX3sqgLWs2FU4WBoLpZAVnFi6g7Z3BFda%2FDPKxZ7%2FHG%2BlEU2VB7ctD7pXcNfD%2F3nEPZC54sles9Cycinws6vWWfHnYmSpwKF4DtTjjbL%2F7bwIb%2FOrT%2BeKzVvt7gGL%2ByHJpWrAgr4UtNSHKVmHLIIgRH%2FfDOtlS410ed%2Bal8ukGl9ZSeDQjYg0A0KKxdNkAtcJPN4fLcl", "7d10881f146e0d4659948a3555b1eee33950647a3c830978d26f2c8e88d2a90a", "https://tms.lingyiitech.com/ELSServer_LYZZ/ \u2022 https://oa.lingyiitech.com/login.jsp", "https://vtbehaviour.commondatastorage.googleapis.com/117a61ad457cb776ca2e337cc04dce86510931b1e311b02e709a5e6c486333c4_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1777196678&Signature=HzcyQV1X4%2BZuxALwV5MKabxavBVI2pXXV%2BqZ%2FxjbZGEzJLq3HvfBlhoJvnPO72cTsUYIRIF8xWwC5jRcagGjKfbaLJN2X5M8YJLFvzNW8EUuKXbP4HlPUyWW4vdbPPfTDk7AH9O3Mc%2Bsqm0rUu1TTZ5W30gnKw%2B8w129EjLK4TTXdxBhsVZflHp65tluC8NtT6PKr40eTUW79dRIU4EmpzQYixwP5kHPdWny4lMV2tyDCM4BVbj5jGGjOMlG", "SLF:MSIL/PSTAnomaly.A SHA1 826d75e406808e3f002cb2b6da09003f78d612a1 [winPEAS.exe] SQLite.Interop.pdb", "Created Pulses: NSO Group [Unnamed group] Unnamed group pi, pdfkit.net State of Colorado", "https://www.mirvish.com/shows/come-from-away&geo=ca&merchantid=407759&useragent=Mozilla/5.0 (Linux; Android 13; Pixel 4a (5G) Build/TQ2A.230505.002; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/112.0.5615.136 Mobile Safari/537.36 GoogleApp/14.16.27.29.arm64 AppEngine-Google; (+ No Expiration", "IP\u2019s Contacted: 143.204.237.45 58.138.175.188 65.38.128.10 147.21.128.26 78.41.204.31 132.148.77.44", "Phishing: http://gravityboard.com/?ptrxcz_quy147AEHKNQUXadgkorvy158BFILO", "Backdoor.Win32.Pushdo.s Checkin", "Apple Cons: https://stetsed.xyz/apple \u2022 https://www.collierhonorflight.org/apple-touch-icon.png", "https://vtbehaviour.commondatastorage.googleapis.com/117a61ad457cb776ca2e337cc04dce86510931b1e311b02e709a5e6c486333c4_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1777196704&Signature=oj%2BDJfu%2FPrkzTQYzv%2BNGIb7bMBOERBArPqSmhPICbJXukp7MyQm%2FhSDqT3TSgCuwYbRMqjTmAdHa9EBQ%2FCjlr3PdRe5jLJ3yEljzhIZMVkux2h7EGR9NvtyGFd0b4G6DcOYfzDyXI7IIUvEDVqDTPa2biRIlSwUKAXKvFLQvemNBTNwAt6ZWjRPcsjpgkPpPBVYA6mGR50QOtob74rarfPZno74N59OZkm5XoVm7mwuzGXDl189f", "IDS Detections: HTTP Request to a *.tw domain 403 Forbiddenau ...", "https://otx.alienvault.com/indicator/cve/CVE-2022-26134", "nr-data.net \u2022 https://www.sandoll.co.kr/AppleSDGothicNeo \u2022 aka.ms", "Alerts: http_request network_cnc_http network_http packer_entropy injection_rwx", "Domains Contacted: 0handicap.at accountingtechs.biz 4dbenelux.be accountant.com knology.net", "CVE-2022-26134 \u2022 CVSS V3 Severity ATTACK COMPLEXITY: LOW ATTACK VECTOR: NETWORK AVAILABILITY", "bell.ca", "Alerts: antidebug_setunhandledexceptionfilter antivm_network_adapters", "Alerts: behavior_upatre multiple_useragents persistence_autorun network_icmp dead_connect", "indonesiawifi.net \u2022 http://welcome.indonesiawifi.net/wifi.id/speedy/?switch_url=http", "CVE-2022-26134 \u2022 PRIVILEGES REQUIRED: NONE", "IP\u2019s Contacted: 185.104.29.148 92.122.107.204 139.76.134.15 184.150.211.195", "CVE-2022-26134\t Base Severity: Critical | Targeted | NSO Pegasus Relationships suspected", "Name Servers PDNS1.ULTRADNS.NET Org", "World Media Group, LLC Address 90 lrojanbownloader.vns. Washington Valley Rd., #", "https://vtbehaviour.commondatastorage.googleapis.com/af586c4273d941f49291bd82b3363e97ec68755793a06e6982d8e5291e461f28_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776608198&Signature=N5AMDdOomLkmCompJzyYyrKb70Dt3nkBA2WmItg2wH6lcZDEqCt9pFe6xjRCi4BUBNOVGWgmAb2xg9tPXQ1mJghdn%2FehssyS8JLpmPFRDGeH7r2ULHprDQ3%2BoXTR9IC38%2F8K1ED36yL6kqTBdr%2BTYNi71%2B6rs%2FBqPgCVgVBMfrtmZHg49tzBjd5GNuDWptnb9gJVuovKjCJh2Ure8hIjmfG4I95r1rmZhHHgE7hRIBqB", "https://welcome.indonesiawifi.net/wifi.id/flexizone", "IMPACT: HIGH BASE SCORE: 9.8 BASE SEVERITY: CRITICAL CONFIDENTIALITY IMPACT: HIGH INTEGRITY IMPACT: HIGH", "IDS Detections: Backdoor.Win32.Pushdo.s Checkin Observed DNS Query to .biz TLD" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Win.trojan.pushdo-20", "Slf:msil/pstanomaly.a", "Cve-2022-26134", "Trojandownloader:win32/cutwail.bs", "World media", "Trojandownloader:win32/cutwail.bv" ], "industries": [ "Legal", "Government", "Technology", "Telecommunications", "Judicial" ], "unique_indicators": 8538 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/microsoftstart.org", "whois": "http://whois.domaintools.com/microsoftstart.org", "domain": "microsoftstart.org", "hostname": "Unavailable" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 5, "pulses": [ { "id": "69efc567ae24b8285a71099d", "name": "Enemy of the State: Order in the Court \u2022 Part 4 - World Media", "description": "Critical, out of control targeting. Suspected Pegasus related campaign seen in State of Colorado court and Hospital systems+++. The answer is NO. The crime victim / survivor was never going to be given a chance to bring forward a case of any type of. Silenced. Not allowed to pursue justice. Car accident. No. Robbed. No Assault. No. Either the State is heavily involved or systems are manipulated by adversaries.\n\nCVE found more than a year ago, Original OTX researchers Pulses not found.\nCVE Overview:\nIn affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance.", "modified": "2026-05-27T18:05:26.880000", "created": "2026-04-27T20:21:59.824000", "tags": [ "wifi id", "april", "extraction", "enter sc", "type ol", "data upload", "extra", "referen", "wifi data", "wifi", "ntgraph xe", "dynamicloader", "high", "port", "a8 f0", "c0 a0", "c4 d8", "a4 c4", "cache", "yara rule", "write", "music", "explorer", "guard", "tracker", "media", "default", "file", "id login", "mwdb", "bazaar", "sha3384", "ssdeep", "xport", "accept", "agent", "shutdown", "pe file", "network info", "sample", "aslr", "program", "mitre attack", "processes extra", "overview zenbox", "verdict", "iocs", "extra data", "included iocs", "indicator", "review iocs", "find", "dr wifi", "include review", "exclude sugges", "find s", "failed", "typ url", "registrant name", "all domain", "passive dns", "urls", "files", "access", "all ipv4", "america flag", "des moines", "level", "zeppelin", "domain add", "united states", "active", "msie", "windows nt", "united", "search", "medium", "as16509", "unknown", "upatre", "malware", "next", "ip address", "pty ltd", "url analysis", "trojan", "write c", "suspicious", "tt tr", "ultradns client", "service", "name servers", "emails", "world media", "contacted", "post", "u001b4nu0017", "powershell", "sc data", "type", "enter", "data", "cre pul", "enric", "extraction data", "denver courts", "hacking", "mitm_attacks", "injustice", "tracking", "ai", "ee fc", "ff d5", "domain", "australia", "files ip", "script script", "set cookie", "cookie", "related pulses", "learn", "ck id", "name tactics", "informative", "adversaries", "command", "defense evasion", "spawns", "javascript", "ascii text", "pattern match", "mitre att", "null", "refresh", "span", "hybrid", "general", "local", "path", "click", "strings", "error", "tools", "title", "look", "verify", "restart", "australia asn", "as9714 vocus", "body", "certificate", "present may", "japan unknown", "a domains", "value", "content type", "location japan", "shibuya", "japan asn", "as2497 internet", "dns resolutions", "domains top", "united states", "ipv4", "targeting", "tsara brashears", "state colorado", "critical", "pornhub", "tulach", "sabey", "poleass", "foundrypalantir", "pegasus", "state", "quasi", "shhh", "denver", "dougco", "jeffrey reimer", "reimer gropes", "christopher ahmann", "workers compensation", "commerce industry", "aig", "industry commerce", "confluence" ], "references": [ "[DR] Wifi ID Login v1.3 [03 April 2014].exe", "7d10881f146e0d4659948a3555b1eee33950647a3c830978d26f2c8e88d2a90a", "bell.ca", "indonesiawifi.net \u2022 http://welcome.indonesiawifi.net/wifi.id/speedy/?switch_url=http", "https://welcome.indonesiawifi.net/wifi.id/flexizone", "SLF:MSIL/PSTAnomaly.A SHA1 826d75e406808e3f002cb2b6da09003f78d612a1 [winPEAS.exe] SQLite.Interop.pdb", "A target pursued post criminal assault on Pinnacol Assuranve insured premises", "https://tms.lingyiitech.com/ELSServer_LYZZ/ \u2022 https://oa.lingyiitech.com/login.jsp", "IDS Detections: Backdoor.Win32.Pushdo.s Checkin Observed DNS Query to .biz TLD", "IDS Detections: HTTP Request to a *.tw domain 403 Forbiddenau ...", "Yara Detections: PWSWin32Kegotip , VirusWin32Gogo , VirusWin32Hala , VirusWin32Wholdor", "Alerts: behavior_upatre multiple_useragents persistence_autorun network_icmp dead_connect", "Alerts:static_pe_anomaly suricata_alert antisandbox_sleep dynamic_function_loading", "Alerts: http_request network_cnc_http network_http packer_entropy injection_rwx", "Alerts: antidebug_setunhandledexceptionfilter antivm_network_adapters", "IP\u2019s Contacted: 143.204.237.45 58.138.175.188 65.38.128.10 147.21.128.26 78.41.204.31 132.148.77.44", "IP\u2019s Contacted: 185.104.29.148 92.122.107.204 139.76.134.15 184.150.211.195", "Domains Contacted: 0handicap.at accountingtechs.biz 4dbenelux.be accountant.com knology.net", "Domains Contacted: badactor.us revasal.com yahoo.se excite.fr primus.com.au", "Backdoor.Win32.Pushdo.s Checkin", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian \u2018nonsense Denver County Courts)", "Name Servers PDNS1.ULTRADNS.NET Org", "World Media Group, LLC Address 90 lrojanbownloader.vns. Washington Valley Rd., #", "https://otx.alienvault.com/indicator/cve/CVE-2022-26134", "Phishing: http://gravityboard.com/?ptrxcz_quy147AEHKNQUXadgkorvy158BFILO", "Created Pulses: NSO Group [Unnamed group] Unnamed group pi, pdfkit.net State of Colorado", "CVE-2022-26134\t Base Severity: Critical | Targeted | NSO Pegasus Relationships suspected", "https://www.mirvish.com/shows/come-from-away&geo=ca&merchantid=407759&useragent=Mozilla/5.0 (Linux; Android 13; Pixel 4a (5G) Build/TQ2A.230505.002; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/112.0.5615.136 Mobile Safari/537.36 GoogleApp/14.16.27.29.arm64 AppEngine-Google; (+ No Expiration", "Apple Cons: https://stetsed.xyz/apple \u2022 https://www.collierhonorflight.org/apple-touch-icon.png", "nr-data.net \u2022 https://www.sandoll.co.kr/AppleSDGothicNeo \u2022 aka.ms", "CVE-2022-26134 \u2022 CVSS V3 Severity ATTACK COMPLEXITY: LOW ATTACK VECTOR: NETWORK AVAILABILITY", "IMPACT: HIGH BASE SCORE: 9.8 BASE SEVERITY: CRITICAL CONFIDENTIALITY IMPACT: HIGH INTEGRITY IMPACT: HIGH", "CVE-2022-26134 \u2022 PRIVILEGES REQUIRED: NONE" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "SLF:MSIL/PSTAnomaly.A", "display_name": "SLF:MSIL/PSTAnomaly.A", "target": "/malware/SLF:MSIL/PSTAnomaly.A" }, { "id": "Win.Trojan.Pushdo-20", "display_name": "Win.Trojan.Pushdo-20", "target": null }, { "id": "TrojanDownloader:Win32/Cutwail.BS", "display_name": "TrojanDownloader:Win32/Cutwail.BS", "target": "/malware/TrojanDownloader:Win32/Cutwail.BS" }, { "id": "TrojanDownloader:Win32/Cutwail.BV", "display_name": "TrojanDownloader:Win32/Cutwail.BV", "target": "/malware/TrojanDownloader:Win32/Cutwail.BV" }, { "id": "World Media", "display_name": "World Media", "target": null }, { "id": "CVE-2022-26134", "display_name": "CVE-2022-26134", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [ "Government", "Legal", "Judicial", "Technology", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1037, "hostname": 865, "domain": 685, "URL": 2224, "FileHash-MD5": 131, "FileHash-SHA1": 94, "CVE": 1, "email": 8, "SSLCertFingerprint": 6 }, "indicator_count": 5051, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "3 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69efc7a6778f84c179d27073", "name": "Credit Q.Vashti - Cloned Pulse [\"Enemy of the State: Order in the Court\"]", "description": "", "modified": "2026-05-27T18:05:26.880000", "created": "2026-04-27T20:31:34.221000", "tags": [ "wifi id", "april", "extraction", "enter sc", "type ol", "data upload", "extra", "referen", "wifi data", "wifi", "ntgraph xe", "dynamicloader", "high", "port", "a8 f0", "c0 a0", "c4 d8", "a4 c4", "cache", "yara rule", "write", "music", "explorer", "guard", "tracker", "media", "default", "file", "id login", "mwdb", "bazaar", "sha3384", "ssdeep", "xport", "accept", "agent", "shutdown", "pe file", "network info", "sample", "aslr", "program", "mitre attack", "processes extra", "overview zenbox", "verdict", "iocs", "extra data", "included iocs", "indicator", "review iocs", "find", "dr wifi", "include review", "exclude sugges", "find s", "failed", "typ url", "registrant name", "all domain", "passive dns", "urls", "files", "access", "all ipv4", "america flag", "des moines", "level", "zeppelin", "domain add", "united states", "active", "msie", "windows nt", "united", "search", "medium", "as16509", "unknown", "upatre", "malware", "next", "ip address", "pty ltd", "url analysis", "trojan", "write c", "suspicious", "tt tr", "ultradns client", "service", "name servers", "emails", "world media", "contacted", "post", "u001b4nu0017", "powershell", "sc data", "type", "enter", "data", "cre pul", "enric", "extraction data", "denver courts", "hacking", "mitm_attacks", "injustice", "tracking", "ai", "ee fc", "ff d5", "domain", "australia", "files ip", "script script", "set cookie", "cookie", "related pulses", "learn", "ck id", "name tactics", "informative", "adversaries", "command", "defense evasion", "spawns", "javascript", "ascii text", "pattern match", "mitre att", "null", "refresh", "span", "hybrid", "general", "local", "path", "click", "strings", "error", "tools", "title", "look", "verify", "restart", "australia asn", "as9714 vocus", "body", "certificate", "present may", "japan unknown", "a domains", "value", "content type", "location japan", "shibuya", "japan asn", "as2497 internet", "dns resolutions", "domains top", "united states", "ipv4", "targeting", "tsara brashears", "state colorado", "critical", "pornhub", "tulach", "sabey", "poleass", "foundrypalantir", "pegasus", "state", "quasi", "shhh", "denver", "dougco", "jeffrey reimer", "reimer gropes", "christopher ahmann", "workers compensation", "commerce industry", "aig", "industry commerce", "confluence" ], "references": [ "[DR] Wifi ID Login v1.3 [03 April 2014].exe", "7d10881f146e0d4659948a3555b1eee33950647a3c830978d26f2c8e88d2a90a", "bell.ca", "indonesiawifi.net \u2022 http://welcome.indonesiawifi.net/wifi.id/speedy/?switch_url=http", "https://welcome.indonesiawifi.net/wifi.id/flexizone", "SLF:MSIL/PSTAnomaly.A SHA1 826d75e406808e3f002cb2b6da09003f78d612a1 [winPEAS.exe] SQLite.Interop.pdb", "A target pursued post criminal assault on Pinnacol Assuranve insured premises", "https://tms.lingyiitech.com/ELSServer_LYZZ/ \u2022 https://oa.lingyiitech.com/login.jsp", "IDS Detections: Backdoor.Win32.Pushdo.s Checkin Observed DNS Query to .biz TLD", "IDS Detections: HTTP Request to a *.tw domain 403 Forbiddenau ...", "Yara Detections: PWSWin32Kegotip , VirusWin32Gogo , VirusWin32Hala , VirusWin32Wholdor", "Alerts: behavior_upatre multiple_useragents persistence_autorun network_icmp dead_connect", "Alerts:static_pe_anomaly suricata_alert antisandbox_sleep dynamic_function_loading", "Alerts: http_request network_cnc_http network_http packer_entropy injection_rwx", "Alerts: antidebug_setunhandledexceptionfilter antivm_network_adapters", "IP\u2019s Contacted: 143.204.237.45 58.138.175.188 65.38.128.10 147.21.128.26 78.41.204.31 132.148.77.44", "IP\u2019s Contacted: 185.104.29.148 92.122.107.204 139.76.134.15 184.150.211.195", "Domains Contacted: 0handicap.at accountingtechs.biz 4dbenelux.be accountant.com knology.net", "Domains Contacted: badactor.us revasal.com yahoo.se excite.fr primus.com.au", "Backdoor.Win32.Pushdo.s Checkin", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian \u2018nonsense Denver County Courts)", "Name Servers PDNS1.ULTRADNS.NET Org", "World Media Group, LLC Address 90 lrojanbownloader.vns. Washington Valley Rd., #", "https://otx.alienvault.com/indicator/cve/CVE-2022-26134", "Phishing: http://gravityboard.com/?ptrxcz_quy147AEHKNQUXadgkorvy158BFILO", "Created Pulses: NSO Group [Unnamed group] Unnamed group pi, pdfkit.net State of Colorado", "CVE-2022-26134\t Base Severity: Critical | Targeted | NSO Pegasus Relationships suspected", "https://www.mirvish.com/shows/come-from-away&geo=ca&merchantid=407759&useragent=Mozilla/5.0 (Linux; Android 13; Pixel 4a (5G) Build/TQ2A.230505.002; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/112.0.5615.136 Mobile Safari/537.36 GoogleApp/14.16.27.29.arm64 AppEngine-Google; (+ No Expiration", "Apple Cons: https://stetsed.xyz/apple \u2022 https://www.collierhonorflight.org/apple-touch-icon.png", "nr-data.net \u2022 https://www.sandoll.co.kr/AppleSDGothicNeo \u2022 aka.ms", "CVE-2022-26134 \u2022 CVSS V3 Severity ATTACK COMPLEXITY: LOW ATTACK VECTOR: NETWORK AVAILABILITY", "IMPACT: HIGH BASE SCORE: 9.8 BASE SEVERITY: CRITICAL CONFIDENTIALITY IMPACT: HIGH INTEGRITY IMPACT: HIGH", "CVE-2022-26134 \u2022 PRIVILEGES REQUIRED: NONE" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "SLF:MSIL/PSTAnomaly.A", "display_name": "SLF:MSIL/PSTAnomaly.A", "target": "/malware/SLF:MSIL/PSTAnomaly.A" }, { "id": "Win.Trojan.Pushdo-20", "display_name": "Win.Trojan.Pushdo-20", "target": null }, { "id": "TrojanDownloader:Win32/Cutwail.BS", "display_name": "TrojanDownloader:Win32/Cutwail.BS", "target": "/malware/TrojanDownloader:Win32/Cutwail.BS" }, { "id": "TrojanDownloader:Win32/Cutwail.BV", "display_name": "TrojanDownloader:Win32/Cutwail.BV", "target": "/malware/TrojanDownloader:Win32/Cutwail.BV" }, { "id": "World Media", "display_name": "World Media", "target": null }, { "id": "CVE-2022-26134", "display_name": "CVE-2022-26134", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [ "Government", "Legal", "Judicial", "Technology", "Telecommunications" ], "TLP": "white", "cloned_from": "69efc567ae24b8285a71099d", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1039, "hostname": 868, "domain": 687, "URL": 2226, "FileHash-MD5": 133, "FileHash-SHA1": 96, "CVE": 1, "email": 8, "SSLCertFingerprint": 6 }, "indicator_count": 5064, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "3 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69ede4900c0c36d508b00892", "name": "VirusTotal report for index.html tlp:green", "description": "[The following is the full text of the following:..woff2/akamai/clientlib-brand-base/resources/InstrumentSans-Variable-Latin-Italic] pdfkit[.net] = trans ip. Otx kept having server errors when trying to upload more comprehensive reports on this. Interference not by otx, suspect.", "modified": "2026-05-26T10:06:50.708000", "created": "2026-04-26T10:10:24.165000", "tags": [ "html internet", "html document", "unicode text", "utf8 text", "ascii text", "language", "https", "mitre attack", "network info", "processes extra", "transip", "performs dns", "t1055 process", "layer protocol", "overview", "overview zenbox", "title", "next", "meta", "link", "path", "doctype html", "ieedge", "bezet", "head", "body", "get url", "ip reputation", "divi child", "site kit", "google", "truetype", "woff", "user", "agent", "style", "original", "unknown", "has permission", "tls version", "file type", "loads", "urls", "persistence", "cloud", "malicious", "found", "dropped info", "zenbox android", "verdict" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/117a61ad457cb776ca2e337cc04dce86510931b1e311b02e709a5e6c486333c4_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1777196678&Signature=HzcyQV1X4%2BZuxALwV5MKabxavBVI2pXXV%2BqZ%2FxjbZGEzJLq3HvfBlhoJvnPO72cTsUYIRIF8xWwC5jRcagGjKfbaLJN2X5M8YJLFvzNW8EUuKXbP4HlPUyWW4vdbPPfTDk7AH9O3Mc%2Bsqm0rUu1TTZ5W30gnKw%2B8w129EjLK4TTXdxBhsVZflHp65tluC8NtT6PKr40eTUW79dRIU4EmpzQYixwP5kHPdWny4lMV2tyDCM4BVbj5jGGjOMlG", "https://vtbehaviour.commondatastorage.googleapis.com/117a61ad457cb776ca2e337cc04dce86510931b1e311b02e709a5e6c486333c4_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1777196704&Signature=oj%2BDJfu%2FPrkzTQYzv%2BNGIb7bMBOERBArPqSmhPICbJXukp7MyQm%2FhSDqT3TSgCuwYbRMqjTmAdHa9EBQ%2FCjlr3PdRe5jLJ3yEljzhIZMVkux2h7EGR9NvtyGFd0b4G6DcOYfzDyXI7IIUvEDVqDTPa2biRIlSwUKAXKvFLQvemNBTNwAt6ZWjRPcsjpgkPpPBVYA6mGR50QOtob74rarfPZno74N59OZkm5XoVm7mwuzGXDl189f", "https://vtbehaviour.commondatastorage.googleapis.com/45a190c2f2471d465eadce7b529473c1092e0b0fa4a8bd5066f2f0dadd021517_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1777197660&Signature=ZeKi%2BRgUGuBZD7C84XN%2BMrK%2FhjGTkk9wZi%2B8oRGqD%2FMkt4j53TX2%2FNO2D5kv3PFADqhPUkUWatmRPNgFj3%2Fxgz2H%2B1MaxZeG4uZ7yDAjWSgY1bcI2k5Z4SWMDc8FAivGl7%2FYutQiu%2FIWCMxbxTnk4yJQiQtuOgqwVTZybq4ROhIA52sWpFV9sAHWnPeTZJIPWahZpZz3LH5ByhNbVb8fHKqxFmoQAswKLvlgjAcNSh", "https://vtbehaviour.commondatastorage.googleapis.com/00000d3cb583c86b8fd89bcd270cf1a9c1974f23518caf52a9d55ba482afc255_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1777198022&Signature=X%2FtJADqZ8hUIDWnAnxXSy836h8XaVn9hIB%2FoJc%2BMiH70BQaiUPucRhxoQpLz8ff%2BU7i4DwbrecytnCCLiVA1QuLWxTYL9hBhT8xX%2F3h564r8jpG8kTHcyZTD%2F1w9THtZhgtgccYteH8vuC1RaaNpHpj8RESbs6TdENGlhzHELvXxYplQuBznpKau1ZeLiNJFngKuEOT%2FkcHjzOM%2B%2BUZzAovTwc6PDZOk4C4qBT7YdZ", "https://vtbehaviour.commondatastorage.googleapis.com/000011b9276d67cb6c737226e1572ad5396d96a7ce2a6512c6c5774371332730_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1777198160&Signature=ErZReZYXc0zl2849KmoGwJGof9NjsCg2iX3sqgLWs2FU4WBoLpZAVnFi6g7Z3BFda%2FDPKxZ7%2FHG%2BlEU2VB7ctD7pXcNfD%2F3nEPZC54sles9Cycinws6vWWfHnYmSpwKF4DtTjjbL%2F7bwIb%2FOrT%2BeKzVvt7gGL%2ByHJpWrAgr4UtNSHKVmHLIIgRH%2FfDOtlS410ed%2Bal8ukGl9ZSeDQjYg0A0KKxdNkAtcJPN4fLcl" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1409", "name": "Access Stored Application Data", "display_name": "T1409 - Access Stored Application Data" }, { "id": "T1418", "name": "Application Discovery", "display_name": "T1418 - Application Discovery" }, { "id": "T1421", "name": "System Network Connections Discovery", "display_name": "T1421 - System Network Connections Discovery" }, { "id": "T1422", "name": "System Network Configuration Discovery", "display_name": "T1422 - System Network Configuration Discovery" }, { "id": "T1424", "name": "Process Discovery", "display_name": "T1424 - Process Discovery" }, { "id": "T1426", "name": "System Information Discovery", "display_name": "T1426 - System Information Discovery" }, { "id": "T1430", "name": "Location Tracking", "display_name": "T1430 - Location Tracking" }, { "id": "T1406", "name": "Obfuscated Files or Information", "display_name": "T1406 - Obfuscated Files or Information" }, { "id": "T1429", "name": "Capture Audio", "display_name": "T1429 - Capture Audio" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 554, "FileHash-MD5": 53, "FileHash-SHA1": 4, "URL": 561, "hostname": 275, "domain": 114 }, "indicator_count": 1561, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "5 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69e4e39558ce3e9467915ec9", "name": "VirusTotal Windows Sandbox - Bios Mutex", "description": "< A full list of details about the file that was used to launch the Yomi ransomware attack on the Windows operating system in the 1990s, and which has now been described as \"malicious\".> Firmware Neutral. Bios Mutex. This is cruel.", "modified": "2026-05-20T00:02:48.915000", "created": "2026-04-19T14:15:49.333000", "tags": [ "toggle", "xff dxff0dx89", "x8bxc0xff", "xf0xb3 xf0xb3", "pxa1x90xa6", "x85xc0t x85xc0t", "xe0xfbt", "l xe0xfbt", "x83xc4 x83xc4", "x85xd2t x85xd2t", "download", "first", "path", "enterprise", "service", "close", "success", "regopenkeyexa", "createmutexw", "regopenkeyexw", "regenumvaluew", "netbiosthread1", "netbiosthread2", "regcreatekeyexw", "hkeycurrentuser", "loadlibrarya", "shell", "fail", "windows sandbox", "calls process" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/af586c4273d941f49291bd82b3363e97ec68755793a06e6982d8e5291e461f28_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776607834&Signature=hyJ%2FTXDs5ybL7Px0RGD8qpbR2mhMsw9TGnNlVw1emJtvQUIxQ3fbIohjSdWraqmbe1ed3W0qMGeOjKauzQYJM6g4YT4TvdlSBfruPE0NYGLVLi7m2GB6fGGn84yrlYQ34ioU%2F1vJ6f%2FItzTch0a9TpisvD%2FGLq%2FEngakns%2FkmlbkSwGqIlsWY7fVv5H%2BjLF7n%2BKoiRgnElJKbZIKXhoyatx0K1hwEm5FhR2psWxfTwyv7bs", "https://vtbehaviour.commondatastorage.googleapis.com/af586c4273d941f49291bd82b3363e97ec68755793a06e6982d8e5291e461f28_VirusTotal%20Cuckoofork.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776608137&Signature=UiEXl5dFUjdbtSBJ5oDC2ewFK3bwZVFMU4c58Oj69fhp7qdwfqPbxDkJ%2Fip5zs3usTaZu8qrwgjJ3EgqO87YfEBtsV%2FCUTRvtFeHfzrOTkbE1WkOuasRAa92snPaPCt9Kk3y5q3jRMDlVA9g2rpZOsCub%2BYzl0%2FfdG8m%2FFed4xqdb2hu9ANjORr6MflPpQO8ThcwsbuThAuY4d28geQGVt86xzc00GELx6tbWViWiFA", "https://vtbehaviour.commondatastorage.googleapis.com/af586c4273d941f49291bd82b3363e97ec68755793a06e6982d8e5291e461f28_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776608198&Signature=N5AMDdOomLkmCompJzyYyrKb70Dt3nkBA2WmItg2wH6lcZDEqCt9pFe6xjRCi4BUBNOVGWgmAb2xg9tPXQ1mJghdn%2FehssyS8JLpmPFRDGeH7r2ULHprDQ3%2BoXTR9IC38%2F8K1ED36yL6kqTBdr%2BTYNi71%2B6rs%2FBqPgCVgVBMfrtmZHg49tzBjd5GNuDWptnb9gJVuovKjCJh2Ure8hIjmfG4I95r1rmZhHHgE7hRIBqB" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 9, "FileHash-SHA1": 6, "FileHash-SHA256": 139, "SSLCertFingerprint": 3, "URL": 145, "hostname": 99, "domain": 41 }, "indicator_count": 442, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "11 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69e4ce38b03b0bb283c78a42", "name": "CAPE Sandbox- circa 1980", "description": "I dont even have windows and its haunting me. The real treasure today was this though.. you were tricky with your 1980's work to find:\na74535b274b8bfa42e4d7dd33fd8703e\n2bcdb3bf34303a29106a3aefa21d611a170443ea\n4da1f382887248188f43e579f6a28163d4337cca2a7d8dc893b58dff35e9c745\n244aaea6a195a18bbd72a13a9a421e72", "modified": "2026-05-19T13:22:41.504000", "created": "2026-04-19T12:44:40.519000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 196, "FileHash-SHA1": 174, "FileHash-SHA256": 1546, "URL": 157, "hostname": 403, "domain": 80, "CIDR": 4, "email": 10 }, "indicator_count": 2570, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "11 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://microsoftstart.org", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://microsoftstart.org", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780222152.0783777 }