{ "type": "URL", "indicator": "https://platform.civicplus.com", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://platform.civicplus.com", "type": "url", "type_title": "URL", "validation": [ { "source": "whitelist", "message": "Whitelisted domain civicplus.com", "name": "Whitelisted domain" }, { "source": "majestic", "message": "Whitelisted domain civicplus.com", "name": "Whitelisted domain" } ], "base_indicator": { "id": 3163753760, "indicator": "https://platform.civicplus.com", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 18, "pulses": [ { "id": "69df292dac938e1d181a38e2", "name": "VirusTotal report\n for index.html", "description": " 'broken seal'\n\nObservations: Unplugged, Airbook, flashed wrote or write javascript in red around 2:45am EST when trying to upload and took me to a google screen.", "modified": "2026-05-16T00:08:35.224000", "created": "2026-04-15T05:59:09.898000", "tags": [ "sign", "submission", "unread", "community score", "status", "content type", "date", "community join", "community", "api key", "body", "dns resolutions", "ip traffic", "performs dns", "found", "https", "urls", "mitre attack", "network info", "processes extra", "mnhqrsc7", "t1055 process", "layer protocol", "phishing", "next", "get http", "rules not", "http", "injection", "memory pattern", "cape sandbox", "zenbox", "detections not", "found mitre", "info ids", "size", "analysis date", "domains", "facebook", "language", "vhash", "ssdeep", "file type", "html internet", "magic html", "unicode text", "utf8 text", "algorithm", "key identifier", "x509v3 subject", "v3 serial", "number", "cus olet", "encrypt cne7", "validity", "subject public", "key info", "handle", "server", "entity", "registrar abuse", "llc creation", "join", "umbrella", "trid file", "redacted for", "privacy tech", "privacy admin", "country", "stateprovince", "postal code", "organization", "email", "code", "canva", "overview", "dropped info", "malicious", "default", "file size", "mwdb", "bazaar", "sha3384", "acrongl integ", "adc4240758", "sha256", "accept", "shutdown", "back", "windows sandbox", "calls process", "docguard", "greyware mitre", "evasion", "vs98", "compiler", "sp6 build", "chi2", "contained", "authentihash", "rich pe", "win32 exe", "system process", "pe file", "ms windows", "downloads", "united", "drops pe", "tls version", "persistence", "fraud", "nothing", "registry keys", "parent pid", "full path", "command line", "mutexes nothing", "created", "files c", "read files", "read registry", "tcp connections", "udp connections", "files nothing", "description", "host process", "windows", "user", "integritylevel", "detailsendswith", "helper objects", "cache", "imageendswith", "autorun keys", "modification id", "asep", "victor sergeev", "tim shelton", "nextron", "from", "system32", "syswow64", "winsxs", "lolbins", "roth", "markus neis", "filesavira", "rule set", "github", "matches rule", "florian roth", "capture", "malware", "cgb osectigo", "public server", "dv r36", "pdf document", "magic pdf", "trid adobe", "format", "crc32", "win1", "detail info", "tickcount", "filename", "behaviour", "imagepath", "cmdline", "offset", "targetprocess", "writeaddress", "write", "shell", "open" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/a77a417f32cbded88f0d4e3663963a8965e72a25398acc329d907143e4ac3b23_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776228071&Signature=k4OPGTTS9fpKAbpLbTCobvi0%2BEjGbp7VcWYSCEp1TvQjpVcQtED0S8jcuTQ0McsWiP%2B6aw%2Fx98DNyVWEyPW4Tk8SxeBRXHcp0LXtwZJGGgR6Bg22qNhLkdLO31x8icluFzt4jqqp9hvJBXQodGoJWmlyxa3b9mS%2BeqUdi0ui3etDt%2Fhqv5QEOSCDX7bljWWmxRJa%2BZfAYDazGaCIGSQoltS%2BeMihl5SLMi%2B%2BjYP6%2BKTvM9xwUC", "https://vtbehaviour.commondatastorage.googleapis.com/a77a417f32cbded88f0d4e3663963a8965e72a25398acc329d907143e4ac3b23_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776228177&Signature=MeuwZPsdr0gtQe0sk4q%2F4CUZfcMW69%2BxIGhrTaYMPXdTjl9aWJE5615NjAm4MvLR4DtSbJ7cc1BFbk7BVmjJn8nL41YfGq%2BBf5gZPn0%2FQV9ktpUtUMF9Lv0QkTRTFvsf0jeKYeC2md5imom9AjEbo5ewSdFcbMP503mxuC0pdhpq7S49aLwME4HDzuoSSRnwj%2BlEmfp5egLduihMAZHjBHMzBdPMJAufJFlU8IQZClMZlgiQVG7EB%2Fv1e6", "https://vtbehaviour.commondatastorage.googleapis.com/b0b9aa9f245afb8f001e1d0c3be360fac8128469e52b5242115a7ff6e6c04978_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229294&Signature=OdVBHVnXq3aV47RlsO8ckBUvhV7Kn9b%2F4xcw6rkjRGl101K0lV0KpQpJFnEJ2JNjbsHO7vdMuiA2nR7aFNAx3pK6oJ2uEM5B%2F1BElXy3wNiL6OMqOj6VDv1lBLizeW3yvJG2V6sF%2By0mIhjiIDTOWyndGkDQoxymSgXyRoelmqrYH09k2E5CRoipEjdu2HUz6DgB0hePe4bG7h%2FBmerbDws5a3iwYrIjxjcFH06RSyYEapwLeYDZLUN8zzbnyg", "https://vtbehaviour.commondatastorage.googleapis.com/b0b9aa9f245afb8f001e1d0c3be360fac8128469e52b5242115a7ff6e6c04978_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229341&Signature=FsDJqLFCpjpHyHkGAAeaeZJ0FuHsnHPW6OqfNr9%2FNQIMbW7S%2BpRdtBt0QC6eD2wVbJ0w0mn5Yh0umB2%2B4oj4WMpC%2Bbrabv85VtOz%2F7vZpXZYD00Eey8BoejnKjQXMEvwQelKFGpAKX9nv%2FzwiCOS22Yks44WKHJ9A32A8UatUxBJensQPOqvN6AxKy8xxjxFGM3cZm0F86LlAfualBwN7iwbWFmc4eGjmYxY6luyqTxxyh58Vh", "https://vtbehaviour.commondatastorage.googleapis.com/b0b9aa9f245afb8f001e1d0c3be360fac8128469e52b5242115a7ff6e6c04978_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229360&Signature=mH4LFzdNbM%2FrTWl5A1VAc7ojWzYacRphus9okWr%2BvKUFUyk6TK8Pas4WKG1FcvFR2wwpkpjhE0AE0viuh35qs9qrKBS2fIH14W17FlfmoSXYlBcSDESzTv%2FVzT%2F0Apeil6p9N3Fux7xxH6ZuNyB%2B4%2FPrsSOrCfOkh4oSRipPAOPTUdPYpQTe0rA1LiyBADnpOeEOc4sEeKoTGaMgqmSXd6sFNnsjxsspmJ6p%2F0NL9s", "https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229700&Signature=bWnonefGUZtYeK3iLEK3l6B1K8s5LAANJsHqgu2f0adNPoq5aO1WnMIFL001ZRPLhg3zHdzVWEliZbOKd464xRNceJ7qnwM2u%2BoTUWVsdG7sWp8m3KT9cy98h7ihyVxEJudR7SVtw3hFHyjnbgFd8um7IWE3l2SqVOMKxir6agkJHMAg85Uq%2B29m%2Fxor5i2T2eJagX5555p5VHGXCleUwHe47ThbWegYdvCtAeZOtTKyRSdkhAYjfh3BJ1x2dWJ2", "https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229786&Signature=xYXDEDJcly%2BwCTkFPUyrSr228UUue%2BCAjKBOxrc5lIwprWxivXrJrS40lCNF%2BKMLkA9i6z04spAOemhRUK66rLcdqghb9T%2FBO4LbtGMX%2B1PAsVhS%2BP4qygPXIHJ5%2B8wxoZW2tYaq0ZvgAT6JnxbkWd5C0zOxXk%2F9hT6Vp9O5ikL6ZfyZ6slwyrcaPf2dQp0s8qV47TDrYLbF3PtfUd7Gqo1FH%2BCeT2v3waoi7mEQ%2BR", "https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229983&Signature=pjZPJEd79tkxjTOXjGMHb4Ed29a3OnC2MaGvoEp2E%2BtUNlKu%2BjXXLzR8Y%2FZlOZH1iQYAVjw%2BGSPneb4wnbT1VPNraQ3Xf5M6aAPdM6%2FksMddUDZcLVnFuSdgwU93ADeZobmWXc%2BJH1%2FguUu9OPzHo0G%2BgRmTNqH9qd3UF67OJAc5REJ07uMtzQuuBx6rXGruAKZEVmDJkBSj%2BYeGTwZmIa5rki62YowEiVDCcQ", "https://vtbehaviour.commondatastorage.googleapis.com/a77a417f32cbded88f0d4e3663963a8965e72a25398acc329d907143e4ac3b23_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776230863&Signature=MAUJlRZPDmQ8L%2FN5a%2F5%2FFKR6Avr46BE%2BopAgWZomEP4ZjskOPFdqUdHqNnWlGWBv%2FQh4X7Z7p3aft1KWZdvUXnSZMerAL7Kuh%2BCK%2BLXLSALQZ9DL6ZpXdOktgaTxL6heoTmcz%2FvpOVmsFn%2FgbzxQjLZ9GliY9AQE1C3VJAZmqdMbG1Y%2FIpByCKcEokrgAN%2B7XhJGE94VD8A4luLzKvlyVYuqoFv6raDRdQMFBOXOJCXkyjJk", "https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776230932&Signature=xa5mbsGixH6SGhj%2BdrfZBwVhiHGEybcZdAbHUfpoGoECgFwqMLudtOiuX7AZZO2RxSaIoY%2FOQa%2B7jGfS%2FoeYRgjRTmAJCei6M172sbgIU6nRQdVDrqNeJXkSlr20Q1sW0%2B4gtImsebtle4ipmPMbrM6VDUWKjegUi8afL5a27GLZg9veVMc%2FI0aT1qx8EjsdITQ%2BSdvZoX39A%2FlC3j0gK6R9WcVdu3DEx6lxUHsOx3HPKk%2BJAZyZ", "https://vtbehaviour.commondatastorage.googleapis.com/5db6524a52780ba7a4bd05e5faa20cbb7159f1c503394d850b5e95442357fb38_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776230974&Signature=zYx3MmXFQoBT4EG2nvG5OZiyNhwKxbZzjL6%2BNZgR4Vz%2FdHSEDvbVaSpxmWXWVYIvSYVfBhn1WxEelG4wi1yRrrS7CXwxSbXtv1E6hBhtT8u%2F%2Fj%2F4eRs2Jtulv5WvBY99pZ53qx9cvc8vV%2FgELVw%2Fy%2Bjat%2BN72%2BtX0XBhiiOt%2BtpVFkjl12ns9sbW6xNwzsrENkL5xhuctZ7TX2AX188SrJb9s5VM0wK7F8", "https://vtbehaviour.commondatastorage.googleapis.com/00fa27f76beaca564ba93b54d2c468637c2b1dcb5568c4a597a08068af36cda5_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776231578&Signature=NwCoyWHAZRo4FS0XqNnT7d8ki2ytuinY7CisegY4Mq1T5JctWpC4Kee1LG6L3Tmb8%2BfW9yMZq0ChSvSYUjdDTFzNYQoq8vKxf8iGkMy%2BmOA3tSAu3gbLWS2bTtDjc4TFrtK0PKow3hO0FW0QtCkt9NPBi%2BPgoW7MXYIZ3uFt9ARoi%2FY1ChJZdBRtdii1C%2BWEDeLCIQ9xOpDRKxdYBmliuWm6kmeld%2F5yh1%2FSBDYYTOMDDZwzdDUr%2FB", "https://vtbehaviour.commondatastorage.googleapis.com/000c8c89cace706e71df3b230abb53b0891757e08e1d10013ba76d98a3b08622_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776231935&Signature=wI0FB9EBFXXgWFo0thv9T11BAEOIJxW%2BSMCRUhCv8%2FEaaWaZhr975NH1qjEeFwIgm3cWdqm8KhXTxkbqGddaPoKiIoe59pX4ZVhr0LmnSTGFTFkLVGsGIajJCSutHgqOs6kW5KtDpyC67KxlAF1IA858Tz7eOXxYk3JYsf5g9iC%2BhkfqrDGGucK%2BDxtYZbIvDRb3QxLpD2qtF4NVPFoO38H3aJon0pykwGkrRNU0Pae%2F5YyJjl6m", "https://vtbehaviour.commondatastorage.googleapis.com/f403bda8d1840e13c382804876bddf5521304bbbe01d8c127e9b482baf4db923_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776232147&Signature=qctdwqGOIWSBEBix28Qxr45GEATFVdZTkDPbDIdJUHZ668NUB29x7xOOu3BZACgBBczicReTkIygLYXiDb20rGtoja2iQxFCTOWE4%2FLwc9Nxh7I1%2FSoHR6%2Bi5Wk4XJTAcdzAGeExua8rUKoFT5sIKrtv83PwbAvTCO7GvcydYPqGs2mLLbQhp7372gRlMAdZg6XILhNRYSlLjZKO%2BpqkBfkK8qpwy%2BaB6%2BDnSqhM%2BVFxaWXh", "https://vtbehaviour.commondatastorage.googleapis.com/106d36306f3b9357ff409aa1e41521243092c85e8e92fee633b033c9753e98a6_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776232356&Signature=dOUaP3bH%2F2XkNjkbn9FzySukzQbvCwdZKL3t4DjYw8QyaWjsDXs4zMrVafpcb0nOty%2Ff6lOTZkHbIBpyOnKxL9VoqGlftDb03fLBfKM96ov1%2B%2F7gAUJtMfAdk9BUBNUNda9t16wrDNGAVeGod5gZULkmaRB%2BSYwitpYbdZZw9oqT6GM86gMSQdng8tKJ5jvB7qzOr5k3fD2VUuTDsvjZN4f0hncuHKTT6LK4T2FPew5lUi44QzME", "https://vtbehaviour.commondatastorage.googleapis.com/003c70373fd8307426c9597ea691d0065e4b17fbeaea25155d3180d59d19aecd_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776235521&Signature=XyL%2BziErEMLdDGzpkOrsFWzF%2Bs8%2F%2BHa%2Ft1S5%2FfgkdYZVZNUoI9ouy4IwZLiV4Fi2woIHU9YMnGYvqC6u0SHx0R%2FTbBYsAWIRLcS0jXCiNEz33EKRDTLcQqaAqg1bgEzbagC8RvfUjg5sQp8chQSkn3nYGGovJ1W9KDWu39peg7l0wU95LMSY%2BtbjEdzA0ghSq8IG%2BBSGkETgfJdXrKjyTRw1x5DEwN%2BENKfa54%2FmxDHO7iP3", "https://vtbehaviour.commondatastorage.googleapis.com/003c70373fd8307426c9597ea691d0065e4b17fbeaea25155d3180d59d19aecd_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776235484&Signature=hjxNiAS7V%2Bsk78jk2ksTamwBDr%2Bbip09k8w%2FY%2FkvqfB676c53pmH%2Fwa7Py9BXy9tIptTKWA5SsC3Zck6ghdFqW3CcffOr0qRIsUIFknMfbuE3oC4UsaSuLoa%2B54UO0%2FJMTN9B5Y1HSbWJqFkxVX1WVQ5ry5yt9yJUK3m0DTRx9bsJ%2FoCKT3ionJdg5tZcst941SNesx3DRgpuAQmN9UVlNpRNCEwutgqN8XoC4EnI5l6Nt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 5178, "URL": 5165, "FileHash-MD5": 1546, "FileHash-SHA1": 381, "domain": 1818, "hostname": 3413, "email": 22, "URI": 2, "CVE": 1 }, "indicator_count": 17526, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "15 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "699bf39a4b96d1d4236cf91f", "name": "Suspicious PDF Analysis+Behavioral Summary", "description": "Analysis of network and process logs indicates an attempt to undermine the system\u2019s Root of Trust by manipulating certificate validation files. The attacker is likely using Man-in-the-Middle techniques to force the system to accept revoked or fraudulent certificates. Additionally, suspicious activity within Adobe processes suggests that software update mechanisms are being hijacked to execute malicious code. Immediate isolation is required to prevent the installation of unauthorized software or the interception of encrypted data.", "modified": "2026-05-15T17:51:27.499000", "created": "2026-02-23T06:28:42.282000", "tags": [ "" ], "references": [ "", "TLP: AMBER" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [ "" ], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": true, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 1892, "FileHash-SHA256": 9944, "FileHash-MD5": 1802, "URL": 225, "hostname": 445, "domain": 284, "CVE": 91, "SSLCertFingerprint": 2, "email": 14, "CIDR": 5 }, "indicator_count": 14704, "is_author": false, "is_subscribing": null, "subscriber_count": 70, "modified_text": "16 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69dde8e68ac7a2840b6bdd2c", "name": "certs validating exp", "description": "date: Wed 13 Aug 2025 18:27:37 GMT\n443 Certificate Issuer\tUS\n443 Certificate Issuer\tLet's Encrypt\n443 Certificate Issuer\tR11\n443 Certificate Version\t3\n443 Certificate Serialnumber\t06E70A00F1A7ECC718E549DFC033670782FD\n443 Certificate Notbefore\tJun 27 22:43:23 2025 GMT\n443 Certificate Notafter\tSep 25 22:43:22 2025 GMT\n443 Certificate Subjectaltname\tfirestoneco.gov\n443 Certificate Caissuers\thttp://r11.i.lencr.org/\n443 Certificate Crldistributionpoints\thttp://r11.c.lencr.org/126.crl\n443 Certificate Sha1\t947ab069c85d001d60febdc3c2205bbb75ad7c0b>>>>", "modified": "2026-05-14T07:02:49.006000", "created": "2026-04-14T07:12:38.854000", "tags": [ "united", "a domains", "function", "javascript type", "script endif", "megamenutext", "script script", "link", "passive dns", "ip address", "date", "body", "config", "window", "title", "target", "encrypt" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 1, "URL": 55, "domain": 27, "hostname": 23 }, "indicator_count": 106, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "17 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69dde8e68ac7a2840b6bdd2b", "name": "certs validating exp", "description": "date: Wed 13 Aug 2025 18:27:37 GMT\n443 Certificate Issuer\tUS\n443 Certificate Issuer\tLet's Encrypt\n443 Certificate Issuer\tR11\n443 Certificate Version\t3\n443 Certificate Serialnumber\t06E70A00F1A7ECC718E549DFC033670782FD\n443 Certificate Notbefore\tJun 27 22:43:23 2025 GMT\n443 Certificate Notafter\tSep 25 22:43:22 2025 GMT\n443 Certificate Subjectaltname\tfirestoneco.gov\n443 Certificate Caissuers\thttp://r11.i.lencr.org/\n443 Certificate Crldistributionpoints\thttp://r11.c.lencr.org/126.crl\n443 Certificate Sha1\t947ab069c85d001d60febdc3c2205bbb75ad7c0b>>>>", "modified": "2026-05-14T07:02:49.006000", "created": "2026-04-14T07:12:38.474000", "tags": [ "united", "a domains", "function", "javascript type", "script endif", "megamenutext", "script script", "link", "passive dns", "ip address", "date", "body", "config", "window", "title", "target", "encrypt" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 1, "URL": 56, "domain": 27, "hostname": 23 }, "indicator_count": 107, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "17 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69dde8e61e9d84a49e7404e9", "name": "certs validating exp", "description": "date: Wed 13 Aug 2025 18:27:37 GMT\n443 Certificate Issuer\tUS\n443 Certificate Issuer\tLet's Encrypt\n443 Certificate Issuer\tR11\n443 Certificate Version\t3\n443 Certificate Serialnumber\t06E70A00F1A7ECC718E549DFC033670782FD\n443 Certificate Notbefore\tJun 27 22:43:23 2025 GMT\n443 Certificate Notafter\tSep 25 22:43:22 2025 GMT\n443 Certificate Subjectaltname\tfirestoneco.gov\n443 Certificate Caissuers\thttp://r11.i.lencr.org/\n443 Certificate Crldistributionpoints\thttp://r11.c.lencr.org/126.crl\n443 Certificate Sha1\t947ab069c85d001d60febdc3c2205bbb75ad7c0b>>>>", "modified": "2026-05-14T07:02:49.006000", "created": "2026-04-14T07:12:38.096000", "tags": [ "united", "a domains", "function", "javascript type", "script endif", "megamenutext", "script script", "link", "passive dns", "ip address", "date", "body", "config", "window", "title", "target", "encrypt" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 4, "URL": 206, "domain": 96, "hostname": 107 }, "indicator_count": 413, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "17 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69dde8e5a8942bd5ac1fbcee", "name": "certs validating exp", "description": "date: Wed 13 Aug 2025 18:27:37 GMT\n443 Certificate Issuer\tUS\n443 Certificate Issuer\tLet's Encrypt\n443 Certificate Issuer\tR11\n443 Certificate Version\t3\n443 Certificate Serialnumber\t06E70A00F1A7ECC718E549DFC033670782FD\n443 Certificate Notbefore\tJun 27 22:43:23 2025 GMT\n443 Certificate Notafter\tSep 25 22:43:22 2025 GMT\n443 Certificate Subjectaltname\tfirestoneco.gov\n443 Certificate Caissuers\thttp://r11.i.lencr.org/\n443 Certificate Crldistributionpoints\thttp://r11.c.lencr.org/126.crl\n443 Certificate Sha1\t947ab069c85d001d60febdc3c2205bbb75ad7c0b>>>>", "modified": "2026-05-14T07:02:49.006000", "created": "2026-04-14T07:12:37.635000", "tags": [ "united", "a domains", "function", "javascript type", "script endif", "megamenutext", "script script", "link", "passive dns", "ip address", "date", "body", "config", "window", "title", "target", "encrypt" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 3, "URL": 58, "domain": 29, "hostname": 24, "YARA": 1, "FileHash-MD5": 2, "FileHash-SHA256": 2 }, "indicator_count": 119, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "17 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69cec51dd4caf951207fb1a8", "name": "VirusTotal report\n for ul Business Intelligence. Moving Beyond the Obvious 2007.pdf", "description": "The full text of this page, which contains the following text, has been published on the website of Civicplus.com, the social networking site, for the first time since its launch in 2008.", "modified": "2026-05-02T19:36:13.629000", "created": "2026-04-02T19:35:57.845000", "tags": [ "file type", "chrome cache", "entry", "cache entry", "jpeg image", "jfif", "png image", "ascii text", "json", "united", "malicious", "code", "persistence", "phishing", "next", "10px", "ad code", "please", "antiddos", "firewall", "helvetica", "noscript", "request", "doctype html", "ieedge", "title", "body", "span", "android", "gmt p3p", "idc dsp", "cor adm", "devi taii", "psa psd", "ivai ivdi", "coni his", "our ind", "data", "contenttype", "performs dns", "https", "mitre attack", "network info", "processes extra", "html page", "t1055 process", "layer protocol", "overview", "overview zenbox" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/000ea1a97119456bc0d73d6f04298896bcf8a014015dd5a3854db979acc33ba4_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775158226&Signature=3QddteTdwd75BU6tgEH4xfsAlwIG9pwNTU%2B8HvPznGKaEJfuEtDcpYQyXWaSVlGW29PwL%2Fps1Qfqzxq9FuYI6MpYw3Bx7KqBKoEqzG%2BfIDblZaHtF%2Bq57ipRLnJbyvLR8w%2B1bXr7vwOsQlnBMQPRzC9hK4UR1xQRt%2BFkGma5x53fb1ICCz4wT7DcsKUsrwBYrNpWD3InFukyHR38M91oretTmUAb2PGAKNugUwaY22shu94UubqcBJGvmX", "https://vtbehaviour.commondatastorage.googleapis.com/9ca5c168d3a3b77403a468a247b08f3987c9baee621bc93a1330d4343d5167e6_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775158347&Signature=sEbgpIc1%2BiCg1xj63drTjLA1epwJeKE9CT6C%2FnPtDvvNsLwbXXgIXmkAt2dKfK5cqb2MQ6rWSIcBDnierzZWQvJ%2F%2BpnBcvgW3mwnRqcrPKCIDaXkVSOfCziQhhgU%2F0YIEehdmBIxg%2BcMlXk6Ub0B3YYdlFlz4c%2Ft13IcN1R6g1%2FPy4zGIhnQQvcGI78vhrb0VqY48%2BeoY5%2FROErUXojoI%2Bi8IP%2FrmkiUEspZnd", "https://vtbehaviour.commondatastorage.googleapis.com/9ca5c168d3a3b77403a468a247b08f3987c9baee621bc93a1330d4343d5167e6_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775158717&Signature=0%2FgP6zQY0JvD44dS9aqwH0bqe9ln9c3valuyOk8IADGwNXhOIDcXq6ivyb5hcITWzdHmiMnds3LC6HH6Dw9JXfM47tiL9OKF%2BbTQPz9B8Fr2JanaTSCRjOV2H%2FXW1wZjSdhhcSQyWhw97q4rqKyI%2F1VEbewxt2wrLP0TazgfCoHOCU2Qh08l7nSN%2F1idGUl5yUkmlHE60kQxe%2BHjcktoYejJf6exwwI9QED8MFrrm%2BGEwdmILRQtAbLe" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 281, "URL": 91, "FileHash-MD5": 9, "FileHash-SHA1": 8, "domain": 8, "hostname": 102 }, "indicator_count": 499, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "29 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69cec51dc2c14c906bce0b67", "name": "VirusTotal report\n for ul Business Intelligence. Moving Beyond the Obvious 2007.pdf", "description": "The full text of this page, which contains the following text, has been published on the website of Civicplus.com, the social networking site, for the first time since its launch in 2008.", "modified": "2026-05-02T19:36:13.629000", "created": "2026-04-02T19:35:57.899000", "tags": [ "file type", "chrome cache", "entry", "cache entry", "jpeg image", "jfif", "png image", "ascii text", "json", "united", "malicious", "code", "persistence", "phishing", "next", "10px", "ad code", "please", "antiddos", "firewall", "helvetica", "noscript", "request", "doctype html", "ieedge", "title", "body", "span", "android", "gmt p3p", "idc dsp", "cor adm", "devi taii", "psa psd", "ivai ivdi", "coni his", "our ind", "data", "contenttype", "performs dns", "https", "mitre attack", "network info", "processes extra", "html page", "t1055 process", "layer protocol", "overview", "overview zenbox" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/000ea1a97119456bc0d73d6f04298896bcf8a014015dd5a3854db979acc33ba4_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775158226&Signature=3QddteTdwd75BU6tgEH4xfsAlwIG9pwNTU%2B8HvPznGKaEJfuEtDcpYQyXWaSVlGW29PwL%2Fps1Qfqzxq9FuYI6MpYw3Bx7KqBKoEqzG%2BfIDblZaHtF%2Bq57ipRLnJbyvLR8w%2B1bXr7vwOsQlnBMQPRzC9hK4UR1xQRt%2BFkGma5x53fb1ICCz4wT7DcsKUsrwBYrNpWD3InFukyHR38M91oretTmUAb2PGAKNugUwaY22shu94UubqcBJGvmX", "https://vtbehaviour.commondatastorage.googleapis.com/9ca5c168d3a3b77403a468a247b08f3987c9baee621bc93a1330d4343d5167e6_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775158347&Signature=sEbgpIc1%2BiCg1xj63drTjLA1epwJeKE9CT6C%2FnPtDvvNsLwbXXgIXmkAt2dKfK5cqb2MQ6rWSIcBDnierzZWQvJ%2F%2BpnBcvgW3mwnRqcrPKCIDaXkVSOfCziQhhgU%2F0YIEehdmBIxg%2BcMlXk6Ub0B3YYdlFlz4c%2Ft13IcN1R6g1%2FPy4zGIhnQQvcGI78vhrb0VqY48%2BeoY5%2FROErUXojoI%2Bi8IP%2FrmkiUEspZnd", "https://vtbehaviour.commondatastorage.googleapis.com/9ca5c168d3a3b77403a468a247b08f3987c9baee621bc93a1330d4343d5167e6_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775158717&Signature=0%2FgP6zQY0JvD44dS9aqwH0bqe9ln9c3valuyOk8IADGwNXhOIDcXq6ivyb5hcITWzdHmiMnds3LC6HH6Dw9JXfM47tiL9OKF%2BbTQPz9B8Fr2JanaTSCRjOV2H%2FXW1wZjSdhhcSQyWhw97q4rqKyI%2F1VEbewxt2wrLP0TazgfCoHOCU2Qh08l7nSN%2F1idGUl5yUkmlHE60kQxe%2BHjcktoYejJf6exwwI9QED8MFrrm%2BGEwdmILRQtAbLe" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 281, "URL": 91, "FileHash-MD5": 9, "FileHash-SHA1": 8, "domain": 8, "hostname": 102 }, "indicator_count": 499, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "29 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69cec51c08c81128a8e46bd9", "name": "VirusTotal report\n for ul Business Intelligence. Moving Beyond the Obvious 2007.pdf", "description": "The full text of this page, which contains the following text, has been published on the website of Civicplus.com, the social networking site, for the first time since its launch in 2008.", "modified": "2026-05-02T19:36:13.629000", "created": "2026-04-02T19:35:56.216000", "tags": [ "file type", "chrome cache", "entry", "cache entry", "jpeg image", "jfif", "png image", "ascii text", "json", "united", "malicious", "code", "persistence", "phishing", "next", "10px", "ad code", "please", "antiddos", "firewall", "helvetica", "noscript", "request", "doctype html", "ieedge", "title", "body", "span", "android", "gmt p3p", "idc dsp", "cor adm", "devi taii", "psa psd", "ivai ivdi", "coni his", "our ind", "data", "contenttype", "performs dns", "https", "mitre attack", "network info", "processes extra", "html page", "t1055 process", "layer protocol", "overview", "overview zenbox" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/000ea1a97119456bc0d73d6f04298896bcf8a014015dd5a3854db979acc33ba4_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775158226&Signature=3QddteTdwd75BU6tgEH4xfsAlwIG9pwNTU%2B8HvPznGKaEJfuEtDcpYQyXWaSVlGW29PwL%2Fps1Qfqzxq9FuYI6MpYw3Bx7KqBKoEqzG%2BfIDblZaHtF%2Bq57ipRLnJbyvLR8w%2B1bXr7vwOsQlnBMQPRzC9hK4UR1xQRt%2BFkGma5x53fb1ICCz4wT7DcsKUsrwBYrNpWD3InFukyHR38M91oretTmUAb2PGAKNugUwaY22shu94UubqcBJGvmX", "https://vtbehaviour.commondatastorage.googleapis.com/9ca5c168d3a3b77403a468a247b08f3987c9baee621bc93a1330d4343d5167e6_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775158347&Signature=sEbgpIc1%2BiCg1xj63drTjLA1epwJeKE9CT6C%2FnPtDvvNsLwbXXgIXmkAt2dKfK5cqb2MQ6rWSIcBDnierzZWQvJ%2F%2BpnBcvgW3mwnRqcrPKCIDaXkVSOfCziQhhgU%2F0YIEehdmBIxg%2BcMlXk6Ub0B3YYdlFlz4c%2Ft13IcN1R6g1%2FPy4zGIhnQQvcGI78vhrb0VqY48%2BeoY5%2FROErUXojoI%2Bi8IP%2FrmkiUEspZnd", "https://vtbehaviour.commondatastorage.googleapis.com/9ca5c168d3a3b77403a468a247b08f3987c9baee621bc93a1330d4343d5167e6_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775158717&Signature=0%2FgP6zQY0JvD44dS9aqwH0bqe9ln9c3valuyOk8IADGwNXhOIDcXq6ivyb5hcITWzdHmiMnds3LC6HH6Dw9JXfM47tiL9OKF%2BbTQPz9B8Fr2JanaTSCRjOV2H%2FXW1wZjSdhhcSQyWhw97q4rqKyI%2F1VEbewxt2wrLP0TazgfCoHOCU2Qh08l7nSN%2F1idGUl5yUkmlHE60kQxe%2BHjcktoYejJf6exwwI9QED8MFrrm%2BGEwdmILRQtAbLe" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 281, "URL": 91, "FileHash-MD5": 9, "FileHash-SHA1": 8, "domain": 8, "hostname": 102 }, "indicator_count": 499, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "29 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69c9f04fda51a74fa94942e5", "name": "US Bases 202 google drop to icloud infostealer/wiper", "description": "A complete analysis of Pulse, a collection of user-created Pulses, has been published on the website of Inomanliner.net. and it is not possible to access the full archive.", "modified": "2026-04-29T03:09:49.528000", "created": "2026-03-30T03:38:55.602000", "tags": [ "pulse pulses", "http", "passive dns", "urls", "files related", "pulses otx", "pulses", "related tags", "acrstealer", "clearfake", "zip archive", "php script", "ascii text" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 367, "domain": 60, "FileHash-SHA256": 166, "FileHash-MD5": 8, "FileHash-SHA1": 4, "hostname": 53, "SSLCertFingerprint": 4, "email": 1 }, "indicator_count": 663, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "32 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69c38daf71dc209ac52c5160", "name": "Snakebyte Parallels Panel 46a40bd64233b1838740a5d8e7dc68a363125537", "description": "A complete list of names, locations and details for a new website:.com, a group of companies, groups, organisations, and a third of the world's largest web service, known as Whois.<< 'broken seal'\n\nObservations: Unplugged, Airbook, flashed wrote or write javascript in red around 2:45am EST when trying to upload and took me to a google screen.", "modified": "2026-05-16T00:08:35.224000", "created": "2026-04-15T05:59:09.898000", "tags": [ "sign", "submission", "unread", "community score", "status", "content type", "date", "community join", "community", "api key", "body", "dns resolutions", "ip traffic", "performs dns", "found", "https", "urls", "mitre attack", "network info", "processes extra", "mnhqrsc7", "t1055 process", "layer protocol", "phishing", "next", "get http", "rules not", "http", "injection", "memory pattern", "cape sandbox", "zenbox", "detections not", "found mitre", "info ids", "size", "analysis date", "domains", "facebook", "language", "vhash", "ssdeep", "file type", "html internet", "magic html", "unicode text", "utf8 text", "algorithm", "key identifier", "x509v3 subject", "v3 serial", "number", "cus olet", "encrypt cne7", "validity", "subject public", "key info", "handle", "server", "entity", "registrar abuse", "llc creation", "join", "umbrella", "trid file", "redacted for", "privacy tech", "privacy admin", "country", "stateprovince", "postal code", "organization", "email", "code", "canva", "overview", "dropped info", "malicious", "default", "file size", "mwdb", "bazaar", "sha3384", "acrongl integ", "adc4240758", "sha256", "accept", "shutdown", "back", "windows sandbox", "calls process", "docguard", "greyware mitre", "evasion", "vs98", "compiler", "sp6 build", "chi2", "contained", "authentihash", "rich pe", "win32 exe", "system process", "pe file", "ms windows", "downloads", "united", "drops pe", "tls version", "persistence", "fraud", "nothing", "registry keys", "parent pid", "full path", "command line", "mutexes nothing", "created", "files c", "read files", "read registry", "tcp connections", "udp connections", "files nothing", "description", "host process", "windows", "user", "integritylevel", "detailsendswith", "helper objects", "cache", "imageendswith", "autorun keys", "modification id", "asep", "victor sergeev", "tim shelton", "nextron", "from", "system32", "syswow64", "winsxs", "lolbins", "roth", "markus neis", "filesavira", "rule set", "github", "matches rule", "florian roth", "capture", "malware", "cgb osectigo", "public server", "dv r36", "pdf document", "magic pdf", "trid adobe", "format", "crc32", "win1", "detail info", "tickcount", "filename", "behaviour", "imagepath", "cmdline", "offset", "targetprocess", "writeaddress", "write", "shell", "open" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/a77a417f32cbded88f0d4e3663963a8965e72a25398acc329d907143e4ac3b23_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776228071&Signature=k4OPGTTS9fpKAbpLbTCobvi0%2BEjGbp7VcWYSCEp1TvQjpVcQtED0S8jcuTQ0McsWiP%2B6aw%2Fx98DNyVWEyPW4Tk8SxeBRXHcp0LXtwZJGGgR6Bg22qNhLkdLO31x8icluFzt4jqqp9hvJBXQodGoJWmlyxa3b9mS%2BeqUdi0ui3etDt%2Fhqv5QEOSCDX7bljWWmxRJa%2BZfAYDazGaCIGSQoltS%2BeMihl5SLMi%2B%2BjYP6%2BKTvM9xwUC", "https://vtbehaviour.commondatastorage.googleapis.com/a77a417f32cbded88f0d4e3663963a8965e72a25398acc329d907143e4ac3b23_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776228177&Signature=MeuwZPsdr0gtQe0sk4q%2F4CUZfcMW69%2BxIGhrTaYMPXdTjl9aWJE5615NjAm4MvLR4DtSbJ7cc1BFbk7BVmjJn8nL41YfGq%2BBf5gZPn0%2FQV9ktpUtUMF9Lv0QkTRTFvsf0jeKYeC2md5imom9AjEbo5ewSdFcbMP503mxuC0pdhpq7S49aLwME4HDzuoSSRnwj%2BlEmfp5egLduihMAZHjBHMzBdPMJAufJFlU8IQZClMZlgiQVG7EB%2Fv1e6", "https://vtbehaviour.commondatastorage.googleapis.com/b0b9aa9f245afb8f001e1d0c3be360fac8128469e52b5242115a7ff6e6c04978_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229294&Signature=OdVBHVnXq3aV47RlsO8ckBUvhV7Kn9b%2F4xcw6rkjRGl101K0lV0KpQpJFnEJ2JNjbsHO7vdMuiA2nR7aFNAx3pK6oJ2uEM5B%2F1BElXy3wNiL6OMqOj6VDv1lBLizeW3yvJG2V6sF%2By0mIhjiIDTOWyndGkDQoxymSgXyRoelmqrYH09k2E5CRoipEjdu2HUz6DgB0hePe4bG7h%2FBmerbDws5a3iwYrIjxjcFH06RSyYEapwLeYDZLUN8zzbnyg", "https://vtbehaviour.commondatastorage.googleapis.com/b0b9aa9f245afb8f001e1d0c3be360fac8128469e52b5242115a7ff6e6c04978_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229341&Signature=FsDJqLFCpjpHyHkGAAeaeZJ0FuHsnHPW6OqfNr9%2FNQIMbW7S%2BpRdtBt0QC6eD2wVbJ0w0mn5Yh0umB2%2B4oj4WMpC%2Bbrabv85VtOz%2F7vZpXZYD00Eey8BoejnKjQXMEvwQelKFGpAKX9nv%2FzwiCOS22Yks44WKHJ9A32A8UatUxBJensQPOqvN6AxKy8xxjxFGM3cZm0F86LlAfualBwN7iwbWFmc4eGjmYxY6luyqTxxyh58Vh", "https://vtbehaviour.commondatastorage.googleapis.com/b0b9aa9f245afb8f001e1d0c3be360fac8128469e52b5242115a7ff6e6c04978_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229360&Signature=mH4LFzdNbM%2FrTWl5A1VAc7ojWzYacRphus9okWr%2BvKUFUyk6TK8Pas4WKG1FcvFR2wwpkpjhE0AE0viuh35qs9qrKBS2fIH14W17FlfmoSXYlBcSDESzTv%2FVzT%2F0Apeil6p9N3Fux7xxH6ZuNyB%2B4%2FPrsSOrCfOkh4oSRipPAOPTUdPYpQTe0rA1LiyBADnpOeEOc4sEeKoTGaMgqmSXd6sFNnsjxsspmJ6p%2F0NL9s", "https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229700&Signature=bWnonefGUZtYeK3iLEK3l6B1K8s5LAANJsHqgu2f0adNPoq5aO1WnMIFL001ZRPLhg3zHdzVWEliZbOKd464xRNceJ7qnwM2u%2BoTUWVsdG7sWp8m3KT9cy98h7ihyVxEJudR7SVtw3hFHyjnbgFd8um7IWE3l2SqVOMKxir6agkJHMAg85Uq%2B29m%2Fxor5i2T2eJagX5555p5VHGXCleUwHe47ThbWegYdvCtAeZOtTKyRSdkhAYjfh3BJ1x2dWJ2", "https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229786&Signature=xYXDEDJcly%2BwCTkFPUyrSr228UUue%2BCAjKBOxrc5lIwprWxivXrJrS40lCNF%2BKMLkA9i6z04spAOemhRUK66rLcdqghb9T%2FBO4LbtGMX%2B1PAsVhS%2BP4qygPXIHJ5%2B8wxoZW2tYaq0ZvgAT6JnxbkWd5C0zOxXk%2F9hT6Vp9O5ikL6ZfyZ6slwyrcaPf2dQp0s8qV47TDrYLbF3PtfUd7Gqo1FH%2BCeT2v3waoi7mEQ%2BR", "https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229983&Signature=pjZPJEd79tkxjTOXjGMHb4Ed29a3OnC2MaGvoEp2E%2BtUNlKu%2BjXXLzR8Y%2FZlOZH1iQYAVjw%2BGSPneb4wnbT1VPNraQ3Xf5M6aAPdM6%2FksMddUDZcLVnFuSdgwU93ADeZobmWXc%2BJH1%2FguUu9OPzHo0G%2BgRmTNqH9qd3UF67OJAc5REJ07uMtzQuuBx6rXGruAKZEVmDJkBSj%2BYeGTwZmIa5rki62YowEiVDCcQ", "https://vtbehaviour.commondatastorage.googleapis.com/a77a417f32cbded88f0d4e3663963a8965e72a25398acc329d907143e4ac3b23_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776230863&Signature=MAUJlRZPDmQ8L%2FN5a%2F5%2FFKR6Avr46BE%2BopAgWZomEP4ZjskOPFdqUdHqNnWlGWBv%2FQh4X7Z7p3aft1KWZdvUXnSZMerAL7Kuh%2BCK%2BLXLSALQZ9DL6ZpXdOktgaTxL6heoTmcz%2FvpOVmsFn%2FgbzxQjLZ9GliY9AQE1C3VJAZmqdMbG1Y%2FIpByCKcEokrgAN%2B7XhJGE94VD8A4luLzKvlyVYuqoFv6raDRdQMFBOXOJCXkyjJk", "https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776230932&Signature=xa5mbsGixH6SGhj%2BdrfZBwVhiHGEybcZdAbHUfpoGoECgFwqMLudtOiuX7AZZO2RxSaIoY%2FOQa%2B7jGfS%2FoeYRgjRTmAJCei6M172sbgIU6nRQdVDrqNeJXkSlr20Q1sW0%2B4gtImsebtle4ipmPMbrM6VDUWKjegUi8afL5a27GLZg9veVMc%2FI0aT1qx8EjsdITQ%2BSdvZoX39A%2FlC3j0gK6R9WcVdu3DEx6lxUHsOx3HPKk%2BJAZyZ", "https://vtbehaviour.commondatastorage.googleapis.com/5db6524a52780ba7a4bd05e5faa20cbb7159f1c503394d850b5e95442357fb38_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776230974&Signature=zYx3MmXFQoBT4EG2nvG5OZiyNhwKxbZzjL6%2BNZgR4Vz%2FdHSEDvbVaSpxmWXWVYIvSYVfBhn1WxEelG4wi1yRrrS7CXwxSbXtv1E6hBhtT8u%2F%2Fj%2F4eRs2Jtulv5WvBY99pZ53qx9cvc8vV%2FgELVw%2Fy%2Bjat%2BN72%2BtX0XBhiiOt%2BtpVFkjl12ns9sbW6xNwzsrENkL5xhuctZ7TX2AX188SrJb9s5VM0wK7F8", "https://vtbehaviour.commondatastorage.googleapis.com/00fa27f76beaca564ba93b54d2c468637c2b1dcb5568c4a597a08068af36cda5_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776231578&Signature=NwCoyWHAZRo4FS0XqNnT7d8ki2ytuinY7CisegY4Mq1T5JctWpC4Kee1LG6L3Tmb8%2BfW9yMZq0ChSvSYUjdDTFzNYQoq8vKxf8iGkMy%2BmOA3tSAu3gbLWS2bTtDjc4TFrtK0PKow3hO0FW0QtCkt9NPBi%2BPgoW7MXYIZ3uFt9ARoi%2FY1ChJZdBRtdii1C%2BWEDeLCIQ9xOpDRKxdYBmliuWm6kmeld%2F5yh1%2FSBDYYTOMDDZwzdDUr%2FB", "https://vtbehaviour.commondatastorage.googleapis.com/000c8c89cace706e71df3b230abb53b0891757e08e1d10013ba76d98a3b08622_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776231935&Signature=wI0FB9EBFXXgWFo0thv9T11BAEOIJxW%2BSMCRUhCv8%2FEaaWaZhr975NH1qjEeFwIgm3cWdqm8KhXTxkbqGddaPoKiIoe59pX4ZVhr0LmnSTGFTFkLVGsGIajJCSutHgqOs6kW5KtDpyC67KxlAF1IA858Tz7eOXxYk3JYsf5g9iC%2BhkfqrDGGucK%2BDxtYZbIvDRb3QxLpD2qtF4NVPFoO38H3aJon0pykwGkrRNU0Pae%2F5YyJjl6m", "https://vtbehaviour.commondatastorage.googleapis.com/f403bda8d1840e13c382804876bddf5521304bbbe01d8c127e9b482baf4db923_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776232147&Signature=qctdwqGOIWSBEBix28Qxr45GEATFVdZTkDPbDIdJUHZ668NUB29x7xOOu3BZACgBBczicReTkIygLYXiDb20rGtoja2iQxFCTOWE4%2FLwc9Nxh7I1%2FSoHR6%2Bi5Wk4XJTAcdzAGeExua8rUKoFT5sIKrtv83PwbAvTCO7GvcydYPqGs2mLLbQhp7372gRlMAdZg6XILhNRYSlLjZKO%2BpqkBfkK8qpwy%2BaB6%2BDnSqhM%2BVFxaWXh", "https://vtbehaviour.commondatastorage.googleapis.com/106d36306f3b9357ff409aa1e41521243092c85e8e92fee633b033c9753e98a6_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776232356&Signature=dOUaP3bH%2F2XkNjkbn9FzySukzQbvCwdZKL3t4DjYw8QyaWjsDXs4zMrVafpcb0nOty%2Ff6lOTZkHbIBpyOnKxL9VoqGlftDb03fLBfKM96ov1%2B%2F7gAUJtMfAdk9BUBNUNda9t16wrDNGAVeGod5gZULkmaRB%2BSYwitpYbdZZw9oqT6GM86gMSQdng8tKJ5jvB7qzOr5k3fD2VUuTDsvjZN4f0hncuHKTT6LK4T2FPew5lUi44QzME", "https://vtbehaviour.commondatastorage.googleapis.com/003c70373fd8307426c9597ea691d0065e4b17fbeaea25155d3180d59d19aecd_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776235521&Signature=XyL%2BziErEMLdDGzpkOrsFWzF%2Bs8%2F%2BHa%2Ft1S5%2FfgkdYZVZNUoI9ouy4IwZLiV4Fi2woIHU9YMnGYvqC6u0SHx0R%2FTbBYsAWIRLcS0jXCiNEz33EKRDTLcQqaAqg1bgEzbagC8RvfUjg5sQp8chQSkn3nYGGovJ1W9KDWu39peg7l0wU95LMSY%2BtbjEdzA0ghSq8IG%2BBSGkETgfJdXrKjyTRw1x5DEwN%2BENKfa54%2FmxDHO7iP3", "https://vtbehaviour.commondatastorage.googleapis.com/003c70373fd8307426c9597ea691d0065e4b17fbeaea25155d3180d59d19aecd_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776235484&Signature=hjxNiAS7V%2Bsk78jk2ksTamwBDr%2Bbip09k8w%2FY%2FkvqfB676c53pmH%2Fwa7Py9BXy9tIptTKWA5SsC3Zck6ghdFqW3CcffOr0qRIsUIFknMfbuE3oC4UsaSuLoa%2B54UO0%2FJMTN9B5Y1HSbWJqFkxVX1WVQ5ry5yt9yJUK3m0DTRx9bsJ%2FoCKT3ionJdg5tZcst941SNesx3DRgpuAQmN9UVlNpRNCEwutgqN8XoC4EnI5l6Nt" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 5178, "URL": 5165, "FileHash-MD5": 1546, "FileHash-SHA1": 381, "domain": 1818, "hostname": 3413, "email": 22, "URI": 2, "CVE": 1 }, "indicator_count": 17526, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "15 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "699bf39a4b96d1d4236cf91f", "name": "Suspicious PDF Analysis+Behavioral Summary", "description": "Analysis of network and process logs indicates an attempt to undermine the system\u2019s Root of Trust by manipulating certificate validation files. The attacker is likely using Man-in-the-Middle techniques to force the system to accept revoked or fraudulent certificates. Additionally, suspicious activity within Adobe processes suggests that software update mechanisms are being hijacked to execute malicious code. Immediate isolation is required to prevent the installation of unauthorized software or the interception of encrypted data.", "modified": "2026-05-15T17:51:27.499000", "created": "2026-02-23T06:28:42.282000", "tags": [ "" ], "references": [ "", "TLP: AMBER" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [ "" ], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": true, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 1892, "FileHash-SHA256": 9944, "FileHash-MD5": 1802, "URL": 225, "hostname": 445, "domain": 284, "CVE": 91, "SSLCertFingerprint": 2, "email": 14, "CIDR": 5 }, "indicator_count": 14704, "is_author": false, "is_subscribing": null, "subscriber_count": 70, "modified_text": "16 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69dde8e68ac7a2840b6bdd2c", "name": "certs validating exp", "description": "date: Wed 13 Aug 2025 18:27:37 GMT\n443 Certificate Issuer\tUS\n443 Certificate Issuer\tLet's Encrypt\n443 Certificate Issuer\tR11\n443 Certificate Version\t3\n443 Certificate Serialnumber\t06E70A00F1A7ECC718E549DFC033670782FD\n443 Certificate Notbefore\tJun 27 22:43:23 2025 GMT\n443 Certificate Notafter\tSep 25 22:43:22 2025 GMT\n443 Certificate Subjectaltname\tfirestoneco.gov\n443 Certificate Caissuers\thttp://r11.i.lencr.org/\n443 Certificate Crldistributionpoints\thttp://r11.c.lencr.org/126.crl\n443 Certificate Sha1\t947ab069c85d001d60febdc3c2205bbb75ad7c0b>>>>", "modified": "2026-05-14T07:02:49.006000", "created": "2026-04-14T07:12:38.854000", "tags": [ "united", "a domains", "function", "javascript type", "script endif", "megamenutext", "script script", "link", "passive dns", "ip address", "date", "body", "config", "window", "title", "target", "encrypt" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 1, "URL": 55, "domain": 27, "hostname": 23 }, "indicator_count": 106, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "17 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69dde8e68ac7a2840b6bdd2b", "name": "certs validating exp", "description": "date: Wed 13 Aug 2025 18:27:37 GMT\n443 Certificate Issuer\tUS\n443 Certificate Issuer\tLet's Encrypt\n443 Certificate Issuer\tR11\n443 Certificate Version\t3\n443 Certificate Serialnumber\t06E70A00F1A7ECC718E549DFC033670782FD\n443 Certificate Notbefore\tJun 27 22:43:23 2025 GMT\n443 Certificate Notafter\tSep 25 22:43:22 2025 GMT\n443 Certificate Subjectaltname\tfirestoneco.gov\n443 Certificate Caissuers\thttp://r11.i.lencr.org/\n443 Certificate Crldistributionpoints\thttp://r11.c.lencr.org/126.crl\n443 Certificate Sha1\t947ab069c85d001d60febdc3c2205bbb75ad7c0b>>>>", "modified": "2026-05-14T07:02:49.006000", "created": "2026-04-14T07:12:38.474000", "tags": [ "united", "a domains", "function", "javascript type", "script endif", "megamenutext", "script script", "link", "passive dns", "ip address", "date", "body", "config", "window", "title", "target", "encrypt" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 1, "URL": 56, "domain": 27, "hostname": 23 }, "indicator_count": 107, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "17 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69dde8e61e9d84a49e7404e9", "name": "certs validating exp", "description": "date: Wed 13 Aug 2025 18:27:37 GMT\n443 Certificate Issuer\tUS\n443 Certificate Issuer\tLet's Encrypt\n443 Certificate Issuer\tR11\n443 Certificate Version\t3\n443 Certificate Serialnumber\t06E70A00F1A7ECC718E549DFC033670782FD\n443 Certificate Notbefore\tJun 27 22:43:23 2025 GMT\n443 Certificate Notafter\tSep 25 22:43:22 2025 GMT\n443 Certificate Subjectaltname\tfirestoneco.gov\n443 Certificate Caissuers\thttp://r11.i.lencr.org/\n443 Certificate Crldistributionpoints\thttp://r11.c.lencr.org/126.crl\n443 Certificate Sha1\t947ab069c85d001d60febdc3c2205bbb75ad7c0b>>>>", "modified": "2026-05-14T07:02:49.006000", "created": "2026-04-14T07:12:38.096000", "tags": [ "united", "a domains", "function", "javascript type", "script endif", "megamenutext", "script script", "link", "passive dns", "ip address", "date", "body", "config", "window", "title", "target", "encrypt" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 4, "URL": 206, "domain": 96, "hostname": 107 }, "indicator_count": 413, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "17 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69dde8e5a8942bd5ac1fbcee", "name": "certs validating exp", "description": "date: Wed 13 Aug 2025 18:27:37 GMT\n443 Certificate Issuer\tUS\n443 Certificate Issuer\tLet's Encrypt\n443 Certificate Issuer\tR11\n443 Certificate Version\t3\n443 Certificate Serialnumber\t06E70A00F1A7ECC718E549DFC033670782FD\n443 Certificate Notbefore\tJun 27 22:43:23 2025 GMT\n443 Certificate Notafter\tSep 25 22:43:22 2025 GMT\n443 Certificate Subjectaltname\tfirestoneco.gov\n443 Certificate Caissuers\thttp://r11.i.lencr.org/\n443 Certificate Crldistributionpoints\thttp://r11.c.lencr.org/126.crl\n443 Certificate Sha1\t947ab069c85d001d60febdc3c2205bbb75ad7c0b>>>>", "modified": "2026-05-14T07:02:49.006000", "created": "2026-04-14T07:12:37.635000", "tags": [ "united", "a domains", "function", "javascript type", "script endif", "megamenutext", "script script", "link", "passive dns", "ip address", "date", "body", "config", "window", "title", "target", "encrypt" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 3, "URL": 58, "domain": 29, "hostname": 24, "YARA": 1, "FileHash-MD5": 2, "FileHash-SHA256": 2 }, "indicator_count": 119, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "17 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69cec51dd4caf951207fb1a8", "name": "VirusTotal report\n for ul Business Intelligence. Moving Beyond the Obvious 2007.pdf", "description": "The full text of this page, which contains the following text, has been published on the website of Civicplus.com, the social networking site, for the first time since its launch in 2008.", "modified": "2026-05-02T19:36:13.629000", "created": "2026-04-02T19:35:57.845000", "tags": [ "file type", "chrome cache", "entry", "cache entry", "jpeg image", "jfif", "png image", "ascii text", "json", "united", "malicious", "code", "persistence", "phishing", "next", "10px", "ad code", "please", "antiddos", "firewall", "helvetica", "noscript", "request", "doctype html", "ieedge", "title", "body", "span", "android", "gmt p3p", "idc dsp", "cor adm", "devi taii", "psa psd", "ivai ivdi", "coni his", "our ind", "data", "contenttype", "performs dns", "https", "mitre attack", "network info", "processes extra", "html page", "t1055 process", "layer protocol", "overview", "overview zenbox" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/000ea1a97119456bc0d73d6f04298896bcf8a014015dd5a3854db979acc33ba4_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775158226&Signature=3QddteTdwd75BU6tgEH4xfsAlwIG9pwNTU%2B8HvPznGKaEJfuEtDcpYQyXWaSVlGW29PwL%2Fps1Qfqzxq9FuYI6MpYw3Bx7KqBKoEqzG%2BfIDblZaHtF%2Bq57ipRLnJbyvLR8w%2B1bXr7vwOsQlnBMQPRzC9hK4UR1xQRt%2BFkGma5x53fb1ICCz4wT7DcsKUsrwBYrNpWD3InFukyHR38M91oretTmUAb2PGAKNugUwaY22shu94UubqcBJGvmX", "https://vtbehaviour.commondatastorage.googleapis.com/9ca5c168d3a3b77403a468a247b08f3987c9baee621bc93a1330d4343d5167e6_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775158347&Signature=sEbgpIc1%2BiCg1xj63drTjLA1epwJeKE9CT6C%2FnPtDvvNsLwbXXgIXmkAt2dKfK5cqb2MQ6rWSIcBDnierzZWQvJ%2F%2BpnBcvgW3mwnRqcrPKCIDaXkVSOfCziQhhgU%2F0YIEehdmBIxg%2BcMlXk6Ub0B3YYdlFlz4c%2Ft13IcN1R6g1%2FPy4zGIhnQQvcGI78vhrb0VqY48%2BeoY5%2FROErUXojoI%2Bi8IP%2FrmkiUEspZnd", "https://vtbehaviour.commondatastorage.googleapis.com/9ca5c168d3a3b77403a468a247b08f3987c9baee621bc93a1330d4343d5167e6_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775158717&Signature=0%2FgP6zQY0JvD44dS9aqwH0bqe9ln9c3valuyOk8IADGwNXhOIDcXq6ivyb5hcITWzdHmiMnds3LC6HH6Dw9JXfM47tiL9OKF%2BbTQPz9B8Fr2JanaTSCRjOV2H%2FXW1wZjSdhhcSQyWhw97q4rqKyI%2F1VEbewxt2wrLP0TazgfCoHOCU2Qh08l7nSN%2F1idGUl5yUkmlHE60kQxe%2BHjcktoYejJf6exwwI9QED8MFrrm%2BGEwdmILRQtAbLe" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 281, "URL": 91, "FileHash-MD5": 9, "FileHash-SHA1": 8, "domain": 8, "hostname": 102 }, "indicator_count": 499, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "29 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69cec51dc2c14c906bce0b67", "name": "VirusTotal report\n for ul Business Intelligence. Moving Beyond the Obvious 2007.pdf", "description": "The full text of this page, which contains the following text, has been published on the website of Civicplus.com, the social networking site, for the first time since its launch in 2008.", "modified": "2026-05-02T19:36:13.629000", "created": "2026-04-02T19:35:57.899000", "tags": [ "file type", "chrome cache", "entry", "cache entry", "jpeg image", "jfif", "png image", "ascii text", "json", "united", "malicious", "code", "persistence", "phishing", "next", "10px", "ad code", "please", "antiddos", "firewall", "helvetica", "noscript", "request", "doctype html", "ieedge", "title", "body", "span", "android", "gmt p3p", "idc dsp", "cor adm", "devi taii", "psa psd", "ivai ivdi", "coni his", "our ind", "data", "contenttype", "performs dns", "https", "mitre attack", "network info", "processes extra", "html page", "t1055 process", "layer protocol", "overview", "overview zenbox" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/000ea1a97119456bc0d73d6f04298896bcf8a014015dd5a3854db979acc33ba4_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775158226&Signature=3QddteTdwd75BU6tgEH4xfsAlwIG9pwNTU%2B8HvPznGKaEJfuEtDcpYQyXWaSVlGW29PwL%2Fps1Qfqzxq9FuYI6MpYw3Bx7KqBKoEqzG%2BfIDblZaHtF%2Bq57ipRLnJbyvLR8w%2B1bXr7vwOsQlnBMQPRzC9hK4UR1xQRt%2BFkGma5x53fb1ICCz4wT7DcsKUsrwBYrNpWD3InFukyHR38M91oretTmUAb2PGAKNugUwaY22shu94UubqcBJGvmX", "https://vtbehaviour.commondatastorage.googleapis.com/9ca5c168d3a3b77403a468a247b08f3987c9baee621bc93a1330d4343d5167e6_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775158347&Signature=sEbgpIc1%2BiCg1xj63drTjLA1epwJeKE9CT6C%2FnPtDvvNsLwbXXgIXmkAt2dKfK5cqb2MQ6rWSIcBDnierzZWQvJ%2F%2BpnBcvgW3mwnRqcrPKCIDaXkVSOfCziQhhgU%2F0YIEehdmBIxg%2BcMlXk6Ub0B3YYdlFlz4c%2Ft13IcN1R6g1%2FPy4zGIhnQQvcGI78vhrb0VqY48%2BeoY5%2FROErUXojoI%2Bi8IP%2FrmkiUEspZnd", "https://vtbehaviour.commondatastorage.googleapis.com/9ca5c168d3a3b77403a468a247b08f3987c9baee621bc93a1330d4343d5167e6_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775158717&Signature=0%2FgP6zQY0JvD44dS9aqwH0bqe9ln9c3valuyOk8IADGwNXhOIDcXq6ivyb5hcITWzdHmiMnds3LC6HH6Dw9JXfM47tiL9OKF%2BbTQPz9B8Fr2JanaTSCRjOV2H%2FXW1wZjSdhhcSQyWhw97q4rqKyI%2F1VEbewxt2wrLP0TazgfCoHOCU2Qh08l7nSN%2F1idGUl5yUkmlHE60kQxe%2BHjcktoYejJf6exwwI9QED8MFrrm%2BGEwdmILRQtAbLe" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 281, "URL": 91, "FileHash-MD5": 9, "FileHash-SHA1": 8, "domain": 8, "hostname": 102 }, "indicator_count": 499, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "29 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69cec51c08c81128a8e46bd9", "name": "VirusTotal report\n for ul Business Intelligence. Moving Beyond the Obvious 2007.pdf", "description": "The full text of this page, which contains the following text, has been published on the website of Civicplus.com, the social networking site, for the first time since its launch in 2008.", "modified": "2026-05-02T19:36:13.629000", "created": "2026-04-02T19:35:56.216000", "tags": [ "file type", "chrome cache", "entry", "cache entry", "jpeg image", "jfif", "png image", "ascii text", "json", "united", "malicious", "code", "persistence", "phishing", "next", "10px", "ad code", "please", "antiddos", "firewall", "helvetica", "noscript", "request", "doctype html", "ieedge", "title", "body", "span", "android", "gmt p3p", "idc dsp", "cor adm", "devi taii", "psa psd", "ivai ivdi", "coni his", "our ind", "data", "contenttype", "performs dns", "https", "mitre attack", "network info", "processes extra", "html page", "t1055 process", "layer protocol", "overview", "overview zenbox" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/000ea1a97119456bc0d73d6f04298896bcf8a014015dd5a3854db979acc33ba4_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775158226&Signature=3QddteTdwd75BU6tgEH4xfsAlwIG9pwNTU%2B8HvPznGKaEJfuEtDcpYQyXWaSVlGW29PwL%2Fps1Qfqzxq9FuYI6MpYw3Bx7KqBKoEqzG%2BfIDblZaHtF%2Bq57ipRLnJbyvLR8w%2B1bXr7vwOsQlnBMQPRzC9hK4UR1xQRt%2BFkGma5x53fb1ICCz4wT7DcsKUsrwBYrNpWD3InFukyHR38M91oretTmUAb2PGAKNugUwaY22shu94UubqcBJGvmX", "https://vtbehaviour.commondatastorage.googleapis.com/9ca5c168d3a3b77403a468a247b08f3987c9baee621bc93a1330d4343d5167e6_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775158347&Signature=sEbgpIc1%2BiCg1xj63drTjLA1epwJeKE9CT6C%2FnPtDvvNsLwbXXgIXmkAt2dKfK5cqb2MQ6rWSIcBDnierzZWQvJ%2F%2BpnBcvgW3mwnRqcrPKCIDaXkVSOfCziQhhgU%2F0YIEehdmBIxg%2BcMlXk6Ub0B3YYdlFlz4c%2Ft13IcN1R6g1%2FPy4zGIhnQQvcGI78vhrb0VqY48%2BeoY5%2FROErUXojoI%2Bi8IP%2FrmkiUEspZnd", "https://vtbehaviour.commondatastorage.googleapis.com/9ca5c168d3a3b77403a468a247b08f3987c9baee621bc93a1330d4343d5167e6_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775158717&Signature=0%2FgP6zQY0JvD44dS9aqwH0bqe9ln9c3valuyOk8IADGwNXhOIDcXq6ivyb5hcITWzdHmiMnds3LC6HH6Dw9JXfM47tiL9OKF%2BbTQPz9B8Fr2JanaTSCRjOV2H%2FXW1wZjSdhhcSQyWhw97q4rqKyI%2F1VEbewxt2wrLP0TazgfCoHOCU2Qh08l7nSN%2F1idGUl5yUkmlHE60kQxe%2BHjcktoYejJf6exwwI9QED8MFrrm%2BGEwdmILRQtAbLe" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 281, "URL": 91, "FileHash-MD5": 9, "FileHash-SHA1": 8, "domain": 8, "hostname": 102 }, "indicator_count": 499, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "29 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69c9f04fda51a74fa94942e5", "name": "US Bases 202 google drop to icloud infostealer/wiper", "description": "A complete analysis of Pulse, a collection of user-created Pulses, has been published on the website of Inomanliner.net. and it is not possible to access the full archive.", "modified": "2026-04-29T03:09:49.528000", "created": "2026-03-30T03:38:55.602000", "tags": [ "pulse pulses", "http", "passive dns", "urls", "files related", "pulses otx", "pulses", "related tags", "acrstealer", "clearfake", "zip archive", "php script", "ascii text" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 367, "domain": 60, "FileHash-SHA256": 166, "FileHash-MD5": 8, "FileHash-SHA1": 4, "hostname": 53, "SSLCertFingerprint": 4, "email": 1 }, "indicator_count": 663, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "32 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://platform.civicplus.com", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://platform.civicplus.com", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780264727.6206272 }