{ "type": "URL", "indicator": "https://policies.google.com/terms", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://policies.google.com/terms", "type": "url", "type_title": "URL", "validation": [ { "source": "alexa", "message": "Alexa rank: #1", "name": "Listed on Alexa" }, { "source": "akamai", "message": "Akamai rank: #3", "name": "Akamai Popular Domain" }, { "source": "whitelist", "message": "Whitelisted domain google.com", "name": "Whitelisted domain" }, { "source": "majestic", "message": "Whitelisted domain google.com", "name": "Whitelisted domain" } ], "base_indicator": { "id": 3213076973, "indicator": "https://policies.google.com/terms", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 12, "pulses": [ { "id": "6a056cacb981e6f3b2dd4647", "name": "Hijacked 'Operation Endgame' Tofsee Ransomware clone credit scoreblue", "description": "", "modified": "2026-05-14T07:28:01.780000", "created": "2026-05-14T06:33:16.946000", "tags": [ "as8075", "united", "pid425870621", "tid700443057", "tpid425870621", "slot1", "mascore2", "bcnt1", "unid88000705", "nct1", "date", "china", "china unknown", "passive dns", "body xml", "error code", "requestid", "hostid ec", "server", "gmt content", "type", "registry", "intel", "ms windows", "show", "entries", "search", "high", "pe32", "high process", "injection t1055", "salicode", "worm", "copy", "tools", "service", "write", "win32", "persistence", "execution", "april", "urls", "http", "unique", "scan endpoints", "all scoreblue", "url http", "pulse pulses", "ip address", "related nids", "code", "as54113", "unknown", "body", "fastly error", "please", "sea p", "msil", "accept", "aaaa", "nxdomain", "whitelisted", "as15169 google", "status", "as44273 host", "as46691", "domain", "url https", "files location", "info", "script urls", "path max", "age86400 set", "cookie", "script domains", "javascript", "script script", "trojanspy", "cname", "emails", "servers", "all search", "related pulses", "file samples", "files matching", "creation date", "germany unknown", "yara detections", "filehash", "av detections", "ids detections", "alerts", "analysis date", "file score", "meta", "home welcome", "write c", "delete c", "query", "local", "hostname", "a domains", "lowfi", "content type", "record value", "suite", "showing", "asnone united", "as29873", "ipv4", "pulse submit", "url analysis", "files", "pe32 executable", "potential scan", "0pgtwhu", "t1045", "port", "infection", "recon", "malware", "june", "delphi", "taobao network", "as45102 alibaba", "as4812 china", "next", "expiration date", "name servers", "dynamicloader", "dynamic", "sha256", "dynamic link", "library exe", "adobe", "incorporated", "read", "yara rule", "delete", "binary file", "push", "malicious", "july", "iocs", "levelbluelabs", "jeff4son", "adversaries", "registry run", "flow t1574", "dll sideloading", "boot", "logon autostart", "execution t1547", "keys", "startup folder", "t1497 may", "encryption", "catalog tree", "analysis ob0001", "virtual machine", "detection b0009", "check registry", "analysis ob0002", "executable code", "stack strings", "control ob0004", "get http", "http requests", "dns resolutions", "ip traffic", "pattern domains", "memory pattern", "urls http", "request", "response", "connection", "trojan", "otx scoreblue", "windows", "embeddedwb", "medium", "shellexecuteexw", "msie", "windows nt", "displayname", "tofsee", "hashes", "vhash", "authentihash", "ssdeep", "win32 exe", "magic pe32", "trid win32", "library", "read c", "file guard", "rtversion", "langchinese", "legalcopyright", "reserved", "ransom", "moved", "media", "ascii text", "default", "upack", "mike", "contacted", "x87xe1x1d", "regsetvalueexa", "x95xd3xa4", "regbinary", "x84xa8xe8i", "x8dxb7xb7", "hx88x9ax1e", "mx81xd1r", "x92xac", "xc2x84", "stream", "swipper", "pdfcreator.sf.net", "botnet", "black mercedes", "please forgive me", "therahand thouroughhand" ], "references": [ "Project Endgame - pegausintel.com -Unsjre if related to NSO Group", "Antivirus Detections: ALF:HeraklezEval:Rogue:Win32/FakeRean", "Yara Detections: compromised_site_redirector_fromcharcode , Cabinet_Archive , SFX_CAB", "Alerts: infostealer_cookies persistence_autorun recon_programs recon_fingerprint removes_zoneid_ads anomalous_deletefile", "P\u2019s Contacted: 93.184.221.240 3.33.130.190 | Domains Contacted: counterslocal.com", "compromised_site_redirector_fromcharcode fromCharCode", "Interesting Strings: http://www.interoperabilitybridges.com/wmp http://crbug.com/40902 http://crbug.com/516527", "Interesting Strings: http://service.real.com/realplayer/security/02062012_player/en/", "Interesting Strings: https://support.google.com/chrome/?p=plugin_pdf", "https://support.google.com/chrome/?p=plugin_quicktime https://chrome.google.com/", "Interesting Strings: http://schema.org/GovernmentOrganization https://support.google.com/chrome/?p=plugin_java https://crbug.com/593166", "Pdf.Phishing.TtraffRobotInstall-7605656-0 00004feb58be42ba1bd506ea89f90c5e1d83e6e1fb84841931949a454b0bb539", "Antivirus Detections Cryp_Xed-12 , Mal/Generic-S , Packed/Upack Yara Detections Upackv039finalDwing , UpackV037Dwing", "https://pin.it/ | https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Worm:Win32/Macoute.A", "display_name": "Worm:Win32/Macoute.A", "target": "/malware/Worm:Win32/Macoute.A" }, { "id": "TrojanDownloader:Win32/Nemucod", "display_name": "TrojanDownloader:Win32/Nemucod", "target": "/malware/TrojanDownloader:Win32/Nemucod" }, { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "ALF:HeraklezEval:Rogue:Win32/FakeRean", "display_name": "ALF:HeraklezEval:Rogue:Win32/FakeRean", "target": null }, { "id": "Worm:Win32/Fesber.A", "display_name": "Worm:Win32/Fesber.A", "target": "/malware/Worm:Win32/Fesber.A" }, { "id": "Ransom:Win32/Eniqma.A", "display_name": "Ransom:Win32/Eniqma.A", "target": "/malware/Ransom:Win32/Eniqma.A" }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "UpackV037Dwing", "display_name": "UpackV037Dwing", "target": null }, { "id": "Cryp_Xed-12", "display_name": "Cryp_Xed-12", "target": null }, { "id": "Mal/Generic-S", "display_name": "Mal/Generic-S", "target": null } ], "attack_ids": [ { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" } ], "industries": [], "TLP": "green", "cloned_from": "66eb3ef6d765187a437767e4", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1521, "FileHash-SHA1": 1395, "FileHash-SHA256": 6084, "URL": 1499, "domain": 1947, "hostname": 1361, "email": 18, "CVE": 1 }, "indicator_count": 13826, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "17 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a056cac80d9b80eb1a97e29", "name": "Hijacked 'Operation Endgame' Tofsee Ransomware clone credit scoreblue", "description": "", "modified": "2026-05-14T07:14:09.098000", "created": "2026-05-14T06:33:16.505000", "tags": [ "as8075", "united", "pid425870621", "tid700443057", "tpid425870621", "slot1", "mascore2", "bcnt1", "unid88000705", "nct1", "date", "china", "china unknown", "passive dns", "body xml", "error code", "requestid", "hostid ec", "server", "gmt content", "type", "registry", "intel", "ms windows", "show", "entries", "search", "high", "pe32", "high process", "injection t1055", "salicode", "worm", "copy", "tools", "service", "write", "win32", "persistence", "execution", "april", "urls", "http", "unique", "scan endpoints", "all scoreblue", "url http", "pulse pulses", "ip address", "related nids", "code", "as54113", "unknown", "body", "fastly error", "please", "sea p", "msil", "accept", "aaaa", "nxdomain", "whitelisted", "as15169 google", "status", "as44273 host", "as46691", "domain", "url https", "files location", "info", "script urls", "path max", "age86400 set", "cookie", "script domains", "javascript", "script script", "trojanspy", "cname", "emails", "servers", "all search", "related pulses", "file samples", "files matching", "creation date", "germany unknown", "yara detections", "filehash", "av detections", "ids detections", "alerts", "analysis date", "file score", "meta", "home welcome", "write c", "delete c", "query", "local", "hostname", "a domains", "lowfi", "content type", "record value", "suite", "showing", "asnone united", "as29873", "ipv4", "pulse submit", "url analysis", "files", "pe32 executable", "potential scan", "0pgtwhu", "t1045", "port", "infection", "recon", "malware", "june", "delphi", "taobao network", "as45102 alibaba", "as4812 china", "next", "expiration date", "name servers", "dynamicloader", "dynamic", "sha256", "dynamic link", "library exe", "adobe", "incorporated", "read", "yara rule", "delete", "binary file", "push", "malicious", "july", "iocs", "levelbluelabs", "jeff4son", "adversaries", "registry run", "flow t1574", "dll sideloading", "boot", "logon autostart", "execution t1547", "keys", "startup folder", "t1497 may", "encryption", "catalog tree", "analysis ob0001", "virtual machine", "detection b0009", "check registry", "analysis ob0002", "executable code", "stack strings", "control ob0004", "get http", "http requests", "dns resolutions", "ip traffic", "pattern domains", "memory pattern", "urls http", "request", "response", "connection", "trojan", "otx scoreblue", "windows", "embeddedwb", "medium", "shellexecuteexw", "msie", "windows nt", "displayname", "tofsee", "hashes", "vhash", "authentihash", "ssdeep", "win32 exe", "magic pe32", "trid win32", "library", "read c", "file guard", "rtversion", "langchinese", "legalcopyright", "reserved", "ransom", "moved", "media", "ascii text", "default", "upack", "mike", "contacted", "x87xe1x1d", "regsetvalueexa", "x95xd3xa4", "regbinary", "x84xa8xe8i", "x8dxb7xb7", "hx88x9ax1e", "mx81xd1r", "x92xac", "xc2x84", "stream", "swipper", "pdfcreator.sf.net", "botnet", "black mercedes", "please forgive me", "therahand thouroughhand" ], "references": [ "Project Endgame - pegausintel.com -Unsjre if related to NSO Group", "Antivirus Detections: ALF:HeraklezEval:Rogue:Win32/FakeRean", "Yara Detections: compromised_site_redirector_fromcharcode , Cabinet_Archive , SFX_CAB", "Alerts: infostealer_cookies persistence_autorun recon_programs recon_fingerprint removes_zoneid_ads anomalous_deletefile", "P\u2019s Contacted: 93.184.221.240 3.33.130.190 | Domains Contacted: counterslocal.com", "compromised_site_redirector_fromcharcode fromCharCode", "Interesting Strings: http://www.interoperabilitybridges.com/wmp http://crbug.com/40902 http://crbug.com/516527", "Interesting Strings: http://service.real.com/realplayer/security/02062012_player/en/", "Interesting Strings: https://support.google.com/chrome/?p=plugin_pdf", "https://support.google.com/chrome/?p=plugin_quicktime https://chrome.google.com/", "Interesting Strings: http://schema.org/GovernmentOrganization https://support.google.com/chrome/?p=plugin_java https://crbug.com/593166", "Pdf.Phishing.TtraffRobotInstall-7605656-0 00004feb58be42ba1bd506ea89f90c5e1d83e6e1fb84841931949a454b0bb539", "Antivirus Detections Cryp_Xed-12 , Mal/Generic-S , Packed/Upack Yara Detections Upackv039finalDwing , UpackV037Dwing", "https://pin.it/ | https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Worm:Win32/Macoute.A", "display_name": "Worm:Win32/Macoute.A", "target": "/malware/Worm:Win32/Macoute.A" }, { "id": "TrojanDownloader:Win32/Nemucod", "display_name": "TrojanDownloader:Win32/Nemucod", "target": "/malware/TrojanDownloader:Win32/Nemucod" }, { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "ALF:HeraklezEval:Rogue:Win32/FakeRean", "display_name": "ALF:HeraklezEval:Rogue:Win32/FakeRean", "target": null }, { "id": "Worm:Win32/Fesber.A", "display_name": "Worm:Win32/Fesber.A", "target": "/malware/Worm:Win32/Fesber.A" }, { "id": "Ransom:Win32/Eniqma.A", "display_name": "Ransom:Win32/Eniqma.A", "target": "/malware/Ransom:Win32/Eniqma.A" }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "UpackV037Dwing", "display_name": "UpackV037Dwing", "target": null }, { "id": "Cryp_Xed-12", "display_name": "Cryp_Xed-12", "target": null }, { "id": "Mal/Generic-S", "display_name": "Mal/Generic-S", "target": null } ], "attack_ids": [ { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" } ], "industries": [], "TLP": "green", "cloned_from": "66eb3ef6d765187a437767e4", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1493, "FileHash-SHA1": 1393, "FileHash-SHA256": 5881, "URL": 1499, "domain": 1947, "hostname": 1360, "email": 18, "CVE": 1 }, "indicator_count": 13592, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "17 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69fed99080ca19fd27b184cb", "name": "CAPE Sandbox - \"Client Challenge\" Created 4/27/2025.", "description": "[The Cuckoo.com website has been shut down by Microsoft, with the result of an analysis of the network's traffic patterns, and the results of its analysis] A SHA for an educational app/website I dont even have generated what is called \" Client Challenge\"\n 2c4b2093aa07afb9d633fd4e734a9707\n2732a5adf7152c21b4a5aaa0a7b45f3d4be7874a\naa7261397b39ae202abcfc337b8307c7d2532a9b7ee721f7a87a6f25aa59608d\n622b6b82655de58b927dd956ab84db9d\n48:IYhkrFN9YfHFTtJXQHyeyQ4v3W7UNp/xmhIfgjOGkOHMZKKyMaiskaO3n:TsYdxJXQHFY375ro6tZ8MaM93n\nT1E05100012CF6C176147724BB9E73B25A2B5064476216E41C3AEDDA28CF82FD9EC426EC\nHTML \ninternet\nhtml\nHTML document, Unicode text, UTF-8 text\nHyperText Markup Language (100%)\nHTML\n3.03 KB (3101 bytes) /_fs-ch-1T1wmsGaOgGaSxcX/assets/inter-var.woff2\n/_fs-ch-1T1wmsGaOgGaSxcX/assets/styles.css -13jdrops from one html/38 malic files/bluetooth cap.", "modified": "2026-05-10T08:20:56.907000", "created": "2026-05-09T06:52:00.985000", "tags": [ "nothing", "registry keys", "mutexes nothing", "data", "datacrashpad", "edge", "created", "parent pid", "full path", "command line", "https", "network info", "processes extra", "performs dns", "layer protocol", "overview", "mitre attack", "overview zenbox", "verdict", "guest system", "phishing", "defense evasion", "next", "ip info", "ip country", "united", "info process", "mwdb", "bazaar", "sha3384", "ssdeep", "strong", "file type", "library", "size", "default", "sha1", "accept", "mcafee", "span", "install", "softonic", "alerta", "download", "error", "crypt32", "body", "bootkit", "lockfile", "title", "inside", "shutdown", "impact", "global", "restart", "uwaga", "startpage", "window", "find", "false", "null", "payload", "write", "installer", "winmm", "back", "nlrnsrdb", "trumusic", "kevsight tox", "html internet", "html document", "unicode text", "utf8 text", "language", "settings", "first counter", "file size", "sha256", "bridge", "info", "date", "agent", "root", "pe file", "ms windows", "pe32", "found", "png image", "rgba", "cabinet archive", "files c", "delphi", "code", "persistence", "malicious", "unix", "wed jun", "dropped info", "linux verdict", "bluetooth", "4/27/25", "drops", "legacy admin", "hacking tools", "geofence", "education", "government" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/aa7261397b39ae202abcfc337b8307c7d2532a9b7ee721f7a87a6f25aa59608d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778308356&Signature=Bq0QXx5QtdlR4B1OLE2oNH2ivhP5koRxoxaBIC4bDOb1nad7b%2B4MKW2csIzcVHkiJ2lEuxuzVaPZAtPN9ZbTMiEwygTIHCvt%2BjujlP3fb2dgOki9C6FhEd5DCKB3RdzsNdqXB2VDF7rZoLj%2BNII3rrWNk714D3qNNxku1k1gsD%2FpGCxIrO0e0y2styb6l6hhzJjcGwSCEPbS6MRA%2BA90qkVuNCgIucEDcJ5lkx0B2OOW4YW0Csc3", "https://vtbehaviour.commondatastorage.googleapis.com/aa7261397b39ae202abcfc337b8307c7d2532a9b7ee721f7a87a6f25aa59608d_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778308390&Signature=29e34JRtkg7NaukyKdD3mE9rGo0hrpCAePmGPmvrVPeeHY4ax13egnxzXVjOctDKN%2F26RdliQEdXTd301UZjrUIJxeMbNgmdXQ3AdU5y%2FV8c21ePTIEAIq2Onb%2Bq5kutHekqTdBS3d0tgfIBKVBE9kZsGWzbMQFPKPv%2B%2FDpvMZSgtM2dO2vord9nXbkwcHCYBrVWvVALPOmXc910%2BAWvZOsLaWmvQjsMI0DTAIUwyx0zveFkVWqa2XOJbD", "https://vtbehaviour.commondatastorage.googleapis.com/aa7261397b39ae202abcfc337b8307c7d2532a9b7ee721f7a87a6f25aa59608d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778308554&Signature=lODaur8GDc6MSh92WMx%2BV%2F7WRfkYjVs6kHiY4Sx12RcybRrsXaBC6oik%2FVeSMne1EODoqRn6AOcL%2FnIJ3J1ki%2Flrawz0HqWnxDTycnuefpWaPbw6abOU2796lcdgAMJxF9cGIDFHeaJDHQhbd0qeV07OK%2BhEKGGkjFWmqxOlqcTx526c%2FyRTuJaoFKrRzHVk9z2Xhv16kmnrY1VWhnBNyv3cMtVW076z2DheqC1Nya4ZJR3T", "https://vtbehaviour.commondatastorage.googleapis.com/fe2fcf32cc0d38931131fde27db1e5693774844075b4e3c33c82a3625f397a7d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778308630&Signature=tal7xZ9VHrLtK%2Fx5z4thfPUsqP4jnN7mnhQemzL4D6Jt%2BSk8bXHsrCdJlx%2Be1lnoGRVGwvwKCjx3CEIT2hLNbJt09HJOJW8y0ZHcSz%2BVuPuDQOe77pC%2F3yFozFW3vI7CEZI7ISt8C80aND1aciQHVQazVru6MO8fQbjeA78vsrN6MB0ZuxTE%2FXOh0gshhIYHplGRIVhhJx5waxIeoxWL1ZXsSC%2BoXwk4g44W5t38Y5Tkcf%2", "https://vtbehaviour.commondatastorage.googleapis.com/643c94812af9c0d32df3563b4c03f3a27bb3931df6d0bf98ed2028439df5c523_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778308947&Signature=alDMcpCHWUfDgEjmw6GuL5bYJ7WAgrYGXsYb8PfNczzjNzMmdclOsPPSd8nKJEDsDmNxeb2sw0hYiHkOza%2FRN9q8612YM9nTO2inlISRitzqqNDU6JlAsf97walR1G6zBOoJyqTiDrsSbx5evH65eHfvmspVqAXrb%2BQ47kPd56689I4BQ%2BsXgtfYNLYfi0tZCIDXf9zFVUl7yJpOaXHvd6%2FB7n3VeDqry5%2FrR9w%2Ftznq2oHOWz", "https://vtbehaviour.commondatastorage.googleapis.com/96726d252031408ce594cb2d0f49cc98a87d5742e5c7bf95b067158bf1ecbb5a_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778309020&Signature=vqlAf29Jh8gzLx2hXd4oK3SHSQ7rtDkDCKFUjJTgs37n6pJU8vOHAMY%2BZDsFv79mq1BdEHoY7nok%2B%2F8fXKVOYaTlt0eAlBTIvhYUtDyujmwblYEgNlDU1rpNNKmZ55W8WmPUBFmUN3AaCIOZIX5vA4HFg6qulPpJnXDQ57TINvsk4Wwf9mClPe97Ye9DE6zAZarXt7XMT2RTpxVJqTD143j7%2BeJGcwEPknT64TWHLEfitFThoeAdncSqpQS74B", "https://vtbehaviour.commondatastorage.googleapis.com/cb38f0c781c188c3fc2ace5f55a12f2a4833c1c5fc869e698cf7994041e4a135_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778309094&Signature=2X1UxXszEC0vdMoCHG30M8zifvQi45%2FJScJ8N3QaALRZ8JM5fIK5QIhWdv9eYZgDlMDjqEs9sECAtO16r8UbHNPoPwRNzqUN6f6UIq0L8Tj%2BIYQrjZo7NBhiH6eUgkTaHAoBU02WDYP5Ov0biBhHziqfTBQQ5yDFh0H9CPRlLUefNK%2BHM%2BQYLwGLUpQ5yBTv1Mh5suQ1PLSj3g%2Fz429aGgT0ianBgbW7IIV50lIP4m5cr5UUek3l", "https://vtbehaviour.commondatastorage.googleapis.com/643c94812af9c0d32df3563b4c03f3a27bb3931df6d0bf98ed2028439df5c523_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778309164&Signature=NWdp0fiFpH6Jr1kaVwKEFGn0Zk0wRKMQLorUPZy7WKGD3M381ZLQM1PRrWmvwz5bujAib4QiCiOLd8A7PMvTMnOKQXz%2BwsI8tZk1vXfRwW6DJpI8nj3KWKoP3btIoik2VBrWn%2Fr1xNdIJ4Ic2MQEfOpslObUTaNkvaOGbdedf8llYwYXllyZneCKuVP5wMIq72nExH21e3%2FIfViwNbHZFbKS6roKZkLx4V7XxVk94woz0KT1LUAS0dYh" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1592", "name": "Gather Victim Host Information", "display_name": "T1592 - Gather Victim Host Information" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 529, "IPv4": 403, "hostname": 394, "domain": 121, "URL": 262, "FileHash-SHA1": 291, "FileHash-SHA256": 396 }, "indicator_count": 2396, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "21 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69fed98ed79b13165d78dc30", "name": "CAPE Sandbox - \"Client Challenge\" Created 4/27/2025.", "description": "[The Cuckoo.com website has been shut down by Microsoft, with the result of an analysis of the network's traffic patterns, and the results of its analysis] A SHA for an educational app/website I dont even have generated what is called \" Client Challenge\"\n 2c4b2093aa07afb9d633fd4e734a9707\n2732a5adf7152c21b4a5aaa0a7b45f3d4be7874a\naa7261397b39ae202abcfc337b8307c7d2532a9b7ee721f7a87a6f25aa59608d\n622b6b82655de58b927dd956ab84db9d\n48:IYhkrFN9YfHFTtJXQHyeyQ4v3W7UNp/xmhIfgjOGkOHMZKKyMaiskaO3n:TsYdxJXQHFY375ro6tZ8MaM93n\nT1E05100012CF6C176147724BB9E73B25A2B5064476216E41C3AEDDA28CF82FD9EC426EC\nHTML \ninternet\nhtml\nHTML document, Unicode text, UTF-8 text\nHyperText Markup Language (100%)\nHTML\n3.03 KB (3101 bytes) /_fs-ch-1T1wmsGaOgGaSxcX/assets/inter-var.woff2\n/_fs-ch-1T1wmsGaOgGaSxcX/assets/styles.css -13jdrops from one html/38 malic files/bluetooth cap.", "modified": "2026-05-10T08:11:16.996000", "created": "2026-05-09T06:51:58.884000", "tags": [ "nothing", "registry keys", "mutexes nothing", "data", "datacrashpad", "edge", "created", "parent pid", "full path", "command line", "https", "network info", "processes extra", "performs dns", "layer protocol", "overview", "mitre attack", "overview zenbox", "verdict", "guest system", "phishing", "defense evasion", "next", "ip info", "ip country", "united", "info process", "mwdb", "bazaar", "sha3384", "ssdeep", "strong", "file type", "library", "size", "default", "sha1", "accept", "mcafee", "span", "install", "softonic", "alerta", "download", "error", "crypt32", "body", "bootkit", "lockfile", "title", "inside", "shutdown", "impact", "global", "restart", "uwaga", "startpage", "window", "find", "false", "null", "payload", "write", "installer", "winmm", "back", "nlrnsrdb", "trumusic", "kevsight tox", "html internet", "html document", "unicode text", "utf8 text", "language", "settings", "first counter", "file size", "sha256", "bridge", "info", "date", "agent", "root", "pe file", "ms windows", "pe32", "found", "png image", "rgba", "cabinet archive", "files c", "delphi", "code", "persistence", "malicious", "unix", "wed jun", "dropped info", "linux verdict", "bluetooth", "4/27/25", "drops", "legacy admin", "hacking tools", "geofence", "education", "government" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/aa7261397b39ae202abcfc337b8307c7d2532a9b7ee721f7a87a6f25aa59608d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778308356&Signature=Bq0QXx5QtdlR4B1OLE2oNH2ivhP5koRxoxaBIC4bDOb1nad7b%2B4MKW2csIzcVHkiJ2lEuxuzVaPZAtPN9ZbTMiEwygTIHCvt%2BjujlP3fb2dgOki9C6FhEd5DCKB3RdzsNdqXB2VDF7rZoLj%2BNII3rrWNk714D3qNNxku1k1gsD%2FpGCxIrO0e0y2styb6l6hhzJjcGwSCEPbS6MRA%2BA90qkVuNCgIucEDcJ5lkx0B2OOW4YW0Csc3", "https://vtbehaviour.commondatastorage.googleapis.com/aa7261397b39ae202abcfc337b8307c7d2532a9b7ee721f7a87a6f25aa59608d_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778308390&Signature=29e34JRtkg7NaukyKdD3mE9rGo0hrpCAePmGPmvrVPeeHY4ax13egnxzXVjOctDKN%2F26RdliQEdXTd301UZjrUIJxeMbNgmdXQ3AdU5y%2FV8c21ePTIEAIq2Onb%2Bq5kutHekqTdBS3d0tgfIBKVBE9kZsGWzbMQFPKPv%2B%2FDpvMZSgtM2dO2vord9nXbkwcHCYBrVWvVALPOmXc910%2BAWvZOsLaWmvQjsMI0DTAIUwyx0zveFkVWqa2XOJbD", "https://vtbehaviour.commondatastorage.googleapis.com/aa7261397b39ae202abcfc337b8307c7d2532a9b7ee721f7a87a6f25aa59608d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778308554&Signature=lODaur8GDc6MSh92WMx%2BV%2F7WRfkYjVs6kHiY4Sx12RcybRrsXaBC6oik%2FVeSMne1EODoqRn6AOcL%2FnIJ3J1ki%2Flrawz0HqWnxDTycnuefpWaPbw6abOU2796lcdgAMJxF9cGIDFHeaJDHQhbd0qeV07OK%2BhEKGGkjFWmqxOlqcTx526c%2FyRTuJaoFKrRzHVk9z2Xhv16kmnrY1VWhnBNyv3cMtVW076z2DheqC1Nya4ZJR3T", "https://vtbehaviour.commondatastorage.googleapis.com/fe2fcf32cc0d38931131fde27db1e5693774844075b4e3c33c82a3625f397a7d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778308630&Signature=tal7xZ9VHrLtK%2Fx5z4thfPUsqP4jnN7mnhQemzL4D6Jt%2BSk8bXHsrCdJlx%2Be1lnoGRVGwvwKCjx3CEIT2hLNbJt09HJOJW8y0ZHcSz%2BVuPuDQOe77pC%2F3yFozFW3vI7CEZI7ISt8C80aND1aciQHVQazVru6MO8fQbjeA78vsrN6MB0ZuxTE%2FXOh0gshhIYHplGRIVhhJx5waxIeoxWL1ZXsSC%2BoXwk4g44W5t38Y5Tkcf%2", "https://vtbehaviour.commondatastorage.googleapis.com/643c94812af9c0d32df3563b4c03f3a27bb3931df6d0bf98ed2028439df5c523_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778308947&Signature=alDMcpCHWUfDgEjmw6GuL5bYJ7WAgrYGXsYb8PfNczzjNzMmdclOsPPSd8nKJEDsDmNxeb2sw0hYiHkOza%2FRN9q8612YM9nTO2inlISRitzqqNDU6JlAsf97walR1G6zBOoJyqTiDrsSbx5evH65eHfvmspVqAXrb%2BQ47kPd56689I4BQ%2BsXgtfYNLYfi0tZCIDXf9zFVUl7yJpOaXHvd6%2FB7n3VeDqry5%2FrR9w%2Ftznq2oHOWz", "https://vtbehaviour.commondatastorage.googleapis.com/96726d252031408ce594cb2d0f49cc98a87d5742e5c7bf95b067158bf1ecbb5a_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778309020&Signature=vqlAf29Jh8gzLx2hXd4oK3SHSQ7rtDkDCKFUjJTgs37n6pJU8vOHAMY%2BZDsFv79mq1BdEHoY7nok%2B%2F8fXKVOYaTlt0eAlBTIvhYUtDyujmwblYEgNlDU1rpNNKmZ55W8WmPUBFmUN3AaCIOZIX5vA4HFg6qulPpJnXDQ57TINvsk4Wwf9mClPe97Ye9DE6zAZarXt7XMT2RTpxVJqTD143j7%2BeJGcwEPknT64TWHLEfitFThoeAdncSqpQS74B", "https://vtbehaviour.commondatastorage.googleapis.com/cb38f0c781c188c3fc2ace5f55a12f2a4833c1c5fc869e698cf7994041e4a135_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778309094&Signature=2X1UxXszEC0vdMoCHG30M8zifvQi45%2FJScJ8N3QaALRZ8JM5fIK5QIhWdv9eYZgDlMDjqEs9sECAtO16r8UbHNPoPwRNzqUN6f6UIq0L8Tj%2BIYQrjZo7NBhiH6eUgkTaHAoBU02WDYP5Ov0biBhHziqfTBQQ5yDFh0H9CPRlLUefNK%2BHM%2BQYLwGLUpQ5yBTv1Mh5suQ1PLSj3g%2Fz429aGgT0ianBgbW7IIV50lIP4m5cr5UUek3l", "https://vtbehaviour.commondatastorage.googleapis.com/643c94812af9c0d32df3563b4c03f3a27bb3931df6d0bf98ed2028439df5c523_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778309164&Signature=NWdp0fiFpH6Jr1kaVwKEFGn0Zk0wRKMQLorUPZy7WKGD3M381ZLQM1PRrWmvwz5bujAib4QiCiOLd8A7PMvTMnOKQXz%2BwsI8tZk1vXfRwW6DJpI8nj3KWKoP3btIoik2VBrWn%2Fr1xNdIJ4Ic2MQEfOpslObUTaNkvaOGbdedf8llYwYXllyZneCKuVP5wMIq72nExH21e3%2FIfViwNbHZFbKS6roKZkLx4V7XxVk94woz0KT1LUAS0dYh" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1592", "name": "Gather Victim Host Information", "display_name": "T1592 - Gather Victim Host Information" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 547, "IPv4": 545, "hostname": 752, "domain": 290, "URL": 979, "FileHash-SHA1": 296, "FileHash-SHA256": 904, "CIDR": 2, "email": 2 }, "indicator_count": 4317, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "21 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69fed98a5807c9756ff0eb87", "name": "CAPE Sandbox - \"Client Challenge\" Created 4/27/2025.", "description": "[The Cuckoo.com website has been shut down by Microsoft, with the result of an analysis of the network's traffic patterns, and the results of its analysis] A SHA for an educational app/website I dont even have generated what is called \" Client Challenge\"\n 2c4b2093aa07afb9d633fd4e734a9707\n2732a5adf7152c21b4a5aaa0a7b45f3d4be7874a\naa7261397b39ae202abcfc337b8307c7d2532a9b7ee721f7a87a6f25aa59608d\n622b6b82655de58b927dd956ab84db9d\n48:IYhkrFN9YfHFTtJXQHyeyQ4v3W7UNp/xmhIfgjOGkOHMZKKyMaiskaO3n:TsYdxJXQHFY375ro6tZ8MaM93n\nT1E05100012CF6C176147724BB9E73B25A2B5064476216E41C3AEDDA28CF82FD9EC426EC\nHTML \ninternet\nhtml\nHTML document, Unicode text, UTF-8 text\nHyperText Markup Language (100%)\nHTML\n3.03 KB (3101 bytes) /_fs-ch-1T1wmsGaOgGaSxcX/assets/inter-var.woff2\n/_fs-ch-1T1wmsGaOgGaSxcX/assets/styles.css -13jdrops from one html/38 malic files/bluetooth cap.", "modified": "2026-05-09T12:26:36.816000", "created": "2026-05-09T06:51:54.319000", "tags": [ "nothing", "registry keys", "mutexes nothing", "data", "datacrashpad", "edge", "created", "parent pid", "full path", "command line", "https", "network info", "processes extra", "performs dns", "layer protocol", "overview", "mitre attack", "overview zenbox", "verdict", "guest system", "phishing", "defense evasion", "next", "ip info", "ip country", "united", "info process", "mwdb", "bazaar", "sha3384", "ssdeep", "strong", "file type", "library", "size", "default", "sha1", "accept", "mcafee", "span", "install", "softonic", "alerta", "download", "error", "crypt32", "body", "bootkit", "lockfile", "title", "inside", "shutdown", "impact", "global", "restart", "uwaga", "startpage", "window", "find", "false", "null", "payload", "write", "installer", "winmm", "back", "nlrnsrdb", "trumusic", "kevsight tox", "html internet", "html document", "unicode text", "utf8 text", "language", "settings", "first counter", "file size", "sha256", "bridge", "info", "date", "agent", "root", "pe file", "ms windows", "pe32", "found", "png image", "rgba", "cabinet archive", "files c", "delphi", "code", "persistence", "malicious", "unix", "wed jun", "dropped info", "linux verdict", "bluetooth", "4/27/25", "drops", "legacy admin", "hacking tools", "geofence", "education", "government" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/aa7261397b39ae202abcfc337b8307c7d2532a9b7ee721f7a87a6f25aa59608d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778308356&Signature=Bq0QXx5QtdlR4B1OLE2oNH2ivhP5koRxoxaBIC4bDOb1nad7b%2B4MKW2csIzcVHkiJ2lEuxuzVaPZAtPN9ZbTMiEwygTIHCvt%2BjujlP3fb2dgOki9C6FhEd5DCKB3RdzsNdqXB2VDF7rZoLj%2BNII3rrWNk714D3qNNxku1k1gsD%2FpGCxIrO0e0y2styb6l6hhzJjcGwSCEPbS6MRA%2BA90qkVuNCgIucEDcJ5lkx0B2OOW4YW0Csc3", "https://vtbehaviour.commondatastorage.googleapis.com/aa7261397b39ae202abcfc337b8307c7d2532a9b7ee721f7a87a6f25aa59608d_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778308390&Signature=29e34JRtkg7NaukyKdD3mE9rGo0hrpCAePmGPmvrVPeeHY4ax13egnxzXVjOctDKN%2F26RdliQEdXTd301UZjrUIJxeMbNgmdXQ3AdU5y%2FV8c21ePTIEAIq2Onb%2Bq5kutHekqTdBS3d0tgfIBKVBE9kZsGWzbMQFPKPv%2B%2FDpvMZSgtM2dO2vord9nXbkwcHCYBrVWvVALPOmXc910%2BAWvZOsLaWmvQjsMI0DTAIUwyx0zveFkVWqa2XOJbD", "https://vtbehaviour.commondatastorage.googleapis.com/aa7261397b39ae202abcfc337b8307c7d2532a9b7ee721f7a87a6f25aa59608d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778308554&Signature=lODaur8GDc6MSh92WMx%2BV%2F7WRfkYjVs6kHiY4Sx12RcybRrsXaBC6oik%2FVeSMne1EODoqRn6AOcL%2FnIJ3J1ki%2Flrawz0HqWnxDTycnuefpWaPbw6abOU2796lcdgAMJxF9cGIDFHeaJDHQhbd0qeV07OK%2BhEKGGkjFWmqxOlqcTx526c%2FyRTuJaoFKrRzHVk9z2Xhv16kmnrY1VWhnBNyv3cMtVW076z2DheqC1Nya4ZJR3T", "https://vtbehaviour.commondatastorage.googleapis.com/fe2fcf32cc0d38931131fde27db1e5693774844075b4e3c33c82a3625f397a7d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778308630&Signature=tal7xZ9VHrLtK%2Fx5z4thfPUsqP4jnN7mnhQemzL4D6Jt%2BSk8bXHsrCdJlx%2Be1lnoGRVGwvwKCjx3CEIT2hLNbJt09HJOJW8y0ZHcSz%2BVuPuDQOe77pC%2F3yFozFW3vI7CEZI7ISt8C80aND1aciQHVQazVru6MO8fQbjeA78vsrN6MB0ZuxTE%2FXOh0gshhIYHplGRIVhhJx5waxIeoxWL1ZXsSC%2BoXwk4g44W5t38Y5Tkcf%2", "https://vtbehaviour.commondatastorage.googleapis.com/643c94812af9c0d32df3563b4c03f3a27bb3931df6d0bf98ed2028439df5c523_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778308947&Signature=alDMcpCHWUfDgEjmw6GuL5bYJ7WAgrYGXsYb8PfNczzjNzMmdclOsPPSd8nKJEDsDmNxeb2sw0hYiHkOza%2FRN9q8612YM9nTO2inlISRitzqqNDU6JlAsf97walR1G6zBOoJyqTiDrsSbx5evH65eHfvmspVqAXrb%2BQ47kPd56689I4BQ%2BsXgtfYNLYfi0tZCIDXf9zFVUl7yJpOaXHvd6%2FB7n3VeDqry5%2FrR9w%2Ftznq2oHOWz", "https://vtbehaviour.commondatastorage.googleapis.com/96726d252031408ce594cb2d0f49cc98a87d5742e5c7bf95b067158bf1ecbb5a_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778309020&Signature=vqlAf29Jh8gzLx2hXd4oK3SHSQ7rtDkDCKFUjJTgs37n6pJU8vOHAMY%2BZDsFv79mq1BdEHoY7nok%2B%2F8fXKVOYaTlt0eAlBTIvhYUtDyujmwblYEgNlDU1rpNNKmZ55W8WmPUBFmUN3AaCIOZIX5vA4HFg6qulPpJnXDQ57TINvsk4Wwf9mClPe97Ye9DE6zAZarXt7XMT2RTpxVJqTD143j7%2BeJGcwEPknT64TWHLEfitFThoeAdncSqpQS74B", "https://vtbehaviour.commondatastorage.googleapis.com/cb38f0c781c188c3fc2ace5f55a12f2a4833c1c5fc869e698cf7994041e4a135_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778309094&Signature=2X1UxXszEC0vdMoCHG30M8zifvQi45%2FJScJ8N3QaALRZ8JM5fIK5QIhWdv9eYZgDlMDjqEs9sECAtO16r8UbHNPoPwRNzqUN6f6UIq0L8Tj%2BIYQrjZo7NBhiH6eUgkTaHAoBU02WDYP5Ov0biBhHziqfTBQQ5yDFh0H9CPRlLUefNK%2BHM%2BQYLwGLUpQ5yBTv1Mh5suQ1PLSj3g%2Fz429aGgT0ianBgbW7IIV50lIP4m5cr5UUek3l", "https://vtbehaviour.commondatastorage.googleapis.com/643c94812af9c0d32df3563b4c03f3a27bb3931df6d0bf98ed2028439df5c523_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778309164&Signature=NWdp0fiFpH6Jr1kaVwKEFGn0Zk0wRKMQLorUPZy7WKGD3M381ZLQM1PRrWmvwz5bujAib4QiCiOLd8A7PMvTMnOKQXz%2BwsI8tZk1vXfRwW6DJpI8nj3KWKoP3btIoik2VBrWn%2Fr1xNdIJ4Ic2MQEfOpslObUTaNkvaOGbdedf8llYwYXllyZneCKuVP5wMIq72nExH21e3%2FIfViwNbHZFbKS6roKZkLx4V7XxVk94woz0KT1LUAS0dYh" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1592", "name": "Gather Victim Host Information", "display_name": "T1592 - Gather Victim Host Information" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 521, "IPv4": 402, "hostname": 393, "domain": 120, "URL": 261, "FileHash-SHA1": 287, "FileHash-SHA256": 391 }, "indicator_count": 2375, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "22 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69fed9859e3d403a869a56d9", "name": "CAPE Sandbox - \"Client Challenge\" Created 4/27/2025.", "description": "[The Cuckoo.com website has been shut down by Microsoft, with the result of an analysis of the network's traffic patterns, and the results of its analysis] A SHA for an educational app/website I dont even have generated what is called \" Client Challenge\"\n 2c4b2093aa07afb9d633fd4e734a9707\n2732a5adf7152c21b4a5aaa0a7b45f3d4be7874a\naa7261397b39ae202abcfc337b8307c7d2532a9b7ee721f7a87a6f25aa59608d\n622b6b82655de58b927dd956ab84db9d\n48:IYhkrFN9YfHFTtJXQHyeyQ4v3W7UNp/xmhIfgjOGkOHMZKKyMaiskaO3n:TsYdxJXQHFY375ro6tZ8MaM93n\nT1E05100012CF6C176147724BB9E73B25A2B5064476216E41C3AEDDA28CF82FD9EC426EC\nHTML \ninternet\nhtml\nHTML document, Unicode text, UTF-8 text\nHyperText Markup Language (100%)\nHTML\n3.03 KB (3101 bytes) /_fs-ch-1T1wmsGaOgGaSxcX/assets/inter-var.woff2\n/_fs-ch-1T1wmsGaOgGaSxcX/assets/styles.css -13jdrops from one html/38 malic files/bluetooth cap.", "modified": "2026-05-09T07:20:23.936000", "created": "2026-05-09T06:51:49.607000", "tags": [ "nothing", "registry keys", "mutexes nothing", "data", "datacrashpad", "edge", "created", "parent pid", "full path", "command line", "https", "network info", "processes extra", "performs dns", "layer protocol", "overview", "mitre attack", "overview zenbox", "verdict", "guest system", "phishing", "defense evasion", "next", "ip info", "ip country", "united", "info process", "mwdb", "bazaar", "sha3384", "ssdeep", "strong", "file type", "library", "size", "default", "sha1", "accept", "mcafee", "span", "install", "softonic", "alerta", "download", "error", "crypt32", "body", "bootkit", "lockfile", "title", "inside", "shutdown", "impact", "global", "restart", "uwaga", "startpage", "window", "find", "false", "null", "payload", "write", "installer", "winmm", "back", "nlrnsrdb", "trumusic", "kevsight tox", "html internet", "html document", "unicode text", "utf8 text", "language", "settings", "first counter", "file size", "sha256", "bridge", "info", "date", "agent", "root", "pe file", "ms windows", "pe32", "found", "png image", "rgba", "cabinet archive", "files c", "delphi", "code", "persistence", "malicious", "unix", "wed jun", "dropped info", "linux verdict", "bluetooth", "4/27/25", "drops", "legacy admin", "hacking tools", "geofence", "education", "government" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/aa7261397b39ae202abcfc337b8307c7d2532a9b7ee721f7a87a6f25aa59608d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778308356&Signature=Bq0QXx5QtdlR4B1OLE2oNH2ivhP5koRxoxaBIC4bDOb1nad7b%2B4MKW2csIzcVHkiJ2lEuxuzVaPZAtPN9ZbTMiEwygTIHCvt%2BjujlP3fb2dgOki9C6FhEd5DCKB3RdzsNdqXB2VDF7rZoLj%2BNII3rrWNk714D3qNNxku1k1gsD%2FpGCxIrO0e0y2styb6l6hhzJjcGwSCEPbS6MRA%2BA90qkVuNCgIucEDcJ5lkx0B2OOW4YW0Csc3", "https://vtbehaviour.commondatastorage.googleapis.com/aa7261397b39ae202abcfc337b8307c7d2532a9b7ee721f7a87a6f25aa59608d_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778308390&Signature=29e34JRtkg7NaukyKdD3mE9rGo0hrpCAePmGPmvrVPeeHY4ax13egnxzXVjOctDKN%2F26RdliQEdXTd301UZjrUIJxeMbNgmdXQ3AdU5y%2FV8c21ePTIEAIq2Onb%2Bq5kutHekqTdBS3d0tgfIBKVBE9kZsGWzbMQFPKPv%2B%2FDpvMZSgtM2dO2vord9nXbkwcHCYBrVWvVALPOmXc910%2BAWvZOsLaWmvQjsMI0DTAIUwyx0zveFkVWqa2XOJbD", "https://vtbehaviour.commondatastorage.googleapis.com/aa7261397b39ae202abcfc337b8307c7d2532a9b7ee721f7a87a6f25aa59608d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778308554&Signature=lODaur8GDc6MSh92WMx%2BV%2F7WRfkYjVs6kHiY4Sx12RcybRrsXaBC6oik%2FVeSMne1EODoqRn6AOcL%2FnIJ3J1ki%2Flrawz0HqWnxDTycnuefpWaPbw6abOU2796lcdgAMJxF9cGIDFHeaJDHQhbd0qeV07OK%2BhEKGGkjFWmqxOlqcTx526c%2FyRTuJaoFKrRzHVk9z2Xhv16kmnrY1VWhnBNyv3cMtVW076z2DheqC1Nya4ZJR3T", "https://vtbehaviour.commondatastorage.googleapis.com/fe2fcf32cc0d38931131fde27db1e5693774844075b4e3c33c82a3625f397a7d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778308630&Signature=tal7xZ9VHrLtK%2Fx5z4thfPUsqP4jnN7mnhQemzL4D6Jt%2BSk8bXHsrCdJlx%2Be1lnoGRVGwvwKCjx3CEIT2hLNbJt09HJOJW8y0ZHcSz%2BVuPuDQOe77pC%2F3yFozFW3vI7CEZI7ISt8C80aND1aciQHVQazVru6MO8fQbjeA78vsrN6MB0ZuxTE%2FXOh0gshhIYHplGRIVhhJx5waxIeoxWL1ZXsSC%2BoXwk4g44W5t38Y5Tkcf%2", "https://vtbehaviour.commondatastorage.googleapis.com/643c94812af9c0d32df3563b4c03f3a27bb3931df6d0bf98ed2028439df5c523_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778308947&Signature=alDMcpCHWUfDgEjmw6GuL5bYJ7WAgrYGXsYb8PfNczzjNzMmdclOsPPSd8nKJEDsDmNxeb2sw0hYiHkOza%2FRN9q8612YM9nTO2inlISRitzqqNDU6JlAsf97walR1G6zBOoJyqTiDrsSbx5evH65eHfvmspVqAXrb%2BQ47kPd56689I4BQ%2BsXgtfYNLYfi0tZCIDXf9zFVUl7yJpOaXHvd6%2FB7n3VeDqry5%2FrR9w%2Ftznq2oHOWz", "https://vtbehaviour.commondatastorage.googleapis.com/96726d252031408ce594cb2d0f49cc98a87d5742e5c7bf95b067158bf1ecbb5a_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778309020&Signature=vqlAf29Jh8gzLx2hXd4oK3SHSQ7rtDkDCKFUjJTgs37n6pJU8vOHAMY%2BZDsFv79mq1BdEHoY7nok%2B%2F8fXKVOYaTlt0eAlBTIvhYUtDyujmwblYEgNlDU1rpNNKmZ55W8WmPUBFmUN3AaCIOZIX5vA4HFg6qulPpJnXDQ57TINvsk4Wwf9mClPe97Ye9DE6zAZarXt7XMT2RTpxVJqTD143j7%2BeJGcwEPknT64TWHLEfitFThoeAdncSqpQS74B", "https://vtbehaviour.commondatastorage.googleapis.com/cb38f0c781c188c3fc2ace5f55a12f2a4833c1c5fc869e698cf7994041e4a135_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778309094&Signature=2X1UxXszEC0vdMoCHG30M8zifvQi45%2FJScJ8N3QaALRZ8JM5fIK5QIhWdv9eYZgDlMDjqEs9sECAtO16r8UbHNPoPwRNzqUN6f6UIq0L8Tj%2BIYQrjZo7NBhiH6eUgkTaHAoBU02WDYP5Ov0biBhHziqfTBQQ5yDFh0H9CPRlLUefNK%2BHM%2BQYLwGLUpQ5yBTv1Mh5suQ1PLSj3g%2Fz429aGgT0ianBgbW7IIV50lIP4m5cr5UUek3l", "https://vtbehaviour.commondatastorage.googleapis.com/643c94812af9c0d32df3563b4c03f3a27bb3931df6d0bf98ed2028439df5c523_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778309164&Signature=NWdp0fiFpH6Jr1kaVwKEFGn0Zk0wRKMQLorUPZy7WKGD3M381ZLQM1PRrWmvwz5bujAib4QiCiOLd8A7PMvTMnOKQXz%2BwsI8tZk1vXfRwW6DJpI8nj3KWKoP3btIoik2VBrWn%2Fr1xNdIJ4Ic2MQEfOpslObUTaNkvaOGbdedf8llYwYXllyZneCKuVP5wMIq72nExH21e3%2FIfViwNbHZFbKS6roKZkLx4V7XxVk94woz0KT1LUAS0dYh" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1592", "name": "Gather Victim Host Information", "display_name": "T1592 - Gather Victim Host Information" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 522, "IPv4": 409, "hostname": 645, "domain": 178, "URL": 786, "FileHash-SHA1": 288, "FileHash-SHA256": 392, "CVE": 1 }, "indicator_count": 3221, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "22 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69b784cc650f89739e92c4f4", "name": "CAPE Sandbox - google family link (dont have gmail)", "description": "index.html\nFile Type\tHTML document, Unicode text, UTF-8 text, with very long lines (3040)\nFile Size\t153711 bytes\nMD5\t49c89656ad04dbb9a29d7043f31722d5\nSHA1\td7893632bf29d9186ee05cfb7e52b80eb46013d5\nSHA256\t596bac3d66273f190e72aaf8e35a8088d2f06e6b6e153a9648327ce0778f8361 [VT] [MWDB] [Bazaar]\nSHA3-384\t7448e6873457ee7707faa770255c0b540feaf21aa3f9acf71c9bc8ebd8486457df23a5c21d8c374659a790714643d17b\nCRC32\tC67399A4\nTLSH\tT1A3E3C973416BE027501152A9B62D3B4EFE23E6A7C7A7C3D4B57C86D02F85CEB8413998\nSsdeep\t1536:w63/JengXYQh5g84wgWun5pwqNpXvh/eRMBvh7vG9vqvcjvh7vG9vqCb5:R/JenuYQDFmnUeX7xcM5", "modified": "2026-04-15T05:00:30.448000", "created": "2026-03-16T04:19:24.046000", "tags": [ "file type", "html document", "unicode text", "utf8 text", "file size", "sha256", "mwdb", "bazaar", "sha3384", "crc32 c67399a4" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4, "FileHash-SHA1": 4, "FileHash-SHA256": 5, "hostname": 143, "URL": 121, "domain": 11 }, "indicator_count": 288, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "46 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "677db8b56d3d4c3af9ebd9b5", "name": "hxxps://tinyurl [.] com/Pixel2 - Link to Google Drive of Malicious APKs (unenriched analysis of link to the Google Drive)", "description": "hxxps://tinyurl [.] com - Link to Google Drive of Malicious APKs\nIt appears a link to a Backup of Client's APKs (Telus Google Device Protected by Norton)\nDevice currently connected to the University of Alberta, Telus Communications (ISP), Alberta Health Services (AHS) and the Government of Alberta - is apparently itself malicious (still links to Google Drive Folder of APKs - to import for analysis later).", "modified": "2025-02-07T05:00:08.549000", "created": "2025-01-07T23:28:53.566000", "tags": [ "UAlberta", "AHS", "Google", "Telus", "Pixel", "Norton" ], "references": [ "https://www.filescan.io/uploads/677e0e14212309a70397d357/reports/0077a75d-f7d7-4634-a1ba-6f7b0488f9da/overview", "https://urlquery.net/report/16d1e034-1c64-4cbe-8b58-f5926dab9001", "https://www.virustotal.com/gui/url/1763a71e86e74729f1e993dc2e6b5cec9d91dd51245533a5300c85c9d49bc7ef", "http://www.hybrid-analysis.com/sample/dc744fc325700c6fda2b8d83b39a8c241258b9305058a3402ce70c97932acc74", "http://www.hybrid-analysis.com/sample/dc744fc325700c6fda2b8d83b39a8c241258b9305058a3402ce70c97932acc74/677d1d5dcb161e2448026452" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada", "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [ "Healthcare", "Government", "Education" ], "TLP": "white", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 13, "FileHash-MD5": 96, "FileHash-SHA1": 96, "FileHash-SHA256": 97, "SSLCertFingerprint": 4, "URL": 221, "hostname": 34 }, "indicator_count": 561, "is_author": false, "is_subscribing": null, "subscriber_count": 129, "modified_text": "478 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66eb3ef6d765187a437767e4", "name": "Hijacked 'Operation Endgame' Tofsee Ransomware", "description": "This a project. A target has been put into different Operations: Project Hilo, Project Helix, Operation Endgame, The NSO Cellebrite Pegasus hit list. These are real and very serious serious threat. Severe Cyber issues made their way to her infected devices as well as the devices of family members. Death threats continue to come in. Several DoD IP addresses found in a PDF. It's unresearched at this time,, DoD via BGP HE has been questionable considering use gateway abuse by SWIPPER. \n\nStill no authority can confirm victim is a suspect. Must be a crazy high to help Jeffrey Scott Reiner PT. DPT get away with assault in such a ridiculous manner. Court report posted online by Trellis (BS) is of course a falsified , vulnerability filled 'made you click' document.. Faldif0, empty docmpty doc, citing it was refreshed in 2023. \nThere is no doubt these masqueraders mean to intimidate, humiliate, isolate & harm target. These people are not in China. False attribution is likely. Attack is disseminates from USA.", "modified": "2024-10-18T20:04:41.836000", "created": "2024-09-18T20:58:30.691000", "tags": [ "as8075", "united", "pid425870621", "tid700443057", "tpid425870621", "slot1", "mascore2", "bcnt1", "unid88000705", "nct1", "date", "china", "china unknown", "passive dns", "body xml", "error code", "requestid", "hostid ec", "server", "gmt content", "type", "registry", "intel", "ms windows", "show", "entries", "search", "high", "pe32", "high process", "injection t1055", "salicode", "worm", "copy", "tools", "service", "write", "win32", "persistence", "execution", "april", "urls", "http", "unique", "scan endpoints", "all scoreblue", "url http", "pulse pulses", "ip address", "related nids", "code", "as54113", "unknown", "body", "fastly error", "please", "sea p", "msil", "accept", "aaaa", "nxdomain", "whitelisted", "as15169 google", "status", "as44273 host", "as46691", "domain", "url https", "files location", "info", "script urls", "path max", "age86400 set", "cookie", "script domains", "javascript", "script script", "trojanspy", "cname", "emails", "servers", "all search", "related pulses", "file samples", "files matching", "creation date", "germany unknown", "yara detections", "filehash", "av detections", "ids detections", "alerts", "analysis date", "file score", "meta", "home welcome", "write c", "delete c", "query", "local", "hostname", "a domains", "lowfi", "content type", "record value", "suite", "showing", "asnone united", "as29873", "ipv4", "pulse submit", "url analysis", "files", "pe32 executable", "potential scan", "0pgtwhu", "t1045", "port", "infection", "recon", "malware", "june", "delphi", "taobao network", "as45102 alibaba", "as4812 china", "next", "expiration date", "name servers", "dynamicloader", "dynamic", "sha256", "dynamic link", "library exe", "adobe", "incorporated", "read", "yara rule", "delete", "binary file", "push", "malicious", "july", "iocs", "levelbluelabs", "jeff4son", "adversaries", "registry run", "flow t1574", "dll sideloading", "boot", "logon autostart", "execution t1547", "keys", "startup folder", "t1497 may", "encryption", "catalog tree", "analysis ob0001", "virtual machine", "detection b0009", "check registry", "analysis ob0002", "executable code", "stack strings", "control ob0004", "get http", "http requests", "dns resolutions", "ip traffic", "pattern domains", "memory pattern", "urls http", "request", "response", "connection", "trojan", "otx scoreblue", "windows", "embeddedwb", "medium", "shellexecuteexw", "msie", "windows nt", "displayname", "tofsee", "hashes", "vhash", "authentihash", "ssdeep", "win32 exe", "magic pe32", "trid win32", "library", "read c", "file guard", "rtversion", "langchinese", "legalcopyright", "reserved", "ransom", "moved", "media", "ascii text", "default", "upack", "mike", "contacted", "x87xe1x1d", "regsetvalueexa", "x95xd3xa4", "regbinary", "x84xa8xe8i", "x8dxb7xb7", "hx88x9ax1e", "mx81xd1r", "x92xac", "xc2x84", "stream", "swipper", "pdfcreator.sf.net", "botnet", "black mercedes", "please forgive me", "therahand thouroughhand" ], "references": [ "Project Endgame - pegausintel.com -Unsjre if related to NSO Group", "Antivirus Detections: ALF:HeraklezEval:Rogue:Win32/FakeRean", "Yara Detections: compromised_site_redirector_fromcharcode , Cabinet_Archive , SFX_CAB", "Alerts: infostealer_cookies persistence_autorun recon_programs recon_fingerprint removes_zoneid_ads anomalous_deletefile", "P\u2019s Contacted: 93.184.221.240 3.33.130.190 | Domains Contacted: counterslocal.com", "compromised_site_redirector_fromcharcode fromCharCode", "Interesting Strings: http://www.interoperabilitybridges.com/wmp http://crbug.com/40902 http://crbug.com/516527", "Interesting Strings: http://service.real.com/realplayer/security/02062012_player/en/", "Interesting Strings: https://support.google.com/chrome/?p=plugin_pdf", "https://support.google.com/chrome/?p=plugin_quicktime https://chrome.google.com/", "Interesting Strings: http://schema.org/GovernmentOrganization https://support.google.com/chrome/?p=plugin_java https://crbug.com/593166", "Pdf.Phishing.TtraffRobotInstall-7605656-0 00004feb58be42ba1bd506ea89f90c5e1d83e6e1fb84841931949a454b0bb539", "Antivirus Detections Cryp_Xed-12 , Mal/Generic-S , Packed/Upack Yara Detections Upackv039finalDwing , UpackV037Dwing", "https://pin.it/ | https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Worm:Win32/Macoute.A", "display_name": "Worm:Win32/Macoute.A", "target": "/malware/Worm:Win32/Macoute.A" }, { "id": "TrojanDownloader:Win32/Nemucod", "display_name": "TrojanDownloader:Win32/Nemucod", "target": "/malware/TrojanDownloader:Win32/Nemucod" }, { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "ALF:HeraklezEval:Rogue:Win32/FakeRean", "display_name": "ALF:HeraklezEval:Rogue:Win32/FakeRean", "target": null }, { "id": "Worm:Win32/Fesber.A", "display_name": "Worm:Win32/Fesber.A", "target": "/malware/Worm:Win32/Fesber.A" }, { "id": "Ransom:Win32/Eniqma.A", "display_name": "Ransom:Win32/Eniqma.A", "target": "/malware/Ransom:Win32/Eniqma.A" }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "UpackV037Dwing", "display_name": "UpackV037Dwing", "target": null }, { "id": "Cryp_Xed-12", "display_name": "Cryp_Xed-12", "target": null }, { "id": "Mal/Generic-S", "display_name": "Mal/Generic-S", "target": null } ], "attack_ids": [ { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 29, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1493, "FileHash-SHA1": 1393, "FileHash-SHA256": 5881, "URL": 1495, "domain": 1947, "hostname": 1360, "email": 18, "CVE": 1 }, "indicator_count": 13588, "is_author": false, "is_subscribing": null, "subscriber_count": 232, "modified_text": "589 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65709fe5e685939cb8ce7486", "name": "Direct Search Network", "description": "", "modified": "2023-12-06T16:23:01.912000", "created": "2023-12-06T16:23:01.912000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1105, "domain": 665, "FileHash-SHA256": 1203, "URL": 2334, "FileHash-MD5": 384, "FileHash-SHA1": 62, "email": 2 }, "indicator_count": 5755, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "907 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "64dac57e96082bfaec2f2334", "name": "Direct Search Network", "description": "Direct Search Network - Direct Navigation Traffic\nBat Downloader, Riskware, Malware, Ransomware, AdWare spam, Bots\nMalicious Host\n\nTags:\ncve-2007-0774\ncve-2011-5007\ncve-2009-1122\nbobsoft\ncontains-embedded-js\ncontains-elf\nnsis\ncve-1999-0016\narmadillo\nattachment\ncve-2020-11899\ncve-2016-2211\ncontains-pe\ncve-2010-3281", "modified": "2023-09-14T15:04:53.181000", "created": "2023-08-15T00:23:26.018000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 2552, "FileHash-SHA256": 2345, "domain": 1477, "email": 31, "URL": 5053, "FileHash-MD5": 544, "FileHash-SHA1": 79 }, "indicator_count": 12081, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "990 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "63eabe6f6a9aaa48a17d66e0", "name": "Google Chrome", "description": "Google has released a version of its operating system that stops automatically checking for security updates and instead instead uses the 'cros' tool to automatically install them on to the Google Chrome operating systems, as well as the Android version.", "modified": "2023-03-16T00:12:03.978000", "created": "2023-02-13T22:49:19.557000", "tags": [ "license", "copyright", "android open", "source project", "apache license", "version", "unless", "as is", "basis", "or conditions", "disables", "please", "google", "private key", "software", "work", "licensor", "a particular", "direct", "february", "generator", "david", "code", "bunny", "neither", "apache", "june", "uboot", "except", "bsd3clause", "bsd2clause", "library name", "link", "license name", "binaries", "qt websockets", "tink", "qt widgets", "unknown", "format", "branch", "any kind" ], "references": [ "cros-garcon.conf", "source.properties", "LICENSE", "android-info.txt", "android-sdk-preview-license", "web.dev.har", "NOTICE.csv", "android-sdk-license", "NOTICE.txt", "Downloads.pem", "weston.ini", "package.xml", "mkfs.ext3", "mkfs.ext4", "mkfs.ext2" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Lillylillith39", "id": "221303", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 453, "hostname": 81, "FileHash-SHA256": 245, "domain": 62, "email": 7, "FileHash-SHA1": 3, "YARA": 1 }, "indicator_count": 852, "is_author": false, "is_subscribing": null, "subscriber_count": 32, "modified_text": "1172 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "Antivirus Detections: ALF:HeraklezEval:Rogue:Win32/FakeRean", "https://vtbehaviour.commondatastorage.googleapis.com/aa7261397b39ae202abcfc337b8307c7d2532a9b7ee721f7a87a6f25aa59608d_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778308390&Signature=29e34JRtkg7NaukyKdD3mE9rGo0hrpCAePmGPmvrVPeeHY4ax13egnxzXVjOctDKN%2F26RdliQEdXTd301UZjrUIJxeMbNgmdXQ3AdU5y%2FV8c21ePTIEAIq2Onb%2Bq5kutHekqTdBS3d0tgfIBKVBE9kZsGWzbMQFPKPv%2B%2FDpvMZSgtM2dO2vord9nXbkwcHCYBrVWvVALPOmXc910%2BAWvZOsLaWmvQjsMI0DTAIUwyx0zveFkVWqa2XOJbD", "Alerts: infostealer_cookies persistence_autorun recon_programs recon_fingerprint removes_zoneid_ads anomalous_deletefile", "android-sdk-preview-license", "https://vtbehaviour.commondatastorage.googleapis.com/cb38f0c781c188c3fc2ace5f55a12f2a4833c1c5fc869e698cf7994041e4a135_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778309094&Signature=2X1UxXszEC0vdMoCHG30M8zifvQi45%2FJScJ8N3QaALRZ8JM5fIK5QIhWdv9eYZgDlMDjqEs9sECAtO16r8UbHNPoPwRNzqUN6f6UIq0L8Tj%2BIYQrjZo7NBhiH6eUgkTaHAoBU02WDYP5Ov0biBhHziqfTBQQ5yDFh0H9CPRlLUefNK%2BHM%2BQYLwGLUpQ5yBTv1Mh5suQ1PLSj3g%2Fz429aGgT0ianBgbW7IIV50lIP4m5cr5UUek3l", "mkfs.ext3", "source.properties", "https://vtbehaviour.commondatastorage.googleapis.com/aa7261397b39ae202abcfc337b8307c7d2532a9b7ee721f7a87a6f25aa59608d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778308554&Signature=lODaur8GDc6MSh92WMx%2BV%2F7WRfkYjVs6kHiY4Sx12RcybRrsXaBC6oik%2FVeSMne1EODoqRn6AOcL%2FnIJ3J1ki%2Flrawz0HqWnxDTycnuefpWaPbw6abOU2796lcdgAMJxF9cGIDFHeaJDHQhbd0qeV07OK%2BhEKGGkjFWmqxOlqcTx526c%2FyRTuJaoFKrRzHVk9z2Xhv16kmnrY1VWhnBNyv3cMtVW076z2DheqC1Nya4ZJR3T", "mkfs.ext4", "Interesting Strings: http://www.interoperabilitybridges.com/wmp http://crbug.com/40902 http://crbug.com/516527", "https://vtbehaviour.commondatastorage.googleapis.com/aa7261397b39ae202abcfc337b8307c7d2532a9b7ee721f7a87a6f25aa59608d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778308356&Signature=Bq0QXx5QtdlR4B1OLE2oNH2ivhP5koRxoxaBIC4bDOb1nad7b%2B4MKW2csIzcVHkiJ2lEuxuzVaPZAtPN9ZbTMiEwygTIHCvt%2BjujlP3fb2dgOki9C6FhEd5DCKB3RdzsNdqXB2VDF7rZoLj%2BNII3rrWNk714D3qNNxku1k1gsD%2FpGCxIrO0e0y2styb6l6hhzJjcGwSCEPbS6MRA%2BA90qkVuNCgIucEDcJ5lkx0B2OOW4YW0Csc3", "http://www.hybrid-analysis.com/sample/dc744fc325700c6fda2b8d83b39a8c241258b9305058a3402ce70c97932acc74/677d1d5dcb161e2448026452", "Interesting Strings: http://service.real.com/realplayer/security/02062012_player/en/", "Downloads.pem", "cros-garcon.conf", "http://www.hybrid-analysis.com/sample/dc744fc325700c6fda2b8d83b39a8c241258b9305058a3402ce70c97932acc74", "P\u2019s Contacted: 93.184.221.240 3.33.130.190 | Domains Contacted: counterslocal.com", "https://www.virustotal.com/gui/url/1763a71e86e74729f1e993dc2e6b5cec9d91dd51245533a5300c85c9d49bc7ef", "Pdf.Phishing.TtraffRobotInstall-7605656-0 00004feb58be42ba1bd506ea89f90c5e1d83e6e1fb84841931949a454b0bb539", "android-sdk-license", "android-info.txt", "weston.ini", "compromised_site_redirector_fromcharcode fromCharCode", "Yara Detections: compromised_site_redirector_fromcharcode , Cabinet_Archive , SFX_CAB", "LICENSE", "https://www.filescan.io/uploads/677e0e14212309a70397d357/reports/0077a75d-f7d7-4634-a1ba-6f7b0488f9da/overview", "Project Endgame - pegausintel.com -Unsjre if related to NSO Group", "NOTICE.csv", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "Antivirus Detections Cryp_Xed-12 , Mal/Generic-S , Packed/Upack Yara Detections Upackv039finalDwing , UpackV037Dwing", "https://vtbehaviour.commondatastorage.googleapis.com/643c94812af9c0d32df3563b4c03f3a27bb3931df6d0bf98ed2028439df5c523_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778308947&Signature=alDMcpCHWUfDgEjmw6GuL5bYJ7WAgrYGXsYb8PfNczzjNzMmdclOsPPSd8nKJEDsDmNxeb2sw0hYiHkOza%2FRN9q8612YM9nTO2inlISRitzqqNDU6JlAsf97walR1G6zBOoJyqTiDrsSbx5evH65eHfvmspVqAXrb%2BQ47kPd56689I4BQ%2BsXgtfYNLYfi0tZCIDXf9zFVUl7yJpOaXHvd6%2FB7n3VeDqry5%2FrR9w%2Ftznq2oHOWz", "https://pin.it/ | https://www.anyxxxtube.net/search-porn/tsara-brashears/", "package.xml", "NOTICE.txt", "https://support.google.com/chrome/?p=plugin_quicktime https://chrome.google.com/", "https://vtbehaviour.commondatastorage.googleapis.com/fe2fcf32cc0d38931131fde27db1e5693774844075b4e3c33c82a3625f397a7d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778308630&Signature=tal7xZ9VHrLtK%2Fx5z4thfPUsqP4jnN7mnhQemzL4D6Jt%2BSk8bXHsrCdJlx%2Be1lnoGRVGwvwKCjx3CEIT2hLNbJt09HJOJW8y0ZHcSz%2BVuPuDQOe77pC%2F3yFozFW3vI7CEZI7ISt8C80aND1aciQHVQazVru6MO8fQbjeA78vsrN6MB0ZuxTE%2FXOh0gshhIYHplGRIVhhJx5waxIeoxWL1ZXsSC%2BoXwk4g44W5t38Y5Tkcf%2", "web.dev.har", "Interesting Strings: https://support.google.com/chrome/?p=plugin_pdf", "Interesting Strings: http://schema.org/GovernmentOrganization https://support.google.com/chrome/?p=plugin_java https://crbug.com/593166", "https://vtbehaviour.commondatastorage.googleapis.com/96726d252031408ce594cb2d0f49cc98a87d5742e5c7bf95b067158bf1ecbb5a_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778309020&Signature=vqlAf29Jh8gzLx2hXd4oK3SHSQ7rtDkDCKFUjJTgs37n6pJU8vOHAMY%2BZDsFv79mq1BdEHoY7nok%2B%2F8fXKVOYaTlt0eAlBTIvhYUtDyujmwblYEgNlDU1rpNNKmZ55W8WmPUBFmUN3AaCIOZIX5vA4HFg6qulPpJnXDQ57TINvsk4Wwf9mClPe97Ye9DE6zAZarXt7XMT2RTpxVJqTD143j7%2BeJGcwEPknT64TWHLEfitFThoeAdncSqpQS74B", "https://urlquery.net/report/16d1e034-1c64-4cbe-8b58-f5926dab9001", "https://vtbehaviour.commondatastorage.googleapis.com/643c94812af9c0d32df3563b4c03f3a27bb3931df6d0bf98ed2028439df5c523_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778309164&Signature=NWdp0fiFpH6Jr1kaVwKEFGn0Zk0wRKMQLorUPZy7WKGD3M381ZLQM1PRrWmvwz5bujAib4QiCiOLd8A7PMvTMnOKQXz%2BwsI8tZk1vXfRwW6DJpI8nj3KWKoP3btIoik2VBrWn%2Fr1xNdIJ4Ic2MQEfOpslObUTaNkvaOGbdedf8llYwYXllyZneCKuVP5wMIq72nExH21e3%2FIfViwNbHZFbKS6roKZkLx4V7XxVk94woz0KT1LUAS0dYh", "mkfs.ext2" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Worm:win32/fesber.a", "Ransom:win32/eniqma.a", "Worm:win32/macoute.a", "Trojandownloader:win32/nemucod", "Trojanspy:win32/nivdort", "Cryp_xed-12", "Upackv037dwing", "Mal/generic-s", "Alf:heraklezeval:rogue:win32/fakerean", "Tofsee" ], "industries": [ "Healthcare", "Education", "Government" ], "unique_indicators": 25406 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/google.com", "whois": "http://whois.domaintools.com/google.com", "domain": "google.com", "hostname": "policies.google.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 12, "pulses": [ { "id": "6a056cacb981e6f3b2dd4647", "name": "Hijacked 'Operation Endgame' Tofsee Ransomware clone credit scoreblue", "description": "", "modified": "2026-05-14T07:28:01.780000", "created": "2026-05-14T06:33:16.946000", "tags": [ "as8075", "united", "pid425870621", "tid700443057", "tpid425870621", "slot1", "mascore2", "bcnt1", "unid88000705", "nct1", "date", "china", "china unknown", "passive dns", "body xml", "error code", "requestid", "hostid ec", "server", "gmt content", "type", "registry", "intel", "ms windows", "show", "entries", "search", "high", "pe32", "high process", "injection t1055", "salicode", "worm", "copy", "tools", "service", "write", "win32", "persistence", "execution", "april", "urls", "http", "unique", "scan endpoints", "all scoreblue", "url http", "pulse pulses", "ip address", "related nids", "code", "as54113", "unknown", "body", "fastly error", "please", "sea p", "msil", "accept", "aaaa", "nxdomain", "whitelisted", "as15169 google", "status", "as44273 host", "as46691", "domain", "url https", "files location", "info", "script urls", "path max", "age86400 set", "cookie", "script domains", "javascript", "script script", "trojanspy", "cname", "emails", "servers", "all search", "related pulses", "file samples", "files matching", "creation date", "germany unknown", "yara detections", "filehash", "av detections", "ids detections", "alerts", "analysis date", "file score", "meta", "home welcome", "write c", "delete c", "query", "local", "hostname", "a domains", "lowfi", "content type", "record value", "suite", "showing", "asnone united", "as29873", "ipv4", "pulse submit", "url analysis", "files", "pe32 executable", "potential scan", "0pgtwhu", "t1045", "port", "infection", "recon", "malware", "june", "delphi", "taobao network", "as45102 alibaba", "as4812 china", "next", "expiration date", "name servers", "dynamicloader", "dynamic", "sha256", "dynamic link", "library exe", "adobe", "incorporated", "read", "yara rule", "delete", "binary file", "push", "malicious", "july", "iocs", "levelbluelabs", "jeff4son", "adversaries", "registry run", "flow t1574", "dll sideloading", "boot", "logon autostart", "execution t1547", "keys", "startup folder", "t1497 may", "encryption", "catalog tree", "analysis ob0001", "virtual machine", "detection b0009", "check registry", "analysis ob0002", "executable code", "stack strings", "control ob0004", "get http", "http requests", "dns resolutions", "ip traffic", "pattern domains", "memory pattern", "urls http", "request", "response", "connection", "trojan", "otx scoreblue", "windows", "embeddedwb", "medium", "shellexecuteexw", "msie", "windows nt", "displayname", "tofsee", "hashes", "vhash", "authentihash", "ssdeep", "win32 exe", "magic pe32", "trid win32", "library", "read c", "file guard", "rtversion", "langchinese", "legalcopyright", "reserved", "ransom", "moved", "media", "ascii text", "default", "upack", "mike", "contacted", "x87xe1x1d", "regsetvalueexa", "x95xd3xa4", "regbinary", "x84xa8xe8i", "x8dxb7xb7", "hx88x9ax1e", "mx81xd1r", "x92xac", "xc2x84", "stream", "swipper", "pdfcreator.sf.net", "botnet", "black mercedes", "please forgive me", "therahand thouroughhand" ], "references": [ "Project Endgame - pegausintel.com -Unsjre if related to NSO Group", "Antivirus Detections: ALF:HeraklezEval:Rogue:Win32/FakeRean", "Yara Detections: compromised_site_redirector_fromcharcode , Cabinet_Archive , SFX_CAB", "Alerts: infostealer_cookies persistence_autorun recon_programs recon_fingerprint removes_zoneid_ads anomalous_deletefile", "P\u2019s Contacted: 93.184.221.240 3.33.130.190 | Domains Contacted: counterslocal.com", "compromised_site_redirector_fromcharcode fromCharCode", "Interesting Strings: http://www.interoperabilitybridges.com/wmp http://crbug.com/40902 http://crbug.com/516527", "Interesting Strings: http://service.real.com/realplayer/security/02062012_player/en/", "Interesting Strings: https://support.google.com/chrome/?p=plugin_pdf", "https://support.google.com/chrome/?p=plugin_quicktime https://chrome.google.com/", "Interesting Strings: http://schema.org/GovernmentOrganization https://support.google.com/chrome/?p=plugin_java https://crbug.com/593166", "Pdf.Phishing.TtraffRobotInstall-7605656-0 00004feb58be42ba1bd506ea89f90c5e1d83e6e1fb84841931949a454b0bb539", "Antivirus Detections Cryp_Xed-12 , Mal/Generic-S , Packed/Upack Yara Detections Upackv039finalDwing , UpackV037Dwing", "https://pin.it/ | https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Worm:Win32/Macoute.A", "display_name": "Worm:Win32/Macoute.A", "target": "/malware/Worm:Win32/Macoute.A" }, { "id": "TrojanDownloader:Win32/Nemucod", "display_name": "TrojanDownloader:Win32/Nemucod", "target": "/malware/TrojanDownloader:Win32/Nemucod" }, { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "ALF:HeraklezEval:Rogue:Win32/FakeRean", "display_name": "ALF:HeraklezEval:Rogue:Win32/FakeRean", "target": null }, { "id": "Worm:Win32/Fesber.A", "display_name": "Worm:Win32/Fesber.A", "target": "/malware/Worm:Win32/Fesber.A" }, { "id": "Ransom:Win32/Eniqma.A", "display_name": "Ransom:Win32/Eniqma.A", "target": "/malware/Ransom:Win32/Eniqma.A" }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "UpackV037Dwing", "display_name": "UpackV037Dwing", "target": null }, { "id": "Cryp_Xed-12", "display_name": "Cryp_Xed-12", "target": null }, { "id": "Mal/Generic-S", "display_name": "Mal/Generic-S", "target": null } ], "attack_ids": [ { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" } ], "industries": [], "TLP": "green", "cloned_from": "66eb3ef6d765187a437767e4", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1521, "FileHash-SHA1": 1395, "FileHash-SHA256": 6084, "URL": 1499, "domain": 1947, "hostname": 1361, "email": 18, "CVE": 1 }, "indicator_count": 13826, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "17 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a056cac80d9b80eb1a97e29", "name": "Hijacked 'Operation Endgame' Tofsee Ransomware clone credit scoreblue", "description": "", "modified": "2026-05-14T07:14:09.098000", "created": "2026-05-14T06:33:16.505000", "tags": [ "as8075", "united", "pid425870621", "tid700443057", "tpid425870621", "slot1", "mascore2", "bcnt1", "unid88000705", "nct1", "date", "china", "china unknown", "passive dns", "body xml", "error code", "requestid", "hostid ec", "server", "gmt content", "type", "registry", "intel", "ms windows", "show", "entries", "search", "high", "pe32", "high process", "injection t1055", "salicode", "worm", "copy", "tools", "service", "write", "win32", "persistence", "execution", "april", "urls", "http", "unique", "scan endpoints", "all scoreblue", "url http", "pulse pulses", "ip address", "related nids", "code", "as54113", "unknown", "body", "fastly error", "please", "sea p", "msil", "accept", "aaaa", "nxdomain", "whitelisted", "as15169 google", "status", "as44273 host", "as46691", "domain", "url https", "files location", "info", "script urls", "path max", "age86400 set", "cookie", "script domains", "javascript", "script script", "trojanspy", "cname", "emails", "servers", "all search", "related pulses", "file samples", "files matching", "creation date", "germany unknown", "yara detections", "filehash", "av detections", "ids detections", "alerts", "analysis date", "file score", "meta", "home welcome", "write c", "delete c", "query", "local", "hostname", "a domains", "lowfi", "content type", "record value", "suite", "showing", "asnone united", "as29873", "ipv4", "pulse submit", "url analysis", "files", "pe32 executable", "potential scan", "0pgtwhu", "t1045", "port", "infection", "recon", "malware", "june", "delphi", "taobao network", "as45102 alibaba", "as4812 china", "next", "expiration date", "name servers", "dynamicloader", "dynamic", "sha256", "dynamic link", "library exe", "adobe", "incorporated", "read", "yara rule", "delete", "binary file", "push", "malicious", "july", "iocs", "levelbluelabs", "jeff4son", "adversaries", "registry run", "flow t1574", "dll sideloading", "boot", "logon autostart", "execution t1547", "keys", "startup folder", "t1497 may", "encryption", "catalog tree", "analysis ob0001", "virtual machine", "detection b0009", "check registry", "analysis ob0002", "executable code", "stack strings", "control ob0004", "get http", "http requests", "dns resolutions", "ip traffic", "pattern domains", "memory pattern", "urls http", "request", "response", "connection", "trojan", "otx scoreblue", "windows", "embeddedwb", "medium", "shellexecuteexw", "msie", "windows nt", "displayname", "tofsee", "hashes", "vhash", "authentihash", "ssdeep", "win32 exe", "magic pe32", "trid win32", "library", "read c", "file guard", "rtversion", "langchinese", "legalcopyright", "reserved", "ransom", "moved", "media", "ascii text", "default", "upack", "mike", "contacted", "x87xe1x1d", "regsetvalueexa", "x95xd3xa4", "regbinary", "x84xa8xe8i", "x8dxb7xb7", "hx88x9ax1e", "mx81xd1r", "x92xac", "xc2x84", "stream", "swipper", "pdfcreator.sf.net", "botnet", "black mercedes", "please forgive me", "therahand thouroughhand" ], "references": [ "Project Endgame - pegausintel.com -Unsjre if related to NSO Group", "Antivirus Detections: ALF:HeraklezEval:Rogue:Win32/FakeRean", "Yara Detections: compromised_site_redirector_fromcharcode , Cabinet_Archive , SFX_CAB", "Alerts: infostealer_cookies persistence_autorun recon_programs recon_fingerprint removes_zoneid_ads anomalous_deletefile", "P\u2019s Contacted: 93.184.221.240 3.33.130.190 | Domains Contacted: counterslocal.com", "compromised_site_redirector_fromcharcode fromCharCode", "Interesting Strings: http://www.interoperabilitybridges.com/wmp http://crbug.com/40902 http://crbug.com/516527", "Interesting Strings: http://service.real.com/realplayer/security/02062012_player/en/", "Interesting Strings: https://support.google.com/chrome/?p=plugin_pdf", "https://support.google.com/chrome/?p=plugin_quicktime https://chrome.google.com/", "Interesting Strings: http://schema.org/GovernmentOrganization https://support.google.com/chrome/?p=plugin_java https://crbug.com/593166", "Pdf.Phishing.TtraffRobotInstall-7605656-0 00004feb58be42ba1bd506ea89f90c5e1d83e6e1fb84841931949a454b0bb539", "Antivirus Detections Cryp_Xed-12 , Mal/Generic-S , Packed/Upack Yara Detections Upackv039finalDwing , UpackV037Dwing", "https://pin.it/ | https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Worm:Win32/Macoute.A", "display_name": "Worm:Win32/Macoute.A", "target": "/malware/Worm:Win32/Macoute.A" }, { "id": "TrojanDownloader:Win32/Nemucod", "display_name": "TrojanDownloader:Win32/Nemucod", "target": "/malware/TrojanDownloader:Win32/Nemucod" }, { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "ALF:HeraklezEval:Rogue:Win32/FakeRean", "display_name": "ALF:HeraklezEval:Rogue:Win32/FakeRean", "target": null }, { "id": "Worm:Win32/Fesber.A", "display_name": "Worm:Win32/Fesber.A", "target": "/malware/Worm:Win32/Fesber.A" }, { "id": "Ransom:Win32/Eniqma.A", "display_name": "Ransom:Win32/Eniqma.A", "target": "/malware/Ransom:Win32/Eniqma.A" }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "UpackV037Dwing", "display_name": "UpackV037Dwing", "target": null }, { "id": "Cryp_Xed-12", "display_name": "Cryp_Xed-12", "target": null }, { "id": "Mal/Generic-S", "display_name": "Mal/Generic-S", "target": null } ], "attack_ids": [ { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" } ], "industries": [], "TLP": "green", "cloned_from": "66eb3ef6d765187a437767e4", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1493, "FileHash-SHA1": 1393, "FileHash-SHA256": 5881, "URL": 1499, "domain": 1947, "hostname": 1360, "email": 18, "CVE": 1 }, "indicator_count": 13592, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "17 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69fed99080ca19fd27b184cb", "name": "CAPE Sandbox - \"Client Challenge\" Created 4/27/2025.", "description": "[The Cuckoo.com website has been shut down by Microsoft, with the result of an analysis of the network's traffic patterns, and the results of its analysis] A SHA for an educational app/website I dont even have generated what is called \" Client Challenge\"\n 2c4b2093aa07afb9d633fd4e734a9707\n2732a5adf7152c21b4a5aaa0a7b45f3d4be7874a\naa7261397b39ae202abcfc337b8307c7d2532a9b7ee721f7a87a6f25aa59608d\n622b6b82655de58b927dd956ab84db9d\n48:IYhkrFN9YfHFTtJXQHyeyQ4v3W7UNp/xmhIfgjOGkOHMZKKyMaiskaO3n:TsYdxJXQHFY375ro6tZ8MaM93n\nT1E05100012CF6C176147724BB9E73B25A2B5064476216E41C3AEDDA28CF82FD9EC426EC\nHTML \ninternet\nhtml\nHTML document, Unicode text, UTF-8 text\nHyperText Markup Language (100%)\nHTML\n3.03 KB (3101 bytes) /_fs-ch-1T1wmsGaOgGaSxcX/assets/inter-var.woff2\n/_fs-ch-1T1wmsGaOgGaSxcX/assets/styles.css -13jdrops from one html/38 malic files/bluetooth cap.", "modified": "2026-05-10T08:20:56.907000", "created": "2026-05-09T06:52:00.985000", "tags": [ "nothing", "registry keys", "mutexes nothing", "data", "datacrashpad", "edge", "created", "parent pid", "full path", "command line", "https", "network info", "processes extra", "performs dns", "layer protocol", "overview", "mitre attack", "overview zenbox", "verdict", "guest system", "phishing", "defense evasion", "next", "ip info", "ip country", "united", "info process", "mwdb", "bazaar", "sha3384", "ssdeep", "strong", "file type", "library", "size", "default", "sha1", "accept", "mcafee", "span", "install", "softonic", "alerta", "download", "error", "crypt32", "body", "bootkit", "lockfile", "title", "inside", "shutdown", "impact", "global", "restart", "uwaga", "startpage", "window", "find", "false", "null", "payload", "write", "installer", "winmm", "back", "nlrnsrdb", "trumusic", "kevsight tox", "html internet", "html document", "unicode text", "utf8 text", "language", "settings", "first counter", "file size", "sha256", "bridge", "info", "date", "agent", "root", "pe file", "ms windows", "pe32", "found", "png image", "rgba", "cabinet archive", "files c", "delphi", "code", "persistence", "malicious", "unix", "wed jun", "dropped info", "linux verdict", "bluetooth", "4/27/25", "drops", "legacy admin", "hacking tools", "geofence", "education", "government" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/aa7261397b39ae202abcfc337b8307c7d2532a9b7ee721f7a87a6f25aa59608d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778308356&Signature=Bq0QXx5QtdlR4B1OLE2oNH2ivhP5koRxoxaBIC4bDOb1nad7b%2B4MKW2csIzcVHkiJ2lEuxuzVaPZAtPN9ZbTMiEwygTIHCvt%2BjujlP3fb2dgOki9C6FhEd5DCKB3RdzsNdqXB2VDF7rZoLj%2BNII3rrWNk714D3qNNxku1k1gsD%2FpGCxIrO0e0y2styb6l6hhzJjcGwSCEPbS6MRA%2BA90qkVuNCgIucEDcJ5lkx0B2OOW4YW0Csc3", "https://vtbehaviour.commondatastorage.googleapis.com/aa7261397b39ae202abcfc337b8307c7d2532a9b7ee721f7a87a6f25aa59608d_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778308390&Signature=29e34JRtkg7NaukyKdD3mE9rGo0hrpCAePmGPmvrVPeeHY4ax13egnxzXVjOctDKN%2F26RdliQEdXTd301UZjrUIJxeMbNgmdXQ3AdU5y%2FV8c21ePTIEAIq2Onb%2Bq5kutHekqTdBS3d0tgfIBKVBE9kZsGWzbMQFPKPv%2B%2FDpvMZSgtM2dO2vord9nXbkwcHCYBrVWvVALPOmXc910%2BAWvZOsLaWmvQjsMI0DTAIUwyx0zveFkVWqa2XOJbD", "https://vtbehaviour.commondatastorage.googleapis.com/aa7261397b39ae202abcfc337b8307c7d2532a9b7ee721f7a87a6f25aa59608d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778308554&Signature=lODaur8GDc6MSh92WMx%2BV%2F7WRfkYjVs6kHiY4Sx12RcybRrsXaBC6oik%2FVeSMne1EODoqRn6AOcL%2FnIJ3J1ki%2Flrawz0HqWnxDTycnuefpWaPbw6abOU2796lcdgAMJxF9cGIDFHeaJDHQhbd0qeV07OK%2BhEKGGkjFWmqxOlqcTx526c%2FyRTuJaoFKrRzHVk9z2Xhv16kmnrY1VWhnBNyv3cMtVW076z2DheqC1Nya4ZJR3T", "https://vtbehaviour.commondatastorage.googleapis.com/fe2fcf32cc0d38931131fde27db1e5693774844075b4e3c33c82a3625f397a7d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778308630&Signature=tal7xZ9VHrLtK%2Fx5z4thfPUsqP4jnN7mnhQemzL4D6Jt%2BSk8bXHsrCdJlx%2Be1lnoGRVGwvwKCjx3CEIT2hLNbJt09HJOJW8y0ZHcSz%2BVuPuDQOe77pC%2F3yFozFW3vI7CEZI7ISt8C80aND1aciQHVQazVru6MO8fQbjeA78vsrN6MB0ZuxTE%2FXOh0gshhIYHplGRIVhhJx5waxIeoxWL1ZXsSC%2BoXwk4g44W5t38Y5Tkcf%2", "https://vtbehaviour.commondatastorage.googleapis.com/643c94812af9c0d32df3563b4c03f3a27bb3931df6d0bf98ed2028439df5c523_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778308947&Signature=alDMcpCHWUfDgEjmw6GuL5bYJ7WAgrYGXsYb8PfNczzjNzMmdclOsPPSd8nKJEDsDmNxeb2sw0hYiHkOza%2FRN9q8612YM9nTO2inlISRitzqqNDU6JlAsf97walR1G6zBOoJyqTiDrsSbx5evH65eHfvmspVqAXrb%2BQ47kPd56689I4BQ%2BsXgtfYNLYfi0tZCIDXf9zFVUl7yJpOaXHvd6%2FB7n3VeDqry5%2FrR9w%2Ftznq2oHOWz", "https://vtbehaviour.commondatastorage.googleapis.com/96726d252031408ce594cb2d0f49cc98a87d5742e5c7bf95b067158bf1ecbb5a_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778309020&Signature=vqlAf29Jh8gzLx2hXd4oK3SHSQ7rtDkDCKFUjJTgs37n6pJU8vOHAMY%2BZDsFv79mq1BdEHoY7nok%2B%2F8fXKVOYaTlt0eAlBTIvhYUtDyujmwblYEgNlDU1rpNNKmZ55W8WmPUBFmUN3AaCIOZIX5vA4HFg6qulPpJnXDQ57TINvsk4Wwf9mClPe97Ye9DE6zAZarXt7XMT2RTpxVJqTD143j7%2BeJGcwEPknT64TWHLEfitFThoeAdncSqpQS74B", "https://vtbehaviour.commondatastorage.googleapis.com/cb38f0c781c188c3fc2ace5f55a12f2a4833c1c5fc869e698cf7994041e4a135_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778309094&Signature=2X1UxXszEC0vdMoCHG30M8zifvQi45%2FJScJ8N3QaALRZ8JM5fIK5QIhWdv9eYZgDlMDjqEs9sECAtO16r8UbHNPoPwRNzqUN6f6UIq0L8Tj%2BIYQrjZo7NBhiH6eUgkTaHAoBU02WDYP5Ov0biBhHziqfTBQQ5yDFh0H9CPRlLUefNK%2BHM%2BQYLwGLUpQ5yBTv1Mh5suQ1PLSj3g%2Fz429aGgT0ianBgbW7IIV50lIP4m5cr5UUek3l", "https://vtbehaviour.commondatastorage.googleapis.com/643c94812af9c0d32df3563b4c03f3a27bb3931df6d0bf98ed2028439df5c523_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778309164&Signature=NWdp0fiFpH6Jr1kaVwKEFGn0Zk0wRKMQLorUPZy7WKGD3M381ZLQM1PRrWmvwz5bujAib4QiCiOLd8A7PMvTMnOKQXz%2BwsI8tZk1vXfRwW6DJpI8nj3KWKoP3btIoik2VBrWn%2Fr1xNdIJ4Ic2MQEfOpslObUTaNkvaOGbdedf8llYwYXllyZneCKuVP5wMIq72nExH21e3%2FIfViwNbHZFbKS6roKZkLx4V7XxVk94woz0KT1LUAS0dYh" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1592", "name": "Gather Victim Host Information", "display_name": "T1592 - Gather Victim Host Information" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 529, "IPv4": 403, "hostname": 394, "domain": 121, "URL": 262, "FileHash-SHA1": 291, "FileHash-SHA256": 396 }, "indicator_count": 2396, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "21 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69fed98ed79b13165d78dc30", "name": "CAPE Sandbox - \"Client Challenge\" Created 4/27/2025.", "description": "[The Cuckoo.com website has been shut down by Microsoft, with the result of an analysis of the network's traffic patterns, and the results of its analysis] A SHA for an educational app/website I dont even have generated what is called \" Client Challenge\"\n 2c4b2093aa07afb9d633fd4e734a9707\n2732a5adf7152c21b4a5aaa0a7b45f3d4be7874a\naa7261397b39ae202abcfc337b8307c7d2532a9b7ee721f7a87a6f25aa59608d\n622b6b82655de58b927dd956ab84db9d\n48:IYhkrFN9YfHFTtJXQHyeyQ4v3W7UNp/xmhIfgjOGkOHMZKKyMaiskaO3n:TsYdxJXQHFY375ro6tZ8MaM93n\nT1E05100012CF6C176147724BB9E73B25A2B5064476216E41C3AEDDA28CF82FD9EC426EC\nHTML \ninternet\nhtml\nHTML document, Unicode text, UTF-8 text\nHyperText Markup Language (100%)\nHTML\n3.03 KB (3101 bytes) /_fs-ch-1T1wmsGaOgGaSxcX/assets/inter-var.woff2\n/_fs-ch-1T1wmsGaOgGaSxcX/assets/styles.css -13jdrops from one html/38 malic files/bluetooth cap.", "modified": "2026-05-10T08:11:16.996000", "created": "2026-05-09T06:51:58.884000", "tags": [ "nothing", "registry keys", "mutexes nothing", "data", "datacrashpad", "edge", "created", "parent pid", "full path", "command line", "https", "network info", "processes extra", "performs dns", "layer protocol", "overview", "mitre attack", "overview zenbox", "verdict", "guest system", "phishing", "defense evasion", "next", "ip info", "ip country", "united", "info process", "mwdb", "bazaar", "sha3384", "ssdeep", "strong", "file type", "library", "size", "default", "sha1", "accept", "mcafee", "span", "install", "softonic", "alerta", "download", "error", "crypt32", "body", "bootkit", "lockfile", "title", "inside", "shutdown", "impact", "global", "restart", "uwaga", "startpage", "window", "find", "false", "null", "payload", "write", "installer", "winmm", "back", "nlrnsrdb", "trumusic", "kevsight tox", "html internet", "html document", "unicode text", "utf8 text", "language", "settings", "first counter", "file size", "sha256", "bridge", "info", "date", "agent", "root", "pe file", "ms windows", "pe32", "found", "png image", "rgba", "cabinet archive", "files c", "delphi", "code", "persistence", "malicious", "unix", "wed jun", "dropped info", "linux verdict", "bluetooth", "4/27/25", "drops", "legacy admin", "hacking tools", "geofence", "education", "government" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/aa7261397b39ae202abcfc337b8307c7d2532a9b7ee721f7a87a6f25aa59608d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778308356&Signature=Bq0QXx5QtdlR4B1OLE2oNH2ivhP5koRxoxaBIC4bDOb1nad7b%2B4MKW2csIzcVHkiJ2lEuxuzVaPZAtPN9ZbTMiEwygTIHCvt%2BjujlP3fb2dgOki9C6FhEd5DCKB3RdzsNdqXB2VDF7rZoLj%2BNII3rrWNk714D3qNNxku1k1gsD%2FpGCxIrO0e0y2styb6l6hhzJjcGwSCEPbS6MRA%2BA90qkVuNCgIucEDcJ5lkx0B2OOW4YW0Csc3", "https://vtbehaviour.commondatastorage.googleapis.com/aa7261397b39ae202abcfc337b8307c7d2532a9b7ee721f7a87a6f25aa59608d_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778308390&Signature=29e34JRtkg7NaukyKdD3mE9rGo0hrpCAePmGPmvrVPeeHY4ax13egnxzXVjOctDKN%2F26RdliQEdXTd301UZjrUIJxeMbNgmdXQ3AdU5y%2FV8c21ePTIEAIq2Onb%2Bq5kutHekqTdBS3d0tgfIBKVBE9kZsGWzbMQFPKPv%2B%2FDpvMZSgtM2dO2vord9nXbkwcHCYBrVWvVALPOmXc910%2BAWvZOsLaWmvQjsMI0DTAIUwyx0zveFkVWqa2XOJbD", "https://vtbehaviour.commondatastorage.googleapis.com/aa7261397b39ae202abcfc337b8307c7d2532a9b7ee721f7a87a6f25aa59608d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778308554&Signature=lODaur8GDc6MSh92WMx%2BV%2F7WRfkYjVs6kHiY4Sx12RcybRrsXaBC6oik%2FVeSMne1EODoqRn6AOcL%2FnIJ3J1ki%2Flrawz0HqWnxDTycnuefpWaPbw6abOU2796lcdgAMJxF9cGIDFHeaJDHQhbd0qeV07OK%2BhEKGGkjFWmqxOlqcTx526c%2FyRTuJaoFKrRzHVk9z2Xhv16kmnrY1VWhnBNyv3cMtVW076z2DheqC1Nya4ZJR3T", "https://vtbehaviour.commondatastorage.googleapis.com/fe2fcf32cc0d38931131fde27db1e5693774844075b4e3c33c82a3625f397a7d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778308630&Signature=tal7xZ9VHrLtK%2Fx5z4thfPUsqP4jnN7mnhQemzL4D6Jt%2BSk8bXHsrCdJlx%2Be1lnoGRVGwvwKCjx3CEIT2hLNbJt09HJOJW8y0ZHcSz%2BVuPuDQOe77pC%2F3yFozFW3vI7CEZI7ISt8C80aND1aciQHVQazVru6MO8fQbjeA78vsrN6MB0ZuxTE%2FXOh0gshhIYHplGRIVhhJx5waxIeoxWL1ZXsSC%2BoXwk4g44W5t38Y5Tkcf%2", "https://vtbehaviour.commondatastorage.googleapis.com/643c94812af9c0d32df3563b4c03f3a27bb3931df6d0bf98ed2028439df5c523_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778308947&Signature=alDMcpCHWUfDgEjmw6GuL5bYJ7WAgrYGXsYb8PfNczzjNzMmdclOsPPSd8nKJEDsDmNxeb2sw0hYiHkOza%2FRN9q8612YM9nTO2inlISRitzqqNDU6JlAsf97walR1G6zBOoJyqTiDrsSbx5evH65eHfvmspVqAXrb%2BQ47kPd56689I4BQ%2BsXgtfYNLYfi0tZCIDXf9zFVUl7yJpOaXHvd6%2FB7n3VeDqry5%2FrR9w%2Ftznq2oHOWz", "https://vtbehaviour.commondatastorage.googleapis.com/96726d252031408ce594cb2d0f49cc98a87d5742e5c7bf95b067158bf1ecbb5a_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778309020&Signature=vqlAf29Jh8gzLx2hXd4oK3SHSQ7rtDkDCKFUjJTgs37n6pJU8vOHAMY%2BZDsFv79mq1BdEHoY7nok%2B%2F8fXKVOYaTlt0eAlBTIvhYUtDyujmwblYEgNlDU1rpNNKmZ55W8WmPUBFmUN3AaCIOZIX5vA4HFg6qulPpJnXDQ57TINvsk4Wwf9mClPe97Ye9DE6zAZarXt7XMT2RTpxVJqTD143j7%2BeJGcwEPknT64TWHLEfitFThoeAdncSqpQS74B", "https://vtbehaviour.commondatastorage.googleapis.com/cb38f0c781c188c3fc2ace5f55a12f2a4833c1c5fc869e698cf7994041e4a135_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778309094&Signature=2X1UxXszEC0vdMoCHG30M8zifvQi45%2FJScJ8N3QaALRZ8JM5fIK5QIhWdv9eYZgDlMDjqEs9sECAtO16r8UbHNPoPwRNzqUN6f6UIq0L8Tj%2BIYQrjZo7NBhiH6eUgkTaHAoBU02WDYP5Ov0biBhHziqfTBQQ5yDFh0H9CPRlLUefNK%2BHM%2BQYLwGLUpQ5yBTv1Mh5suQ1PLSj3g%2Fz429aGgT0ianBgbW7IIV50lIP4m5cr5UUek3l", "https://vtbehaviour.commondatastorage.googleapis.com/643c94812af9c0d32df3563b4c03f3a27bb3931df6d0bf98ed2028439df5c523_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778309164&Signature=NWdp0fiFpH6Jr1kaVwKEFGn0Zk0wRKMQLorUPZy7WKGD3M381ZLQM1PRrWmvwz5bujAib4QiCiOLd8A7PMvTMnOKQXz%2BwsI8tZk1vXfRwW6DJpI8nj3KWKoP3btIoik2VBrWn%2Fr1xNdIJ4Ic2MQEfOpslObUTaNkvaOGbdedf8llYwYXllyZneCKuVP5wMIq72nExH21e3%2FIfViwNbHZFbKS6roKZkLx4V7XxVk94woz0KT1LUAS0dYh" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1592", "name": "Gather Victim Host Information", "display_name": "T1592 - Gather Victim Host Information" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 547, "IPv4": 545, "hostname": 752, "domain": 290, "URL": 979, "FileHash-SHA1": 296, "FileHash-SHA256": 904, "CIDR": 2, "email": 2 }, "indicator_count": 4317, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "21 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69fed98a5807c9756ff0eb87", "name": "CAPE Sandbox - \"Client Challenge\" Created 4/27/2025.", "description": "[The Cuckoo.com website has been shut down by Microsoft, with the result of an analysis of the network's traffic patterns, and the results of its analysis] A SHA for an educational app/website I dont even have generated what is called \" Client Challenge\"\n 2c4b2093aa07afb9d633fd4e734a9707\n2732a5adf7152c21b4a5aaa0a7b45f3d4be7874a\naa7261397b39ae202abcfc337b8307c7d2532a9b7ee721f7a87a6f25aa59608d\n622b6b82655de58b927dd956ab84db9d\n48:IYhkrFN9YfHFTtJXQHyeyQ4v3W7UNp/xmhIfgjOGkOHMZKKyMaiskaO3n:TsYdxJXQHFY375ro6tZ8MaM93n\nT1E05100012CF6C176147724BB9E73B25A2B5064476216E41C3AEDDA28CF82FD9EC426EC\nHTML \ninternet\nhtml\nHTML document, Unicode text, UTF-8 text\nHyperText Markup Language (100%)\nHTML\n3.03 KB (3101 bytes) /_fs-ch-1T1wmsGaOgGaSxcX/assets/inter-var.woff2\n/_fs-ch-1T1wmsGaOgGaSxcX/assets/styles.css -13jdrops from one html/38 malic files/bluetooth cap.", "modified": "2026-05-09T12:26:36.816000", "created": "2026-05-09T06:51:54.319000", "tags": [ "nothing", "registry keys", "mutexes nothing", "data", "datacrashpad", "edge", "created", "parent pid", "full path", "command line", "https", "network info", "processes extra", "performs dns", "layer protocol", "overview", "mitre attack", "overview zenbox", "verdict", "guest system", "phishing", "defense evasion", "next", "ip info", "ip country", "united", "info process", "mwdb", "bazaar", "sha3384", "ssdeep", "strong", "file type", "library", "size", "default", "sha1", "accept", "mcafee", "span", "install", "softonic", "alerta", "download", "error", "crypt32", "body", "bootkit", "lockfile", "title", "inside", "shutdown", "impact", "global", "restart", "uwaga", "startpage", "window", "find", "false", "null", "payload", "write", "installer", "winmm", "back", "nlrnsrdb", "trumusic", "kevsight tox", "html internet", "html document", "unicode text", "utf8 text", "language", "settings", "first counter", "file size", "sha256", "bridge", "info", "date", "agent", "root", "pe file", "ms windows", "pe32", "found", "png image", "rgba", "cabinet archive", "files c", "delphi", "code", "persistence", "malicious", "unix", "wed jun", "dropped info", "linux verdict", "bluetooth", "4/27/25", "drops", "legacy admin", "hacking tools", "geofence", "education", "government" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/aa7261397b39ae202abcfc337b8307c7d2532a9b7ee721f7a87a6f25aa59608d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778308356&Signature=Bq0QXx5QtdlR4B1OLE2oNH2ivhP5koRxoxaBIC4bDOb1nad7b%2B4MKW2csIzcVHkiJ2lEuxuzVaPZAtPN9ZbTMiEwygTIHCvt%2BjujlP3fb2dgOki9C6FhEd5DCKB3RdzsNdqXB2VDF7rZoLj%2BNII3rrWNk714D3qNNxku1k1gsD%2FpGCxIrO0e0y2styb6l6hhzJjcGwSCEPbS6MRA%2BA90qkVuNCgIucEDcJ5lkx0B2OOW4YW0Csc3", "https://vtbehaviour.commondatastorage.googleapis.com/aa7261397b39ae202abcfc337b8307c7d2532a9b7ee721f7a87a6f25aa59608d_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778308390&Signature=29e34JRtkg7NaukyKdD3mE9rGo0hrpCAePmGPmvrVPeeHY4ax13egnxzXVjOctDKN%2F26RdliQEdXTd301UZjrUIJxeMbNgmdXQ3AdU5y%2FV8c21ePTIEAIq2Onb%2Bq5kutHekqTdBS3d0tgfIBKVBE9kZsGWzbMQFPKPv%2B%2FDpvMZSgtM2dO2vord9nXbkwcHCYBrVWvVALPOmXc910%2BAWvZOsLaWmvQjsMI0DTAIUwyx0zveFkVWqa2XOJbD", "https://vtbehaviour.commondatastorage.googleapis.com/aa7261397b39ae202abcfc337b8307c7d2532a9b7ee721f7a87a6f25aa59608d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778308554&Signature=lODaur8GDc6MSh92WMx%2BV%2F7WRfkYjVs6kHiY4Sx12RcybRrsXaBC6oik%2FVeSMne1EODoqRn6AOcL%2FnIJ3J1ki%2Flrawz0HqWnxDTycnuefpWaPbw6abOU2796lcdgAMJxF9cGIDFHeaJDHQhbd0qeV07OK%2BhEKGGkjFWmqxOlqcTx526c%2FyRTuJaoFKrRzHVk9z2Xhv16kmnrY1VWhnBNyv3cMtVW076z2DheqC1Nya4ZJR3T", "https://vtbehaviour.commondatastorage.googleapis.com/fe2fcf32cc0d38931131fde27db1e5693774844075b4e3c33c82a3625f397a7d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778308630&Signature=tal7xZ9VHrLtK%2Fx5z4thfPUsqP4jnN7mnhQemzL4D6Jt%2BSk8bXHsrCdJlx%2Be1lnoGRVGwvwKCjx3CEIT2hLNbJt09HJOJW8y0ZHcSz%2BVuPuDQOe77pC%2F3yFozFW3vI7CEZI7ISt8C80aND1aciQHVQazVru6MO8fQbjeA78vsrN6MB0ZuxTE%2FXOh0gshhIYHplGRIVhhJx5waxIeoxWL1ZXsSC%2BoXwk4g44W5t38Y5Tkcf%2", "https://vtbehaviour.commondatastorage.googleapis.com/643c94812af9c0d32df3563b4c03f3a27bb3931df6d0bf98ed2028439df5c523_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778308947&Signature=alDMcpCHWUfDgEjmw6GuL5bYJ7WAgrYGXsYb8PfNczzjNzMmdclOsPPSd8nKJEDsDmNxeb2sw0hYiHkOza%2FRN9q8612YM9nTO2inlISRitzqqNDU6JlAsf97walR1G6zBOoJyqTiDrsSbx5evH65eHfvmspVqAXrb%2BQ47kPd56689I4BQ%2BsXgtfYNLYfi0tZCIDXf9zFVUl7yJpOaXHvd6%2FB7n3VeDqry5%2FrR9w%2Ftznq2oHOWz", "https://vtbehaviour.commondatastorage.googleapis.com/96726d252031408ce594cb2d0f49cc98a87d5742e5c7bf95b067158bf1ecbb5a_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778309020&Signature=vqlAf29Jh8gzLx2hXd4oK3SHSQ7rtDkDCKFUjJTgs37n6pJU8vOHAMY%2BZDsFv79mq1BdEHoY7nok%2B%2F8fXKVOYaTlt0eAlBTIvhYUtDyujmwblYEgNlDU1rpNNKmZ55W8WmPUBFmUN3AaCIOZIX5vA4HFg6qulPpJnXDQ57TINvsk4Wwf9mClPe97Ye9DE6zAZarXt7XMT2RTpxVJqTD143j7%2BeJGcwEPknT64TWHLEfitFThoeAdncSqpQS74B", "https://vtbehaviour.commondatastorage.googleapis.com/cb38f0c781c188c3fc2ace5f55a12f2a4833c1c5fc869e698cf7994041e4a135_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778309094&Signature=2X1UxXszEC0vdMoCHG30M8zifvQi45%2FJScJ8N3QaALRZ8JM5fIK5QIhWdv9eYZgDlMDjqEs9sECAtO16r8UbHNPoPwRNzqUN6f6UIq0L8Tj%2BIYQrjZo7NBhiH6eUgkTaHAoBU02WDYP5Ov0biBhHziqfTBQQ5yDFh0H9CPRlLUefNK%2BHM%2BQYLwGLUpQ5yBTv1Mh5suQ1PLSj3g%2Fz429aGgT0ianBgbW7IIV50lIP4m5cr5UUek3l", "https://vtbehaviour.commondatastorage.googleapis.com/643c94812af9c0d32df3563b4c03f3a27bb3931df6d0bf98ed2028439df5c523_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778309164&Signature=NWdp0fiFpH6Jr1kaVwKEFGn0Zk0wRKMQLorUPZy7WKGD3M381ZLQM1PRrWmvwz5bujAib4QiCiOLd8A7PMvTMnOKQXz%2BwsI8tZk1vXfRwW6DJpI8nj3KWKoP3btIoik2VBrWn%2Fr1xNdIJ4Ic2MQEfOpslObUTaNkvaOGbdedf8llYwYXllyZneCKuVP5wMIq72nExH21e3%2FIfViwNbHZFbKS6roKZkLx4V7XxVk94woz0KT1LUAS0dYh" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1592", "name": "Gather Victim Host Information", "display_name": "T1592 - Gather Victim Host Information" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 521, "IPv4": 402, "hostname": 393, "domain": 120, "URL": 261, "FileHash-SHA1": 287, "FileHash-SHA256": 391 }, "indicator_count": 2375, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "22 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69fed9859e3d403a869a56d9", "name": "CAPE Sandbox - \"Client Challenge\" Created 4/27/2025.", "description": "[The Cuckoo.com website has been shut down by Microsoft, with the result of an analysis of the network's traffic patterns, and the results of its analysis] A SHA for an educational app/website I dont even have generated what is called \" Client Challenge\"\n 2c4b2093aa07afb9d633fd4e734a9707\n2732a5adf7152c21b4a5aaa0a7b45f3d4be7874a\naa7261397b39ae202abcfc337b8307c7d2532a9b7ee721f7a87a6f25aa59608d\n622b6b82655de58b927dd956ab84db9d\n48:IYhkrFN9YfHFTtJXQHyeyQ4v3W7UNp/xmhIfgjOGkOHMZKKyMaiskaO3n:TsYdxJXQHFY375ro6tZ8MaM93n\nT1E05100012CF6C176147724BB9E73B25A2B5064476216E41C3AEDDA28CF82FD9EC426EC\nHTML \ninternet\nhtml\nHTML document, Unicode text, UTF-8 text\nHyperText Markup Language (100%)\nHTML\n3.03 KB (3101 bytes) /_fs-ch-1T1wmsGaOgGaSxcX/assets/inter-var.woff2\n/_fs-ch-1T1wmsGaOgGaSxcX/assets/styles.css -13jdrops from one html/38 malic files/bluetooth cap.", "modified": "2026-05-09T07:20:23.936000", "created": "2026-05-09T06:51:49.607000", "tags": [ "nothing", "registry keys", "mutexes nothing", "data", "datacrashpad", "edge", "created", "parent pid", "full path", "command line", "https", "network info", "processes extra", "performs dns", "layer protocol", "overview", "mitre attack", "overview zenbox", "verdict", "guest system", "phishing", "defense evasion", "next", "ip info", "ip country", "united", "info process", "mwdb", "bazaar", "sha3384", "ssdeep", "strong", "file type", "library", "size", "default", "sha1", "accept", "mcafee", "span", "install", "softonic", "alerta", "download", "error", "crypt32", "body", "bootkit", "lockfile", "title", "inside", "shutdown", "impact", "global", "restart", "uwaga", "startpage", "window", "find", "false", "null", "payload", "write", "installer", "winmm", "back", "nlrnsrdb", "trumusic", "kevsight tox", "html internet", "html document", "unicode text", "utf8 text", "language", "settings", "first counter", "file size", "sha256", "bridge", "info", "date", "agent", "root", "pe file", "ms windows", "pe32", "found", "png image", "rgba", "cabinet archive", "files c", "delphi", "code", "persistence", "malicious", "unix", "wed jun", "dropped info", "linux verdict", "bluetooth", "4/27/25", "drops", "legacy admin", "hacking tools", "geofence", "education", "government" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/aa7261397b39ae202abcfc337b8307c7d2532a9b7ee721f7a87a6f25aa59608d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778308356&Signature=Bq0QXx5QtdlR4B1OLE2oNH2ivhP5koRxoxaBIC4bDOb1nad7b%2B4MKW2csIzcVHkiJ2lEuxuzVaPZAtPN9ZbTMiEwygTIHCvt%2BjujlP3fb2dgOki9C6FhEd5DCKB3RdzsNdqXB2VDF7rZoLj%2BNII3rrWNk714D3qNNxku1k1gsD%2FpGCxIrO0e0y2styb6l6hhzJjcGwSCEPbS6MRA%2BA90qkVuNCgIucEDcJ5lkx0B2OOW4YW0Csc3", "https://vtbehaviour.commondatastorage.googleapis.com/aa7261397b39ae202abcfc337b8307c7d2532a9b7ee721f7a87a6f25aa59608d_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778308390&Signature=29e34JRtkg7NaukyKdD3mE9rGo0hrpCAePmGPmvrVPeeHY4ax13egnxzXVjOctDKN%2F26RdliQEdXTd301UZjrUIJxeMbNgmdXQ3AdU5y%2FV8c21ePTIEAIq2Onb%2Bq5kutHekqTdBS3d0tgfIBKVBE9kZsGWzbMQFPKPv%2B%2FDpvMZSgtM2dO2vord9nXbkwcHCYBrVWvVALPOmXc910%2BAWvZOsLaWmvQjsMI0DTAIUwyx0zveFkVWqa2XOJbD", "https://vtbehaviour.commondatastorage.googleapis.com/aa7261397b39ae202abcfc337b8307c7d2532a9b7ee721f7a87a6f25aa59608d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778308554&Signature=lODaur8GDc6MSh92WMx%2BV%2F7WRfkYjVs6kHiY4Sx12RcybRrsXaBC6oik%2FVeSMne1EODoqRn6AOcL%2FnIJ3J1ki%2Flrawz0HqWnxDTycnuefpWaPbw6abOU2796lcdgAMJxF9cGIDFHeaJDHQhbd0qeV07OK%2BhEKGGkjFWmqxOlqcTx526c%2FyRTuJaoFKrRzHVk9z2Xhv16kmnrY1VWhnBNyv3cMtVW076z2DheqC1Nya4ZJR3T", "https://vtbehaviour.commondatastorage.googleapis.com/fe2fcf32cc0d38931131fde27db1e5693774844075b4e3c33c82a3625f397a7d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778308630&Signature=tal7xZ9VHrLtK%2Fx5z4thfPUsqP4jnN7mnhQemzL4D6Jt%2BSk8bXHsrCdJlx%2Be1lnoGRVGwvwKCjx3CEIT2hLNbJt09HJOJW8y0ZHcSz%2BVuPuDQOe77pC%2F3yFozFW3vI7CEZI7ISt8C80aND1aciQHVQazVru6MO8fQbjeA78vsrN6MB0ZuxTE%2FXOh0gshhIYHplGRIVhhJx5waxIeoxWL1ZXsSC%2BoXwk4g44W5t38Y5Tkcf%2", "https://vtbehaviour.commondatastorage.googleapis.com/643c94812af9c0d32df3563b4c03f3a27bb3931df6d0bf98ed2028439df5c523_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778308947&Signature=alDMcpCHWUfDgEjmw6GuL5bYJ7WAgrYGXsYb8PfNczzjNzMmdclOsPPSd8nKJEDsDmNxeb2sw0hYiHkOza%2FRN9q8612YM9nTO2inlISRitzqqNDU6JlAsf97walR1G6zBOoJyqTiDrsSbx5evH65eHfvmspVqAXrb%2BQ47kPd56689I4BQ%2BsXgtfYNLYfi0tZCIDXf9zFVUl7yJpOaXHvd6%2FB7n3VeDqry5%2FrR9w%2Ftznq2oHOWz", "https://vtbehaviour.commondatastorage.googleapis.com/96726d252031408ce594cb2d0f49cc98a87d5742e5c7bf95b067158bf1ecbb5a_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778309020&Signature=vqlAf29Jh8gzLx2hXd4oK3SHSQ7rtDkDCKFUjJTgs37n6pJU8vOHAMY%2BZDsFv79mq1BdEHoY7nok%2B%2F8fXKVOYaTlt0eAlBTIvhYUtDyujmwblYEgNlDU1rpNNKmZ55W8WmPUBFmUN3AaCIOZIX5vA4HFg6qulPpJnXDQ57TINvsk4Wwf9mClPe97Ye9DE6zAZarXt7XMT2RTpxVJqTD143j7%2BeJGcwEPknT64TWHLEfitFThoeAdncSqpQS74B", "https://vtbehaviour.commondatastorage.googleapis.com/cb38f0c781c188c3fc2ace5f55a12f2a4833c1c5fc869e698cf7994041e4a135_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778309094&Signature=2X1UxXszEC0vdMoCHG30M8zifvQi45%2FJScJ8N3QaALRZ8JM5fIK5QIhWdv9eYZgDlMDjqEs9sECAtO16r8UbHNPoPwRNzqUN6f6UIq0L8Tj%2BIYQrjZo7NBhiH6eUgkTaHAoBU02WDYP5Ov0biBhHziqfTBQQ5yDFh0H9CPRlLUefNK%2BHM%2BQYLwGLUpQ5yBTv1Mh5suQ1PLSj3g%2Fz429aGgT0ianBgbW7IIV50lIP4m5cr5UUek3l", "https://vtbehaviour.commondatastorage.googleapis.com/643c94812af9c0d32df3563b4c03f3a27bb3931df6d0bf98ed2028439df5c523_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778309164&Signature=NWdp0fiFpH6Jr1kaVwKEFGn0Zk0wRKMQLorUPZy7WKGD3M381ZLQM1PRrWmvwz5bujAib4QiCiOLd8A7PMvTMnOKQXz%2BwsI8tZk1vXfRwW6DJpI8nj3KWKoP3btIoik2VBrWn%2Fr1xNdIJ4Ic2MQEfOpslObUTaNkvaOGbdedf8llYwYXllyZneCKuVP5wMIq72nExH21e3%2FIfViwNbHZFbKS6roKZkLx4V7XxVk94woz0KT1LUAS0dYh" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1592", "name": "Gather Victim Host Information", "display_name": "T1592 - Gather Victim Host Information" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 522, "IPv4": 409, "hostname": 645, "domain": 178, "URL": 786, "FileHash-SHA1": 288, "FileHash-SHA256": 392, "CVE": 1 }, "indicator_count": 3221, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "22 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69b784cc650f89739e92c4f4", "name": "CAPE Sandbox - google family link (dont have gmail)", "description": "index.html\nFile Type\tHTML document, Unicode text, UTF-8 text, with very long lines (3040)\nFile Size\t153711 bytes\nMD5\t49c89656ad04dbb9a29d7043f31722d5\nSHA1\td7893632bf29d9186ee05cfb7e52b80eb46013d5\nSHA256\t596bac3d66273f190e72aaf8e35a8088d2f06e6b6e153a9648327ce0778f8361 [VT] [MWDB] [Bazaar]\nSHA3-384\t7448e6873457ee7707faa770255c0b540feaf21aa3f9acf71c9bc8ebd8486457df23a5c21d8c374659a790714643d17b\nCRC32\tC67399A4\nTLSH\tT1A3E3C973416BE027501152A9B62D3B4EFE23E6A7C7A7C3D4B57C86D02F85CEB8413998\nSsdeep\t1536:w63/JengXYQh5g84wgWun5pwqNpXvh/eRMBvh7vG9vqvcjvh7vG9vqCb5:R/JenuYQDFmnUeX7xcM5", "modified": "2026-04-15T05:00:30.448000", "created": "2026-03-16T04:19:24.046000", "tags": [ "file type", "html document", "unicode text", "utf8 text", "file size", "sha256", "mwdb", "bazaar", "sha3384", "crc32 c67399a4" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4, "FileHash-SHA1": 4, "FileHash-SHA256": 5, "hostname": 143, "URL": 121, "domain": 11 }, "indicator_count": 288, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "46 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "677db8b56d3d4c3af9ebd9b5", "name": "hxxps://tinyurl [.] com/Pixel2 - Link to Google Drive of Malicious APKs (unenriched analysis of link to the Google Drive)", "description": "hxxps://tinyurl [.] com - Link to Google Drive of Malicious APKs\nIt appears a link to a Backup of Client's APKs (Telus Google Device Protected by Norton)\nDevice currently connected to the University of Alberta, Telus Communications (ISP), Alberta Health Services (AHS) and the Government of Alberta - is apparently itself malicious (still links to Google Drive Folder of APKs - to import for analysis later).", "modified": "2025-02-07T05:00:08.549000", "created": "2025-01-07T23:28:53.566000", "tags": [ "UAlberta", "AHS", "Google", "Telus", "Pixel", "Norton" ], "references": [ "https://www.filescan.io/uploads/677e0e14212309a70397d357/reports/0077a75d-f7d7-4634-a1ba-6f7b0488f9da/overview", "https://urlquery.net/report/16d1e034-1c64-4cbe-8b58-f5926dab9001", "https://www.virustotal.com/gui/url/1763a71e86e74729f1e993dc2e6b5cec9d91dd51245533a5300c85c9d49bc7ef", "http://www.hybrid-analysis.com/sample/dc744fc325700c6fda2b8d83b39a8c241258b9305058a3402ce70c97932acc74", "http://www.hybrid-analysis.com/sample/dc744fc325700c6fda2b8d83b39a8c241258b9305058a3402ce70c97932acc74/677d1d5dcb161e2448026452" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada", "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [ "Healthcare", "Government", "Education" ], "TLP": "white", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 13, "FileHash-MD5": 96, "FileHash-SHA1": 96, "FileHash-SHA256": 97, "SSLCertFingerprint": 4, "URL": 221, "hostname": 34 }, "indicator_count": 561, "is_author": false, "is_subscribing": null, "subscriber_count": 129, "modified_text": "478 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66eb3ef6d765187a437767e4", "name": "Hijacked 'Operation Endgame' Tofsee Ransomware", "description": "This a project. A target has been put into different Operations: Project Hilo, Project Helix, Operation Endgame, The NSO Cellebrite Pegasus hit list. These are real and very serious serious threat. Severe Cyber issues made their way to her infected devices as well as the devices of family members. Death threats continue to come in. Several DoD IP addresses found in a PDF. It's unresearched at this time,, DoD via BGP HE has been questionable considering use gateway abuse by SWIPPER. \n\nStill no authority can confirm victim is a suspect. Must be a crazy high to help Jeffrey Scott Reiner PT. DPT get away with assault in such a ridiculous manner. Court report posted online by Trellis (BS) is of course a falsified , vulnerability filled 'made you click' document.. Faldif0, empty docmpty doc, citing it was refreshed in 2023. \nThere is no doubt these masqueraders mean to intimidate, humiliate, isolate & harm target. These people are not in China. False attribution is likely. Attack is disseminates from USA.", "modified": "2024-10-18T20:04:41.836000", "created": "2024-09-18T20:58:30.691000", "tags": [ "as8075", "united", "pid425870621", "tid700443057", "tpid425870621", "slot1", "mascore2", "bcnt1", "unid88000705", "nct1", "date", "china", "china unknown", "passive dns", "body xml", "error code", "requestid", "hostid ec", "server", "gmt content", "type", "registry", "intel", "ms windows", "show", "entries", "search", "high", "pe32", "high process", "injection t1055", "salicode", "worm", "copy", "tools", "service", "write", "win32", "persistence", "execution", "april", "urls", "http", "unique", "scan endpoints", "all scoreblue", "url http", "pulse pulses", "ip address", "related nids", "code", "as54113", "unknown", "body", "fastly error", "please", "sea p", "msil", "accept", "aaaa", "nxdomain", "whitelisted", "as15169 google", "status", "as44273 host", "as46691", "domain", "url https", "files location", "info", "script urls", "path max", "age86400 set", "cookie", "script domains", "javascript", "script script", "trojanspy", "cname", "emails", "servers", "all search", "related pulses", "file samples", "files matching", "creation date", "germany unknown", "yara detections", "filehash", "av detections", "ids detections", "alerts", "analysis date", "file score", "meta", "home welcome", "write c", "delete c", "query", "local", "hostname", "a domains", "lowfi", "content type", "record value", "suite", "showing", "asnone united", "as29873", "ipv4", "pulse submit", "url analysis", "files", "pe32 executable", "potential scan", "0pgtwhu", "t1045", "port", "infection", "recon", "malware", "june", "delphi", "taobao network", "as45102 alibaba", "as4812 china", "next", "expiration date", "name servers", "dynamicloader", "dynamic", "sha256", "dynamic link", "library exe", "adobe", "incorporated", "read", "yara rule", "delete", "binary file", "push", "malicious", "july", "iocs", "levelbluelabs", "jeff4son", "adversaries", "registry run", "flow t1574", "dll sideloading", "boot", "logon autostart", "execution t1547", "keys", "startup folder", "t1497 may", "encryption", "catalog tree", "analysis ob0001", "virtual machine", "detection b0009", "check registry", "analysis ob0002", "executable code", "stack strings", "control ob0004", "get http", "http requests", "dns resolutions", "ip traffic", "pattern domains", "memory pattern", "urls http", "request", "response", "connection", "trojan", "otx scoreblue", "windows", "embeddedwb", "medium", "shellexecuteexw", "msie", "windows nt", "displayname", "tofsee", "hashes", "vhash", "authentihash", "ssdeep", "win32 exe", "magic pe32", "trid win32", "library", "read c", "file guard", "rtversion", "langchinese", "legalcopyright", "reserved", "ransom", "moved", "media", "ascii text", "default", "upack", "mike", "contacted", "x87xe1x1d", "regsetvalueexa", "x95xd3xa4", "regbinary", "x84xa8xe8i", "x8dxb7xb7", "hx88x9ax1e", "mx81xd1r", "x92xac", "xc2x84", "stream", "swipper", "pdfcreator.sf.net", "botnet", "black mercedes", "please forgive me", "therahand thouroughhand" ], "references": [ "Project Endgame - pegausintel.com -Unsjre if related to NSO Group", "Antivirus Detections: ALF:HeraklezEval:Rogue:Win32/FakeRean", "Yara Detections: compromised_site_redirector_fromcharcode , Cabinet_Archive , SFX_CAB", "Alerts: infostealer_cookies persistence_autorun recon_programs recon_fingerprint removes_zoneid_ads anomalous_deletefile", "P\u2019s Contacted: 93.184.221.240 3.33.130.190 | Domains Contacted: counterslocal.com", "compromised_site_redirector_fromcharcode fromCharCode", "Interesting Strings: http://www.interoperabilitybridges.com/wmp http://crbug.com/40902 http://crbug.com/516527", "Interesting Strings: http://service.real.com/realplayer/security/02062012_player/en/", "Interesting Strings: https://support.google.com/chrome/?p=plugin_pdf", "https://support.google.com/chrome/?p=plugin_quicktime https://chrome.google.com/", "Interesting Strings: http://schema.org/GovernmentOrganization https://support.google.com/chrome/?p=plugin_java https://crbug.com/593166", "Pdf.Phishing.TtraffRobotInstall-7605656-0 00004feb58be42ba1bd506ea89f90c5e1d83e6e1fb84841931949a454b0bb539", "Antivirus Detections Cryp_Xed-12 , Mal/Generic-S , Packed/Upack Yara Detections Upackv039finalDwing , UpackV037Dwing", "https://pin.it/ | https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Worm:Win32/Macoute.A", "display_name": "Worm:Win32/Macoute.A", "target": "/malware/Worm:Win32/Macoute.A" }, { "id": "TrojanDownloader:Win32/Nemucod", "display_name": "TrojanDownloader:Win32/Nemucod", "target": "/malware/TrojanDownloader:Win32/Nemucod" }, { "id": "TrojanSpy:Win32/Nivdort", "display_name": "TrojanSpy:Win32/Nivdort", "target": "/malware/TrojanSpy:Win32/Nivdort" }, { "id": "ALF:HeraklezEval:Rogue:Win32/FakeRean", "display_name": "ALF:HeraklezEval:Rogue:Win32/FakeRean", "target": null }, { "id": "Worm:Win32/Fesber.A", "display_name": "Worm:Win32/Fesber.A", "target": "/malware/Worm:Win32/Fesber.A" }, { "id": "Ransom:Win32/Eniqma.A", "display_name": "Ransom:Win32/Eniqma.A", "target": "/malware/Ransom:Win32/Eniqma.A" }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "UpackV037Dwing", "display_name": "UpackV037Dwing", "target": null }, { "id": "Cryp_Xed-12", "display_name": "Cryp_Xed-12", "target": null }, { "id": "Mal/Generic-S", "display_name": "Mal/Generic-S", "target": null } ], "attack_ids": [ { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 29, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1493, "FileHash-SHA1": 1393, "FileHash-SHA256": 5881, "URL": 1495, "domain": 1947, "hostname": 1360, "email": 18, "CVE": 1 }, "indicator_count": 13588, "is_author": false, "is_subscribing": null, "subscriber_count": 232, "modified_text": "589 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65709fe5e685939cb8ce7486", "name": "Direct Search Network", "description": "", "modified": "2023-12-06T16:23:01.912000", "created": "2023-12-06T16:23:01.912000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1105, "domain": 665, "FileHash-SHA256": 1203, "URL": 2334, "FileHash-MD5": 384, "FileHash-SHA1": 62, "email": 2 }, "indicator_count": 5755, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "907 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://policies.google.com/terms", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://policies.google.com/terms", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780256242.0721014 }