{ "type": "URL", "indicator": "https://res.public.onecdn.static.microsoft/designer607825", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://res.public.onecdn.static.microsoft/designer607825", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4352920108, "indicator": "https://res.public.onecdn.static.microsoft/designer607825", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 6, "pulses": [ { "id": "6a03cc521e13c5d6d34555d0", "name": "Judgement Day. VirusTotal report for index.html", "description": "[Apple.com has sent a series of \"fl flushMessages\" to its servers, but what exactly is the data and what is it going to get out of the system and how does it feel?]", "modified": "2026-05-15T10:22:00.139000", "created": "2026-05-13T00:56:50.182000", "tags": [ "darwin kernel", "version", "wed feb", "apfs4kobjs", "instagram", "mosaic", "free", "get http", "dns resolutions", "ip traffic", "pattern domains", "memory pattern", "urls https", "tls sni", "algorithm", "key identifier", "x509v3 subject", "v3 serial", "number", "cus olet", "encrypt cnr13", "validity", "subject public", "key info", "performs dns", "https", "urls", "united", "mitre attack", "network info", "processes extra", "t1055 process", "layer protocol", "overview", "phishing", "defense evasion", "next", "default", "parent pid", "full path", "command line", "k netsvcs", "k localservice", "s w32time", "event provider", "device", "registry keys" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 132, "FileHash-MD5": 43, "FileHash-SHA1": 6, "hostname": 364, "IPv4": 75, "URL": 574, "Mutex": 1, "FileHash-SHA256": 404 }, "indicator_count": 1599, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "16 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a04e84167efe8b5fa43e0ca", "name": "cve-2020-0601 + spoof signing", "description": "CVE2020-0601 is a Curveball vulnerability that could allow attackers to spoof signatures and is a high cryptographic validation flaw. Per NIST, \"A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates. An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source, aka 'Windows CryptoAPI Spoofing Vulnerability',\".", "modified": "2026-05-14T01:04:28.762000", "created": "2026-05-13T21:08:17.669000", "tags": [ "indicators show", "search", "type indicator", "role title", "added active", "related pulses", "instagram", "identifier", "cve-2020-0601" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 51, "hostname": 147, "FileHash-SHA1": 4, "domain": 119, "URL": 169, "IPv4": 282, "FileHash-MD5": 3, "FileHash-SHA256": 283 }, "indicator_count": 1058, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "17 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a04e8423bba51f1e0ff3030", "name": "cve-2020-0601 + spoof signing", "description": "CVE2020-0601 is a Curveball vulnerability that could allow attackers to spoof signatures and is a high cryptographic validation flaw. Per NIST, \"A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates. An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source, aka 'Windows CryptoAPI Spoofing Vulnerability',\".", "modified": "2026-05-13T22:50:49.596000", "created": "2026-05-13T21:08:18.159000", "tags": [ "indicators show", "search", "type indicator", "role title", "added active", "related pulses", "instagram", "identifier", "cve-2020-0601" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 51, "hostname": 147, "FileHash-SHA1": 4, "domain": 119, "URL": 169, "IPv4": 281, "FileHash-MD5": 3, "FileHash-SHA256": 283 }, "indicator_count": 1057, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "17 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a04e83b9a762101e54d6a4f", "name": "cve-2020-0601 + spoof signing", "description": "CVE2020-0601 is a Curveball vulnerability that could allow attackers to spoof signatures and is a high cryptographic validation flaw. Per NIST, \"A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates. An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source, aka 'Windows CryptoAPI Spoofing Vulnerability',\".", "modified": "2026-05-13T22:50:48.345000", "created": "2026-05-13T21:08:11.231000", "tags": [ "indicators show", "search", "type indicator", "role title", "added active", "related pulses", "instagram", "identifier", "cve-2020-0601" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 53, "hostname": 147, "FileHash-SHA1": 24, "domain": 119, "URL": 167, "IPv4": 281, "FileHash-MD5": 15, "FileHash-SHA256": 469, "Mutex": 2 }, "indicator_count": 1277, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "17 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a009e2d25595b3d89057042", "name": "CAPE Sandbox - Signals", "description": "[Marshfield Board and Committee Handbook 2025 is published by the Department of Public Safety and Environment (DPSA) and is subject to a review by its own staff and the UK government, as well as by government itself] pretext.", "modified": "2026-05-12T06:39:58.797000", "created": "2026-05-10T15:03:09.026000", "tags": [ "board", "non profit", "ta profile", "final", "html document", "unicode text", "utf8 text", "crlf", "lf line", "script", "welcome", "marshfield", "link", "arabic", "azerbaijani", "basque", "bengali", "meta", "object", "title", "body", "albanian", "cname", "nxdomain", "massachusetts", "privacy violation", "performs dns", "mitre attack", "network info", "processes extra", "t1055 process", "overview", "overview zenbox", "verdict", "guest system", "ultimate file", "next", "serving ip", "address", "status code", "body length", "mb body", "oaauth helix", "helix", "signals", "beaconing", "frequencies", "trojanspy", "massdot", "network disruption", "abuse of encrypted channels", "network interference", "bruteforce", "anchor", "watering hole", "exposure of client data", "emfs", "efs", "signals attack", "cve's exploited", "improper channels", "health hazard", "spy", "network abuse", "havana" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/f98191dfb868f38c502deb4c3fa4ebb2c8faed6f9b6377616d97b2ab35b48d9a_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778424115&Signature=0KlAyyQQ9hQCJ2HfQ7xCJRM50TsPaZrEXCJe0%2F6yOGg8Oi5a91A0WK1%2BuHQxKNaYOtxinqlH%2BG96yg0ocsoEQVN80VjRx2Xem8DgMQpJD5eBvlPA%2BVGvR5eSs6WtnIfXxB1fzCYC3YRKGWq7c3iQ4WZydu0cWjCx71jj%2BLfWTcyMYhnRG9gu8o0MKuDHYOI1AAbUB3CVPpY8w99sMJQG9wi3zZdwIq5erBtrN7s3RMIq2mEYnfAo", "https://vtbehaviour.commondatastorage.googleapis.com/f98191dfb868f38c502deb4c3fa4ebb2c8faed6f9b6377616d97b2ab35b48d9a_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778424986&Signature=m2ZqXELB%2F5hHTf8Z0b7gZDAwk4KeSrteumozXgFefkQCAi7YY9KSmLvaAG3iDN5fhIFTz%2FZ6wgaNF%2FpdsGYHATlc7dDOIIDCql%2FQ4d9eYuROdgqGHd1WruLoJvWWq%2BcRgmtNFT7WZjbOr8wpJ%2Fa5%2BUPoEsokskMbWAPqf6lEimhl1uHNx8qZvxVCO8a95rMA%2Ft2xDI0BvJ2rivyfFpFxL0B9Lj2oQ3OvppjhJ6oqFKJJoDudPAxilp" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "URL": 508, "domain": 139, "hostname": 317, "FileHash-SHA256": 600, "FileHash-SHA1": 1, "IPv4": 72, "email": 2 }, "indicator_count": 1642, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "19 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a009e2c69cc5c3b5aa7185e", "name": "CAPE Sandbox - Signals", "description": "[Marshfield Board and Committee Handbook 2025 is published by the Department of Public Safety and Environment (DPSA) and is subject to a review by its own staff and the UK government, as well as by government itself] pretext.", "modified": "2026-05-12T06:39:58.327000", "created": "2026-05-10T15:03:08.205000", "tags": [ "board", "non profit", "ta profile", "final", "html document", "unicode text", "utf8 text", "crlf", "lf line", "script", "welcome", "marshfield", "link", "arabic", "azerbaijani", "basque", "bengali", "meta", "object", "title", "body", "albanian", "cname", "nxdomain", "massachusetts", "privacy violation", "performs dns", "mitre attack", "network info", "processes extra", "t1055 process", "overview", "overview zenbox", "verdict", "guest system", "ultimate file", "next", "serving ip", "address", "status code", "body length", "mb body", "oaauth helix", "helix", "signals", "beaconing", "frequencies", "trojanspy", "massdot", "network disruption", "abuse of encrypted channels", "network interference", "bruteforce", "anchor", "watering hole", "exposure of client data", "emfs", "efs", "signals attack", "cve's exploited", "improper channels", "health hazard", "spy", "network abuse", "havana" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/f98191dfb868f38c502deb4c3fa4ebb2c8faed6f9b6377616d97b2ab35b48d9a_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778424115&Signature=0KlAyyQQ9hQCJ2HfQ7xCJRM50TsPaZrEXCJe0%2F6yOGg8Oi5a91A0WK1%2BuHQxKNaYOtxinqlH%2BG96yg0ocsoEQVN80VjRx2Xem8DgMQpJD5eBvlPA%2BVGvR5eSs6WtnIfXxB1fzCYC3YRKGWq7c3iQ4WZydu0cWjCx71jj%2BLfWTcyMYhnRG9gu8o0MKuDHYOI1AAbUB3CVPpY8w99sMJQG9wi3zZdwIq5erBtrN7s3RMIq2mEYnfAo", "https://vtbehaviour.commondatastorage.googleapis.com/f98191dfb868f38c502deb4c3fa4ebb2c8faed6f9b6377616d97b2ab35b48d9a_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778424986&Signature=m2ZqXELB%2F5hHTf8Z0b7gZDAwk4KeSrteumozXgFefkQCAi7YY9KSmLvaAG3iDN5fhIFTz%2FZ6wgaNF%2FpdsGYHATlc7dDOIIDCql%2FQ4d9eYuROdgqGHd1WruLoJvWWq%2BcRgmtNFT7WZjbOr8wpJ%2Fa5%2BUPoEsokskMbWAPqf6lEimhl1uHNx8qZvxVCO8a95rMA%2Ft2xDI0BvJ2rivyfFpFxL0B9Lj2oQ3OvppjhJ6oqFKJJoDudPAxilp" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "URL": 512, "domain": 141, "hostname": 323, "FileHash-SHA256": 600, "FileHash-SHA1": 1, "IPv4": 72, "email": 2 }, "indicator_count": 1654, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "19 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/f98191dfb868f38c502deb4c3fa4ebb2c8faed6f9b6377616d97b2ab35b48d9a_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778424115&Signature=0KlAyyQQ9hQCJ2HfQ7xCJRM50TsPaZrEXCJe0%2F6yOGg8Oi5a91A0WK1%2BuHQxKNaYOtxinqlH%2BG96yg0ocsoEQVN80VjRx2Xem8DgMQpJD5eBvlPA%2BVGvR5eSs6WtnIfXxB1fzCYC3YRKGWq7c3iQ4WZydu0cWjCx71jj%2BLfWTcyMYhnRG9gu8o0MKuDHYOI1AAbUB3CVPpY8w99sMJQG9wi3zZdwIq5erBtrN7s3RMIq2mEYnfAo", "https://vtbehaviour.commondatastorage.googleapis.com/f98191dfb868f38c502deb4c3fa4ebb2c8faed6f9b6377616d97b2ab35b48d9a_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778424986&Signature=m2ZqXELB%2F5hHTf8Z0b7gZDAwk4KeSrteumozXgFefkQCAi7YY9KSmLvaAG3iDN5fhIFTz%2FZ6wgaNF%2FpdsGYHATlc7dDOIIDCql%2FQ4d9eYuROdgqGHd1WruLoJvWWq%2BcRgmtNFT7WZjbOr8wpJ%2Fa5%2BUPoEsokskMbWAPqf6lEimhl1uHNx8qZvxVCO8a95rMA%2Ft2xDI0BvJ2rivyfFpFxL0B9Lj2oQ3OvppjhJ6oqFKJJoDudPAxilp" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 4219 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/static.microsoft", "whois": "http://whois.domaintools.com/static.microsoft", "domain": "static.microsoft", "hostname": "res.public.onecdn.static.microsoft" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 6, "pulses": [ { "id": "6a03cc521e13c5d6d34555d0", "name": "Judgement Day. VirusTotal report for index.html", "description": "[Apple.com has sent a series of \"fl flushMessages\" to its servers, but what exactly is the data and what is it going to get out of the system and how does it feel?]", "modified": "2026-05-15T10:22:00.139000", "created": "2026-05-13T00:56:50.182000", "tags": [ "darwin kernel", "version", "wed feb", "apfs4kobjs", "instagram", "mosaic", "free", "get http", "dns resolutions", "ip traffic", "pattern domains", "memory pattern", "urls https", "tls sni", "algorithm", "key identifier", "x509v3 subject", "v3 serial", "number", "cus olet", "encrypt cnr13", "validity", "subject public", "key info", "performs dns", "https", "urls", "united", "mitre attack", "network info", "processes extra", "t1055 process", "layer protocol", "overview", "phishing", "defense evasion", "next", "default", "parent pid", "full path", "command line", "k netsvcs", "k localservice", "s w32time", "event provider", "device", "registry keys" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 132, "FileHash-MD5": 43, "FileHash-SHA1": 6, "hostname": 364, "IPv4": 75, "URL": 574, "Mutex": 1, "FileHash-SHA256": 404 }, "indicator_count": 1599, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "16 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a04e84167efe8b5fa43e0ca", "name": "cve-2020-0601 + spoof signing", "description": "CVE2020-0601 is a Curveball vulnerability that could allow attackers to spoof signatures and is a high cryptographic validation flaw. Per NIST, \"A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates. An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source, aka 'Windows CryptoAPI Spoofing Vulnerability',\".", "modified": "2026-05-14T01:04:28.762000", "created": "2026-05-13T21:08:17.669000", "tags": [ "indicators show", "search", "type indicator", "role title", "added active", "related pulses", "instagram", "identifier", "cve-2020-0601" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 51, "hostname": 147, "FileHash-SHA1": 4, "domain": 119, "URL": 169, "IPv4": 282, "FileHash-MD5": 3, "FileHash-SHA256": 283 }, "indicator_count": 1058, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "17 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a04e8423bba51f1e0ff3030", "name": "cve-2020-0601 + spoof signing", "description": "CVE2020-0601 is a Curveball vulnerability that could allow attackers to spoof signatures and is a high cryptographic validation flaw. Per NIST, \"A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates. An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source, aka 'Windows CryptoAPI Spoofing Vulnerability',\".", "modified": "2026-05-13T22:50:49.596000", "created": "2026-05-13T21:08:18.159000", "tags": [ "indicators show", "search", "type indicator", "role title", "added active", "related pulses", "instagram", "identifier", "cve-2020-0601" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 51, "hostname": 147, "FileHash-SHA1": 4, "domain": 119, "URL": 169, "IPv4": 281, "FileHash-MD5": 3, "FileHash-SHA256": 283 }, "indicator_count": 1057, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "17 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a04e83b9a762101e54d6a4f", "name": "cve-2020-0601 + spoof signing", "description": "CVE2020-0601 is a Curveball vulnerability that could allow attackers to spoof signatures and is a high cryptographic validation flaw. Per NIST, \"A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates. An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source, aka 'Windows CryptoAPI Spoofing Vulnerability',\".", "modified": "2026-05-13T22:50:48.345000", "created": "2026-05-13T21:08:11.231000", "tags": [ "indicators show", "search", "type indicator", "role title", "added active", "related pulses", "instagram", "identifier", "cve-2020-0601" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 53, "hostname": 147, "FileHash-SHA1": 24, "domain": 119, "URL": 167, "IPv4": 281, "FileHash-MD5": 15, "FileHash-SHA256": 469, "Mutex": 2 }, "indicator_count": 1277, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "17 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a009e2d25595b3d89057042", "name": "CAPE Sandbox - Signals", "description": "[Marshfield Board and Committee Handbook 2025 is published by the Department of Public Safety and Environment (DPSA) and is subject to a review by its own staff and the UK government, as well as by government itself] pretext.", "modified": "2026-05-12T06:39:58.797000", "created": "2026-05-10T15:03:09.026000", "tags": [ "board", "non profit", "ta profile", "final", "html document", "unicode text", "utf8 text", "crlf", "lf line", "script", "welcome", "marshfield", "link", "arabic", "azerbaijani", "basque", "bengali", "meta", "object", "title", "body", "albanian", "cname", "nxdomain", "massachusetts", "privacy violation", "performs dns", "mitre attack", "network info", "processes extra", "t1055 process", "overview", "overview zenbox", "verdict", "guest system", "ultimate file", "next", "serving ip", "address", "status code", "body length", "mb body", "oaauth helix", "helix", "signals", "beaconing", "frequencies", "trojanspy", "massdot", "network disruption", "abuse of encrypted channels", "network interference", "bruteforce", "anchor", "watering hole", "exposure of client data", "emfs", "efs", "signals attack", "cve's exploited", "improper channels", "health hazard", "spy", "network abuse", "havana" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/f98191dfb868f38c502deb4c3fa4ebb2c8faed6f9b6377616d97b2ab35b48d9a_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778424115&Signature=0KlAyyQQ9hQCJ2HfQ7xCJRM50TsPaZrEXCJe0%2F6yOGg8Oi5a91A0WK1%2BuHQxKNaYOtxinqlH%2BG96yg0ocsoEQVN80VjRx2Xem8DgMQpJD5eBvlPA%2BVGvR5eSs6WtnIfXxB1fzCYC3YRKGWq7c3iQ4WZydu0cWjCx71jj%2BLfWTcyMYhnRG9gu8o0MKuDHYOI1AAbUB3CVPpY8w99sMJQG9wi3zZdwIq5erBtrN7s3RMIq2mEYnfAo", "https://vtbehaviour.commondatastorage.googleapis.com/f98191dfb868f38c502deb4c3fa4ebb2c8faed6f9b6377616d97b2ab35b48d9a_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778424986&Signature=m2ZqXELB%2F5hHTf8Z0b7gZDAwk4KeSrteumozXgFefkQCAi7YY9KSmLvaAG3iDN5fhIFTz%2FZ6wgaNF%2FpdsGYHATlc7dDOIIDCql%2FQ4d9eYuROdgqGHd1WruLoJvWWq%2BcRgmtNFT7WZjbOr8wpJ%2Fa5%2BUPoEsokskMbWAPqf6lEimhl1uHNx8qZvxVCO8a95rMA%2Ft2xDI0BvJ2rivyfFpFxL0B9Lj2oQ3OvppjhJ6oqFKJJoDudPAxilp" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "URL": 508, "domain": 139, "hostname": 317, "FileHash-SHA256": 600, "FileHash-SHA1": 1, "IPv4": 72, "email": 2 }, "indicator_count": 1642, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "19 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a009e2c69cc5c3b5aa7185e", "name": "CAPE Sandbox - Signals", "description": "[Marshfield Board and Committee Handbook 2025 is published by the Department of Public Safety and Environment (DPSA) and is subject to a review by its own staff and the UK government, as well as by government itself] pretext.", "modified": "2026-05-12T06:39:58.327000", "created": "2026-05-10T15:03:08.205000", "tags": [ "board", "non profit", "ta profile", "final", "html document", "unicode text", "utf8 text", "crlf", "lf line", "script", "welcome", "marshfield", "link", "arabic", "azerbaijani", "basque", "bengali", "meta", "object", "title", "body", "albanian", "cname", "nxdomain", "massachusetts", "privacy violation", "performs dns", "mitre attack", "network info", "processes extra", "t1055 process", "overview", "overview zenbox", "verdict", "guest system", "ultimate file", "next", "serving ip", "address", "status code", "body length", "mb body", "oaauth helix", "helix", "signals", "beaconing", "frequencies", "trojanspy", "massdot", "network disruption", "abuse of encrypted channels", "network interference", "bruteforce", "anchor", "watering hole", "exposure of client data", "emfs", "efs", "signals attack", "cve's exploited", "improper channels", "health hazard", "spy", "network abuse", "havana" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/f98191dfb868f38c502deb4c3fa4ebb2c8faed6f9b6377616d97b2ab35b48d9a_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778424115&Signature=0KlAyyQQ9hQCJ2HfQ7xCJRM50TsPaZrEXCJe0%2F6yOGg8Oi5a91A0WK1%2BuHQxKNaYOtxinqlH%2BG96yg0ocsoEQVN80VjRx2Xem8DgMQpJD5eBvlPA%2BVGvR5eSs6WtnIfXxB1fzCYC3YRKGWq7c3iQ4WZydu0cWjCx71jj%2BLfWTcyMYhnRG9gu8o0MKuDHYOI1AAbUB3CVPpY8w99sMJQG9wi3zZdwIq5erBtrN7s3RMIq2mEYnfAo", "https://vtbehaviour.commondatastorage.googleapis.com/f98191dfb868f38c502deb4c3fa4ebb2c8faed6f9b6377616d97b2ab35b48d9a_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778424986&Signature=m2ZqXELB%2F5hHTf8Z0b7gZDAwk4KeSrteumozXgFefkQCAi7YY9KSmLvaAG3iDN5fhIFTz%2FZ6wgaNF%2FpdsGYHATlc7dDOIIDCql%2FQ4d9eYuROdgqGHd1WruLoJvWWq%2BcRgmtNFT7WZjbOr8wpJ%2Fa5%2BUPoEsokskMbWAPqf6lEimhl1uHNx8qZvxVCO8a95rMA%2Ft2xDI0BvJ2rivyfFpFxL0B9Lj2oQ3OvppjhJ6oqFKJJoDudPAxilp" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "URL": 512, "domain": 141, "hostname": 323, "FileHash-SHA256": 600, "FileHash-SHA1": 1, "IPv4": 72, "email": 2 }, "indicator_count": 1654, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "19 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://res.public.onecdn.static.microsoft/designer607825", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://res.public.onecdn.static.microsoft/designer607825", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780247063.9375784 }