{ "type": "URL", "indicator": "https://storage.azure.com/", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://storage.azure.com/", "type": "url", "type_title": "URL", "validation": [ { "source": "akamai", "message": "Akamai rank: #45", "name": "Akamai Popular Domain" }, { "source": "whitelist", "message": "Whitelisted domain azure.com", "name": "Whitelisted domain" }, { "source": "majestic", "message": "Whitelisted domain azure.com", "name": "Whitelisted domain" } ], "base_indicator": { "id": 4294945547, "indicator": "https://storage.azure.com/", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 9, "pulses": [ { "id": "6a100b692408f972b61c1cec", "name": "\"don't save her\" a continued message * CAPE Sandbox", "description": "[sample of the Pigeonhole Sieve malware has been found in the X-Sieve R system, designed to detect and prevent the spread of malicious software, which is currently being used by Microsoft Office.] -pretext", "modified": "2026-05-24T05:56:24.709000", "created": "2026-05-22T07:53:13.480000", "tags": [ "table", "postfix", "eest", "tbody", "span", "deliveredto", "bayesspam", "fromeqenvfrom", "fromhasdn", "ipreputation", "date", "title", "file type", "ascii text", "crlf line", "sigma", "mitre attack", "network info", "dropped info", "use short", "name path", "windows folder", "defense evasion", "next", "wednesday", "january", "extra info", "attack network", "info dropped", "geospatial endpoints" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/0005c1a0f0dd0df76abbabf5f3f9303e46639dc29181b907388cf95a919bfdc5_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779435695&Signature=UoqeOvA3l0SmZPLGLkJ4n7oue%2FoXBTcyhLy5g1zr97R1z9EBf2vAXrsnA8mHkedBOo0cd7lQhlV4QLek1AiAP4Z%2F9XgN%2FgaAo3L%2FP0tI1NFNb5lJ9mZ4YQ5aVcF1jYBD4bluT9%2BjUQaRIkFHR4w4OIpWVuJOGdkbT7UxU%2BgyPR3o2Ij%2Fli0GfJO%2B%2B2KMpTnBE0mWDM%2BrEThJKW2Ty5flTxONg4m7toLl7%2BspvX1Q", "https://vtbehaviour.commondatastorage.googleapis.com/0005c1a0f0dd0df76abbabf5f3f9303e46639dc29181b907388cf95a919bfdc5_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779435775&Signature=AkieU7eRCNrzND0lejy10HFR7OdRvNqyswrKIdggTIg6w4naejOYYwut39HnOup0%2BqQcIl4AJ6iCv7BrJuqNoIe3WuL3S3c9To36FuiNd2aOBRNZcN9gHBz7GSvTlAnmNNOt9OIZbdryCE4RnMJA4q7aOGLAd3dJzbXxC1sLLrpBBY0wTeb7cvNcLLEuJzsk9AQw8m9nZ%2BMfQJB8hWxaWNXySZkIl%2Fkufg7NdeYBFT4YXsi2gxWg0UruP%2FFYE8", "https://vtbehaviour.commondatastorage.googleapis.com/0002412eddb6f812afb3e131d7e801536cb4ff8a410a6d6c6bc559fdb3546116_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779436484&Signature=Pr1pfaimFPZRbQFRLBhpICwKcQGlnx4U5y%2FQZiFEs%2BMGp9zOdmylpsondhJ%2FoJg6NIwY9%2Bk2v9SRh8rgNd2aefaWARh%2ByYvcCFEELbz7cf%2F2f128%2FN%2BsNKOuiRC2JFyN37Wq2hSLt9NYUERhB0THMCMQtw1axrtOHh9CLz3YZ%2BdO7E%2B3g1aOrD3sDAwOgmWR9n9pk%2Fj55fIyJqPDU80OB1RXmaU4XNnEIBA69dpnuj57WGWd" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 33, "CIDR": 5, "FileHash-MD5": 275, "FileHash-SHA1": 27, "FileHash-SHA256": 45, "URL": 149, "domain": 8, "email": 7, "hostname": 165, "CVE": 1 }, "indicator_count": 715, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "7 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a100b5a7b1e843e08b7f57b", "name": "\"don't save her\" a continued message * CAPE Sandbox", "description": "[sample of the Pigeonhole Sieve malware has been found in the X-Sieve R system, designed to detect and prevent the spread of malicious software, which is currently being used by Microsoft Office.] -pretext", "modified": "2026-05-22T08:00:01.133000", "created": "2026-05-22T07:52:58.704000", "tags": [ "table", "postfix", "eest", "tbody", "span", "deliveredto", "bayesspam", "fromeqenvfrom", "fromhasdn", "ipreputation", "date", "title", "file type", "ascii text", "crlf line", "sigma", "mitre attack", "network info", "dropped info", "use short", "name path", "windows folder", "defense evasion", "next", "wednesday", "january", "extra info", "attack network", "info dropped", "geospatial endpoints" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/0005c1a0f0dd0df76abbabf5f3f9303e46639dc29181b907388cf95a919bfdc5_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779435695&Signature=UoqeOvA3l0SmZPLGLkJ4n7oue%2FoXBTcyhLy5g1zr97R1z9EBf2vAXrsnA8mHkedBOo0cd7lQhlV4QLek1AiAP4Z%2F9XgN%2FgaAo3L%2FP0tI1NFNb5lJ9mZ4YQ5aVcF1jYBD4bluT9%2BjUQaRIkFHR4w4OIpWVuJOGdkbT7UxU%2BgyPR3o2Ij%2Fli0GfJO%2B%2B2KMpTnBE0mWDM%2BrEThJKW2Ty5flTxONg4m7toLl7%2BspvX1Q", "https://vtbehaviour.commondatastorage.googleapis.com/0005c1a0f0dd0df76abbabf5f3f9303e46639dc29181b907388cf95a919bfdc5_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779435775&Signature=AkieU7eRCNrzND0lejy10HFR7OdRvNqyswrKIdggTIg6w4naejOYYwut39HnOup0%2BqQcIl4AJ6iCv7BrJuqNoIe3WuL3S3c9To36FuiNd2aOBRNZcN9gHBz7GSvTlAnmNNOt9OIZbdryCE4RnMJA4q7aOGLAd3dJzbXxC1sLLrpBBY0wTeb7cvNcLLEuJzsk9AQw8m9nZ%2BMfQJB8hWxaWNXySZkIl%2Fkufg7NdeYBFT4YXsi2gxWg0UruP%2FFYE8", "https://vtbehaviour.commondatastorage.googleapis.com/0002412eddb6f812afb3e131d7e801536cb4ff8a410a6d6c6bc559fdb3546116_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779436484&Signature=Pr1pfaimFPZRbQFRLBhpICwKcQGlnx4U5y%2FQZiFEs%2BMGp9zOdmylpsondhJ%2FoJg6NIwY9%2Bk2v9SRh8rgNd2aefaWARh%2ByYvcCFEELbz7cf%2F2f128%2FN%2BsNKOuiRC2JFyN37Wq2hSLt9NYUERhB0THMCMQtw1axrtOHh9CLz3YZ%2BdO7E%2B3g1aOrD3sDAwOgmWR9n9pk%2Fj55fIyJqPDU80OB1RXmaU4XNnEIBA69dpnuj57WGWd" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 36, "CIDR": 1, "FileHash-MD5": 273, "FileHash-SHA1": 30, "FileHash-SHA256": 46, "URL": 137, "domain": 5, "email": 3, "hostname": 165 }, "indicator_count": 696, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "8 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a100b5a4fbd55e1c62e2a34", "name": "\"don't save her\" a continued message * CAPE Sandbox", "description": "[sample of the Pigeonhole Sieve malware has been found in the X-Sieve R system, designed to detect and prevent the spread of malicious software, which is currently being used by Microsoft Office.] -pretext", "modified": "2026-05-22T07:52:58.211000", "created": "2026-05-22T07:52:58.211000", "tags": [ "table", "postfix", "eest", "tbody", "span", "deliveredto", "bayesspam", "fromeqenvfrom", "fromhasdn", "ipreputation", "date", "title", "file type", "ascii text", "crlf line", "sigma", "mitre attack", "network info", "dropped info", "use short", "name path", "windows folder", "defense evasion", "next", "wednesday", "january", "extra info", "attack network", "info dropped", "geospatial endpoints" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/0005c1a0f0dd0df76abbabf5f3f9303e46639dc29181b907388cf95a919bfdc5_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779435695&Signature=UoqeOvA3l0SmZPLGLkJ4n7oue%2FoXBTcyhLy5g1zr97R1z9EBf2vAXrsnA8mHkedBOo0cd7lQhlV4QLek1AiAP4Z%2F9XgN%2FgaAo3L%2FP0tI1NFNb5lJ9mZ4YQ5aVcF1jYBD4bluT9%2BjUQaRIkFHR4w4OIpWVuJOGdkbT7UxU%2BgyPR3o2Ij%2Fli0GfJO%2B%2B2KMpTnBE0mWDM%2BrEThJKW2Ty5flTxONg4m7toLl7%2BspvX1Q", "https://vtbehaviour.commondatastorage.googleapis.com/0005c1a0f0dd0df76abbabf5f3f9303e46639dc29181b907388cf95a919bfdc5_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779435775&Signature=AkieU7eRCNrzND0lejy10HFR7OdRvNqyswrKIdggTIg6w4naejOYYwut39HnOup0%2BqQcIl4AJ6iCv7BrJuqNoIe3WuL3S3c9To36FuiNd2aOBRNZcN9gHBz7GSvTlAnmNNOt9OIZbdryCE4RnMJA4q7aOGLAd3dJzbXxC1sLLrpBBY0wTeb7cvNcLLEuJzsk9AQw8m9nZ%2BMfQJB8hWxaWNXySZkIl%2Fkufg7NdeYBFT4YXsi2gxWg0UruP%2FFYE8", "https://vtbehaviour.commondatastorage.googleapis.com/0002412eddb6f812afb3e131d7e801536cb4ff8a410a6d6c6bc559fdb3546116_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779436484&Signature=Pr1pfaimFPZRbQFRLBhpICwKcQGlnx4U5y%2FQZiFEs%2BMGp9zOdmylpsondhJ%2FoJg6NIwY9%2Bk2v9SRh8rgNd2aefaWARh%2ByYvcCFEELbz7cf%2F2f128%2FN%2BsNKOuiRC2JFyN37Wq2hSLt9NYUERhB0THMCMQtw1axrtOHh9CLz3YZ%2BdO7E%2B3g1aOrD3sDAwOgmWR9n9pk%2Fj55fIyJqPDU80OB1RXmaU4XNnEIBA69dpnuj57WGWd" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 30, "CIDR": 1, "FileHash-MD5": 273, "FileHash-SHA1": 27, "FileHash-SHA256": 43, "URL": 131, "domain": 5, "email": 3, "hostname": 156 }, "indicator_count": 669, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "8 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a100b5a2838b1cc50ba5360", "name": "\"don't save her\" a continued message * CAPE Sandbox", "description": "[sample of the Pigeonhole Sieve malware has been found in the X-Sieve R system, designed to detect and prevent the spread of malicious software, which is currently being used by Microsoft Office.] -pretext", "modified": "2026-05-22T07:52:57.995000", "created": "2026-05-22T07:52:57.995000", "tags": [ "table", "postfix", "eest", "tbody", "span", "deliveredto", "bayesspam", "fromeqenvfrom", "fromhasdn", "ipreputation", "date", "title", "file type", "ascii text", "crlf line", "sigma", "mitre attack", "network info", "dropped info", "use short", "name path", "windows folder", "defense evasion", "next", "wednesday", "january", "extra info", "attack network", "info dropped", "geospatial endpoints" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/0005c1a0f0dd0df76abbabf5f3f9303e46639dc29181b907388cf95a919bfdc5_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779435695&Signature=UoqeOvA3l0SmZPLGLkJ4n7oue%2FoXBTcyhLy5g1zr97R1z9EBf2vAXrsnA8mHkedBOo0cd7lQhlV4QLek1AiAP4Z%2F9XgN%2FgaAo3L%2FP0tI1NFNb5lJ9mZ4YQ5aVcF1jYBD4bluT9%2BjUQaRIkFHR4w4OIpWVuJOGdkbT7UxU%2BgyPR3o2Ij%2Fli0GfJO%2B%2B2KMpTnBE0mWDM%2BrEThJKW2Ty5flTxONg4m7toLl7%2BspvX1Q", "https://vtbehaviour.commondatastorage.googleapis.com/0005c1a0f0dd0df76abbabf5f3f9303e46639dc29181b907388cf95a919bfdc5_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779435775&Signature=AkieU7eRCNrzND0lejy10HFR7OdRvNqyswrKIdggTIg6w4naejOYYwut39HnOup0%2BqQcIl4AJ6iCv7BrJuqNoIe3WuL3S3c9To36FuiNd2aOBRNZcN9gHBz7GSvTlAnmNNOt9OIZbdryCE4RnMJA4q7aOGLAd3dJzbXxC1sLLrpBBY0wTeb7cvNcLLEuJzsk9AQw8m9nZ%2BMfQJB8hWxaWNXySZkIl%2Fkufg7NdeYBFT4YXsi2gxWg0UruP%2FFYE8", "https://vtbehaviour.commondatastorage.googleapis.com/0002412eddb6f812afb3e131d7e801536cb4ff8a410a6d6c6bc559fdb3546116_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779436484&Signature=Pr1pfaimFPZRbQFRLBhpICwKcQGlnx4U5y%2FQZiFEs%2BMGp9zOdmylpsondhJ%2FoJg6NIwY9%2Bk2v9SRh8rgNd2aefaWARh%2ByYvcCFEELbz7cf%2F2f128%2FN%2BsNKOuiRC2JFyN37Wq2hSLt9NYUERhB0THMCMQtw1axrtOHh9CLz3YZ%2BdO7E%2B3g1aOrD3sDAwOgmWR9n9pk%2Fj55fIyJqPDU80OB1RXmaU4XNnEIBA69dpnuj57WGWd" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 30, "CIDR": 1, "FileHash-MD5": 273, "FileHash-SHA1": 27, "FileHash-SHA256": 43, "URL": 131, "domain": 5, "email": 3, "hostname": 156 }, "indicator_count": 669, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "8 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a100b59bb15041d5cfffd88", "name": "\"don't save her\" a continued message * CAPE Sandbox", "description": "[sample of the Pigeonhole Sieve malware has been found in the X-Sieve R system, designed to detect and prevent the spread of malicious software, which is currently being used by Microsoft Office.] -pretext", "modified": "2026-05-22T07:52:57.865000", "created": "2026-05-22T07:52:57.865000", "tags": [ "table", "postfix", "eest", "tbody", "span", "deliveredto", "bayesspam", "fromeqenvfrom", "fromhasdn", "ipreputation", "date", "title", "file type", "ascii text", "crlf line", "sigma", "mitre attack", "network info", "dropped info", "use short", "name path", "windows folder", "defense evasion", "next", "wednesday", "january", "extra info", "attack network", "info dropped", "geospatial endpoints" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/0005c1a0f0dd0df76abbabf5f3f9303e46639dc29181b907388cf95a919bfdc5_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779435695&Signature=UoqeOvA3l0SmZPLGLkJ4n7oue%2FoXBTcyhLy5g1zr97R1z9EBf2vAXrsnA8mHkedBOo0cd7lQhlV4QLek1AiAP4Z%2F9XgN%2FgaAo3L%2FP0tI1NFNb5lJ9mZ4YQ5aVcF1jYBD4bluT9%2BjUQaRIkFHR4w4OIpWVuJOGdkbT7UxU%2BgyPR3o2Ij%2Fli0GfJO%2B%2B2KMpTnBE0mWDM%2BrEThJKW2Ty5flTxONg4m7toLl7%2BspvX1Q", "https://vtbehaviour.commondatastorage.googleapis.com/0005c1a0f0dd0df76abbabf5f3f9303e46639dc29181b907388cf95a919bfdc5_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779435775&Signature=AkieU7eRCNrzND0lejy10HFR7OdRvNqyswrKIdggTIg6w4naejOYYwut39HnOup0%2BqQcIl4AJ6iCv7BrJuqNoIe3WuL3S3c9To36FuiNd2aOBRNZcN9gHBz7GSvTlAnmNNOt9OIZbdryCE4RnMJA4q7aOGLAd3dJzbXxC1sLLrpBBY0wTeb7cvNcLLEuJzsk9AQw8m9nZ%2BMfQJB8hWxaWNXySZkIl%2Fkufg7NdeYBFT4YXsi2gxWg0UruP%2FFYE8", "https://vtbehaviour.commondatastorage.googleapis.com/0002412eddb6f812afb3e131d7e801536cb4ff8a410a6d6c6bc559fdb3546116_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779436484&Signature=Pr1pfaimFPZRbQFRLBhpICwKcQGlnx4U5y%2FQZiFEs%2BMGp9zOdmylpsondhJ%2FoJg6NIwY9%2Bk2v9SRh8rgNd2aefaWARh%2ByYvcCFEELbz7cf%2F2f128%2FN%2BsNKOuiRC2JFyN37Wq2hSLt9NYUERhB0THMCMQtw1axrtOHh9CLz3YZ%2BdO7E%2B3g1aOrD3sDAwOgmWR9n9pk%2Fj55fIyJqPDU80OB1RXmaU4XNnEIBA69dpnuj57WGWd" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 30, "CIDR": 1, "FileHash-MD5": 273, "FileHash-SHA1": 27, "FileHash-SHA256": 43, "URL": 131, "domain": 5, "email": 3, "hostname": 156 }, "indicator_count": 669, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "8 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a100b59a54621b833de1120", "name": "\"don't save her\" a continued message * CAPE Sandbox", "description": "[sample of the Pigeonhole Sieve malware has been found in the X-Sieve R system, designed to detect and prevent the spread of malicious software, which is currently being used by Microsoft Office.] -pretext", "modified": "2026-05-22T07:52:57.606000", "created": "2026-05-22T07:52:57.606000", "tags": [ "table", "postfix", "eest", "tbody", "span", "deliveredto", "bayesspam", "fromeqenvfrom", "fromhasdn", "ipreputation", "date", "title", "file type", "ascii text", "crlf line", "sigma", "mitre attack", "network info", "dropped info", "use short", "name path", "windows folder", "defense evasion", "next", "wednesday", "january", "extra info", "attack network", "info dropped", "geospatial endpoints" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/0005c1a0f0dd0df76abbabf5f3f9303e46639dc29181b907388cf95a919bfdc5_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779435695&Signature=UoqeOvA3l0SmZPLGLkJ4n7oue%2FoXBTcyhLy5g1zr97R1z9EBf2vAXrsnA8mHkedBOo0cd7lQhlV4QLek1AiAP4Z%2F9XgN%2FgaAo3L%2FP0tI1NFNb5lJ9mZ4YQ5aVcF1jYBD4bluT9%2BjUQaRIkFHR4w4OIpWVuJOGdkbT7UxU%2BgyPR3o2Ij%2Fli0GfJO%2B%2B2KMpTnBE0mWDM%2BrEThJKW2Ty5flTxONg4m7toLl7%2BspvX1Q", "https://vtbehaviour.commondatastorage.googleapis.com/0005c1a0f0dd0df76abbabf5f3f9303e46639dc29181b907388cf95a919bfdc5_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779435775&Signature=AkieU7eRCNrzND0lejy10HFR7OdRvNqyswrKIdggTIg6w4naejOYYwut39HnOup0%2BqQcIl4AJ6iCv7BrJuqNoIe3WuL3S3c9To36FuiNd2aOBRNZcN9gHBz7GSvTlAnmNNOt9OIZbdryCE4RnMJA4q7aOGLAd3dJzbXxC1sLLrpBBY0wTeb7cvNcLLEuJzsk9AQw8m9nZ%2BMfQJB8hWxaWNXySZkIl%2Fkufg7NdeYBFT4YXsi2gxWg0UruP%2FFYE8", "https://vtbehaviour.commondatastorage.googleapis.com/0002412eddb6f812afb3e131d7e801536cb4ff8a410a6d6c6bc559fdb3546116_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779436484&Signature=Pr1pfaimFPZRbQFRLBhpICwKcQGlnx4U5y%2FQZiFEs%2BMGp9zOdmylpsondhJ%2FoJg6NIwY9%2Bk2v9SRh8rgNd2aefaWARh%2ByYvcCFEELbz7cf%2F2f128%2FN%2BsNKOuiRC2JFyN37Wq2hSLt9NYUERhB0THMCMQtw1axrtOHh9CLz3YZ%2BdO7E%2B3g1aOrD3sDAwOgmWR9n9pk%2Fj55fIyJqPDU80OB1RXmaU4XNnEIBA69dpnuj57WGWd" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 30, "CIDR": 1, "FileHash-MD5": 273, "FileHash-SHA1": 27, "FileHash-SHA256": 43, "URL": 131, "domain": 5, "email": 3, "hostname": 156 }, "indicator_count": 669, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "8 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69d2272769a32400c257e7e7", "name": "CAPE Sandbox", "description": "The full text of the full translation of this article:..2.4.3.7.8.6.1.9.5.0., the first of its kind.>>", "modified": "2026-05-05T09:01:42.428000", "created": "2026-04-05T09:11:03.976000", "tags": [ "aaaa", "algorithm", "number", "cgb osectigo", "public server", "ov r36", "validity", "cus sttexas", "oforcepoint llc", "public key", "info", "host name", "handle", "rdap database", "iana registrar", "entity", "dnssec", "yes conformance", "redacted for", "server", "domain status", "privacy billing", "privacy tech", "privacy admin", "email", "postal code", "date", "registrar abuse", "code", "dspm", "forcepoint dlp", "forcepoint", "login", "password", "austin", "texas", "hub customer", "data security", "protect", "organization", "stateprovince", "attempts", "reads", "sha1", "sha256", "mwdb", "bazaar", "sha3384", "crc32", "ssdeep", "checks" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CIDR": 3, "FileHash-SHA256": 685, "domain": 205, "hostname": 426, "FileHash-MD5": 722, "FileHash-SHA1": 348, "URL": 438, "email": 3 }, "indicator_count": 2830, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "25 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69d2273d57ede103894c1943", "name": "CAPE Sandbox", "description": "The full text of the full translation of this article:..2.4.3.7.8.6.1.9.5.0., the first of its kind.>>", "modified": "2026-05-05T09:01:42.428000", "created": "2026-04-05T09:11:25.506000", "tags": [ "aaaa", "algorithm", "number", "cgb osectigo", "public server", "ov r36", "validity", "cus sttexas", "oforcepoint llc", "public key", "info", "host name", "handle", "rdap database", "iana registrar", "entity", "dnssec", "yes conformance", "redacted for", "server", "domain status", "privacy billing", "privacy tech", "privacy admin", "email", "postal code", "date", "registrar abuse", "code", "dspm", "forcepoint dlp", "forcepoint", "login", "password", "austin", "texas", "hub customer", "data security", "protect", "organization", "stateprovince", "attempts", "reads", "sha1", "sha256", "mwdb", "bazaar", "sha3384", "crc32", "ssdeep", "checks" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CIDR": 3, "FileHash-SHA256": 685, "domain": 205, "hostname": 426, "FileHash-MD5": 722, "FileHash-SHA1": 348, "URL": 438, "email": 3 }, "indicator_count": 2830, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "25 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69d2274c68bc029b77ff8b2c", "name": "CAPE Sandbox", "description": "The full text of the full translation of this article:..2.4.3.7.8.6.1.9.5.0., the first of its kind.>>", "modified": "2026-05-05T09:01:42.428000", "created": "2026-04-05T09:11:40.830000", "tags": [ "aaaa", "algorithm", "number", "cgb osectigo", "public server", "ov r36", "validity", "cus sttexas", "oforcepoint llc", "public key", "info", "host name", "handle", "rdap database", "iana registrar", "entity", "dnssec", "yes conformance", "redacted for", "server", "domain status", "privacy billing", "privacy tech", "privacy admin", "email", "postal code", "date", "registrar abuse", "code", "dspm", "forcepoint dlp", "forcepoint", "login", "password", "austin", "texas", "hub customer", "data security", "protect", "organization", "stateprovince", "attempts", "reads", "sha1", "sha256", "mwdb", "bazaar", "sha3384", "crc32", "ssdeep", "checks" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CIDR": 3, "FileHash-SHA256": 685, "domain": 205, "hostname": 426, "FileHash-MD5": 722, "FileHash-SHA1": 348, "URL": 438, "email": 3 }, "indicator_count": 2830, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "25 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/0002412eddb6f812afb3e131d7e801536cb4ff8a410a6d6c6bc559fdb3546116_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779436484&Signature=Pr1pfaimFPZRbQFRLBhpICwKcQGlnx4U5y%2FQZiFEs%2BMGp9zOdmylpsondhJ%2FoJg6NIwY9%2Bk2v9SRh8rgNd2aefaWARh%2ByYvcCFEELbz7cf%2F2f128%2FN%2BsNKOuiRC2JFyN37Wq2hSLt9NYUERhB0THMCMQtw1axrtOHh9CLz3YZ%2BdO7E%2B3g1aOrD3sDAwOgmWR9n9pk%2Fj55fIyJqPDU80OB1RXmaU4XNnEIBA69dpnuj57WGWd", "https://vtbehaviour.commondatastorage.googleapis.com/0005c1a0f0dd0df76abbabf5f3f9303e46639dc29181b907388cf95a919bfdc5_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779435775&Signature=AkieU7eRCNrzND0lejy10HFR7OdRvNqyswrKIdggTIg6w4naejOYYwut39HnOup0%2BqQcIl4AJ6iCv7BrJuqNoIe3WuL3S3c9To36FuiNd2aOBRNZcN9gHBz7GSvTlAnmNNOt9OIZbdryCE4RnMJA4q7aOGLAd3dJzbXxC1sLLrpBBY0wTeb7cvNcLLEuJzsk9AQw8m9nZ%2BMfQJB8hWxaWNXySZkIl%2Fkufg7NdeYBFT4YXsi2gxWg0UruP%2FFYE8", "https://vtbehaviour.commondatastorage.googleapis.com/0005c1a0f0dd0df76abbabf5f3f9303e46639dc29181b907388cf95a919bfdc5_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779435695&Signature=UoqeOvA3l0SmZPLGLkJ4n7oue%2FoXBTcyhLy5g1zr97R1z9EBf2vAXrsnA8mHkedBOo0cd7lQhlV4QLek1AiAP4Z%2F9XgN%2FgaAo3L%2FP0tI1NFNb5lJ9mZ4YQ5aVcF1jYBD4bluT9%2BjUQaRIkFHR4w4OIpWVuJOGdkbT7UxU%2BgyPR3o2Ij%2Fli0GfJO%2B%2B2KMpTnBE0mWDM%2BrEThJKW2Ty5flTxONg4m7toLl7%2BspvX1Q" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 3192 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/azure.com", "whois": "http://whois.domaintools.com/azure.com", "domain": "azure.com", "hostname": "storage.azure.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 9, "pulses": [ { "id": "6a100b692408f972b61c1cec", "name": "\"don't save her\" a continued message * CAPE Sandbox", "description": "[sample of the Pigeonhole Sieve malware has been found in the X-Sieve R system, designed to detect and prevent the spread of malicious software, which is currently being used by Microsoft Office.] -pretext", "modified": "2026-05-24T05:56:24.709000", "created": "2026-05-22T07:53:13.480000", "tags": [ "table", "postfix", "eest", "tbody", "span", "deliveredto", "bayesspam", "fromeqenvfrom", "fromhasdn", "ipreputation", "date", "title", "file type", "ascii text", "crlf line", "sigma", "mitre attack", "network info", "dropped info", "use short", "name path", "windows folder", "defense evasion", "next", "wednesday", "january", "extra info", "attack network", "info dropped", "geospatial endpoints" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/0005c1a0f0dd0df76abbabf5f3f9303e46639dc29181b907388cf95a919bfdc5_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779435695&Signature=UoqeOvA3l0SmZPLGLkJ4n7oue%2FoXBTcyhLy5g1zr97R1z9EBf2vAXrsnA8mHkedBOo0cd7lQhlV4QLek1AiAP4Z%2F9XgN%2FgaAo3L%2FP0tI1NFNb5lJ9mZ4YQ5aVcF1jYBD4bluT9%2BjUQaRIkFHR4w4OIpWVuJOGdkbT7UxU%2BgyPR3o2Ij%2Fli0GfJO%2B%2B2KMpTnBE0mWDM%2BrEThJKW2Ty5flTxONg4m7toLl7%2BspvX1Q", "https://vtbehaviour.commondatastorage.googleapis.com/0005c1a0f0dd0df76abbabf5f3f9303e46639dc29181b907388cf95a919bfdc5_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779435775&Signature=AkieU7eRCNrzND0lejy10HFR7OdRvNqyswrKIdggTIg6w4naejOYYwut39HnOup0%2BqQcIl4AJ6iCv7BrJuqNoIe3WuL3S3c9To36FuiNd2aOBRNZcN9gHBz7GSvTlAnmNNOt9OIZbdryCE4RnMJA4q7aOGLAd3dJzbXxC1sLLrpBBY0wTeb7cvNcLLEuJzsk9AQw8m9nZ%2BMfQJB8hWxaWNXySZkIl%2Fkufg7NdeYBFT4YXsi2gxWg0UruP%2FFYE8", "https://vtbehaviour.commondatastorage.googleapis.com/0002412eddb6f812afb3e131d7e801536cb4ff8a410a6d6c6bc559fdb3546116_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779436484&Signature=Pr1pfaimFPZRbQFRLBhpICwKcQGlnx4U5y%2FQZiFEs%2BMGp9zOdmylpsondhJ%2FoJg6NIwY9%2Bk2v9SRh8rgNd2aefaWARh%2ByYvcCFEELbz7cf%2F2f128%2FN%2BsNKOuiRC2JFyN37Wq2hSLt9NYUERhB0THMCMQtw1axrtOHh9CLz3YZ%2BdO7E%2B3g1aOrD3sDAwOgmWR9n9pk%2Fj55fIyJqPDU80OB1RXmaU4XNnEIBA69dpnuj57WGWd" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 33, "CIDR": 5, "FileHash-MD5": 275, "FileHash-SHA1": 27, "FileHash-SHA256": 45, "URL": 149, "domain": 8, "email": 7, "hostname": 165, "CVE": 1 }, "indicator_count": 715, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "7 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a100b5a7b1e843e08b7f57b", "name": "\"don't save her\" a continued message * CAPE Sandbox", "description": "[sample of the Pigeonhole Sieve malware has been found in the X-Sieve R system, designed to detect and prevent the spread of malicious software, which is currently being used by Microsoft Office.] -pretext", "modified": "2026-05-22T08:00:01.133000", "created": "2026-05-22T07:52:58.704000", "tags": [ "table", "postfix", "eest", "tbody", "span", "deliveredto", "bayesspam", "fromeqenvfrom", "fromhasdn", "ipreputation", "date", "title", "file type", "ascii text", "crlf line", "sigma", "mitre attack", "network info", "dropped info", "use short", "name path", "windows folder", "defense evasion", "next", "wednesday", "january", "extra info", "attack network", "info dropped", "geospatial endpoints" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/0005c1a0f0dd0df76abbabf5f3f9303e46639dc29181b907388cf95a919bfdc5_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779435695&Signature=UoqeOvA3l0SmZPLGLkJ4n7oue%2FoXBTcyhLy5g1zr97R1z9EBf2vAXrsnA8mHkedBOo0cd7lQhlV4QLek1AiAP4Z%2F9XgN%2FgaAo3L%2FP0tI1NFNb5lJ9mZ4YQ5aVcF1jYBD4bluT9%2BjUQaRIkFHR4w4OIpWVuJOGdkbT7UxU%2BgyPR3o2Ij%2Fli0GfJO%2B%2B2KMpTnBE0mWDM%2BrEThJKW2Ty5flTxONg4m7toLl7%2BspvX1Q", "https://vtbehaviour.commondatastorage.googleapis.com/0005c1a0f0dd0df76abbabf5f3f9303e46639dc29181b907388cf95a919bfdc5_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779435775&Signature=AkieU7eRCNrzND0lejy10HFR7OdRvNqyswrKIdggTIg6w4naejOYYwut39HnOup0%2BqQcIl4AJ6iCv7BrJuqNoIe3WuL3S3c9To36FuiNd2aOBRNZcN9gHBz7GSvTlAnmNNOt9OIZbdryCE4RnMJA4q7aOGLAd3dJzbXxC1sLLrpBBY0wTeb7cvNcLLEuJzsk9AQw8m9nZ%2BMfQJB8hWxaWNXySZkIl%2Fkufg7NdeYBFT4YXsi2gxWg0UruP%2FFYE8", "https://vtbehaviour.commondatastorage.googleapis.com/0002412eddb6f812afb3e131d7e801536cb4ff8a410a6d6c6bc559fdb3546116_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779436484&Signature=Pr1pfaimFPZRbQFRLBhpICwKcQGlnx4U5y%2FQZiFEs%2BMGp9zOdmylpsondhJ%2FoJg6NIwY9%2Bk2v9SRh8rgNd2aefaWARh%2ByYvcCFEELbz7cf%2F2f128%2FN%2BsNKOuiRC2JFyN37Wq2hSLt9NYUERhB0THMCMQtw1axrtOHh9CLz3YZ%2BdO7E%2B3g1aOrD3sDAwOgmWR9n9pk%2Fj55fIyJqPDU80OB1RXmaU4XNnEIBA69dpnuj57WGWd" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 36, "CIDR": 1, "FileHash-MD5": 273, "FileHash-SHA1": 30, "FileHash-SHA256": 46, "URL": 137, "domain": 5, "email": 3, "hostname": 165 }, "indicator_count": 696, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "8 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a100b5a4fbd55e1c62e2a34", "name": "\"don't save her\" a continued message * CAPE Sandbox", "description": "[sample of the Pigeonhole Sieve malware has been found in the X-Sieve R system, designed to detect and prevent the spread of malicious software, which is currently being used by Microsoft Office.] -pretext", "modified": "2026-05-22T07:52:58.211000", "created": "2026-05-22T07:52:58.211000", "tags": [ "table", "postfix", "eest", "tbody", "span", "deliveredto", "bayesspam", "fromeqenvfrom", "fromhasdn", "ipreputation", "date", "title", "file type", "ascii text", "crlf line", "sigma", "mitre attack", "network info", "dropped info", "use short", "name path", "windows folder", "defense evasion", "next", "wednesday", "january", "extra info", "attack network", "info dropped", "geospatial endpoints" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/0005c1a0f0dd0df76abbabf5f3f9303e46639dc29181b907388cf95a919bfdc5_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779435695&Signature=UoqeOvA3l0SmZPLGLkJ4n7oue%2FoXBTcyhLy5g1zr97R1z9EBf2vAXrsnA8mHkedBOo0cd7lQhlV4QLek1AiAP4Z%2F9XgN%2FgaAo3L%2FP0tI1NFNb5lJ9mZ4YQ5aVcF1jYBD4bluT9%2BjUQaRIkFHR4w4OIpWVuJOGdkbT7UxU%2BgyPR3o2Ij%2Fli0GfJO%2B%2B2KMpTnBE0mWDM%2BrEThJKW2Ty5flTxONg4m7toLl7%2BspvX1Q", "https://vtbehaviour.commondatastorage.googleapis.com/0005c1a0f0dd0df76abbabf5f3f9303e46639dc29181b907388cf95a919bfdc5_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779435775&Signature=AkieU7eRCNrzND0lejy10HFR7OdRvNqyswrKIdggTIg6w4naejOYYwut39HnOup0%2BqQcIl4AJ6iCv7BrJuqNoIe3WuL3S3c9To36FuiNd2aOBRNZcN9gHBz7GSvTlAnmNNOt9OIZbdryCE4RnMJA4q7aOGLAd3dJzbXxC1sLLrpBBY0wTeb7cvNcLLEuJzsk9AQw8m9nZ%2BMfQJB8hWxaWNXySZkIl%2Fkufg7NdeYBFT4YXsi2gxWg0UruP%2FFYE8", "https://vtbehaviour.commondatastorage.googleapis.com/0002412eddb6f812afb3e131d7e801536cb4ff8a410a6d6c6bc559fdb3546116_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779436484&Signature=Pr1pfaimFPZRbQFRLBhpICwKcQGlnx4U5y%2FQZiFEs%2BMGp9zOdmylpsondhJ%2FoJg6NIwY9%2Bk2v9SRh8rgNd2aefaWARh%2ByYvcCFEELbz7cf%2F2f128%2FN%2BsNKOuiRC2JFyN37Wq2hSLt9NYUERhB0THMCMQtw1axrtOHh9CLz3YZ%2BdO7E%2B3g1aOrD3sDAwOgmWR9n9pk%2Fj55fIyJqPDU80OB1RXmaU4XNnEIBA69dpnuj57WGWd" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 30, "CIDR": 1, "FileHash-MD5": 273, "FileHash-SHA1": 27, "FileHash-SHA256": 43, "URL": 131, "domain": 5, "email": 3, "hostname": 156 }, "indicator_count": 669, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "8 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a100b5a2838b1cc50ba5360", "name": "\"don't save her\" a continued message * CAPE Sandbox", "description": "[sample of the Pigeonhole Sieve malware has been found in the X-Sieve R system, designed to detect and prevent the spread of malicious software, which is currently being used by Microsoft Office.] -pretext", "modified": "2026-05-22T07:52:57.995000", "created": "2026-05-22T07:52:57.995000", "tags": [ "table", "postfix", "eest", "tbody", "span", "deliveredto", "bayesspam", "fromeqenvfrom", "fromhasdn", "ipreputation", "date", "title", "file type", "ascii text", "crlf line", "sigma", "mitre attack", "network info", "dropped info", "use short", "name path", "windows folder", "defense evasion", "next", "wednesday", "january", "extra info", "attack network", "info dropped", "geospatial endpoints" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/0005c1a0f0dd0df76abbabf5f3f9303e46639dc29181b907388cf95a919bfdc5_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779435695&Signature=UoqeOvA3l0SmZPLGLkJ4n7oue%2FoXBTcyhLy5g1zr97R1z9EBf2vAXrsnA8mHkedBOo0cd7lQhlV4QLek1AiAP4Z%2F9XgN%2FgaAo3L%2FP0tI1NFNb5lJ9mZ4YQ5aVcF1jYBD4bluT9%2BjUQaRIkFHR4w4OIpWVuJOGdkbT7UxU%2BgyPR3o2Ij%2Fli0GfJO%2B%2B2KMpTnBE0mWDM%2BrEThJKW2Ty5flTxONg4m7toLl7%2BspvX1Q", "https://vtbehaviour.commondatastorage.googleapis.com/0005c1a0f0dd0df76abbabf5f3f9303e46639dc29181b907388cf95a919bfdc5_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779435775&Signature=AkieU7eRCNrzND0lejy10HFR7OdRvNqyswrKIdggTIg6w4naejOYYwut39HnOup0%2BqQcIl4AJ6iCv7BrJuqNoIe3WuL3S3c9To36FuiNd2aOBRNZcN9gHBz7GSvTlAnmNNOt9OIZbdryCE4RnMJA4q7aOGLAd3dJzbXxC1sLLrpBBY0wTeb7cvNcLLEuJzsk9AQw8m9nZ%2BMfQJB8hWxaWNXySZkIl%2Fkufg7NdeYBFT4YXsi2gxWg0UruP%2FFYE8", "https://vtbehaviour.commondatastorage.googleapis.com/0002412eddb6f812afb3e131d7e801536cb4ff8a410a6d6c6bc559fdb3546116_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779436484&Signature=Pr1pfaimFPZRbQFRLBhpICwKcQGlnx4U5y%2FQZiFEs%2BMGp9zOdmylpsondhJ%2FoJg6NIwY9%2Bk2v9SRh8rgNd2aefaWARh%2ByYvcCFEELbz7cf%2F2f128%2FN%2BsNKOuiRC2JFyN37Wq2hSLt9NYUERhB0THMCMQtw1axrtOHh9CLz3YZ%2BdO7E%2B3g1aOrD3sDAwOgmWR9n9pk%2Fj55fIyJqPDU80OB1RXmaU4XNnEIBA69dpnuj57WGWd" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 30, "CIDR": 1, "FileHash-MD5": 273, "FileHash-SHA1": 27, "FileHash-SHA256": 43, "URL": 131, "domain": 5, "email": 3, "hostname": 156 }, "indicator_count": 669, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "8 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a100b59bb15041d5cfffd88", "name": "\"don't save her\" a continued message * CAPE Sandbox", "description": "[sample of the Pigeonhole Sieve malware has been found in the X-Sieve R system, designed to detect and prevent the spread of malicious software, which is currently being used by Microsoft Office.] -pretext", "modified": "2026-05-22T07:52:57.865000", "created": "2026-05-22T07:52:57.865000", "tags": [ "table", "postfix", "eest", "tbody", "span", "deliveredto", "bayesspam", "fromeqenvfrom", "fromhasdn", "ipreputation", "date", "title", "file type", "ascii text", "crlf line", "sigma", "mitre attack", "network info", "dropped info", "use short", "name path", "windows folder", "defense evasion", "next", "wednesday", "january", "extra info", "attack network", "info dropped", "geospatial endpoints" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/0005c1a0f0dd0df76abbabf5f3f9303e46639dc29181b907388cf95a919bfdc5_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779435695&Signature=UoqeOvA3l0SmZPLGLkJ4n7oue%2FoXBTcyhLy5g1zr97R1z9EBf2vAXrsnA8mHkedBOo0cd7lQhlV4QLek1AiAP4Z%2F9XgN%2FgaAo3L%2FP0tI1NFNb5lJ9mZ4YQ5aVcF1jYBD4bluT9%2BjUQaRIkFHR4w4OIpWVuJOGdkbT7UxU%2BgyPR3o2Ij%2Fli0GfJO%2B%2B2KMpTnBE0mWDM%2BrEThJKW2Ty5flTxONg4m7toLl7%2BspvX1Q", "https://vtbehaviour.commondatastorage.googleapis.com/0005c1a0f0dd0df76abbabf5f3f9303e46639dc29181b907388cf95a919bfdc5_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779435775&Signature=AkieU7eRCNrzND0lejy10HFR7OdRvNqyswrKIdggTIg6w4naejOYYwut39HnOup0%2BqQcIl4AJ6iCv7BrJuqNoIe3WuL3S3c9To36FuiNd2aOBRNZcN9gHBz7GSvTlAnmNNOt9OIZbdryCE4RnMJA4q7aOGLAd3dJzbXxC1sLLrpBBY0wTeb7cvNcLLEuJzsk9AQw8m9nZ%2BMfQJB8hWxaWNXySZkIl%2Fkufg7NdeYBFT4YXsi2gxWg0UruP%2FFYE8", "https://vtbehaviour.commondatastorage.googleapis.com/0002412eddb6f812afb3e131d7e801536cb4ff8a410a6d6c6bc559fdb3546116_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779436484&Signature=Pr1pfaimFPZRbQFRLBhpICwKcQGlnx4U5y%2FQZiFEs%2BMGp9zOdmylpsondhJ%2FoJg6NIwY9%2Bk2v9SRh8rgNd2aefaWARh%2ByYvcCFEELbz7cf%2F2f128%2FN%2BsNKOuiRC2JFyN37Wq2hSLt9NYUERhB0THMCMQtw1axrtOHh9CLz3YZ%2BdO7E%2B3g1aOrD3sDAwOgmWR9n9pk%2Fj55fIyJqPDU80OB1RXmaU4XNnEIBA69dpnuj57WGWd" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 30, "CIDR": 1, "FileHash-MD5": 273, "FileHash-SHA1": 27, "FileHash-SHA256": 43, "URL": 131, "domain": 5, "email": 3, "hostname": 156 }, "indicator_count": 669, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "8 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a100b59a54621b833de1120", "name": "\"don't save her\" a continued message * CAPE Sandbox", "description": "[sample of the Pigeonhole Sieve malware has been found in the X-Sieve R system, designed to detect and prevent the spread of malicious software, which is currently being used by Microsoft Office.] -pretext", "modified": "2026-05-22T07:52:57.606000", "created": "2026-05-22T07:52:57.606000", "tags": [ "table", "postfix", "eest", "tbody", "span", "deliveredto", "bayesspam", "fromeqenvfrom", "fromhasdn", "ipreputation", "date", "title", "file type", "ascii text", "crlf line", "sigma", "mitre attack", "network info", "dropped info", "use short", "name path", "windows folder", "defense evasion", "next", "wednesday", "january", "extra info", "attack network", "info dropped", "geospatial endpoints" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/0005c1a0f0dd0df76abbabf5f3f9303e46639dc29181b907388cf95a919bfdc5_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779435695&Signature=UoqeOvA3l0SmZPLGLkJ4n7oue%2FoXBTcyhLy5g1zr97R1z9EBf2vAXrsnA8mHkedBOo0cd7lQhlV4QLek1AiAP4Z%2F9XgN%2FgaAo3L%2FP0tI1NFNb5lJ9mZ4YQ5aVcF1jYBD4bluT9%2BjUQaRIkFHR4w4OIpWVuJOGdkbT7UxU%2BgyPR3o2Ij%2Fli0GfJO%2B%2B2KMpTnBE0mWDM%2BrEThJKW2Ty5flTxONg4m7toLl7%2BspvX1Q", "https://vtbehaviour.commondatastorage.googleapis.com/0005c1a0f0dd0df76abbabf5f3f9303e46639dc29181b907388cf95a919bfdc5_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779435775&Signature=AkieU7eRCNrzND0lejy10HFR7OdRvNqyswrKIdggTIg6w4naejOYYwut39HnOup0%2BqQcIl4AJ6iCv7BrJuqNoIe3WuL3S3c9To36FuiNd2aOBRNZcN9gHBz7GSvTlAnmNNOt9OIZbdryCE4RnMJA4q7aOGLAd3dJzbXxC1sLLrpBBY0wTeb7cvNcLLEuJzsk9AQw8m9nZ%2BMfQJB8hWxaWNXySZkIl%2Fkufg7NdeYBFT4YXsi2gxWg0UruP%2FFYE8", "https://vtbehaviour.commondatastorage.googleapis.com/0002412eddb6f812afb3e131d7e801536cb4ff8a410a6d6c6bc559fdb3546116_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779436484&Signature=Pr1pfaimFPZRbQFRLBhpICwKcQGlnx4U5y%2FQZiFEs%2BMGp9zOdmylpsondhJ%2FoJg6NIwY9%2Bk2v9SRh8rgNd2aefaWARh%2ByYvcCFEELbz7cf%2F2f128%2FN%2BsNKOuiRC2JFyN37Wq2hSLt9NYUERhB0THMCMQtw1axrtOHh9CLz3YZ%2BdO7E%2B3g1aOrD3sDAwOgmWR9n9pk%2Fj55fIyJqPDU80OB1RXmaU4XNnEIBA69dpnuj57WGWd" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 30, "CIDR": 1, "FileHash-MD5": 273, "FileHash-SHA1": 27, "FileHash-SHA256": 43, "URL": 131, "domain": 5, "email": 3, "hostname": 156 }, "indicator_count": 669, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "8 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69d2272769a32400c257e7e7", "name": "CAPE Sandbox", "description": "The full text of the full translation of this article:..2.4.3.7.8.6.1.9.5.0., the first of its kind.>>", "modified": "2026-05-05T09:01:42.428000", "created": "2026-04-05T09:11:03.976000", "tags": [ "aaaa", "algorithm", "number", "cgb osectigo", "public server", "ov r36", "validity", "cus sttexas", "oforcepoint llc", "public key", "info", "host name", "handle", "rdap database", "iana registrar", "entity", "dnssec", "yes conformance", "redacted for", "server", "domain status", "privacy billing", "privacy tech", "privacy admin", "email", "postal code", "date", "registrar abuse", "code", "dspm", "forcepoint dlp", "forcepoint", "login", "password", "austin", "texas", "hub customer", "data security", "protect", "organization", "stateprovince", "attempts", "reads", "sha1", "sha256", "mwdb", "bazaar", "sha3384", "crc32", "ssdeep", "checks" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CIDR": 3, "FileHash-SHA256": 685, "domain": 205, "hostname": 426, "FileHash-MD5": 722, "FileHash-SHA1": 348, "URL": 438, "email": 3 }, "indicator_count": 2830, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "25 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69d2273d57ede103894c1943", "name": "CAPE Sandbox", "description": "The full text of the full translation of this article:..2.4.3.7.8.6.1.9.5.0., the first of its kind.>>", "modified": "2026-05-05T09:01:42.428000", "created": "2026-04-05T09:11:25.506000", "tags": [ "aaaa", "algorithm", "number", "cgb osectigo", "public server", "ov r36", "validity", "cus sttexas", "oforcepoint llc", "public key", "info", "host name", "handle", "rdap database", "iana registrar", "entity", "dnssec", "yes conformance", "redacted for", "server", "domain status", "privacy billing", "privacy tech", "privacy admin", "email", "postal code", "date", "registrar abuse", "code", "dspm", "forcepoint dlp", "forcepoint", "login", "password", "austin", "texas", "hub customer", "data security", "protect", "organization", "stateprovince", "attempts", "reads", "sha1", "sha256", "mwdb", "bazaar", "sha3384", "crc32", "ssdeep", "checks" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CIDR": 3, "FileHash-SHA256": 685, "domain": 205, "hostname": 426, "FileHash-MD5": 722, "FileHash-SHA1": 348, "URL": 438, "email": 3 }, "indicator_count": 2830, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "25 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69d2274c68bc029b77ff8b2c", "name": "CAPE Sandbox", "description": "The full text of the full translation of this article:..2.4.3.7.8.6.1.9.5.0., the first of its kind.>>", "modified": "2026-05-05T09:01:42.428000", "created": "2026-04-05T09:11:40.830000", "tags": [ "aaaa", "algorithm", "number", "cgb osectigo", "public server", "ov r36", "validity", "cus sttexas", "oforcepoint llc", "public key", "info", "host name", "handle", "rdap database", "iana registrar", "entity", "dnssec", "yes conformance", "redacted for", "server", "domain status", "privacy billing", "privacy tech", "privacy admin", "email", "postal code", "date", "registrar abuse", "code", "dspm", "forcepoint dlp", "forcepoint", "login", "password", "austin", "texas", "hub customer", "data security", "protect", "organization", "stateprovince", "attempts", "reads", "sha1", "sha256", "mwdb", "bazaar", "sha3384", "crc32", "ssdeep", "checks" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CIDR": 3, "FileHash-SHA256": 685, "domain": 205, "hostname": 426, "FileHash-MD5": 722, "FileHash-SHA1": 348, "URL": 438, "email": 3 }, "indicator_count": 2830, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "25 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://storage.azure.com/", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://storage.azure.com/", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780211378.9377005 }