{
  "type": "URL",
  "indicator": "https://vanbuildtracker.com",
  "general": {
    "sections": [
      "general",
      "url_list",
      "http_scans",
      "screenshot"
    ],
    "indicator": "https://vanbuildtracker.com",
    "type": "url",
    "type_title": "URL",
    "validation": [],
    "base_indicator": {
      "id": 4297708711,
      "indicator": "https://vanbuildtracker.com",
      "type": "URL",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 16,
      "pulses": [
        {
          "id": "69e1f53e6b3e17deca1277b7",
          "name": "VirusTotal report\n                    for program.exe",
          "description": "The full text of this year's EU Referendum, which will take place on 26 November, has been published.. and it will not appear on BBC Radio 5 live or on iPlayer.]",
          "modified": "2026-04-18T04:12:56.823000",
          "created": "2026-04-17T08:54:22.034000",
          "tags": [
            "executable",
            "msdos",
            "pe32 executable",
            "intel",
            "ms windows",
            "dos borland",
            "generic windos",
            "dos executable",
            "pe32 compiler",
            "borland delphi",
            "delphi",
            "file type",
            "json",
            "ascii",
            "ascii text",
            "drops pe",
            "pe file",
            "sample",
            "persistence",
            "malicious",
            "next",
            "network capture",
            "wireshark pcap",
            "next generation",
            "dump file",
            "format",
            "little endian",
            "pcap",
            "nothing",
            "registry keys",
            "mutexes nothing",
            "parent pid",
            "full path",
            "command line",
            "files c",
            "read files",
            "read registry",
            "apis nothing",
            "https",
            "urls",
            "creates",
            "pe32",
            "sigma",
            "window",
            "mailpassview",
            "default",
            "mwdb",
            "bazaar",
            "sha3384",
            "ssdeep",
            "file size",
            "sha256",
            "cname",
            "inprocserver32",
            "accept",
            "shutdown",
            "guard",
            "darkgate",
            "windows sandbox",
            "calls process",
            "systemroot",
            "commands",
            "created",
            "xcaxdb xcaxdb",
            "x82xec x82xec",
            "x83xc4 x83xc4",
            "xc1 x",
            "xffu xffu",
            "x8be x8be",
            "x81e x81e",
            "xc4 xc4",
            "x81i x81i",
            "xf3x86 xf3x86",
            "activator",
            "detail info",
            "tickcount",
            "processid",
            "threadid",
            "startaddress",
            "parameter",
            "offset",
            "socket",
            "text",
            "classname",
            "behaviour",
            "class",
            "shell",
            "find",
            "mitre attack",
            "network info",
            "processes extra",
            "program",
            "t1055 process",
            "overview",
            "overview zenbox",
            "verdict",
            "guest system",
            "title",
            "phishing",
            "cape sandbox",
            "t1055",
            "style",
            "courier",
            "ip address",
            "port",
            "gmt ifnonematch",
            "machine summary",
            "meta",
            "inter"
          ],
          "references": [
            "https://vtbehaviour.commondatastorage.googleapis.com/fb83210a8a2d58af1d2fe5edf812be88b5465c130c3e8a091626bc0a2d6452ae_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415519&Signature=e1YxGtIahtkD9VKQTSuo9BFhC4KNicXASSfPf7LiJhYyR2OQOLXoHJjgEUtHCAfeZU7VSacymMfJJhx7M2NXSaPyv5cdsCUWfzeTKwyFqM06pSuq7HqYUJIh2%2BG3bz87h0m%2FMFuU5d0MXdwN9ykL%2FJ8EB4RuyKhfY%2FjBGZMZA0nVn5dQtQ1GySJiLj%2BWsKXQxsYVy%2FBok8h2n2m7EE923RSv%2BkkdQHO3enQf2ikR%2FU%2BtEN4S7xO2",
            "https://vtbehaviour.commondatastorage.googleapis.com/b71ddf3175c9e6b41f143207c6e74a9c327a362b3a1ce7e0282ceae2ad513b3b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415599&Signature=O7Nc7o9GEFU3sFGIZv58PwBR8rG8MIwYQTmDyTNIUlHEEpmUY2Bttz0797jnr4%2BjT%2BCd1r%2BRad4nV4HLruG5QACAgOnQKjtSn%2FhWNes5q1y2qu46J%2BwCUFqmrr%2BpM6MjMmILZUqSezFzC5Fs%2Fnn4iBIQpYxJ8e4sJMXVIONcDkWLhycQk5rVr%2FV7G6tU0yAkoavXhpyrSGqR2Ee9QAoAXLWdixJ0rLJ85yQxWFr0E%2F7%",
            "https://vtbehaviour.commondatastorage.googleapis.com/9e4f036dd6fbb45ce414cb5d040b3255b5ccc9ecacbfaf022b631545f9a19a02_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415622&Signature=NJmj0XG%2BcAwpEa26%2B7ucV3CTWcwrSwSV%2BU62aYx0yDVYzZH70ROLK9%2F2lUy0IuC6n88oOTLoikSC4GRgUVypFQpmJoKQpkPvHZ1SfyklCtIWurZJYZvHSZs32JL0l6t3eEwW61xDg%2FICvOFlPQ0Aju7Hk1ntOY82jD%2B9dVw179jdF3A5jzGDrcr7mP17tnwZcOI0pVfF0ZhtbJL6SCHXBce%2BWS5zRxV2VgXHqrGYl0XLgpK6MD30wBFT",
            "https://vtbehaviour.commondatastorage.googleapis.com/9e4f036dd6fbb45ce414cb5d040b3255b5ccc9ecacbfaf022b631545f9a19a02_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415648&Signature=gOGhlxTumFXkKGryYSeJV8%2BMONZwbp%2BS3ntsErndc02nffG6DHW%2FbU0CVbVSOp3lIZkIt2qx7a%2BTsm2IItEWtGIN55fG14UxsBfo1Gf8bukZC4u5KoQKrVSYuV9aASUd5oCoTo0iIp%2BVCokHRdLbF259Fld%2FjlgJGL%2FVoLiGxXwkbQaxZi5VN94eNl65FMGXLtoVUgbUk3FhXEIuLwwJJU8XnveqbCOzDS9PtPnPO7seXDaK",
            "https://vtbehaviour.commondatastorage.googleapis.com/9e4f036dd6fbb45ce414cb5d040b3255b5ccc9ecacbfaf022b631545f9a19a02_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415662&Signature=ii4xZZXyeZqty%2B%2BwMuioMf90xxcdXimnQRoYesmvSMUfZNPn9hRsSBoDdFdqtcRFep%2BYsQiF4%2BKaDZPUzloaQ%2FeZkEhJokSi2P1NP1ymoIPZ5j%2F8XwTxCO0c%2BGbA%2BECIOWUC9IlgPTZfdCvd1wQiXe4sa1U0QVwZBDk%2B7GDXDJUVIOH6bc8cAZi8Q4QzBqOTaLamgqF1%2BC5uFbLSShJOLGiBZv6PRiQ2L2qk",
            "https://vtbehaviour.commondatastorage.googleapis.com/0244cbf1fbf8809c335b9bbd8142c72e3bbb36881e0aacfba6000e0aaa048ba9_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415703&Signature=L2WgcAgR2nm5cyc0SHe8nYGU6Db6r7Cvr%2F9INkp%2ByiPXoTK3tUwxH06Vr3YnW2wDr8eANqgqXGU09YoEUVEKuHs8veU6QWbaN3LrOaICSmq1tlHwJUE7sILNI3MnOjwZvzYeFCMmSLUOQ62k46HzTVnrFNBqaPIUNQiRsQFUz06TVaA9FxXxYKk2brVLRXiNew1RgDlMp%2BM9EnePR06vYsB9QXEgrblE7M51AU%2BpM09%2BGxukEzUG",
            "https://vtbehaviour.commondatastorage.googleapis.com/1af55649a731abb95d71e2e49693a7bcf87270eb4f8712b747f7e04a0a2a3031_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415762&Signature=4Iu15AELs8158yzYffz716hQ5%2BDY4JHNeJeMzaSmkJrocvfpO7MMmB4MO5Zo%2Bs339dX%2Flb51NK%2Fd3eREGBJkNV3bvbEFaxv1hCO%2Fqge8%2FLnfKLSSRPJ48%2BGAVA22z0gYKvSPfYdGvownSV9GBevxmcIWZ%2F0VK57Mb1gHqvtWKs%2BMGgd4v%2FJJWCmjWx8xLomFVgrpD1boM0PxdVh3X21asN1DplbqcAZ%2Fd5WoOJYic",
            "https://vtbehaviour.commondatastorage.googleapis.com/00000048b1c9e60c14a6619f0292dea96df7f10c11cfa9ae28693219c0ae844b_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415832&Signature=AOcM9Dc%2B2gUBJnZxuNmagisQ8QYjno4RVZd6DZFo553Ws2tWbJ6lUHXGOGTxLZCRccqXY9h0WhcjRXW4EgojbjJxXCTLq1y%2BtxXjZShlepAg7uq2pbXGsBhUcbpS5Jj0upmosZUCtU4mq8fMyjA0Jufv7u%2F%2FhIwKCp6Q9NIixpAXFwNy8BWn%2FOh6em7B0TwRABvcvTsQC2PO%2FOq5J61VWow6JiR2o97x%2Fm1ChJyz%2FvGTsz",
            "https://vtbehaviour.commondatastorage.googleapis.com/2490cba406c48127d4f19ec90640181b6fda91960640d126478a6695aab49c4a_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776416015&Signature=evkFEcpvJ0BNlw47zD%2Bgg2ETU%2FGcbGZI3U%2BLCDkaRH4IhSCbgDF9ABajkx7SCAFA2G%2BndDWCzqKkknqPMARKAJk2b5h%2Bu1Gq8uDozkg9GvP8exgs3%2Bw%2F40637%2BmzlgjutElGFcVRMMDWRF5QEvyEDJVUIXmKmLYmKDYM58fBA4IM2VfpV8BB6HJcySkkMk2J4Mhk9nut%2FIrmFjV99WEunuPKfIgnAataXIXzBGZJl2eJK1OEGK19",
            "https://vtbehaviour.commondatastorage.googleapis.com/2490cba406c48127d4f19ec90640181b6fda91960640d126478a6695aab49c4a_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776416061&Signature=eIQtmFWS2GiSN%2F3bdQCKKOu9%2FiEoDqQYcEtVnvTTBu%2BZ5JFRAyRu7Tgxw5YyVb%2BXK66m6JTN4yIleNl669%2FfdMbOamF6hlF%2FZbucN1etgX%2B8Snq2xrhFN5xZvvWrQukcYlJQnz9s2WSByNnA2Lvi7dn3qQnZMVNcJwWLhL1ayyCBqpiDVaDMGTgQfLrVdec0Xknzzl70Ce70nSgQdxJ4Q%2FSzYtz9Khtk6hyaiBbYxsyiWQ",
            "https://vtbehaviour.commondatastorage.googleapis.com/fb83210a8a2d58af1d2fe5edf812be88b5465c130c3e8a091626bc0a2d6452ae_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776416202&Signature=f43IRerFiqRQ5ke71WfT2lNFf5Jf60FnKcTCpJGhgnSemoBx1iDNvbOs8rePJYHFEiffIuvjjnquRt51dziCswMktwhg8g7Tl3vVfnoYpuBzv6QT86so9sVcKWOt43wFnzCEH1RWrmQDe2jRBGL2Kvhqi%2B3i2iAFdZWCrxoAJtMJVqGVwXM5S7JnLR%2BklB1A5RQQReOEncgwClqKUHMPrSGjXgH%2FDernerWjOXghDL3V2fJ7EJ"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1203",
              "name": "Exploitation for Client Execution",
              "display_name": "T1203 - Exploitation for Client Execution"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            },
            {
              "id": "T1010",
              "name": "Application Window Discovery",
              "display_name": "T1010 - Application Window Discovery"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1047",
              "name": "Windows Management Instrumentation",
              "display_name": "T1047 - Windows Management Instrumentation"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1070",
              "name": "Indicator Removal on Host",
              "display_name": "T1070 - Indicator Removal on Host"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1200",
              "name": "Hardware Additions",
              "display_name": "T1200 - Hardware Additions"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 686,
            "FileHash-MD5": 96,
            "FileHash-SHA1": 136,
            "IPv4": 98,
            "URL": 562,
            "hostname": 313,
            "domain": 105,
            "IPv6": 2,
            "email": 2,
            "YARA": 1
          },
          "indicator_count": 2001,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 49,
          "modified_text": "1 day ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "69e1f52e424e1151ddd9c696",
          "name": "VirusTotal report\n                    for program.exe",
          "description": "The full text of this year's EU Referendum, which will take place on 26 November, has been published.. and it will not appear on BBC Radio 5 live or on iPlayer.]",
          "modified": "2026-04-18T04:12:55.719000",
          "created": "2026-04-17T08:54:06.864000",
          "tags": [
            "executable",
            "msdos",
            "pe32 executable",
            "intel",
            "ms windows",
            "dos borland",
            "generic windos",
            "dos executable",
            "pe32 compiler",
            "borland delphi",
            "delphi",
            "file type",
            "json",
            "ascii",
            "ascii text",
            "drops pe",
            "pe file",
            "sample",
            "persistence",
            "malicious",
            "next",
            "network capture",
            "wireshark pcap",
            "next generation",
            "dump file",
            "format",
            "little endian",
            "pcap",
            "nothing",
            "registry keys",
            "mutexes nothing",
            "parent pid",
            "full path",
            "command line",
            "files c",
            "read files",
            "read registry",
            "apis nothing",
            "https",
            "urls",
            "creates",
            "pe32",
            "sigma",
            "window",
            "mailpassview",
            "default",
            "mwdb",
            "bazaar",
            "sha3384",
            "ssdeep",
            "file size",
            "sha256",
            "cname",
            "inprocserver32",
            "accept",
            "shutdown",
            "guard",
            "darkgate",
            "windows sandbox",
            "calls process",
            "systemroot",
            "commands",
            "created",
            "xcaxdb xcaxdb",
            "x82xec x82xec",
            "x83xc4 x83xc4",
            "xc1 x",
            "xffu xffu",
            "x8be x8be",
            "x81e x81e",
            "xc4 xc4",
            "x81i x81i",
            "xf3x86 xf3x86",
            "activator",
            "detail info",
            "tickcount",
            "processid",
            "threadid",
            "startaddress",
            "parameter",
            "offset",
            "socket",
            "text",
            "classname",
            "behaviour",
            "class",
            "shell",
            "find",
            "mitre attack",
            "network info",
            "processes extra",
            "program",
            "t1055 process",
            "overview",
            "overview zenbox",
            "verdict",
            "guest system",
            "title",
            "phishing",
            "cape sandbox",
            "t1055",
            "style",
            "courier",
            "ip address",
            "port",
            "gmt ifnonematch",
            "machine summary",
            "meta",
            "inter"
          ],
          "references": [
            "https://vtbehaviour.commondatastorage.googleapis.com/fb83210a8a2d58af1d2fe5edf812be88b5465c130c3e8a091626bc0a2d6452ae_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415519&Signature=e1YxGtIahtkD9VKQTSuo9BFhC4KNicXASSfPf7LiJhYyR2OQOLXoHJjgEUtHCAfeZU7VSacymMfJJhx7M2NXSaPyv5cdsCUWfzeTKwyFqM06pSuq7HqYUJIh2%2BG3bz87h0m%2FMFuU5d0MXdwN9ykL%2FJ8EB4RuyKhfY%2FjBGZMZA0nVn5dQtQ1GySJiLj%2BWsKXQxsYVy%2FBok8h2n2m7EE923RSv%2BkkdQHO3enQf2ikR%2FU%2BtEN4S7xO2",
            "https://vtbehaviour.commondatastorage.googleapis.com/b71ddf3175c9e6b41f143207c6e74a9c327a362b3a1ce7e0282ceae2ad513b3b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415599&Signature=O7Nc7o9GEFU3sFGIZv58PwBR8rG8MIwYQTmDyTNIUlHEEpmUY2Bttz0797jnr4%2BjT%2BCd1r%2BRad4nV4HLruG5QACAgOnQKjtSn%2FhWNes5q1y2qu46J%2BwCUFqmrr%2BpM6MjMmILZUqSezFzC5Fs%2Fnn4iBIQpYxJ8e4sJMXVIONcDkWLhycQk5rVr%2FV7G6tU0yAkoavXhpyrSGqR2Ee9QAoAXLWdixJ0rLJ85yQxWFr0E%2F7%",
            "https://vtbehaviour.commondatastorage.googleapis.com/9e4f036dd6fbb45ce414cb5d040b3255b5ccc9ecacbfaf022b631545f9a19a02_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415622&Signature=NJmj0XG%2BcAwpEa26%2B7ucV3CTWcwrSwSV%2BU62aYx0yDVYzZH70ROLK9%2F2lUy0IuC6n88oOTLoikSC4GRgUVypFQpmJoKQpkPvHZ1SfyklCtIWurZJYZvHSZs32JL0l6t3eEwW61xDg%2FICvOFlPQ0Aju7Hk1ntOY82jD%2B9dVw179jdF3A5jzGDrcr7mP17tnwZcOI0pVfF0ZhtbJL6SCHXBce%2BWS5zRxV2VgXHqrGYl0XLgpK6MD30wBFT",
            "https://vtbehaviour.commondatastorage.googleapis.com/9e4f036dd6fbb45ce414cb5d040b3255b5ccc9ecacbfaf022b631545f9a19a02_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415648&Signature=gOGhlxTumFXkKGryYSeJV8%2BMONZwbp%2BS3ntsErndc02nffG6DHW%2FbU0CVbVSOp3lIZkIt2qx7a%2BTsm2IItEWtGIN55fG14UxsBfo1Gf8bukZC4u5KoQKrVSYuV9aASUd5oCoTo0iIp%2BVCokHRdLbF259Fld%2FjlgJGL%2FVoLiGxXwkbQaxZi5VN94eNl65FMGXLtoVUgbUk3FhXEIuLwwJJU8XnveqbCOzDS9PtPnPO7seXDaK",
            "https://vtbehaviour.commondatastorage.googleapis.com/9e4f036dd6fbb45ce414cb5d040b3255b5ccc9ecacbfaf022b631545f9a19a02_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415662&Signature=ii4xZZXyeZqty%2B%2BwMuioMf90xxcdXimnQRoYesmvSMUfZNPn9hRsSBoDdFdqtcRFep%2BYsQiF4%2BKaDZPUzloaQ%2FeZkEhJokSi2P1NP1ymoIPZ5j%2F8XwTxCO0c%2BGbA%2BECIOWUC9IlgPTZfdCvd1wQiXe4sa1U0QVwZBDk%2B7GDXDJUVIOH6bc8cAZi8Q4QzBqOTaLamgqF1%2BC5uFbLSShJOLGiBZv6PRiQ2L2qk",
            "https://vtbehaviour.commondatastorage.googleapis.com/0244cbf1fbf8809c335b9bbd8142c72e3bbb36881e0aacfba6000e0aaa048ba9_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415703&Signature=L2WgcAgR2nm5cyc0SHe8nYGU6Db6r7Cvr%2F9INkp%2ByiPXoTK3tUwxH06Vr3YnW2wDr8eANqgqXGU09YoEUVEKuHs8veU6QWbaN3LrOaICSmq1tlHwJUE7sILNI3MnOjwZvzYeFCMmSLUOQ62k46HzTVnrFNBqaPIUNQiRsQFUz06TVaA9FxXxYKk2brVLRXiNew1RgDlMp%2BM9EnePR06vYsB9QXEgrblE7M51AU%2BpM09%2BGxukEzUG",
            "https://vtbehaviour.commondatastorage.googleapis.com/1af55649a731abb95d71e2e49693a7bcf87270eb4f8712b747f7e04a0a2a3031_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415762&Signature=4Iu15AELs8158yzYffz716hQ5%2BDY4JHNeJeMzaSmkJrocvfpO7MMmB4MO5Zo%2Bs339dX%2Flb51NK%2Fd3eREGBJkNV3bvbEFaxv1hCO%2Fqge8%2FLnfKLSSRPJ48%2BGAVA22z0gYKvSPfYdGvownSV9GBevxmcIWZ%2F0VK57Mb1gHqvtWKs%2BMGgd4v%2FJJWCmjWx8xLomFVgrpD1boM0PxdVh3X21asN1DplbqcAZ%2Fd5WoOJYic",
            "https://vtbehaviour.commondatastorage.googleapis.com/00000048b1c9e60c14a6619f0292dea96df7f10c11cfa9ae28693219c0ae844b_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415832&Signature=AOcM9Dc%2B2gUBJnZxuNmagisQ8QYjno4RVZd6DZFo553Ws2tWbJ6lUHXGOGTxLZCRccqXY9h0WhcjRXW4EgojbjJxXCTLq1y%2BtxXjZShlepAg7uq2pbXGsBhUcbpS5Jj0upmosZUCtU4mq8fMyjA0Jufv7u%2F%2FhIwKCp6Q9NIixpAXFwNy8BWn%2FOh6em7B0TwRABvcvTsQC2PO%2FOq5J61VWow6JiR2o97x%2Fm1ChJyz%2FvGTsz",
            "https://vtbehaviour.commondatastorage.googleapis.com/2490cba406c48127d4f19ec90640181b6fda91960640d126478a6695aab49c4a_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776416015&Signature=evkFEcpvJ0BNlw47zD%2Bgg2ETU%2FGcbGZI3U%2BLCDkaRH4IhSCbgDF9ABajkx7SCAFA2G%2BndDWCzqKkknqPMARKAJk2b5h%2Bu1Gq8uDozkg9GvP8exgs3%2Bw%2F40637%2BmzlgjutElGFcVRMMDWRF5QEvyEDJVUIXmKmLYmKDYM58fBA4IM2VfpV8BB6HJcySkkMk2J4Mhk9nut%2FIrmFjV99WEunuPKfIgnAataXIXzBGZJl2eJK1OEGK19",
            "https://vtbehaviour.commondatastorage.googleapis.com/2490cba406c48127d4f19ec90640181b6fda91960640d126478a6695aab49c4a_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776416061&Signature=eIQtmFWS2GiSN%2F3bdQCKKOu9%2FiEoDqQYcEtVnvTTBu%2BZ5JFRAyRu7Tgxw5YyVb%2BXK66m6JTN4yIleNl669%2FfdMbOamF6hlF%2FZbucN1etgX%2B8Snq2xrhFN5xZvvWrQukcYlJQnz9s2WSByNnA2Lvi7dn3qQnZMVNcJwWLhL1ayyCBqpiDVaDMGTgQfLrVdec0Xknzzl70Ce70nSgQdxJ4Q%2FSzYtz9Khtk6hyaiBbYxsyiWQ",
            "https://vtbehaviour.commondatastorage.googleapis.com/fb83210a8a2d58af1d2fe5edf812be88b5465c130c3e8a091626bc0a2d6452ae_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776416202&Signature=f43IRerFiqRQ5ke71WfT2lNFf5Jf60FnKcTCpJGhgnSemoBx1iDNvbOs8rePJYHFEiffIuvjjnquRt51dziCswMktwhg8g7Tl3vVfnoYpuBzv6QT86so9sVcKWOt43wFnzCEH1RWrmQDe2jRBGL2Kvhqi%2B3i2iAFdZWCrxoAJtMJVqGVwXM5S7JnLR%2BklB1A5RQQReOEncgwClqKUHMPrSGjXgH%2FDernerWjOXghDL3V2fJ7EJ"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1203",
              "name": "Exploitation for Client Execution",
              "display_name": "T1203 - Exploitation for Client Execution"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            },
            {
              "id": "T1010",
              "name": "Application Window Discovery",
              "display_name": "T1010 - Application Window Discovery"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1047",
              "name": "Windows Management Instrumentation",
              "display_name": "T1047 - Windows Management Instrumentation"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1070",
              "name": "Indicator Removal on Host",
              "display_name": "T1070 - Indicator Removal on Host"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1200",
              "name": "Hardware Additions",
              "display_name": "T1200 - Hardware Additions"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 714,
            "FileHash-MD5": 128,
            "FileHash-SHA1": 152,
            "IPv4": 98,
            "URL": 692,
            "hostname": 456,
            "domain": 121,
            "IPv6": 2,
            "email": 2,
            "YARA": 5
          },
          "indicator_count": 2370,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 49,
          "modified_text": "1 day ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "69e1f540bec93625fc7c7466",
          "name": "VirusTotal report\n                    for program.exe",
          "description": "The full text of this year's EU Referendum, which will take place on 26 November, has been published.. and it will not appear on BBC Radio 5 live or on iPlayer.]",
          "modified": "2026-04-18T01:05:57.196000",
          "created": "2026-04-17T08:54:24.226000",
          "tags": [
            "executable",
            "msdos",
            "pe32 executable",
            "intel",
            "ms windows",
            "dos borland",
            "generic windos",
            "dos executable",
            "pe32 compiler",
            "borland delphi",
            "delphi",
            "file type",
            "json",
            "ascii",
            "ascii text",
            "drops pe",
            "pe file",
            "sample",
            "persistence",
            "malicious",
            "next",
            "network capture",
            "wireshark pcap",
            "next generation",
            "dump file",
            "format",
            "little endian",
            "pcap",
            "nothing",
            "registry keys",
            "mutexes nothing",
            "parent pid",
            "full path",
            "command line",
            "files c",
            "read files",
            "read registry",
            "apis nothing",
            "https",
            "urls",
            "creates",
            "pe32",
            "sigma",
            "window",
            "mailpassview",
            "default",
            "mwdb",
            "bazaar",
            "sha3384",
            "ssdeep",
            "file size",
            "sha256",
            "cname",
            "inprocserver32",
            "accept",
            "shutdown",
            "guard",
            "darkgate",
            "windows sandbox",
            "calls process",
            "systemroot",
            "commands",
            "created",
            "xcaxdb xcaxdb",
            "x82xec x82xec",
            "x83xc4 x83xc4",
            "xc1 x",
            "xffu xffu",
            "x8be x8be",
            "x81e x81e",
            "xc4 xc4",
            "x81i x81i",
            "xf3x86 xf3x86",
            "activator",
            "detail info",
            "tickcount",
            "processid",
            "threadid",
            "startaddress",
            "parameter",
            "offset",
            "socket",
            "text",
            "classname",
            "behaviour",
            "class",
            "shell",
            "find",
            "mitre attack",
            "network info",
            "processes extra",
            "program",
            "t1055 process",
            "overview",
            "overview zenbox",
            "verdict",
            "guest system",
            "title",
            "phishing",
            "cape sandbox",
            "t1055",
            "style",
            "courier",
            "ip address",
            "port",
            "gmt ifnonematch",
            "machine summary",
            "meta",
            "inter"
          ],
          "references": [
            "https://vtbehaviour.commondatastorage.googleapis.com/fb83210a8a2d58af1d2fe5edf812be88b5465c130c3e8a091626bc0a2d6452ae_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415519&Signature=e1YxGtIahtkD9VKQTSuo9BFhC4KNicXASSfPf7LiJhYyR2OQOLXoHJjgEUtHCAfeZU7VSacymMfJJhx7M2NXSaPyv5cdsCUWfzeTKwyFqM06pSuq7HqYUJIh2%2BG3bz87h0m%2FMFuU5d0MXdwN9ykL%2FJ8EB4RuyKhfY%2FjBGZMZA0nVn5dQtQ1GySJiLj%2BWsKXQxsYVy%2FBok8h2n2m7EE923RSv%2BkkdQHO3enQf2ikR%2FU%2BtEN4S7xO2",
            "https://vtbehaviour.commondatastorage.googleapis.com/b71ddf3175c9e6b41f143207c6e74a9c327a362b3a1ce7e0282ceae2ad513b3b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415599&Signature=O7Nc7o9GEFU3sFGIZv58PwBR8rG8MIwYQTmDyTNIUlHEEpmUY2Bttz0797jnr4%2BjT%2BCd1r%2BRad4nV4HLruG5QACAgOnQKjtSn%2FhWNes5q1y2qu46J%2BwCUFqmrr%2BpM6MjMmILZUqSezFzC5Fs%2Fnn4iBIQpYxJ8e4sJMXVIONcDkWLhycQk5rVr%2FV7G6tU0yAkoavXhpyrSGqR2Ee9QAoAXLWdixJ0rLJ85yQxWFr0E%2F7%",
            "https://vtbehaviour.commondatastorage.googleapis.com/9e4f036dd6fbb45ce414cb5d040b3255b5ccc9ecacbfaf022b631545f9a19a02_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415622&Signature=NJmj0XG%2BcAwpEa26%2B7ucV3CTWcwrSwSV%2BU62aYx0yDVYzZH70ROLK9%2F2lUy0IuC6n88oOTLoikSC4GRgUVypFQpmJoKQpkPvHZ1SfyklCtIWurZJYZvHSZs32JL0l6t3eEwW61xDg%2FICvOFlPQ0Aju7Hk1ntOY82jD%2B9dVw179jdF3A5jzGDrcr7mP17tnwZcOI0pVfF0ZhtbJL6SCHXBce%2BWS5zRxV2VgXHqrGYl0XLgpK6MD30wBFT",
            "https://vtbehaviour.commondatastorage.googleapis.com/9e4f036dd6fbb45ce414cb5d040b3255b5ccc9ecacbfaf022b631545f9a19a02_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415648&Signature=gOGhlxTumFXkKGryYSeJV8%2BMONZwbp%2BS3ntsErndc02nffG6DHW%2FbU0CVbVSOp3lIZkIt2qx7a%2BTsm2IItEWtGIN55fG14UxsBfo1Gf8bukZC4u5KoQKrVSYuV9aASUd5oCoTo0iIp%2BVCokHRdLbF259Fld%2FjlgJGL%2FVoLiGxXwkbQaxZi5VN94eNl65FMGXLtoVUgbUk3FhXEIuLwwJJU8XnveqbCOzDS9PtPnPO7seXDaK",
            "https://vtbehaviour.commondatastorage.googleapis.com/9e4f036dd6fbb45ce414cb5d040b3255b5ccc9ecacbfaf022b631545f9a19a02_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415662&Signature=ii4xZZXyeZqty%2B%2BwMuioMf90xxcdXimnQRoYesmvSMUfZNPn9hRsSBoDdFdqtcRFep%2BYsQiF4%2BKaDZPUzloaQ%2FeZkEhJokSi2P1NP1ymoIPZ5j%2F8XwTxCO0c%2BGbA%2BECIOWUC9IlgPTZfdCvd1wQiXe4sa1U0QVwZBDk%2B7GDXDJUVIOH6bc8cAZi8Q4QzBqOTaLamgqF1%2BC5uFbLSShJOLGiBZv6PRiQ2L2qk",
            "https://vtbehaviour.commondatastorage.googleapis.com/0244cbf1fbf8809c335b9bbd8142c72e3bbb36881e0aacfba6000e0aaa048ba9_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415703&Signature=L2WgcAgR2nm5cyc0SHe8nYGU6Db6r7Cvr%2F9INkp%2ByiPXoTK3tUwxH06Vr3YnW2wDr8eANqgqXGU09YoEUVEKuHs8veU6QWbaN3LrOaICSmq1tlHwJUE7sILNI3MnOjwZvzYeFCMmSLUOQ62k46HzTVnrFNBqaPIUNQiRsQFUz06TVaA9FxXxYKk2brVLRXiNew1RgDlMp%2BM9EnePR06vYsB9QXEgrblE7M51AU%2BpM09%2BGxukEzUG",
            "https://vtbehaviour.commondatastorage.googleapis.com/1af55649a731abb95d71e2e49693a7bcf87270eb4f8712b747f7e04a0a2a3031_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415762&Signature=4Iu15AELs8158yzYffz716hQ5%2BDY4JHNeJeMzaSmkJrocvfpO7MMmB4MO5Zo%2Bs339dX%2Flb51NK%2Fd3eREGBJkNV3bvbEFaxv1hCO%2Fqge8%2FLnfKLSSRPJ48%2BGAVA22z0gYKvSPfYdGvownSV9GBevxmcIWZ%2F0VK57Mb1gHqvtWKs%2BMGgd4v%2FJJWCmjWx8xLomFVgrpD1boM0PxdVh3X21asN1DplbqcAZ%2Fd5WoOJYic",
            "https://vtbehaviour.commondatastorage.googleapis.com/00000048b1c9e60c14a6619f0292dea96df7f10c11cfa9ae28693219c0ae844b_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415832&Signature=AOcM9Dc%2B2gUBJnZxuNmagisQ8QYjno4RVZd6DZFo553Ws2tWbJ6lUHXGOGTxLZCRccqXY9h0WhcjRXW4EgojbjJxXCTLq1y%2BtxXjZShlepAg7uq2pbXGsBhUcbpS5Jj0upmosZUCtU4mq8fMyjA0Jufv7u%2F%2FhIwKCp6Q9NIixpAXFwNy8BWn%2FOh6em7B0TwRABvcvTsQC2PO%2FOq5J61VWow6JiR2o97x%2Fm1ChJyz%2FvGTsz",
            "https://vtbehaviour.commondatastorage.googleapis.com/2490cba406c48127d4f19ec90640181b6fda91960640d126478a6695aab49c4a_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776416015&Signature=evkFEcpvJ0BNlw47zD%2Bgg2ETU%2FGcbGZI3U%2BLCDkaRH4IhSCbgDF9ABajkx7SCAFA2G%2BndDWCzqKkknqPMARKAJk2b5h%2Bu1Gq8uDozkg9GvP8exgs3%2Bw%2F40637%2BmzlgjutElGFcVRMMDWRF5QEvyEDJVUIXmKmLYmKDYM58fBA4IM2VfpV8BB6HJcySkkMk2J4Mhk9nut%2FIrmFjV99WEunuPKfIgnAataXIXzBGZJl2eJK1OEGK19",
            "https://vtbehaviour.commondatastorage.googleapis.com/2490cba406c48127d4f19ec90640181b6fda91960640d126478a6695aab49c4a_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776416061&Signature=eIQtmFWS2GiSN%2F3bdQCKKOu9%2FiEoDqQYcEtVnvTTBu%2BZ5JFRAyRu7Tgxw5YyVb%2BXK66m6JTN4yIleNl669%2FfdMbOamF6hlF%2FZbucN1etgX%2B8Snq2xrhFN5xZvvWrQukcYlJQnz9s2WSByNnA2Lvi7dn3qQnZMVNcJwWLhL1ayyCBqpiDVaDMGTgQfLrVdec0Xknzzl70Ce70nSgQdxJ4Q%2FSzYtz9Khtk6hyaiBbYxsyiWQ",
            "https://vtbehaviour.commondatastorage.googleapis.com/fb83210a8a2d58af1d2fe5edf812be88b5465c130c3e8a091626bc0a2d6452ae_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776416202&Signature=f43IRerFiqRQ5ke71WfT2lNFf5Jf60FnKcTCpJGhgnSemoBx1iDNvbOs8rePJYHFEiffIuvjjnquRt51dziCswMktwhg8g7Tl3vVfnoYpuBzv6QT86so9sVcKWOt43wFnzCEH1RWrmQDe2jRBGL2Kvhqi%2B3i2iAFdZWCrxoAJtMJVqGVwXM5S7JnLR%2BklB1A5RQQReOEncgwClqKUHMPrSGjXgH%2FDernerWjOXghDL3V2fJ7EJ"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1203",
              "name": "Exploitation for Client Execution",
              "display_name": "T1203 - Exploitation for Client Execution"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            },
            {
              "id": "T1010",
              "name": "Application Window Discovery",
              "display_name": "T1010 - Application Window Discovery"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1047",
              "name": "Windows Management Instrumentation",
              "display_name": "T1047 - Windows Management Instrumentation"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1070",
              "name": "Indicator Removal on Host",
              "display_name": "T1070 - Indicator Removal on Host"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1200",
              "name": "Hardware Additions",
              "display_name": "T1200 - Hardware Additions"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 686,
            "FileHash-MD5": 96,
            "FileHash-SHA1": 136,
            "IPv4": 97,
            "URL": 561,
            "hostname": 316,
            "domain": 105,
            "IPv6": 2,
            "email": 2
          },
          "indicator_count": 2001,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 49,
          "modified_text": "1 day ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "69e1f540aa36f336eb92ff53",
          "name": "VirusTotal report\n                    for program.exe",
          "description": "The full text of this year's EU Referendum, which will take place on 26 November, has been published.. and it will not appear on BBC Radio 5 live or on iPlayer.]",
          "modified": "2026-04-18T00:53:20.700000",
          "created": "2026-04-17T08:54:24.517000",
          "tags": [
            "executable",
            "msdos",
            "pe32 executable",
            "intel",
            "ms windows",
            "dos borland",
            "generic windos",
            "dos executable",
            "pe32 compiler",
            "borland delphi",
            "delphi",
            "file type",
            "json",
            "ascii",
            "ascii text",
            "drops pe",
            "pe file",
            "sample",
            "persistence",
            "malicious",
            "next",
            "network capture",
            "wireshark pcap",
            "next generation",
            "dump file",
            "format",
            "little endian",
            "pcap",
            "nothing",
            "registry keys",
            "mutexes nothing",
            "parent pid",
            "full path",
            "command line",
            "files c",
            "read files",
            "read registry",
            "apis nothing",
            "https",
            "urls",
            "creates",
            "pe32",
            "sigma",
            "window",
            "mailpassview",
            "default",
            "mwdb",
            "bazaar",
            "sha3384",
            "ssdeep",
            "file size",
            "sha256",
            "cname",
            "inprocserver32",
            "accept",
            "shutdown",
            "guard",
            "darkgate",
            "windows sandbox",
            "calls process",
            "systemroot",
            "commands",
            "created",
            "xcaxdb xcaxdb",
            "x82xec x82xec",
            "x83xc4 x83xc4",
            "xc1 x",
            "xffu xffu",
            "x8be x8be",
            "x81e x81e",
            "xc4 xc4",
            "x81i x81i",
            "xf3x86 xf3x86",
            "activator",
            "detail info",
            "tickcount",
            "processid",
            "threadid",
            "startaddress",
            "parameter",
            "offset",
            "socket",
            "text",
            "classname",
            "behaviour",
            "class",
            "shell",
            "find",
            "mitre attack",
            "network info",
            "processes extra",
            "program",
            "t1055 process",
            "overview",
            "overview zenbox",
            "verdict",
            "guest system",
            "title",
            "phishing",
            "cape sandbox",
            "t1055",
            "style",
            "courier",
            "ip address",
            "port",
            "gmt ifnonematch",
            "machine summary",
            "meta",
            "inter"
          ],
          "references": [
            "https://vtbehaviour.commondatastorage.googleapis.com/fb83210a8a2d58af1d2fe5edf812be88b5465c130c3e8a091626bc0a2d6452ae_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415519&Signature=e1YxGtIahtkD9VKQTSuo9BFhC4KNicXASSfPf7LiJhYyR2OQOLXoHJjgEUtHCAfeZU7VSacymMfJJhx7M2NXSaPyv5cdsCUWfzeTKwyFqM06pSuq7HqYUJIh2%2BG3bz87h0m%2FMFuU5d0MXdwN9ykL%2FJ8EB4RuyKhfY%2FjBGZMZA0nVn5dQtQ1GySJiLj%2BWsKXQxsYVy%2FBok8h2n2m7EE923RSv%2BkkdQHO3enQf2ikR%2FU%2BtEN4S7xO2",
            "https://vtbehaviour.commondatastorage.googleapis.com/b71ddf3175c9e6b41f143207c6e74a9c327a362b3a1ce7e0282ceae2ad513b3b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415599&Signature=O7Nc7o9GEFU3sFGIZv58PwBR8rG8MIwYQTmDyTNIUlHEEpmUY2Bttz0797jnr4%2BjT%2BCd1r%2BRad4nV4HLruG5QACAgOnQKjtSn%2FhWNes5q1y2qu46J%2BwCUFqmrr%2BpM6MjMmILZUqSezFzC5Fs%2Fnn4iBIQpYxJ8e4sJMXVIONcDkWLhycQk5rVr%2FV7G6tU0yAkoavXhpyrSGqR2Ee9QAoAXLWdixJ0rLJ85yQxWFr0E%2F7%",
            "https://vtbehaviour.commondatastorage.googleapis.com/9e4f036dd6fbb45ce414cb5d040b3255b5ccc9ecacbfaf022b631545f9a19a02_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415622&Signature=NJmj0XG%2BcAwpEa26%2B7ucV3CTWcwrSwSV%2BU62aYx0yDVYzZH70ROLK9%2F2lUy0IuC6n88oOTLoikSC4GRgUVypFQpmJoKQpkPvHZ1SfyklCtIWurZJYZvHSZs32JL0l6t3eEwW61xDg%2FICvOFlPQ0Aju7Hk1ntOY82jD%2B9dVw179jdF3A5jzGDrcr7mP17tnwZcOI0pVfF0ZhtbJL6SCHXBce%2BWS5zRxV2VgXHqrGYl0XLgpK6MD30wBFT",
            "https://vtbehaviour.commondatastorage.googleapis.com/9e4f036dd6fbb45ce414cb5d040b3255b5ccc9ecacbfaf022b631545f9a19a02_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415648&Signature=gOGhlxTumFXkKGryYSeJV8%2BMONZwbp%2BS3ntsErndc02nffG6DHW%2FbU0CVbVSOp3lIZkIt2qx7a%2BTsm2IItEWtGIN55fG14UxsBfo1Gf8bukZC4u5KoQKrVSYuV9aASUd5oCoTo0iIp%2BVCokHRdLbF259Fld%2FjlgJGL%2FVoLiGxXwkbQaxZi5VN94eNl65FMGXLtoVUgbUk3FhXEIuLwwJJU8XnveqbCOzDS9PtPnPO7seXDaK",
            "https://vtbehaviour.commondatastorage.googleapis.com/9e4f036dd6fbb45ce414cb5d040b3255b5ccc9ecacbfaf022b631545f9a19a02_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415662&Signature=ii4xZZXyeZqty%2B%2BwMuioMf90xxcdXimnQRoYesmvSMUfZNPn9hRsSBoDdFdqtcRFep%2BYsQiF4%2BKaDZPUzloaQ%2FeZkEhJokSi2P1NP1ymoIPZ5j%2F8XwTxCO0c%2BGbA%2BECIOWUC9IlgPTZfdCvd1wQiXe4sa1U0QVwZBDk%2B7GDXDJUVIOH6bc8cAZi8Q4QzBqOTaLamgqF1%2BC5uFbLSShJOLGiBZv6PRiQ2L2qk",
            "https://vtbehaviour.commondatastorage.googleapis.com/0244cbf1fbf8809c335b9bbd8142c72e3bbb36881e0aacfba6000e0aaa048ba9_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415703&Signature=L2WgcAgR2nm5cyc0SHe8nYGU6Db6r7Cvr%2F9INkp%2ByiPXoTK3tUwxH06Vr3YnW2wDr8eANqgqXGU09YoEUVEKuHs8veU6QWbaN3LrOaICSmq1tlHwJUE7sILNI3MnOjwZvzYeFCMmSLUOQ62k46HzTVnrFNBqaPIUNQiRsQFUz06TVaA9FxXxYKk2brVLRXiNew1RgDlMp%2BM9EnePR06vYsB9QXEgrblE7M51AU%2BpM09%2BGxukEzUG",
            "https://vtbehaviour.commondatastorage.googleapis.com/1af55649a731abb95d71e2e49693a7bcf87270eb4f8712b747f7e04a0a2a3031_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415762&Signature=4Iu15AELs8158yzYffz716hQ5%2BDY4JHNeJeMzaSmkJrocvfpO7MMmB4MO5Zo%2Bs339dX%2Flb51NK%2Fd3eREGBJkNV3bvbEFaxv1hCO%2Fqge8%2FLnfKLSSRPJ48%2BGAVA22z0gYKvSPfYdGvownSV9GBevxmcIWZ%2F0VK57Mb1gHqvtWKs%2BMGgd4v%2FJJWCmjWx8xLomFVgrpD1boM0PxdVh3X21asN1DplbqcAZ%2Fd5WoOJYic",
            "https://vtbehaviour.commondatastorage.googleapis.com/00000048b1c9e60c14a6619f0292dea96df7f10c11cfa9ae28693219c0ae844b_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415832&Signature=AOcM9Dc%2B2gUBJnZxuNmagisQ8QYjno4RVZd6DZFo553Ws2tWbJ6lUHXGOGTxLZCRccqXY9h0WhcjRXW4EgojbjJxXCTLq1y%2BtxXjZShlepAg7uq2pbXGsBhUcbpS5Jj0upmosZUCtU4mq8fMyjA0Jufv7u%2F%2FhIwKCp6Q9NIixpAXFwNy8BWn%2FOh6em7B0TwRABvcvTsQC2PO%2FOq5J61VWow6JiR2o97x%2Fm1ChJyz%2FvGTsz",
            "https://vtbehaviour.commondatastorage.googleapis.com/2490cba406c48127d4f19ec90640181b6fda91960640d126478a6695aab49c4a_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776416015&Signature=evkFEcpvJ0BNlw47zD%2Bgg2ETU%2FGcbGZI3U%2BLCDkaRH4IhSCbgDF9ABajkx7SCAFA2G%2BndDWCzqKkknqPMARKAJk2b5h%2Bu1Gq8uDozkg9GvP8exgs3%2Bw%2F40637%2BmzlgjutElGFcVRMMDWRF5QEvyEDJVUIXmKmLYmKDYM58fBA4IM2VfpV8BB6HJcySkkMk2J4Mhk9nut%2FIrmFjV99WEunuPKfIgnAataXIXzBGZJl2eJK1OEGK19",
            "https://vtbehaviour.commondatastorage.googleapis.com/2490cba406c48127d4f19ec90640181b6fda91960640d126478a6695aab49c4a_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776416061&Signature=eIQtmFWS2GiSN%2F3bdQCKKOu9%2FiEoDqQYcEtVnvTTBu%2BZ5JFRAyRu7Tgxw5YyVb%2BXK66m6JTN4yIleNl669%2FfdMbOamF6hlF%2FZbucN1etgX%2B8Snq2xrhFN5xZvvWrQukcYlJQnz9s2WSByNnA2Lvi7dn3qQnZMVNcJwWLhL1ayyCBqpiDVaDMGTgQfLrVdec0Xknzzl70Ce70nSgQdxJ4Q%2FSzYtz9Khtk6hyaiBbYxsyiWQ",
            "https://vtbehaviour.commondatastorage.googleapis.com/fb83210a8a2d58af1d2fe5edf812be88b5465c130c3e8a091626bc0a2d6452ae_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776416202&Signature=f43IRerFiqRQ5ke71WfT2lNFf5Jf60FnKcTCpJGhgnSemoBx1iDNvbOs8rePJYHFEiffIuvjjnquRt51dziCswMktwhg8g7Tl3vVfnoYpuBzv6QT86so9sVcKWOt43wFnzCEH1RWrmQDe2jRBGL2Kvhqi%2B3i2iAFdZWCrxoAJtMJVqGVwXM5S7JnLR%2BklB1A5RQQReOEncgwClqKUHMPrSGjXgH%2FDernerWjOXghDL3V2fJ7EJ"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1203",
              "name": "Exploitation for Client Execution",
              "display_name": "T1203 - Exploitation for Client Execution"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            },
            {
              "id": "T1010",
              "name": "Application Window Discovery",
              "display_name": "T1010 - Application Window Discovery"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1047",
              "name": "Windows Management Instrumentation",
              "display_name": "T1047 - Windows Management Instrumentation"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1070",
              "name": "Indicator Removal on Host",
              "display_name": "T1070 - Indicator Removal on Host"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1200",
              "name": "Hardware Additions",
              "display_name": "T1200 - Hardware Additions"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 5,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 860,
            "FileHash-MD5": 180,
            "FileHash-SHA1": 224,
            "IPv4": 97,
            "URL": 639,
            "hostname": 362,
            "domain": 107,
            "IPv6": 2,
            "email": 2
          },
          "indicator_count": 2473,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 49,
          "modified_text": "1 day ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "69decb6dd1bd6da78fc72d0a",
          "name": "Solarwinds Similarties? Tactics ASP.Net IoC\u2019s ISOLATED",
          "description": "Does this have similarities to the SolarWinds Attack? Anyone?\n\nASP.NET is a web application framework created by Microsoft for building dynamic web applications.\nIt enables developers to create web pages that can interact with databases and respond to user inputs.\nASP.NET supports various programming languages, including C# and VB.NET.\nContext: ASP.NET is widely used for developing modern web applications and services. It allows developers to create interactive and data-driven web pages that can run on various operating systems, including Windows, Linux, and macOS. The framework is open-source and supports various architectures, including MVC (Model-View-Controller) and Web API, which facilitate the organization and development of complex applications.\nIn many instances ASP.net has been seen connected to malicious Tulach , Apple , a browser agent that transmits data to New Relic's collectors by using either of the domains bam.nr-data.net or bam-cell.nr-data.net.",
          "modified": "2026-04-14T23:19:09.495000",
          "created": "2026-04-14T23:19:09.495000",
          "tags": [
            "united",
            "aaaa",
            "certificate",
            "error",
            "read c",
            "rgba",
            "unicode",
            "memcommit",
            "delete",
            "dock",
            "execution",
            "command decode",
            "suricata ipv4",
            "suricata tcpv4",
            "flag",
            "localappdata",
            "windir",
            "openurl c",
            "programfiles",
            "suricata udpv4",
            "win64",
            "click",
            "strings",
            "anon",
            "username",
            "userprofile",
            "mitre att",
            "ck id",
            "ck matrix",
            "appdata",
            "comspec",
            "model",
            "path",
            "april",
            "hybrid",
            "general",
            "learn",
            "suspicious",
            "informative",
            "adversaries",
            "command",
            "spawns",
            "ck techniques",
            "mtb apr",
            "exploit",
            "trojan",
            "backdoor",
            "please",
            "x msedge",
            "all ipv4",
            "ransom",
            "date hash",
            "avast avg",
            "win32orbus apr",
            "dynamicloader",
            "yara rule",
            "high",
            "tofsee",
            "rndhex",
            "rndchar",
            "loaderid",
            "lidfileupd",
            "localcfg",
            "write",
            "stream",
            "push",
            "mtb alerts",
            "ee fc",
            "ff d5",
            "lredmond",
            "malware",
            "msie",
            "windows nt",
            "wow64",
            "slcc2",
            "media center",
            "yara detections",
            "av detections",
            "ids detections",
            "hostile",
            "unknown",
            "extraction",
            "data upload",
            "failed",
            "include review",
            "stop data",
            "typ url",
            "url data",
            "typ no",
            "th all",
            "stop",
            "port",
            "destination",
            "ds detections",
            "tls sni",
            "nrv2x",
            "upxoepplace",
            "alerts",
            "contacted",
            "markus",
            "hostile alerts",
            "less see",
            "all ip",
            "tulach",
            "brian sabey",
            "quasi",
            "link",
            "script urls",
            "record value",
            "script domains",
            "fireeye",
            "create c",
            "as15169",
            "next",
            "all url",
            "http",
            "related pulses",
            "related tags",
            "google safe",
            "code",
            "y se",
            "included review",
            "io excluded",
            "suggeste",
            "ipv4",
            "unknown ns",
            "redacted admin",
            "fax redacted",
            "name redacted",
            "phone redacted",
            "code redacted",
            "redacted tech",
            "christopher ahmann",
            "solarwinds like?"
          ],
          "references": [
            "asp.net \u2022 cdnsrc.asp.net",
            "https://www.countercept.com/assets/Uploads/whitepapers/MWRI-Countercept-Machine-Learning-Whitepaper-2017-04-01.pdf",
            "http://www.phonefactor.com/PfPaWs/ConfirmActivation",
            "IPv4 13.107.253.70 exploit_source \u2022 IPv4 13.107.226.70 malware_hosting",
            "https://wsps.ourschoolpages.com/Account/ForgotPasswor (typo",
            "https://hybrid-analysis.com/sample/529a0b900eef6657ce6c98b1b5bccebe6db2e021aa02a316b7eb2604df810d3f/69de30ef0a22c3b506077a8c",
            "www.fireeye.com",
            "danilovstyle.ru",
            "ns4-04.azure-dns.info",
            "ns4-04.azure-dns.info danilovst) ns4-04.azure-dns.info",
            "www.fireeye.com .",
            "https://hypic-anaivsis.com/sambrerb/a0p9veebo",
            "Are these table SolarWinds attackers? Using same tacktics, good? Unsure.",
            "Tulach\u2019s ASP.Net Open Source destruction"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Ransom:Win32/SodinokibiCrypt.SK!MTB",
              "display_name": "Ransom:Win32/SodinokibiCrypt.SK!MTB",
              "target": "/malware/Ransom:Win32/SodinokibiCrypt.SK!MTB"
            },
            {
              "id": "Win.Ransomware.Tofsee-10015002",
              "display_name": "Win.Ransomware.Tofsee-10015002",
              "target": null
            },
            {
              "id": "Trojan:Win32/Comisproc!gmb I",
              "display_name": "Trojan:Win32/Comisproc!gmb I",
              "target": "/malware/Trojan:Win32/Comisproc!gmb I"
            }
          ],
          "attack_ids": [
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1119",
              "name": "Automated Collection",
              "display_name": "T1119 - Automated Collection"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1143",
              "name": "Hidden Window",
              "display_name": "T1143 - Hidden Window"
            },
            {
              "id": "T1113",
              "name": "Screen Capture",
              "display_name": "T1113 - Screen Capture"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1041",
              "name": "Exfiltration Over C2 Channel",
              "display_name": "T1041 - Exfiltration Over C2 Channel"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1132",
              "name": "Data Encoding",
              "display_name": "T1132 - Data Encoding"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1568",
              "name": "Dynamic Resolution",
              "display_name": "T1568 - Dynamic Resolution"
            },
            {
              "id": "T1583",
              "name": "Acquire Infrastructure",
              "display_name": "T1583 - Acquire Infrastructure"
            },
            {
              "id": "T1583.001",
              "name": "Domains",
              "display_name": "T1583.001 - Domains"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1568.002",
              "name": "Domain Generation Algorithms",
              "display_name": "T1568.002 - Domain Generation Algorithms"
            },
            {
              "id": "T1132.001",
              "name": "Standard Encoding",
              "display_name": "T1132.001 - Standard Encoding"
            },
            {
              "id": "T1553.002",
              "name": "Code Signing",
              "display_name": "T1553.002 - Code Signing"
            },
            {
              "id": "T1518.001",
              "name": "Security Software Discovery",
              "display_name": "T1518.001 - Security Software Discovery"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "IPv4": 88,
            "FileHash-MD5": 211,
            "FileHash-SHA1": 186,
            "FileHash-SHA256": 1366,
            "URL": 1848,
            "domain": 418,
            "email": 4,
            "hostname": 622,
            "SSLCertFingerprint": 21
          },
          "indicator_count": 4764,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 137,
          "modified_text": "4 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "69d747314a8fc4fa30250fe9",
          "name": "VirusTotal report\n                    for program.exe",
          "description": "<A new tool has been developed by JetBrains that can detect \"unusual processes\" accessing desktop.ini, a folder that is accessed only by Windows Explorer and its associated operating system ( Explorer).> Report date relevance: May 18 2025.",
          "modified": "2026-04-09T07:29:31.205000",
          "created": "2026-04-09T06:29:05.116000",
          "tags": [
            "explorer",
            "maxime thiebaut",
            "files",
            "imageendswith",
            "windows sccm",
            "pe file",
            "drops pe",
            "sample",
            "drops",
            "pe32",
            "intel",
            "ms windows",
            "infects",
            "found",
            "mitre attack",
            "persistence",
            "info",
            "next",
            "windows sandbox",
            "calls clear",
            "users",
            "nothing",
            "registry keys",
            "change",
            "mutexes nothing",
            "parent pid",
            "full path",
            "command line",
            "files c",
            "devicecng c",
            "bit locker hijacked",
            "illegal one drive cross tenant",
            "Esign violation",
            "non secure workflow",
            "wiper",
            "MDMenrollment misuse",
            "broken seal",
            "pdfkit.net DMV",
            "vzwbiz",
            "modified after creation non secure workflow",
            "Docusign exploited by non secure workflow",
            "Human Error/Spyware/Risk+",
            "Abobe Exploited by non secure process",
            "CaRoot Cert Abuse",
            "cryptography unsound"
          ],
          "references": [
            "https://vtbehaviour.commondatastorage.googleapis.com/2566a2924072ac9821eb7ecde8bedf7197ceb09d99cd17ff48864a2323546bf9_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775715909&Signature=gpI0cV%2Bz5SujLXqKc%2FMViiMPztLVAF6Rp00wpW3LF4PyrCqLg7GTlahQtBw0v4rtG0E8HaaDkNRYZ6xPc%2BaCuTHHzf0b8HN0%2BOiY%2B%2Bk4Q5eiI%2BJCJiWefs3vtk9u5bFyGQqM4nzF3u1uk2E8d3TKiy09A5K7YNLjbAsewBUu5mmJZsTeErl3nBhQcKu1stwt1ycd78SLCg8fUl3U7DDaqfd3hJbY98lWj8e6NwMu6VxskCRDdSQsdWj2",
            "https://vtbehaviour.commondatastorage.googleapis.com/2566a2924072ac9821eb7ecde8bedf7197ceb09d99cd17ff48864a2323546bf9_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775715951&Signature=XmRkiqq6Fjiq21rddntr3oHg%2BIPR1SrVwk6v5ZZ%2FJ4PkIpl7sqX1DjtJMGHoYvndxGmCeSCYQ08LS9hYRAWXupAhPzRcTkFcmq6KY%2FyMoab3l0SDixcrT9tLxB4iEobBJOzX0Fb%2B8QDyAbyjsuoKSMNCQC0CrVZyT7X54GsN93BU0FXiJWIIluOisGnjwoqL3rdMF8%2BPEJgkcUJTOIuIRaX57nsrXAMIv7dbn9BGZFDXH0",
            "https://vtbehaviour.commondatastorage.googleapis.com/2566a2924072ac9821eb7ecde8bedf7197ceb09d99cd17ff48864a2323546bf9_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775715964&Signature=A%2BPIQBCth46RBnI1rK4wnu%2B0XtyUhEdo1TORDahLnR6yM%2BbI8gLsWpjDTmV8aSDFIcFddcr%2BCs9TqMa65j3jNrLz9NcyZekNiDekQlkYCbMCIiYduRDT9nLy485HDee9RRJ3YSbeqJQSjzOXemRKeyL8rg3ml6WTeCly22CrQPLljCwWWUbsQLYOMqu0OADj%2BKEZv%2B5gVOmJsQIBQugE%2F0xSYw1lKowIs5nlYy9Z0hbFUycO"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "PathWiper",
              "display_name": "PathWiper",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1080",
              "name": "Taint Shared Content",
              "display_name": "T1080 - Taint Shared Content"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            }
          ],
          "industries": [
            "Government",
            "Telecommunications",
            "Technology"
          ],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 81,
            "URL": 421,
            "hostname": 491,
            "FileHash-MD5": 477,
            "FileHash-SHA1": 298,
            "FileHash-SHA256": 719,
            "IPv4": 177,
            "CVE": 5,
            "email": 12,
            "CIDR": 2
          },
          "indicator_count": 2683,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 49,
          "modified_text": "10 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "69d6619d62ea0c3bbf0ebf75",
          "name": "Mac OS Unwanted Programs | Mac Booster application potentially installed in background without target\u2019s knowledge",
          "description": "Not installed by users I\u2019m researching for. Downloaded as an unwanted program Overview of com.iobit.MacBooster-3\ncom.iobit.MacBooster-3 is the package identifier for MacBooster 3, a software application developed by IObit. This application is specifically designed for optimizing and maintaining Mac computers.\nKey Features\nMacBooster 3 includes several essential features aimed at enhancing the performance and security of Mac systems:\nSystem Cleanup: .\nPerformance Boosting: \nMalware Protection: .\nCompatibility\nMacBooster 3 is compatible with macOS versions starting from OS X 10.9. False - \nWhat are the potential risks of using MacBooster 3 on a Mac computer?\nUsing MacBooster 3 on a Mac computer can lead to potentially unwanted program (PUP) behavior, including browser interference, frequent pop-ups, and the installation of unnecessary software.",
          "modified": "2026-04-08T14:09:33.432000",
          "created": "2026-04-08T14:09:33.432000",
          "tags": [
            "issuer apple",
            "valid from",
            "valid",
            "serial number",
            "macho",
            "macho 64bit",
            "mac os",
            "x macho",
            "intel",
            "file version",
            "team identifier",
            "apple root",
            "ca feb",
            "am ma9eduzpcw",
            "signers",
            "issuer valid",
            "from valid",
            "status issuer",
            "apple inc",
            "valid apple",
            "a9 a8",
            "process32nextw",
            "regsetvalueexa",
            "read c",
            "regdword",
            "tls handshake",
            "failure",
            "msie",
            "malware",
            "write",
            "win32",
            "unknown",
            "dynamicloader",
            "high",
            "myapp",
            "device driver",
            "host",
            "worm",
            "delphi",
            "error",
            "code",
            "defender",
            "next",
            "file score",
            "cryp",
            "virus",
            "checkin tls",
            "forbidden yara",
            "msvisualcpp2008",
            "less ip",
            "contacted",
            "scanning host",
            "trojan",
            "exploit host",
            "apple inc",
            "monitored target",
            "targeting",
            "name servers",
            "servers",
            "expiration date",
            "value emails",
            "name domain",
            "org apple",
            "infinite loop",
            "city cupertino",
            "country us",
            "tulach"
          ],
          "references": [
            "com.iobit.MacBooster-3",
            "IDS Detections: Win32.Floxif.A Checkin TLS Handshake Failure 403 Forbidden",
            "Yara Detections: Malware_Floxif_mpsvc_dll ,  stack_string ,  MS_Visual_Cpp_2008 ,",
            "Yara Detections:  KERNEL32_DLL_xor_exe_key_197 ,  xor_0xc5_This_program",
            "Alerts: dead_host network_icmp nolookup_communication persistence_autorun",
            "Alerts: modifies_proxy_wpad antivm_vmware_in_instruction dumped_buffer",
            "Alerts: network_cnc_http network_http allocates_rwx antisandbox_sleep creates_exe",
            "Alerts: injection_process_search antivm_network_adapters privilege_luid_check",
            "Alerts: checks_debugger has_pdb raises_exception",
            "IP\u2019s Contacted:  104.200.23.95  174.139.10.194  198.35.26.96",
            "Domains Contacted: en.wikipedia.org 5isohu.com www.aieov.com",
            "Monitored targets. Tsara Brashears, UAlberta (disable_duck) seen",
            "I can\u2019t speak for behavior of targets. Seems unlikely  programs were intentionally installed.",
            "https://otx.alienvault.com/indicator/cve/CVE-2023-22518",
            "Issue! Team member found CVE-2023-22518 have origins from the State of Colorado",
            "Issue! Multiple IoC\u2019s missing.",
            "A user StreamMiningEx copied pulses: octoseek, scoreblue,  KAILULA4, callmeDoris , dorkingbeauty1 and more",
            "I can\u2019t help but notice a trend. IoC\u2019s found by actual targets are removed from pulses. Recent users are listed in place",
            "Issue! What I am troubled about is the deletion service that has plagued OTX/ LevelBlue",
            "Brian Sabey, Tulach, other adversaries working illegally to remove IoC\u2019s",
            "Disturbed pulses of mercenary attacks S/A NSO Pegasus NOT reported to CISA or Citizens Lab.",
            "Reporting is an expected protocol. Is this more of a \u2018bounty\u2019 focused, a honeypot?",
            "Researching using an easy powerful tool like this has led to confrontations.",
            "I liked the tool. There is something strange happening with the pulses & IoC\u2019s",
            "I did not clone my pulse to read Bit.io",
            "I am not cloning pulses belonging to others without crediting.  I\u2019m one of a few who credit. This has happened to other team members",
            "There are serious researchers on here for a short time hoping to resolve serious cyber issues",
            "I am unable to reach Level Blue regarding issues. Mailer Daemon only",
            "It\u2019s not just me. I have contacted from very secured emails, networks, devices",
            "I typically follow targets who have truly dangerous situations who no longer pulse.",
            "This would be sent in an email but \u2026.",
            "About  pulse, found in peripheral.",
            "When your pulse says contacted, who is contacted besides OTX?",
            "An earlier version contacted entities affected or affecting targets."
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Worm:Win32/AutoRun!atmn",
              "display_name": "Worm:Win32/AutoRun!atmn",
              "target": "/malware/Worm:Win32/AutoRun!atmn"
            },
            {
              "id": "Virus:Win32/Floxif.H",
              "display_name": "Virus:Win32/Floxif.H",
              "target": "/malware/Virus:Win32/Floxif.H"
            },
            {
              "id": "Exploit:Win32/CVE-2017-0147",
              "display_name": "Exploit:Win32/CVE-2017-0147",
              "target": "/malware/Exploit:Win32/CVE-2017-0147"
            },
            {
              "id": "Ransom:Win32/CVE-2017-0147",
              "display_name": "Ransom:Win32/CVE-2017-0147",
              "target": "/malware/Ransom:Win32/CVE-2017-0147"
            },
            {
              "id": "CVE-2023-22518",
              "display_name": "CVE-2023-22518",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1040",
              "name": "Network Sniffing",
              "display_name": "T1040 - Network Sniffing"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1155",
              "name": "AppleScript",
              "display_name": "T1155 - AppleScript"
            },
            {
              "id": "T1031",
              "name": "Modify Existing Service",
              "display_name": "T1031 - Modify Existing Service"
            },
            {
              "id": "T1410",
              "name": "Network Traffic Capture or Redirection",
              "display_name": "T1410 - Network Traffic Capture or Redirection"
            },
            {
              "id": "T1449",
              "name": "Exploit SS7 to Redirect Phone Calls/SMS",
              "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
            },
            {
              "id": "T1089",
              "name": "Disabling Security Tools",
              "display_name": "T1089 - Disabling Security Tools"
            },
            {
              "id": "T1562.001",
              "name": "Disable or Modify Tools",
              "display_name": "T1562.001 - Disable or Modify Tools"
            },
            {
              "id": "T1068",
              "name": "Exploitation for Privilege Escalation",
              "display_name": "T1068 - Exploitation for Privilege Escalation"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA1": 75,
            "FileHash-MD5": 102,
            "FileHash-SHA256": 2076,
            "IPv4": 111,
            "URL": 2496,
            "CVE": 2,
            "domain": 483,
            "hostname": 938,
            "email": 4,
            "SSLCertFingerprint": 2
          },
          "indicator_count": 6289,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 138,
          "modified_text": "11 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "69d586108786e7be59439809",
          "name": "Bot.io",
          "description": "",
          "modified": "2026-04-07T22:32:48.996000",
          "created": "2026-04-07T22:32:48.996000",
          "tags": [
            "added active",
            "related pulses",
            "found",
            "zergeca botnet",
            "zergeca",
            "upx packer",
            "khtml",
            "gecko",
            "united",
            "ids detections",
            "yara detections",
            "https domain",
            "tls sni",
            "ip lookup",
            "external ip",
            "malware",
            "encrypt",
            "techniques",
            "modify system",
            "process",
            "https",
            "performs dns",
            "tls version",
            "reads cpu",
            "proc indicative",
            "urls",
            "downloads",
            "persistence",
            "data upload",
            "extraction",
            "find s",
            "failed",
            "typ don",
            "ipv4 url",
            "canreb",
            "type ipv4",
            "url domail",
            "domail showing",
            "elf conta",
            "typ url",
            "zercega",
            "enter sc",
            "type",
            "include",
            "review",
            "n1 exclude",
            "suggestedincc",
            "a50 typ",
            "ipv4",
            "matches yara",
            "dete data",
            "yara detectea",
            "cro intormation",
            "exclude sugges",
            "sc car",
            "extra lte",
            "referen",
            "l extraction",
            "droo anv",
            "extr referen",
            "lte all",
            "je matches",
            "yara detel",
            "yara dete",
            "include review",
            "exchange lte",
            "je elf",
            "passive dns",
            "certificate",
            "files",
            "trojan",
            "related tags",
            "worm",
            "medium",
            "write c",
            "write",
            "high",
            "binary",
            "yara rule",
            "default",
            "moved",
            "schaan",
            "as834 ipxo",
            "dynamicloader",
            "program",
            "ee fc",
            "users",
            "ff d5",
            "python",
            "windows",
            "autoit",
            "confuserex",
            "stream",
            "guard",
            "launcher",
            "updater",
            "global",
            "america flag",
            "ashburn",
            "america related",
            "tags",
            "indicator facts",
            "historical otx",
            "controller fake",
            "akamai rank",
            "russia",
            "present nov",
            "aaaa",
            "link",
            "a domains",
            "ip address",
            "meta",
            "cve -2014-2321",
            "handle",
            "address range",
            "cidr",
            "network name",
            "allocation type",
            "pa status",
            "whois server",
            "included iocs",
            "manually add",
            "iocs o",
            "iocs",
            "sugges",
            "stop show",
            "types",
            "external",
            "ripe",
            "pa abusec",
            "neterra",
            "sofia",
            "bulgaria phone",
            "filtered person",
            "neven dilkov",
            "bg phone",
            "filtered route",
            "a5ip",
            "aa2023",
            "aamirai",
            "a2scanner",
            "apple inc",
            "issuer",
            "valid",
            "algorit",
            "thum",
            "name",
            "a9 a8",
            "status",
            "macho",
            "macho 64bit",
            "mac os",
            "x macho",
            "intel",
            "typ no",
            "td td",
            "td tr",
            "a td",
            "dynamic dns",
            "date",
            "name servers",
            "arial",
            "error",
            "null",
            "enough",
            "hosts",
            "win32",
            "fast",
            "contacted",
            "MacSync_AppleScript_Stealer",
            "cve-2018-10562",
            "source",
            "roboto",
            "robotodraft",
            "helvetica",
            "iframe",
            "manually ada",
            "review iocs",
            "abv0",
            "qaeaav0",
            "cptbdev",
            "w4uninitialized",
            "qaeaav01",
            "abv01",
            "qaexn",
            "qbenxz",
            "phoneidentify",
            "qbepaxxz"
          ],
          "references": [
            "https://apple.k8s.joewa.com/\u2022 https://com.apple \u2022 freedns.afraid.org",
            "IPv4 188.114.96.1 In CDN range: provider=cloudflare \u2022 dns.google \u2022 push.apple.com",
            "Zercega \u2022 IPv4 84.54.51.82",
            "Zercega \u2022  http://bot.hamsterrace.space:5966/",
            "Zercega \u2022  multi-user.target",
            "Zercega \u2022  ootheca.pw",
            "CVE-2023-22518\tCVE-2018-10562\t CVE-2024-6387\tCVE-2025-20393",
            "Crowdsourced IDS rules: 6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29",
            "Matches rule Suspicious DNS Query for IP Lookup Service APIs by Brandon George (blog post), Thomas Patzke",
            "Matches rule Suspicious Network Connection to IP Lookup Service APIs by Janantha Marasinghe, Nasreddine Bencherchali (Nextron Systems)",
            "Matches rule Local System Accounts Discovery - Linux by Alejandro Ortuno, oscd.community",
            "Crowdsourced IDS rules:",
            "Matches rule ET POLICY External IP Lookup ipinfo.io",
            "Matches rule ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)",
            "Matches rule ET INFO External IP Check (checkip .amazonaws .com)",
            "Matches rule SERVER-OTHER Squid HTTP Vary response header denial of service attempt",
            "Matches rule ET INFO Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI) Unique rule identifier: This rule belongs to a private collection.",
            "Yara detected: Xmrig cryptocurrency miner",
            "Yara detected: Reads CPU information from /proc indicative of miner or evasive malware Compliance",
            "meta.com \u2022 meta.com.apple",
            "geomi.service \u2022 74b23c7dc3cca50a6d78e18116e31ca189a4549de35ff49903af2c4c0bd06a63",
            "ELF contains segments with high entropy indicating compressed/encrypted content",
            "/etc/systemd/system/geomi.service File type: ASCII text",
            "http://www.bing.lt/search?q=",
            "Win.Malware.Salat-10058846-0",
            "Yara Detections: MacSync_AppleScript_Stealer",
            "Alerts: antisandbox_unhook hardware_id_profiling ntdll_memory_unhooking binary_yara",
            "Alerts: recon _fingerprint registers_vectored_exception_handler creates_suspended_process",
            "Alerts: resumethread_remote_process enumerates_running_processes reads_self",
            "Alerts: packer_unknown_pe_section_name script_tool_executed",
            "Alerts: queries_computer_name queries_keyboard_layout queries_locale_api",
            "Alerts: antidebug_setunhandledexceptionfilter stealth_timeout language_check_registry",
            "Contacted:  188.114.96.1 Domains Contacted dns.google",
            "distracted-chebyshev.84-54-51-82.plesk.page \u2022 domain plesk.page"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Zergeca",
              "display_name": "Zergeca",
              "target": null
            },
            {
              "id": "AutoIT",
              "display_name": "AutoIT",
              "target": null
            },
            {
              "id": "Win.Malware.Salat-10058846-0",
              "display_name": "Win.Malware.Salat-10058846-0",
              "target": null
            },
            {
              "id": "ALF:JASYP:TrojanDownloader:Win32/SmallAgent!",
              "display_name": "ALF:JASYP:TrojanDownloader:Win32/SmallAgent!",
              "target": null
            },
            {
              "id": "Win.Trojan.Emotet-9850453-0",
              "display_name": "Win.Trojan.Emotet-9850453-0",
              "target": null
            },
            {
              "id": "Worm:Win32/AutoRun!atmn",
              "display_name": "Worm:Win32/AutoRun!atmn",
              "target": "/malware/Worm:Win32/AutoRun!atmn"
            },
            {
              "id": "Win.Trojan.Tofsee-7102058-0\tBackdoor:Win32/Tofsee.T",
              "display_name": "Win.Trojan.Tofsee-7102058-0\tBackdoor:Win32/Tofsee.T",
              "target": "/malware/Win.Trojan.Tofsee-7102058-0\tBackdoor:Win32/Tofsee.T"
            },
            {
              "id": "CVE-2023-22518",
              "display_name": "CVE-2023-22518",
              "target": null
            },
            {
              "id": "CVE-2024-6387",
              "display_name": "CVE-2024-6387",
              "target": null
            },
            {
              "id": "CVE-2025-20393",
              "display_name": "CVE-2025-20393",
              "target": null
            },
            {
              "id": "CVE-2014-2321",
              "display_name": "CVE-2014-2321",
              "target": null
            },
            {
              "id": "Botnet",
              "display_name": "Botnet",
              "target": null
            },
            {
              "id": "CVE-2018-10562",
              "display_name": "CVE-2018-10562",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1543",
              "name": "Create or Modify System Process",
              "display_name": "T1543 - Create or Modify System Process"
            },
            {
              "id": "TA0003",
              "name": "Persistence",
              "display_name": "TA0003 - Persistence"
            },
            {
              "id": "TA0004",
              "name": "Privilege Escalation",
              "display_name": "TA0004 - Privilege Escalation"
            },
            {
              "id": "T1543.002",
              "name": "Systemd Service",
              "display_name": "T1543.002 - Systemd Service"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "TA0005",
              "name": "Defense Evasion",
              "display_name": "TA0005 - Defense Evasion"
            },
            {
              "id": "T1222",
              "name": "File and Directory Permissions Modification",
              "display_name": "T1222 - File and Directory Permissions Modification"
            },
            {
              "id": "T1222.002",
              "name": "Linux and Mac File and Directory Permissions Modification",
              "display_name": "T1222.002 - Linux and Mac File and Directory Permissions Modification"
            },
            {
              "id": "T1070",
              "name": "Indicator Removal on Host",
              "display_name": "T1070 - Indicator Removal on Host"
            },
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1016",
              "name": "System Network Configuration Discovery",
              "display_name": "T1016 - System Network Configuration Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1571",
              "name": "Non-Standard Port",
              "display_name": "T1571 - Non-Standard Port"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1070.004",
              "name": "File Deletion",
              "display_name": "T1070.004 - File Deletion"
            },
            {
              "id": "T1518.001",
              "name": "Security Software Discovery",
              "display_name": "T1518.001 - Security Software Discovery"
            },
            {
              "id": "T1119",
              "name": "Automated Collection",
              "display_name": "T1119 - Automated Collection"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1583.005",
              "name": "Botnet",
              "display_name": "T1583.005 - Botnet"
            },
            {
              "id": "T1155",
              "name": "AppleScript",
              "display_name": "T1155 - AppleScript"
            },
            {
              "id": "T1037.002",
              "name": "Logon Script (Mac)",
              "display_name": "T1037.002 - Logon Script (Mac)"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": "69d5859750dfad7fe7989ef4",
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "IPv4": 169,
            "URL": 1871,
            "domain": 393,
            "hostname": 925,
            "FileHash-MD5": 391,
            "FileHash-SHA1": 390,
            "FileHash-SHA256": 2452,
            "CVE": 1,
            "SSLCertFingerprint": 1,
            "IPv6": 9,
            "email": 4,
            "CIDR": 1
          },
          "indicator_count": 6607,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 138,
          "modified_text": "11 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "69d5859750dfad7fe7989ef4",
          "name": "Apple / Cloud/ Data Network within Zergeca / Zerg Botnet \u2022 MacSync_AppleScript_Stealer",
          "description": "",
          "modified": "2026-04-07T22:30:47.312000",
          "created": "2026-04-07T22:30:47.312000",
          "tags": [
            "added active",
            "related pulses",
            "found",
            "zergeca botnet",
            "zergeca",
            "upx packer",
            "khtml",
            "gecko",
            "united",
            "ids detections",
            "yara detections",
            "https domain",
            "tls sni",
            "ip lookup",
            "external ip",
            "malware",
            "encrypt",
            "techniques",
            "modify system",
            "process",
            "https",
            "performs dns",
            "tls version",
            "reads cpu",
            "proc indicative",
            "urls",
            "downloads",
            "persistence",
            "data upload",
            "extraction",
            "find s",
            "failed",
            "typ don",
            "ipv4 url",
            "canreb",
            "type ipv4",
            "url domail",
            "domail showing",
            "elf conta",
            "typ url",
            "zercega",
            "enter sc",
            "type",
            "include",
            "review",
            "n1 exclude",
            "suggestedincc",
            "a50 typ",
            "ipv4",
            "matches yara",
            "dete data",
            "yara detectea",
            "cro intormation",
            "exclude sugges",
            "sc car",
            "extra lte",
            "referen",
            "l extraction",
            "droo anv",
            "extr referen",
            "lte all",
            "je matches",
            "yara detel",
            "yara dete",
            "include review",
            "exchange lte",
            "je elf",
            "passive dns",
            "certificate",
            "files",
            "trojan",
            "related tags",
            "worm",
            "medium",
            "write c",
            "write",
            "high",
            "binary",
            "yara rule",
            "default",
            "moved",
            "schaan",
            "as834 ipxo",
            "dynamicloader",
            "program",
            "ee fc",
            "users",
            "ff d5",
            "python",
            "windows",
            "autoit",
            "confuserex",
            "stream",
            "guard",
            "launcher",
            "updater",
            "global",
            "america flag",
            "ashburn",
            "america related",
            "tags",
            "indicator facts",
            "historical otx",
            "controller fake",
            "akamai rank",
            "russia",
            "present nov",
            "aaaa",
            "link",
            "a domains",
            "ip address",
            "meta",
            "cve -2014-2321",
            "handle",
            "address range",
            "cidr",
            "network name",
            "allocation type",
            "pa status",
            "whois server",
            "included iocs",
            "manually add",
            "iocs o",
            "iocs",
            "sugges",
            "stop show",
            "types",
            "external",
            "ripe",
            "pa abusec",
            "neterra",
            "sofia",
            "bulgaria phone",
            "filtered person",
            "neven dilkov",
            "bg phone",
            "filtered route",
            "a5ip",
            "aa2023",
            "aamirai",
            "a2scanner",
            "apple inc",
            "issuer",
            "valid",
            "algorit",
            "thum",
            "name",
            "a9 a8",
            "status",
            "macho",
            "macho 64bit",
            "mac os",
            "x macho",
            "intel",
            "typ no",
            "td td",
            "td tr",
            "a td",
            "dynamic dns",
            "date",
            "name servers",
            "arial",
            "error",
            "null",
            "enough",
            "hosts",
            "win32",
            "fast",
            "contacted",
            "MacSync_AppleScript_Stealer",
            "cve-2018-10562",
            "source",
            "roboto",
            "robotodraft",
            "helvetica",
            "iframe",
            "manually ada",
            "review iocs",
            "abv0",
            "qaeaav0",
            "cptbdev",
            "w4uninitialized",
            "qaeaav01",
            "abv01",
            "qaexn",
            "qbenxz",
            "phoneidentify",
            "qbepaxxz"
          ],
          "references": [
            "https://apple.k8s.joewa.com/\u2022 https://com.apple \u2022 freedns.afraid.org",
            "IPv4 188.114.96.1 In CDN range: provider=cloudflare \u2022 dns.google \u2022 push.apple.com",
            "Zergeca \u2022 IPv4 84.54.51.82",
            "Zergeca \u2022  http://bot.hamsterrace.space:5966/",
            "Zergeca \u2022  multi-user.target",
            "Zergeca \u2022  ootheca.pw",
            "CVE-2023-22518\tCVE-2018-10562\t CVE-2024-6387\tCVE-2025-20393",
            "Crowdsourced IDS rules: 6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29",
            "Matches rule Suspicious DNS Query for IP Lookup Service APIs by Brandon George (blog post), Thomas Patzke",
            "Matches rule Suspicious Network Connection to IP Lookup Service APIs by Janantha Marasinghe, Nasreddine Bencherchali (Nextron Systems)",
            "Matches rule Local System Accounts Discovery - Linux by Alejandro Ortuno, oscd.community",
            "Crowdsourced IDS rules:",
            "Matches rule ET POLICY External IP Lookup ipinfo.io",
            "Matches rule ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)",
            "Matches rule ET INFO External IP Check (checkip .amazonaws .com)",
            "Matches rule SERVER-OTHER Squid HTTP Vary response header denial of service attempt",
            "Matches rule ET INFO Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI) Unique rule identifier: This rule belongs to a private collection.",
            "Yara detected: Xmrig cryptocurrency miner",
            "Yara detected: Reads CPU information from /proc indicative of miner or evasive malware Compliance",
            "meta.com \u2022 meta.com.apple",
            "geomi.service \u2022 74b23c7dc3cca50a6d78e18116e31ca189a4549de35ff49903af2c4c0bd06a63",
            "ELF contains segments with high entropy indicating compressed/encrypted content",
            "/etc/systemd/system/geomi.service File type: ASCII text",
            "http://www.bing.lt/search?q=",
            "Win.Malware.Salat-10058846-0",
            "Yara Detections: MacSync_AppleScript_Stealer",
            "Alerts: antisandbox_unhook hardware_id_profiling ntdll_memory_unhooking binary_yara",
            "Alerts: recon_fingerprint registers_vectored_exception_handler creates_suspended_process",
            "Alerts: resumethread_remote_process enumerates_running_processes reads_self",
            "Alerts: packer_unknown_pe_section_name script_tool_executed",
            "Alerts: queries_computer_name queries_keyboard_layout queries_locale_api",
            "Alerts: antidebug_setunhandledexceptionfilter stealth_timeout language_check_registry",
            "Contacted:  188.114.96.1 Domains Contacted dns.google",
            "distracted-chebyshev.84-54-51-82.plesk.page \u2022 domain plesk.page"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Zergeca",
              "display_name": "Zergeca",
              "target": null
            },
            {
              "id": "AutoIT",
              "display_name": "AutoIT",
              "target": null
            },
            {
              "id": "Win.Malware.Salat-10058846-0",
              "display_name": "Win.Malware.Salat-10058846-0",
              "target": null
            },
            {
              "id": "ALF:JASYP:TrojanDownloader:Win32/SmallAgent!",
              "display_name": "ALF:JASYP:TrojanDownloader:Win32/SmallAgent!",
              "target": null
            },
            {
              "id": "Win.Trojan.Emotet-9850453-0",
              "display_name": "Win.Trojan.Emotet-9850453-0",
              "target": null
            },
            {
              "id": "Worm:Win32/AutoRun!atmn",
              "display_name": "Worm:Win32/AutoRun!atmn",
              "target": "/malware/Worm:Win32/AutoRun!atmn"
            },
            {
              "id": "Win.Trojan.Tofsee-7102058-0\tBackdoor:Win32/Tofsee.T",
              "display_name": "Win.Trojan.Tofsee-7102058-0\tBackdoor:Win32/Tofsee.T",
              "target": "/malware/Win.Trojan.Tofsee-7102058-0\tBackdoor:Win32/Tofsee.T"
            },
            {
              "id": "CVE-2023-22518",
              "display_name": "CVE-2023-22518",
              "target": null
            },
            {
              "id": "CVE-2024-6387",
              "display_name": "CVE-2024-6387",
              "target": null
            },
            {
              "id": "CVE-2025-20393",
              "display_name": "CVE-2025-20393",
              "target": null
            },
            {
              "id": "CVE-2014-2321",
              "display_name": "CVE-2014-2321",
              "target": null
            },
            {
              "id": "Botnet",
              "display_name": "Botnet",
              "target": null
            },
            {
              "id": "CVE-2018-10562",
              "display_name": "CVE-2018-10562",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1543",
              "name": "Create or Modify System Process",
              "display_name": "T1543 - Create or Modify System Process"
            },
            {
              "id": "TA0003",
              "name": "Persistence",
              "display_name": "TA0003 - Persistence"
            },
            {
              "id": "TA0004",
              "name": "Privilege Escalation",
              "display_name": "TA0004 - Privilege Escalation"
            },
            {
              "id": "T1543.002",
              "name": "Systemd Service",
              "display_name": "T1543.002 - Systemd Service"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "TA0005",
              "name": "Defense Evasion",
              "display_name": "TA0005 - Defense Evasion"
            },
            {
              "id": "T1222",
              "name": "File and Directory Permissions Modification",
              "display_name": "T1222 - File and Directory Permissions Modification"
            },
            {
              "id": "T1222.002",
              "name": "Linux and Mac File and Directory Permissions Modification",
              "display_name": "T1222.002 - Linux and Mac File and Directory Permissions Modification"
            },
            {
              "id": "T1070",
              "name": "Indicator Removal on Host",
              "display_name": "T1070 - Indicator Removal on Host"
            },
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1016",
              "name": "System Network Configuration Discovery",
              "display_name": "T1016 - System Network Configuration Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1571",
              "name": "Non-Standard Port",
              "display_name": "T1571 - Non-Standard Port"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1070.004",
              "name": "File Deletion",
              "display_name": "T1070.004 - File Deletion"
            },
            {
              "id": "T1518.001",
              "name": "Security Software Discovery",
              "display_name": "T1518.001 - Security Software Discovery"
            },
            {
              "id": "T1119",
              "name": "Automated Collection",
              "display_name": "T1119 - Automated Collection"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1583.005",
              "name": "Botnet",
              "display_name": "T1583.005 - Botnet"
            },
            {
              "id": "T1155",
              "name": "AppleScript",
              "display_name": "T1155 - AppleScript"
            },
            {
              "id": "T1037.002",
              "name": "Logon Script (Mac)",
              "display_name": "T1037.002 - Logon Script (Mac)"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "IPv4": 169,
            "URL": 1871,
            "domain": 393,
            "hostname": 925,
            "FileHash-MD5": 391,
            "FileHash-SHA1": 390,
            "FileHash-SHA256": 2452,
            "CVE": 1,
            "SSLCertFingerprint": 1,
            "IPv6": 9,
            "email": 4,
            "CIDR": 1
          },
          "indicator_count": 6607,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 138,
          "modified_text": "11 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "69d43adce952052db1643eb1",
          "name": "VirusTotal report\n                    for addon.crx",
          "description": "<<< This is the full list of results from this year's \u00a31.2bn (1bn euros) Google search, which includes the results of the search for the world's most popular search engine.>>",
          "modified": "2026-04-06T22:59:40.683000",
          "created": "2026-04-06T22:59:40.683000",
          "tags": [
            "zip archive",
            "opera widget",
            "vym mind",
            "sweet home",
            "design",
            "mozilla firefox",
            "mozilla archive",
            "format",
            "file type",
            "php script",
            "ascii",
            "ascii text",
            "unicode text",
            "utf8 text",
            "crlf line",
            "json",
            "java source",
            "extra info"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1046",
              "name": "Network Service Scanning",
              "display_name": "T1046 - Network Service Scanning"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1176",
              "name": "Browser Extensions",
              "display_name": "T1176 - Browser Extensions"
            },
            {
              "id": "T1185",
              "name": "Man in the Browser",
              "display_name": "T1185 - Man in the Browser"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            },
            {
              "id": "T1064",
              "name": "Scripting",
              "display_name": "T1064 - Scripting"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1543",
              "name": "Create or Modify System Process",
              "display_name": "T1543 - Create or Modify System Process"
            },
            {
              "id": "T1564",
              "name": "Hide Artifacts",
              "display_name": "T1564 - Hide Artifacts"
            },
            {
              "id": "T1010",
              "name": "Application Window Discovery",
              "display_name": "T1010 - Application Window Discovery"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 316,
            "FileHash-SHA1": 314,
            "FileHash-SHA256": 1415,
            "IPv4": 88,
            "hostname": 132,
            "domain": 50,
            "URL": 86
          },
          "indicator_count": 2401,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 48,
          "modified_text": "12 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "69d43ada131daf14003078c7",
          "name": "VirusTotal report\n                    for addon.crx",
          "description": "<<< This is the full list of results from this year's \u00a31.2bn (1bn euros) Google search, which includes the results of the search for the world's most popular search engine.>>",
          "modified": "2026-04-06T22:59:38.191000",
          "created": "2026-04-06T22:59:38.191000",
          "tags": [
            "zip archive",
            "opera widget",
            "vym mind",
            "sweet home",
            "design",
            "mozilla firefox",
            "mozilla archive",
            "format",
            "file type",
            "php script",
            "ascii",
            "ascii text",
            "unicode text",
            "utf8 text",
            "crlf line",
            "json",
            "java source",
            "extra info"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1046",
              "name": "Network Service Scanning",
              "display_name": "T1046 - Network Service Scanning"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1176",
              "name": "Browser Extensions",
              "display_name": "T1176 - Browser Extensions"
            },
            {
              "id": "T1185",
              "name": "Man in the Browser",
              "display_name": "T1185 - Man in the Browser"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            },
            {
              "id": "T1064",
              "name": "Scripting",
              "display_name": "T1064 - Scripting"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1543",
              "name": "Create or Modify System Process",
              "display_name": "T1543 - Create or Modify System Process"
            },
            {
              "id": "T1564",
              "name": "Hide Artifacts",
              "display_name": "T1564 - Hide Artifacts"
            },
            {
              "id": "T1010",
              "name": "Application Window Discovery",
              "display_name": "T1010 - Application Window Discovery"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 316,
            "FileHash-SHA1": 314,
            "FileHash-SHA256": 1415,
            "IPv4": 88,
            "hostname": 132,
            "domain": 50,
            "URL": 86
          },
          "indicator_count": 2401,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 48,
          "modified_text": "12 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "69d43adaef39c73f026077c0",
          "name": "VirusTotal report\n                    for addon.crx",
          "description": "<<< This is the full list of results from this year's \u00a31.2bn (1bn euros) Google search, which includes the results of the search for the world's most popular search engine.>>",
          "modified": "2026-04-06T22:59:38.174000",
          "created": "2026-04-06T22:59:38.174000",
          "tags": [
            "zip archive",
            "opera widget",
            "vym mind",
            "sweet home",
            "design",
            "mozilla firefox",
            "mozilla archive",
            "format",
            "file type",
            "php script",
            "ascii",
            "ascii text",
            "unicode text",
            "utf8 text",
            "crlf line",
            "json",
            "java source",
            "extra info"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1046",
              "name": "Network Service Scanning",
              "display_name": "T1046 - Network Service Scanning"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1176",
              "name": "Browser Extensions",
              "display_name": "T1176 - Browser Extensions"
            },
            {
              "id": "T1185",
              "name": "Man in the Browser",
              "display_name": "T1185 - Man in the Browser"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            },
            {
              "id": "T1064",
              "name": "Scripting",
              "display_name": "T1064 - Scripting"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1543",
              "name": "Create or Modify System Process",
              "display_name": "T1543 - Create or Modify System Process"
            },
            {
              "id": "T1564",
              "name": "Hide Artifacts",
              "display_name": "T1564 - Hide Artifacts"
            },
            {
              "id": "T1010",
              "name": "Application Window Discovery",
              "display_name": "T1010 - Application Window Discovery"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 316,
            "FileHash-SHA1": 314,
            "FileHash-SHA256": 1415,
            "IPv4": 88,
            "hostname": 132,
            "domain": 50,
            "URL": 86
          },
          "indicator_count": 2401,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 48,
          "modified_text": "12 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "69d43ad5541cf4a7ee45cef5",
          "name": "VirusTotal report\n                    for addon.crx",
          "description": "<<< This is the full list of results from this year's \u00a31.2bn (1bn euros) Google search, which includes the results of the search for the world's most popular search engine.>>",
          "modified": "2026-04-06T22:59:33.577000",
          "created": "2026-04-06T22:59:33.577000",
          "tags": [
            "zip archive",
            "opera widget",
            "vym mind",
            "sweet home",
            "design",
            "mozilla firefox",
            "mozilla archive",
            "format",
            "file type",
            "php script",
            "ascii",
            "ascii text",
            "unicode text",
            "utf8 text",
            "crlf line",
            "json",
            "java source",
            "extra info"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1046",
              "name": "Network Service Scanning",
              "display_name": "T1046 - Network Service Scanning"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1176",
              "name": "Browser Extensions",
              "display_name": "T1176 - Browser Extensions"
            },
            {
              "id": "T1185",
              "name": "Man in the Browser",
              "display_name": "T1185 - Man in the Browser"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            },
            {
              "id": "T1064",
              "name": "Scripting",
              "display_name": "T1064 - Scripting"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1543",
              "name": "Create or Modify System Process",
              "display_name": "T1543 - Create or Modify System Process"
            },
            {
              "id": "T1564",
              "name": "Hide Artifacts",
              "display_name": "T1564 - Hide Artifacts"
            },
            {
              "id": "T1010",
              "name": "Application Window Discovery",
              "display_name": "T1010 - Application Window Discovery"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 316,
            "FileHash-SHA1": 314,
            "FileHash-SHA256": 1415,
            "IPv4": 88,
            "hostname": 132,
            "domain": 50,
            "URL": 86
          },
          "indicator_count": 2401,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 48,
          "modified_text": "12 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "69d43ad5128bbd414bbd946f",
          "name": "VirusTotal report\n                    for addon.crx",
          "description": "<<< This is the full list of results from this year's \u00a31.2bn (1bn euros) Google search, which includes the results of the search for the world's most popular search engine.>>",
          "modified": "2026-04-06T22:59:33.569000",
          "created": "2026-04-06T22:59:33.569000",
          "tags": [
            "zip archive",
            "opera widget",
            "vym mind",
            "sweet home",
            "design",
            "mozilla firefox",
            "mozilla archive",
            "format",
            "file type",
            "php script",
            "ascii",
            "ascii text",
            "unicode text",
            "utf8 text",
            "crlf line",
            "json",
            "java source",
            "extra info"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1046",
              "name": "Network Service Scanning",
              "display_name": "T1046 - Network Service Scanning"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1176",
              "name": "Browser Extensions",
              "display_name": "T1176 - Browser Extensions"
            },
            {
              "id": "T1185",
              "name": "Man in the Browser",
              "display_name": "T1185 - Man in the Browser"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            },
            {
              "id": "T1064",
              "name": "Scripting",
              "display_name": "T1064 - Scripting"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1543",
              "name": "Create or Modify System Process",
              "display_name": "T1543 - Create or Modify System Process"
            },
            {
              "id": "T1564",
              "name": "Hide Artifacts",
              "display_name": "T1564 - Hide Artifacts"
            },
            {
              "id": "T1010",
              "name": "Application Window Discovery",
              "display_name": "T1010 - Application Window Discovery"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 316,
            "FileHash-SHA1": 314,
            "FileHash-SHA256": 1415,
            "IPv4": 88,
            "hostname": 132,
            "domain": 50,
            "URL": 86
          },
          "indicator_count": 2401,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 48,
          "modified_text": "12 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "69d43acb355ea778bf740a6d",
          "name": "VirusTotal report\n                    for addon.crx",
          "description": "<<< This is the full list of results from this year's \u00a31.2bn (1bn euros) Google search, which includes the results of the search for the world's most popular search engine.>>",
          "modified": "2026-04-06T22:59:23.936000",
          "created": "2026-04-06T22:59:23.936000",
          "tags": [
            "zip archive",
            "opera widget",
            "vym mind",
            "sweet home",
            "design",
            "mozilla firefox",
            "mozilla archive",
            "format",
            "file type",
            "php script",
            "ascii",
            "ascii text",
            "unicode text",
            "utf8 text",
            "crlf line",
            "json",
            "java source",
            "extra info"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1046",
              "name": "Network Service Scanning",
              "display_name": "T1046 - Network Service Scanning"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1176",
              "name": "Browser Extensions",
              "display_name": "T1176 - Browser Extensions"
            },
            {
              "id": "T1185",
              "name": "Man in the Browser",
              "display_name": "T1185 - Man in the Browser"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            },
            {
              "id": "T1064",
              "name": "Scripting",
              "display_name": "T1064 - Scripting"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1543",
              "name": "Create or Modify System Process",
              "display_name": "T1543 - Create or Modify System Process"
            },
            {
              "id": "T1564",
              "name": "Hide Artifacts",
              "display_name": "T1564 - Hide Artifacts"
            },
            {
              "id": "T1010",
              "name": "Application Window Discovery",
              "display_name": "T1010 - Application Window Discovery"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 316,
            "FileHash-SHA1": 314,
            "FileHash-SHA256": 1415,
            "IPv4": 88,
            "hostname": 132,
            "domain": 50,
            "URL": 86
          },
          "indicator_count": 2401,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 48,
          "modified_text": "12 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "69d43ac218b1452b90077c29",
          "name": "VirusTotal report\n                    for addon.crx",
          "description": "<<< This is the full list of results from this year's \u00a31.2bn (1bn euros) Google search, which includes the results of the search for the world's most popular search engine.>>",
          "modified": "2026-04-06T22:59:14.467000",
          "created": "2026-04-06T22:59:14.467000",
          "tags": [
            "zip archive",
            "opera widget",
            "vym mind",
            "sweet home",
            "design",
            "mozilla firefox",
            "mozilla archive",
            "format",
            "file type",
            "php script",
            "ascii",
            "ascii text",
            "unicode text",
            "utf8 text",
            "crlf line",
            "json",
            "java source",
            "extra info"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1046",
              "name": "Network Service Scanning",
              "display_name": "T1046 - Network Service Scanning"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1176",
              "name": "Browser Extensions",
              "display_name": "T1176 - Browser Extensions"
            },
            {
              "id": "T1185",
              "name": "Man in the Browser",
              "display_name": "T1185 - Man in the Browser"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            },
            {
              "id": "T1064",
              "name": "Scripting",
              "display_name": "T1064 - Scripting"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1543",
              "name": "Create or Modify System Process",
              "display_name": "T1543 - Create or Modify System Process"
            },
            {
              "id": "T1564",
              "name": "Hide Artifacts",
              "display_name": "T1564 - Hide Artifacts"
            },
            {
              "id": "T1010",
              "name": "Application Window Discovery",
              "display_name": "T1010 - Application Window Discovery"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 316,
            "FileHash-SHA1": 314,
            "FileHash-SHA256": 1415,
            "IPv4": 88,
            "hostname": 132,
            "domain": 50,
            "URL": 86
          },
          "indicator_count": 2401,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 48,
          "modified_text": "12 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "Monitored targets. Tsara Brashears, UAlberta (disable_duck) seen",
        "Issue! Team member found CVE-2023-22518 have origins from the State of Colorado",
        "https://vtbehaviour.commondatastorage.googleapis.com/b71ddf3175c9e6b41f143207c6e74a9c327a362b3a1ce7e0282ceae2ad513b3b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415599&Signature=O7Nc7o9GEFU3sFGIZv58PwBR8rG8MIwYQTmDyTNIUlHEEpmUY2Bttz0797jnr4%2BjT%2BCd1r%2BRad4nV4HLruG5QACAgOnQKjtSn%2FhWNes5q1y2qu46J%2BwCUFqmrr%2BpM6MjMmILZUqSezFzC5Fs%2Fnn4iBIQpYxJ8e4sJMXVIONcDkWLhycQk5rVr%2FV7G6tU0yAkoavXhpyrSGqR2Ee9QAoAXLWdixJ0rLJ85yQxWFr0E%2F7%",
        "When your pulse says contacted, who is contacted besides OTX?",
        "https://hybrid-analysis.com/sample/529a0b900eef6657ce6c98b1b5bccebe6db2e021aa02a316b7eb2604df810d3f/69de30ef0a22c3b506077a8c",
        "Yara Detections:  KERNEL32_DLL_xor_exe_key_197 ,  xor_0xc5_This_program",
        "IDS Detections: Win32.Floxif.A Checkin TLS Handshake Failure 403 Forbidden",
        "https://vtbehaviour.commondatastorage.googleapis.com/00000048b1c9e60c14a6619f0292dea96df7f10c11cfa9ae28693219c0ae844b_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415832&Signature=AOcM9Dc%2B2gUBJnZxuNmagisQ8QYjno4RVZd6DZFo553Ws2tWbJ6lUHXGOGTxLZCRccqXY9h0WhcjRXW4EgojbjJxXCTLq1y%2BtxXjZShlepAg7uq2pbXGsBhUcbpS5Jj0upmosZUCtU4mq8fMyjA0Jufv7u%2F%2FhIwKCp6Q9NIixpAXFwNy8BWn%2FOh6em7B0TwRABvcvTsQC2PO%2FOq5J61VWow6JiR2o97x%2Fm1ChJyz%2FvGTsz",
        "Matches rule Local System Accounts Discovery - Linux by Alejandro Ortuno, oscd.community",
        "geomi.service \u2022 74b23c7dc3cca50a6d78e18116e31ca189a4549de35ff49903af2c4c0bd06a63",
        "I liked the tool. There is something strange happening with the pulses & IoC\u2019s",
        "Zergeca \u2022  ootheca.pw",
        "www.fireeye.com .",
        "Alerts: queries_computer_name queries_keyboard_layout queries_locale_api",
        "https://vtbehaviour.commondatastorage.googleapis.com/2566a2924072ac9821eb7ecde8bedf7197ceb09d99cd17ff48864a2323546bf9_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775715909&Signature=gpI0cV%2Bz5SujLXqKc%2FMViiMPztLVAF6Rp00wpW3LF4PyrCqLg7GTlahQtBw0v4rtG0E8HaaDkNRYZ6xPc%2BaCuTHHzf0b8HN0%2BOiY%2B%2Bk4Q5eiI%2BJCJiWefs3vtk9u5bFyGQqM4nzF3u1uk2E8d3TKiy09A5K7YNLjbAsewBUu5mmJZsTeErl3nBhQcKu1stwt1ycd78SLCg8fUl3U7DDaqfd3hJbY98lWj8e6NwMu6VxskCRDdSQsdWj2",
        "danilovstyle.ru",
        "https://vtbehaviour.commondatastorage.googleapis.com/9e4f036dd6fbb45ce414cb5d040b3255b5ccc9ecacbfaf022b631545f9a19a02_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415648&Signature=gOGhlxTumFXkKGryYSeJV8%2BMONZwbp%2BS3ntsErndc02nffG6DHW%2FbU0CVbVSOp3lIZkIt2qx7a%2BTsm2IItEWtGIN55fG14UxsBfo1Gf8bukZC4u5KoQKrVSYuV9aASUd5oCoTo0iIp%2BVCokHRdLbF259Fld%2FjlgJGL%2FVoLiGxXwkbQaxZi5VN94eNl65FMGXLtoVUgbUk3FhXEIuLwwJJU8XnveqbCOzDS9PtPnPO7seXDaK",
        "Matches rule Suspicious Network Connection to IP Lookup Service APIs by Janantha Marasinghe, Nasreddine Bencherchali (Nextron Systems)",
        "Matches rule ET POLICY External IP Lookup ipinfo.io",
        "Alerts: network_cnc_http network_http allocates_rwx antisandbox_sleep creates_exe",
        "Alerts: dead_host network_icmp nolookup_communication persistence_autorun",
        "distracted-chebyshev.84-54-51-82.plesk.page \u2022 domain plesk.page",
        "I typically follow targets who have truly dangerous situations who no longer pulse.",
        "Yara Detections: Malware_Floxif_mpsvc_dll ,  stack_string ,  MS_Visual_Cpp_2008 ,",
        "IPv4 13.107.253.70 exploit_source \u2022 IPv4 13.107.226.70 malware_hosting",
        "Yara Detections: MacSync_AppleScript_Stealer",
        "Matches rule SERVER-OTHER Squid HTTP Vary response header denial of service attempt",
        "https://vtbehaviour.commondatastorage.googleapis.com/2566a2924072ac9821eb7ecde8bedf7197ceb09d99cd17ff48864a2323546bf9_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775715964&Signature=A%2BPIQBCth46RBnI1rK4wnu%2B0XtyUhEdo1TORDahLnR6yM%2BbI8gLsWpjDTmV8aSDFIcFddcr%2BCs9TqMa65j3jNrLz9NcyZekNiDekQlkYCbMCIiYduRDT9nLy485HDee9RRJ3YSbeqJQSjzOXemRKeyL8rg3ml6WTeCly22CrQPLljCwWWUbsQLYOMqu0OADj%2BKEZv%2B5gVOmJsQIBQugE%2F0xSYw1lKowIs5nlYy9Z0hbFUycO",
        "Tulach\u2019s ASP.Net Open Source destruction",
        "https://vtbehaviour.commondatastorage.googleapis.com/9e4f036dd6fbb45ce414cb5d040b3255b5ccc9ecacbfaf022b631545f9a19a02_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415662&Signature=ii4xZZXyeZqty%2B%2BwMuioMf90xxcdXimnQRoYesmvSMUfZNPn9hRsSBoDdFdqtcRFep%2BYsQiF4%2BKaDZPUzloaQ%2FeZkEhJokSi2P1NP1ymoIPZ5j%2F8XwTxCO0c%2BGbA%2BECIOWUC9IlgPTZfdCvd1wQiXe4sa1U0QVwZBDk%2B7GDXDJUVIOH6bc8cAZi8Q4QzBqOTaLamgqF1%2BC5uFbLSShJOLGiBZv6PRiQ2L2qk",
        "I did not clone my pulse to read Bit.io",
        "I am unable to reach Level Blue regarding issues. Mailer Daemon only",
        "https://vtbehaviour.commondatastorage.googleapis.com/2490cba406c48127d4f19ec90640181b6fda91960640d126478a6695aab49c4a_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776416061&Signature=eIQtmFWS2GiSN%2F3bdQCKKOu9%2FiEoDqQYcEtVnvTTBu%2BZ5JFRAyRu7Tgxw5YyVb%2BXK66m6JTN4yIleNl669%2FfdMbOamF6hlF%2FZbucN1etgX%2B8Snq2xrhFN5xZvvWrQukcYlJQnz9s2WSByNnA2Lvi7dn3qQnZMVNcJwWLhL1ayyCBqpiDVaDMGTgQfLrVdec0Xknzzl70Ce70nSgQdxJ4Q%2FSzYtz9Khtk6hyaiBbYxsyiWQ",
        "ELF contains segments with high entropy indicating compressed/encrypted content",
        "I can\u2019t speak for behavior of targets. Seems unlikely  programs were intentionally installed.",
        "Win.Malware.Salat-10058846-0",
        "Yara detected: Xmrig cryptocurrency miner",
        "com.iobit.MacBooster-3",
        "IPv4 188.114.96.1 In CDN range: provider=cloudflare \u2022 dns.google \u2022 push.apple.com",
        "Zergeca \u2022  http://bot.hamsterrace.space:5966/",
        "https://vtbehaviour.commondatastorage.googleapis.com/1af55649a731abb95d71e2e49693a7bcf87270eb4f8712b747f7e04a0a2a3031_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415762&Signature=4Iu15AELs8158yzYffz716hQ5%2BDY4JHNeJeMzaSmkJrocvfpO7MMmB4MO5Zo%2Bs339dX%2Flb51NK%2Fd3eREGBJkNV3bvbEFaxv1hCO%2Fqge8%2FLnfKLSSRPJ48%2BGAVA22z0gYKvSPfYdGvownSV9GBevxmcIWZ%2F0VK57Mb1gHqvtWKs%2BMGgd4v%2FJJWCmjWx8xLomFVgrpD1boM0PxdVh3X21asN1DplbqcAZ%2Fd5WoOJYic",
        "CVE-2023-22518\tCVE-2018-10562\t CVE-2024-6387\tCVE-2025-20393",
        "An earlier version contacted entities affected or affecting targets.",
        "https://vtbehaviour.commondatastorage.googleapis.com/9e4f036dd6fbb45ce414cb5d040b3255b5ccc9ecacbfaf022b631545f9a19a02_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415622&Signature=NJmj0XG%2BcAwpEa26%2B7ucV3CTWcwrSwSV%2BU62aYx0yDVYzZH70ROLK9%2F2lUy0IuC6n88oOTLoikSC4GRgUVypFQpmJoKQpkPvHZ1SfyklCtIWurZJYZvHSZs32JL0l6t3eEwW61xDg%2FICvOFlPQ0Aju7Hk1ntOY82jD%2B9dVw179jdF3A5jzGDrcr7mP17tnwZcOI0pVfF0ZhtbJL6SCHXBce%2BWS5zRxV2VgXHqrGYl0XLgpK6MD30wBFT",
        "Alerts: checks_debugger has_pdb raises_exception",
        "https://apple.k8s.joewa.com/\u2022 https://com.apple \u2022 freedns.afraid.org",
        "ns4-04.azure-dns.info",
        "This would be sent in an email but \u2026.",
        "Alerts: injection_process_search antivm_network_adapters privilege_luid_check",
        "About  pulse, found in peripheral.",
        "Issue! What I am troubled about is the deletion service that has plagued OTX/ LevelBlue",
        "A user StreamMiningEx copied pulses: octoseek, scoreblue,  KAILULA4, callmeDoris , dorkingbeauty1 and more",
        "IP\u2019s Contacted:  104.200.23.95  174.139.10.194  198.35.26.96",
        "Crowdsourced IDS rules: 6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29",
        "https://otx.alienvault.com/indicator/cve/CVE-2023-22518",
        "Alerts: modifies_proxy_wpad antivm_vmware_in_instruction dumped_buffer",
        "http://www.bing.lt/search?q=",
        "Contacted:  188.114.96.1 Domains Contacted dns.google",
        "Researching using an easy powerful tool like this has led to confrontations.",
        "Matches rule ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)",
        "https://vtbehaviour.commondatastorage.googleapis.com/0244cbf1fbf8809c335b9bbd8142c72e3bbb36881e0aacfba6000e0aaa048ba9_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415703&Signature=L2WgcAgR2nm5cyc0SHe8nYGU6Db6r7Cvr%2F9INkp%2ByiPXoTK3tUwxH06Vr3YnW2wDr8eANqgqXGU09YoEUVEKuHs8veU6QWbaN3LrOaICSmq1tlHwJUE7sILNI3MnOjwZvzYeFCMmSLUOQ62k46HzTVnrFNBqaPIUNQiRsQFUz06TVaA9FxXxYKk2brVLRXiNew1RgDlMp%2BM9EnePR06vYsB9QXEgrblE7M51AU%2BpM09%2BGxukEzUG",
        "meta.com \u2022 meta.com.apple",
        "Alerts: antisandbox_unhook hardware_id_profiling ntdll_memory_unhooking binary_yara",
        "https://vtbehaviour.commondatastorage.googleapis.com/fb83210a8a2d58af1d2fe5edf812be88b5465c130c3e8a091626bc0a2d6452ae_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776416202&Signature=f43IRerFiqRQ5ke71WfT2lNFf5Jf60FnKcTCpJGhgnSemoBx1iDNvbOs8rePJYHFEiffIuvjjnquRt51dziCswMktwhg8g7Tl3vVfnoYpuBzv6QT86so9sVcKWOt43wFnzCEH1RWrmQDe2jRBGL2Kvhqi%2B3i2iAFdZWCrxoAJtMJVqGVwXM5S7JnLR%2BklB1A5RQQReOEncgwClqKUHMPrSGjXgH%2FDernerWjOXghDL3V2fJ7EJ",
        "Alerts: recon_fingerprint registers_vectored_exception_handler creates_suspended_process",
        "Matches rule ET INFO External IP Check (checkip .amazonaws .com)",
        "Disturbed pulses of mercenary attacks S/A NSO Pegasus NOT reported to CISA or Citizen Lab.",
        "Alerts: antidebug_setunhandledexceptionfilter stealth_timeout language_check_registry",
        "www.fireeye.com",
        "https://hypic-anaivsis.com/sambrerb/a0p9veebo",
        "Crowdsourced IDS rules:",
        "https://vtbehaviour.commondatastorage.googleapis.com/2566a2924072ac9821eb7ecde8bedf7197ceb09d99cd17ff48864a2323546bf9_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775715951&Signature=XmRkiqq6Fjiq21rddntr3oHg%2BIPR1SrVwk6v5ZZ%2FJ4PkIpl7sqX1DjtJMGHoYvndxGmCeSCYQ08LS9hYRAWXupAhPzRcTkFcmq6KY%2FyMoab3l0SDixcrT9tLxB4iEobBJOzX0Fb%2B8QDyAbyjsuoKSMNCQC0CrVZyT7X54GsN93BU0FXiJWIIluOisGnjwoqL3rdMF8%2BPEJgkcUJTOIuIRaX57nsrXAMIv7dbn9BGZFDXH0",
        "I am not cloning pulses belonging to others without crediting.  I\u2019m one of a few who credit. This has happened to other team members",
        "There are serious researchers on here for a short time hoping to resolve serious cyber issues",
        "https://vtbehaviour.commondatastorage.googleapis.com/2490cba406c48127d4f19ec90640181b6fda91960640d126478a6695aab49c4a_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776416015&Signature=evkFEcpvJ0BNlw47zD%2Bgg2ETU%2FGcbGZI3U%2BLCDkaRH4IhSCbgDF9ABajkx7SCAFA2G%2BndDWCzqKkknqPMARKAJk2b5h%2Bu1Gq8uDozkg9GvP8exgs3%2Bw%2F40637%2BmzlgjutElGFcVRMMDWRF5QEvyEDJVUIXmKmLYmKDYM58fBA4IM2VfpV8BB6HJcySkkMk2J4Mhk9nut%2FIrmFjV99WEunuPKfIgnAataXIXzBGZJl2eJK1OEGK19",
        "I can\u2019t help but notice a trend. IoC\u2019s found by actual targets are removed from pulses. Recent users are listed in place",
        "https://wsps.ourschoolpages.com/Account/ForgotPasswor (typo",
        "Reporting is an expected protocol. Is this more of a \u2018bounty\u2019 focused, a honeypot?",
        "https://vtbehaviour.commondatastorage.googleapis.com/fb83210a8a2d58af1d2fe5edf812be88b5465c130c3e8a091626bc0a2d6452ae_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415519&Signature=e1YxGtIahtkD9VKQTSuo9BFhC4KNicXASSfPf7LiJhYyR2OQOLXoHJjgEUtHCAfeZU7VSacymMfJJhx7M2NXSaPyv5cdsCUWfzeTKwyFqM06pSuq7HqYUJIh2%2BG3bz87h0m%2FMFuU5d0MXdwN9ykL%2FJ8EB4RuyKhfY%2FjBGZMZA0nVn5dQtQ1GySJiLj%2BWsKXQxsYVy%2FBok8h2n2m7EE923RSv%2BkkdQHO3enQf2ikR%2FU%2BtEN4S7xO2",
        "http://www.phonefactor.com/PfPaWs/ConfirmActivation",
        "Matches rule Suspicious DNS Query for IP Lookup Service APIs by Brandon George (blog post), Thomas Patzke",
        "/etc/systemd/system/geomi.service File type: ASCII text",
        "Issue! Multiple IoC\u2019s missing.",
        "Yara detected: Reads CPU information from /proc indicative of miner or evasive malware Compliance",
        "Domains Contacted: en.wikipedia.org 5isohu.com www.aieov.com",
        "Brian Sabey, Tulach, other adversaries working illegally to remove IoC\u2019s",
        "ns4-04.azure-dns.info danilovst) ns4-04.azure-dns.info",
        "https://www.countercept.com/assets/Uploads/whitepapers/MWRI-Countercept-Machine-Learning-Whitepaper-2017-04-01.pdf",
        "Alerts: resumethread_remote_process enumerates_running_processes reads_self",
        "Are these table SolarWinds attackers? Using same tactics, good? Unsure.",
        "It\u2019s not just me. I have contacted from very secured emails, networks, devices",
        "Zergeca \u2022  multi-user.target",
        "Zergeca \u2022 IPv4 84.54.51.82",
        "Alerts: packer_unknown_pe_section_name script_tool_executed",
        "asp.net \u2022 cdnsrc.asp.net",
        "Matches rule ET INFO Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI) Unique rule identifier: This rule belongs to a private collection."
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": [],
          "unique_indicators": 0
        },
        "other": {
          "adversary": [],
          "malware_families": [
            "Worm:win32/autorun!atmn",
            "Win.malware.salat-10058846-0",
            "Botnet",
            "Ransom:win32/sodinokibicrypt.sk!mtb",
            "Cve-2024-6387",
            "Cve-2023-22518",
            "Zergeca",
            "Pathwiper",
            "Virus:win32/floxif.h",
            "Cve-2018-10562",
            "Win.ransomware.tofsee-10015002",
            "Exploit:win32/cve-2017-0147",
            "Trojan:win32/comisproc!gmb i",
            "Cve-2014-2321",
            "Win.trojan.tofsee-7102058-0\tbackdoor:win32/tofsee.t",
            "Win.trojan.emotet-9850453-0",
            "Alf:jasyp:trojandownloader:win32/smallagent!",
            "Autoit",
            "Cve-2025-20393",
            "Ransom:win32/cve-2017-0147"
          ],
          "industries": [
            "Telecommunications",
            "Technology",
            "Government"
          ],
          "unique_indicators": 21578
        }
      }
    },
    "false_positive": [],
    "alexa": "http://www.alexa.com/siteinfo/vanbuildtracker.com",
    "whois": "http://whois.domaintools.com/vanbuildtracker.com",
    "domain": "vanbuildtracker.com",
    "hostname": "Unavailable"
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 16,
  "pulses": [
    {
      "id": "69e1f53e6b3e17deca1277b7",
      "name": "VirusTotal report\n                    for program.exe",
      "description": "The full text of this year's EU Referendum, which will take place on 26 November, has been published.. and it will not appear on BBC Radio 5 live or on iPlayer.]",
      "modified": "2026-04-18T04:12:56.823000",
      "created": "2026-04-17T08:54:22.034000",
      "tags": [
        "executable",
        "msdos",
        "pe32 executable",
        "intel",
        "ms windows",
        "dos borland",
        "generic windos",
        "dos executable",
        "pe32 compiler",
        "borland delphi",
        "delphi",
        "file type",
        "json",
        "ascii",
        "ascii text",
        "drops pe",
        "pe file",
        "sample",
        "persistence",
        "malicious",
        "next",
        "network capture",
        "wireshark pcap",
        "next generation",
        "dump file",
        "format",
        "little endian",
        "pcap",
        "nothing",
        "registry keys",
        "mutexes nothing",
        "parent pid",
        "full path",
        "command line",
        "files c",
        "read files",
        "read registry",
        "apis nothing",
        "https",
        "urls",
        "creates",
        "pe32",
        "sigma",
        "window",
        "mailpassview",
        "default",
        "mwdb",
        "bazaar",
        "sha3384",
        "ssdeep",
        "file size",
        "sha256",
        "cname",
        "inprocserver32",
        "accept",
        "shutdown",
        "guard",
        "darkgate",
        "windows sandbox",
        "calls process",
        "systemroot",
        "commands",
        "created",
        "xcaxdb xcaxdb",
        "x82xec x82xec",
        "x83xc4 x83xc4",
        "xc1 x",
        "xffu xffu",
        "x8be x8be",
        "x81e x81e",
        "xc4 xc4",
        "x81i x81i",
        "xf3x86 xf3x86",
        "activator",
        "detail info",
        "tickcount",
        "processid",
        "threadid",
        "startaddress",
        "parameter",
        "offset",
        "socket",
        "text",
        "classname",
        "behaviour",
        "class",
        "shell",
        "find",
        "mitre attack",
        "network info",
        "processes extra",
        "program",
        "t1055 process",
        "overview",
        "overview zenbox",
        "verdict",
        "guest system",
        "title",
        "phishing",
        "cape sandbox",
        "t1055",
        "style",
        "courier",
        "ip address",
        "port",
        "gmt ifnonematch",
        "machine summary",
        "meta",
        "inter"
      ],
      "references": [
        "https://vtbehaviour.commondatastorage.googleapis.com/fb83210a8a2d58af1d2fe5edf812be88b5465c130c3e8a091626bc0a2d6452ae_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415519&Signature=e1YxGtIahtkD9VKQTSuo9BFhC4KNicXASSfPf7LiJhYyR2OQOLXoHJjgEUtHCAfeZU7VSacymMfJJhx7M2NXSaPyv5cdsCUWfzeTKwyFqM06pSuq7HqYUJIh2%2BG3bz87h0m%2FMFuU5d0MXdwN9ykL%2FJ8EB4RuyKhfY%2FjBGZMZA0nVn5dQtQ1GySJiLj%2BWsKXQxsYVy%2FBok8h2n2m7EE923RSv%2BkkdQHO3enQf2ikR%2FU%2BtEN4S7xO2",
        "https://vtbehaviour.commondatastorage.googleapis.com/b71ddf3175c9e6b41f143207c6e74a9c327a362b3a1ce7e0282ceae2ad513b3b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415599&Signature=O7Nc7o9GEFU3sFGIZv58PwBR8rG8MIwYQTmDyTNIUlHEEpmUY2Bttz0797jnr4%2BjT%2BCd1r%2BRad4nV4HLruG5QACAgOnQKjtSn%2FhWNes5q1y2qu46J%2BwCUFqmrr%2BpM6MjMmILZUqSezFzC5Fs%2Fnn4iBIQpYxJ8e4sJMXVIONcDkWLhycQk5rVr%2FV7G6tU0yAkoavXhpyrSGqR2Ee9QAoAXLWdixJ0rLJ85yQxWFr0E%2F7%",
        "https://vtbehaviour.commondatastorage.googleapis.com/9e4f036dd6fbb45ce414cb5d040b3255b5ccc9ecacbfaf022b631545f9a19a02_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415622&Signature=NJmj0XG%2BcAwpEa26%2B7ucV3CTWcwrSwSV%2BU62aYx0yDVYzZH70ROLK9%2F2lUy0IuC6n88oOTLoikSC4GRgUVypFQpmJoKQpkPvHZ1SfyklCtIWurZJYZvHSZs32JL0l6t3eEwW61xDg%2FICvOFlPQ0Aju7Hk1ntOY82jD%2B9dVw179jdF3A5jzGDrcr7mP17tnwZcOI0pVfF0ZhtbJL6SCHXBce%2BWS5zRxV2VgXHqrGYl0XLgpK6MD30wBFT",
        "https://vtbehaviour.commondatastorage.googleapis.com/9e4f036dd6fbb45ce414cb5d040b3255b5ccc9ecacbfaf022b631545f9a19a02_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415648&Signature=gOGhlxTumFXkKGryYSeJV8%2BMONZwbp%2BS3ntsErndc02nffG6DHW%2FbU0CVbVSOp3lIZkIt2qx7a%2BTsm2IItEWtGIN55fG14UxsBfo1Gf8bukZC4u5KoQKrVSYuV9aASUd5oCoTo0iIp%2BVCokHRdLbF259Fld%2FjlgJGL%2FVoLiGxXwkbQaxZi5VN94eNl65FMGXLtoVUgbUk3FhXEIuLwwJJU8XnveqbCOzDS9PtPnPO7seXDaK",
        "https://vtbehaviour.commondatastorage.googleapis.com/9e4f036dd6fbb45ce414cb5d040b3255b5ccc9ecacbfaf022b631545f9a19a02_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415662&Signature=ii4xZZXyeZqty%2B%2BwMuioMf90xxcdXimnQRoYesmvSMUfZNPn9hRsSBoDdFdqtcRFep%2BYsQiF4%2BKaDZPUzloaQ%2FeZkEhJokSi2P1NP1ymoIPZ5j%2F8XwTxCO0c%2BGbA%2BECIOWUC9IlgPTZfdCvd1wQiXe4sa1U0QVwZBDk%2B7GDXDJUVIOH6bc8cAZi8Q4QzBqOTaLamgqF1%2BC5uFbLSShJOLGiBZv6PRiQ2L2qk",
        "https://vtbehaviour.commondatastorage.googleapis.com/0244cbf1fbf8809c335b9bbd8142c72e3bbb36881e0aacfba6000e0aaa048ba9_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415703&Signature=L2WgcAgR2nm5cyc0SHe8nYGU6Db6r7Cvr%2F9INkp%2ByiPXoTK3tUwxH06Vr3YnW2wDr8eANqgqXGU09YoEUVEKuHs8veU6QWbaN3LrOaICSmq1tlHwJUE7sILNI3MnOjwZvzYeFCMmSLUOQ62k46HzTVnrFNBqaPIUNQiRsQFUz06TVaA9FxXxYKk2brVLRXiNew1RgDlMp%2BM9EnePR06vYsB9QXEgrblE7M51AU%2BpM09%2BGxukEzUG",
        "https://vtbehaviour.commondatastorage.googleapis.com/1af55649a731abb95d71e2e49693a7bcf87270eb4f8712b747f7e04a0a2a3031_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415762&Signature=4Iu15AELs8158yzYffz716hQ5%2BDY4JHNeJeMzaSmkJrocvfpO7MMmB4MO5Zo%2Bs339dX%2Flb51NK%2Fd3eREGBJkNV3bvbEFaxv1hCO%2Fqge8%2FLnfKLSSRPJ48%2BGAVA22z0gYKvSPfYdGvownSV9GBevxmcIWZ%2F0VK57Mb1gHqvtWKs%2BMGgd4v%2FJJWCmjWx8xLomFVgrpD1boM0PxdVh3X21asN1DplbqcAZ%2Fd5WoOJYic",
        "https://vtbehaviour.commondatastorage.googleapis.com/00000048b1c9e60c14a6619f0292dea96df7f10c11cfa9ae28693219c0ae844b_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415832&Signature=AOcM9Dc%2B2gUBJnZxuNmagisQ8QYjno4RVZd6DZFo553Ws2tWbJ6lUHXGOGTxLZCRccqXY9h0WhcjRXW4EgojbjJxXCTLq1y%2BtxXjZShlepAg7uq2pbXGsBhUcbpS5Jj0upmosZUCtU4mq8fMyjA0Jufv7u%2F%2FhIwKCp6Q9NIixpAXFwNy8BWn%2FOh6em7B0TwRABvcvTsQC2PO%2FOq5J61VWow6JiR2o97x%2Fm1ChJyz%2FvGTsz",
        "https://vtbehaviour.commondatastorage.googleapis.com/2490cba406c48127d4f19ec90640181b6fda91960640d126478a6695aab49c4a_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776416015&Signature=evkFEcpvJ0BNlw47zD%2Bgg2ETU%2FGcbGZI3U%2BLCDkaRH4IhSCbgDF9ABajkx7SCAFA2G%2BndDWCzqKkknqPMARKAJk2b5h%2Bu1Gq8uDozkg9GvP8exgs3%2Bw%2F40637%2BmzlgjutElGFcVRMMDWRF5QEvyEDJVUIXmKmLYmKDYM58fBA4IM2VfpV8BB6HJcySkkMk2J4Mhk9nut%2FIrmFjV99WEunuPKfIgnAataXIXzBGZJl2eJK1OEGK19",
        "https://vtbehaviour.commondatastorage.googleapis.com/2490cba406c48127d4f19ec90640181b6fda91960640d126478a6695aab49c4a_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776416061&Signature=eIQtmFWS2GiSN%2F3bdQCKKOu9%2FiEoDqQYcEtVnvTTBu%2BZ5JFRAyRu7Tgxw5YyVb%2BXK66m6JTN4yIleNl669%2FfdMbOamF6hlF%2FZbucN1etgX%2B8Snq2xrhFN5xZvvWrQukcYlJQnz9s2WSByNnA2Lvi7dn3qQnZMVNcJwWLhL1ayyCBqpiDVaDMGTgQfLrVdec0Xknzzl70Ce70nSgQdxJ4Q%2FSzYtz9Khtk6hyaiBbYxsyiWQ",
        "https://vtbehaviour.commondatastorage.googleapis.com/fb83210a8a2d58af1d2fe5edf812be88b5465c130c3e8a091626bc0a2d6452ae_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776416202&Signature=f43IRerFiqRQ5ke71WfT2lNFf5Jf60FnKcTCpJGhgnSemoBx1iDNvbOs8rePJYHFEiffIuvjjnquRt51dziCswMktwhg8g7Tl3vVfnoYpuBzv6QT86so9sVcKWOt43wFnzCEH1RWrmQDe2jRBGL2Kvhqi%2B3i2iAFdZWCrxoAJtMJVqGVwXM5S7JnLR%2BklB1A5RQQReOEncgwClqKUHMPrSGjXgH%2FDernerWjOXghDL3V2fJ7EJ"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1095",
          "name": "Non-Application Layer Protocol",
          "display_name": "T1095 - Non-Application Layer Protocol"
        },
        {
          "id": "T1203",
          "name": "Exploitation for Client Execution",
          "display_name": "T1203 - Exploitation for Client Execution"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1574",
          "name": "Hijack Execution Flow",
          "display_name": "T1574 - Hijack Execution Flow"
        },
        {
          "id": "T1010",
          "name": "Application Window Discovery",
          "display_name": "T1010 - Application Window Discovery"
        },
        {
          "id": "T1018",
          "name": "Remote System Discovery",
          "display_name": "T1018 - Remote System Discovery"
        },
        {
          "id": "T1047",
          "name": "Windows Management Instrumentation",
          "display_name": "T1047 - Windows Management Instrumentation"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1070",
          "name": "Indicator Removal on Host",
          "display_name": "T1070 - Indicator Removal on Host"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        },
        {
          "id": "T1200",
          "name": "Hardware Additions",
          "display_name": "T1200 - Hardware Additions"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 2,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 686,
        "FileHash-MD5": 96,
        "FileHash-SHA1": 136,
        "IPv4": 98,
        "URL": 562,
        "hostname": 313,
        "domain": 105,
        "IPv6": 2,
        "email": 2,
        "YARA": 1
      },
      "indicator_count": 2001,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 49,
      "modified_text": "1 day ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "69e1f52e424e1151ddd9c696",
      "name": "VirusTotal report\n                    for program.exe",
      "description": "The full text of this year's EU Referendum, which will take place on 26 November, has been published.. and it will not appear on BBC Radio 5 live or on iPlayer.]",
      "modified": "2026-04-18T04:12:55.719000",
      "created": "2026-04-17T08:54:06.864000",
      "tags": [
        "executable",
        "msdos",
        "pe32 executable",
        "intel",
        "ms windows",
        "dos borland",
        "generic windos",
        "dos executable",
        "pe32 compiler",
        "borland delphi",
        "delphi",
        "file type",
        "json",
        "ascii",
        "ascii text",
        "drops pe",
        "pe file",
        "sample",
        "persistence",
        "malicious",
        "next",
        "network capture",
        "wireshark pcap",
        "next generation",
        "dump file",
        "format",
        "little endian",
        "pcap",
        "nothing",
        "registry keys",
        "mutexes nothing",
        "parent pid",
        "full path",
        "command line",
        "files c",
        "read files",
        "read registry",
        "apis nothing",
        "https",
        "urls",
        "creates",
        "pe32",
        "sigma",
        "window",
        "mailpassview",
        "default",
        "mwdb",
        "bazaar",
        "sha3384",
        "ssdeep",
        "file size",
        "sha256",
        "cname",
        "inprocserver32",
        "accept",
        "shutdown",
        "guard",
        "darkgate",
        "windows sandbox",
        "calls process",
        "systemroot",
        "commands",
        "created",
        "xcaxdb xcaxdb",
        "x82xec x82xec",
        "x83xc4 x83xc4",
        "xc1 x",
        "xffu xffu",
        "x8be x8be",
        "x81e x81e",
        "xc4 xc4",
        "x81i x81i",
        "xf3x86 xf3x86",
        "activator",
        "detail info",
        "tickcount",
        "processid",
        "threadid",
        "startaddress",
        "parameter",
        "offset",
        "socket",
        "text",
        "classname",
        "behaviour",
        "class",
        "shell",
        "find",
        "mitre attack",
        "network info",
        "processes extra",
        "program",
        "t1055 process",
        "overview",
        "overview zenbox",
        "verdict",
        "guest system",
        "title",
        "phishing",
        "cape sandbox",
        "t1055",
        "style",
        "courier",
        "ip address",
        "port",
        "gmt ifnonematch",
        "machine summary",
        "meta",
        "inter"
      ],
      "references": [
        "https://vtbehaviour.commondatastorage.googleapis.com/fb83210a8a2d58af1d2fe5edf812be88b5465c130c3e8a091626bc0a2d6452ae_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415519&Signature=e1YxGtIahtkD9VKQTSuo9BFhC4KNicXASSfPf7LiJhYyR2OQOLXoHJjgEUtHCAfeZU7VSacymMfJJhx7M2NXSaPyv5cdsCUWfzeTKwyFqM06pSuq7HqYUJIh2%2BG3bz87h0m%2FMFuU5d0MXdwN9ykL%2FJ8EB4RuyKhfY%2FjBGZMZA0nVn5dQtQ1GySJiLj%2BWsKXQxsYVy%2FBok8h2n2m7EE923RSv%2BkkdQHO3enQf2ikR%2FU%2BtEN4S7xO2",
        "https://vtbehaviour.commondatastorage.googleapis.com/b71ddf3175c9e6b41f143207c6e74a9c327a362b3a1ce7e0282ceae2ad513b3b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415599&Signature=O7Nc7o9GEFU3sFGIZv58PwBR8rG8MIwYQTmDyTNIUlHEEpmUY2Bttz0797jnr4%2BjT%2BCd1r%2BRad4nV4HLruG5QACAgOnQKjtSn%2FhWNes5q1y2qu46J%2BwCUFqmrr%2BpM6MjMmILZUqSezFzC5Fs%2Fnn4iBIQpYxJ8e4sJMXVIONcDkWLhycQk5rVr%2FV7G6tU0yAkoavXhpyrSGqR2Ee9QAoAXLWdixJ0rLJ85yQxWFr0E%2F7%",
        "https://vtbehaviour.commondatastorage.googleapis.com/9e4f036dd6fbb45ce414cb5d040b3255b5ccc9ecacbfaf022b631545f9a19a02_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415622&Signature=NJmj0XG%2BcAwpEa26%2B7ucV3CTWcwrSwSV%2BU62aYx0yDVYzZH70ROLK9%2F2lUy0IuC6n88oOTLoikSC4GRgUVypFQpmJoKQpkPvHZ1SfyklCtIWurZJYZvHSZs32JL0l6t3eEwW61xDg%2FICvOFlPQ0Aju7Hk1ntOY82jD%2B9dVw179jdF3A5jzGDrcr7mP17tnwZcOI0pVfF0ZhtbJL6SCHXBce%2BWS5zRxV2VgXHqrGYl0XLgpK6MD30wBFT",
        "https://vtbehaviour.commondatastorage.googleapis.com/9e4f036dd6fbb45ce414cb5d040b3255b5ccc9ecacbfaf022b631545f9a19a02_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415648&Signature=gOGhlxTumFXkKGryYSeJV8%2BMONZwbp%2BS3ntsErndc02nffG6DHW%2FbU0CVbVSOp3lIZkIt2qx7a%2BTsm2IItEWtGIN55fG14UxsBfo1Gf8bukZC4u5KoQKrVSYuV9aASUd5oCoTo0iIp%2BVCokHRdLbF259Fld%2FjlgJGL%2FVoLiGxXwkbQaxZi5VN94eNl65FMGXLtoVUgbUk3FhXEIuLwwJJU8XnveqbCOzDS9PtPnPO7seXDaK",
        "https://vtbehaviour.commondatastorage.googleapis.com/9e4f036dd6fbb45ce414cb5d040b3255b5ccc9ecacbfaf022b631545f9a19a02_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415662&Signature=ii4xZZXyeZqty%2B%2BwMuioMf90xxcdXimnQRoYesmvSMUfZNPn9hRsSBoDdFdqtcRFep%2BYsQiF4%2BKaDZPUzloaQ%2FeZkEhJokSi2P1NP1ymoIPZ5j%2F8XwTxCO0c%2BGbA%2BECIOWUC9IlgPTZfdCvd1wQiXe4sa1U0QVwZBDk%2B7GDXDJUVIOH6bc8cAZi8Q4QzBqOTaLamgqF1%2BC5uFbLSShJOLGiBZv6PRiQ2L2qk",
        "https://vtbehaviour.commondatastorage.googleapis.com/0244cbf1fbf8809c335b9bbd8142c72e3bbb36881e0aacfba6000e0aaa048ba9_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415703&Signature=L2WgcAgR2nm5cyc0SHe8nYGU6Db6r7Cvr%2F9INkp%2ByiPXoTK3tUwxH06Vr3YnW2wDr8eANqgqXGU09YoEUVEKuHs8veU6QWbaN3LrOaICSmq1tlHwJUE7sILNI3MnOjwZvzYeFCMmSLUOQ62k46HzTVnrFNBqaPIUNQiRsQFUz06TVaA9FxXxYKk2brVLRXiNew1RgDlMp%2BM9EnePR06vYsB9QXEgrblE7M51AU%2BpM09%2BGxukEzUG",
        "https://vtbehaviour.commondatastorage.googleapis.com/1af55649a731abb95d71e2e49693a7bcf87270eb4f8712b747f7e04a0a2a3031_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415762&Signature=4Iu15AELs8158yzYffz716hQ5%2BDY4JHNeJeMzaSmkJrocvfpO7MMmB4MO5Zo%2Bs339dX%2Flb51NK%2Fd3eREGBJkNV3bvbEFaxv1hCO%2Fqge8%2FLnfKLSSRPJ48%2BGAVA22z0gYKvSPfYdGvownSV9GBevxmcIWZ%2F0VK57Mb1gHqvtWKs%2BMGgd4v%2FJJWCmjWx8xLomFVgrpD1boM0PxdVh3X21asN1DplbqcAZ%2Fd5WoOJYic",
        "https://vtbehaviour.commondatastorage.googleapis.com/00000048b1c9e60c14a6619f0292dea96df7f10c11cfa9ae28693219c0ae844b_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415832&Signature=AOcM9Dc%2B2gUBJnZxuNmagisQ8QYjno4RVZd6DZFo553Ws2tWbJ6lUHXGOGTxLZCRccqXY9h0WhcjRXW4EgojbjJxXCTLq1y%2BtxXjZShlepAg7uq2pbXGsBhUcbpS5Jj0upmosZUCtU4mq8fMyjA0Jufv7u%2F%2FhIwKCp6Q9NIixpAXFwNy8BWn%2FOh6em7B0TwRABvcvTsQC2PO%2FOq5J61VWow6JiR2o97x%2Fm1ChJyz%2FvGTsz",
        "https://vtbehaviour.commondatastorage.googleapis.com/2490cba406c48127d4f19ec90640181b6fda91960640d126478a6695aab49c4a_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776416015&Signature=evkFEcpvJ0BNlw47zD%2Bgg2ETU%2FGcbGZI3U%2BLCDkaRH4IhSCbgDF9ABajkx7SCAFA2G%2BndDWCzqKkknqPMARKAJk2b5h%2Bu1Gq8uDozkg9GvP8exgs3%2Bw%2F40637%2BmzlgjutElGFcVRMMDWRF5QEvyEDJVUIXmKmLYmKDYM58fBA4IM2VfpV8BB6HJcySkkMk2J4Mhk9nut%2FIrmFjV99WEunuPKfIgnAataXIXzBGZJl2eJK1OEGK19",
        "https://vtbehaviour.commondatastorage.googleapis.com/2490cba406c48127d4f19ec90640181b6fda91960640d126478a6695aab49c4a_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776416061&Signature=eIQtmFWS2GiSN%2F3bdQCKKOu9%2FiEoDqQYcEtVnvTTBu%2BZ5JFRAyRu7Tgxw5YyVb%2BXK66m6JTN4yIleNl669%2FfdMbOamF6hlF%2FZbucN1etgX%2B8Snq2xrhFN5xZvvWrQukcYlJQnz9s2WSByNnA2Lvi7dn3qQnZMVNcJwWLhL1ayyCBqpiDVaDMGTgQfLrVdec0Xknzzl70Ce70nSgQdxJ4Q%2FSzYtz9Khtk6hyaiBbYxsyiWQ",
        "https://vtbehaviour.commondatastorage.googleapis.com/fb83210a8a2d58af1d2fe5edf812be88b5465c130c3e8a091626bc0a2d6452ae_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776416202&Signature=f43IRerFiqRQ5ke71WfT2lNFf5Jf60FnKcTCpJGhgnSemoBx1iDNvbOs8rePJYHFEiffIuvjjnquRt51dziCswMktwhg8g7Tl3vVfnoYpuBzv6QT86so9sVcKWOt43wFnzCEH1RWrmQDe2jRBGL2Kvhqi%2B3i2iAFdZWCrxoAJtMJVqGVwXM5S7JnLR%2BklB1A5RQQReOEncgwClqKUHMPrSGjXgH%2FDernerWjOXghDL3V2fJ7EJ"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1095",
          "name": "Non-Application Layer Protocol",
          "display_name": "T1095 - Non-Application Layer Protocol"
        },
        {
          "id": "T1203",
          "name": "Exploitation for Client Execution",
          "display_name": "T1203 - Exploitation for Client Execution"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1574",
          "name": "Hijack Execution Flow",
          "display_name": "T1574 - Hijack Execution Flow"
        },
        {
          "id": "T1010",
          "name": "Application Window Discovery",
          "display_name": "T1010 - Application Window Discovery"
        },
        {
          "id": "T1018",
          "name": "Remote System Discovery",
          "display_name": "T1018 - Remote System Discovery"
        },
        {
          "id": "T1047",
          "name": "Windows Management Instrumentation",
          "display_name": "T1047 - Windows Management Instrumentation"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1070",
          "name": "Indicator Removal on Host",
          "display_name": "T1070 - Indicator Removal on Host"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        },
        {
          "id": "T1200",
          "name": "Hardware Additions",
          "display_name": "T1200 - Hardware Additions"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 2,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 714,
        "FileHash-MD5": 128,
        "FileHash-SHA1": 152,
        "IPv4": 98,
        "URL": 692,
        "hostname": 456,
        "domain": 121,
        "IPv6": 2,
        "email": 2,
        "YARA": 5
      },
      "indicator_count": 2370,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 49,
      "modified_text": "1 day ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "69e1f540bec93625fc7c7466",
      "name": "VirusTotal report\n                    for program.exe",
      "description": "The full text of this year's EU Referendum, which will take place on 26 November, has been published.. and it will not appear on BBC Radio 5 live or on iPlayer.]",
      "modified": "2026-04-18T01:05:57.196000",
      "created": "2026-04-17T08:54:24.226000",
      "tags": [
        "executable",
        "msdos",
        "pe32 executable",
        "intel",
        "ms windows",
        "dos borland",
        "generic windos",
        "dos executable",
        "pe32 compiler",
        "borland delphi",
        "delphi",
        "file type",
        "json",
        "ascii",
        "ascii text",
        "drops pe",
        "pe file",
        "sample",
        "persistence",
        "malicious",
        "next",
        "network capture",
        "wireshark pcap",
        "next generation",
        "dump file",
        "format",
        "little endian",
        "pcap",
        "nothing",
        "registry keys",
        "mutexes nothing",
        "parent pid",
        "full path",
        "command line",
        "files c",
        "read files",
        "read registry",
        "apis nothing",
        "https",
        "urls",
        "creates",
        "pe32",
        "sigma",
        "window",
        "mailpassview",
        "default",
        "mwdb",
        "bazaar",
        "sha3384",
        "ssdeep",
        "file size",
        "sha256",
        "cname",
        "inprocserver32",
        "accept",
        "shutdown",
        "guard",
        "darkgate",
        "windows sandbox",
        "calls process",
        "systemroot",
        "commands",
        "created",
        "xcaxdb xcaxdb",
        "x82xec x82xec",
        "x83xc4 x83xc4",
        "xc1 x",
        "xffu xffu",
        "x8be x8be",
        "x81e x81e",
        "xc4 xc4",
        "x81i x81i",
        "xf3x86 xf3x86",
        "activator",
        "detail info",
        "tickcount",
        "processid",
        "threadid",
        "startaddress",
        "parameter",
        "offset",
        "socket",
        "text",
        "classname",
        "behaviour",
        "class",
        "shell",
        "find",
        "mitre attack",
        "network info",
        "processes extra",
        "program",
        "t1055 process",
        "overview",
        "overview zenbox",
        "verdict",
        "guest system",
        "title",
        "phishing",
        "cape sandbox",
        "t1055",
        "style",
        "courier",
        "ip address",
        "port",
        "gmt ifnonematch",
        "machine summary",
        "meta",
        "inter"
      ],
      "references": [
        "https://vtbehaviour.commondatastorage.googleapis.com/fb83210a8a2d58af1d2fe5edf812be88b5465c130c3e8a091626bc0a2d6452ae_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415519&Signature=e1YxGtIahtkD9VKQTSuo9BFhC4KNicXASSfPf7LiJhYyR2OQOLXoHJjgEUtHCAfeZU7VSacymMfJJhx7M2NXSaPyv5cdsCUWfzeTKwyFqM06pSuq7HqYUJIh2%2BG3bz87h0m%2FMFuU5d0MXdwN9ykL%2FJ8EB4RuyKhfY%2FjBGZMZA0nVn5dQtQ1GySJiLj%2BWsKXQxsYVy%2FBok8h2n2m7EE923RSv%2BkkdQHO3enQf2ikR%2FU%2BtEN4S7xO2",
        "https://vtbehaviour.commondatastorage.googleapis.com/b71ddf3175c9e6b41f143207c6e74a9c327a362b3a1ce7e0282ceae2ad513b3b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415599&Signature=O7Nc7o9GEFU3sFGIZv58PwBR8rG8MIwYQTmDyTNIUlHEEpmUY2Bttz0797jnr4%2BjT%2BCd1r%2BRad4nV4HLruG5QACAgOnQKjtSn%2FhWNes5q1y2qu46J%2BwCUFqmrr%2BpM6MjMmILZUqSezFzC5Fs%2Fnn4iBIQpYxJ8e4sJMXVIONcDkWLhycQk5rVr%2FV7G6tU0yAkoavXhpyrSGqR2Ee9QAoAXLWdixJ0rLJ85yQxWFr0E%2F7%",
        "https://vtbehaviour.commondatastorage.googleapis.com/9e4f036dd6fbb45ce414cb5d040b3255b5ccc9ecacbfaf022b631545f9a19a02_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415622&Signature=NJmj0XG%2BcAwpEa26%2B7ucV3CTWcwrSwSV%2BU62aYx0yDVYzZH70ROLK9%2F2lUy0IuC6n88oOTLoikSC4GRgUVypFQpmJoKQpkPvHZ1SfyklCtIWurZJYZvHSZs32JL0l6t3eEwW61xDg%2FICvOFlPQ0Aju7Hk1ntOY82jD%2B9dVw179jdF3A5jzGDrcr7mP17tnwZcOI0pVfF0ZhtbJL6SCHXBce%2BWS5zRxV2VgXHqrGYl0XLgpK6MD30wBFT",
        "https://vtbehaviour.commondatastorage.googleapis.com/9e4f036dd6fbb45ce414cb5d040b3255b5ccc9ecacbfaf022b631545f9a19a02_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415648&Signature=gOGhlxTumFXkKGryYSeJV8%2BMONZwbp%2BS3ntsErndc02nffG6DHW%2FbU0CVbVSOp3lIZkIt2qx7a%2BTsm2IItEWtGIN55fG14UxsBfo1Gf8bukZC4u5KoQKrVSYuV9aASUd5oCoTo0iIp%2BVCokHRdLbF259Fld%2FjlgJGL%2FVoLiGxXwkbQaxZi5VN94eNl65FMGXLtoVUgbUk3FhXEIuLwwJJU8XnveqbCOzDS9PtPnPO7seXDaK",
        "https://vtbehaviour.commondatastorage.googleapis.com/9e4f036dd6fbb45ce414cb5d040b3255b5ccc9ecacbfaf022b631545f9a19a02_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415662&Signature=ii4xZZXyeZqty%2B%2BwMuioMf90xxcdXimnQRoYesmvSMUfZNPn9hRsSBoDdFdqtcRFep%2BYsQiF4%2BKaDZPUzloaQ%2FeZkEhJokSi2P1NP1ymoIPZ5j%2F8XwTxCO0c%2BGbA%2BECIOWUC9IlgPTZfdCvd1wQiXe4sa1U0QVwZBDk%2B7GDXDJUVIOH6bc8cAZi8Q4QzBqOTaLamgqF1%2BC5uFbLSShJOLGiBZv6PRiQ2L2qk",
        "https://vtbehaviour.commondatastorage.googleapis.com/0244cbf1fbf8809c335b9bbd8142c72e3bbb36881e0aacfba6000e0aaa048ba9_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415703&Signature=L2WgcAgR2nm5cyc0SHe8nYGU6Db6r7Cvr%2F9INkp%2ByiPXoTK3tUwxH06Vr3YnW2wDr8eANqgqXGU09YoEUVEKuHs8veU6QWbaN3LrOaICSmq1tlHwJUE7sILNI3MnOjwZvzYeFCMmSLUOQ62k46HzTVnrFNBqaPIUNQiRsQFUz06TVaA9FxXxYKk2brVLRXiNew1RgDlMp%2BM9EnePR06vYsB9QXEgrblE7M51AU%2BpM09%2BGxukEzUG",
        "https://vtbehaviour.commondatastorage.googleapis.com/1af55649a731abb95d71e2e49693a7bcf87270eb4f8712b747f7e04a0a2a3031_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415762&Signature=4Iu15AELs8158yzYffz716hQ5%2BDY4JHNeJeMzaSmkJrocvfpO7MMmB4MO5Zo%2Bs339dX%2Flb51NK%2Fd3eREGBJkNV3bvbEFaxv1hCO%2Fqge8%2FLnfKLSSRPJ48%2BGAVA22z0gYKvSPfYdGvownSV9GBevxmcIWZ%2F0VK57Mb1gHqvtWKs%2BMGgd4v%2FJJWCmjWx8xLomFVgrpD1boM0PxdVh3X21asN1DplbqcAZ%2Fd5WoOJYic",
        "https://vtbehaviour.commondatastorage.googleapis.com/00000048b1c9e60c14a6619f0292dea96df7f10c11cfa9ae28693219c0ae844b_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415832&Signature=AOcM9Dc%2B2gUBJnZxuNmagisQ8QYjno4RVZd6DZFo553Ws2tWbJ6lUHXGOGTxLZCRccqXY9h0WhcjRXW4EgojbjJxXCTLq1y%2BtxXjZShlepAg7uq2pbXGsBhUcbpS5Jj0upmosZUCtU4mq8fMyjA0Jufv7u%2F%2FhIwKCp6Q9NIixpAXFwNy8BWn%2FOh6em7B0TwRABvcvTsQC2PO%2FOq5J61VWow6JiR2o97x%2Fm1ChJyz%2FvGTsz",
        "https://vtbehaviour.commondatastorage.googleapis.com/2490cba406c48127d4f19ec90640181b6fda91960640d126478a6695aab49c4a_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776416015&Signature=evkFEcpvJ0BNlw47zD%2Bgg2ETU%2FGcbGZI3U%2BLCDkaRH4IhSCbgDF9ABajkx7SCAFA2G%2BndDWCzqKkknqPMARKAJk2b5h%2Bu1Gq8uDozkg9GvP8exgs3%2Bw%2F40637%2BmzlgjutElGFcVRMMDWRF5QEvyEDJVUIXmKmLYmKDYM58fBA4IM2VfpV8BB6HJcySkkMk2J4Mhk9nut%2FIrmFjV99WEunuPKfIgnAataXIXzBGZJl2eJK1OEGK19",
        "https://vtbehaviour.commondatastorage.googleapis.com/2490cba406c48127d4f19ec90640181b6fda91960640d126478a6695aab49c4a_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776416061&Signature=eIQtmFWS2GiSN%2F3bdQCKKOu9%2FiEoDqQYcEtVnvTTBu%2BZ5JFRAyRu7Tgxw5YyVb%2BXK66m6JTN4yIleNl669%2FfdMbOamF6hlF%2FZbucN1etgX%2B8Snq2xrhFN5xZvvWrQukcYlJQnz9s2WSByNnA2Lvi7dn3qQnZMVNcJwWLhL1ayyCBqpiDVaDMGTgQfLrVdec0Xknzzl70Ce70nSgQdxJ4Q%2FSzYtz9Khtk6hyaiBbYxsyiWQ",
        "https://vtbehaviour.commondatastorage.googleapis.com/fb83210a8a2d58af1d2fe5edf812be88b5465c130c3e8a091626bc0a2d6452ae_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776416202&Signature=f43IRerFiqRQ5ke71WfT2lNFf5Jf60FnKcTCpJGhgnSemoBx1iDNvbOs8rePJYHFEiffIuvjjnquRt51dziCswMktwhg8g7Tl3vVfnoYpuBzv6QT86so9sVcKWOt43wFnzCEH1RWrmQDe2jRBGL2Kvhqi%2B3i2iAFdZWCrxoAJtMJVqGVwXM5S7JnLR%2BklB1A5RQQReOEncgwClqKUHMPrSGjXgH%2FDernerWjOXghDL3V2fJ7EJ"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1095",
          "name": "Non-Application Layer Protocol",
          "display_name": "T1095 - Non-Application Layer Protocol"
        },
        {
          "id": "T1203",
          "name": "Exploitation for Client Execution",
          "display_name": "T1203 - Exploitation for Client Execution"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1574",
          "name": "Hijack Execution Flow",
          "display_name": "T1574 - Hijack Execution Flow"
        },
        {
          "id": "T1010",
          "name": "Application Window Discovery",
          "display_name": "T1010 - Application Window Discovery"
        },
        {
          "id": "T1018",
          "name": "Remote System Discovery",
          "display_name": "T1018 - Remote System Discovery"
        },
        {
          "id": "T1047",
          "name": "Windows Management Instrumentation",
          "display_name": "T1047 - Windows Management Instrumentation"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1070",
          "name": "Indicator Removal on Host",
          "display_name": "T1070 - Indicator Removal on Host"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        },
        {
          "id": "T1200",
          "name": "Hardware Additions",
          "display_name": "T1200 - Hardware Additions"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 2,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 686,
        "FileHash-MD5": 96,
        "FileHash-SHA1": 136,
        "IPv4": 97,
        "URL": 561,
        "hostname": 316,
        "domain": 105,
        "IPv6": 2,
        "email": 2
      },
      "indicator_count": 2001,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 49,
      "modified_text": "1 day ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "69e1f540aa36f336eb92ff53",
      "name": "VirusTotal report\n                    for program.exe",
      "description": "The full text of this year's EU Referendum, which will take place on 26 November, has been published.. and it will not appear on BBC Radio 5 live or on iPlayer.]",
      "modified": "2026-04-18T00:53:20.700000",
      "created": "2026-04-17T08:54:24.517000",
      "tags": [
        "executable",
        "msdos",
        "pe32 executable",
        "intel",
        "ms windows",
        "dos borland",
        "generic windos",
        "dos executable",
        "pe32 compiler",
        "borland delphi",
        "delphi",
        "file type",
        "json",
        "ascii",
        "ascii text",
        "drops pe",
        "pe file",
        "sample",
        "persistence",
        "malicious",
        "next",
        "network capture",
        "wireshark pcap",
        "next generation",
        "dump file",
        "format",
        "little endian",
        "pcap",
        "nothing",
        "registry keys",
        "mutexes nothing",
        "parent pid",
        "full path",
        "command line",
        "files c",
        "read files",
        "read registry",
        "apis nothing",
        "https",
        "urls",
        "creates",
        "pe32",
        "sigma",
        "window",
        "mailpassview",
        "default",
        "mwdb",
        "bazaar",
        "sha3384",
        "ssdeep",
        "file size",
        "sha256",
        "cname",
        "inprocserver32",
        "accept",
        "shutdown",
        "guard",
        "darkgate",
        "windows sandbox",
        "calls process",
        "systemroot",
        "commands",
        "created",
        "xcaxdb xcaxdb",
        "x82xec x82xec",
        "x83xc4 x83xc4",
        "xc1 x",
        "xffu xffu",
        "x8be x8be",
        "x81e x81e",
        "xc4 xc4",
        "x81i x81i",
        "xf3x86 xf3x86",
        "activator",
        "detail info",
        "tickcount",
        "processid",
        "threadid",
        "startaddress",
        "parameter",
        "offset",
        "socket",
        "text",
        "classname",
        "behaviour",
        "class",
        "shell",
        "find",
        "mitre attack",
        "network info",
        "processes extra",
        "program",
        "t1055 process",
        "overview",
        "overview zenbox",
        "verdict",
        "guest system",
        "title",
        "phishing",
        "cape sandbox",
        "t1055",
        "style",
        "courier",
        "ip address",
        "port",
        "gmt ifnonematch",
        "machine summary",
        "meta",
        "inter"
      ],
      "references": [
        "https://vtbehaviour.commondatastorage.googleapis.com/fb83210a8a2d58af1d2fe5edf812be88b5465c130c3e8a091626bc0a2d6452ae_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415519&Signature=e1YxGtIahtkD9VKQTSuo9BFhC4KNicXASSfPf7LiJhYyR2OQOLXoHJjgEUtHCAfeZU7VSacymMfJJhx7M2NXSaPyv5cdsCUWfzeTKwyFqM06pSuq7HqYUJIh2%2BG3bz87h0m%2FMFuU5d0MXdwN9ykL%2FJ8EB4RuyKhfY%2FjBGZMZA0nVn5dQtQ1GySJiLj%2BWsKXQxsYVy%2FBok8h2n2m7EE923RSv%2BkkdQHO3enQf2ikR%2FU%2BtEN4S7xO2",
        "https://vtbehaviour.commondatastorage.googleapis.com/b71ddf3175c9e6b41f143207c6e74a9c327a362b3a1ce7e0282ceae2ad513b3b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415599&Signature=O7Nc7o9GEFU3sFGIZv58PwBR8rG8MIwYQTmDyTNIUlHEEpmUY2Bttz0797jnr4%2BjT%2BCd1r%2BRad4nV4HLruG5QACAgOnQKjtSn%2FhWNes5q1y2qu46J%2BwCUFqmrr%2BpM6MjMmILZUqSezFzC5Fs%2Fnn4iBIQpYxJ8e4sJMXVIONcDkWLhycQk5rVr%2FV7G6tU0yAkoavXhpyrSGqR2Ee9QAoAXLWdixJ0rLJ85yQxWFr0E%2F7%",
        "https://vtbehaviour.commondatastorage.googleapis.com/9e4f036dd6fbb45ce414cb5d040b3255b5ccc9ecacbfaf022b631545f9a19a02_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415622&Signature=NJmj0XG%2BcAwpEa26%2B7ucV3CTWcwrSwSV%2BU62aYx0yDVYzZH70ROLK9%2F2lUy0IuC6n88oOTLoikSC4GRgUVypFQpmJoKQpkPvHZ1SfyklCtIWurZJYZvHSZs32JL0l6t3eEwW61xDg%2FICvOFlPQ0Aju7Hk1ntOY82jD%2B9dVw179jdF3A5jzGDrcr7mP17tnwZcOI0pVfF0ZhtbJL6SCHXBce%2BWS5zRxV2VgXHqrGYl0XLgpK6MD30wBFT",
        "https://vtbehaviour.commondatastorage.googleapis.com/9e4f036dd6fbb45ce414cb5d040b3255b5ccc9ecacbfaf022b631545f9a19a02_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415648&Signature=gOGhlxTumFXkKGryYSeJV8%2BMONZwbp%2BS3ntsErndc02nffG6DHW%2FbU0CVbVSOp3lIZkIt2qx7a%2BTsm2IItEWtGIN55fG14UxsBfo1Gf8bukZC4u5KoQKrVSYuV9aASUd5oCoTo0iIp%2BVCokHRdLbF259Fld%2FjlgJGL%2FVoLiGxXwkbQaxZi5VN94eNl65FMGXLtoVUgbUk3FhXEIuLwwJJU8XnveqbCOzDS9PtPnPO7seXDaK",
        "https://vtbehaviour.commondatastorage.googleapis.com/9e4f036dd6fbb45ce414cb5d040b3255b5ccc9ecacbfaf022b631545f9a19a02_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415662&Signature=ii4xZZXyeZqty%2B%2BwMuioMf90xxcdXimnQRoYesmvSMUfZNPn9hRsSBoDdFdqtcRFep%2BYsQiF4%2BKaDZPUzloaQ%2FeZkEhJokSi2P1NP1ymoIPZ5j%2F8XwTxCO0c%2BGbA%2BECIOWUC9IlgPTZfdCvd1wQiXe4sa1U0QVwZBDk%2B7GDXDJUVIOH6bc8cAZi8Q4QzBqOTaLamgqF1%2BC5uFbLSShJOLGiBZv6PRiQ2L2qk",
        "https://vtbehaviour.commondatastorage.googleapis.com/0244cbf1fbf8809c335b9bbd8142c72e3bbb36881e0aacfba6000e0aaa048ba9_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415703&Signature=L2WgcAgR2nm5cyc0SHe8nYGU6Db6r7Cvr%2F9INkp%2ByiPXoTK3tUwxH06Vr3YnW2wDr8eANqgqXGU09YoEUVEKuHs8veU6QWbaN3LrOaICSmq1tlHwJUE7sILNI3MnOjwZvzYeFCMmSLUOQ62k46HzTVnrFNBqaPIUNQiRsQFUz06TVaA9FxXxYKk2brVLRXiNew1RgDlMp%2BM9EnePR06vYsB9QXEgrblE7M51AU%2BpM09%2BGxukEzUG",
        "https://vtbehaviour.commondatastorage.googleapis.com/1af55649a731abb95d71e2e49693a7bcf87270eb4f8712b747f7e04a0a2a3031_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415762&Signature=4Iu15AELs8158yzYffz716hQ5%2BDY4JHNeJeMzaSmkJrocvfpO7MMmB4MO5Zo%2Bs339dX%2Flb51NK%2Fd3eREGBJkNV3bvbEFaxv1hCO%2Fqge8%2FLnfKLSSRPJ48%2BGAVA22z0gYKvSPfYdGvownSV9GBevxmcIWZ%2F0VK57Mb1gHqvtWKs%2BMGgd4v%2FJJWCmjWx8xLomFVgrpD1boM0PxdVh3X21asN1DplbqcAZ%2Fd5WoOJYic",
        "https://vtbehaviour.commondatastorage.googleapis.com/00000048b1c9e60c14a6619f0292dea96df7f10c11cfa9ae28693219c0ae844b_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776415832&Signature=AOcM9Dc%2B2gUBJnZxuNmagisQ8QYjno4RVZd6DZFo553Ws2tWbJ6lUHXGOGTxLZCRccqXY9h0WhcjRXW4EgojbjJxXCTLq1y%2BtxXjZShlepAg7uq2pbXGsBhUcbpS5Jj0upmosZUCtU4mq8fMyjA0Jufv7u%2F%2FhIwKCp6Q9NIixpAXFwNy8BWn%2FOh6em7B0TwRABvcvTsQC2PO%2FOq5J61VWow6JiR2o97x%2Fm1ChJyz%2FvGTsz",
        "https://vtbehaviour.commondatastorage.googleapis.com/2490cba406c48127d4f19ec90640181b6fda91960640d126478a6695aab49c4a_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776416015&Signature=evkFEcpvJ0BNlw47zD%2Bgg2ETU%2FGcbGZI3U%2BLCDkaRH4IhSCbgDF9ABajkx7SCAFA2G%2BndDWCzqKkknqPMARKAJk2b5h%2Bu1Gq8uDozkg9GvP8exgs3%2Bw%2F40637%2BmzlgjutElGFcVRMMDWRF5QEvyEDJVUIXmKmLYmKDYM58fBA4IM2VfpV8BB6HJcySkkMk2J4Mhk9nut%2FIrmFjV99WEunuPKfIgnAataXIXzBGZJl2eJK1OEGK19",
        "https://vtbehaviour.commondatastorage.googleapis.com/2490cba406c48127d4f19ec90640181b6fda91960640d126478a6695aab49c4a_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776416061&Signature=eIQtmFWS2GiSN%2F3bdQCKKOu9%2FiEoDqQYcEtVnvTTBu%2BZ5JFRAyRu7Tgxw5YyVb%2BXK66m6JTN4yIleNl669%2FfdMbOamF6hlF%2FZbucN1etgX%2B8Snq2xrhFN5xZvvWrQukcYlJQnz9s2WSByNnA2Lvi7dn3qQnZMVNcJwWLhL1ayyCBqpiDVaDMGTgQfLrVdec0Xknzzl70Ce70nSgQdxJ4Q%2FSzYtz9Khtk6hyaiBbYxsyiWQ",
        "https://vtbehaviour.commondatastorage.googleapis.com/fb83210a8a2d58af1d2fe5edf812be88b5465c130c3e8a091626bc0a2d6452ae_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776416202&Signature=f43IRerFiqRQ5ke71WfT2lNFf5Jf60FnKcTCpJGhgnSemoBx1iDNvbOs8rePJYHFEiffIuvjjnquRt51dziCswMktwhg8g7Tl3vVfnoYpuBzv6QT86so9sVcKWOt43wFnzCEH1RWrmQDe2jRBGL2Kvhqi%2B3i2iAFdZWCrxoAJtMJVqGVwXM5S7JnLR%2BklB1A5RQQReOEncgwClqKUHMPrSGjXgH%2FDernerWjOXghDL3V2fJ7EJ"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1095",
          "name": "Non-Application Layer Protocol",
          "display_name": "T1095 - Non-Application Layer Protocol"
        },
        {
          "id": "T1203",
          "name": "Exploitation for Client Execution",
          "display_name": "T1203 - Exploitation for Client Execution"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1574",
          "name": "Hijack Execution Flow",
          "display_name": "T1574 - Hijack Execution Flow"
        },
        {
          "id": "T1010",
          "name": "Application Window Discovery",
          "display_name": "T1010 - Application Window Discovery"
        },
        {
          "id": "T1018",
          "name": "Remote System Discovery",
          "display_name": "T1018 - Remote System Discovery"
        },
        {
          "id": "T1047",
          "name": "Windows Management Instrumentation",
          "display_name": "T1047 - Windows Management Instrumentation"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1070",
          "name": "Indicator Removal on Host",
          "display_name": "T1070 - Indicator Removal on Host"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        },
        {
          "id": "T1200",
          "name": "Hardware Additions",
          "display_name": "T1200 - Hardware Additions"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 5,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 860,
        "FileHash-MD5": 180,
        "FileHash-SHA1": 224,
        "IPv4": 97,
        "URL": 639,
        "hostname": 362,
        "domain": 107,
        "IPv6": 2,
        "email": 2
      },
      "indicator_count": 2473,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 49,
      "modified_text": "1 day ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "69decb6dd1bd6da78fc72d0a",
      "name": "Solarwinds Similarties? Tactics ASP.Net IoC\u2019s ISOLATED",
      "description": "Does this have similarities to the SolarWinds Attack? Anyone?\n\nASP.NET is a web application framework created by Microsoft for building dynamic web applications.\nIt enables developers to create web pages that can interact with databases and respond to user inputs.\nASP.NET supports various programming languages, including C# and VB.NET.\nContext: ASP.NET is widely used for developing modern web applications and services. It allows developers to create interactive and data-driven web pages that can run on various operating systems, including Windows, Linux, and macOS. The framework is open-source and supports various architectures, including MVC (Model-View-Controller) and Web API, which facilitate the organization and development of complex applications.\nIn many instances ASP.net has been seen connected to malicious Tulach , Apple , a browser agent that transmits data to New Relic's collectors by using either of the domains bam.nr-data.net or bam-cell.nr-data.net.",
      "modified": "2026-04-14T23:19:09.495000",
      "created": "2026-04-14T23:19:09.495000",
      "tags": [
        "united",
        "aaaa",
        "certificate",
        "error",
        "read c",
        "rgba",
        "unicode",
        "memcommit",
        "delete",
        "dock",
        "execution",
        "command decode",
        "suricata ipv4",
        "suricata tcpv4",
        "flag",
        "localappdata",
        "windir",
        "openurl c",
        "programfiles",
        "suricata udpv4",
        "win64",
        "click",
        "strings",
        "anon",
        "username",
        "userprofile",
        "mitre att",
        "ck id",
        "ck matrix",
        "appdata",
        "comspec",
        "model",
        "path",
        "april",
        "hybrid",
        "general",
        "learn",
        "suspicious",
        "informative",
        "adversaries",
        "command",
        "spawns",
        "ck techniques",
        "mtb apr",
        "exploit",
        "trojan",
        "backdoor",
        "please",
        "x msedge",
        "all ipv4",
        "ransom",
        "date hash",
        "avast avg",
        "win32orbus apr",
        "dynamicloader",
        "yara rule",
        "high",
        "tofsee",
        "rndhex",
        "rndchar",
        "loaderid",
        "lidfileupd",
        "localcfg",
        "write",
        "stream",
        "push",
        "mtb alerts",
        "ee fc",
        "ff d5",
        "lredmond",
        "malware",
        "msie",
        "windows nt",
        "wow64",
        "slcc2",
        "media center",
        "yara detections",
        "av detections",
        "ids detections",
        "hostile",
        "unknown",
        "extraction",
        "data upload",
        "failed",
        "include review",
        "stop data",
        "typ url",
        "url data",
        "typ no",
        "th all",
        "stop",
        "port",
        "destination",
        "ds detections",
        "tls sni",
        "nrv2x",
        "upxoepplace",
        "alerts",
        "contacted",
        "markus",
        "hostile alerts",
        "less see",
        "all ip",
        "tulach",
        "brian sabey",
        "quasi",
        "link",
        "script urls",
        "record value",
        "script domains",
        "fireeye",
        "create c",
        "as15169",
        "next",
        "all url",
        "http",
        "related pulses",
        "related tags",
        "google safe",
        "code",
        "y se",
        "included review",
        "io excluded",
        "suggeste",
        "ipv4",
        "unknown ns",
        "redacted admin",
        "fax redacted",
        "name redacted",
        "phone redacted",
        "code redacted",
        "redacted tech",
        "christopher ahmann",
        "solarwinds like?"
      ],
      "references": [
        "asp.net \u2022 cdnsrc.asp.net",
        "https://www.countercept.com/assets/Uploads/whitepapers/MWRI-Countercept-Machine-Learning-Whitepaper-2017-04-01.pdf",
        "http://www.phonefactor.com/PfPaWs/ConfirmActivation",
        "IPv4 13.107.253.70 exploit_source \u2022 IPv4 13.107.226.70 malware_hosting",
        "https://wsps.ourschoolpages.com/Account/ForgotPasswor (typo",
        "https://hybrid-analysis.com/sample/529a0b900eef6657ce6c98b1b5bccebe6db2e021aa02a316b7eb2604df810d3f/69de30ef0a22c3b506077a8c",
        "www.fireeye.com",
        "danilovstyle.ru",
        "ns4-04.azure-dns.info",
        "ns4-04.azure-dns.info danilovst) ns4-04.azure-dns.info",
        "www.fireeye.com .",
        "https://hypic-anaivsis.com/sambrerb/a0p9veebo",
        "Are these table SolarWinds attackers? Using same tactics, good? Unsure.",
        "Tulach\u2019s ASP.Net Open Source destruction"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "Ransom:Win32/SodinokibiCrypt.SK!MTB",
          "display_name": "Ransom:Win32/SodinokibiCrypt.SK!MTB",
          "target": "/malware/Ransom:Win32/SodinokibiCrypt.SK!MTB"
        },
        {
          "id": "Win.Ransomware.Tofsee-10015002",
          "display_name": "Win.Ransomware.Tofsee-10015002",
          "target": null
        },
        {
          "id": "Trojan:Win32/Comisproc!gmb I",
          "display_name": "Trojan:Win32/Comisproc!gmb I",
          "target": "/malware/Trojan:Win32/Comisproc!gmb I"
        }
      ],
      "attack_ids": [
        {
          "id": "T1053",
          "name": "Scheduled Task/Job",
          "display_name": "T1053 - Scheduled Task/Job"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1119",
          "name": "Automated Collection",
          "display_name": "T1119 - Automated Collection"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1143",
          "name": "Hidden Window",
          "display_name": "T1143 - Hidden Window"
        },
        {
          "id": "T1113",
          "name": "Screen Capture",
          "display_name": "T1113 - Screen Capture"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1041",
          "name": "Exfiltration Over C2 Channel",
          "display_name": "T1041 - Exfiltration Over C2 Channel"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1132",
          "name": "Data Encoding",
          "display_name": "T1132 - Data Encoding"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1553",
          "name": "Subvert Trust Controls",
          "display_name": "T1553 - Subvert Trust Controls"
        },
        {
          "id": "T1568",
          "name": "Dynamic Resolution",
          "display_name": "T1568 - Dynamic Resolution"
        },
        {
          "id": "T1583",
          "name": "Acquire Infrastructure",
          "display_name": "T1583 - Acquire Infrastructure"
        },
        {
          "id": "T1583.001",
          "name": "Domains",
          "display_name": "T1583.001 - Domains"
        },
        {
          "id": "T1071.004",
          "name": "DNS",
          "display_name": "T1071.004 - DNS"
        },
        {
          "id": "T1568.002",
          "name": "Domain Generation Algorithms",
          "display_name": "T1568.002 - Domain Generation Algorithms"
        },
        {
          "id": "T1132.001",
          "name": "Standard Encoding",
          "display_name": "T1132.001 - Standard Encoding"
        },
        {
          "id": "T1553.002",
          "name": "Code Signing",
          "display_name": "T1553.002 - Code Signing"
        },
        {
          "id": "T1518.001",
          "name": "Security Software Discovery",
          "display_name": "T1518.001 - Security Software Discovery"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        },
        {
          "id": "T1060",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1060 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Q.Vashti",
        "id": "337942",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "IPv4": 88,
        "FileHash-MD5": 211,
        "FileHash-SHA1": 186,
        "FileHash-SHA256": 1366,
        "URL": 1848,
        "domain": 418,
        "email": 4,
        "hostname": 622,
        "SSLCertFingerprint": 21
      },
      "indicator_count": 4764,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 137,
      "modified_text": "4 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "69d747314a8fc4fa30250fe9",
      "name": "VirusTotal report\n                    for program.exe",
      "description": "<A new tool has been developed by JetBrains that can detect \"unusual processes\" accessing desktop.ini, a folder that is accessed only by Windows Explorer and its associated operating system ( Explorer).> Report date relevance: May 18 2025.",
      "modified": "2026-04-09T07:29:31.205000",
      "created": "2026-04-09T06:29:05.116000",
      "tags": [
        "explorer",
        "maxime thiebaut",
        "files",
        "imageendswith",
        "windows sccm",
        "pe file",
        "drops pe",
        "sample",
        "drops",
        "pe32",
        "intel",
        "ms windows",
        "infects",
        "found",
        "mitre attack",
        "persistence",
        "info",
        "next",
        "windows sandbox",
        "calls clear",
        "users",
        "nothing",
        "registry keys",
        "change",
        "mutexes nothing",
        "parent pid",
        "full path",
        "command line",
        "files c",
        "devicecng c",
        "bit locker hijacked",
        "illegal one drive cross tenant",
        "Esign violation",
        "non secure workflow",
        "wiper",
        "MDMenrollment misuse",
        "broken seal",
        "pdfkit.net DMV",
        "vzwbiz",
        "modified after creation non secure workflow",
        "Docusign exploited by non secure workflow",
        "Human Error/Spyware/Risk+",
        "Abobe Exploited by non secure process",
        "CaRoot Cert Abuse",
        "cryptography unsound"
      ],
      "references": [
        "https://vtbehaviour.commondatastorage.googleapis.com/2566a2924072ac9821eb7ecde8bedf7197ceb09d99cd17ff48864a2323546bf9_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775715909&Signature=gpI0cV%2Bz5SujLXqKc%2FMViiMPztLVAF6Rp00wpW3LF4PyrCqLg7GTlahQtBw0v4rtG0E8HaaDkNRYZ6xPc%2BaCuTHHzf0b8HN0%2BOiY%2B%2Bk4Q5eiI%2BJCJiWefs3vtk9u5bFyGQqM4nzF3u1uk2E8d3TKiy09A5K7YNLjbAsewBUu5mmJZsTeErl3nBhQcKu1stwt1ycd78SLCg8fUl3U7DDaqfd3hJbY98lWj8e6NwMu6VxskCRDdSQsdWj2",
        "https://vtbehaviour.commondatastorage.googleapis.com/2566a2924072ac9821eb7ecde8bedf7197ceb09d99cd17ff48864a2323546bf9_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775715951&Signature=XmRkiqq6Fjiq21rddntr3oHg%2BIPR1SrVwk6v5ZZ%2FJ4PkIpl7sqX1DjtJMGHoYvndxGmCeSCYQ08LS9hYRAWXupAhPzRcTkFcmq6KY%2FyMoab3l0SDixcrT9tLxB4iEobBJOzX0Fb%2B8QDyAbyjsuoKSMNCQC0CrVZyT7X54GsN93BU0FXiJWIIluOisGnjwoqL3rdMF8%2BPEJgkcUJTOIuIRaX57nsrXAMIv7dbn9BGZFDXH0",
        "https://vtbehaviour.commondatastorage.googleapis.com/2566a2924072ac9821eb7ecde8bedf7197ceb09d99cd17ff48864a2323546bf9_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775715964&Signature=A%2BPIQBCth46RBnI1rK4wnu%2B0XtyUhEdo1TORDahLnR6yM%2BbI8gLsWpjDTmV8aSDFIcFddcr%2BCs9TqMa65j3jNrLz9NcyZekNiDekQlkYCbMCIiYduRDT9nLy485HDee9RRJ3YSbeqJQSjzOXemRKeyL8rg3ml6WTeCly22CrQPLljCwWWUbsQLYOMqu0OADj%2BKEZv%2B5gVOmJsQIBQugE%2F0xSYw1lKowIs5nlYy9Z0hbFUycO"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "PathWiper",
          "display_name": "PathWiper",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1080",
          "name": "Taint Shared Content",
          "display_name": "T1080 - Taint Shared Content"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1574",
          "name": "Hijack Execution Flow",
          "display_name": "T1574 - Hijack Execution Flow"
        }
      ],
      "industries": [
        "Government",
        "Telecommunications",
        "Technology"
      ],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 81,
        "URL": 421,
        "hostname": 491,
        "FileHash-MD5": 477,
        "FileHash-SHA1": 298,
        "FileHash-SHA256": 719,
        "IPv4": 177,
        "CVE": 5,
        "email": 12,
        "CIDR": 2
      },
      "indicator_count": 2683,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 49,
      "modified_text": "10 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "69d6619d62ea0c3bbf0ebf75",
      "name": "Mac OS Unwanted Programs | Mac Booster application potentially installed in background without target\u2019s knowledge",
      "description": "Not installed by users I\u2019m researching for. Downloaded as an unwanted program Overview of com.iobit.MacBooster-3\ncom.iobit.MacBooster-3 is the package identifier for MacBooster 3, a software application developed by IObit. This application is specifically designed for optimizing and maintaining Mac computers.\nKey Features\nMacBooster 3 includes several essential features aimed at enhancing the performance and security of Mac systems:\nSystem Cleanup: .\nPerformance Boosting: \nMalware Protection: .\nCompatibility\nMacBooster 3 is compatible with macOS versions starting from OS X 10.9. False - \nWhat are the potential risks of using MacBooster 3 on a Mac computer?\nUsing MacBooster 3 on a Mac computer can lead to potentially unwanted program (PUP) behavior, including browser interference, frequent pop-ups, and the installation of unnecessary software.",
      "modified": "2026-04-08T14:09:33.432000",
      "created": "2026-04-08T14:09:33.432000",
      "tags": [
        "issuer apple",
        "valid from",
        "valid",
        "serial number",
        "macho",
        "macho 64bit",
        "mac os",
        "x macho",
        "intel",
        "file version",
        "team identifier",
        "apple root",
        "ca feb",
        "am ma9eduzpcw",
        "signers",
        "issuer valid",
        "from valid",
        "status issuer",
        "apple inc",
        "valid apple",
        "a9 a8",
        "process32nextw",
        "regsetvalueexa",
        "read c",
        "regdword",
        "tls handshake",
        "failure",
        "msie",
        "malware",
        "write",
        "win32",
        "unknown",
        "dynamicloader",
        "high",
        "myapp",
        "device driver",
        "host",
        "worm",
        "delphi",
        "error",
        "code",
        "defender",
        "next",
        "file score",
        "cryp",
        "virus",
        "checkin tls",
        "forbidden yara",
        "msvisualcpp2008",
        "less ip",
        "contacted",
        "scanning host",
        "trojan",
        "exploit host",
        "apple inc",
        "monitored target",
        "targeting",
        "name servers",
        "servers",
        "expiration date",
        "value emails",
        "name domain",
        "org apple",
        "infinite loop",
        "city cupertino",
        "country us",
        "tulach"
      ],
      "references": [
        "com.iobit.MacBooster-3",
        "IDS Detections: Win32.Floxif.A Checkin TLS Handshake Failure 403 Forbidden",
        "Yara Detections: Malware_Floxif_mpsvc_dll ,  stack_string ,  MS_Visual_Cpp_2008 ,",
        "Yara Detections:  KERNEL32_DLL_xor_exe_key_197 ,  xor_0xc5_This_program",
        "Alerts: dead_host network_icmp nolookup_communication persistence_autorun",
        "Alerts: modifies_proxy_wpad antivm_vmware_in_instruction dumped_buffer",
        "Alerts: network_cnc_http network_http allocates_rwx antisandbox_sleep creates_exe",
        "Alerts: injection_process_search antivm_network_adapters privilege_luid_check",
        "Alerts: checks_debugger has_pdb raises_exception",
        "IP\u2019s Contacted:  104.200.23.95  174.139.10.194  198.35.26.96",
        "Domains Contacted: en.wikipedia.org 5isohu.com www.aieov.com",
        "Monitored targets. Tsara Brashears, UAlberta (disable_duck) seen",
        "I can\u2019t speak for behavior of targets. Seems unlikely  programs were intentionally installed.",
        "https://otx.alienvault.com/indicator/cve/CVE-2023-22518",
        "Issue! Team member found CVE-2023-22518 have origins from the State of Colorado",
        "Issue! Multiple IoC\u2019s missing.",
        "A user StreamMiningEx copied pulses: octoseek, scoreblue,  KAILULA4, callmeDoris , dorkingbeauty1 and more",
        "I can\u2019t help but notice a trend. IoC\u2019s found by actual targets are removed from pulses. Recent users are listed in place",
        "Issue! What I am troubled about is the deletion service that has plagued OTX/ LevelBlue",
        "Brian Sabey, Tulach, other adversaries working illegally to remove IoC\u2019s",
        "Disturbed pulses of mercenary attacks S/A NSO Pegasus NOT reported to CISA or Citizens Lab.",
        "Reporting is an expected protocol. Is this more of a \u2018bounty\u2019 focused, a honeypot?",
        "Researching using an easy powerful tool like this has led to confrontations.",
        "I liked the tool. There is something strange happening with the pulses & IoC\u2019s",
        "I did not clone my pulse to read Bit.io",
        "I am not cloning pulses belonging to others without crediting.  I\u2019m one of a few who credit. This has happened to other team members",
        "There are serious researchers on here for a short time hoping to resolve serious cyber issues",
        "I am unable to reach Level Blue regarding issues. Mailer Daemon only",
        "It\u2019s not just me. I have contacted from very secured emails, networks, devices",
        "I typically follow targets who have truly dangerous situations who no longer pulse.",
        "This would be sent in an email but \u2026.",
        "About  pulse, found in peripheral.",
        "When your pulse says contacted, who is contacted besides OTX?",
        "An earlier version contacted entities affected or affecting targets."
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Worm:Win32/AutoRun!atmn",
          "display_name": "Worm:Win32/AutoRun!atmn",
          "target": "/malware/Worm:Win32/AutoRun!atmn"
        },
        {
          "id": "Virus:Win32/Floxif.H",
          "display_name": "Virus:Win32/Floxif.H",
          "target": "/malware/Virus:Win32/Floxif.H"
        },
        {
          "id": "Exploit:Win32/CVE-2017-0147",
          "display_name": "Exploit:Win32/CVE-2017-0147",
          "target": "/malware/Exploit:Win32/CVE-2017-0147"
        },
        {
          "id": "Ransom:Win32/CVE-2017-0147",
          "display_name": "Ransom:Win32/CVE-2017-0147",
          "target": "/malware/Ransom:Win32/CVE-2017-0147"
        },
        {
          "id": "CVE-2023-22518",
          "display_name": "CVE-2023-22518",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1040",
          "name": "Network Sniffing",
          "display_name": "T1040 - Network Sniffing"
        },
        {
          "id": "T1053",
          "name": "Scheduled Task/Job",
          "display_name": "T1053 - Scheduled Task/Job"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1060",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1060 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1155",
          "name": "AppleScript",
          "display_name": "T1155 - AppleScript"
        },
        {
          "id": "T1031",
          "name": "Modify Existing Service",
          "display_name": "T1031 - Modify Existing Service"
        },
        {
          "id": "T1410",
          "name": "Network Traffic Capture or Redirection",
          "display_name": "T1410 - Network Traffic Capture or Redirection"
        },
        {
          "id": "T1449",
          "name": "Exploit SS7 to Redirect Phone Calls/SMS",
          "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
        },
        {
          "id": "T1089",
          "name": "Disabling Security Tools",
          "display_name": "T1089 - Disabling Security Tools"
        },
        {
          "id": "T1562.001",
          "name": "Disable or Modify Tools",
          "display_name": "T1562.001 - Disable or Modify Tools"
        },
        {
          "id": "T1068",
          "name": "Exploitation for Privilege Escalation",
          "display_name": "T1068 - Exploitation for Privilege Escalation"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Q.Vashti",
        "id": "337942",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA1": 75,
        "FileHash-MD5": 102,
        "FileHash-SHA256": 2076,
        "IPv4": 111,
        "URL": 2496,
        "CVE": 2,
        "domain": 483,
        "hostname": 938,
        "email": 4,
        "SSLCertFingerprint": 2
      },
      "indicator_count": 6289,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 138,
      "modified_text": "11 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "69d586108786e7be59439809",
      "name": "Bot.io",
      "description": "",
      "modified": "2026-04-07T22:32:48.996000",
      "created": "2026-04-07T22:32:48.996000",
      "tags": [
        "added active",
        "related pulses",
        "found",
        "zergeca botnet",
        "zergeca",
        "upx packer",
        "khtml",
        "gecko",
        "united",
        "ids detections",
        "yara detections",
        "https domain",
        "tls sni",
        "ip lookup",
        "external ip",
        "malware",
        "encrypt",
        "techniques",
        "modify system",
        "process",
        "https",
        "performs dns",
        "tls version",
        "reads cpu",
        "proc indicative",
        "urls",
        "downloads",
        "persistence",
        "data upload",
        "extraction",
        "find s",
        "failed",
        "typ don",
        "ipv4 url",
        "canreb",
        "type ipv4",
        "url domail",
        "domail showing",
        "elf conta",
        "typ url",
        "zercega",
        "enter sc",
        "type",
        "include",
        "review",
        "n1 exclude",
        "suggestedincc",
        "a50 typ",
        "ipv4",
        "matches yara",
        "dete data",
        "yara detectea",
        "cro intormation",
        "exclude sugges",
        "sc car",
        "extra lte",
        "referen",
        "l extraction",
        "droo anv",
        "extr referen",
        "lte all",
        "je matches",
        "yara detel",
        "yara dete",
        "include review",
        "exchange lte",
        "je elf",
        "passive dns",
        "certificate",
        "files",
        "trojan",
        "related tags",
        "worm",
        "medium",
        "write c",
        "write",
        "high",
        "binary",
        "yara rule",
        "default",
        "moved",
        "schaan",
        "as834 ipxo",
        "dynamicloader",
        "program",
        "ee fc",
        "users",
        "ff d5",
        "python",
        "windows",
        "autoit",
        "confuserex",
        "stream",
        "guard",
        "launcher",
        "updater",
        "global",
        "america flag",
        "ashburn",
        "america related",
        "tags",
        "indicator facts",
        "historical otx",
        "controller fake",
        "akamai rank",
        "russia",
        "present nov",
        "aaaa",
        "link",
        "a domains",
        "ip address",
        "meta",
        "cve -2014-2321",
        "handle",
        "address range",
        "cidr",
        "network name",
        "allocation type",
        "pa status",
        "whois server",
        "included iocs",
        "manually add",
        "iocs o",
        "iocs",
        "sugges",
        "stop show",
        "types",
        "external",
        "ripe",
        "pa abusec",
        "neterra",
        "sofia",
        "bulgaria phone",
        "filtered person",
        "neven dilkov",
        "bg phone",
        "filtered route",
        "a5ip",
        "aa2023",
        "aamirai",
        "a2scanner",
        "apple inc",
        "issuer",
        "valid",
        "algorit",
        "thum",
        "name",
        "a9 a8",
        "status",
        "macho",
        "macho 64bit",
        "mac os",
        "x macho",
        "intel",
        "typ no",
        "td td",
        "td tr",
        "a td",
        "dynamic dns",
        "date",
        "name servers",
        "arial",
        "error",
        "null",
        "enough",
        "hosts",
        "win32",
        "fast",
        "contacted",
        "MacSync_AppleScript_Stealer",
        "cve-2018-10562",
        "source",
        "roboto",
        "robotodraft",
        "helvetica",
        "iframe",
        "manually ada",
        "review iocs",
        "abv0",
        "qaeaav0",
        "cptbdev",
        "w4uninitialized",
        "qaeaav01",
        "abv01",
        "qaexn",
        "qbenxz",
        "phoneidentify",
        "qbepaxxz"
      ],
      "references": [
        "https://apple.k8s.joewa.com/\u2022 https://com.apple \u2022 freedns.afraid.org",
        "IPv4 188.114.96.1 In CDN range: provider=cloudflare \u2022 dns.google \u2022 push.apple.com",
        "Zergeca \u2022 IPv4 84.54.51.82",
        "Zergeca \u2022  http://bot.hamsterrace.space:5966/",
        "Zergeca \u2022  multi-user.target",
        "Zergeca \u2022  ootheca.pw",
        "CVE-2023-22518\tCVE-2018-10562\t CVE-2024-6387\tCVE-2025-20393",
        "Crowdsourced IDS rules: 6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29",
        "Matches rule Suspicious DNS Query for IP Lookup Service APIs by Brandon George (blog post), Thomas Patzke",
        "Matches rule Suspicious Network Connection to IP Lookup Service APIs by Janantha Marasinghe, Nasreddine Bencherchali (Nextron Systems)",
        "Matches rule Local System Accounts Discovery - Linux by Alejandro Ortuno, oscd.community",
        "Crowdsourced IDS rules:",
        "Matches rule ET POLICY External IP Lookup ipinfo.io",
        "Matches rule ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)",
        "Matches rule ET INFO External IP Check (checkip .amazonaws .com)",
        "Matches rule SERVER-OTHER Squid HTTP Vary response header denial of service attempt",
        "Matches rule ET INFO Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI) Unique rule identifier: This rule belongs to a private collection.",
        "Yara detected: Xmrig cryptocurrency miner",
        "Yara detected: Reads CPU information from /proc indicative of miner or evasive malware Compliance",
        "meta.com \u2022 meta.com.apple",
        "geomi.service \u2022 74b23c7dc3cca50a6d78e18116e31ca189a4549de35ff49903af2c4c0bd06a63",
        "ELF contains segments with high entropy indicating compressed/encrypted content",
        "/etc/systemd/system/geomi.service File type: ASCII text",
        "http://www.bing.lt/search?q=",
        "Win.Malware.Salat-10058846-0",
        "Yara Detections: MacSync_AppleScript_Stealer",
        "Alerts: antisandbox_unhook hardware_id_profiling ntdll_memory_unhooking binary_yara",
        "Alerts: recon _fingerprint registers_vectored_exception_handler creates_suspended_process",
        "Alerts: resumethread_remote_process enumerates_running_processes reads_self",
        "Alerts: packer_unknown_pe_section_name script_tool_executed",
        "Alerts: queries_computer_name queries_keyboard_layout queries_locale_api",
        "Alerts: antidebug_setunhandledexceptionfilter stealth_timeout language_check_registry",
        "Contacted:  188.114.96.1 Domains Contacted dns.google",
        "distracted-chebyshev.84-54-51-82.plesk.page \u2022 domain plesk.page"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "Zergeca",
          "display_name": "Zergeca",
          "target": null
        },
        {
          "id": "AutoIT",
          "display_name": "AutoIT",
          "target": null
        },
        {
          "id": "Win.Malware.Salat-10058846-0",
          "display_name": "Win.Malware.Salat-10058846-0",
          "target": null
        },
        {
          "id": "ALF:JASYP:TrojanDownloader:Win32/SmallAgent!",
          "display_name": "ALF:JASYP:TrojanDownloader:Win32/SmallAgent!",
          "target": null
        },
        {
          "id": "Win.Trojan.Emotet-9850453-0",
          "display_name": "Win.Trojan.Emotet-9850453-0",
          "target": null
        },
        {
          "id": "Worm:Win32/AutoRun!atmn",
          "display_name": "Worm:Win32/AutoRun!atmn",
          "target": "/malware/Worm:Win32/AutoRun!atmn"
        },
        {
          "id": "Win.Trojan.Tofsee-7102058-0\tBackdoor:Win32/Tofsee.T",
          "display_name": "Win.Trojan.Tofsee-7102058-0\tBackdoor:Win32/Tofsee.T",
          "target": "/malware/Win.Trojan.Tofsee-7102058-0\tBackdoor:Win32/Tofsee.T"
        },
        {
          "id": "CVE-2023-22518",
          "display_name": "CVE-2023-22518",
          "target": null
        },
        {
          "id": "CVE-2024-6387",
          "display_name": "CVE-2024-6387",
          "target": null
        },
        {
          "id": "CVE-2025-20393",
          "display_name": "CVE-2025-20393",
          "target": null
        },
        {
          "id": "CVE-2014-2321",
          "display_name": "CVE-2014-2321",
          "target": null
        },
        {
          "id": "Botnet",
          "display_name": "Botnet",
          "target": null
        },
        {
          "id": "CVE-2018-10562",
          "display_name": "CVE-2018-10562",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1543",
          "name": "Create or Modify System Process",
          "display_name": "T1543 - Create or Modify System Process"
        },
        {
          "id": "TA0003",
          "name": "Persistence",
          "display_name": "TA0003 - Persistence"
        },
        {
          "id": "TA0004",
          "name": "Privilege Escalation",
          "display_name": "TA0004 - Privilege Escalation"
        },
        {
          "id": "T1543.002",
          "name": "Systemd Service",
          "display_name": "T1543.002 - Systemd Service"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "TA0005",
          "name": "Defense Evasion",
          "display_name": "TA0005 - Defense Evasion"
        },
        {
          "id": "T1222",
          "name": "File and Directory Permissions Modification",
          "display_name": "T1222 - File and Directory Permissions Modification"
        },
        {
          "id": "T1222.002",
          "name": "Linux and Mac File and Directory Permissions Modification",
          "display_name": "T1222.002 - Linux and Mac File and Directory Permissions Modification"
        },
        {
          "id": "T1070",
          "name": "Indicator Removal on Host",
          "display_name": "T1070 - Indicator Removal on Host"
        },
        {
          "id": "T1003",
          "name": "OS Credential Dumping",
          "display_name": "T1003 - OS Credential Dumping"
        },
        {
          "id": "T1016",
          "name": "System Network Configuration Discovery",
          "display_name": "T1016 - System Network Configuration Discovery"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1095",
          "name": "Non-Application Layer Protocol",
          "display_name": "T1095 - Non-Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1571",
          "name": "Non-Standard Port",
          "display_name": "T1571 - Non-Standard Port"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1070.004",
          "name": "File Deletion",
          "display_name": "T1070.004 - File Deletion"
        },
        {
          "id": "T1518.001",
          "name": "Security Software Discovery",
          "display_name": "T1518.001 - Security Software Discovery"
        },
        {
          "id": "T1119",
          "name": "Automated Collection",
          "display_name": "T1119 - Automated Collection"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1060",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1060 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1583.005",
          "name": "Botnet",
          "display_name": "T1583.005 - Botnet"
        },
        {
          "id": "T1155",
          "name": "AppleScript",
          "display_name": "T1155 - AppleScript"
        },
        {
          "id": "T1037.002",
          "name": "Logon Script (Mac)",
          "display_name": "T1037.002 - Logon Script (Mac)"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": "69d5859750dfad7fe7989ef4",
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Q.Vashti",
        "id": "337942",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "IPv4": 169,
        "URL": 1871,
        "domain": 393,
        "hostname": 925,
        "FileHash-MD5": 391,
        "FileHash-SHA1": 390,
        "FileHash-SHA256": 2452,
        "CVE": 1,
        "SSLCertFingerprint": 1,
        "IPv6": 9,
        "email": 4,
        "CIDR": 1
      },
      "indicator_count": 6607,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 138,
      "modified_text": "11 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "69d5859750dfad7fe7989ef4",
      "name": "Apple / Cloud/ Data Network within Zergeca / Zerg Botnet \u2022 MacSync_AppleScript_Stealer",
      "description": "",
      "modified": "2026-04-07T22:30:47.312000",
      "created": "2026-04-07T22:30:47.312000",
      "tags": [
        "added active",
        "related pulses",
        "found",
        "zergeca botnet",
        "zergeca",
        "upx packer",
        "khtml",
        "gecko",
        "united",
        "ids detections",
        "yara detections",
        "https domain",
        "tls sni",
        "ip lookup",
        "external ip",
        "malware",
        "encrypt",
        "techniques",
        "modify system",
        "process",
        "https",
        "performs dns",
        "tls version",
        "reads cpu",
        "proc indicative",
        "urls",
        "downloads",
        "persistence",
        "data upload",
        "extraction",
        "find s",
        "failed",
        "typ don",
        "ipv4 url",
        "canreb",
        "type ipv4",
        "url domail",
        "domail showing",
        "elf conta",
        "typ url",
        "zercega",
        "enter sc",
        "type",
        "include",
        "review",
        "n1 exclude",
        "suggestedincc",
        "a50 typ",
        "ipv4",
        "matches yara",
        "dete data",
        "yara detectea",
        "cro intormation",
        "exclude sugges",
        "sc car",
        "extra lte",
        "referen",
        "l extraction",
        "droo anv",
        "extr referen",
        "lte all",
        "je matches",
        "yara detel",
        "yara dete",
        "include review",
        "exchange lte",
        "je elf",
        "passive dns",
        "certificate",
        "files",
        "trojan",
        "related tags",
        "worm",
        "medium",
        "write c",
        "write",
        "high",
        "binary",
        "yara rule",
        "default",
        "moved",
        "schaan",
        "as834 ipxo",
        "dynamicloader",
        "program",
        "ee fc",
        "users",
        "ff d5",
        "python",
        "windows",
        "autoit",
        "confuserex",
        "stream",
        "guard",
        "launcher",
        "updater",
        "global",
        "america flag",
        "ashburn",
        "america related",
        "tags",
        "indicator facts",
        "historical otx",
        "controller fake",
        "akamai rank",
        "russia",
        "present nov",
        "aaaa",
        "link",
        "a domains",
        "ip address",
        "meta",
        "cve -2014-2321",
        "handle",
        "address range",
        "cidr",
        "network name",
        "allocation type",
        "pa status",
        "whois server",
        "included iocs",
        "manually add",
        "iocs o",
        "iocs",
        "sugges",
        "stop show",
        "types",
        "external",
        "ripe",
        "pa abusec",
        "neterra",
        "sofia",
        "bulgaria phone",
        "filtered person",
        "neven dilkov",
        "bg phone",
        "filtered route",
        "a5ip",
        "aa2023",
        "aamirai",
        "a2scanner",
        "apple inc",
        "issuer",
        "valid",
        "algorit",
        "thum",
        "name",
        "a9 a8",
        "status",
        "macho",
        "macho 64bit",
        "mac os",
        "x macho",
        "intel",
        "typ no",
        "td td",
        "td tr",
        "a td",
        "dynamic dns",
        "date",
        "name servers",
        "arial",
        "error",
        "null",
        "enough",
        "hosts",
        "win32",
        "fast",
        "contacted",
        "MacSync_AppleScript_Stealer",
        "cve-2018-10562",
        "source",
        "roboto",
        "robotodraft",
        "helvetica",
        "iframe",
        "manually ada",
        "review iocs",
        "abv0",
        "qaeaav0",
        "cptbdev",
        "w4uninitialized",
        "qaeaav01",
        "abv01",
        "qaexn",
        "qbenxz",
        "phoneidentify",
        "qbepaxxz"
      ],
      "references": [
        "https://apple.k8s.joewa.com/\u2022 https://com.apple \u2022 freedns.afraid.org",
        "IPv4 188.114.96.1 In CDN range: provider=cloudflare \u2022 dns.google \u2022 push.apple.com",
        "Zergeca \u2022 IPv4 84.54.51.82",
        "Zergeca \u2022  http://bot.hamsterrace.space:5966/",
        "Zergeca \u2022  multi-user.target",
        "Zergeca \u2022  ootheca.pw",
        "CVE-2023-22518\tCVE-2018-10562\t CVE-2024-6387\tCVE-2025-20393",
        "Crowdsourced IDS rules: 6b81d548c0fbd7a2275bb0d29deca0de96c1584ce7aadaf4f5dac3cb28ee9c29",
        "Matches rule Suspicious DNS Query for IP Lookup Service APIs by Brandon George (blog post), Thomas Patzke",
        "Matches rule Suspicious Network Connection to IP Lookup Service APIs by Janantha Marasinghe, Nasreddine Bencherchali (Nextron Systems)",
        "Matches rule Local System Accounts Discovery - Linux by Alejandro Ortuno, oscd.community",
        "Crowdsourced IDS rules:",
        "Matches rule ET POLICY External IP Lookup ipinfo.io",
        "Matches rule ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)",
        "Matches rule ET INFO External IP Check (checkip .amazonaws .com)",
        "Matches rule SERVER-OTHER Squid HTTP Vary response header denial of service attempt",
        "Matches rule ET INFO Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI) Unique rule identifier: This rule belongs to a private collection.",
        "Yara detected: Xmrig cryptocurrency miner",
        "Yara detected: Reads CPU information from /proc indicative of miner or evasive malware Compliance",
        "meta.com \u2022 meta.com.apple",
        "geomi.service \u2022 74b23c7dc3cca50a6d78e18116e31ca189a4549de35ff49903af2c4c0bd06a63",
        "ELF contains segments with high entropy indicating compressed/encrypted content",
        "/etc/systemd/system/geomi.service File type: ASCII text",
        "http://www.bing.lt/search?q=",
        "Win.Malware.Salat-10058846-0",
        "Yara Detections: MacSync_AppleScript_Stealer",
        "Alerts: antisandbox_unhook hardware_id_profiling ntdll_memory_unhooking binary_yara",
        "Alerts: recon _fingerprint registers_vectored_exception_handler creates_suspended_process",
        "Alerts: resumethread_remote_process enumerates_running_processes reads_self",
        "Alerts: packer_unknown_pe_section_name script_tool_executed",
        "Alerts: queries_computer_name queries_keyboard_layout queries_locale_api",
        "Alerts: antidebug_setunhandledexceptionfilter stealth_timeout language_check_registry",
        "Contacted:  188.114.96.1 Domains Contacted dns.google",
        "distracted-chebyshev.84-54-51-82.plesk.page \u2022 domain plesk.page"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "Zergeca",
          "display_name": "Zergeca",
          "target": null
        },
        {
          "id": "AutoIT",
          "display_name": "AutoIT",
          "target": null
        },
        {
          "id": "Win.Malware.Salat-10058846-0",
          "display_name": "Win.Malware.Salat-10058846-0",
          "target": null
        },
        {
          "id": "ALF:JASYP:TrojanDownloader:Win32/SmallAgent!",
          "display_name": "ALF:JASYP:TrojanDownloader:Win32/SmallAgent!",
          "target": null
        },
        {
          "id": "Win.Trojan.Emotet-9850453-0",
          "display_name": "Win.Trojan.Emotet-9850453-0",
          "target": null
        },
        {
          "id": "Worm:Win32/AutoRun!atmn",
          "display_name": "Worm:Win32/AutoRun!atmn",
          "target": "/malware/Worm:Win32/AutoRun!atmn"
        },
        {
          "id": "Win.Trojan.Tofsee-7102058-0\tBackdoor:Win32/Tofsee.T",
          "display_name": "Win.Trojan.Tofsee-7102058-0\tBackdoor:Win32/Tofsee.T",
          "target": "/malware/Win.Trojan.Tofsee-7102058-0\tBackdoor:Win32/Tofsee.T"
        },
        {
          "id": "CVE-2023-22518",
          "display_name": "CVE-2023-22518",
          "target": null
        },
        {
          "id": "CVE-2024-6387",
          "display_name": "CVE-2024-6387",
          "target": null
        },
        {
          "id": "CVE-2025-20393",
          "display_name": "CVE-2025-20393",
          "target": null
        },
        {
          "id": "CVE-2014-2321",
          "display_name": "CVE-2014-2321",
          "target": null
        },
        {
          "id": "Botnet",
          "display_name": "Botnet",
          "target": null
        },
        {
          "id": "CVE-2018-10562",
          "display_name": "CVE-2018-10562",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1543",
          "name": "Create or Modify System Process",
          "display_name": "T1543 - Create or Modify System Process"
        },
        {
          "id": "TA0003",
          "name": "Persistence",
          "display_name": "TA0003 - Persistence"
        },
        {
          "id": "TA0004",
          "name": "Privilege Escalation",
          "display_name": "TA0004 - Privilege Escalation"
        },
        {
          "id": "T1543.002",
          "name": "Systemd Service",
          "display_name": "T1543.002 - Systemd Service"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "TA0005",
          "name": "Defense Evasion",
          "display_name": "TA0005 - Defense Evasion"
        },
        {
          "id": "T1222",
          "name": "File and Directory Permissions Modification",
          "display_name": "T1222 - File and Directory Permissions Modification"
        },
        {
          "id": "T1222.002",
          "name": "Linux and Mac File and Directory Permissions Modification",
          "display_name": "T1222.002 - Linux and Mac File and Directory Permissions Modification"
        },
        {
          "id": "T1070",
          "name": "Indicator Removal on Host",
          "display_name": "T1070 - Indicator Removal on Host"
        },
        {
          "id": "T1003",
          "name": "OS Credential Dumping",
          "display_name": "T1003 - OS Credential Dumping"
        },
        {
          "id": "T1016",
          "name": "System Network Configuration Discovery",
          "display_name": "T1016 - System Network Configuration Discovery"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1095",
          "name": "Non-Application Layer Protocol",
          "display_name": "T1095 - Non-Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1571",
          "name": "Non-Standard Port",
          "display_name": "T1571 - Non-Standard Port"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1070.004",
          "name": "File Deletion",
          "display_name": "T1070.004 - File Deletion"
        },
        {
          "id": "T1518.001",
          "name": "Security Software Discovery",
          "display_name": "T1518.001 - Security Software Discovery"
        },
        {
          "id": "T1119",
          "name": "Automated Collection",
          "display_name": "T1119 - Automated Collection"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1060",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1060 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1583.005",
          "name": "Botnet",
          "display_name": "T1583.005 - Botnet"
        },
        {
          "id": "T1155",
          "name": "AppleScript",
          "display_name": "T1155 - AppleScript"
        },
        {
          "id": "T1037.002",
          "name": "Logon Script (Mac)",
          "display_name": "T1037.002 - Logon Script (Mac)"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Q.Vashti",
        "id": "337942",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "IPv4": 169,
        "URL": 1871,
        "domain": 393,
        "hostname": 925,
        "FileHash-MD5": 391,
        "FileHash-SHA1": 390,
        "FileHash-SHA256": 2452,
        "CVE": 1,
        "SSLCertFingerprint": 1,
        "IPv6": 9,
        "email": 4,
        "CIDR": 1
      },
      "indicator_count": 6607,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 138,
      "modified_text": "11 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "69d43adce952052db1643eb1",
      "name": "VirusTotal report\n                    for addon.crx",
      "description": "<<< This is the full list of results from this year's \u00a31.2bn (1bn euros) Google search, which includes the results of the search for the world's most popular search engine.>>",
      "modified": "2026-04-06T22:59:40.683000",
      "created": "2026-04-06T22:59:40.683000",
      "tags": [
        "zip archive",
        "opera widget",
        "vym mind",
        "sweet home",
        "design",
        "mozilla firefox",
        "mozilla archive",
        "format",
        "file type",
        "php script",
        "ascii",
        "ascii text",
        "unicode text",
        "utf8 text",
        "crlf line",
        "json",
        "java source",
        "extra info"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1046",
          "name": "Network Service Scanning",
          "display_name": "T1046 - Network Service Scanning"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1095",
          "name": "Non-Application Layer Protocol",
          "display_name": "T1095 - Non-Application Layer Protocol"
        },
        {
          "id": "T1176",
          "name": "Browser Extensions",
          "display_name": "T1176 - Browser Extensions"
        },
        {
          "id": "T1185",
          "name": "Man in the Browser",
          "display_name": "T1185 - Man in the Browser"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1574",
          "name": "Hijack Execution Flow",
          "display_name": "T1574 - Hijack Execution Flow"
        },
        {
          "id": "T1064",
          "name": "Scripting",
          "display_name": "T1064 - Scripting"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1543",
          "name": "Create or Modify System Process",
          "display_name": "T1543 - Create or Modify System Process"
        },
        {
          "id": "T1564",
          "name": "Hide Artifacts",
          "display_name": "T1564 - Hide Artifacts"
        },
        {
          "id": "T1010",
          "name": "Application Window Discovery",
          "display_name": "T1010 - Application Window Discovery"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 316,
        "FileHash-SHA1": 314,
        "FileHash-SHA256": 1415,
        "IPv4": 88,
        "hostname": 132,
        "domain": 50,
        "URL": 86
      },
      "indicator_count": 2401,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 48,
      "modified_text": "12 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "https://vanbuildtracker.com",
    "type": "URL"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "https://vanbuildtracker.com",
    "type": "URL",
    "found": false,
    "verdict": "clean",
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1776631303.932556
}