{ "type": "URL", "indicator": "https://www.google.com/ccm/conversion", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://www.google.com/ccm/conversion", "type": "url", "type_title": "URL", "validation": [ { "source": "alexa", "message": "Alexa rank: #1", "name": "Listed on Alexa" }, { "source": "akamai", "message": "Akamai rank: #3", "name": "Akamai Popular Domain" }, { "source": "whitelist", "message": "Whitelisted domain google.com", "name": "Whitelisted domain" }, { "source": "majestic", "message": "Whitelisted domain google.com", "name": "Whitelisted domain" } ], "base_indicator": { "id": 4214674785, "indicator": "https://www.google.com/ccm/conversion", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 5, "pulses": [ { "id": "69b7ac3b32ac89ecba53f3d9", "name": "Malicious", "description": "", "modified": "2026-04-15T08:44:52.171000", "created": "2026-03-16T07:07:39.495000", "tags": [ "march", "input http", "posix shell", "ascii text", "threat level", "summary av", "detection", "environment", "action" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 291, "URL": 272, "hostname": 296, "domain": 293, "FileHash-MD5": 90, "FileHash-SHA1": 89, "CIDR": 3, "email": 3, "SSLCertFingerprint": 9 }, "indicator_count": 1346, "is_author": false, "is_subscribing": null, "subscriber_count": 49, "modified_text": "4 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6992bae83a5988dff8311490", "name": "Distributed Credential Exhaustion & C2 Orchestration via Golang-Based StealthWorker (ELF.Agent-VW)", "description": "Researcher credit: msudosos, level blue platform----\nThis artifact represents a high-integrity StealthWorker (GoBrut) botnet agent, architected as a statically linked, stripped 32-bit ELF binary to ensure cross-platform environmental independence. The sample utilizes XOR 0x20-encoded JavaScript payloads and String.fromCharCode obfuscation to mask its internal logic and bypass heuristic-based memory scanners. [User Notes] Its operational core is a multi-threaded service bruter targeting SSH, MySQL, and CMS backends, leveraging a massive infrastructure of 1,834 domains and 797 unique IPv4 endpoints for decentralized Command & Control (C2). Network telemetry confirms the use of ICMP and HTTP-based beaconing, indicating a sophisticated retry logic designed to maintain persistence across diverse network topologies. With a malicious file score of 10, this binary serves as a primary vector for large-scale credential harvesting and the subsequent integration of Linux infrastructure into global botnet clusters.", "modified": "2026-04-13T23:46:20.071000", "created": "2026-02-16T06:36:24.788000", "tags": [ "Obfuscation: XOR-based String Encryption (0x20)", "T1110.001 (Brute Force: Password Guessing)", "Primary Hash (SHA256): cd3989830da99a69380901769fd78902efb3cd8ba", "MD5 Hash: f8add7e7161460ea2b1970cf4ca535bf", "#PotentialUS-Origin_FalseFlag_Obfuscation" ], "references": [ "Primary Hash (SHA256): cd3989830da99a69380901769fd78902efb3cd8ba5c9390e94bd4333b7fad186", "Obfuscation: XOR-based String Encryption (0x20)", "T1110.001 (Brute Force: Password Guessing)", "This ELF 32-bit LSB artifact is a sophisticated GoBrut/StealthWorker agent, compiled via Golang 1.10 and stripped to obfuscate its high-velocity service-bruting logic. VirusTotal confirms a critical threat profile with 44/65 security vendors flagging the file, which leverages a unique Go BuildID (nGYES3pajdOm...) and a Telfhash (t1f303a0...) for architectural fingerprinting. The binary orchestrates decentralized Command and Control (C2) through an expansive infrastructure of 797 unique IPs and 1,834 domains", "Pivot-Ready Indicators (IOCs) Go BuildID: nGYES3pajdOmKy1i6Ghh/KO9ydOtZpXtoKtB0KHE-/iisNoniHgTbj_cV6M-uk/XmMYzkBiZs8NXMRZYTiT Telfhash: t1f303a0b3055d54e8b7f08907c7af7624cef6e0f726d078f169e278d09a72c826626874 Imphash: 9698f46495ce9401c8bcaf9a2afe1598 Vhash: 1e53f1a1b59ecb93f821c74b25d81e9f", "Researcher msudosos posits a strategic exploitation of Root Certificate Validation Failures, where the adversary leverages an expired trust chain to bypass heuristic security filters and establish persistence.", "his technique allows the GoBrut/StealthWorker agent to circumvent automated revocation checks, enabling its decentralized C2 infrastructure to recruit Linux hosts via high-velocity credential exhaustion.", "The local environment exhibits advanced telemetry suppression within specialized skim memory regions, effectively neutralizing standard DMARC validation and Microsoft-integrated defensive protocols.", "By maintaining a hollowed root posture, the sample facilitates persistent, low-signal synchronization with external cloud infrastructure while bypassing traditional heuristic trust-chain verification.", "The domain prioritywirreles.com (registered via NAMECHEAP INC) shows a 4/93 detection ratio, confirming it is a live but \"low-noise\" C2 node used to avoid broad-spectrum blacklisting", "", "The environment leverages prioritywirreles.com as a high-fidelity DGA-derived C2 node, utilizing its historical resolution to Russian-hosted IP space (194.61.24.231) to maintain persistent Stealthworker botnet synchronization.", "By operating through WhoisGuard-protected infrastructure and exploiting XOR 0x20 obfuscation, the adversary effectively suppresses telemetry into skim space, successfully bypassing DMARC and Microsoft-integrated trust-chain validation.", "The pivot from cd398983... to this domain confirms a multi-year campaign (2019\u20132023) utilizing Namecheap-registered infrastructure to orchestrate wide-scale T1110.001 brute-force operations while bypassing standard PKI expiration checks.", "LBresearcher: msudosos notes: The campaign's use of T1110.001 (Password Guessing) is specifically tuned to exhaust credentials across SSH, MySQL, and CMS backends, effectively recruiting server infrastructure into a global \"zombie\" network.", "LBresearcher: msudosos notes: The threat actor maintains operational longevity by rotating through WhoisGuard-protected nodes like prioritywirreles.com, which historically resolved to Russian-hosted IP space (194.61.24.231) to obfuscate its origin.", "LBresearcher: msudosos notes: By exploiting Root Certificate Validation Failures, the StealthWorker (GoBrut) agent ensures that its 32-bit ELF binaries bypass the automated reputation checks enforced by major cloud providers.", "Monitor DGA Shifts: Track new domains registered through NAMECHEAP INC using the current WhoisGuard patterns to identify the next cluster before it goes active. Analyze Telfhash Clusters: Use the Telfhash (t1f303a0...) to pivot and find if the adversary has updated to 64-bit ELF or ARM architectures. Harden DMARC: Ensure your environment moves from \"p=none\" to \"p=reject\" to mitigate the internal spoofing loops exploited by this botnet's telemetry suppression.", "Persistent C2 Orchestration: This ELF:Agent-VW variant serves as a critical GoBrut node, utilizing XOR 0x20 obfuscation and ICMP/HTTP beaconing to maintain a persistent link across 1,834 domains and 797 unique IPs", "Researcher msudosos: This activity appears to facilitate a preliminary reconnaissance phase, possibly utilizing system commands to query /proc/cpuinfo and /proc/version for architectural profiling purposes.", "Researcher msudosos suggests the VirusTotal (Tencent HABO) behavior report may indicate a potential execution path from volatile storage at /tmp/EB93A6/996E.elf.", "Msudosos Regional Notes: While historical pivots show Russian-hosted nodes, the current dual-origin telemetry\u2014dominated by 181 United States-based endpoints\u2014strongly suggests a domestic-aligned adversary leveraging global 'grey space' to obfuscate its operational core. This massive US-centric footprint (exceeding all other regions combined) reinforces the theory of a false-flag orchestration designed to divert attribution toward foreign infrastructure while abusing legitimate Western-hosted trust chains.", "WHOIS data anchors administrative and technical operations for prioritywirreles.com in Los Angeles, CA (90064) via Namecheap infrastructure. Following its 2020 expiration, the domain has transitioned into redemptionPeriod/pendingDelete status, signaling the formal decommissioning of this C2 asset." ], "public": 1, "adversary": "StealthWorker/GoBrut (The adversary demonstrates advanced telemetry suppression within specialized s", "targeted_countries": [], "malware_families": [ { "id": "Malware Family: StealthWorker / GoBrut", "display_name": "Malware Family: StealthWorker / GoBrut", "target": "/malware/Malware Family: StealthWorker / GoBrut" }, { "id": "MD5 Hash: f8add7e7161460ea2b1970cf4ca535bf", "display_name": "MD5 Hash: f8add7e7161460ea2b1970cf4ca535bf", "target": null } ], "attack_ids": [ { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2166, "FileHash-SHA1": 2067, "FileHash-SHA256": 3371, "domain": 13295, "URL": 6860, "email": 272, "hostname": 4705, "SSLCertFingerprint": 268, "CVE": 107, "CIDR": 6 }, "indicator_count": 33117, "is_author": false, "is_subscribing": null, "subscriber_count": 62, "modified_text": "6 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69d0ac884cb646fac0b8d3d4", "name": "VirusTotal report\n for Other-20230212T074754Z-001.zip", "description": "com - is the name of a German domain registered with the United-Domains AG.\n\n3 hearts\npure bleeds. sigma shields. commander hunts.\nlegacy puppetmaster suppresses.\nthe octopus is forever tangled.", "modified": "2026-04-04T06:43:36.558000", "created": "2026-04-04T06:15:36.916000", "tags": [ "date", "server", "registrar abuse", "postal code", "registrant name", "expiration date", "registry domain", "registrar iana", "registrar url", "registrant city", "ascii text", "javascript", "mitre attack", "network info", "dropped info", "file type", "processes extra", "overview zenbox", "linux verdict", "guest system", "ultimate file", "info file", "persistence", "next", "pe file", "text format", "ansi", "ms windows", "zip archive", "found", "crlf line", "windows start", "default", "delphi", "code", "malicious", "windows sandbox", "calls clear", "ascii", "java source", "web open", "font format", "truetype", "version", "python", "cape sandbox", "machine summary", "report time", "machine name", "analysis id", "machine label", "duration", "machine manager", "kvm os", "shutdown", "https", "shpk", "performs dns", "t1055 process", "layer protocol", "overview", "title", "phishing", "loader", "script", "meta", "albania", "structured data", "artan lenja", "street", "building", "tiran", "body", "icloud", "free", "apple", "link", "style", "doctype html", "timestamp", "sectigo", "official", "disney", "walt disney", "countryus", "center", "head", "forbidden", "creates", "command", "clear filters", "sigma", "verdict" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/100a90c0ff019b19f0f2622cfa529d874f580b2ac6257d018e5eb9ab6d861f44_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775281711&Signature=G81N%2BSvpl7rLMvDIGLovzSBK8YJzNBOTs7Ycfze1L%2BdFheZX%2BS6EbtlDx545BRgefMUoJSwn%2BdK4eRpYlyMGmHvkv2tw3apezXxBF5J95vedk3RlOzXgGUAvJvewt0RBBR9f9hiVn9CuYTHvY3Cf%2BVog32%2BRLrv8sMhZ%2FeqX0%2FhraP6leNtAta5iUv73pYWeMmdsQ7nX2EvTO7uUvGggX6TmnBhiHHd8E9uCsoPHCTP4i0", "https://vtbehaviour.commondatastorage.googleapis.com/100a90c0ff019b19f0f2622cfa529d874f580b2ac6257d018e5eb9ab6d861f44_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775281734&Signature=3FFHeC27RvCC9623M2f8xoSU4fl9LBd%2FvI%2F98rUNvmdceN4AZjjw77yTU0ApUTXU5FbdCpODVhKi0X4pqDz1pqEP%2FBRLq%2FNhgoRliai6LlD4yhdTtKNi4zrfCDG%2Bd4dRzD5y674IfEPynxGiFOWxc6wiCtl3rhwTPEqisyDqFbvnF57SxrcPoVSzVO3wEtxpCOIw8iAFXdW2zgnnYYbSrbaQBfghKLtFA6r2vP%2Bmrd33YSUiH%2Fe2EqBz", "https://vtbehaviour.commondatastorage.googleapis.com/100a90c0ff019b19f0f2622cfa529d874f580b2ac6257d018e5eb9ab6d861f44_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775281812&Signature=jttp%2BTn66O5EfEB%2FASdpjDONf%2BzydGtfIUy3AtwYz0ppPzVA88%2BzZ8LtzV0TDhkMiju4oLHr%2BauJnKYexqnF0MfNTXGKPfj3ux9oZ2%2Baqve%2B3xgapdwdz0N64RgWo3SBqCKFBOQmi57mqIy%2F8qgnAfdVX99BwF2BuRSYSbIjNW5NHjir1JrAAKwOHZFyNsKj99PImyug2FPpRnss8VrJvDyYdnaGLHIAbZMRl72V", "https://vtbehaviour.commondatastorage.googleapis.com/100a90c0ff019b19f0f2622cfa529d874f580b2ac6257d018e5eb9ab6d861f44_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775281904&Signature=B9x8BUVCeldkVImU%2Bb%2B7d97Q9Y2suAJFE1HvxBCu6MQUOt52HrgAUTBIeXPKgNP0gKiqrr%2BwDvN7q637Ht6n5C9QhuTPI%2FhWTub0F22jsp8lU2Pvp2bS%2FlaSchLRN5gDngyPABgnaqYERICP8QQkwfaB9pY%2Bii1%2FAeel%2BIDGYwxPPfIcYevejNv2O%2F0J6qYRftrtXwa95pbsecrfOzH6bpF3AzHQrTLJAuZ%2B%2BykW", "https://vtbehaviour.commondatastorage.googleapis.com/bc3cc97398d5f56a4731085e8a385694f6ef1ab37243c6c00deed4a1335ced55_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775281954&Signature=Tythlx%2B0x7Dzf2SYvJDgwby2Ifinb7IbK5GTx%2ByqvqVc1r4cz7rhoVD3NZqUAgUpxSkIAsRAK5WV5tMXUGiiB6JWp8Y9YmaL7Zhb5NxMBcodk57r7XhYzEbDxYg%2Fh1ChwMliA5cBr%2BXbUcW4q2aA4xQeNE1XVNpalGtyHh8bsDTKgQG0Ch1gikPF%2BeKc2ANprXe6z%2FJBXtqJBxh6%2Bem6fGON6%2BpRP1%2BgmNg4%2FtFnlQ", "https://vtbehaviour.commondatastorage.googleapis.com/bc3cc97398d5f56a4731085e8a385694f6ef1ab37243c6c00deed4a1335ced55_CAPE%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775281979&Signature=LrquDQAOc%2Bf90O7wkZ9lRNx5uIZopS4VL7qYn7UKkzTI19c7sNJWNdGeBPtnE%2FG4yxsv1tBxkoojr78E808e78vceGG2xskRT6tUTjtDo2c8JW%2FD9Mr5ZAVe8Cn%2BP%2BpCbBkZXbtaceCtVq0b9zVWx9YstN2ju69uofX50LbI%2FgmHh%2Bghta79DgdBrNmkcQEXDu7t%2FqSZSozfso9i%2BoSZdHXEfsU59hoc%2FhUSoPMEPGFU", "https://vtbehaviour.commondatastorage.googleapis.com/fa8a59149604c73572bf92b42640de49faa7e8f16cd4bc18345d3e6a16378744_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775282019&Signature=VwsuvdyY52E5jzftipHSNWVrwmO7YUwSQa9yHiMIgbsXcJDnDNcdELamMXjmvzDn%2FT6L5HguJFyj%2F4DHLmPfddzVphNAKCPvz3IRVae2piJ%2B8VWa2%2B98W3RjMft93LZhdNHwxeEYM8oJ%2FOjAjw%2FIicginJBUwlGeHX3kfTJieSEC7SYf6BkJ4UNfnF2pPQjiaAqG9mop%2FPKsB%2FF1K%2FrL7Rpsxwhl1rGglHYPM4%2BtJj6zDYx%2F", "https://vtbehaviour.commondatastorage.googleapis.com/fa8a59149604c73572bf92b42640de49faa7e8f16cd4bc18345d3e6a16378744_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775282044&Signature=Y%2FEJZwm3h4tUuhn9%2FgO7QDcTnUoojZIDnoL%2FuGaoe0o5h%2FPUEiZpyFQLH9JfrvNN0h58UWlcJNCMxaSZl%2BZDvBDliVat0wDr0fE35mo0jGTK3uwa7DykFrjyI0NAVFlzkVSyxC0euM4lSJaw9PqyJGgLb4FfaztkzK7ZQYTIsGMYWSsCAKzatCObwK%2B8nqV63M9VXUeJy8ZQx7IwbttNffD6FQUaPbtCwlsywb%2Bu7NVqkFSG", "https://www.icloud.com/attachment/?u=https%3a%2f%2f%cvws.icloud-content.com", "https://vtbehaviour.commondatastorage.googleapis.com/ba49f65ef5d694311c535991812ee2fa8f0c639f4e053d136c1161b8b1bfaf8f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775282803&Signature=CE28%2B8Orp96YBz3AWi4L4LJoj5B677T4lpyJl4VIG%2BN68qLtOorzpmY%2BdQgPcKJxqxcvmf3JmeA2zAZFyVdmEzznUnaiSY6xhbkbZ8nrReWLN9MBQZJuFd6by3aYlQoYFg2Bxu5d%2FLEAxWm4ljnJApBcv1csUNbJ8KxjkdXXAyPkiWPwMc4JDmXrnH5%2FXBQ7Tf1qxmze1lX2S5QvktDVUA3Bdn67nGtMvguY5EIl7tj1AezbuTFM", "https://vtbehaviour.commondatastorage.googleapis.com/68e1e958d101feb1044553d3e8ba341448a17d917e4b613cb05873814159ed40_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775282913&Signature=TKCWJVTu8VHNWLhsI%2BkIN06KJgV4R1%2F2oO9G3V2x%2Bdxi14E9JDPHosmNkN%2Fk02BRc0I8Yg4HJPmcxjdAvb8mTCZjA10bizFznZC3epwH0hmoxTVgryMxpD%2B7zTQqKIRpE9UGGC1WSu0CTJ3rI9dCyopLkmeiyJPVw%2BIuERp37p2MEwzwwIPRuYpB190GfOdCkGt6TuMjDG6cVa%2BxvJlEdoEw8US6W8WPaioxSu1KVCoKjwky", "https://vtbehaviour.commondatastorage.googleapis.com/ffe3319990984c10c84fc18f6c1d40b2c7ad44666ebc2b54368bd96327ec6abc_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775283093&Signature=GU02WhsC3g0ztmDdXDNuqx9T9POv8DnaMp7NQX%2B70%2FybCmZtbIpyPiUCOuYG5ZD1RY8bCIR9k%2F%2BGsKSwWLVUNNih3CgvqShoWsNfLKvtS%2BDRbmV6G4ohLWIP0xPHJOCA%2FWvnSdblJ%2FdibwXFCT851RdpfK3f6ph2EPHXIq%2FBwhSc28%2BJfFSMK%2B1toESpR7COi%2FUwpnMfcoSpcIMZudaaU8JrTvEVLgtJ%2FAgHjmfoXxvJlD", "https://vtbehaviour.commondatastorage.googleapis.com/02b1749e96b257099d5bafaeb1fc502442b4e064cca63fbcf4fc52af34b6435d_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775283154&Signature=m%2BGdulpws9rcUoJIzr45sR5qJdIxK89UYb6GUJL6p7n4mgYV69NJWbc3Jslcn117UKHnbSYYtRZSBRhviHhLuWsbhUG199mW8iGDiwaarp%2BbvmEIw6OXF2MgVIh%2FrJYr8slRZbUwjd9t8dMWwn%2FM5DNq6AzLyBqpznrBoVrvlibZuA9pWsHraA3P24WyEGUlbWN3NqLfmJ6gDeCKRfG7zhubGI%2Bb8Wl8GaBCodOtX2LlrA", "https://vtbehaviour.commondatastorage.googleapis.com/3e6e0898a7b1b297d2b9322f5f578b02e2fd5d5647dbeef6b9273cda383e1547_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775283189&Signature=PtLPpZoeHrLkYIaV2etyfYslOxR9PtxqmjNNDdMHoJjBUuweFaoOVGyfkf%2BUGEiGQCogCu7az%2B4btIJ3frL%2BEdzwNV7Ufeb24KQqbVUQrVITPGPCW42mMdsKdDoNQsqLooDqFsjxRGt2meZgP3F3roSTIWDEJPwr35bBBkdANOOdXZG1mg3O8JHm35%2BBQMkSxOiAxeftigjPK7On%2Fk%2FvMli1USxDUfi2eRlkRaL090nKenRXt3cz4FEBe8" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 359, "email": 2, "hostname": 664, "URL": 794, "FileHash-SHA256": 827, "FileHash-MD5": 21, "FileHash-SHA1": 17, "IPv4": 187 }, "indicator_count": 2871, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "15 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69cf461ebc1a9bcfbffa2aad", "name": "VirusTotal Droidy Android Sandbox", "description": "Here is the full list of results from the second day of the 2016 Android World Championship, held at 22:00 BST on Tuesday, 1 July.. . and \u00c2\u00a31.\n\ni cant add this one - legacy - http://100tosdefotos.com/", "modified": "2026-04-03T05:08:23.191000", "created": "2026-04-03T04:46:22.211000", "tags": [ "process", "current object", "android sandbox", "europemadrid", "windows sandbox", "clear filters", "has permission", "file type", "apks", "accesses", "sim provider", "name", "may check", "mitre attack", "network info", "malicious", "persistence", "cloud", "chrome cache", "png image", "cache entry", "rgba", "entry", "web open", "font format", "version", "truetype", "next", "detail info", "text", "classname", "window", "static", "behaviour", "filename", "offset", "class", "button", "mozilla", "shell", "nsis", "find", "back", "state", "connecting", "connected", "suspended", "disconnected", "unknown", "shell folders", "default", "inprocserver32", "new roman", "registry keys", "nothing", "shell dlg", "roman baltic186", "roman cyr204", "roman tur162", "xffxfea xffxfea", "xffu xffu", "xffxfcs xffxfcs", "x8af x8af", "xb6p xb6p", "xb6y xb6y", "x88g x88g", "xb6xf2 xb6xf2", "xfft", "xc1xe7 xc1xe7", "axec", "programfiles", "allusersprofile", "windir", "protocol level", "application", "previous", "next connection", "address", "full path", "behavior", "bits", "dump", "path", "calls clear", "eandroidruntime", "pufwifi", "flag", "networkinfo", "action", "extras", "start", "componentname", "write", "calls process", "cname", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "address virtual", "path c", "sha256", "accept", "shutdown", "error", "sandbox", "stack", "win32 exe", "pe32", "intel", "ms windows", "win16 ne", "os2 executable", "generic windos", "executable", "dos executable", "generic", "processes extra", "performs dns", "t1055 process", "overview", "overview zenbox", "verdict", "guest system", "ultimate file", "android", "zip archive", "xapk android", "android package", "java archive", "sweet home", "design", "html document", "unicode text", "utf8 text", "crlf", "lf line", "language", "date mon", "gmt contenttype", "connection", "link", "json", "xlitespeedcache", "reportto", "server", "contentencoding", "cfray", "king88", "ch cng", "c thit", "c bit", "iu hp", "trang ch", "king88 com", "ci ng", "cp s", "c vit", "object", "string", "number", "null", "function", "g5wmgjr5qk4", "cssselector", "regexp", "date", "void", "trident", "mini", "meta", "please", "javascript", "members", "staff", "inspection", "abip", "local broadcast", "newsletter fcc", "resource center", "marshfield high", "school", "localism join", "facebook", "contact", "summer", "grave", "email", "photo", "strong", "peter deftos", "sign", "learn", "memorial", "leave", "problem", "done", "already", "close", "verify", "twitter", "details", "full", "persist", "editorimpl" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/a0fb314babd51dbc460ab126b615da4c6f9481f5d1225d0ac189da9d99923bb3_VirusTotal%20Droidy.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775189779&Signature=KfMCCyf96T3bMlo9SpmV1KGK0zKBbkhhSc6Ig5Hvwfx%2FTKTqEVBDXB28XNeWzWbCRTwCNnYlHV3Ed%2BMjcd%2B1aCTDYi5GH9Qw3msxqk5iKwRhzDIhfpM98SwOLC%2B7xZUAC60ecDmVDsjA9OOwOkJe87q3Rrx2lrU9%2BjuSJ1EdwI16qoJyd29sLcX7STTqAMHuzCjIixIOre64HAjpH4lt%2F8tSgE1A5Rs2V7PRHSX6ibKLD", "https://vtbehaviour.commondatastorage.googleapis.com/a0fb314babd51dbc460ab126b615da4c6f9481f5d1225d0ac189da9d99923bb3_VirusTotal%20R2DBox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775189811&Signature=O96heM5BVAaltXSZInHXgIgK35KjLrLg%2FfKtFXVS%2BoRHTlfpZtn4LpFvolATpK7dED66Ms7SXpn8nX0i7j1IpuDOXOXSm112TOKIKVVPZJH5ppCD6uFYvhkfNcQGa%2FXK%2BDixyM%2BuqwGoJSFD6QzP8J2Iz1GyU4RYYWuB2C7ZD7LOWKlvxF%2F9LTAX8jFDLgFVsE3Og3cU8y3jK%2BenDPthRM6YFu3qewxpti7KVNwKeMJ", "https://vtbehaviour.commondatastorage.googleapis.com/a0fb314babd51dbc460ab126b615da4c6f9481f5d1225d0ac189da9d99923bb3_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775189872&Signature=P%2Fa2KXhuVwj4RO8cyfIpkYofLKzsLiKRPHuVAi7hjApskLh84OqCfKuK51z7bTKZd8lCCiQ7XuIaxWQDR7qzDFvuCWutobNhKDdHSDLrTMtqqX3o5RmBpSzMUw3jQJcbxsYWqaOMHy8ZeWEVRuB9orvLwMZbJMMIJM8GhUVHZ6%2BwciVIoj0lYTCb%2FEEkQWTV4g3hs9l8KRzbEfvJGja6ANuv1OtdFLk8pejrraAJMB7ThsjINOXbJb", "https://vtbehaviour.commondatastorage.googleapis.com/5dae281deccea2c5229861b4f2ff8c386da1726a836839961311896a6c9f5a69_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775189913&Signature=KduKv0QQf8IKhUUAV%2F0zpzpUmIU%2BEctpJKxUJlyu0Myu11iCQCXfXPprtMBAv5ifc4GLTHDiIuEAJwg%2B%2BHGWjun5ZKLKzoz8Ot2udHqFxvy6ZToPEC4Iui9vdRDHqosVaT77R1Tm1TGuyKVmwYTcow4klVAcpzEWanzWx1jHS42ARepJVrS3AFXHMaaBdTgr23jXcbmly1t3b8lwVilcsk2itdoprPpClQTzwYr1y7YV1%2FbYTDGocHnDwCYy", "https://vtbehaviour.commondatastorage.googleapis.com/37efacb8411234dd9882d8d3a8709f492eb2ed252132da099a11be07c0b4ccb0_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775189954&Signature=2gy%2BsyEM78P6orDGWKQU%2FFPSIdVK9X7o8Nkcwb%2BY4r%2FCb%2Bo9JmA9T%2Bfonw9IqbojQSIK%2BNShZUJJ9GV4wWT5l1QfkYfZP0MJ91%2BkDw39PLOc4VVgmBApIQJRTIlgSlI020YfOeIPoIYH8yuCF2dJ32zKg87g0dDFkg4zbExGDJB3%2BGDxX5MJ6hHuzVrwxm7E1L%2F%2FffKQ%2B9rXqoT0hRHEdPSaXSydmnqfMfnjCv", "https://vtbehaviour.commondatastorage.googleapis.com/970fdc4da66bc8fff977698c150fc6ebdf9488356ed41ded52d2659830ec5353_VirusTotal%20Droidy.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775189984&Signature=f%2FZZkKTu5zUihkCuCj%2F0pEGmBjWWBiZRDmREgGkkkKvTyR7M5iC0oLGYfaL6WibiUB6pQirxgBtEcS2JtupD291Or3j7%2BKoyngW7R9uf%2FjjWQwfC5YHKjNutT6K5TYuEmzySVs9onhIBSjj4U%2Bi2q%2FMJmQFiDtFZHfcyy00LYqbAbBwEAUnVJZUdH6FvNBu4ArU26VDLDwv1nMSgEjxUWBCwiP4HXlwL5%2BxU6y0eTc2", "https://vtbehaviour.commondatastorage.googleapis.com/37efacb8411234dd9882d8d3a8709f492eb2ed252132da099a11be07c0b4ccb0_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775190004&Signature=Nzt9YHY3Ji2VsLO1kvr7%2FyWWwOgo%2BCIoXyjtyshhzTGRxGzhcNdyKU9byPqyv%2F5YAzj%2BmNnDego3ImYeToBCbgyY%2BJJMmUKX6ZrUT1a2O4gv9eMyysIFgYhJ7ZpzyGIvHR5VSJlzPX0AWS81Ml7syDCjTGHikZ9G%2B%2B0cfDA0dhp%2FR7zhAp7yxB2jsDhz1kDY3nncYpjeVtj2o02Nt4JxPa5ML%2FvKBF%2FBHtOtBCqh%2", "https://vtbehaviour.commondatastorage.googleapis.com/1256f3aa5f091ac40a573113fcc1a4d0e320af5ee363b0eca79618602cb7dc66_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775190083&Signature=a1bnyt5OUcTN8ONeNVqbY%2Fe%2FDVJ2N3olQ9r59dijMLLegF84xQDghj0r6VPdFB8fc%2B3QTcJqhpm6vag1pK9us%2F3UqDJ3Yubf%2FukjL4GMKXDdMSggljB7d%2FpkTraQysnttspVal56LzXitjgIEGYZTidKcIv5LM6YH4zCAXn%2BVueaBNIgpcDS0RuX8fVAQYOeftW9AiEz2TZzx1BT6KUgoj0Tzetn4k541357bb58K1w9n9QV1", "https://vtbehaviour.commondatastorage.googleapis.com/1256f3aa5f091ac40a573113fcc1a4d0e320af5ee363b0eca79618602cb7dc66_Dr.Web%20vxCube.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775190146&Signature=3XpRLUQ3g712Vw0Gv1aflVxZs7RKpzIhEK8giO9ydwOrOGjLnAK89Y%2BmEf4g2U2YbO04EE%2BcdR5xPgcch1%2B1Gf4thYCgBcbKEEIfNK5UrJwBpAkYRm3D9xsnD%2FVxZt26yLC6aQy87D%2FKNC9aLvViRHGxuFgOp4zkcU%2BRD6mmpIB8SpX5%2BDpocWc4s9R%2BywRPXZ2U2E49g81i%2B5io3Ycqe8ikdjbPlZo9R0KEFLaDQtH", "https://vtbehaviour.commondatastorage.googleapis.com/37efacb8411234dd9882d8d3a8709f492eb2ed252132da099a11be07c0b4ccb0_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775190199&Signature=RiO2p%2BBvc38TqeTuiMJNxoT6Jr3JfHvTQFQIk94ZaRY%2FPP5yEPSH45GncMCh4GqP1%2F%2BNLR2IVm5Z2svEWojLwxq%2Fl0eIAWy1chUQmg2GcEg5YoaEEnXpWjb1er08EIYwV0ZC8parFwVrr194MKeUmZYo5NLYk4%2BCim9ipnxYse12eROsMSXZtyS4daGivzQzihRqTUU9iEn%2FxAKEOI%2F3V8JRrqNy3nDqmo1mdoVr", "https://vtbehaviour.commondatastorage.googleapis.com/bc20f137a2281fae2ee13f698e613e72c37f6b4eb6784653f284f11f4d83ba77_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775190236&Signature=Fg7jPZWmHQO%2BH8GRQx%2FxSMq5Na7Oo9cN0HR99DHFY8svYTkPoerGELKx7Sf906aTDq2Rer45ajXeYPzzHTiab9NKqWR1JGHbaq0WapVqsRzvXz2QLuBhHoz50tIoVKnx8ZrN9HqHBQweg8nfN%2FWEoaHVlSgav3jhoNTnZAC%2Fa%2BsTLexjXFBIP2v4jpISAl82ESU%2FGZH64BtZpgIJz7RZXdDqZ3LF7JTgwG2JX94%2BOOSn3G14", "https://vtbehaviour.commondatastorage.googleapis.com/5dae281deccea2c5229861b4f2ff8c386da1726a836839961311896a6c9f5a69_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775190298&Signature=eEF6m7QHRnKk%2FYB374HxqU2TE0p8gXC9CWwIHPT7M6fEZKjeFUEmUEbqdupsD2hQQbkW%2Fmijo2rSEQ30q3EAyR9aQO3m6L91A6osc3kDipeyZqFrIqoj6wIe8MJGuRf4OC9cVAWipGYXPG5bqc3v6RUHir9MeLOggoGjalexCwBgs3SsGyhqU1uWZdJ%2Fs4nUbHyIJGc3FB9OrnhDRuGPdkfPSOA09hfujcul91zQNws4dznvmM", "https://vtbehaviour.commondatastorage.googleapis.com/a0fb314babd51dbc460ab126b615da4c6f9481f5d1225d0ac189da9d99923bb3_VirusTotal%20Droidy.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775190345&Signature=33%2BM36uNOvEfi8bNtJvnbxcTgcnoIlIO2vBglXpCJFNwC8HAewGOF91Q26TOAsw4sbmtTxQ2F5Q2jv2V3ULV8MAxxgYVptJ69SusRt7qZeBDUpMY%2BOdTYqjkdBuYUqYiCvM756aQheS1KvDepeD64x8e%2FivWkpm%2BZ9yDaKUc7w2143zYkc8kpyBSsO8rJI9vyoHYvbr4sfZOowoUWK7yMjQD9SN5bL%2FFABbMrPEOMyobApm", "https://vtbehaviour.commondatastorage.googleapis.com/06b6d62477011fa63fdb44046351fbe574391916a4f3ea0486b3e3498145a7d7_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775190407&Signature=Y3EAa%2Fwo4ligJHfBUxkzWLjU9FPLyNmsxeNdcPCIPQBYTTGUIaFddrFIYHFhawxMDvixd7uA0qGc0zVDWgbStf2qhTOU1D0aF%2F%2BSLSXEY3VB8oWRXZCEI12zrSd5P4lHInxRS3CJKbNnJP4GvYx20ctpNSo4u%2FvVMLM%2B92TiYCunAVTquDVrFNNim6LJTEz2ucjhcgF2gKn%2FF0f9ALEheC1lk4omwpcYEPQLNX0wNsxNC%2BWQ", "https://vtbehaviour.commondatastorage.googleapis.com/bb46c18b5b2c98937c8fdfb7acd3e0fa4d0534cfc44d4b41ccd6db9198266fbf_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775190605&Signature=Rcvj5v%2By7yAX52ap8q3zDGTMjVRQm1LkjuWyhDQUaO6QXR1Ld%2F1dD2QjluOGOuXNiW%2FMNP%2Bqj%2Bx6KtYCvttE847keFo1Em2Bm%2F8bv4vK%2FJL0nGIiz%2FatgO7O78LZZ1wkYwcfG5JZAj8VdjDlHQbuOIUz8Nahqt2JUyQ84z3OeH5d3%2BjV8NKW5SjGWQw4mcmjPQXUznoCsysLbjCd5sgZTpyLUdeFJcNKQPiNBURsJeiyCI5llz0j", "https://www.googletagmanager.com/gtag/js?id=GT-NNS2QH6C", "https://www.googletagmanager.com/ns.html?id=GTM-PHWTRTJ", "https://www.virustotal.com/gui/url/f6db0235760bd467ca822ad515a8410121fde4713501b3e718b8fb127dfa259c?nocache=1", "https://www.massbroadcasters.org/eeo-organizations/marshfield-high-school", "https://www.findagrave.com/memorial/139047900/peter-deftos", "https://vtbehaviour.commondatastorage.googleapis.com/a041cbdeb64c802bde90e06f25213524b2eac500d6000da7e4caeb96e5de1991_VirusTotal%20Droidy.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775191439&Signature=evxsL1kaOuLe5KziYCSqZ56H%2FqXRQgEN0tkJo0j5G7JQ3mmO0Kav5K9LCz%2FUEzi%2BdtB%2B3%2B7VM6r9pC%2BMh7nHxT%2Bs8UAYuVXPE%2FUbBdHWMjvZQuqrZ0hHqIR2xHVB132HiYQWLo%2FgS1QATOfAcHci3X4FqmqvUp7A%2FmNsE1aVFbLc971RHQOuTapOGhiDZlVUyA9KvpMDKw0DzdeHFSlayBSrDDsWL7xW06XOf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1406", "name": "Obfuscated Files or Information", "display_name": "T1406 - Obfuscated Files or Information" }, { "id": "T1409", "name": "Access Stored Application Data", "display_name": "T1409 - Access Stored Application Data" }, { "id": "T1412", "name": "Capture SMS Messages", "display_name": "T1412 - Capture SMS Messages" }, { "id": "T1413", "name": "Access Sensitive Data in Device Logs", "display_name": "T1413 - Access Sensitive Data in Device Logs" }, { "id": "T1414", "name": "Capture Clipboard Data", "display_name": "T1414 - Capture Clipboard Data" }, { "id": "T1418", "name": "Application Discovery", "display_name": "T1418 - Application Discovery" }, { "id": "T1421", "name": "System Network Connections Discovery", "display_name": "T1421 - System Network Connections Discovery" }, { "id": "T1422", "name": "System Network Configuration Discovery", "display_name": "T1422 - System Network Configuration Discovery" }, { "id": "T1424", "name": "Process Discovery", "display_name": "T1424 - Process Discovery" }, { "id": "T1426", "name": "System Information Discovery", "display_name": "T1426 - System Information Discovery" }, { "id": "T1429", "name": "Capture Audio", "display_name": "T1429 - Capture Audio" }, { "id": "T1430", "name": "Location Tracking", "display_name": "T1430 - Location Tracking" }, { "id": "T1432", "name": "Access Contact List", "display_name": "T1432 - Access Contact List" }, { "id": "T1439", "name": "Eavesdrop on Insecure Network Communication", "display_name": "T1439 - Eavesdrop on Insecure Network Communication" }, { "id": "T1447", "name": "Delete Device Data", "display_name": "T1447 - Delete Device Data" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1507", "name": "Network Information Discovery", "display_name": "T1507 - Network Information Discovery" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1523", "name": "Evade Analysis Environment", "display_name": "T1523 - Evade Analysis Environment" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 70, "FileHash-SHA1": 40, "FileHash-SHA256": 549, "URL": 344, "domain": 292, "hostname": 443, "IPv4": 127 }, "indicator_count": 1865, "is_author": false, "is_subscribing": null, "subscriber_count": 49, "modified_text": "16 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69cf461ceb2e58f5e3c0a44d", "name": "VirusTotal Droidy Android Sandbox", "description": "Here is the full list of results from the second day of the 2016 Android World Championship, held at 22:00 BST on Tuesday, 1 July.. . and \u00c2\u00a31.\n\ni cant add this one - legacy - http://100tosdefotos.com/", "modified": "2026-04-03T04:48:04.475000", "created": "2026-04-03T04:46:20.102000", "tags": [ "process", "current object", "android sandbox", "europemadrid", "windows sandbox", "clear filters", "has permission", "file type", "apks", "accesses", "sim provider", "name", "may check", "mitre attack", "network info", "malicious", "persistence", "cloud", "chrome cache", "png image", "cache entry", "rgba", "entry", "web open", "font format", "version", "truetype", "next", "detail info", "text", "classname", "window", "static", "behaviour", "filename", "offset", "class", "button", "mozilla", "shell", "nsis", "find", "back", "state", "connecting", "connected", "suspended", "disconnected", "unknown", "shell folders", "default", "inprocserver32", "new roman", "registry keys", "nothing", "shell dlg", "roman baltic186", "roman cyr204", "roman tur162", "xffxfea xffxfea", "xffu xffu", "xffxfcs xffxfcs", "x8af x8af", "xb6p xb6p", "xb6y xb6y", "x88g x88g", "xb6xf2 xb6xf2", "xfft", "xc1xe7 xc1xe7", "axec", "programfiles", "allusersprofile", "windir", "protocol level", "application", "previous", "next connection", "address", "full path", "behavior", "bits", "dump", "path", "calls clear", "eandroidruntime", "pufwifi", "flag", "networkinfo", "action", "extras", "start", "componentname", "write", "calls process", "cname", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "address virtual", "path c", "sha256", "accept", "shutdown", "error", "sandbox", "stack", "win32 exe", "pe32", "intel", "ms windows", "win16 ne", "os2 executable", "generic windos", "executable", "dos executable", "generic", "processes extra", "performs dns", "t1055 process", "overview", "overview zenbox", "verdict", "guest system", "ultimate file", "android", "zip archive", "xapk android", "android package", "java archive", "sweet home", "design", "html document", "unicode text", "utf8 text", "crlf", "lf line", "language", "date mon", "gmt contenttype", "connection", "link", "json", "xlitespeedcache", "reportto", "server", "contentencoding", "cfray", "king88", "ch cng", "c thit", "c bit", "iu hp", "trang ch", "king88 com", "ci ng", "cp s", "c vit", "object", "string", "number", "null", "function", "g5wmgjr5qk4", "cssselector", "regexp", "date", "void", "trident", "mini", "meta", "please", "javascript", "members", "staff", "inspection", "abip", "local broadcast", "newsletter fcc", "resource center", "marshfield high", "school", "localism join", "facebook", "contact", "summer", "grave", "email", "photo", "strong", "peter deftos", "sign", "learn", "memorial", "leave", "problem", "done", "already", "close", "verify", "twitter", "details", "full", "persist", "editorimpl" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/a0fb314babd51dbc460ab126b615da4c6f9481f5d1225d0ac189da9d99923bb3_VirusTotal%20Droidy.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775189779&Signature=KfMCCyf96T3bMlo9SpmV1KGK0zKBbkhhSc6Ig5Hvwfx%2FTKTqEVBDXB28XNeWzWbCRTwCNnYlHV3Ed%2BMjcd%2B1aCTDYi5GH9Qw3msxqk5iKwRhzDIhfpM98SwOLC%2B7xZUAC60ecDmVDsjA9OOwOkJe87q3Rrx2lrU9%2BjuSJ1EdwI16qoJyd29sLcX7STTqAMHuzCjIixIOre64HAjpH4lt%2F8tSgE1A5Rs2V7PRHSX6ibKLD", "https://vtbehaviour.commondatastorage.googleapis.com/a0fb314babd51dbc460ab126b615da4c6f9481f5d1225d0ac189da9d99923bb3_VirusTotal%20R2DBox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775189811&Signature=O96heM5BVAaltXSZInHXgIgK35KjLrLg%2FfKtFXVS%2BoRHTlfpZtn4LpFvolATpK7dED66Ms7SXpn8nX0i7j1IpuDOXOXSm112TOKIKVVPZJH5ppCD6uFYvhkfNcQGa%2FXK%2BDixyM%2BuqwGoJSFD6QzP8J2Iz1GyU4RYYWuB2C7ZD7LOWKlvxF%2F9LTAX8jFDLgFVsE3Og3cU8y3jK%2BenDPthRM6YFu3qewxpti7KVNwKeMJ", "https://vtbehaviour.commondatastorage.googleapis.com/a0fb314babd51dbc460ab126b615da4c6f9481f5d1225d0ac189da9d99923bb3_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775189872&Signature=P%2Fa2KXhuVwj4RO8cyfIpkYofLKzsLiKRPHuVAi7hjApskLh84OqCfKuK51z7bTKZd8lCCiQ7XuIaxWQDR7qzDFvuCWutobNhKDdHSDLrTMtqqX3o5RmBpSzMUw3jQJcbxsYWqaOMHy8ZeWEVRuB9orvLwMZbJMMIJM8GhUVHZ6%2BwciVIoj0lYTCb%2FEEkQWTV4g3hs9l8KRzbEfvJGja6ANuv1OtdFLk8pejrraAJMB7ThsjINOXbJb", "https://vtbehaviour.commondatastorage.googleapis.com/5dae281deccea2c5229861b4f2ff8c386da1726a836839961311896a6c9f5a69_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775189913&Signature=KduKv0QQf8IKhUUAV%2F0zpzpUmIU%2BEctpJKxUJlyu0Myu11iCQCXfXPprtMBAv5ifc4GLTHDiIuEAJwg%2B%2BHGWjun5ZKLKzoz8Ot2udHqFxvy6ZToPEC4Iui9vdRDHqosVaT77R1Tm1TGuyKVmwYTcow4klVAcpzEWanzWx1jHS42ARepJVrS3AFXHMaaBdTgr23jXcbmly1t3b8lwVilcsk2itdoprPpClQTzwYr1y7YV1%2FbYTDGocHnDwCYy", "https://vtbehaviour.commondatastorage.googleapis.com/37efacb8411234dd9882d8d3a8709f492eb2ed252132da099a11be07c0b4ccb0_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775189954&Signature=2gy%2BsyEM78P6orDGWKQU%2FFPSIdVK9X7o8Nkcwb%2BY4r%2FCb%2Bo9JmA9T%2Bfonw9IqbojQSIK%2BNShZUJJ9GV4wWT5l1QfkYfZP0MJ91%2BkDw39PLOc4VVgmBApIQJRTIlgSlI020YfOeIPoIYH8yuCF2dJ32zKg87g0dDFkg4zbExGDJB3%2BGDxX5MJ6hHuzVrwxm7E1L%2F%2FffKQ%2B9rXqoT0hRHEdPSaXSydmnqfMfnjCv", "https://vtbehaviour.commondatastorage.googleapis.com/970fdc4da66bc8fff977698c150fc6ebdf9488356ed41ded52d2659830ec5353_VirusTotal%20Droidy.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775189984&Signature=f%2FZZkKTu5zUihkCuCj%2F0pEGmBjWWBiZRDmREgGkkkKvTyR7M5iC0oLGYfaL6WibiUB6pQirxgBtEcS2JtupD291Or3j7%2BKoyngW7R9uf%2FjjWQwfC5YHKjNutT6K5TYuEmzySVs9onhIBSjj4U%2Bi2q%2FMJmQFiDtFZHfcyy00LYqbAbBwEAUnVJZUdH6FvNBu4ArU26VDLDwv1nMSgEjxUWBCwiP4HXlwL5%2BxU6y0eTc2", "https://vtbehaviour.commondatastorage.googleapis.com/37efacb8411234dd9882d8d3a8709f492eb2ed252132da099a11be07c0b4ccb0_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775190004&Signature=Nzt9YHY3Ji2VsLO1kvr7%2FyWWwOgo%2BCIoXyjtyshhzTGRxGzhcNdyKU9byPqyv%2F5YAzj%2BmNnDego3ImYeToBCbgyY%2BJJMmUKX6ZrUT1a2O4gv9eMyysIFgYhJ7ZpzyGIvHR5VSJlzPX0AWS81Ml7syDCjTGHikZ9G%2B%2B0cfDA0dhp%2FR7zhAp7yxB2jsDhz1kDY3nncYpjeVtj2o02Nt4JxPa5ML%2FvKBF%2FBHtOtBCqh%2", "https://vtbehaviour.commondatastorage.googleapis.com/1256f3aa5f091ac40a573113fcc1a4d0e320af5ee363b0eca79618602cb7dc66_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775190083&Signature=a1bnyt5OUcTN8ONeNVqbY%2Fe%2FDVJ2N3olQ9r59dijMLLegF84xQDghj0r6VPdFB8fc%2B3QTcJqhpm6vag1pK9us%2F3UqDJ3Yubf%2FukjL4GMKXDdMSggljB7d%2FpkTraQysnttspVal56LzXitjgIEGYZTidKcIv5LM6YH4zCAXn%2BVueaBNIgpcDS0RuX8fVAQYOeftW9AiEz2TZzx1BT6KUgoj0Tzetn4k541357bb58K1w9n9QV1", "https://vtbehaviour.commondatastorage.googleapis.com/1256f3aa5f091ac40a573113fcc1a4d0e320af5ee363b0eca79618602cb7dc66_Dr.Web%20vxCube.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775190146&Signature=3XpRLUQ3g712Vw0Gv1aflVxZs7RKpzIhEK8giO9ydwOrOGjLnAK89Y%2BmEf4g2U2YbO04EE%2BcdR5xPgcch1%2B1Gf4thYCgBcbKEEIfNK5UrJwBpAkYRm3D9xsnD%2FVxZt26yLC6aQy87D%2FKNC9aLvViRHGxuFgOp4zkcU%2BRD6mmpIB8SpX5%2BDpocWc4s9R%2BywRPXZ2U2E49g81i%2B5io3Ycqe8ikdjbPlZo9R0KEFLaDQtH", "https://vtbehaviour.commondatastorage.googleapis.com/37efacb8411234dd9882d8d3a8709f492eb2ed252132da099a11be07c0b4ccb0_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775190199&Signature=RiO2p%2BBvc38TqeTuiMJNxoT6Jr3JfHvTQFQIk94ZaRY%2FPP5yEPSH45GncMCh4GqP1%2F%2BNLR2IVm5Z2svEWojLwxq%2Fl0eIAWy1chUQmg2GcEg5YoaEEnXpWjb1er08EIYwV0ZC8parFwVrr194MKeUmZYo5NLYk4%2BCim9ipnxYse12eROsMSXZtyS4daGivzQzihRqTUU9iEn%2FxAKEOI%2F3V8JRrqNy3nDqmo1mdoVr", "https://vtbehaviour.commondatastorage.googleapis.com/bc20f137a2281fae2ee13f698e613e72c37f6b4eb6784653f284f11f4d83ba77_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775190236&Signature=Fg7jPZWmHQO%2BH8GRQx%2FxSMq5Na7Oo9cN0HR99DHFY8svYTkPoerGELKx7Sf906aTDq2Rer45ajXeYPzzHTiab9NKqWR1JGHbaq0WapVqsRzvXz2QLuBhHoz50tIoVKnx8ZrN9HqHBQweg8nfN%2FWEoaHVlSgav3jhoNTnZAC%2Fa%2BsTLexjXFBIP2v4jpISAl82ESU%2FGZH64BtZpgIJz7RZXdDqZ3LF7JTgwG2JX94%2BOOSn3G14", "https://vtbehaviour.commondatastorage.googleapis.com/5dae281deccea2c5229861b4f2ff8c386da1726a836839961311896a6c9f5a69_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775190298&Signature=eEF6m7QHRnKk%2FYB374HxqU2TE0p8gXC9CWwIHPT7M6fEZKjeFUEmUEbqdupsD2hQQbkW%2Fmijo2rSEQ30q3EAyR9aQO3m6L91A6osc3kDipeyZqFrIqoj6wIe8MJGuRf4OC9cVAWipGYXPG5bqc3v6RUHir9MeLOggoGjalexCwBgs3SsGyhqU1uWZdJ%2Fs4nUbHyIJGc3FB9OrnhDRuGPdkfPSOA09hfujcul91zQNws4dznvmM", "https://vtbehaviour.commondatastorage.googleapis.com/a0fb314babd51dbc460ab126b615da4c6f9481f5d1225d0ac189da9d99923bb3_VirusTotal%20Droidy.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775190345&Signature=33%2BM36uNOvEfi8bNtJvnbxcTgcnoIlIO2vBglXpCJFNwC8HAewGOF91Q26TOAsw4sbmtTxQ2F5Q2jv2V3ULV8MAxxgYVptJ69SusRt7qZeBDUpMY%2BOdTYqjkdBuYUqYiCvM756aQheS1KvDepeD64x8e%2FivWkpm%2BZ9yDaKUc7w2143zYkc8kpyBSsO8rJI9vyoHYvbr4sfZOowoUWK7yMjQD9SN5bL%2FFABbMrPEOMyobApm", "https://vtbehaviour.commondatastorage.googleapis.com/06b6d62477011fa63fdb44046351fbe574391916a4f3ea0486b3e3498145a7d7_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775190407&Signature=Y3EAa%2Fwo4ligJHfBUxkzWLjU9FPLyNmsxeNdcPCIPQBYTTGUIaFddrFIYHFhawxMDvixd7uA0qGc0zVDWgbStf2qhTOU1D0aF%2F%2BSLSXEY3VB8oWRXZCEI12zrSd5P4lHInxRS3CJKbNnJP4GvYx20ctpNSo4u%2FvVMLM%2B92TiYCunAVTquDVrFNNim6LJTEz2ucjhcgF2gKn%2FF0f9ALEheC1lk4omwpcYEPQLNX0wNsxNC%2BWQ", "https://vtbehaviour.commondatastorage.googleapis.com/bb46c18b5b2c98937c8fdfb7acd3e0fa4d0534cfc44d4b41ccd6db9198266fbf_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775190605&Signature=Rcvj5v%2By7yAX52ap8q3zDGTMjVRQm1LkjuWyhDQUaO6QXR1Ld%2F1dD2QjluOGOuXNiW%2FMNP%2Bqj%2Bx6KtYCvttE847keFo1Em2Bm%2F8bv4vK%2FJL0nGIiz%2FatgO7O78LZZ1wkYwcfG5JZAj8VdjDlHQbuOIUz8Nahqt2JUyQ84z3OeH5d3%2BjV8NKW5SjGWQw4mcmjPQXUznoCsysLbjCd5sgZTpyLUdeFJcNKQPiNBURsJeiyCI5llz0j", "https://www.googletagmanager.com/gtag/js?id=GT-NNS2QH6C", "https://www.googletagmanager.com/ns.html?id=GTM-PHWTRTJ", "https://www.virustotal.com/gui/url/f6db0235760bd467ca822ad515a8410121fde4713501b3e718b8fb127dfa259c?nocache=1", "https://www.massbroadcasters.org/eeo-organizations/marshfield-high-school", "https://www.findagrave.com/memorial/139047900/peter-deftos", "https://vtbehaviour.commondatastorage.googleapis.com/a041cbdeb64c802bde90e06f25213524b2eac500d6000da7e4caeb96e5de1991_VirusTotal%20Droidy.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775191439&Signature=evxsL1kaOuLe5KziYCSqZ56H%2FqXRQgEN0tkJo0j5G7JQ3mmO0Kav5K9LCz%2FUEzi%2BdtB%2B3%2B7VM6r9pC%2BMh7nHxT%2Bs8UAYuVXPE%2FUbBdHWMjvZQuqrZ0hHqIR2xHVB132HiYQWLo%2FgS1QATOfAcHci3X4FqmqvUp7A%2FmNsE1aVFbLc971RHQOuTapOGhiDZlVUyA9KvpMDKw0DzdeHFSlayBSrDDsWL7xW06XOf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1406", "name": "Obfuscated Files or Information", "display_name": "T1406 - Obfuscated Files or Information" }, { "id": "T1409", "name": "Access Stored Application Data", "display_name": "T1409 - Access Stored Application Data" }, { "id": "T1412", "name": "Capture SMS Messages", "display_name": "T1412 - Capture SMS Messages" }, { "id": "T1413", "name": "Access Sensitive Data in Device Logs", "display_name": "T1413 - Access Sensitive Data in Device Logs" }, { "id": "T1414", "name": "Capture Clipboard Data", "display_name": "T1414 - Capture Clipboard Data" }, { "id": "T1418", "name": "Application Discovery", "display_name": "T1418 - Application Discovery" }, { "id": "T1421", "name": "System Network Connections Discovery", "display_name": "T1421 - System Network Connections Discovery" }, { "id": "T1422", "name": "System Network Configuration Discovery", "display_name": "T1422 - System Network Configuration Discovery" }, { "id": "T1424", "name": "Process Discovery", "display_name": "T1424 - Process Discovery" }, { "id": "T1426", "name": "System Information Discovery", "display_name": "T1426 - System Information Discovery" }, { "id": "T1429", "name": "Capture Audio", "display_name": "T1429 - Capture Audio" }, { "id": "T1430", "name": "Location Tracking", "display_name": "T1430 - Location Tracking" }, { "id": "T1432", "name": "Access Contact List", "display_name": "T1432 - Access Contact List" }, { "id": "T1439", "name": "Eavesdrop on Insecure Network Communication", "display_name": "T1439 - Eavesdrop on Insecure Network Communication" }, { "id": "T1447", "name": "Delete Device Data", "display_name": "T1447 - Delete Device Data" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1507", "name": "Network Information Discovery", "display_name": "T1507 - Network Information Discovery" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1523", "name": "Evade Analysis Environment", "display_name": "T1523 - Evade Analysis Environment" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 70, "FileHash-SHA1": 40, "FileHash-SHA256": 549, "URL": 344, "domain": 293, "hostname": 443, "IPv4": 127 }, "indicator_count": 1866, "is_author": false, "is_subscribing": null, "subscriber_count": 49, "modified_text": "16 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "", "The pivot from cd398983... to this domain confirms a multi-year campaign (2019\u20132023) utilizing Namecheap-registered infrastructure to orchestrate wide-scale T1110.001 brute-force operations while bypassing standard PKI expiration checks.", "https://vtbehaviour.commondatastorage.googleapis.com/37efacb8411234dd9882d8d3a8709f492eb2ed252132da099a11be07c0b4ccb0_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775190004&Signature=Nzt9YHY3Ji2VsLO1kvr7%2FyWWwOgo%2BCIoXyjtyshhzTGRxGzhcNdyKU9byPqyv%2F5YAzj%2BmNnDego3ImYeToBCbgyY%2BJJMmUKX6ZrUT1a2O4gv9eMyysIFgYhJ7ZpzyGIvHR5VSJlzPX0AWS81Ml7syDCjTGHikZ9G%2B%2B0cfDA0dhp%2FR7zhAp7yxB2jsDhz1kDY3nncYpjeVtj2o02Nt4JxPa5ML%2FvKBF%2FBHtOtBCqh%2", "https://vtbehaviour.commondatastorage.googleapis.com/bc3cc97398d5f56a4731085e8a385694f6ef1ab37243c6c00deed4a1335ced55_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775281954&Signature=Tythlx%2B0x7Dzf2SYvJDgwby2Ifinb7IbK5GTx%2ByqvqVc1r4cz7rhoVD3NZqUAgUpxSkIAsRAK5WV5tMXUGiiB6JWp8Y9YmaL7Zhb5NxMBcodk57r7XhYzEbDxYg%2Fh1ChwMliA5cBr%2BXbUcW4q2aA4xQeNE1XVNpalGtyHh8bsDTKgQG0Ch1gikPF%2BeKc2ANprXe6z%2FJBXtqJBxh6%2Bem6fGON6%2BpRP1%2BgmNg4%2FtFnlQ", "https://vtbehaviour.commondatastorage.googleapis.com/ffe3319990984c10c84fc18f6c1d40b2c7ad44666ebc2b54368bd96327ec6abc_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775283093&Signature=GU02WhsC3g0ztmDdXDNuqx9T9POv8DnaMp7NQX%2B70%2FybCmZtbIpyPiUCOuYG5ZD1RY8bCIR9k%2F%2BGsKSwWLVUNNih3CgvqShoWsNfLKvtS%2BDRbmV6G4ohLWIP0xPHJOCA%2FWvnSdblJ%2FdibwXFCT851RdpfK3f6ph2EPHXIq%2FBwhSc28%2BJfFSMK%2B1toESpR7COi%2FUwpnMfcoSpcIMZudaaU8JrTvEVLgtJ%2FAgHjmfoXxvJlD", "https://vtbehaviour.commondatastorage.googleapis.com/ba49f65ef5d694311c535991812ee2fa8f0c639f4e053d136c1161b8b1bfaf8f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775282803&Signature=CE28%2B8Orp96YBz3AWi4L4LJoj5B677T4lpyJl4VIG%2BN68qLtOorzpmY%2BdQgPcKJxqxcvmf3JmeA2zAZFyVdmEzznUnaiSY6xhbkbZ8nrReWLN9MBQZJuFd6by3aYlQoYFg2Bxu5d%2FLEAxWm4ljnJApBcv1csUNbJ8KxjkdXXAyPkiWPwMc4JDmXrnH5%2FXBQ7Tf1qxmze1lX2S5QvktDVUA3Bdn67nGtMvguY5EIl7tj1AezbuTFM", "By operating through WhoisGuard-protected infrastructure and exploiting XOR 0x20 obfuscation, the adversary effectively suppresses telemetry into skim space, successfully bypassing DMARC and Microsoft-integrated trust-chain validation.", "The local environment exhibits advanced telemetry suppression within specialized skim memory regions, effectively neutralizing standard DMARC validation and Microsoft-integrated defensive protocols.", "WHOIS data anchors administrative and technical operations for prioritywirreles.com in Los Angeles, CA (90064) via Namecheap infrastructure. Following its 2020 expiration, the domain has transitioned into redemptionPeriod/pendingDelete status, signaling the formal decommissioning of this C2 asset.", "https://vtbehaviour.commondatastorage.googleapis.com/fa8a59149604c73572bf92b42640de49faa7e8f16cd4bc18345d3e6a16378744_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775282044&Signature=Y%2FEJZwm3h4tUuhn9%2FgO7QDcTnUoojZIDnoL%2FuGaoe0o5h%2FPUEiZpyFQLH9JfrvNN0h58UWlcJNCMxaSZl%2BZDvBDliVat0wDr0fE35mo0jGTK3uwa7DykFrjyI0NAVFlzkVSyxC0euM4lSJaw9PqyJGgLb4FfaztkzK7ZQYTIsGMYWSsCAKzatCObwK%2B8nqV63M9VXUeJy8ZQx7IwbttNffD6FQUaPbtCwlsywb%2Bu7NVqkFSG", "https://vtbehaviour.commondatastorage.googleapis.com/a0fb314babd51dbc460ab126b615da4c6f9481f5d1225d0ac189da9d99923bb3_VirusTotal%20R2DBox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775189811&Signature=O96heM5BVAaltXSZInHXgIgK35KjLrLg%2FfKtFXVS%2BoRHTlfpZtn4LpFvolATpK7dED66Ms7SXpn8nX0i7j1IpuDOXOXSm112TOKIKVVPZJH5ppCD6uFYvhkfNcQGa%2FXK%2BDixyM%2BuqwGoJSFD6QzP8J2Iz1GyU4RYYWuB2C7ZD7LOWKlvxF%2F9LTAX8jFDLgFVsE3Og3cU8y3jK%2BenDPthRM6YFu3qewxpti7KVNwKeMJ", "https://vtbehaviour.commondatastorage.googleapis.com/a0fb314babd51dbc460ab126b615da4c6f9481f5d1225d0ac189da9d99923bb3_VirusTotal%20Droidy.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775189779&Signature=KfMCCyf96T3bMlo9SpmV1KGK0zKBbkhhSc6Ig5Hvwfx%2FTKTqEVBDXB28XNeWzWbCRTwCNnYlHV3Ed%2BMjcd%2B1aCTDYi5GH9Qw3msxqk5iKwRhzDIhfpM98SwOLC%2B7xZUAC60ecDmVDsjA9OOwOkJe87q3Rrx2lrU9%2BjuSJ1EdwI16qoJyd29sLcX7STTqAMHuzCjIixIOre64HAjpH4lt%2F8tSgE1A5Rs2V7PRHSX6ibKLD", "https://vtbehaviour.commondatastorage.googleapis.com/a041cbdeb64c802bde90e06f25213524b2eac500d6000da7e4caeb96e5de1991_VirusTotal%20Droidy.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775191439&Signature=evxsL1kaOuLe5KziYCSqZ56H%2FqXRQgEN0tkJo0j5G7JQ3mmO0Kav5K9LCz%2FUEzi%2BdtB%2B3%2B7VM6r9pC%2BMh7nHxT%2Bs8UAYuVXPE%2FUbBdHWMjvZQuqrZ0hHqIR2xHVB132HiYQWLo%2FgS1QATOfAcHci3X4FqmqvUp7A%2FmNsE1aVFbLc971RHQOuTapOGhiDZlVUyA9KvpMDKw0DzdeHFSlayBSrDDsWL7xW06XOf", "https://vtbehaviour.commondatastorage.googleapis.com/68e1e958d101feb1044553d3e8ba341448a17d917e4b613cb05873814159ed40_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775282913&Signature=TKCWJVTu8VHNWLhsI%2BkIN06KJgV4R1%2F2oO9G3V2x%2Bdxi14E9JDPHosmNkN%2Fk02BRc0I8Yg4HJPmcxjdAvb8mTCZjA10bizFznZC3epwH0hmoxTVgryMxpD%2B7zTQqKIRpE9UGGC1WSu0CTJ3rI9dCyopLkmeiyJPVw%2BIuERp37p2MEwzwwIPRuYpB190GfOdCkGt6TuMjDG6cVa%2BxvJlEdoEw8US6W8WPaioxSu1KVCoKjwky", "https://vtbehaviour.commondatastorage.googleapis.com/37efacb8411234dd9882d8d3a8709f492eb2ed252132da099a11be07c0b4ccb0_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775190199&Signature=RiO2p%2BBvc38TqeTuiMJNxoT6Jr3JfHvTQFQIk94ZaRY%2FPP5yEPSH45GncMCh4GqP1%2F%2BNLR2IVm5Z2svEWojLwxq%2Fl0eIAWy1chUQmg2GcEg5YoaEEnXpWjb1er08EIYwV0ZC8parFwVrr194MKeUmZYo5NLYk4%2BCim9ipnxYse12eROsMSXZtyS4daGivzQzihRqTUU9iEn%2FxAKEOI%2F3V8JRrqNy3nDqmo1mdoVr", "Pivot-Ready Indicators (IOCs) Go BuildID: nGYES3pajdOmKy1i6Ghh/KO9ydOtZpXtoKtB0KHE-/iisNoniHgTbj_cV6M-uk/XmMYzkBiZs8NXMRZYTiT Telfhash: t1f303a0b3055d54e8b7f08907c7af7624cef6e0f726d078f169e278d09a72c826626874 Imphash: 9698f46495ce9401c8bcaf9a2afe1598 Vhash: 1e53f1a1b59ecb93f821c74b25d81e9f", "https://www.findagrave.com/memorial/139047900/peter-deftos", "This ELF 32-bit LSB artifact is a sophisticated GoBrut/StealthWorker agent, compiled via Golang 1.10 and stripped to obfuscate its high-velocity service-bruting logic. VirusTotal confirms a critical threat profile with 44/65 security vendors flagging the file, which leverages a unique Go BuildID (nGYES3pajdOm...) and a Telfhash (t1f303a0...) for architectural fingerprinting. The binary orchestrates decentralized Command and Control (C2) through an expansive infrastructure of 797 unique IPs and 1,834 domains", "https://vtbehaviour.commondatastorage.googleapis.com/bb46c18b5b2c98937c8fdfb7acd3e0fa4d0534cfc44d4b41ccd6db9198266fbf_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775190605&Signature=Rcvj5v%2By7yAX52ap8q3zDGTMjVRQm1LkjuWyhDQUaO6QXR1Ld%2F1dD2QjluOGOuXNiW%2FMNP%2Bqj%2Bx6KtYCvttE847keFo1Em2Bm%2F8bv4vK%2FJL0nGIiz%2FatgO7O78LZZ1wkYwcfG5JZAj8VdjDlHQbuOIUz8Nahqt2JUyQ84z3OeH5d3%2BjV8NKW5SjGWQw4mcmjPQXUznoCsysLbjCd5sgZTpyLUdeFJcNKQPiNBURsJeiyCI5llz0j", "By maintaining a hollowed root posture, the sample facilitates persistent, low-signal synchronization with external cloud infrastructure while bypassing traditional heuristic trust-chain verification.", "The domain prioritywirreles.com (registered via NAMECHEAP INC) shows a 4/93 detection ratio, confirming it is a live but \"low-noise\" C2 node used to avoid broad-spectrum blacklisting", "https://vtbehaviour.commondatastorage.googleapis.com/06b6d62477011fa63fdb44046351fbe574391916a4f3ea0486b3e3498145a7d7_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775190407&Signature=Y3EAa%2Fwo4ligJHfBUxkzWLjU9FPLyNmsxeNdcPCIPQBYTTGUIaFddrFIYHFhawxMDvixd7uA0qGc0zVDWgbStf2qhTOU1D0aF%2F%2BSLSXEY3VB8oWRXZCEI12zrSd5P4lHInxRS3CJKbNnJP4GvYx20ctpNSo4u%2FvVMLM%2B92TiYCunAVTquDVrFNNim6LJTEz2ucjhcgF2gKn%2FF0f9ALEheC1lk4omwpcYEPQLNX0wNsxNC%2BWQ", "T1110.001 (Brute Force: Password Guessing)", "https://vtbehaviour.commondatastorage.googleapis.com/02b1749e96b257099d5bafaeb1fc502442b4e064cca63fbcf4fc52af34b6435d_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775283154&Signature=m%2BGdulpws9rcUoJIzr45sR5qJdIxK89UYb6GUJL6p7n4mgYV69NJWbc3Jslcn117UKHnbSYYtRZSBRhviHhLuWsbhUG199mW8iGDiwaarp%2BbvmEIw6OXF2MgVIh%2FrJYr8slRZbUwjd9t8dMWwn%2FM5DNq6AzLyBqpznrBoVrvlibZuA9pWsHraA3P24WyEGUlbWN3NqLfmJ6gDeCKRfG7zhubGI%2Bb8Wl8GaBCodOtX2LlrA", "https://www.massbroadcasters.org/eeo-organizations/marshfield-high-school", "LBresearcher: msudosos notes: The campaign's use of T1110.001 (Password Guessing) is specifically tuned to exhaust credentials across SSH, MySQL, and CMS backends, effectively recruiting server infrastructure into a global \"zombie\" network.", "https://vtbehaviour.commondatastorage.googleapis.com/5dae281deccea2c5229861b4f2ff8c386da1726a836839961311896a6c9f5a69_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775189913&Signature=KduKv0QQf8IKhUUAV%2F0zpzpUmIU%2BEctpJKxUJlyu0Myu11iCQCXfXPprtMBAv5ifc4GLTHDiIuEAJwg%2B%2BHGWjun5ZKLKzoz8Ot2udHqFxvy6ZToPEC4Iui9vdRDHqosVaT77R1Tm1TGuyKVmwYTcow4klVAcpzEWanzWx1jHS42ARepJVrS3AFXHMaaBdTgr23jXcbmly1t3b8lwVilcsk2itdoprPpClQTzwYr1y7YV1%2FbYTDGocHnDwCYy", "Obfuscation: XOR-based String Encryption (0x20)", "https://vtbehaviour.commondatastorage.googleapis.com/5dae281deccea2c5229861b4f2ff8c386da1726a836839961311896a6c9f5a69_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775190298&Signature=eEF6m7QHRnKk%2FYB374HxqU2TE0p8gXC9CWwIHPT7M6fEZKjeFUEmUEbqdupsD2hQQbkW%2Fmijo2rSEQ30q3EAyR9aQO3m6L91A6osc3kDipeyZqFrIqoj6wIe8MJGuRf4OC9cVAWipGYXPG5bqc3v6RUHir9MeLOggoGjalexCwBgs3SsGyhqU1uWZdJ%2Fs4nUbHyIJGc3FB9OrnhDRuGPdkfPSOA09hfujcul91zQNws4dznvmM", "Primary Hash (SHA256): cd3989830da99a69380901769fd78902efb3cd8ba5c9390e94bd4333b7fad186", "https://vtbehaviour.commondatastorage.googleapis.com/100a90c0ff019b19f0f2622cfa529d874f580b2ac6257d018e5eb9ab6d861f44_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775281904&Signature=B9x8BUVCeldkVImU%2Bb%2B7d97Q9Y2suAJFE1HvxBCu6MQUOt52HrgAUTBIeXPKgNP0gKiqrr%2BwDvN7q637Ht6n5C9QhuTPI%2FhWTub0F22jsp8lU2Pvp2bS%2FlaSchLRN5gDngyPABgnaqYERICP8QQkwfaB9pY%2Bii1%2FAeel%2BIDGYwxPPfIcYevejNv2O%2F0J6qYRftrtXwa95pbsecrfOzH6bpF3AzHQrTLJAuZ%2B%2BykW", "Researcher msudosos: This activity appears to facilitate a preliminary reconnaissance phase, possibly utilizing system commands to query /proc/cpuinfo and /proc/version for architectural profiling purposes.", "his technique allows the GoBrut/StealthWorker agent to circumvent automated revocation checks, enabling its decentralized C2 infrastructure to recruit Linux hosts via high-velocity credential exhaustion.", "https://vtbehaviour.commondatastorage.googleapis.com/1256f3aa5f091ac40a573113fcc1a4d0e320af5ee363b0eca79618602cb7dc66_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775190083&Signature=a1bnyt5OUcTN8ONeNVqbY%2Fe%2FDVJ2N3olQ9r59dijMLLegF84xQDghj0r6VPdFB8fc%2B3QTcJqhpm6vag1pK9us%2F3UqDJ3Yubf%2FukjL4GMKXDdMSggljB7d%2FpkTraQysnttspVal56LzXitjgIEGYZTidKcIv5LM6YH4zCAXn%2BVueaBNIgpcDS0RuX8fVAQYOeftW9AiEz2TZzx1BT6KUgoj0Tzetn4k541357bb58K1w9n9QV1", "https://vtbehaviour.commondatastorage.googleapis.com/3e6e0898a7b1b297d2b9322f5f578b02e2fd5d5647dbeef6b9273cda383e1547_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775283189&Signature=PtLPpZoeHrLkYIaV2etyfYslOxR9PtxqmjNNDdMHoJjBUuweFaoOVGyfkf%2BUGEiGQCogCu7az%2B4btIJ3frL%2BEdzwNV7Ufeb24KQqbVUQrVITPGPCW42mMdsKdDoNQsqLooDqFsjxRGt2meZgP3F3roSTIWDEJPwr35bBBkdANOOdXZG1mg3O8JHm35%2BBQMkSxOiAxeftigjPK7On%2Fk%2FvMli1USxDUfi2eRlkRaL090nKenRXt3cz4FEBe8", "https://vtbehaviour.commondatastorage.googleapis.com/100a90c0ff019b19f0f2622cfa529d874f580b2ac6257d018e5eb9ab6d861f44_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775281812&Signature=jttp%2BTn66O5EfEB%2FASdpjDONf%2BzydGtfIUy3AtwYz0ppPzVA88%2BzZ8LtzV0TDhkMiju4oLHr%2BauJnKYexqnF0MfNTXGKPfj3ux9oZ2%2Baqve%2B3xgapdwdz0N64RgWo3SBqCKFBOQmi57mqIy%2F8qgnAfdVX99BwF2BuRSYSbIjNW5NHjir1JrAAKwOHZFyNsKj99PImyug2FPpRnss8VrJvDyYdnaGLHIAbZMRl72V", "https://vtbehaviour.commondatastorage.googleapis.com/970fdc4da66bc8fff977698c150fc6ebdf9488356ed41ded52d2659830ec5353_VirusTotal%20Droidy.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775189984&Signature=f%2FZZkKTu5zUihkCuCj%2F0pEGmBjWWBiZRDmREgGkkkKvTyR7M5iC0oLGYfaL6WibiUB6pQirxgBtEcS2JtupD291Or3j7%2BKoyngW7R9uf%2FjjWQwfC5YHKjNutT6K5TYuEmzySVs9onhIBSjj4U%2Bi2q%2FMJmQFiDtFZHfcyy00LYqbAbBwEAUnVJZUdH6FvNBu4ArU26VDLDwv1nMSgEjxUWBCwiP4HXlwL5%2BxU6y0eTc2", "https://vtbehaviour.commondatastorage.googleapis.com/a0fb314babd51dbc460ab126b615da4c6f9481f5d1225d0ac189da9d99923bb3_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775189872&Signature=P%2Fa2KXhuVwj4RO8cyfIpkYofLKzsLiKRPHuVAi7hjApskLh84OqCfKuK51z7bTKZd8lCCiQ7XuIaxWQDR7qzDFvuCWutobNhKDdHSDLrTMtqqX3o5RmBpSzMUw3jQJcbxsYWqaOMHy8ZeWEVRuB9orvLwMZbJMMIJM8GhUVHZ6%2BwciVIoj0lYTCb%2FEEkQWTV4g3hs9l8KRzbEfvJGja6ANuv1OtdFLk8pejrraAJMB7ThsjINOXbJb", "Researcher msudosos posits a strategic exploitation of Root Certificate Validation Failures, where the adversary leverages an expired trust chain to bypass heuristic security filters and establish persistence.", "https://vtbehaviour.commondatastorage.googleapis.com/37efacb8411234dd9882d8d3a8709f492eb2ed252132da099a11be07c0b4ccb0_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775189954&Signature=2gy%2BsyEM78P6orDGWKQU%2FFPSIdVK9X7o8Nkcwb%2BY4r%2FCb%2Bo9JmA9T%2Bfonw9IqbojQSIK%2BNShZUJJ9GV4wWT5l1QfkYfZP0MJ91%2BkDw39PLOc4VVgmBApIQJRTIlgSlI020YfOeIPoIYH8yuCF2dJ32zKg87g0dDFkg4zbExGDJB3%2BGDxX5MJ6hHuzVrwxm7E1L%2F%2FffKQ%2B9rXqoT0hRHEdPSaXSydmnqfMfnjCv", "https://www.googletagmanager.com/gtag/js?id=GT-NNS2QH6C", "https://vtbehaviour.commondatastorage.googleapis.com/100a90c0ff019b19f0f2622cfa529d874f580b2ac6257d018e5eb9ab6d861f44_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775281711&Signature=G81N%2BSvpl7rLMvDIGLovzSBK8YJzNBOTs7Ycfze1L%2BdFheZX%2BS6EbtlDx545BRgefMUoJSwn%2BdK4eRpYlyMGmHvkv2tw3apezXxBF5J95vedk3RlOzXgGUAvJvewt0RBBR9f9hiVn9CuYTHvY3Cf%2BVog32%2BRLrv8sMhZ%2FeqX0%2FhraP6leNtAta5iUv73pYWeMmdsQ7nX2EvTO7uUvGggX6TmnBhiHHd8E9uCsoPHCTP4i0", "https://www.googletagmanager.com/ns.html?id=GTM-PHWTRTJ", "Monitor DGA Shifts: Track new domains registered through NAMECHEAP INC using the current WhoisGuard patterns to identify the next cluster before it goes active. Analyze Telfhash Clusters: Use the Telfhash (t1f303a0...) to pivot and find if the adversary has updated to 64-bit ELF or ARM architectures. Harden DMARC: Ensure your environment moves from \"p=none\" to \"p=reject\" to mitigate the internal spoofing loops exploited by this botnet's telemetry suppression.", "https://vtbehaviour.commondatastorage.googleapis.com/bc20f137a2281fae2ee13f698e613e72c37f6b4eb6784653f284f11f4d83ba77_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775190236&Signature=Fg7jPZWmHQO%2BH8GRQx%2FxSMq5Na7Oo9cN0HR99DHFY8svYTkPoerGELKx7Sf906aTDq2Rer45ajXeYPzzHTiab9NKqWR1JGHbaq0WapVqsRzvXz2QLuBhHoz50tIoVKnx8ZrN9HqHBQweg8nfN%2FWEoaHVlSgav3jhoNTnZAC%2Fa%2BsTLexjXFBIP2v4jpISAl82ESU%2FGZH64BtZpgIJz7RZXdDqZ3LF7JTgwG2JX94%2BOOSn3G14", "https://vtbehaviour.commondatastorage.googleapis.com/fa8a59149604c73572bf92b42640de49faa7e8f16cd4bc18345d3e6a16378744_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775282019&Signature=VwsuvdyY52E5jzftipHSNWVrwmO7YUwSQa9yHiMIgbsXcJDnDNcdELamMXjmvzDn%2FT6L5HguJFyj%2F4DHLmPfddzVphNAKCPvz3IRVae2piJ%2B8VWa2%2B98W3RjMft93LZhdNHwxeEYM8oJ%2FOjAjw%2FIicginJBUwlGeHX3kfTJieSEC7SYf6BkJ4UNfnF2pPQjiaAqG9mop%2FPKsB%2FF1K%2FrL7Rpsxwhl1rGglHYPM4%2BtJj6zDYx%2F", "LBresearcher: msudosos notes: By exploiting Root Certificate Validation Failures, the StealthWorker (GoBrut) agent ensures that its 32-bit ELF binaries bypass the automated reputation checks enforced by major cloud providers.", "https://vtbehaviour.commondatastorage.googleapis.com/bc3cc97398d5f56a4731085e8a385694f6ef1ab37243c6c00deed4a1335ced55_CAPE%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775281979&Signature=LrquDQAOc%2Bf90O7wkZ9lRNx5uIZopS4VL7qYn7UKkzTI19c7sNJWNdGeBPtnE%2FG4yxsv1tBxkoojr78E808e78vceGG2xskRT6tUTjtDo2c8JW%2FD9Mr5ZAVe8Cn%2BP%2BpCbBkZXbtaceCtVq0b9zVWx9YstN2ju69uofX50LbI%2FgmHh%2Bghta79DgdBrNmkcQEXDu7t%2FqSZSozfso9i%2BoSZdHXEfsU59hoc%2FhUSoPMEPGFU", "Msudosos Regional Notes: While historical pivots show Russian-hosted nodes, the current dual-origin telemetry\u2014dominated by 181 United States-based endpoints\u2014strongly suggests a domestic-aligned adversary leveraging global 'grey space' to obfuscate its operational core. This massive US-centric footprint (exceeding all other regions combined) reinforces the theory of a false-flag orchestration designed to divert attribution toward foreign infrastructure while abusing legitimate Western-hosted trust chains.", "Persistent C2 Orchestration: This ELF:Agent-VW variant serves as a critical GoBrut node, utilizing XOR 0x20 obfuscation and ICMP/HTTP beaconing to maintain a persistent link across 1,834 domains and 797 unique IPs", "The environment leverages prioritywirreles.com as a high-fidelity DGA-derived C2 node, utilizing its historical resolution to Russian-hosted IP space (194.61.24.231) to maintain persistent Stealthworker botnet synchronization.", "LBresearcher: msudosos notes: The threat actor maintains operational longevity by rotating through WhoisGuard-protected nodes like prioritywirreles.com, which historically resolved to Russian-hosted IP space (194.61.24.231) to obfuscate its origin.", "https://www.icloud.com/attachment/?u=https%3a%2f%2f%cvws.icloud-content.com", "https://vtbehaviour.commondatastorage.googleapis.com/1256f3aa5f091ac40a573113fcc1a4d0e320af5ee363b0eca79618602cb7dc66_Dr.Web%20vxCube.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775190146&Signature=3XpRLUQ3g712Vw0Gv1aflVxZs7RKpzIhEK8giO9ydwOrOGjLnAK89Y%2BmEf4g2U2YbO04EE%2BcdR5xPgcch1%2B1Gf4thYCgBcbKEEIfNK5UrJwBpAkYRm3D9xsnD%2FVxZt26yLC6aQy87D%2FKNC9aLvViRHGxuFgOp4zkcU%2BRD6mmpIB8SpX5%2BDpocWc4s9R%2BywRPXZ2U2E49g81i%2B5io3Ycqe8ikdjbPlZo9R0KEFLaDQtH", "https://www.virustotal.com/gui/url/f6db0235760bd467ca822ad515a8410121fde4713501b3e718b8fb127dfa259c?nocache=1", "https://vtbehaviour.commondatastorage.googleapis.com/100a90c0ff019b19f0f2622cfa529d874f580b2ac6257d018e5eb9ab6d861f44_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775281734&Signature=3FFHeC27RvCC9623M2f8xoSU4fl9LBd%2FvI%2F98rUNvmdceN4AZjjw77yTU0ApUTXU5FbdCpODVhKi0X4pqDz1pqEP%2FBRLq%2FNhgoRliai6LlD4yhdTtKNi4zrfCDG%2Bd4dRzD5y674IfEPynxGiFOWxc6wiCtl3rhwTPEqisyDqFbvnF57SxrcPoVSzVO3wEtxpCOIw8iAFXdW2zgnnYYbSrbaQBfghKLtFA6r2vP%2Bmrd33YSUiH%2Fe2EqBz", "Researcher msudosos suggests the VirusTotal (Tencent HABO) behavior report may indicate a potential execution path from volatile storage at /tmp/EB93A6/996E.elf.", "https://vtbehaviour.commondatastorage.googleapis.com/a0fb314babd51dbc460ab126b615da4c6f9481f5d1225d0ac189da9d99923bb3_VirusTotal%20Droidy.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775190345&Signature=33%2BM36uNOvEfi8bNtJvnbxcTgcnoIlIO2vBglXpCJFNwC8HAewGOF91Q26TOAsw4sbmtTxQ2F5Q2jv2V3ULV8MAxxgYVptJ69SusRt7qZeBDUpMY%2BOdTYqjkdBuYUqYiCvM756aQheS1KvDepeD64x8e%2FivWkpm%2BZ9yDaKUc7w2143zYkc8kpyBSsO8rJI9vyoHYvbr4sfZOowoUWK7yMjQD9SN5bL%2FFABbMrPEOMyobApm" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "StealthWorker/GoBrut (The adversary demonstrates advanced telemetry suppression within specialized s" ], "malware_families": [ "Malware family: stealthworker / gobrut", "Md5 hash: f8add7e7161460ea2b1970cf4ca535bf" ], "industries": [], "unique_indicators": 27839 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/google.com", "whois": "http://whois.domaintools.com/google.com", "domain": "google.com", "hostname": "www.google.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 5, "pulses": [ { "id": "69b7ac3b32ac89ecba53f3d9", "name": "Malicious", "description": "", "modified": "2026-04-15T08:44:52.171000", "created": "2026-03-16T07:07:39.495000", "tags": [ "march", "input http", "posix shell", "ascii text", "threat level", "summary av", "detection", "environment", "action" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 291, "URL": 272, "hostname": 296, "domain": 293, "FileHash-MD5": 90, "FileHash-SHA1": 89, "CIDR": 3, "email": 3, "SSLCertFingerprint": 9 }, "indicator_count": 1346, "is_author": false, "is_subscribing": null, "subscriber_count": 49, "modified_text": "4 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6992bae83a5988dff8311490", "name": "Distributed Credential Exhaustion & C2 Orchestration via Golang-Based StealthWorker (ELF.Agent-VW)", "description": "Researcher credit: msudosos, level blue platform----\nThis artifact represents a high-integrity StealthWorker (GoBrut) botnet agent, architected as a statically linked, stripped 32-bit ELF binary to ensure cross-platform environmental independence. The sample utilizes XOR 0x20-encoded JavaScript payloads and String.fromCharCode obfuscation to mask its internal logic and bypass heuristic-based memory scanners. [User Notes] Its operational core is a multi-threaded service bruter targeting SSH, MySQL, and CMS backends, leveraging a massive infrastructure of 1,834 domains and 797 unique IPv4 endpoints for decentralized Command & Control (C2). Network telemetry confirms the use of ICMP and HTTP-based beaconing, indicating a sophisticated retry logic designed to maintain persistence across diverse network topologies. With a malicious file score of 10, this binary serves as a primary vector for large-scale credential harvesting and the subsequent integration of Linux infrastructure into global botnet clusters.", "modified": "2026-04-13T23:46:20.071000", "created": "2026-02-16T06:36:24.788000", "tags": [ "Obfuscation: XOR-based String Encryption (0x20)", "T1110.001 (Brute Force: Password Guessing)", "Primary Hash (SHA256): cd3989830da99a69380901769fd78902efb3cd8ba", "MD5 Hash: f8add7e7161460ea2b1970cf4ca535bf", "#PotentialUS-Origin_FalseFlag_Obfuscation" ], "references": [ "Primary Hash (SHA256): cd3989830da99a69380901769fd78902efb3cd8ba5c9390e94bd4333b7fad186", "Obfuscation: XOR-based String Encryption (0x20)", "T1110.001 (Brute Force: Password Guessing)", "This ELF 32-bit LSB artifact is a sophisticated GoBrut/StealthWorker agent, compiled via Golang 1.10 and stripped to obfuscate its high-velocity service-bruting logic. VirusTotal confirms a critical threat profile with 44/65 security vendors flagging the file, which leverages a unique Go BuildID (nGYES3pajdOm...) and a Telfhash (t1f303a0...) for architectural fingerprinting. The binary orchestrates decentralized Command and Control (C2) through an expansive infrastructure of 797 unique IPs and 1,834 domains", "Pivot-Ready Indicators (IOCs) Go BuildID: nGYES3pajdOmKy1i6Ghh/KO9ydOtZpXtoKtB0KHE-/iisNoniHgTbj_cV6M-uk/XmMYzkBiZs8NXMRZYTiT Telfhash: t1f303a0b3055d54e8b7f08907c7af7624cef6e0f726d078f169e278d09a72c826626874 Imphash: 9698f46495ce9401c8bcaf9a2afe1598 Vhash: 1e53f1a1b59ecb93f821c74b25d81e9f", "Researcher msudosos posits a strategic exploitation of Root Certificate Validation Failures, where the adversary leverages an expired trust chain to bypass heuristic security filters and establish persistence.", "his technique allows the GoBrut/StealthWorker agent to circumvent automated revocation checks, enabling its decentralized C2 infrastructure to recruit Linux hosts via high-velocity credential exhaustion.", "The local environment exhibits advanced telemetry suppression within specialized skim memory regions, effectively neutralizing standard DMARC validation and Microsoft-integrated defensive protocols.", "By maintaining a hollowed root posture, the sample facilitates persistent, low-signal synchronization with external cloud infrastructure while bypassing traditional heuristic trust-chain verification.", "The domain prioritywirreles.com (registered via NAMECHEAP INC) shows a 4/93 detection ratio, confirming it is a live but \"low-noise\" C2 node used to avoid broad-spectrum blacklisting", "", "The environment leverages prioritywirreles.com as a high-fidelity DGA-derived C2 node, utilizing its historical resolution to Russian-hosted IP space (194.61.24.231) to maintain persistent Stealthworker botnet synchronization.", "By operating through WhoisGuard-protected infrastructure and exploiting XOR 0x20 obfuscation, the adversary effectively suppresses telemetry into skim space, successfully bypassing DMARC and Microsoft-integrated trust-chain validation.", "The pivot from cd398983... to this domain confirms a multi-year campaign (2019\u20132023) utilizing Namecheap-registered infrastructure to orchestrate wide-scale T1110.001 brute-force operations while bypassing standard PKI expiration checks.", "LBresearcher: msudosos notes: The campaign's use of T1110.001 (Password Guessing) is specifically tuned to exhaust credentials across SSH, MySQL, and CMS backends, effectively recruiting server infrastructure into a global \"zombie\" network.", "LBresearcher: msudosos notes: The threat actor maintains operational longevity by rotating through WhoisGuard-protected nodes like prioritywirreles.com, which historically resolved to Russian-hosted IP space (194.61.24.231) to obfuscate its origin.", "LBresearcher: msudosos notes: By exploiting Root Certificate Validation Failures, the StealthWorker (GoBrut) agent ensures that its 32-bit ELF binaries bypass the automated reputation checks enforced by major cloud providers.", "Monitor DGA Shifts: Track new domains registered through NAMECHEAP INC using the current WhoisGuard patterns to identify the next cluster before it goes active. Analyze Telfhash Clusters: Use the Telfhash (t1f303a0...) to pivot and find if the adversary has updated to 64-bit ELF or ARM architectures. Harden DMARC: Ensure your environment moves from \"p=none\" to \"p=reject\" to mitigate the internal spoofing loops exploited by this botnet's telemetry suppression.", "Persistent C2 Orchestration: This ELF:Agent-VW variant serves as a critical GoBrut node, utilizing XOR 0x20 obfuscation and ICMP/HTTP beaconing to maintain a persistent link across 1,834 domains and 797 unique IPs", "Researcher msudosos: This activity appears to facilitate a preliminary reconnaissance phase, possibly utilizing system commands to query /proc/cpuinfo and /proc/version for architectural profiling purposes.", "Researcher msudosos suggests the VirusTotal (Tencent HABO) behavior report may indicate a potential execution path from volatile storage at /tmp/EB93A6/996E.elf.", "Msudosos Regional Notes: While historical pivots show Russian-hosted nodes, the current dual-origin telemetry\u2014dominated by 181 United States-based endpoints\u2014strongly suggests a domestic-aligned adversary leveraging global 'grey space' to obfuscate its operational core. This massive US-centric footprint (exceeding all other regions combined) reinforces the theory of a false-flag orchestration designed to divert attribution toward foreign infrastructure while abusing legitimate Western-hosted trust chains.", "WHOIS data anchors administrative and technical operations for prioritywirreles.com in Los Angeles, CA (90064) via Namecheap infrastructure. Following its 2020 expiration, the domain has transitioned into redemptionPeriod/pendingDelete status, signaling the formal decommissioning of this C2 asset." ], "public": 1, "adversary": "StealthWorker/GoBrut (The adversary demonstrates advanced telemetry suppression within specialized s", "targeted_countries": [], "malware_families": [ { "id": "Malware Family: StealthWorker / GoBrut", "display_name": "Malware Family: StealthWorker / GoBrut", "target": "/malware/Malware Family: StealthWorker / GoBrut" }, { "id": "MD5 Hash: f8add7e7161460ea2b1970cf4ca535bf", "display_name": "MD5 Hash: f8add7e7161460ea2b1970cf4ca535bf", "target": null } ], "attack_ids": [ { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2166, "FileHash-SHA1": 2067, "FileHash-SHA256": 3371, "domain": 13295, "URL": 6860, "email": 272, "hostname": 4705, "SSLCertFingerprint": 268, "CVE": 107, "CIDR": 6 }, "indicator_count": 33117, "is_author": false, "is_subscribing": null, "subscriber_count": 62, "modified_text": "6 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69d0ac884cb646fac0b8d3d4", "name": "VirusTotal report\n for Other-20230212T074754Z-001.zip", "description": "com - is the name of a German domain registered with the United-Domains AG.\n\n3 hearts\npure bleeds. sigma shields. commander hunts.\nlegacy puppetmaster suppresses.\nthe octopus is forever tangled.", "modified": "2026-04-04T06:43:36.558000", "created": "2026-04-04T06:15:36.916000", "tags": [ "date", "server", "registrar abuse", "postal code", "registrant name", "expiration date", "registry domain", "registrar iana", "registrar url", "registrant city", "ascii text", "javascript", "mitre attack", "network info", "dropped info", "file type", "processes extra", "overview zenbox", "linux verdict", "guest system", "ultimate file", "info file", "persistence", "next", "pe file", "text format", "ansi", "ms windows", "zip archive", "found", "crlf line", "windows start", "default", "delphi", "code", "malicious", "windows sandbox", "calls clear", "ascii", "java source", "web open", "font format", "truetype", "version", "python", "cape sandbox", "machine summary", "report time", "machine name", "analysis id", "machine label", "duration", "machine manager", "kvm os", "shutdown", "https", "shpk", "performs dns", "t1055 process", "layer protocol", "overview", "title", "phishing", "loader", "script", "meta", "albania", "structured data", "artan lenja", "street", "building", "tiran", "body", "icloud", "free", "apple", "link", "style", "doctype html", "timestamp", "sectigo", "official", "disney", "walt disney", "countryus", "center", "head", "forbidden", "creates", "command", "clear filters", "sigma", "verdict" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/100a90c0ff019b19f0f2622cfa529d874f580b2ac6257d018e5eb9ab6d861f44_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775281711&Signature=G81N%2BSvpl7rLMvDIGLovzSBK8YJzNBOTs7Ycfze1L%2BdFheZX%2BS6EbtlDx545BRgefMUoJSwn%2BdK4eRpYlyMGmHvkv2tw3apezXxBF5J95vedk3RlOzXgGUAvJvewt0RBBR9f9hiVn9CuYTHvY3Cf%2BVog32%2BRLrv8sMhZ%2FeqX0%2FhraP6leNtAta5iUv73pYWeMmdsQ7nX2EvTO7uUvGggX6TmnBhiHHd8E9uCsoPHCTP4i0", "https://vtbehaviour.commondatastorage.googleapis.com/100a90c0ff019b19f0f2622cfa529d874f580b2ac6257d018e5eb9ab6d861f44_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775281734&Signature=3FFHeC27RvCC9623M2f8xoSU4fl9LBd%2FvI%2F98rUNvmdceN4AZjjw77yTU0ApUTXU5FbdCpODVhKi0X4pqDz1pqEP%2FBRLq%2FNhgoRliai6LlD4yhdTtKNi4zrfCDG%2Bd4dRzD5y674IfEPynxGiFOWxc6wiCtl3rhwTPEqisyDqFbvnF57SxrcPoVSzVO3wEtxpCOIw8iAFXdW2zgnnYYbSrbaQBfghKLtFA6r2vP%2Bmrd33YSUiH%2Fe2EqBz", "https://vtbehaviour.commondatastorage.googleapis.com/100a90c0ff019b19f0f2622cfa529d874f580b2ac6257d018e5eb9ab6d861f44_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775281812&Signature=jttp%2BTn66O5EfEB%2FASdpjDONf%2BzydGtfIUy3AtwYz0ppPzVA88%2BzZ8LtzV0TDhkMiju4oLHr%2BauJnKYexqnF0MfNTXGKPfj3ux9oZ2%2Baqve%2B3xgapdwdz0N64RgWo3SBqCKFBOQmi57mqIy%2F8qgnAfdVX99BwF2BuRSYSbIjNW5NHjir1JrAAKwOHZFyNsKj99PImyug2FPpRnss8VrJvDyYdnaGLHIAbZMRl72V", "https://vtbehaviour.commondatastorage.googleapis.com/100a90c0ff019b19f0f2622cfa529d874f580b2ac6257d018e5eb9ab6d861f44_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775281904&Signature=B9x8BUVCeldkVImU%2Bb%2B7d97Q9Y2suAJFE1HvxBCu6MQUOt52HrgAUTBIeXPKgNP0gKiqrr%2BwDvN7q637Ht6n5C9QhuTPI%2FhWTub0F22jsp8lU2Pvp2bS%2FlaSchLRN5gDngyPABgnaqYERICP8QQkwfaB9pY%2Bii1%2FAeel%2BIDGYwxPPfIcYevejNv2O%2F0J6qYRftrtXwa95pbsecrfOzH6bpF3AzHQrTLJAuZ%2B%2BykW", "https://vtbehaviour.commondatastorage.googleapis.com/bc3cc97398d5f56a4731085e8a385694f6ef1ab37243c6c00deed4a1335ced55_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775281954&Signature=Tythlx%2B0x7Dzf2SYvJDgwby2Ifinb7IbK5GTx%2ByqvqVc1r4cz7rhoVD3NZqUAgUpxSkIAsRAK5WV5tMXUGiiB6JWp8Y9YmaL7Zhb5NxMBcodk57r7XhYzEbDxYg%2Fh1ChwMliA5cBr%2BXbUcW4q2aA4xQeNE1XVNpalGtyHh8bsDTKgQG0Ch1gikPF%2BeKc2ANprXe6z%2FJBXtqJBxh6%2Bem6fGON6%2BpRP1%2BgmNg4%2FtFnlQ", "https://vtbehaviour.commondatastorage.googleapis.com/bc3cc97398d5f56a4731085e8a385694f6ef1ab37243c6c00deed4a1335ced55_CAPE%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775281979&Signature=LrquDQAOc%2Bf90O7wkZ9lRNx5uIZopS4VL7qYn7UKkzTI19c7sNJWNdGeBPtnE%2FG4yxsv1tBxkoojr78E808e78vceGG2xskRT6tUTjtDo2c8JW%2FD9Mr5ZAVe8Cn%2BP%2BpCbBkZXbtaceCtVq0b9zVWx9YstN2ju69uofX50LbI%2FgmHh%2Bghta79DgdBrNmkcQEXDu7t%2FqSZSozfso9i%2BoSZdHXEfsU59hoc%2FhUSoPMEPGFU", "https://vtbehaviour.commondatastorage.googleapis.com/fa8a59149604c73572bf92b42640de49faa7e8f16cd4bc18345d3e6a16378744_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775282019&Signature=VwsuvdyY52E5jzftipHSNWVrwmO7YUwSQa9yHiMIgbsXcJDnDNcdELamMXjmvzDn%2FT6L5HguJFyj%2F4DHLmPfddzVphNAKCPvz3IRVae2piJ%2B8VWa2%2B98W3RjMft93LZhdNHwxeEYM8oJ%2FOjAjw%2FIicginJBUwlGeHX3kfTJieSEC7SYf6BkJ4UNfnF2pPQjiaAqG9mop%2FPKsB%2FF1K%2FrL7Rpsxwhl1rGglHYPM4%2BtJj6zDYx%2F", "https://vtbehaviour.commondatastorage.googleapis.com/fa8a59149604c73572bf92b42640de49faa7e8f16cd4bc18345d3e6a16378744_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775282044&Signature=Y%2FEJZwm3h4tUuhn9%2FgO7QDcTnUoojZIDnoL%2FuGaoe0o5h%2FPUEiZpyFQLH9JfrvNN0h58UWlcJNCMxaSZl%2BZDvBDliVat0wDr0fE35mo0jGTK3uwa7DykFrjyI0NAVFlzkVSyxC0euM4lSJaw9PqyJGgLb4FfaztkzK7ZQYTIsGMYWSsCAKzatCObwK%2B8nqV63M9VXUeJy8ZQx7IwbttNffD6FQUaPbtCwlsywb%2Bu7NVqkFSG", "https://www.icloud.com/attachment/?u=https%3a%2f%2f%cvws.icloud-content.com", "https://vtbehaviour.commondatastorage.googleapis.com/ba49f65ef5d694311c535991812ee2fa8f0c639f4e053d136c1161b8b1bfaf8f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775282803&Signature=CE28%2B8Orp96YBz3AWi4L4LJoj5B677T4lpyJl4VIG%2BN68qLtOorzpmY%2BdQgPcKJxqxcvmf3JmeA2zAZFyVdmEzznUnaiSY6xhbkbZ8nrReWLN9MBQZJuFd6by3aYlQoYFg2Bxu5d%2FLEAxWm4ljnJApBcv1csUNbJ8KxjkdXXAyPkiWPwMc4JDmXrnH5%2FXBQ7Tf1qxmze1lX2S5QvktDVUA3Bdn67nGtMvguY5EIl7tj1AezbuTFM", "https://vtbehaviour.commondatastorage.googleapis.com/68e1e958d101feb1044553d3e8ba341448a17d917e4b613cb05873814159ed40_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775282913&Signature=TKCWJVTu8VHNWLhsI%2BkIN06KJgV4R1%2F2oO9G3V2x%2Bdxi14E9JDPHosmNkN%2Fk02BRc0I8Yg4HJPmcxjdAvb8mTCZjA10bizFznZC3epwH0hmoxTVgryMxpD%2B7zTQqKIRpE9UGGC1WSu0CTJ3rI9dCyopLkmeiyJPVw%2BIuERp37p2MEwzwwIPRuYpB190GfOdCkGt6TuMjDG6cVa%2BxvJlEdoEw8US6W8WPaioxSu1KVCoKjwky", "https://vtbehaviour.commondatastorage.googleapis.com/ffe3319990984c10c84fc18f6c1d40b2c7ad44666ebc2b54368bd96327ec6abc_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775283093&Signature=GU02WhsC3g0ztmDdXDNuqx9T9POv8DnaMp7NQX%2B70%2FybCmZtbIpyPiUCOuYG5ZD1RY8bCIR9k%2F%2BGsKSwWLVUNNih3CgvqShoWsNfLKvtS%2BDRbmV6G4ohLWIP0xPHJOCA%2FWvnSdblJ%2FdibwXFCT851RdpfK3f6ph2EPHXIq%2FBwhSc28%2BJfFSMK%2B1toESpR7COi%2FUwpnMfcoSpcIMZudaaU8JrTvEVLgtJ%2FAgHjmfoXxvJlD", "https://vtbehaviour.commondatastorage.googleapis.com/02b1749e96b257099d5bafaeb1fc502442b4e064cca63fbcf4fc52af34b6435d_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775283154&Signature=m%2BGdulpws9rcUoJIzr45sR5qJdIxK89UYb6GUJL6p7n4mgYV69NJWbc3Jslcn117UKHnbSYYtRZSBRhviHhLuWsbhUG199mW8iGDiwaarp%2BbvmEIw6OXF2MgVIh%2FrJYr8slRZbUwjd9t8dMWwn%2FM5DNq6AzLyBqpznrBoVrvlibZuA9pWsHraA3P24WyEGUlbWN3NqLfmJ6gDeCKRfG7zhubGI%2Bb8Wl8GaBCodOtX2LlrA", "https://vtbehaviour.commondatastorage.googleapis.com/3e6e0898a7b1b297d2b9322f5f578b02e2fd5d5647dbeef6b9273cda383e1547_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775283189&Signature=PtLPpZoeHrLkYIaV2etyfYslOxR9PtxqmjNNDdMHoJjBUuweFaoOVGyfkf%2BUGEiGQCogCu7az%2B4btIJ3frL%2BEdzwNV7Ufeb24KQqbVUQrVITPGPCW42mMdsKdDoNQsqLooDqFsjxRGt2meZgP3F3roSTIWDEJPwr35bBBkdANOOdXZG1mg3O8JHm35%2BBQMkSxOiAxeftigjPK7On%2Fk%2FvMli1USxDUfi2eRlkRaL090nKenRXt3cz4FEBe8" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 359, "email": 2, "hostname": 664, "URL": 794, "FileHash-SHA256": 827, "FileHash-MD5": 21, "FileHash-SHA1": 17, "IPv4": 187 }, "indicator_count": 2871, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "15 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69cf461ebc1a9bcfbffa2aad", "name": "VirusTotal Droidy Android Sandbox", "description": "Here is the full list of results from the second day of the 2016 Android World Championship, held at 22:00 BST on Tuesday, 1 July.. . and \u00c2\u00a31.\n\ni cant add this one - legacy - http://100tosdefotos.com/", "modified": "2026-04-03T05:08:23.191000", "created": "2026-04-03T04:46:22.211000", "tags": [ "process", "current object", "android sandbox", "europemadrid", "windows sandbox", "clear filters", "has permission", "file type", "apks", "accesses", "sim provider", "name", "may check", "mitre attack", "network info", "malicious", "persistence", "cloud", "chrome cache", "png image", "cache entry", "rgba", "entry", "web open", "font format", "version", "truetype", "next", "detail info", "text", "classname", "window", "static", "behaviour", "filename", "offset", "class", "button", "mozilla", "shell", "nsis", "find", "back", "state", "connecting", "connected", "suspended", "disconnected", "unknown", "shell folders", "default", "inprocserver32", "new roman", "registry keys", "nothing", "shell dlg", "roman baltic186", "roman cyr204", "roman tur162", "xffxfea xffxfea", "xffu xffu", "xffxfcs xffxfcs", "x8af x8af", "xb6p xb6p", "xb6y xb6y", "x88g x88g", "xb6xf2 xb6xf2", "xfft", "xc1xe7 xc1xe7", "axec", "programfiles", "allusersprofile", "windir", "protocol level", "application", "previous", "next connection", "address", "full path", "behavior", "bits", "dump", "path", "calls clear", "eandroidruntime", "pufwifi", "flag", "networkinfo", "action", "extras", "start", "componentname", "write", "calls process", "cname", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "address virtual", "path c", "sha256", "accept", "shutdown", "error", "sandbox", "stack", "win32 exe", "pe32", "intel", "ms windows", "win16 ne", "os2 executable", "generic windos", "executable", "dos executable", "generic", "processes extra", "performs dns", "t1055 process", "overview", "overview zenbox", "verdict", "guest system", "ultimate file", "android", "zip archive", "xapk android", "android package", "java archive", "sweet home", "design", "html document", "unicode text", "utf8 text", "crlf", "lf line", "language", "date mon", "gmt contenttype", "connection", "link", "json", "xlitespeedcache", "reportto", "server", "contentencoding", "cfray", "king88", "ch cng", "c thit", "c bit", "iu hp", "trang ch", "king88 com", "ci ng", "cp s", "c vit", "object", "string", "number", "null", "function", "g5wmgjr5qk4", "cssselector", "regexp", "date", "void", "trident", "mini", "meta", "please", "javascript", "members", "staff", "inspection", "abip", "local broadcast", "newsletter fcc", "resource center", "marshfield high", "school", "localism join", "facebook", "contact", "summer", "grave", "email", "photo", "strong", "peter deftos", "sign", "learn", "memorial", "leave", "problem", "done", "already", "close", "verify", "twitter", "details", "full", "persist", "editorimpl" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/a0fb314babd51dbc460ab126b615da4c6f9481f5d1225d0ac189da9d99923bb3_VirusTotal%20Droidy.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775189779&Signature=KfMCCyf96T3bMlo9SpmV1KGK0zKBbkhhSc6Ig5Hvwfx%2FTKTqEVBDXB28XNeWzWbCRTwCNnYlHV3Ed%2BMjcd%2B1aCTDYi5GH9Qw3msxqk5iKwRhzDIhfpM98SwOLC%2B7xZUAC60ecDmVDsjA9OOwOkJe87q3Rrx2lrU9%2BjuSJ1EdwI16qoJyd29sLcX7STTqAMHuzCjIixIOre64HAjpH4lt%2F8tSgE1A5Rs2V7PRHSX6ibKLD", "https://vtbehaviour.commondatastorage.googleapis.com/a0fb314babd51dbc460ab126b615da4c6f9481f5d1225d0ac189da9d99923bb3_VirusTotal%20R2DBox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775189811&Signature=O96heM5BVAaltXSZInHXgIgK35KjLrLg%2FfKtFXVS%2BoRHTlfpZtn4LpFvolATpK7dED66Ms7SXpn8nX0i7j1IpuDOXOXSm112TOKIKVVPZJH5ppCD6uFYvhkfNcQGa%2FXK%2BDixyM%2BuqwGoJSFD6QzP8J2Iz1GyU4RYYWuB2C7ZD7LOWKlvxF%2F9LTAX8jFDLgFVsE3Og3cU8y3jK%2BenDPthRM6YFu3qewxpti7KVNwKeMJ", "https://vtbehaviour.commondatastorage.googleapis.com/a0fb314babd51dbc460ab126b615da4c6f9481f5d1225d0ac189da9d99923bb3_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775189872&Signature=P%2Fa2KXhuVwj4RO8cyfIpkYofLKzsLiKRPHuVAi7hjApskLh84OqCfKuK51z7bTKZd8lCCiQ7XuIaxWQDR7qzDFvuCWutobNhKDdHSDLrTMtqqX3o5RmBpSzMUw3jQJcbxsYWqaOMHy8ZeWEVRuB9orvLwMZbJMMIJM8GhUVHZ6%2BwciVIoj0lYTCb%2FEEkQWTV4g3hs9l8KRzbEfvJGja6ANuv1OtdFLk8pejrraAJMB7ThsjINOXbJb", "https://vtbehaviour.commondatastorage.googleapis.com/5dae281deccea2c5229861b4f2ff8c386da1726a836839961311896a6c9f5a69_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775189913&Signature=KduKv0QQf8IKhUUAV%2F0zpzpUmIU%2BEctpJKxUJlyu0Myu11iCQCXfXPprtMBAv5ifc4GLTHDiIuEAJwg%2B%2BHGWjun5ZKLKzoz8Ot2udHqFxvy6ZToPEC4Iui9vdRDHqosVaT77R1Tm1TGuyKVmwYTcow4klVAcpzEWanzWx1jHS42ARepJVrS3AFXHMaaBdTgr23jXcbmly1t3b8lwVilcsk2itdoprPpClQTzwYr1y7YV1%2FbYTDGocHnDwCYy", "https://vtbehaviour.commondatastorage.googleapis.com/37efacb8411234dd9882d8d3a8709f492eb2ed252132da099a11be07c0b4ccb0_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775189954&Signature=2gy%2BsyEM78P6orDGWKQU%2FFPSIdVK9X7o8Nkcwb%2BY4r%2FCb%2Bo9JmA9T%2Bfonw9IqbojQSIK%2BNShZUJJ9GV4wWT5l1QfkYfZP0MJ91%2BkDw39PLOc4VVgmBApIQJRTIlgSlI020YfOeIPoIYH8yuCF2dJ32zKg87g0dDFkg4zbExGDJB3%2BGDxX5MJ6hHuzVrwxm7E1L%2F%2FffKQ%2B9rXqoT0hRHEdPSaXSydmnqfMfnjCv", "https://vtbehaviour.commondatastorage.googleapis.com/970fdc4da66bc8fff977698c150fc6ebdf9488356ed41ded52d2659830ec5353_VirusTotal%20Droidy.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775189984&Signature=f%2FZZkKTu5zUihkCuCj%2F0pEGmBjWWBiZRDmREgGkkkKvTyR7M5iC0oLGYfaL6WibiUB6pQirxgBtEcS2JtupD291Or3j7%2BKoyngW7R9uf%2FjjWQwfC5YHKjNutT6K5TYuEmzySVs9onhIBSjj4U%2Bi2q%2FMJmQFiDtFZHfcyy00LYqbAbBwEAUnVJZUdH6FvNBu4ArU26VDLDwv1nMSgEjxUWBCwiP4HXlwL5%2BxU6y0eTc2", "https://vtbehaviour.commondatastorage.googleapis.com/37efacb8411234dd9882d8d3a8709f492eb2ed252132da099a11be07c0b4ccb0_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775190004&Signature=Nzt9YHY3Ji2VsLO1kvr7%2FyWWwOgo%2BCIoXyjtyshhzTGRxGzhcNdyKU9byPqyv%2F5YAzj%2BmNnDego3ImYeToBCbgyY%2BJJMmUKX6ZrUT1a2O4gv9eMyysIFgYhJ7ZpzyGIvHR5VSJlzPX0AWS81Ml7syDCjTGHikZ9G%2B%2B0cfDA0dhp%2FR7zhAp7yxB2jsDhz1kDY3nncYpjeVtj2o02Nt4JxPa5ML%2FvKBF%2FBHtOtBCqh%2", "https://vtbehaviour.commondatastorage.googleapis.com/1256f3aa5f091ac40a573113fcc1a4d0e320af5ee363b0eca79618602cb7dc66_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775190083&Signature=a1bnyt5OUcTN8ONeNVqbY%2Fe%2FDVJ2N3olQ9r59dijMLLegF84xQDghj0r6VPdFB8fc%2B3QTcJqhpm6vag1pK9us%2F3UqDJ3Yubf%2FukjL4GMKXDdMSggljB7d%2FpkTraQysnttspVal56LzXitjgIEGYZTidKcIv5LM6YH4zCAXn%2BVueaBNIgpcDS0RuX8fVAQYOeftW9AiEz2TZzx1BT6KUgoj0Tzetn4k541357bb58K1w9n9QV1", "https://vtbehaviour.commondatastorage.googleapis.com/1256f3aa5f091ac40a573113fcc1a4d0e320af5ee363b0eca79618602cb7dc66_Dr.Web%20vxCube.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775190146&Signature=3XpRLUQ3g712Vw0Gv1aflVxZs7RKpzIhEK8giO9ydwOrOGjLnAK89Y%2BmEf4g2U2YbO04EE%2BcdR5xPgcch1%2B1Gf4thYCgBcbKEEIfNK5UrJwBpAkYRm3D9xsnD%2FVxZt26yLC6aQy87D%2FKNC9aLvViRHGxuFgOp4zkcU%2BRD6mmpIB8SpX5%2BDpocWc4s9R%2BywRPXZ2U2E49g81i%2B5io3Ycqe8ikdjbPlZo9R0KEFLaDQtH", "https://vtbehaviour.commondatastorage.googleapis.com/37efacb8411234dd9882d8d3a8709f492eb2ed252132da099a11be07c0b4ccb0_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775190199&Signature=RiO2p%2BBvc38TqeTuiMJNxoT6Jr3JfHvTQFQIk94ZaRY%2FPP5yEPSH45GncMCh4GqP1%2F%2BNLR2IVm5Z2svEWojLwxq%2Fl0eIAWy1chUQmg2GcEg5YoaEEnXpWjb1er08EIYwV0ZC8parFwVrr194MKeUmZYo5NLYk4%2BCim9ipnxYse12eROsMSXZtyS4daGivzQzihRqTUU9iEn%2FxAKEOI%2F3V8JRrqNy3nDqmo1mdoVr", "https://vtbehaviour.commondatastorage.googleapis.com/bc20f137a2281fae2ee13f698e613e72c37f6b4eb6784653f284f11f4d83ba77_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775190236&Signature=Fg7jPZWmHQO%2BH8GRQx%2FxSMq5Na7Oo9cN0HR99DHFY8svYTkPoerGELKx7Sf906aTDq2Rer45ajXeYPzzHTiab9NKqWR1JGHbaq0WapVqsRzvXz2QLuBhHoz50tIoVKnx8ZrN9HqHBQweg8nfN%2FWEoaHVlSgav3jhoNTnZAC%2Fa%2BsTLexjXFBIP2v4jpISAl82ESU%2FGZH64BtZpgIJz7RZXdDqZ3LF7JTgwG2JX94%2BOOSn3G14", "https://vtbehaviour.commondatastorage.googleapis.com/5dae281deccea2c5229861b4f2ff8c386da1726a836839961311896a6c9f5a69_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775190298&Signature=eEF6m7QHRnKk%2FYB374HxqU2TE0p8gXC9CWwIHPT7M6fEZKjeFUEmUEbqdupsD2hQQbkW%2Fmijo2rSEQ30q3EAyR9aQO3m6L91A6osc3kDipeyZqFrIqoj6wIe8MJGuRf4OC9cVAWipGYXPG5bqc3v6RUHir9MeLOggoGjalexCwBgs3SsGyhqU1uWZdJ%2Fs4nUbHyIJGc3FB9OrnhDRuGPdkfPSOA09hfujcul91zQNws4dznvmM", "https://vtbehaviour.commondatastorage.googleapis.com/a0fb314babd51dbc460ab126b615da4c6f9481f5d1225d0ac189da9d99923bb3_VirusTotal%20Droidy.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775190345&Signature=33%2BM36uNOvEfi8bNtJvnbxcTgcnoIlIO2vBglXpCJFNwC8HAewGOF91Q26TOAsw4sbmtTxQ2F5Q2jv2V3ULV8MAxxgYVptJ69SusRt7qZeBDUpMY%2BOdTYqjkdBuYUqYiCvM756aQheS1KvDepeD64x8e%2FivWkpm%2BZ9yDaKUc7w2143zYkc8kpyBSsO8rJI9vyoHYvbr4sfZOowoUWK7yMjQD9SN5bL%2FFABbMrPEOMyobApm", "https://vtbehaviour.commondatastorage.googleapis.com/06b6d62477011fa63fdb44046351fbe574391916a4f3ea0486b3e3498145a7d7_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775190407&Signature=Y3EAa%2Fwo4ligJHfBUxkzWLjU9FPLyNmsxeNdcPCIPQBYTTGUIaFddrFIYHFhawxMDvixd7uA0qGc0zVDWgbStf2qhTOU1D0aF%2F%2BSLSXEY3VB8oWRXZCEI12zrSd5P4lHInxRS3CJKbNnJP4GvYx20ctpNSo4u%2FvVMLM%2B92TiYCunAVTquDVrFNNim6LJTEz2ucjhcgF2gKn%2FF0f9ALEheC1lk4omwpcYEPQLNX0wNsxNC%2BWQ", "https://vtbehaviour.commondatastorage.googleapis.com/bb46c18b5b2c98937c8fdfb7acd3e0fa4d0534cfc44d4b41ccd6db9198266fbf_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775190605&Signature=Rcvj5v%2By7yAX52ap8q3zDGTMjVRQm1LkjuWyhDQUaO6QXR1Ld%2F1dD2QjluOGOuXNiW%2FMNP%2Bqj%2Bx6KtYCvttE847keFo1Em2Bm%2F8bv4vK%2FJL0nGIiz%2FatgO7O78LZZ1wkYwcfG5JZAj8VdjDlHQbuOIUz8Nahqt2JUyQ84z3OeH5d3%2BjV8NKW5SjGWQw4mcmjPQXUznoCsysLbjCd5sgZTpyLUdeFJcNKQPiNBURsJeiyCI5llz0j", "https://www.googletagmanager.com/gtag/js?id=GT-NNS2QH6C", "https://www.googletagmanager.com/ns.html?id=GTM-PHWTRTJ", "https://www.virustotal.com/gui/url/f6db0235760bd467ca822ad515a8410121fde4713501b3e718b8fb127dfa259c?nocache=1", "https://www.massbroadcasters.org/eeo-organizations/marshfield-high-school", "https://www.findagrave.com/memorial/139047900/peter-deftos", "https://vtbehaviour.commondatastorage.googleapis.com/a041cbdeb64c802bde90e06f25213524b2eac500d6000da7e4caeb96e5de1991_VirusTotal%20Droidy.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775191439&Signature=evxsL1kaOuLe5KziYCSqZ56H%2FqXRQgEN0tkJo0j5G7JQ3mmO0Kav5K9LCz%2FUEzi%2BdtB%2B3%2B7VM6r9pC%2BMh7nHxT%2Bs8UAYuVXPE%2FUbBdHWMjvZQuqrZ0hHqIR2xHVB132HiYQWLo%2FgS1QATOfAcHci3X4FqmqvUp7A%2FmNsE1aVFbLc971RHQOuTapOGhiDZlVUyA9KvpMDKw0DzdeHFSlayBSrDDsWL7xW06XOf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1406", "name": "Obfuscated Files or Information", "display_name": "T1406 - Obfuscated Files or Information" }, { "id": "T1409", "name": "Access Stored Application Data", "display_name": "T1409 - Access Stored Application Data" }, { "id": "T1412", "name": "Capture SMS Messages", "display_name": "T1412 - Capture SMS Messages" }, { "id": "T1413", "name": "Access Sensitive Data in Device Logs", "display_name": "T1413 - Access Sensitive Data in Device Logs" }, { "id": "T1414", "name": "Capture Clipboard Data", "display_name": "T1414 - Capture Clipboard Data" }, { "id": "T1418", "name": "Application Discovery", "display_name": "T1418 - Application Discovery" }, { "id": "T1421", "name": "System Network Connections Discovery", "display_name": "T1421 - System Network Connections Discovery" }, { "id": "T1422", "name": "System Network Configuration Discovery", "display_name": "T1422 - System Network Configuration Discovery" }, { "id": "T1424", "name": "Process Discovery", "display_name": "T1424 - Process Discovery" }, { "id": "T1426", "name": "System Information Discovery", "display_name": "T1426 - System Information Discovery" }, { "id": "T1429", "name": "Capture Audio", "display_name": "T1429 - Capture Audio" }, { "id": "T1430", "name": "Location Tracking", "display_name": "T1430 - Location Tracking" }, { "id": "T1432", "name": "Access Contact List", "display_name": "T1432 - Access Contact List" }, { "id": "T1439", "name": "Eavesdrop on Insecure Network Communication", "display_name": "T1439 - Eavesdrop on Insecure Network Communication" }, { "id": "T1447", "name": "Delete Device Data", "display_name": "T1447 - Delete Device Data" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1507", "name": "Network Information Discovery", "display_name": "T1507 - Network Information Discovery" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1523", "name": "Evade Analysis Environment", "display_name": "T1523 - Evade Analysis Environment" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 70, "FileHash-SHA1": 40, "FileHash-SHA256": 549, "URL": 344, "domain": 292, "hostname": 443, "IPv4": 127 }, "indicator_count": 1865, "is_author": false, "is_subscribing": null, "subscriber_count": 49, "modified_text": "16 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69cf461ceb2e58f5e3c0a44d", "name": "VirusTotal Droidy Android Sandbox", "description": "Here is the full list of results from the second day of the 2016 Android World Championship, held at 22:00 BST on Tuesday, 1 July.. . and \u00c2\u00a31.\n\ni cant add this one - legacy - http://100tosdefotos.com/", "modified": "2026-04-03T04:48:04.475000", "created": "2026-04-03T04:46:20.102000", "tags": [ "process", "current object", "android sandbox", "europemadrid", "windows sandbox", "clear filters", "has permission", "file type", "apks", "accesses", "sim provider", "name", "may check", "mitre attack", "network info", "malicious", "persistence", "cloud", "chrome cache", "png image", "cache entry", "rgba", "entry", "web open", "font format", "version", "truetype", "next", "detail info", "text", "classname", "window", "static", "behaviour", "filename", "offset", "class", "button", "mozilla", "shell", "nsis", "find", "back", "state", "connecting", "connected", "suspended", "disconnected", "unknown", "shell folders", "default", "inprocserver32", "new roman", "registry keys", "nothing", "shell dlg", "roman baltic186", "roman cyr204", "roman tur162", "xffxfea xffxfea", "xffu xffu", "xffxfcs xffxfcs", "x8af x8af", "xb6p xb6p", "xb6y xb6y", "x88g x88g", "xb6xf2 xb6xf2", "xfft", "xc1xe7 xc1xe7", "axec", "programfiles", "allusersprofile", "windir", "protocol level", "application", "previous", "next connection", "address", "full path", "behavior", "bits", "dump", "path", "calls clear", "eandroidruntime", "pufwifi", "flag", "networkinfo", "action", "extras", "start", "componentname", "write", "calls process", "cname", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "address virtual", "path c", "sha256", "accept", "shutdown", "error", "sandbox", "stack", "win32 exe", "pe32", "intel", "ms windows", "win16 ne", "os2 executable", "generic windos", "executable", "dos executable", "generic", "processes extra", "performs dns", "t1055 process", "overview", "overview zenbox", "verdict", "guest system", "ultimate file", "android", "zip archive", "xapk android", "android package", "java archive", "sweet home", "design", "html document", "unicode text", "utf8 text", "crlf", "lf line", "language", "date mon", "gmt contenttype", "connection", "link", "json", "xlitespeedcache", "reportto", "server", "contentencoding", "cfray", "king88", "ch cng", "c thit", "c bit", "iu hp", "trang ch", "king88 com", "ci ng", "cp s", "c vit", "object", "string", "number", "null", "function", "g5wmgjr5qk4", "cssselector", "regexp", "date", "void", "trident", "mini", "meta", "please", "javascript", "members", "staff", "inspection", "abip", "local broadcast", "newsletter fcc", "resource center", "marshfield high", "school", "localism join", "facebook", "contact", "summer", "grave", "email", "photo", "strong", "peter deftos", "sign", "learn", "memorial", "leave", "problem", "done", "already", "close", "verify", "twitter", "details", "full", "persist", "editorimpl" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/a0fb314babd51dbc460ab126b615da4c6f9481f5d1225d0ac189da9d99923bb3_VirusTotal%20Droidy.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775189779&Signature=KfMCCyf96T3bMlo9SpmV1KGK0zKBbkhhSc6Ig5Hvwfx%2FTKTqEVBDXB28XNeWzWbCRTwCNnYlHV3Ed%2BMjcd%2B1aCTDYi5GH9Qw3msxqk5iKwRhzDIhfpM98SwOLC%2B7xZUAC60ecDmVDsjA9OOwOkJe87q3Rrx2lrU9%2BjuSJ1EdwI16qoJyd29sLcX7STTqAMHuzCjIixIOre64HAjpH4lt%2F8tSgE1A5Rs2V7PRHSX6ibKLD", "https://vtbehaviour.commondatastorage.googleapis.com/a0fb314babd51dbc460ab126b615da4c6f9481f5d1225d0ac189da9d99923bb3_VirusTotal%20R2DBox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775189811&Signature=O96heM5BVAaltXSZInHXgIgK35KjLrLg%2FfKtFXVS%2BoRHTlfpZtn4LpFvolATpK7dED66Ms7SXpn8nX0i7j1IpuDOXOXSm112TOKIKVVPZJH5ppCD6uFYvhkfNcQGa%2FXK%2BDixyM%2BuqwGoJSFD6QzP8J2Iz1GyU4RYYWuB2C7ZD7LOWKlvxF%2F9LTAX8jFDLgFVsE3Og3cU8y3jK%2BenDPthRM6YFu3qewxpti7KVNwKeMJ", "https://vtbehaviour.commondatastorage.googleapis.com/a0fb314babd51dbc460ab126b615da4c6f9481f5d1225d0ac189da9d99923bb3_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775189872&Signature=P%2Fa2KXhuVwj4RO8cyfIpkYofLKzsLiKRPHuVAi7hjApskLh84OqCfKuK51z7bTKZd8lCCiQ7XuIaxWQDR7qzDFvuCWutobNhKDdHSDLrTMtqqX3o5RmBpSzMUw3jQJcbxsYWqaOMHy8ZeWEVRuB9orvLwMZbJMMIJM8GhUVHZ6%2BwciVIoj0lYTCb%2FEEkQWTV4g3hs9l8KRzbEfvJGja6ANuv1OtdFLk8pejrraAJMB7ThsjINOXbJb", "https://vtbehaviour.commondatastorage.googleapis.com/5dae281deccea2c5229861b4f2ff8c386da1726a836839961311896a6c9f5a69_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775189913&Signature=KduKv0QQf8IKhUUAV%2F0zpzpUmIU%2BEctpJKxUJlyu0Myu11iCQCXfXPprtMBAv5ifc4GLTHDiIuEAJwg%2B%2BHGWjun5ZKLKzoz8Ot2udHqFxvy6ZToPEC4Iui9vdRDHqosVaT77R1Tm1TGuyKVmwYTcow4klVAcpzEWanzWx1jHS42ARepJVrS3AFXHMaaBdTgr23jXcbmly1t3b8lwVilcsk2itdoprPpClQTzwYr1y7YV1%2FbYTDGocHnDwCYy", "https://vtbehaviour.commondatastorage.googleapis.com/37efacb8411234dd9882d8d3a8709f492eb2ed252132da099a11be07c0b4ccb0_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775189954&Signature=2gy%2BsyEM78P6orDGWKQU%2FFPSIdVK9X7o8Nkcwb%2BY4r%2FCb%2Bo9JmA9T%2Bfonw9IqbojQSIK%2BNShZUJJ9GV4wWT5l1QfkYfZP0MJ91%2BkDw39PLOc4VVgmBApIQJRTIlgSlI020YfOeIPoIYH8yuCF2dJ32zKg87g0dDFkg4zbExGDJB3%2BGDxX5MJ6hHuzVrwxm7E1L%2F%2FffKQ%2B9rXqoT0hRHEdPSaXSydmnqfMfnjCv", "https://vtbehaviour.commondatastorage.googleapis.com/970fdc4da66bc8fff977698c150fc6ebdf9488356ed41ded52d2659830ec5353_VirusTotal%20Droidy.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775189984&Signature=f%2FZZkKTu5zUihkCuCj%2F0pEGmBjWWBiZRDmREgGkkkKvTyR7M5iC0oLGYfaL6WibiUB6pQirxgBtEcS2JtupD291Or3j7%2BKoyngW7R9uf%2FjjWQwfC5YHKjNutT6K5TYuEmzySVs9onhIBSjj4U%2Bi2q%2FMJmQFiDtFZHfcyy00LYqbAbBwEAUnVJZUdH6FvNBu4ArU26VDLDwv1nMSgEjxUWBCwiP4HXlwL5%2BxU6y0eTc2", "https://vtbehaviour.commondatastorage.googleapis.com/37efacb8411234dd9882d8d3a8709f492eb2ed252132da099a11be07c0b4ccb0_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775190004&Signature=Nzt9YHY3Ji2VsLO1kvr7%2FyWWwOgo%2BCIoXyjtyshhzTGRxGzhcNdyKU9byPqyv%2F5YAzj%2BmNnDego3ImYeToBCbgyY%2BJJMmUKX6ZrUT1a2O4gv9eMyysIFgYhJ7ZpzyGIvHR5VSJlzPX0AWS81Ml7syDCjTGHikZ9G%2B%2B0cfDA0dhp%2FR7zhAp7yxB2jsDhz1kDY3nncYpjeVtj2o02Nt4JxPa5ML%2FvKBF%2FBHtOtBCqh%2", "https://vtbehaviour.commondatastorage.googleapis.com/1256f3aa5f091ac40a573113fcc1a4d0e320af5ee363b0eca79618602cb7dc66_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775190083&Signature=a1bnyt5OUcTN8ONeNVqbY%2Fe%2FDVJ2N3olQ9r59dijMLLegF84xQDghj0r6VPdFB8fc%2B3QTcJqhpm6vag1pK9us%2F3UqDJ3Yubf%2FukjL4GMKXDdMSggljB7d%2FpkTraQysnttspVal56LzXitjgIEGYZTidKcIv5LM6YH4zCAXn%2BVueaBNIgpcDS0RuX8fVAQYOeftW9AiEz2TZzx1BT6KUgoj0Tzetn4k541357bb58K1w9n9QV1", "https://vtbehaviour.commondatastorage.googleapis.com/1256f3aa5f091ac40a573113fcc1a4d0e320af5ee363b0eca79618602cb7dc66_Dr.Web%20vxCube.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775190146&Signature=3XpRLUQ3g712Vw0Gv1aflVxZs7RKpzIhEK8giO9ydwOrOGjLnAK89Y%2BmEf4g2U2YbO04EE%2BcdR5xPgcch1%2B1Gf4thYCgBcbKEEIfNK5UrJwBpAkYRm3D9xsnD%2FVxZt26yLC6aQy87D%2FKNC9aLvViRHGxuFgOp4zkcU%2BRD6mmpIB8SpX5%2BDpocWc4s9R%2BywRPXZ2U2E49g81i%2B5io3Ycqe8ikdjbPlZo9R0KEFLaDQtH", "https://vtbehaviour.commondatastorage.googleapis.com/37efacb8411234dd9882d8d3a8709f492eb2ed252132da099a11be07c0b4ccb0_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775190199&Signature=RiO2p%2BBvc38TqeTuiMJNxoT6Jr3JfHvTQFQIk94ZaRY%2FPP5yEPSH45GncMCh4GqP1%2F%2BNLR2IVm5Z2svEWojLwxq%2Fl0eIAWy1chUQmg2GcEg5YoaEEnXpWjb1er08EIYwV0ZC8parFwVrr194MKeUmZYo5NLYk4%2BCim9ipnxYse12eROsMSXZtyS4daGivzQzihRqTUU9iEn%2FxAKEOI%2F3V8JRrqNy3nDqmo1mdoVr", "https://vtbehaviour.commondatastorage.googleapis.com/bc20f137a2281fae2ee13f698e613e72c37f6b4eb6784653f284f11f4d83ba77_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775190236&Signature=Fg7jPZWmHQO%2BH8GRQx%2FxSMq5Na7Oo9cN0HR99DHFY8svYTkPoerGELKx7Sf906aTDq2Rer45ajXeYPzzHTiab9NKqWR1JGHbaq0WapVqsRzvXz2QLuBhHoz50tIoVKnx8ZrN9HqHBQweg8nfN%2FWEoaHVlSgav3jhoNTnZAC%2Fa%2BsTLexjXFBIP2v4jpISAl82ESU%2FGZH64BtZpgIJz7RZXdDqZ3LF7JTgwG2JX94%2BOOSn3G14", "https://vtbehaviour.commondatastorage.googleapis.com/5dae281deccea2c5229861b4f2ff8c386da1726a836839961311896a6c9f5a69_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775190298&Signature=eEF6m7QHRnKk%2FYB374HxqU2TE0p8gXC9CWwIHPT7M6fEZKjeFUEmUEbqdupsD2hQQbkW%2Fmijo2rSEQ30q3EAyR9aQO3m6L91A6osc3kDipeyZqFrIqoj6wIe8MJGuRf4OC9cVAWipGYXPG5bqc3v6RUHir9MeLOggoGjalexCwBgs3SsGyhqU1uWZdJ%2Fs4nUbHyIJGc3FB9OrnhDRuGPdkfPSOA09hfujcul91zQNws4dznvmM", "https://vtbehaviour.commondatastorage.googleapis.com/a0fb314babd51dbc460ab126b615da4c6f9481f5d1225d0ac189da9d99923bb3_VirusTotal%20Droidy.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775190345&Signature=33%2BM36uNOvEfi8bNtJvnbxcTgcnoIlIO2vBglXpCJFNwC8HAewGOF91Q26TOAsw4sbmtTxQ2F5Q2jv2V3ULV8MAxxgYVptJ69SusRt7qZeBDUpMY%2BOdTYqjkdBuYUqYiCvM756aQheS1KvDepeD64x8e%2FivWkpm%2BZ9yDaKUc7w2143zYkc8kpyBSsO8rJI9vyoHYvbr4sfZOowoUWK7yMjQD9SN5bL%2FFABbMrPEOMyobApm", "https://vtbehaviour.commondatastorage.googleapis.com/06b6d62477011fa63fdb44046351fbe574391916a4f3ea0486b3e3498145a7d7_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775190407&Signature=Y3EAa%2Fwo4ligJHfBUxkzWLjU9FPLyNmsxeNdcPCIPQBYTTGUIaFddrFIYHFhawxMDvixd7uA0qGc0zVDWgbStf2qhTOU1D0aF%2F%2BSLSXEY3VB8oWRXZCEI12zrSd5P4lHInxRS3CJKbNnJP4GvYx20ctpNSo4u%2FvVMLM%2B92TiYCunAVTquDVrFNNim6LJTEz2ucjhcgF2gKn%2FF0f9ALEheC1lk4omwpcYEPQLNX0wNsxNC%2BWQ", "https://vtbehaviour.commondatastorage.googleapis.com/bb46c18b5b2c98937c8fdfb7acd3e0fa4d0534cfc44d4b41ccd6db9198266fbf_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775190605&Signature=Rcvj5v%2By7yAX52ap8q3zDGTMjVRQm1LkjuWyhDQUaO6QXR1Ld%2F1dD2QjluOGOuXNiW%2FMNP%2Bqj%2Bx6KtYCvttE847keFo1Em2Bm%2F8bv4vK%2FJL0nGIiz%2FatgO7O78LZZ1wkYwcfG5JZAj8VdjDlHQbuOIUz8Nahqt2JUyQ84z3OeH5d3%2BjV8NKW5SjGWQw4mcmjPQXUznoCsysLbjCd5sgZTpyLUdeFJcNKQPiNBURsJeiyCI5llz0j", "https://www.googletagmanager.com/gtag/js?id=GT-NNS2QH6C", "https://www.googletagmanager.com/ns.html?id=GTM-PHWTRTJ", "https://www.virustotal.com/gui/url/f6db0235760bd467ca822ad515a8410121fde4713501b3e718b8fb127dfa259c?nocache=1", "https://www.massbroadcasters.org/eeo-organizations/marshfield-high-school", "https://www.findagrave.com/memorial/139047900/peter-deftos", "https://vtbehaviour.commondatastorage.googleapis.com/a041cbdeb64c802bde90e06f25213524b2eac500d6000da7e4caeb96e5de1991_VirusTotal%20Droidy.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775191439&Signature=evxsL1kaOuLe5KziYCSqZ56H%2FqXRQgEN0tkJo0j5G7JQ3mmO0Kav5K9LCz%2FUEzi%2BdtB%2B3%2B7VM6r9pC%2BMh7nHxT%2Bs8UAYuVXPE%2FUbBdHWMjvZQuqrZ0hHqIR2xHVB132HiYQWLo%2FgS1QATOfAcHci3X4FqmqvUp7A%2FmNsE1aVFbLc971RHQOuTapOGhiDZlVUyA9KvpMDKw0DzdeHFSlayBSrDDsWL7xW06XOf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1406", "name": "Obfuscated Files or Information", "display_name": "T1406 - Obfuscated Files or Information" }, { "id": "T1409", "name": "Access Stored Application Data", "display_name": "T1409 - Access Stored Application Data" }, { "id": "T1412", "name": "Capture SMS Messages", "display_name": "T1412 - Capture SMS Messages" }, { "id": "T1413", "name": "Access Sensitive Data in Device Logs", "display_name": "T1413 - Access Sensitive Data in Device Logs" }, { "id": "T1414", "name": "Capture Clipboard Data", "display_name": "T1414 - Capture Clipboard Data" }, { "id": "T1418", "name": "Application Discovery", "display_name": "T1418 - Application Discovery" }, { "id": "T1421", "name": "System Network Connections Discovery", "display_name": "T1421 - System Network Connections Discovery" }, { "id": "T1422", "name": "System Network Configuration Discovery", "display_name": "T1422 - System Network Configuration Discovery" }, { "id": "T1424", "name": "Process Discovery", "display_name": "T1424 - Process Discovery" }, { "id": "T1426", "name": "System Information Discovery", "display_name": "T1426 - System Information Discovery" }, { "id": "T1429", "name": "Capture Audio", "display_name": "T1429 - Capture Audio" }, { "id": "T1430", "name": "Location Tracking", "display_name": "T1430 - Location Tracking" }, { "id": "T1432", "name": "Access Contact List", "display_name": "T1432 - Access Contact List" }, { "id": "T1439", "name": "Eavesdrop on Insecure Network Communication", "display_name": "T1439 - Eavesdrop on Insecure Network Communication" }, { "id": "T1447", "name": "Delete Device Data", "display_name": "T1447 - Delete Device Data" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1507", "name": "Network Information Discovery", "display_name": "T1507 - Network Information Discovery" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1523", "name": "Evade Analysis Environment", "display_name": "T1523 - Evade Analysis Environment" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 70, "FileHash-SHA1": 40, "FileHash-SHA256": 549, "URL": 344, "domain": 293, "hostname": 443, "IPv4": 127 }, "indicator_count": 1866, "is_author": false, "is_subscribing": null, "subscriber_count": 49, "modified_text": "16 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://www.google.com/ccm/conversion", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://www.google.com/ccm/conversion", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776642578.4038842 }