{
"type": "Domain",
"indicator": "mapping3.map",
"general": {
"sections": [
"general",
"geo",
"url_list",
"passive_dns",
"malware",
"whois",
"http_scans"
],
"whois": "http://whois.domaintools.com/mapping3.map",
"alexa": "http://www.alexa.com/siteinfo/mapping3.map",
"indicator": "mapping3.map",
"type": "domain",
"type_title": "Domain",
"validation": [],
"base_indicator": {
"id": 3318640144,
"indicator": "mapping3.map",
"type": "domain",
"title": "",
"description": "",
"content": "",
"access_type": "public",
"access_reason": ""
},
"pulse_info": {
"count": 33,
"pulses": [
{
"id": "69a02837827feb0b78fa3ad2",
"name": "The Belasco Chain",
"description": "The adversary delivers a masterclass in \"Regular Belasco\" stagecraft, utilizing authentic Adobe PIDs to construct a \"living library\" of legitimacy where mundane metadata like SOPHIA.json acts as Gatsby\u2019s \"real but uncut\" volumes to mask a hollowed-out interior. This is a triumph of performative evasion; while researchers marvel at the realism of the set-dressing, MSI50B8.tmp and MSI4F2F.tmp wait in the wings of the Windows\\Installer directory, invisible to the human eye and using NGEN hijacking to bake illicit scripts directly into the OS framework. By employing Cryptnet certificates as \"stage lighting\" to mask C2 handshakes, the malware doesn't just attend the system\u2019s party\u2014it rewrites the invitation to own the house. Unlike the tragic end at West Egg, this Belasco chain is a play that refuses to end; it simply resets the stage, ensuring the performance continues as long as the \"green light\" of the C2 remains active.",
"modified": "2026-04-19T09:34:35.173000",
"created": "2026-02-26T11:02:15.932000",
"tags": [
"file size",
"mwdb",
"bazaar",
"sha3384",
"ssdeep",
"file type",
"sha1",
"sha256",
"crc32",
"filenames c"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 2,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 2805,
"FileHash-SHA1": 2568,
"FileHash-SHA256": 7488,
"domain": 1883,
"hostname": 1466,
"URL": 1179,
"email": 46,
"CVE": 46,
"CIDR": 3,
"YARA": 7,
"IPv4": 94,
"JA3": 1
},
"indicator_count": 17586,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 53,
"modified_text": "14 hours ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "698e93e1ab02db8c49e8c3ed",
"name": "\u201cBroken Seal\u201d DocuSign-themed Delivery with Fileless Process Hollowing (Zeppelin/Bloat-A)",
"description": "Forensic analysis indicates a DocuSign-themed phishing campaign using a deliberately invalid X.509 PKI seal (\u201cBroken Seal\u201d) to trigger fail-open verification logic in automated handlers. The delivery mechanism bypasses Secure Email Gateway (SEG) reputation checks by using encrypted channels and human-gated infrastructure. The payload is a fileless Process Hollowing (RunPE) malware that injects into RWX memory of legitimate processes to evade disk-based EDR.",
"modified": "2026-04-19T08:11:41.130000",
"created": "2026-02-13T03:00:49.872000",
"tags": [
"Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi",
"9698f46495ce9401c8bcaf9a2afe1598",
"Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)",
"MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71",
"Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3",
"Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link",
"DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)"
],
"references": [
"Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.",
"Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)",
"Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.",
"Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure",
"Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess",
"Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.",
"MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.",
"As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)",
"Verification failure observed in automated verification handlers during sandbox replay.",
"The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.",
"Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.",
"Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.",
"SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.",
"SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).",
"nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.",
"eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.",
"Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat",
"",
"The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"China",
"United States of America",
"Spain",
"Japan",
"Canada"
],
"malware_families": [],
"attack_ids": [],
"industries": [
"Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In"
],
"TLP": "green",
"cloned_from": null,
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 27678,
"FileHash-SHA256": 47676,
"FileHash-MD5": 42534,
"FileHash-SHA1": 23213,
"hostname": 33703,
"URL": 75433,
"SSLCertFingerprint": 30,
"CVE": 7582,
"email": 313,
"FileHash-IMPHASH": 8,
"CIDR": 26205,
"JA3": 1,
"IPv4": 80,
"URI": 5
},
"indicator_count": 284461,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 68,
"modified_text": "15 hours ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69df292dac938e1d181a38e2",
"name": "VirusTotal report\n for index.html",
"description": " 'broken seal'\n\nObservations: Unplugged, Airbook, flashed wrote or write javascript in red around 2:45am EST when trying to upload and took me to a google screen.",
"modified": "2026-04-16T07:16:26.014000",
"created": "2026-04-15T05:59:09.898000",
"tags": [
"sign",
"submission",
"unread",
"community score",
"status",
"content type",
"date",
"community join",
"community",
"api key",
"body",
"dns resolutions",
"ip traffic",
"performs dns",
"found",
"https",
"urls",
"mitre attack",
"network info",
"processes extra",
"mnhqrsc7",
"t1055 process",
"layer protocol",
"phishing",
"next",
"get http",
"rules not",
"http",
"injection",
"memory pattern",
"cape sandbox",
"zenbox",
"detections not",
"found mitre",
"info ids",
"size",
"analysis date",
"domains",
"facebook",
"language",
"vhash",
"ssdeep",
"file type",
"html internet",
"magic html",
"unicode text",
"utf8 text",
"algorithm",
"key identifier",
"x509v3 subject",
"v3 serial",
"number",
"cus olet",
"encrypt cne7",
"validity",
"subject public",
"key info",
"handle",
"server",
"entity",
"registrar abuse",
"llc creation",
"join",
"umbrella",
"trid file",
"redacted for",
"privacy tech",
"privacy admin",
"country",
"stateprovince",
"postal code",
"organization",
"email",
"code",
"canva",
"overview",
"dropped info",
"malicious",
"default",
"file size",
"mwdb",
"bazaar",
"sha3384",
"acrongl integ",
"adc4240758",
"sha256",
"accept",
"shutdown",
"back",
"windows sandbox",
"calls process",
"docguard",
"greyware mitre",
"evasion",
"vs98",
"compiler",
"sp6 build",
"chi2",
"contained",
"authentihash",
"rich pe",
"win32 exe",
"system process",
"pe file",
"ms windows",
"downloads",
"united",
"drops pe",
"tls version",
"persistence",
"fraud",
"nothing",
"registry keys",
"parent pid",
"full path",
"command line",
"mutexes nothing",
"created",
"files c",
"read files",
"read registry",
"tcp connections",
"udp connections",
"files nothing",
"description",
"host process",
"windows",
"user",
"integritylevel",
"detailsendswith",
"helper objects",
"cache",
"imageendswith",
"autorun keys",
"modification id",
"asep",
"victor sergeev",
"tim shelton",
"nextron",
"from",
"system32",
"syswow64",
"winsxs",
"lolbins",
"roth",
"markus neis",
"filesavira",
"rule set",
"github",
"matches rule",
"florian roth",
"capture",
"malware",
"cgb osectigo",
"public server",
"dv r36",
"pdf document",
"magic pdf",
"trid adobe",
"format",
"crc32",
"win1",
"detail info",
"tickcount",
"filename",
"behaviour",
"imagepath",
"cmdline",
"offset",
"targetprocess",
"writeaddress",
"write",
"shell",
"open"
],
"references": [
"https://vtbehaviour.commondatastorage.googleapis.com/a77a417f32cbded88f0d4e3663963a8965e72a25398acc329d907143e4ac3b23_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776228071&Signature=k4OPGTTS9fpKAbpLbTCobvi0%2BEjGbp7VcWYSCEp1TvQjpVcQtED0S8jcuTQ0McsWiP%2B6aw%2Fx98DNyVWEyPW4Tk8SxeBRXHcp0LXtwZJGGgR6Bg22qNhLkdLO31x8icluFzt4jqqp9hvJBXQodGoJWmlyxa3b9mS%2BeqUdi0ui3etDt%2Fhqv5QEOSCDX7bljWWmxRJa%2BZfAYDazGaCIGSQoltS%2BeMihl5SLMi%2B%2BjYP6%2BKTvM9xwUC",
"https://vtbehaviour.commondatastorage.googleapis.com/a77a417f32cbded88f0d4e3663963a8965e72a25398acc329d907143e4ac3b23_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776228177&Signature=MeuwZPsdr0gtQe0sk4q%2F4CUZfcMW69%2BxIGhrTaYMPXdTjl9aWJE5615NjAm4MvLR4DtSbJ7cc1BFbk7BVmjJn8nL41YfGq%2BBf5gZPn0%2FQV9ktpUtUMF9Lv0QkTRTFvsf0jeKYeC2md5imom9AjEbo5ewSdFcbMP503mxuC0pdhpq7S49aLwME4HDzuoSSRnwj%2BlEmfp5egLduihMAZHjBHMzBdPMJAufJFlU8IQZClMZlgiQVG7EB%2Fv1e6",
"https://vtbehaviour.commondatastorage.googleapis.com/b0b9aa9f245afb8f001e1d0c3be360fac8128469e52b5242115a7ff6e6c04978_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229294&Signature=OdVBHVnXq3aV47RlsO8ckBUvhV7Kn9b%2F4xcw6rkjRGl101K0lV0KpQpJFnEJ2JNjbsHO7vdMuiA2nR7aFNAx3pK6oJ2uEM5B%2F1BElXy3wNiL6OMqOj6VDv1lBLizeW3yvJG2V6sF%2By0mIhjiIDTOWyndGkDQoxymSgXyRoelmqrYH09k2E5CRoipEjdu2HUz6DgB0hePe4bG7h%2FBmerbDws5a3iwYrIjxjcFH06RSyYEapwLeYDZLUN8zzbnyg",
"https://vtbehaviour.commondatastorage.googleapis.com/b0b9aa9f245afb8f001e1d0c3be360fac8128469e52b5242115a7ff6e6c04978_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229341&Signature=FsDJqLFCpjpHyHkGAAeaeZJ0FuHsnHPW6OqfNr9%2FNQIMbW7S%2BpRdtBt0QC6eD2wVbJ0w0mn5Yh0umB2%2B4oj4WMpC%2Bbrabv85VtOz%2F7vZpXZYD00Eey8BoejnKjQXMEvwQelKFGpAKX9nv%2FzwiCOS22Yks44WKHJ9A32A8UatUxBJensQPOqvN6AxKy8xxjxFGM3cZm0F86LlAfualBwN7iwbWFmc4eGjmYxY6luyqTxxyh58Vh",
"https://vtbehaviour.commondatastorage.googleapis.com/b0b9aa9f245afb8f001e1d0c3be360fac8128469e52b5242115a7ff6e6c04978_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229360&Signature=mH4LFzdNbM%2FrTWl5A1VAc7ojWzYacRphus9okWr%2BvKUFUyk6TK8Pas4WKG1FcvFR2wwpkpjhE0AE0viuh35qs9qrKBS2fIH14W17FlfmoSXYlBcSDESzTv%2FVzT%2F0Apeil6p9N3Fux7xxH6ZuNyB%2B4%2FPrsSOrCfOkh4oSRipPAOPTUdPYpQTe0rA1LiyBADnpOeEOc4sEeKoTGaMgqmSXd6sFNnsjxsspmJ6p%2F0NL9s",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229700&Signature=bWnonefGUZtYeK3iLEK3l6B1K8s5LAANJsHqgu2f0adNPoq5aO1WnMIFL001ZRPLhg3zHdzVWEliZbOKd464xRNceJ7qnwM2u%2BoTUWVsdG7sWp8m3KT9cy98h7ihyVxEJudR7SVtw3hFHyjnbgFd8um7IWE3l2SqVOMKxir6agkJHMAg85Uq%2B29m%2Fxor5i2T2eJagX5555p5VHGXCleUwHe47ThbWegYdvCtAeZOtTKyRSdkhAYjfh3BJ1x2dWJ2",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229786&Signature=xYXDEDJcly%2BwCTkFPUyrSr228UUue%2BCAjKBOxrc5lIwprWxivXrJrS40lCNF%2BKMLkA9i6z04spAOemhRUK66rLcdqghb9T%2FBO4LbtGMX%2B1PAsVhS%2BP4qygPXIHJ5%2B8wxoZW2tYaq0ZvgAT6JnxbkWd5C0zOxXk%2F9hT6Vp9O5ikL6ZfyZ6slwyrcaPf2dQp0s8qV47TDrYLbF3PtfUd7Gqo1FH%2BCeT2v3waoi7mEQ%2BR",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229983&Signature=pjZPJEd79tkxjTOXjGMHb4Ed29a3OnC2MaGvoEp2E%2BtUNlKu%2BjXXLzR8Y%2FZlOZH1iQYAVjw%2BGSPneb4wnbT1VPNraQ3Xf5M6aAPdM6%2FksMddUDZcLVnFuSdgwU93ADeZobmWXc%2BJH1%2FguUu9OPzHo0G%2BgRmTNqH9qd3UF67OJAc5REJ07uMtzQuuBx6rXGruAKZEVmDJkBSj%2BYeGTwZmIa5rki62YowEiVDCcQ",
"https://vtbehaviour.commondatastorage.googleapis.com/a77a417f32cbded88f0d4e3663963a8965e72a25398acc329d907143e4ac3b23_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776230863&Signature=MAUJlRZPDmQ8L%2FN5a%2F5%2FFKR6Avr46BE%2BopAgWZomEP4ZjskOPFdqUdHqNnWlGWBv%2FQh4X7Z7p3aft1KWZdvUXnSZMerAL7Kuh%2BCK%2BLXLSALQZ9DL6ZpXdOktgaTxL6heoTmcz%2FvpOVmsFn%2FgbzxQjLZ9GliY9AQE1C3VJAZmqdMbG1Y%2FIpByCKcEokrgAN%2B7XhJGE94VD8A4luLzKvlyVYuqoFv6raDRdQMFBOXOJCXkyjJk",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776230932&Signature=xa5mbsGixH6SGhj%2BdrfZBwVhiHGEybcZdAbHUfpoGoECgFwqMLudtOiuX7AZZO2RxSaIoY%2FOQa%2B7jGfS%2FoeYRgjRTmAJCei6M172sbgIU6nRQdVDrqNeJXkSlr20Q1sW0%2B4gtImsebtle4ipmPMbrM6VDUWKjegUi8afL5a27GLZg9veVMc%2FI0aT1qx8EjsdITQ%2BSdvZoX39A%2FlC3j0gK6R9WcVdu3DEx6lxUHsOx3HPKk%2BJAZyZ",
"https://vtbehaviour.commondatastorage.googleapis.com/5db6524a52780ba7a4bd05e5faa20cbb7159f1c503394d850b5e95442357fb38_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776230974&Signature=zYx3MmXFQoBT4EG2nvG5OZiyNhwKxbZzjL6%2BNZgR4Vz%2FdHSEDvbVaSpxmWXWVYIvSYVfBhn1WxEelG4wi1yRrrS7CXwxSbXtv1E6hBhtT8u%2F%2Fj%2F4eRs2Jtulv5WvBY99pZ53qx9cvc8vV%2FgELVw%2Fy%2Bjat%2BN72%2BtX0XBhiiOt%2BtpVFkjl12ns9sbW6xNwzsrENkL5xhuctZ7TX2AX188SrJb9s5VM0wK7F8",
"https://vtbehaviour.commondatastorage.googleapis.com/00fa27f76beaca564ba93b54d2c468637c2b1dcb5568c4a597a08068af36cda5_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776231578&Signature=NwCoyWHAZRo4FS0XqNnT7d8ki2ytuinY7CisegY4Mq1T5JctWpC4Kee1LG6L3Tmb8%2BfW9yMZq0ChSvSYUjdDTFzNYQoq8vKxf8iGkMy%2BmOA3tSAu3gbLWS2bTtDjc4TFrtK0PKow3hO0FW0QtCkt9NPBi%2BPgoW7MXYIZ3uFt9ARoi%2FY1ChJZdBRtdii1C%2BWEDeLCIQ9xOpDRKxdYBmliuWm6kmeld%2F5yh1%2FSBDYYTOMDDZwzdDUr%2FB",
"https://vtbehaviour.commondatastorage.googleapis.com/000c8c89cace706e71df3b230abb53b0891757e08e1d10013ba76d98a3b08622_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776231935&Signature=wI0FB9EBFXXgWFo0thv9T11BAEOIJxW%2BSMCRUhCv8%2FEaaWaZhr975NH1qjEeFwIgm3cWdqm8KhXTxkbqGddaPoKiIoe59pX4ZVhr0LmnSTGFTFkLVGsGIajJCSutHgqOs6kW5KtDpyC67KxlAF1IA858Tz7eOXxYk3JYsf5g9iC%2BhkfqrDGGucK%2BDxtYZbIvDRb3QxLpD2qtF4NVPFoO38H3aJon0pykwGkrRNU0Pae%2F5YyJjl6m",
"https://vtbehaviour.commondatastorage.googleapis.com/f403bda8d1840e13c382804876bddf5521304bbbe01d8c127e9b482baf4db923_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776232147&Signature=qctdwqGOIWSBEBix28Qxr45GEATFVdZTkDPbDIdJUHZ668NUB29x7xOOu3BZACgBBczicReTkIygLYXiDb20rGtoja2iQxFCTOWE4%2FLwc9Nxh7I1%2FSoHR6%2Bi5Wk4XJTAcdzAGeExua8rUKoFT5sIKrtv83PwbAvTCO7GvcydYPqGs2mLLbQhp7372gRlMAdZg6XILhNRYSlLjZKO%2BpqkBfkK8qpwy%2BaB6%2BDnSqhM%2BVFxaWXh",
"https://vtbehaviour.commondatastorage.googleapis.com/106d36306f3b9357ff409aa1e41521243092c85e8e92fee633b033c9753e98a6_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776232356&Signature=dOUaP3bH%2F2XkNjkbn9FzySukzQbvCwdZKL3t4DjYw8QyaWjsDXs4zMrVafpcb0nOty%2Ff6lOTZkHbIBpyOnKxL9VoqGlftDb03fLBfKM96ov1%2B%2F7gAUJtMfAdk9BUBNUNda9t16wrDNGAVeGod5gZULkmaRB%2BSYwitpYbdZZw9oqT6GM86gMSQdng8tKJ5jvB7qzOr5k3fD2VUuTDsvjZN4f0hncuHKTT6LK4T2FPew5lUi44QzME",
"https://vtbehaviour.commondatastorage.googleapis.com/003c70373fd8307426c9597ea691d0065e4b17fbeaea25155d3180d59d19aecd_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776235521&Signature=XyL%2BziErEMLdDGzpkOrsFWzF%2Bs8%2F%2BHa%2Ft1S5%2FfgkdYZVZNUoI9ouy4IwZLiV4Fi2woIHU9YMnGYvqC6u0SHx0R%2FTbBYsAWIRLcS0jXCiNEz33EKRDTLcQqaAqg1bgEzbagC8RvfUjg5sQp8chQSkn3nYGGovJ1W9KDWu39peg7l0wU95LMSY%2BtbjEdzA0ghSq8IG%2BBSGkETgfJdXrKjyTRw1x5DEwN%2BENKfa54%2FmxDHO7iP3",
"https://vtbehaviour.commondatastorage.googleapis.com/003c70373fd8307426c9597ea691d0065e4b17fbeaea25155d3180d59d19aecd_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776235484&Signature=hjxNiAS7V%2Bsk78jk2ksTamwBDr%2Bbip09k8w%2FY%2FkvqfB676c53pmH%2Fwa7Py9BXy9tIptTKWA5SsC3Zck6ghdFqW3CcffOr0qRIsUIFknMfbuE3oC4UsaSuLoa%2B54UO0%2FJMTN9B5Y1HSbWJqFkxVX1WVQ5ry5yt9yJUK3m0DTRx9bsJ%2FoCKT3ionJdg5tZcst941SNesx3DRgpuAQmN9UVlNpRNCEwutgqN8XoC4EnI5l6Nt"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1203",
"name": "Exploitation for Client Execution",
"display_name": "T1203 - Exploitation for Client Execution"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1003",
"name": "OS Credential Dumping",
"display_name": "T1003 - OS Credential Dumping"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1014",
"name": "Rootkit",
"display_name": "T1014 - Rootkit"
},
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1485",
"name": "Data Destruction",
"display_name": "T1485 - Data Destruction"
},
{
"id": "T1496",
"name": "Resource Hijacking",
"display_name": "T1496 - Resource Hijacking"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1542",
"name": "Pre-OS Boot",
"display_name": "T1542 - Pre-OS Boot"
},
{
"id": "T1564",
"name": "Hide Artifacts",
"display_name": "T1564 - Hide Artifacts"
},
{
"id": "T1016",
"name": "System Network Configuration Discovery",
"display_name": "T1016 - System Network Configuration Discovery"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1547",
"name": "Boot or Logon Autostart Execution",
"display_name": "T1547 - Boot or Logon Autostart Execution"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1134",
"name": "Access Token Manipulation",
"display_name": "T1134 - Access Token Manipulation"
},
{
"id": "T1046",
"name": "Network Service Scanning",
"display_name": "T1046 - Network Service Scanning"
},
{
"id": "T1539",
"name": "Steal Web Session Cookie",
"display_name": "T1539 - Steal Web Session Cookie"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 4,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 5178,
"IPv4": 572,
"URL": 5164,
"FileHash-MD5": 1546,
"FileHash-SHA1": 381,
"domain": 1818,
"hostname": 3413,
"email": 22,
"URI": 2,
"IPv6": 15,
"CVE": 1
},
"indicator_count": 18112,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 49,
"modified_text": "3 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69df292b85c74fec867e4ed2",
"name": "VirusTotal report\n for index.html",
"description": " 'broken seal'",
"modified": "2026-04-16T07:16:21.879000",
"created": "2026-04-15T05:59:07.274000",
"tags": [
"sign",
"submission",
"unread",
"community score",
"status",
"content type",
"date",
"community join",
"community",
"api key",
"body",
"dns resolutions",
"ip traffic",
"performs dns",
"found",
"https",
"urls",
"mitre attack",
"network info",
"processes extra",
"mnhqrsc7",
"t1055 process",
"layer protocol",
"phishing",
"next",
"get http",
"rules not",
"http",
"injection",
"memory pattern",
"cape sandbox",
"zenbox",
"detections not",
"found mitre",
"info ids",
"size",
"analysis date",
"domains",
"facebook",
"language",
"vhash",
"ssdeep",
"file type",
"html internet",
"magic html",
"unicode text",
"utf8 text",
"algorithm",
"key identifier",
"x509v3 subject",
"v3 serial",
"number",
"cus olet",
"encrypt cne7",
"validity",
"subject public",
"key info",
"handle",
"server",
"entity",
"registrar abuse",
"llc creation",
"join",
"umbrella",
"trid file",
"redacted for",
"privacy tech",
"privacy admin",
"country",
"stateprovince",
"postal code",
"organization",
"email",
"code",
"canva",
"overview",
"dropped info",
"malicious",
"default",
"file size",
"mwdb",
"bazaar",
"sha3384",
"acrongl integ",
"adc4240758",
"sha256",
"accept",
"shutdown",
"back",
"windows sandbox",
"calls process",
"docguard",
"greyware mitre",
"evasion",
"vs98",
"compiler",
"sp6 build",
"chi2",
"contained",
"authentihash",
"rich pe",
"win32 exe",
"system process",
"pe file",
"ms windows",
"downloads",
"united",
"drops pe",
"tls version",
"persistence",
"fraud",
"nothing",
"registry keys",
"parent pid",
"full path",
"command line",
"mutexes nothing",
"created",
"files c",
"read files",
"read registry",
"tcp connections",
"udp connections",
"files nothing",
"description",
"host process",
"windows",
"user",
"integritylevel",
"detailsendswith",
"helper objects",
"cache",
"imageendswith",
"autorun keys",
"modification id",
"asep",
"victor sergeev",
"tim shelton",
"nextron",
"from",
"system32",
"syswow64",
"winsxs",
"lolbins",
"roth",
"markus neis",
"filesavira",
"rule set",
"github",
"matches rule",
"florian roth",
"capture",
"malware",
"cgb osectigo",
"public server",
"dv r36",
"pdf document",
"magic pdf",
"trid adobe",
"format",
"crc32",
"win1",
"detail info",
"tickcount",
"filename",
"behaviour",
"imagepath",
"cmdline",
"offset",
"targetprocess",
"writeaddress",
"write",
"shell",
"open"
],
"references": [
"https://vtbehaviour.commondatastorage.googleapis.com/a77a417f32cbded88f0d4e3663963a8965e72a25398acc329d907143e4ac3b23_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776228071&Signature=k4OPGTTS9fpKAbpLbTCobvi0%2BEjGbp7VcWYSCEp1TvQjpVcQtED0S8jcuTQ0McsWiP%2B6aw%2Fx98DNyVWEyPW4Tk8SxeBRXHcp0LXtwZJGGgR6Bg22qNhLkdLO31x8icluFzt4jqqp9hvJBXQodGoJWmlyxa3b9mS%2BeqUdi0ui3etDt%2Fhqv5QEOSCDX7bljWWmxRJa%2BZfAYDazGaCIGSQoltS%2BeMihl5SLMi%2B%2BjYP6%2BKTvM9xwUC",
"https://vtbehaviour.commondatastorage.googleapis.com/a77a417f32cbded88f0d4e3663963a8965e72a25398acc329d907143e4ac3b23_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776228177&Signature=MeuwZPsdr0gtQe0sk4q%2F4CUZfcMW69%2BxIGhrTaYMPXdTjl9aWJE5615NjAm4MvLR4DtSbJ7cc1BFbk7BVmjJn8nL41YfGq%2BBf5gZPn0%2FQV9ktpUtUMF9Lv0QkTRTFvsf0jeKYeC2md5imom9AjEbo5ewSdFcbMP503mxuC0pdhpq7S49aLwME4HDzuoSSRnwj%2BlEmfp5egLduihMAZHjBHMzBdPMJAufJFlU8IQZClMZlgiQVG7EB%2Fv1e6",
"https://vtbehaviour.commondatastorage.googleapis.com/b0b9aa9f245afb8f001e1d0c3be360fac8128469e52b5242115a7ff6e6c04978_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229294&Signature=OdVBHVnXq3aV47RlsO8ckBUvhV7Kn9b%2F4xcw6rkjRGl101K0lV0KpQpJFnEJ2JNjbsHO7vdMuiA2nR7aFNAx3pK6oJ2uEM5B%2F1BElXy3wNiL6OMqOj6VDv1lBLizeW3yvJG2V6sF%2By0mIhjiIDTOWyndGkDQoxymSgXyRoelmqrYH09k2E5CRoipEjdu2HUz6DgB0hePe4bG7h%2FBmerbDws5a3iwYrIjxjcFH06RSyYEapwLeYDZLUN8zzbnyg",
"https://vtbehaviour.commondatastorage.googleapis.com/b0b9aa9f245afb8f001e1d0c3be360fac8128469e52b5242115a7ff6e6c04978_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229341&Signature=FsDJqLFCpjpHyHkGAAeaeZJ0FuHsnHPW6OqfNr9%2FNQIMbW7S%2BpRdtBt0QC6eD2wVbJ0w0mn5Yh0umB2%2B4oj4WMpC%2Bbrabv85VtOz%2F7vZpXZYD00Eey8BoejnKjQXMEvwQelKFGpAKX9nv%2FzwiCOS22Yks44WKHJ9A32A8UatUxBJensQPOqvN6AxKy8xxjxFGM3cZm0F86LlAfualBwN7iwbWFmc4eGjmYxY6luyqTxxyh58Vh",
"https://vtbehaviour.commondatastorage.googleapis.com/b0b9aa9f245afb8f001e1d0c3be360fac8128469e52b5242115a7ff6e6c04978_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229360&Signature=mH4LFzdNbM%2FrTWl5A1VAc7ojWzYacRphus9okWr%2BvKUFUyk6TK8Pas4WKG1FcvFR2wwpkpjhE0AE0viuh35qs9qrKBS2fIH14W17FlfmoSXYlBcSDESzTv%2FVzT%2F0Apeil6p9N3Fux7xxH6ZuNyB%2B4%2FPrsSOrCfOkh4oSRipPAOPTUdPYpQTe0rA1LiyBADnpOeEOc4sEeKoTGaMgqmSXd6sFNnsjxsspmJ6p%2F0NL9s",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229700&Signature=bWnonefGUZtYeK3iLEK3l6B1K8s5LAANJsHqgu2f0adNPoq5aO1WnMIFL001ZRPLhg3zHdzVWEliZbOKd464xRNceJ7qnwM2u%2BoTUWVsdG7sWp8m3KT9cy98h7ihyVxEJudR7SVtw3hFHyjnbgFd8um7IWE3l2SqVOMKxir6agkJHMAg85Uq%2B29m%2Fxor5i2T2eJagX5555p5VHGXCleUwHe47ThbWegYdvCtAeZOtTKyRSdkhAYjfh3BJ1x2dWJ2",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229786&Signature=xYXDEDJcly%2BwCTkFPUyrSr228UUue%2BCAjKBOxrc5lIwprWxivXrJrS40lCNF%2BKMLkA9i6z04spAOemhRUK66rLcdqghb9T%2FBO4LbtGMX%2B1PAsVhS%2BP4qygPXIHJ5%2B8wxoZW2tYaq0ZvgAT6JnxbkWd5C0zOxXk%2F9hT6Vp9O5ikL6ZfyZ6slwyrcaPf2dQp0s8qV47TDrYLbF3PtfUd7Gqo1FH%2BCeT2v3waoi7mEQ%2BR",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229983&Signature=pjZPJEd79tkxjTOXjGMHb4Ed29a3OnC2MaGvoEp2E%2BtUNlKu%2BjXXLzR8Y%2FZlOZH1iQYAVjw%2BGSPneb4wnbT1VPNraQ3Xf5M6aAPdM6%2FksMddUDZcLVnFuSdgwU93ADeZobmWXc%2BJH1%2FguUu9OPzHo0G%2BgRmTNqH9qd3UF67OJAc5REJ07uMtzQuuBx6rXGruAKZEVmDJkBSj%2BYeGTwZmIa5rki62YowEiVDCcQ",
"https://vtbehaviour.commondatastorage.googleapis.com/a77a417f32cbded88f0d4e3663963a8965e72a25398acc329d907143e4ac3b23_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776230863&Signature=MAUJlRZPDmQ8L%2FN5a%2F5%2FFKR6Avr46BE%2BopAgWZomEP4ZjskOPFdqUdHqNnWlGWBv%2FQh4X7Z7p3aft1KWZdvUXnSZMerAL7Kuh%2BCK%2BLXLSALQZ9DL6ZpXdOktgaTxL6heoTmcz%2FvpOVmsFn%2FgbzxQjLZ9GliY9AQE1C3VJAZmqdMbG1Y%2FIpByCKcEokrgAN%2B7XhJGE94VD8A4luLzKvlyVYuqoFv6raDRdQMFBOXOJCXkyjJk",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776230932&Signature=xa5mbsGixH6SGhj%2BdrfZBwVhiHGEybcZdAbHUfpoGoECgFwqMLudtOiuX7AZZO2RxSaIoY%2FOQa%2B7jGfS%2FoeYRgjRTmAJCei6M172sbgIU6nRQdVDrqNeJXkSlr20Q1sW0%2B4gtImsebtle4ipmPMbrM6VDUWKjegUi8afL5a27GLZg9veVMc%2FI0aT1qx8EjsdITQ%2BSdvZoX39A%2FlC3j0gK6R9WcVdu3DEx6lxUHsOx3HPKk%2BJAZyZ",
"https://vtbehaviour.commondatastorage.googleapis.com/5db6524a52780ba7a4bd05e5faa20cbb7159f1c503394d850b5e95442357fb38_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776230974&Signature=zYx3MmXFQoBT4EG2nvG5OZiyNhwKxbZzjL6%2BNZgR4Vz%2FdHSEDvbVaSpxmWXWVYIvSYVfBhn1WxEelG4wi1yRrrS7CXwxSbXtv1E6hBhtT8u%2F%2Fj%2F4eRs2Jtulv5WvBY99pZ53qx9cvc8vV%2FgELVw%2Fy%2Bjat%2BN72%2BtX0XBhiiOt%2BtpVFkjl12ns9sbW6xNwzsrENkL5xhuctZ7TX2AX188SrJb9s5VM0wK7F8",
"https://vtbehaviour.commondatastorage.googleapis.com/00fa27f76beaca564ba93b54d2c468637c2b1dcb5568c4a597a08068af36cda5_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776231578&Signature=NwCoyWHAZRo4FS0XqNnT7d8ki2ytuinY7CisegY4Mq1T5JctWpC4Kee1LG6L3Tmb8%2BfW9yMZq0ChSvSYUjdDTFzNYQoq8vKxf8iGkMy%2BmOA3tSAu3gbLWS2bTtDjc4TFrtK0PKow3hO0FW0QtCkt9NPBi%2BPgoW7MXYIZ3uFt9ARoi%2FY1ChJZdBRtdii1C%2BWEDeLCIQ9xOpDRKxdYBmliuWm6kmeld%2F5yh1%2FSBDYYTOMDDZwzdDUr%2FB",
"https://vtbehaviour.commondatastorage.googleapis.com/000c8c89cace706e71df3b230abb53b0891757e08e1d10013ba76d98a3b08622_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776231935&Signature=wI0FB9EBFXXgWFo0thv9T11BAEOIJxW%2BSMCRUhCv8%2FEaaWaZhr975NH1qjEeFwIgm3cWdqm8KhXTxkbqGddaPoKiIoe59pX4ZVhr0LmnSTGFTFkLVGsGIajJCSutHgqOs6kW5KtDpyC67KxlAF1IA858Tz7eOXxYk3JYsf5g9iC%2BhkfqrDGGucK%2BDxtYZbIvDRb3QxLpD2qtF4NVPFoO38H3aJon0pykwGkrRNU0Pae%2F5YyJjl6m",
"https://vtbehaviour.commondatastorage.googleapis.com/f403bda8d1840e13c382804876bddf5521304bbbe01d8c127e9b482baf4db923_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776232147&Signature=qctdwqGOIWSBEBix28Qxr45GEATFVdZTkDPbDIdJUHZ668NUB29x7xOOu3BZACgBBczicReTkIygLYXiDb20rGtoja2iQxFCTOWE4%2FLwc9Nxh7I1%2FSoHR6%2Bi5Wk4XJTAcdzAGeExua8rUKoFT5sIKrtv83PwbAvTCO7GvcydYPqGs2mLLbQhp7372gRlMAdZg6XILhNRYSlLjZKO%2BpqkBfkK8qpwy%2BaB6%2BDnSqhM%2BVFxaWXh",
"https://vtbehaviour.commondatastorage.googleapis.com/106d36306f3b9357ff409aa1e41521243092c85e8e92fee633b033c9753e98a6_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776232356&Signature=dOUaP3bH%2F2XkNjkbn9FzySukzQbvCwdZKL3t4DjYw8QyaWjsDXs4zMrVafpcb0nOty%2Ff6lOTZkHbIBpyOnKxL9VoqGlftDb03fLBfKM96ov1%2B%2F7gAUJtMfAdk9BUBNUNda9t16wrDNGAVeGod5gZULkmaRB%2BSYwitpYbdZZw9oqT6GM86gMSQdng8tKJ5jvB7qzOr5k3fD2VUuTDsvjZN4f0hncuHKTT6LK4T2FPew5lUi44QzME",
"https://vtbehaviour.commondatastorage.googleapis.com/37f12bc75b877cf1823020f35dfc55ecde4dd992020b7059b13cbc2a59a1602b_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776233810&Signature=RD85gBCBa6ClHHnNqywd6%2FYlQHrUais%2BuABeaQrUngJuiQTTEyzmUagxx2k2VZ0tgbmEb%2Fdh9lTTFZXkRC4cQ18iE4OIl6IKM5Yzxmd8vDT6dmCvEzCiRUxmplXzVUHTJFz1dNIy0zvMDzEuAWEpKf2wo823yU%2F4PaxOceMkJ%2Ftq5Jehb6pUn6ILf%2B5FOEGJpxjXrbtWS%2BT%2BA5ScNml2cc8140P9mQ%2BmMx2EAW",
"",
"https://vtbehaviour.commondatastorage.googleapis.com/db9d8c125c0e5a440719875d01365c7c5423bcc8df55e54cb228ac2aa30bc969_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776235167&Signature=c%2F4wKBu3gsuZInxjqfgg8MbdYRlJ5EYYEV%2Fkl1g3Nx%2Fp%2B7lCYKGrilDgDTTqlooVjs8pyDi58Yi2SSs40L5JzExM18zVXhiUs1SYZNyy3OWKiAZ5QMH69N8R8XHmOd2L6lwfLVy9x%2F%2Fu29ji02gGj0W7eFht2uGb3Hnhegtt%2BNxNhOOCcD8LDnTvh%2Fhm9RYmW40LG5q238yRggg3TFrumeG2RHO9czdiobkRrsAD8eIohj",
"x-amzn-trace-id Root=1-69df501d-7e46547e623628d85631dc6b;Parent=0bf4ea1fded328b1;Sampled=0;Lineage=1:6afe1924:0",
"Nextron: Thank you for the YARA rules. Yara and LB, too.",
"https://vtbehaviour.commondatastorage.googleapis.com/930fd5e980c675c0eeb55d1c3c4b462dae4e9add472228ef9d9d3941d8603c48_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776243461&Signature=Dz1357rbtfS3ulmmu8c%2BhYCsFXq5j6Rkafb9W6C2Rp8K9C3NfbpUuCN1TORawK7%2BnEJXGNb7r2PQThu1hU64xqNTi6I7KNZcOwC5SHIDUgioEm6FoK%2F68BF%2Fj9tn3trLgKetrPx2zuy%2BP9gjqBMe5T2fAtNa%2FJi4uZYhdDQhKIZB1JmXDjEcFMhp6PLdPqEVVUh6nwevWaLhJ1z%2BPVhc9atSdnbwiXbJ7Cp%2BKrfR1xH8OQ"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1203",
"name": "Exploitation for Client Execution",
"display_name": "T1203 - Exploitation for Client Execution"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1003",
"name": "OS Credential Dumping",
"display_name": "T1003 - OS Credential Dumping"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1014",
"name": "Rootkit",
"display_name": "T1014 - Rootkit"
},
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1485",
"name": "Data Destruction",
"display_name": "T1485 - Data Destruction"
},
{
"id": "T1496",
"name": "Resource Hijacking",
"display_name": "T1496 - Resource Hijacking"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1542",
"name": "Pre-OS Boot",
"display_name": "T1542 - Pre-OS Boot"
},
{
"id": "T1564",
"name": "Hide Artifacts",
"display_name": "T1564 - Hide Artifacts"
},
{
"id": "T1016",
"name": "System Network Configuration Discovery",
"display_name": "T1016 - System Network Configuration Discovery"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1547",
"name": "Boot or Logon Autostart Execution",
"display_name": "T1547 - Boot or Logon Autostart Execution"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1134",
"name": "Access Token Manipulation",
"display_name": "T1134 - Access Token Manipulation"
},
{
"id": "T1046",
"name": "Network Service Scanning",
"display_name": "T1046 - Network Service Scanning"
},
{
"id": "T1539",
"name": "Steal Web Session Cookie",
"display_name": "T1539 - Steal Web Session Cookie"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 3012,
"IPv4": 343,
"URL": 3825,
"FileHash-MD5": 734,
"FileHash-SHA1": 453,
"domain": 862,
"hostname": 1629,
"email": 25,
"CVE": 1
},
"indicator_count": 10884,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 49,
"modified_text": "3 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69d20ba2a469e45b8dfd8c31",
"name": "VirusTotal Windows Sandbox",
"description": "A security alert has been issued by the UK government over the weekend, with the result of a malicious web address being sent to a member of the public via an address address linked tolinkedin.",
"modified": "2026-04-16T03:08:56.593000",
"created": "2026-04-05T07:13:38.063000",
"tags": [
"windows sandbox",
"calls process",
"time",
"request header",
"host",
"windows nt",
"win64",
"khtml",
"gecko",
"acceptencoding",
"accept",
"response header",
"date",
"dword",
"malware",
"file type",
"utf8",
"crlf line",
"unicode text",
"yara",
"binary",
"found",
"sample",
"mitre attack",
"malicious",
"window",
"next",
"detail info",
"tickcount",
"behaviour",
"processid",
"threadid",
"startaddress",
"parameter",
"offset",
"windows xp",
"professional",
"write",
"info",
"shell",
"cultureneutral",
"count",
"default",
"subsys11001af4",
"rev003",
"rev033",
"folders api",
"skylakeibrs",
"daba3ff",
"inprocserver32",
"first",
"virustotal",
"enterprise",
"service",
"close",
"win32 exe",
"pe32",
"ms windows",
"win16 ne",
"icons library",
"os2 executable",
"generic windos",
"executable",
"pe64 library",
"cname",
"none rticon",
"file size",
"sha256",
"mwdb",
"bazaar",
"sha3384",
"crc32",
"shutdown",
"error",
"back",
"lsappdata",
"inetfiles",
"windowname",
"protocol level",
"application",
"next connection",
"address",
"http url",
"get http",
"full path",
"path",
"filename",
"targetprocess",
"writeaddress",
"size",
"targetpid",
"findfirstfileex",
"class",
"find",
"open",
"imagepath",
"cmdline",
"ping",
"flags"
],
"references": [
"https://vtbehaviour.commondatastorage.googleapis.com/000bdbb9556e3474630b36d57190d5dae719886a6cdecf824af6a456243ebf88_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775372160&Signature=wARiO6wRTZGhS9vOpI%2BvoWxpe55%2BBlHjfTVS2m1fsb3%2FyiqXoI5x8uRNh6fj6Qp6DpePIZAM2MHvDzi%2B5TT6VWKI4zyyc%2BeVp9gihB0djBnCJr%2BKCB18kdFNBE%2BicOTMmx5aJ1hSjWQcOBYm9PMkZ6%2BhLzxX3gxTMneBKGhh0ckFJRTRfM2gKMfEPrOQ6aVgfkTWJUR9FQYz5g2qKGSDh1CCNlEzXhO33BEPI9fN",
"https://vtbehaviour.commondatastorage.googleapis.com/03a5d431bb42e7730a3ae3b3563cee73e7a782079cf56f57bad5fe665d261e54_SecneurX.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775372244&Signature=fXjnCgFbGybFp%2BCRO6a%2FQ3LKU2uLiKNtjgwKzprL3LFL%2BTMgup6nbp7%2F9Hxy8bnBzlFtSzO0fcnf%2FpIsNim0UdrINmB63N9mKkBW1cOkjxV88PAy2nsFZA3FjOEYq4N0lgc8gAtS5eRTt%2Bwb7WjEnd3QQ7aPLuoVl2hjed4hC8Cit6efcSD9GbJCITMeX4%2FVHBYSjmDr4Pgip9ANSZ6wvzkRktqPpC23Qwl62gkuXE%2BKp0s%2Bq%",
"https://vtbehaviour.commondatastorage.googleapis.com/14116af49a976b71f7ddd760161a1d50328baa280ac2c9a1f9f3a8996a3929b6_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775372327&Signature=bhG0zZxkKhoz9temkLENxZsdN9KeMsxW4nt2II1lmaPLEGAhNM4EmX5e7z1UM9LLsnqrvuZBhQs7ZnBuwSpY5T8iiKIu2%2FfZ83pX1Tw8s%2Bn%2BfXlEl3jlhzXWewZ9i8ZlXd6YIeWETsAak1j93aNnJHB2IPoZn7VISupTj400x7E%2FSm0ilDz4zCCDAjz1eTp1N41HvmoviGQGwTSnjTW5oyBHDm8RglOnnNqcEsm6%2BkGBJToFomLsipvuVIz8",
"https://vtbehaviour.commondatastorage.googleapis.com/39c58d0f868d4e8d1b959dce19d0bbcc57bb8b9b832f9efbe4e2244051237b95_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775372451&Signature=Dv9FcZuWlVKlY26EcoSmR4Kcb44tKDv4kyBrDOputdJDLMvfDX9%2Fs4Ss4cLURTdCso74wPUHQpcMVcyeGGK%2F3RwYbxXwJjMGGAJSCfCxIDRiL%2BLOQKY3M7zGyXrkpuwr5lQS4CaKp1LFajsxxwnKpd%2F5eXNMLqlyxh%2ByO3dJWTkY8WqNnnwnSjW0lqpwB9%2BBjgEdIeWsnMRqF0t4JQ8dJsmCbbTXmAKIEZ46Rpio044%2BrsqH",
"https://vtbehaviour.commondatastorage.googleapis.com/539dc26a14b6277e87348594ab7d6e932d16aabb18612d77f29fe421a9f1d46a_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775372560&Signature=tXBHkUCyFp7E2Um%2FMUvRPbUvaQmYPeBV7KGbi%2Bssa%2FkYQyqgH4u8fy6h0A8bVbsyQMMPf2EEF2JkzkiD6SXcfLADGdVqHYQya%2F6s2Ox5QnOFkJSATlDdXCWVp%2F4wHxZHInIRcrBPZFjjYFQM0u7VYCEMtkMCS0pzld2nGLlcOuOXBFxGTQPy0A03dikBC4Yw4f%2BdiMLMxO0hxZSo9FxPq1ylB4gs57NBBniylVO4Qi%2BLzleU5",
"https://vtbehaviour.commondatastorage.googleapis.com/0ab7fad77871a45137c9f2e40e3cbf47e3d71315f71c8eca9c8d62bc24a53184_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775372878&Signature=cLNwLw1L9ZCpQXZej7DaLTWH5w887X5wPnSpN1pwH2N4acSu8Llp25uprGRArg6qCuPbVQ2YPyIeCdwLCZvq%2FU0hP8m17ZPontiyR5zKb7jxcW57eEUuVnuSV9%2FnukwtPPJ%2BTY7a0%2B9rwSAU%2FL%2FJQ1yMke6VIX%2B%2F6KSWHgmLV%2F%2FR%2FbOxB0oZ4%2Fe%2Fsb2%2Fw12dZix7IY6c7wOj1OlWGQSkAZZsEoDw",
"https://vtbehaviour.commondatastorage.googleapis.com/01f09136cb86f25635f91144946847d58c559228d50d9b84b0c021d4091b840b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775373052&Signature=U7haY6XsgyJ83G1vAOPLrLLS%2BaMP9xAKOlnzSb4I9clIBLt9Y8xzP4qjfBxbeUfdF6s%2B6dtg4dXzqTjrAYSC3XOTEEtHZeK4ePz5qfS9n%2FWNrOKQb30VBhfUNL5DYUCd3XSOPjIVlbRz9ylDpwApfVK2AMarGiLLlnKRDv7M0S63SkQx8eWyabXd2afPPy96ZGNZVZfOhw5llZiztL6mYo%2BVivlyFsDcodH9F4XrS%2FPsSLeJRx5d",
"https://vtbehaviour.commondatastorage.googleapis.com/7605fa9aeaae25656c40a553534d35418cca40dc48023d0b3237b402361c6816_Dr.Web%20vxCube.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775373200&Signature=uMO8ESBCpu0oIIRS0CToWTN9KlOHyq4uWjWMjfdcUCGyliW%2FSy8KDIg6OMWLUQ6SBC45Jm0Mr%2FNV6m74hTSnpmGdVf6k6mA3QrTQwUMaMk2QbBLU1IwUG8wvylr6KXEqQYYCkZksYiZEyNm%2B2hKNvWtKFc%2BZlL7M12RBSER84%2FDRQlJnK6qbDW3DYX1tPsXxTynGj5YxQDlUqfWU8CjZtSAfUK%2Bw%2FoybwyMsJc68%2B01HQ",
"https://vtbehaviour.commondatastorage.googleapis.com/7605fa9aeaae25656c40a553534d35418cca40dc48023d0b3237b402361c6816_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775373283&Signature=KIPnPqQCcifTzuRS43FhFyzCXei0rDK20JuVvXA3UkB%2Bj6R1a4SAH2sn%2BJO1ohLSxLswzbryMf81lr4eGQCMbr3Wwfwo7kHN1yHV4M187cNxRZlbZ4%2BzOZZgfWt3bJNLx2Z4%2B4aqarco7OzqkhcQizlq8frRttJQjcLcNxgWD3oV2QDxZxurniW%2BhRRUS%2Bv9uGXWIRhWYmbEA%2BaoQsvpX0AIeSUCn4qb%2Fh31hJe7JitkCE",
"https://vtbehaviour.commondatastorage.googleapis.com/000007781f616194758c52c551ab2f198970675c9218eab9f1e4470f0a696e71_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775373373&Signature=mjvxt7z8ajbHZY%2BdL0G02pE7trUx7SkineLNrDSnq8FxmEuCuDdnNDWKdPawPb4w2NnK5HFkV3BAdTJrRNBxBceLP%2FevhdkmR4C%2BiZZ8pz9GBeqwl0l6oJMBga2ZHfKcA%2BxqQgP5r1zzN%2BZPMH0zxPdHYZA2WlzkfzPBDQcTEDdz8aTIaX%2BOP5JUo4gYjqxxxrdBLVGv0i54PedBqgFw5IRrPpdH%2FwlQGTLKQ%2BSjslq2d0",
"https://vtbehaviour.commondatastorage.googleapis.com/39c58d0f868d4e8d1b959dce19d0bbcc57bb8b9b832f9efbe4e2244051237b95_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775373454&Signature=oXNg992chHQhOJxpI2XcWdFB%2FxJme1ol4iA4aOgaKWQcqa9WXsYlPcTANPmFkyrHIciosnksXEJrIAfFsjAYeEqG%2F7oPGCQLBILFHUhwZVcoJR9PgFwUsHBu%2FqiWSOifVPER4vpDL0gbsuNlU6gHT5aWRW%2BwoOwbHSIt5jj%2FJ3%2FxGDBAUaZrSuQurOM0Nb3qRhNN1NOTUj7mGTuUBXdtvnzCFLjxl3Kk6dYYFgmwhWI04P3JIB"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1010",
"name": "Application Window Discovery",
"display_name": "T1010 - Application Window Discovery"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
},
{
"id": "T1090",
"name": "Proxy",
"display_name": "T1090 - Proxy"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1014",
"name": "Rootkit",
"display_name": "T1014 - Rootkit"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1542",
"name": "Pre-OS Boot",
"display_name": "T1542 - Pre-OS Boot"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 72,
"FileHash-MD5": 60,
"FileHash-SHA1": 31,
"FileHash-SHA256": 149,
"IPv4": 47,
"domain": 19,
"hostname": 91
},
"indicator_count": 469,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 48,
"modified_text": "3 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69b4daa88e794fdfb43ff156",
"name": "CAPE Sandbox- doesnt add up the ai summary check the settings for manipulation",
"description": "",
"modified": "2026-04-13T03:29:47.531000",
"created": "2026-03-14T03:48:56.520000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 90,
"FileHash-SHA1": 81,
"FileHash-SHA256": 71,
"URL": 22,
"domain": 6,
"hostname": 60
},
"indicator_count": 330,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 49,
"modified_text": "6 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69b4b342d4caca5474f1e7d7",
"name": "Domains of interest",
"description": "for later analysis. pulse pt",
"modified": "2026-04-13T01:07:12.977000",
"created": "2026-03-14T01:00:50.336000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 263,
"URL": 37,
"domain": 13,
"hostname": 125,
"FileHash-SHA1": 123,
"FileHash-MD5": 90,
"CVE": 1
},
"indicator_count": 652,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 48,
"modified_text": "6 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69d581fe66b2a372fe14cb07",
"name": "Yoroi / Yomi Hunter Sandbox",
"description": "c0085eb467d2fc9c9f395047e057183b3cd1503a4087d0db565161c13527a76f\n(Image2629)_Windows_Microsoft.NET_Framework_v3.5_default.win32manifes\nFile Name\tc4ca4238a0b923820dcc509a6f75849b\nFile Size\t490\nFile Type\tXML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators\nMD5\ta19a2658ba69030c6ac9d11fd7d7e3c1\nSHA1\t879dcf690e5bf1941b27cf13c8bcf72f8356c650\nSHA512\tfa583ba012a80d44e599285eb6a013baf41ffbe72ee8561fc89af0ec5543003ba4165bfe7b1ba79252a1b3b6e5626bf52dc712eacd107c0b093a5a2757284d73\nCRC32\t266BB9C6\n\n Initial Access \n Execution \nExecution through Module Load\n Persistence \nModify Existing Service\n Privilege Escalation \n Defense Evasion \nDisabling Security Tools\nModify Registry\n Credential Access \n Discovery \nProcess Discovery\nSecurity Software Discovery\n Lateral Movement \n Collection \nMan in the Browser\n Exfiltration \n Command And Control \nStandard Non-Application Layer Protocol\nStandard Application Layer Protocol",
"modified": "2026-04-07T22:17:12.155000",
"created": "2026-04-07T22:15:26.104000",
"tags": [
"file size",
"file type",
"ssdeep",
"clamav none",
"yara",
"virustotal",
"sqlite rollback",
"sha512",
"analysis",
"sha1"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 50,
"FileHash-SHA1": 32,
"FileHash-SHA256": 32,
"IPv4": 5,
"URL": 30,
"domain": 17,
"hostname": 59
},
"indicator_count": 225,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 48,
"modified_text": "12 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69aa842cef967c844adef1de",
"name": "CAPE Sandbox part 2 - see part 1",
"description": "heartbreaking",
"modified": "2026-04-05T11:04:28.804000",
"created": "2026-03-06T07:37:16.417000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1003",
"name": "OS Credential Dumping",
"display_name": "T1003 - OS Credential Dumping"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1014",
"name": "Rootkit",
"display_name": "T1014 - Rootkit"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1203",
"name": "Exploitation for Client Execution",
"display_name": "T1203 - Exploitation for Client Execution"
},
{
"id": "T1485",
"name": "Data Destruction",
"display_name": "T1485 - Data Destruction"
},
{
"id": "T1496",
"name": "Resource Hijacking",
"display_name": "T1496 - Resource Hijacking"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1542",
"name": "Pre-OS Boot",
"display_name": "T1542 - Pre-OS Boot"
},
{
"id": "T1548",
"name": "Abuse Elevation Control Mechanism",
"display_name": "T1548 - Abuse Elevation Control Mechanism"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1564",
"name": "Hide Artifacts",
"display_name": "T1564 - Hide Artifacts"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 3905,
"FileHash-SHA1": 3515,
"FileHash-SHA256": 8002,
"URL": 982,
"hostname": 2532,
"domain": 164,
"email": 1
},
"indicator_count": 19101,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 49,
"modified_text": "14 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69aa53582de113e05d102700",
"name": "CORRUPT.",
"description": "the only wizard I like is Harry",
"modified": "2026-04-05T07:38:31.088000",
"created": "2026-03-06T04:08:56.281000",
"tags": [
"inno setup",
"linker",
"pe32",
"intel",
"ms windows",
"win32 exe",
"pecompact",
"pe32 installer",
"module",
"professional",
"delphi"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 1181,
"FileHash-SHA1": 1182,
"FileHash-SHA256": 3383,
"URL": 218,
"domain": 59,
"hostname": 646,
"email": 1
},
"indicator_count": 6670,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 48,
"modified_text": "14 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69d20ba3e768ce672f6faaf0",
"name": "VirusTotal Windows Sandbox",
"description": "A security alert has been issued by the UK government over the weekend, with the result of a malicious web address being sent to a member of the public via an address address linked tolinkedin.",
"modified": "2026-04-05T07:13:39.327000",
"created": "2026-04-05T07:13:39.327000",
"tags": [
"windows sandbox",
"calls process",
"time",
"request header",
"host",
"windows nt",
"win64",
"khtml",
"gecko",
"acceptencoding",
"accept",
"response header",
"date",
"dword",
"malware",
"file type",
"utf8",
"crlf line",
"unicode text",
"yara",
"binary",
"found",
"sample",
"mitre attack",
"malicious",
"window",
"next",
"detail info",
"tickcount",
"behaviour",
"processid",
"threadid",
"startaddress",
"parameter",
"offset",
"windows xp",
"professional",
"write",
"info",
"shell",
"cultureneutral",
"count",
"default",
"subsys11001af4",
"rev003",
"rev033",
"folders api",
"skylakeibrs",
"daba3ff",
"inprocserver32",
"first",
"virustotal",
"enterprise",
"service",
"close",
"win32 exe",
"pe32",
"ms windows",
"win16 ne",
"icons library",
"os2 executable",
"generic windos",
"executable",
"pe64 library",
"cname",
"none rticon",
"file size",
"sha256",
"mwdb",
"bazaar",
"sha3384",
"crc32",
"shutdown",
"error",
"back",
"lsappdata",
"inetfiles",
"windowname",
"protocol level",
"application",
"next connection",
"address",
"http url",
"get http",
"full path",
"path",
"filename",
"targetprocess",
"writeaddress",
"size",
"targetpid",
"findfirstfileex",
"class",
"find",
"open",
"imagepath",
"cmdline",
"ping",
"flags"
],
"references": [
"https://vtbehaviour.commondatastorage.googleapis.com/000bdbb9556e3474630b36d57190d5dae719886a6cdecf824af6a456243ebf88_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775372160&Signature=wARiO6wRTZGhS9vOpI%2BvoWxpe55%2BBlHjfTVS2m1fsb3%2FyiqXoI5x8uRNh6fj6Qp6DpePIZAM2MHvDzi%2B5TT6VWKI4zyyc%2BeVp9gihB0djBnCJr%2BKCB18kdFNBE%2BicOTMmx5aJ1hSjWQcOBYm9PMkZ6%2BhLzxX3gxTMneBKGhh0ckFJRTRfM2gKMfEPrOQ6aVgfkTWJUR9FQYz5g2qKGSDh1CCNlEzXhO33BEPI9fN",
"https://vtbehaviour.commondatastorage.googleapis.com/03a5d431bb42e7730a3ae3b3563cee73e7a782079cf56f57bad5fe665d261e54_SecneurX.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775372244&Signature=fXjnCgFbGybFp%2BCRO6a%2FQ3LKU2uLiKNtjgwKzprL3LFL%2BTMgup6nbp7%2F9Hxy8bnBzlFtSzO0fcnf%2FpIsNim0UdrINmB63N9mKkBW1cOkjxV88PAy2nsFZA3FjOEYq4N0lgc8gAtS5eRTt%2Bwb7WjEnd3QQ7aPLuoVl2hjed4hC8Cit6efcSD9GbJCITMeX4%2FVHBYSjmDr4Pgip9ANSZ6wvzkRktqPpC23Qwl62gkuXE%2BKp0s%2Bq%",
"https://vtbehaviour.commondatastorage.googleapis.com/14116af49a976b71f7ddd760161a1d50328baa280ac2c9a1f9f3a8996a3929b6_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775372327&Signature=bhG0zZxkKhoz9temkLENxZsdN9KeMsxW4nt2II1lmaPLEGAhNM4EmX5e7z1UM9LLsnqrvuZBhQs7ZnBuwSpY5T8iiKIu2%2FfZ83pX1Tw8s%2Bn%2BfXlEl3jlhzXWewZ9i8ZlXd6YIeWETsAak1j93aNnJHB2IPoZn7VISupTj400x7E%2FSm0ilDz4zCCDAjz1eTp1N41HvmoviGQGwTSnjTW5oyBHDm8RglOnnNqcEsm6%2BkGBJToFomLsipvuVIz8",
"https://vtbehaviour.commondatastorage.googleapis.com/39c58d0f868d4e8d1b959dce19d0bbcc57bb8b9b832f9efbe4e2244051237b95_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775372451&Signature=Dv9FcZuWlVKlY26EcoSmR4Kcb44tKDv4kyBrDOputdJDLMvfDX9%2Fs4Ss4cLURTdCso74wPUHQpcMVcyeGGK%2F3RwYbxXwJjMGGAJSCfCxIDRiL%2BLOQKY3M7zGyXrkpuwr5lQS4CaKp1LFajsxxwnKpd%2F5eXNMLqlyxh%2ByO3dJWTkY8WqNnnwnSjW0lqpwB9%2BBjgEdIeWsnMRqF0t4JQ8dJsmCbbTXmAKIEZ46Rpio044%2BrsqH",
"https://vtbehaviour.commondatastorage.googleapis.com/539dc26a14b6277e87348594ab7d6e932d16aabb18612d77f29fe421a9f1d46a_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775372560&Signature=tXBHkUCyFp7E2Um%2FMUvRPbUvaQmYPeBV7KGbi%2Bssa%2FkYQyqgH4u8fy6h0A8bVbsyQMMPf2EEF2JkzkiD6SXcfLADGdVqHYQya%2F6s2Ox5QnOFkJSATlDdXCWVp%2F4wHxZHInIRcrBPZFjjYFQM0u7VYCEMtkMCS0pzld2nGLlcOuOXBFxGTQPy0A03dikBC4Yw4f%2BdiMLMxO0hxZSo9FxPq1ylB4gs57NBBniylVO4Qi%2BLzleU5",
"https://vtbehaviour.commondatastorage.googleapis.com/0ab7fad77871a45137c9f2e40e3cbf47e3d71315f71c8eca9c8d62bc24a53184_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775372878&Signature=cLNwLw1L9ZCpQXZej7DaLTWH5w887X5wPnSpN1pwH2N4acSu8Llp25uprGRArg6qCuPbVQ2YPyIeCdwLCZvq%2FU0hP8m17ZPontiyR5zKb7jxcW57eEUuVnuSV9%2FnukwtPPJ%2BTY7a0%2B9rwSAU%2FL%2FJQ1yMke6VIX%2B%2F6KSWHgmLV%2F%2FR%2FbOxB0oZ4%2Fe%2Fsb2%2Fw12dZix7IY6c7wOj1OlWGQSkAZZsEoDw",
"https://vtbehaviour.commondatastorage.googleapis.com/01f09136cb86f25635f91144946847d58c559228d50d9b84b0c021d4091b840b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775373052&Signature=U7haY6XsgyJ83G1vAOPLrLLS%2BaMP9xAKOlnzSb4I9clIBLt9Y8xzP4qjfBxbeUfdF6s%2B6dtg4dXzqTjrAYSC3XOTEEtHZeK4ePz5qfS9n%2FWNrOKQb30VBhfUNL5DYUCd3XSOPjIVlbRz9ylDpwApfVK2AMarGiLLlnKRDv7M0S63SkQx8eWyabXd2afPPy96ZGNZVZfOhw5llZiztL6mYo%2BVivlyFsDcodH9F4XrS%2FPsSLeJRx5d",
"https://vtbehaviour.commondatastorage.googleapis.com/7605fa9aeaae25656c40a553534d35418cca40dc48023d0b3237b402361c6816_Dr.Web%20vxCube.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775373200&Signature=uMO8ESBCpu0oIIRS0CToWTN9KlOHyq4uWjWMjfdcUCGyliW%2FSy8KDIg6OMWLUQ6SBC45Jm0Mr%2FNV6m74hTSnpmGdVf6k6mA3QrTQwUMaMk2QbBLU1IwUG8wvylr6KXEqQYYCkZksYiZEyNm%2B2hKNvWtKFc%2BZlL7M12RBSER84%2FDRQlJnK6qbDW3DYX1tPsXxTynGj5YxQDlUqfWU8CjZtSAfUK%2Bw%2FoybwyMsJc68%2B01HQ",
"https://vtbehaviour.commondatastorage.googleapis.com/7605fa9aeaae25656c40a553534d35418cca40dc48023d0b3237b402361c6816_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775373283&Signature=KIPnPqQCcifTzuRS43FhFyzCXei0rDK20JuVvXA3UkB%2Bj6R1a4SAH2sn%2BJO1ohLSxLswzbryMf81lr4eGQCMbr3Wwfwo7kHN1yHV4M187cNxRZlbZ4%2BzOZZgfWt3bJNLx2Z4%2B4aqarco7OzqkhcQizlq8frRttJQjcLcNxgWD3oV2QDxZxurniW%2BhRRUS%2Bv9uGXWIRhWYmbEA%2BaoQsvpX0AIeSUCn4qb%2Fh31hJe7JitkCE",
"https://vtbehaviour.commondatastorage.googleapis.com/000007781f616194758c52c551ab2f198970675c9218eab9f1e4470f0a696e71_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775373373&Signature=mjvxt7z8ajbHZY%2BdL0G02pE7trUx7SkineLNrDSnq8FxmEuCuDdnNDWKdPawPb4w2NnK5HFkV3BAdTJrRNBxBceLP%2FevhdkmR4C%2BiZZ8pz9GBeqwl0l6oJMBga2ZHfKcA%2BxqQgP5r1zzN%2BZPMH0zxPdHYZA2WlzkfzPBDQcTEDdz8aTIaX%2BOP5JUo4gYjqxxxrdBLVGv0i54PedBqgFw5IRrPpdH%2FwlQGTLKQ%2BSjslq2d0",
"https://vtbehaviour.commondatastorage.googleapis.com/39c58d0f868d4e8d1b959dce19d0bbcc57bb8b9b832f9efbe4e2244051237b95_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775373454&Signature=oXNg992chHQhOJxpI2XcWdFB%2FxJme1ol4iA4aOgaKWQcqa9WXsYlPcTANPmFkyrHIciosnksXEJrIAfFsjAYeEqG%2F7oPGCQLBILFHUhwZVcoJR9PgFwUsHBu%2FqiWSOifVPER4vpDL0gbsuNlU6gHT5aWRW%2BwoOwbHSIt5jj%2FJ3%2FxGDBAUaZrSuQurOM0Nb3qRhNN1NOTUj7mGTuUBXdtvnzCFLjxl3Kk6dYYFgmwhWI04P3JIB"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1010",
"name": "Application Window Discovery",
"display_name": "T1010 - Application Window Discovery"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
},
{
"id": "T1090",
"name": "Proxy",
"display_name": "T1090 - Proxy"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1014",
"name": "Rootkit",
"display_name": "T1014 - Rootkit"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1542",
"name": "Pre-OS Boot",
"display_name": "T1542 - Pre-OS Boot"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 72,
"FileHash-MD5": 56,
"FileHash-SHA1": 27,
"FileHash-SHA256": 113,
"IPv4": 47,
"domain": 19,
"hostname": 89
},
"indicator_count": 423,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 48,
"modified_text": "14 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69d20ba20b81857c628e1d9e",
"name": "VirusTotal Windows Sandbox",
"description": "A security alert has been issued by the UK government over the weekend, with the result of a malicious web address being sent to a member of the public via an address address linked tolinkedin.",
"modified": "2026-04-05T07:13:38.735000",
"created": "2026-04-05T07:13:38.735000",
"tags": [
"windows sandbox",
"calls process",
"time",
"request header",
"host",
"windows nt",
"win64",
"khtml",
"gecko",
"acceptencoding",
"accept",
"response header",
"date",
"dword",
"malware",
"file type",
"utf8",
"crlf line",
"unicode text",
"yara",
"binary",
"found",
"sample",
"mitre attack",
"malicious",
"window",
"next",
"detail info",
"tickcount",
"behaviour",
"processid",
"threadid",
"startaddress",
"parameter",
"offset",
"windows xp",
"professional",
"write",
"info",
"shell",
"cultureneutral",
"count",
"default",
"subsys11001af4",
"rev003",
"rev033",
"folders api",
"skylakeibrs",
"daba3ff",
"inprocserver32",
"first",
"virustotal",
"enterprise",
"service",
"close",
"win32 exe",
"pe32",
"ms windows",
"win16 ne",
"icons library",
"os2 executable",
"generic windos",
"executable",
"pe64 library",
"cname",
"none rticon",
"file size",
"sha256",
"mwdb",
"bazaar",
"sha3384",
"crc32",
"shutdown",
"error",
"back",
"lsappdata",
"inetfiles",
"windowname",
"protocol level",
"application",
"next connection",
"address",
"http url",
"get http",
"full path",
"path",
"filename",
"targetprocess",
"writeaddress",
"size",
"targetpid",
"findfirstfileex",
"class",
"find",
"open",
"imagepath",
"cmdline",
"ping",
"flags"
],
"references": [
"https://vtbehaviour.commondatastorage.googleapis.com/000bdbb9556e3474630b36d57190d5dae719886a6cdecf824af6a456243ebf88_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775372160&Signature=wARiO6wRTZGhS9vOpI%2BvoWxpe55%2BBlHjfTVS2m1fsb3%2FyiqXoI5x8uRNh6fj6Qp6DpePIZAM2MHvDzi%2B5TT6VWKI4zyyc%2BeVp9gihB0djBnCJr%2BKCB18kdFNBE%2BicOTMmx5aJ1hSjWQcOBYm9PMkZ6%2BhLzxX3gxTMneBKGhh0ckFJRTRfM2gKMfEPrOQ6aVgfkTWJUR9FQYz5g2qKGSDh1CCNlEzXhO33BEPI9fN",
"https://vtbehaviour.commondatastorage.googleapis.com/03a5d431bb42e7730a3ae3b3563cee73e7a782079cf56f57bad5fe665d261e54_SecneurX.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775372244&Signature=fXjnCgFbGybFp%2BCRO6a%2FQ3LKU2uLiKNtjgwKzprL3LFL%2BTMgup6nbp7%2F9Hxy8bnBzlFtSzO0fcnf%2FpIsNim0UdrINmB63N9mKkBW1cOkjxV88PAy2nsFZA3FjOEYq4N0lgc8gAtS5eRTt%2Bwb7WjEnd3QQ7aPLuoVl2hjed4hC8Cit6efcSD9GbJCITMeX4%2FVHBYSjmDr4Pgip9ANSZ6wvzkRktqPpC23Qwl62gkuXE%2BKp0s%2Bq%",
"https://vtbehaviour.commondatastorage.googleapis.com/14116af49a976b71f7ddd760161a1d50328baa280ac2c9a1f9f3a8996a3929b6_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775372327&Signature=bhG0zZxkKhoz9temkLENxZsdN9KeMsxW4nt2II1lmaPLEGAhNM4EmX5e7z1UM9LLsnqrvuZBhQs7ZnBuwSpY5T8iiKIu2%2FfZ83pX1Tw8s%2Bn%2BfXlEl3jlhzXWewZ9i8ZlXd6YIeWETsAak1j93aNnJHB2IPoZn7VISupTj400x7E%2FSm0ilDz4zCCDAjz1eTp1N41HvmoviGQGwTSnjTW5oyBHDm8RglOnnNqcEsm6%2BkGBJToFomLsipvuVIz8",
"https://vtbehaviour.commondatastorage.googleapis.com/39c58d0f868d4e8d1b959dce19d0bbcc57bb8b9b832f9efbe4e2244051237b95_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775372451&Signature=Dv9FcZuWlVKlY26EcoSmR4Kcb44tKDv4kyBrDOputdJDLMvfDX9%2Fs4Ss4cLURTdCso74wPUHQpcMVcyeGGK%2F3RwYbxXwJjMGGAJSCfCxIDRiL%2BLOQKY3M7zGyXrkpuwr5lQS4CaKp1LFajsxxwnKpd%2F5eXNMLqlyxh%2ByO3dJWTkY8WqNnnwnSjW0lqpwB9%2BBjgEdIeWsnMRqF0t4JQ8dJsmCbbTXmAKIEZ46Rpio044%2BrsqH",
"https://vtbehaviour.commondatastorage.googleapis.com/539dc26a14b6277e87348594ab7d6e932d16aabb18612d77f29fe421a9f1d46a_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775372560&Signature=tXBHkUCyFp7E2Um%2FMUvRPbUvaQmYPeBV7KGbi%2Bssa%2FkYQyqgH4u8fy6h0A8bVbsyQMMPf2EEF2JkzkiD6SXcfLADGdVqHYQya%2F6s2Ox5QnOFkJSATlDdXCWVp%2F4wHxZHInIRcrBPZFjjYFQM0u7VYCEMtkMCS0pzld2nGLlcOuOXBFxGTQPy0A03dikBC4Yw4f%2BdiMLMxO0hxZSo9FxPq1ylB4gs57NBBniylVO4Qi%2BLzleU5",
"https://vtbehaviour.commondatastorage.googleapis.com/0ab7fad77871a45137c9f2e40e3cbf47e3d71315f71c8eca9c8d62bc24a53184_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775372878&Signature=cLNwLw1L9ZCpQXZej7DaLTWH5w887X5wPnSpN1pwH2N4acSu8Llp25uprGRArg6qCuPbVQ2YPyIeCdwLCZvq%2FU0hP8m17ZPontiyR5zKb7jxcW57eEUuVnuSV9%2FnukwtPPJ%2BTY7a0%2B9rwSAU%2FL%2FJQ1yMke6VIX%2B%2F6KSWHgmLV%2F%2FR%2FbOxB0oZ4%2Fe%2Fsb2%2Fw12dZix7IY6c7wOj1OlWGQSkAZZsEoDw",
"https://vtbehaviour.commondatastorage.googleapis.com/01f09136cb86f25635f91144946847d58c559228d50d9b84b0c021d4091b840b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775373052&Signature=U7haY6XsgyJ83G1vAOPLrLLS%2BaMP9xAKOlnzSb4I9clIBLt9Y8xzP4qjfBxbeUfdF6s%2B6dtg4dXzqTjrAYSC3XOTEEtHZeK4ePz5qfS9n%2FWNrOKQb30VBhfUNL5DYUCd3XSOPjIVlbRz9ylDpwApfVK2AMarGiLLlnKRDv7M0S63SkQx8eWyabXd2afPPy96ZGNZVZfOhw5llZiztL6mYo%2BVivlyFsDcodH9F4XrS%2FPsSLeJRx5d",
"https://vtbehaviour.commondatastorage.googleapis.com/7605fa9aeaae25656c40a553534d35418cca40dc48023d0b3237b402361c6816_Dr.Web%20vxCube.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775373200&Signature=uMO8ESBCpu0oIIRS0CToWTN9KlOHyq4uWjWMjfdcUCGyliW%2FSy8KDIg6OMWLUQ6SBC45Jm0Mr%2FNV6m74hTSnpmGdVf6k6mA3QrTQwUMaMk2QbBLU1IwUG8wvylr6KXEqQYYCkZksYiZEyNm%2B2hKNvWtKFc%2BZlL7M12RBSER84%2FDRQlJnK6qbDW3DYX1tPsXxTynGj5YxQDlUqfWU8CjZtSAfUK%2Bw%2FoybwyMsJc68%2B01HQ",
"https://vtbehaviour.commondatastorage.googleapis.com/7605fa9aeaae25656c40a553534d35418cca40dc48023d0b3237b402361c6816_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775373283&Signature=KIPnPqQCcifTzuRS43FhFyzCXei0rDK20JuVvXA3UkB%2Bj6R1a4SAH2sn%2BJO1ohLSxLswzbryMf81lr4eGQCMbr3Wwfwo7kHN1yHV4M187cNxRZlbZ4%2BzOZZgfWt3bJNLx2Z4%2B4aqarco7OzqkhcQizlq8frRttJQjcLcNxgWD3oV2QDxZxurniW%2BhRRUS%2Bv9uGXWIRhWYmbEA%2BaoQsvpX0AIeSUCn4qb%2Fh31hJe7JitkCE",
"https://vtbehaviour.commondatastorage.googleapis.com/000007781f616194758c52c551ab2f198970675c9218eab9f1e4470f0a696e71_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775373373&Signature=mjvxt7z8ajbHZY%2BdL0G02pE7trUx7SkineLNrDSnq8FxmEuCuDdnNDWKdPawPb4w2NnK5HFkV3BAdTJrRNBxBceLP%2FevhdkmR4C%2BiZZ8pz9GBeqwl0l6oJMBga2ZHfKcA%2BxqQgP5r1zzN%2BZPMH0zxPdHYZA2WlzkfzPBDQcTEDdz8aTIaX%2BOP5JUo4gYjqxxxrdBLVGv0i54PedBqgFw5IRrPpdH%2FwlQGTLKQ%2BSjslq2d0",
"https://vtbehaviour.commondatastorage.googleapis.com/39c58d0f868d4e8d1b959dce19d0bbcc57bb8b9b832f9efbe4e2244051237b95_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775373454&Signature=oXNg992chHQhOJxpI2XcWdFB%2FxJme1ol4iA4aOgaKWQcqa9WXsYlPcTANPmFkyrHIciosnksXEJrIAfFsjAYeEqG%2F7oPGCQLBILFHUhwZVcoJR9PgFwUsHBu%2FqiWSOifVPER4vpDL0gbsuNlU6gHT5aWRW%2BwoOwbHSIt5jj%2FJ3%2FxGDBAUaZrSuQurOM0Nb3qRhNN1NOTUj7mGTuUBXdtvnzCFLjxl3Kk6dYYFgmwhWI04P3JIB"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1010",
"name": "Application Window Discovery",
"display_name": "T1010 - Application Window Discovery"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
},
{
"id": "T1090",
"name": "Proxy",
"display_name": "T1090 - Proxy"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1014",
"name": "Rootkit",
"display_name": "T1014 - Rootkit"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1542",
"name": "Pre-OS Boot",
"display_name": "T1542 - Pre-OS Boot"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 72,
"FileHash-MD5": 56,
"FileHash-SHA1": 27,
"FileHash-SHA256": 113,
"IPv4": 47,
"domain": 19,
"hostname": 89
},
"indicator_count": 423,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 48,
"modified_text": "14 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69d20ba21b989eb65ac172a8",
"name": "VirusTotal Windows Sandbox",
"description": "A security alert has been issued by the UK government over the weekend, with the result of a malicious web address being sent to a member of the public via an address address linked tolinkedin.",
"modified": "2026-04-05T07:13:38.308000",
"created": "2026-04-05T07:13:38.308000",
"tags": [
"windows sandbox",
"calls process",
"time",
"request header",
"host",
"windows nt",
"win64",
"khtml",
"gecko",
"acceptencoding",
"accept",
"response header",
"date",
"dword",
"malware",
"file type",
"utf8",
"crlf line",
"unicode text",
"yara",
"binary",
"found",
"sample",
"mitre attack",
"malicious",
"window",
"next",
"detail info",
"tickcount",
"behaviour",
"processid",
"threadid",
"startaddress",
"parameter",
"offset",
"windows xp",
"professional",
"write",
"info",
"shell",
"cultureneutral",
"count",
"default",
"subsys11001af4",
"rev003",
"rev033",
"folders api",
"skylakeibrs",
"daba3ff",
"inprocserver32",
"first",
"virustotal",
"enterprise",
"service",
"close",
"win32 exe",
"pe32",
"ms windows",
"win16 ne",
"icons library",
"os2 executable",
"generic windos",
"executable",
"pe64 library",
"cname",
"none rticon",
"file size",
"sha256",
"mwdb",
"bazaar",
"sha3384",
"crc32",
"shutdown",
"error",
"back",
"lsappdata",
"inetfiles",
"windowname",
"protocol level",
"application",
"next connection",
"address",
"http url",
"get http",
"full path",
"path",
"filename",
"targetprocess",
"writeaddress",
"size",
"targetpid",
"findfirstfileex",
"class",
"find",
"open",
"imagepath",
"cmdline",
"ping",
"flags"
],
"references": [
"https://vtbehaviour.commondatastorage.googleapis.com/000bdbb9556e3474630b36d57190d5dae719886a6cdecf824af6a456243ebf88_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775372160&Signature=wARiO6wRTZGhS9vOpI%2BvoWxpe55%2BBlHjfTVS2m1fsb3%2FyiqXoI5x8uRNh6fj6Qp6DpePIZAM2MHvDzi%2B5TT6VWKI4zyyc%2BeVp9gihB0djBnCJr%2BKCB18kdFNBE%2BicOTMmx5aJ1hSjWQcOBYm9PMkZ6%2BhLzxX3gxTMneBKGhh0ckFJRTRfM2gKMfEPrOQ6aVgfkTWJUR9FQYz5g2qKGSDh1CCNlEzXhO33BEPI9fN",
"https://vtbehaviour.commondatastorage.googleapis.com/03a5d431bb42e7730a3ae3b3563cee73e7a782079cf56f57bad5fe665d261e54_SecneurX.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775372244&Signature=fXjnCgFbGybFp%2BCRO6a%2FQ3LKU2uLiKNtjgwKzprL3LFL%2BTMgup6nbp7%2F9Hxy8bnBzlFtSzO0fcnf%2FpIsNim0UdrINmB63N9mKkBW1cOkjxV88PAy2nsFZA3FjOEYq4N0lgc8gAtS5eRTt%2Bwb7WjEnd3QQ7aPLuoVl2hjed4hC8Cit6efcSD9GbJCITMeX4%2FVHBYSjmDr4Pgip9ANSZ6wvzkRktqPpC23Qwl62gkuXE%2BKp0s%2Bq%",
"https://vtbehaviour.commondatastorage.googleapis.com/14116af49a976b71f7ddd760161a1d50328baa280ac2c9a1f9f3a8996a3929b6_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775372327&Signature=bhG0zZxkKhoz9temkLENxZsdN9KeMsxW4nt2II1lmaPLEGAhNM4EmX5e7z1UM9LLsnqrvuZBhQs7ZnBuwSpY5T8iiKIu2%2FfZ83pX1Tw8s%2Bn%2BfXlEl3jlhzXWewZ9i8ZlXd6YIeWETsAak1j93aNnJHB2IPoZn7VISupTj400x7E%2FSm0ilDz4zCCDAjz1eTp1N41HvmoviGQGwTSnjTW5oyBHDm8RglOnnNqcEsm6%2BkGBJToFomLsipvuVIz8",
"https://vtbehaviour.commondatastorage.googleapis.com/39c58d0f868d4e8d1b959dce19d0bbcc57bb8b9b832f9efbe4e2244051237b95_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775372451&Signature=Dv9FcZuWlVKlY26EcoSmR4Kcb44tKDv4kyBrDOputdJDLMvfDX9%2Fs4Ss4cLURTdCso74wPUHQpcMVcyeGGK%2F3RwYbxXwJjMGGAJSCfCxIDRiL%2BLOQKY3M7zGyXrkpuwr5lQS4CaKp1LFajsxxwnKpd%2F5eXNMLqlyxh%2ByO3dJWTkY8WqNnnwnSjW0lqpwB9%2BBjgEdIeWsnMRqF0t4JQ8dJsmCbbTXmAKIEZ46Rpio044%2BrsqH",
"https://vtbehaviour.commondatastorage.googleapis.com/539dc26a14b6277e87348594ab7d6e932d16aabb18612d77f29fe421a9f1d46a_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775372560&Signature=tXBHkUCyFp7E2Um%2FMUvRPbUvaQmYPeBV7KGbi%2Bssa%2FkYQyqgH4u8fy6h0A8bVbsyQMMPf2EEF2JkzkiD6SXcfLADGdVqHYQya%2F6s2Ox5QnOFkJSATlDdXCWVp%2F4wHxZHInIRcrBPZFjjYFQM0u7VYCEMtkMCS0pzld2nGLlcOuOXBFxGTQPy0A03dikBC4Yw4f%2BdiMLMxO0hxZSo9FxPq1ylB4gs57NBBniylVO4Qi%2BLzleU5",
"https://vtbehaviour.commondatastorage.googleapis.com/0ab7fad77871a45137c9f2e40e3cbf47e3d71315f71c8eca9c8d62bc24a53184_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775372878&Signature=cLNwLw1L9ZCpQXZej7DaLTWH5w887X5wPnSpN1pwH2N4acSu8Llp25uprGRArg6qCuPbVQ2YPyIeCdwLCZvq%2FU0hP8m17ZPontiyR5zKb7jxcW57eEUuVnuSV9%2FnukwtPPJ%2BTY7a0%2B9rwSAU%2FL%2FJQ1yMke6VIX%2B%2F6KSWHgmLV%2F%2FR%2FbOxB0oZ4%2Fe%2Fsb2%2Fw12dZix7IY6c7wOj1OlWGQSkAZZsEoDw",
"https://vtbehaviour.commondatastorage.googleapis.com/01f09136cb86f25635f91144946847d58c559228d50d9b84b0c021d4091b840b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775373052&Signature=U7haY6XsgyJ83G1vAOPLrLLS%2BaMP9xAKOlnzSb4I9clIBLt9Y8xzP4qjfBxbeUfdF6s%2B6dtg4dXzqTjrAYSC3XOTEEtHZeK4ePz5qfS9n%2FWNrOKQb30VBhfUNL5DYUCd3XSOPjIVlbRz9ylDpwApfVK2AMarGiLLlnKRDv7M0S63SkQx8eWyabXd2afPPy96ZGNZVZfOhw5llZiztL6mYo%2BVivlyFsDcodH9F4XrS%2FPsSLeJRx5d",
"https://vtbehaviour.commondatastorage.googleapis.com/7605fa9aeaae25656c40a553534d35418cca40dc48023d0b3237b402361c6816_Dr.Web%20vxCube.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775373200&Signature=uMO8ESBCpu0oIIRS0CToWTN9KlOHyq4uWjWMjfdcUCGyliW%2FSy8KDIg6OMWLUQ6SBC45Jm0Mr%2FNV6m74hTSnpmGdVf6k6mA3QrTQwUMaMk2QbBLU1IwUG8wvylr6KXEqQYYCkZksYiZEyNm%2B2hKNvWtKFc%2BZlL7M12RBSER84%2FDRQlJnK6qbDW3DYX1tPsXxTynGj5YxQDlUqfWU8CjZtSAfUK%2Bw%2FoybwyMsJc68%2B01HQ",
"https://vtbehaviour.commondatastorage.googleapis.com/7605fa9aeaae25656c40a553534d35418cca40dc48023d0b3237b402361c6816_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775373283&Signature=KIPnPqQCcifTzuRS43FhFyzCXei0rDK20JuVvXA3UkB%2Bj6R1a4SAH2sn%2BJO1ohLSxLswzbryMf81lr4eGQCMbr3Wwfwo7kHN1yHV4M187cNxRZlbZ4%2BzOZZgfWt3bJNLx2Z4%2B4aqarco7OzqkhcQizlq8frRttJQjcLcNxgWD3oV2QDxZxurniW%2BhRRUS%2Bv9uGXWIRhWYmbEA%2BaoQsvpX0AIeSUCn4qb%2Fh31hJe7JitkCE",
"https://vtbehaviour.commondatastorage.googleapis.com/000007781f616194758c52c551ab2f198970675c9218eab9f1e4470f0a696e71_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775373373&Signature=mjvxt7z8ajbHZY%2BdL0G02pE7trUx7SkineLNrDSnq8FxmEuCuDdnNDWKdPawPb4w2NnK5HFkV3BAdTJrRNBxBceLP%2FevhdkmR4C%2BiZZ8pz9GBeqwl0l6oJMBga2ZHfKcA%2BxqQgP5r1zzN%2BZPMH0zxPdHYZA2WlzkfzPBDQcTEDdz8aTIaX%2BOP5JUo4gYjqxxxrdBLVGv0i54PedBqgFw5IRrPpdH%2FwlQGTLKQ%2BSjslq2d0",
"https://vtbehaviour.commondatastorage.googleapis.com/39c58d0f868d4e8d1b959dce19d0bbcc57bb8b9b832f9efbe4e2244051237b95_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775373454&Signature=oXNg992chHQhOJxpI2XcWdFB%2FxJme1ol4iA4aOgaKWQcqa9WXsYlPcTANPmFkyrHIciosnksXEJrIAfFsjAYeEqG%2F7oPGCQLBILFHUhwZVcoJR9PgFwUsHBu%2FqiWSOifVPER4vpDL0gbsuNlU6gHT5aWRW%2BwoOwbHSIt5jj%2FJ3%2FxGDBAUaZrSuQurOM0Nb3qRhNN1NOTUj7mGTuUBXdtvnzCFLjxl3Kk6dYYFgmwhWI04P3JIB"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1010",
"name": "Application Window Discovery",
"display_name": "T1010 - Application Window Discovery"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
},
{
"id": "T1090",
"name": "Proxy",
"display_name": "T1090 - Proxy"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1014",
"name": "Rootkit",
"display_name": "T1014 - Rootkit"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1542",
"name": "Pre-OS Boot",
"display_name": "T1542 - Pre-OS Boot"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 72,
"FileHash-MD5": 56,
"FileHash-SHA1": 27,
"FileHash-SHA256": 113,
"IPv4": 47,
"domain": 19,
"hostname": 89
},
"indicator_count": 423,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 48,
"modified_text": "14 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69aa019f4509897e354fe029",
"name": "credit Q Vashti Cloned Pulse ",
"description": "",
"modified": "2026-03-29T20:03:36.333000",
"created": "2026-03-05T22:20:15.324000",
"tags": [
"pattern match",
"heuristic match",
"all url",
"files domain",
"pulses otx",
"germany unknown",
"aaaa",
"ip address",
"emails",
"gmt server",
"vary",
"modified",
"accept",
"title",
"present feb",
"present jan",
"united",
"part",
"moved",
"passive dns",
"cname",
"final",
"bill",
"antivm",
"xlsx",
"xlsm",
"urls",
"otx logo",
"all hostname",
"server",
"organization",
"city",
"stateprovince",
"postal code",
"phone",
"registrar abuse",
"privacy admin",
"paris admin",
"april",
"direct",
"february",
"http",
"dfn verein",
"zur foerderung",
"domain",
"page url",
"tags",
"de summary",
"erlangen",
"germany",
"securitytrails",
"de seen",
"general info",
"geo erlangen",
"as as680",
"de note",
"route",
"data upload",
"extraction",
"failed",
"extra data",
"referen",
"include review",
"exclude data",
"summary",
"url age",
"as680",
"se source",
"learn",
"command",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"spawns",
"defense evasion",
"t1480 execution",
"over",
"ascii text",
"mitre att",
"size",
"null",
"refresh",
"span",
"hybrid",
"general",
"local",
"path",
"click",
"strings",
"error",
"tools",
"look",
"verify",
"restart",
"node traffic",
"tlsv1",
"search",
"rgba",
"medium",
"read c",
"module load",
"t1129",
"execution",
"next",
"dock",
"write",
"persistence",
"calls",
"apis",
"reads",
"model",
"value",
"getprocaddress",
"show technique",
"ck matrix",
"access type",
"windir",
"regexp",
"open",
"date",
"format",
"virtual disk drive",
"sha256",
"sha1",
"body",
"filehashsha1",
"found",
"unknown",
"stop",
"root",
"form",
"9999",
"sandbox",
"malware",
"analysis",
"online",
"submit",
"vxstream",
"sample",
"download",
"trojan",
"apt",
"hybrid analysis",
"api key",
"vetting process",
"please note",
"please",
"bad traffic",
"et info",
"tls handshake",
"failure",
"flag",
"analysis tip",
"openurl c",
"msie",
"windows nt",
"wow64",
"slcc2",
"media center",
"show",
"pulse pulses",
"av detections",
"ids detections",
"yara detections",
"alerts",
"analysis date",
"file score",
"malicious yara",
"detections none",
"less ip",
"dynamicloader",
"get na",
"c3bhaw",
"high",
"copy",
"guard",
"push",
"Palantir",
"Foundry",
"Whitehouse",
"X.Com",
"Justice.gov",
"Apple",
"AI",
"node traffic"
],
"references": [
"tor.sebastianhahn.net \u2022 dap.digitalgov.gov \u2022 fbi.gov \u2022 x.com \u2022 sebastianhahn.net",
"https://tor.sebastianhahn.net \u2022 faui2k9.de\t \u2022 gitbot.faui2k9.de \u2022 tor-dirauth.sebastianhahn.net \u2022",
"http://truefoundry.prodigaltech.com/",
"git.spywarewatchdog.org",
"marriott-control-prd.accenture.cn",
"marriott-datacenter-prd.accenture.cn",
"accenture.cn",
"c.j.location.host \u2022 videodata.video \u2022 referrer.search",
"target.id \u2022 tostring.call \u2022 title.search",
"https://hybrid-analysis.com/sample/2f05feed2065b7385b156ebf3a7c6c19def3d412227cee0d46e8a53fb3e9ac41/697bc423b6e7a4dc46010737",
"https://hybrid-analysis.com/sample/430c376c1754f1f160e3d68bafc970eba37811bdb08d73a86bf6f4be1e7267b3/69a1ea603a3303fa120dad19",
"https://hybrid-analysis.com/sample/c8e97fd85003de128ef716093cc1ec68f676c737b614f4a55c75c5c0f837de70/69a19551cb5537805706bca9",
"https://hybrid-analysis.com/sample/c8e97fd85003de128ef716093cc1ec68f676c737b614f4a55c75c5c0f837de70",
"https://hybrid-analysis.com/sample/c8e97fd85003de128ef716093cc1ec68f676c737b614f4a55c75c5c0f837de70",
"calathea-containers.palantirfedstart.com \u2018 BYE ALREADY\u2019",
"http://truefoundry.prodigaltech.com/",
"Attacker being used by several legal entities attacking a target\u2019s family",
"Clyde &Co | Chris Ahmann | Brian Sabey /Hall & Evans & Hall Render",
"Luxury Apartments and Townhome communities do use Foundry Palantir",
"Some Colorado communities have been taken over by the State Government",
"Quasi Government: Specifically Pinnacol and Commerce & Industry ( AIG)",
"Denver Justice System. Palantir allegedly moved potato Headquarters to Miami",
"Foundry Foot Soldiers are still in Colorado targeting innocents",
"Foundry Palantir still has a presence in Colorado",
"I need some help.",
"Accurately tipped about air travel safety. In past. Proven true.",
"Tipped of new looming airline threats",
"Tipped on hits and other savage plans to be executed against targets. Targets can be any (1) person.",
"Sound crazy. We know Palantir commits ALL manner of crime. They are money motivated.",
"FBI files opened up on a targeted phone, Iunseel, only in search history.",
"Air Safety: it\u2019s important to have passengers or hackers unable to communicate via airline networks /",
"No phones or circuit board tech. Smart watches.You can\u2019t bring large bottles of hygiene products. Deal with a new reality!",
"Hours after files were deemed malicious. We powered on targeted Smart TV",
"You have to go through a series of steps to change themes and wallpapers , including powering off TV",
"Significant? The screen once had a floral theme. Now a black background with a single fish as Wallpaper .",
"A man claiming to have the name Sebastian is communicating with targets love one",
"Uses code, no phone calls. Connected via instagram.",
"I\u2019m not sure what brings man to from NY to Denver today. I consider him malicious",
"By remote view of NEW targeys view, all key calls are routed through him.",
"Targets associated warned. Not very open to advice.",
"I would post his public information. It may be unwise.",
"Connects to all NEW targets key contacts main targets contacts.",
"We have foot soldiers. Be aware",
"https://www.justice.gov/opa/pr/departmen.t",
"https://api.manus.im/api/oauth2_callback/apple",
"https://apple.btprmjo.cc/",
"https://creative.miqdigital.com/.well-known/apple-app-site-association",
"internationalfrontier.com",
"http://www.internationalfrontier.com/i/pdf/2017-04-03-IFR-2017.pdf",
"http://www.internationalfrontier.com",
"http://www.internationalfrontier.com/i/pdf/Montana-Presentation-2011.pdf",
"https://tylerjoycedenver.followupboss.com/unsubscribe/T6pEHkEaLZAN5Jxflvspix0zKbJZwfY9pjBpUTk7q06azxItZ7aiRb7brQhy1NNFqrcrUe4cKmI455MBqcwK9_it6dqx6QWdANshp0om1Bv-5ezKkyVJDphCHvPQNvMupI1owe03rtqYAyu8Cj3cWw~~",
"Related to: https://otx.alienvault.com/pulse/69a1a73eb0578b92962dae97"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Node Traffic",
"display_name": "Node Traffic",
"target": null
}
],
"attack_ids": [
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1048",
"name": "Exfiltration Over Alternative Protocol",
"display_name": "T1048 - Exfiltration Over Alternative Protocol"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
},
{
"id": "T1048.003",
"name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol",
"display_name": "T1048.003 - Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol"
},
{
"id": "T1090",
"name": "Proxy",
"display_name": "T1090 - Proxy"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1003",
"name": "OS Credential Dumping",
"display_name": "T1003 - OS Credential Dumping"
},
{
"id": "T1007",
"name": "System Service Discovery",
"display_name": "T1007 - System Service Discovery"
},
{
"id": "T1010",
"name": "Application Window Discovery",
"display_name": "T1010 - Application Window Discovery"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1546",
"name": "Event Triggered Execution",
"display_name": "T1546 - Event Triggered Execution"
},
{
"id": "T1555",
"name": "Credentials from Password Stores",
"display_name": "T1555 - Credentials from Password Stores"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1564",
"name": "Hide Artifacts",
"display_name": "T1564 - Hide Artifacts"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1614",
"name": "System Location Discovery",
"display_name": "T1614 - System Location Discovery"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1055.011",
"name": "Extra Window Memory Injection",
"display_name": "T1055.011 - Extra Window Memory Injection"
},
{
"id": "T1055.001",
"name": "Dynamic-link Library Injection",
"display_name": "T1055.001 - Dynamic-link Library Injection"
},
{
"id": "T1055.004",
"name": "Asynchronous Procedure Call",
"display_name": "T1055.004 - Asynchronous Procedure Call"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1055.014",
"name": "VDSO Hijacking",
"display_name": "T1055.014 - VDSO Hijacking"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "69a2127d12dce12538b57d72",
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 5644,
"domain": 701,
"hostname": 1920,
"FileHash-SHA256": 1161,
"FileHash-MD5": 235,
"email": 4,
"FileHash-SHA1": 200,
"CVE": 1,
"CIDR": 2,
"SSLCertFingerprint": 9
},
"indicator_count": 9877,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 49,
"modified_text": "21 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69a2127d12dce12538b57d72",
"name": "FBI Files | Tor device connection | Unique attack against (non -criminal) monitored targets ~ Apple Jacked Targets",
"description": "Remote Attack - FBI Files | Tor device connection | Unique attack against (non -criminal) monitored targets.\n\nChecked search history on a targeted device and found an FBI link apparently delivered via unknown AI technology.\n|| yara detections\nzur foerderung\nA\n+ Add Tag\n\u8840\nCount: 1\nGRO Probability: 1\nText: Suricata Alerts Event\nCategory Description CID\nIND131.188.40.12g otx.alienvault.com\nlocal:49181 (TCP) Misc\nAttack ET TOR Known Tor\nRelay/Router (Not Exit)\n\"A\" | [[Next pulse will list on malware, rats , bats, Trojans used]",
"modified": "2026-03-29T20:03:36.333000",
"created": "2026-02-27T21:54:05.261000",
"tags": [
"pattern match",
"heuristic match",
"all url",
"files domain",
"pulses otx",
"germany unknown",
"aaaa",
"ip address",
"emails",
"gmt server",
"vary",
"modified",
"accept",
"title",
"present feb",
"present jan",
"united",
"part",
"moved",
"passive dns",
"cname",
"final",
"bill",
"antivm",
"xlsx",
"xlsm",
"urls",
"otx logo",
"all hostname",
"server",
"organization",
"city",
"stateprovince",
"postal code",
"phone",
"registrar abuse",
"privacy admin",
"paris admin",
"april",
"direct",
"february",
"http",
"dfn verein",
"zur foerderung",
"domain",
"page url",
"tags",
"de summary",
"erlangen",
"germany",
"securitytrails",
"de seen",
"general info",
"geo erlangen",
"as as680",
"de note",
"route",
"data upload",
"extraction",
"failed",
"extra data",
"referen",
"include review",
"exclude data",
"summary",
"url age",
"as680",
"se source",
"learn",
"command",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"spawns",
"defense evasion",
"t1480 execution",
"over",
"ascii text",
"mitre att",
"size",
"null",
"refresh",
"span",
"hybrid",
"general",
"local",
"path",
"click",
"strings",
"error",
"tools",
"look",
"verify",
"restart",
"node traffic",
"tlsv1",
"search",
"rgba",
"medium",
"read c",
"module load",
"t1129",
"execution",
"next",
"dock",
"write",
"persistence",
"calls",
"apis",
"reads",
"model",
"value",
"getprocaddress",
"show technique",
"ck matrix",
"access type",
"windir",
"regexp",
"open",
"date",
"format",
"virtual disk drive",
"sha256",
"sha1",
"body",
"filehashsha1",
"found",
"unknown",
"stop",
"root",
"form",
"9999",
"sandbox",
"malware",
"analysis",
"online",
"submit",
"vxstream",
"sample",
"download",
"trojan",
"apt",
"hybrid analysis",
"api key",
"vetting process",
"please note",
"please",
"bad traffic",
"et info",
"tls handshake",
"failure",
"flag",
"analysis tip",
"openurl c",
"msie",
"windows nt",
"wow64",
"slcc2",
"media center",
"show",
"pulse pulses",
"av detections",
"ids detections",
"yara detections",
"alerts",
"analysis date",
"file score",
"malicious yara",
"detections none",
"less ip",
"dynamicloader",
"get na",
"c3bhaw",
"high",
"copy",
"guard",
"push",
"Palantir",
"Foundry",
"Whitehouse",
"X.Com",
"Justice.gov",
"Apple",
"AI",
"node traffic"
],
"references": [
"tor.sebastianhahn.net \u2022 dap.digitalgov.gov \u2022 fbi.gov \u2022 x.com \u2022 sebastianhahn.net",
"https://tor.sebastianhahn.net \u2022 faui2k9.de\t \u2022 gitbot.faui2k9.de \u2022 tor-dirauth.sebastianhahn.net \u2022",
"http://truefoundry.prodigaltech.com/",
"git.spywarewatchdog.org",
"marriott-control-prd.accenture.cn",
"marriott-datacenter-prd.accenture.cn",
"accenture.cn",
"c.j.location.host \u2022 videodata.video \u2022 referrer.search",
"target.id \u2022 tostring.call \u2022 title.search",
"https://hybrid-analysis.com/sample/2f05feed2065b7385b156ebf3a7c6c19def3d412227cee0d46e8a53fb3e9ac41/697bc423b6e7a4dc46010737",
"https://hybrid-analysis.com/sample/430c376c1754f1f160e3d68bafc970eba37811bdb08d73a86bf6f4be1e7267b3/69a1ea603a3303fa120dad19",
"https://hybrid-analysis.com/sample/c8e97fd85003de128ef716093cc1ec68f676c737b614f4a55c75c5c0f837de70/69a19551cb5537805706bca9",
"https://hybrid-analysis.com/sample/c8e97fd85003de128ef716093cc1ec68f676c737b614f4a55c75c5c0f837de70",
"https://hybrid-analysis.com/sample/c8e97fd85003de128ef716093cc1ec68f676c737b614f4a55c75c5c0f837de70",
"calathea-containers.palantirfedstart.com \u2018 BYE ALREADY\u2019",
"http://truefoundry.prodigaltech.com/",
"Attacker being used by several legal entities attacking a target\u2019s family",
"Clyde &Co | Chris Ahmann | Brian Sabey /Hall & Evans & Hall Render",
"Luxury Apartments and Townhome communities do use Foundry Palantir",
"Some Colorado communities have been taken over by the State Government",
"Quasi Government: Specifically Pinnacol and Commerce & Industry ( AIG)",
"Denver Justice System. Palantir allegedly moved potato Headquarters to Miami",
"Foundry Foot Soldiers are still in Colorado targeting innocents",
"Foundry Palantir still has a presence in Colorado",
"I need some help.",
"Accurately tipped about air travel safety. In past. Proven true.",
"Tipped of new looming airline threats",
"Tipped on hits and other savage plans to be executed against targets. Targets can be any (1) person.",
"Sound crazy. We know Palantir commits ALL manner of crime. They are money motivated.",
"FBI files opened up on a targeted phone, Iunseel, only in search history.",
"Air Safety: it\u2019s important to have passengers or hackers unable to communicate via airline networks /",
"No phones or circuit board tech. Smart watches.You can\u2019t bring large bottles of hygiene products. Deal with a new reality!",
"Hours after files were deemed malicious. We powered on targeted Smart TV",
"You have to go through a series of steps to change themes and wallpapers , including powering off TV",
"Significant? The screen once had a floral theme. Now a black background with a single fish as Wallpaper .",
"A man claiming to have the name Sebastian is communicating with targets love one",
"Uses code, no phone calls. Connected via instagram.",
"I\u2019m not sure what brings man to from NY to Denver today. I consider him malicious",
"By remote view of NEW targeys view, all key calls are routed through him.",
"Targets associated warned. Not very open to advice.",
"I would post his public information. It may be unwise.",
"Connects to all NEW targets key contacts main targets contacts.",
"We have foot soldiers. Be aware",
"https://www.justice.gov/opa/pr/departmen.t",
"https://api.manus.im/api/oauth2_callback/apple",
"https://apple.btprmjo.cc/",
"https://creative.miqdigital.com/.well-known/apple-app-site-association",
"internationalfrontier.com",
"http://www.internationalfrontier.com/i/pdf/2017-04-03-IFR-2017.pdf",
"http://www.internationalfrontier.com",
"http://www.internationalfrontier.com/i/pdf/Montana-Presentation-2011.pdf",
"https://tylerjoycedenver.followupboss.com/unsubscribe/T6pEHkEaLZAN5Jxflvspix0zKbJZwfY9pjBpUTk7q06azxItZ7aiRb7brQhy1NNFqrcrUe4cKmI455MBqcwK9_it6dqx6QWdANshp0om1Bv-5ezKkyVJDphCHvPQNvMupI1owe03rtqYAyu8Cj3cWw~~",
"Related to: https://otx.alienvault.com/pulse/69a1a73eb0578b92962dae97"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Node Traffic",
"display_name": "Node Traffic",
"target": null
}
],
"attack_ids": [
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1048",
"name": "Exfiltration Over Alternative Protocol",
"display_name": "T1048 - Exfiltration Over Alternative Protocol"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
},
{
"id": "T1048.003",
"name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol",
"display_name": "T1048.003 - Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol"
},
{
"id": "T1090",
"name": "Proxy",
"display_name": "T1090 - Proxy"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1003",
"name": "OS Credential Dumping",
"display_name": "T1003 - OS Credential Dumping"
},
{
"id": "T1007",
"name": "System Service Discovery",
"display_name": "T1007 - System Service Discovery"
},
{
"id": "T1010",
"name": "Application Window Discovery",
"display_name": "T1010 - Application Window Discovery"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1546",
"name": "Event Triggered Execution",
"display_name": "T1546 - Event Triggered Execution"
},
{
"id": "T1555",
"name": "Credentials from Password Stores",
"display_name": "T1555 - Credentials from Password Stores"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1564",
"name": "Hide Artifacts",
"display_name": "T1564 - Hide Artifacts"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1614",
"name": "System Location Discovery",
"display_name": "T1614 - System Location Discovery"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1055.011",
"name": "Extra Window Memory Injection",
"display_name": "T1055.011 - Extra Window Memory Injection"
},
{
"id": "T1055.001",
"name": "Dynamic-link Library Injection",
"display_name": "T1055.001 - Dynamic-link Library Injection"
},
{
"id": "T1055.004",
"name": "Asynchronous Procedure Call",
"display_name": "T1055.004 - Asynchronous Procedure Call"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1055.014",
"name": "VDSO Hijacking",
"display_name": "T1055.014 - VDSO Hijacking"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 5643,
"domain": 700,
"hostname": 1918,
"FileHash-SHA256": 1161,
"FileHash-MD5": 235,
"email": 4,
"FileHash-SHA1": 200,
"CVE": 1,
"CIDR": 2,
"SSLCertFingerprint": 9
},
"indicator_count": 9873,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 140,
"modified_text": "21 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "698037098c99c37cb91037c2",
"name": "Busy Box MITM Attacks via Drive-by-Compromise | Facebook | Apple",
"description": "Busy Box - MITM Attack\n\nDrive-by-Compromise | Facebook | Jamie Oliver Recipes | My sister-in-law made this once and I couldn\u2019t stop eating it. \nAdversarial Facebook pop up posts. .\n\n|| Pykspa.C Check in. \"Pykspa is a type of Remote Access Trojan (RAT). A powerful a worm that spreads via social media or via DGA algorithms. Parking crews are fond of these types of attacks. Christopher Ahmann",
"modified": "2026-03-04T04:07:14.513000",
"created": "2026-02-02T05:32:57.303000",
"tags": [
"no expiration",
"filehashsha256",
"ipv4",
"url http",
"domain",
"hostname",
"filehashmd5",
"filehashsha1",
"iocs",
"url https",
"search",
"type indicator",
"review iocs",
"role title",
"create new",
"pulse use",
"pdf report",
"pcap",
"extraction",
"sc data",
"extre data",
"include review",
"exclude sugges",
"data upload",
"failed",
"find s",
"oo data",
"enter source",
"url or",
"text drag",
"expiration",
"showing",
"entries",
"protect",
"pulse show",
"email abuse",
"related pulses",
"indicator role",
"returnurl no",
"drop",
"pulse provide",
"public tlp",
"green",
"adversary tags",
"buzz",
"x8664",
"add tag",
"groups add",
"add industry",
"trojan",
"tags"
],
"references": [
"https://www.facebook.com/groups/378607181955796/posts/773093455840498/?hpir=1&http_ref=eyJ0cyI6MTc2OTk2MDkxOTAwMCwiciI6IiJ9",
"www.crazyfrost.com IPv4 104.21.5.49 IPv4 172.67.132.250",
"Antivirus Detections: Trojan:Win32/Dorv.A",
"IDS Detections: Win32/Pykspa.C Public IP Check IP Check Domain (whatismyip in HTTP Host)",
"IDS Detections: IP Check Domain (showmyipaddress .com in HTTP Host) External IP Lookup",
"IDS Detections: Domain in DNS Lookup (whatismyipaddress .com) IP Check",
"IDS Detections: Domain (whatismyipaddress .com in HTTP Host)",
"Yara Detections XOR_embeded_exefile_xored_with_round_256_bytes_key",
"Alerts: antiav_servicestop antisandbox_sleep process_creation_suspicious_location",
"Alerts: network_bind persistence_autorun binary_yara procmem_yara suricata_alert",
"Alerts: disables_uac infostealer_keylog modify_uac_prompt anomalous_deletefile",
"Alerts: mouse_movement_detect dead_connect enumerates_running_processes process_needed",
"Alerts: dynamic_function_loading reads_memory_remote_process packer_entropy network_http",
"IP\u2019s Contacted: 188.223.42.134 78.57.88.30 84.73.234.83 78.84.44.225 89.252.203.80",
"IP\u2019s Contacted: 77.76.39.110 104.156.155.94 77.77.13.89 78.61.87.173 78.63.104.75",
"Domains Contacted: www.whatismyip.com www.showmyipaddress.com www.whatismyip.ca",
"Domains Contacted: whatismyipaddress.com whatismyip.everdot.org www.facebook.com",
"Domains Contacted: fexexwjehud.org lxclombt.net jpnzlsaqogv.com esccuyigsy.org",
"Antivirus Detections: Win.Malware.Pits-10035540-0",
"Yara: Detections Delphi",
"Alerts: infostealer_cookies antiav_detectfile",
"IDS Detections: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)",
"nigger.cat \u2022 http://a.nigger.cat/ \u2022 http://a.nigger.cat/imrred.exe \u2022 http://a.nigger.cat/iwzptk.pdf \u2022",
"http://a.nigger.cat/ltbexb.jpg \u2022 http://a.nigger.cat/ocnxdv.exe \u2022 http://a.nigger.cat/ocnxdv.exe/",
"http://a.nigger.cat/ovefvy.html \u2022 http://a.nigger.cat/snkikb.rar \u2022 http://a.nigger.cat/unipms.exe",
"http://a.nigger.cat/ypphgg.exe \u2022 http://u.nigger.cat/ \u2022 https://a.nigger.cat/",
"http://www.a.nigger.cat/ocnxdv.exe \u2022 https://a.nigger.cat/pwzbrt.txt",
"output.228572717.txt [fb970a4bffed1d606a8d90369d43e3a73ea9c8dbcf1394745f1568500e918e1f]",
"https://www.virustotal.com/gui/file/fb970a4bffed1d606a8d90369d43e3a73ea9c8dbcf1394745f1568500e918e1f/summary",
"https://hybrid-analysis.com/sample/3aaca21b3918eecd127867bdd724611398cf897a0686fedfde1d424b7ad6130a",
"https://hybrid-analysis.com/sample/e4999984a69a65a69bec9fef1200f7ec36a10bc401cdd15db3510fdc87ec5008/697fb0fec4a9bda3410454cf",
"https://hybrid-analysis.com/sample/f6ccff8dec08334fab98d4f6cb9b2774acd00e98d1afabd219c2634d5b3e2147/697faa178cc598cfb90b0423",
"https://hybrid-analysis.com/sample/01a1a2106bcddc591cab08d31c13966bd0413fe312bce9be396e964e114631a6/697f8c04475b90e7fb0d7ff9",
"apple4you.it \u2022 https://www.apple4you.it/ \u2022 cpcalendars.apple4you.it \u2022 ftp.apple4you.it \u2022",
"https://ftp.apple4you.it \u2022 http://cpcalendars.apple4you.it \u2022 http://cpcontacts.apple4you.it \u2022",
"http://ftp.apple4you.it \u2022 http://www.apple4you.it/ \u2022https://cpcalendars.apple4you.it \u2022",
"https://cpcontacts.apple4you.it",
"AppleWebKit Christopher P. \u2018BUZZ\u2019 Ahmann interference",
"adsparkahz.shop \u2022 https://adsparkahz.shop/ \u2022 parkedbits.com",
"https://parkedbits.com \u2022 spiritzuridgerunelahubcloudgusparkx.rest",
"https://fs25.mygamesteam.com/download/underground-parking/",
"http://spiritzuridgerunelahubcloudgusparkx.rest/",
"127.0.0.1 Private IP Address \u2022 http://facebook.com/iWebTechnologies",
"9e8c2f9e77b4b6a7538e4136d3bda379c560dc1a5931643da119da2f28881e4d\tELF:DDoS-S\\ [Trj]\t\tUnix.Trojan.Gafgyt-6981154-0\tDDoS:Linux/Gafgyt.YA!MTB",
"ELF:DDoS-S\\ [Trj] , Unix.Trojan.Gafgyt-6981154-0 , DDoS:Linux/Gafgyt.YA!MTB",
"IDS Detections: Suspicious Activity potential UPnProxy",
"Yara Detections: is__elf , ECHOBOT",
"Alerts: dead_host network_icmp tcp_by",
"Unix.Dropper.Mirai-7135925-0 , DDoS:Linux/Gafgyt.YA!MTB Yara Detections is__elf , ECHOBOT",
"TAGS: aaaa accept activity address adversaries aes128gcm ahmann all hostname all ipv4 as15169",
"TAGS: as29278 deninet as29728 cottage as47325 ascii text asn as29278 asn as29728 asn13335",
"TAGS: av detections av exploit belgium belgium unknown binbusybox bits body canada unknown",
"TAGS: christopher p christopher p. \u2018buzz\u2019 ahmann ck id ck matrix ck techniques clare click cloud",
"TAGS: cloudflare cloudflarenet command config connection copy crazyfrost cyber attacks",
"TAGS: data upload date date hash ddos dead connection default defense evasion delphi destination",
"TAGS: detection detections detections name development att direct dirty dns resolutions domain",
"TAGS: add dynamicloader ecdsa echobot echobot related encrypt entries error evasion att",
"TAGS: expiration date explorer extraction facebook facebook failed february filehash files files ip",
"TAGS: flag gecko general general full general info generator geo hungary guard hackers hash hide",
"TAGS: samples high host hover httpsupgrades hu note hu seen hungary hungary asn hybrid ids detections ilwysowa text informative intel mac ip address ip check ipv4 ipv4 add is__elf jamie oliver json khtml launcher learn leve blu linux x8664 live live screenshot local logs look m. brian sabey macintosh malware medium melvin sabey meta mitre att mobile ms windows mtb dec mtb yara name servers name tactics network traffic new browser next associated next yara niggercat none file null object os x outbound passiv",
"TAGS: samples high host hover httpsupgrades hu note hu seen hungary hungary asn hybrid ids detections",
"TAGS: ilwysowa text informative intel mac ip address ip check ipv4 ipv4 add is__elf jamie oliver json khtml launcher learn leve blu linux x8664 live live screenshot local logs look m. brian sabey macintosh malware medium melvin sabey meta mitre att mobile ms windows mtb dec mtb yara name servers name tactics network traffic new browser next associated next yara niggercat none file null object os x outbound passive dns path pattern match pink screen port possible prefetch8 present dec present feb present jan",
"TAGS: ilwysowa text informative intel mac ip address ip check ipv4 ipv4 add is__elf jamie oliver",
"TAGS: json khtml launcher learn leve blu linux x8664 live live screenshot local logs look m. brian sabey",
"TAGS: macintosh malware medium melvin sabey meta mitre att mobile ms windows mtb dec",
"TAGS: mtb yara name servers name tactics network traffic new browser next associated next",
"TAGS: yara niggercat none file null object os x outbound passive dns path pattern match",
"TAGS: pink screen port possible prefetch8 present program protocol h3 ptr record none push",
"TAGS: pyspark python python initiated quic ransom recipes record value redacted for",
"TAGS. redirect refresh related tags remoteIPAddress resource restart reverse dns route runner",
"TAGS: sample analysis se domains search security quic add source level span spawns spy",
"TAGS: state of colorado stream strings suspicious t1590 gather tcp syn title tools tr trex triangulation",
"TAGS: trojan trojandropper trojanspy united unknown unknown aaaa unknown ns updater",
"TAGS: upnproxy url analysis url https url text urls verified verify veryhigh victim network vubbuv win32 win64 windows windows nt windows server worm write write c yara detections yara rule"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Hungary"
],
"malware_families": [
{
"id": "ALF:HeraklezEval:Trojan:Win32/ClipBanker",
"display_name": "ALF:HeraklezEval:Trojan:Win32/ClipBanker",
"target": null
},
{
"id": "DDos:Linux/Gafgyt.YA!MTB",
"display_name": "DDos:Linux/Gafgyt.YA!MTB",
"target": "/malware/DDos:Linux/Gafgyt.YA!MTB"
},
{
"id": "ELF:DDoS-S\\ [Trj]",
"display_name": "ELF:DDoS-S\\ [Trj]",
"target": null
},
{
"id": "Pykspa.C",
"display_name": "Pykspa.C",
"target": null
},
{
"id": "Trojan:Win32/Dorv.A",
"display_name": "Trojan:Win32/Dorv.A",
"target": "/malware/Trojan:Win32/Dorv.A"
},
{
"id": "Unix.Trojan.Gafgyt-698115",
"display_name": "Unix.Trojan.Gafgyt-698115",
"target": null
},
{
"id": "4-0 Win.Malware.Pits-10035540-0",
"display_name": "4-0 Win.Malware.Pits-10035540-0",
"target": null
},
{
"id": "Win.Packed.Usteal-7531303-0",
"display_name": "Win.Packed.Usteal-7531303-0",
"target": null
},
{
"id": "tR",
"display_name": "tR",
"target": null
},
{
"id": "DeathHiddenTear (Large&Small HT) >",
"display_name": "DeathHiddenTear (Large&Small HT) >",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1041",
"name": "Exfiltration Over C2 Channel",
"display_name": "T1041 - Exfiltration Over C2 Channel"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1189",
"name": "Drive-by Compromise",
"display_name": "T1189 - Drive-by Compromise"
},
{
"id": "T1456",
"name": "Drive-by Compromise",
"display_name": "T1456 - Drive-by Compromise"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1557",
"name": "Man-in-the-Middle",
"display_name": "T1557 - Man-in-the-Middle"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1586",
"name": "Compromise Accounts",
"display_name": "T1586 - Compromise Accounts"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1608",
"name": "Stage Capabilities",
"display_name": "T1608 - Stage Capabilities"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 5,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 1586,
"FileHash-SHA1": 1479,
"FileHash-SHA256": 1938,
"URL": 4548,
"domain": 1052,
"hostname": 2501,
"email": 9,
"SSLCertFingerprint": 7,
"CIDR": 2
},
"indicator_count": 13122,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 140,
"modified_text": "46 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "696ac438a696c993b672106d",
"name": "VERIZON \u2022 One Reach AI \u2022 LEGAL \u2022 Crazy Frost \u2022 Denver, US MEGA PULSE",
"description": "Found in peripheral looking for patterns.\nLegal mischief , Monitoring, Spyware. a Pegasus service needs to be examined further. Just glancing. [OTX Auto generated-HOSTNAME: Verizon.com-vdda.co.cc -has been added to the Pulse website, the first time the site has done so.]",
"modified": "2026-02-15T22:03:06.041000",
"created": "2026-01-16T23:05:28.261000",
"tags": [
"united",
"win32",
"urls",
"twitter",
"trojan",
"united states",
"dynamicloader",
"default",
"delete c",
"json",
"ascii text",
"high",
"data",
"write c",
"stream",
"write",
"malware",
"dirty",
"servers",
"unknown aaaa",
"Crazy Frost",
"create c",
"port",
"destination",
"unknown",
"encrypt",
"passive dns",
"Verizon",
"Twitter",
"url analysis",
"url add",
"http",
"files related",
"related tags",
"Project Cicada",
"present nov",
"present dec",
"present sep",
"present jul",
"present jun",
"or icon",
"gold w",
"dots larger",
"background",
"pegasus",
"meta",
"backdoor",
"ransom",
"checkin",
"trojandropper",
"mtb nov",
"ipv4",
"data upload",
"extraction",
"ottow",
"Christopher Ahmann",
"Pegasus",
"url https",
"hostname",
"files domain",
"present jan",
"moved",
"ip address",
"record value",
"apache",
"paris",
"followupboss",
"type",
"hostname add",
"next associated",
"title error",
"reverse dns",
"windows nt",
"wow64",
"khtml",
"gecko",
"connect",
"head",
"tlsv1",
"accept",
"date",
"powershell",
"iframe",
"span",
"push",
"next",
"shark",
"Connection",
"learn",
"command",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"spawns",
"mitre att",
"ck techniques",
"pattern match",
"size",
"null",
"refresh",
"hybrid",
"general",
"local",
"path",
"click",
"strings",
"error",
"tools",
"look",
"verify",
"restart",
"Denver, Co 80211",
"body",
"title",
"One Reach AI"
],
"references": [
"https://pegasuspartners.followupboss.com/unsubscribe/eh-MhVRQnJl0_bAFwnKkNcLhcpKKkFNZoZGVdqXUj3YdKSnKqAu_ZtK_m2bfbflpBDP5tU_QK4_N_bD0zVR_qs69dqt0K9vHSjNpk4p_WlGOHiyG5drGp98yBthkeHFIf3TXQbQPk8UzVtbZUILxzg~~ No Expiration\t0",
"pegasuspartners.followupboss.com",
"Project Cicada: verizon.pr1414.my.nonprod-asurion53.com",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/07d20574d361258ee514f507936703dbea55db4a6d123602c0d2a67e9f14196d",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/fbb538f322026e57d467e9dbccdbaf181e08149c50216385b7235a43e80ea0c8",
"Hostname admin.test-aws-responsible-oyster-8905-us-east-1.space.dev.a0core.net",
"search.roi.ros.gov.uk",
"ftp.remote.docs.home.git.fr.yandex.avito.sberbank.pay.avito.blablacar.blablacar.gitlab.ces4ld2kbfghhbju9r40.haard.info",
"forum.remote.docs.home.git.fr.yandex.avito.sberbank.pay.avito.blablacar.blablacar.gitlab.ces4ld2kbfghhbju9r40.haard.info",
"Denver, US 80211 https://otx.alienvault.com/indicator/domain/onereach.ai",
"Denver, US 80211 http://library.verizon.onereach.ai",
"https://sa.josht.ca\t\u2022 https://sa.josht.ca/ \u2022 https://staging.josht.ca/\t\u2022 https://test.josht.ca/",
"https://p2d.josht.ca/api/depots/info/?depot= \u2022 https://p2d.josht"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "ALF:HeraklezEval:Trojan:Win32/ClipBanker",
"display_name": "ALF:HeraklezEval:Trojan:Win32/ClipBanker",
"target": null
},
{
"id": "Other Malware",
"display_name": "Other Malware",
"target": null
},
{
"id": "Pegasus",
"display_name": "Pegasus",
"target": null
}
],
"attack_ids": [
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 11078,
"hostname": 4331,
"domain": 1932,
"FileHash-SHA256": 1999,
"FileHash-MD5": 357,
"FileHash-SHA1": 169,
"email": 5,
"SSLCertFingerprint": 6,
"CVE": 1
},
"indicator_count": 19878,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 138,
"modified_text": "63 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "696ac4327b5bc2e8be34f78a",
"name": "VERIZON \u2022 One Reach AI \u2022 LEGAL \u2022 Crazy Frost \u2022 Denver, US MEGA PULSE",
"description": "Found in peripheral looking for patterns.\nLegal mischief , Monitoring, Spyware. a Pegasus service needs to be examined further. Just glancing. [OTX Auto generated-HOSTNAME: Verizon.com-vdda.co.cc -has been added to the Pulse website, the first time the site has done so.]",
"modified": "2026-02-15T22:03:06.041000",
"created": "2026-01-16T23:05:22.323000",
"tags": [
"united",
"win32",
"urls",
"twitter",
"trojan",
"united states",
"dynamicloader",
"default",
"delete c",
"json",
"ascii text",
"high",
"data",
"write c",
"stream",
"write",
"malware",
"dirty",
"servers",
"unknown aaaa",
"Crazy Frost",
"create c",
"port",
"destination",
"unknown",
"encrypt",
"passive dns",
"Verizon",
"Twitter",
"url analysis",
"url add",
"http",
"files related",
"related tags",
"Project Cicada",
"present nov",
"present dec",
"present sep",
"present jul",
"present jun",
"or icon",
"gold w",
"dots larger",
"background",
"pegasus",
"meta",
"backdoor",
"ransom",
"checkin",
"trojandropper",
"mtb nov",
"ipv4",
"data upload",
"extraction",
"ottow",
"Christopher Ahmann",
"Pegasus",
"url https",
"hostname",
"files domain",
"present jan",
"moved",
"ip address",
"record value",
"apache",
"paris",
"followupboss",
"type",
"hostname add",
"next associated",
"title error",
"reverse dns",
"windows nt",
"wow64",
"khtml",
"gecko",
"connect",
"head",
"tlsv1",
"accept",
"date",
"powershell",
"iframe",
"span",
"push",
"next",
"shark",
"Connection",
"learn",
"command",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"spawns",
"mitre att",
"ck techniques",
"pattern match",
"size",
"null",
"refresh",
"hybrid",
"general",
"local",
"path",
"click",
"strings",
"error",
"tools",
"look",
"verify",
"restart",
"Denver, Co 80211",
"body",
"title",
"One Reach AI"
],
"references": [
"https://pegasuspartners.followupboss.com/unsubscribe/eh-MhVRQnJl0_bAFwnKkNcLhcpKKkFNZoZGVdqXUj3YdKSnKqAu_ZtK_m2bfbflpBDP5tU_QK4_N_bD0zVR_qs69dqt0K9vHSjNpk4p_WlGOHiyG5drGp98yBthkeHFIf3TXQbQPk8UzVtbZUILxzg~~ No Expiration\t0",
"pegasuspartners.followupboss.com",
"Project Cicada: verizon.pr1414.my.nonprod-asurion53.com",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/07d20574d361258ee514f507936703dbea55db4a6d123602c0d2a67e9f14196d",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/fbb538f322026e57d467e9dbccdbaf181e08149c50216385b7235a43e80ea0c8",
"Hostname admin.test-aws-responsible-oyster-8905-us-east-1.space.dev.a0core.net",
"search.roi.ros.gov.uk",
"ftp.remote.docs.home.git.fr.yandex.avito.sberbank.pay.avito.blablacar.blablacar.gitlab.ces4ld2kbfghhbju9r40.haard.info",
"forum.remote.docs.home.git.fr.yandex.avito.sberbank.pay.avito.blablacar.blablacar.gitlab.ces4ld2kbfghhbju9r40.haard.info",
"Denver, US 80211 https://otx.alienvault.com/indicator/domain/onereach.ai",
"Denver, US 80211 http://library.verizon.onereach.ai",
"https://sa.josht.ca\t\u2022 https://sa.josht.ca/ \u2022 https://staging.josht.ca/\t\u2022 https://test.josht.ca/",
"https://p2d.josht.ca/api/depots/info/?depot= \u2022 https://p2d.josht"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "ALF:HeraklezEval:Trojan:Win32/ClipBanker",
"display_name": "ALF:HeraklezEval:Trojan:Win32/ClipBanker",
"target": null
},
{
"id": "Other Malware",
"display_name": "Other Malware",
"target": null
},
{
"id": "Pegasus",
"display_name": "Pegasus",
"target": null
}
],
"attack_ids": [
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 11078,
"hostname": 4331,
"domain": 1932,
"FileHash-SHA256": 1999,
"FileHash-MD5": 357,
"FileHash-SHA1": 169,
"email": 5,
"SSLCertFingerprint": 6,
"CVE": 1
},
"indicator_count": 19878,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 138,
"modified_text": "63 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "696ac416596cd89cf76bce55",
"name": "VERIZON \u2022 One Reach AI \u2022 LEGAL \u2022 Crazy Frost \u2022 Denver, US MEGA PULSE",
"description": "Found in peripheral looking for patterns.\nLegal mischief , Monitoring, Spyware. a Pegasus service needs to be examined further. Just glancing. [OTX Auto generated-HOSTNAME: Verizon.com-vdda.co.cc -has been added to the Pulse website, the first time the site has done so.]",
"modified": "2026-02-15T22:03:06.041000",
"created": "2026-01-16T23:04:53.997000",
"tags": [
"united",
"win32",
"urls",
"twitter",
"trojan",
"united states",
"dynamicloader",
"default",
"delete c",
"json",
"ascii text",
"high",
"data",
"write c",
"stream",
"write",
"malware",
"dirty",
"servers",
"unknown aaaa",
"Crazy Frost",
"create c",
"port",
"destination",
"unknown",
"encrypt",
"passive dns",
"Verizon",
"Twitter",
"url analysis",
"url add",
"http",
"files related",
"related tags",
"Project Cicada",
"present nov",
"present dec",
"present sep",
"present jul",
"present jun",
"or icon",
"gold w",
"dots larger",
"background",
"pegasus",
"meta",
"backdoor",
"ransom",
"checkin",
"trojandropper",
"mtb nov",
"ipv4",
"data upload",
"extraction",
"ottow",
"Christopher Ahmann",
"Pegasus",
"url https",
"hostname",
"files domain",
"present jan",
"moved",
"ip address",
"record value",
"apache",
"paris",
"followupboss",
"type",
"hostname add",
"next associated",
"title error",
"reverse dns",
"windows nt",
"wow64",
"khtml",
"gecko",
"connect",
"head",
"tlsv1",
"accept",
"date",
"powershell",
"iframe",
"span",
"push",
"next",
"shark",
"Connection",
"learn",
"command",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"spawns",
"mitre att",
"ck techniques",
"pattern match",
"size",
"null",
"refresh",
"hybrid",
"general",
"local",
"path",
"click",
"strings",
"error",
"tools",
"look",
"verify",
"restart",
"Denver, Co 80211",
"body",
"title",
"One Reach AI"
],
"references": [
"https://pegasuspartners.followupboss.com/unsubscribe/eh-MhVRQnJl0_bAFwnKkNcLhcpKKkFNZoZGVdqXUj3YdKSnKqAu_ZtK_m2bfbflpBDP5tU_QK4_N_bD0zVR_qs69dqt0K9vHSjNpk4p_WlGOHiyG5drGp98yBthkeHFIf3TXQbQPk8UzVtbZUILxzg~~ No Expiration\t0",
"pegasuspartners.followupboss.com",
"Project Cicada: verizon.pr1414.my.nonprod-asurion53.com",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/07d20574d361258ee514f507936703dbea55db4a6d123602c0d2a67e9f14196d",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/fbb538f322026e57d467e9dbccdbaf181e08149c50216385b7235a43e80ea0c8",
"Hostname admin.test-aws-responsible-oyster-8905-us-east-1.space.dev.a0core.net",
"search.roi.ros.gov.uk",
"ftp.remote.docs.home.git.fr.yandex.avito.sberbank.pay.avito.blablacar.blablacar.gitlab.ces4ld2kbfghhbju9r40.haard.info",
"forum.remote.docs.home.git.fr.yandex.avito.sberbank.pay.avito.blablacar.blablacar.gitlab.ces4ld2kbfghhbju9r40.haard.info",
"Denver, US 80211 https://otx.alienvault.com/indicator/domain/onereach.ai",
"Denver, US 80211 http://library.verizon.onereach.ai",
"https://sa.josht.ca\t\u2022 https://sa.josht.ca/ \u2022 https://staging.josht.ca/\t\u2022 https://test.josht.ca/",
"https://p2d.josht.ca/api/depots/info/?depot= \u2022 https://p2d.josht"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "ALF:HeraklezEval:Trojan:Win32/ClipBanker",
"display_name": "ALF:HeraklezEval:Trojan:Win32/ClipBanker",
"target": null
},
{
"id": "Other Malware",
"display_name": "Other Malware",
"target": null
},
{
"id": "Pegasus",
"display_name": "Pegasus",
"target": null
}
],
"attack_ids": [
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 11078,
"hostname": 4331,
"domain": 1932,
"FileHash-SHA256": 1999,
"FileHash-MD5": 357,
"FileHash-SHA1": 169,
"email": 5,
"SSLCertFingerprint": 6,
"CVE": 1
},
"indicator_count": 19878,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 137,
"modified_text": "63 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "695ca8b688eb56b3a0247098",
"name": "System32 - Subfolders",
"description": "E:\\Suss-SG2\\System32 - Subfolders.zip",
"modified": "2026-02-05T06:03:21.110000",
"created": "2026-01-06T06:16:22.880000",
"tags": [
"tue apr",
"scanid",
"mon mar",
"archivesize",
"archivesha1",
"archivesha256",
"archivecreated",
"f archiveowner",
"sigtype1",
"sigclass1",
"look",
"powershell",
"first",
"strings",
"dllinject",
"june",
"span",
"error",
"fail",
"rooter",
"info",
"alphabet",
"false",
"path",
"service",
"dword",
"shell",
"model",
"assistant",
"code",
"syst",
"checker",
"rest",
"core",
"tencent",
"null",
"accept",
"open",
"pass",
"internal",
"meta",
"root",
"desktop",
"window",
"maximu",
"stream",
"android",
"comp",
"date",
"whirlpool",
"kevin",
"sett",
"locale",
"cloud",
"malware",
"class"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Disable_Duck",
"id": "244325",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 148,
"CIDR": 2,
"FileHash-MD5": 9860,
"FileHash-SHA1": 10592,
"FileHash-SHA256": 8443,
"domain": 147,
"email": 6,
"hostname": 49
},
"indicator_count": 29247,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 130,
"modified_text": "73 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "695c7b40f5d2f292a7512e81",
"name": "USteal Reputation Smear | Malicious Media | TrojanSpy - CrazyFrost.com",
"description": "Who is CrazyFrost? USteal Reputation Smear | Malicious Media | TrojanSpy would affect anyone who clicks on honeypot / dga domain. iPhone spyware. We\u2019ve been working on exposing spyware. Emotet / AutoIT , cabs, password stealer, and more found. Investigators and attorneys from the past Investigators reported victims life, was being promoted over the dark web. From bathing to cooking , conversations to arguments, getting dressed to passing gas. Haha. Small cameras were accessed remotely in her former. Castle Pines, Co hideaway. A third investigator confirmed tiny cameras were installed when victim was in staycationing. When family arrived home garage door and secured doors were boldly left open. Crazy True. [otx auto generated- The following is the full text of the public-key-precert-scts, which has been posted on the website of Redporn.video, the site of an unauthorised sex tape.]",
"modified": "2026-02-05T02:03:26.707000",
"created": "2026-01-06T03:02:24.932000",
"tags": [
"gmtn",
"log id",
"ca issuers",
"b0n timestamp",
"signature",
"d097",
"f2334482",
"fc46",
"b10b2898797d",
"fingerprintsha1",
"tsara",
"we1 certificate",
"dynamicloader",
"medium",
"write c",
"host",
"yara rule",
"myapp",
"delphi",
"worm",
"win32",
"error",
"write",
"code",
"malware",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"spawns",
"ssl certificate",
"execution att",
"t1204 user",
"united",
"mitre att",
"ck matrix",
"flag",
"ogoogle trust",
"href",
"network traffic",
"span",
"babe",
"super",
"close",
"general",
"local",
"path",
"encrypt",
"click",
"strings",
"form",
"extraction",
"data upload",
"all ht",
"enter source",
"one on",
"tezunau",
"daut un",
"dauwol lype",
"ur extraction",
"extrac",
"n tezunau",
"one opa",
"included review",
"faileextra",
"include data",
"review exclude",
"sugges",
"delete c",
"json",
"ascii text",
"high",
"data",
"search",
"stream",
"unknown",
"push",
"next",
"dirty",
"enter s",
"type",
"extr data",
"include",
"ff d5",
"ee fc",
"eb d8",
"f0 ff",
"ff bb",
"fd ff",
"ff eb",
"ed b8",
"agent",
"msie",
"windows nt",
"wow64",
"slcc2",
"media center",
"tlsv1",
"read c",
"execution",
"dock",
"persistence",
"sc data",
"present jan",
"present mar",
"present dec",
"unknown aaaa",
"passive dns",
"urls",
"trojanspy",
"date",
"present feb",
"susp",
"moved",
"ip address",
"backdoor",
"usteal",
"body",
"title",
"hybrid",
"regopenkeyexa",
"memcommit",
"regsz",
"english",
"copy",
"ufr stealer",
"markus",
"april",
"updater",
"entries",
"rsds",
"c reg",
"environment",
"launch"
],
"references": [
"https://www.redporn.video/tsara-brashears-slandered-.htm \u2022 www.redporn.video \u2022 http://www.redporn",
"guidepaparazzisurface.com",
"http://www.crazyfrost.com\t\u2022 http://www.crazyfrost",
"http://chaturbate.com/notabottom/\t\u2022 http://chaturbate.com/notabottom/\\",
"iPhone Spyware - https://bam.nr-data.net/1/6f524845d1?a=24279235&v=1169.7b094c0&to=MwYEbUdYXxJQWhULDApMIExbWkUIXldOAQsFF0hPXFxGEgtrDg0OMgoDThteVBU%3D&rst=6546&ck=1&ref=https://chaturbate.com/notabottom/&ap=123&fe=4218&dc=4218&af=err",
"iPhone Spyware - https://bam.nr-data.net/jserrors/ping/6f524845d1?a=24279235&v=1169.7b094c0&to=MwYEbUdYXxJQWhULDApMIExbWkUIXldOAQsFF0hPXFxGEgtrDg0OMgoDThteVBU%3D&rst=6546&ck=1&ref=https://chaturbate.com/notabottom/",
"https://chaturbate.com/notabottom/",
"https://www.google-analytics.com/r/collect?v=1&_v=j83&a=1390847564&t=pageview&_s=1&dl=https%3A%2F%2Fchaturbate.com%2Fnotabottom%2F&ul=en-us&de=utf-8&dt=Chaturbate%20-%20100%25%20Free%20Chat%20%26%20Webcams&sd=32-bit&sr=1024x768&vp=780x439&je=0&_u=YEBAAE~&jid=915940444&gjid=1686072238&cid=922362881.1595496808&tid=UA-23607725-1&_gid=1317601001.1595496808&_r=1&cd1=chaturbate.com&cd2=&cd3=-&cd4=&cd5=anonymous&z=762468946"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "AutoIT",
"display_name": "AutoIT",
"target": null
},
{
"id": "TrojanSpy:Win32/Usteal",
"display_name": "TrojanSpy:Win32/Usteal",
"target": "/malware/TrojanSpy:Win32/Usteal"
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1204",
"name": "User Execution",
"display_name": "T1204 - User Execution"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1204.003",
"name": "Malicious Image",
"display_name": "T1204.003 - Malicious Image"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1204.001",
"name": "Malicious Link",
"display_name": "T1204.001 - Malicious Link"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 2543,
"hostname": 848,
"FileHash-SHA256": 1320,
"SSLCertFingerprint": 25,
"domain": 463,
"FileHash-MD5": 418,
"FileHash-SHA1": 197,
"email": 2
},
"indicator_count": 5816,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 138,
"modified_text": "73 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "694f0aa090aedc7e498b2e9a",
"name": "Qakbot | *NEW Malware found and analyzed \u2022 IRS",
"description": "IRS.GOV We have run several test on multiple machines/ devices PC , MacBook , iPhone , Android, Desktop hoping for better results. I believe proximity of most of the devices were well distanced , but have doubts. For this test IRS. GOV redirects payments to sawww4. or sa.www4. web addresses (example: 2fsa.www4.irs.gov) that now reads (connection error) during research. Pages still exist and will not process information. Still threatens levy no matter what (legal) information is entered. \n\nI\u2019m aware of Trump IRS proposals for 2026. The issue is taxpayers are being directed to alleged IRS employees or in person licensed CPA\u2019s. \n(sa. prefix Saudi Arabia?) SA. could be a prefix for anything including South Africa.",
"modified": "2026-01-25T21:03:27.507000",
"created": "2025-12-26T22:22:24.480000",
"tags": [
"related tags",
"none google",
"win32",
"united",
"united states",
"irs",
"qakbot",
"qbot",
"inject",
"keylogger",
"botx",
"active",
"bot network",
"et trojan",
"hello ssl",
"destination",
"port",
"unknown",
"ciphersuite",
"sessionid",
"asnone",
"write",
"virustotal",
"drweb",
"vipre",
"mcafee",
"panda",
"malware",
"pandex!gen1",
"et",
"brazil as16625",
"akamai",
"united kingdom",
"dynamicloader",
"medium",
"tls handshake",
"failure",
"yara rule",
"high",
"cape",
"guard",
"error",
"delphi",
"qakbot",
"tlsv1",
"entries",
"iobit unikstall",
"global",
"read c",
"rgba",
"unicode",
"memcommit",
"delete",
"msie",
"windows nt",
"next",
"dock",
"execution",
"server header",
"download",
"suspicious",
"specified",
"logic",
"web products",
"present nov",
"present dec",
"present jun",
"present oct",
"present may",
"aaaa",
"next associated",
"urls show",
"scheme",
"windir",
"openurl c",
"prefetch2",
"analysis",
"tor analysis",
"dns requests",
"domain address",
"contacted hosts",
"ip address",
"ascii text",
"pattern match",
"href",
"mitre att",
"ck id",
"show technique",
"ck matrix",
"beginstring",
"show process",
"null",
"refresh",
"span",
"hybrid",
"general",
"local",
"path",
"iframe",
"click",
"strings",
"tools",
"title",
"look",
"verify",
"restart",
"learn",
"command",
"name tactics",
"informative",
"adversaries",
"spawns",
"defense evasion",
"t1480 execution",
"adult content",
"lol fun hackers"
],
"references": [
"Start at https://www.irs.gov/ redirected to 2fsa.www4.irs.gov (connection error) irs.gov (active) Positive for all Malware",
"IRS.GOV - Crypt3.BXVC ET Inject2.BIVE Win.Keylogger.Qbot-9987768-0 Win.Trojan.Qakbot-9988002-1 Win32:BotX-gen\\ [Trj]",
"Pandex!gen1 Web Products",
"Crypt3.BXVC IDS: Suspicious double Server Header",
"Crypt3.BXVC IDS: Possible Kelihos.F EXE Download Common Structure",
"Crypt3.BXVC IDS: Win32/Kelihos.F Checkin",
"Crypt3.BXVC IDS: Fun Web Products Spyware User-Agent (FunWebProducts)",
"Crypt3.BXVC IDS: Possible Kelihos Infection Executable Download With Malformed Header",
"Crypt3.BXVC IDS: DNS Query for Suspicious .co.cc Domain",
"Crypt3.BXVC IDS: Executable Download from dotted-quad Host",
"Crypt3.BXVC IDS: Abuseat.org Block Message",
"Crypt3.BXVC IDS: Executable Retrieved With Minimal HTTP",
"Crypt3.BXVC IDS: PE EXE or DLL Windows file download HTTP",
"Crypt3.BXVC IDS: Headers - Potential Second Stage Download",
"Alerts: persistence_autorun sniffer_winpcap network_bind antivirus_virustotal network_http",
"Alerts: network_icmp infostealer_browser recon_fingerprint infostealer_ftp network_smtp",
"ET Trojan \u2022 https://otx.alienvault.com/indicator/file/43dbcee5aee3caab830ac840737bb591cfa99ae81f1280aeb38ad73ad9c317af"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"United Kingdom of Great Britain and Northern Ireland",
"Canada",
"Brazil",
"Ireland",
"India",
"Georgia",
"Singapore",
"Spain",
"Japan"
],
"malware_families": [
{
"id": "Inject2.BIVE",
"display_name": "Inject2.BIVE",
"target": null
},
{
"id": "Win.Keylogger.Qbot-9987768-0",
"display_name": "Win.Keylogger.Qbot-9987768-0",
"target": null
},
{
"id": "Win.Trojan.Qakbot-9988002-1",
"display_name": "Win.Trojan.Qakbot-9988002-1",
"target": null
},
{
"id": "Win32:BotX-gen\\ [Trj]",
"display_name": "Win32:BotX-gen\\ [Trj]",
"target": null
},
{
"id": "Crypt3.BXVC",
"display_name": "Crypt3.BXVC",
"target": null
},
{
"id": "Pandex!gen1",
"display_name": "Pandex!gen1",
"target": null
},
{
"id": "ET",
"display_name": "ET",
"target": null
},
{
"id": "Web Products",
"display_name": "Web Products",
"target": null
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1003",
"name": "OS Credential Dumping",
"display_name": "T1003 - OS Credential Dumping"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
}
],
"industries": [
"Finance",
"Government",
"IRS"
],
"TLP": "green",
"cloned_from": null,
"export_count": 6,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 158,
"URL": 140,
"hostname": 287,
"FileHash-SHA256": 85,
"FileHash-MD5": 110,
"FileHash-SHA1": 77,
"SSLCertFingerprint": 8
},
"indicator_count": 865,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 138,
"modified_text": "84 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "6923408464566e39caf32285",
"name": "Discord- DNS | Malvertizing | Ransom/Msilzilla (sifting IoC\u2019s created by scnrscnr)",
"description": "TAGS\nActive\n443 ma2592000\nChristopher Pool\nPool's Closed\nTimothy Pool\na li\n google\namerica att\napache\napache ip\nasn as46606\nauditmode force\nbehavior\nbinary\nbinary file\nbk role\nchat\ncheck\nchrome\nck ids\ncommon stealer\ncookie\ndata upload\ndefender\ndelete c\ndirectui\ndiscord\ndns lookup\ndomain add\ndrop\ndynamicloader\neb d8\nee fc\nerror oct\nexplorer\nexternal ip\nextraction\nf0 ff\nfailed\nff bb\nff d5\nff ff\nfiles\nfoundry\ngmt content\ngmt etag\ngmt server\ngoogle chrome\nguard\nhigh\ninsert\nlolminer\nmalware\nmedia\nmeta\nmoved\nmovie\nmsie\nmsvisualbasic60\nmtb aug -present \nneversend\npowershell\nrelated nids\nresponse ip\nself\nservice domain\nsingapore\nsmartassembly\nspan\nspan a\nsx08x00x00a\ntargeting\ntls sni\ntrojan\ntrojandropper\ntwitter\ntx08x00x00n\nunique\nuser agent\nux08x00x00h\nvirtool\nvirustotal api\nvoice\nvx08x00x00j\nwrite\nwrite c\nwx08x00x00\nx08x00x00b\nx08x00x00x00\nyara\nyara rule\nyx08x00x00l\nz3je\nz3uwq7\nzx08x00x00",
"modified": "2025-12-23T16:04:54.329000",
"created": "2025-11-23T17:12:36.917000",
"tags": [
"no expiration",
"expiration",
"url https",
"url http",
"filehashsha256",
"hostname",
"domain",
"filehashmd5",
"filehashsha1",
"ipv4",
"code",
"pool",
"timothy pool",
"z3je z3uwq7",
"creation date",
"ip address",
"emails",
"expiration date",
"status",
"hostname add",
"pulse pulses",
"passive dns",
"urls",
"date"
],
"references": [
"https://otx.alienvault.com/pulse/5fa57698ac0f6638b7b9a8ba",
"Examining pulse created by scnrscnr is worth reviewing. I was surprised tonal see a targets name.I didn\u2019t see Foundry highlighted",
"http://aninditaannisa.blogspot.com/2019/02/tsara-brashears-porn.html \u2022 blogspot.com",
"https://aninditaannisa.blogspot.com/2019/02/tsara-brashears-porn.html \u2022 blogspot.com \u2022 www.techcult.com/judge-the-simpsons-parody-is-child-pornography/ Whitelisted domain techcult.com\t Domain blogspot.com Whitelisted domain blogspot.com\t Domain techcult.com Whitelisted domain techcult.com\t Hostname aninditaannisa.blogspot.com \u2022 domain blogspot.com",
"www.techcult.com",
"http://foundry.tartarynova.com phishing \u2022 https://foundry.tartarynova.com \u2022 foundry.tartarynova.com",
"https://trail.truefoundry.com/api/t/c/usr_NEDuPPvnqv5DXyhti/tsk_X2YECqnpAow7t6JuE/enc_U2FsdGVkX1_wWHRx9nPGCEspZpUcIwc1yphMTxaaQ2ZAbsxOqRR4ibXcaYtcmgJ1UgabTFCHVVBLx2oAnBAW2h8el_edjHN72Ug0yKQePjKnSJEOnQvtq8MUPo0vkU1N",
"https://trail.truefoundry.com/api/track/open/usr_NEDuPPvnqv5DXyhti/tsk_L9bYYgL2HGng9mDsC",
"https://trail.truefoundry.com/api/track/open/usr_NEDuPPvnqv5DXyhti/tsk_X2YECqnpAow7t6JuE",
"truefoundry.com \u2022 assets.production.truefoundry.com \u2022 cpt.llm-gateway.truefoundry.com",
"yyz.llm-gateway.truefoundry.com \u2022 trail.truefoundry.com \u2022 sin.llm-gateway.truefoundry.com",
"lm-gateway.truefoundry.com \u2022 https://assets.production.truefoundry.com/sample-openapi.json",
"162.159.128.233 \u2022 http://tsar.vicly.org \u2022 https://tsar.vicly.org \u2022 tsar.vicly.org \u2022 vicly.org \u2022 https://tsar.vicly.org/",
"http://scteamcommunity.com/4k-high-res-porn-videos/squirt phishing",
"http://pic.porn.hub-accessories.site \u2022 https://pic.porn.hub-accessories.site \u2022 pic.porn.hub-accessories.site",
"2022ww11.pornhubgsy.com \u2022 http://scteamcommunity.com/4k-high-res-porn-videos/squirt",
"IDS Detections: Observed Discord Domain in DNS Lookup (discord .com) Discord Chat Service Domain in DNS Lookup (discord .com)",
"IDS Detections: Observed Discord Domain (discord .com in TLS SNI)",
"IDS Detections: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)",
"IDS Detections: Observed Discord Domain (discordapp .com in TLS SNI) Observed Discord Service Domain (discord .com) in TLS SNI Less",
"Yara: Detections ConventionEngine_Term_Users",
"Yara: ConventionEngine_Anomaly_MultiPDB_Double , ConventionEngine_Term_Documents",
"Alerts: infostealer_browser infostealer_cookies binary_yara procmem_yara static_pe_anomaly",
"Alerts: pe_compile_timestomping antiav_detectfile antidebug_guardpages encrypted_ioc",
"Alerts: dynamic_function_loading injection_write_process reads_memory_remote_process",
"Alerts : network_cnc_https_generic reads_self packer_entropy injection_rwx uses_windows_utilities antivm_checks_available_memory queries_computer_name queries_user_name",
"Yara : MS_Visual_Basic_6_0 ,",
"Yara : UPX , Nrv2x , UPX_OEP_place , UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , UPXv20MarkusLaszloReiser",
"Alerts : ransomware_file_modifications stealth_file procmem_yara static_pe_anomaly",
"Alerts: disables_folder_options stealth_hidden_extension stealth_hiddenreg anomalous_deletefile",
"Alerts: mouse_movement_detect",
"Couldn\u2019t pulse 1st pulse so here\u2019s what\u2019s left",
"scnrscnr pulse is good. I\u2019m assuming they\u2019re targets.",
"Foundry stalking."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "TrojanDropper:Win32/VB.IL0",
"display_name": "TrojanDropper:Win32/VB.IL0",
"target": "/malware/TrojanDropper:Win32/VB.IL0"
},
{
"id": "ALF:Trojan:Win32/Cassini_56a3061!ibt",
"display_name": "ALF:Trojan:Win32/Cassini_56a3061!ibt",
"target": null
},
{
"id": "Win.Ransomware.Msilzilla-10014498-0",
"display_name": "Win.Ransomware.Msilzilla-10014498-0",
"target": null
}
],
"attack_ids": [
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1443",
"name": "Remotely Install Application",
"display_name": "T1443 - Remotely Install Application"
},
{
"id": "T1546",
"name": "Event Triggered Execution",
"display_name": "T1546 - Event Triggered Execution"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 7,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 773,
"FileHash-SHA1": 684,
"FileHash-SHA256": 1910,
"CVE": 2,
"SSLCertFingerprint": 4,
"URL": 3783,
"domain": 878,
"email": 7,
"hostname": 1913
},
"indicator_count": 9954,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "117 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "68f93b1cebf80f48450bd517",
"name": "Yuner - File deletion and Disk Wiping / Cyberstalking ",
"description": "",
"modified": "2025-11-21T18:02:11.054000",
"created": "2025-10-22T20:14:20.632000",
"tags": [
"server nginx",
"date fri",
"etag w",
"urls",
"passive dns",
"acceptranges",
"contentlength",
"date thu",
"gmt expires",
"server",
"code",
"link",
"script script",
"south africa",
"ipv4",
"files",
"location south",
"accept",
"present aug",
"certificate",
"hostname add",
"domain",
"files ip",
"unknown a",
"script urls",
"ip address",
"unknown soa",
"unknown ns",
"reverse dns",
"africa flag",
"asn as16637",
"dns resolutions",
"domains top",
"level",
"unique tld",
"related pulses",
"tags none",
"indicator facts",
"title",
"ipv4 add",
"opinion",
"netacea",
"lockbit",
"wannacry attack",
"nhs trusts",
"council",
"uk government",
"protect",
"cni safe",
"acls",
"praio",
"prink",
"prsc",
"prla",
"lg2en",
"cti98",
"search",
"seiko epson",
"corporation",
"arc file",
"malware",
"delete c",
"default",
"show",
"write",
"next",
"unknown",
"united",
"tlsv1",
"msie",
"windows nt",
"wow64",
"slcc2",
"media center",
"as15169",
"port",
"execution",
"dock",
"capture",
"persistence",
"yara detections",
"filehash",
"md5 add",
"pulse pulses",
"av detections",
"ids detections",
"alerts",
"analysis date",
"file score",
"low risk",
"cabinet archive",
"microsoft",
"read c",
"dynamicloader",
"medium",
"ltda me",
"high",
"write c",
"entries",
"checks",
"delphi",
"win32",
"url pulse",
"data upload",
"extraction",
"find suggested",
"type",
"domain hostname",
"url add",
"http",
"related nids",
"files location",
"ireland flag",
"files domain",
"chrome",
"ireland unknown",
"pulse submit",
"url analysis",
"body",
"date",
"status",
"name servers",
"creation date",
"expiration date",
"flag united",
"destination",
"systemdrive",
"html document",
"crlf line",
"updater",
"copy",
"unknown aaaa",
"moved",
"domain add",
"extri data",
"enter sc",
"extr include",
"review exclude",
"sugges",
"present jul",
"saudi arabia",
"present mar",
"present oct",
"present jun",
"present feb",
"present nov",
"present may",
"eeee",
"eeeeeee",
"eeeeee",
"eefe",
"ebeee",
"ee eme",
"eeheee",
"eeefee e",
"eeeee e",
"vmprotect",
"push",
"local",
"defender",
"regsetvalueexa",
"utf8 unicode"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Lockbit",
"display_name": "Lockbit",
"target": null
},
{
"id": "ALF:HeraklezEval:PUA:Win32/UltraDownloads",
"display_name": "ALF:HeraklezEval:PUA:Win32/UltraDownloads",
"target": null
},
{
"id": "Other Dangerous Malware",
"display_name": "Other Dangerous Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1199",
"name": "Trusted Relationship",
"display_name": "T1199 - Trusted Relationship"
},
{
"id": "T1561",
"name": "Disk Wipe",
"display_name": "T1561 - Disk Wipe"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
}
],
"industries": [
"Oil"
],
"TLP": "green",
"cloned_from": "68f9288e0d98f3b44c2cb90c",
"export_count": 12,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 648,
"hostname": 1604,
"FileHash-SHA256": 1826,
"URL": 4153,
"FileHash-MD5": 102,
"FileHash-SHA1": 60,
"SSLCertFingerprint": 18,
"CVE": 2,
"email": 5
},
"indicator_count": 8418,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 140,
"modified_text": "149 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "68f9288e0d98f3b44c2cb90c",
"name": "Ultrasounds attack - South African criminal group-Denver, Vo affects critical infrastructure , Oil and public safety",
"description": "South African and Ethiopian crime group with Denver , Co presence is not only infiltrating infrastructure from banking to oil, they are human traffickers, hitmen and yes, I received this tip from team member Pheona who a \u2018sassa.gov.za\u2018 South African link recurrently as a top search suggestion in a \u2018targets\u2019 browser. The most frightening piece is that a name listed is of an Ethiopian man who attempted to force a very targeted victim to go somewhere with him,, be his girlfriend and did show up outside of her residence in a different City & County. He also knew the exact name of where she purchased specific items. If you can see this. Please help the best way you can. Something is incredibly wrong. [OTX auto populated Title: We can\u2019t rely on goodwill to protect our critical infrastructure - Help Net Security]",
"modified": "2025-11-21T18:02:11.054000",
"created": "2025-10-22T18:55:10.527000",
"tags": [
"server nginx",
"date fri",
"etag w",
"urls",
"passive dns",
"acceptranges",
"contentlength",
"date thu",
"gmt expires",
"server",
"code",
"link",
"script script",
"south africa",
"ipv4",
"files",
"location south",
"accept",
"present aug",
"certificate",
"hostname add",
"domain",
"files ip",
"unknown a",
"script urls",
"ip address",
"unknown soa",
"unknown ns",
"reverse dns",
"africa flag",
"asn as16637",
"dns resolutions",
"domains top",
"level",
"unique tld",
"related pulses",
"tags none",
"indicator facts",
"title",
"ipv4 add",
"opinion",
"netacea",
"lockbit",
"wannacry attack",
"nhs trusts",
"council",
"uk government",
"protect",
"cni safe",
"acls",
"praio",
"prink",
"prsc",
"prla",
"lg2en",
"cti98",
"search",
"seiko epson",
"corporation",
"arc file",
"malware",
"delete c",
"default",
"show",
"write",
"next",
"unknown",
"united",
"tlsv1",
"msie",
"windows nt",
"wow64",
"slcc2",
"media center",
"as15169",
"port",
"execution",
"dock",
"capture",
"persistence",
"yara detections",
"filehash",
"md5 add",
"pulse pulses",
"av detections",
"ids detections",
"alerts",
"analysis date",
"file score",
"low risk",
"cabinet archive",
"microsoft",
"read c",
"dynamicloader",
"medium",
"ltda me",
"high",
"write c",
"entries",
"checks",
"delphi",
"win32",
"url pulse",
"data upload",
"extraction",
"find suggested",
"type",
"domain hostname",
"url add",
"http",
"related nids",
"files location",
"ireland flag",
"files domain",
"chrome",
"ireland unknown",
"pulse submit",
"url analysis",
"body",
"date",
"status",
"name servers",
"creation date",
"expiration date",
"flag united",
"destination",
"systemdrive",
"html document",
"crlf line",
"updater",
"copy",
"unknown aaaa",
"moved",
"domain add",
"extri data",
"enter sc",
"extr include",
"review exclude",
"sugges",
"present jul",
"saudi arabia",
"present mar",
"present oct",
"present jun",
"present feb",
"present nov",
"present may",
"eeee",
"eeeeeee",
"eeeeee",
"eefe",
"ebeee",
"ee eme",
"eeheee",
"eeefee e",
"eeeee e",
"vmprotect",
"push",
"local",
"defender",
"regsetvalueexa",
"utf8 unicode"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Lockbit",
"display_name": "Lockbit",
"target": null
},
{
"id": "ALF:HeraklezEval:PUA:Win32/UltraDownloads",
"display_name": "ALF:HeraklezEval:PUA:Win32/UltraDownloads",
"target": null
},
{
"id": "Other Dangerous Malware",
"display_name": "Other Dangerous Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1199",
"name": "Trusted Relationship",
"display_name": "T1199 - Trusted Relationship"
},
{
"id": "T1561",
"name": "Disk Wipe",
"display_name": "T1561 - Disk Wipe"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1040",
"name": "Network Sniffing",
"display_name": "T1040 - Network Sniffing"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
}
],
"industries": [
"Oil"
],
"TLP": "green",
"cloned_from": null,
"export_count": 7,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 648,
"hostname": 1604,
"FileHash-SHA256": 1826,
"URL": 4153,
"FileHash-MD5": 102,
"FileHash-SHA1": 60,
"SSLCertFingerprint": 18,
"CVE": 2,
"email": 5
},
"indicator_count": 8418,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 138,
"modified_text": "149 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "665c44f012d938d1c7dd591e",
"name": "PIT Projekt.exe (www.pitprojekt.pl , pitprojekt.pl) oraz Ceidg.gov.pl - Dane publiczne wpisu",
"description": "https://aplikacja.ceidg.gov.pl/CEIDG/CEIDG.Public.UI/SearchDetails.aspx?Id=f3ee4c4e-e009-4d69-82da-eef3bad1ecc4 NIP:6161230754\nhttps://aplikacja.ceidg.gov.pl/CEIDG/CEIDG.Public.UI/SearchDetails.aspx?Id=7a025cc6-5167-43cf-947f-387a3b830778 NIP;6112323510\nhttp://aplikacja.ceidg.gov.pl/CEIDG/CEIDG.Public.UI/SearchDetails.aspx?Id=7a025cc6-5167-43cf-947f-387a3b830778\n2.16.6.145146f05-9aac-4942-a42d-f2550a19c0c4 NIP:6131434311\nipv4: 2.16.6.14, 2.16.6.6, 2.16.6.1,",
"modified": "2025-10-06T11:12:39.639000",
"created": "2024-06-02T10:09:52.601000",
"tags": [
"ceidg.gov.pl - centralna ewidencja i informacja o dzia\u0142alno\u015bci g",
"prosz czeka",
"pobierz plik",
"wojcieszyce",
"urls competing",
"ceidg centralna",
"gospodarczej",
"wyszukiwanie",
"przejd",
"centrum pomocy",
"informacja o",
"mapa",
"strona gwna",
"przegldanie",
"ceidg szybki",
"uwagi prawne",
"deklaracja",
"serwer",
"returnurl",
"idf3ee4c4ee00",
"id7a025cc6516",
"wctxrm0",
"idf3ee4c4",
"id35146f059aa",
"ideb8f4cf26ef",
"id7a025cc",
"id35146f0",
"publicznywsz3",
"id97c275c",
"url wiek",
"ssdeep",
"sha1",
"pehasz",
"typlibid",
"pit projekt",
"chcesz",
"pity online",
"program",
"interesuje ci",
"pity zapisane",
"jeli",
"oddajemy w",
"twoje rce",
"dziki jego"
],
"references": [
"http://aplikacja.ceidg.gov.pl/CEIDG/CEIDG.Public.UI/SearchDetails.aspx?Id=7a025cc6-5167-43cf-947f-387a3b830778",
"https://aplikacja.ceidg.gov.pl/CEIDG/CEIDG.Public.UI/SearchDetails.aspx?Id=f3ee4c4e-e009-4d69-82da-eef3bad1ecc4",
"https://aplikacja.ceidg.gov.pl/CEIDG/GroupMenu.aspx?key=_group_search",
"https://aplikacja.ceidg.gov.pl/CEIDG/CEIDG.Public.UI/SearchDetails.aspx?Id=35146f05-9aac-4942-a42d-f2550a19c0c4",
"http://www.pitprojekt.pl",
"http://pitprojekt.pl"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Wojcieszyce",
"display_name": "Wojcieszyce",
"target": null
},
{
"id": "Serwer",
"display_name": "Serwer",
"target": null
},
{
"id": "Serwer A Przed\u0142u\u017cenie sesji #{text}",
"display_name": "Serwer A Przed\u0142u\u017cenie sesji #{text}",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 8271,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Arek-BTC",
"id": "212764",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1259,
"URL": 6009,
"hostname": 3030,
"FileHash-SHA256": 10233,
"FileHash-MD5": 2742,
"FileHash-SHA1": 2348,
"email": 75,
"SSLCertFingerprint": 11,
"YARA": 2,
"CVE": 13,
"FileHash-PEHASH": 1,
"IPv4": 34,
"IPv6": 6
},
"indicator_count": 25763,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 134,
"modified_text": "195 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "68aff672de7f1b65a97c00b1",
"name": "WarzoneRAT impacts Social Media of users with compromised systems",
"description": "Injection affects compromised user/s social media accounts including YouTube. Uploads to social media accounts from infected systems divert to adversary\u2019s alt YouTube media center labeled \u2018watch\u2019 instead of YouTube . Remote access observed. Threat actor has full access , cnc , devices, personal information, images, contacts, network, private information including all financial information. \n \nAlt / adversarial Pinterest, Tumblr, YouTube, Facebook, Twitter / X, Instagram , LinkedIn",
"modified": "2025-09-27T05:00:09.125000",
"created": "2025-08-28T06:25:54.794000",
"tags": [
"d10927",
"mp41",
"mp41 connection",
"r connection",
"ip address",
"dynamicloader",
"write c",
"globalc",
"medium",
"high",
"write",
"dll read",
"trojan",
"delphi",
"win32",
"dialer",
"tracking",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"defense evasion",
"spawns",
"t1590 gather",
"mitre att",
"ck matrix",
"null",
"click",
"title",
"span",
"meta",
"general",
"local",
"path",
"strings",
"refresh",
"tools",
"virgin islands",
"united",
"unknown ns",
"a domains",
"montserrat",
"passive dns",
"ipv4",
"urls",
"files",
"hosting",
"trojandropper",
"location virgin",
"msie",
"windows nt",
"wow64",
"slcc2",
"media center",
"item",
"has description",
"unknown",
"explorer",
"error",
"powershell",
"yara rule",
"windows",
"t1055",
"warzonerat",
"avemaria",
"virtool",
"netwire",
"malware",
"hostile",
"autoit",
"defender",
"date",
"bq aug",
"next associated",
"ipv4 add",
"resolved ips",
"get http",
"request",
"win64",
"khtml",
"gecko",
"resolutions",
"number",
"ja3s",
"algorithm",
"cnr12 cus",
"cname",
"accept",
"port",
"gmt ifnonematch",
"screenshots no",
"involved dns",
"name response",
"nxdomain",
"tcp connections",
"involved direct",
"country name",
"moved",
"alone email",
"body doctype",
"gmt server",
"content type",
"service privacy",
"cve"
],
"references": [
"http://remote.edikamin.com/",
"http://flat.trafficadvance.net/AccessMySOL.IVRMobileEntra?D=10927&C=7&MP=41%7C",
"http://deposito.hostance.net/dialer/",
"Found in Alt YouTube = Titled \u2018watch\u2019 | Infected System uploads to YT",
"Domains Contacted:Wealthy2019.com.strangled.net \u2022 wealth.warzonedns.com\t \u2022 wealthyme.ddns.net",
"DYNAMIC_DNS Query to a *.strangled .net Domain\t192.168.122.91\t1.1.1.1 \u2022 DNS Query to DynDNS Domain *.ddns .net",
"Observed DNS Query to a *.warzonedns .com domain - Likely Hostile\t192.168.122.91\t1.1.1.1",
"simswap.in (possible Mirai or relationship to)"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Virgin Islands, British"
],
"malware_families": [
{
"id": "Trojan:Win32/Diamin.F",
"display_name": "Trojan:Win32/Diamin.F",
"target": "/malware/Trojan:Win32/Diamin.F"
},
{
"id": "Dialer",
"display_name": "Dialer",
"target": null
},
{
"id": "Win32:CabMod\\ [Drp]",
"display_name": "Win32:CabMod\\ [Drp]",
"target": null
},
{
"id": "TrojanDropper:Win32/Hupigon.gen!A",
"display_name": "TrojanDropper:Win32/Hupigon.gen!A",
"target": "/malware/TrojanDropper:Win32/Hupigon.gen!A"
},
{
"id": "ALF:HeraklezEval:PUA:Win32/Keygen",
"display_name": "ALF:HeraklezEval:PUA:Win32/Keygen",
"target": null
},
{
"id": "Trojan:Win32/Startpage.AEA",
"display_name": "Trojan:Win32/Startpage.AEA",
"target": "/malware/Trojan:Win32/Startpage.AEA"
},
{
"id": "Banload",
"display_name": "Banload",
"target": null
},
{
"id": "TrojanDownloader:Win32/Banload.D",
"display_name": "TrojanDownloader:Win32/Banload.D",
"target": "/malware/TrojanDownloader:Win32/Banload.D"
},
{
"id": "Win32:Evo-gen",
"display_name": "Win32:Evo-gen",
"target": null
},
{
"id": "!#AddsCopy-ToStartup",
"display_name": "!#AddsCopy-ToStartup",
"target": null
},
{
"id": "VirTool:Win32/AutInject.CZ!bit",
"display_name": "VirTool:Win32/AutInject.CZ!bit",
"target": "/malware/VirTool:Win32/AutInject.CZ!bit"
},
{
"id": "Win.Trojan.Agent-316098",
"display_name": "Win.Trojan.Agent-316098",
"target": null
},
{
"id": "virtool:Win32/Injector.gen!BQ",
"display_name": "virtool:Win32/Injector.gen!BQ",
"target": "/malware/virtool:Win32/Injector.gen!BQ"
},
{
"id": "WarzoneRAT - S0670",
"display_name": "WarzoneRAT - S0670",
"target": null
},
{
"id": "CVE-2023-22518",
"display_name": "CVE-2023-22518",
"target": null
}
],
"attack_ids": [
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
}
],
"industries": [
"Technology",
"Telecommunications",
"Media"
],
"TLP": "white",
"cloned_from": null,
"export_count": 34,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 4194,
"hostname": 1563,
"FileHash-SHA256": 2494,
"domain": 624,
"FileHash-MD5": 274,
"FileHash-SHA1": 226,
"email": 1,
"CVE": 1
},
"indicator_count": 9377,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 142,
"modified_text": "204 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "686a1f2dab47342691c71bec",
"name": "Lumma Stealer attacking Telegram (t.me) & Dropbox",
"description": "Lumma Stealer, CNC, critical multiple malware IoC\u2019s attack. Telegram, remote Dropbox stealing among multiple targeted attacks. Dropbox spyware. \nNitrogen ransomware present.\n#apple_webkit #chrome #steam #lumma #ransom #stealer",
"modified": "2025-08-05T06:03:08.761000",
"created": "2025-07-06T07:01:01.459000",
"tags": [
"server response",
"petya",
"ransom",
"lumma",
"rozena",
"dynamicloader",
"domain",
"dns lookup",
"related cnc",
"et malware",
"medium",
"search",
"tls sni",
"stealer related",
"show",
"write",
"win64",
"suspicious",
"wave",
"unknown",
"malware",
"path",
"desktop",
"copy",
"next",
"nitrogen",
"snake",
"learn",
"command",
"ck id",
"name tactics",
"informative",
"spawns",
"found",
"defense evasion",
"t1480 execution",
"united",
"flag",
"server",
"date",
"contacted hosts",
"ip address",
"process details",
"austria austria",
"show technique",
"mitre att",
"ck matrix",
"pattern match",
"ascii text",
"show process",
"network traffic",
"utf8",
"crlf line",
"general",
"local",
"present jul",
"aaaa",
"virgin islands",
"antigua",
"status",
"org domains",
"proxy",
"code",
"present apr",
"date checked",
"url hostname",
"server response",
"google safe",
"results apr",
"files show",
"date hash",
"avast avg",
"msil",
"trojandropper",
"themida jun",
"win32",
"entries",
"passive dns",
"urls",
"files",
"barbuda asn",
"multiple attacks",
"tls handshake",
"failure",
"high",
"windows",
"dropbox",
"telegram",
"connections dropped",
"a domains",
"servers",
"certificate",
"moved",
"dropbox",
"lutimanisdk",
"trojan",
"body",
"present jun",
"error",
"bad traffic",
"redirects",
"creation date",
"showing",
"next associated",
"spyware",
"link",
"meta",
"script",
"gmt contenttype",
"lowfi",
"hookwowlow jun",
"a li",
"ul div",
"dropbox plus",
"div div",
"span span",
"erreur",
"span",
"window",
"adobe systems",
"stock photos",
"adobe stock",
"photos cs3",
"yara detections",
"april",
"synapse",
"installer",
"apple",
"steam community",
"apple webkit",
"dropbox 4xx"
],
"references": [
"146.112.61.107 (146.112.48.0/20) AS 36692 ( CISCO UMBRELLA ) US",
"IDS Detections: Win32/Lumma Stealer Related \u2022 CnC Domain in DNS Lookup (pacwpw .xyz)",
"Lumma Stealer CNC {FILEHASH SHA256 bc9c5c8dfdcf0d2a321478207b0870274fba25b93075fc987768623237973646} t.me / Dropbox",
"Win32/Lumma Stealer Related CnC Domain in DNS Lookup (comkxjs .xyz) (unurew .xyz) (trsuv .xyz)",
"Win32/Lumma Stealer Related CnC Domain in DNS Lookup (sqgzl .xyz) (cexpxg .xyz) (cexpxg .xyz) (urarfx .xyz)",
"Win.Exploit.Rozena {FileHash-SHA256 21fb4fdce85ab75430e18d9362a35f61dcaeb628c28836403472c054d6ceab8c}",
"Lumma Stealer https://t.me/pizdenka202020 / t.me",
"Query to a *.top domain - Likely Hostile\t192.168.122.95\t1.1.1.1\t\t\t\t SHOWING 1 TO 22 OF 22 ENTRIES HTTP Request Get 1 Post 2 Put 0 Delete 0 URL HOST PORT METHOD USER AGENT https://steamcommunity.com/profiles/76561199863199067\tsteamcommunity.com\t443\tGET\tN/A { \"src\": \"192.168.122.95\", \"sport\": 49227, \"dst\": \"23.59.52.127\", \"dport\":, \"protocol\": \"https\", \"method\": \"GET\", \"host\": \"steamcommunity.com\", \"uri\": \"/profiles/76561199863199067\", \"status\": 200, \"request\": \"GET /profiles/7656119986319",
"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Safari/537.36",
"(KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 Content-Length: 30038 Host: accsrf.top"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Win.Exploit.Rozena",
"display_name": "Win.Exploit.Rozena",
"target": null
},
{
"id": "ALF:Ransom:Win32/Petya.SIB!MTB",
"display_name": "ALF:Ransom:Win32/Petya.SIB!MTB",
"target": null
},
{
"id": "Lumma Stealer",
"display_name": "Lumma Stealer",
"target": null
},
{
"id": "Nitrogen Loader",
"display_name": "Nitrogen Loader",
"target": null
},
{
"id": "Nitrogen Ransomware",
"display_name": "Nitrogen Ransomware",
"target": null
},
{
"id": "Themida.",
"display_name": "Themida.",
"target": null
}
],
"attack_ids": [
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1036.003",
"name": "Rename System Utilities",
"display_name": "T1036.003 - Rename System Utilities"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1011",
"name": "Exfiltration Over Other Network Medium",
"display_name": "T1011 - Exfiltration Over Other Network Medium"
},
{
"id": "T1590.002",
"name": "DNS",
"display_name": "T1590.002 - DNS"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
}
],
"industries": [
"Telecommunications",
"Technology"
],
"TLP": "white",
"cloned_from": null,
"export_count": 23,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 130,
"FileHash-SHA1": 110,
"FileHash-SHA256": 119,
"URL": 237,
"domain": 64,
"SSLCertFingerprint": 5,
"hostname": 63,
"email": 2
},
"indicator_count": 730,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 137,
"modified_text": "257 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "66ae21418ee5c4ef2c847a09",
"name": "server.wojcieszyce.pl Email: info@wojcieszyce.pl",
"description": "aaf8324ca0b6fb26f66dcf30f3d95491 SHA-1 f88f78f2b158c1e9df115b477509f140a1fb67d6 SHA-256 eb050903bbc118520a8889bd2fb0176262af63b6b34b9762cbfdec11bcf48f80 Vhash 1fb0238141c442bee60860692e8228f8 SSDEEP 393216:SXUROas78y5sf0Xin76QKRu8vxoX0PllhjKNeNOZYASi6:KiMhjiOka TLSH T127B76A56F211ACB0CFA2453940AB5505A23C76434FC2F9E4B72D808E6FAD58F66326FD File type Google Chrome Extension crx chrome extension browser Magic Zip archive data, at least v1.0 to extract",
"modified": "2025-05-01T08:50:16.800000",
"created": "2024-08-03T12:23:29.055000",
"tags": [
"sha256",
"office open",
"xml document",
"ms word",
"document",
"google chrome",
"extension",
"strong",
"korzystania z",
"ciasteczka",
"godziny",
"jeleniogrska",
"wojcieszyce",
"naszej strony",
"korzystanie z",
"en de",
"menu imprezy",
"flash",
"vhash",
"ssdeep",
"file type",
"ini text",
"magic generic",
"magika txt",
"file size",
"text c",
"javascript c",
"peexe c",
"doscom c",
"tekst c",
"javascript",
"rgba",
"unicode",
"z bom",
"dane obrazu",
"tekst utf8",
"crlf",
"skrt",
"v2 dokument",
"dane",
"jpeg",
"kimhjioka tlsh",
"magic zip",
"magic elf",
"sysv",
"adres url",
"strona",
"zaloguj",
"date thu",
"connection",
"server nginx",
"gmt etag",
"expires sat",
"expires fri",
"contentlength",
"server",
"gmt contenttype",
"cachecontrol",
"png image",
"crlf line",
"document file",
"v2 document",
"type md5",
"process name",
"cr line",
"ikona rt",
"neutralny",
"entropia chi2",
"typ pliku",
"typ jzyk",
"png ikona",
"rt neutralny",
"rticon neutral",
"ico rtgroupicon",
"neutral",
"whasz",
"oszczdno",
"logowanie",
"zagroenia",
"dane publiczne",
"zoliwy dane",
"historia wpisu",
"reagowania",
"sha1",
"virustotal",
"html internet",
"magic html",
"unicode text",
"please",
"pehash"
],
"references": [
"http://www.wojcieszyce.pl/",
"https://www.wojcieszyce.pl/",
"https://wojcieszyce.pl/",
"http://wojcieszyce.pl/",
"https://www.virustotal.com/gui/search/entity%253Afile%2520tag%253Apdf"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Wojcieszyce",
"display_name": "Wojcieszyce",
"target": null
}
],
"attack_ids": [
{
"id": "T1176",
"name": "Browser Extensions",
"display_name": "T1176 - Browser Extensions"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Arek-BTC",
"id": "212764",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA1": 908,
"FileHash-SHA256": 2450,
"FileHash-MD5": 968,
"URL": 373,
"hostname": 144,
"IPv4": 8,
"domain": 15,
"email": 7,
"CVE": 16
},
"indicator_count": 4889,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 124,
"modified_text": "353 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "66831f04ad169d3b685c9645",
"name": "Win.exe , Bootstrapper.exe , pl.microsoft.com , microsoft.com/pki/certs/MicRooCerAut_2010",
"description": "rule UPX { meta: author = \"kevoreilly\" description = \"UPX dump on OEP (original entry point)\" cape_options = \"bp0=$upx32+9,bp0=$upx64+11,action0=step2oep\" strings: $upx32 = {6A 00 39 C4 75 FA 83 EC ?? rule Windows_Generic_Threat_5c18a7f9 { meta: author = \"Elastic Security\" id = \"5c18a7f9-01af-468b-9a63-cfecbeb739d7\" fingerprint = \"68c9114ac342d527cf6f0cea96b63dfeb8e5d80060572fad2bbc7d287c752d4a\" creation_date = \"2024-01-21\" last_modified = \"2024-02-08\" threat_name = \"Windows.\ndca60557a1f47948d7158ba9f56ad8656bd0b343488264e23037fd66174e3cd5\nb4f7ace176d0eeba828e7c03f39befb30355223860d14e6ca4422fdb81778df7\nPr\u00f3bka Cuckoo-843b85c493b8a9048b2ab73a9d1a8.cab - polecenie Microsoft Office.\nResearchers have decoded a new set of data on how to store data in a safe and easy-to-use digital format, as well as the results of a series of tests on the subject.",
"modified": "2024-10-14T20:36:07.924000",
"created": "2024-07-01T21:26:27.623000",
"tags": [
"no expiration",
"filehashsha256",
"hacktool",
"expiration",
"win32autokms no",
"filehashmd5",
"filehashsha1",
"virus",
"sha1",
"win32",
"trojan",
"ransom",
"pejzasz",
"vhash",
"imphash",
"ssdeep",
"hash",
"skrt",
"y pkmsauto",
"crlf",
"dodaj",
"hostsettings",
"v wczono",
"t regdword",
"powershell",
"nowy",
"pe32",
"intel",
"ms windows",
"nazwa typ",
"md5 nazwa",
"procesu",
"vs2013",
"rticon neutral",
"compiler",
"submission",
"file version",
"chi2",
"contained",
"authentihash",
"pehash",
"uacme akagi",
"cobalt strike",
"detects",
"roth",
"sliver stagers",
"highvol",
"detects imphash",
"zero",
"virustotal",
"detection rule",
"license",
"arnim rupp",
"whasz",
"github",
"postpuj zgodnie",
"przegld",
"danie id",
"github og",
"url https",
"error",
"toast",
"clientrender",
"date",
"promise",
"65536",
"client env",
"alloy",
"rangeerror",
"staff",
"upx dump",
"security",
"license v2",
"e8 ff",
"fc ff",
"ff ff",
"e8 f7",
"c3 e8",
"e8 db",
"f0 c9",
"c8 ff",
"c9 c3",
"c4 a8",
"a7 ff",
"f1 e8",
"ec c7",
"f0 c0",
"c1 e9",
"ec e8",
"ff e8",
"a3 a4",
"db e2",
"b0 e9",
"e8 ba",
"b9 f3",
"e4 f8",
"ff e9",
"eb ed",
"b6 b3",
"b6 bb",
"c8 f7",
"c6 a8",
"f6 c1",
"b0 d7",
"df e0",
"c4 f0",
"fc e8",
"cf e5",
"f8 ff",
"f7 ff",
"cc cc",
"c3 b8",
"b9 ff",
"ff f3",
"ab aa",
"f7 f9",
"b8 c7",
"be ad",
"ef be",
"ad de",
"e9 cd",
"c4 f4",
"fe ff",
"d1 fa",
"fa fc",
"f3 a6",
"fb ff",
"fc c6",
"fc eb",
"e8 ed",
"fb d1",
"b6 f8",
"c7 c7",
"ec d0",
"b6 d2",
"ff e1",
"c0 ac",
"c1 e3",
"c3 aa",
"c2 c1",
"d3 f7",
"fc c7",
"win32 cabinet",
"selfextractor",
"pecompact",
"yarahub",
"yara",
"repository",
"hub",
"repo",
"malware_onenote_delivery_jan23",
"yara rule",
"team",
"sifalconteam",
"yarahub entry",
"rule details",
"malpedia family",
"rule matching",
"content copy",
"download rule",
"malware",
"cc by",
"vbscript",
"sub autoopen",
"getobject",
"batch"
],
"references": [
"https://github.githubassets.com/assets/ui_packages_react-core_create-browser-history_ts-ui_packages_safe-storage_safe-storage_ts-ui_-682c2c-2c0ad573fa49.js",
"https://yaraify.abuse.ch/yarahub/rule/MALWARE_OneNote_Delivery_Jan23"
],
"public": 1,
"adversary": "rule MALWARE_OneNote_Delivery_Jan23 { meta: author = \"SECUINFRA Falcon Team (@SI_FalconTeam)\" descri",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 361,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Arek-BTC",
"id": "212764",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 14732,
"FileHash-MD5": 4316,
"FileHash-SHA1": 3405,
"YARA": 181,
"URL": 4793,
"domain": 1717,
"hostname": 4354,
"IPv4": 107,
"IPv6": 845,
"email": 26,
"CVE": 13,
"FilePath": 1
},
"indicator_count": 34490,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 144,
"modified_text": "552 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "66787d5a6185154041c0a9fd",
"name": "Copy of getting files onto OTX - Windows system32 sha256 dump (filtered)",
"description": "",
"modified": "2024-06-27T23:29:05.404000",
"created": "2024-06-23T19:54:02.296000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": "667879806fcf703f9b4b99de",
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "skocherhan",
"id": "249290",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 6,
"FileHash-SHA256": 865,
"domain": 39,
"hostname": 3
},
"indicator_count": 913,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 180,
"modified_text": "661 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "667879806fcf703f9b4b99de",
"name": "My workaround to getting files onto OTX - Windows system32 sha256 dump",
"description": "I have been trying to create a pulse in regards to multiple files failing integrity checks as well as invalid signatures, some with no signatures, and unconfirmed IoC's pertaining to APT28. This is just to get the hashes and files names into the community. What i was having to do is use vt-cli on Linux to upload the files (which I'm still doing on due to API quota restrictions) and then just calculating the sha256's of the files directly, and then copy and pasting them into the create page. Take it as you will. Stay tuned.",
"modified": "2024-06-23T19:37:36.619000",
"created": "2024-06-23T19:37:36.619000",
"tags": [
"dev56a0",
"subsys3937",
"deva780",
"subsysd000",
"management",
"task",
"clientad rms",
"policy template",
"refresh",
"scan",
"defender",
"loader"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 6,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Merkd1904",
"id": "196517",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 19,
"FileHash-SHA256": 15578,
"domain": 228,
"hostname": 23
},
"indicator_count": 15848,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 79,
"modified_text": "665 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "653d93d7558363942a332cd9",
"name": "CVE-2023-43694",
"description": "",
"modified": "2023-11-27T23:02:02.229000",
"created": "2023-10-28T23:05:59.680000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 18,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "ellenmmm",
"id": "233693",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"CVE": 2,
"URL": 775,
"FileHash-SHA1": 549,
"domain": 453,
"hostname": 292,
"email": 5,
"FileHash-SHA256": 2610,
"FileHash-MD5": 586
},
"indicator_count": 5272,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 83,
"modified_text": "874 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
}
],
"references": [
"",
"https://vtbehaviour.commondatastorage.googleapis.com/930fd5e980c675c0eeb55d1c3c4b462dae4e9add472228ef9d9d3941d8603c48_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776243461&Signature=Dz1357rbtfS3ulmmu8c%2BhYCsFXq5j6Rkafb9W6C2Rp8K9C3NfbpUuCN1TORawK7%2BnEJXGNb7r2PQThu1hU64xqNTi6I7KNZcOwC5SHIDUgioEm6FoK%2F68BF%2Fj9tn3trLgKetrPx2zuy%2BP9gjqBMe5T2fAtNa%2FJi4uZYhdDQhKIZB1JmXDjEcFMhp6PLdPqEVVUh6nwevWaLhJ1z%2BPVhc9atSdnbwiXbJ7Cp%2BKrfR1xH8OQ",
"Yara: Detections ConventionEngine_Term_Users",
"https://www.justice.gov/opa/pr/departmen.t",
"AppleWebKit Christopher P. \u2018BUZZ\u2019 Ahmann interference",
"scnrscnr pulse is good. I\u2019m assuming they\u2019re targets.",
"pegasuspartners.followupboss.com",
"Query to a *.top domain - Likely Hostile\t192.168.122.95\t1.1.1.1\t\t\t\t SHOWING 1 TO 22 OF 22 ENTRIES HTTP Request Get 1 Post 2 Put 0 Delete 0 URL HOST PORT METHOD USER AGENT https://steamcommunity.com/profiles/76561199863199067\tsteamcommunity.com\t443\tGET\tN/A { \"src\": \"192.168.122.95\", \"sport\": 49227, \"dst\": \"23.59.52.127\", \"dport\":, \"protocol\": \"https\", \"method\": \"GET\", \"host\": \"steamcommunity.com\", \"uri\": \"/profiles/76561199863199067\", \"status\": 200, \"request\": \"GET /profiles/7656119986319",
"(KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 Content-Length: 30038 Host: accsrf.top",
"TAGS: ilwysowa text informative intel mac ip address ip check ipv4 ipv4 add is__elf jamie oliver json khtml launcher learn leve blu linux x8664 live live screenshot local logs look m. brian sabey macintosh malware medium melvin sabey meta mitre att mobile ms windows mtb dec mtb yara name servers name tactics network traffic new browser next associated next yara niggercat none file null object os x outbound passive dns path pattern match pink screen port possible prefetch8 present dec present feb present jan",
"http://foundry.tartarynova.com phishing \u2022 https://foundry.tartarynova.com \u2022 foundry.tartarynova.com",
"https://aplikacja.ceidg.gov.pl/CEIDG/CEIDG.Public.UI/SearchDetails.aspx?Id=f3ee4c4e-e009-4d69-82da-eef3bad1ecc4",
"Antivirus Detections: Trojan:Win32/Dorv.A",
"127.0.0.1 Private IP Address \u2022 http://facebook.com/iWebTechnologies",
"Alerts: network_icmp infostealer_browser recon_fingerprint infostealer_ftp network_smtp",
"Domains Contacted:Wealthy2019.com.strangled.net \u2022 wealth.warzonedns.com\t \u2022 wealthyme.ddns.net",
"x-amzn-trace-id Root=1-69df501d-7e46547e623628d85631dc6b;Parent=0bf4ea1fded328b1;Sampled=0;Lineage=1:6afe1924:0",
"https://fs25.mygamesteam.com/download/underground-parking/",
"Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.",
"http://www.internationalfrontier.com",
"TAGS: as29278 deninet as29728 cottage as47325 ascii text asn as29278 asn as29728 asn13335",
"Luxury Apartments and Townhome communities do use Foundry Palantir",
"https://vtbehaviour.commondatastorage.googleapis.com/01f09136cb86f25635f91144946847d58c559228d50d9b84b0c021d4091b840b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775373052&Signature=U7haY6XsgyJ83G1vAOPLrLLS%2BaMP9xAKOlnzSb4I9clIBLt9Y8xzP4qjfBxbeUfdF6s%2B6dtg4dXzqTjrAYSC3XOTEEtHZeK4ePz5qfS9n%2FWNrOKQb30VBhfUNL5DYUCd3XSOPjIVlbRz9ylDpwApfVK2AMarGiLLlnKRDv7M0S63SkQx8eWyabXd2afPPy96ZGNZVZfOhw5llZiztL6mYo%2BVivlyFsDcodH9F4XrS%2FPsSLeJRx5d",
"http://www.wojcieszyce.pl/",
"Crypt3.BXVC IDS: Possible Kelihos Infection Executable Download With Malformed Header",
"apple4you.it \u2022 https://www.apple4you.it/ \u2022 cpcalendars.apple4you.it \u2022 ftp.apple4you.it \u2022",
"As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)",
"Win32/Lumma Stealer Related CnC Domain in DNS Lookup (comkxjs .xyz) (unurew .xyz) (trsuv .xyz)",
"https://vtbehaviour.commondatastorage.googleapis.com/5db6524a52780ba7a4bd05e5faa20cbb7159f1c503394d850b5e95442357fb38_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776230974&Signature=zYx3MmXFQoBT4EG2nvG5OZiyNhwKxbZzjL6%2BNZgR4Vz%2FdHSEDvbVaSpxmWXWVYIvSYVfBhn1WxEelG4wi1yRrrS7CXwxSbXtv1E6hBhtT8u%2F%2Fj%2F4eRs2Jtulv5WvBY99pZ53qx9cvc8vV%2FgELVw%2Fy%2Bjat%2BN72%2BtX0XBhiiOt%2BtpVFkjl12ns9sbW6xNwzsrENkL5xhuctZ7TX2AX188SrJb9s5VM0wK7F8",
"target.id \u2022 tostring.call \u2022 title.search",
"https://hybrid-analysis.com/sample/2f05feed2065b7385b156ebf3a7c6c19def3d412227cee0d46e8a53fb3e9ac41/697bc423b6e7a4dc46010737",
"http://ftp.apple4you.it \u2022 http://www.apple4you.it/ \u2022https://cpcalendars.apple4you.it \u2022",
"guidepaparazzisurface.com",
"accenture.cn",
"http://a.nigger.cat/ovefvy.html \u2022 http://a.nigger.cat/snkikb.rar \u2022 http://a.nigger.cat/unipms.exe",
"Crypt3.BXVC IDS: Executable Download from dotted-quad Host",
"https://vtbehaviour.commondatastorage.googleapis.com/37f12bc75b877cf1823020f35dfc55ecde4dd992020b7059b13cbc2a59a1602b_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776233810&Signature=RD85gBCBa6ClHHnNqywd6%2FYlQHrUais%2BuABeaQrUngJuiQTTEyzmUagxx2k2VZ0tgbmEb%2Fdh9lTTFZXkRC4cQ18iE4OIl6IKM5Yzxmd8vDT6dmCvEzCiRUxmplXzVUHTJFz1dNIy0zvMDzEuAWEpKf2wo823yU%2F4PaxOceMkJ%2Ftq5Jehb6pUn6ILf%2B5FOEGJpxjXrbtWS%2BT%2BA5ScNml2cc8140P9mQ%2BmMx2EAW",
"https://tylerjoycedenver.followupboss.com/unsubscribe/T6pEHkEaLZAN5Jxflvspix0zKbJZwfY9pjBpUTk7q06azxItZ7aiRb7brQhy1NNFqrcrUe4cKmI455MBqcwK9_it6dqx6QWdANshp0om1Bv-5ezKkyVJDphCHvPQNvMupI1owe03rtqYAyu8Cj3cWw~~",
"Start at https://www.irs.gov/ redirected to 2fsa.www4.irs.gov (connection error) irs.gov (active) Positive for all Malware",
"https://vtbehaviour.commondatastorage.googleapis.com/a77a417f32cbded88f0d4e3663963a8965e72a25398acc329d907143e4ac3b23_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776228071&Signature=k4OPGTTS9fpKAbpLbTCobvi0%2BEjGbp7VcWYSCEp1TvQjpVcQtED0S8jcuTQ0McsWiP%2B6aw%2Fx98DNyVWEyPW4Tk8SxeBRXHcp0LXtwZJGGgR6Bg22qNhLkdLO31x8icluFzt4jqqp9hvJBXQodGoJWmlyxa3b9mS%2BeqUdi0ui3etDt%2Fhqv5QEOSCDX7bljWWmxRJa%2BZfAYDazGaCIGSQoltS%2BeMihl5SLMi%2B%2BjYP6%2BKTvM9xwUC",
"TAGS: samples high host hover httpsupgrades hu note hu seen hungary hungary asn hybrid ids detections",
"https://vtbehaviour.commondatastorage.googleapis.com/7605fa9aeaae25656c40a553534d35418cca40dc48023d0b3237b402361c6816_Dr.Web%20vxCube.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775373200&Signature=uMO8ESBCpu0oIIRS0CToWTN9KlOHyq4uWjWMjfdcUCGyliW%2FSy8KDIg6OMWLUQ6SBC45Jm0Mr%2FNV6m74hTSnpmGdVf6k6mA3QrTQwUMaMk2QbBLU1IwUG8wvylr6KXEqQYYCkZksYiZEyNm%2B2hKNvWtKFc%2BZlL7M12RBSER84%2FDRQlJnK6qbDW3DYX1tPsXxTynGj5YxQDlUqfWU8CjZtSAfUK%2Bw%2FoybwyMsJc68%2B01HQ",
"Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess",
"Attacker being used by several legal entities attacking a target\u2019s family",
"https://aplikacja.ceidg.gov.pl/CEIDG/CEIDG.Public.UI/SearchDetails.aspx?Id=35146f05-9aac-4942-a42d-f2550a19c0c4",
"TAGS. redirect refresh related tags remoteIPAddress resource restart reverse dns route runner",
"https://vtbehaviour.commondatastorage.googleapis.com/b0b9aa9f245afb8f001e1d0c3be360fac8128469e52b5242115a7ff6e6c04978_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229360&Signature=mH4LFzdNbM%2FrTWl5A1VAc7ojWzYacRphus9okWr%2BvKUFUyk6TK8Pas4WKG1FcvFR2wwpkpjhE0AE0viuh35qs9qrKBS2fIH14W17FlfmoSXYlBcSDESzTv%2FVzT%2F0Apeil6p9N3Fux7xxH6ZuNyB%2B4%2FPrsSOrCfOkh4oSRipPAOPTUdPYpQTe0rA1LiyBADnpOeEOc4sEeKoTGaMgqmSXd6sFNnsjxsspmJ6p%2F0NL9s",
"Uses code, no phone calls. Connected via instagram.",
"https://api.manus.im/api/oauth2_callback/apple",
"http://a.nigger.cat/ltbexb.jpg \u2022 http://a.nigger.cat/ocnxdv.exe \u2022 http://a.nigger.cat/ocnxdv.exe/",
"https://cpcontacts.apple4you.it",
"marriott-datacenter-prd.accenture.cn",
"https://aninditaannisa.blogspot.com/2019/02/tsara-brashears-porn.html \u2022 blogspot.com \u2022 www.techcult.com/judge-the-simpsons-parody-is-child-pornography/ Whitelisted domain techcult.com\t Domain blogspot.com Whitelisted domain blogspot.com\t Domain techcult.com Whitelisted domain techcult.com\t Hostname aninditaannisa.blogspot.com \u2022 domain blogspot.com",
"Yara: ConventionEngine_Anomaly_MultiPDB_Double , ConventionEngine_Term_Documents",
"https://www.facebook.com/groups/378607181955796/posts/773093455840498/?hpir=1&http_ref=eyJ0cyI6MTc2OTk2MDkxOTAwMCwiciI6IiJ9",
"Alerts: mouse_movement_detect dead_connect enumerates_running_processes process_needed",
"Crypt3.BXVC IDS: Suspicious double Server Header",
"http://pitprojekt.pl",
"TAGS: json khtml launcher learn leve blu linux x8664 live live screenshot local logs look m. brian sabey",
"TAGS: yara niggercat none file null object os x outbound passive dns path pattern match",
"ELF:DDoS-S\\ [Trj] , Unix.Trojan.Gafgyt-6981154-0 , DDoS:Linux/Gafgyt.YA!MTB",
"Alerts: infostealer_browser infostealer_cookies binary_yara procmem_yara static_pe_anomaly",
"Alerts: dynamic_function_loading reads_memory_remote_process packer_entropy network_http",
"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Safari/537.36",
"162.159.128.233 \u2022 http://tsar.vicly.org \u2022 https://tsar.vicly.org \u2022 tsar.vicly.org \u2022 vicly.org \u2022 https://tsar.vicly.org/",
"TAGS: macintosh malware medium melvin sabey meta mitre att mobile ms windows mtb dec",
"https://vtbehaviour.commondatastorage.googleapis.com/a77a417f32cbded88f0d4e3663963a8965e72a25398acc329d907143e4ac3b23_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776230863&Signature=MAUJlRZPDmQ8L%2FN5a%2F5%2FFKR6Avr46BE%2BopAgWZomEP4ZjskOPFdqUdHqNnWlGWBv%2FQh4X7Z7p3aft1KWZdvUXnSZMerAL7Kuh%2BCK%2BLXLSALQZ9DL6ZpXdOktgaTxL6heoTmcz%2FvpOVmsFn%2FgbzxQjLZ9GliY9AQE1C3VJAZmqdMbG1Y%2FIpByCKcEokrgAN%2B7XhJGE94VD8A4luLzKvlyVYuqoFv6raDRdQMFBOXOJCXkyjJk",
"No phones or circuit board tech. Smart watches.You can\u2019t bring large bottles of hygiene products. Deal with a new reality!",
"https://www.virustotal.com/gui/search/entity%253Afile%2520tag%253Apdf",
"TAGS: flag gecko general general full general info generator geo hungary guard hackers hash hide",
"http://remote.edikamin.com/",
"Domains Contacted: whatismyipaddress.com whatismyip.everdot.org www.facebook.com",
"I would post his public information. It may be unwise.",
"Crypt3.BXVC IDS: Executable Retrieved With Minimal HTTP",
"Win.Exploit.Rozena {FileHash-SHA256 21fb4fdce85ab75430e18d9362a35f61dcaeb628c28836403472c054d6ceab8c}",
"IDS Detections: Observed Discord Domain (discordapp .com in TLS SNI) Observed Discord Service Domain (discord .com) in TLS SNI Less",
"IDS Detections: Win32/Pykspa.C Public IP Check IP Check Domain (whatismyip in HTTP Host)",
"nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229700&Signature=bWnonefGUZtYeK3iLEK3l6B1K8s5LAANJsHqgu2f0adNPoq5aO1WnMIFL001ZRPLhg3zHdzVWEliZbOKd464xRNceJ7qnwM2u%2BoTUWVsdG7sWp8m3KT9cy98h7ihyVxEJudR7SVtw3hFHyjnbgFd8um7IWE3l2SqVOMKxir6agkJHMAg85Uq%2B29m%2Fxor5i2T2eJagX5555p5VHGXCleUwHe47ThbWegYdvCtAeZOtTKyRSdkhAYjfh3BJ1x2dWJ2",
"Quasi Government: Specifically Pinnacol and Commerce & Industry ( AIG)",
"Foundry Palantir still has a presence in Colorado",
"nigger.cat \u2022 http://a.nigger.cat/ \u2022 http://a.nigger.cat/imrred.exe \u2022 http://a.nigger.cat/iwzptk.pdf \u2022",
"www.techcult.com",
"You have to go through a series of steps to change themes and wallpapers , including powering off TV",
"TAGS: add dynamicloader ecdsa echobot echobot related encrypt entries error evasion att",
"https://sa.josht.ca\t\u2022 https://sa.josht.ca/ \u2022 https://staging.josht.ca/\t\u2022 https://test.josht.ca/",
"tor.sebastianhahn.net \u2022 dap.digitalgov.gov \u2022 fbi.gov \u2022 x.com \u2022 sebastianhahn.net",
"https://vtbehaviour.commondatastorage.googleapis.com/000007781f616194758c52c551ab2f198970675c9218eab9f1e4470f0a696e71_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775373373&Signature=mjvxt7z8ajbHZY%2BdL0G02pE7trUx7SkineLNrDSnq8FxmEuCuDdnNDWKdPawPb4w2NnK5HFkV3BAdTJrRNBxBceLP%2FevhdkmR4C%2BiZZ8pz9GBeqwl0l6oJMBga2ZHfKcA%2BxqQgP5r1zzN%2BZPMH0zxPdHYZA2WlzkfzPBDQcTEDdz8aTIaX%2BOP5JUo4gYjqxxxrdBLVGv0i54PedBqgFw5IRrPpdH%2FwlQGTLKQ%2BSjslq2d0",
"Hostname admin.test-aws-responsible-oyster-8905-us-east-1.space.dev.a0core.net",
"https://creative.miqdigital.com/.well-known/apple-app-site-association",
"https://trail.truefoundry.com/api/track/open/usr_NEDuPPvnqv5DXyhti/tsk_X2YECqnpAow7t6JuE",
"Denver Justice System. Palantir allegedly moved potato Headquarters to Miami",
"TAGS: sample analysis se domains search security quic add source level span spawns spy",
"https://trail.truefoundry.com/api/track/open/usr_NEDuPPvnqv5DXyhti/tsk_L9bYYgL2HGng9mDsC",
"http://www.internationalfrontier.com/i/pdf/Montana-Presentation-2011.pdf",
"Crypt3.BXVC IDS: Fun Web Products Spyware User-Agent (FunWebProducts)",
"A man claiming to have the name Sebastian is communicating with targets love one",
"https://hybrid-analysis.com/sample/c8e97fd85003de128ef716093cc1ec68f676c737b614f4a55c75c5c0f837de70/69a19551cb5537805706bca9",
"Domains Contacted: www.whatismyip.com www.showmyipaddress.com www.whatismyip.ca",
"https://hybrid-analysis.com/sample/01a1a2106bcddc591cab08d31c13966bd0413fe312bce9be396e964e114631a6/697f8c04475b90e7fb0d7ff9",
"Clyde &Co | Chris Ahmann | Brian Sabey /Hall & Evans & Hall Render",
"http://a.nigger.cat/ypphgg.exe \u2022 http://u.nigger.cat/ \u2022 https://a.nigger.cat/",
"Alerts: network_bind persistence_autorun binary_yara procmem_yara suricata_alert",
"FBI files opened up on a targeted phone, Iunseel, only in search history.",
"Verification failure observed in automated verification handlers during sandbox replay.",
"https://vtbehaviour.commondatastorage.googleapis.com/000bdbb9556e3474630b36d57190d5dae719886a6cdecf824af6a456243ebf88_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775372160&Signature=wARiO6wRTZGhS9vOpI%2BvoWxpe55%2BBlHjfTVS2m1fsb3%2FyiqXoI5x8uRNh6fj6Qp6DpePIZAM2MHvDzi%2B5TT6VWKI4zyyc%2BeVp9gihB0djBnCJr%2BKCB18kdFNBE%2BicOTMmx5aJ1hSjWQcOBYm9PMkZ6%2BhLzxX3gxTMneBKGhh0ckFJRTRfM2gKMfEPrOQ6aVgfkTWJUR9FQYz5g2qKGSDh1CCNlEzXhO33BEPI9fN",
"http://www.a.nigger.cat/ocnxdv.exe \u2022 https://a.nigger.cat/pwzbrt.txt",
"Unix.Dropper.Mirai-7135925-0 , DDoS:Linux/Gafgyt.YA!MTB Yara Detections is__elf , ECHOBOT",
"https://pegasuspartners.followupboss.com/unsubscribe/eh-MhVRQnJl0_bAFwnKkNcLhcpKKkFNZoZGVdqXUj3YdKSnKqAu_ZtK_m2bfbflpBDP5tU_QK4_N_bD0zVR_qs69dqt0K9vHSjNpk4p_WlGOHiyG5drGp98yBthkeHFIf3TXQbQPk8UzVtbZUILxzg~~ No Expiration\t0",
"lm-gateway.truefoundry.com \u2022 https://assets.production.truefoundry.com/sample-openapi.json",
"IDS Detections: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)",
"Tipped of new looming airline threats",
"http://pic.porn.hub-accessories.site \u2022 https://pic.porn.hub-accessories.site \u2022 pic.porn.hub-accessories.site",
"Alerts : ransomware_file_modifications stealth_file procmem_yara static_pe_anomaly",
"http://truefoundry.prodigaltech.com/",
"Denver, US 80211 http://library.verizon.onereach.ai",
"https://vtbehaviour.commondatastorage.googleapis.com/000c8c89cace706e71df3b230abb53b0891757e08e1d10013ba76d98a3b08622_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776231935&Signature=wI0FB9EBFXXgWFo0thv9T11BAEOIJxW%2BSMCRUhCv8%2FEaaWaZhr975NH1qjEeFwIgm3cWdqm8KhXTxkbqGddaPoKiIoe59pX4ZVhr0LmnSTGFTFkLVGsGIajJCSutHgqOs6kW5KtDpyC67KxlAF1IA858Tz7eOXxYk3JYsf5g9iC%2BhkfqrDGGucK%2BDxtYZbIvDRb3QxLpD2qtF4NVPFoO38H3aJon0pykwGkrRNU0Pae%2F5YyJjl6m",
"simswap.in (possible Mirai or relationship to)",
"https://github.githubassets.com/assets/ui_packages_react-core_create-browser-history_ts-ui_packages_safe-storage_safe-storage_ts-ui_-682c2c-2c0ad573fa49.js",
"TAGS: expiration date explorer extraction facebook facebook failed february filehash files files ip",
"9e8c2f9e77b4b6a7538e4136d3bda379c560dc1a5931643da119da2f28881e4d\tELF:DDoS-S\\ [Trj]\t\tUnix.Trojan.Gafgyt-6981154-0\tDDoS:Linux/Gafgyt.YA!MTB",
"Accurately tipped about air travel safety. In past. Proven true.",
"http://aplikacja.ceidg.gov.pl/CEIDG/CEIDG.Public.UI/SearchDetails.aspx?Id=7a025cc6-5167-43cf-947f-387a3b830778",
"https://vtbehaviour.commondatastorage.googleapis.com/b0b9aa9f245afb8f001e1d0c3be360fac8128469e52b5242115a7ff6e6c04978_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229294&Signature=OdVBHVnXq3aV47RlsO8ckBUvhV7Kn9b%2F4xcw6rkjRGl101K0lV0KpQpJFnEJ2JNjbsHO7vdMuiA2nR7aFNAx3pK6oJ2uEM5B%2F1BElXy3wNiL6OMqOj6VDv1lBLizeW3yvJG2V6sF%2By0mIhjiIDTOWyndGkDQoxymSgXyRoelmqrYH09k2E5CRoipEjdu2HUz6DgB0hePe4bG7h%2FBmerbDws5a3iwYrIjxjcFH06RSyYEapwLeYDZLUN8zzbnyg",
"ET Trojan \u2022 https://otx.alienvault.com/indicator/file/43dbcee5aee3caab830ac840737bb591cfa99ae81f1280aeb38ad73ad9c317af",
"TAGS: detection detections detections name development att direct dirty dns resolutions domain",
"Yara Detections: is__elf , ECHOBOT",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229983&Signature=pjZPJEd79tkxjTOXjGMHb4Ed29a3OnC2MaGvoEp2E%2BtUNlKu%2BjXXLzR8Y%2FZlOZH1iQYAVjw%2BGSPneb4wnbT1VPNraQ3Xf5M6aAPdM6%2FksMddUDZcLVnFuSdgwU93ADeZobmWXc%2BJH1%2FguUu9OPzHo0G%2BgRmTNqH9qd3UF67OJAc5REJ07uMtzQuuBx6rXGruAKZEVmDJkBSj%2BYeGTwZmIa5rki62YowEiVDCcQ",
"http://chaturbate.com/notabottom/\t\u2022 http://chaturbate.com/notabottom/\\",
"Alerts: persistence_autorun sniffer_winpcap network_bind antivirus_virustotal network_http",
"Project Cicada: verizon.pr1414.my.nonprod-asurion53.com",
"I\u2019m not sure what brings man to from NY to Denver today. I consider him malicious",
"Sound crazy. We know Palantir commits ALL manner of crime. They are money motivated.",
"TAGS: mtb yara name servers name tactics network traffic new browser next associated next",
"https://vtbehaviour.commondatastorage.googleapis.com/db9d8c125c0e5a440719875d01365c7c5423bcc8df55e54cb228ac2aa30bc969_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776235167&Signature=c%2F4wKBu3gsuZInxjqfgg8MbdYRlJ5EYYEV%2Fkl1g3Nx%2Fp%2B7lCYKGrilDgDTTqlooVjs8pyDi58Yi2SSs40L5JzExM18zVXhiUs1SYZNyy3OWKiAZ5QMH69N8R8XHmOd2L6lwfLVy9x%2F%2Fu29ji02gGj0W7eFht2uGb3Hnhegtt%2BNxNhOOCcD8LDnTvh%2Fhm9RYmW40LG5q238yRggg3TFrumeG2RHO9czdiobkRrsAD8eIohj",
"iPhone Spyware - https://bam.nr-data.net/1/6f524845d1?a=24279235&v=1169.7b094c0&to=MwYEbUdYXxJQWhULDApMIExbWkUIXldOAQsFF0hPXFxGEgtrDg0OMgoDThteVBU%3D&rst=6546&ck=1&ref=https://chaturbate.com/notabottom/&ap=123&fe=4218&dc=4218&af=err",
"https://www.wojcieszyce.pl/",
"adsparkahz.shop \u2022 https://adsparkahz.shop/ \u2022 parkedbits.com",
"IDS Detections: Win32/Lumma Stealer Related \u2022 CnC Domain in DNS Lookup (pacwpw .xyz)",
"Yara: Detections Delphi",
"Connects to all NEW targets key contacts main targets contacts.",
"Foundry stalking.",
"SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.",
"https://parkedbits.com \u2022 spiritzuridgerunelahubcloudgusparkx.rest",
"c.j.location.host \u2022 videodata.video \u2022 referrer.search",
"Significant? The screen once had a floral theme. Now a black background with a single fish as Wallpaper .",
"https://wojcieszyce.pl/",
"Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.",
"IP\u2019s Contacted: 77.76.39.110 104.156.155.94 77.77.13.89 78.61.87.173 78.63.104.75",
"https://hybrid-analysis.com/sample/430c376c1754f1f160e3d68bafc970eba37811bdb08d73a86bf6f4be1e7267b3/69a1ea603a3303fa120dad19",
"Win32/Lumma Stealer Related CnC Domain in DNS Lookup (sqgzl .xyz) (cexpxg .xyz) (cexpxg .xyz) (urarfx .xyz)",
"https://vtbehaviour.commondatastorage.googleapis.com/539dc26a14b6277e87348594ab7d6e932d16aabb18612d77f29fe421a9f1d46a_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775372560&Signature=tXBHkUCyFp7E2Um%2FMUvRPbUvaQmYPeBV7KGbi%2Bssa%2FkYQyqgH4u8fy6h0A8bVbsyQMMPf2EEF2JkzkiD6SXcfLADGdVqHYQya%2F6s2Ox5QnOFkJSATlDdXCWVp%2F4wHxZHInIRcrBPZFjjYFQM0u7VYCEMtkMCS0pzld2nGLlcOuOXBFxGTQPy0A03dikBC4Yw4f%2BdiMLMxO0hxZSo9FxPq1ylB4gs57NBBniylVO4Qi%2BLzleU5",
"Crypt3.BXVC IDS: Win32/Kelihos.F Checkin",
"https://hybrid-analysis.com/sample/3aaca21b3918eecd127867bdd724611398cf897a0686fedfde1d424b7ad6130a",
"TAGS: trojan trojandropper trojanspy united unknown unknown aaaa unknown ns updater",
"https://vtbehaviour.commondatastorage.googleapis.com/a77a417f32cbded88f0d4e3663963a8965e72a25398acc329d907143e4ac3b23_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776228177&Signature=MeuwZPsdr0gtQe0sk4q%2F4CUZfcMW69%2BxIGhrTaYMPXdTjl9aWJE5615NjAm4MvLR4DtSbJ7cc1BFbk7BVmjJn8nL41YfGq%2BBf5gZPn0%2FQV9ktpUtUMF9Lv0QkTRTFvsf0jeKYeC2md5imom9AjEbo5ewSdFcbMP503mxuC0pdhpq7S49aLwME4HDzuoSSRnwj%2BlEmfp5egLduihMAZHjBHMzBdPMJAufJFlU8IQZClMZlgiQVG7EB%2Fv1e6",
"TAGS: data upload date date hash ddos dead connection default defense evasion delphi destination",
"marriott-control-prd.accenture.cn",
"Antivirus Detections: Win.Malware.Pits-10035540-0",
"https://p2d.josht.ca/api/depots/info/?depot= \u2022 https://p2d.josht",
"Examining pulse created by scnrscnr is worth reviewing. I was surprised tonal see a targets name.I didn\u2019t see Foundry highlighted",
"Alerts: pe_compile_timestomping antiav_detectfile antidebug_guardpages encrypted_ioc",
"Alerts: mouse_movement_detect",
"http://spiritzuridgerunelahubcloudgusparkx.rest/",
"DYNAMIC_DNS Query to a *.strangled .net Domain\t192.168.122.91\t1.1.1.1 \u2022 DNS Query to DynDNS Domain *.ddns .net",
"https://ftp.apple4you.it \u2022 http://cpcalendars.apple4you.it \u2022 http://cpcontacts.apple4you.it \u2022",
"TAGS: christopher p christopher p. \u2018buzz\u2019 ahmann ck id ck matrix ck techniques clare click cloud",
"Yara : UPX , Nrv2x , UPX_OEP_place , UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , UPXv20MarkusLaszloReiser",
"https://vtbehaviour.commondatastorage.googleapis.com/b0b9aa9f245afb8f001e1d0c3be360fac8128469e52b5242115a7ff6e6c04978_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229341&Signature=FsDJqLFCpjpHyHkGAAeaeZJ0FuHsnHPW6OqfNr9%2FNQIMbW7S%2BpRdtBt0QC6eD2wVbJ0w0mn5Yh0umB2%2B4oj4WMpC%2Bbrabv85VtOz%2F7vZpXZYD00Eey8BoejnKjQXMEvwQelKFGpAKX9nv%2FzwiCOS22Yks44WKHJ9A32A8UatUxBJensQPOqvN6AxKy8xxjxFGM3cZm0F86LlAfualBwN7iwbWFmc4eGjmYxY6luyqTxxyh58Vh",
"https://vtbehaviour.commondatastorage.googleapis.com/7605fa9aeaae25656c40a553534d35418cca40dc48023d0b3237b402361c6816_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775373283&Signature=KIPnPqQCcifTzuRS43FhFyzCXei0rDK20JuVvXA3UkB%2Bj6R1a4SAH2sn%2BJO1ohLSxLswzbryMf81lr4eGQCMbr3Wwfwo7kHN1yHV4M187cNxRZlbZ4%2BzOZZgfWt3bJNLx2Z4%2B4aqarco7OzqkhcQizlq8frRttJQjcLcNxgWD3oV2QDxZxurniW%2BhRRUS%2Bv9uGXWIRhWYmbEA%2BaoQsvpX0AIeSUCn4qb%2Fh31hJe7JitkCE",
"IRS.GOV - Crypt3.BXVC ET Inject2.BIVE Win.Keylogger.Qbot-9987768-0 Win.Trojan.Qakbot-9988002-1 Win32:BotX-gen\\ [Trj]",
"By remote view of NEW targeys view, all key calls are routed through him.",
"TAGS: av detections av exploit belgium belgium unknown binbusybox bits body canada unknown",
"http://www.crazyfrost.com\t\u2022 http://www.crazyfrost",
"2022ww11.pornhubgsy.com \u2022 http://scteamcommunity.com/4k-high-res-porn-videos/squirt",
"TAGS: pyspark python python initiated quic ransom recipes record value redacted for",
"Targets associated warned. Not very open to advice.",
"TAGS: upnproxy url analysis url https url text urls verified verify veryhigh victim network vubbuv win32 win64 windows windows nt windows server worm write write c yara detections yara rule",
"http://flat.trafficadvance.net/AccessMySOL.IVRMobileEntra?D=10927&C=7&MP=41%7C",
"Observed DNS Query to a *.warzonedns .com domain - Likely Hostile\t192.168.122.91\t1.1.1.1",
"https://aplikacja.ceidg.gov.pl/CEIDG/GroupMenu.aspx?key=_group_search",
"Alerts: disables_folder_options stealth_hidden_extension stealth_hiddenreg anomalous_deletefile",
"https://www.redporn.video/tsara-brashears-slandered-.htm \u2022 www.redporn.video \u2022 http://www.redporn",
"https://vtbehaviour.commondatastorage.googleapis.com/14116af49a976b71f7ddd760161a1d50328baa280ac2c9a1f9f3a8996a3929b6_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775372327&Signature=bhG0zZxkKhoz9temkLENxZsdN9KeMsxW4nt2II1lmaPLEGAhNM4EmX5e7z1UM9LLsnqrvuZBhQs7ZnBuwSpY5T8iiKIu2%2FfZ83pX1Tw8s%2Bn%2BfXlEl3jlhzXWewZ9i8ZlXd6YIeWETsAak1j93aNnJHB2IPoZn7VISupTj400x7E%2FSm0ilDz4zCCDAjz1eTp1N41HvmoviGQGwTSnjTW5oyBHDm8RglOnnNqcEsm6%2BkGBJToFomLsipvuVIz8",
"https://hybrid-analysis.com/sample/f6ccff8dec08334fab98d4f6cb9b2774acd00e98d1afabd219c2634d5b3e2147/697faa178cc598cfb90b0423",
"www.crazyfrost.com IPv4 104.21.5.49 IPv4 172.67.132.250",
"http://www.internationalfrontier.com/i/pdf/2017-04-03-IFR-2017.pdf",
"TAGS: ilwysowa text informative intel mac ip address ip check ipv4 ipv4 add is__elf jamie oliver",
"Crypt3.BXVC IDS: PE EXE or DLL Windows file download HTTP",
"Domains Contacted: fexexwjehud.org lxclombt.net jpnzlsaqogv.com esccuyigsy.org",
"Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)",
"iPhone Spyware - https://bam.nr-data.net/jserrors/ping/6f524845d1?a=24279235&v=1169.7b094c0&to=MwYEbUdYXxJQWhULDApMIExbWkUIXldOAQsFF0hPXFxGEgtrDg0OMgoDThteVBU%3D&rst=6546&ck=1&ref=https://chaturbate.com/notabottom/",
"http://scteamcommunity.com/4k-high-res-porn-videos/squirt phishing",
"https://vtbehaviour.commondatastorage.googleapis.com/003c70373fd8307426c9597ea691d0065e4b17fbeaea25155d3180d59d19aecd_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776235521&Signature=XyL%2BziErEMLdDGzpkOrsFWzF%2Bs8%2F%2BHa%2Ft1S5%2FfgkdYZVZNUoI9ouy4IwZLiV4Fi2woIHU9YMnGYvqC6u0SHx0R%2FTbBYsAWIRLcS0jXCiNEz33EKRDTLcQqaAqg1bgEzbagC8RvfUjg5sQp8chQSkn3nYGGovJ1W9KDWu39peg7l0wU95LMSY%2BtbjEdzA0ghSq8IG%2BBSGkETgfJdXrKjyTRw1x5DEwN%2BENKfa54%2FmxDHO7iP3",
"Nextron: Thank you for the YARA rules. Yara and LB, too.",
"eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.",
"search.roi.ros.gov.uk",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/07d20574d361258ee514f507936703dbea55db4a6d123602c0d2a67e9f14196d",
"https://tor.sebastianhahn.net \u2022 faui2k9.de\t \u2022 gitbot.faui2k9.de \u2022 tor-dirauth.sebastianhahn.net \u2022",
"Lumma Stealer https://t.me/pizdenka202020 / t.me",
"Air Safety: it\u2019s important to have passengers or hackers unable to communicate via airline networks /",
"Denver, US 80211 https://otx.alienvault.com/indicator/domain/onereach.ai",
"Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.",
"IDS Detections: Domain in DNS Lookup (whatismyipaddress .com) IP Check",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229786&Signature=xYXDEDJcly%2BwCTkFPUyrSr228UUue%2BCAjKBOxrc5lIwprWxivXrJrS40lCNF%2BKMLkA9i6z04spAOemhRUK66rLcdqghb9T%2FBO4LbtGMX%2B1PAsVhS%2BP4qygPXIHJ5%2B8wxoZW2tYaq0ZvgAT6JnxbkWd5C0zOxXk%2F9hT6Vp9O5ikL6ZfyZ6slwyrcaPf2dQp0s8qV47TDrYLbF3PtfUd7Gqo1FH%2BCeT2v3waoi7mEQ%2BR",
"git.spywarewatchdog.org",
"truefoundry.com \u2022 assets.production.truefoundry.com \u2022 cpt.llm-gateway.truefoundry.com",
"146.112.61.107 (146.112.48.0/20) AS 36692 ( CISCO UMBRELLA ) US",
"TAGS: pink screen port possible prefetch8 present program protocol h3 ptr record none push",
"http://wojcieszyce.pl/",
"https://otx.alienvault.com/pulse/5fa57698ac0f6638b7b9a8ba",
"IDS Detections: Observed Discord Domain (discord .com in TLS SNI)",
"https://trail.truefoundry.com/api/t/c/usr_NEDuPPvnqv5DXyhti/tsk_X2YECqnpAow7t6JuE/enc_U2FsdGVkX1_wWHRx9nPGCEspZpUcIwc1yphMTxaaQ2ZAbsxOqRR4ibXcaYtcmgJ1UgabTFCHVVBLx2oAnBAW2h8el_edjHN72Ug0yKQePjKnSJEOnQvtq8MUPo0vkU1N",
"https://vtbehaviour.commondatastorage.googleapis.com/39c58d0f868d4e8d1b959dce19d0bbcc57bb8b9b832f9efbe4e2244051237b95_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775373454&Signature=oXNg992chHQhOJxpI2XcWdFB%2FxJme1ol4iA4aOgaKWQcqa9WXsYlPcTANPmFkyrHIciosnksXEJrIAfFsjAYeEqG%2F7oPGCQLBILFHUhwZVcoJR9PgFwUsHBu%2FqiWSOifVPER4vpDL0gbsuNlU6gHT5aWRW%2BwoOwbHSIt5jj%2FJ3%2FxGDBAUaZrSuQurOM0Nb3qRhNN1NOTUj7mGTuUBXdtvnzCFLjxl3Kk6dYYFgmwhWI04P3JIB",
"IP\u2019s Contacted: 188.223.42.134 78.57.88.30 84.73.234.83 78.84.44.225 89.252.203.80",
"Crypt3.BXVC IDS: Possible Kelihos.F EXE Download Common Structure",
"yyz.llm-gateway.truefoundry.com \u2022 trail.truefoundry.com \u2022 sin.llm-gateway.truefoundry.com",
"Found in Alt YouTube = Titled \u2018watch\u2019 | Infected System uploads to YT",
"https://vtbehaviour.commondatastorage.googleapis.com/003c70373fd8307426c9597ea691d0065e4b17fbeaea25155d3180d59d19aecd_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776235484&Signature=hjxNiAS7V%2Bsk78jk2ksTamwBDr%2Bbip09k8w%2FY%2FkvqfB676c53pmH%2Fwa7Py9BXy9tIptTKWA5SsC3Zck6ghdFqW3CcffOr0qRIsUIFknMfbuE3oC4UsaSuLoa%2B54UO0%2FJMTN9B5Y1HSbWJqFkxVX1WVQ5ry5yt9yJUK3m0DTRx9bsJ%2FoCKT3ionJdg5tZcst941SNesx3DRgpuAQmN9UVlNpRNCEwutgqN8XoC4EnI5l6Nt",
"The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.",
"Tipped on hits and other savage plans to be executed against targets. Targets can be any (1) person.",
"MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.",
"calathea-containers.palantirfedstart.com \u2018 BYE ALREADY\u2019",
"SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).",
"internationalfrontier.com",
"TAGS: aaaa accept activity address adversaries aes128gcm ahmann all hostname all ipv4 as15169",
"Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.",
"Crypt3.BXVC IDS: DNS Query for Suspicious .co.cc Domain",
"Crypt3.BXVC IDS: Headers - Potential Second Stage Download",
"IDS Detections: Observed Discord Domain in DNS Lookup (discord .com) Discord Chat Service Domain in DNS Lookup (discord .com)",
"Lumma Stealer CNC {FILEHASH SHA256 bc9c5c8dfdcf0d2a321478207b0870274fba25b93075fc987768623237973646} t.me / Dropbox",
"IDS Detections: IP Check Domain (showmyipaddress .com in HTTP Host) External IP Lookup",
"https://yaraify.abuse.ch/yarahub/rule/MALWARE_OneNote_Delivery_Jan23",
"https://vtbehaviour.commondatastorage.googleapis.com/0ab7fad77871a45137c9f2e40e3cbf47e3d71315f71c8eca9c8d62bc24a53184_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775372878&Signature=cLNwLw1L9ZCpQXZej7DaLTWH5w887X5wPnSpN1pwH2N4acSu8Llp25uprGRArg6qCuPbVQ2YPyIeCdwLCZvq%2FU0hP8m17ZPontiyR5zKb7jxcW57eEUuVnuSV9%2FnukwtPPJ%2BTY7a0%2B9rwSAU%2FL%2FJQ1yMke6VIX%2B%2F6KSWHgmLV%2F%2FR%2FbOxB0oZ4%2Fe%2Fsb2%2Fw12dZix7IY6c7wOj1OlWGQSkAZZsEoDw",
"The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr",
"Alerts: disables_uac infostealer_keylog modify_uac_prompt anomalous_deletefile",
"Some Colorado communities have been taken over by the State Government",
"IDS Detections: Domain (whatismyipaddress .com in HTTP Host)",
"https://vtbehaviour.commondatastorage.googleapis.com/f403bda8d1840e13c382804876bddf5521304bbbe01d8c127e9b482baf4db923_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776232147&Signature=qctdwqGOIWSBEBix28Qxr45GEATFVdZTkDPbDIdJUHZ668NUB29x7xOOu3BZACgBBczicReTkIygLYXiDb20rGtoja2iQxFCTOWE4%2FLwc9Nxh7I1%2FSoHR6%2Bi5Wk4XJTAcdzAGeExua8rUKoFT5sIKrtv83PwbAvTCO7GvcydYPqGs2mLLbQhp7372gRlMAdZg6XILhNRYSlLjZKO%2BpqkBfkK8qpwy%2BaB6%2BDnSqhM%2BVFxaWXh",
"https://apple.btprmjo.cc/",
"TAGS: cloudflare cloudflarenet command config connection copy crazyfrost cyber attacks",
"http://aninditaannisa.blogspot.com/2019/02/tsara-brashears-porn.html \u2022 blogspot.com",
"https://vtbehaviour.commondatastorage.googleapis.com/39c58d0f868d4e8d1b959dce19d0bbcc57bb8b9b832f9efbe4e2244051237b95_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775372451&Signature=Dv9FcZuWlVKlY26EcoSmR4Kcb44tKDv4kyBrDOputdJDLMvfDX9%2Fs4Ss4cLURTdCso74wPUHQpcMVcyeGGK%2F3RwYbxXwJjMGGAJSCfCxIDRiL%2BLOQKY3M7zGyXrkpuwr5lQS4CaKp1LFajsxxwnKpd%2F5eXNMLqlyxh%2ByO3dJWTkY8WqNnnwnSjW0lqpwB9%2BBjgEdIeWsnMRqF0t4JQ8dJsmCbbTXmAKIEZ46Rpio044%2BrsqH",
"http://www.pitprojekt.pl",
"Alerts : network_cnc_https_generic reads_self packer_entropy injection_rwx uses_windows_utilities antivm_checks_available_memory queries_computer_name queries_user_name",
"https://www.virustotal.com/gui/file/fb970a4bffed1d606a8d90369d43e3a73ea9c8dbcf1394745f1568500e918e1f/summary",
"https://hybrid-analysis.com/sample/e4999984a69a65a69bec9fef1200f7ec36a10bc401cdd15db3510fdc87ec5008/697fb0fec4a9bda3410454cf",
"Pandex!gen1 Web Products",
"https://vtbehaviour.commondatastorage.googleapis.com/00fa27f76beaca564ba93b54d2c468637c2b1dcb5568c4a597a08068af36cda5_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776231578&Signature=NwCoyWHAZRo4FS0XqNnT7d8ki2ytuinY7CisegY4Mq1T5JctWpC4Kee1LG6L3Tmb8%2BfW9yMZq0ChSvSYUjdDTFzNYQoq8vKxf8iGkMy%2BmOA3tSAu3gbLWS2bTtDjc4TFrtK0PKow3hO0FW0QtCkt9NPBi%2BPgoW7MXYIZ3uFt9ARoi%2FY1ChJZdBRtdii1C%2BWEDeLCIQ9xOpDRKxdYBmliuWm6kmeld%2F5yh1%2FSBDYYTOMDDZwzdDUr%2FB",
"Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure",
"Alerts: antiav_servicestop antisandbox_sleep process_creation_suspicious_location",
"Yara : MS_Visual_Basic_6_0 ,",
"https://chaturbate.com/notabottom/",
"https://hybrid-analysis.com/sample/c8e97fd85003de128ef716093cc1ec68f676c737b614f4a55c75c5c0f837de70",
"Alerts: dead_host network_icmp tcp_by",
"Crypt3.BXVC IDS: Abuseat.org Block Message",
"Foundry Foot Soldiers are still in Colorado targeting innocents",
"output.228572717.txt [fb970a4bffed1d606a8d90369d43e3a73ea9c8dbcf1394745f1568500e918e1f]",
"Alerts: dynamic_function_loading injection_write_process reads_memory_remote_process",
"https://vtbehaviour.commondatastorage.googleapis.com/106d36306f3b9357ff409aa1e41521243092c85e8e92fee633b033c9753e98a6_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776232356&Signature=dOUaP3bH%2F2XkNjkbn9FzySukzQbvCwdZKL3t4DjYw8QyaWjsDXs4zMrVafpcb0nOty%2Ff6lOTZkHbIBpyOnKxL9VoqGlftDb03fLBfKM96ov1%2B%2F7gAUJtMfAdk9BUBNUNda9t16wrDNGAVeGod5gZULkmaRB%2BSYwitpYbdZZw9oqT6GM86gMSQdng8tKJ5jvB7qzOr5k3fD2VUuTDsvjZN4f0hncuHKTT6LK4T2FPew5lUi44QzME",
"Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat",
"Yara Detections XOR_embeded_exefile_xored_with_round_256_bytes_key",
"http://deposito.hostance.net/dialer/",
"Alerts: infostealer_cookies antiav_detectfile",
"I need some help.",
"TAGS: samples high host hover httpsupgrades hu note hu seen hungary hungary asn hybrid ids detections ilwysowa text informative intel mac ip address ip check ipv4 ipv4 add is__elf jamie oliver json khtml launcher learn leve blu linux x8664 live live screenshot local logs look m. brian sabey macintosh malware medium melvin sabey meta mitre att mobile ms windows mtb dec mtb yara name servers name tactics network traffic new browser next associated next yara niggercat none file null object os x outbound passiv",
"Related to: https://otx.alienvault.com/pulse/69a1a73eb0578b92962dae97",
"https://vtbehaviour.commondatastorage.googleapis.com/03a5d431bb42e7730a3ae3b3563cee73e7a782079cf56f57bad5fe665d261e54_SecneurX.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775372244&Signature=fXjnCgFbGybFp%2BCRO6a%2FQ3LKU2uLiKNtjgwKzprL3LFL%2BTMgup6nbp7%2F9Hxy8bnBzlFtSzO0fcnf%2FpIsNim0UdrINmB63N9mKkBW1cOkjxV88PAy2nsFZA3FjOEYq4N0lgc8gAtS5eRTt%2Bwb7WjEnd3QQ7aPLuoVl2hjed4hC8Cit6efcSD9GbJCITMeX4%2FVHBYSjmDr4Pgip9ANSZ6wvzkRktqPpC23Qwl62gkuXE%2BKp0s%2Bq%",
"https://otx.alienvault.com/otxapi/indicators/file/screenshot/fbb538f322026e57d467e9dbccdbaf181e08149c50216385b7235a43e80ea0c8",
"TAGS: state of colorado stream strings suspicious t1590 gather tcp syn title tools tr trex triangulation",
"IDS Detections: Suspicious Activity potential UPnProxy",
"Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.",
"Couldn\u2019t pulse 1st pulse so here\u2019s what\u2019s left",
"Hours after files were deemed malicious. We powered on targeted Smart TV",
"https://www.google-analytics.com/r/collect?v=1&_v=j83&a=1390847564&t=pageview&_s=1&dl=https%3A%2F%2Fchaturbate.com%2Fnotabottom%2F&ul=en-us&de=utf-8&dt=Chaturbate%20-%20100%25%20Free%20Chat%20%26%20Webcams&sd=32-bit&sr=1024x768&vp=780x439&je=0&_u=YEBAAE~&jid=915940444&gjid=1686072238&cid=922362881.1595496808&tid=UA-23607725-1&_gid=1317601001.1595496808&_r=1&cd1=chaturbate.com&cd2=&cd3=-&cd4=&cd5=anonymous&z=762468946",
"ftp.remote.docs.home.git.fr.yandex.avito.sberbank.pay.avito.blablacar.blablacar.gitlab.ces4ld2kbfghhbju9r40.haard.info",
"We have foot soldiers. Be aware",
"forum.remote.docs.home.git.fr.yandex.avito.sberbank.pay.avito.blablacar.blablacar.gitlab.ces4ld2kbfghhbju9r40.haard.info",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776230932&Signature=xa5mbsGixH6SGhj%2BdrfZBwVhiHGEybcZdAbHUfpoGoECgFwqMLudtOiuX7AZZO2RxSaIoY%2FOQa%2B7jGfS%2FoeYRgjRTmAJCei6M172sbgIU6nRQdVDrqNeJXkSlr20Q1sW0%2B4gtImsebtle4ipmPMbrM6VDUWKjegUi8afL5a27GLZg9veVMc%2FI0aT1qx8EjsdITQ%2BSdvZoX39A%2FlC3j0gK6R9WcVdu3DEx6lxUHsOx3HPKk%2BJAZyZ"
],
"related": {
"alienvault": {
"adversary": [],
"malware_families": [],
"industries": []
},
"other": {
"adversary": [
"rule MALWARE_OneNote_Delivery_Jan23 { meta: author = \"SECUINFRA Falcon Team (@SI_FalconTeam)\" descri"
],
"malware_families": [
"Win.exploit.rozena",
"Inject2.bive",
"Win.ransomware.msilzilla-10014498-0",
"Trojandropper:win32/vb.il0",
"Dialer",
"Trojan:win32/dorv.a",
"Crypt3.bxvc",
"Pandex!gen1",
"Trojandropper:win32/hupigon.gen!a",
"Elf:ddos-s\\ [trj]",
"Ddos:linux/gafgyt.ya!mtb",
"Serwer a przed\u0142u\u017cenie sesji #{text}",
"Virtool:win32/autinject.cz!bit",
"Other malware",
"Trojan:win32/diamin.f",
"Alf:ransom:win32/petya.sib!mtb",
"Pykspa.c",
"Deathhiddentear (large&small ht) >",
"Lockbit",
"Nitrogen loader",
"Win32:evo-gen",
"Web products",
"Win32:cabmod\\ [drp]",
"Win32:botx-gen\\ [trj]",
"Banload",
"Tr",
"Pegasus",
"Node traffic",
"Alf:heraklezeval:pua:win32/keygen",
"Other dangerous malware",
"Serwer",
"Et",
"Alf:trojan:win32/cassini_56a3061!ibt",
"Lumma stealer",
"Alf:heraklezeval:trojan:win32/clipbanker",
"Cve-2023-22518",
"Win.keylogger.qbot-9987768-0",
"Nitrogen ransomware",
"Win.packed.usteal-7531303-0",
"Wojcieszyce",
"Trojandownloader:win32/banload.d",
"Themida.",
"Autoit",
"!#addscopy-tostartup",
"Trojan:win32/startpage.aea",
"Alf:heraklezeval:pua:win32/ultradownloads",
"Warzonerat - s0670",
"4-0 win.malware.pits-10035540-0",
"Virtool:win32/injector.gen!bq",
"Trojanspy:win32/usteal",
"Win.trojan.qakbot-9988002-1",
"Unix.trojan.gafgyt-698115",
"Win.trojan.agent-316098"
],
"industries": [
"Technology",
"Telecommunications",
"Media",
"Oil",
"Legal, financial, healthcare, government, municipal, real-estate, enterprise-technology, critical-in",
"Government",
"Irs",
"Finance"
]
}
}
},
"false_positive": []
},
"geo": {},
"geo_ipapicom": {},
"pulse_count": 33,
"pulses": [
{
"id": "69a02837827feb0b78fa3ad2",
"name": "The Belasco Chain",
"description": "The adversary delivers a masterclass in \"Regular Belasco\" stagecraft, utilizing authentic Adobe PIDs to construct a \"living library\" of legitimacy where mundane metadata like SOPHIA.json acts as Gatsby\u2019s \"real but uncut\" volumes to mask a hollowed-out interior. This is a triumph of performative evasion; while researchers marvel at the realism of the set-dressing, MSI50B8.tmp and MSI4F2F.tmp wait in the wings of the Windows\\Installer directory, invisible to the human eye and using NGEN hijacking to bake illicit scripts directly into the OS framework. By employing Cryptnet certificates as \"stage lighting\" to mask C2 handshakes, the malware doesn't just attend the system\u2019s party\u2014it rewrites the invitation to own the house. Unlike the tragic end at West Egg, this Belasco chain is a play that refuses to end; it simply resets the stage, ensuring the performance continues as long as the \"green light\" of the C2 remains active.",
"modified": "2026-04-19T09:34:35.173000",
"created": "2026-02-26T11:02:15.932000",
"tags": [
"file size",
"mwdb",
"bazaar",
"sha3384",
"ssdeep",
"file type",
"sha1",
"sha256",
"crc32",
"filenames c"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 2,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 2805,
"FileHash-SHA1": 2568,
"FileHash-SHA256": 7488,
"domain": 1883,
"hostname": 1466,
"URL": 1179,
"email": 46,
"CVE": 46,
"CIDR": 3,
"YARA": 7,
"IPv4": 94,
"JA3": 1
},
"indicator_count": 17586,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 53,
"modified_text": "14 hours ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "698e93e1ab02db8c49e8c3ed",
"name": "\u201cBroken Seal\u201d DocuSign-themed Delivery with Fileless Process Hollowing (Zeppelin/Bloat-A)",
"description": "Forensic analysis indicates a DocuSign-themed phishing campaign using a deliberately invalid X.509 PKI seal (\u201cBroken Seal\u201d) to trigger fail-open verification logic in automated handlers. The delivery mechanism bypasses Secure Email Gateway (SEG) reputation checks by using encrypted channels and human-gated infrastructure. The payload is a fileless Process Hollowing (RunPE) malware that injects into RWX memory of legitimate processes to evade disk-based EDR.",
"modified": "2026-04-19T08:11:41.130000",
"created": "2026-02-13T03:00:49.872000",
"tags": [
"Zeppelin, Bloat-A, W32.Bloat-A, Zero-Day-Delivery, Protocol-Devi",
"9698f46495ce9401c8bcaf9a2afe1598",
"Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional)",
"MD5: b47266fef17ad4b2e4ca6ee1d06c39a7 SHA-1: cb92796715c799d7e71",
"Filename: b47266fef17ad4b2e4ca6ee1d06c39a7.virus File Type: Win3",
"Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Link",
"DocuSign-themed phishing lure Invalid X.509 seal (\u201cBroken Seal\u201d)"
],
"references": [
"Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensures that the structurally invalid X.509 \"Broken Seal\" is only delivered via encrypted channels, while the gated Port 80 tier prevents the discovery of the underlying Zeppelin/Bloat-A redirection logic by non-human-interacted sessions.",
"Imphash: 9698f46495ce9401c8bcaf9a2afe1598 | Imports (additional): GdipSetSmoothingMode, I_UuidCreate, RpcStringFreeW, UuidCreate, UuidToStringW, InternetCheckConnectionW | Resource: RT_MANIFEST (1, ENGLISH US, SHA-256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df, XML, entropy 4.91)",
"Observed hosting and routing telemetry indicates the delivery infrastructure is operating through AS209242 (Cloudflare London LLC), suggesting the actor is leveraging Cloudflare\u2019s transit layer for resilience and to reduce direct exposure of origin infrastructure.",
"Research into the gogetlife.co telemetry confirms a dual-port obfuscation strategy designed to bypass multi-layer security indexing. Forensic HTTP scans identify a Port 80 \"Fail-Closed\" state, where standard web traffic is gated by a Cloudflare-managed 403 Forbidden challenge, effectively neutralizing automated crawlers. Conversely, Port 443 remains accessible, serving a WordPress-based interface backed by a freshly issued Google Trust Services certificate (Feb 4, 2026). This asymmetric configuration ensure",
"Compilation / Toolchain Compiler: Microsoft Visual C++ 2017 Linker: Microsoft Linker 14.16.27032 IDE: Visual Studio 2017 (15.9) Classification: PEBIN TrID: Win64 EXE (32.2%) / Win32 DLL (20.1%) / Win16 NE (15.4%) PE Section Entropy (Suspicion): .data 7.36 \u2192 high (suggests packing/encryption), .reloc 6.66 \u2192 possible runtime modification, .text 6.01, .rdata 5.88, .rsrc 4.72 Imports (Capabilities): CreateRemoteThread, CreateThread, ExitProcess",
"Broken Seal exploitation: The invalid X.509 seal appears engineered to exploit verification logic gaps, forcing fail-open behavior and allowing SEG bypass under certain configurations. Human-gated delivery posture: Cloudflare 403 challenges suggest the actor enforces human interaction before payload delivery, reducing automated discovery and sandbox analysis. Industrialized infrastructure: Correlation across thousands of domains and URLs indicates a highly automated, rotating delivery ecosystem.",
"MITRE ATT&CK: Process Hollowing (T1055.012): Documentation on the RunPE injection method used by the payload to achieve a fileless state in RWX memory. RFC 5652 - Cryptographic Message Syntax (CMS): This standard defines the structure of the digital signatures that this campaign's \"Broken Seal\" exploit bypasses.",
"As of Feb 13 (early AM) \u2014 Indicators of Compromise: 17K | Types: Email (30), FileHash-SHA256 (2,146), URL (8,070), Hostname (2,755), Domain (3,528), Other (1,110) | Geo: US (233), Canada (15), China (10), Japan (2), Spain (2), Other (13)",
"Verification failure observed in automated verification handlers during sandbox replay.",
"The payload (SHA256: dfff54...4af) achieves a fileless execution state via Process Hollowing (RunPE), injecting into RWX memory regions of legitimate system processes to evade disk-based EDR telemetry. Anti-analysis controls\u2014including Bochs artifact checks, geofencing logic, and direct CPU clock interrogation\u2014are implemented to validate a high-interaction user environment prior to execution.",
"Multiple antivirus engines flagged the sample with generic heuristic names (e.g., Trojan:Win32/Vigorf.A, Win32:Malware-gen, Trojan.Generic), consistent with multi-engine heuristic detection on VirusTotal.",
"Malicious sample (SHA256: fa8e2ddfe42e77a9771a7c4d6421c7a808cf4508f8cd6dc6f4cf8bd4e2ae7f8f) detected as TrojanDownloader:Win32/Tugspay.A with YARA hits for Win32_PUA_Domaiq, aPLib, PECompact_2xx and IDS alerts including TLS Handshake Failure + 403 Forbidden, contacting 36 domains (e.g., api.123mediaplayer.com, static.sslsecure1.com) and IPs such as 104.18.23.19 and 193.166.255.171.",
"SHA256 3d10374b55a18a2dd90d35d28472600496c680a7efab4e772595f735cb062343 identified as Win.Malware.Vtflooder-9783271-0 / Trojan:Win32/Vflooder.B with UPX/Nrv2x packing YARA hits, IDS detections for Win32/Vflooder.B check-in and DOS behavior, and network C2 indicators including 172.66.0.227 and 34.54.88.138.",
"SHA-256: fc1fedce1419d4e2009828aad8644deca78b4eeed176e5b009797e0eb0d7d3ff \u2014 Detected as Win.Malware.Vtflooder / Trojan:Win32/Vflooder; UPX-packed PE32 executable, with 812 IDS hits (including C2 checkin + HTTP EXE upload).",
"nationalgrid.com \u2014 Whitelisted domain (US, AS13335 Cloudflare) with 500+ passive DNS entries, 692 URLs, 195 subdomains, and 2 malicious files hosted on IP 104.17.1.192, which is concerning given the infrastructure and trust level.",
"eversource.com (IP: 159.108.5.46, ASN: AS2024) has 2 flagged malicious files within its infrastructure, despite being whitelisted. The domain hosts 95 subdomains and maintains an active SPF record, indicating potential security risks under an otherwise trusted facade.",
"Whitelisted IP Address 204.79.197.212 Location United States ASN AS8068 microsoft corporation Nameservers ns4-205.azure-dns.info. , ns1-205.azure-dns.com. More WHOIS Registrar: MarkMonitor, Inc., Creation Date: Mar 26, 1996 Related Pulses OTX User-Created Pulses (50) Related Tags 2025 Related Tags 4328 , 5943 , 80211 , #supportsitewebsiteabuse #rootcertificatefailure #cryptographicf , The dynamics of the mudoSOSIntersectalign with sophisticated adv More Indicator Facts 982 malicious files communicat",
"",
"The AlienVault OTX report for flypdx.com documents 11 related tags, including ids detections and av detections, across 4 active AWS IP addresses (3.175.34.30\u2013.106). These indicators confirm the airport's network has been flagged for unauthorized activity, specifically pointing to a bridge between their web infrastructure and internal passenger tracking. The display of PII on aviation hardware during my June flight matches a known data-bleeding pattern where Personally Identifiable Information (PII) leaks fr"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"China",
"United States of America",
"Spain",
"Japan",
"Canada"
],
"malware_families": [],
"attack_ids": [],
"industries": [
"Legal, Financial, Healthcare, Government, Municipal, Real-Estate, Enterprise-Technology, Critical-In"
],
"TLP": "green",
"cloned_from": null,
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 27678,
"FileHash-SHA256": 47676,
"FileHash-MD5": 42534,
"FileHash-SHA1": 23213,
"hostname": 33703,
"URL": 75433,
"SSLCertFingerprint": 30,
"CVE": 7582,
"email": 313,
"FileHash-IMPHASH": 8,
"CIDR": 26205,
"JA3": 1,
"IPv4": 80,
"URI": 5
},
"indicator_count": 284461,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 68,
"modified_text": "15 hours ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69df292dac938e1d181a38e2",
"name": "VirusTotal report\n for index.html",
"description": " 'broken seal'\n\nObservations: Unplugged, Airbook, flashed wrote or write javascript in red around 2:45am EST when trying to upload and took me to a google screen.",
"modified": "2026-04-16T07:16:26.014000",
"created": "2026-04-15T05:59:09.898000",
"tags": [
"sign",
"submission",
"unread",
"community score",
"status",
"content type",
"date",
"community join",
"community",
"api key",
"body",
"dns resolutions",
"ip traffic",
"performs dns",
"found",
"https",
"urls",
"mitre attack",
"network info",
"processes extra",
"mnhqrsc7",
"t1055 process",
"layer protocol",
"phishing",
"next",
"get http",
"rules not",
"http",
"injection",
"memory pattern",
"cape sandbox",
"zenbox",
"detections not",
"found mitre",
"info ids",
"size",
"analysis date",
"domains",
"facebook",
"language",
"vhash",
"ssdeep",
"file type",
"html internet",
"magic html",
"unicode text",
"utf8 text",
"algorithm",
"key identifier",
"x509v3 subject",
"v3 serial",
"number",
"cus olet",
"encrypt cne7",
"validity",
"subject public",
"key info",
"handle",
"server",
"entity",
"registrar abuse",
"llc creation",
"join",
"umbrella",
"trid file",
"redacted for",
"privacy tech",
"privacy admin",
"country",
"stateprovince",
"postal code",
"organization",
"email",
"code",
"canva",
"overview",
"dropped info",
"malicious",
"default",
"file size",
"mwdb",
"bazaar",
"sha3384",
"acrongl integ",
"adc4240758",
"sha256",
"accept",
"shutdown",
"back",
"windows sandbox",
"calls process",
"docguard",
"greyware mitre",
"evasion",
"vs98",
"compiler",
"sp6 build",
"chi2",
"contained",
"authentihash",
"rich pe",
"win32 exe",
"system process",
"pe file",
"ms windows",
"downloads",
"united",
"drops pe",
"tls version",
"persistence",
"fraud",
"nothing",
"registry keys",
"parent pid",
"full path",
"command line",
"mutexes nothing",
"created",
"files c",
"read files",
"read registry",
"tcp connections",
"udp connections",
"files nothing",
"description",
"host process",
"windows",
"user",
"integritylevel",
"detailsendswith",
"helper objects",
"cache",
"imageendswith",
"autorun keys",
"modification id",
"asep",
"victor sergeev",
"tim shelton",
"nextron",
"from",
"system32",
"syswow64",
"winsxs",
"lolbins",
"roth",
"markus neis",
"filesavira",
"rule set",
"github",
"matches rule",
"florian roth",
"capture",
"malware",
"cgb osectigo",
"public server",
"dv r36",
"pdf document",
"magic pdf",
"trid adobe",
"format",
"crc32",
"win1",
"detail info",
"tickcount",
"filename",
"behaviour",
"imagepath",
"cmdline",
"offset",
"targetprocess",
"writeaddress",
"write",
"shell",
"open"
],
"references": [
"https://vtbehaviour.commondatastorage.googleapis.com/a77a417f32cbded88f0d4e3663963a8965e72a25398acc329d907143e4ac3b23_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776228071&Signature=k4OPGTTS9fpKAbpLbTCobvi0%2BEjGbp7VcWYSCEp1TvQjpVcQtED0S8jcuTQ0McsWiP%2B6aw%2Fx98DNyVWEyPW4Tk8SxeBRXHcp0LXtwZJGGgR6Bg22qNhLkdLO31x8icluFzt4jqqp9hvJBXQodGoJWmlyxa3b9mS%2BeqUdi0ui3etDt%2Fhqv5QEOSCDX7bljWWmxRJa%2BZfAYDazGaCIGSQoltS%2BeMihl5SLMi%2B%2BjYP6%2BKTvM9xwUC",
"https://vtbehaviour.commondatastorage.googleapis.com/a77a417f32cbded88f0d4e3663963a8965e72a25398acc329d907143e4ac3b23_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776228177&Signature=MeuwZPsdr0gtQe0sk4q%2F4CUZfcMW69%2BxIGhrTaYMPXdTjl9aWJE5615NjAm4MvLR4DtSbJ7cc1BFbk7BVmjJn8nL41YfGq%2BBf5gZPn0%2FQV9ktpUtUMF9Lv0QkTRTFvsf0jeKYeC2md5imom9AjEbo5ewSdFcbMP503mxuC0pdhpq7S49aLwME4HDzuoSSRnwj%2BlEmfp5egLduihMAZHjBHMzBdPMJAufJFlU8IQZClMZlgiQVG7EB%2Fv1e6",
"https://vtbehaviour.commondatastorage.googleapis.com/b0b9aa9f245afb8f001e1d0c3be360fac8128469e52b5242115a7ff6e6c04978_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229294&Signature=OdVBHVnXq3aV47RlsO8ckBUvhV7Kn9b%2F4xcw6rkjRGl101K0lV0KpQpJFnEJ2JNjbsHO7vdMuiA2nR7aFNAx3pK6oJ2uEM5B%2F1BElXy3wNiL6OMqOj6VDv1lBLizeW3yvJG2V6sF%2By0mIhjiIDTOWyndGkDQoxymSgXyRoelmqrYH09k2E5CRoipEjdu2HUz6DgB0hePe4bG7h%2FBmerbDws5a3iwYrIjxjcFH06RSyYEapwLeYDZLUN8zzbnyg",
"https://vtbehaviour.commondatastorage.googleapis.com/b0b9aa9f245afb8f001e1d0c3be360fac8128469e52b5242115a7ff6e6c04978_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229341&Signature=FsDJqLFCpjpHyHkGAAeaeZJ0FuHsnHPW6OqfNr9%2FNQIMbW7S%2BpRdtBt0QC6eD2wVbJ0w0mn5Yh0umB2%2B4oj4WMpC%2Bbrabv85VtOz%2F7vZpXZYD00Eey8BoejnKjQXMEvwQelKFGpAKX9nv%2FzwiCOS22Yks44WKHJ9A32A8UatUxBJensQPOqvN6AxKy8xxjxFGM3cZm0F86LlAfualBwN7iwbWFmc4eGjmYxY6luyqTxxyh58Vh",
"https://vtbehaviour.commondatastorage.googleapis.com/b0b9aa9f245afb8f001e1d0c3be360fac8128469e52b5242115a7ff6e6c04978_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229360&Signature=mH4LFzdNbM%2FrTWl5A1VAc7ojWzYacRphus9okWr%2BvKUFUyk6TK8Pas4WKG1FcvFR2wwpkpjhE0AE0viuh35qs9qrKBS2fIH14W17FlfmoSXYlBcSDESzTv%2FVzT%2F0Apeil6p9N3Fux7xxH6ZuNyB%2B4%2FPrsSOrCfOkh4oSRipPAOPTUdPYpQTe0rA1LiyBADnpOeEOc4sEeKoTGaMgqmSXd6sFNnsjxsspmJ6p%2F0NL9s",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229700&Signature=bWnonefGUZtYeK3iLEK3l6B1K8s5LAANJsHqgu2f0adNPoq5aO1WnMIFL001ZRPLhg3zHdzVWEliZbOKd464xRNceJ7qnwM2u%2BoTUWVsdG7sWp8m3KT9cy98h7ihyVxEJudR7SVtw3hFHyjnbgFd8um7IWE3l2SqVOMKxir6agkJHMAg85Uq%2B29m%2Fxor5i2T2eJagX5555p5VHGXCleUwHe47ThbWegYdvCtAeZOtTKyRSdkhAYjfh3BJ1x2dWJ2",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229786&Signature=xYXDEDJcly%2BwCTkFPUyrSr228UUue%2BCAjKBOxrc5lIwprWxivXrJrS40lCNF%2BKMLkA9i6z04spAOemhRUK66rLcdqghb9T%2FBO4LbtGMX%2B1PAsVhS%2BP4qygPXIHJ5%2B8wxoZW2tYaq0ZvgAT6JnxbkWd5C0zOxXk%2F9hT6Vp9O5ikL6ZfyZ6slwyrcaPf2dQp0s8qV47TDrYLbF3PtfUd7Gqo1FH%2BCeT2v3waoi7mEQ%2BR",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229983&Signature=pjZPJEd79tkxjTOXjGMHb4Ed29a3OnC2MaGvoEp2E%2BtUNlKu%2BjXXLzR8Y%2FZlOZH1iQYAVjw%2BGSPneb4wnbT1VPNraQ3Xf5M6aAPdM6%2FksMddUDZcLVnFuSdgwU93ADeZobmWXc%2BJH1%2FguUu9OPzHo0G%2BgRmTNqH9qd3UF67OJAc5REJ07uMtzQuuBx6rXGruAKZEVmDJkBSj%2BYeGTwZmIa5rki62YowEiVDCcQ",
"https://vtbehaviour.commondatastorage.googleapis.com/a77a417f32cbded88f0d4e3663963a8965e72a25398acc329d907143e4ac3b23_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776230863&Signature=MAUJlRZPDmQ8L%2FN5a%2F5%2FFKR6Avr46BE%2BopAgWZomEP4ZjskOPFdqUdHqNnWlGWBv%2FQh4X7Z7p3aft1KWZdvUXnSZMerAL7Kuh%2BCK%2BLXLSALQZ9DL6ZpXdOktgaTxL6heoTmcz%2FvpOVmsFn%2FgbzxQjLZ9GliY9AQE1C3VJAZmqdMbG1Y%2FIpByCKcEokrgAN%2B7XhJGE94VD8A4luLzKvlyVYuqoFv6raDRdQMFBOXOJCXkyjJk",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776230932&Signature=xa5mbsGixH6SGhj%2BdrfZBwVhiHGEybcZdAbHUfpoGoECgFwqMLudtOiuX7AZZO2RxSaIoY%2FOQa%2B7jGfS%2FoeYRgjRTmAJCei6M172sbgIU6nRQdVDrqNeJXkSlr20Q1sW0%2B4gtImsebtle4ipmPMbrM6VDUWKjegUi8afL5a27GLZg9veVMc%2FI0aT1qx8EjsdITQ%2BSdvZoX39A%2FlC3j0gK6R9WcVdu3DEx6lxUHsOx3HPKk%2BJAZyZ",
"https://vtbehaviour.commondatastorage.googleapis.com/5db6524a52780ba7a4bd05e5faa20cbb7159f1c503394d850b5e95442357fb38_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776230974&Signature=zYx3MmXFQoBT4EG2nvG5OZiyNhwKxbZzjL6%2BNZgR4Vz%2FdHSEDvbVaSpxmWXWVYIvSYVfBhn1WxEelG4wi1yRrrS7CXwxSbXtv1E6hBhtT8u%2F%2Fj%2F4eRs2Jtulv5WvBY99pZ53qx9cvc8vV%2FgELVw%2Fy%2Bjat%2BN72%2BtX0XBhiiOt%2BtpVFkjl12ns9sbW6xNwzsrENkL5xhuctZ7TX2AX188SrJb9s5VM0wK7F8",
"https://vtbehaviour.commondatastorage.googleapis.com/00fa27f76beaca564ba93b54d2c468637c2b1dcb5568c4a597a08068af36cda5_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776231578&Signature=NwCoyWHAZRo4FS0XqNnT7d8ki2ytuinY7CisegY4Mq1T5JctWpC4Kee1LG6L3Tmb8%2BfW9yMZq0ChSvSYUjdDTFzNYQoq8vKxf8iGkMy%2BmOA3tSAu3gbLWS2bTtDjc4TFrtK0PKow3hO0FW0QtCkt9NPBi%2BPgoW7MXYIZ3uFt9ARoi%2FY1ChJZdBRtdii1C%2BWEDeLCIQ9xOpDRKxdYBmliuWm6kmeld%2F5yh1%2FSBDYYTOMDDZwzdDUr%2FB",
"https://vtbehaviour.commondatastorage.googleapis.com/000c8c89cace706e71df3b230abb53b0891757e08e1d10013ba76d98a3b08622_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776231935&Signature=wI0FB9EBFXXgWFo0thv9T11BAEOIJxW%2BSMCRUhCv8%2FEaaWaZhr975NH1qjEeFwIgm3cWdqm8KhXTxkbqGddaPoKiIoe59pX4ZVhr0LmnSTGFTFkLVGsGIajJCSutHgqOs6kW5KtDpyC67KxlAF1IA858Tz7eOXxYk3JYsf5g9iC%2BhkfqrDGGucK%2BDxtYZbIvDRb3QxLpD2qtF4NVPFoO38H3aJon0pykwGkrRNU0Pae%2F5YyJjl6m",
"https://vtbehaviour.commondatastorage.googleapis.com/f403bda8d1840e13c382804876bddf5521304bbbe01d8c127e9b482baf4db923_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776232147&Signature=qctdwqGOIWSBEBix28Qxr45GEATFVdZTkDPbDIdJUHZ668NUB29x7xOOu3BZACgBBczicReTkIygLYXiDb20rGtoja2iQxFCTOWE4%2FLwc9Nxh7I1%2FSoHR6%2Bi5Wk4XJTAcdzAGeExua8rUKoFT5sIKrtv83PwbAvTCO7GvcydYPqGs2mLLbQhp7372gRlMAdZg6XILhNRYSlLjZKO%2BpqkBfkK8qpwy%2BaB6%2BDnSqhM%2BVFxaWXh",
"https://vtbehaviour.commondatastorage.googleapis.com/106d36306f3b9357ff409aa1e41521243092c85e8e92fee633b033c9753e98a6_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776232356&Signature=dOUaP3bH%2F2XkNjkbn9FzySukzQbvCwdZKL3t4DjYw8QyaWjsDXs4zMrVafpcb0nOty%2Ff6lOTZkHbIBpyOnKxL9VoqGlftDb03fLBfKM96ov1%2B%2F7gAUJtMfAdk9BUBNUNda9t16wrDNGAVeGod5gZULkmaRB%2BSYwitpYbdZZw9oqT6GM86gMSQdng8tKJ5jvB7qzOr5k3fD2VUuTDsvjZN4f0hncuHKTT6LK4T2FPew5lUi44QzME",
"https://vtbehaviour.commondatastorage.googleapis.com/003c70373fd8307426c9597ea691d0065e4b17fbeaea25155d3180d59d19aecd_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776235521&Signature=XyL%2BziErEMLdDGzpkOrsFWzF%2Bs8%2F%2BHa%2Ft1S5%2FfgkdYZVZNUoI9ouy4IwZLiV4Fi2woIHU9YMnGYvqC6u0SHx0R%2FTbBYsAWIRLcS0jXCiNEz33EKRDTLcQqaAqg1bgEzbagC8RvfUjg5sQp8chQSkn3nYGGovJ1W9KDWu39peg7l0wU95LMSY%2BtbjEdzA0ghSq8IG%2BBSGkETgfJdXrKjyTRw1x5DEwN%2BENKfa54%2FmxDHO7iP3",
"https://vtbehaviour.commondatastorage.googleapis.com/003c70373fd8307426c9597ea691d0065e4b17fbeaea25155d3180d59d19aecd_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776235484&Signature=hjxNiAS7V%2Bsk78jk2ksTamwBDr%2Bbip09k8w%2FY%2FkvqfB676c53pmH%2Fwa7Py9BXy9tIptTKWA5SsC3Zck6ghdFqW3CcffOr0qRIsUIFknMfbuE3oC4UsaSuLoa%2B54UO0%2FJMTN9B5Y1HSbWJqFkxVX1WVQ5ry5yt9yJUK3m0DTRx9bsJ%2FoCKT3ionJdg5tZcst941SNesx3DRgpuAQmN9UVlNpRNCEwutgqN8XoC4EnI5l6Nt"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1203",
"name": "Exploitation for Client Execution",
"display_name": "T1203 - Exploitation for Client Execution"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1003",
"name": "OS Credential Dumping",
"display_name": "T1003 - OS Credential Dumping"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1014",
"name": "Rootkit",
"display_name": "T1014 - Rootkit"
},
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1485",
"name": "Data Destruction",
"display_name": "T1485 - Data Destruction"
},
{
"id": "T1496",
"name": "Resource Hijacking",
"display_name": "T1496 - Resource Hijacking"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1542",
"name": "Pre-OS Boot",
"display_name": "T1542 - Pre-OS Boot"
},
{
"id": "T1564",
"name": "Hide Artifacts",
"display_name": "T1564 - Hide Artifacts"
},
{
"id": "T1016",
"name": "System Network Configuration Discovery",
"display_name": "T1016 - System Network Configuration Discovery"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1547",
"name": "Boot or Logon Autostart Execution",
"display_name": "T1547 - Boot or Logon Autostart Execution"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1134",
"name": "Access Token Manipulation",
"display_name": "T1134 - Access Token Manipulation"
},
{
"id": "T1046",
"name": "Network Service Scanning",
"display_name": "T1046 - Network Service Scanning"
},
{
"id": "T1539",
"name": "Steal Web Session Cookie",
"display_name": "T1539 - Steal Web Session Cookie"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 4,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 5178,
"IPv4": 572,
"URL": 5164,
"FileHash-MD5": 1546,
"FileHash-SHA1": 381,
"domain": 1818,
"hostname": 3413,
"email": 22,
"URI": 2,
"IPv6": 15,
"CVE": 1
},
"indicator_count": 18112,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 49,
"modified_text": "3 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69df292b85c74fec867e4ed2",
"name": "VirusTotal report\n for index.html",
"description": " 'broken seal'",
"modified": "2026-04-16T07:16:21.879000",
"created": "2026-04-15T05:59:07.274000",
"tags": [
"sign",
"submission",
"unread",
"community score",
"status",
"content type",
"date",
"community join",
"community",
"api key",
"body",
"dns resolutions",
"ip traffic",
"performs dns",
"found",
"https",
"urls",
"mitre attack",
"network info",
"processes extra",
"mnhqrsc7",
"t1055 process",
"layer protocol",
"phishing",
"next",
"get http",
"rules not",
"http",
"injection",
"memory pattern",
"cape sandbox",
"zenbox",
"detections not",
"found mitre",
"info ids",
"size",
"analysis date",
"domains",
"facebook",
"language",
"vhash",
"ssdeep",
"file type",
"html internet",
"magic html",
"unicode text",
"utf8 text",
"algorithm",
"key identifier",
"x509v3 subject",
"v3 serial",
"number",
"cus olet",
"encrypt cne7",
"validity",
"subject public",
"key info",
"handle",
"server",
"entity",
"registrar abuse",
"llc creation",
"join",
"umbrella",
"trid file",
"redacted for",
"privacy tech",
"privacy admin",
"country",
"stateprovince",
"postal code",
"organization",
"email",
"code",
"canva",
"overview",
"dropped info",
"malicious",
"default",
"file size",
"mwdb",
"bazaar",
"sha3384",
"acrongl integ",
"adc4240758",
"sha256",
"accept",
"shutdown",
"back",
"windows sandbox",
"calls process",
"docguard",
"greyware mitre",
"evasion",
"vs98",
"compiler",
"sp6 build",
"chi2",
"contained",
"authentihash",
"rich pe",
"win32 exe",
"system process",
"pe file",
"ms windows",
"downloads",
"united",
"drops pe",
"tls version",
"persistence",
"fraud",
"nothing",
"registry keys",
"parent pid",
"full path",
"command line",
"mutexes nothing",
"created",
"files c",
"read files",
"read registry",
"tcp connections",
"udp connections",
"files nothing",
"description",
"host process",
"windows",
"user",
"integritylevel",
"detailsendswith",
"helper objects",
"cache",
"imageendswith",
"autorun keys",
"modification id",
"asep",
"victor sergeev",
"tim shelton",
"nextron",
"from",
"system32",
"syswow64",
"winsxs",
"lolbins",
"roth",
"markus neis",
"filesavira",
"rule set",
"github",
"matches rule",
"florian roth",
"capture",
"malware",
"cgb osectigo",
"public server",
"dv r36",
"pdf document",
"magic pdf",
"trid adobe",
"format",
"crc32",
"win1",
"detail info",
"tickcount",
"filename",
"behaviour",
"imagepath",
"cmdline",
"offset",
"targetprocess",
"writeaddress",
"write",
"shell",
"open"
],
"references": [
"https://vtbehaviour.commondatastorage.googleapis.com/a77a417f32cbded88f0d4e3663963a8965e72a25398acc329d907143e4ac3b23_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776228071&Signature=k4OPGTTS9fpKAbpLbTCobvi0%2BEjGbp7VcWYSCEp1TvQjpVcQtED0S8jcuTQ0McsWiP%2B6aw%2Fx98DNyVWEyPW4Tk8SxeBRXHcp0LXtwZJGGgR6Bg22qNhLkdLO31x8icluFzt4jqqp9hvJBXQodGoJWmlyxa3b9mS%2BeqUdi0ui3etDt%2Fhqv5QEOSCDX7bljWWmxRJa%2BZfAYDazGaCIGSQoltS%2BeMihl5SLMi%2B%2BjYP6%2BKTvM9xwUC",
"https://vtbehaviour.commondatastorage.googleapis.com/a77a417f32cbded88f0d4e3663963a8965e72a25398acc329d907143e4ac3b23_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776228177&Signature=MeuwZPsdr0gtQe0sk4q%2F4CUZfcMW69%2BxIGhrTaYMPXdTjl9aWJE5615NjAm4MvLR4DtSbJ7cc1BFbk7BVmjJn8nL41YfGq%2BBf5gZPn0%2FQV9ktpUtUMF9Lv0QkTRTFvsf0jeKYeC2md5imom9AjEbo5ewSdFcbMP503mxuC0pdhpq7S49aLwME4HDzuoSSRnwj%2BlEmfp5egLduihMAZHjBHMzBdPMJAufJFlU8IQZClMZlgiQVG7EB%2Fv1e6",
"https://vtbehaviour.commondatastorage.googleapis.com/b0b9aa9f245afb8f001e1d0c3be360fac8128469e52b5242115a7ff6e6c04978_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229294&Signature=OdVBHVnXq3aV47RlsO8ckBUvhV7Kn9b%2F4xcw6rkjRGl101K0lV0KpQpJFnEJ2JNjbsHO7vdMuiA2nR7aFNAx3pK6oJ2uEM5B%2F1BElXy3wNiL6OMqOj6VDv1lBLizeW3yvJG2V6sF%2By0mIhjiIDTOWyndGkDQoxymSgXyRoelmqrYH09k2E5CRoipEjdu2HUz6DgB0hePe4bG7h%2FBmerbDws5a3iwYrIjxjcFH06RSyYEapwLeYDZLUN8zzbnyg",
"https://vtbehaviour.commondatastorage.googleapis.com/b0b9aa9f245afb8f001e1d0c3be360fac8128469e52b5242115a7ff6e6c04978_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229341&Signature=FsDJqLFCpjpHyHkGAAeaeZJ0FuHsnHPW6OqfNr9%2FNQIMbW7S%2BpRdtBt0QC6eD2wVbJ0w0mn5Yh0umB2%2B4oj4WMpC%2Bbrabv85VtOz%2F7vZpXZYD00Eey8BoejnKjQXMEvwQelKFGpAKX9nv%2FzwiCOS22Yks44WKHJ9A32A8UatUxBJensQPOqvN6AxKy8xxjxFGM3cZm0F86LlAfualBwN7iwbWFmc4eGjmYxY6luyqTxxyh58Vh",
"https://vtbehaviour.commondatastorage.googleapis.com/b0b9aa9f245afb8f001e1d0c3be360fac8128469e52b5242115a7ff6e6c04978_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229360&Signature=mH4LFzdNbM%2FrTWl5A1VAc7ojWzYacRphus9okWr%2BvKUFUyk6TK8Pas4WKG1FcvFR2wwpkpjhE0AE0viuh35qs9qrKBS2fIH14W17FlfmoSXYlBcSDESzTv%2FVzT%2F0Apeil6p9N3Fux7xxH6ZuNyB%2B4%2FPrsSOrCfOkh4oSRipPAOPTUdPYpQTe0rA1LiyBADnpOeEOc4sEeKoTGaMgqmSXd6sFNnsjxsspmJ6p%2F0NL9s",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229700&Signature=bWnonefGUZtYeK3iLEK3l6B1K8s5LAANJsHqgu2f0adNPoq5aO1WnMIFL001ZRPLhg3zHdzVWEliZbOKd464xRNceJ7qnwM2u%2BoTUWVsdG7sWp8m3KT9cy98h7ihyVxEJudR7SVtw3hFHyjnbgFd8um7IWE3l2SqVOMKxir6agkJHMAg85Uq%2B29m%2Fxor5i2T2eJagX5555p5VHGXCleUwHe47ThbWegYdvCtAeZOtTKyRSdkhAYjfh3BJ1x2dWJ2",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229786&Signature=xYXDEDJcly%2BwCTkFPUyrSr228UUue%2BCAjKBOxrc5lIwprWxivXrJrS40lCNF%2BKMLkA9i6z04spAOemhRUK66rLcdqghb9T%2FBO4LbtGMX%2B1PAsVhS%2BP4qygPXIHJ5%2B8wxoZW2tYaq0ZvgAT6JnxbkWd5C0zOxXk%2F9hT6Vp9O5ikL6ZfyZ6slwyrcaPf2dQp0s8qV47TDrYLbF3PtfUd7Gqo1FH%2BCeT2v3waoi7mEQ%2BR",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776229983&Signature=pjZPJEd79tkxjTOXjGMHb4Ed29a3OnC2MaGvoEp2E%2BtUNlKu%2BjXXLzR8Y%2FZlOZH1iQYAVjw%2BGSPneb4wnbT1VPNraQ3Xf5M6aAPdM6%2FksMddUDZcLVnFuSdgwU93ADeZobmWXc%2BJH1%2FguUu9OPzHo0G%2BgRmTNqH9qd3UF67OJAc5REJ07uMtzQuuBx6rXGruAKZEVmDJkBSj%2BYeGTwZmIa5rki62YowEiVDCcQ",
"https://vtbehaviour.commondatastorage.googleapis.com/a77a417f32cbded88f0d4e3663963a8965e72a25398acc329d907143e4ac3b23_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776230863&Signature=MAUJlRZPDmQ8L%2FN5a%2F5%2FFKR6Avr46BE%2BopAgWZomEP4ZjskOPFdqUdHqNnWlGWBv%2FQh4X7Z7p3aft1KWZdvUXnSZMerAL7Kuh%2BCK%2BLXLSALQZ9DL6ZpXdOktgaTxL6heoTmcz%2FvpOVmsFn%2FgbzxQjLZ9GliY9AQE1C3VJAZmqdMbG1Y%2FIpByCKcEokrgAN%2B7XhJGE94VD8A4luLzKvlyVYuqoFv6raDRdQMFBOXOJCXkyjJk",
"https://vtbehaviour.commondatastorage.googleapis.com/00241dc01b67c278c388ca680a2a4065b3b8ecce9fabd2830e57bad85e6d8909_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776230932&Signature=xa5mbsGixH6SGhj%2BdrfZBwVhiHGEybcZdAbHUfpoGoECgFwqMLudtOiuX7AZZO2RxSaIoY%2FOQa%2B7jGfS%2FoeYRgjRTmAJCei6M172sbgIU6nRQdVDrqNeJXkSlr20Q1sW0%2B4gtImsebtle4ipmPMbrM6VDUWKjegUi8afL5a27GLZg9veVMc%2FI0aT1qx8EjsdITQ%2BSdvZoX39A%2FlC3j0gK6R9WcVdu3DEx6lxUHsOx3HPKk%2BJAZyZ",
"https://vtbehaviour.commondatastorage.googleapis.com/5db6524a52780ba7a4bd05e5faa20cbb7159f1c503394d850b5e95442357fb38_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776230974&Signature=zYx3MmXFQoBT4EG2nvG5OZiyNhwKxbZzjL6%2BNZgR4Vz%2FdHSEDvbVaSpxmWXWVYIvSYVfBhn1WxEelG4wi1yRrrS7CXwxSbXtv1E6hBhtT8u%2F%2Fj%2F4eRs2Jtulv5WvBY99pZ53qx9cvc8vV%2FgELVw%2Fy%2Bjat%2BN72%2BtX0XBhiiOt%2BtpVFkjl12ns9sbW6xNwzsrENkL5xhuctZ7TX2AX188SrJb9s5VM0wK7F8",
"https://vtbehaviour.commondatastorage.googleapis.com/00fa27f76beaca564ba93b54d2c468637c2b1dcb5568c4a597a08068af36cda5_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776231578&Signature=NwCoyWHAZRo4FS0XqNnT7d8ki2ytuinY7CisegY4Mq1T5JctWpC4Kee1LG6L3Tmb8%2BfW9yMZq0ChSvSYUjdDTFzNYQoq8vKxf8iGkMy%2BmOA3tSAu3gbLWS2bTtDjc4TFrtK0PKow3hO0FW0QtCkt9NPBi%2BPgoW7MXYIZ3uFt9ARoi%2FY1ChJZdBRtdii1C%2BWEDeLCIQ9xOpDRKxdYBmliuWm6kmeld%2F5yh1%2FSBDYYTOMDDZwzdDUr%2FB",
"https://vtbehaviour.commondatastorage.googleapis.com/000c8c89cace706e71df3b230abb53b0891757e08e1d10013ba76d98a3b08622_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776231935&Signature=wI0FB9EBFXXgWFo0thv9T11BAEOIJxW%2BSMCRUhCv8%2FEaaWaZhr975NH1qjEeFwIgm3cWdqm8KhXTxkbqGddaPoKiIoe59pX4ZVhr0LmnSTGFTFkLVGsGIajJCSutHgqOs6kW5KtDpyC67KxlAF1IA858Tz7eOXxYk3JYsf5g9iC%2BhkfqrDGGucK%2BDxtYZbIvDRb3QxLpD2qtF4NVPFoO38H3aJon0pykwGkrRNU0Pae%2F5YyJjl6m",
"https://vtbehaviour.commondatastorage.googleapis.com/f403bda8d1840e13c382804876bddf5521304bbbe01d8c127e9b482baf4db923_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776232147&Signature=qctdwqGOIWSBEBix28Qxr45GEATFVdZTkDPbDIdJUHZ668NUB29x7xOOu3BZACgBBczicReTkIygLYXiDb20rGtoja2iQxFCTOWE4%2FLwc9Nxh7I1%2FSoHR6%2Bi5Wk4XJTAcdzAGeExua8rUKoFT5sIKrtv83PwbAvTCO7GvcydYPqGs2mLLbQhp7372gRlMAdZg6XILhNRYSlLjZKO%2BpqkBfkK8qpwy%2BaB6%2BDnSqhM%2BVFxaWXh",
"https://vtbehaviour.commondatastorage.googleapis.com/106d36306f3b9357ff409aa1e41521243092c85e8e92fee633b033c9753e98a6_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776232356&Signature=dOUaP3bH%2F2XkNjkbn9FzySukzQbvCwdZKL3t4DjYw8QyaWjsDXs4zMrVafpcb0nOty%2Ff6lOTZkHbIBpyOnKxL9VoqGlftDb03fLBfKM96ov1%2B%2F7gAUJtMfAdk9BUBNUNda9t16wrDNGAVeGod5gZULkmaRB%2BSYwitpYbdZZw9oqT6GM86gMSQdng8tKJ5jvB7qzOr5k3fD2VUuTDsvjZN4f0hncuHKTT6LK4T2FPew5lUi44QzME",
"https://vtbehaviour.commondatastorage.googleapis.com/37f12bc75b877cf1823020f35dfc55ecde4dd992020b7059b13cbc2a59a1602b_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776233810&Signature=RD85gBCBa6ClHHnNqywd6%2FYlQHrUais%2BuABeaQrUngJuiQTTEyzmUagxx2k2VZ0tgbmEb%2Fdh9lTTFZXkRC4cQ18iE4OIl6IKM5Yzxmd8vDT6dmCvEzCiRUxmplXzVUHTJFz1dNIy0zvMDzEuAWEpKf2wo823yU%2F4PaxOceMkJ%2Ftq5Jehb6pUn6ILf%2B5FOEGJpxjXrbtWS%2BT%2BA5ScNml2cc8140P9mQ%2BmMx2EAW",
"",
"https://vtbehaviour.commondatastorage.googleapis.com/db9d8c125c0e5a440719875d01365c7c5423bcc8df55e54cb228ac2aa30bc969_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776235167&Signature=c%2F4wKBu3gsuZInxjqfgg8MbdYRlJ5EYYEV%2Fkl1g3Nx%2Fp%2B7lCYKGrilDgDTTqlooVjs8pyDi58Yi2SSs40L5JzExM18zVXhiUs1SYZNyy3OWKiAZ5QMH69N8R8XHmOd2L6lwfLVy9x%2F%2Fu29ji02gGj0W7eFht2uGb3Hnhegtt%2BNxNhOOCcD8LDnTvh%2Fhm9RYmW40LG5q238yRggg3TFrumeG2RHO9czdiobkRrsAD8eIohj",
"x-amzn-trace-id Root=1-69df501d-7e46547e623628d85631dc6b;Parent=0bf4ea1fded328b1;Sampled=0;Lineage=1:6afe1924:0",
"Nextron: Thank you for the YARA rules. Yara and LB, too.",
"https://vtbehaviour.commondatastorage.googleapis.com/930fd5e980c675c0eeb55d1c3c4b462dae4e9add472228ef9d9d3941d8603c48_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776243461&Signature=Dz1357rbtfS3ulmmu8c%2BhYCsFXq5j6Rkafb9W6C2Rp8K9C3NfbpUuCN1TORawK7%2BnEJXGNb7r2PQThu1hU64xqNTi6I7KNZcOwC5SHIDUgioEm6FoK%2F68BF%2Fj9tn3trLgKetrPx2zuy%2BP9gjqBMe5T2fAtNa%2FJi4uZYhdDQhKIZB1JmXDjEcFMhp6PLdPqEVVUh6nwevWaLhJ1z%2BPVhc9atSdnbwiXbJ7Cp%2BKrfR1xH8OQ"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1095",
"name": "Non-Application Layer Protocol",
"display_name": "T1095 - Non-Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1203",
"name": "Exploitation for Client Execution",
"display_name": "T1203 - Exploitation for Client Execution"
},
{
"id": "T1518",
"name": "Software Discovery",
"display_name": "T1518 - Software Discovery"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1003",
"name": "OS Credential Dumping",
"display_name": "T1003 - OS Credential Dumping"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1014",
"name": "Rootkit",
"display_name": "T1014 - Rootkit"
},
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1485",
"name": "Data Destruction",
"display_name": "T1485 - Data Destruction"
},
{
"id": "T1496",
"name": "Resource Hijacking",
"display_name": "T1496 - Resource Hijacking"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1542",
"name": "Pre-OS Boot",
"display_name": "T1542 - Pre-OS Boot"
},
{
"id": "T1564",
"name": "Hide Artifacts",
"display_name": "T1564 - Hide Artifacts"
},
{
"id": "T1016",
"name": "System Network Configuration Discovery",
"display_name": "T1016 - System Network Configuration Discovery"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1547",
"name": "Boot or Logon Autostart Execution",
"display_name": "T1547 - Boot or Logon Autostart Execution"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1134",
"name": "Access Token Manipulation",
"display_name": "T1134 - Access Token Manipulation"
},
{
"id": "T1046",
"name": "Network Service Scanning",
"display_name": "T1046 - Network Service Scanning"
},
{
"id": "T1539",
"name": "Steal Web Session Cookie",
"display_name": "T1539 - Steal Web Session Cookie"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 3012,
"IPv4": 343,
"URL": 3825,
"FileHash-MD5": 734,
"FileHash-SHA1": 453,
"domain": 862,
"hostname": 1629,
"email": 25,
"CVE": 1
},
"indicator_count": 10884,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 49,
"modified_text": "3 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69d20ba2a469e45b8dfd8c31",
"name": "VirusTotal Windows Sandbox",
"description": "A security alert has been issued by the UK government over the weekend, with the result of a malicious web address being sent to a member of the public via an address address linked tolinkedin.",
"modified": "2026-04-16T03:08:56.593000",
"created": "2026-04-05T07:13:38.063000",
"tags": [
"windows sandbox",
"calls process",
"time",
"request header",
"host",
"windows nt",
"win64",
"khtml",
"gecko",
"acceptencoding",
"accept",
"response header",
"date",
"dword",
"malware",
"file type",
"utf8",
"crlf line",
"unicode text",
"yara",
"binary",
"found",
"sample",
"mitre attack",
"malicious",
"window",
"next",
"detail info",
"tickcount",
"behaviour",
"processid",
"threadid",
"startaddress",
"parameter",
"offset",
"windows xp",
"professional",
"write",
"info",
"shell",
"cultureneutral",
"count",
"default",
"subsys11001af4",
"rev003",
"rev033",
"folders api",
"skylakeibrs",
"daba3ff",
"inprocserver32",
"first",
"virustotal",
"enterprise",
"service",
"close",
"win32 exe",
"pe32",
"ms windows",
"win16 ne",
"icons library",
"os2 executable",
"generic windos",
"executable",
"pe64 library",
"cname",
"none rticon",
"file size",
"sha256",
"mwdb",
"bazaar",
"sha3384",
"crc32",
"shutdown",
"error",
"back",
"lsappdata",
"inetfiles",
"windowname",
"protocol level",
"application",
"next connection",
"address",
"http url",
"get http",
"full path",
"path",
"filename",
"targetprocess",
"writeaddress",
"size",
"targetpid",
"findfirstfileex",
"class",
"find",
"open",
"imagepath",
"cmdline",
"ping",
"flags"
],
"references": [
"https://vtbehaviour.commondatastorage.googleapis.com/000bdbb9556e3474630b36d57190d5dae719886a6cdecf824af6a456243ebf88_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775372160&Signature=wARiO6wRTZGhS9vOpI%2BvoWxpe55%2BBlHjfTVS2m1fsb3%2FyiqXoI5x8uRNh6fj6Qp6DpePIZAM2MHvDzi%2B5TT6VWKI4zyyc%2BeVp9gihB0djBnCJr%2BKCB18kdFNBE%2BicOTMmx5aJ1hSjWQcOBYm9PMkZ6%2BhLzxX3gxTMneBKGhh0ckFJRTRfM2gKMfEPrOQ6aVgfkTWJUR9FQYz5g2qKGSDh1CCNlEzXhO33BEPI9fN",
"https://vtbehaviour.commondatastorage.googleapis.com/03a5d431bb42e7730a3ae3b3563cee73e7a782079cf56f57bad5fe665d261e54_SecneurX.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775372244&Signature=fXjnCgFbGybFp%2BCRO6a%2FQ3LKU2uLiKNtjgwKzprL3LFL%2BTMgup6nbp7%2F9Hxy8bnBzlFtSzO0fcnf%2FpIsNim0UdrINmB63N9mKkBW1cOkjxV88PAy2nsFZA3FjOEYq4N0lgc8gAtS5eRTt%2Bwb7WjEnd3QQ7aPLuoVl2hjed4hC8Cit6efcSD9GbJCITMeX4%2FVHBYSjmDr4Pgip9ANSZ6wvzkRktqPpC23Qwl62gkuXE%2BKp0s%2Bq%",
"https://vtbehaviour.commondatastorage.googleapis.com/14116af49a976b71f7ddd760161a1d50328baa280ac2c9a1f9f3a8996a3929b6_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775372327&Signature=bhG0zZxkKhoz9temkLENxZsdN9KeMsxW4nt2II1lmaPLEGAhNM4EmX5e7z1UM9LLsnqrvuZBhQs7ZnBuwSpY5T8iiKIu2%2FfZ83pX1Tw8s%2Bn%2BfXlEl3jlhzXWewZ9i8ZlXd6YIeWETsAak1j93aNnJHB2IPoZn7VISupTj400x7E%2FSm0ilDz4zCCDAjz1eTp1N41HvmoviGQGwTSnjTW5oyBHDm8RglOnnNqcEsm6%2BkGBJToFomLsipvuVIz8",
"https://vtbehaviour.commondatastorage.googleapis.com/39c58d0f868d4e8d1b959dce19d0bbcc57bb8b9b832f9efbe4e2244051237b95_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775372451&Signature=Dv9FcZuWlVKlY26EcoSmR4Kcb44tKDv4kyBrDOputdJDLMvfDX9%2Fs4Ss4cLURTdCso74wPUHQpcMVcyeGGK%2F3RwYbxXwJjMGGAJSCfCxIDRiL%2BLOQKY3M7zGyXrkpuwr5lQS4CaKp1LFajsxxwnKpd%2F5eXNMLqlyxh%2ByO3dJWTkY8WqNnnwnSjW0lqpwB9%2BBjgEdIeWsnMRqF0t4JQ8dJsmCbbTXmAKIEZ46Rpio044%2BrsqH",
"https://vtbehaviour.commondatastorage.googleapis.com/539dc26a14b6277e87348594ab7d6e932d16aabb18612d77f29fe421a9f1d46a_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775372560&Signature=tXBHkUCyFp7E2Um%2FMUvRPbUvaQmYPeBV7KGbi%2Bssa%2FkYQyqgH4u8fy6h0A8bVbsyQMMPf2EEF2JkzkiD6SXcfLADGdVqHYQya%2F6s2Ox5QnOFkJSATlDdXCWVp%2F4wHxZHInIRcrBPZFjjYFQM0u7VYCEMtkMCS0pzld2nGLlcOuOXBFxGTQPy0A03dikBC4Yw4f%2BdiMLMxO0hxZSo9FxPq1ylB4gs57NBBniylVO4Qi%2BLzleU5",
"https://vtbehaviour.commondatastorage.googleapis.com/0ab7fad77871a45137c9f2e40e3cbf47e3d71315f71c8eca9c8d62bc24a53184_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775372878&Signature=cLNwLw1L9ZCpQXZej7DaLTWH5w887X5wPnSpN1pwH2N4acSu8Llp25uprGRArg6qCuPbVQ2YPyIeCdwLCZvq%2FU0hP8m17ZPontiyR5zKb7jxcW57eEUuVnuSV9%2FnukwtPPJ%2BTY7a0%2B9rwSAU%2FL%2FJQ1yMke6VIX%2B%2F6KSWHgmLV%2F%2FR%2FbOxB0oZ4%2Fe%2Fsb2%2Fw12dZix7IY6c7wOj1OlWGQSkAZZsEoDw",
"https://vtbehaviour.commondatastorage.googleapis.com/01f09136cb86f25635f91144946847d58c559228d50d9b84b0c021d4091b840b_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775373052&Signature=U7haY6XsgyJ83G1vAOPLrLLS%2BaMP9xAKOlnzSb4I9clIBLt9Y8xzP4qjfBxbeUfdF6s%2B6dtg4dXzqTjrAYSC3XOTEEtHZeK4ePz5qfS9n%2FWNrOKQb30VBhfUNL5DYUCd3XSOPjIVlbRz9ylDpwApfVK2AMarGiLLlnKRDv7M0S63SkQx8eWyabXd2afPPy96ZGNZVZfOhw5llZiztL6mYo%2BVivlyFsDcodH9F4XrS%2FPsSLeJRx5d",
"https://vtbehaviour.commondatastorage.googleapis.com/7605fa9aeaae25656c40a553534d35418cca40dc48023d0b3237b402361c6816_Dr.Web%20vxCube.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775373200&Signature=uMO8ESBCpu0oIIRS0CToWTN9KlOHyq4uWjWMjfdcUCGyliW%2FSy8KDIg6OMWLUQ6SBC45Jm0Mr%2FNV6m74hTSnpmGdVf6k6mA3QrTQwUMaMk2QbBLU1IwUG8wvylr6KXEqQYYCkZksYiZEyNm%2B2hKNvWtKFc%2BZlL7M12RBSER84%2FDRQlJnK6qbDW3DYX1tPsXxTynGj5YxQDlUqfWU8CjZtSAfUK%2Bw%2FoybwyMsJc68%2B01HQ",
"https://vtbehaviour.commondatastorage.googleapis.com/7605fa9aeaae25656c40a553534d35418cca40dc48023d0b3237b402361c6816_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775373283&Signature=KIPnPqQCcifTzuRS43FhFyzCXei0rDK20JuVvXA3UkB%2Bj6R1a4SAH2sn%2BJO1ohLSxLswzbryMf81lr4eGQCMbr3Wwfwo7kHN1yHV4M187cNxRZlbZ4%2BzOZZgfWt3bJNLx2Z4%2B4aqarco7OzqkhcQizlq8frRttJQjcLcNxgWD3oV2QDxZxurniW%2BhRRUS%2Bv9uGXWIRhWYmbEA%2BaoQsvpX0AIeSUCn4qb%2Fh31hJe7JitkCE",
"https://vtbehaviour.commondatastorage.googleapis.com/000007781f616194758c52c551ab2f198970675c9218eab9f1e4470f0a696e71_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775373373&Signature=mjvxt7z8ajbHZY%2BdL0G02pE7trUx7SkineLNrDSnq8FxmEuCuDdnNDWKdPawPb4w2NnK5HFkV3BAdTJrRNBxBceLP%2FevhdkmR4C%2BiZZ8pz9GBeqwl0l6oJMBga2ZHfKcA%2BxqQgP5r1zzN%2BZPMH0zxPdHYZA2WlzkfzPBDQcTEDdz8aTIaX%2BOP5JUo4gYjqxxxrdBLVGv0i54PedBqgFw5IRrPpdH%2FwlQGTLKQ%2BSjslq2d0",
"https://vtbehaviour.commondatastorage.googleapis.com/39c58d0f868d4e8d1b959dce19d0bbcc57bb8b9b832f9efbe4e2244051237b95_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775373454&Signature=oXNg992chHQhOJxpI2XcWdFB%2FxJme1ol4iA4aOgaKWQcqa9WXsYlPcTANPmFkyrHIciosnksXEJrIAfFsjAYeEqG%2F7oPGCQLBILFHUhwZVcoJR9PgFwUsHBu%2FqiWSOifVPER4vpDL0gbsuNlU6gHT5aWRW%2BwoOwbHSIt5jj%2FJ3%2FxGDBAUaZrSuQurOM0Nb3qRhNN1NOTUj7mGTuUBXdtvnzCFLjxl3Kk6dYYFgmwhWI04P3JIB"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1010",
"name": "Application Window Discovery",
"display_name": "T1010 - Application Window Discovery"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
},
{
"id": "T1090",
"name": "Proxy",
"display_name": "T1090 - Proxy"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1014",
"name": "Rootkit",
"display_name": "T1014 - Rootkit"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1542",
"name": "Pre-OS Boot",
"display_name": "T1542 - Pre-OS Boot"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 72,
"FileHash-MD5": 60,
"FileHash-SHA1": 31,
"FileHash-SHA256": 149,
"IPv4": 47,
"domain": 19,
"hostname": 91
},
"indicator_count": 469,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 48,
"modified_text": "3 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69b4daa88e794fdfb43ff156",
"name": "CAPE Sandbox- doesnt add up the ai summary check the settings for manipulation",
"description": "",
"modified": "2026-04-13T03:29:47.531000",
"created": "2026-03-14T03:48:56.520000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 90,
"FileHash-SHA1": 81,
"FileHash-SHA256": 71,
"URL": 22,
"domain": 6,
"hostname": 60
},
"indicator_count": 330,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 49,
"modified_text": "6 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69b4b342d4caca5474f1e7d7",
"name": "Domains of interest",
"description": "for later analysis. pulse pt",
"modified": "2026-04-13T01:07:12.977000",
"created": "2026-03-14T01:00:50.336000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 263,
"URL": 37,
"domain": 13,
"hostname": 125,
"FileHash-SHA1": 123,
"FileHash-MD5": 90,
"CVE": 1
},
"indicator_count": 652,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 48,
"modified_text": "6 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69d581fe66b2a372fe14cb07",
"name": "Yoroi / Yomi Hunter Sandbox",
"description": "c0085eb467d2fc9c9f395047e057183b3cd1503a4087d0db565161c13527a76f\n(Image2629)_Windows_Microsoft.NET_Framework_v3.5_default.win32manifes\nFile Name\tc4ca4238a0b923820dcc509a6f75849b\nFile Size\t490\nFile Type\tXML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators\nMD5\ta19a2658ba69030c6ac9d11fd7d7e3c1\nSHA1\t879dcf690e5bf1941b27cf13c8bcf72f8356c650\nSHA512\tfa583ba012a80d44e599285eb6a013baf41ffbe72ee8561fc89af0ec5543003ba4165bfe7b1ba79252a1b3b6e5626bf52dc712eacd107c0b093a5a2757284d73\nCRC32\t266BB9C6\n\n Initial Access \n Execution \nExecution through Module Load\n Persistence \nModify Existing Service\n Privilege Escalation \n Defense Evasion \nDisabling Security Tools\nModify Registry\n Credential Access \n Discovery \nProcess Discovery\nSecurity Software Discovery\n Lateral Movement \n Collection \nMan in the Browser\n Exfiltration \n Command And Control \nStandard Non-Application Layer Protocol\nStandard Application Layer Protocol",
"modified": "2026-04-07T22:17:12.155000",
"created": "2026-04-07T22:15:26.104000",
"tags": [
"file size",
"file type",
"ssdeep",
"clamav none",
"yara",
"virustotal",
"sqlite rollback",
"sha512",
"analysis",
"sha1"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 50,
"FileHash-SHA1": 32,
"FileHash-SHA256": 32,
"IPv4": 5,
"URL": 30,
"domain": 17,
"hostname": 59
},
"indicator_count": 225,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 48,
"modified_text": "12 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69aa842cef967c844adef1de",
"name": "CAPE Sandbox part 2 - see part 1",
"description": "heartbreaking",
"modified": "2026-04-05T11:04:28.804000",
"created": "2026-03-06T07:37:16.417000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1003",
"name": "OS Credential Dumping",
"display_name": "T1003 - OS Credential Dumping"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1014",
"name": "Rootkit",
"display_name": "T1014 - Rootkit"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1047",
"name": "Windows Management Instrumentation",
"display_name": "T1047 - Windows Management Instrumentation"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1203",
"name": "Exploitation for Client Execution",
"display_name": "T1203 - Exploitation for Client Execution"
},
{
"id": "T1485",
"name": "Data Destruction",
"display_name": "T1485 - Data Destruction"
},
{
"id": "T1496",
"name": "Resource Hijacking",
"display_name": "T1496 - Resource Hijacking"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1542",
"name": "Pre-OS Boot",
"display_name": "T1542 - Pre-OS Boot"
},
{
"id": "T1548",
"name": "Abuse Elevation Control Mechanism",
"display_name": "T1548 - Abuse Elevation Control Mechanism"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1564",
"name": "Hide Artifacts",
"display_name": "T1564 - Hide Artifacts"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 3905,
"FileHash-SHA1": 3515,
"FileHash-SHA256": 8002,
"URL": 982,
"hostname": 2532,
"domain": 164,
"email": 1
},
"indicator_count": 19101,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 49,
"modified_text": "14 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
},
{
"id": "69aa53582de113e05d102700",
"name": "CORRUPT.",
"description": "the only wizard I like is Harry",
"modified": "2026-04-05T07:38:31.088000",
"created": "2026-03-06T04:08:56.281000",
"tags": [
"inno setup",
"linker",
"pe32",
"intel",
"ms windows",
"win32 exe",
"pecompact",
"pe32 installer",
"module",
"professional",
"delphi"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 0,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 1181,
"FileHash-SHA1": 1182,
"FileHash-SHA256": 3383,
"URL": 218,
"domain": 59,
"hostname": 646,
"email": 1
},
"indicator_count": 6670,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 48,
"modified_text": "14 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "domain",
"related_indicator_is_active": 1
}
],
"error": null,
"vt": {
"error": "VirusTotal rate limit reached. Try again shortly.",
"indicator": "mapping3.map",
"type": "Domain"
},
"abuseipdb": null,
"urlhaus": {
"indicator": "mapping3.map",
"found": false,
"verdict": "clean",
"urls": [],
"error": null
},
"from_cache": true,
"_cached_at": 1776641968.1832619
}