{ "type": "Domain", "indicator": "scoopsinsider.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/scoopsinsider.com", "alexa": "http://www.alexa.com/siteinfo/scoopsinsider.com", "indicator": "scoopsinsider.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4124708211, "indicator": "scoopsinsider.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 16, "pulses": [ { "id": "69e30d748895cd7a5746fd20", "name": "Evolution of Russian APT29 \u2013 Attacks &Techniques Uncovered [Credit AlienVault 6.26.2023] [Q.Vashti 04.17.2026 additional research", "description": "When it comes to exceptionally sophisticated malware attacks, APT29 stands at the forefront. The SolarWinds breach marked only the beginning of persistent malware attacks carried out by the threat actor. Since the attack on SolarWinds, the APT has relentlessly persisted in its attacks on governments, defense entities, critical manufacturing organizations, and IT service providers. Their latest attacks involve exploiting lesser-known Windows features and specifically targeting diplomats stationed in Ukraine. - https://www.avertium.com/resources/threat-reports/evolution-of-russian-apt29-new-attacks-and-techniques-uncovered", "modified": "2026-05-18T03:24:08.757000", "created": "2026-04-18T04:49:56.011000", "tags": [ "injection", "removal", "manipulation", "apt29", "lab52", "avertium", "ukraine", "magicweb", "nato", "solarwinds", "snowyamber", "halfrig", "quarterrig", "orion", "team", "ransomware", "mimikatz", "magicweb", "hijack", "cobalt strike", "trojan", "dropper", "dukes", "malware", "ylarv", "drop", "msdos", "stub", "rareencoding", "memory pattern", "communication", "urls http", "hashes", "client execut", "modify registry", "preos boot", "technir process", "artifacts v", "v help", "rootkit", "os credential", "response", "nxdomain", "name n", "dumping", "sigma", "use short", "name path", "creates", "query firmware", "verdict", "report", "malicious", "defense evasion", "network info", "process", "system", "hostname" ], "references": [ "https://www.avertium.com/resources/threat-reports/evolution-of-russian-apt29-new-attacks-and-techniques-uncovered", "https://otx.alienvault.com/pulse/64c131d13447ec7826c8ac6f", "I copied IoC\u2019s & from a pulse by AlienVault. I added related , resourced information I found interesting", "XOR_embeded_exefile_xored_with_round_256_bytes_key", "FILEHASH - SHA256 966e070a52de1c51976f6ea1fc48ec77f6b89f4bf5e5007650755e9cd0d73281 ->", "Name: Invitation - Santa Lucia Celebration.msg \u2022 File Type CDFV2 Microsoft Outlook Message", "YARA DESCRIPTION: Detects encoded keyword - GetCurrentThreadId RULE_AUTHOR: Florian Roth", "YARA Signature Match - THOR APT Scanner Get RULE_AUTHOR: Florian Roth", "YARA RULE: SUSP_Encoded_GetCurrentThreadId RULE_AUTHOR: Florian Roth", "YARA RULE_SET: Livehunt - Suspicious82 Indicators RULE_AUTHOR: Florian Roth", "YARA RULE_TYPE: THOR APT Scanner's rule set only RULE_AUTHOR: Florian Roth", "YARA RULE : SUSP_Decimal_Encoded_Executable_May21_1 RULE_AUTHOR: Florian Roth", "SIGMA Matches rule Use Short Name Path in Command Line by frack113, Nasreddine Bencherchali", "Matches rule Use Short Name Path in Image by frack113, Nasreddine Bencherchali - Sigma rule cannot be loaded.", "kefas.id: Crowdsourced Sigma below | Malicious Score High", "Activity related to APT29 - according to source Cluster25 - This DOMAIN is used as a CnC by APT29", "Evolution of Russian APT29 \u2013 New Attacks and Techniques Uncovered - according to source ArcSight Threat Intelligence - 2 years ago CCleaner", "Credit: Resourced by AlienVault on July 26, 2023 at 8:48:39 \u2022 AlienVault |", "Additions: resourced by Q.Vashti 04.17.2026 - credit crowdsourced information & personal research" ], "public": 1, "adversary": "", "targeted_countries": [ "Norway", "Ukraine", "Poland" ], "malware_families": [ { "id": "Xored", "display_name": "Xored", "target": null }, { "id": "Trojan.Dukes/Xmldrp", "display_name": "Trojan.Dukes/Xmldrp", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1542.003", "name": "Bootkit", "display_name": "T1542.003 - Bootkit" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1574.002", "name": "DLL Side-Loading", "display_name": "T1574.002 - DLL Side-Loading" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 23, "URL": 34, "hostname": 97, "FileHash-MD5": 32, "FileHash-SHA1": 29, "FileHash-SHA256": 138, "CVE": 4 }, "indicator_count": 357, "is_author": false, "is_subscribing": null, "subscriber_count": 144, "modified_text": "12 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a05ac967057c13623229fa4", "name": "Eternal Romance. InfinityRedRatLokiMeteorDownDropRemPetDCometRevenBRabbit[Ilu/txt> vbs]CAPE Sandbox", "description": "[A report on the discovery of a malicious script on a server at the University of California, Los Angeles, has been published by GRAMMERSoft Group, a security firm based in the Philippines.] s): InfinityLock RedLine Njrat LokiBot Meteorite Downloader JavaDropper Remcos Petya DarkComet RevengeRAT BadRabbit Iloveyou[txt]vbs.\nMalware like this is almost never unintentional.", "modified": "2026-05-15T10:49:24.586000", "created": "2026-05-14T11:05:58.600000", "tags": [ "vbcrlf", "error resume", "next dim", "page", "loveletter", "script", "createobject", "html", "meta", "name", "title", "body", "iloveyou", "generator", "philippines", "loop", "extra info", "next", "vbs script", "program", "attack network", "info processes", "zenbox verdict", "guest system", "ultimate file", "info file", "defense evasion", "windows sandbox", "calls clear", "next ur", "file type", "ascii text", "crlf line", "ms windows", "pe32", "drops pe", "intel", "yara", "sigma", "njrat", "malicious", "darkcomet", "code", "delphi", "dbatloader", "loader", "fraud", "notpetya", "killmbr", "trojanransom", "ransomware", "initial access", "settings", "default", "parent pid", "full path", "command line", "mwdb", "bazaar", "sha3384", "ssdeep", "format", "shell", "payload", "kevin", "accept", "revengerat", "shutdown", "aspack", "vmprotect", "meteorite", "petya", "infinitylock", "redline", "remcos", "javadropper", "lokibot", "guard", "mono", "eternalromance", "exploit", "badrabbit", "s): InfinityLock RedLine Njrat LokiBot Meteorite Downloader Java" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/556700ac50ffa845e5de853498242ee5abb288eb5b8ae1ae12bfdb5746e3b7b1_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778755991&Signature=xjEd%2BfezTG%2Bhf9CMiLVkvgMjqq3uWY0btw2QhhcAqvYLh%2BdAJB5d1xHA9O3DAxXep3iyDgqVU01VvCAb%2BKefQNSVhuEaACn6Vg0Hh1CHnNc3GMCXSMdTRZFYYSzniYpYsmeZX%2F0ez%2Fvlig7VA40maOBDvb%2B3HADaVl1jboeClkaL2NCfDYCQYRK2vZ5yX7ggUG%2FM2b0scFtssuydGnlFONW5Ebr6b3RuXJRvMFO9SQ%2BJ", "https://vtbehaviour.commondatastorage.googleapis.com/556700ac50ffa845e5de853498242ee5abb288eb5b8ae1ae12bfdb5746e3b7b1_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778756062&Signature=1qwcsdiF0JPfNYSk7RDQXO4pZXvL%2Fj1JyEUevcp%2B6HlCDqJ6UKeuGEjU%2FtfcS8Y2I%2B%2FIkWQ7I%2FrKwePXyPYnyKs%2F5BGxqLLSdyj6hlP6mspza3lBQCmI8D%2B%2F%2BIcbUB4s1UZP6cZ3bieHVI%2BUt7YDDau3vsnsQBE3cIa48fIcZYKmsJp7P%2FETHpk%2FGfCZlLU4fOjXvbexeI%2Fjw%2FLOBcq3zipo%2BwQyGxHTmnK%2F", "https://vtbehaviour.commondatastorage.googleapis.com/556700ac50ffa845e5de853498242ee5abb288eb5b8ae1ae12bfdb5746e3b7b1_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778756107&Signature=qcKaJdEe1%2F0Ewg9HU1LOWWYUSa1AX6o24coccdj5tLucnjjA7oPNFtU1%2FnPf1MngS%2B8Re5bUyuY%2FpE%2FwiXxMY9hSNotJ6H1BkH1IoOGDT8ucHEnRnac1I9XLmxmVOBdHXBoIYAF6cQu1wHM6n7kGPEnerHpqMASVuGIVJqeq9p3f7K8RNeiAlAzFQHPWjKuVRpePEo0aeNddEvVPmacL3C3Jjat%2B8lUZN4JAbvRXfPBU", "https://vtbehaviour.commondatastorage.googleapis.com/7737f90de7e9fc0935561c017e9ddc4a58337ebc25873f0bbcfe860790f3f888_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778756213&Signature=nT2GPVh7JliXkCSmMglFnpxTqzjwGedv4d2km9l3nSbMaMVXff1erDdvDEzPK%2BiZmnXCBqjGhLu0pehbVPaA%2FuFCZI%2FNWrrMXl07NM2A8A0aQwuI5lwt6CpefiJaPgbeNJ%2FYSGyoPLGwLQTA1Upga8%2F1GeMvooHMu1noElIuYrvsfuC3bzCdwW7rC2t4C9bKa0%2FBKK%2BQHVrZA2NIAsBNIRplsBOqZybAuDBKBxb8Liqs580KbDsCQU4%", "https://vtbehaviour.commondatastorage.googleapis.com/7737f90de7e9fc0935561c017e9ddc4a58337ebc25873f0bbcfe860790f3f888_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778756397&Signature=GrgrzQyGr0qFGDnfG3rlbCv4hrrrTPOM0ZaqFW%2FWxF%2BZW62aUsSeXENHRday%2B2le7YUbRKI20ywbl8yvmeRJ1iO5haWVNYFoq7Gt1zljmR%2F5ZveJp80cYWagPzIcSu2W0NzvR8T49UkZukCRr2yTn4Y77ivK4HZ%2FyE3ZL9Au3TqjZg0PaQSZhsub%2BtP7IMgeCTGCevf0UvRrEE6aka8%2FNMFwhtH5Pi7CX8SD%2F4Q%2Bd34I" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1490", "name": "Inhibit System Recovery", "display_name": "T1490 - Inhibit System Recovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1529", "name": "System Shutdown/Reboot", "display_name": "T1529 - System Shutdown/Reboot" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 36, "FileHash-MD5": 245, "FileHash-SHA1": 109, "FileHash-SHA256": 224, "URL": 269, "domain": 51, "email": 3, "hostname": 189, "Mutex": 4 }, "indicator_count": 1130, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "15 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a05ac72028bf99f635f0ded", "name": "Eternal Romance. InfinityRedRatLokiMeteorDownDropRemPetDCometRevenBRabbit[Ilu/txt> vbs]CAPE Sandbox", "description": "[A report on the discovery of a malicious script on a server at the University of California, Los Angeles, has been published by GRAMMERSoft Group, a security firm based in the Philippines.] s): InfinityLock RedLine Njrat LokiBot Meteorite Downloader JavaDropper Remcos Petya DarkComet RevengeRAT BadRabbit Iloveyou[txt]vbs.\nMalware like this is almost never unintentional.", "modified": "2026-05-14T11:05:22.932000", "created": "2026-05-14T11:05:22.932000", "tags": [ "vbcrlf", "error resume", "next dim", "page", "loveletter", "script", "createobject", "html", "meta", "name", "title", "body", "iloveyou", "generator", "philippines", "loop", "extra info", "next", "vbs script", "program", "attack network", "info processes", "zenbox verdict", "guest system", "ultimate file", "info file", "defense evasion", "windows sandbox", "calls clear", "next ur", "file type", "ascii text", "crlf line", "ms windows", "pe32", "drops pe", "intel", "yara", "sigma", "njrat", "malicious", "darkcomet", "code", "delphi", "dbatloader", "loader", "fraud", "notpetya", "killmbr", "trojanransom", "ransomware", "initial access", "settings", "default", "parent pid", "full path", "command line", "mwdb", "bazaar", "sha3384", "ssdeep", "format", "shell", "payload", "kevin", "accept", "revengerat", "shutdown", "aspack", "vmprotect", "meteorite", "petya", "infinitylock", "redline", "remcos", "javadropper", "lokibot", "guard", "mono", "eternalromance", "exploit", "badrabbit", "s): InfinityLock RedLine Njrat LokiBot Meteorite Downloader Java" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/556700ac50ffa845e5de853498242ee5abb288eb5b8ae1ae12bfdb5746e3b7b1_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778755991&Signature=xjEd%2BfezTG%2Bhf9CMiLVkvgMjqq3uWY0btw2QhhcAqvYLh%2BdAJB5d1xHA9O3DAxXep3iyDgqVU01VvCAb%2BKefQNSVhuEaACn6Vg0Hh1CHnNc3GMCXSMdTRZFYYSzniYpYsmeZX%2F0ez%2Fvlig7VA40maOBDvb%2B3HADaVl1jboeClkaL2NCfDYCQYRK2vZ5yX7ggUG%2FM2b0scFtssuydGnlFONW5Ebr6b3RuXJRvMFO9SQ%2BJ", "https://vtbehaviour.commondatastorage.googleapis.com/556700ac50ffa845e5de853498242ee5abb288eb5b8ae1ae12bfdb5746e3b7b1_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778756062&Signature=1qwcsdiF0JPfNYSk7RDQXO4pZXvL%2Fj1JyEUevcp%2B6HlCDqJ6UKeuGEjU%2FtfcS8Y2I%2B%2FIkWQ7I%2FrKwePXyPYnyKs%2F5BGxqLLSdyj6hlP6mspza3lBQCmI8D%2B%2F%2BIcbUB4s1UZP6cZ3bieHVI%2BUt7YDDau3vsnsQBE3cIa48fIcZYKmsJp7P%2FETHpk%2FGfCZlLU4fOjXvbexeI%2Fjw%2FLOBcq3zipo%2BwQyGxHTmnK%2F", "https://vtbehaviour.commondatastorage.googleapis.com/556700ac50ffa845e5de853498242ee5abb288eb5b8ae1ae12bfdb5746e3b7b1_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778756107&Signature=qcKaJdEe1%2F0Ewg9HU1LOWWYUSa1AX6o24coccdj5tLucnjjA7oPNFtU1%2FnPf1MngS%2B8Re5bUyuY%2FpE%2FwiXxMY9hSNotJ6H1BkH1IoOGDT8ucHEnRnac1I9XLmxmVOBdHXBoIYAF6cQu1wHM6n7kGPEnerHpqMASVuGIVJqeq9p3f7K8RNeiAlAzFQHPWjKuVRpePEo0aeNddEvVPmacL3C3Jjat%2B8lUZN4JAbvRXfPBU", "https://vtbehaviour.commondatastorage.googleapis.com/7737f90de7e9fc0935561c017e9ddc4a58337ebc25873f0bbcfe860790f3f888_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778756213&Signature=nT2GPVh7JliXkCSmMglFnpxTqzjwGedv4d2km9l3nSbMaMVXff1erDdvDEzPK%2BiZmnXCBqjGhLu0pehbVPaA%2FuFCZI%2FNWrrMXl07NM2A8A0aQwuI5lwt6CpefiJaPgbeNJ%2FYSGyoPLGwLQTA1Upga8%2F1GeMvooHMu1noElIuYrvsfuC3bzCdwW7rC2t4C9bKa0%2FBKK%2BQHVrZA2NIAsBNIRplsBOqZybAuDBKBxb8Liqs580KbDsCQU4%", "https://vtbehaviour.commondatastorage.googleapis.com/7737f90de7e9fc0935561c017e9ddc4a58337ebc25873f0bbcfe860790f3f888_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778756397&Signature=GrgrzQyGr0qFGDnfG3rlbCv4hrrrTPOM0ZaqFW%2FWxF%2BZW62aUsSeXENHRday%2B2le7YUbRKI20ywbl8yvmeRJ1iO5haWVNYFoq7Gt1zljmR%2F5ZveJp80cYWagPzIcSu2W0NzvR8T49UkZukCRr2yTn4Y77ivK4HZ%2FyE3ZL9Au3TqjZg0PaQSZhsub%2BtP7IMgeCTGCevf0UvRrEE6aka8%2FNMFwhtH5Pi7CX8SD%2F4Q%2Bd34I" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1490", "name": "Inhibit System Recovery", "display_name": "T1490 - Inhibit System Recovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1529", "name": "System Shutdown/Reboot", "display_name": "T1529 - System Shutdown/Reboot" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 36, "FileHash-MD5": 244, "FileHash-SHA1": 108, "FileHash-SHA256": 223, "URL": 269, "domain": 51, "email": 3, "hostname": 189 }, "indicator_count": 1123, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "16 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a05ac2c27730f972e8d9474", "name": "Eternal Romance. InfinityRedRatLokiMeteorDownDropRemPetDCometRevenBRabbit[Ilu/txt> vbs]CAPE Sandbox", "description": "[A report on the discovery of a malicious script on a server at the University of California, Los Angeles, has been published by GRAMMERSoft Group, a security firm based in the Philippines.] s): InfinityLock RedLine Njrat LokiBot Meteorite Downloader JavaDropper Remcos Petya DarkComet RevengeRAT BadRabbit Iloveyou[txt]vbs.\nMalware like this is almost never unintentional.", "modified": "2026-05-14T11:04:12.425000", "created": "2026-05-14T11:04:12.425000", "tags": [ "vbcrlf", "error resume", "next dim", "page", "loveletter", "script", "createobject", "html", "meta", "name", "title", "body", "iloveyou", "generator", "philippines", "loop", "extra info", "next", "vbs script", "program", "attack network", "info processes", "zenbox verdict", "guest system", "ultimate file", "info file", "defense evasion", "windows sandbox", "calls clear", "next ur", "file type", "ascii text", "crlf line", "ms windows", "pe32", "drops pe", "intel", "yara", "sigma", "njrat", "malicious", "darkcomet", "code", "delphi", "dbatloader", "loader", "fraud", "notpetya", "killmbr", "trojanransom", "ransomware", "initial access", "settings", "default", "parent pid", "full path", "command line", "mwdb", "bazaar", "sha3384", "ssdeep", "format", "shell", "payload", "kevin", "accept", "revengerat", "shutdown", "aspack", "vmprotect", "meteorite", "petya", "infinitylock", "redline", "remcos", "javadropper", "lokibot", "guard", "mono", "eternalromance", "exploit", "badrabbit", "s): InfinityLock RedLine Njrat LokiBot Meteorite Downloader Java" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/556700ac50ffa845e5de853498242ee5abb288eb5b8ae1ae12bfdb5746e3b7b1_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778755991&Signature=xjEd%2BfezTG%2Bhf9CMiLVkvgMjqq3uWY0btw2QhhcAqvYLh%2BdAJB5d1xHA9O3DAxXep3iyDgqVU01VvCAb%2BKefQNSVhuEaACn6Vg0Hh1CHnNc3GMCXSMdTRZFYYSzniYpYsmeZX%2F0ez%2Fvlig7VA40maOBDvb%2B3HADaVl1jboeClkaL2NCfDYCQYRK2vZ5yX7ggUG%2FM2b0scFtssuydGnlFONW5Ebr6b3RuXJRvMFO9SQ%2BJ", "https://vtbehaviour.commondatastorage.googleapis.com/556700ac50ffa845e5de853498242ee5abb288eb5b8ae1ae12bfdb5746e3b7b1_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778756062&Signature=1qwcsdiF0JPfNYSk7RDQXO4pZXvL%2Fj1JyEUevcp%2B6HlCDqJ6UKeuGEjU%2FtfcS8Y2I%2B%2FIkWQ7I%2FrKwePXyPYnyKs%2F5BGxqLLSdyj6hlP6mspza3lBQCmI8D%2B%2F%2BIcbUB4s1UZP6cZ3bieHVI%2BUt7YDDau3vsnsQBE3cIa48fIcZYKmsJp7P%2FETHpk%2FGfCZlLU4fOjXvbexeI%2Fjw%2FLOBcq3zipo%2BwQyGxHTmnK%2F", "https://vtbehaviour.commondatastorage.googleapis.com/556700ac50ffa845e5de853498242ee5abb288eb5b8ae1ae12bfdb5746e3b7b1_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778756107&Signature=qcKaJdEe1%2F0Ewg9HU1LOWWYUSa1AX6o24coccdj5tLucnjjA7oPNFtU1%2FnPf1MngS%2B8Re5bUyuY%2FpE%2FwiXxMY9hSNotJ6H1BkH1IoOGDT8ucHEnRnac1I9XLmxmVOBdHXBoIYAF6cQu1wHM6n7kGPEnerHpqMASVuGIVJqeq9p3f7K8RNeiAlAzFQHPWjKuVRpePEo0aeNddEvVPmacL3C3Jjat%2B8lUZN4JAbvRXfPBU", "https://vtbehaviour.commondatastorage.googleapis.com/7737f90de7e9fc0935561c017e9ddc4a58337ebc25873f0bbcfe860790f3f888_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778756213&Signature=nT2GPVh7JliXkCSmMglFnpxTqzjwGedv4d2km9l3nSbMaMVXff1erDdvDEzPK%2BiZmnXCBqjGhLu0pehbVPaA%2FuFCZI%2FNWrrMXl07NM2A8A0aQwuI5lwt6CpefiJaPgbeNJ%2FYSGyoPLGwLQTA1Upga8%2F1GeMvooHMu1noElIuYrvsfuC3bzCdwW7rC2t4C9bKa0%2FBKK%2BQHVrZA2NIAsBNIRplsBOqZybAuDBKBxb8Liqs580KbDsCQU4%", "https://vtbehaviour.commondatastorage.googleapis.com/7737f90de7e9fc0935561c017e9ddc4a58337ebc25873f0bbcfe860790f3f888_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778756397&Signature=GrgrzQyGr0qFGDnfG3rlbCv4hrrrTPOM0ZaqFW%2FWxF%2BZW62aUsSeXENHRday%2B2le7YUbRKI20ywbl8yvmeRJ1iO5haWVNYFoq7Gt1zljmR%2F5ZveJp80cYWagPzIcSu2W0NzvR8T49UkZukCRr2yTn4Y77ivK4HZ%2FyE3ZL9Au3TqjZg0PaQSZhsub%2BtP7IMgeCTGCevf0UvRrEE6aka8%2FNMFwhtH5Pi7CX8SD%2F4Q%2Bd34I" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1490", "name": "Inhibit System Recovery", "display_name": "T1490 - Inhibit System Recovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1529", "name": "System Shutdown/Reboot", "display_name": "T1529 - System Shutdown/Reboot" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 36, "FileHash-MD5": 244, "FileHash-SHA1": 108, "FileHash-SHA256": 223, "URL": 269, "domain": 51, "email": 3, "hostname": 189 }, "indicator_count": 1123, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "16 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a02eb598920fbedf3e41342", "name": "CAPE Sandbox - Dropped Files are Unacceptable", "description": "these files were \"dropped\" to me pcchecking-main/Ultra scan script", "modified": "2026-05-12T10:43:56.692000", "created": "2026-05-12T08:56:57.100000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 376, "FileHash-SHA1": 144, "FileHash-SHA256": 285, "IPv4": 67, "URL": 154, "domain": 297, "hostname": 152, "email": 4, "YARA": 11 }, "indicator_count": 1490, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "18 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a02eb577acf40ff18578c13", "name": "CAPE Sandbox - Dropped Files are Unacceptable", "description": "these files were \"dropped\" to me pcchecking-main/Ultra scan script", "modified": "2026-05-12T10:00:02.785000", "created": "2026-05-12T08:56:55.407000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 368, "FileHash-SHA1": 142, "FileHash-SHA256": 281, "IPv4": 61, "URL": 104, "domain": 295, "hostname": 132, "email": 2 }, "indicator_count": 1385, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "18 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a02eb5bb415c3d8211f2a69", "name": "CAPE Sandbox - Dropped Files are Unacceptable", "description": "these files were \"dropped\" to me pcchecking-main/Ultra scan script", "modified": "2026-05-12T10:00:01.413000", "created": "2026-05-12T08:56:59.194000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 368, "FileHash-SHA1": 142, "FileHash-SHA256": 281, "IPv4": 59, "URL": 102, "domain": 71, "hostname": 117 }, "indicator_count": 1140, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "18 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a02eb5aebd8b5cd4e1a10b8", "name": "CAPE Sandbox - Dropped Files are Unacceptable", "description": "these files were \"dropped\" to me pcchecking-main/Ultra scan script", "modified": "2026-05-12T10:00:00.080000", "created": "2026-05-12T08:56:58.095000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 368, "FileHash-SHA1": 142, "FileHash-SHA256": 281, "IPv4": 59, "URL": 102, "domain": 71, "hostname": 118 }, "indicator_count": 1141, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "18 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d0f2fff74afb88c843c8e2", "name": "VirusTotal report\n for report.eml", "description": "A security alert for the Verizon Hanover cell phone store in Massachusetts has been triggered by a \"pulses\" created on the site by its owner, the company's parent company, Verizon.><<>>> abuse of power", "modified": "2026-05-04T09:07:45.626000", "created": "2026-04-04T09:49:52.991000", "tags": [ "non dsp", "cor cura", "cookie", "dynamic", "status code", "body length", "kb body", "sha256", "gz6mbt0grch", "utc ua743607001", "acceptencoding", "toggle", "nxdomain", "windows", "analysis", "files mitre", "xe9xaf", "jyx9611xb1", "xe3xfcxfexabe", "source source", "file name", "strings", "first", "path", "enterprise", "service", "close", "richard massina", "rocketreach", "email", "phone number", "clifford", "kenny", "llp associate", "get richard", "massina", "information og", "file type", "sigma", "united", "https", "mitre attack", "network info", "windows folder", "office macro", "creates", "office outbound", "phishing", "malicious", "next", "settings", "first counter", "default", "inprocserver32", "inprochandler32", "mbisslshort", "bearer", "cname", "mwdb", "bazaar", "bridge", "info", "accept", "date", "agent", "shutdown", "root", "secchuamodel", "excellent", "windows sandbox", "calls process", "hull times", "carol britton", "meyer", "kenny law", "town counsel", "james lampke", "june", "hiring", "performs dns", "urls", "found", "belgium", "processes extra", "t1055 process", "script", "hull", "head", "title", "nothing", "file execution", "error", "parent pid", "full path", "command line", "registry keys", "error reporting", "registrya", "localsm0504064" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/3c7b5fbbe5796e6e299266c8bcebde3c872e29ac28c2542065f093647545160f_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775294585&Signature=AiwHrxQG29SI8a31irV4dLtsG8ZrFGJEr6fs%2BRrqi8pGFUV4vyAhN5ojGIFqHXwyboStPTczrsFw58d2k9jvnQVO%2FOejBE7gnCMr3LfPk%2FWzNPo91GeB0LejkpFqYHfNYclItOZ2DMtVJVETSl7W%2BI%2BeXrp2yY550i0cNxjgQQuh2VP89ZTciLvtPrwiOimldyszdN9nPyvg4YCCFedqDFw43RWY6iRxkp9QlLMxwlGr4mRnQE79%", "https://vtbehaviour.commondatastorage.googleapis.com/5fdb5bffef52d84d2621f8b5fc357a235db152b3cca4bd0eb848f8aba2f59574_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775294708&Signature=o%2Bv9PSmG5OUcRvq9CRjSf%2Fbrwygq5PC%2FIsSCmchPVmWeCG29JPa8wmqekjGOn1ZF1mBQOgFzwIg%2B1adIQOkjuGxr3R%2BYojBmrnxa57tRTMUzJGpfbM4eZ1tMfthD2m%2BZlMzGONh0fYAfGCZifJFhlNRe4vvW9HIhXiXyFL8u0Ba3WEAhX8bMm8vjGEfRRwy829vHqyszf15Vj6KJz5uHYYhg8%2BU9ZPEBL8nc2TD08zv3i8vggudk7F9x", "https://vtbehaviour.commondatastorage.googleapis.com/5fdb5bffef52d84d2621f8b5fc357a235db152b3cca4bd0eb848f8aba2f59574_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775294759&Signature=mGlPvn1FqfTNp6h5HQVACkGKlPNvV6MjgprLTJSS1nECbbus7K4lnSfE1kyxH0KO4D%2FqkChrgjxQFb9jGA0OvBOYkqQzmymBMe4LDVEkG7ROUZFnGwlaCHEFxYrP4R%2FTJt%2FAK2lP%2FCRhWJjhxPChq5fN%2BL7DcqgCfRQXQhGPoEdDxsUliwznSEmJucut9dlrBUFoWxJppc7dnf%2BG1Vg560BjMlBiSya3yKiqZju6L%2BtmZEbA", "https://vtbehaviour.commondatastorage.googleapis.com/3c7b5fbbe5796e6e299266c8bcebde3c872e29ac28c2542065f093647545160f_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775295109&Signature=ER9bwT7bZVOczjY2zwfcyVstYuepcZ%2BcYNRbY6iEvfgqSgoj4LzSscvE15RcCn5hwhJIWVW3x87BxFZwSoCCeOb0bz5jragOFnehYWBRNnRlCbxpug1HnBoppu0FUW4VIhZblbViBzBMvTIoMmK%2BbALZEXZ9UkVKTetOaaabYU3EFHmGcTXyoCa6AUJCWsb6TvKYEnc%2Bh3bA2Q0QBDxs%2Boic8smNVwx%2BRxmRR1fZWYJO4%", "https://vtbehaviour.commondatastorage.googleapis.com/3304b08c831d02c887710bcded0f5d628c94e860822a739aed2602cd0affcb31_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775295293&Signature=DdcEXIvyAEeGuBt%2Bi%2BrIQ%2BwAsA3OUEIVlwFpouK%2BFNpWmeiOLlRUVhV894E%2F2hBgEtZ4M5AYUrENKi6fmtnzxDdS1z0cIJm97azyFboiv7MJypgRT5r0FKUI26wRYrdndqQSoGx0NlXz4qGCwHWoeUq8kcUTQGGzabihHjhuNESllxlUD9CRTlcRdoFUPmt3zDzg%2BhK0iOHc6MktlQigbQcYmhbyJnhyDFHrndVF59TRFoup5siG35Bh7r", "https://vtbehaviour.commondatastorage.googleapis.com/3304b08c831d02c887710bcded0f5d628c94e860822a739aed2602cd0affcb31_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775295326&Signature=k1fPUbPf5dSVFGBgjZdipKzgbSBOBbw1Kfe%2BrmACUC%2BJTOZ5%2FTvgETSvmMSWA2V5FSJcs279kO9RR4ifVgP4xWlLA0%2BmC%2F5IWKN1xoMjtSgOmUdiSCDGDllrwlLGD%2FLVNqA0SbHuTVwDjj%2FfST7dXCu9iO9Q1Sg%2F06d9nGOtLtOOadRMrR6A7lUFhg%2Bez5C6iL9HIqhmU55tiD5g496Aa31X7e0reuCO3ac6lV4adxDC", "https://vtbehaviour.commondatastorage.googleapis.com/3c7b5fbbe5796e6e299266c8bcebde3c872e29ac28c2542065f093647545160f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775295393&Signature=JtOgjkWQM%2Bz67YdmZ77hLVquFe4mqzCbIFTEM3paQOO05tT%2BWnu5tvrUKryfhaQifyq7NKcDLAmGQyd4aH3ura5cY9xv7BWoonWPaJTCE0IfSq9Bs1yzphYmg8AKRCgSokoXMPVBMcCSrDGpHD%2F5P1cEO%2BoZmG%2BzY47LGeks8XOKHvMPrayt%2Bm9r%2F16FodqJOF96sgUrX8x6MNWqId8UqE2gWmI8TtXJrNMSXxip6Fh7Hmi3" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 407, "domain": 195, "hostname": 309, "FileHash-SHA256": 607, "FileHash-MD5": 306, "FileHash-SHA1": 31, "email": 1 }, "indicator_count": 1856, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "26 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d0dec2efedd87c3a05cc10", "name": "VirusTotal report\n for report.eml", "description": "The full text of the full report on Csp-report, which will be published in 2026, has been published on the website of Google.com, the firm that owns the search engine>>>> abuse of power", "modified": "2026-05-04T09:07:45.626000", "created": "2026-04-04T09:49:54.810000", "tags": [ "non dsp", "cor cura", "cookie", "dynamic", "status code", "body length", "kb body", "sha256", "gz6mbt0grch", "utc ua743607001", "acceptencoding", "toggle", "nxdomain", "windows", "analysis", "files mitre", "xe9xaf", "jyx9611xb1", "xe3xfcxfexabe", "source source", "file name", "strings", "first", "path", "enterprise", "service", "close", "richard massina", "rocketreach", "email", "phone number", "clifford", "kenny", "llp associate", "get richard", "massina", "information og", "file type", "sigma", "united", "https", "mitre attack", "network info", "windows folder", "office macro", "creates", "office outbound", "phishing", "malicious", "next", "settings", "first counter", "default", "inprocserver32", "inprochandler32", "mbisslshort", "bearer", "cname", "mwdb", "bazaar", "bridge", "info", "accept", "date", "agent", "shutdown", "root", "secchuamodel", "excellent", "windows sandbox", "calls process", "hull times", "carol britton", "meyer", "kenny law", "town counsel", "james lampke", "june", "hiring", "performs dns", "urls", "found", "belgium", "processes extra", "t1055 process", "script", "hull", "head", "title", "nothing", "file execution", "error", "parent pid", "full path", "command line", "registry keys", "error reporting", "registrya", "localsm0504064" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/3c7b5fbbe5796e6e299266c8bcebde3c872e29ac28c2542065f093647545160f_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775294585&Signature=AiwHrxQG29SI8a31irV4dLtsG8ZrFGJEr6fs%2BRrqi8pGFUV4vyAhN5ojGIFqHXwyboStPTczrsFw58d2k9jvnQVO%2FOejBE7gnCMr3LfPk%2FWzNPo91GeB0LejkpFqYHfNYclItOZ2DMtVJVETSl7W%2BI%2BeXrp2yY550i0cNxjgQQuh2VP89ZTciLvtPrwiOimldyszdN9nPyvg4YCCFedqDFw43RWY6iRxkp9QlLMxwlGr4mRnQE79%", "https://vtbehaviour.commondatastorage.googleapis.com/5fdb5bffef52d84d2621f8b5fc357a235db152b3cca4bd0eb848f8aba2f59574_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775294708&Signature=o%2Bv9PSmG5OUcRvq9CRjSf%2Fbrwygq5PC%2FIsSCmchPVmWeCG29JPa8wmqekjGOn1ZF1mBQOgFzwIg%2B1adIQOkjuGxr3R%2BYojBmrnxa57tRTMUzJGpfbM4eZ1tMfthD2m%2BZlMzGONh0fYAfGCZifJFhlNRe4vvW9HIhXiXyFL8u0Ba3WEAhX8bMm8vjGEfRRwy829vHqyszf15Vj6KJz5uHYYhg8%2BU9ZPEBL8nc2TD08zv3i8vggudk7F9x", "https://vtbehaviour.commondatastorage.googleapis.com/5fdb5bffef52d84d2621f8b5fc357a235db152b3cca4bd0eb848f8aba2f59574_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775294759&Signature=mGlPvn1FqfTNp6h5HQVACkGKlPNvV6MjgprLTJSS1nECbbus7K4lnSfE1kyxH0KO4D%2FqkChrgjxQFb9jGA0OvBOYkqQzmymBMe4LDVEkG7ROUZFnGwlaCHEFxYrP4R%2FTJt%2FAK2lP%2FCRhWJjhxPChq5fN%2BL7DcqgCfRQXQhGPoEdDxsUliwznSEmJucut9dlrBUFoWxJppc7dnf%2BG1Vg560BjMlBiSya3yKiqZju6L%2BtmZEbA", "https://vtbehaviour.commondatastorage.googleapis.com/3c7b5fbbe5796e6e299266c8bcebde3c872e29ac28c2542065f093647545160f_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775295109&Signature=ER9bwT7bZVOczjY2zwfcyVstYuepcZ%2BcYNRbY6iEvfgqSgoj4LzSscvE15RcCn5hwhJIWVW3x87BxFZwSoCCeOb0bz5jragOFnehYWBRNnRlCbxpug1HnBoppu0FUW4VIhZblbViBzBMvTIoMmK%2BbALZEXZ9UkVKTetOaaabYU3EFHmGcTXyoCa6AUJCWsb6TvKYEnc%2Bh3bA2Q0QBDxs%2Boic8smNVwx%2BRxmRR1fZWYJO4%", "https://vtbehaviour.commondatastorage.googleapis.com/3304b08c831d02c887710bcded0f5d628c94e860822a739aed2602cd0affcb31_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775295293&Signature=DdcEXIvyAEeGuBt%2Bi%2BrIQ%2BwAsA3OUEIVlwFpouK%2BFNpWmeiOLlRUVhV894E%2F2hBgEtZ4M5AYUrENKi6fmtnzxDdS1z0cIJm97azyFboiv7MJypgRT5r0FKUI26wRYrdndqQSoGx0NlXz4qGCwHWoeUq8kcUTQGGzabihHjhuNESllxlUD9CRTlcRdoFUPmt3zDzg%2BhK0iOHc6MktlQigbQcYmhbyJnhyDFHrndVF59TRFoup5siG35Bh7r", "https://vtbehaviour.commondatastorage.googleapis.com/3304b08c831d02c887710bcded0f5d628c94e860822a739aed2602cd0affcb31_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775295326&Signature=k1fPUbPf5dSVFGBgjZdipKzgbSBOBbw1Kfe%2BrmACUC%2BJTOZ5%2FTvgETSvmMSWA2V5FSJcs279kO9RR4ifVgP4xWlLA0%2BmC%2F5IWKN1xoMjtSgOmUdiSCDGDllrwlLGD%2FLVNqA0SbHuTVwDjj%2FfST7dXCu9iO9Q1Sg%2F06d9nGOtLtOOadRMrR6A7lUFhg%2Bez5C6iL9HIqhmU55tiD5g496Aa31X7e0reuCO3ac6lV4adxDC", "https://vtbehaviour.commondatastorage.googleapis.com/3c7b5fbbe5796e6e299266c8bcebde3c872e29ac28c2542065f093647545160f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775295393&Signature=JtOgjkWQM%2Bz67YdmZ77hLVquFe4mqzCbIFTEM3paQOO05tT%2BWnu5tvrUKryfhaQifyq7NKcDLAmGQyd4aH3ura5cY9xv7BWoonWPaJTCE0IfSq9Bs1yzphYmg8AKRCgSokoXMPVBMcCSrDGpHD%2F5P1cEO%2BoZmG%2BzY47LGeks8XOKHvMPrayt%2Bm9r%2F16FodqJOF96sgUrX8x6MNWqId8UqE2gWmI8TtXJrNMSXxip6Fh7Hmi3" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 407, "domain": 195, "hostname": 309, "FileHash-SHA256": 607, "FileHash-MD5": 306, "FileHash-SHA1": 31, "email": 1 }, "indicator_count": 1856, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "26 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d0dec535ae0f94d37ccefb", "name": "VirusTotal report\n for report.eml", "description": "The full text of the full report on Csp-report, which will be published in 2026, has been published on the website of Google.com, the firm that owns the search engine>>>> abuse of power", "modified": "2026-05-04T09:07:45.626000", "created": "2026-04-04T09:49:57.171000", "tags": [ "non dsp", "cor cura", "cookie", "dynamic", "status code", "body length", "kb body", "sha256", "gz6mbt0grch", "utc ua743607001", "acceptencoding", "toggle", "nxdomain", "windows", "analysis", "files mitre", "xe9xaf", "jyx9611xb1", "xe3xfcxfexabe", "source source", "file name", "strings", "first", "path", "enterprise", "service", "close", "richard massina", "rocketreach", "email", "phone number", "clifford", "kenny", "llp associate", "get richard", "massina", "information og", "file type", "sigma", "united", "https", "mitre attack", "network info", "windows folder", "office macro", "creates", "office outbound", "phishing", "malicious", "next", "settings", "first counter", "default", "inprocserver32", "inprochandler32", "mbisslshort", "bearer", "cname", "mwdb", "bazaar", "bridge", "info", "accept", "date", "agent", "shutdown", "root", "secchuamodel", "excellent", "windows sandbox", "calls process", "hull times", "carol britton", "meyer", "kenny law", "town counsel", "james lampke", "june", "hiring", "performs dns", "urls", "found", "belgium", "processes extra", "t1055 process", "script", "hull", "head", "title", "nothing", "file execution", "error", "parent pid", "full path", "command line", "registry keys", "error reporting", "registrya", "localsm0504064" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/3c7b5fbbe5796e6e299266c8bcebde3c872e29ac28c2542065f093647545160f_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775294585&Signature=AiwHrxQG29SI8a31irV4dLtsG8ZrFGJEr6fs%2BRrqi8pGFUV4vyAhN5ojGIFqHXwyboStPTczrsFw58d2k9jvnQVO%2FOejBE7gnCMr3LfPk%2FWzNPo91GeB0LejkpFqYHfNYclItOZ2DMtVJVETSl7W%2BI%2BeXrp2yY550i0cNxjgQQuh2VP89ZTciLvtPrwiOimldyszdN9nPyvg4YCCFedqDFw43RWY6iRxkp9QlLMxwlGr4mRnQE79%", "https://vtbehaviour.commondatastorage.googleapis.com/5fdb5bffef52d84d2621f8b5fc357a235db152b3cca4bd0eb848f8aba2f59574_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775294708&Signature=o%2Bv9PSmG5OUcRvq9CRjSf%2Fbrwygq5PC%2FIsSCmchPVmWeCG29JPa8wmqekjGOn1ZF1mBQOgFzwIg%2B1adIQOkjuGxr3R%2BYojBmrnxa57tRTMUzJGpfbM4eZ1tMfthD2m%2BZlMzGONh0fYAfGCZifJFhlNRe4vvW9HIhXiXyFL8u0Ba3WEAhX8bMm8vjGEfRRwy829vHqyszf15Vj6KJz5uHYYhg8%2BU9ZPEBL8nc2TD08zv3i8vggudk7F9x", "https://vtbehaviour.commondatastorage.googleapis.com/5fdb5bffef52d84d2621f8b5fc357a235db152b3cca4bd0eb848f8aba2f59574_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775294759&Signature=mGlPvn1FqfTNp6h5HQVACkGKlPNvV6MjgprLTJSS1nECbbus7K4lnSfE1kyxH0KO4D%2FqkChrgjxQFb9jGA0OvBOYkqQzmymBMe4LDVEkG7ROUZFnGwlaCHEFxYrP4R%2FTJt%2FAK2lP%2FCRhWJjhxPChq5fN%2BL7DcqgCfRQXQhGPoEdDxsUliwznSEmJucut9dlrBUFoWxJppc7dnf%2BG1Vg560BjMlBiSya3yKiqZju6L%2BtmZEbA", "https://vtbehaviour.commondatastorage.googleapis.com/3c7b5fbbe5796e6e299266c8bcebde3c872e29ac28c2542065f093647545160f_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775295109&Signature=ER9bwT7bZVOczjY2zwfcyVstYuepcZ%2BcYNRbY6iEvfgqSgoj4LzSscvE15RcCn5hwhJIWVW3x87BxFZwSoCCeOb0bz5jragOFnehYWBRNnRlCbxpug1HnBoppu0FUW4VIhZblbViBzBMvTIoMmK%2BbALZEXZ9UkVKTetOaaabYU3EFHmGcTXyoCa6AUJCWsb6TvKYEnc%2Bh3bA2Q0QBDxs%2Boic8smNVwx%2BRxmRR1fZWYJO4%", "https://vtbehaviour.commondatastorage.googleapis.com/3304b08c831d02c887710bcded0f5d628c94e860822a739aed2602cd0affcb31_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775295293&Signature=DdcEXIvyAEeGuBt%2Bi%2BrIQ%2BwAsA3OUEIVlwFpouK%2BFNpWmeiOLlRUVhV894E%2F2hBgEtZ4M5AYUrENKi6fmtnzxDdS1z0cIJm97azyFboiv7MJypgRT5r0FKUI26wRYrdndqQSoGx0NlXz4qGCwHWoeUq8kcUTQGGzabihHjhuNESllxlUD9CRTlcRdoFUPmt3zDzg%2BhK0iOHc6MktlQigbQcYmhbyJnhyDFHrndVF59TRFoup5siG35Bh7r", "https://vtbehaviour.commondatastorage.googleapis.com/3304b08c831d02c887710bcded0f5d628c94e860822a739aed2602cd0affcb31_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775295326&Signature=k1fPUbPf5dSVFGBgjZdipKzgbSBOBbw1Kfe%2BrmACUC%2BJTOZ5%2FTvgETSvmMSWA2V5FSJcs279kO9RR4ifVgP4xWlLA0%2BmC%2F5IWKN1xoMjtSgOmUdiSCDGDllrwlLGD%2FLVNqA0SbHuTVwDjj%2FfST7dXCu9iO9Q1Sg%2F06d9nGOtLtOOadRMrR6A7lUFhg%2Bez5C6iL9HIqhmU55tiD5g496Aa31X7e0reuCO3ac6lV4adxDC", "https://vtbehaviour.commondatastorage.googleapis.com/3c7b5fbbe5796e6e299266c8bcebde3c872e29ac28c2542065f093647545160f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775295393&Signature=JtOgjkWQM%2Bz67YdmZ77hLVquFe4mqzCbIFTEM3paQOO05tT%2BWnu5tvrUKryfhaQifyq7NKcDLAmGQyd4aH3ura5cY9xv7BWoonWPaJTCE0IfSq9Bs1yzphYmg8AKRCgSokoXMPVBMcCSrDGpHD%2F5P1cEO%2BoZmG%2BzY47LGeks8XOKHvMPrayt%2Bm9r%2F16FodqJOF96sgUrX8x6MNWqId8UqE2gWmI8TtXJrNMSXxip6Fh7Hmi3" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 407, "domain": 195, "hostname": 309, "FileHash-SHA256": 607, "FileHash-MD5": 306, "FileHash-SHA1": 31, "email": 1 }, "indicator_count": 1856, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "26 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d0dec7d1e663f23697fcd5", "name": "VirusTotal report\n for report.eml", "description": "The full text of the full report on Csp-report, which will be published in 2026, has been published on the website of Google.com, the firm that owns the search engine>>>> abuse of power", "modified": "2026-05-04T09:07:45.626000", "created": "2026-04-04T09:49:59.346000", "tags": [ "non dsp", "cor cura", "cookie", "dynamic", "status code", "body length", "kb body", "sha256", "gz6mbt0grch", "utc ua743607001", "acceptencoding", "toggle", "nxdomain", "windows", "analysis", "files mitre", "xe9xaf", "jyx9611xb1", "xe3xfcxfexabe", "source source", "file name", "strings", "first", "path", "enterprise", "service", "close", "richard massina", "rocketreach", "email", "phone number", "clifford", "kenny", "llp associate", "get richard", "massina", "information og", "file type", "sigma", "united", "https", "mitre attack", "network info", "windows folder", "office macro", "creates", "office outbound", "phishing", "malicious", "next", "settings", "first counter", "default", "inprocserver32", "inprochandler32", "mbisslshort", "bearer", "cname", "mwdb", "bazaar", "bridge", "info", "accept", "date", "agent", "shutdown", "root", "secchuamodel", "excellent", "windows sandbox", "calls process", "hull times", "carol britton", "meyer", "kenny law", "town counsel", "james lampke", "june", "hiring", "performs dns", "urls", "found", "belgium", "processes extra", "t1055 process", "script", "hull", "head", "title", "nothing", "file execution", "error", "parent pid", "full path", "command line", "registry keys", "error reporting", "registrya", "localsm0504064" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/3c7b5fbbe5796e6e299266c8bcebde3c872e29ac28c2542065f093647545160f_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775294585&Signature=AiwHrxQG29SI8a31irV4dLtsG8ZrFGJEr6fs%2BRrqi8pGFUV4vyAhN5ojGIFqHXwyboStPTczrsFw58d2k9jvnQVO%2FOejBE7gnCMr3LfPk%2FWzNPo91GeB0LejkpFqYHfNYclItOZ2DMtVJVETSl7W%2BI%2BeXrp2yY550i0cNxjgQQuh2VP89ZTciLvtPrwiOimldyszdN9nPyvg4YCCFedqDFw43RWY6iRxkp9QlLMxwlGr4mRnQE79%", "https://vtbehaviour.commondatastorage.googleapis.com/5fdb5bffef52d84d2621f8b5fc357a235db152b3cca4bd0eb848f8aba2f59574_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775294708&Signature=o%2Bv9PSmG5OUcRvq9CRjSf%2Fbrwygq5PC%2FIsSCmchPVmWeCG29JPa8wmqekjGOn1ZF1mBQOgFzwIg%2B1adIQOkjuGxr3R%2BYojBmrnxa57tRTMUzJGpfbM4eZ1tMfthD2m%2BZlMzGONh0fYAfGCZifJFhlNRe4vvW9HIhXiXyFL8u0Ba3WEAhX8bMm8vjGEfRRwy829vHqyszf15Vj6KJz5uHYYhg8%2BU9ZPEBL8nc2TD08zv3i8vggudk7F9x", "https://vtbehaviour.commondatastorage.googleapis.com/5fdb5bffef52d84d2621f8b5fc357a235db152b3cca4bd0eb848f8aba2f59574_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775294759&Signature=mGlPvn1FqfTNp6h5HQVACkGKlPNvV6MjgprLTJSS1nECbbus7K4lnSfE1kyxH0KO4D%2FqkChrgjxQFb9jGA0OvBOYkqQzmymBMe4LDVEkG7ROUZFnGwlaCHEFxYrP4R%2FTJt%2FAK2lP%2FCRhWJjhxPChq5fN%2BL7DcqgCfRQXQhGPoEdDxsUliwznSEmJucut9dlrBUFoWxJppc7dnf%2BG1Vg560BjMlBiSya3yKiqZju6L%2BtmZEbA", "https://vtbehaviour.commondatastorage.googleapis.com/3c7b5fbbe5796e6e299266c8bcebde3c872e29ac28c2542065f093647545160f_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775295109&Signature=ER9bwT7bZVOczjY2zwfcyVstYuepcZ%2BcYNRbY6iEvfgqSgoj4LzSscvE15RcCn5hwhJIWVW3x87BxFZwSoCCeOb0bz5jragOFnehYWBRNnRlCbxpug1HnBoppu0FUW4VIhZblbViBzBMvTIoMmK%2BbALZEXZ9UkVKTetOaaabYU3EFHmGcTXyoCa6AUJCWsb6TvKYEnc%2Bh3bA2Q0QBDxs%2Boic8smNVwx%2BRxmRR1fZWYJO4%", "https://vtbehaviour.commondatastorage.googleapis.com/3304b08c831d02c887710bcded0f5d628c94e860822a739aed2602cd0affcb31_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775295293&Signature=DdcEXIvyAEeGuBt%2Bi%2BrIQ%2BwAsA3OUEIVlwFpouK%2BFNpWmeiOLlRUVhV894E%2F2hBgEtZ4M5AYUrENKi6fmtnzxDdS1z0cIJm97azyFboiv7MJypgRT5r0FKUI26wRYrdndqQSoGx0NlXz4qGCwHWoeUq8kcUTQGGzabihHjhuNESllxlUD9CRTlcRdoFUPmt3zDzg%2BhK0iOHc6MktlQigbQcYmhbyJnhyDFHrndVF59TRFoup5siG35Bh7r", "https://vtbehaviour.commondatastorage.googleapis.com/3304b08c831d02c887710bcded0f5d628c94e860822a739aed2602cd0affcb31_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775295326&Signature=k1fPUbPf5dSVFGBgjZdipKzgbSBOBbw1Kfe%2BrmACUC%2BJTOZ5%2FTvgETSvmMSWA2V5FSJcs279kO9RR4ifVgP4xWlLA0%2BmC%2F5IWKN1xoMjtSgOmUdiSCDGDllrwlLGD%2FLVNqA0SbHuTVwDjj%2FfST7dXCu9iO9Q1Sg%2F06d9nGOtLtOOadRMrR6A7lUFhg%2Bez5C6iL9HIqhmU55tiD5g496Aa31X7e0reuCO3ac6lV4adxDC", "https://vtbehaviour.commondatastorage.googleapis.com/3c7b5fbbe5796e6e299266c8bcebde3c872e29ac28c2542065f093647545160f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775295393&Signature=JtOgjkWQM%2Bz67YdmZ77hLVquFe4mqzCbIFTEM3paQOO05tT%2BWnu5tvrUKryfhaQifyq7NKcDLAmGQyd4aH3ura5cY9xv7BWoonWPaJTCE0IfSq9Bs1yzphYmg8AKRCgSokoXMPVBMcCSrDGpHD%2F5P1cEO%2BoZmG%2BzY47LGeks8XOKHvMPrayt%2Bm9r%2F16FodqJOF96sgUrX8x6MNWqId8UqE2gWmI8TtXJrNMSXxip6Fh7Hmi3" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 407, "domain": 195, "hostname": 309, "FileHash-SHA256": 607, "FileHash-MD5": 306, "FileHash-SHA1": 31, "email": 1 }, "indicator_count": 1856, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "26 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d0dec9f83643549f2d60c3", "name": "VirusTotal report\n for report.eml", "description": "The full text of the full report on Csp-report, which will be published in 2026, has been published on the website of Google.com, the firm that owns the search engine>>>> abuse of power", "modified": "2026-05-04T09:07:45.626000", "created": "2026-04-04T09:50:01.067000", "tags": [ "non dsp", "cor cura", "cookie", "dynamic", "status code", "body length", "kb body", "sha256", "gz6mbt0grch", "utc ua743607001", "acceptencoding", "toggle", "nxdomain", "windows", "analysis", "files mitre", "xe9xaf", "jyx9611xb1", "xe3xfcxfexabe", "source source", "file name", "strings", "first", "path", "enterprise", "service", "close", "richard massina", "rocketreach", "email", "phone number", "clifford", "kenny", "llp associate", "get richard", "massina", "information og", "file type", "sigma", "united", "https", "mitre attack", "network info", "windows folder", "office macro", "creates", "office outbound", "phishing", "malicious", "next", "settings", "first counter", "default", "inprocserver32", "inprochandler32", "mbisslshort", "bearer", "cname", "mwdb", "bazaar", "bridge", "info", "accept", "date", "agent", "shutdown", "root", "secchuamodel", "excellent", "windows sandbox", "calls process", "hull times", "carol britton", "meyer", "kenny law", "town counsel", "james lampke", "june", "hiring", "performs dns", "urls", "found", "belgium", "processes extra", "t1055 process", "script", "hull", "head", "title", "nothing", "file execution", "error", "parent pid", "full path", "command line", "registry keys", "error reporting", "registrya", "localsm0504064" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/3c7b5fbbe5796e6e299266c8bcebde3c872e29ac28c2542065f093647545160f_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775294585&Signature=AiwHrxQG29SI8a31irV4dLtsG8ZrFGJEr6fs%2BRrqi8pGFUV4vyAhN5ojGIFqHXwyboStPTczrsFw58d2k9jvnQVO%2FOejBE7gnCMr3LfPk%2FWzNPo91GeB0LejkpFqYHfNYclItOZ2DMtVJVETSl7W%2BI%2BeXrp2yY550i0cNxjgQQuh2VP89ZTciLvtPrwiOimldyszdN9nPyvg4YCCFedqDFw43RWY6iRxkp9QlLMxwlGr4mRnQE79%", "https://vtbehaviour.commondatastorage.googleapis.com/5fdb5bffef52d84d2621f8b5fc357a235db152b3cca4bd0eb848f8aba2f59574_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775294708&Signature=o%2Bv9PSmG5OUcRvq9CRjSf%2Fbrwygq5PC%2FIsSCmchPVmWeCG29JPa8wmqekjGOn1ZF1mBQOgFzwIg%2B1adIQOkjuGxr3R%2BYojBmrnxa57tRTMUzJGpfbM4eZ1tMfthD2m%2BZlMzGONh0fYAfGCZifJFhlNRe4vvW9HIhXiXyFL8u0Ba3WEAhX8bMm8vjGEfRRwy829vHqyszf15Vj6KJz5uHYYhg8%2BU9ZPEBL8nc2TD08zv3i8vggudk7F9x", "https://vtbehaviour.commondatastorage.googleapis.com/5fdb5bffef52d84d2621f8b5fc357a235db152b3cca4bd0eb848f8aba2f59574_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775294759&Signature=mGlPvn1FqfTNp6h5HQVACkGKlPNvV6MjgprLTJSS1nECbbus7K4lnSfE1kyxH0KO4D%2FqkChrgjxQFb9jGA0OvBOYkqQzmymBMe4LDVEkG7ROUZFnGwlaCHEFxYrP4R%2FTJt%2FAK2lP%2FCRhWJjhxPChq5fN%2BL7DcqgCfRQXQhGPoEdDxsUliwznSEmJucut9dlrBUFoWxJppc7dnf%2BG1Vg560BjMlBiSya3yKiqZju6L%2BtmZEbA", "https://vtbehaviour.commondatastorage.googleapis.com/3c7b5fbbe5796e6e299266c8bcebde3c872e29ac28c2542065f093647545160f_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775295109&Signature=ER9bwT7bZVOczjY2zwfcyVstYuepcZ%2BcYNRbY6iEvfgqSgoj4LzSscvE15RcCn5hwhJIWVW3x87BxFZwSoCCeOb0bz5jragOFnehYWBRNnRlCbxpug1HnBoppu0FUW4VIhZblbViBzBMvTIoMmK%2BbALZEXZ9UkVKTetOaaabYU3EFHmGcTXyoCa6AUJCWsb6TvKYEnc%2Bh3bA2Q0QBDxs%2Boic8smNVwx%2BRxmRR1fZWYJO4%", "https://vtbehaviour.commondatastorage.googleapis.com/3304b08c831d02c887710bcded0f5d628c94e860822a739aed2602cd0affcb31_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775295293&Signature=DdcEXIvyAEeGuBt%2Bi%2BrIQ%2BwAsA3OUEIVlwFpouK%2BFNpWmeiOLlRUVhV894E%2F2hBgEtZ4M5AYUrENKi6fmtnzxDdS1z0cIJm97azyFboiv7MJypgRT5r0FKUI26wRYrdndqQSoGx0NlXz4qGCwHWoeUq8kcUTQGGzabihHjhuNESllxlUD9CRTlcRdoFUPmt3zDzg%2BhK0iOHc6MktlQigbQcYmhbyJnhyDFHrndVF59TRFoup5siG35Bh7r", "https://vtbehaviour.commondatastorage.googleapis.com/3304b08c831d02c887710bcded0f5d628c94e860822a739aed2602cd0affcb31_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775295326&Signature=k1fPUbPf5dSVFGBgjZdipKzgbSBOBbw1Kfe%2BrmACUC%2BJTOZ5%2FTvgETSvmMSWA2V5FSJcs279kO9RR4ifVgP4xWlLA0%2BmC%2F5IWKN1xoMjtSgOmUdiSCDGDllrwlLGD%2FLVNqA0SbHuTVwDjj%2FfST7dXCu9iO9Q1Sg%2F06d9nGOtLtOOadRMrR6A7lUFhg%2Bez5C6iL9HIqhmU55tiD5g496Aa31X7e0reuCO3ac6lV4adxDC", "https://vtbehaviour.commondatastorage.googleapis.com/3c7b5fbbe5796e6e299266c8bcebde3c872e29ac28c2542065f093647545160f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775295393&Signature=JtOgjkWQM%2Bz67YdmZ77hLVquFe4mqzCbIFTEM3paQOO05tT%2BWnu5tvrUKryfhaQifyq7NKcDLAmGQyd4aH3ura5cY9xv7BWoonWPaJTCE0IfSq9Bs1yzphYmg8AKRCgSokoXMPVBMcCSrDGpHD%2F5P1cEO%2BoZmG%2BzY47LGeks8XOKHvMPrayt%2Bm9r%2F16FodqJOF96sgUrX8x6MNWqId8UqE2gWmI8TtXJrNMSXxip6Fh7Hmi3" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 407, "domain": 195, "hostname": 309, "FileHash-SHA256": 607, "FileHash-MD5": 306, "FileHash-SHA1": 31, "email": 1, "YARA": 1, "CVE": 1 }, "indicator_count": 1858, "is_author": false, "is_subscribing": null, "subscriber_count": 68, "modified_text": "26 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68aff672de7f1b65a97c00b1", "name": "WarzoneRAT impacts Social Media of users with compromised systems", "description": "Injection affects compromised user/s social media accounts including YouTube. Uploads to social media accounts from infected systems divert to adversary\u2019s alt YouTube media center labeled \u2018watch\u2019 instead of YouTube . Remote access observed. Threat actor has full access , cnc , devices, personal information, images, contacts, network, private information including all financial information. \n \nAlt / adversarial Pinterest, Tumblr, YouTube, Facebook, Twitter / X, Instagram , LinkedIn", "modified": "2025-09-27T05:00:09.125000", "created": "2025-08-28T06:25:54.794000", "tags": [ "d10927", "mp41", "mp41 connection", "r connection", "ip address", "dynamicloader", "write c", "globalc", "medium", "high", "write", "dll read", "trojan", "delphi", "win32", "dialer", "tracking", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "defense evasion", "spawns", "t1590 gather", "mitre att", "ck matrix", "null", "click", "title", "span", "meta", "general", "local", "path", "strings", "refresh", "tools", "virgin islands", "united", "unknown ns", "a domains", "montserrat", "passive dns", "ipv4", "urls", "files", "hosting", "trojandropper", "location virgin", "msie", "windows nt", "wow64", "slcc2", "media center", "item", "has description", "unknown", "explorer", "error", "powershell", "yara rule", "windows", "t1055", "warzonerat", "avemaria", "virtool", "netwire", "malware", "hostile", "autoit", "defender", "date", "bq aug", "next associated", "ipv4 add", "resolved ips", "get http", "request", "win64", "khtml", "gecko", "resolutions", "number", "ja3s", "algorithm", "cnr12 cus", "cname", "accept", "port", "gmt ifnonematch", "screenshots no", "involved dns", "name response", "nxdomain", "tcp connections", "involved direct", "country name", "moved", "alone email", "body doctype", "gmt server", "content type", "service privacy", "cve" ], "references": [ "http://remote.edikamin.com/", "http://flat.trafficadvance.net/AccessMySOL.IVRMobileEntra?D=10927&C=7&MP=41%7C", "http://deposito.hostance.net/dialer/", "Found in Alt YouTube = Titled \u2018watch\u2019 | Infected System uploads to YT", "Domains Contacted:Wealthy2019.com.strangled.net \u2022 wealth.warzonedns.com\t \u2022 wealthyme.ddns.net", "DYNAMIC_DNS Query to a *.strangled .net Domain\t192.168.122.91\t1.1.1.1 \u2022 DNS Query to DynDNS Domain *.ddns .net", "Observed DNS Query to a *.warzonedns .com domain - Likely Hostile\t192.168.122.91\t1.1.1.1", "simswap.in (possible Mirai or relationship to)" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Virgin Islands, British" ], "malware_families": [ { "id": "Trojan:Win32/Diamin.F", "display_name": "Trojan:Win32/Diamin.F", "target": "/malware/Trojan:Win32/Diamin.F" }, { "id": "Dialer", "display_name": "Dialer", "target": null }, { "id": "Win32:CabMod\\ [Drp]", "display_name": "Win32:CabMod\\ [Drp]", "target": null }, { "id": "TrojanDropper:Win32/Hupigon.gen!A", "display_name": "TrojanDropper:Win32/Hupigon.gen!A", "target": "/malware/TrojanDropper:Win32/Hupigon.gen!A" }, { "id": "ALF:HeraklezEval:PUA:Win32/Keygen", "display_name": "ALF:HeraklezEval:PUA:Win32/Keygen", "target": null }, { "id": "Trojan:Win32/Startpage.AEA", "display_name": "Trojan:Win32/Startpage.AEA", "target": "/malware/Trojan:Win32/Startpage.AEA" }, { "id": "Banload", "display_name": "Banload", "target": null }, { "id": "TrojanDownloader:Win32/Banload.D", "display_name": "TrojanDownloader:Win32/Banload.D", "target": "/malware/TrojanDownloader:Win32/Banload.D" }, { "id": "Win32:Evo-gen", "display_name": "Win32:Evo-gen", "target": null }, { "id": "!#AddsCopy-ToStartup", "display_name": "!#AddsCopy-ToStartup", "target": null }, { "id": "VirTool:Win32/AutInject.CZ!bit", "display_name": "VirTool:Win32/AutInject.CZ!bit", "target": "/malware/VirTool:Win32/AutInject.CZ!bit" }, { "id": "Win.Trojan.Agent-316098", "display_name": "Win.Trojan.Agent-316098", "target": null }, { "id": "virtool:Win32/Injector.gen!BQ", "display_name": "virtool:Win32/Injector.gen!BQ", "target": "/malware/virtool:Win32/Injector.gen!BQ" }, { "id": "WarzoneRAT - S0670", "display_name": "WarzoneRAT - S0670", "target": null }, { "id": "CVE-2023-22518", "display_name": "CVE-2023-22518", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" } ], "industries": [ "Technology", "Telecommunications", "Media" ], "TLP": "white", "cloned_from": null, "export_count": 34, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4194, "hostname": 1563, "FileHash-SHA256": 2494, "domain": 624, "FileHash-MD5": 274, "FileHash-SHA1": 226, "email": 1, "CVE": 1 }, "indicator_count": 9377, "is_author": false, "is_subscribing": null, "subscriber_count": 146, "modified_text": "245 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "Observed DNS Query to a *.warzonedns .com domain - Likely Hostile\t192.168.122.91\t1.1.1.1", "YARA RULE_TYPE: THOR APT Scanner's rule set only RULE_AUTHOR: Florian Roth", "https://vtbehaviour.commondatastorage.googleapis.com/556700ac50ffa845e5de853498242ee5abb288eb5b8ae1ae12bfdb5746e3b7b1_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778756062&Signature=1qwcsdiF0JPfNYSk7RDQXO4pZXvL%2Fj1JyEUevcp%2B6HlCDqJ6UKeuGEjU%2FtfcS8Y2I%2B%2FIkWQ7I%2FrKwePXyPYnyKs%2F5BGxqLLSdyj6hlP6mspza3lBQCmI8D%2B%2F%2BIcbUB4s1UZP6cZ3bieHVI%2BUt7YDDau3vsnsQBE3cIa48fIcZYKmsJp7P%2FETHpk%2FGfCZlLU4fOjXvbexeI%2Fjw%2FLOBcq3zipo%2BwQyGxHTmnK%2F", "https://vtbehaviour.commondatastorage.googleapis.com/556700ac50ffa845e5de853498242ee5abb288eb5b8ae1ae12bfdb5746e3b7b1_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778756107&Signature=qcKaJdEe1%2F0Ewg9HU1LOWWYUSa1AX6o24coccdj5tLucnjjA7oPNFtU1%2FnPf1MngS%2B8Re5bUyuY%2FpE%2FwiXxMY9hSNotJ6H1BkH1IoOGDT8ucHEnRnac1I9XLmxmVOBdHXBoIYAF6cQu1wHM6n7kGPEnerHpqMASVuGIVJqeq9p3f7K8RNeiAlAzFQHPWjKuVRpePEo0aeNddEvVPmacL3C3Jjat%2B8lUZN4JAbvRXfPBU", "SIGMA Matches rule Use Short Name Path in Command Line by frack113, Nasreddine Bencherchali", "YARA Signature Match - THOR APT Scanner Get RULE_AUTHOR: Florian Roth", "http://remote.edikamin.com/", "Additions: resourced by Q.Vashti 04.17.2026 - credit crowdsourced information & personal research", "simswap.in (possible Mirai or relationship to)", "XOR_embeded_exefile_xored_with_round_256_bytes_key", "https://vtbehaviour.commondatastorage.googleapis.com/3c7b5fbbe5796e6e299266c8bcebde3c872e29ac28c2542065f093647545160f_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775295393&Signature=JtOgjkWQM%2Bz67YdmZ77hLVquFe4mqzCbIFTEM3paQOO05tT%2BWnu5tvrUKryfhaQifyq7NKcDLAmGQyd4aH3ura5cY9xv7BWoonWPaJTCE0IfSq9Bs1yzphYmg8AKRCgSokoXMPVBMcCSrDGpHD%2F5P1cEO%2BoZmG%2BzY47LGeks8XOKHvMPrayt%2Bm9r%2F16FodqJOF96sgUrX8x6MNWqId8UqE2gWmI8TtXJrNMSXxip6Fh7Hmi3", "http://flat.trafficadvance.net/AccessMySOL.IVRMobileEntra?D=10927&C=7&MP=41%7C", "Found in Alt YouTube = Titled \u2018watch\u2019 | Infected System uploads to YT", "Activity related to APT29 - according to source Cluster25 - This DOMAIN is used as a CnC by APT29", "https://vtbehaviour.commondatastorage.googleapis.com/3304b08c831d02c887710bcded0f5d628c94e860822a739aed2602cd0affcb31_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775295326&Signature=k1fPUbPf5dSVFGBgjZdipKzgbSBOBbw1Kfe%2BrmACUC%2BJTOZ5%2FTvgETSvmMSWA2V5FSJcs279kO9RR4ifVgP4xWlLA0%2BmC%2F5IWKN1xoMjtSgOmUdiSCDGDllrwlLGD%2FLVNqA0SbHuTVwDjj%2FfST7dXCu9iO9Q1Sg%2F06d9nGOtLtOOadRMrR6A7lUFhg%2Bez5C6iL9HIqhmU55tiD5g496Aa31X7e0reuCO3ac6lV4adxDC", "https://www.avertium.com/resources/threat-reports/evolution-of-russian-apt29-new-attacks-and-techniques-uncovered", "https://otx.alienvault.com/pulse/64c131d13447ec7826c8ac6f", "YARA RULE : SUSP_Decimal_Encoded_Executable_May21_1 RULE_AUTHOR: Florian Roth", "https://vtbehaviour.commondatastorage.googleapis.com/556700ac50ffa845e5de853498242ee5abb288eb5b8ae1ae12bfdb5746e3b7b1_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778755991&Signature=xjEd%2BfezTG%2Bhf9CMiLVkvgMjqq3uWY0btw2QhhcAqvYLh%2BdAJB5d1xHA9O3DAxXep3iyDgqVU01VvCAb%2BKefQNSVhuEaACn6Vg0Hh1CHnNc3GMCXSMdTRZFYYSzniYpYsmeZX%2F0ez%2Fvlig7VA40maOBDvb%2B3HADaVl1jboeClkaL2NCfDYCQYRK2vZ5yX7ggUG%2FM2b0scFtssuydGnlFONW5Ebr6b3RuXJRvMFO9SQ%2BJ", "DYNAMIC_DNS Query to a *.strangled .net Domain\t192.168.122.91\t1.1.1.1 \u2022 DNS Query to DynDNS Domain *.ddns .net", "Name: Invitation - Santa Lucia Celebration.msg \u2022 File Type CDFV2 Microsoft Outlook Message", "Credit: Resourced by AlienVault on July 26, 2023 at 8:48:39 \u2022 AlienVault |", "FILEHASH - SHA256 966e070a52de1c51976f6ea1fc48ec77f6b89f4bf5e5007650755e9cd0d73281 ->", "Evolution of Russian APT29 \u2013 New Attacks and Techniques Uncovered - according to source ArcSight Threat Intelligence - 2 years ago CCleaner", "https://vtbehaviour.commondatastorage.googleapis.com/7737f90de7e9fc0935561c017e9ddc4a58337ebc25873f0bbcfe860790f3f888_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778756397&Signature=GrgrzQyGr0qFGDnfG3rlbCv4hrrrTPOM0ZaqFW%2FWxF%2BZW62aUsSeXENHRday%2B2le7YUbRKI20ywbl8yvmeRJ1iO5haWVNYFoq7Gt1zljmR%2F5ZveJp80cYWagPzIcSu2W0NzvR8T49UkZukCRr2yTn4Y77ivK4HZ%2FyE3ZL9Au3TqjZg0PaQSZhsub%2BtP7IMgeCTGCevf0UvRrEE6aka8%2FNMFwhtH5Pi7CX8SD%2F4Q%2Bd34I", "https://vtbehaviour.commondatastorage.googleapis.com/5fdb5bffef52d84d2621f8b5fc357a235db152b3cca4bd0eb848f8aba2f59574_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775294759&Signature=mGlPvn1FqfTNp6h5HQVACkGKlPNvV6MjgprLTJSS1nECbbus7K4lnSfE1kyxH0KO4D%2FqkChrgjxQFb9jGA0OvBOYkqQzmymBMe4LDVEkG7ROUZFnGwlaCHEFxYrP4R%2FTJt%2FAK2lP%2FCRhWJjhxPChq5fN%2BL7DcqgCfRQXQhGPoEdDxsUliwznSEmJucut9dlrBUFoWxJppc7dnf%2BG1Vg560BjMlBiSya3yKiqZju6L%2BtmZEbA", "https://vtbehaviour.commondatastorage.googleapis.com/3c7b5fbbe5796e6e299266c8bcebde3c872e29ac28c2542065f093647545160f_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775294585&Signature=AiwHrxQG29SI8a31irV4dLtsG8ZrFGJEr6fs%2BRrqi8pGFUV4vyAhN5ojGIFqHXwyboStPTczrsFw58d2k9jvnQVO%2FOejBE7gnCMr3LfPk%2FWzNPo91GeB0LejkpFqYHfNYclItOZ2DMtVJVETSl7W%2BI%2BeXrp2yY550i0cNxjgQQuh2VP89ZTciLvtPrwiOimldyszdN9nPyvg4YCCFedqDFw43RWY6iRxkp9QlLMxwlGr4mRnQE79%", "http://deposito.hostance.net/dialer/", "Domains Contacted:Wealthy2019.com.strangled.net \u2022 wealth.warzonedns.com\t \u2022 wealthyme.ddns.net", "YARA RULE_SET: Livehunt - Suspicious82 Indicators RULE_AUTHOR: Florian Roth", "I copied IoC\u2019s & from a pulse by AlienVault. I added related , resourced information I found interesting", "kefas.id: Crowdsourced Sigma below | Malicious Score High", "YARA RULE: SUSP_Encoded_GetCurrentThreadId RULE_AUTHOR: Florian Roth", "https://vtbehaviour.commondatastorage.googleapis.com/5fdb5bffef52d84d2621f8b5fc357a235db152b3cca4bd0eb848f8aba2f59574_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775294708&Signature=o%2Bv9PSmG5OUcRvq9CRjSf%2Fbrwygq5PC%2FIsSCmchPVmWeCG29JPa8wmqekjGOn1ZF1mBQOgFzwIg%2B1adIQOkjuGxr3R%2BYojBmrnxa57tRTMUzJGpfbM4eZ1tMfthD2m%2BZlMzGONh0fYAfGCZifJFhlNRe4vvW9HIhXiXyFL8u0Ba3WEAhX8bMm8vjGEfRRwy829vHqyszf15Vj6KJz5uHYYhg8%2BU9ZPEBL8nc2TD08zv3i8vggudk7F9x", "YARA DESCRIPTION: Detects encoded keyword - GetCurrentThreadId RULE_AUTHOR: Florian Roth", "https://vtbehaviour.commondatastorage.googleapis.com/3304b08c831d02c887710bcded0f5d628c94e860822a739aed2602cd0affcb31_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775295293&Signature=DdcEXIvyAEeGuBt%2Bi%2BrIQ%2BwAsA3OUEIVlwFpouK%2BFNpWmeiOLlRUVhV894E%2F2hBgEtZ4M5AYUrENKi6fmtnzxDdS1z0cIJm97azyFboiv7MJypgRT5r0FKUI26wRYrdndqQSoGx0NlXz4qGCwHWoeUq8kcUTQGGzabihHjhuNESllxlUD9CRTlcRdoFUPmt3zDzg%2BhK0iOHc6MktlQigbQcYmhbyJnhyDFHrndVF59TRFoup5siG35Bh7r", "https://vtbehaviour.commondatastorage.googleapis.com/7737f90de7e9fc0935561c017e9ddc4a58337ebc25873f0bbcfe860790f3f888_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778756213&Signature=nT2GPVh7JliXkCSmMglFnpxTqzjwGedv4d2km9l3nSbMaMVXff1erDdvDEzPK%2BiZmnXCBqjGhLu0pehbVPaA%2FuFCZI%2FNWrrMXl07NM2A8A0aQwuI5lwt6CpefiJaPgbeNJ%2FYSGyoPLGwLQTA1Upga8%2F1GeMvooHMu1noElIuYrvsfuC3bzCdwW7rC2t4C9bKa0%2FBKK%2BQHVrZA2NIAsBNIRplsBOqZybAuDBKBxb8Liqs580KbDsCQU4%", "Matches rule Use Short Name Path in Image by frack113, Nasreddine Bencherchali - Sigma rule cannot be loaded.", "https://vtbehaviour.commondatastorage.googleapis.com/3c7b5fbbe5796e6e299266c8bcebde3c872e29ac28c2542065f093647545160f_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775295109&Signature=ER9bwT7bZVOczjY2zwfcyVstYuepcZ%2BcYNRbY6iEvfgqSgoj4LzSscvE15RcCn5hwhJIWVW3x87BxFZwSoCCeOb0bz5jragOFnehYWBRNnRlCbxpug1HnBoppu0FUW4VIhZblbViBzBMvTIoMmK%2BbALZEXZ9UkVKTetOaaabYU3EFHmGcTXyoCa6AUJCWsb6TvKYEnc%2Bh3bA2Q0QBDxs%2Boic8smNVwx%2BRxmRR1fZWYJO4%" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [], "malware_families": [ "Warzonerat - s0670", "Trojan.dukes/xmldrp", "Win.trojan.agent-316098", "Win32:cabmod\\ [drp]", "Trojan:win32/startpage.aea", "Win32:evo-gen", "Virtool:win32/autinject.cz!bit", "Xored", "Banload", "Virtool:win32/injector.gen!bq", "Dialer", "!#addscopy-tostartup", "Trojandownloader:win32/banload.d", "Cve-2023-22518", "Trojandropper:win32/hupigon.gen!a", "Trojan:win32/diamin.f", "Alf:heraklezeval:pua:win32/keygen" ], "industries": [ "Telecommunications", "Technology", "Media" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 16, "pulses": [ { "id": "69e30d748895cd7a5746fd20", "name": "Evolution of Russian APT29 \u2013 Attacks &Techniques Uncovered [Credit AlienVault 6.26.2023] [Q.Vashti 04.17.2026 additional research", "description": "When it comes to exceptionally sophisticated malware attacks, APT29 stands at the forefront. The SolarWinds breach marked only the beginning of persistent malware attacks carried out by the threat actor. Since the attack on SolarWinds, the APT has relentlessly persisted in its attacks on governments, defense entities, critical manufacturing organizations, and IT service providers. Their latest attacks involve exploiting lesser-known Windows features and specifically targeting diplomats stationed in Ukraine. - https://www.avertium.com/resources/threat-reports/evolution-of-russian-apt29-new-attacks-and-techniques-uncovered", "modified": "2026-05-18T03:24:08.757000", "created": "2026-04-18T04:49:56.011000", "tags": [ "injection", "removal", "manipulation", "apt29", "lab52", "avertium", "ukraine", "magicweb", "nato", "solarwinds", "snowyamber", "halfrig", "quarterrig", "orion", "team", "ransomware", "mimikatz", "magicweb", "hijack", "cobalt strike", "trojan", "dropper", "dukes", "malware", "ylarv", "drop", "msdos", "stub", "rareencoding", "memory pattern", "communication", "urls http", "hashes", "client execut", "modify registry", "preos boot", "technir process", "artifacts v", "v help", "rootkit", "os credential", "response", "nxdomain", "name n", "dumping", "sigma", "use short", "name path", "creates", "query firmware", "verdict", "report", "malicious", "defense evasion", "network info", "process", "system", "hostname" ], "references": [ "https://www.avertium.com/resources/threat-reports/evolution-of-russian-apt29-new-attacks-and-techniques-uncovered", "https://otx.alienvault.com/pulse/64c131d13447ec7826c8ac6f", "I copied IoC\u2019s & from a pulse by AlienVault. I added related , resourced information I found interesting", "XOR_embeded_exefile_xored_with_round_256_bytes_key", "FILEHASH - SHA256 966e070a52de1c51976f6ea1fc48ec77f6b89f4bf5e5007650755e9cd0d73281 ->", "Name: Invitation - Santa Lucia Celebration.msg \u2022 File Type CDFV2 Microsoft Outlook Message", "YARA DESCRIPTION: Detects encoded keyword - GetCurrentThreadId RULE_AUTHOR: Florian Roth", "YARA Signature Match - THOR APT Scanner Get RULE_AUTHOR: Florian Roth", "YARA RULE: SUSP_Encoded_GetCurrentThreadId RULE_AUTHOR: Florian Roth", "YARA RULE_SET: Livehunt - Suspicious82 Indicators RULE_AUTHOR: Florian Roth", "YARA RULE_TYPE: THOR APT Scanner's rule set only RULE_AUTHOR: Florian Roth", "YARA RULE : SUSP_Decimal_Encoded_Executable_May21_1 RULE_AUTHOR: Florian Roth", "SIGMA Matches rule Use Short Name Path in Command Line by frack113, Nasreddine Bencherchali", "Matches rule Use Short Name Path in Image by frack113, Nasreddine Bencherchali - Sigma rule cannot be loaded.", "kefas.id: Crowdsourced Sigma below | Malicious Score High", "Activity related to APT29 - according to source Cluster25 - This DOMAIN is used as a CnC by APT29", "Evolution of Russian APT29 \u2013 New Attacks and Techniques Uncovered - according to source ArcSight Threat Intelligence - 2 years ago CCleaner", "Credit: Resourced by AlienVault on July 26, 2023 at 8:48:39 \u2022 AlienVault |", "Additions: resourced by Q.Vashti 04.17.2026 - credit crowdsourced information & personal research" ], "public": 1, "adversary": "", "targeted_countries": [ "Norway", "Ukraine", "Poland" ], "malware_families": [ { "id": "Xored", "display_name": "Xored", "target": null }, { "id": "Trojan.Dukes/Xmldrp", "display_name": "Trojan.Dukes/Xmldrp", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1542.003", "name": "Bootkit", "display_name": "T1542.003 - Bootkit" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1574.002", "name": "DLL Side-Loading", "display_name": "T1574.002 - DLL Side-Loading" }, { "id": "T1518.001", "name": "Security Software Discovery", "display_name": "T1518.001 - Security Software Discovery" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 23, "URL": 34, "hostname": 97, "FileHash-MD5": 32, "FileHash-SHA1": 29, "FileHash-SHA256": 138, "CVE": 4 }, "indicator_count": 357, "is_author": false, "is_subscribing": null, "subscriber_count": 144, "modified_text": "12 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a05ac967057c13623229fa4", "name": "Eternal Romance. InfinityRedRatLokiMeteorDownDropRemPetDCometRevenBRabbit[Ilu/txt> vbs]CAPE Sandbox", "description": "[A report on the discovery of a malicious script on a server at the University of California, Los Angeles, has been published by GRAMMERSoft Group, a security firm based in the Philippines.] s): InfinityLock RedLine Njrat LokiBot Meteorite Downloader JavaDropper Remcos Petya DarkComet RevengeRAT BadRabbit Iloveyou[txt]vbs.\nMalware like this is almost never unintentional.", "modified": "2026-05-15T10:49:24.586000", "created": "2026-05-14T11:05:58.600000", "tags": [ "vbcrlf", "error resume", "next dim", "page", "loveletter", "script", "createobject", "html", "meta", "name", "title", "body", "iloveyou", "generator", "philippines", "loop", "extra info", "next", "vbs script", "program", "attack network", "info processes", "zenbox verdict", "guest system", "ultimate file", "info file", "defense evasion", "windows sandbox", "calls clear", "next ur", "file type", "ascii text", "crlf line", "ms windows", "pe32", "drops pe", "intel", "yara", "sigma", "njrat", "malicious", "darkcomet", "code", "delphi", "dbatloader", "loader", "fraud", "notpetya", "killmbr", "trojanransom", "ransomware", "initial access", "settings", "default", "parent pid", "full path", "command line", "mwdb", "bazaar", "sha3384", "ssdeep", "format", "shell", "payload", "kevin", "accept", "revengerat", "shutdown", "aspack", "vmprotect", "meteorite", "petya", "infinitylock", "redline", "remcos", "javadropper", "lokibot", "guard", "mono", "eternalromance", "exploit", "badrabbit", "s): InfinityLock RedLine Njrat LokiBot Meteorite Downloader Java" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/556700ac50ffa845e5de853498242ee5abb288eb5b8ae1ae12bfdb5746e3b7b1_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778755991&Signature=xjEd%2BfezTG%2Bhf9CMiLVkvgMjqq3uWY0btw2QhhcAqvYLh%2BdAJB5d1xHA9O3DAxXep3iyDgqVU01VvCAb%2BKefQNSVhuEaACn6Vg0Hh1CHnNc3GMCXSMdTRZFYYSzniYpYsmeZX%2F0ez%2Fvlig7VA40maOBDvb%2B3HADaVl1jboeClkaL2NCfDYCQYRK2vZ5yX7ggUG%2FM2b0scFtssuydGnlFONW5Ebr6b3RuXJRvMFO9SQ%2BJ", "https://vtbehaviour.commondatastorage.googleapis.com/556700ac50ffa845e5de853498242ee5abb288eb5b8ae1ae12bfdb5746e3b7b1_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778756062&Signature=1qwcsdiF0JPfNYSk7RDQXO4pZXvL%2Fj1JyEUevcp%2B6HlCDqJ6UKeuGEjU%2FtfcS8Y2I%2B%2FIkWQ7I%2FrKwePXyPYnyKs%2F5BGxqLLSdyj6hlP6mspza3lBQCmI8D%2B%2F%2BIcbUB4s1UZP6cZ3bieHVI%2BUt7YDDau3vsnsQBE3cIa48fIcZYKmsJp7P%2FETHpk%2FGfCZlLU4fOjXvbexeI%2Fjw%2FLOBcq3zipo%2BwQyGxHTmnK%2F", "https://vtbehaviour.commondatastorage.googleapis.com/556700ac50ffa845e5de853498242ee5abb288eb5b8ae1ae12bfdb5746e3b7b1_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778756107&Signature=qcKaJdEe1%2F0Ewg9HU1LOWWYUSa1AX6o24coccdj5tLucnjjA7oPNFtU1%2FnPf1MngS%2B8Re5bUyuY%2FpE%2FwiXxMY9hSNotJ6H1BkH1IoOGDT8ucHEnRnac1I9XLmxmVOBdHXBoIYAF6cQu1wHM6n7kGPEnerHpqMASVuGIVJqeq9p3f7K8RNeiAlAzFQHPWjKuVRpePEo0aeNddEvVPmacL3C3Jjat%2B8lUZN4JAbvRXfPBU", "https://vtbehaviour.commondatastorage.googleapis.com/7737f90de7e9fc0935561c017e9ddc4a58337ebc25873f0bbcfe860790f3f888_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778756213&Signature=nT2GPVh7JliXkCSmMglFnpxTqzjwGedv4d2km9l3nSbMaMVXff1erDdvDEzPK%2BiZmnXCBqjGhLu0pehbVPaA%2FuFCZI%2FNWrrMXl07NM2A8A0aQwuI5lwt6CpefiJaPgbeNJ%2FYSGyoPLGwLQTA1Upga8%2F1GeMvooHMu1noElIuYrvsfuC3bzCdwW7rC2t4C9bKa0%2FBKK%2BQHVrZA2NIAsBNIRplsBOqZybAuDBKBxb8Liqs580KbDsCQU4%", "https://vtbehaviour.commondatastorage.googleapis.com/7737f90de7e9fc0935561c017e9ddc4a58337ebc25873f0bbcfe860790f3f888_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778756397&Signature=GrgrzQyGr0qFGDnfG3rlbCv4hrrrTPOM0ZaqFW%2FWxF%2BZW62aUsSeXENHRday%2B2le7YUbRKI20ywbl8yvmeRJ1iO5haWVNYFoq7Gt1zljmR%2F5ZveJp80cYWagPzIcSu2W0NzvR8T49UkZukCRr2yTn4Y77ivK4HZ%2FyE3ZL9Au3TqjZg0PaQSZhsub%2BtP7IMgeCTGCevf0UvRrEE6aka8%2FNMFwhtH5Pi7CX8SD%2F4Q%2Bd34I" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1490", "name": "Inhibit System Recovery", "display_name": "T1490 - Inhibit System Recovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1529", "name": "System Shutdown/Reboot", "display_name": "T1529 - System Shutdown/Reboot" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 36, "FileHash-MD5": 245, "FileHash-SHA1": 109, "FileHash-SHA256": 224, "URL": 269, "domain": 51, "email": 3, "hostname": 189, "Mutex": 4 }, "indicator_count": 1130, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "15 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a05ac72028bf99f635f0ded", "name": "Eternal Romance. InfinityRedRatLokiMeteorDownDropRemPetDCometRevenBRabbit[Ilu/txt> vbs]CAPE Sandbox", "description": "[A report on the discovery of a malicious script on a server at the University of California, Los Angeles, has been published by GRAMMERSoft Group, a security firm based in the Philippines.] s): InfinityLock RedLine Njrat LokiBot Meteorite Downloader JavaDropper Remcos Petya DarkComet RevengeRAT BadRabbit Iloveyou[txt]vbs.\nMalware like this is almost never unintentional.", "modified": "2026-05-14T11:05:22.932000", "created": "2026-05-14T11:05:22.932000", "tags": [ "vbcrlf", "error resume", "next dim", "page", "loveletter", "script", "createobject", "html", "meta", "name", "title", "body", "iloveyou", "generator", "philippines", "loop", "extra info", "next", "vbs script", "program", "attack network", "info processes", "zenbox verdict", "guest system", "ultimate file", "info file", "defense evasion", "windows sandbox", "calls clear", "next ur", "file type", "ascii text", "crlf line", "ms windows", "pe32", "drops pe", "intel", "yara", "sigma", "njrat", "malicious", "darkcomet", "code", "delphi", "dbatloader", "loader", "fraud", "notpetya", "killmbr", "trojanransom", "ransomware", "initial access", "settings", "default", "parent pid", "full path", "command line", "mwdb", "bazaar", "sha3384", "ssdeep", "format", "shell", "payload", "kevin", "accept", "revengerat", "shutdown", "aspack", "vmprotect", "meteorite", "petya", "infinitylock", "redline", "remcos", "javadropper", "lokibot", "guard", "mono", "eternalromance", "exploit", "badrabbit", "s): InfinityLock RedLine Njrat LokiBot Meteorite Downloader Java" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/556700ac50ffa845e5de853498242ee5abb288eb5b8ae1ae12bfdb5746e3b7b1_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778755991&Signature=xjEd%2BfezTG%2Bhf9CMiLVkvgMjqq3uWY0btw2QhhcAqvYLh%2BdAJB5d1xHA9O3DAxXep3iyDgqVU01VvCAb%2BKefQNSVhuEaACn6Vg0Hh1CHnNc3GMCXSMdTRZFYYSzniYpYsmeZX%2F0ez%2Fvlig7VA40maOBDvb%2B3HADaVl1jboeClkaL2NCfDYCQYRK2vZ5yX7ggUG%2FM2b0scFtssuydGnlFONW5Ebr6b3RuXJRvMFO9SQ%2BJ", "https://vtbehaviour.commondatastorage.googleapis.com/556700ac50ffa845e5de853498242ee5abb288eb5b8ae1ae12bfdb5746e3b7b1_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778756062&Signature=1qwcsdiF0JPfNYSk7RDQXO4pZXvL%2Fj1JyEUevcp%2B6HlCDqJ6UKeuGEjU%2FtfcS8Y2I%2B%2FIkWQ7I%2FrKwePXyPYnyKs%2F5BGxqLLSdyj6hlP6mspza3lBQCmI8D%2B%2F%2BIcbUB4s1UZP6cZ3bieHVI%2BUt7YDDau3vsnsQBE3cIa48fIcZYKmsJp7P%2FETHpk%2FGfCZlLU4fOjXvbexeI%2Fjw%2FLOBcq3zipo%2BwQyGxHTmnK%2F", "https://vtbehaviour.commondatastorage.googleapis.com/556700ac50ffa845e5de853498242ee5abb288eb5b8ae1ae12bfdb5746e3b7b1_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778756107&Signature=qcKaJdEe1%2F0Ewg9HU1LOWWYUSa1AX6o24coccdj5tLucnjjA7oPNFtU1%2FnPf1MngS%2B8Re5bUyuY%2FpE%2FwiXxMY9hSNotJ6H1BkH1IoOGDT8ucHEnRnac1I9XLmxmVOBdHXBoIYAF6cQu1wHM6n7kGPEnerHpqMASVuGIVJqeq9p3f7K8RNeiAlAzFQHPWjKuVRpePEo0aeNddEvVPmacL3C3Jjat%2B8lUZN4JAbvRXfPBU", "https://vtbehaviour.commondatastorage.googleapis.com/7737f90de7e9fc0935561c017e9ddc4a58337ebc25873f0bbcfe860790f3f888_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778756213&Signature=nT2GPVh7JliXkCSmMglFnpxTqzjwGedv4d2km9l3nSbMaMVXff1erDdvDEzPK%2BiZmnXCBqjGhLu0pehbVPaA%2FuFCZI%2FNWrrMXl07NM2A8A0aQwuI5lwt6CpefiJaPgbeNJ%2FYSGyoPLGwLQTA1Upga8%2F1GeMvooHMu1noElIuYrvsfuC3bzCdwW7rC2t4C9bKa0%2FBKK%2BQHVrZA2NIAsBNIRplsBOqZybAuDBKBxb8Liqs580KbDsCQU4%", "https://vtbehaviour.commondatastorage.googleapis.com/7737f90de7e9fc0935561c017e9ddc4a58337ebc25873f0bbcfe860790f3f888_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778756397&Signature=GrgrzQyGr0qFGDnfG3rlbCv4hrrrTPOM0ZaqFW%2FWxF%2BZW62aUsSeXENHRday%2B2le7YUbRKI20ywbl8yvmeRJ1iO5haWVNYFoq7Gt1zljmR%2F5ZveJp80cYWagPzIcSu2W0NzvR8T49UkZukCRr2yTn4Y77ivK4HZ%2FyE3ZL9Au3TqjZg0PaQSZhsub%2BtP7IMgeCTGCevf0UvRrEE6aka8%2FNMFwhtH5Pi7CX8SD%2F4Q%2Bd34I" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1490", "name": "Inhibit System Recovery", "display_name": "T1490 - Inhibit System Recovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1529", "name": "System Shutdown/Reboot", "display_name": "T1529 - System Shutdown/Reboot" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 36, "FileHash-MD5": 244, "FileHash-SHA1": 108, "FileHash-SHA256": 223, "URL": 269, "domain": 51, "email": 3, "hostname": 189 }, "indicator_count": 1123, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "16 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a05ac2c27730f972e8d9474", "name": "Eternal Romance. InfinityRedRatLokiMeteorDownDropRemPetDCometRevenBRabbit[Ilu/txt> vbs]CAPE Sandbox", "description": "[A report on the discovery of a malicious script on a server at the University of California, Los Angeles, has been published by GRAMMERSoft Group, a security firm based in the Philippines.] s): InfinityLock RedLine Njrat LokiBot Meteorite Downloader JavaDropper Remcos Petya DarkComet RevengeRAT BadRabbit Iloveyou[txt]vbs.\nMalware like this is almost never unintentional.", "modified": "2026-05-14T11:04:12.425000", "created": "2026-05-14T11:04:12.425000", "tags": [ "vbcrlf", "error resume", "next dim", "page", "loveletter", "script", "createobject", "html", "meta", "name", "title", "body", "iloveyou", "generator", "philippines", "loop", "extra info", "next", "vbs script", "program", "attack network", "info processes", "zenbox verdict", "guest system", "ultimate file", "info file", "defense evasion", "windows sandbox", "calls clear", "next ur", "file type", "ascii text", "crlf line", "ms windows", "pe32", "drops pe", "intel", "yara", "sigma", "njrat", "malicious", "darkcomet", "code", "delphi", "dbatloader", "loader", "fraud", "notpetya", "killmbr", "trojanransom", "ransomware", "initial access", "settings", "default", "parent pid", "full path", "command line", "mwdb", "bazaar", "sha3384", "ssdeep", "format", "shell", "payload", "kevin", "accept", "revengerat", "shutdown", "aspack", "vmprotect", "meteorite", "petya", "infinitylock", "redline", "remcos", "javadropper", "lokibot", "guard", "mono", "eternalromance", "exploit", "badrabbit", "s): InfinityLock RedLine Njrat LokiBot Meteorite Downloader Java" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/556700ac50ffa845e5de853498242ee5abb288eb5b8ae1ae12bfdb5746e3b7b1_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778755991&Signature=xjEd%2BfezTG%2Bhf9CMiLVkvgMjqq3uWY0btw2QhhcAqvYLh%2BdAJB5d1xHA9O3DAxXep3iyDgqVU01VvCAb%2BKefQNSVhuEaACn6Vg0Hh1CHnNc3GMCXSMdTRZFYYSzniYpYsmeZX%2F0ez%2Fvlig7VA40maOBDvb%2B3HADaVl1jboeClkaL2NCfDYCQYRK2vZ5yX7ggUG%2FM2b0scFtssuydGnlFONW5Ebr6b3RuXJRvMFO9SQ%2BJ", "https://vtbehaviour.commondatastorage.googleapis.com/556700ac50ffa845e5de853498242ee5abb288eb5b8ae1ae12bfdb5746e3b7b1_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778756062&Signature=1qwcsdiF0JPfNYSk7RDQXO4pZXvL%2Fj1JyEUevcp%2B6HlCDqJ6UKeuGEjU%2FtfcS8Y2I%2B%2FIkWQ7I%2FrKwePXyPYnyKs%2F5BGxqLLSdyj6hlP6mspza3lBQCmI8D%2B%2F%2BIcbUB4s1UZP6cZ3bieHVI%2BUt7YDDau3vsnsQBE3cIa48fIcZYKmsJp7P%2FETHpk%2FGfCZlLU4fOjXvbexeI%2Fjw%2FLOBcq3zipo%2BwQyGxHTmnK%2F", "https://vtbehaviour.commondatastorage.googleapis.com/556700ac50ffa845e5de853498242ee5abb288eb5b8ae1ae12bfdb5746e3b7b1_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778756107&Signature=qcKaJdEe1%2F0Ewg9HU1LOWWYUSa1AX6o24coccdj5tLucnjjA7oPNFtU1%2FnPf1MngS%2B8Re5bUyuY%2FpE%2FwiXxMY9hSNotJ6H1BkH1IoOGDT8ucHEnRnac1I9XLmxmVOBdHXBoIYAF6cQu1wHM6n7kGPEnerHpqMASVuGIVJqeq9p3f7K8RNeiAlAzFQHPWjKuVRpePEo0aeNddEvVPmacL3C3Jjat%2B8lUZN4JAbvRXfPBU", "https://vtbehaviour.commondatastorage.googleapis.com/7737f90de7e9fc0935561c017e9ddc4a58337ebc25873f0bbcfe860790f3f888_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778756213&Signature=nT2GPVh7JliXkCSmMglFnpxTqzjwGedv4d2km9l3nSbMaMVXff1erDdvDEzPK%2BiZmnXCBqjGhLu0pehbVPaA%2FuFCZI%2FNWrrMXl07NM2A8A0aQwuI5lwt6CpefiJaPgbeNJ%2FYSGyoPLGwLQTA1Upga8%2F1GeMvooHMu1noElIuYrvsfuC3bzCdwW7rC2t4C9bKa0%2FBKK%2BQHVrZA2NIAsBNIRplsBOqZybAuDBKBxb8Liqs580KbDsCQU4%", "https://vtbehaviour.commondatastorage.googleapis.com/7737f90de7e9fc0935561c017e9ddc4a58337ebc25873f0bbcfe860790f3f888_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778756397&Signature=GrgrzQyGr0qFGDnfG3rlbCv4hrrrTPOM0ZaqFW%2FWxF%2BZW62aUsSeXENHRday%2B2le7YUbRKI20ywbl8yvmeRJ1iO5haWVNYFoq7Gt1zljmR%2F5ZveJp80cYWagPzIcSu2W0NzvR8T49UkZukCRr2yTn4Y77ivK4HZ%2FyE3ZL9Au3TqjZg0PaQSZhsub%2BtP7IMgeCTGCevf0UvRrEE6aka8%2FNMFwhtH5Pi7CX8SD%2F4Q%2Bd34I" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1490", "name": "Inhibit System Recovery", "display_name": "T1490 - Inhibit System Recovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1529", "name": "System Shutdown/Reboot", "display_name": "T1529 - System Shutdown/Reboot" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 36, "FileHash-MD5": 244, "FileHash-SHA1": 108, "FileHash-SHA256": 223, "URL": 269, "domain": 51, "email": 3, "hostname": 189 }, "indicator_count": 1123, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "16 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a02eb598920fbedf3e41342", "name": "CAPE Sandbox - Dropped Files are Unacceptable", "description": "these files were \"dropped\" to me pcchecking-main/Ultra scan script", "modified": "2026-05-12T10:43:56.692000", "created": "2026-05-12T08:56:57.100000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 376, "FileHash-SHA1": 144, "FileHash-SHA256": 285, "IPv4": 67, "URL": 154, "domain": 297, "hostname": 152, "email": 4, "YARA": 11 }, "indicator_count": 1490, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "18 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a02eb577acf40ff18578c13", "name": "CAPE Sandbox - Dropped Files are Unacceptable", "description": "these files were \"dropped\" to me pcchecking-main/Ultra scan script", "modified": "2026-05-12T10:00:02.785000", "created": "2026-05-12T08:56:55.407000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 368, "FileHash-SHA1": 142, "FileHash-SHA256": 281, "IPv4": 61, "URL": 104, "domain": 295, "hostname": 132, "email": 2 }, "indicator_count": 1385, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "18 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a02eb5bb415c3d8211f2a69", "name": "CAPE Sandbox - Dropped Files are Unacceptable", "description": "these files were \"dropped\" to me pcchecking-main/Ultra scan script", "modified": "2026-05-12T10:00:01.413000", "created": "2026-05-12T08:56:59.194000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 368, "FileHash-SHA1": 142, "FileHash-SHA256": 281, "IPv4": 59, "URL": 102, "domain": 71, "hostname": 117 }, "indicator_count": 1140, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "18 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a02eb5aebd8b5cd4e1a10b8", "name": "CAPE Sandbox - Dropped Files are Unacceptable", "description": "these files were \"dropped\" to me pcchecking-main/Ultra scan script", "modified": "2026-05-12T10:00:00.080000", "created": "2026-05-12T08:56:58.095000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 368, "FileHash-SHA1": 142, "FileHash-SHA256": 281, "IPv4": 59, "URL": 102, "domain": 71, "hostname": 118 }, "indicator_count": 1141, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "18 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69d0f2fff74afb88c843c8e2", "name": "VirusTotal report\n for report.eml", "description": "A security alert for the Verizon Hanover cell phone store in Massachusetts has been triggered by a \"pulses\" created on the site by its owner, the company's parent company, Verizon.><<