{
  "type": "Domain",
  "indicator": "session.py",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/session.py",
    "alexa": "http://www.alexa.com/siteinfo/session.py",
    "indicator": "session.py",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 3876756013,
      "indicator": "session.py",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 10,
      "pulses": [
        {
          "id": "6a103de1e71756a0b58ce416",
          "name": "secret camera * VirusTotal Windows Sandbox",
          "description": "[100s of thousands of people have signed a petition calling for an end to the use of the word \"sex\" in the wake of a fatal accident in London's West Bromwich, which left 11 people dead]<what is this?",
          "modified": "2026-05-22T12:27:31.937000",
          "created": "2026-05-22T11:28:33.791000",
          "tags": [
            "windows sandbox",
            "clear filters",
            "file type",
            "ascii text",
            "pe file",
            "https",
            "ms windows",
            "svg scalable",
            "vector graphics",
            "elite",
            "tls version",
            "unicode text",
            "persistence",
            "malicious",
            "next",
            "default",
            "parent pid",
            "full path",
            "command line",
            "inprocserver32",
            "data",
            "datacrashpad",
            "k localservice",
            "s ngcsvc",
            "s ngcctnrsvc",
            "windir",
            "registry",
            "basic",
            "file name",
            "pe32 executable",
            "intel",
            "file size",
            "sha1",
            "files mitre",
            "windows user",
            "account control",
            "windows",
            "forms",
            "source source",
            "command",
            "enterprise",
            "close",
            "strong",
            "library",
            "address virtual",
            "none rticon",
            "cname",
            "mwdb",
            "bazaar",
            "sha3384",
            "accept",
            "tofsee",
            "shutdown",
            "stream",
            "string id",
            "x5173x95ed",
            "control",
            "wixbundlename",
            "x53d6x6d88",
            "copyright",
            "width",
            "height",
            "helptext",
            "repair",
            "calls process",
            "Camera",
            "Spyware",
            "illegal",
            "test recall",
            "test recall task 5/12/25"
          ],
          "references": [
            "https://vtbehaviour.commondatastorage.googleapis.com/88819f8dbc43e0609fbc6f6a1a9fb2740512b8e1e0f2d9e92926c31b8a11d446_VirusTotal%20R2DBox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779447466&Signature=nXchQzhNktG26CNrpPC2%2FRBVk5CXbCQ6xUNenWVvnvY2n5P71FF7HHw01QiPu3iGSvBSzqmHiB9HByI%2FJgWTdhqYvc9LZy0rI61W0%2FTNVhSNdb1omKNcCW1ikL2n7eR9BFV1ygPOAPnexLqjbK35hzq40mysRVPCVBcmrjs7NkxUh9nHkwmtOOR3Lz5NsYgdUX2AMqykR9pVoyTLy7tkl5Ap9keTZlEoE2RrK6MTO9HBhYPJD%2",
            "https://vtbehaviour.commondatastorage.googleapis.com/99bde29b5d7f5522c0452c95899f63a0cc99a465b516f7eb2980d519fe5a478c_VirusTotal%20R2DBox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779447513&Signature=vT05qRgkqzlTQQ09TU4VC1ZL9bRV9J6Tgx%2BLYi1Yop0ggmMd9LT5iNFG2AQr%2FZH%2F0pMgqHAgZy%2BRwWUtDV1qO5eBxL%2B8mGzJDZilm%2BhP3%2B%2BKQu%2F76vg8GcDLdxu%2FeLmkj8Dhp9pN4i2cytkeH5zr%2BRHZBvK4uQ47n1zLtlGUSsJ7YXGw%2BWQFVRvu%2B%2B11Jh1PF6x4jF%2B3IbYQ5CZcGLoGbo0PGkN",
            "https://vtbehaviour.commondatastorage.googleapis.com/c6096cb32fc9fe4f9cc789acd6e7710be6efb8703e6f529fc3b21d78781d1fa8_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779448055&Signature=Oo2OUSuLUWDZOZGoPlCv1tD%2FynOTQPpGUV9I%2FgvLt4ZafLu6Vnt%2FoOXLJA9nFZPH5AiUv%2FWd4huRf8%2BPiUQcGMkSOOYn3mJHyE2t6wNKj1BDNjEJ0ozgBjkzBrZ62UZn4p34YCFKx1mj%2BrH75IoSHpRUfJYvgHnJhElGEMhrJc7ieH0I%2FNpcLuxSy9sfujNonmjwsQj9ZWnkGvLPpmiljGhJIomaUZ6GITQcz6QqbInrBN3nHX6mGGk4",
            "https://vtbehaviour.commondatastorage.googleapis.com/c6096cb32fc9fe4f9cc789acd6e7710be6efb8703e6f529fc3b21d78781d1fa8_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779448087&Signature=zly9PmlRQWb4KS0rNwSC6GG0MNzjm7KFDjr%2B%2Few6J4vqKF%2FJhJnnrYPcE0jJDw2QNhVbkyk0ZP2AmxrgmnTVhLcFijlR18xS82aHK99JxYTYDkmlFMr4U3ENyb3KVWsT%2BCuRbwN66pmHE4sdf33jQRi4ZUPxLJwtnLmhmpds%2BM38I%2Fv7pfRhbp7OYurf%2BJ0%2FQT2bwsg7sZEjDUQJ7HSqjOP8unxpFfBHNwC4wr9qawvlz8",
            "https://vtbehaviour.commondatastorage.googleapis.com/c6096cb32fc9fe4f9cc789acd6e7710be6efb8703e6f529fc3b21d78781d1fa8_VenusEye%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779448113&Signature=HGVwYzpWE71%2BbcncRqOn%2BGkFdoAcM0zUAWI1eJD1jsHDcrJKlqO9M0XORZQA5YJxAW65VvTW9omuEH7SypRLJu1W0P3VYs46P7H4Dz1TsNoaNKYhhqpYfKql%2BYbpF7jIqwNfYdG5Uya0aqcIeI7Wx22%2BpByMhnrECSPxpU6wII3hOhgINOcc1mqsMEFfCB4fd%2F3zvfmJ7Rc5HiEea5Qx%2Fm7tB7DjImzqZFtSAQh6qFcSNN",
            "https://vtbehaviour.commondatastorage.googleapis.com/c6096cb32fc9fe4f9cc789acd6e7710be6efb8703e6f529fc3b21d78781d1fa8_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779448247&Signature=KaOoC8k1CwemdPniC2jnlheSiP5jHQwh83WcgjNWDujHQ8F6N7qW1Q3lVUf%2FBjEofHhKuYofMNOHzuLgXjiq%2F4ie2jeMJ2kiAYHGeUvc8RFAO28YMWxIJPmcTSCLcxaOQNbzOOtMF2DO6%2Fw9IodVAr1Yv3SgvamznVqYCu5Din1Q7C0hAc68dxqEbYxXnk9hekwNuVZf81kyLJEmJbSWOxr0ONyt6e7qhV07xe4C1TIJXe%2BH6Zkc8Jp",
            "https://vtbehaviour.commondatastorage.googleapis.com/3fe3b0bc7ca7ec4d23c1cd7c07d5cdf9cb3463beb18cd58e2501150d343d0851_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779448581&Signature=u1m6X7g3%2B46ZDMb0IvTTp%2FbBxgM9iZvfcHnyyGsaqQA%2BxHuw9ZcqfIkIme3jx7%2BblFBuowZqDr1PbGP28vbxcZhaskjIn3w04QkzN%2F6EWbNlPvabmBH3M0F%2FhfTEM8ayozqby2SPWv6azOEd%2FS3MXYnUsOzgOpSh1uIk0iduf4w1ePo4yJAdHv7fc0AUGPzRmssC0jpjqXzao%2F0qbg1JRMMBq0edJZqYiws6vIf%2B2d9O",
            "https://vtbehaviour.commondatastorage.googleapis.com/c6096cb32fc9fe4f9cc789acd6e7710be6efb8703e6f529fc3b21d78781d1fa8_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779449270&Signature=y5dmd%2Br9iDNaXftiyxWZe5cWdAiIpA4H9u6vCT%2FdvFUKL7WV7S2HOKzRyETdhPd%2BF%2FoG5DQwjiN8Yvi10oC6iRsDQY6lbl34%2BOoaljXY4sg13Yyq9v9MMC5DrVBiOta4mYQFQL240y55PVUqOeWoTlaCvh9aA8Mn2iw5ITNNXJVpckpc9C37%2FxyFz8zFSmDEzj3pB2pggacPF34xQm4NB4hDB9ssqGeTsAbv41aOUu4XRV2pyMo9E0xtK2",
            "https://vtbehaviour.commondatastorage.googleapis.com/e0ac3780a1152800adc9fb31b5fd9d849b8f8defc014657b9b2e998ff72c2bb4_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779449323&Signature=QsivAArVUulKH5N9EOkYOICShe0hR8W0UFhFsPq6t2rlRIdIvciMDBQZ4ooTbp7TpacdxQgFF%2Bi5tH9LdqhGhhF5JPkquaQ5Twm8UjTLbiV4v0PAECarE7LnIShAtYF1LNwCZ6BDcQLYYCofAYGAFJnVZjnwztoy32OFI6WldLKbOfNYUmLe2Api5KarnJezGIPSvZLOJLHh9e6ApJk0PwnTupqxWn0JORAZidwNrGjvoBMeb6gtWmgFnwTO",
            "https://vtbehaviour.commondatastorage.googleapis.com/e0ac3780a1152800adc9fb31b5fd9d849b8f8defc014657b9b2e998ff72c2bb4_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779449382&Signature=GsaicymiUqs49NLqLPAVvf%2Bv2RwudQDEfcp3TeWyX92n2qwqpH9HWCV422PIRfG9GUe5OGbnGO0mIkaCuWs9fgtMTHtoT6o2uIiPZQNhcAL2tWEv22GoGjIhK0MvnOKG1EKRAA9bdlP5tGpvgOM5usOM55tsgbPUQWGsB19CvRAPS6OZ1eIqrdpLiOeAKK2uIGkaOnOkD4njy1e15fQ0BGPY1rMjdenHRZDu9EXv2zfwqLiUNbp%2B"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1033",
              "name": "System Owner/User Discovery",
              "display_name": "T1033 - System Owner/User Discovery"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1070",
              "name": "Indicator Removal on Host",
              "display_name": "T1070 - Indicator Removal on Host"
            },
            {
              "id": "T1112",
              "name": "Modify Registry",
              "display_name": "T1112 - Modify Registry"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1202",
              "name": "Indirect Command Execution",
              "display_name": "T1202 - Indirect Command Execution"
            },
            {
              "id": "T1496",
              "name": "Resource Hijacking",
              "display_name": "T1496 - Resource Hijacking"
            },
            {
              "id": "T1539",
              "name": "Steal Web Session Cookie",
              "display_name": "T1539 - Steal Web Session Cookie"
            },
            {
              "id": "T1542",
              "name": "Pre-OS Boot",
              "display_name": "T1542 - Pre-OS Boot"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1564",
              "name": "Hide Artifacts",
              "display_name": "T1564 - Hide Artifacts"
            },
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            },
            {
              "id": "T1485",
              "name": "Data Destruction",
              "display_name": "T1485 - Data Destruction"
            },
            {
              "id": "T1486",
              "name": "Data Encrypted for Impact",
              "display_name": "T1486 - Data Encrypted for Impact"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 4759,
            "hostname": 1513,
            "IPv4": 576,
            "FileHash-MD5": 1418,
            "FileHash-SHA1": 1413,
            "domain": 1263,
            "URL": 1550,
            "email": 27,
            "IPv6": 8,
            "CVE": 5
          },
          "indicator_count": 12532,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 68,
          "modified_text": "10 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69d46ee073b843b1b52f59a2",
          "name": "VirusTotal report\n                    for l-Management-System-School-ERP-nulled-by-CodeAlright.Com.zip",
          "description": "A look at the results of a report generated by the University of California, Los Angeles (UCLA) and compiled by codecanyon, a university-instikit and an academy.",
          "modified": "2026-05-07T02:13:20.636000",
          "created": "2026-04-07T02:41:36.582000",
          "tags": [
            "file type",
            "unix",
            "mitre attack",
            "network info",
            "wed jun",
            "overview",
            "dropped info",
            "processes extra",
            "overview zenbox",
            "linux verdict",
            "persistence",
            "malicious",
            "next",
            "newstoday2",
            "ip address",
            "virustotal box",
            "apples sandbox",
            "sandbox sha256",
            "analysis date",
            "screnshots",
            "file",
            "operations",
            "process open",
            "python",
            "javascript",
            "html",
            "sample",
            "test",
            "urls",
            "united",
            "extra info",
            "uncomment",
            "performs dns",
            "layer protocol",
            "attack network",
            "info dropped",
            "info processes",
            "info",
            "may try",
            "ascii text",
            "png image",
            "https",
            "reads cpu",
            "tls version",
            "ascii",
            "usrliblog"
          ],
          "references": [
            "https://vtbehaviour.commondatastorage.googleapis.com/01f57cc95906a44558c5c1f19ef3191fe6f2f1cc03e1d10d1da421b7c604903f_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775529261&Signature=RJNKrp%2FaK0APCyfk557hpXXr%2BMWPGME1nJO1%2BQCUEm9xRuKB0DlxP%2BfDSiZsLcJsAhaI%2FWxbH%2F%2FdbHllDXKgjJl92HzsTFyTAT0eMx%2BzlFLXKn0VyBmCHKLgKoFS4fDODUKy6SKJxdUav7aDP1aVhAXMPp%2BT3yWjDdSos0HQalqAt%2FcsVg1w28zfPjvVVGv%2B%2FvJeCIgzhXeE2pX6Npumx67Yym8jiiqV75WoDu",
            "https://vtbehaviour.commondatastorage.googleapis.com/00913627185b352deaf0ec837f85a7f606b27112956875de5d610fba8151306c_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775529477&Signature=s8ZCWLcVqjdBgBGejTcqippuMvftwgsdUQHUAjBnm45yUvqDsHIMIA29%2BJcb%2BrruXxHPD5tQv1BwAzlV1o7EuhxX4qMqDcFWSLqoc%2FqAnEVxLg0zXohtwMkHxv0z%2Bp5AL0jLyAwNYz7bH56tnmUs3tHPYc48OeM4AanV030U%2FnmXlF8kJ6cjAemipfTNe1QRx3ecbONm9c3B51FK0BbzZEdRX0pTHIM4AK1M",
            "https://vtbehaviour.commondatastorage.googleapis.com/0347ed7ffd09f6728c494128b1d11792893d5cde9e4effdc2bcc8f9ebb12a0e1_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775529533&Signature=diQ6r2CuvkDxYGybQtlzxVxtH8iGMt6XlgZBEpk7B5n%2FVtwOuZaPpuNyM%2Fr4VbSp2H67%2FddXTZ3XJG8LdUMwLVXsSDKIq%2BjyQHccTuCS0HXEDbllONqfU6gWICxxtdC%2F4wdaL8fVyCE%2FHHcnWm5PufAa002Tn02MbSx9cFdNZS4R86MEMARaMiXSCiGQuiLR2STQCGqU%2Byg16ky%2FYjPbLtB6WD5skgEs3AgDmDNlDLjtbb",
            "https://vtbehaviour.commondatastorage.googleapis.com/00695c0012a8ebc08469eb0d32d3974ae70e93d129015dbfe6da128556ab3726_Zenbox%20macOS.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775529640&Signature=G0ONarqL7o1MkYvMlqktPKmEpNw5A3hwHYnIBwD8r%2F0xQfBDCaCPoL6%2BMxjj5Ftsb47O6KGvZzp2CS1xFcRHfbhEnUGRJR9o2%2FjSPy6NAV226GNwtSGdDXxPJFfETfpFlDEj%2FOCd26qtcBDdT4lX2saiGfx0%2FunV94XcNq3cUTVm%2Fsf0BO74945PnFWtBu3Oq%2FBm9AlaLwnyEZ5TDLfhXyqiTv1Qsx%2FWmBk0PIieA9MtTm",
            "https://vtbehaviour.commondatastorage.googleapis.com/00695c0012a8ebc08469eb0d32d3974ae70e93d129015dbfe6da128556ab3726_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775529701&Signature=BDpq68evTIZGfF61fRMAYEM%2BQtXgDfwPgp7qnaSE1mJStRV1ikHnSjRDxrMwGqkg0kaXqLEpQ%2BLuSCdJ9wJJzfrkQuV1%2Bbcg0cctnCOLgWhiXjekyol4iul%2FPXEGu6%2F1a20JEEoUfg9Dq6%2FosKMN9fmk%2BtqQcFa6PODcE3qJcO23YhWwDpmSYZ7t8JNsALFm98c6r%2BfBLLjnCSpVql2zQJifkl%2BteR57LTZG7W2lbENV",
            "https://vtbehaviour.commondatastorage.googleapis.com/00695c0012a8ebc08469eb0d32d3974ae70e93d129015dbfe6da128556ab3726_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775529758&Signature=zXDmSolL1BXRVntoMjKFPJaZtQ0tI1lf56M%2BqCFh1c0JirSCS7DGBgxMdHuaZG8hsB%2FV1nO0JEfDegHE1Ibm55QO9TriIg9yCH6dZSsofTmiHiBOUZtTMSH1Pg1z%2FnuElFFvVDHQ2Ryhog0fw%2BwfS0Fpe5ZOoTF8KK883iH45dmOAcVEphu7K5A%2FrzfFG93bFibxA7MRKbLLGBbrIVz4yFSuuFHimac0dVn%"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1064",
              "name": "Scripting",
              "display_name": "T1064 - Scripting"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1543",
              "name": "Create or Modify System Process",
              "display_name": "T1543 - Create or Modify System Process"
            },
            {
              "id": "T1564",
              "name": "Hide Artifacts",
              "display_name": "T1564 - Hide Artifacts"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1222",
              "name": "File and Directory Permissions Modification",
              "display_name": "T1222 - File and Directory Permissions Modification"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 158,
            "FileHash-SHA1": 158,
            "FileHash-SHA256": 1127,
            "URL": 116,
            "hostname": 49,
            "domain": 182,
            "email": 1
          },
          "indicator_count": 1791,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 68,
          "modified_text": "26 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69d46ee1379578309fae9a4a",
          "name": "VirusTotal report\n                    for l-Management-System-School-ERP-nulled-by-CodeAlright.Com.zip",
          "description": "A look at the results of a report generated by the University of California, Los Angeles (UCLA) and compiled by codecanyon, a university-instikit and an academy.",
          "modified": "2026-05-07T02:13:20.636000",
          "created": "2026-04-07T02:41:37.877000",
          "tags": [
            "file type",
            "unix",
            "mitre attack",
            "network info",
            "wed jun",
            "overview",
            "dropped info",
            "processes extra",
            "overview zenbox",
            "linux verdict",
            "persistence",
            "malicious",
            "next",
            "newstoday2",
            "ip address",
            "virustotal box",
            "apples sandbox",
            "sandbox sha256",
            "analysis date",
            "screnshots",
            "file",
            "operations",
            "process open",
            "python",
            "javascript",
            "html",
            "sample",
            "test",
            "urls",
            "united",
            "extra info",
            "uncomment",
            "performs dns",
            "layer protocol",
            "attack network",
            "info dropped",
            "info processes",
            "info",
            "may try",
            "ascii text",
            "png image",
            "https",
            "reads cpu",
            "tls version",
            "ascii",
            "usrliblog"
          ],
          "references": [
            "https://vtbehaviour.commondatastorage.googleapis.com/01f57cc95906a44558c5c1f19ef3191fe6f2f1cc03e1d10d1da421b7c604903f_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775529261&Signature=RJNKrp%2FaK0APCyfk557hpXXr%2BMWPGME1nJO1%2BQCUEm9xRuKB0DlxP%2BfDSiZsLcJsAhaI%2FWxbH%2F%2FdbHllDXKgjJl92HzsTFyTAT0eMx%2BzlFLXKn0VyBmCHKLgKoFS4fDODUKy6SKJxdUav7aDP1aVhAXMPp%2BT3yWjDdSos0HQalqAt%2FcsVg1w28zfPjvVVGv%2B%2FvJeCIgzhXeE2pX6Npumx67Yym8jiiqV75WoDu",
            "https://vtbehaviour.commondatastorage.googleapis.com/00913627185b352deaf0ec837f85a7f606b27112956875de5d610fba8151306c_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775529477&Signature=s8ZCWLcVqjdBgBGejTcqippuMvftwgsdUQHUAjBnm45yUvqDsHIMIA29%2BJcb%2BrruXxHPD5tQv1BwAzlV1o7EuhxX4qMqDcFWSLqoc%2FqAnEVxLg0zXohtwMkHxv0z%2Bp5AL0jLyAwNYz7bH56tnmUs3tHPYc48OeM4AanV030U%2FnmXlF8kJ6cjAemipfTNe1QRx3ecbONm9c3B51FK0BbzZEdRX0pTHIM4AK1M",
            "https://vtbehaviour.commondatastorage.googleapis.com/0347ed7ffd09f6728c494128b1d11792893d5cde9e4effdc2bcc8f9ebb12a0e1_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775529533&Signature=diQ6r2CuvkDxYGybQtlzxVxtH8iGMt6XlgZBEpk7B5n%2FVtwOuZaPpuNyM%2Fr4VbSp2H67%2FddXTZ3XJG8LdUMwLVXsSDKIq%2BjyQHccTuCS0HXEDbllONqfU6gWICxxtdC%2F4wdaL8fVyCE%2FHHcnWm5PufAa002Tn02MbSx9cFdNZS4R86MEMARaMiXSCiGQuiLR2STQCGqU%2Byg16ky%2FYjPbLtB6WD5skgEs3AgDmDNlDLjtbb",
            "https://vtbehaviour.commondatastorage.googleapis.com/00695c0012a8ebc08469eb0d32d3974ae70e93d129015dbfe6da128556ab3726_Zenbox%20macOS.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775529640&Signature=G0ONarqL7o1MkYvMlqktPKmEpNw5A3hwHYnIBwD8r%2F0xQfBDCaCPoL6%2BMxjj5Ftsb47O6KGvZzp2CS1xFcRHfbhEnUGRJR9o2%2FjSPy6NAV226GNwtSGdDXxPJFfETfpFlDEj%2FOCd26qtcBDdT4lX2saiGfx0%2FunV94XcNq3cUTVm%2Fsf0BO74945PnFWtBu3Oq%2FBm9AlaLwnyEZ5TDLfhXyqiTv1Qsx%2FWmBk0PIieA9MtTm",
            "https://vtbehaviour.commondatastorage.googleapis.com/00695c0012a8ebc08469eb0d32d3974ae70e93d129015dbfe6da128556ab3726_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775529701&Signature=BDpq68evTIZGfF61fRMAYEM%2BQtXgDfwPgp7qnaSE1mJStRV1ikHnSjRDxrMwGqkg0kaXqLEpQ%2BLuSCdJ9wJJzfrkQuV1%2Bbcg0cctnCOLgWhiXjekyol4iul%2FPXEGu6%2F1a20JEEoUfg9Dq6%2FosKMN9fmk%2BtqQcFa6PODcE3qJcO23YhWwDpmSYZ7t8JNsALFm98c6r%2BfBLLjnCSpVql2zQJifkl%2BteR57LTZG7W2lbENV",
            "https://vtbehaviour.commondatastorage.googleapis.com/00695c0012a8ebc08469eb0d32d3974ae70e93d129015dbfe6da128556ab3726_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775529758&Signature=zXDmSolL1BXRVntoMjKFPJaZtQ0tI1lf56M%2BqCFh1c0JirSCS7DGBgxMdHuaZG8hsB%2FV1nO0JEfDegHE1Ibm55QO9TriIg9yCH6dZSsofTmiHiBOUZtTMSH1Pg1z%2FnuElFFvVDHQ2Ryhog0fw%2BwfS0Fpe5ZOoTF8KK883iH45dmOAcVEphu7K5A%2FrzfFG93bFibxA7MRKbLLGBbrIVz4yFSuuFHimac0dVn%"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1064",
              "name": "Scripting",
              "display_name": "T1064 - Scripting"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1543",
              "name": "Create or Modify System Process",
              "display_name": "T1543 - Create or Modify System Process"
            },
            {
              "id": "T1564",
              "name": "Hide Artifacts",
              "display_name": "T1564 - Hide Artifacts"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1222",
              "name": "File and Directory Permissions Modification",
              "display_name": "T1222 - File and Directory Permissions Modification"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 158,
            "FileHash-SHA1": 158,
            "FileHash-SHA256": 1127,
            "URL": 110,
            "hostname": 45,
            "domain": 179
          },
          "indicator_count": 1777,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 68,
          "modified_text": "26 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69d45104133846ffc6b2a6fe",
          "name": "CAPE Sandbox -y2k",
          "description": "> full text of the full report on this year's EU Referendum, which will take place on 26 May 2017, has been published by BBC Radio 5 live in the UK and Ireland.>y2k status",
          "modified": "2026-05-07T00:00:42.275000",
          "created": "2026-04-07T00:34:12.507000",
          "tags": [
            "html document",
            "ascii text",
            "language"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1070",
              "name": "Indicator Removal on Host",
              "display_name": "T1070 - Indicator Removal on Host"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1064",
              "name": "Scripting",
              "display_name": "T1064 - Scripting"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1564",
              "name": "Hide Artifacts",
              "display_name": "T1564 - Hide Artifacts"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 310,
            "FileHash-SHA1": 308,
            "FileHash-SHA256": 1270,
            "domain": 168,
            "hostname": 31,
            "URL": 98
          },
          "indicator_count": 2185,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 68,
          "modified_text": "26 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69d4510678007ab57751a513",
          "name": "CAPE Sandbox -y2k",
          "description": "> full text of the full report on this year's EU Referendum, which will take place on 26 May 2017, has been published by BBC Radio 5 live in the UK and Ireland.>y2k status",
          "modified": "2026-05-07T00:00:42.275000",
          "created": "2026-04-07T00:34:14.009000",
          "tags": [
            "html document",
            "ascii text",
            "language"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1070",
              "name": "Indicator Removal on Host",
              "display_name": "T1070 - Indicator Removal on Host"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1064",
              "name": "Scripting",
              "display_name": "T1064 - Scripting"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1564",
              "name": "Hide Artifacts",
              "display_name": "T1564 - Hide Artifacts"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 310,
            "FileHash-SHA1": 308,
            "FileHash-SHA256": 1270,
            "domain": 168,
            "hostname": 31,
            "URL": 98
          },
          "indicator_count": 2185,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 68,
          "modified_text": "26 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69d45107d82d67453e8ade06",
          "name": "CAPE Sandbox -y2k",
          "description": "> full text of the full report on this year's EU Referendum, which will take place on 26 May 2017, has been published by BBC Radio 5 live in the UK and Ireland.>y2k status",
          "modified": "2026-05-07T00:00:42.275000",
          "created": "2026-04-07T00:34:15.789000",
          "tags": [
            "html document",
            "ascii text",
            "language"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1070",
              "name": "Indicator Removal on Host",
              "display_name": "T1070 - Indicator Removal on Host"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1064",
              "name": "Scripting",
              "display_name": "T1064 - Scripting"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1564",
              "name": "Hide Artifacts",
              "display_name": "T1564 - Hide Artifacts"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 310,
            "FileHash-SHA1": 308,
            "FileHash-SHA256": 1270,
            "domain": 168,
            "hostname": 31,
            "URL": 98
          },
          "indicator_count": 2185,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 68,
          "modified_text": "26 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69d4510870e9906d58e7a554",
          "name": "CAPE Sandbox -y2k",
          "description": "> full text of the full report on this year's EU Referendum, which will take place on 26 May 2017, has been published by BBC Radio 5 live in the UK and Ireland.>y2k status",
          "modified": "2026-05-07T00:00:42.275000",
          "created": "2026-04-07T00:34:16.928000",
          "tags": [
            "html document",
            "ascii text",
            "language"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1070",
              "name": "Indicator Removal on Host",
              "display_name": "T1070 - Indicator Removal on Host"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1064",
              "name": "Scripting",
              "display_name": "T1064 - Scripting"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1564",
              "name": "Hide Artifacts",
              "display_name": "T1564 - Hide Artifacts"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 310,
            "FileHash-SHA1": 308,
            "FileHash-SHA256": 1270,
            "domain": 168,
            "hostname": 31,
            "URL": 98
          },
          "indicator_count": 2185,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 68,
          "modified_text": "26 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69d4569a944adf94a75efcf9",
          "name": "VirusTotal report for download.rar",
          "description": "0347ed7f6728c494128d5cde9e4effdc2bcc8f944d78bca8d, as well as 1.3m2.",
          "modified": "2026-05-07T00:00:42.275000",
          "created": "2026-04-07T00:58:02.158000",
          "tags": [
            "json text",
            "json"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1010",
              "name": "Application Window Discovery",
              "display_name": "T1010 - Application Window Discovery"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1070",
              "name": "Indicator Removal on Host",
              "display_name": "T1070 - Indicator Removal on Host"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1064",
              "name": "Scripting",
              "display_name": "T1064 - Scripting"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1564",
              "name": "Hide Artifacts",
              "display_name": "T1564 - Hide Artifacts"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 287,
            "FileHash-SHA1": 283,
            "FileHash-SHA256": 2301,
            "URL": 113,
            "domain": 169,
            "hostname": 75
          },
          "indicator_count": 3228,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 68,
          "modified_text": "26 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69d4569dc87656b4a255a124",
          "name": "VirusTotal report for download.rar",
          "description": "0347ed7f6728c494128d5cde9e4effdc2bcc8f944d78bca8d, as well as 1.3m2.",
          "modified": "2026-05-07T00:00:42.275000",
          "created": "2026-04-07T00:58:05.842000",
          "tags": [
            "json text",
            "json"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1010",
              "name": "Application Window Discovery",
              "display_name": "T1010 - Application Window Discovery"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1070",
              "name": "Indicator Removal on Host",
              "display_name": "T1070 - Indicator Removal on Host"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1064",
              "name": "Scripting",
              "display_name": "T1064 - Scripting"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1564",
              "name": "Hide Artifacts",
              "display_name": "T1564 - Hide Artifacts"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 281,
            "FileHash-SHA1": 277,
            "FileHash-SHA256": 2208,
            "URL": 113,
            "domain": 169,
            "hostname": 75
          },
          "indicator_count": 3123,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 68,
          "modified_text": "26 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69b94ddfec797954b95d67c1",
          "name": "CAPE Sandbox",
          "description": "Checks available memory\nQueries the username/Connects to crypto currency mining pool\n/A possible heap spray exploit has been detected/Queries the keyboard layout/Queries the computer locale (possible geofencing)\nSetUnhandledExceptionFilter detected (possible anti-debug)/Accessed credential storage registry keys\nPossible date expiration check, exits too soon after checking local time/Checks system language via registry key (possible geofencing)\nAnomalous file deletion behavior detected (10+)\nAttempts to connect to a dead IP:Port (5 unique times)\nPerforms HTTP requests potentially not found in PCAP.\nCreates a process in a suspended state, likely for injection\nResumed a thread in another process\nReads from the memory of another process\nrest in references",
          "modified": "2026-04-16T13:37:13.951000",
          "created": "2026-03-17T12:49:35.769000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            },
            {
              "id": "T1014",
              "name": "Rootkit",
              "display_name": "T1014 - Rootkit"
            },
            {
              "id": "T1047",
              "name": "Windows Management Instrumentation",
              "display_name": "T1047 - Windows Management Instrumentation"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1203",
              "name": "Exploitation for Client Execution",
              "display_name": "T1203 - Exploitation for Client Execution"
            },
            {
              "id": "T1485",
              "name": "Data Destruction",
              "display_name": "T1485 - Data Destruction"
            },
            {
              "id": "T1496",
              "name": "Resource Hijacking",
              "display_name": "T1496 - Resource Hijacking"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1539",
              "name": "Steal Web Session Cookie",
              "display_name": "T1539 - Steal Web Session Cookie"
            },
            {
              "id": "T1542",
              "name": "Pre-OS Boot",
              "display_name": "T1542 - Pre-OS Boot"
            },
            {
              "id": "T1564",
              "name": "Hide Artifacts",
              "display_name": "T1564 - Hide Artifacts"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 1,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 337,
            "FileHash-SHA1": 356,
            "FileHash-SHA256": 324,
            "hostname": 315,
            "URL": 320,
            "domain": 24,
            "email": 7
          },
          "indicator_count": 1683,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 69,
          "modified_text": "46 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://vtbehaviour.commondatastorage.googleapis.com/c6096cb32fc9fe4f9cc789acd6e7710be6efb8703e6f529fc3b21d78781d1fa8_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779449270&Signature=y5dmd%2Br9iDNaXftiyxWZe5cWdAiIpA4H9u6vCT%2FdvFUKL7WV7S2HOKzRyETdhPd%2BF%2FoG5DQwjiN8Yvi10oC6iRsDQY6lbl34%2BOoaljXY4sg13Yyq9v9MMC5DrVBiOta4mYQFQL240y55PVUqOeWoTlaCvh9aA8Mn2iw5ITNNXJVpckpc9C37%2FxyFz8zFSmDEzj3pB2pggacPF34xQm4NB4hDB9ssqGeTsAbv41aOUu4XRV2pyMo9E0xtK2",
        "https://vtbehaviour.commondatastorage.googleapis.com/c6096cb32fc9fe4f9cc789acd6e7710be6efb8703e6f529fc3b21d78781d1fa8_VenusEye%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779448113&Signature=HGVwYzpWE71%2BbcncRqOn%2BGkFdoAcM0zUAWI1eJD1jsHDcrJKlqO9M0XORZQA5YJxAW65VvTW9omuEH7SypRLJu1W0P3VYs46P7H4Dz1TsNoaNKYhhqpYfKql%2BYbpF7jIqwNfYdG5Uya0aqcIeI7Wx22%2BpByMhnrECSPxpU6wII3hOhgINOcc1mqsMEFfCB4fd%2F3zvfmJ7Rc5HiEea5Qx%2Fm7tB7DjImzqZFtSAQh6qFcSNN",
        "https://vtbehaviour.commondatastorage.googleapis.com/00695c0012a8ebc08469eb0d32d3974ae70e93d129015dbfe6da128556ab3726_Zenbox%20macOS.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775529640&Signature=G0ONarqL7o1MkYvMlqktPKmEpNw5A3hwHYnIBwD8r%2F0xQfBDCaCPoL6%2BMxjj5Ftsb47O6KGvZzp2CS1xFcRHfbhEnUGRJR9o2%2FjSPy6NAV226GNwtSGdDXxPJFfETfpFlDEj%2FOCd26qtcBDdT4lX2saiGfx0%2FunV94XcNq3cUTVm%2Fsf0BO74945PnFWtBu3Oq%2FBm9AlaLwnyEZ5TDLfhXyqiTv1Qsx%2FWmBk0PIieA9MtTm",
        "https://vtbehaviour.commondatastorage.googleapis.com/01f57cc95906a44558c5c1f19ef3191fe6f2f1cc03e1d10d1da421b7c604903f_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775529261&Signature=RJNKrp%2FaK0APCyfk557hpXXr%2BMWPGME1nJO1%2BQCUEm9xRuKB0DlxP%2BfDSiZsLcJsAhaI%2FWxbH%2F%2FdbHllDXKgjJl92HzsTFyTAT0eMx%2BzlFLXKn0VyBmCHKLgKoFS4fDODUKy6SKJxdUav7aDP1aVhAXMPp%2BT3yWjDdSos0HQalqAt%2FcsVg1w28zfPjvVVGv%2B%2FvJeCIgzhXeE2pX6Npumx67Yym8jiiqV75WoDu",
        "https://vtbehaviour.commondatastorage.googleapis.com/00695c0012a8ebc08469eb0d32d3974ae70e93d129015dbfe6da128556ab3726_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775529758&Signature=zXDmSolL1BXRVntoMjKFPJaZtQ0tI1lf56M%2BqCFh1c0JirSCS7DGBgxMdHuaZG8hsB%2FV1nO0JEfDegHE1Ibm55QO9TriIg9yCH6dZSsofTmiHiBOUZtTMSH1Pg1z%2FnuElFFvVDHQ2Ryhog0fw%2BwfS0Fpe5ZOoTF8KK883iH45dmOAcVEphu7K5A%2FrzfFG93bFibxA7MRKbLLGBbrIVz4yFSuuFHimac0dVn%",
        "https://vtbehaviour.commondatastorage.googleapis.com/c6096cb32fc9fe4f9cc789acd6e7710be6efb8703e6f529fc3b21d78781d1fa8_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779448087&Signature=zly9PmlRQWb4KS0rNwSC6GG0MNzjm7KFDjr%2B%2Few6J4vqKF%2FJhJnnrYPcE0jJDw2QNhVbkyk0ZP2AmxrgmnTVhLcFijlR18xS82aHK99JxYTYDkmlFMr4U3ENyb3KVWsT%2BCuRbwN66pmHE4sdf33jQRi4ZUPxLJwtnLmhmpds%2BM38I%2Fv7pfRhbp7OYurf%2BJ0%2FQT2bwsg7sZEjDUQJ7HSqjOP8unxpFfBHNwC4wr9qawvlz8",
        "https://vtbehaviour.commondatastorage.googleapis.com/e0ac3780a1152800adc9fb31b5fd9d849b8f8defc014657b9b2e998ff72c2bb4_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779449323&Signature=QsivAArVUulKH5N9EOkYOICShe0hR8W0UFhFsPq6t2rlRIdIvciMDBQZ4ooTbp7TpacdxQgFF%2Bi5tH9LdqhGhhF5JPkquaQ5Twm8UjTLbiV4v0PAECarE7LnIShAtYF1LNwCZ6BDcQLYYCofAYGAFJnVZjnwztoy32OFI6WldLKbOfNYUmLe2Api5KarnJezGIPSvZLOJLHh9e6ApJk0PwnTupqxWn0JORAZidwNrGjvoBMeb6gtWmgFnwTO",
        "https://vtbehaviour.commondatastorage.googleapis.com/0347ed7ffd09f6728c494128b1d11792893d5cde9e4effdc2bcc8f9ebb12a0e1_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775529533&Signature=diQ6r2CuvkDxYGybQtlzxVxtH8iGMt6XlgZBEpk7B5n%2FVtwOuZaPpuNyM%2Fr4VbSp2H67%2FddXTZ3XJG8LdUMwLVXsSDKIq%2BjyQHccTuCS0HXEDbllONqfU6gWICxxtdC%2F4wdaL8fVyCE%2FHHcnWm5PufAa002Tn02MbSx9cFdNZS4R86MEMARaMiXSCiGQuiLR2STQCGqU%2Byg16ky%2FYjPbLtB6WD5skgEs3AgDmDNlDLjtbb",
        "https://vtbehaviour.commondatastorage.googleapis.com/00913627185b352deaf0ec837f85a7f606b27112956875de5d610fba8151306c_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775529477&Signature=s8ZCWLcVqjdBgBGejTcqippuMvftwgsdUQHUAjBnm45yUvqDsHIMIA29%2BJcb%2BrruXxHPD5tQv1BwAzlV1o7EuhxX4qMqDcFWSLqoc%2FqAnEVxLg0zXohtwMkHxv0z%2Bp5AL0jLyAwNYz7bH56tnmUs3tHPYc48OeM4AanV030U%2FnmXlF8kJ6cjAemipfTNe1QRx3ecbONm9c3B51FK0BbzZEdRX0pTHIM4AK1M",
        "https://vtbehaviour.commondatastorage.googleapis.com/c6096cb32fc9fe4f9cc789acd6e7710be6efb8703e6f529fc3b21d78781d1fa8_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779448247&Signature=KaOoC8k1CwemdPniC2jnlheSiP5jHQwh83WcgjNWDujHQ8F6N7qW1Q3lVUf%2FBjEofHhKuYofMNOHzuLgXjiq%2F4ie2jeMJ2kiAYHGeUvc8RFAO28YMWxIJPmcTSCLcxaOQNbzOOtMF2DO6%2Fw9IodVAr1Yv3SgvamznVqYCu5Din1Q7C0hAc68dxqEbYxXnk9hekwNuVZf81kyLJEmJbSWOxr0ONyt6e7qhV07xe4C1TIJXe%2BH6Zkc8Jp",
        "https://vtbehaviour.commondatastorage.googleapis.com/e0ac3780a1152800adc9fb31b5fd9d849b8f8defc014657b9b2e998ff72c2bb4_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779449382&Signature=GsaicymiUqs49NLqLPAVvf%2Bv2RwudQDEfcp3TeWyX92n2qwqpH9HWCV422PIRfG9GUe5OGbnGO0mIkaCuWs9fgtMTHtoT6o2uIiPZQNhcAL2tWEv22GoGjIhK0MvnOKG1EKRAA9bdlP5tGpvgOM5usOM55tsgbPUQWGsB19CvRAPS6OZ1eIqrdpLiOeAKK2uIGkaOnOkD4njy1e15fQ0BGPY1rMjdenHRZDu9EXv2zfwqLiUNbp%2B",
        "https://vtbehaviour.commondatastorage.googleapis.com/88819f8dbc43e0609fbc6f6a1a9fb2740512b8e1e0f2d9e92926c31b8a11d446_VirusTotal%20R2DBox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779447466&Signature=nXchQzhNktG26CNrpPC2%2FRBVk5CXbCQ6xUNenWVvnvY2n5P71FF7HHw01QiPu3iGSvBSzqmHiB9HByI%2FJgWTdhqYvc9LZy0rI61W0%2FTNVhSNdb1omKNcCW1ikL2n7eR9BFV1ygPOAPnexLqjbK35hzq40mysRVPCVBcmrjs7NkxUh9nHkwmtOOR3Lz5NsYgdUX2AMqykR9pVoyTLy7tkl5Ap9keTZlEoE2RrK6MTO9HBhYPJD%2",
        "https://vtbehaviour.commondatastorage.googleapis.com/00695c0012a8ebc08469eb0d32d3974ae70e93d129015dbfe6da128556ab3726_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775529701&Signature=BDpq68evTIZGfF61fRMAYEM%2BQtXgDfwPgp7qnaSE1mJStRV1ikHnSjRDxrMwGqkg0kaXqLEpQ%2BLuSCdJ9wJJzfrkQuV1%2Bbcg0cctnCOLgWhiXjekyol4iul%2FPXEGu6%2F1a20JEEoUfg9Dq6%2FosKMN9fmk%2BtqQcFa6PODcE3qJcO23YhWwDpmSYZ7t8JNsALFm98c6r%2BfBLLjnCSpVql2zQJifkl%2BteR57LTZG7W2lbENV",
        "https://vtbehaviour.commondatastorage.googleapis.com/99bde29b5d7f5522c0452c95899f63a0cc99a465b516f7eb2980d519fe5a478c_VirusTotal%20R2DBox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779447513&Signature=vT05qRgkqzlTQQ09TU4VC1ZL9bRV9J6Tgx%2BLYi1Yop0ggmMd9LT5iNFG2AQr%2FZH%2F0pMgqHAgZy%2BRwWUtDV1qO5eBxL%2B8mGzJDZilm%2BhP3%2B%2BKQu%2F76vg8GcDLdxu%2FeLmkj8Dhp9pN4i2cytkeH5zr%2BRHZBvK4uQ47n1zLtlGUSsJ7YXGw%2BWQFVRvu%2B%2B11Jh1PF6x4jF%2B3IbYQ5CZcGLoGbo0PGkN",
        "https://vtbehaviour.commondatastorage.googleapis.com/3fe3b0bc7ca7ec4d23c1cd7c07d5cdf9cb3463beb18cd58e2501150d343d0851_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779448581&Signature=u1m6X7g3%2B46ZDMb0IvTTp%2FbBxgM9iZvfcHnyyGsaqQA%2BxHuw9ZcqfIkIme3jx7%2BblFBuowZqDr1PbGP28vbxcZhaskjIn3w04QkzN%2F6EWbNlPvabmBH3M0F%2FhfTEM8ayozqby2SPWv6azOEd%2FS3MXYnUsOzgOpSh1uIk0iduf4w1ePo4yJAdHv7fc0AUGPzRmssC0jpjqXzao%2F0qbg1JRMMBq0edJZqYiws6vIf%2B2d9O",
        "https://vtbehaviour.commondatastorage.googleapis.com/c6096cb32fc9fe4f9cc789acd6e7710be6efb8703e6f529fc3b21d78781d1fa8_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779448055&Signature=Oo2OUSuLUWDZOZGoPlCv1tD%2FynOTQPpGUV9I%2FgvLt4ZafLu6Vnt%2FoOXLJA9nFZPH5AiUv%2FWd4huRf8%2BPiUQcGMkSOOYn3mJHyE2t6wNKj1BDNjEJ0ozgBjkzBrZ62UZn4p34YCFKx1mj%2BrH75IoSHpRUfJYvgHnJhElGEMhrJc7ieH0I%2FNpcLuxSy9sfujNonmjwsQj9ZWnkGvLPpmiljGhJIomaUZ6GITQcz6QqbInrBN3nHX6mGGk4"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": []
        },
        "other": {
          "adversary": [],
          "malware_families": [],
          "industries": []
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 10,
  "pulses": [
    {
      "id": "6a103de1e71756a0b58ce416",
      "name": "secret camera * VirusTotal Windows Sandbox",
      "description": "[100s of thousands of people have signed a petition calling for an end to the use of the word \"sex\" in the wake of a fatal accident in London's West Bromwich, which left 11 people dead]<what is this?",
      "modified": "2026-05-22T12:27:31.937000",
      "created": "2026-05-22T11:28:33.791000",
      "tags": [
        "windows sandbox",
        "clear filters",
        "file type",
        "ascii text",
        "pe file",
        "https",
        "ms windows",
        "svg scalable",
        "vector graphics",
        "elite",
        "tls version",
        "unicode text",
        "persistence",
        "malicious",
        "next",
        "default",
        "parent pid",
        "full path",
        "command line",
        "inprocserver32",
        "data",
        "datacrashpad",
        "k localservice",
        "s ngcsvc",
        "s ngcctnrsvc",
        "windir",
        "registry",
        "basic",
        "file name",
        "pe32 executable",
        "intel",
        "file size",
        "sha1",
        "files mitre",
        "windows user",
        "account control",
        "windows",
        "forms",
        "source source",
        "command",
        "enterprise",
        "close",
        "strong",
        "library",
        "address virtual",
        "none rticon",
        "cname",
        "mwdb",
        "bazaar",
        "sha3384",
        "accept",
        "tofsee",
        "shutdown",
        "stream",
        "string id",
        "x5173x95ed",
        "control",
        "wixbundlename",
        "x53d6x6d88",
        "copyright",
        "width",
        "height",
        "helptext",
        "repair",
        "calls process",
        "Camera",
        "Spyware",
        "illegal",
        "test recall",
        "test recall task 5/12/25"
      ],
      "references": [
        "https://vtbehaviour.commondatastorage.googleapis.com/88819f8dbc43e0609fbc6f6a1a9fb2740512b8e1e0f2d9e92926c31b8a11d446_VirusTotal%20R2DBox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779447466&Signature=nXchQzhNktG26CNrpPC2%2FRBVk5CXbCQ6xUNenWVvnvY2n5P71FF7HHw01QiPu3iGSvBSzqmHiB9HByI%2FJgWTdhqYvc9LZy0rI61W0%2FTNVhSNdb1omKNcCW1ikL2n7eR9BFV1ygPOAPnexLqjbK35hzq40mysRVPCVBcmrjs7NkxUh9nHkwmtOOR3Lz5NsYgdUX2AMqykR9pVoyTLy7tkl5Ap9keTZlEoE2RrK6MTO9HBhYPJD%2",
        "https://vtbehaviour.commondatastorage.googleapis.com/99bde29b5d7f5522c0452c95899f63a0cc99a465b516f7eb2980d519fe5a478c_VirusTotal%20R2DBox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779447513&Signature=vT05qRgkqzlTQQ09TU4VC1ZL9bRV9J6Tgx%2BLYi1Yop0ggmMd9LT5iNFG2AQr%2FZH%2F0pMgqHAgZy%2BRwWUtDV1qO5eBxL%2B8mGzJDZilm%2BhP3%2B%2BKQu%2F76vg8GcDLdxu%2FeLmkj8Dhp9pN4i2cytkeH5zr%2BRHZBvK4uQ47n1zLtlGUSsJ7YXGw%2BWQFVRvu%2B%2B11Jh1PF6x4jF%2B3IbYQ5CZcGLoGbo0PGkN",
        "https://vtbehaviour.commondatastorage.googleapis.com/c6096cb32fc9fe4f9cc789acd6e7710be6efb8703e6f529fc3b21d78781d1fa8_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779448055&Signature=Oo2OUSuLUWDZOZGoPlCv1tD%2FynOTQPpGUV9I%2FgvLt4ZafLu6Vnt%2FoOXLJA9nFZPH5AiUv%2FWd4huRf8%2BPiUQcGMkSOOYn3mJHyE2t6wNKj1BDNjEJ0ozgBjkzBrZ62UZn4p34YCFKx1mj%2BrH75IoSHpRUfJYvgHnJhElGEMhrJc7ieH0I%2FNpcLuxSy9sfujNonmjwsQj9ZWnkGvLPpmiljGhJIomaUZ6GITQcz6QqbInrBN3nHX6mGGk4",
        "https://vtbehaviour.commondatastorage.googleapis.com/c6096cb32fc9fe4f9cc789acd6e7710be6efb8703e6f529fc3b21d78781d1fa8_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779448087&Signature=zly9PmlRQWb4KS0rNwSC6GG0MNzjm7KFDjr%2B%2Few6J4vqKF%2FJhJnnrYPcE0jJDw2QNhVbkyk0ZP2AmxrgmnTVhLcFijlR18xS82aHK99JxYTYDkmlFMr4U3ENyb3KVWsT%2BCuRbwN66pmHE4sdf33jQRi4ZUPxLJwtnLmhmpds%2BM38I%2Fv7pfRhbp7OYurf%2BJ0%2FQT2bwsg7sZEjDUQJ7HSqjOP8unxpFfBHNwC4wr9qawvlz8",
        "https://vtbehaviour.commondatastorage.googleapis.com/c6096cb32fc9fe4f9cc789acd6e7710be6efb8703e6f529fc3b21d78781d1fa8_VenusEye%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779448113&Signature=HGVwYzpWE71%2BbcncRqOn%2BGkFdoAcM0zUAWI1eJD1jsHDcrJKlqO9M0XORZQA5YJxAW65VvTW9omuEH7SypRLJu1W0P3VYs46P7H4Dz1TsNoaNKYhhqpYfKql%2BYbpF7jIqwNfYdG5Uya0aqcIeI7Wx22%2BpByMhnrECSPxpU6wII3hOhgINOcc1mqsMEFfCB4fd%2F3zvfmJ7Rc5HiEea5Qx%2Fm7tB7DjImzqZFtSAQh6qFcSNN",
        "https://vtbehaviour.commondatastorage.googleapis.com/c6096cb32fc9fe4f9cc789acd6e7710be6efb8703e6f529fc3b21d78781d1fa8_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779448247&Signature=KaOoC8k1CwemdPniC2jnlheSiP5jHQwh83WcgjNWDujHQ8F6N7qW1Q3lVUf%2FBjEofHhKuYofMNOHzuLgXjiq%2F4ie2jeMJ2kiAYHGeUvc8RFAO28YMWxIJPmcTSCLcxaOQNbzOOtMF2DO6%2Fw9IodVAr1Yv3SgvamznVqYCu5Din1Q7C0hAc68dxqEbYxXnk9hekwNuVZf81kyLJEmJbSWOxr0ONyt6e7qhV07xe4C1TIJXe%2BH6Zkc8Jp",
        "https://vtbehaviour.commondatastorage.googleapis.com/3fe3b0bc7ca7ec4d23c1cd7c07d5cdf9cb3463beb18cd58e2501150d343d0851_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779448581&Signature=u1m6X7g3%2B46ZDMb0IvTTp%2FbBxgM9iZvfcHnyyGsaqQA%2BxHuw9ZcqfIkIme3jx7%2BblFBuowZqDr1PbGP28vbxcZhaskjIn3w04QkzN%2F6EWbNlPvabmBH3M0F%2FhfTEM8ayozqby2SPWv6azOEd%2FS3MXYnUsOzgOpSh1uIk0iduf4w1ePo4yJAdHv7fc0AUGPzRmssC0jpjqXzao%2F0qbg1JRMMBq0edJZqYiws6vIf%2B2d9O",
        "https://vtbehaviour.commondatastorage.googleapis.com/c6096cb32fc9fe4f9cc789acd6e7710be6efb8703e6f529fc3b21d78781d1fa8_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779449270&Signature=y5dmd%2Br9iDNaXftiyxWZe5cWdAiIpA4H9u6vCT%2FdvFUKL7WV7S2HOKzRyETdhPd%2BF%2FoG5DQwjiN8Yvi10oC6iRsDQY6lbl34%2BOoaljXY4sg13Yyq9v9MMC5DrVBiOta4mYQFQL240y55PVUqOeWoTlaCvh9aA8Mn2iw5ITNNXJVpckpc9C37%2FxyFz8zFSmDEzj3pB2pggacPF34xQm4NB4hDB9ssqGeTsAbv41aOUu4XRV2pyMo9E0xtK2",
        "https://vtbehaviour.commondatastorage.googleapis.com/e0ac3780a1152800adc9fb31b5fd9d849b8f8defc014657b9b2e998ff72c2bb4_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779449323&Signature=QsivAArVUulKH5N9EOkYOICShe0hR8W0UFhFsPq6t2rlRIdIvciMDBQZ4ooTbp7TpacdxQgFF%2Bi5tH9LdqhGhhF5JPkquaQ5Twm8UjTLbiV4v0PAECarE7LnIShAtYF1LNwCZ6BDcQLYYCofAYGAFJnVZjnwztoy32OFI6WldLKbOfNYUmLe2Api5KarnJezGIPSvZLOJLHh9e6ApJk0PwnTupqxWn0JORAZidwNrGjvoBMeb6gtWmgFnwTO",
        "https://vtbehaviour.commondatastorage.googleapis.com/e0ac3780a1152800adc9fb31b5fd9d849b8f8defc014657b9b2e998ff72c2bb4_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1779449382&Signature=GsaicymiUqs49NLqLPAVvf%2Bv2RwudQDEfcp3TeWyX92n2qwqpH9HWCV422PIRfG9GUe5OGbnGO0mIkaCuWs9fgtMTHtoT6o2uIiPZQNhcAL2tWEv22GoGjIhK0MvnOKG1EKRAA9bdlP5tGpvgOM5usOM55tsgbPUQWGsB19CvRAPS6OZ1eIqrdpLiOeAKK2uIGkaOnOkD4njy1e15fQ0BGPY1rMjdenHRZDu9EXv2zfwqLiUNbp%2B"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1095",
          "name": "Non-Application Layer Protocol",
          "display_name": "T1095 - Non-Application Layer Protocol"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1033",
          "name": "System Owner/User Discovery",
          "display_name": "T1033 - System Owner/User Discovery"
        },
        {
          "id": "T1053",
          "name": "Scheduled Task/Job",
          "display_name": "T1053 - Scheduled Task/Job"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1070",
          "name": "Indicator Removal on Host",
          "display_name": "T1070 - Indicator Removal on Host"
        },
        {
          "id": "T1112",
          "name": "Modify Registry",
          "display_name": "T1112 - Modify Registry"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1202",
          "name": "Indirect Command Execution",
          "display_name": "T1202 - Indirect Command Execution"
        },
        {
          "id": "T1496",
          "name": "Resource Hijacking",
          "display_name": "T1496 - Resource Hijacking"
        },
        {
          "id": "T1539",
          "name": "Steal Web Session Cookie",
          "display_name": "T1539 - Steal Web Session Cookie"
        },
        {
          "id": "T1542",
          "name": "Pre-OS Boot",
          "display_name": "T1542 - Pre-OS Boot"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1564",
          "name": "Hide Artifacts",
          "display_name": "T1564 - Hide Artifacts"
        },
        {
          "id": "T1012",
          "name": "Query Registry",
          "display_name": "T1012 - Query Registry"
        },
        {
          "id": "T1485",
          "name": "Data Destruction",
          "display_name": "T1485 - Data Destruction"
        },
        {
          "id": "T1486",
          "name": "Data Encrypted for Impact",
          "display_name": "T1486 - Data Encrypted for Impact"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 4759,
        "hostname": 1513,
        "IPv4": 576,
        "FileHash-MD5": 1418,
        "FileHash-SHA1": 1413,
        "domain": 1263,
        "URL": 1550,
        "email": 27,
        "IPv6": 8,
        "CVE": 5
      },
      "indicator_count": 12532,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 68,
      "modified_text": "10 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69d46ee073b843b1b52f59a2",
      "name": "VirusTotal report\n                    for l-Management-System-School-ERP-nulled-by-CodeAlright.Com.zip",
      "description": "A look at the results of a report generated by the University of California, Los Angeles (UCLA) and compiled by codecanyon, a university-instikit and an academy.",
      "modified": "2026-05-07T02:13:20.636000",
      "created": "2026-04-07T02:41:36.582000",
      "tags": [
        "file type",
        "unix",
        "mitre attack",
        "network info",
        "wed jun",
        "overview",
        "dropped info",
        "processes extra",
        "overview zenbox",
        "linux verdict",
        "persistence",
        "malicious",
        "next",
        "newstoday2",
        "ip address",
        "virustotal box",
        "apples sandbox",
        "sandbox sha256",
        "analysis date",
        "screnshots",
        "file",
        "operations",
        "process open",
        "python",
        "javascript",
        "html",
        "sample",
        "test",
        "urls",
        "united",
        "extra info",
        "uncomment",
        "performs dns",
        "layer protocol",
        "attack network",
        "info dropped",
        "info processes",
        "info",
        "may try",
        "ascii text",
        "png image",
        "https",
        "reads cpu",
        "tls version",
        "ascii",
        "usrliblog"
      ],
      "references": [
        "https://vtbehaviour.commondatastorage.googleapis.com/01f57cc95906a44558c5c1f19ef3191fe6f2f1cc03e1d10d1da421b7c604903f_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775529261&Signature=RJNKrp%2FaK0APCyfk557hpXXr%2BMWPGME1nJO1%2BQCUEm9xRuKB0DlxP%2BfDSiZsLcJsAhaI%2FWxbH%2F%2FdbHllDXKgjJl92HzsTFyTAT0eMx%2BzlFLXKn0VyBmCHKLgKoFS4fDODUKy6SKJxdUav7aDP1aVhAXMPp%2BT3yWjDdSos0HQalqAt%2FcsVg1w28zfPjvVVGv%2B%2FvJeCIgzhXeE2pX6Npumx67Yym8jiiqV75WoDu",
        "https://vtbehaviour.commondatastorage.googleapis.com/00913627185b352deaf0ec837f85a7f606b27112956875de5d610fba8151306c_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775529477&Signature=s8ZCWLcVqjdBgBGejTcqippuMvftwgsdUQHUAjBnm45yUvqDsHIMIA29%2BJcb%2BrruXxHPD5tQv1BwAzlV1o7EuhxX4qMqDcFWSLqoc%2FqAnEVxLg0zXohtwMkHxv0z%2Bp5AL0jLyAwNYz7bH56tnmUs3tHPYc48OeM4AanV030U%2FnmXlF8kJ6cjAemipfTNe1QRx3ecbONm9c3B51FK0BbzZEdRX0pTHIM4AK1M",
        "https://vtbehaviour.commondatastorage.googleapis.com/0347ed7ffd09f6728c494128b1d11792893d5cde9e4effdc2bcc8f9ebb12a0e1_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775529533&Signature=diQ6r2CuvkDxYGybQtlzxVxtH8iGMt6XlgZBEpk7B5n%2FVtwOuZaPpuNyM%2Fr4VbSp2H67%2FddXTZ3XJG8LdUMwLVXsSDKIq%2BjyQHccTuCS0HXEDbllONqfU6gWICxxtdC%2F4wdaL8fVyCE%2FHHcnWm5PufAa002Tn02MbSx9cFdNZS4R86MEMARaMiXSCiGQuiLR2STQCGqU%2Byg16ky%2FYjPbLtB6WD5skgEs3AgDmDNlDLjtbb",
        "https://vtbehaviour.commondatastorage.googleapis.com/00695c0012a8ebc08469eb0d32d3974ae70e93d129015dbfe6da128556ab3726_Zenbox%20macOS.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775529640&Signature=G0ONarqL7o1MkYvMlqktPKmEpNw5A3hwHYnIBwD8r%2F0xQfBDCaCPoL6%2BMxjj5Ftsb47O6KGvZzp2CS1xFcRHfbhEnUGRJR9o2%2FjSPy6NAV226GNwtSGdDXxPJFfETfpFlDEj%2FOCd26qtcBDdT4lX2saiGfx0%2FunV94XcNq3cUTVm%2Fsf0BO74945PnFWtBu3Oq%2FBm9AlaLwnyEZ5TDLfhXyqiTv1Qsx%2FWmBk0PIieA9MtTm",
        "https://vtbehaviour.commondatastorage.googleapis.com/00695c0012a8ebc08469eb0d32d3974ae70e93d129015dbfe6da128556ab3726_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775529701&Signature=BDpq68evTIZGfF61fRMAYEM%2BQtXgDfwPgp7qnaSE1mJStRV1ikHnSjRDxrMwGqkg0kaXqLEpQ%2BLuSCdJ9wJJzfrkQuV1%2Bbcg0cctnCOLgWhiXjekyol4iul%2FPXEGu6%2F1a20JEEoUfg9Dq6%2FosKMN9fmk%2BtqQcFa6PODcE3qJcO23YhWwDpmSYZ7t8JNsALFm98c6r%2BfBLLjnCSpVql2zQJifkl%2BteR57LTZG7W2lbENV",
        "https://vtbehaviour.commondatastorage.googleapis.com/00695c0012a8ebc08469eb0d32d3974ae70e93d129015dbfe6da128556ab3726_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775529758&Signature=zXDmSolL1BXRVntoMjKFPJaZtQ0tI1lf56M%2BqCFh1c0JirSCS7DGBgxMdHuaZG8hsB%2FV1nO0JEfDegHE1Ibm55QO9TriIg9yCH6dZSsofTmiHiBOUZtTMSH1Pg1z%2FnuElFFvVDHQ2Ryhog0fw%2BwfS0Fpe5ZOoTF8KK883iH45dmOAcVEphu7K5A%2FrzfFG93bFibxA7MRKbLLGBbrIVz4yFSuuFHimac0dVn%"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1064",
          "name": "Scripting",
          "display_name": "T1064 - Scripting"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1543",
          "name": "Create or Modify System Process",
          "display_name": "T1543 - Create or Modify System Process"
        },
        {
          "id": "T1564",
          "name": "Hide Artifacts",
          "display_name": "T1564 - Hide Artifacts"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1095",
          "name": "Non-Application Layer Protocol",
          "display_name": "T1095 - Non-Application Layer Protocol"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1222",
          "name": "File and Directory Permissions Modification",
          "display_name": "T1222 - File and Directory Permissions Modification"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 158,
        "FileHash-SHA1": 158,
        "FileHash-SHA256": 1127,
        "URL": 116,
        "hostname": 49,
        "domain": 182,
        "email": 1
      },
      "indicator_count": 1791,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 68,
      "modified_text": "26 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69d46ee1379578309fae9a4a",
      "name": "VirusTotal report\n                    for l-Management-System-School-ERP-nulled-by-CodeAlright.Com.zip",
      "description": "A look at the results of a report generated by the University of California, Los Angeles (UCLA) and compiled by codecanyon, a university-instikit and an academy.",
      "modified": "2026-05-07T02:13:20.636000",
      "created": "2026-04-07T02:41:37.877000",
      "tags": [
        "file type",
        "unix",
        "mitre attack",
        "network info",
        "wed jun",
        "overview",
        "dropped info",
        "processes extra",
        "overview zenbox",
        "linux verdict",
        "persistence",
        "malicious",
        "next",
        "newstoday2",
        "ip address",
        "virustotal box",
        "apples sandbox",
        "sandbox sha256",
        "analysis date",
        "screnshots",
        "file",
        "operations",
        "process open",
        "python",
        "javascript",
        "html",
        "sample",
        "test",
        "urls",
        "united",
        "extra info",
        "uncomment",
        "performs dns",
        "layer protocol",
        "attack network",
        "info dropped",
        "info processes",
        "info",
        "may try",
        "ascii text",
        "png image",
        "https",
        "reads cpu",
        "tls version",
        "ascii",
        "usrliblog"
      ],
      "references": [
        "https://vtbehaviour.commondatastorage.googleapis.com/01f57cc95906a44558c5c1f19ef3191fe6f2f1cc03e1d10d1da421b7c604903f_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775529261&Signature=RJNKrp%2FaK0APCyfk557hpXXr%2BMWPGME1nJO1%2BQCUEm9xRuKB0DlxP%2BfDSiZsLcJsAhaI%2FWxbH%2F%2FdbHllDXKgjJl92HzsTFyTAT0eMx%2BzlFLXKn0VyBmCHKLgKoFS4fDODUKy6SKJxdUav7aDP1aVhAXMPp%2BT3yWjDdSos0HQalqAt%2FcsVg1w28zfPjvVVGv%2B%2FvJeCIgzhXeE2pX6Npumx67Yym8jiiqV75WoDu",
        "https://vtbehaviour.commondatastorage.googleapis.com/00913627185b352deaf0ec837f85a7f606b27112956875de5d610fba8151306c_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775529477&Signature=s8ZCWLcVqjdBgBGejTcqippuMvftwgsdUQHUAjBnm45yUvqDsHIMIA29%2BJcb%2BrruXxHPD5tQv1BwAzlV1o7EuhxX4qMqDcFWSLqoc%2FqAnEVxLg0zXohtwMkHxv0z%2Bp5AL0jLyAwNYz7bH56tnmUs3tHPYc48OeM4AanV030U%2FnmXlF8kJ6cjAemipfTNe1QRx3ecbONm9c3B51FK0BbzZEdRX0pTHIM4AK1M",
        "https://vtbehaviour.commondatastorage.googleapis.com/0347ed7ffd09f6728c494128b1d11792893d5cde9e4effdc2bcc8f9ebb12a0e1_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775529533&Signature=diQ6r2CuvkDxYGybQtlzxVxtH8iGMt6XlgZBEpk7B5n%2FVtwOuZaPpuNyM%2Fr4VbSp2H67%2FddXTZ3XJG8LdUMwLVXsSDKIq%2BjyQHccTuCS0HXEDbllONqfU6gWICxxtdC%2F4wdaL8fVyCE%2FHHcnWm5PufAa002Tn02MbSx9cFdNZS4R86MEMARaMiXSCiGQuiLR2STQCGqU%2Byg16ky%2FYjPbLtB6WD5skgEs3AgDmDNlDLjtbb",
        "https://vtbehaviour.commondatastorage.googleapis.com/00695c0012a8ebc08469eb0d32d3974ae70e93d129015dbfe6da128556ab3726_Zenbox%20macOS.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775529640&Signature=G0ONarqL7o1MkYvMlqktPKmEpNw5A3hwHYnIBwD8r%2F0xQfBDCaCPoL6%2BMxjj5Ftsb47O6KGvZzp2CS1xFcRHfbhEnUGRJR9o2%2FjSPy6NAV226GNwtSGdDXxPJFfETfpFlDEj%2FOCd26qtcBDdT4lX2saiGfx0%2FunV94XcNq3cUTVm%2Fsf0BO74945PnFWtBu3Oq%2FBm9AlaLwnyEZ5TDLfhXyqiTv1Qsx%2FWmBk0PIieA9MtTm",
        "https://vtbehaviour.commondatastorage.googleapis.com/00695c0012a8ebc08469eb0d32d3974ae70e93d129015dbfe6da128556ab3726_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775529701&Signature=BDpq68evTIZGfF61fRMAYEM%2BQtXgDfwPgp7qnaSE1mJStRV1ikHnSjRDxrMwGqkg0kaXqLEpQ%2BLuSCdJ9wJJzfrkQuV1%2Bbcg0cctnCOLgWhiXjekyol4iul%2FPXEGu6%2F1a20JEEoUfg9Dq6%2FosKMN9fmk%2BtqQcFa6PODcE3qJcO23YhWwDpmSYZ7t8JNsALFm98c6r%2BfBLLjnCSpVql2zQJifkl%2BteR57LTZG7W2lbENV",
        "https://vtbehaviour.commondatastorage.googleapis.com/00695c0012a8ebc08469eb0d32d3974ae70e93d129015dbfe6da128556ab3726_VirusTotal%20Box%20of%20Apples.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775529758&Signature=zXDmSolL1BXRVntoMjKFPJaZtQ0tI1lf56M%2BqCFh1c0JirSCS7DGBgxMdHuaZG8hsB%2FV1nO0JEfDegHE1Ibm55QO9TriIg9yCH6dZSsofTmiHiBOUZtTMSH1Pg1z%2FnuElFFvVDHQ2Ryhog0fw%2BwfS0Fpe5ZOoTF8KK883iH45dmOAcVEphu7K5A%2FrzfFG93bFibxA7MRKbLLGBbrIVz4yFSuuFHimac0dVn%"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1064",
          "name": "Scripting",
          "display_name": "T1064 - Scripting"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1543",
          "name": "Create or Modify System Process",
          "display_name": "T1543 - Create or Modify System Process"
        },
        {
          "id": "T1564",
          "name": "Hide Artifacts",
          "display_name": "T1564 - Hide Artifacts"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1095",
          "name": "Non-Application Layer Protocol",
          "display_name": "T1095 - Non-Application Layer Protocol"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1222",
          "name": "File and Directory Permissions Modification",
          "display_name": "T1222 - File and Directory Permissions Modification"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 158,
        "FileHash-SHA1": 158,
        "FileHash-SHA256": 1127,
        "URL": 110,
        "hostname": 45,
        "domain": 179
      },
      "indicator_count": 1777,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 68,
      "modified_text": "26 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69d45104133846ffc6b2a6fe",
      "name": "CAPE Sandbox -y2k",
      "description": "> full text of the full report on this year's EU Referendum, which will take place on 26 May 2017, has been published by BBC Radio 5 live in the UK and Ireland.>y2k status",
      "modified": "2026-05-07T00:00:42.275000",
      "created": "2026-04-07T00:34:12.507000",
      "tags": [
        "html document",
        "ascii text",
        "language"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1070",
          "name": "Indicator Removal on Host",
          "display_name": "T1070 - Indicator Removal on Host"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1064",
          "name": "Scripting",
          "display_name": "T1064 - Scripting"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1564",
          "name": "Hide Artifacts",
          "display_name": "T1564 - Hide Artifacts"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 310,
        "FileHash-SHA1": 308,
        "FileHash-SHA256": 1270,
        "domain": 168,
        "hostname": 31,
        "URL": 98
      },
      "indicator_count": 2185,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 68,
      "modified_text": "26 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69d4510678007ab57751a513",
      "name": "CAPE Sandbox -y2k",
      "description": "> full text of the full report on this year's EU Referendum, which will take place on 26 May 2017, has been published by BBC Radio 5 live in the UK and Ireland.>y2k status",
      "modified": "2026-05-07T00:00:42.275000",
      "created": "2026-04-07T00:34:14.009000",
      "tags": [
        "html document",
        "ascii text",
        "language"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1070",
          "name": "Indicator Removal on Host",
          "display_name": "T1070 - Indicator Removal on Host"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1064",
          "name": "Scripting",
          "display_name": "T1064 - Scripting"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1564",
          "name": "Hide Artifacts",
          "display_name": "T1564 - Hide Artifacts"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 310,
        "FileHash-SHA1": 308,
        "FileHash-SHA256": 1270,
        "domain": 168,
        "hostname": 31,
        "URL": 98
      },
      "indicator_count": 2185,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 68,
      "modified_text": "26 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69d45107d82d67453e8ade06",
      "name": "CAPE Sandbox -y2k",
      "description": "> full text of the full report on this year's EU Referendum, which will take place on 26 May 2017, has been published by BBC Radio 5 live in the UK and Ireland.>y2k status",
      "modified": "2026-05-07T00:00:42.275000",
      "created": "2026-04-07T00:34:15.789000",
      "tags": [
        "html document",
        "ascii text",
        "language"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1070",
          "name": "Indicator Removal on Host",
          "display_name": "T1070 - Indicator Removal on Host"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1064",
          "name": "Scripting",
          "display_name": "T1064 - Scripting"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1564",
          "name": "Hide Artifacts",
          "display_name": "T1564 - Hide Artifacts"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 310,
        "FileHash-SHA1": 308,
        "FileHash-SHA256": 1270,
        "domain": 168,
        "hostname": 31,
        "URL": 98
      },
      "indicator_count": 2185,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 68,
      "modified_text": "26 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69d4510870e9906d58e7a554",
      "name": "CAPE Sandbox -y2k",
      "description": "> full text of the full report on this year's EU Referendum, which will take place on 26 May 2017, has been published by BBC Radio 5 live in the UK and Ireland.>y2k status",
      "modified": "2026-05-07T00:00:42.275000",
      "created": "2026-04-07T00:34:16.928000",
      "tags": [
        "html document",
        "ascii text",
        "language"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1070",
          "name": "Indicator Removal on Host",
          "display_name": "T1070 - Indicator Removal on Host"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1064",
          "name": "Scripting",
          "display_name": "T1064 - Scripting"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1564",
          "name": "Hide Artifacts",
          "display_name": "T1564 - Hide Artifacts"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 310,
        "FileHash-SHA1": 308,
        "FileHash-SHA256": 1270,
        "domain": 168,
        "hostname": 31,
        "URL": 98
      },
      "indicator_count": 2185,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 68,
      "modified_text": "26 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69d4569a944adf94a75efcf9",
      "name": "VirusTotal report\n                    for download.rar",
      "description": "0347ed7f6728c494128d5cde9e4effdc2bcc8f944d78bca8d, as well as 1.3m2.",
      "modified": "2026-05-07T00:00:42.275000",
      "created": "2026-04-07T00:58:02.158000",
      "tags": [
        "json text",
        "json"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1010",
          "name": "Application Window Discovery",
          "display_name": "T1010 - Application Window Discovery"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1070",
          "name": "Indicator Removal on Host",
          "display_name": "T1070 - Indicator Removal on Host"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        },
        {
          "id": "T1574",
          "name": "Hijack Execution Flow",
          "display_name": "T1574 - Hijack Execution Flow"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1064",
          "name": "Scripting",
          "display_name": "T1064 - Scripting"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1564",
          "name": "Hide Artifacts",
          "display_name": "T1564 - Hide Artifacts"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 287,
        "FileHash-SHA1": 283,
        "FileHash-SHA256": 2301,
        "URL": 113,
        "domain": 169,
        "hostname": 75
      },
      "indicator_count": 3228,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 68,
      "modified_text": "26 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69d4569dc87656b4a255a124",
      "name": "VirusTotal report\n                    for download.rar",
      "description": "0347ed7f6728c494128d5cde9e4effdc2bcc8f944d78bca8d, as well as 1.3m2.",
      "modified": "2026-05-07T00:00:42.275000",
      "created": "2026-04-07T00:58:05.842000",
      "tags": [
        "json text",
        "json"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1010",
          "name": "Application Window Discovery",
          "display_name": "T1010 - Application Window Discovery"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1070",
          "name": "Indicator Removal on Host",
          "display_name": "T1070 - Indicator Removal on Host"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        },
        {
          "id": "T1574",
          "name": "Hijack Execution Flow",
          "display_name": "T1574 - Hijack Execution Flow"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1064",
          "name": "Scripting",
          "display_name": "T1064 - Scripting"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1564",
          "name": "Hide Artifacts",
          "display_name": "T1564 - Hide Artifacts"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 281,
        "FileHash-SHA1": 277,
        "FileHash-SHA256": 2208,
        "URL": 113,
        "domain": 169,
        "hostname": 75
      },
      "indicator_count": 3123,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 68,
      "modified_text": "26 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69b94ddfec797954b95d67c1",
      "name": "CAPE Sandbox",
      "description": "Checks available memory\nQueries the username/Connects to crypto currency mining pool\n/A possible heap spray exploit has been detected/Queries the keyboard layout/Queries the computer locale (possible geofencing)\nSetUnhandledExceptionFilter detected (possible anti-debug)/Accessed credential storage registry keys\nPossible date expiration check, exits too soon after checking local time/Checks system language via registry key (possible geofencing)\nAnomalous file deletion behavior detected (10+)\nAttempts to connect to a dead IP:Port (5 unique times)\nPerforms HTTP requests potentially not found in PCAP.\nCreates a process in a suspended state, likely for injection\nResumed a thread in another process\nReads from the memory of another process\nrest in references",
      "modified": "2026-04-16T13:37:13.951000",
      "created": "2026-03-17T12:49:35.769000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1003",
          "name": "OS Credential Dumping",
          "display_name": "T1003 - OS Credential Dumping"
        },
        {
          "id": "T1012",
          "name": "Query Registry",
          "display_name": "T1012 - Query Registry"
        },
        {
          "id": "T1014",
          "name": "Rootkit",
          "display_name": "T1014 - Rootkit"
        },
        {
          "id": "T1047",
          "name": "Windows Management Instrumentation",
          "display_name": "T1047 - Windows Management Instrumentation"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1203",
          "name": "Exploitation for Client Execution",
          "display_name": "T1203 - Exploitation for Client Execution"
        },
        {
          "id": "T1485",
          "name": "Data Destruction",
          "display_name": "T1485 - Data Destruction"
        },
        {
          "id": "T1496",
          "name": "Resource Hijacking",
          "display_name": "T1496 - Resource Hijacking"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1539",
          "name": "Steal Web Session Cookie",
          "display_name": "T1539 - Steal Web Session Cookie"
        },
        {
          "id": "T1542",
          "name": "Pre-OS Boot",
          "display_name": "T1542 - Pre-OS Boot"
        },
        {
          "id": "T1564",
          "name": "Hide Artifacts",
          "display_name": "T1564 - Hide Artifacts"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 1,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 337,
        "FileHash-SHA1": 356,
        "FileHash-SHA256": 324,
        "hostname": 315,
        "URL": 320,
        "domain": 24,
        "email": 7
      },
      "indicator_count": 1683,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 69,
      "modified_text": "46 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "session.py",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "session.py",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780398766.7504373
}