{ "type": "Domain", "indicator": "str.map", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/str.map", "alexa": "http://www.alexa.com/siteinfo/str.map", "indicator": "str.map", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 3904724025, "indicator": "str.map", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 8, "pulses": [ { "id": "695cc5b5337bc1ac1273946a", "name": "Macbook Air Macbook Air", "description": "Macbook Air Macbook Air", "modified": "2026-02-05T07:00:52.044000", "created": "2026-01-06T08:20:05.305000", "tags": [ "doctype", "public", "data", "drive", "problems1", "no problems", "upload", "tue aug", "scanid", "archivetype", "june", "look", "accept", "internal", "ransomware", "error", "trace", "sparkle", "fusion", "alphabet", "path", "archivesize", "archivemd5", "archivesha256", "open", "whirlpool", "syst", "stream", "mercury", "import", "info", "dangerous file", "modified", "tue jul", "mon sep", "mon mar", "sigtype1", "false", "warp", "powershell", "specs", "subscore1", "Mac", "Apple" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 12573, "FileHash-SHA1": 14594, "FileHash-SHA256": 12489, "URL": 88, "domain": 98, "email": 15, "hostname": 119 }, "indicator_count": 39976, "is_author": false, "is_subscribing": null, "subscriber_count": 128, "modified_text": "73 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "694b12cb25e65ba6a29d3649", "name": "Avast", "description": "E:\\Suss-SG2\\Avast (1)\\", "modified": "2026-01-28T00:00:40.140000", "created": "2025-12-23T22:08:11.384000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 537, "FileHash-SHA1": 339, "FileHash-SHA256": 297, "URL": 30, "domain": 23, "email": 5, "hostname": 22 }, "indicator_count": 1253, "is_author": false, "is_subscribing": null, "subscriber_count": 128, "modified_text": "81 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6946cb8e3eff732bd3d47bff", "name": "Thor Lite - 07.27.25 - APT Detections [by Disable_Duck]", "description": "", "modified": "2025-12-20T16:15:10.914000", "created": "2025-12-20T16:15:10.914000", "tags": [ "data", "upload", "sg2backup drive", "no problems", "problems1", "supportavast", "progressb", "files", "onedrivenoprobs", "sg2suss", "trash", "fall", "Covenant Health", "AHS", "Alberta Health Services", "Rogers", "UAlberta", "APT", "Edmonton", "Telus" ], "references": [ "Bitch-On-Wheels_files_md5s.csv", "832dde85e22a6de8081cdb46fcc7d8f2ae104bbdae54c5dc75d2a6272a0bd431", "f66f2b730bec1c6927aa86503dfb22fc8d03a2f9e871ae6269d2a3ed29dc48e5", "902574c9ffd06678d769ae3db96b3957269c45617ad8e2feead4d02f5f3da106", "", "https://hybrid-analysis.com/sample/9c8ee51b61019f9820cd151b3f3a5a9a0309787a46bd37fa877c5c95b633b5cb", "https://tria.ge/250729-s1vysaywgy", "https://www.filescan.io/uploads/6888ec9fa16348d835f2f6d3", "https://polyswarm.network/scan/results/file/9c8ee51b61019f9820cd151b3f3a5a9a0309787a46bd37fa877c5c95b633b5cb", "https://www.filescan.io/uploads/6888ec9fa16348d835f2f6d3/reports/a3528542-a121-4351-91fe-de5aab327fe2/overview", "https://www.filescan.io/uploads/6888ec9fa16348d835f2f6d3/reports/3c22777d-9fa3-4d67-a00a-8aa505154874/overview", "https://metadefender.com/results/file/bzI1MDcyOV9QRkdmNWZwSkhvMG11YWczRVZMRw_mdaas", "https://www.filescan.io/uploads/6888ec9fa16348d835f2f6d3/reports/5fdda54a-0164-4d4e-a248-d07ec3780d8a/overview", "https://app.threat.zone/submission/ef60d9bd-bd97-4859-8e58-4f670d1f1783/overview", "https://www.filescan.io/uploads/6888ec9fa16348d835f2f6d3/reports/21f7ed2c-7815-49f0-8697-998b341df34a/overview", "https://tip.neiki.dev/file/9c8ee51b61019f9820cd151b3f3a5a9a0309787a46bd37fa877c5c95b633b5cb", "https://hybrid-analysis.com/sample/f66f2b730bec1c6927aa86503dfb22fc8d03a2f9e871ae6269d2a3ed29dc48e5", "https://hybrid-analysis.com/sample/902574c9ffd06678d769ae3db96b3957269c45617ad8e2feead4d02f5f3da106/6888ec5bd7a73585560d2ddd", "https://hybrid-analysis.com/sample/832dde85e22a6de8081cdb46fcc7d8f2ae104bbdae54c5dc75d2a6272a0bd431/6888ec5cfd974c2a5b0f1cfa", "https://hybrid-analysis.com/sample/12f05b32365a6fc40b30d108ea0dc730f662c6ee48c0feccf7cb43263a0a8166/6888ec5d423dabf7de0872d7" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Technology", "Telecommunications", "Education", "Healthcare", "Government" ], "TLP": "white", "cloned_from": "6887d46c19a44d6affd7bd2d", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4790, "FileHash-SHA1": 3172, "FileHash-SHA256": 2764, "domain": 453, "URL": 2688, "CVE": 59, "email": 31, "hostname": 638 }, "indicator_count": 14595, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "120 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68a49be7644a5435d514b17f", "name": "Scan - 08.18.25", "description": "Thor APT Scanner w. a slight edit", "modified": "2025-09-25T05:23:01.854000", "created": "2025-08-19T15:44:39.689000", "tags": [ "sandbox", "malware", "analysis", "online", "submit", "vxstream", "sample", "download", "trojan", "apt", "runtime data", "ansi", "data", "upload", "sg2backup drive", "no problems", "unicode", "problems1", "value", "path", "open", "suspicious", "false", "hybrid", "trash", "close", "click", "august", "general", "format", "autodetect", "strings", "contact", "hybrid analysis", "api key", "vetting process", "please note", "please", "virus", "ransomware", "static", "indicator of compromise", "ioc", "extraction", "emulation", "platform", "switch", "inquest labs", "resources api", "notes supported", "cve list", "drop your", "file", "service", "privacy policy", "UAlberta" ], "references": [ "https://hybrid-analysis.com/sample/81a2725b94bf9f6cf0efae1c32731d59521da6d16cff43025a1fdf1856922423/68a4968f55899ebf7f05e3ec", "https://hybrid-analysis.com/sample/81a2725b94bf9f6cf0efae1c32731d59521da6d16cff43025a1fdf1856922423", "https://www.filescan.io/uploads/68a490a2a4bdac9f5b9e8513/reports/5e92a183-d74e-494c-8e7a-f40606b3915b/overview", "https://metadefender.com/results/file/bzI1MDgxOTZFa0hhbjliVzliaVdYM0dwTnZ0_mdaas", "https://metadefender.com/results/file/bzI1MDgxOWtoRHVibTFqTWN4VktZUEl6VWJr_mdaas", "https://polyswarm.network/scan/results/file/015c834dc13c1a1a0a5a698a7f6fe539495a2408ba1ee7c1bda8dadf614b8415" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada" ], "malware_families": [], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1135", "name": "Network Share Discovery", "display_name": "T1135 - Network Share Discovery" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1489", "name": "Service Stop", "display_name": "T1489 - Service Stop" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" } ], "industries": [ "Education", "Government", "Healthcare" ], "TLP": "white", "cloned_from": null, "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 52, "FileHash-SHA1": 20, "FileHash-SHA256": 18, "domain": 59, "URL": 100, "email": 5, "hostname": 68 }, "indicator_count": 322, "is_author": false, "is_subscribing": null, "subscriber_count": 130, "modified_text": "206 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6887d46c19a44d6affd7bd2d", "name": "Thor Lite - 07.27.25 - APT Detections [un-enriched]", "description": "Thor Lite Scan on Windows PC (a psuedo mirror of sorts) of a University of Alberta, Alberta Health Services, Covenant Health, Government of Alberta Portable Workstation. Files uploaded to VT.\nUpdated Note: Included IOCs from Filescanio\nRan files through: Neiki, FileScanio, Polyswarm, Triage, Metadefender, Hybrid Analysis, Threatzone, Virustotal\nTPs = This Pulse - IOCs from references", "modified": "2025-08-28T16:04:17.368000", "created": "2025-07-28T19:50:04.469000", "tags": [ "data", "upload", "sg2backup drive", "no problems", "problems1", "supportavast", "progressb", "files", "onedrivenoprobs", "sg2suss", "trash", "fall", "Covenant Health", "AHS", "Alberta Health Services", "Rogers", "UAlberta", "APT", "Edmonton", "Telus" ], "references": [ "Bitch-On-Wheels_files_md5s.csv", "832dde85e22a6de8081cdb46fcc7d8f2ae104bbdae54c5dc75d2a6272a0bd431", "f66f2b730bec1c6927aa86503dfb22fc8d03a2f9e871ae6269d2a3ed29dc48e5", "902574c9ffd06678d769ae3db96b3957269c45617ad8e2feead4d02f5f3da106", "", "https://hybrid-analysis.com/sample/9c8ee51b61019f9820cd151b3f3a5a9a0309787a46bd37fa877c5c95b633b5cb", "https://tria.ge/250729-s1vysaywgy", "https://www.filescan.io/uploads/6888ec9fa16348d835f2f6d3", "https://polyswarm.network/scan/results/file/9c8ee51b61019f9820cd151b3f3a5a9a0309787a46bd37fa877c5c95b633b5cb", "https://www.filescan.io/uploads/6888ec9fa16348d835f2f6d3/reports/a3528542-a121-4351-91fe-de5aab327fe2/overview", "https://www.filescan.io/uploads/6888ec9fa16348d835f2f6d3/reports/3c22777d-9fa3-4d67-a00a-8aa505154874/overview", "https://metadefender.com/results/file/bzI1MDcyOV9QRkdmNWZwSkhvMG11YWczRVZMRw_mdaas", "https://www.filescan.io/uploads/6888ec9fa16348d835f2f6d3/reports/5fdda54a-0164-4d4e-a248-d07ec3780d8a/overview", "https://app.threat.zone/submission/ef60d9bd-bd97-4859-8e58-4f670d1f1783/overview", "https://www.filescan.io/uploads/6888ec9fa16348d835f2f6d3/reports/21f7ed2c-7815-49f0-8697-998b341df34a/overview", "https://tip.neiki.dev/file/9c8ee51b61019f9820cd151b3f3a5a9a0309787a46bd37fa877c5c95b633b5cb", "https://hybrid-analysis.com/sample/f66f2b730bec1c6927aa86503dfb22fc8d03a2f9e871ae6269d2a3ed29dc48e5", "https://hybrid-analysis.com/sample/902574c9ffd06678d769ae3db96b3957269c45617ad8e2feead4d02f5f3da106/6888ec5bd7a73585560d2ddd", "https://hybrid-analysis.com/sample/832dde85e22a6de8081cdb46fcc7d8f2ae104bbdae54c5dc75d2a6272a0bd431/6888ec5cfd974c2a5b0f1cfa", "https://hybrid-analysis.com/sample/12f05b32365a6fc40b30d108ea0dc730f662c6ee48c0feccf7cb43263a0a8166/6888ec5d423dabf7de0872d7" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Technology", "Telecommunications", "Education", "Healthcare", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4790, "FileHash-SHA1": 3172, "FileHash-SHA256": 2764, "domain": 453, "URL": 2688, "CVE": 59, "email": 31, "hostname": 638 }, "indicator_count": 14595, "is_author": false, "is_subscribing": null, "subscriber_count": 131, "modified_text": "234 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67c6bb5aa601e91b1314ff44", "name": "SCANID: S-KhOoOrXsco8: Thor Lite Linux 64 - Sample Lab Device 2 - incomplete (not enriched)", "description": "Thor Lite Linux 64 - Sample Lab Device 2 - incomplete\nhttps://tip.neiki.dev/file/09de67f8d3ce9a276e9665dc2e0013577b38d60b0518ffe7961bdc7f8755a52d\nSCANID: S-KhOoOrXsco8", "modified": "2025-04-22T06:02:28.535000", "created": "2025-03-04T08:35:38.390000", "tags": [ "misc", "filename ioc", "scanid", "sigtype1", "reasonscount", "sg2backup drive", "thu feb", "log entry", "exists1", "matched1", "warp", "trash", "rooter", "service", "puppet", "apache", "ruby", "execution", "android", "glasses", "agent", "hermes", "atlas", "score", "open", "orion", "entity", "download", "enterprise", "nexus", "beyond", "patch", "rest", "bsod", "bind", "june", "upgrade", "project", "surtr", "path", "mandrake", "accept", "openssl", "null", "responder", "shell", "servu", "cargo", "bypass", "green", "python", "iframe", "webex", "blink", "code", "netty", "fall", "grab", "metasploit", "webdav", "postscript", "middle", "assistant", "energy", "august", "diego", "february", "hold", "write", "extras", "fusion", "trace", "click", "rust", "anna", "virustotal", "rootkit", "timestomp", "doublepulsar", "logger", "teamviewer", "obfus", "probe", "win32", "snoopy", "vuln", "april", "format", "flash", "domino", "calendar", "cryptocat", "orca", "hello", "stream", "confi", "sharepoint", "launcher", "hypervisor", "malicious", "lame", "attack", "prior", "simple", "hpack", "homepage", "easy", "live", "cookie", "explorer", "config", "rush", "spark", "chat", "media", "webview", "trigger", "northstar", "monitoring", "false", "impact", "dino", "example", "splash", "macos", "notifier", "error", "spring", "this", "neutrino", "tools", "template", "crow", "magento", "zimbra", "drop", "stack", "linear", "blocker", "deleter", "main", "face", "arch", "hosts", "bifrost", "recursive", "cobaltstrike", "luckycat", "brain", "apt", "php", "rat", "hacktool", "worm", "meterpreter", "obfuscated", "evasive", "exaramel", "anti-vm" ], "references": [ "https://www.virustotal.com/gui/collection/9c02b7b214c51b2fa7b6f2f38943a83ada3fff5ab9cbb9cf52e320bd702c9cd0/iocs", "https://www.virustotal.com/gui/collection/9c02b7b214c51b2fa7b6f2f38943a83ada3fff5ab9cbb9cf52e320bd702c9cd0/summary", "https://www.virustotal.com/graph/embed/ga8f86f452d6d4819b2dedf4c1981843304472a457d9b4b339f35679f4693ce9c?theme=dark", "https://tip.neiki.dev/file/09de67f8d3ce9a276e9665dc2e0013577b38d60b0518ffe7961bdc7f8755a52d", "https://cyber-fortress.com/docs/result/index.php?id=67c6bb9cc8d04e92a4bed8fc", "https://www.filescan.io/uploads/67c6bd19e95d0f9029e3804f/reports/834b740f-9bcb-42d9-b6a1-a0a8dbd07b07/overview", "https://www.filescan.io/uploads/67df8585fae452b82c2115b7/reports/65f03ad1-b5bc-41a8-ae82-21970a18efcb/ioc", "https://hybrid-analysis.com/sample/a6b9deae18604003aa3963d5d83775f5c66bfbe93ea4608fe8a69e6af3722f45/67df874be4fc8d105e0230d1" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada" ], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1505", "name": "Server Software Component", "display_name": "T1505 - Server Software Component" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1550", "name": "Use Alternate Authentication Material", "display_name": "T1550 - Use Alternate Authentication Material" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1595", "name": "Active Scanning", "display_name": "T1595 - Active Scanning" } ], "industries": [ "Education", "Healthcare", "Government", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 45, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 14071, "FileHash-MD5": 979, "FileHash-SHA1": 2568, "FileHash-SHA256": 636, "URL": 43905, "domain": 2031, "email": 31, "hostname": 3621 }, "indicator_count": 67842, "is_author": false, "is_subscribing": null, "subscriber_count": 132, "modified_text": "362 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6706b52d4f2c0f49ac7cece9", "name": "Thor Lite 64 - 10.09.24", "description": "Just a Thor Lite 64 scan of 'things missed' on sample device.", "modified": "2024-11-08T16:00:58.458000", "created": "2024-10-09T16:54:05.079000", "tags": [ "data", "no problems", "sg2backup drive", "upload", "entry", "sun oct", "sigtype1", "exists1", "subscore1", "size2", "score", "service", "error", "procdump", "metasploit", "trash", "school", "info", "confuserex", "virustotal", "probe", "copyleft", "path", "recursive", "supportavast", "problems1", "onedrive", "copied", "backup", "progressb", "scanid", "size1", "fri may", "company1", "mz created1", "desc1", "originalname1", "md51", "imphash1", "pipes", "rootkit", "timestomp", "doublepulsar", "logger", "teamviewer", "model", "arch", "hosts", "pass", "ransomware" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "Canada" ], "malware_families": [], "attack_ids": [ { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1505", "name": "Server Software Component", "display_name": "T1505 - Server Software Component" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1572", "name": "Protocol Tunneling", "display_name": "T1572 - Protocol Tunneling" }, { "id": "T1136", "name": "Create Account", "display_name": "T1136 - Create Account" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" } ], "industries": [ "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 25, "URL": 89, "CVE": 13, "FileHash-MD5": 1136, "FileHash-SHA1": 647, "FileHash-SHA256": 604, "hostname": 47, "email": 2 }, "indicator_count": 2563, "is_author": false, "is_subscribing": null, "subscriber_count": 131, "modified_text": "527 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "666a8c16f1d9c3d26f51ea30", "name": "Thor Lite Scan Kano & SG2 - 06.12.24", "description": "Just a Thor-Lite scan of W11 Kano PC sample and SG2 Backup Drive\n\n06.12.24: https://www.virustotal.com/graph/embed/gfe2fba6acfb04c7a95689313b7e20d286b56f9fdf4204834a94080660ff4c752?theme=dark", "modified": "2024-07-13T05:00:16.603000", "created": "2024-06-13T06:05:10.629000", "tags": [ "entity", "please", "javascript", "data", "upload", "drive", "no problems", "supportavast", "problems1", "progressb", "bitdefender", "nortoninstaller", "files", "scanid", "size1", "exists1", "company1", "mz created1", "desc1", "originalname1", "fri may", "imphash1", "internalname1", "metasploit", "virustotal", "score", "pipes", "rootkit", "timestomp", "doublepulsar", "logger", "teamviewer", "service", "procdump", "probe", "model", "arch", "hosts", "confuserex", "sliver", "module", "sun sep", "sigtype1", "threat network", "subscore1", "rule matched1", "info", "click" ], "references": [ "https://www.virustotal.com/graph/embed/gfe2fba6acfb04c7a95689313b7e20d286b56f9fdf4204834a94080660ff4c752?theme=dark", "https://www.virustotal.com/gui/collection/5be03d2b8f33092b21ea4645ec76c9b32b98b4cd158f65bafda599ec3ca4f28b/summary", "https://www.virustotal.com/gui/collection/5be03d2b8f33092b21ea4645ec76c9b32b98b4cd158f65bafda599ec3ca4f28b/iocs", "https://www.virustotal.com/gui/collection/5be03d2b8f33092b21ea4645ec76c9b32b98b4cd158f65bafda599ec3ca4f28b/graph" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada" ], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1505", "name": "Server Software Component", "display_name": "T1505 - Server Software Component" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Education", "Government", "Healthcare", "Telecommunications", "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 969, "FileHash-SHA1": 541, "FileHash-SHA256": 645, "domain": 29, "URL": 168, "CVE": 10, "email": 2, "hostname": 90 }, "indicator_count": 2454, "is_author": false, "is_subscribing": null, "subscriber_count": 130, "modified_text": "645 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "", "https://metadefender.com/results/file/bzI1MDgxOWtoRHVibTFqTWN4VktZUEl6VWJr_mdaas", "https://hybrid-analysis.com/sample/81a2725b94bf9f6cf0efae1c32731d59521da6d16cff43025a1fdf1856922423", "https://www.filescan.io/uploads/67c6bd19e95d0f9029e3804f/reports/834b740f-9bcb-42d9-b6a1-a0a8dbd07b07/overview", "https://hybrid-analysis.com/sample/a6b9deae18604003aa3963d5d83775f5c66bfbe93ea4608fe8a69e6af3722f45/67df874be4fc8d105e0230d1", "https://www.filescan.io/uploads/6888ec9fa16348d835f2f6d3/reports/a3528542-a121-4351-91fe-de5aab327fe2/overview", "https://metadefender.com/results/file/bzI1MDcyOV9QRkdmNWZwSkhvMG11YWczRVZMRw_mdaas", "https://www.virustotal.com/gui/collection/9c02b7b214c51b2fa7b6f2f38943a83ada3fff5ab9cbb9cf52e320bd702c9cd0/iocs", "https://www.virustotal.com/graph/embed/gfe2fba6acfb04c7a95689313b7e20d286b56f9fdf4204834a94080660ff4c752?theme=dark", "https://hybrid-analysis.com/sample/81a2725b94bf9f6cf0efae1c32731d59521da6d16cff43025a1fdf1856922423/68a4968f55899ebf7f05e3ec", "https://hybrid-analysis.com/sample/f66f2b730bec1c6927aa86503dfb22fc8d03a2f9e871ae6269d2a3ed29dc48e5", "https://www.virustotal.com/graph/embed/ga8f86f452d6d4819b2dedf4c1981843304472a457d9b4b339f35679f4693ce9c?theme=dark", "https://cyber-fortress.com/docs/result/index.php?id=67c6bb9cc8d04e92a4bed8fc", "https://polyswarm.network/scan/results/file/9c8ee51b61019f9820cd151b3f3a5a9a0309787a46bd37fa877c5c95b633b5cb", "https://tria.ge/250729-s1vysaywgy", "https://hybrid-analysis.com/sample/9c8ee51b61019f9820cd151b3f3a5a9a0309787a46bd37fa877c5c95b633b5cb", "https://www.virustotal.com/gui/collection/5be03d2b8f33092b21ea4645ec76c9b32b98b4cd158f65bafda599ec3ca4f28b/summary", "https://www.virustotal.com/gui/collection/5be03d2b8f33092b21ea4645ec76c9b32b98b4cd158f65bafda599ec3ca4f28b/iocs", "https://www.virustotal.com/gui/collection/5be03d2b8f33092b21ea4645ec76c9b32b98b4cd158f65bafda599ec3ca4f28b/graph", "https://hybrid-analysis.com/sample/832dde85e22a6de8081cdb46fcc7d8f2ae104bbdae54c5dc75d2a6272a0bd431/6888ec5cfd974c2a5b0f1cfa", "https://www.virustotal.com/gui/collection/9c02b7b214c51b2fa7b6f2f38943a83ada3fff5ab9cbb9cf52e320bd702c9cd0/summary", "https://www.filescan.io/uploads/68a490a2a4bdac9f5b9e8513/reports/5e92a183-d74e-494c-8e7a-f40606b3915b/overview", "https://www.filescan.io/uploads/6888ec9fa16348d835f2f6d3", "https://tip.neiki.dev/file/9c8ee51b61019f9820cd151b3f3a5a9a0309787a46bd37fa877c5c95b633b5cb", "https://www.filescan.io/uploads/6888ec9fa16348d835f2f6d3/reports/5fdda54a-0164-4d4e-a248-d07ec3780d8a/overview", "https://tip.neiki.dev/file/09de67f8d3ce9a276e9665dc2e0013577b38d60b0518ffe7961bdc7f8755a52d", "https://www.filescan.io/uploads/67df8585fae452b82c2115b7/reports/65f03ad1-b5bc-41a8-ae82-21970a18efcb/ioc", "https://metadefender.com/results/file/bzI1MDgxOTZFa0hhbjliVzliaVdYM0dwTnZ0_mdaas", "832dde85e22a6de8081cdb46fcc7d8f2ae104bbdae54c5dc75d2a6272a0bd431", "https://www.filescan.io/uploads/6888ec9fa16348d835f2f6d3/reports/3c22777d-9fa3-4d67-a00a-8aa505154874/overview", "https://polyswarm.network/scan/results/file/015c834dc13c1a1a0a5a698a7f6fe539495a2408ba1ee7c1bda8dadf614b8415", "https://hybrid-analysis.com/sample/902574c9ffd06678d769ae3db96b3957269c45617ad8e2feead4d02f5f3da106/6888ec5bd7a73585560d2ddd", "https://www.filescan.io/uploads/6888ec9fa16348d835f2f6d3/reports/21f7ed2c-7815-49f0-8697-998b341df34a/overview", "Bitch-On-Wheels_files_md5s.csv", "https://app.threat.zone/submission/ef60d9bd-bd97-4859-8e58-4f670d1f1783/overview", "902574c9ffd06678d769ae3db96b3957269c45617ad8e2feead4d02f5f3da106", "f66f2b730bec1c6927aa86503dfb22fc8d03a2f9e871ae6269d2a3ed29dc48e5", "https://hybrid-analysis.com/sample/12f05b32365a6fc40b30d108ea0dc730f662c6ee48c0feccf7cb43263a0a8166/6888ec5d423dabf7de0872d7" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [], "malware_families": [], "industries": [ "Technology", "Telecommunications", "Government", "Healthcare", "Education" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 8, "pulses": [ { "id": "695cc5b5337bc1ac1273946a", "name": "Macbook Air Macbook Air", "description": "Macbook Air Macbook Air", "modified": "2026-02-05T07:00:52.044000", "created": "2026-01-06T08:20:05.305000", "tags": [ "doctype", "public", "data", "drive", "problems1", "no problems", "upload", "tue aug", "scanid", "archivetype", "june", "look", "accept", "internal", "ransomware", "error", "trace", "sparkle", "fusion", "alphabet", "path", "archivesize", "archivemd5", "archivesha256", "open", "whirlpool", "syst", "stream", "mercury", "import", "info", "dangerous file", "modified", "tue jul", "mon sep", "mon mar", "sigtype1", "false", "warp", "powershell", "specs", "subscore1", "Mac", "Apple" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 12573, "FileHash-SHA1": 14594, "FileHash-SHA256": 12489, "URL": 88, "domain": 98, "email": 15, "hostname": 119 }, "indicator_count": 39976, "is_author": false, "is_subscribing": null, "subscriber_count": 128, "modified_text": "73 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "694b12cb25e65ba6a29d3649", "name": "Avast", "description": "E:\\Suss-SG2\\Avast (1)\\", "modified": "2026-01-28T00:00:40.140000", "created": "2025-12-23T22:08:11.384000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 537, "FileHash-SHA1": 339, "FileHash-SHA256": 297, "URL": 30, "domain": 23, "email": 5, "hostname": 22 }, "indicator_count": 1253, "is_author": false, "is_subscribing": null, "subscriber_count": 128, "modified_text": "81 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6946cb8e3eff732bd3d47bff", "name": "Thor Lite - 07.27.25 - APT Detections [by Disable_Duck]", "description": "", "modified": "2025-12-20T16:15:10.914000", "created": "2025-12-20T16:15:10.914000", "tags": [ "data", "upload", "sg2backup drive", "no problems", "problems1", "supportavast", "progressb", "files", "onedrivenoprobs", "sg2suss", "trash", "fall", "Covenant Health", "AHS", "Alberta Health Services", "Rogers", "UAlberta", "APT", "Edmonton", "Telus" ], "references": [ "Bitch-On-Wheels_files_md5s.csv", "832dde85e22a6de8081cdb46fcc7d8f2ae104bbdae54c5dc75d2a6272a0bd431", "f66f2b730bec1c6927aa86503dfb22fc8d03a2f9e871ae6269d2a3ed29dc48e5", "902574c9ffd06678d769ae3db96b3957269c45617ad8e2feead4d02f5f3da106", "", "https://hybrid-analysis.com/sample/9c8ee51b61019f9820cd151b3f3a5a9a0309787a46bd37fa877c5c95b633b5cb", "https://tria.ge/250729-s1vysaywgy", "https://www.filescan.io/uploads/6888ec9fa16348d835f2f6d3", "https://polyswarm.network/scan/results/file/9c8ee51b61019f9820cd151b3f3a5a9a0309787a46bd37fa877c5c95b633b5cb", "https://www.filescan.io/uploads/6888ec9fa16348d835f2f6d3/reports/a3528542-a121-4351-91fe-de5aab327fe2/overview", "https://www.filescan.io/uploads/6888ec9fa16348d835f2f6d3/reports/3c22777d-9fa3-4d67-a00a-8aa505154874/overview", "https://metadefender.com/results/file/bzI1MDcyOV9QRkdmNWZwSkhvMG11YWczRVZMRw_mdaas", "https://www.filescan.io/uploads/6888ec9fa16348d835f2f6d3/reports/5fdda54a-0164-4d4e-a248-d07ec3780d8a/overview", "https://app.threat.zone/submission/ef60d9bd-bd97-4859-8e58-4f670d1f1783/overview", "https://www.filescan.io/uploads/6888ec9fa16348d835f2f6d3/reports/21f7ed2c-7815-49f0-8697-998b341df34a/overview", "https://tip.neiki.dev/file/9c8ee51b61019f9820cd151b3f3a5a9a0309787a46bd37fa877c5c95b633b5cb", "https://hybrid-analysis.com/sample/f66f2b730bec1c6927aa86503dfb22fc8d03a2f9e871ae6269d2a3ed29dc48e5", "https://hybrid-analysis.com/sample/902574c9ffd06678d769ae3db96b3957269c45617ad8e2feead4d02f5f3da106/6888ec5bd7a73585560d2ddd", "https://hybrid-analysis.com/sample/832dde85e22a6de8081cdb46fcc7d8f2ae104bbdae54c5dc75d2a6272a0bd431/6888ec5cfd974c2a5b0f1cfa", "https://hybrid-analysis.com/sample/12f05b32365a6fc40b30d108ea0dc730f662c6ee48c0feccf7cb43263a0a8166/6888ec5d423dabf7de0872d7" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Technology", "Telecommunications", "Education", "Healthcare", "Government" ], "TLP": "white", "cloned_from": "6887d46c19a44d6affd7bd2d", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4790, "FileHash-SHA1": 3172, "FileHash-SHA256": 2764, "domain": 453, "URL": 2688, "CVE": 59, "email": 31, "hostname": 638 }, "indicator_count": 14595, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "120 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68a49be7644a5435d514b17f", "name": "Scan - 08.18.25", "description": "Thor APT Scanner w. a slight edit", "modified": "2025-09-25T05:23:01.854000", "created": "2025-08-19T15:44:39.689000", "tags": [ "sandbox", "malware", "analysis", "online", "submit", "vxstream", "sample", "download", "trojan", "apt", "runtime data", "ansi", "data", "upload", "sg2backup drive", "no problems", "unicode", "problems1", "value", "path", "open", "suspicious", "false", "hybrid", "trash", "close", "click", "august", "general", "format", "autodetect", "strings", "contact", "hybrid analysis", "api key", "vetting process", "please note", "please", "virus", "ransomware", "static", "indicator of compromise", "ioc", "extraction", "emulation", "platform", "switch", "inquest labs", "resources api", "notes supported", "cve list", "drop your", "file", "service", "privacy policy", "UAlberta" ], "references": [ "https://hybrid-analysis.com/sample/81a2725b94bf9f6cf0efae1c32731d59521da6d16cff43025a1fdf1856922423/68a4968f55899ebf7f05e3ec", "https://hybrid-analysis.com/sample/81a2725b94bf9f6cf0efae1c32731d59521da6d16cff43025a1fdf1856922423", "https://www.filescan.io/uploads/68a490a2a4bdac9f5b9e8513/reports/5e92a183-d74e-494c-8e7a-f40606b3915b/overview", "https://metadefender.com/results/file/bzI1MDgxOTZFa0hhbjliVzliaVdYM0dwTnZ0_mdaas", "https://metadefender.com/results/file/bzI1MDgxOWtoRHVibTFqTWN4VktZUEl6VWJr_mdaas", "https://polyswarm.network/scan/results/file/015c834dc13c1a1a0a5a698a7f6fe539495a2408ba1ee7c1bda8dadf614b8415" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada" ], "malware_families": [], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1135", "name": "Network Share Discovery", "display_name": "T1135 - Network Share Discovery" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1489", "name": "Service Stop", "display_name": "T1489 - Service Stop" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" } ], "industries": [ "Education", "Government", "Healthcare" ], "TLP": "white", "cloned_from": null, "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 52, "FileHash-SHA1": 20, "FileHash-SHA256": 18, "domain": 59, "URL": 100, "email": 5, "hostname": 68 }, "indicator_count": 322, "is_author": false, "is_subscribing": null, "subscriber_count": 130, "modified_text": "206 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6887d46c19a44d6affd7bd2d", "name": "Thor Lite - 07.27.25 - APT Detections [un-enriched]", "description": "Thor Lite Scan on Windows PC (a psuedo mirror of sorts) of a University of Alberta, Alberta Health Services, Covenant Health, Government of Alberta Portable Workstation. Files uploaded to VT.\nUpdated Note: Included IOCs from Filescanio\nRan files through: Neiki, FileScanio, Polyswarm, Triage, Metadefender, Hybrid Analysis, Threatzone, Virustotal\nTPs = This Pulse - IOCs from references", "modified": "2025-08-28T16:04:17.368000", "created": "2025-07-28T19:50:04.469000", "tags": [ "data", "upload", "sg2backup drive", "no problems", "problems1", "supportavast", "progressb", "files", "onedrivenoprobs", "sg2suss", "trash", "fall", "Covenant Health", "AHS", "Alberta Health Services", "Rogers", "UAlberta", "APT", "Edmonton", "Telus" ], "references": [ "Bitch-On-Wheels_files_md5s.csv", "832dde85e22a6de8081cdb46fcc7d8f2ae104bbdae54c5dc75d2a6272a0bd431", "f66f2b730bec1c6927aa86503dfb22fc8d03a2f9e871ae6269d2a3ed29dc48e5", "902574c9ffd06678d769ae3db96b3957269c45617ad8e2feead4d02f5f3da106", "", "https://hybrid-analysis.com/sample/9c8ee51b61019f9820cd151b3f3a5a9a0309787a46bd37fa877c5c95b633b5cb", "https://tria.ge/250729-s1vysaywgy", "https://www.filescan.io/uploads/6888ec9fa16348d835f2f6d3", "https://polyswarm.network/scan/results/file/9c8ee51b61019f9820cd151b3f3a5a9a0309787a46bd37fa877c5c95b633b5cb", "https://www.filescan.io/uploads/6888ec9fa16348d835f2f6d3/reports/a3528542-a121-4351-91fe-de5aab327fe2/overview", "https://www.filescan.io/uploads/6888ec9fa16348d835f2f6d3/reports/3c22777d-9fa3-4d67-a00a-8aa505154874/overview", "https://metadefender.com/results/file/bzI1MDcyOV9QRkdmNWZwSkhvMG11YWczRVZMRw_mdaas", "https://www.filescan.io/uploads/6888ec9fa16348d835f2f6d3/reports/5fdda54a-0164-4d4e-a248-d07ec3780d8a/overview", "https://app.threat.zone/submission/ef60d9bd-bd97-4859-8e58-4f670d1f1783/overview", "https://www.filescan.io/uploads/6888ec9fa16348d835f2f6d3/reports/21f7ed2c-7815-49f0-8697-998b341df34a/overview", "https://tip.neiki.dev/file/9c8ee51b61019f9820cd151b3f3a5a9a0309787a46bd37fa877c5c95b633b5cb", "https://hybrid-analysis.com/sample/f66f2b730bec1c6927aa86503dfb22fc8d03a2f9e871ae6269d2a3ed29dc48e5", "https://hybrid-analysis.com/sample/902574c9ffd06678d769ae3db96b3957269c45617ad8e2feead4d02f5f3da106/6888ec5bd7a73585560d2ddd", "https://hybrid-analysis.com/sample/832dde85e22a6de8081cdb46fcc7d8f2ae104bbdae54c5dc75d2a6272a0bd431/6888ec5cfd974c2a5b0f1cfa", "https://hybrid-analysis.com/sample/12f05b32365a6fc40b30d108ea0dc730f662c6ee48c0feccf7cb43263a0a8166/6888ec5d423dabf7de0872d7" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Technology", "Telecommunications", "Education", "Healthcare", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4790, "FileHash-SHA1": 3172, "FileHash-SHA256": 2764, "domain": 453, "URL": 2688, "CVE": 59, "email": 31, "hostname": 638 }, "indicator_count": 14595, "is_author": false, "is_subscribing": null, "subscriber_count": 131, "modified_text": "234 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67c6bb5aa601e91b1314ff44", "name": "SCANID: S-KhOoOrXsco8: Thor Lite Linux 64 - Sample Lab Device 2 - incomplete (not enriched)", "description": "Thor Lite Linux 64 - Sample Lab Device 2 - incomplete\nhttps://tip.neiki.dev/file/09de67f8d3ce9a276e9665dc2e0013577b38d60b0518ffe7961bdc7f8755a52d\nSCANID: S-KhOoOrXsco8", "modified": "2025-04-22T06:02:28.535000", "created": "2025-03-04T08:35:38.390000", "tags": [ "misc", "filename ioc", "scanid", "sigtype1", "reasonscount", "sg2backup drive", "thu feb", "log entry", "exists1", "matched1", "warp", "trash", "rooter", "service", "puppet", "apache", "ruby", "execution", "android", "glasses", "agent", "hermes", "atlas", "score", "open", "orion", "entity", "download", "enterprise", "nexus", "beyond", "patch", "rest", "bsod", "bind", "june", "upgrade", "project", "surtr", "path", "mandrake", "accept", "openssl", "null", "responder", "shell", "servu", "cargo", "bypass", "green", "python", "iframe", "webex", "blink", "code", "netty", "fall", "grab", "metasploit", "webdav", "postscript", "middle", "assistant", "energy", "august", "diego", "february", "hold", "write", "extras", "fusion", "trace", "click", "rust", "anna", "virustotal", "rootkit", "timestomp", "doublepulsar", "logger", "teamviewer", "obfus", "probe", "win32", "snoopy", "vuln", "april", "format", "flash", "domino", "calendar", "cryptocat", "orca", "hello", "stream", "confi", "sharepoint", "launcher", "hypervisor", "malicious", "lame", "attack", "prior", "simple", "hpack", "homepage", "easy", "live", "cookie", "explorer", "config", "rush", "spark", "chat", "media", "webview", "trigger", "northstar", "monitoring", "false", "impact", "dino", "example", "splash", "macos", "notifier", "error", "spring", "this", "neutrino", "tools", "template", "crow", "magento", "zimbra", "drop", "stack", "linear", "blocker", "deleter", "main", "face", "arch", "hosts", "bifrost", "recursive", "cobaltstrike", "luckycat", "brain", "apt", "php", "rat", "hacktool", "worm", "meterpreter", "obfuscated", "evasive", "exaramel", "anti-vm" ], "references": [ "https://www.virustotal.com/gui/collection/9c02b7b214c51b2fa7b6f2f38943a83ada3fff5ab9cbb9cf52e320bd702c9cd0/iocs", "https://www.virustotal.com/gui/collection/9c02b7b214c51b2fa7b6f2f38943a83ada3fff5ab9cbb9cf52e320bd702c9cd0/summary", "https://www.virustotal.com/graph/embed/ga8f86f452d6d4819b2dedf4c1981843304472a457d9b4b339f35679f4693ce9c?theme=dark", "https://tip.neiki.dev/file/09de67f8d3ce9a276e9665dc2e0013577b38d60b0518ffe7961bdc7f8755a52d", "https://cyber-fortress.com/docs/result/index.php?id=67c6bb9cc8d04e92a4bed8fc", "https://www.filescan.io/uploads/67c6bd19e95d0f9029e3804f/reports/834b740f-9bcb-42d9-b6a1-a0a8dbd07b07/overview", "https://www.filescan.io/uploads/67df8585fae452b82c2115b7/reports/65f03ad1-b5bc-41a8-ae82-21970a18efcb/ioc", "https://hybrid-analysis.com/sample/a6b9deae18604003aa3963d5d83775f5c66bfbe93ea4608fe8a69e6af3722f45/67df874be4fc8d105e0230d1" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada" ], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1505", "name": "Server Software Component", "display_name": "T1505 - Server Software Component" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1550", "name": "Use Alternate Authentication Material", "display_name": "T1550 - Use Alternate Authentication Material" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1595", "name": "Active Scanning", "display_name": "T1595 - Active Scanning" } ], "industries": [ "Education", "Healthcare", "Government", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 45, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 14071, "FileHash-MD5": 979, "FileHash-SHA1": 2568, "FileHash-SHA256": 636, "URL": 43905, "domain": 2031, "email": 31, "hostname": 3621 }, "indicator_count": 67842, "is_author": false, "is_subscribing": null, "subscriber_count": 132, "modified_text": "362 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6706b52d4f2c0f49ac7cece9", "name": "Thor Lite 64 - 10.09.24", "description": "Just a Thor Lite 64 scan of 'things missed' on sample device.", "modified": "2024-11-08T16:00:58.458000", "created": "2024-10-09T16:54:05.079000", "tags": [ "data", "no problems", "sg2backup drive", "upload", "entry", "sun oct", "sigtype1", "exists1", "subscore1", "size2", "score", "service", "error", "procdump", "metasploit", "trash", "school", "info", "confuserex", "virustotal", "probe", "copyleft", "path", "recursive", "supportavast", "problems1", "onedrive", "copied", "backup", "progressb", "scanid", "size1", "fri may", "company1", "mz created1", "desc1", "originalname1", "md51", "imphash1", "pipes", "rootkit", "timestomp", "doublepulsar", "logger", "teamviewer", "model", "arch", "hosts", "pass", "ransomware" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "Canada" ], "malware_families": [], "attack_ids": [ { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1505", "name": "Server Software Component", "display_name": "T1505 - Server Software Component" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1572", "name": "Protocol Tunneling", "display_name": "T1572 - Protocol Tunneling" }, { "id": "T1136", "name": "Create Account", "display_name": "T1136 - Create Account" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" } ], "industries": [ "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 25, "URL": 89, "CVE": 13, "FileHash-MD5": 1136, "FileHash-SHA1": 647, "FileHash-SHA256": 604, "hostname": 47, "email": 2 }, "indicator_count": 2563, "is_author": false, "is_subscribing": null, "subscriber_count": 131, "modified_text": "527 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "666a8c16f1d9c3d26f51ea30", "name": "Thor Lite Scan Kano & SG2 - 06.12.24", "description": "Just a Thor-Lite scan of W11 Kano PC sample and SG2 Backup Drive\n\n06.12.24: https://www.virustotal.com/graph/embed/gfe2fba6acfb04c7a95689313b7e20d286b56f9fdf4204834a94080660ff4c752?theme=dark", "modified": "2024-07-13T05:00:16.603000", "created": "2024-06-13T06:05:10.629000", "tags": [ "entity", "please", "javascript", "data", "upload", "drive", "no problems", "supportavast", "problems1", "progressb", "bitdefender", "nortoninstaller", "files", "scanid", "size1", "exists1", "company1", "mz created1", "desc1", "originalname1", "fri may", "imphash1", "internalname1", "metasploit", "virustotal", "score", "pipes", "rootkit", "timestomp", "doublepulsar", "logger", "teamviewer", "service", "procdump", "probe", "model", "arch", "hosts", "confuserex", "sliver", "module", "sun sep", "sigtype1", "threat network", "subscore1", "rule matched1", "info", "click" ], "references": [ "https://www.virustotal.com/graph/embed/gfe2fba6acfb04c7a95689313b7e20d286b56f9fdf4204834a94080660ff4c752?theme=dark", "https://www.virustotal.com/gui/collection/5be03d2b8f33092b21ea4645ec76c9b32b98b4cd158f65bafda599ec3ca4f28b/summary", "https://www.virustotal.com/gui/collection/5be03d2b8f33092b21ea4645ec76c9b32b98b4cd158f65bafda599ec3ca4f28b/iocs", "https://www.virustotal.com/gui/collection/5be03d2b8f33092b21ea4645ec76c9b32b98b4cd158f65bafda599ec3ca4f28b/graph" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada" ], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1505", "name": "Server Software Component", "display_name": "T1505 - Server Software Component" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Education", "Government", "Healthcare", "Telecommunications", "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 969, "FileHash-SHA1": 541, "FileHash-SHA256": 645, "domain": 29, "URL": 168, "CVE": 10, "email": 2, "hostname": 90 }, "indicator_count": 2454, "is_author": false, "is_subscribing": null, "subscriber_count": 130, "modified_text": "645 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "str.map", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "str.map", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1776618528.419139 }