{
  "type": "Domain",
  "indicator": "trello.com",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/trello.com",
    "alexa": "http://www.alexa.com/siteinfo/trello.com",
    "indicator": "trello.com",
    "type": "domain",
    "type_title": "Domain",
    "validation": [
      {
        "source": "akamai",
        "message": "Akamai rank: #2574",
        "name": "Akamai Popular Domain"
      },
      {
        "source": "alexa",
        "message": "Alexa rank: #360",
        "name": "Listed on Alexa"
      },
      {
        "source": "majestic",
        "message": "Whitelisted domain trello.com",
        "name": "Whitelisted domain"
      },
      {
        "source": "whitelist",
        "message": "Whitelisted domain trello.com",
        "name": "Whitelisted domain"
      }
    ],
    "base_indicator": {
      "id": 2783287199,
      "indicator": "trello.com",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 13,
      "pulses": [
        {
          "id": "69db956f031caeb41837fe82",
          "name": "VirusTotal report\n                    for Digi-Loader-1-exe-Download-Added-TOP.pdf",
          "description": "<The full text of the full file of Adobe's Acrobat 2, which was released on Tuesday, has now been published on the website of Adobe, the firm's parent company, Adobe.> A collection from U or Oreg. - thanks to the tipster. While the dates askew from cert. abuse the overall Month/day appear aligned, however the diff year predated to invalid certs (suspect- more than a theory). Interesting, research subjects pii on pdx flight aligns.\nConsistent \"Research time signed outside timestamp\" burden of proof has been met, goodnight. \nSecond Write- Can read a malicious pdf docs quicker than anyone. Thank you Second Write Sandbox",
          "modified": "2026-05-12T14:28:43.689000",
          "created": "2026-04-12T12:51:59.240000",
          "tags": [
            "file type",
            "united",
            "json",
            "com executable",
            "network info",
            "malicious",
            "urls",
            "t1055 process",
            "ascii",
            "mitre attack",
            "phishing",
            "next",
            "windows sandbox",
            "calls process",
            "foxpro fpt",
            "links file",
            "152 x",
            "sqlite version",
            "utf8",
            "sqlite rollback",
            "default",
            "file size",
            "mwdb",
            "bazaar",
            "sha3384",
            "ssdeep",
            "strong",
            "library",
            "win1",
            "cultureneutral",
            "accept",
            "shutdown",
            "back",
            "msie",
            "windows nt",
            "wow64",
            "slcc2",
            "media center",
            "get http",
            "type annot",
            "subtype link",
            "rect",
            "stream",
            "xport",
            "possible",
            "matrix",
            "packer",
            "strings",
            "enterprise",
            "sandbox",
            "title",
            "core",
            "agent",
            "snort",
            "context",
            "destination ip",
            "http requests",
            "dns resolutions",
            "acrongl integ",
            "adc4240758",
            "sha1",
            "potential pdx intersect",
            "spellbound. librarian things"
          ],
          "references": [
            "https://vtbehaviour.commondatastorage.googleapis.com/f8959944c899789d1fa1a6de7c6818a37f237dd44f39e5301f755fddd64c9791_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775997378&Signature=KsJYbpoN6hteGv0hQe%2B7MgknKi2y7G9y%2Bv0JJZqMcuUdnf3gyNBPBzyKTVuoWOtaG8ix3%2BctGPzbrSe5UI3cg4Z0gK%2B6X75apikmjWPqBKofhIc5BqSpHspjoDYtiKLxroPreiitG4QqViG8yPq7ZCkMLfT71MSIE9dJ9XhV4fO2MSLHJA0qzdykwolGgi0i5r12p1nNsE1eHXJY0HwJl%2Fqka%2FKRtekjeEG1K1qHo6QJlzKhiCRubQwgU7",
            "https://vtbehaviour.commondatastorage.googleapis.com/f8959944c899789d1fa1a6de7c6818a37f237dd44f39e5301f755fddd64c9791_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775997612&Signature=l%2FoIF7cZSCGanh2IyxGroiq3YNwdCp9oVTfF02Zi7d4yp4LMuvnnLFWqVzfWbvIHB94EaU0ICQHP6MwgUb5Z4bF2OVcHxdHieB3iTKEX6sGurBIeKYNAPuakGTzCRv%2FSnZJHpZbsoH11i%2F%2BIwHQLGAKerBuNCuq%2FDi8tvVKCDiF9JQGxOYhQsjlzQJtUBiVEVnBTKbjIdeg9iAMES8qHj0eAglff6gxDk1t%2FU5HmKB1T",
            "https://vtbehaviour.commondatastorage.googleapis.com/26b3bfa810cd37fe4046221ab2269b360e9a6c51961db6fd95e7499e2d76d544_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775997821&Signature=IjR3qiuvOqpJ0ChD%2FQ%2B0QKlCAsWejT6Ei8KIh27ZO2t%2BnO1oDrCrR7D3x3lf6xKLr93CFw7bU1IUQONv3WbJ%2BJ0oyQ0yhyalr5VTTy1mHEphjCvObM%2B8PPv6o5cjYXYDpKVcQjBFrkgGvJxrleE5kQvx6irIRcFMTUdnDVuNEcV6sALKN3oYRo%2B%2Fvk7TA%2FfAVTtpBhUfsC4dvVAJnRQgBC4gEzEYuZN3oaDzlYUCoghsW5",
            "https://vtbehaviour.commondatastorage.googleapis.com/f8959944c899789d1fa1a6de7c6818a37f237dd44f39e5301f755fddd64c9791_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775997952&Signature=Pc%2FXTIxysZhpywMxwwW%2BrBcX9VHIrYH%2BL3sUsVHUCm1TUbCCtQe7ZIpfTtqIl%2FWLsaehPWv%2FBt4Q6PbZH1IFYbFrKet6C2NOwwOh9WtZQ0cak9wRRun6IjZTU33hWBk4GyEAh%2FpE5nF4ND%2BQSOQuZ5DiMtHeXRlWjRI6KwJ8ApdtNpccNlYGYGKmqj%2BLK7CZTI%2FmpO8GkbS2UkwUwBa6TFoYFvBiQ5SHdRUJ2MT7t3RzWvn8hGyb",
            "https://vtbehaviour.commondatastorage.googleapis.com/f8959944c899789d1fa1a6de7c6818a37f237dd44f39e5301f755fddd64c9791_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775998043&Signature=atj43IFZmS1xhCQtPEtGr1gjAzp5YJ5SAqKqPXrExtpioezLoyIJKw91Cc1EPO9Ff86CNaeS%2BNKNidgGEvFkAFNQpY8CEvbl7dcNVj3FUVUS3ybBoI8xLShMhwUy%2F0aYbXdMfYG3KdE%2FXDvt56Et6LjAj6N0lh1mp0m48Zz2hNTlghpHTSGlP3SY1VjfKxBYwh%2BWAJOSrHiXvzeVhuN5Qj6JWU%2FLg824mJRsUPe7iyNe2u",
            "https://vtbehaviour.commondatastorage.googleapis.com/3aefe8dfb9c99f3a84f5f74b15afeaeca682c8c50f18fa59b2e0b06da9619f1d_SecondWrite.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775998118&Signature=oZItRZYU06S7GWIVhygTK0XUPoeDlmpVWee4ri8K1nSYOFjKP7WjYTzw03EoC6pzqFjdjNKm2lQytBKbv%2BcMJT%2F%2BWZ7nF71PUUmExKgSsvfD6PXKzUcX8vuHnJwcu3NlTOuhNKNfed2iOEAGybINfsgUO6DFzlTsGd51hjV3I%2BT4t%2FTn1aszBeDzRu01gkhvTI5%2BmXmxZfhYmVTFVADNEociZ8DSGmafzUamrXrSTRcAurmFTNmC4",
            "https://vtbehaviour.commondatastorage.googleapis.com/3aefe8dfb9c99f3a84f5f74b15afeaeca682c8c50f18fa59b2e0b06da9619f1d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775998463&Signature=qYYMHcxIAT2xuxsg%2F5YbX%2B0y0xuq1Bdd9afbiFWSZHWHsm16y4KPWqE8YDY6heMDu8H6K1bmLZjUn59Bei5cJgnVJtX4Qv6%2FJ9i%2FJXNS6kxDf5xDJvv%2FF%2FcK%2FVKyZS%2BVYzAwJ2OLrXxw4BNVIrT4nxtE34M2lc%2FjwH6H%2FLWNBighCC1k8cvWNbNJkBtGmfWtAfK%2FueAgi5glMRbAmq7xAC5XJGlhgUzo%2Fu2U9N",
            ""
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            },
            {
              "id": "T1014",
              "name": "Rootkit",
              "display_name": "T1014 - Rootkit"
            },
            {
              "id": "T1047",
              "name": "Windows Management Instrumentation",
              "display_name": "T1047 - Windows Management Instrumentation"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1203",
              "name": "Exploitation for Client Execution",
              "display_name": "T1203 - Exploitation for Client Execution"
            },
            {
              "id": "T1485",
              "name": "Data Destruction",
              "display_name": "T1485 - Data Destruction"
            },
            {
              "id": "T1496",
              "name": "Resource Hijacking",
              "display_name": "T1496 - Resource Hijacking"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1542",
              "name": "Pre-OS Boot",
              "display_name": "T1542 - Pre-OS Boot"
            },
            {
              "id": "T1548",
              "name": "Abuse Elevation Control Mechanism",
              "display_name": "T1548 - Abuse Elevation Control Mechanism"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1564",
              "name": "Hide Artifacts",
              "display_name": "T1564 - Hide Artifacts"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 458,
            "FileHash-MD5": 575,
            "FileHash-SHA1": 478,
            "FileHash-SHA256": 1401,
            "domain": 96,
            "hostname": 235,
            "email": 6,
            "CVE": 3
          },
          "indicator_count": 3252,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 67,
          "modified_text": "20 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69db609269c77812f937026e",
          "name": "CAPE Sandbox ----- emulex fc 2.72.011.002-3",
          "description": "emulex fc 2.72.011.002-3, Malware Behavior Catalog Tree\nAnti-Behavioral Analysis\nOB0001\nVirtual Machine Detection\nB0009\nSoftware Packing\nF0001\nAnti-Static Analysis\nOB0002\nSoftware Packing\nF0001\nDefense Evasion\nOB0006\nSoftware Packing\nF0001\nDiscovery\nOB0007\nFile and Directory Discovery\nE1083\nExecution\nOB0009\nCommand and Scripting Interpreter\nE1059\nFile System\nOC0001\nDelete File\nC0047\nGet File Attributes\nC0049\nSet File Attributes\nC0050\nRead File\nC0051\nWrites File\nC0052\nProcess\nOC0003\nTerminate Process\nC0018\nCommunication\nOC0006\nHTTP Communication\nC0002\n\nWho are you protecting? Look at your root certificate map to 2018-19. Im not mad, I am just disappointed in the lack of cyber security awareness and cryptographic failures. If I see one more unsigned DNSSEC. Edge node completely exposed. Maybe let CISA and the NSA handle things since they are competent. unknown agency- #burnedyourowncountry.\nPalo Alto, level blue, falcon sandbox, cape, yomi, sec, arc- you are heroes for picking up malware that evades everything.",
          "modified": "2026-05-12T12:15:01.636000",
          "created": "2026-04-12T09:06:26.754000",
          "tags": [
            "hbanyware",
            "hbas",
            "true",
            "reportlocation",
            "programfiles",
            "command line",
            "enable silent",
            "mode",
            "full",
            "local only",
            "false",
            "path",
            "example",
            "windows sandbox",
            "clear filters",
            "show",
            "fibre channel",
            "emulex fibre",
            "emulex network",
            "fibre chann",
            "host b",
            "network",
            "emulex",
            "network cards",
            "find",
            "UNITED STATES SENT.",
            "Still love USA.",
            "bankers doc",
            "ESign Violation",
            "cyber warfare",
            "Fraud",
            "pdfkit.net",
            "CIVIL rights violation",
            "geofence",
            "whistleblower",
            "adobe exploited from unsafe practices",
            "certificate abuse",
            "wiper",
            "Docusign exploited from unsafe practices",
            "abuse",
            "modification of the record",
            "date changes",
            "deleting evidence",
            "wateringholeleftwideopen#RiskManagementKnowledgeDeficient",
            "firmware neutral",
            "fraud",
            "espionage",
            "Iloveyou.txt",
            "APTnull.",
            "PlutoniumoftheInternet",
            "apiabuse",
            "Put Zen at risk",
            "Microsoft exploited from misuse of power and secure protocols",
            "Spyonyourinternalframework.",
            "fsquirt.[exe]",
            "bluetooth tampering",
            "wormhole",
            "backdoor",
            "GITlikeMITbutSouth",
            "pool",
            "CloseDoorsProper",
            "spellbound.[exe]",
            "Wizard",
            "GUI of Bluetooth File Transfer Wizard",
            "<fsquirt",
            "Silkwood",
            "RF's, EMF's, EF's - beyond reasonable measure",
            "lateral moving world wide higher ed warrants further research, G",
            "emulex fc 2.72.011.002-3"
          ],
          "references": [
            "https://vtbehaviour.commondatastorage.googleapis.com/d6a033eb92cc58314c55460d4b1b32befca63cd522f89bc3a09c7cf6477e67a9_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775984872&Signature=X7ut04viSpboUfiHbVbGH602vbGaavKO28%2FuQZ9YCLjbW%2Bl9JHGrffH4HHtGQ39GPFGg3uUwyMpuOewArLSuI0W%2F0SjlRr%2B3ob5iUQ8eckXWI47mIElQtuCwRStAGCclC8lI%2BsnrEI7u%2FvPhk16ucrMhQtHiSehYuWwNi1lQkbG3Y5ZoDqClBlw1uSMm1jm1Gpu1EBVSIeAqmbV33HSK%2FDTrwzhuwObiyOu4RKE9E7MOmj%2",
            "https://vtbehaviour.commondatastorage.googleapis.com/d6a033eb92cc58314c55460d4b1b32befca63cd522f89bc3a09c7cf6477e67a9_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775984910&Signature=hjdKVB1Hclv%2FNw7qh%2FV50rCooI70BC8NJcq77KWRUu6VAlxs8vV%2FWfNLh9VzjKS2pBgR7wAaaDp6GwPof61nS4TwykWgUO%2FavR45JKGxhUsjhYKLE5VQoAZkh13wvx1nTVwH%2FP6fx71mJlF71bDqJe7pjpKdd3jyGRDGC6ksN3fMJ%2FRVnusGPDwzZXpy9F6CUYZ1tT9xuK7k3zz9xdIV5e0noQ9s7P343Ca7ROLOUhs9"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1539",
              "name": "Steal Web Session Cookie",
              "display_name": "T1539 - Steal Web Session Cookie"
            },
            {
              "id": "T1548",
              "name": "Abuse Elevation Control Mechanism",
              "display_name": "T1548 - Abuse Elevation Control Mechanism"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 771,
            "FileHash-SHA1": 836,
            "FileHash-SHA256": 2524,
            "URL": 810,
            "domain": 764,
            "email": 112,
            "hostname": 2635,
            "URI": 3,
            "CVE": 7,
            "CIDR": 12,
            "JA3": 1
          },
          "indicator_count": 8475,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 69,
          "modified_text": "20 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69d096edd596a1a9e9a0aa92",
          "name": "VirusTotal report\n                    for index.html",
          "description": "The full name of the German domain registrar: COFFEEDESIGNCODE.com, or coffeedesign code, has been published.. and it is not yet known.",
          "modified": "2026-05-04T04:03:27.972000",
          "created": "2026-04-04T04:43:25.258000",
          "tags": [
            "date",
            "server",
            "registrar abuse",
            "registrant name",
            "expiration date",
            "registry domain",
            "registrar iana",
            "registrar url",
            "registrant city",
            "ag registrant",
            "thumbprint",
            "html document",
            "unicode text",
            "utf8 text",
            "title microsoft",
            "ms05019",
            "none",
            "docs",
            "betafred ms",
            "content tocrel",
            "conceptual",
            "performs dns",
            "https",
            "file type",
            "tls version",
            "mitre attack",
            "network info",
            "urls",
            "t1055 process",
            "layer protocol",
            "united",
            "phishing",
            "malicious",
            "next",
            "cache entry",
            "chrome cache",
            "entry",
            "extra info",
            "process",
            "nothing",
            "registry keys",
            "mutexes nothing",
            "data",
            "datacrashpad",
            "edge",
            "created",
            "parent pid",
            "full path",
            "command line",
            "status code",
            "ssl certificates",
            "tls certificates",
            "website security",
            "signtool",
            "sectigo",
            "microsoft",
            "signtool let",
            "web site",
            "rsasha256",
            "rsasha384",
            "rsasha512",
            "signcode",
            "ssl certificate",
            "logo",
            "sxa0",
            "object",
            "regexp",
            "null",
            "tdfunction",
            "ddfunction",
            "array",
            "string",
            "dfunction",
            "iana id",
            "contact phone",
            "dnssec",
            "domain status",
            "registrar whois",
            "registrar",
            "language",
            "html internet",
            "doctype",
            "learn",
            "seomatic og",
            "timestamp",
            "sectigo ssl",
            "sectigo og",
            "sectigohq og",
            "utf8",
            "crlf line",
            "text",
            "ipxw1920",
            "fwebp",
            "win32 exe",
            "pe32",
            "ms windows",
            "win16 ne",
            "icons library",
            "os2 executable",
            "generic windos",
            "executable",
            "pe64 compiler",
            "sha256",
            "pc bitmap",
            "windows bitmap",
            "bitmap",
            "zip archive",
            "text text",
            "ascii text",
            "has permission",
            "reads",
            "accesses",
            "found",
            "t1413 access",
            "sensitive data",
            "device logs",
            "persistence",
            "fraud",
            "cloud"
          ],
          "references": [
            "http://clients2.google.com/time/1/current?cup2key=8:JROu1MtiAi1ExACtDuYde399VG2TxRqflS_l7p_q0tU&cup2hreq=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855%0Ahttp://x1.c.lencr.org/%0Ahttp://c.pki.goog/r/r1.crl",
            "https://vtbehaviour.commondatastorage.googleapis.com/5a28f4a80025385ca11cce22b13e5eed52999965afbe16cccbc5e7165c7a0ac9_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775276100&Signature=NczLfuk5dyPFskbtz7UwIjCT2DzeU5uAQP%2FL%2BC5bjk7Ng%2FHccJbUFWcb%2FqpvZaJ%2BWg4tg6aaPKihJzwDyiF7UaJOwdX3172ddwGJAfggvgpJ68YtVBE1nyhHAoFO6KsLL73DjNj58e8Uhq6Bcx4nXa86FETCR%2FzzXDlLDXyQSxf%2FKhG8zuxEsss9vRDCF%2B3TJGvJ5EmQ5HwGvk2ex9wf6H1FrBxEyx6BH5i6txcC9vMG9SXQ6eYR2p",
            "https://vtbehaviour.commondatastorage.googleapis.com/5a28f4a80025385ca11cce22b13e5eed52999965afbe16cccbc5e7165c7a0ac9_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775276177&Signature=iO1RoMLTZsC3s7nBZ8wieXl6wwWrnnCqu%2F5pXBAa2Luk2wKtKTXUyyZEOOhqaCFNbUPjsIfY1v0KxEBxzkumSiDs3XXBs%2FYt49goHGNudddQOKcmLsjbT2GhALTnmmVvl79aLJaLwnMe9B7PkJpSTGuBrutOjF5VJ0yofcbM4XjQQlOIkc8WWi94WMVxXpWAjFK9D5zmoyn9G5w1TahDZjePP%2FfkKNpJe2OqRQ59iXyHcG1nvA%2FUIx",
            "http://timestamp.sectigo.com/",
            "https://www.google-analytics.com/analytics.js",
            "http://clients2.google.com/time/1/current?cup2key=8:JROu1MtiAi1ExACtDuYde399VG2TxRqflS_l7p_q0tU&cup2hreq=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
            "https://vtbehaviour.commondatastorage.googleapis.com/5a28f4a80025385ca11cce22b13e5eed52999965afbe16cccbc5e7165c7a0ac9_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775277214&Signature=y3%2FkmodrmzpLTVDtkzYvlqSkUTQ8Tri%2FDiLIqIpCBmJ6%2Bwk5p%2FJDSAwE5V8Wdp0vWLWjfA4DvRyS%2FvmNV4kFOr422iVZH2Ap2evf8%2Bq2bp9CW%2BAuBCjgz9K329V4%2B%2B9duUsUhVBqZ%2BNKz%2Fj4z7ZDBI%2BjqPV8XjvTI7pXAfzknmFAfZU%2FjalCNigHCX%2FIOgymeTOfzSOLYLClpNTr%2BYle8VSI%2BHf9TgUWP2WgNF",
            "https://vtbehaviour.commondatastorage.googleapis.com/028e16744de653383b403efd4b755075deeb7d8ce264d7edd4615725e5b4c4c6_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775277967&Signature=oSvtx7eGCctItNKSDZN4tpJp11yn5QQjCHsLi45z7kUOa9nbuhPdVjh9gBKlXtNuGfXbpItYf6NFI%2B4pKCin266TJQP7FzDSnUzzziJTuqmZwxihDeoZ1RauqVOzGoAmrj9sG8nOYXqbOHNxQ3E6SugSzW3UFbyQJzfKt%2FsqsPsKAvl4su%2FlkWsqTHUR%2FT%2FLTTQV0ZXLwnrLv%2FdBA7DdsiE35g%2FPOiUdzJjkjhSILF%2BR"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1070",
              "name": "Indicator Removal on Host",
              "display_name": "T1070 - Indicator Removal on Host"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1560",
              "name": "Archive Collected Data",
              "display_name": "T1560 - Archive Collected Data"
            },
            {
              "id": "T1406",
              "name": "Obfuscated Files or Information",
              "display_name": "T1406 - Obfuscated Files or Information"
            },
            {
              "id": "T1409",
              "name": "Access Stored Application Data",
              "display_name": "T1409 - Access Stored Application Data"
            },
            {
              "id": "T1413",
              "name": "Access Sensitive Data in Device Logs",
              "display_name": "T1413 - Access Sensitive Data in Device Logs"
            },
            {
              "id": "T1421",
              "name": "System Network Connections Discovery",
              "display_name": "T1421 - System Network Connections Discovery"
            },
            {
              "id": "T1424",
              "name": "Process Discovery",
              "display_name": "T1424 - Process Discovery"
            },
            {
              "id": "T1426",
              "name": "System Information Discovery",
              "display_name": "T1426 - System Information Discovery"
            },
            {
              "id": "T1429",
              "name": "Capture Audio",
              "display_name": "T1429 - Capture Audio"
            },
            {
              "id": "T1430",
              "name": "Location Tracking",
              "display_name": "T1430 - Location Tracking"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 50,
            "email": 2,
            "hostname": 196,
            "FileHash-SHA1": 51,
            "URL": 234,
            "FileHash-MD5": 54,
            "FileHash-SHA256": 715
          },
          "indicator_count": 1302,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 67,
          "modified_text": "28 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69d096edff67896dccb36a4d",
          "name": "VirusTotal report\n                    for index.html",
          "description": "The full name of the German domain registrar: COFFEEDESIGNCODE.com, or coffeedesign code, has been published.. and it is not yet known.",
          "modified": "2026-05-04T04:03:27.972000",
          "created": "2026-04-04T04:43:25.967000",
          "tags": [
            "date",
            "server",
            "registrar abuse",
            "registrant name",
            "expiration date",
            "registry domain",
            "registrar iana",
            "registrar url",
            "registrant city",
            "ag registrant",
            "thumbprint",
            "html document",
            "unicode text",
            "utf8 text",
            "title microsoft",
            "ms05019",
            "none",
            "docs",
            "betafred ms",
            "content tocrel",
            "conceptual",
            "performs dns",
            "https",
            "file type",
            "tls version",
            "mitre attack",
            "network info",
            "urls",
            "t1055 process",
            "layer protocol",
            "united",
            "phishing",
            "malicious",
            "next",
            "cache entry",
            "chrome cache",
            "entry",
            "extra info",
            "process",
            "nothing",
            "registry keys",
            "mutexes nothing",
            "data",
            "datacrashpad",
            "edge",
            "created",
            "parent pid",
            "full path",
            "command line",
            "status code",
            "ssl certificates",
            "tls certificates",
            "website security",
            "signtool",
            "sectigo",
            "microsoft",
            "signtool let",
            "web site",
            "rsasha256",
            "rsasha384",
            "rsasha512",
            "signcode",
            "ssl certificate",
            "logo",
            "sxa0",
            "object",
            "regexp",
            "null",
            "tdfunction",
            "ddfunction",
            "array",
            "string",
            "dfunction",
            "iana id",
            "contact phone",
            "dnssec",
            "domain status",
            "registrar whois",
            "registrar",
            "language",
            "html internet",
            "doctype",
            "learn",
            "seomatic og",
            "timestamp",
            "sectigo ssl",
            "sectigo og",
            "sectigohq og",
            "utf8",
            "crlf line",
            "text",
            "ipxw1920",
            "fwebp",
            "win32 exe",
            "pe32",
            "ms windows",
            "win16 ne",
            "icons library",
            "os2 executable",
            "generic windos",
            "executable",
            "pe64 compiler",
            "sha256",
            "pc bitmap",
            "windows bitmap",
            "bitmap",
            "zip archive",
            "text text",
            "ascii text",
            "has permission",
            "reads",
            "accesses",
            "found",
            "t1413 access",
            "sensitive data",
            "device logs",
            "persistence",
            "fraud",
            "cloud"
          ],
          "references": [
            "http://clients2.google.com/time/1/current?cup2key=8:JROu1MtiAi1ExACtDuYde399VG2TxRqflS_l7p_q0tU&cup2hreq=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855%0Ahttp://x1.c.lencr.org/%0Ahttp://c.pki.goog/r/r1.crl",
            "https://vtbehaviour.commondatastorage.googleapis.com/5a28f4a80025385ca11cce22b13e5eed52999965afbe16cccbc5e7165c7a0ac9_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775276100&Signature=NczLfuk5dyPFskbtz7UwIjCT2DzeU5uAQP%2FL%2BC5bjk7Ng%2FHccJbUFWcb%2FqpvZaJ%2BWg4tg6aaPKihJzwDyiF7UaJOwdX3172ddwGJAfggvgpJ68YtVBE1nyhHAoFO6KsLL73DjNj58e8Uhq6Bcx4nXa86FETCR%2FzzXDlLDXyQSxf%2FKhG8zuxEsss9vRDCF%2B3TJGvJ5EmQ5HwGvk2ex9wf6H1FrBxEyx6BH5i6txcC9vMG9SXQ6eYR2p",
            "https://vtbehaviour.commondatastorage.googleapis.com/5a28f4a80025385ca11cce22b13e5eed52999965afbe16cccbc5e7165c7a0ac9_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775276177&Signature=iO1RoMLTZsC3s7nBZ8wieXl6wwWrnnCqu%2F5pXBAa2Luk2wKtKTXUyyZEOOhqaCFNbUPjsIfY1v0KxEBxzkumSiDs3XXBs%2FYt49goHGNudddQOKcmLsjbT2GhALTnmmVvl79aLJaLwnMe9B7PkJpSTGuBrutOjF5VJ0yofcbM4XjQQlOIkc8WWi94WMVxXpWAjFK9D5zmoyn9G5w1TahDZjePP%2FfkKNpJe2OqRQ59iXyHcG1nvA%2FUIx",
            "http://timestamp.sectigo.com/",
            "https://www.google-analytics.com/analytics.js",
            "http://clients2.google.com/time/1/current?cup2key=8:JROu1MtiAi1ExACtDuYde399VG2TxRqflS_l7p_q0tU&cup2hreq=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
            "https://vtbehaviour.commondatastorage.googleapis.com/5a28f4a80025385ca11cce22b13e5eed52999965afbe16cccbc5e7165c7a0ac9_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775277214&Signature=y3%2FkmodrmzpLTVDtkzYvlqSkUTQ8Tri%2FDiLIqIpCBmJ6%2Bwk5p%2FJDSAwE5V8Wdp0vWLWjfA4DvRyS%2FvmNV4kFOr422iVZH2Ap2evf8%2Bq2bp9CW%2BAuBCjgz9K329V4%2B%2B9duUsUhVBqZ%2BNKz%2Fj4z7ZDBI%2BjqPV8XjvTI7pXAfzknmFAfZU%2FjalCNigHCX%2FIOgymeTOfzSOLYLClpNTr%2BYle8VSI%2BHf9TgUWP2WgNF",
            "https://vtbehaviour.commondatastorage.googleapis.com/028e16744de653383b403efd4b755075deeb7d8ce264d7edd4615725e5b4c4c6_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775277967&Signature=oSvtx7eGCctItNKSDZN4tpJp11yn5QQjCHsLi45z7kUOa9nbuhPdVjh9gBKlXtNuGfXbpItYf6NFI%2B4pKCin266TJQP7FzDSnUzzziJTuqmZwxihDeoZ1RauqVOzGoAmrj9sG8nOYXqbOHNxQ3E6SugSzW3UFbyQJzfKt%2FsqsPsKAvl4su%2FlkWsqTHUR%2FT%2FLTTQV0ZXLwnrLv%2FdBA7DdsiE35g%2FPOiUdzJjkjhSILF%2BR"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1070",
              "name": "Indicator Removal on Host",
              "display_name": "T1070 - Indicator Removal on Host"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1560",
              "name": "Archive Collected Data",
              "display_name": "T1560 - Archive Collected Data"
            },
            {
              "id": "T1406",
              "name": "Obfuscated Files or Information",
              "display_name": "T1406 - Obfuscated Files or Information"
            },
            {
              "id": "T1409",
              "name": "Access Stored Application Data",
              "display_name": "T1409 - Access Stored Application Data"
            },
            {
              "id": "T1413",
              "name": "Access Sensitive Data in Device Logs",
              "display_name": "T1413 - Access Sensitive Data in Device Logs"
            },
            {
              "id": "T1421",
              "name": "System Network Connections Discovery",
              "display_name": "T1421 - System Network Connections Discovery"
            },
            {
              "id": "T1424",
              "name": "Process Discovery",
              "display_name": "T1424 - Process Discovery"
            },
            {
              "id": "T1426",
              "name": "System Information Discovery",
              "display_name": "T1426 - System Information Discovery"
            },
            {
              "id": "T1429",
              "name": "Capture Audio",
              "display_name": "T1429 - Capture Audio"
            },
            {
              "id": "T1430",
              "name": "Location Tracking",
              "display_name": "T1430 - Location Tracking"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 50,
            "email": 2,
            "hostname": 196,
            "FileHash-SHA1": 51,
            "URL": 234,
            "FileHash-MD5": 54,
            "FileHash-SHA256": 715
          },
          "indicator_count": 1302,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 68,
          "modified_text": "28 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69b4d19b5d08593e3b2fa873",
          "name": "VirusTotal report\n                    for Autocad-2004-Covadis-2004-Crack--Fr-Rar-58-11l.pdf",
          "description": "sleep deprived, descriptions later.",
          "modified": "2026-04-13T03:29:47.531000",
          "created": "2026-03-14T03:10:19.098000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 6,
            "FileHash-SHA1": 4,
            "FileHash-SHA256": 100,
            "URL": 32,
            "domain": 50,
            "hostname": 284
          },
          "indicator_count": 476,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 67,
          "modified_text": "49 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69b4d8136250ed80cb642956",
          "name": "VirusTotal report\n                    for Autocad-2004-Covadis-2004-Crack--Fr-Rar-58-11l.pdf",
          "description": "",
          "modified": "2026-04-13T03:29:47.531000",
          "created": "2026-03-14T03:37:55.333000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 2,
            "FileHash-SHA1": 2,
            "FileHash-SHA256": 50,
            "URL": 16,
            "domain": 4,
            "hostname": 9
          },
          "indicator_count": 83,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 68,
          "modified_text": "49 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6962b68da732abc66a0c2caf",
          "name": "Der Zugriff \u2022 Kanna \u2022 MyDoom \u2022 Sigur - Pahamify Pegasus",
          "description": "Pahamify Pegasus | Execution Attack, Access Attack | Drive by Compromise | \nSifting through Pahamify Pegasus this is no longer your computer , injection, google connects, remote connections, remote mouse movement, remote access, Google espionage, bad traffic, Apple complicit access. This is your Google account and browser, this is your appleid. Still researching\u2026. || \n*https://download.filepuma.com/files/web-browsers/google-chrome-64bit-/Google_Chrome_ ||\nMalware: Der Zugriff ,\nKanna ,\nMyDoom ,\nSigur \n#firebase #google_connection #bible_gateway_honeypot #crypto #hidden_users #who_else",
          "modified": "2026-02-09T19:00:09.890000",
          "created": "2026-01-10T20:29:01.675000",
          "tags": [
            "ip address",
            "status code",
            "kb body",
            "iocs",
            "deny age",
            "cloudfront",
            "utc google",
            "tag manager",
            "g8t6ln06z40",
            "utc na",
            "google tag",
            "injection",
            "t1055 malware",
            "tree",
            "help v",
            "defense evasion",
            "injection t1055",
            "resolved ips",
            "get http",
            "dns resolutions",
            "v memory",
            "pattern domains",
            "full reports",
            "v help",
            "memory pattern",
            "urls https",
            "hashes",
            "tiktok",
            "microsoft",
            "dashboard falcon",
            "request",
            "windows nt",
            "win64",
            "khtml",
            "gecko",
            "response",
            "appleid",
            "united",
            "name servers",
            "aaaa",
            "servers",
            "moved",
            "script urls",
            "passive dns",
            "urls",
            "data upload",
            "extraction",
            "failed",
            "jsvendor",
            "jsapp",
            "script script",
            "cssapp",
            "jsfirebase",
            "pegasus",
            "encrypt",
            "title error",
            "ipv4",
            "files",
            "reverse dns",
            "united states",
            "malware",
            "learn",
            "ck id",
            "name tactics",
            "suspicious",
            "informative",
            "command",
            "adversaries",
            "spawns",
            "execution att",
            "t1204 user",
            "script",
            "beginstring",
            "bad traffic",
            "et info",
            "null",
            "title",
            "refresh",
            "span",
            "strings",
            "error",
            "tools",
            "meta",
            "look",
            "verify",
            "restart",
            "mitre att",
            "ascii text",
            "pattern match",
            "ck matrix",
            "tls handshake",
            "hybrid",
            "general",
            "local",
            "path",
            "click",
            "ck techniques",
            "access att",
            "div div",
            "a li",
            "ul div",
            "record value",
            "emails",
            "accept",
            "referen https",
            "microsoft-falcon.net",
            "proxy",
            "status",
            "certificate",
            "updated date",
            "whois server",
            "zipcode",
            "entries http",
            "scans show",
            "search",
            "matches x",
            "type",
            "gmt cache",
            "all ipv4",
            "america flag",
            "america asn",
            "sameorigin",
            "urls show",
            "date checked",
            "url hostname",
            "server response",
            "google safe",
            "results jan",
            "ipv4 add",
            "win32mydoom jan",
            "trojan",
            "worm",
            "expiration date",
            "files show",
            "date hash",
            "avast avg",
            "win32mydoom",
            "backdoor",
            "found",
            "gmt connection",
            "control",
            "content type",
            "twitter",
            "dynamicloader",
            "medium",
            "high",
            "msie",
            "wow64",
            "slcc2",
            "media center",
            "write",
            "global",
            "domain name",
            "hostname",
            "apple",
            "racebook",
            "mouse movement",
            "remote mouse",
            "domain",
            "hostname add",
            "url analysis",
            "crlf line",
            "ff d5",
            "unicode text",
            "utf8",
            "ee fc",
            "yara rule",
            "f0 ff",
            "ff bb",
            "music",
            "push",
            "autorun",
            "unknown",
            "present sep",
            "present may",
            "present jan",
            "present aug",
            "cname",
            "present nov",
            "present jun",
            "apache",
            "body",
            "pragma",
            "found registry",
            "able",
            "model",
            "indicator",
            "source",
            "show technique",
            "file",
            "internet",
            "errore",
            "erreur",
            "download",
            "service",
            "crypto",
            "compiler",
            "installer",
            "yang",
            "updater",
            "shutdown",
            "thunk",
            "este",
            "install",
            "reboot",
            "code",
            "downloader",
            "sigur",
            "kanna",
            "der zugriff",
            "google",
            "chrome",
            "Pahamify Pegasus",
            "christoper p. ahmann",
            "law enforcement",
            "retaliation",
            "phone",
            "espionage",
            "united states",
            "m brian sabey",
            "quasi government",
            "target",
            "monitored targeting",
            "aig",
            "therahand (old name)",
            "target: tsara brashears",
            "douglas county, co",
            "sheriff",
            "industry and commerce",
            "worker\u2019s compensation",
            "crime",
            "financial crime",
            "danger",
            "nem tih",
            "amazon",
            "aws",
            "amazon aws",
            "deal",
            "deal with it lawfully",
            "pay victim",
            "protecting reimer"
          ],
          "references": [
            "https://pegasus.pahamify.com/ \u2022 pahamify.com \u2022 pegasus.pahamify.com \u2022 activation.pahamify.com \u2022 httpspegasus.pahamify.com",
            "https://download.filepuma.com/files/web-browsers/google-chrome-64bit-/Google_Chrome_",
            "Der Zugriff\u2022 Kanna \u2022 MyDoom \u2022 Sigur",
            "Pahamify Pegasus",
            "Matches rule ET INFO Observed Google DNS over HTTPS Domain (dns google in TLS SNI)",
            "https://graph.facebook.com/v3.3/590584968016991/mobile_sdk_gk?fields=gatekeepers&format=json&sdk_version=5.0.0&sdk=android&platform=android",
            "https://4.base.maps.ls.hereapi.com/maptile/2.1/maptile/newest/normal.day.mobile/{z}/{x}/{y}/256/PNG8?apiKey=wzEuHW02YdaEjU0Em-SwWQBtxbfF86-OfUuq1z93NI4",
            "tv.apple.com",
            "dashboard-proxy-sc-ncus-j7ynx.falcon- core.microsoft-falcon.net",
            "Antivirus Detections: Win.Trojan.Gamarue-9832405-0 ,  Trojan:Win32/Pariham.A",
            "IDS : Commonly Abused File Sharing Site Domain Observed (sendspace .com in DNS Lookup)",
            "IDS: Commonly Abused File Sharing Site Domain Observed (sendspace .com in TLS SNI)",
            "IDS: TLS Handshake Failure",
            "Yara Detections BackdoorWin32Simda",
            "Google_Chrome_64bit_v136.0.7103.49.exe",
            "https://hybrid-analysis.com/sample/e4306740e79c65c90242aef93fceeb93fa6da74577570c7b4a04399879349c37/696298b7667c4a112d04eac7",
            "https://download.filepuma.com/files/web-browsers/google-chrome-64bit-/Google_Chrome_",
            "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net",
            "https://wallpapers-nature.com/ tsara-brashears/urlscan-io\t \u2022 wallpapers-nature.com",
            "https://wallpapers-nature.com/%20tsara-brashears/urlscan-io \u2022",
            "https://wallpapers-nature.com/tsara-brashears/urlscan-io"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Trojan:Win32/Pariham.A",
              "display_name": "Trojan:Win32/Pariham.A",
              "target": "/malware/Trojan:Win32/Pariham.A"
            },
            {
              "id": "MyDoom",
              "display_name": "MyDoom",
              "target": null
            },
            {
              "id": "Virus:Win95/Cerebrus",
              "display_name": "Virus:Win95/Cerebrus",
              "target": "/malware/Virus:Win95/Cerebrus"
            },
            {
              "id": "AutoRunIt",
              "display_name": "AutoRunIt",
              "target": null
            },
            {
              "id": "Sigur",
              "display_name": "Sigur",
              "target": null
            },
            {
              "id": "Kanna",
              "display_name": "Kanna",
              "target": null
            },
            {
              "id": "Der Zugriff",
              "display_name": "Der Zugriff",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "TA0004",
              "name": "Privilege Escalation",
              "display_name": "TA0004 - Privilege Escalation"
            },
            {
              "id": "TA0005",
              "name": "Defense Evasion",
              "display_name": "TA0005 - Defense Evasion"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1069",
              "name": "Permission Groups Discovery",
              "display_name": "T1069 - Permission Groups Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1480",
              "name": "Execution Guardrails",
              "display_name": "T1480 - Execution Guardrails"
            },
            {
              "id": "T1568",
              "name": "Dynamic Resolution",
              "display_name": "T1568 - Dynamic Resolution"
            },
            {
              "id": "T1069.002",
              "name": "Domain Groups",
              "display_name": "T1069.002 - Domain Groups"
            },
            {
              "id": "T1568.002",
              "name": "Domain Generation Algorithms",
              "display_name": "T1568.002 - Domain Generation Algorithms"
            },
            {
              "id": "T1113",
              "name": "Screen Capture",
              "display_name": "T1113 - Screen Capture"
            },
            {
              "id": "T1189",
              "name": "Drive-by Compromise",
              "display_name": "T1189 - Drive-by Compromise"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1566.002",
              "name": "Spearphishing Link",
              "display_name": "T1566.002 - Spearphishing Link"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1063",
              "name": "Security Software Discovery",
              "display_name": "T1063 - Security Software Discovery"
            },
            {
              "id": "T1119",
              "name": "Automated Collection",
              "display_name": "T1119 - Automated Collection"
            },
            {
              "id": "T1589",
              "name": "Gather Victim Identity Information",
              "display_name": "T1589 - Gather Victim Identity Information"
            },
            {
              "id": "T1590",
              "name": "Gather Victim Network Information",
              "display_name": "T1590 - Gather Victim Network Information"
            },
            {
              "id": "T1591",
              "name": "Gather Victim Org Information",
              "display_name": "T1591 - Gather Victim Org Information"
            },
            {
              "id": "T1592",
              "name": "Gather Victim Host Information",
              "display_name": "T1592 - Gather Victim Host Information"
            },
            {
              "id": "T1210",
              "name": "Exploitation of Remote Services",
              "display_name": "T1210 - Exploitation of Remote Services"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1036.004",
              "name": "Masquerade Task or Service",
              "display_name": "T1036.004 - Masquerade Task or Service"
            },
            {
              "id": "T1444",
              "name": "Masquerade as Legitimate Application",
              "display_name": "T1444 - Masquerade as Legitimate Application"
            },
            {
              "id": "T1449",
              "name": "Exploit SS7 to Redirect Phone Calls/SMS",
              "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
            },
            {
              "id": "T1410",
              "name": "Network Traffic Capture or Redirection",
              "display_name": "T1410 - Network Traffic Capture or Redirection"
            },
            {
              "id": "T1598",
              "name": "Phishing for Information",
              "display_name": "T1598 - Phishing for Information"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "TA0011",
              "name": "Command and Control",
              "display_name": "TA0011 - Command and Control"
            },
            {
              "id": "T1068",
              "name": "Exploitation for Privilege Escalation",
              "display_name": "T1068 - Exploitation for Privilege Escalation"
            },
            {
              "id": "T1110",
              "name": "Brute Force",
              "display_name": "T1110 - Brute Force"
            },
            {
              "id": "T1005",
              "name": "Data from Local System",
              "display_name": "T1005 - Data from Local System"
            },
            {
              "id": "T1007",
              "name": "System Service Discovery",
              "display_name": "T1007 - System Service Discovery"
            },
            {
              "id": "T1010",
              "name": "Application Window Discovery",
              "display_name": "T1010 - Application Window Discovery"
            },
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1029",
              "name": "Scheduled Transfer",
              "display_name": "T1029 - Scheduled Transfer"
            },
            {
              "id": "T1033",
              "name": "System Owner/User Discovery",
              "display_name": "T1033 - System Owner/User Discovery"
            },
            {
              "id": "T1047",
              "name": "Windows Management Instrumentation",
              "display_name": "T1047 - Windows Management Instrumentation"
            },
            {
              "id": "T1049",
              "name": "System Network Connections Discovery",
              "display_name": "T1049 - System Network Connections Discovery"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1070",
              "name": "Indicator Removal on Host",
              "display_name": "T1070 - Indicator Removal on Host"
            },
            {
              "id": "T1074",
              "name": "Data Staged",
              "display_name": "T1074 - Data Staged"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1112",
              "name": "Modify Registry",
              "display_name": "T1112 - Modify Registry"
            },
            {
              "id": "T1114",
              "name": "Email Collection",
              "display_name": "T1114 - Email Collection"
            },
            {
              "id": "T1124",
              "name": "System Time Discovery",
              "display_name": "T1124 - System Time Discovery"
            },
            {
              "id": "T1132",
              "name": "Data Encoding",
              "display_name": "T1132 - Data Encoding"
            },
            {
              "id": "T1134",
              "name": "Access Token Manipulation",
              "display_name": "T1134 - Access Token Manipulation"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1213",
              "name": "Data from Information Repositories",
              "display_name": "T1213 - Data from Information Repositories"
            },
            {
              "id": "T1222",
              "name": "File and Directory Permissions Modification",
              "display_name": "T1222 - File and Directory Permissions Modification"
            },
            {
              "id": "T1486",
              "name": "Data Encrypted for Impact",
              "display_name": "T1486 - Data Encrypted for Impact"
            },
            {
              "id": "T1489",
              "name": "Service Stop",
              "display_name": "T1489 - Service Stop"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1529",
              "name": "System Shutdown/Reboot",
              "display_name": "T1529 - System Shutdown/Reboot"
            },
            {
              "id": "T1543",
              "name": "Create or Modify System Process",
              "display_name": "T1543 - Create or Modify System Process"
            },
            {
              "id": "T1546",
              "name": "Event Triggered Execution",
              "display_name": "T1546 - Event Triggered Execution"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1555",
              "name": "Credentials from Password Stores",
              "display_name": "T1555 - Credentials from Password Stores"
            },
            {
              "id": "T1559",
              "name": "Inter-Process Communication",
              "display_name": "T1559 - Inter-Process Communication"
            },
            {
              "id": "T1560",
              "name": "Archive Collected Data",
              "display_name": "T1560 - Archive Collected Data"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1564",
              "name": "Hide Artifacts",
              "display_name": "T1564 - Hide Artifacts"
            },
            {
              "id": "T1569",
              "name": "System Services",
              "display_name": "T1569 - System Services"
            },
            {
              "id": "T1570",
              "name": "Lateral Tool Transfer",
              "display_name": "T1570 - Lateral Tool Transfer"
            },
            {
              "id": "T1614",
              "name": "System Location Discovery",
              "display_name": "T1614 - System Location Discovery"
            },
            {
              "id": "T1569.002",
              "name": "Service Execution",
              "display_name": "T1569.002 - Service Execution"
            },
            {
              "id": "T1543.003",
              "name": "Windows Service",
              "display_name": "T1543.003 - Windows Service"
            },
            {
              "id": "T1546.015",
              "name": "Component Object Model Hijacking",
              "display_name": "T1546.015 - Component Object Model Hijacking"
            },
            {
              "id": "T1055.003",
              "name": "Thread Execution Hijacking",
              "display_name": "T1055.003 - Thread Execution Hijacking"
            },
            {
              "id": "T1134.001",
              "name": "Token Impersonation/Theft",
              "display_name": "T1134.001 - Token Impersonation/Theft"
            },
            {
              "id": "T1055.001",
              "name": "Dynamic-link Library Injection",
              "display_name": "T1055.001 - Dynamic-link Library Injection"
            },
            {
              "id": "T1134.002",
              "name": "Create Process with Token",
              "display_name": "T1134.002 - Create Process with Token"
            },
            {
              "id": "T1070.006",
              "name": "Timestomp",
              "display_name": "T1070.006 - Timestomp"
            },
            {
              "id": "T1564.003",
              "name": "Hidden Window",
              "display_name": "T1564.003 - Hidden Window"
            },
            {
              "id": "T1497.003",
              "name": "Time Based Evasion",
              "display_name": "T1497.003 - Time Based Evasion"
            },
            {
              "id": "T1562.001",
              "name": "Disable or Modify Tools",
              "display_name": "T1562.001 - Disable or Modify Tools"
            },
            {
              "id": "T1497.002",
              "name": "User Activity Based Checks",
              "display_name": "T1497.002 - User Activity Based Checks"
            },
            {
              "id": "T1070.004",
              "name": "File Deletion",
              "display_name": "T1070.004 - File Deletion"
            },
            {
              "id": "T1027.005",
              "name": "Indicator Removal from Tools",
              "display_name": "T1027.005 - Indicator Removal from Tools"
            },
            {
              "id": "T1518.001",
              "name": "Security Software Discovery",
              "display_name": "T1518.001 - Security Software Discovery"
            },
            {
              "id": "T1074.001",
              "name": "Local Data Staging",
              "display_name": "T1074.001 - Local Data Staging"
            },
            {
              "id": "T1560.002",
              "name": "Archive via Library",
              "display_name": "T1560.002 - Archive via Library"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1090",
              "name": "Proxy",
              "display_name": "T1090 - Proxy"
            }
          ],
          "industries": [
            "Civil Society",
            "Legal",
            "Government",
            "Technology",
            "Telecommunications",
            "Financial"
          ],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 6094,
            "domain": 1195,
            "hostname": 2001,
            "FileHash-SHA256": 2598,
            "FileHash-MD5": 546,
            "FileHash-SHA1": 403,
            "email": 16,
            "CVE": 2,
            "SSLCertFingerprint": 3
          },
          "indicator_count": 12858,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 143,
          "modified_text": "111 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68d486efb1561cbc62ce0ea4",
          "name": "gov[.]ab[.]ca - 09.24.25 (Partial DataBreach) - 1/?",
          "description": "Pages (1-40) from 1 clear-web database [osint] Queried searching for domain: gov[.]ab[.]ca on https://breach.vip/ \nFormat: email [username], password, domain [gov.ab.ca], addr1, 2, 3, alt_email",
          "modified": "2025-10-25T17:04:41.620000",
          "created": "2025-09-25T00:03:59.608000",
          "tags": [
            "gov ab",
            "data",
            "table list",
            "home",
            "click",
            "download images",
            "export table",
            "scroll",
            "show images",
            "filters",
            "st nw",
            "po box",
            "ave nw",
            "stn main",
            "fri may",
            "edmonton",
            "ave sw",
            "ave address2",
            "nw email",
            "st sw",
            "john",
            "sandy"
          ],
          "references": [
            "https://hastebin.ianhon.com/f924",
            "https://breach.vip/",
            "https://privatebin.io/?446c5fae2aa07658#4v99vCmn59DTqyKpyMMtufg353gLAPCCiqjY8w517FmX",
            "https://pastelink.net/6qvfef0z",
            "https://www.virustotal.com/gui/url/69eb15579321ffd2e6257988a39916ddd35011fd1e9883ea37a25b30f3e6a546?nocache=1",
            "https://www.filescan.io/uploads/68d5764174e5a289899354a8/reports/920dde9e-b8b4-498e-b585-17b82cd3bce4/ioc",
            "---",
            "http://hybrid-analysis.com/sample/a19e35e08a3c0a817a95352001afb0120ceac1dc4a7a170d5904790635699527/68d576f8428c2b0227052ce7",
            "http://hybrid-analysis.com/sample/a19e35e08a3c0a817a95352001afb0120ceac1dc4a7a170d5904790635699527",
            "https://metadefender.com/results/url/aHR0cHM6Ly9wYXN0ZWxpbmsubmV0LzZxdmZlZjB6",
            "https://polyswarm.network/scan/results/url/69eb15579321ffd2e6257988a39916ddd35011fd1e9883ea37a25b30f3e6a546",
            "https://opentip.kaspersky.com/https%3A%2F%2Fpastelink.net%2F6qvfef0z/?tab=lookup",
            "https://urlquery.net/report/939b4a1d-6403-4963-82ac-fe03cbb94afb"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Canada"
          ],
          "malware_families": [],
          "attack_ids": [],
          "industries": [
            "Government"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 1,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Disable_Duck",
            "id": "244325",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 226,
            "email": 10040,
            "FileHash-MD5": 98,
            "FileHash-SHA1": 213,
            "FileHash-SHA256": 57,
            "URL": 101,
            "hostname": 65,
            "SSLCertFingerprint": 16
          },
          "indicator_count": 10816,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 129,
          "modified_text": "219 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "688c76da7d23578a0dd22eb0",
          "name": "Phishing [310725]",
          "description": "Phishing domains and IP addresses that have been used to send malicious emails.",
          "modified": "2025-08-31T08:01:04.297000",
          "created": "2025-08-01T08:12:10.030000",
          "tags": [
            "arch-email",
            "attachments",
            "attc-html",
            "brand-microsoft",
            "loader",
            "malware",
            "obfuscated-js",
            "pdqconnect",
            "phishing",
            "phishing-ml",
            "phishing-url",
            "rmm-tool",
            "rust",
            "susp-attachments",
            "spearphishing",
            "malicious-domain",
            "[malicious-IP"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United Kingdom of Great Britain and Northern Ireland"
          ],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1193",
              "name": "Spearphishing Attachment",
              "display_name": "T1193 - Spearphishing Attachment"
            },
            {
              "id": "T1192",
              "name": "Spearphishing Link",
              "display_name": "T1192 - Spearphishing Link"
            },
            {
              "id": "T1194",
              "name": "Spearphishing via Service",
              "display_name": "T1194 - Spearphishing via Service"
            },
            {
              "id": "T1195",
              "name": "Supply Chain Compromise",
              "display_name": "T1195 - Supply Chain Compromise"
            },
            {
              "id": "T1566.003",
              "name": "Spearphishing via Service",
              "display_name": "T1566.003 - Spearphishing via Service"
            },
            {
              "id": "T1566.001",
              "name": "Spearphishing Attachment",
              "display_name": "T1566.001 - Spearphishing Attachment"
            }
          ],
          "industries": [
            "Government"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 18,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "FS13JKMK",
            "id": "312129",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_312129/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 79,
            "hostname": 69,
            "URL": 153,
            "FileHash-SHA256": 4,
            "email": 7
          },
          "indicator_count": 312,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 71,
          "modified_text": "274 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "67b2d9dcae1cec7a14f38773",
          "name": "Ti 84 Calculator Backlinks",
          "description": "Ti 84 Calculator Backlinks",
          "modified": "2025-02-17T06:40:28.665000",
          "created": "2025-02-17T06:40:28.665000",
          "tags": [
            "TI-84 calculator online",
            "TI-84 plus calculator",
            "free scientific calculator",
            "online math tools",
            "TI-84 calculator for students",
            "TI-84 online tool",
            "graphing calculator online",
            "online calculator for math",
            "scientific calculator free"
          ],
          "references": [
            "profile backlinks working ti84.csv"
          ],
          "public": 1,
          "adversary": "Ti 84 Calculator Backlinks",
          "targeted_countries": [
            "United States Minor Outlying Islands"
          ],
          "malware_families": [],
          "attack_ids": [],
          "industries": [
            "Education"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 4,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "ti84calculator",
            "id": "309228",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 34,
            "domain": 9,
            "hostname": 25
          },
          "indicator_count": 68,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 1,
          "modified_text": "469 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6619ca50dcb007c8ecfba36e",
          "name": "Active Malware samples detected on 2024-04-12",
          "description": "Some active Malware samples detected on 2024-04-12.  For our Enterprise Threat Data services, please visit https://malwarepatrol.net/ or contact us at commercial@malwarepatrol.net.",
          "modified": "2024-04-12T23:57:04.169000",
          "created": "2024-04-12T23:57:04.169000",
          "tags": [
            "malware"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 25,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "MalwarePatrol",
            "id": "5096",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_5096/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 4,
            "FileHash-MD5": 5,
            "FileHash-SHA1": 5
          },
          "indicator_count": 14,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 3471,
          "modified_text": "779 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "657091100e9f5aa6eb534fb4",
          "name": "vmt/geosite.dat at main \u00b7 wegare123/vmt \u00b7 GitHub -  brocaproject.com - hmmm  cert ca issue",
          "description": "",
          "modified": "2023-12-06T15:19:44.839000",
          "created": "2023-12-06T15:19:44.839000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 5,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "StreamMiningEx",
            "id": "262917",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 2410,
            "hostname": 3653,
            "domain": 2723,
            "URL": 442
          },
          "indicator_count": 9228,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 110,
          "modified_text": "908 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "62ef13ad6547ed183dba3f3c",
          "name": "vmt/geosite.dat at main \u00b7 wegare123/vmt \u00b7 GitHub -  brocaproject.com - hmmm  cert ca issue",
          "description": "see im reading that domain as bro ca project",
          "modified": "2022-08-07T01:21:49.761000",
          "created": "2022-08-07T01:21:49.761000",
          "tags": [
            "strong",
            "github",
            "jump",
            "github desktop",
            "sign",
            "iosrulescript",
            "quantumult",
            "boxjs",
            "chouchoui",
            "code issues",
            "contact",
            "star",
            "desktop",
            "stars",
            "footer",
            "view",
            "pull",
            "wiki security",
            "unicode",
            "copy",
            "wegare123vmt",
            "phoenix",
            "jquery",
            "discord",
            "ruby",
            "chinaz",
            "startpage"
          ],
          "references": [
            "geosite.dat.html",
            "https://github.com/blackmatrix7/ios_rule_script"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1010",
              "name": "Application Window Discovery",
              "display_name": "T1010 - Application Window Discovery"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 11,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "dorkingbeauty1",
            "id": "80137",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 2410,
            "hostname": 3653,
            "URL": 442,
            "domain": 2723
          },
          "indicator_count": 9228,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 395,
          "modified_text": "1394 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "",
        "https://vtbehaviour.commondatastorage.googleapis.com/d6a033eb92cc58314c55460d4b1b32befca63cd522f89bc3a09c7cf6477e67a9_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775984872&Signature=X7ut04viSpboUfiHbVbGH602vbGaavKO28%2FuQZ9YCLjbW%2Bl9JHGrffH4HHtGQ39GPFGg3uUwyMpuOewArLSuI0W%2F0SjlRr%2B3ob5iUQ8eckXWI47mIElQtuCwRStAGCclC8lI%2BsnrEI7u%2FvPhk16ucrMhQtHiSehYuWwNi1lQkbG3Y5ZoDqClBlw1uSMm1jm1Gpu1EBVSIeAqmbV33HSK%2FDTrwzhuwObiyOu4RKE9E7MOmj%2",
        "http://timestamp.sectigo.com/",
        "https://wallpapers-nature.com/ tsara-brashears/urlscan-io\t \u2022 wallpapers-nature.com",
        "https://vtbehaviour.commondatastorage.googleapis.com/f8959944c899789d1fa1a6de7c6818a37f237dd44f39e5301f755fddd64c9791_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775997612&Signature=l%2FoIF7cZSCGanh2IyxGroiq3YNwdCp9oVTfF02Zi7d4yp4LMuvnnLFWqVzfWbvIHB94EaU0ICQHP6MwgUb5Z4bF2OVcHxdHieB3iTKEX6sGurBIeKYNAPuakGTzCRv%2FSnZJHpZbsoH11i%2F%2BIwHQLGAKerBuNCuq%2FDi8tvVKCDiF9JQGxOYhQsjlzQJtUBiVEVnBTKbjIdeg9iAMES8qHj0eAglff6gxDk1t%2FU5HmKB1T",
        "tv.apple.com",
        "http://hybrid-analysis.com/sample/a19e35e08a3c0a817a95352001afb0120ceac1dc4a7a170d5904790635699527/68d576f8428c2b0227052ce7",
        "https://metadefender.com/results/url/aHR0cHM6Ly9wYXN0ZWxpbmsubmV0LzZxdmZlZjB6",
        "IDS : Commonly Abused File Sharing Site Domain Observed (sendspace .com in DNS Lookup)",
        "https://wallpapers-nature.com/%20tsara-brashears/urlscan-io \u2022",
        "http://hybrid-analysis.com/sample/a19e35e08a3c0a817a95352001afb0120ceac1dc4a7a170d5904790635699527",
        "https://vtbehaviour.commondatastorage.googleapis.com/5a28f4a80025385ca11cce22b13e5eed52999965afbe16cccbc5e7165c7a0ac9_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775276100&Signature=NczLfuk5dyPFskbtz7UwIjCT2DzeU5uAQP%2FL%2BC5bjk7Ng%2FHccJbUFWcb%2FqpvZaJ%2BWg4tg6aaPKihJzwDyiF7UaJOwdX3172ddwGJAfggvgpJ68YtVBE1nyhHAoFO6KsLL73DjNj58e8Uhq6Bcx4nXa86FETCR%2FzzXDlLDXyQSxf%2FKhG8zuxEsss9vRDCF%2B3TJGvJ5EmQ5HwGvk2ex9wf6H1FrBxEyx6BH5i6txcC9vMG9SXQ6eYR2p",
        "http://clients2.google.com/time/1/current?cup2key=8:JROu1MtiAi1ExACtDuYde399VG2TxRqflS_l7p_q0tU&cup2hreq=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855%0Ahttp://x1.c.lencr.org/%0Ahttp://c.pki.goog/r/r1.crl",
        "https://graph.facebook.com/v3.3/590584968016991/mobile_sdk_gk?fields=gatekeepers&format=json&sdk_version=5.0.0&sdk=android&platform=android",
        "http://clients2.google.com/time/1/current?cup2key=8:JROu1MtiAi1ExACtDuYde399VG2TxRqflS_l7p_q0tU&cup2hreq=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
        "https://vtbehaviour.commondatastorage.googleapis.com/5a28f4a80025385ca11cce22b13e5eed52999965afbe16cccbc5e7165c7a0ac9_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775276177&Signature=iO1RoMLTZsC3s7nBZ8wieXl6wwWrnnCqu%2F5pXBAa2Luk2wKtKTXUyyZEOOhqaCFNbUPjsIfY1v0KxEBxzkumSiDs3XXBs%2FYt49goHGNudddQOKcmLsjbT2GhALTnmmVvl79aLJaLwnMe9B7PkJpSTGuBrutOjF5VJ0yofcbM4XjQQlOIkc8WWi94WMVxXpWAjFK9D5zmoyn9G5w1TahDZjePP%2FfkKNpJe2OqRQ59iXyHcG1nvA%2FUIx",
        "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net",
        "https://hastebin.ianhon.com/f924",
        "https://pastelink.net/6qvfef0z",
        "---",
        "Google_Chrome_64bit_v136.0.7103.49.exe",
        "https://wallpapers-nature.com/tsara-brashears/urlscan-io",
        "https://polyswarm.network/scan/results/url/69eb15579321ffd2e6257988a39916ddd35011fd1e9883ea37a25b30f3e6a546",
        "https://vtbehaviour.commondatastorage.googleapis.com/f8959944c899789d1fa1a6de7c6818a37f237dd44f39e5301f755fddd64c9791_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775997378&Signature=KsJYbpoN6hteGv0hQe%2B7MgknKi2y7G9y%2Bv0JJZqMcuUdnf3gyNBPBzyKTVuoWOtaG8ix3%2BctGPzbrSe5UI3cg4Z0gK%2B6X75apikmjWPqBKofhIc5BqSpHspjoDYtiKLxroPreiitG4QqViG8yPq7ZCkMLfT71MSIE9dJ9XhV4fO2MSLHJA0qzdykwolGgi0i5r12p1nNsE1eHXJY0HwJl%2Fqka%2FKRtekjeEG1K1qHo6QJlzKhiCRubQwgU7",
        "https://vtbehaviour.commondatastorage.googleapis.com/26b3bfa810cd37fe4046221ab2269b360e9a6c51961db6fd95e7499e2d76d544_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775997821&Signature=IjR3qiuvOqpJ0ChD%2FQ%2B0QKlCAsWejT6Ei8KIh27ZO2t%2BnO1oDrCrR7D3x3lf6xKLr93CFw7bU1IUQONv3WbJ%2BJ0oyQ0yhyalr5VTTy1mHEphjCvObM%2B8PPv6o5cjYXYDpKVcQjBFrkgGvJxrleE5kQvx6irIRcFMTUdnDVuNEcV6sALKN3oYRo%2B%2Fvk7TA%2FfAVTtpBhUfsC4dvVAJnRQgBC4gEzEYuZN3oaDzlYUCoghsW5",
        "https://vtbehaviour.commondatastorage.googleapis.com/3aefe8dfb9c99f3a84f5f74b15afeaeca682c8c50f18fa59b2e0b06da9619f1d_SecondWrite.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775998118&Signature=oZItRZYU06S7GWIVhygTK0XUPoeDlmpVWee4ri8K1nSYOFjKP7WjYTzw03EoC6pzqFjdjNKm2lQytBKbv%2BcMJT%2F%2BWZ7nF71PUUmExKgSsvfD6PXKzUcX8vuHnJwcu3NlTOuhNKNfed2iOEAGybINfsgUO6DFzlTsGd51hjV3I%2BT4t%2FTn1aszBeDzRu01gkhvTI5%2BmXmxZfhYmVTFVADNEociZ8DSGmafzUamrXrSTRcAurmFTNmC4",
        "Antivirus Detections: Win.Trojan.Gamarue-9832405-0 ,  Trojan:Win32/Pariham.A",
        "https://www.google-analytics.com/analytics.js",
        "https://vtbehaviour.commondatastorage.googleapis.com/f8959944c899789d1fa1a6de7c6818a37f237dd44f39e5301f755fddd64c9791_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775998043&Signature=atj43IFZmS1xhCQtPEtGr1gjAzp5YJ5SAqKqPXrExtpioezLoyIJKw91Cc1EPO9Ff86CNaeS%2BNKNidgGEvFkAFNQpY8CEvbl7dcNVj3FUVUS3ybBoI8xLShMhwUy%2F0aYbXdMfYG3KdE%2FXDvt56Et6LjAj6N0lh1mp0m48Zz2hNTlghpHTSGlP3SY1VjfKxBYwh%2BWAJOSrHiXvzeVhuN5Qj6JWU%2FLg824mJRsUPe7iyNe2u",
        "Matches rule ET INFO Observed Google DNS over HTTPS Domain (dns google in TLS SNI)",
        "IDS: Commonly Abused File Sharing Site Domain Observed (sendspace .com in TLS SNI)",
        "https://vtbehaviour.commondatastorage.googleapis.com/5a28f4a80025385ca11cce22b13e5eed52999965afbe16cccbc5e7165c7a0ac9_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775277214&Signature=y3%2FkmodrmzpLTVDtkzYvlqSkUTQ8Tri%2FDiLIqIpCBmJ6%2Bwk5p%2FJDSAwE5V8Wdp0vWLWjfA4DvRyS%2FvmNV4kFOr422iVZH2Ap2evf8%2Bq2bp9CW%2BAuBCjgz9K329V4%2B%2B9duUsUhVBqZ%2BNKz%2Fj4z7ZDBI%2BjqPV8XjvTI7pXAfzknmFAfZU%2FjalCNigHCX%2FIOgymeTOfzSOLYLClpNTr%2BYle8VSI%2BHf9TgUWP2WgNF",
        "IDS: TLS Handshake Failure",
        "https://download.filepuma.com/files/web-browsers/google-chrome-64bit-/Google_Chrome_",
        "https://vtbehaviour.commondatastorage.googleapis.com/3aefe8dfb9c99f3a84f5f74b15afeaeca682c8c50f18fa59b2e0b06da9619f1d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775998463&Signature=qYYMHcxIAT2xuxsg%2F5YbX%2B0y0xuq1Bdd9afbiFWSZHWHsm16y4KPWqE8YDY6heMDu8H6K1bmLZjUn59Bei5cJgnVJtX4Qv6%2FJ9i%2FJXNS6kxDf5xDJvv%2FF%2FcK%2FVKyZS%2BVYzAwJ2OLrXxw4BNVIrT4nxtE34M2lc%2FjwH6H%2FLWNBighCC1k8cvWNbNJkBtGmfWtAfK%2FueAgi5glMRbAmq7xAC5XJGlhgUzo%2Fu2U9N",
        "Der Zugriff\u2022 Kanna \u2022 MyDoom \u2022 Sigur",
        "https://privatebin.io/?446c5fae2aa07658#4v99vCmn59DTqyKpyMMtufg353gLAPCCiqjY8w517FmX",
        "https://pegasus.pahamify.com/ \u2022 pahamify.com \u2022 pegasus.pahamify.com \u2022 activation.pahamify.com \u2022 httpspegasus.pahamify.com",
        "https://breach.vip/",
        "https://github.com/blackmatrix7/ios_rule_script",
        "https://vtbehaviour.commondatastorage.googleapis.com/f8959944c899789d1fa1a6de7c6818a37f237dd44f39e5301f755fddd64c9791_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775997952&Signature=Pc%2FXTIxysZhpywMxwwW%2BrBcX9VHIrYH%2BL3sUsVHUCm1TUbCCtQe7ZIpfTtqIl%2FWLsaehPWv%2FBt4Q6PbZH1IFYbFrKet6C2NOwwOh9WtZQ0cak9wRRun6IjZTU33hWBk4GyEAh%2FpE5nF4ND%2BQSOQuZ5DiMtHeXRlWjRI6KwJ8ApdtNpccNlYGYGKmqj%2BLK7CZTI%2FmpO8GkbS2UkwUwBa6TFoYFvBiQ5SHdRUJ2MT7t3RzWvn8hGyb",
        "https://www.virustotal.com/gui/url/69eb15579321ffd2e6257988a39916ddd35011fd1e9883ea37a25b30f3e6a546?nocache=1",
        "https://www.filescan.io/uploads/68d5764174e5a289899354a8/reports/920dde9e-b8b4-498e-b585-17b82cd3bce4/ioc",
        "profile backlinks working ti84.csv",
        "https://vtbehaviour.commondatastorage.googleapis.com/d6a033eb92cc58314c55460d4b1b32befca63cd522f89bc3a09c7cf6477e67a9_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775984910&Signature=hjdKVB1Hclv%2FNw7qh%2FV50rCooI70BC8NJcq77KWRUu6VAlxs8vV%2FWfNLh9VzjKS2pBgR7wAaaDp6GwPof61nS4TwykWgUO%2FavR45JKGxhUsjhYKLE5VQoAZkh13wvx1nTVwH%2FP6fx71mJlF71bDqJe7pjpKdd3jyGRDGC6ksN3fMJ%2FRVnusGPDwzZXpy9F6CUYZ1tT9xuK7k3zz9xdIV5e0noQ9s7P343Ca7ROLOUhs9",
        "geosite.dat.html",
        "https://hybrid-analysis.com/sample/e4306740e79c65c90242aef93fceeb93fa6da74577570c7b4a04399879349c37/696298b7667c4a112d04eac7",
        "Yara Detections BackdoorWin32Simda",
        "dashboard-proxy-sc-ncus-j7ynx.falcon- core.microsoft-falcon.net",
        "Pahamify Pegasus",
        "https://opentip.kaspersky.com/https%3A%2F%2Fpastelink.net%2F6qvfef0z/?tab=lookup",
        "https://urlquery.net/report/939b4a1d-6403-4963-82ac-fe03cbb94afb",
        "https://4.base.maps.ls.hereapi.com/maptile/2.1/maptile/newest/normal.day.mobile/{z}/{x}/{y}/256/PNG8?apiKey=wzEuHW02YdaEjU0Em-SwWQBtxbfF86-OfUuq1z93NI4",
        "https://vtbehaviour.commondatastorage.googleapis.com/028e16744de653383b403efd4b755075deeb7d8ce264d7edd4615725e5b4c4c6_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775277967&Signature=oSvtx7eGCctItNKSDZN4tpJp11yn5QQjCHsLi45z7kUOa9nbuhPdVjh9gBKlXtNuGfXbpItYf6NFI%2B4pKCin266TJQP7FzDSnUzzziJTuqmZwxihDeoZ1RauqVOzGoAmrj9sG8nOYXqbOHNxQ3E6SugSzW3UFbyQJzfKt%2FsqsPsKAvl4su%2FlkWsqTHUR%2FT%2FLTTQV0ZXLwnrLv%2FdBA7DdsiE35g%2FPOiUdzJjkjhSILF%2BR"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": []
        },
        "other": {
          "adversary": [
            "Ti 84 Calculator Backlinks"
          ],
          "malware_families": [
            "Der zugriff",
            "Mydoom",
            "Kanna",
            "Virus:win95/cerebrus",
            "Sigur",
            "Autorunit",
            "Trojan:win32/pariham.a"
          ],
          "industries": [
            "Telecommunications",
            "Government",
            "Legal",
            "Education",
            "Financial",
            "Civil society",
            "Technology"
          ]
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 13,
  "pulses": [
    {
      "id": "69db956f031caeb41837fe82",
      "name": "VirusTotal report\n                    for Digi-Loader-1-exe-Download-Added-TOP.pdf",
      "description": "<The full text of the full file of Adobe's Acrobat 2, which was released on Tuesday, has now been published on the website of Adobe, the firm's parent company, Adobe.> A collection from U or Oreg. - thanks to the tipster. While the dates askew from cert. abuse the overall Month/day appear aligned, however the diff year predated to invalid certs (suspect- more than a theory). Interesting, research subjects pii on pdx flight aligns.\nConsistent \"Research time signed outside timestamp\" burden of proof has been met, goodnight. \nSecond Write- Can read a malicious pdf docs quicker than anyone. Thank you Second Write Sandbox",
      "modified": "2026-05-12T14:28:43.689000",
      "created": "2026-04-12T12:51:59.240000",
      "tags": [
        "file type",
        "united",
        "json",
        "com executable",
        "network info",
        "malicious",
        "urls",
        "t1055 process",
        "ascii",
        "mitre attack",
        "phishing",
        "next",
        "windows sandbox",
        "calls process",
        "foxpro fpt",
        "links file",
        "152 x",
        "sqlite version",
        "utf8",
        "sqlite rollback",
        "default",
        "file size",
        "mwdb",
        "bazaar",
        "sha3384",
        "ssdeep",
        "strong",
        "library",
        "win1",
        "cultureneutral",
        "accept",
        "shutdown",
        "back",
        "msie",
        "windows nt",
        "wow64",
        "slcc2",
        "media center",
        "get http",
        "type annot",
        "subtype link",
        "rect",
        "stream",
        "xport",
        "possible",
        "matrix",
        "packer",
        "strings",
        "enterprise",
        "sandbox",
        "title",
        "core",
        "agent",
        "snort",
        "context",
        "destination ip",
        "http requests",
        "dns resolutions",
        "acrongl integ",
        "adc4240758",
        "sha1",
        "potential pdx intersect",
        "spellbound. librarian things"
      ],
      "references": [
        "https://vtbehaviour.commondatastorage.googleapis.com/f8959944c899789d1fa1a6de7c6818a37f237dd44f39e5301f755fddd64c9791_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775997378&Signature=KsJYbpoN6hteGv0hQe%2B7MgknKi2y7G9y%2Bv0JJZqMcuUdnf3gyNBPBzyKTVuoWOtaG8ix3%2BctGPzbrSe5UI3cg4Z0gK%2B6X75apikmjWPqBKofhIc5BqSpHspjoDYtiKLxroPreiitG4QqViG8yPq7ZCkMLfT71MSIE9dJ9XhV4fO2MSLHJA0qzdykwolGgi0i5r12p1nNsE1eHXJY0HwJl%2Fqka%2FKRtekjeEG1K1qHo6QJlzKhiCRubQwgU7",
        "https://vtbehaviour.commondatastorage.googleapis.com/f8959944c899789d1fa1a6de7c6818a37f237dd44f39e5301f755fddd64c9791_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775997612&Signature=l%2FoIF7cZSCGanh2IyxGroiq3YNwdCp9oVTfF02Zi7d4yp4LMuvnnLFWqVzfWbvIHB94EaU0ICQHP6MwgUb5Z4bF2OVcHxdHieB3iTKEX6sGurBIeKYNAPuakGTzCRv%2FSnZJHpZbsoH11i%2F%2BIwHQLGAKerBuNCuq%2FDi8tvVKCDiF9JQGxOYhQsjlzQJtUBiVEVnBTKbjIdeg9iAMES8qHj0eAglff6gxDk1t%2FU5HmKB1T",
        "https://vtbehaviour.commondatastorage.googleapis.com/26b3bfa810cd37fe4046221ab2269b360e9a6c51961db6fd95e7499e2d76d544_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775997821&Signature=IjR3qiuvOqpJ0ChD%2FQ%2B0QKlCAsWejT6Ei8KIh27ZO2t%2BnO1oDrCrR7D3x3lf6xKLr93CFw7bU1IUQONv3WbJ%2BJ0oyQ0yhyalr5VTTy1mHEphjCvObM%2B8PPv6o5cjYXYDpKVcQjBFrkgGvJxrleE5kQvx6irIRcFMTUdnDVuNEcV6sALKN3oYRo%2B%2Fvk7TA%2FfAVTtpBhUfsC4dvVAJnRQgBC4gEzEYuZN3oaDzlYUCoghsW5",
        "https://vtbehaviour.commondatastorage.googleapis.com/f8959944c899789d1fa1a6de7c6818a37f237dd44f39e5301f755fddd64c9791_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775997952&Signature=Pc%2FXTIxysZhpywMxwwW%2BrBcX9VHIrYH%2BL3sUsVHUCm1TUbCCtQe7ZIpfTtqIl%2FWLsaehPWv%2FBt4Q6PbZH1IFYbFrKet6C2NOwwOh9WtZQ0cak9wRRun6IjZTU33hWBk4GyEAh%2FpE5nF4ND%2BQSOQuZ5DiMtHeXRlWjRI6KwJ8ApdtNpccNlYGYGKmqj%2BLK7CZTI%2FmpO8GkbS2UkwUwBa6TFoYFvBiQ5SHdRUJ2MT7t3RzWvn8hGyb",
        "https://vtbehaviour.commondatastorage.googleapis.com/f8959944c899789d1fa1a6de7c6818a37f237dd44f39e5301f755fddd64c9791_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775998043&Signature=atj43IFZmS1xhCQtPEtGr1gjAzp5YJ5SAqKqPXrExtpioezLoyIJKw91Cc1EPO9Ff86CNaeS%2BNKNidgGEvFkAFNQpY8CEvbl7dcNVj3FUVUS3ybBoI8xLShMhwUy%2F0aYbXdMfYG3KdE%2FXDvt56Et6LjAj6N0lh1mp0m48Zz2hNTlghpHTSGlP3SY1VjfKxBYwh%2BWAJOSrHiXvzeVhuN5Qj6JWU%2FLg824mJRsUPe7iyNe2u",
        "https://vtbehaviour.commondatastorage.googleapis.com/3aefe8dfb9c99f3a84f5f74b15afeaeca682c8c50f18fa59b2e0b06da9619f1d_SecondWrite.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775998118&Signature=oZItRZYU06S7GWIVhygTK0XUPoeDlmpVWee4ri8K1nSYOFjKP7WjYTzw03EoC6pzqFjdjNKm2lQytBKbv%2BcMJT%2F%2BWZ7nF71PUUmExKgSsvfD6PXKzUcX8vuHnJwcu3NlTOuhNKNfed2iOEAGybINfsgUO6DFzlTsGd51hjV3I%2BT4t%2FTn1aszBeDzRu01gkhvTI5%2BmXmxZfhYmVTFVADNEociZ8DSGmafzUamrXrSTRcAurmFTNmC4",
        "https://vtbehaviour.commondatastorage.googleapis.com/3aefe8dfb9c99f3a84f5f74b15afeaeca682c8c50f18fa59b2e0b06da9619f1d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775998463&Signature=qYYMHcxIAT2xuxsg%2F5YbX%2B0y0xuq1Bdd9afbiFWSZHWHsm16y4KPWqE8YDY6heMDu8H6K1bmLZjUn59Bei5cJgnVJtX4Qv6%2FJ9i%2FJXNS6kxDf5xDJvv%2FF%2FcK%2FVKyZS%2BVYzAwJ2OLrXxw4BNVIrT4nxtE34M2lc%2FjwH6H%2FLWNBighCC1k8cvWNbNJkBtGmfWtAfK%2FueAgi5glMRbAmq7xAC5XJGlhgUzo%2Fu2U9N",
        ""
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1003",
          "name": "OS Credential Dumping",
          "display_name": "T1003 - OS Credential Dumping"
        },
        {
          "id": "T1012",
          "name": "Query Registry",
          "display_name": "T1012 - Query Registry"
        },
        {
          "id": "T1014",
          "name": "Rootkit",
          "display_name": "T1014 - Rootkit"
        },
        {
          "id": "T1047",
          "name": "Windows Management Instrumentation",
          "display_name": "T1047 - Windows Management Instrumentation"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1203",
          "name": "Exploitation for Client Execution",
          "display_name": "T1203 - Exploitation for Client Execution"
        },
        {
          "id": "T1485",
          "name": "Data Destruction",
          "display_name": "T1485 - Data Destruction"
        },
        {
          "id": "T1496",
          "name": "Resource Hijacking",
          "display_name": "T1496 - Resource Hijacking"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1542",
          "name": "Pre-OS Boot",
          "display_name": "T1542 - Pre-OS Boot"
        },
        {
          "id": "T1548",
          "name": "Abuse Elevation Control Mechanism",
          "display_name": "T1548 - Abuse Elevation Control Mechanism"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        },
        {
          "id": "T1564",
          "name": "Hide Artifacts",
          "display_name": "T1564 - Hide Artifacts"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 458,
        "FileHash-MD5": 575,
        "FileHash-SHA1": 478,
        "FileHash-SHA256": 1401,
        "domain": 96,
        "hostname": 235,
        "email": 6,
        "CVE": 3
      },
      "indicator_count": 3252,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 67,
      "modified_text": "20 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69db609269c77812f937026e",
      "name": "CAPE Sandbox ----- emulex fc 2.72.011.002-3",
      "description": "emulex fc 2.72.011.002-3, Malware Behavior Catalog Tree\nAnti-Behavioral Analysis\nOB0001\nVirtual Machine Detection\nB0009\nSoftware Packing\nF0001\nAnti-Static Analysis\nOB0002\nSoftware Packing\nF0001\nDefense Evasion\nOB0006\nSoftware Packing\nF0001\nDiscovery\nOB0007\nFile and Directory Discovery\nE1083\nExecution\nOB0009\nCommand and Scripting Interpreter\nE1059\nFile System\nOC0001\nDelete File\nC0047\nGet File Attributes\nC0049\nSet File Attributes\nC0050\nRead File\nC0051\nWrites File\nC0052\nProcess\nOC0003\nTerminate Process\nC0018\nCommunication\nOC0006\nHTTP Communication\nC0002\n\nWho are you protecting? Look at your root certificate map to 2018-19. Im not mad, I am just disappointed in the lack of cyber security awareness and cryptographic failures. If I see one more unsigned DNSSEC. Edge node completely exposed. Maybe let CISA and the NSA handle things since they are competent. unknown agency- #burnedyourowncountry.\nPalo Alto, level blue, falcon sandbox, cape, yomi, sec, arc- you are heroes for picking up malware that evades everything.",
      "modified": "2026-05-12T12:15:01.636000",
      "created": "2026-04-12T09:06:26.754000",
      "tags": [
        "hbanyware",
        "hbas",
        "true",
        "reportlocation",
        "programfiles",
        "command line",
        "enable silent",
        "mode",
        "full",
        "local only",
        "false",
        "path",
        "example",
        "windows sandbox",
        "clear filters",
        "show",
        "fibre channel",
        "emulex fibre",
        "emulex network",
        "fibre chann",
        "host b",
        "network",
        "emulex",
        "network cards",
        "find",
        "UNITED STATES SENT.",
        "Still love USA.",
        "bankers doc",
        "ESign Violation",
        "cyber warfare",
        "Fraud",
        "pdfkit.net",
        "CIVIL rights violation",
        "geofence",
        "whistleblower",
        "adobe exploited from unsafe practices",
        "certificate abuse",
        "wiper",
        "Docusign exploited from unsafe practices",
        "abuse",
        "modification of the record",
        "date changes",
        "deleting evidence",
        "wateringholeleftwideopen#RiskManagementKnowledgeDeficient",
        "firmware neutral",
        "fraud",
        "espionage",
        "Iloveyou.txt",
        "APTnull.",
        "PlutoniumoftheInternet",
        "apiabuse",
        "Put Zen at risk",
        "Microsoft exploited from misuse of power and secure protocols",
        "Spyonyourinternalframework.",
        "fsquirt.[exe]",
        "bluetooth tampering",
        "wormhole",
        "backdoor",
        "GITlikeMITbutSouth",
        "pool",
        "CloseDoorsProper",
        "spellbound.[exe]",
        "Wizard",
        "GUI of Bluetooth File Transfer Wizard",
        "<fsquirt",
        "Silkwood",
        "RF's, EMF's, EF's - beyond reasonable measure",
        "lateral moving world wide higher ed warrants further research, G",
        "emulex fc 2.72.011.002-3"
      ],
      "references": [
        "https://vtbehaviour.commondatastorage.googleapis.com/d6a033eb92cc58314c55460d4b1b32befca63cd522f89bc3a09c7cf6477e67a9_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775984872&Signature=X7ut04viSpboUfiHbVbGH602vbGaavKO28%2FuQZ9YCLjbW%2Bl9JHGrffH4HHtGQ39GPFGg3uUwyMpuOewArLSuI0W%2F0SjlRr%2B3ob5iUQ8eckXWI47mIElQtuCwRStAGCclC8lI%2BsnrEI7u%2FvPhk16ucrMhQtHiSehYuWwNi1lQkbG3Y5ZoDqClBlw1uSMm1jm1Gpu1EBVSIeAqmbV33HSK%2FDTrwzhuwObiyOu4RKE9E7MOmj%2",
        "https://vtbehaviour.commondatastorage.googleapis.com/d6a033eb92cc58314c55460d4b1b32befca63cd522f89bc3a09c7cf6477e67a9_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775984910&Signature=hjdKVB1Hclv%2FNw7qh%2FV50rCooI70BC8NJcq77KWRUu6VAlxs8vV%2FWfNLh9VzjKS2pBgR7wAaaDp6GwPof61nS4TwykWgUO%2FavR45JKGxhUsjhYKLE5VQoAZkh13wvx1nTVwH%2FP6fx71mJlF71bDqJe7pjpKdd3jyGRDGC6ksN3fMJ%2FRVnusGPDwzZXpy9F6CUYZ1tT9xuK7k3zz9xdIV5e0noQ9s7P343Ca7ROLOUhs9"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1539",
          "name": "Steal Web Session Cookie",
          "display_name": "T1539 - Steal Web Session Cookie"
        },
        {
          "id": "T1548",
          "name": "Abuse Elevation Control Mechanism",
          "display_name": "T1548 - Abuse Elevation Control Mechanism"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 2,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 771,
        "FileHash-SHA1": 836,
        "FileHash-SHA256": 2524,
        "URL": 810,
        "domain": 764,
        "email": 112,
        "hostname": 2635,
        "URI": 3,
        "CVE": 7,
        "CIDR": 12,
        "JA3": 1
      },
      "indicator_count": 8475,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 69,
      "modified_text": "20 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69d096edd596a1a9e9a0aa92",
      "name": "VirusTotal report\n                    for index.html",
      "description": "The full name of the German domain registrar: COFFEEDESIGNCODE.com, or coffeedesign code, has been published.. and it is not yet known.",
      "modified": "2026-05-04T04:03:27.972000",
      "created": "2026-04-04T04:43:25.258000",
      "tags": [
        "date",
        "server",
        "registrar abuse",
        "registrant name",
        "expiration date",
        "registry domain",
        "registrar iana",
        "registrar url",
        "registrant city",
        "ag registrant",
        "thumbprint",
        "html document",
        "unicode text",
        "utf8 text",
        "title microsoft",
        "ms05019",
        "none",
        "docs",
        "betafred ms",
        "content tocrel",
        "conceptual",
        "performs dns",
        "https",
        "file type",
        "tls version",
        "mitre attack",
        "network info",
        "urls",
        "t1055 process",
        "layer protocol",
        "united",
        "phishing",
        "malicious",
        "next",
        "cache entry",
        "chrome cache",
        "entry",
        "extra info",
        "process",
        "nothing",
        "registry keys",
        "mutexes nothing",
        "data",
        "datacrashpad",
        "edge",
        "created",
        "parent pid",
        "full path",
        "command line",
        "status code",
        "ssl certificates",
        "tls certificates",
        "website security",
        "signtool",
        "sectigo",
        "microsoft",
        "signtool let",
        "web site",
        "rsasha256",
        "rsasha384",
        "rsasha512",
        "signcode",
        "ssl certificate",
        "logo",
        "sxa0",
        "object",
        "regexp",
        "null",
        "tdfunction",
        "ddfunction",
        "array",
        "string",
        "dfunction",
        "iana id",
        "contact phone",
        "dnssec",
        "domain status",
        "registrar whois",
        "registrar",
        "language",
        "html internet",
        "doctype",
        "learn",
        "seomatic og",
        "timestamp",
        "sectigo ssl",
        "sectigo og",
        "sectigohq og",
        "utf8",
        "crlf line",
        "text",
        "ipxw1920",
        "fwebp",
        "win32 exe",
        "pe32",
        "ms windows",
        "win16 ne",
        "icons library",
        "os2 executable",
        "generic windos",
        "executable",
        "pe64 compiler",
        "sha256",
        "pc bitmap",
        "windows bitmap",
        "bitmap",
        "zip archive",
        "text text",
        "ascii text",
        "has permission",
        "reads",
        "accesses",
        "found",
        "t1413 access",
        "sensitive data",
        "device logs",
        "persistence",
        "fraud",
        "cloud"
      ],
      "references": [
        "http://clients2.google.com/time/1/current?cup2key=8:JROu1MtiAi1ExACtDuYde399VG2TxRqflS_l7p_q0tU&cup2hreq=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855%0Ahttp://x1.c.lencr.org/%0Ahttp://c.pki.goog/r/r1.crl",
        "https://vtbehaviour.commondatastorage.googleapis.com/5a28f4a80025385ca11cce22b13e5eed52999965afbe16cccbc5e7165c7a0ac9_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775276100&Signature=NczLfuk5dyPFskbtz7UwIjCT2DzeU5uAQP%2FL%2BC5bjk7Ng%2FHccJbUFWcb%2FqpvZaJ%2BWg4tg6aaPKihJzwDyiF7UaJOwdX3172ddwGJAfggvgpJ68YtVBE1nyhHAoFO6KsLL73DjNj58e8Uhq6Bcx4nXa86FETCR%2FzzXDlLDXyQSxf%2FKhG8zuxEsss9vRDCF%2B3TJGvJ5EmQ5HwGvk2ex9wf6H1FrBxEyx6BH5i6txcC9vMG9SXQ6eYR2p",
        "https://vtbehaviour.commondatastorage.googleapis.com/5a28f4a80025385ca11cce22b13e5eed52999965afbe16cccbc5e7165c7a0ac9_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775276177&Signature=iO1RoMLTZsC3s7nBZ8wieXl6wwWrnnCqu%2F5pXBAa2Luk2wKtKTXUyyZEOOhqaCFNbUPjsIfY1v0KxEBxzkumSiDs3XXBs%2FYt49goHGNudddQOKcmLsjbT2GhALTnmmVvl79aLJaLwnMe9B7PkJpSTGuBrutOjF5VJ0yofcbM4XjQQlOIkc8WWi94WMVxXpWAjFK9D5zmoyn9G5w1TahDZjePP%2FfkKNpJe2OqRQ59iXyHcG1nvA%2FUIx",
        "http://timestamp.sectigo.com/",
        "https://www.google-analytics.com/analytics.js",
        "http://clients2.google.com/time/1/current?cup2key=8:JROu1MtiAi1ExACtDuYde399VG2TxRqflS_l7p_q0tU&cup2hreq=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
        "https://vtbehaviour.commondatastorage.googleapis.com/5a28f4a80025385ca11cce22b13e5eed52999965afbe16cccbc5e7165c7a0ac9_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775277214&Signature=y3%2FkmodrmzpLTVDtkzYvlqSkUTQ8Tri%2FDiLIqIpCBmJ6%2Bwk5p%2FJDSAwE5V8Wdp0vWLWjfA4DvRyS%2FvmNV4kFOr422iVZH2Ap2evf8%2Bq2bp9CW%2BAuBCjgz9K329V4%2B%2B9duUsUhVBqZ%2BNKz%2Fj4z7ZDBI%2BjqPV8XjvTI7pXAfzknmFAfZU%2FjalCNigHCX%2FIOgymeTOfzSOLYLClpNTr%2BYle8VSI%2BHf9TgUWP2WgNF",
        "https://vtbehaviour.commondatastorage.googleapis.com/028e16744de653383b403efd4b755075deeb7d8ce264d7edd4615725e5b4c4c6_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775277967&Signature=oSvtx7eGCctItNKSDZN4tpJp11yn5QQjCHsLi45z7kUOa9nbuhPdVjh9gBKlXtNuGfXbpItYf6NFI%2B4pKCin266TJQP7FzDSnUzzziJTuqmZwxihDeoZ1RauqVOzGoAmrj9sG8nOYXqbOHNxQ3E6SugSzW3UFbyQJzfKt%2FsqsPsKAvl4su%2FlkWsqTHUR%2FT%2FLTTQV0ZXLwnrLv%2FdBA7DdsiE35g%2FPOiUdzJjkjhSILF%2BR"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1070",
          "name": "Indicator Removal on Host",
          "display_name": "T1070 - Indicator Removal on Host"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1095",
          "name": "Non-Application Layer Protocol",
          "display_name": "T1095 - Non-Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1560",
          "name": "Archive Collected Data",
          "display_name": "T1560 - Archive Collected Data"
        },
        {
          "id": "T1406",
          "name": "Obfuscated Files or Information",
          "display_name": "T1406 - Obfuscated Files or Information"
        },
        {
          "id": "T1409",
          "name": "Access Stored Application Data",
          "display_name": "T1409 - Access Stored Application Data"
        },
        {
          "id": "T1413",
          "name": "Access Sensitive Data in Device Logs",
          "display_name": "T1413 - Access Sensitive Data in Device Logs"
        },
        {
          "id": "T1421",
          "name": "System Network Connections Discovery",
          "display_name": "T1421 - System Network Connections Discovery"
        },
        {
          "id": "T1424",
          "name": "Process Discovery",
          "display_name": "T1424 - Process Discovery"
        },
        {
          "id": "T1426",
          "name": "System Information Discovery",
          "display_name": "T1426 - System Information Discovery"
        },
        {
          "id": "T1429",
          "name": "Capture Audio",
          "display_name": "T1429 - Capture Audio"
        },
        {
          "id": "T1430",
          "name": "Location Tracking",
          "display_name": "T1430 - Location Tracking"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 50,
        "email": 2,
        "hostname": 196,
        "FileHash-SHA1": 51,
        "URL": 234,
        "FileHash-MD5": 54,
        "FileHash-SHA256": 715
      },
      "indicator_count": 1302,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 67,
      "modified_text": "28 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69d096edff67896dccb36a4d",
      "name": "VirusTotal report\n                    for index.html",
      "description": "The full name of the German domain registrar: COFFEEDESIGNCODE.com, or coffeedesign code, has been published.. and it is not yet known.",
      "modified": "2026-05-04T04:03:27.972000",
      "created": "2026-04-04T04:43:25.967000",
      "tags": [
        "date",
        "server",
        "registrar abuse",
        "registrant name",
        "expiration date",
        "registry domain",
        "registrar iana",
        "registrar url",
        "registrant city",
        "ag registrant",
        "thumbprint",
        "html document",
        "unicode text",
        "utf8 text",
        "title microsoft",
        "ms05019",
        "none",
        "docs",
        "betafred ms",
        "content tocrel",
        "conceptual",
        "performs dns",
        "https",
        "file type",
        "tls version",
        "mitre attack",
        "network info",
        "urls",
        "t1055 process",
        "layer protocol",
        "united",
        "phishing",
        "malicious",
        "next",
        "cache entry",
        "chrome cache",
        "entry",
        "extra info",
        "process",
        "nothing",
        "registry keys",
        "mutexes nothing",
        "data",
        "datacrashpad",
        "edge",
        "created",
        "parent pid",
        "full path",
        "command line",
        "status code",
        "ssl certificates",
        "tls certificates",
        "website security",
        "signtool",
        "sectigo",
        "microsoft",
        "signtool let",
        "web site",
        "rsasha256",
        "rsasha384",
        "rsasha512",
        "signcode",
        "ssl certificate",
        "logo",
        "sxa0",
        "object",
        "regexp",
        "null",
        "tdfunction",
        "ddfunction",
        "array",
        "string",
        "dfunction",
        "iana id",
        "contact phone",
        "dnssec",
        "domain status",
        "registrar whois",
        "registrar",
        "language",
        "html internet",
        "doctype",
        "learn",
        "seomatic og",
        "timestamp",
        "sectigo ssl",
        "sectigo og",
        "sectigohq og",
        "utf8",
        "crlf line",
        "text",
        "ipxw1920",
        "fwebp",
        "win32 exe",
        "pe32",
        "ms windows",
        "win16 ne",
        "icons library",
        "os2 executable",
        "generic windos",
        "executable",
        "pe64 compiler",
        "sha256",
        "pc bitmap",
        "windows bitmap",
        "bitmap",
        "zip archive",
        "text text",
        "ascii text",
        "has permission",
        "reads",
        "accesses",
        "found",
        "t1413 access",
        "sensitive data",
        "device logs",
        "persistence",
        "fraud",
        "cloud"
      ],
      "references": [
        "http://clients2.google.com/time/1/current?cup2key=8:JROu1MtiAi1ExACtDuYde399VG2TxRqflS_l7p_q0tU&cup2hreq=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855%0Ahttp://x1.c.lencr.org/%0Ahttp://c.pki.goog/r/r1.crl",
        "https://vtbehaviour.commondatastorage.googleapis.com/5a28f4a80025385ca11cce22b13e5eed52999965afbe16cccbc5e7165c7a0ac9_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775276100&Signature=NczLfuk5dyPFskbtz7UwIjCT2DzeU5uAQP%2FL%2BC5bjk7Ng%2FHccJbUFWcb%2FqpvZaJ%2BWg4tg6aaPKihJzwDyiF7UaJOwdX3172ddwGJAfggvgpJ68YtVBE1nyhHAoFO6KsLL73DjNj58e8Uhq6Bcx4nXa86FETCR%2FzzXDlLDXyQSxf%2FKhG8zuxEsss9vRDCF%2B3TJGvJ5EmQ5HwGvk2ex9wf6H1FrBxEyx6BH5i6txcC9vMG9SXQ6eYR2p",
        "https://vtbehaviour.commondatastorage.googleapis.com/5a28f4a80025385ca11cce22b13e5eed52999965afbe16cccbc5e7165c7a0ac9_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775276177&Signature=iO1RoMLTZsC3s7nBZ8wieXl6wwWrnnCqu%2F5pXBAa2Luk2wKtKTXUyyZEOOhqaCFNbUPjsIfY1v0KxEBxzkumSiDs3XXBs%2FYt49goHGNudddQOKcmLsjbT2GhALTnmmVvl79aLJaLwnMe9B7PkJpSTGuBrutOjF5VJ0yofcbM4XjQQlOIkc8WWi94WMVxXpWAjFK9D5zmoyn9G5w1TahDZjePP%2FfkKNpJe2OqRQ59iXyHcG1nvA%2FUIx",
        "http://timestamp.sectigo.com/",
        "https://www.google-analytics.com/analytics.js",
        "http://clients2.google.com/time/1/current?cup2key=8:JROu1MtiAi1ExACtDuYde399VG2TxRqflS_l7p_q0tU&cup2hreq=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
        "https://vtbehaviour.commondatastorage.googleapis.com/5a28f4a80025385ca11cce22b13e5eed52999965afbe16cccbc5e7165c7a0ac9_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775277214&Signature=y3%2FkmodrmzpLTVDtkzYvlqSkUTQ8Tri%2FDiLIqIpCBmJ6%2Bwk5p%2FJDSAwE5V8Wdp0vWLWjfA4DvRyS%2FvmNV4kFOr422iVZH2Ap2evf8%2Bq2bp9CW%2BAuBCjgz9K329V4%2B%2B9duUsUhVBqZ%2BNKz%2Fj4z7ZDBI%2BjqPV8XjvTI7pXAfzknmFAfZU%2FjalCNigHCX%2FIOgymeTOfzSOLYLClpNTr%2BYle8VSI%2BHf9TgUWP2WgNF",
        "https://vtbehaviour.commondatastorage.googleapis.com/028e16744de653383b403efd4b755075deeb7d8ce264d7edd4615725e5b4c4c6_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775277967&Signature=oSvtx7eGCctItNKSDZN4tpJp11yn5QQjCHsLi45z7kUOa9nbuhPdVjh9gBKlXtNuGfXbpItYf6NFI%2B4pKCin266TJQP7FzDSnUzzziJTuqmZwxihDeoZ1RauqVOzGoAmrj9sG8nOYXqbOHNxQ3E6SugSzW3UFbyQJzfKt%2FsqsPsKAvl4su%2FlkWsqTHUR%2FT%2FLTTQV0ZXLwnrLv%2FdBA7DdsiE35g%2FPOiUdzJjkjhSILF%2BR"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1070",
          "name": "Indicator Removal on Host",
          "display_name": "T1070 - Indicator Removal on Host"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1095",
          "name": "Non-Application Layer Protocol",
          "display_name": "T1095 - Non-Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1560",
          "name": "Archive Collected Data",
          "display_name": "T1560 - Archive Collected Data"
        },
        {
          "id": "T1406",
          "name": "Obfuscated Files or Information",
          "display_name": "T1406 - Obfuscated Files or Information"
        },
        {
          "id": "T1409",
          "name": "Access Stored Application Data",
          "display_name": "T1409 - Access Stored Application Data"
        },
        {
          "id": "T1413",
          "name": "Access Sensitive Data in Device Logs",
          "display_name": "T1413 - Access Sensitive Data in Device Logs"
        },
        {
          "id": "T1421",
          "name": "System Network Connections Discovery",
          "display_name": "T1421 - System Network Connections Discovery"
        },
        {
          "id": "T1424",
          "name": "Process Discovery",
          "display_name": "T1424 - Process Discovery"
        },
        {
          "id": "T1426",
          "name": "System Information Discovery",
          "display_name": "T1426 - System Information Discovery"
        },
        {
          "id": "T1429",
          "name": "Capture Audio",
          "display_name": "T1429 - Capture Audio"
        },
        {
          "id": "T1430",
          "name": "Location Tracking",
          "display_name": "T1430 - Location Tracking"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 50,
        "email": 2,
        "hostname": 196,
        "FileHash-SHA1": 51,
        "URL": 234,
        "FileHash-MD5": 54,
        "FileHash-SHA256": 715
      },
      "indicator_count": 1302,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 68,
      "modified_text": "28 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69b4d19b5d08593e3b2fa873",
      "name": "VirusTotal report\n                    for Autocad-2004-Covadis-2004-Crack--Fr-Rar-58-11l.pdf",
      "description": "sleep deprived, descriptions later.",
      "modified": "2026-04-13T03:29:47.531000",
      "created": "2026-03-14T03:10:19.098000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 6,
        "FileHash-SHA1": 4,
        "FileHash-SHA256": 100,
        "URL": 32,
        "domain": 50,
        "hostname": 284
      },
      "indicator_count": 476,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 67,
      "modified_text": "49 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69b4d8136250ed80cb642956",
      "name": "VirusTotal report\n                    for Autocad-2004-Covadis-2004-Crack--Fr-Rar-58-11l.pdf",
      "description": "",
      "modified": "2026-04-13T03:29:47.531000",
      "created": "2026-03-14T03:37:55.333000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 2,
        "FileHash-SHA1": 2,
        "FileHash-SHA256": 50,
        "URL": 16,
        "domain": 4,
        "hostname": 9
      },
      "indicator_count": 83,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 68,
      "modified_text": "49 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6962b68da732abc66a0c2caf",
      "name": "Der Zugriff \u2022 Kanna \u2022 MyDoom \u2022 Sigur - Pahamify Pegasus",
      "description": "Pahamify Pegasus | Execution Attack, Access Attack | Drive by Compromise | \nSifting through Pahamify Pegasus this is no longer your computer , injection, google connects, remote connections, remote mouse movement, remote access, Google espionage, bad traffic, Apple complicit access. This is your Google account and browser, this is your appleid. Still researching\u2026. || \n*https://download.filepuma.com/files/web-browsers/google-chrome-64bit-/Google_Chrome_ ||\nMalware: Der Zugriff ,\nKanna ,\nMyDoom ,\nSigur \n#firebase #google_connection #bible_gateway_honeypot #crypto #hidden_users #who_else",
      "modified": "2026-02-09T19:00:09.890000",
      "created": "2026-01-10T20:29:01.675000",
      "tags": [
        "ip address",
        "status code",
        "kb body",
        "iocs",
        "deny age",
        "cloudfront",
        "utc google",
        "tag manager",
        "g8t6ln06z40",
        "utc na",
        "google tag",
        "injection",
        "t1055 malware",
        "tree",
        "help v",
        "defense evasion",
        "injection t1055",
        "resolved ips",
        "get http",
        "dns resolutions",
        "v memory",
        "pattern domains",
        "full reports",
        "v help",
        "memory pattern",
        "urls https",
        "hashes",
        "tiktok",
        "microsoft",
        "dashboard falcon",
        "request",
        "windows nt",
        "win64",
        "khtml",
        "gecko",
        "response",
        "appleid",
        "united",
        "name servers",
        "aaaa",
        "servers",
        "moved",
        "script urls",
        "passive dns",
        "urls",
        "data upload",
        "extraction",
        "failed",
        "jsvendor",
        "jsapp",
        "script script",
        "cssapp",
        "jsfirebase",
        "pegasus",
        "encrypt",
        "title error",
        "ipv4",
        "files",
        "reverse dns",
        "united states",
        "malware",
        "learn",
        "ck id",
        "name tactics",
        "suspicious",
        "informative",
        "command",
        "adversaries",
        "spawns",
        "execution att",
        "t1204 user",
        "script",
        "beginstring",
        "bad traffic",
        "et info",
        "null",
        "title",
        "refresh",
        "span",
        "strings",
        "error",
        "tools",
        "meta",
        "look",
        "verify",
        "restart",
        "mitre att",
        "ascii text",
        "pattern match",
        "ck matrix",
        "tls handshake",
        "hybrid",
        "general",
        "local",
        "path",
        "click",
        "ck techniques",
        "access att",
        "div div",
        "a li",
        "ul div",
        "record value",
        "emails",
        "accept",
        "referen https",
        "microsoft-falcon.net",
        "proxy",
        "status",
        "certificate",
        "updated date",
        "whois server",
        "zipcode",
        "entries http",
        "scans show",
        "search",
        "matches x",
        "type",
        "gmt cache",
        "all ipv4",
        "america flag",
        "america asn",
        "sameorigin",
        "urls show",
        "date checked",
        "url hostname",
        "server response",
        "google safe",
        "results jan",
        "ipv4 add",
        "win32mydoom jan",
        "trojan",
        "worm",
        "expiration date",
        "files show",
        "date hash",
        "avast avg",
        "win32mydoom",
        "backdoor",
        "found",
        "gmt connection",
        "control",
        "content type",
        "twitter",
        "dynamicloader",
        "medium",
        "high",
        "msie",
        "wow64",
        "slcc2",
        "media center",
        "write",
        "global",
        "domain name",
        "hostname",
        "apple",
        "racebook",
        "mouse movement",
        "remote mouse",
        "domain",
        "hostname add",
        "url analysis",
        "crlf line",
        "ff d5",
        "unicode text",
        "utf8",
        "ee fc",
        "yara rule",
        "f0 ff",
        "ff bb",
        "music",
        "push",
        "autorun",
        "unknown",
        "present sep",
        "present may",
        "present jan",
        "present aug",
        "cname",
        "present nov",
        "present jun",
        "apache",
        "body",
        "pragma",
        "found registry",
        "able",
        "model",
        "indicator",
        "source",
        "show technique",
        "file",
        "internet",
        "errore",
        "erreur",
        "download",
        "service",
        "crypto",
        "compiler",
        "installer",
        "yang",
        "updater",
        "shutdown",
        "thunk",
        "este",
        "install",
        "reboot",
        "code",
        "downloader",
        "sigur",
        "kanna",
        "der zugriff",
        "google",
        "chrome",
        "Pahamify Pegasus",
        "christoper p. ahmann",
        "law enforcement",
        "retaliation",
        "phone",
        "espionage",
        "united states",
        "m brian sabey",
        "quasi government",
        "target",
        "monitored targeting",
        "aig",
        "therahand (old name)",
        "target: tsara brashears",
        "douglas county, co",
        "sheriff",
        "industry and commerce",
        "worker\u2019s compensation",
        "crime",
        "financial crime",
        "danger",
        "nem tih",
        "amazon",
        "aws",
        "amazon aws",
        "deal",
        "deal with it lawfully",
        "pay victim",
        "protecting reimer"
      ],
      "references": [
        "https://pegasus.pahamify.com/ \u2022 pahamify.com \u2022 pegasus.pahamify.com \u2022 activation.pahamify.com \u2022 httpspegasus.pahamify.com",
        "https://download.filepuma.com/files/web-browsers/google-chrome-64bit-/Google_Chrome_",
        "Der Zugriff\u2022 Kanna \u2022 MyDoom \u2022 Sigur",
        "Pahamify Pegasus",
        "Matches rule ET INFO Observed Google DNS over HTTPS Domain (dns google in TLS SNI)",
        "https://graph.facebook.com/v3.3/590584968016991/mobile_sdk_gk?fields=gatekeepers&format=json&sdk_version=5.0.0&sdk=android&platform=android",
        "https://4.base.maps.ls.hereapi.com/maptile/2.1/maptile/newest/normal.day.mobile/{z}/{x}/{y}/256/PNG8?apiKey=wzEuHW02YdaEjU0Em-SwWQBtxbfF86-OfUuq1z93NI4",
        "tv.apple.com",
        "dashboard-proxy-sc-ncus-j7ynx.falcon- core.microsoft-falcon.net",
        "Antivirus Detections: Win.Trojan.Gamarue-9832405-0 ,  Trojan:Win32/Pariham.A",
        "IDS : Commonly Abused File Sharing Site Domain Observed (sendspace .com in DNS Lookup)",
        "IDS: Commonly Abused File Sharing Site Domain Observed (sendspace .com in TLS SNI)",
        "IDS: TLS Handshake Failure",
        "Yara Detections BackdoorWin32Simda",
        "Google_Chrome_64bit_v136.0.7103.49.exe",
        "https://hybrid-analysis.com/sample/e4306740e79c65c90242aef93fceeb93fa6da74577570c7b4a04399879349c37/696298b7667c4a112d04eac7",
        "https://download.filepuma.com/files/web-browsers/google-chrome-64bit-/Google_Chrome_",
        "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net",
        "https://wallpapers-nature.com/ tsara-brashears/urlscan-io\t \u2022 wallpapers-nature.com",
        "https://wallpapers-nature.com/%20tsara-brashears/urlscan-io \u2022",
        "https://wallpapers-nature.com/tsara-brashears/urlscan-io"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "Trojan:Win32/Pariham.A",
          "display_name": "Trojan:Win32/Pariham.A",
          "target": "/malware/Trojan:Win32/Pariham.A"
        },
        {
          "id": "MyDoom",
          "display_name": "MyDoom",
          "target": null
        },
        {
          "id": "Virus:Win95/Cerebrus",
          "display_name": "Virus:Win95/Cerebrus",
          "target": "/malware/Virus:Win95/Cerebrus"
        },
        {
          "id": "AutoRunIt",
          "display_name": "AutoRunIt",
          "target": null
        },
        {
          "id": "Sigur",
          "display_name": "Sigur",
          "target": null
        },
        {
          "id": "Kanna",
          "display_name": "Kanna",
          "target": null
        },
        {
          "id": "Der Zugriff",
          "display_name": "Der Zugriff",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "TA0004",
          "name": "Privilege Escalation",
          "display_name": "TA0004 - Privilege Escalation"
        },
        {
          "id": "TA0005",
          "name": "Defense Evasion",
          "display_name": "TA0005 - Defense Evasion"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1069",
          "name": "Permission Groups Discovery",
          "display_name": "T1069 - Permission Groups Discovery"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1204",
          "name": "User Execution",
          "display_name": "T1204 - User Execution"
        },
        {
          "id": "T1480",
          "name": "Execution Guardrails",
          "display_name": "T1480 - Execution Guardrails"
        },
        {
          "id": "T1568",
          "name": "Dynamic Resolution",
          "display_name": "T1568 - Dynamic Resolution"
        },
        {
          "id": "T1069.002",
          "name": "Domain Groups",
          "display_name": "T1069.002 - Domain Groups"
        },
        {
          "id": "T1568.002",
          "name": "Domain Generation Algorithms",
          "display_name": "T1568.002 - Domain Generation Algorithms"
        },
        {
          "id": "T1113",
          "name": "Screen Capture",
          "display_name": "T1113 - Screen Capture"
        },
        {
          "id": "T1189",
          "name": "Drive-by Compromise",
          "display_name": "T1189 - Drive-by Compromise"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1566.002",
          "name": "Spearphishing Link",
          "display_name": "T1566.002 - Spearphishing Link"
        },
        {
          "id": "T1071.004",
          "name": "DNS",
          "display_name": "T1071.004 - DNS"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        },
        {
          "id": "T1063",
          "name": "Security Software Discovery",
          "display_name": "T1063 - Security Software Discovery"
        },
        {
          "id": "T1119",
          "name": "Automated Collection",
          "display_name": "T1119 - Automated Collection"
        },
        {
          "id": "T1589",
          "name": "Gather Victim Identity Information",
          "display_name": "T1589 - Gather Victim Identity Information"
        },
        {
          "id": "T1590",
          "name": "Gather Victim Network Information",
          "display_name": "T1590 - Gather Victim Network Information"
        },
        {
          "id": "T1591",
          "name": "Gather Victim Org Information",
          "display_name": "T1591 - Gather Victim Org Information"
        },
        {
          "id": "T1592",
          "name": "Gather Victim Host Information",
          "display_name": "T1592 - Gather Victim Host Information"
        },
        {
          "id": "T1210",
          "name": "Exploitation of Remote Services",
          "display_name": "T1210 - Exploitation of Remote Services"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1036.004",
          "name": "Masquerade Task or Service",
          "display_name": "T1036.004 - Masquerade Task or Service"
        },
        {
          "id": "T1444",
          "name": "Masquerade as Legitimate Application",
          "display_name": "T1444 - Masquerade as Legitimate Application"
        },
        {
          "id": "T1449",
          "name": "Exploit SS7 to Redirect Phone Calls/SMS",
          "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
        },
        {
          "id": "T1410",
          "name": "Network Traffic Capture or Redirection",
          "display_name": "T1410 - Network Traffic Capture or Redirection"
        },
        {
          "id": "T1598",
          "name": "Phishing for Information",
          "display_name": "T1598 - Phishing for Information"
        },
        {
          "id": "T1060",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1060 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "TA0011",
          "name": "Command and Control",
          "display_name": "TA0011 - Command and Control"
        },
        {
          "id": "T1068",
          "name": "Exploitation for Privilege Escalation",
          "display_name": "T1068 - Exploitation for Privilege Escalation"
        },
        {
          "id": "T1110",
          "name": "Brute Force",
          "display_name": "T1110 - Brute Force"
        },
        {
          "id": "T1005",
          "name": "Data from Local System",
          "display_name": "T1005 - Data from Local System"
        },
        {
          "id": "T1007",
          "name": "System Service Discovery",
          "display_name": "T1007 - System Service Discovery"
        },
        {
          "id": "T1010",
          "name": "Application Window Discovery",
          "display_name": "T1010 - Application Window Discovery"
        },
        {
          "id": "T1012",
          "name": "Query Registry",
          "display_name": "T1012 - Query Registry"
        },
        {
          "id": "T1018",
          "name": "Remote System Discovery",
          "display_name": "T1018 - Remote System Discovery"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1029",
          "name": "Scheduled Transfer",
          "display_name": "T1029 - Scheduled Transfer"
        },
        {
          "id": "T1033",
          "name": "System Owner/User Discovery",
          "display_name": "T1033 - System Owner/User Discovery"
        },
        {
          "id": "T1047",
          "name": "Windows Management Instrumentation",
          "display_name": "T1047 - Windows Management Instrumentation"
        },
        {
          "id": "T1049",
          "name": "System Network Connections Discovery",
          "display_name": "T1049 - System Network Connections Discovery"
        },
        {
          "id": "T1053",
          "name": "Scheduled Task/Job",
          "display_name": "T1053 - Scheduled Task/Job"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1070",
          "name": "Indicator Removal on Host",
          "display_name": "T1070 - Indicator Removal on Host"
        },
        {
          "id": "T1074",
          "name": "Data Staged",
          "display_name": "T1074 - Data Staged"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        },
        {
          "id": "T1106",
          "name": "Native API",
          "display_name": "T1106 - Native API"
        },
        {
          "id": "T1112",
          "name": "Modify Registry",
          "display_name": "T1112 - Modify Registry"
        },
        {
          "id": "T1114",
          "name": "Email Collection",
          "display_name": "T1114 - Email Collection"
        },
        {
          "id": "T1124",
          "name": "System Time Discovery",
          "display_name": "T1124 - System Time Discovery"
        },
        {
          "id": "T1132",
          "name": "Data Encoding",
          "display_name": "T1132 - Data Encoding"
        },
        {
          "id": "T1134",
          "name": "Access Token Manipulation",
          "display_name": "T1134 - Access Token Manipulation"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1213",
          "name": "Data from Information Repositories",
          "display_name": "T1213 - Data from Information Repositories"
        },
        {
          "id": "T1222",
          "name": "File and Directory Permissions Modification",
          "display_name": "T1222 - File and Directory Permissions Modification"
        },
        {
          "id": "T1486",
          "name": "Data Encrypted for Impact",
          "display_name": "T1486 - Data Encrypted for Impact"
        },
        {
          "id": "T1489",
          "name": "Service Stop",
          "display_name": "T1489 - Service Stop"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1529",
          "name": "System Shutdown/Reboot",
          "display_name": "T1529 - System Shutdown/Reboot"
        },
        {
          "id": "T1543",
          "name": "Create or Modify System Process",
          "display_name": "T1543 - Create or Modify System Process"
        },
        {
          "id": "T1546",
          "name": "Event Triggered Execution",
          "display_name": "T1546 - Event Triggered Execution"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1555",
          "name": "Credentials from Password Stores",
          "display_name": "T1555 - Credentials from Password Stores"
        },
        {
          "id": "T1559",
          "name": "Inter-Process Communication",
          "display_name": "T1559 - Inter-Process Communication"
        },
        {
          "id": "T1560",
          "name": "Archive Collected Data",
          "display_name": "T1560 - Archive Collected Data"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        },
        {
          "id": "T1564",
          "name": "Hide Artifacts",
          "display_name": "T1564 - Hide Artifacts"
        },
        {
          "id": "T1569",
          "name": "System Services",
          "display_name": "T1569 - System Services"
        },
        {
          "id": "T1570",
          "name": "Lateral Tool Transfer",
          "display_name": "T1570 - Lateral Tool Transfer"
        },
        {
          "id": "T1614",
          "name": "System Location Discovery",
          "display_name": "T1614 - System Location Discovery"
        },
        {
          "id": "T1569.002",
          "name": "Service Execution",
          "display_name": "T1569.002 - Service Execution"
        },
        {
          "id": "T1543.003",
          "name": "Windows Service",
          "display_name": "T1543.003 - Windows Service"
        },
        {
          "id": "T1546.015",
          "name": "Component Object Model Hijacking",
          "display_name": "T1546.015 - Component Object Model Hijacking"
        },
        {
          "id": "T1055.003",
          "name": "Thread Execution Hijacking",
          "display_name": "T1055.003 - Thread Execution Hijacking"
        },
        {
          "id": "T1134.001",
          "name": "Token Impersonation/Theft",
          "display_name": "T1134.001 - Token Impersonation/Theft"
        },
        {
          "id": "T1055.001",
          "name": "Dynamic-link Library Injection",
          "display_name": "T1055.001 - Dynamic-link Library Injection"
        },
        {
          "id": "T1134.002",
          "name": "Create Process with Token",
          "display_name": "T1134.002 - Create Process with Token"
        },
        {
          "id": "T1070.006",
          "name": "Timestomp",
          "display_name": "T1070.006 - Timestomp"
        },
        {
          "id": "T1564.003",
          "name": "Hidden Window",
          "display_name": "T1564.003 - Hidden Window"
        },
        {
          "id": "T1497.003",
          "name": "Time Based Evasion",
          "display_name": "T1497.003 - Time Based Evasion"
        },
        {
          "id": "T1562.001",
          "name": "Disable or Modify Tools",
          "display_name": "T1562.001 - Disable or Modify Tools"
        },
        {
          "id": "T1497.002",
          "name": "User Activity Based Checks",
          "display_name": "T1497.002 - User Activity Based Checks"
        },
        {
          "id": "T1070.004",
          "name": "File Deletion",
          "display_name": "T1070.004 - File Deletion"
        },
        {
          "id": "T1027.005",
          "name": "Indicator Removal from Tools",
          "display_name": "T1027.005 - Indicator Removal from Tools"
        },
        {
          "id": "T1518.001",
          "name": "Security Software Discovery",
          "display_name": "T1518.001 - Security Software Discovery"
        },
        {
          "id": "T1074.001",
          "name": "Local Data Staging",
          "display_name": "T1074.001 - Local Data Staging"
        },
        {
          "id": "T1560.002",
          "name": "Archive via Library",
          "display_name": "T1560.002 - Archive via Library"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1090",
          "name": "Proxy",
          "display_name": "T1090 - Proxy"
        }
      ],
      "industries": [
        "Civil Society",
        "Legal",
        "Government",
        "Technology",
        "Telecommunications",
        "Financial"
      ],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Q.Vashti",
        "id": "337942",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 6094,
        "domain": 1195,
        "hostname": 2001,
        "FileHash-SHA256": 2598,
        "FileHash-MD5": 546,
        "FileHash-SHA1": 403,
        "email": 16,
        "CVE": 2,
        "SSLCertFingerprint": 3
      },
      "indicator_count": 12858,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 143,
      "modified_text": "111 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "68d486efb1561cbc62ce0ea4",
      "name": "gov[.]ab[.]ca - 09.24.25 (Partial DataBreach) - 1/?",
      "description": "Pages (1-40) from 1 clear-web database [osint] Queried searching for domain: gov[.]ab[.]ca on https://breach.vip/ \nFormat: email [username], password, domain [gov.ab.ca], addr1, 2, 3, alt_email",
      "modified": "2025-10-25T17:04:41.620000",
      "created": "2025-09-25T00:03:59.608000",
      "tags": [
        "gov ab",
        "data",
        "table list",
        "home",
        "click",
        "download images",
        "export table",
        "scroll",
        "show images",
        "filters",
        "st nw",
        "po box",
        "ave nw",
        "stn main",
        "fri may",
        "edmonton",
        "ave sw",
        "ave address2",
        "nw email",
        "st sw",
        "john",
        "sandy"
      ],
      "references": [
        "https://hastebin.ianhon.com/f924",
        "https://breach.vip/",
        "https://privatebin.io/?446c5fae2aa07658#4v99vCmn59DTqyKpyMMtufg353gLAPCCiqjY8w517FmX",
        "https://pastelink.net/6qvfef0z",
        "https://www.virustotal.com/gui/url/69eb15579321ffd2e6257988a39916ddd35011fd1e9883ea37a25b30f3e6a546?nocache=1",
        "https://www.filescan.io/uploads/68d5764174e5a289899354a8/reports/920dde9e-b8b4-498e-b585-17b82cd3bce4/ioc",
        "---",
        "http://hybrid-analysis.com/sample/a19e35e08a3c0a817a95352001afb0120ceac1dc4a7a170d5904790635699527/68d576f8428c2b0227052ce7",
        "http://hybrid-analysis.com/sample/a19e35e08a3c0a817a95352001afb0120ceac1dc4a7a170d5904790635699527",
        "https://metadefender.com/results/url/aHR0cHM6Ly9wYXN0ZWxpbmsubmV0LzZxdmZlZjB6",
        "https://polyswarm.network/scan/results/url/69eb15579321ffd2e6257988a39916ddd35011fd1e9883ea37a25b30f3e6a546",
        "https://opentip.kaspersky.com/https%3A%2F%2Fpastelink.net%2F6qvfef0z/?tab=lookup",
        "https://urlquery.net/report/939b4a1d-6403-4963-82ac-fe03cbb94afb"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "Canada"
      ],
      "malware_families": [],
      "attack_ids": [],
      "industries": [
        "Government"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 1,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Disable_Duck",
        "id": "244325",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 226,
        "email": 10040,
        "FileHash-MD5": 98,
        "FileHash-SHA1": 213,
        "FileHash-SHA256": 57,
        "URL": 101,
        "hostname": 65,
        "SSLCertFingerprint": 16
      },
      "indicator_count": 10816,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 129,
      "modified_text": "219 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "688c76da7d23578a0dd22eb0",
      "name": "Phishing [310725]",
      "description": "Phishing domains and IP addresses that have been used to send malicious emails.",
      "modified": "2025-08-31T08:01:04.297000",
      "created": "2025-08-01T08:12:10.030000",
      "tags": [
        "arch-email",
        "attachments",
        "attc-html",
        "brand-microsoft",
        "loader",
        "malware",
        "obfuscated-js",
        "pdqconnect",
        "phishing",
        "phishing-ml",
        "phishing-url",
        "rmm-tool",
        "rust",
        "susp-attachments",
        "spearphishing",
        "malicious-domain",
        "[malicious-IP"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United Kingdom of Great Britain and Northern Ireland"
      ],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1193",
          "name": "Spearphishing Attachment",
          "display_name": "T1193 - Spearphishing Attachment"
        },
        {
          "id": "T1192",
          "name": "Spearphishing Link",
          "display_name": "T1192 - Spearphishing Link"
        },
        {
          "id": "T1194",
          "name": "Spearphishing via Service",
          "display_name": "T1194 - Spearphishing via Service"
        },
        {
          "id": "T1195",
          "name": "Supply Chain Compromise",
          "display_name": "T1195 - Supply Chain Compromise"
        },
        {
          "id": "T1566.003",
          "name": "Spearphishing via Service",
          "display_name": "T1566.003 - Spearphishing via Service"
        },
        {
          "id": "T1566.001",
          "name": "Spearphishing Attachment",
          "display_name": "T1566.001 - Spearphishing Attachment"
        }
      ],
      "industries": [
        "Government"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 18,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "FS13JKMK",
        "id": "312129",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_312129/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 79,
        "hostname": 69,
        "URL": 153,
        "FileHash-SHA256": 4,
        "email": 7
      },
      "indicator_count": 312,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 71,
      "modified_text": "274 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "67b2d9dcae1cec7a14f38773",
      "name": "Ti 84 Calculator Backlinks",
      "description": "Ti 84 Calculator Backlinks",
      "modified": "2025-02-17T06:40:28.665000",
      "created": "2025-02-17T06:40:28.665000",
      "tags": [
        "TI-84 calculator online",
        "TI-84 plus calculator",
        "free scientific calculator",
        "online math tools",
        "TI-84 calculator for students",
        "TI-84 online tool",
        "graphing calculator online",
        "online calculator for math",
        "scientific calculator free"
      ],
      "references": [
        "profile backlinks working ti84.csv"
      ],
      "public": 1,
      "adversary": "Ti 84 Calculator Backlinks",
      "targeted_countries": [
        "United States Minor Outlying Islands"
      ],
      "malware_families": [],
      "attack_ids": [],
      "industries": [
        "Education"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 4,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "ti84calculator",
        "id": "309228",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 34,
        "domain": 9,
        "hostname": 25
      },
      "indicator_count": 68,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 1,
      "modified_text": "469 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "trello.com",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "trello.com",
    "found": true,
    "verdict": "malicious",
    "url_count": 7,
    "online_count": 0,
    "blacklists": {
      "spamhaus_dbl": "not listed",
      "surbl": "not listed"
    },
    "urls": [
      {
        "url": "https://trello.com/1/cards/660a48f3ed8f660125aa4d31/attachments/6615472237acc15ca27cb4ad/download/58888885.exe",
        "status": "offline",
        "threat": "malware_download",
        "date_added": "2024-04-10",
        "tags": [
          "dropped-by-SmokeLoader"
        ]
      },
      {
        "url": "https://trello.com/1/cards/660a48f3ed8f660125aa4d31/attachments/66153df02cfa1d750cac2cfc/download/cccc.exe",
        "status": "offline",
        "threat": "malware_download",
        "date_added": "2024-04-09",
        "tags": [
          "dropped-by-SmokeLoader",
          "PureLogStealer"
        ]
      },
      {
        "url": "https://trello.com/1/cards/64be8dd0cb0e5dbc787d2079/attachments/64be8e769f77584189d0f2d7/download/",
        "status": "offline",
        "threat": "malware_download",
        "date_added": "2023-07-25",
        "tags": [
          "FakeGoogleAi",
          "pw-999"
        ]
      },
      {
        "url": "https://trello.com/1/cards/64be8dd0cb0e5dbc787d2079/attachments/64be8e769f77584189d0f2d7/download/Setup-GoogleAI-13-7.rar",
        "status": "offline",
        "threat": "malware_download",
        "date_added": "2023-07-25",
        "tags": [
          "FakeGoogleA",
          "pw-999"
        ]
      },
      {
        "url": "https://trello.com/1/cards/64ad55750e1ff165be58e92d/attachments/64ad56d2d99287b0521c88ec/download/CapCut_2_2_0_491_capcutpc_0.gz",
        "status": "offline",
        "threat": "malware_download",
        "date_added": "2023-07-12",
        "tags": []
      },
      {
        "url": "https://trello.com/1/cards/646f56522381b8fc002a0186/attachments/646f565a313f123a6f9ae362/download/npp.8.5.3.Installer.x64342423423423424242423423424.rar",
        "status": "offline",
        "threat": "malware_download",
        "date_added": "2023-05-30",
        "tags": []
      },
      {
        "url": "https://trello.com/1/cards/6419447c936d8660d0601d03/attachments/641944c211b1d40fb5d4c6b5/download/GGbard_setup.rar",
        "status": "offline",
        "threat": "malware_download",
        "date_added": "2023-03-23",
        "tags": [
          "msi",
          "password:ggbard",
          "rar"
        ]
      }
    ],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780334886.8917668
}