{ "type": "Domain", "indicator": "uidsync.net", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/uidsync.net", "alexa": "http://www.alexa.com/siteinfo/uidsync.net", "indicator": "uidsync.net", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 3156794702, "indicator": "uidsync.net", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 17, "pulses": [ { "id": "69fed99080ca19fd27b184cb", "name": "CAPE Sandbox - \"Client Challenge\" Created 4/27/2025.", "description": "[The Cuckoo.com website has been shut down by Microsoft, with the result of an analysis of the network's traffic patterns, and the results of its analysis] A SHA for an educational app/website I dont even have generated what is called \" Client Challenge\"\n 2c4b2093aa07afb9d633fd4e734a9707\n2732a5adf7152c21b4a5aaa0a7b45f3d4be7874a\naa7261397b39ae202abcfc337b8307c7d2532a9b7ee721f7a87a6f25aa59608d\n622b6b82655de58b927dd956ab84db9d\n48:IYhkrFN9YfHFTtJXQHyeyQ4v3W7UNp/xmhIfgjOGkOHMZKKyMaiskaO3n:TsYdxJXQHFY375ro6tZ8MaM93n\nT1E05100012CF6C176147724BB9E73B25A2B5064476216E41C3AEDDA28CF82FD9EC426EC\nHTML \ninternet\nhtml\nHTML document, Unicode text, UTF-8 text\nHyperText Markup Language (100%)\nHTML\n3.03 KB (3101 bytes) /_fs-ch-1T1wmsGaOgGaSxcX/assets/inter-var.woff2\n/_fs-ch-1T1wmsGaOgGaSxcX/assets/styles.css -13jdrops from one html/38 malic files/bluetooth cap.", "modified": "2026-05-10T08:20:56.907000", "created": "2026-05-09T06:52:00.985000", "tags": [ "nothing", "registry keys", "mutexes nothing", "data", "datacrashpad", "edge", "created", "parent pid", "full path", "command line", "https", "network info", "processes extra", "performs dns", "layer protocol", "overview", "mitre attack", "overview zenbox", "verdict", "guest system", "phishing", "defense evasion", "next", "ip info", "ip country", "united", "info process", "mwdb", "bazaar", "sha3384", "ssdeep", "strong", "file type", "library", "size", "default", "sha1", "accept", "mcafee", "span", "install", "softonic", "alerta", "download", "error", "crypt32", "body", "bootkit", "lockfile", "title", "inside", "shutdown", "impact", "global", "restart", "uwaga", "startpage", "window", "find", "false", "null", "payload", "write", "installer", "winmm", "back", "nlrnsrdb", "trumusic", "kevsight tox", "html internet", "html document", "unicode text", "utf8 text", "language", "settings", "first counter", "file size", "sha256", "bridge", "info", "date", "agent", "root", "pe file", "ms windows", "pe32", "found", "png image", "rgba", "cabinet archive", "files c", "delphi", "code", "persistence", "malicious", "unix", "wed jun", "dropped info", "linux verdict", "bluetooth", "4/27/25", "drops", "legacy admin", "hacking tools", "geofence", "education", "government" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/aa7261397b39ae202abcfc337b8307c7d2532a9b7ee721f7a87a6f25aa59608d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778308356&Signature=Bq0QXx5QtdlR4B1OLE2oNH2ivhP5koRxoxaBIC4bDOb1nad7b%2B4MKW2csIzcVHkiJ2lEuxuzVaPZAtPN9ZbTMiEwygTIHCvt%2BjujlP3fb2dgOki9C6FhEd5DCKB3RdzsNdqXB2VDF7rZoLj%2BNII3rrWNk714D3qNNxku1k1gsD%2FpGCxIrO0e0y2styb6l6hhzJjcGwSCEPbS6MRA%2BA90qkVuNCgIucEDcJ5lkx0B2OOW4YW0Csc3", "https://vtbehaviour.commondatastorage.googleapis.com/aa7261397b39ae202abcfc337b8307c7d2532a9b7ee721f7a87a6f25aa59608d_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778308390&Signature=29e34JRtkg7NaukyKdD3mE9rGo0hrpCAePmGPmvrVPeeHY4ax13egnxzXVjOctDKN%2F26RdliQEdXTd301UZjrUIJxeMbNgmdXQ3AdU5y%2FV8c21ePTIEAIq2Onb%2Bq5kutHekqTdBS3d0tgfIBKVBE9kZsGWzbMQFPKPv%2B%2FDpvMZSgtM2dO2vord9nXbkwcHCYBrVWvVALPOmXc910%2BAWvZOsLaWmvQjsMI0DTAIUwyx0zveFkVWqa2XOJbD", "https://vtbehaviour.commondatastorage.googleapis.com/aa7261397b39ae202abcfc337b8307c7d2532a9b7ee721f7a87a6f25aa59608d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778308554&Signature=lODaur8GDc6MSh92WMx%2BV%2F7WRfkYjVs6kHiY4Sx12RcybRrsXaBC6oik%2FVeSMne1EODoqRn6AOcL%2FnIJ3J1ki%2Flrawz0HqWnxDTycnuefpWaPbw6abOU2796lcdgAMJxF9cGIDFHeaJDHQhbd0qeV07OK%2BhEKGGkjFWmqxOlqcTx526c%2FyRTuJaoFKrRzHVk9z2Xhv16kmnrY1VWhnBNyv3cMtVW076z2DheqC1Nya4ZJR3T", "https://vtbehaviour.commondatastorage.googleapis.com/fe2fcf32cc0d38931131fde27db1e5693774844075b4e3c33c82a3625f397a7d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778308630&Signature=tal7xZ9VHrLtK%2Fx5z4thfPUsqP4jnN7mnhQemzL4D6Jt%2BSk8bXHsrCdJlx%2Be1lnoGRVGwvwKCjx3CEIT2hLNbJt09HJOJW8y0ZHcSz%2BVuPuDQOe77pC%2F3yFozFW3vI7CEZI7ISt8C80aND1aciQHVQazVru6MO8fQbjeA78vsrN6MB0ZuxTE%2FXOh0gshhIYHplGRIVhhJx5waxIeoxWL1ZXsSC%2BoXwk4g44W5t38Y5Tkcf%2", "https://vtbehaviour.commondatastorage.googleapis.com/643c94812af9c0d32df3563b4c03f3a27bb3931df6d0bf98ed2028439df5c523_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778308947&Signature=alDMcpCHWUfDgEjmw6GuL5bYJ7WAgrYGXsYb8PfNczzjNzMmdclOsPPSd8nKJEDsDmNxeb2sw0hYiHkOza%2FRN9q8612YM9nTO2inlISRitzqqNDU6JlAsf97walR1G6zBOoJyqTiDrsSbx5evH65eHfvmspVqAXrb%2BQ47kPd56689I4BQ%2BsXgtfYNLYfi0tZCIDXf9zFVUl7yJpOaXHvd6%2FB7n3VeDqry5%2FrR9w%2Ftznq2oHOWz", "https://vtbehaviour.commondatastorage.googleapis.com/96726d252031408ce594cb2d0f49cc98a87d5742e5c7bf95b067158bf1ecbb5a_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778309020&Signature=vqlAf29Jh8gzLx2hXd4oK3SHSQ7rtDkDCKFUjJTgs37n6pJU8vOHAMY%2BZDsFv79mq1BdEHoY7nok%2B%2F8fXKVOYaTlt0eAlBTIvhYUtDyujmwblYEgNlDU1rpNNKmZ55W8WmPUBFmUN3AaCIOZIX5vA4HFg6qulPpJnXDQ57TINvsk4Wwf9mClPe97Ye9DE6zAZarXt7XMT2RTpxVJqTD143j7%2BeJGcwEPknT64TWHLEfitFThoeAdncSqpQS74B", "https://vtbehaviour.commondatastorage.googleapis.com/cb38f0c781c188c3fc2ace5f55a12f2a4833c1c5fc869e698cf7994041e4a135_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778309094&Signature=2X1UxXszEC0vdMoCHG30M8zifvQi45%2FJScJ8N3QaALRZ8JM5fIK5QIhWdv9eYZgDlMDjqEs9sECAtO16r8UbHNPoPwRNzqUN6f6UIq0L8Tj%2BIYQrjZo7NBhiH6eUgkTaHAoBU02WDYP5Ov0biBhHziqfTBQQ5yDFh0H9CPRlLUefNK%2BHM%2BQYLwGLUpQ5yBTv1Mh5suQ1PLSj3g%2Fz429aGgT0ianBgbW7IIV50lIP4m5cr5UUek3l", "https://vtbehaviour.commondatastorage.googleapis.com/643c94812af9c0d32df3563b4c03f3a27bb3931df6d0bf98ed2028439df5c523_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778309164&Signature=NWdp0fiFpH6Jr1kaVwKEFGn0Zk0wRKMQLorUPZy7WKGD3M381ZLQM1PRrWmvwz5bujAib4QiCiOLd8A7PMvTMnOKQXz%2BwsI8tZk1vXfRwW6DJpI8nj3KWKoP3btIoik2VBrWn%2Fr1xNdIJ4Ic2MQEfOpslObUTaNkvaOGbdedf8llYwYXllyZneCKuVP5wMIq72nExH21e3%2FIfViwNbHZFbKS6roKZkLx4V7XxVk94woz0KT1LUAS0dYh" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1592", "name": "Gather Victim Host Information", "display_name": "T1592 - Gather Victim Host Information" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 529, "IPv4": 403, "hostname": 394, "domain": 121, "URL": 262, "FileHash-SHA1": 291, "FileHash-SHA256": 396 }, "indicator_count": 2396, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "21 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69fed98ed79b13165d78dc30", "name": "CAPE Sandbox - \"Client Challenge\" Created 4/27/2025.", "description": "[The Cuckoo.com website has been shut down by Microsoft, with the result of an analysis of the network's traffic patterns, and the results of its analysis] A SHA for an educational app/website I dont even have generated what is called \" Client Challenge\"\n 2c4b2093aa07afb9d633fd4e734a9707\n2732a5adf7152c21b4a5aaa0a7b45f3d4be7874a\naa7261397b39ae202abcfc337b8307c7d2532a9b7ee721f7a87a6f25aa59608d\n622b6b82655de58b927dd956ab84db9d\n48:IYhkrFN9YfHFTtJXQHyeyQ4v3W7UNp/xmhIfgjOGkOHMZKKyMaiskaO3n:TsYdxJXQHFY375ro6tZ8MaM93n\nT1E05100012CF6C176147724BB9E73B25A2B5064476216E41C3AEDDA28CF82FD9EC426EC\nHTML \ninternet\nhtml\nHTML document, Unicode text, UTF-8 text\nHyperText Markup Language (100%)\nHTML\n3.03 KB (3101 bytes) /_fs-ch-1T1wmsGaOgGaSxcX/assets/inter-var.woff2\n/_fs-ch-1T1wmsGaOgGaSxcX/assets/styles.css -13jdrops from one html/38 malic files/bluetooth cap.", "modified": "2026-05-10T08:11:16.996000", "created": "2026-05-09T06:51:58.884000", "tags": [ "nothing", "registry keys", "mutexes nothing", "data", "datacrashpad", "edge", "created", "parent pid", "full path", "command line", "https", "network info", "processes extra", "performs dns", "layer protocol", "overview", "mitre attack", "overview zenbox", "verdict", "guest system", "phishing", "defense evasion", "next", "ip info", "ip country", "united", "info process", "mwdb", "bazaar", "sha3384", "ssdeep", "strong", "file type", "library", "size", "default", "sha1", "accept", "mcafee", "span", "install", "softonic", "alerta", "download", "error", "crypt32", "body", "bootkit", "lockfile", "title", "inside", "shutdown", "impact", "global", "restart", "uwaga", "startpage", "window", "find", "false", "null", "payload", "write", "installer", "winmm", "back", "nlrnsrdb", "trumusic", "kevsight tox", "html internet", "html document", "unicode text", "utf8 text", "language", "settings", "first counter", "file size", "sha256", "bridge", "info", "date", "agent", "root", "pe file", "ms windows", "pe32", "found", "png image", "rgba", "cabinet archive", "files c", "delphi", "code", "persistence", "malicious", "unix", "wed jun", "dropped info", "linux verdict", "bluetooth", "4/27/25", "drops", "legacy admin", "hacking tools", "geofence", "education", "government" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/aa7261397b39ae202abcfc337b8307c7d2532a9b7ee721f7a87a6f25aa59608d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778308356&Signature=Bq0QXx5QtdlR4B1OLE2oNH2ivhP5koRxoxaBIC4bDOb1nad7b%2B4MKW2csIzcVHkiJ2lEuxuzVaPZAtPN9ZbTMiEwygTIHCvt%2BjujlP3fb2dgOki9C6FhEd5DCKB3RdzsNdqXB2VDF7rZoLj%2BNII3rrWNk714D3qNNxku1k1gsD%2FpGCxIrO0e0y2styb6l6hhzJjcGwSCEPbS6MRA%2BA90qkVuNCgIucEDcJ5lkx0B2OOW4YW0Csc3", "https://vtbehaviour.commondatastorage.googleapis.com/aa7261397b39ae202abcfc337b8307c7d2532a9b7ee721f7a87a6f25aa59608d_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778308390&Signature=29e34JRtkg7NaukyKdD3mE9rGo0hrpCAePmGPmvrVPeeHY4ax13egnxzXVjOctDKN%2F26RdliQEdXTd301UZjrUIJxeMbNgmdXQ3AdU5y%2FV8c21ePTIEAIq2Onb%2Bq5kutHekqTdBS3d0tgfIBKVBE9kZsGWzbMQFPKPv%2B%2FDpvMZSgtM2dO2vord9nXbkwcHCYBrVWvVALPOmXc910%2BAWvZOsLaWmvQjsMI0DTAIUwyx0zveFkVWqa2XOJbD", "https://vtbehaviour.commondatastorage.googleapis.com/aa7261397b39ae202abcfc337b8307c7d2532a9b7ee721f7a87a6f25aa59608d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778308554&Signature=lODaur8GDc6MSh92WMx%2BV%2F7WRfkYjVs6kHiY4Sx12RcybRrsXaBC6oik%2FVeSMne1EODoqRn6AOcL%2FnIJ3J1ki%2Flrawz0HqWnxDTycnuefpWaPbw6abOU2796lcdgAMJxF9cGIDFHeaJDHQhbd0qeV07OK%2BhEKGGkjFWmqxOlqcTx526c%2FyRTuJaoFKrRzHVk9z2Xhv16kmnrY1VWhnBNyv3cMtVW076z2DheqC1Nya4ZJR3T", "https://vtbehaviour.commondatastorage.googleapis.com/fe2fcf32cc0d38931131fde27db1e5693774844075b4e3c33c82a3625f397a7d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778308630&Signature=tal7xZ9VHrLtK%2Fx5z4thfPUsqP4jnN7mnhQemzL4D6Jt%2BSk8bXHsrCdJlx%2Be1lnoGRVGwvwKCjx3CEIT2hLNbJt09HJOJW8y0ZHcSz%2BVuPuDQOe77pC%2F3yFozFW3vI7CEZI7ISt8C80aND1aciQHVQazVru6MO8fQbjeA78vsrN6MB0ZuxTE%2FXOh0gshhIYHplGRIVhhJx5waxIeoxWL1ZXsSC%2BoXwk4g44W5t38Y5Tkcf%2", "https://vtbehaviour.commondatastorage.googleapis.com/643c94812af9c0d32df3563b4c03f3a27bb3931df6d0bf98ed2028439df5c523_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778308947&Signature=alDMcpCHWUfDgEjmw6GuL5bYJ7WAgrYGXsYb8PfNczzjNzMmdclOsPPSd8nKJEDsDmNxeb2sw0hYiHkOza%2FRN9q8612YM9nTO2inlISRitzqqNDU6JlAsf97walR1G6zBOoJyqTiDrsSbx5evH65eHfvmspVqAXrb%2BQ47kPd56689I4BQ%2BsXgtfYNLYfi0tZCIDXf9zFVUl7yJpOaXHvd6%2FB7n3VeDqry5%2FrR9w%2Ftznq2oHOWz", "https://vtbehaviour.commondatastorage.googleapis.com/96726d252031408ce594cb2d0f49cc98a87d5742e5c7bf95b067158bf1ecbb5a_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778309020&Signature=vqlAf29Jh8gzLx2hXd4oK3SHSQ7rtDkDCKFUjJTgs37n6pJU8vOHAMY%2BZDsFv79mq1BdEHoY7nok%2B%2F8fXKVOYaTlt0eAlBTIvhYUtDyujmwblYEgNlDU1rpNNKmZ55W8WmPUBFmUN3AaCIOZIX5vA4HFg6qulPpJnXDQ57TINvsk4Wwf9mClPe97Ye9DE6zAZarXt7XMT2RTpxVJqTD143j7%2BeJGcwEPknT64TWHLEfitFThoeAdncSqpQS74B", "https://vtbehaviour.commondatastorage.googleapis.com/cb38f0c781c188c3fc2ace5f55a12f2a4833c1c5fc869e698cf7994041e4a135_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778309094&Signature=2X1UxXszEC0vdMoCHG30M8zifvQi45%2FJScJ8N3QaALRZ8JM5fIK5QIhWdv9eYZgDlMDjqEs9sECAtO16r8UbHNPoPwRNzqUN6f6UIq0L8Tj%2BIYQrjZo7NBhiH6eUgkTaHAoBU02WDYP5Ov0biBhHziqfTBQQ5yDFh0H9CPRlLUefNK%2BHM%2BQYLwGLUpQ5yBTv1Mh5suQ1PLSj3g%2Fz429aGgT0ianBgbW7IIV50lIP4m5cr5UUek3l", "https://vtbehaviour.commondatastorage.googleapis.com/643c94812af9c0d32df3563b4c03f3a27bb3931df6d0bf98ed2028439df5c523_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778309164&Signature=NWdp0fiFpH6Jr1kaVwKEFGn0Zk0wRKMQLorUPZy7WKGD3M381ZLQM1PRrWmvwz5bujAib4QiCiOLd8A7PMvTMnOKQXz%2BwsI8tZk1vXfRwW6DJpI8nj3KWKoP3btIoik2VBrWn%2Fr1xNdIJ4Ic2MQEfOpslObUTaNkvaOGbdedf8llYwYXllyZneCKuVP5wMIq72nExH21e3%2FIfViwNbHZFbKS6roKZkLx4V7XxVk94woz0KT1LUAS0dYh" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1592", "name": "Gather Victim Host Information", "display_name": "T1592 - Gather Victim Host Information" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 547, "IPv4": 545, "hostname": 752, "domain": 290, "URL": 979, "FileHash-SHA1": 296, "FileHash-SHA256": 904, "CIDR": 2, "email": 2 }, "indicator_count": 4317, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "21 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69fed98a5807c9756ff0eb87", "name": "CAPE Sandbox - \"Client Challenge\" Created 4/27/2025.", "description": "[The Cuckoo.com website has been shut down by Microsoft, with the result of an analysis of the network's traffic patterns, and the results of its analysis] A SHA for an educational app/website I dont even have generated what is called \" Client Challenge\"\n 2c4b2093aa07afb9d633fd4e734a9707\n2732a5adf7152c21b4a5aaa0a7b45f3d4be7874a\naa7261397b39ae202abcfc337b8307c7d2532a9b7ee721f7a87a6f25aa59608d\n622b6b82655de58b927dd956ab84db9d\n48:IYhkrFN9YfHFTtJXQHyeyQ4v3W7UNp/xmhIfgjOGkOHMZKKyMaiskaO3n:TsYdxJXQHFY375ro6tZ8MaM93n\nT1E05100012CF6C176147724BB9E73B25A2B5064476216E41C3AEDDA28CF82FD9EC426EC\nHTML \ninternet\nhtml\nHTML document, Unicode text, UTF-8 text\nHyperText Markup Language (100%)\nHTML\n3.03 KB (3101 bytes) /_fs-ch-1T1wmsGaOgGaSxcX/assets/inter-var.woff2\n/_fs-ch-1T1wmsGaOgGaSxcX/assets/styles.css -13jdrops from one html/38 malic files/bluetooth cap.", "modified": "2026-05-09T12:26:36.816000", "created": "2026-05-09T06:51:54.319000", "tags": [ "nothing", "registry keys", "mutexes nothing", "data", "datacrashpad", "edge", "created", "parent pid", "full path", "command line", "https", "network info", "processes extra", "performs dns", "layer protocol", "overview", "mitre attack", "overview zenbox", "verdict", "guest system", "phishing", "defense evasion", "next", "ip info", "ip country", "united", "info process", "mwdb", "bazaar", "sha3384", "ssdeep", "strong", "file type", "library", "size", "default", "sha1", "accept", "mcafee", "span", "install", "softonic", "alerta", "download", "error", "crypt32", "body", "bootkit", "lockfile", "title", "inside", "shutdown", "impact", "global", "restart", "uwaga", "startpage", "window", "find", "false", "null", "payload", "write", "installer", "winmm", "back", "nlrnsrdb", "trumusic", "kevsight tox", "html internet", "html document", "unicode text", "utf8 text", "language", "settings", "first counter", "file size", "sha256", "bridge", "info", "date", "agent", "root", "pe file", "ms windows", "pe32", "found", "png image", "rgba", "cabinet archive", "files c", "delphi", "code", "persistence", "malicious", "unix", "wed jun", "dropped info", "linux verdict", "bluetooth", "4/27/25", "drops", "legacy admin", "hacking tools", "geofence", "education", "government" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/aa7261397b39ae202abcfc337b8307c7d2532a9b7ee721f7a87a6f25aa59608d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778308356&Signature=Bq0QXx5QtdlR4B1OLE2oNH2ivhP5koRxoxaBIC4bDOb1nad7b%2B4MKW2csIzcVHkiJ2lEuxuzVaPZAtPN9ZbTMiEwygTIHCvt%2BjujlP3fb2dgOki9C6FhEd5DCKB3RdzsNdqXB2VDF7rZoLj%2BNII3rrWNk714D3qNNxku1k1gsD%2FpGCxIrO0e0y2styb6l6hhzJjcGwSCEPbS6MRA%2BA90qkVuNCgIucEDcJ5lkx0B2OOW4YW0Csc3", "https://vtbehaviour.commondatastorage.googleapis.com/aa7261397b39ae202abcfc337b8307c7d2532a9b7ee721f7a87a6f25aa59608d_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778308390&Signature=29e34JRtkg7NaukyKdD3mE9rGo0hrpCAePmGPmvrVPeeHY4ax13egnxzXVjOctDKN%2F26RdliQEdXTd301UZjrUIJxeMbNgmdXQ3AdU5y%2FV8c21ePTIEAIq2Onb%2Bq5kutHekqTdBS3d0tgfIBKVBE9kZsGWzbMQFPKPv%2B%2FDpvMZSgtM2dO2vord9nXbkwcHCYBrVWvVALPOmXc910%2BAWvZOsLaWmvQjsMI0DTAIUwyx0zveFkVWqa2XOJbD", "https://vtbehaviour.commondatastorage.googleapis.com/aa7261397b39ae202abcfc337b8307c7d2532a9b7ee721f7a87a6f25aa59608d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778308554&Signature=lODaur8GDc6MSh92WMx%2BV%2F7WRfkYjVs6kHiY4Sx12RcybRrsXaBC6oik%2FVeSMne1EODoqRn6AOcL%2FnIJ3J1ki%2Flrawz0HqWnxDTycnuefpWaPbw6abOU2796lcdgAMJxF9cGIDFHeaJDHQhbd0qeV07OK%2BhEKGGkjFWmqxOlqcTx526c%2FyRTuJaoFKrRzHVk9z2Xhv16kmnrY1VWhnBNyv3cMtVW076z2DheqC1Nya4ZJR3T", "https://vtbehaviour.commondatastorage.googleapis.com/fe2fcf32cc0d38931131fde27db1e5693774844075b4e3c33c82a3625f397a7d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778308630&Signature=tal7xZ9VHrLtK%2Fx5z4thfPUsqP4jnN7mnhQemzL4D6Jt%2BSk8bXHsrCdJlx%2Be1lnoGRVGwvwKCjx3CEIT2hLNbJt09HJOJW8y0ZHcSz%2BVuPuDQOe77pC%2F3yFozFW3vI7CEZI7ISt8C80aND1aciQHVQazVru6MO8fQbjeA78vsrN6MB0ZuxTE%2FXOh0gshhIYHplGRIVhhJx5waxIeoxWL1ZXsSC%2BoXwk4g44W5t38Y5Tkcf%2", "https://vtbehaviour.commondatastorage.googleapis.com/643c94812af9c0d32df3563b4c03f3a27bb3931df6d0bf98ed2028439df5c523_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778308947&Signature=alDMcpCHWUfDgEjmw6GuL5bYJ7WAgrYGXsYb8PfNczzjNzMmdclOsPPSd8nKJEDsDmNxeb2sw0hYiHkOza%2FRN9q8612YM9nTO2inlISRitzqqNDU6JlAsf97walR1G6zBOoJyqTiDrsSbx5evH65eHfvmspVqAXrb%2BQ47kPd56689I4BQ%2BsXgtfYNLYfi0tZCIDXf9zFVUl7yJpOaXHvd6%2FB7n3VeDqry5%2FrR9w%2Ftznq2oHOWz", "https://vtbehaviour.commondatastorage.googleapis.com/96726d252031408ce594cb2d0f49cc98a87d5742e5c7bf95b067158bf1ecbb5a_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778309020&Signature=vqlAf29Jh8gzLx2hXd4oK3SHSQ7rtDkDCKFUjJTgs37n6pJU8vOHAMY%2BZDsFv79mq1BdEHoY7nok%2B%2F8fXKVOYaTlt0eAlBTIvhYUtDyujmwblYEgNlDU1rpNNKmZ55W8WmPUBFmUN3AaCIOZIX5vA4HFg6qulPpJnXDQ57TINvsk4Wwf9mClPe97Ye9DE6zAZarXt7XMT2RTpxVJqTD143j7%2BeJGcwEPknT64TWHLEfitFThoeAdncSqpQS74B", "https://vtbehaviour.commondatastorage.googleapis.com/cb38f0c781c188c3fc2ace5f55a12f2a4833c1c5fc869e698cf7994041e4a135_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778309094&Signature=2X1UxXszEC0vdMoCHG30M8zifvQi45%2FJScJ8N3QaALRZ8JM5fIK5QIhWdv9eYZgDlMDjqEs9sECAtO16r8UbHNPoPwRNzqUN6f6UIq0L8Tj%2BIYQrjZo7NBhiH6eUgkTaHAoBU02WDYP5Ov0biBhHziqfTBQQ5yDFh0H9CPRlLUefNK%2BHM%2BQYLwGLUpQ5yBTv1Mh5suQ1PLSj3g%2Fz429aGgT0ianBgbW7IIV50lIP4m5cr5UUek3l", "https://vtbehaviour.commondatastorage.googleapis.com/643c94812af9c0d32df3563b4c03f3a27bb3931df6d0bf98ed2028439df5c523_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778309164&Signature=NWdp0fiFpH6Jr1kaVwKEFGn0Zk0wRKMQLorUPZy7WKGD3M381ZLQM1PRrWmvwz5bujAib4QiCiOLd8A7PMvTMnOKQXz%2BwsI8tZk1vXfRwW6DJpI8nj3KWKoP3btIoik2VBrWn%2Fr1xNdIJ4Ic2MQEfOpslObUTaNkvaOGbdedf8llYwYXllyZneCKuVP5wMIq72nExH21e3%2FIfViwNbHZFbKS6roKZkLx4V7XxVk94woz0KT1LUAS0dYh" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1592", "name": "Gather Victim Host Information", "display_name": "T1592 - Gather Victim Host Information" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 521, "IPv4": 402, "hostname": 393, "domain": 120, "URL": 261, "FileHash-SHA1": 287, "FileHash-SHA256": 391 }, "indicator_count": 2375, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "22 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69fed9859e3d403a869a56d9", "name": "CAPE Sandbox - \"Client Challenge\" Created 4/27/2025.", "description": "[The Cuckoo.com website has been shut down by Microsoft, with the result of an analysis of the network's traffic patterns, and the results of its analysis] A SHA for an educational app/website I dont even have generated what is called \" Client Challenge\"\n 2c4b2093aa07afb9d633fd4e734a9707\n2732a5adf7152c21b4a5aaa0a7b45f3d4be7874a\naa7261397b39ae202abcfc337b8307c7d2532a9b7ee721f7a87a6f25aa59608d\n622b6b82655de58b927dd956ab84db9d\n48:IYhkrFN9YfHFTtJXQHyeyQ4v3W7UNp/xmhIfgjOGkOHMZKKyMaiskaO3n:TsYdxJXQHFY375ro6tZ8MaM93n\nT1E05100012CF6C176147724BB9E73B25A2B5064476216E41C3AEDDA28CF82FD9EC426EC\nHTML \ninternet\nhtml\nHTML document, Unicode text, UTF-8 text\nHyperText Markup Language (100%)\nHTML\n3.03 KB (3101 bytes) /_fs-ch-1T1wmsGaOgGaSxcX/assets/inter-var.woff2\n/_fs-ch-1T1wmsGaOgGaSxcX/assets/styles.css -13jdrops from one html/38 malic files/bluetooth cap.", "modified": "2026-05-09T07:20:23.936000", "created": "2026-05-09T06:51:49.607000", "tags": [ "nothing", "registry keys", "mutexes nothing", "data", "datacrashpad", "edge", "created", "parent pid", "full path", "command line", "https", "network info", "processes extra", "performs dns", "layer protocol", "overview", "mitre attack", "overview zenbox", "verdict", "guest system", "phishing", "defense evasion", "next", "ip info", "ip country", "united", "info process", "mwdb", "bazaar", "sha3384", "ssdeep", "strong", "file type", "library", "size", "default", "sha1", "accept", "mcafee", "span", "install", "softonic", "alerta", "download", "error", "crypt32", "body", "bootkit", "lockfile", "title", "inside", "shutdown", "impact", "global", "restart", "uwaga", "startpage", "window", "find", "false", "null", "payload", "write", "installer", "winmm", "back", "nlrnsrdb", "trumusic", "kevsight tox", "html internet", "html document", "unicode text", "utf8 text", "language", "settings", "first counter", "file size", "sha256", "bridge", "info", "date", "agent", "root", "pe file", "ms windows", "pe32", "found", "png image", "rgba", "cabinet archive", "files c", "delphi", "code", "persistence", "malicious", "unix", "wed jun", "dropped info", "linux verdict", "bluetooth", "4/27/25", "drops", "legacy admin", "hacking tools", "geofence", "education", "government" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/aa7261397b39ae202abcfc337b8307c7d2532a9b7ee721f7a87a6f25aa59608d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778308356&Signature=Bq0QXx5QtdlR4B1OLE2oNH2ivhP5koRxoxaBIC4bDOb1nad7b%2B4MKW2csIzcVHkiJ2lEuxuzVaPZAtPN9ZbTMiEwygTIHCvt%2BjujlP3fb2dgOki9C6FhEd5DCKB3RdzsNdqXB2VDF7rZoLj%2BNII3rrWNk714D3qNNxku1k1gsD%2FpGCxIrO0e0y2styb6l6hhzJjcGwSCEPbS6MRA%2BA90qkVuNCgIucEDcJ5lkx0B2OOW4YW0Csc3", "https://vtbehaviour.commondatastorage.googleapis.com/aa7261397b39ae202abcfc337b8307c7d2532a9b7ee721f7a87a6f25aa59608d_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778308390&Signature=29e34JRtkg7NaukyKdD3mE9rGo0hrpCAePmGPmvrVPeeHY4ax13egnxzXVjOctDKN%2F26RdliQEdXTd301UZjrUIJxeMbNgmdXQ3AdU5y%2FV8c21ePTIEAIq2Onb%2Bq5kutHekqTdBS3d0tgfIBKVBE9kZsGWzbMQFPKPv%2B%2FDpvMZSgtM2dO2vord9nXbkwcHCYBrVWvVALPOmXc910%2BAWvZOsLaWmvQjsMI0DTAIUwyx0zveFkVWqa2XOJbD", "https://vtbehaviour.commondatastorage.googleapis.com/aa7261397b39ae202abcfc337b8307c7d2532a9b7ee721f7a87a6f25aa59608d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778308554&Signature=lODaur8GDc6MSh92WMx%2BV%2F7WRfkYjVs6kHiY4Sx12RcybRrsXaBC6oik%2FVeSMne1EODoqRn6AOcL%2FnIJ3J1ki%2Flrawz0HqWnxDTycnuefpWaPbw6abOU2796lcdgAMJxF9cGIDFHeaJDHQhbd0qeV07OK%2BhEKGGkjFWmqxOlqcTx526c%2FyRTuJaoFKrRzHVk9z2Xhv16kmnrY1VWhnBNyv3cMtVW076z2DheqC1Nya4ZJR3T", "https://vtbehaviour.commondatastorage.googleapis.com/fe2fcf32cc0d38931131fde27db1e5693774844075b4e3c33c82a3625f397a7d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778308630&Signature=tal7xZ9VHrLtK%2Fx5z4thfPUsqP4jnN7mnhQemzL4D6Jt%2BSk8bXHsrCdJlx%2Be1lnoGRVGwvwKCjx3CEIT2hLNbJt09HJOJW8y0ZHcSz%2BVuPuDQOe77pC%2F3yFozFW3vI7CEZI7ISt8C80aND1aciQHVQazVru6MO8fQbjeA78vsrN6MB0ZuxTE%2FXOh0gshhIYHplGRIVhhJx5waxIeoxWL1ZXsSC%2BoXwk4g44W5t38Y5Tkcf%2", "https://vtbehaviour.commondatastorage.googleapis.com/643c94812af9c0d32df3563b4c03f3a27bb3931df6d0bf98ed2028439df5c523_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778308947&Signature=alDMcpCHWUfDgEjmw6GuL5bYJ7WAgrYGXsYb8PfNczzjNzMmdclOsPPSd8nKJEDsDmNxeb2sw0hYiHkOza%2FRN9q8612YM9nTO2inlISRitzqqNDU6JlAsf97walR1G6zBOoJyqTiDrsSbx5evH65eHfvmspVqAXrb%2BQ47kPd56689I4BQ%2BsXgtfYNLYfi0tZCIDXf9zFVUl7yJpOaXHvd6%2FB7n3VeDqry5%2FrR9w%2Ftznq2oHOWz", "https://vtbehaviour.commondatastorage.googleapis.com/96726d252031408ce594cb2d0f49cc98a87d5742e5c7bf95b067158bf1ecbb5a_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778309020&Signature=vqlAf29Jh8gzLx2hXd4oK3SHSQ7rtDkDCKFUjJTgs37n6pJU8vOHAMY%2BZDsFv79mq1BdEHoY7nok%2B%2F8fXKVOYaTlt0eAlBTIvhYUtDyujmwblYEgNlDU1rpNNKmZ55W8WmPUBFmUN3AaCIOZIX5vA4HFg6qulPpJnXDQ57TINvsk4Wwf9mClPe97Ye9DE6zAZarXt7XMT2RTpxVJqTD143j7%2BeJGcwEPknT64TWHLEfitFThoeAdncSqpQS74B", "https://vtbehaviour.commondatastorage.googleapis.com/cb38f0c781c188c3fc2ace5f55a12f2a4833c1c5fc869e698cf7994041e4a135_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778309094&Signature=2X1UxXszEC0vdMoCHG30M8zifvQi45%2FJScJ8N3QaALRZ8JM5fIK5QIhWdv9eYZgDlMDjqEs9sECAtO16r8UbHNPoPwRNzqUN6f6UIq0L8Tj%2BIYQrjZo7NBhiH6eUgkTaHAoBU02WDYP5Ov0biBhHziqfTBQQ5yDFh0H9CPRlLUefNK%2BHM%2BQYLwGLUpQ5yBTv1Mh5suQ1PLSj3g%2Fz429aGgT0ianBgbW7IIV50lIP4m5cr5UUek3l", "https://vtbehaviour.commondatastorage.googleapis.com/643c94812af9c0d32df3563b4c03f3a27bb3931df6d0bf98ed2028439df5c523_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778309164&Signature=NWdp0fiFpH6Jr1kaVwKEFGn0Zk0wRKMQLorUPZy7WKGD3M381ZLQM1PRrWmvwz5bujAib4QiCiOLd8A7PMvTMnOKQXz%2BwsI8tZk1vXfRwW6DJpI8nj3KWKoP3btIoik2VBrWn%2Fr1xNdIJ4Ic2MQEfOpslObUTaNkvaOGbdedf8llYwYXllyZneCKuVP5wMIq72nExH21e3%2FIfViwNbHZFbKS6roKZkLx4V7XxVk94woz0KT1LUAS0dYh" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1592", "name": "Gather Victim Host Information", "display_name": "T1592 - Gather Victim Host Information" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 522, "IPv4": 409, "hostname": 645, "domain": 178, "URL": 786, "FileHash-SHA1": 288, "FileHash-SHA256": 392, "CVE": 1 }, "indicator_count": 3221, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "22 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "695089cbedad5c86f39b1363", "name": "Tracking Domains 03.03.26 (Updated Test)", "description": "Privacy Badger - Update on 01.09.26\nTracking domains on a hybrid (mobile laptop) clone of an AHS/Covenant Health, UAlberta (University of Alberta), and Government of Alberta Laptop.\nHealthcare: No Cybersecurity, EDU: No Cybersecurity / Remote only, GoA = Informed & don't quite know what to do or to whom this should be brought up with.", "modified": "2026-04-05T06:35:43.679000", "created": "2025-12-28T01:37:15.993000", "tags": [ "privacy badger", "sites general", "settings widget", "domains manage", "data privacy", "badger", "hide" ], "references": [ "https://hybrid-analysis.com/sample/6a8efb46a1811fab955b629b37b5c483a812cc66519436acd726ff2a854f7a86", "https://yaraify.abuse.ch/scan/results/32bfc760-1757-11f1-b47f-42010aa4000b", "https://polyswarm.network/scan/results/file/6a8efb46a1811fab955b629b37b5c483a812cc66519436acd726ff2a854f7a86", "https://app.threat.zone/submission/c8b0b1e4-0c9b-4210-b5ce-1dc2303445df/overview", "https://www.virustotal.com/gui/collection/18b52f4087178dedfee577ab7e53c5a86e84c2a7f901fa796240247f4be76f32/iocs", "https://www.virustotal.com/gui/collection/18b52f4087178dedfee577ab7e53c5a86e84c2a7f901fa796240247f4be76f32/summary", "https://www.virustotal.com/graph/embed/g6d4bce6162064ac09cd20411c1947e69d7d5a1d475f0447da023ac933d338fce?theme=dark", "https://viz.greynoise.io/ip/analysis/6356f330-63a7-4ce3-91fa-7ab355a1dc1a" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada", "United States of America", "Netherlands" ], "malware_families": [], "attack_ids": [], "industries": [ "Education", "Healthcare", "Government", "Technology", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 50404, "hostname": 10879, "URL": 715, "FileHash-MD5": 1 }, "indicator_count": 61999, "is_author": false, "is_subscribing": null, "subscriber_count": 132, "modified_text": "56 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64ed117e2308a042e50e1e9e", "name": "Investigation of Distribution Vectors and Threat Network Infrastructure", "description": "Targets: Individual(s), University of Alberta Infrastructure, Covenant Health (Alberta Health Services), TELUS Communications (Network & Mobile infrastructure), Government of Alberta, Government of Canada. International entities spanning primarily government, healthcare, and educational institutions.", "modified": "2025-11-23T23:20:07.571000", "created": "2023-08-28T21:28:30.294000", "tags": [ "Domains", "ip addresses", "URLs", "Files", "Alberta Health Services", "BEC", "Education", "University of Alberta", "Government of Alberta", "Covenant Health Alberta", "Telus Communications", "Canadian Universities", "Malicious Certificates", "Digital Identity Theft / Credential Theft" ], "references": [ "https://www.virustotal.com/gui/collection/27233a89c864ba0e77e672a8909fd63b4a8b6d457c9e4ff219f2a3e47db13376", "https://www.virustotal.com/gui/collection/50919d9e9d6d71522b641a3907ed32093293c400a2ae4faaab142f175c48de4b", "https://www.virustotal.com/gui/collection/bb0c0633dbe98b659fb06e07acd6e1f51ca43d3a1b4be09b4e9bfe8b3fde0cdb", "https://www.virustotal.com/gui/collection/b8a6d1fcd73207ba46eae6806b946c4b539f301e718f3fba21fa4e797d4b5783", "https://www.virustotal.com/gui/collection/bd65940df2423788fcc8623495dfdafdfd4236d93533db0256db5ff4347b65f9", "https://www.virustotal.com/gui/collection/2c8e8189f77f80c97f4192dff56750f9603651db2cc6cca045f53e274f4b090e", "https://www.virustotal.com/gui/collection/be10f2ed2776b9b4028ac868814ab14bdd576ca5e5bce877ac2954389ba9d328", "https://www.virustotal.com/gui/collection/33a61b144ffdece76551464e76866ab59346f0fa3f1f97380b401c1ac3f0d305", "https://www.virustotal.com/gui/collection/d142f78015e1c929cedae31dba7e5b735b6dedfc31e4759d8ec5f02c16328b98", "https://www.virustotal.com/gui/collection/02bef6a3cf1a035ad5bfb238cac2e913f4ed9425847d7cec5e7dc4097aa3c352", "https://www.virustotal.com/gui/collection/343b947063e58a53ca281f5ad54a72a7fa1b9b6e4c1ca84de6202b99e3126327/summary", "https://www.virustotal.com/gui/collection/3bf1c0922ee6f4d041effbf9f72a21a1e9f4b38d0593cfbeaca24851cf712eac", "https://www.virustotal.com/gui/collection/2cdadbf6aa2ec4f9815c038b0e9375b1475ac7e049fd123861d6e925e7802c6a", "https://www.virustotal.com/gui/collection/ba238f4d585b87abb85c126f927090cb866facfa9e4e2e0db8e307aff553397d", "https://www.virustotal.com/gui/collection/385f419c1c3733dd9dd151d4403bdb38cb24d12c21f18ce8f4f41d818d7a12a5/summary", "https://www.virustotal.com/gui/collection/9220d9375ebb4289fdbc4a7aac232b75a5c1b01e5e27edd965982bc6fe28f0e2", "https://www.virustotal.com/gui/collection/343b947063e58a53ca281f5ad54a72a7fa1b9b6e4c1ca84de6202b99e3126327", "https://www.virustotal.com/gui/collection/fd8ebe64d72b2ad9e90773791522c3ec5863868dc3b9c58a929c6b4e01bb3042", "https://www.virustotal.com/gui/collection/8d65d93130b4775903adbffbb53820d40bb9425dcf1848b806ffee65ee883984", "https://www.virustotal.com/gui/collection/385f419c1c3733dd9dd151d4403bdb38cb24d12c21f18ce8f4f41d818d7a12a5", "https://www.virustotal.com/gui/collection/6434f0cf09638991baf3be289834696b46e11c4c6cbe1e7b9548f9ac27372b53", "https://www.virustotal.com/gui/collection/bc7e252dcc07855314e153efe890d70e7a7e9b8a743e171eac31e5951260c1b7", "https://www.virustotal.com/gui/collection/dbf356b0a281fa94308e2e24738d839491491bfb2defa4e6c42662646e52c8f8", "https://www.virustotal.com/gui/collection/f60b8061133367a1047262a1e90d54cd72de4d59885c267906c6eeb557a35500", "https://www.virustotal.com/gui/collection/da124f42943c08f1cafdc1c42635457b0c69ccce41b4031263af3235717996a2/summary", "https://www.virustotal.com/gui/collection/daab0521ae533cbdfeec047e51a9499aedfd27c8cc05c644950126c1947131f9", "https://www.virustotal.com/gui/collection/12100cb4982365cfe5122fcedda2c084d60cebe09314846cae980c36fc90fc8c/iocs", "https://www.virustotal.com/graph/embed/g9219350397134ff3a645319a88b67833077c9cf0f50d4979aa0239a3d0b6ecea?theme=dark", "https://www.virustotal.com/gui/collection/c1ea74232c607b23ded09484664f00ae58f911ccb82433d042056cbb84c9d602", "https://www.virustotal.com/gui/collection/c1ea74232c607b23ded09484664f00ae58f911ccb82433d042056cbb84c9d602/graph", "https://www.virustotal.com/gui/collection/c1ea74232c607b23ded09484664f00ae58f911ccb82433d042056cbb84c9d602/iocs", "https://www.virustotal.com/gui/collection/da35693aa528a682ca91aee332c8155d99ac8e4a13077cc73b2a8921c8fea36b", "https://www.virustotal.com/gui/collection/1497c56a475d73236c67292964eabd7f8961f88c57fa5a2e3f30720dc29a51e7", "https://www.virustotal.com/gui/collection/8228434e85241bd42ae063de8cf2ee2afb86f0848675ed11e3f33b967e8c3c7c", "https://www.virustotal.com/gui/collection/aabd4abecf7099202ccbfbc1cec130ea266329ade38b040169399c6abf97a188", "https://www.virustotal.com/gui/collection/6a4e699473879d39e15ed7cd130f2ee9543f842b92c9ad8b78e310968f4b086f", "https://www.virustotal.com/graph/embed/g3dae42eb79cc447182e3a3dd746e462f0903d71c784d4f5cacf970954deea221?theme=dark", "https://www.virustotal.com/graph/embed/gc0d82762363b4aa88991027c391afdbfe9585395bd8d4273bbe09907fbfaf532?theme=light", "https://www.virustotal.com/graph/embed/g78ea5ea9b68b4a4bbcd2bc078e23b321985e72d90da146c19d8d80ede366c1fa?theme=dark", "https://www.virustotal.com/gui/collection/8f89eb9579ca53d15294ec27a4c1e763998ce57d3644ea746621d9fe0cb57e55/iocs", "https://www.virustotal.com/graph/g994d0094226240eba65c081dfbc3e4936aa010abf4db48049e3a964e7c5ad076", "https://www.virustotal.com/gui/collection/86f3d77a28744357c14d92dba7ac6302d57700308c64b641513119d8fcad411f/iocs", "https://www.virustotal.com/graph/g38632f8b939b443ab3b69f6a3171d02ffd2696a0f3714325a84b9a5f227a7d1c", "https://www.virustotal.com/gui/collection/4b166c2c1752d85215da951b15a065688bfe24ea92c65228a45ded6f2d94685b/iocs", "https://www.virustotal.com/graph/embed/g798b5e01446c4711ba22802009d71f5ba78553df16794088a907ae7456e2a017?theme=dark", "https://www.virustotal.com/gui/collection/86f3d77a28744357c14d92dba7ac6302d57700308c64b641513119d8fcad411f", "https://www.virustotal.com/gui/collection/a6a81c8412b19ac6357a7c6e978c31a38d52a75fbb3b2e44f0f1a2bf0deb8a58/iocs", "https://www.virustotal.com/graph/embed/g699a7b9bfb324855859555181d01666c372310cf233441e08a095459b3394dea?theme=dark", "https://www.virustotal.com/graph/embed/g6a67af8ffa22446da35d6989d7d0bc47efcd295eb893471e9b4912080c1dddef?theme=dark", "https://www.virustotal.com/graph/embed/g23481631a7c745c6ba19f72ce9f853643d17706c08ab44eb8851eb5c56c0f073?theme=dark", "https://www.virustotal.com/graph/embed/g3b316b58b8c54064b322b2e186d62950d7632add2f3f408f8d8a1706563fd3c0?theme=dark", "https://www.virustotal.com/graph/embed/g994d0094226240eba65c081dfbc3e4936aa010abf4db48049e3a964e7c5ad076?theme=dark", "https://www.virustotal.com/graph/g40f442f2b5d64cba818cac88855ba4ce274d109ce4ef4fb496f1af4efb993886", "https://www.virustotal.com/gui/collection/0c9360cb9f8601bd6cdf912eb414d67902487f0c4eec96e952377e300ff4e983/iocs", "https://www.virustotal.com/gui/collection/a1866f4c7dbc79920d0c7e914a3bace0d3dc424a2aac06bf30bf724c6c8b0375/iocs", "https://www.virustotal.com/gui/collection/82dc29932b9184d02b037289fd4605c158e96a57f376b08a8b2b94e43d0ae18b/iocs", "https://viz.greynoise.io/ip/analysis/ae06b3b5-c746-4b44-b2ac-19bb3aea14a1 [11.23.25 - 1000ipv4]" ], "public": 1, "adversary": "Unknown APT Group(s) / Threat Actor (s)", "targeted_countries": [ "Canada", "United States of America", "Philippines", "Panama", "Netherlands", "Anguilla", "Saint Vincent and the Grenadines", "Aruba", "Mexico", "Guatemala", "Costa Rica", "Tanzania, United Republic of" ], "malware_families": [], "attack_ids": [], "industries": [ "Education", "Healthcare", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 111, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 236, "FileHash-SHA1": 139, "FileHash-SHA256": 1421, "URL": 9580, "CIDR": 30, "domain": 10205, "email": 12, "hostname": 517612, "IPv4": 11, "CVE": 62 }, "indicator_count": 539308, "is_author": false, "is_subscribing": null, "subscriber_count": 146, "modified_text": "188 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "691b61e16cea7624a6606a69", "name": "For Later", "description": "***", "modified": "2025-11-17T18:46:19.094000", "created": "2025-11-17T17:56:49.875000", "tags": [ "wormhole", "want", "sign", "submit send", "copy", "share show", "report delete", "faq roadmap", "security legal", "twitter discord", "protected" ], "references": [ "https://wormhole.app/Pp5DdP#3EpzsqLhw5lJdQ0Xe_mRQA", "https://www.virustotal.com/gui/collection/18b52f4087178dedfee577ab7e53c5a86e84c2a7f901fa796240247f4be76f32/iocs" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 72127, "hostname": 16700, "URL": 50 }, "indicator_count": 88877, "is_author": false, "is_subscribing": null, "subscriber_count": 131, "modified_text": "195 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67f5555b6ce863d998e83e26", "name": "macOS Threat Infrastructure Leveraging Remote Agents via remotewd.com and rtmsprod.net", "description": "This pulse identifies an actively observed macOS-focused remote access infrastructure abusing trusted native Apple agents (ARDAgent.app, SSMenuAgent.app) and communicating with a distributed network of C2-like endpoints under domains such as remotewd.com, idsremoteurlconnectionagent.app, and rtmsprod.net.\n\nThe infrastructure is composed of dynamically generated subdomains \u2014 many in the form of device-.remotewd.com \u2014 indicative of automated deployment, system tracking, or per-host remote access configurations.\n\nAdditional indicators include HTTP/S URLs pointing directly to embedded binary paths within macOS agents, suggesting possible delivery vectors, staging, or persistence techniques.\n\nThis campaign shows signs of structured, programmatic targeting and is highly likely to be pre-operational infrastructure for wide-scale surveillance or access operations. All listed indicators should be considered high-risk. If observed in your environment, initiate a full forensic and IR process immediately.", "modified": "2025-05-11T19:03:59.885000", "created": "2025-04-08T16:56:59.641000", "tags": [ "generated from", "do not", "edit uri", "urls", "edit", "rewriteengine", "rewritecond", "rewriterule", "r301", "xml2encalias", "beralloct", "berbvarrayadd", "berbvarrayfree", "berbvdup", "berbvecadd", "berbvecfree", "berbvfree", "berdump", "berdup", "berdupbv", "laerrordomain", "laerrornoncekey", "lamechanismtree", "lacontext", "ladomainstate", "laenvironment", "lanotification", "laprivatekey", "lapublickey", "laright", "apple swift", "o librarylevel", "combine import", "foundation", "swift import", "mcpeerid", "mcsession", "property", "copyright", "protocol", "class", "bonjour", "ascii lowercase", "abc company", "section", "bonjour txt", "note", "ui element", "utf8 encoding", "nscopying", "nsdictionary", "nsstring", "mcextern", "attribute", "mcextern extern", "mcexternweak", "nsenum", "nsinteger", "mcerrorcode", "mcerrorunknown", "mcerrortimedout", "peer", "example", "bonjour apis", "stop", "tags", "session", "nsprogress", "nserror", "nsurl", "nsarray", "create", "nsuinteger", "notifies", "mcsession api", "interface", "dbictrace", "dbivporth", "dbictracelevel", "dbdtffoo", "dbihseterrchar", "dbicstate", "dbictraceflags", "provides macros", "dbi release", "only", "sqlsuccess", "odbc", "sqlok", "tim bunce", "england", "sql cli", "sql datatype", "sqlguid", "sqlwlongvarchar", "main", "beware", "sv sth", "sv dbh", "impsth", "impdbh", "sv keysv", "sv params", "sv attr", "sv attribs", "sv drh", "void", "fri jul", "mixed", "dbixsrevision", "plsvundef", "license", "spagain", "perlioprintf", "dbiclogpio", "putback", "ireland", "gnu general", "super", "magic", "dbicflags", "dbis", "svrv", "null", "imp2com", "dbicactivekids", "dbicfiadestroy", "sv h", "dbicdbistate", "code", "copy", "refer", "trace", "error", "unknown", "hookopcheckh", "startexternc", "hookopcheckcb", "userdata", "endexternc", "isinternalbuild", "kickmcxdforuid", "loadappkit", "ardconfig", "authenticator", "dsauthenticator", "dsnode", "dsrecord", "group", "hostconfig", "apfsvolumelock", "apfsvolumerole", "aoskgetosinfo", "aoskgetuserinfo", "aosaddappleid", "aosdisablepcs", "aosenablepcs", "aoslog", "aoslogforce", "aosrelaycookie", "didfailcallback", "kaosaccountkey", "kapcsbundle", "kapcspath", "kjsonextension", "apcsbucketid", "apcsreports", "apconfiguration", "apversiondata", "apversionhelper", "systemvolumesvm", "name size", "identifier", "gb disk0s3", "devdisk3", "apfs container", "scheme", "physical store", "macintosh hd", "apfs snapshot", "preboot", "refs address", "size wired", "name", "version", "uuid", "linked against", "renderer", "helper", "chrome helper", "contains", "cloud ui", "macintosh", "khtml", "gecko", "ui helper", "plugin", "service", "good", "battery power", "apfs encryption", "jumpcloud go", "chrome web", "store", "privacy badger", "flowcrypt", "encrypt gmail", "simple", "google", "b2b phone", "number", "apollo", "future", "exccrash", "sigkill", "code signature", "invalid", "sigabrt", "protonvpn", "excguard", "excbreakpoint", "sigtrap", "excbadaccess", "appl", "english", "adobe crash", "adobe", "acrobat dcadobe", "processor", "uninstaller", "assistant", "install", "cloud", "dock", "calendar", "music", "terminal", "tips", "installer", "updater", "proton", "tools", "stub", "python", "clock", "powershell", "team", "rave scout", "cookies", "public folder", "key cert", "sign", "crl sign", "root ca", "authority", "public primary", "global root", "verisign", "academic", "premium", "adaptive", "interactive", "background", "standard", "launchd sandbox", "s mdworker", "agent", "command line", "progress", "yubico", "macos13action", "disableoverride", "disableairdrop", "denyactivation", "enable", "loginwindowtext", "jumpcloud", "autoupdate", "loggingoption", "enablefirewall", "arm64e", "apple m2", "mac142", "kjqqtw7pqt", "daemon", "server", "open directory", "user", "account", "kerberos admin", "kerberos change", "device daemon", "network", "desktop", "screensaver", "bridge", "aesxtsarm", "aesecbarm", "sha512vngarmhw", "sha384vngarmhw", "sha256vngarm", "sha1vngarm", "darwin kernel", "wed mar", "wkarraycreate", "wkbooleancreate", "wkcontextcreate", "wkdatacreate", "wkdatagettypeid", "wkdoublecreate", "wkframecopyurl", "wkgettypeid", "wkimagecreate", "wkpagecandelete", "webview", "notice", "this software", "including", "but not", "limited to", "redistribution", "is provided", "by apple", "direct", "damage", "apiavailable", "webkit", "nsswiftname", "document", "a block", "as is", "hasinclude", "wkdownload", "abstract", "wkerrorcode", "wkerrorunknown", "discussion", "bool", "whether", "wkcontentworld", "wkwebview", "javascript", "nsunavailable", "vaargs", "nsswiftasync", "wkswiftasync", "wkcookiepolicy", "wkswiftuiactor", "nshttpcookie", "targetosiphone", "wknavigation", "decides", "boolean value", "apideprecated", "methodkind", "wkerrordomain", "wkscriptmessage", "promise", "fulfill", "const", "url scheme", "mark", "wkuserscript", "targetosvision", "param", "wkframeinfo", "targetosios", "pass", "window", "mime type", "link", "nsimage", "returns", "nsset", "checks", "matches", "a boolean", "defaults", "wkwebextension", "cgsize", "uiimage", "apis", "nsdate", "wkcontentmode", "wkextern", "possible", "cgfloat", "media", "cgrect", "apiunavailable", "framework", "nsswiftuiactor", "targetoswatch", "confirms", "apple upgrade", "nsstring user", "nsobject", "provider", "apple", "password", "uicontrol", "nscontrol", "asuseragerange", "check", "opaque user", "apple id", "initiate", "asauthorization", "operation", "state", "nserrorenum", "nsdata", "relying party", "asapiavailable", "perform", "realm", "http response", "authorization", "http", "oauth", "saml", "a byte", "nsdata userid", "relying", "a string", "nsdata readdata", "bool didwrite", "a cose", "nsdata first", "nsdata second", "nsstring name", "bool appid", "targetosxr", "nsstring appid", "bluetooth", "mdm profile", "nsurl url", "returns yes", "a state", "a json", "web token", "private seckeys", "enables", "keychain", "asswiftsendable", "cose algorithm", "ecdsa", "sha256", "cose curve", "p256", "nullable", "bool success", "remove", "call", "complete", "initializes", "time code", "extensions", "asextern extern", "asextern", "nsswiftsendable", "prepare", "list", "nsextension", "attempt", "nsstring label", "creates", "nsstring code", "a key", "webauthn", "nssecurecoding", "input", "output", "initialize", "nsinteger rank", "json", "inputs", "hash", "nsstring origin", "settings app", "extension", "https urls", "safari", "cancel", "nsuuid uuid", "r uftpexu", "nsmutabledata", "vnsdate", "mprcjy", "postfix", "domain", "canonical", "tables", "ldap", "post", "replace user", "address", "wietse venema", "bugs", "mail", "aliases", "postfix version", "restrict", "sample", "person", "basic system", "general", "reject empty", "postfix smtp", "ipv6 host", "reject", "reply", "access", "prior", "hold", "info", "mail delivery", "charset", "system", "report", "postfix dsn", "mail returned", "this", "generic", "smtp", "isp mail", "mime", "headerchecks", "readme files", "filters while", "posix", "empty", "body", "write", "date", "smtp server", "specify", "mx host", "unix password", "user unknown", "pathbin", "postfix queue", "unix", "cyrus", "path", "uucp", "shell", "local", "program", "agreement", "contributor", "recipient", "contribution", "the program", "corporation", "contributors", "product x", "as expressly", "arch", "arch x8664", "pipe wall", "wimplicit", "ranlib", "warn", "switch", "start", "systype", "outlook", "postfix master", "begin", "server admin", "mail backend", "modern smtp", "iana", "many", "postfix pipe", "recent cyrus", "amos gouaux", "old example", "or even", "lutz jaenicke", "technology", "cottbus", "germany", "openssl package", "openssl project", "europe", "remember that", "use of", "file", "update", "usrsbin", "file format", "no group", "daemondirectory", "deliver mail", "transport", "description", "result format", "virtual", "virtual alias", "redirect mail", "relocated", "matches user", "synopsis", "lastname", "firstname", "apple computer", "tcpip", "supported", "quantum", "facility", "level", "level info", "broadcast", "ignore", "rules", "sender", "automounter map", "use directory", "get home", "home autohome", "true", "t option", "mount", "force", "environment", "automountdenv", "promptcommand", "shellsessiondir", "histfile", "histfilesize", "myvar", "histtimeformat", "arrange", "bashrematch", "tell", "ps1h", "make bash", "s checkwinsize", "etcbashrc", "termprogram", "inpck", "nnnbaud", "berkeley", "parity", "pc entry", "pass8", "parenb istrip", "fixed speed", "entry", "clocal mode", "maxhistsize", "promptmode", "verbose end", "etcirbrcloaded", "default", "setup", "history file", "kernel", "readline", "jabber", "group database", "dovecot", "postfix scsd", "networkd", "searchpaths", "freebsd", "tmpdir", "fcodes", "prunepaths", "vartmp", "prunedirs", "filesystems", "nroff", "manpath", "uncomment", "manpager", "whatispager", "manlocale", "every", "manpath optman", "maybe", "troff", "status mailfrom", "returnpath via", "pidfile", "flags", "bcgjnuwz", "bin usrsbin", "sbin", "default pf", "care", "audio", "user database", "unix copy", "gate daemon", "bashno", "r etcbashrc", "rfc1323", "m1460", "macos x", "signature", "linux", "opera", "xp sp1", "windows sp1", "nmap syn", "m265", "synack", "mind", "macos", "warp", "ipv6", "internet", "icmp", "cisco", "monitoring", "argus", "chaos", "rsvp", "encapsulation", "aris", "isis", "netbootmount", "netbootshadow", "computername", "localonly", "localnetbootdir", "netboot", "define", "purpose", "networkonly", "waiting", "networkup", "term", "devnull", "common setup", "configure", "set command", "dns hostname", "dns query", "see also", "kame", "sunnet manager", "rpcsrc", "netlicense", "ftpd", "bindash binksh", "binsh bintcsh", "jumpcloud ldap", "smb2", "security", "workgroup", "standalone", "samba server", "enforce", "smb3", "example share", "improper use", "ctrlc", "none", "fax reception", "hardwired", "0007", "must", "visudo", "blocksize", "charset lang", "language lcall", "lines columns", "lscolors", "sshauthsock", "orion", "setup user", "home", "zdotdir", "delete", "beep", "vendor", "kf10", "kf11", "kf12", "kf13", "backspace", "insert", "resume", "termsessionid", "savehist", "sharehistory", "h do", "volume", "de l", "l uuid", "m tra", "n est", "suuid", "prfen", "fusion", "syst", "look", "executant", "alla", "over", "test", "overie", "zapis", "rapid", "disco usa", "de macos", "nie s", "i denne", "adgjmpsvx", "diskgthis disk", "01k8x j", "34disk", "levy kytt", "dict", "array", "plist", "apple root", "code signing", "inode64r", "xofkoxzh", "integer", "doctype", "brain", "abcd", "ogwo", "boaw", "cobwa", "uhawavauatsh", "ip bitmap", "foewdc", "could", "ip block", "funcs", "cogwo", "trash", "double", "hunt", "affa", "carr", "crypto", "docwbac", "q1b0", "q1 0", "h h5", "docwbag", "slice", "format", "zero", "alfa", "hera", "lelei", "hehe", "hisp", "fail", "katy", "zakk", "eodwcbgao", "hhk8di", "alma", "topo", "open", "huhk", "piper", "hehx", "eh ui", "h20hph", "hif h", "hmhhihqhyla hq", "r11b0", "target", "uus10u", "hifh", "loghookfailed", "loghook", "hell", "q1b 0", "f duh", "aqw1", "1160" ], "references": [ "index.html.en", "bind.html", "caching.html", "BUILDING", "configuring.html", "content-negotiation.html", "custom-error.html", "convenience.map", "LDAP.tbd", "lber.h", "ldap.h", "LocalAuthentication.tbd", "arm64e-apple-macos.swiftinterface", "x86_64-apple-ios-macabi.swiftinterface", "arm64e-apple-ios-macabi.swiftinterface", "x86_64-apple-macos.swiftinterface", "MultipeerConnectivity.tbd", "module.modulemap", "MCNearbyServiceAdvertiser.h", "MCPeerID.h", "MCError.h", "MCNearbyServiceBrowser.h", "MCAdvertiserAssistant.h", "MultipeerConnectivity.apinotes", "MultipeerConnectivity.h", "MCSession.h", "MCBrowserViewController.h", "dbivport.h", "dbi_sql.h", "dbd_xsh.h", "dbixs_rev.h", "Driver_xst.h", "DBIXS.h", "hook_op_check.h", "Admin.tbd", "AirPlayReceiver.tbd", "apfs_boot_mount.tbd", "AOSKit.tbd", "APConfigurationSystem.tbd", "AppleFirmwareUpdate.tbd", "launchdaemons.txt", "preboot_archive_errors.log", "mounts.txt", "launchagents.txt", "disk_structure.txt", "user_launchagents.txt", "security_status.txt", "kexts.txt", "process_list.txt", "battery.csv", "diskEncryption.csv", "chromeExtensions.csv", "crashes.csv", "interfaceAddrs.csv", "kernel.csv", "interfaceDetails.csv", "etcHosts.csv", "applications.csv", "mounts.csv", "sharedFolders.csv", "certificates.csv", "sharingPreferences.csv", "launchD.csv", "usbDevices.csv", "managedPolicies.csv", "systemInfo.csv", "users.csv", "sipConfig.csv", "systemControls.csv", "canonical", "aliases", "custom_header_checks", "access", "bounce.cf.default", "generic", "header_checks", "main.cf.default", "LICENSE", "makedefs.out", "main.cf", "master.cf.default", "main.cf.proto", "master.cf.proto", "master.cf", "TLS_LICENSE", "postfix-files", "transport", "virtual", "relocated", "afpovertcp.cfg", "asl.conf", "auto_home", "auto_master", "autofs.conf", "bashrc_Apple_Terminal", "com.apple.screensharing.agent.launchd", "bashrc", "command_args.json", "csh.cshrc", "csh.login", "find.codes", "csh.logout", "ftpusers", "gettytab", "irbrc", "kern_loader.conf", "group", "locate.rc", "man.conf", "mail.rc", "manpaths", "networks", "nfs.conf", "newsyslog.conf", "ntp_opendirectory.conf", "ntp.conf", "notify.conf", "paths", "pf.conf", "passwd", "profile", "pf.os", "protocols", "rc.netboot", "rc.common", "rmtab", "resolv.conf", "rtadvd.conf", "rpc", "shells", "smb.conf", "sudo_lecture", "ttys", "syslog.conf", "xtab", "sudoers", "zprofile", "zshrc", "zshrc_Apple_Terminal", "CodeResources", "version.plist", "Info.plist" ], "public": 1, "adversary": "DragonForce Malaysia Hacker Group", "targeted_countries": [], "malware_families": [ { "id": "Lastname", "display_name": "Lastname", "target": null }, { "id": "Firstname", "display_name": "Firstname", "target": null } ], "attack_ids": [ { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 66, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ilyailya", "id": "298851", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 4449, "domain": 3847, "URL": 14263, "FileHash-SHA256": 2356, "FileHash-MD5": 223, "FileHash-SHA1": 523, "email": 223, "CVE": 40, "CIDR": 12, "SSLCertFingerprint": 302 }, "indicator_count": 26238, "is_author": false, "is_subscribing": null, "subscriber_count": 37, "modified_text": "385 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66b0fa3624bf0384e427f2e7", "name": "Tracking Domains 4.2 - 08.19.24", "description": "Tracking Domains detected by Privacy Badger Ext. on Microsoft Edge Browser (W11 Device) using Telus ISP (ASN852)\n*Not-Enriched (08.05.24): ~50,000 suggests IOCs by AlienVault\nFrom VT: 2 IPs hosted by 45090 (Shenzhen Tencent Computer Systems Company Limited) & 4611 (CNNIC member) seem to be the problem here 118[.]89.204.198, 118[.]89.0.0/16 & 202[.]123.107.15, 202[.]123.107.0/24 (Respectively)", "modified": "2024-09-04T15:01:01.432000", "created": "2024-08-05T16:13:42.563000", "tags": [], "references": [ "https://www.virustotal.com/gui/collection/21cbd369ea901f41d51b666439aa41070c76eafb66dbbc6e56c86e0923b1569f/iocs", "https://www.virustotal.com/gui/collection/21cbd369ea901f41d51b666439aa41070c76eafb66dbbc6e56c86e0923b1569f/summary", "https://www.virustotal.com/gui/collection/21cbd369ea901f41d51b666439aa41070c76eafb66dbbc6e56c86e0923b1569f/graph", "https://www.virustotal.com/graph/embed/ge839428bb3e24a98aae8cbcc242ae4d8febdc0c46e49411ebb09d155e22b4bbc?theme=dark", "https://viz.greynoise.io/query/AS4611", "https://urlscan.io/asn/AS4611", "https://urlscan.io/search/#asn:%22AS4611%22", "https://urlscan.io/asn/AS45090", "https://urlscan.io/search/#asn%3A%22AS45090%22", "https://viz.greynoise.io/query/AS45090", "https://urlscan.io/result/aeb42615-79b7-465d-924e-c9bdde3eefd1/#transactions", "https://urlscan.io/result/d4bf08e4-88dc-4bf8-be34-6b352576882e/#behaviour", "Filescan[.]io report: bc47c757-0a4d-4659-98d4-5d0c86406462 (08.23.24)", "https://krebsonsecurity.com/2024/07/dont-let-your-domain-name-be" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada", "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [ "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 6180, "FileHash-MD5": 1, "domain": 24921, "URL": 10854 }, "indicator_count": 41956, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "634 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66269b1f33258a8e26033b17", "name": "Tracking Domains - Part 4.1", "description": "More Tracking Domains", "modified": "2024-08-30T13:02:28.335000", "created": "2024-04-22T17:15:11.398000", "tags": [ "Tracking Domains" ], "references": [ "https://www.virustotal.com/gui/collection/ee0928d5289165511398be0144460ff4c8663292be0a99a05ac955de2728a078/iocs", "https://www.virustotal.com/graph/embed/g0844b0f8d48c4bfab3ae40a376456055e267e54952fe40e0a79f63cc17550863?theme=dark", "https://viz.greynoise.io/analysis/02a64dd4-d7e0-451c-8384-13cf23298551" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada", "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [ "Technology", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 94496, "FileHash-MD5": 63, "domain": 112327, "URL": 166918, "FileHash-SHA1": 33, "FileHash-SHA256": 103, "CIDR": 216 }, "indicator_count": 374156, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "639 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "666774134b5d67851d698dde", "name": "bnpl_driver.js related", "description": "", "modified": "2024-07-10T21:04:12.574000", "created": "2024-06-10T21:45:55.732000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 470, "FileHash-MD5": 13, "FileHash-SHA1": 2, "FileHash-SHA256": 979, "domain": 206, "email": 6, "hostname": 186 }, "indicator_count": 1862, "is_author": false, "is_subscribing": null, "subscriber_count": 183, "modified_text": "689 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66269b204ecfba63974dc1d8", "name": "Tracking Domains - Part 4", "description": "More Tracking Domains", "modified": "2024-05-22T17:04:45.215000", "created": "2024-04-22T17:15:12.353000", "tags": [ "Tracking Domains" ], "references": [ "https://www.virustotal.com/gui/collection/ee0928d5289165511398be0144460ff4c8663292be0a99a05ac955de2728a078/iocs", "https://www.virustotal.com/graph/embed/g0844b0f8d48c4bfab3ae40a376456055e267e54952fe40e0a79f63cc17550863?theme=dark" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada", "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [ "Technology", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 792, "FileHash-MD5": 1, "domain": 5803, "URL": 2 }, "indicator_count": 6598, "is_author": false, "is_subscribing": null, "subscriber_count": 136, "modified_text": "739 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "653f152513c2dcc0f4e3406e", "name": "Threat Network Root & Distribution Vectors Probe", "description": "", "modified": "2023-10-30T02:29:57.489000", "created": "2023-10-30T02:29:57.489000", "tags": [ "Domains", "ip addresses", "URLs", "Files", "Alberta Health Services", "BEC", "Education", "University of Alberta", "Government of Alberta", "Covenant Health Alberta", "Telus Communications", "Canadian Universities", "Malicious Certificates", "Digital Identity Theft / Credential Theft" ], "references": [ "https://www.virustotal.com/gui/collection/27233a89c864ba0e77e672a8909fd63b4a8b6d457c9e4ff219f2a3e47db13376", "https://www.virustotal.com/gui/collection/50919d9e9d6d71522b641a3907ed32093293c400a2ae4faaab142f175c48de4b", "https://www.virustotal.com/gui/collection/bb0c0633dbe98b659fb06e07acd6e1f51ca43d3a1b4be09b4e9bfe8b3fde0cdb", "https://www.virustotal.com/gui/collection/b8a6d1fcd73207ba46eae6806b946c4b539f301e718f3fba21fa4e797d4b5783", "https://www.virustotal.com/gui/collection/bd65940df2423788fcc8623495dfdafdfd4236d93533db0256db5ff4347b65f9", "https://www.virustotal.com/gui/collection/2c8e8189f77f80c97f4192dff56750f9603651db2cc6cca045f53e274f4b090e", "https://www.virustotal.com/gui/collection/be10f2ed2776b9b4028ac868814ab14bdd576ca5e5bce877ac2954389ba9d328", "https://www.virustotal.com/gui/collection/33a61b144ffdece76551464e76866ab59346f0fa3f1f97380b401c1ac3f0d305", "https://www.virustotal.com/gui/collection/d142f78015e1c929cedae31dba7e5b735b6dedfc31e4759d8ec5f02c16328b98", "https://www.virustotal.com/gui/collection/02bef6a3cf1a035ad5bfb238cac2e913f4ed9425847d7cec5e7dc4097aa3c352", "https://www.virustotal.com/gui/collection/343b947063e58a53ca281f5ad54a72a7fa1b9b6e4c1ca84de6202b99e3126327/summary" ], "public": 1, "adversary": "Unknown APT Group(s) / Threat Actor (s)", "targeted_countries": [ "Canada", "United States of America", "Philippines", "Panama", "Netherlands", "Anguilla", "Saint Vincent and the Grenadines", "Aruba", "Mexico", "Guatemala", "Costa Rica", "Tanzania, United Republic of" ], "malware_families": [], "attack_ids": [], "industries": [ "Education", "Healthcare", "Government" ], "TLP": "white", "cloned_from": "65133d6945641812c2ccc6ee", "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 230, "FileHash-SHA1": 139, "FileHash-SHA256": 1197, "URL": 9276, "CIDR": 16, "domain": 7895, "email": 2, "hostname": 1965 }, "indicator_count": 20720, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "944 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "653f1524792f3064843d826f", "name": "Threat Network Root & Distribution Vectors Probe", "description": "", "modified": "2023-10-30T02:29:56.006000", "created": "2023-10-30T02:29:56.006000", "tags": [ "Domains", "ip addresses", "URLs", "Files", "Alberta Health Services", "BEC", "Education", "University of Alberta", "Government of Alberta", "Covenant Health Alberta", "Telus Communications", "Canadian Universities", "Malicious Certificates", "Digital Identity Theft / Credential Theft" ], "references": [ "https://www.virustotal.com/gui/collection/27233a89c864ba0e77e672a8909fd63b4a8b6d457c9e4ff219f2a3e47db13376", "https://www.virustotal.com/gui/collection/50919d9e9d6d71522b641a3907ed32093293c400a2ae4faaab142f175c48de4b", "https://www.virustotal.com/gui/collection/bb0c0633dbe98b659fb06e07acd6e1f51ca43d3a1b4be09b4e9bfe8b3fde0cdb", "https://www.virustotal.com/gui/collection/b8a6d1fcd73207ba46eae6806b946c4b539f301e718f3fba21fa4e797d4b5783", "https://www.virustotal.com/gui/collection/bd65940df2423788fcc8623495dfdafdfd4236d93533db0256db5ff4347b65f9", "https://www.virustotal.com/gui/collection/2c8e8189f77f80c97f4192dff56750f9603651db2cc6cca045f53e274f4b090e", "https://www.virustotal.com/gui/collection/be10f2ed2776b9b4028ac868814ab14bdd576ca5e5bce877ac2954389ba9d328", "https://www.virustotal.com/gui/collection/33a61b144ffdece76551464e76866ab59346f0fa3f1f97380b401c1ac3f0d305", "https://www.virustotal.com/gui/collection/d142f78015e1c929cedae31dba7e5b735b6dedfc31e4759d8ec5f02c16328b98", "https://www.virustotal.com/gui/collection/02bef6a3cf1a035ad5bfb238cac2e913f4ed9425847d7cec5e7dc4097aa3c352", "https://www.virustotal.com/gui/collection/343b947063e58a53ca281f5ad54a72a7fa1b9b6e4c1ca84de6202b99e3126327/summary" ], "public": 1, "adversary": "Unknown APT Group(s) / Threat Actor (s)", "targeted_countries": [ "Canada", "United States of America", "Philippines", "Panama", "Netherlands", "Anguilla", "Saint Vincent and the Grenadines", "Aruba", "Mexico", "Guatemala", "Costa Rica", "Tanzania, United Republic of" ], "malware_families": [], "attack_ids": [], "industries": [ "Education", "Healthcare", "Government" ], "TLP": "white", "cloned_from": "65133d6945641812c2ccc6ee", "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 230, "FileHash-SHA1": 139, "FileHash-SHA256": 1197, "URL": 9276, "CIDR": 16, "domain": 7895, "email": 2, "hostname": 1965 }, "indicator_count": 20720, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "944 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65133d6945641812c2ccc6ee", "name": "Threat Network Root & Distribution Vectors Probe", "description": "", "modified": "2023-09-27T21:01:26.901000", "created": "2023-09-26T20:22:01.290000", "tags": [ "Domains", "ip addresses", "URLs", "Files", "Alberta Health Services", "BEC", "Education", "University of Alberta", "Government of Alberta", "Covenant Health Alberta", "Telus Communications", "Canadian Universities", "Malicious Certificates", "Digital Identity Theft / Credential Theft" ], "references": [ "https://www.virustotal.com/gui/collection/27233a89c864ba0e77e672a8909fd63b4a8b6d457c9e4ff219f2a3e47db13376", "https://www.virustotal.com/gui/collection/50919d9e9d6d71522b641a3907ed32093293c400a2ae4faaab142f175c48de4b", "https://www.virustotal.com/gui/collection/bb0c0633dbe98b659fb06e07acd6e1f51ca43d3a1b4be09b4e9bfe8b3fde0cdb", "https://www.virustotal.com/gui/collection/b8a6d1fcd73207ba46eae6806b946c4b539f301e718f3fba21fa4e797d4b5783", "https://www.virustotal.com/gui/collection/bd65940df2423788fcc8623495dfdafdfd4236d93533db0256db5ff4347b65f9", "https://www.virustotal.com/gui/collection/2c8e8189f77f80c97f4192dff56750f9603651db2cc6cca045f53e274f4b090e", "https://www.virustotal.com/gui/collection/be10f2ed2776b9b4028ac868814ab14bdd576ca5e5bce877ac2954389ba9d328", "https://www.virustotal.com/gui/collection/33a61b144ffdece76551464e76866ab59346f0fa3f1f97380b401c1ac3f0d305", "https://www.virustotal.com/gui/collection/d142f78015e1c929cedae31dba7e5b735b6dedfc31e4759d8ec5f02c16328b98", "https://www.virustotal.com/gui/collection/02bef6a3cf1a035ad5bfb238cac2e913f4ed9425847d7cec5e7dc4097aa3c352", "https://www.virustotal.com/gui/collection/343b947063e58a53ca281f5ad54a72a7fa1b9b6e4c1ca84de6202b99e3126327/summary" ], "public": 1, "adversary": "Unknown APT Group(s) / Threat Actor (s)", "targeted_countries": [ "Canada", "United States of America", "Philippines", "Panama", "Netherlands", "Anguilla", "Saint Vincent and the Grenadines", "Aruba", "Mexico", "Guatemala", "Costa Rica", "Tanzania, United Republic of" ], "malware_families": [], "attack_ids": [], "industries": [ "Education", "Healthcare", "Government" ], "TLP": "white", "cloned_from": "650fda65975555b2dabc023e", "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 230, "FileHash-SHA1": 139, "FileHash-SHA256": 1197, "URL": 9276, "CIDR": 16, "domain": 7895, "email": 2, "hostname": 1965 }, "indicator_count": 20720, "is_author": false, "is_subscribing": null, "subscriber_count": 234, "modified_text": "976 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "650fda65975555b2dabc023e", "name": "Threat Network Root & Distribution Vectors Probe ( disabe_duck curated pulse) ", "description": "", "modified": "2023-09-27T21:01:26.901000", "created": "2023-09-24T06:42:45.462000", "tags": [ "Domains", "ip addresses", "URLs", "Files", "Alberta Health Services", "BEC", "Education", "University of Alberta", "Government of Alberta", "Covenant Health Alberta", "Telus Communications", "Canadian Universities", "Malicious Certificates", "Digital Identity Theft / Credential Theft" ], "references": [ "https://www.virustotal.com/gui/collection/27233a89c864ba0e77e672a8909fd63b4a8b6d457c9e4ff219f2a3e47db13376", "https://www.virustotal.com/gui/collection/50919d9e9d6d71522b641a3907ed32093293c400a2ae4faaab142f175c48de4b", "https://www.virustotal.com/gui/collection/bb0c0633dbe98b659fb06e07acd6e1f51ca43d3a1b4be09b4e9bfe8b3fde0cdb", "https://www.virustotal.com/gui/collection/b8a6d1fcd73207ba46eae6806b946c4b539f301e718f3fba21fa4e797d4b5783", "https://www.virustotal.com/gui/collection/bd65940df2423788fcc8623495dfdafdfd4236d93533db0256db5ff4347b65f9", "https://www.virustotal.com/gui/collection/2c8e8189f77f80c97f4192dff56750f9603651db2cc6cca045f53e274f4b090e", "https://www.virustotal.com/gui/collection/be10f2ed2776b9b4028ac868814ab14bdd576ca5e5bce877ac2954389ba9d328", "https://www.virustotal.com/gui/collection/33a61b144ffdece76551464e76866ab59346f0fa3f1f97380b401c1ac3f0d305", "https://www.virustotal.com/gui/collection/d142f78015e1c929cedae31dba7e5b735b6dedfc31e4759d8ec5f02c16328b98", "https://www.virustotal.com/gui/collection/02bef6a3cf1a035ad5bfb238cac2e913f4ed9425847d7cec5e7dc4097aa3c352", "https://www.virustotal.com/gui/collection/343b947063e58a53ca281f5ad54a72a7fa1b9b6e4c1ca84de6202b99e3126327/summary" ], "public": 1, "adversary": "Unknown APT Group(s) / Threat Actor (s)", "targeted_countries": [ "Canada", "United States of America", "Philippines", "Panama", "Netherlands", "Anguilla", "Saint Vincent and the Grenadines", "Aruba", "Mexico", "Guatemala", "Costa Rica", "Tanzania, United Republic of" ], "malware_families": [], "attack_ids": [], "industries": [ "Education", "Healthcare", "Government" ], "TLP": "white", "cloned_from": "64ed117e2308a042e50e1e9e", "export_count": 31, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 230, "FileHash-SHA1": 139, "FileHash-SHA256": 1197, "URL": 9276, "CIDR": 16, "domain": 7895, "email": 2, "hostname": 1965 }, "indicator_count": 20720, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "976 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "62c2a296d3cea258c9f1c2ad", "name": "Malicious Sites, PUPs, Malware, Brower Hijackers, Phishing Sites", "description": "", "modified": "2022-07-04T08:19:34.791000", "created": "2022-07-04T08:19:34.791000", "tags": [ "malware", "info", "pups", "phishing sites", "am cst", "shadowwhisperer", "curl", "wget" ], "references": [ "https://raw.githubusercontent.com/ShadowWhisperer/BlockLists/master/Lists/Malware" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 44, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 10, "FileHash-SHA1": 47, "domain": 34626, "hostname": 19 }, "indicator_count": 34702, "is_author": false, "is_subscribing": null, "subscriber_count": 890, "modified_text": "1427 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "relocated", "group", "ldap.h", "arm64e-apple-ios-macabi.swiftinterface", "rmtab", "https://www.virustotal.com/graph/embed/g3b316b58b8c54064b322b2e186d62950d7632add2f3f408f8d8a1706563fd3c0?theme=dark", "MCPeerID.h", "csh.login", "https://viz.greynoise.io/ip/analysis/6356f330-63a7-4ce3-91fa-7ab355a1dc1a", "https://vtbehaviour.commondatastorage.googleapis.com/aa7261397b39ae202abcfc337b8307c7d2532a9b7ee721f7a87a6f25aa59608d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778308554&Signature=lODaur8GDc6MSh92WMx%2BV%2F7WRfkYjVs6kHiY4Sx12RcybRrsXaBC6oik%2FVeSMne1EODoqRn6AOcL%2FnIJ3J1ki%2Flrawz0HqWnxDTycnuefpWaPbw6abOU2796lcdgAMJxF9cGIDFHeaJDHQhbd0qeV07OK%2BhEKGGkjFWmqxOlqcTx526c%2FyRTuJaoFKrRzHVk9z2Xhv16kmnrY1VWhnBNyv3cMtVW076z2DheqC1Nya4ZJR3T", "mounts.csv", "kern_loader.conf", "transport", "MCBrowserViewController.h", "custom_header_checks", "hook_op_check.h", "MCNearbyServiceBrowser.h", "https://www.virustotal.com/graph/embed/g6d4bce6162064ac09cd20411c1947e69d7d5a1d475f0447da023ac933d338fce?theme=dark", "shells", "gettytab", "profile", "dbi_sql.h", "Filescan[.]io report: bc47c757-0a4d-4659-98d4-5d0c86406462 (08.23.24)", "interfaceDetails.csv", "sipConfig.csv", "https://urlscan.io/asn/AS45090", "https://www.virustotal.com/gui/collection/c1ea74232c607b23ded09484664f00ae58f911ccb82433d042056cbb84c9d602/iocs", "sudo_lecture", "users.csv", "https://www.virustotal.com/gui/collection/6434f0cf09638991baf3be289834696b46e11c4c6cbe1e7b9548f9ac27372b53", "https://www.virustotal.com/graph/embed/g3dae42eb79cc447182e3a3dd746e462f0903d71c784d4f5cacf970954deea221?theme=dark", "https://www.virustotal.com/graph/embed/g798b5e01446c4711ba22802009d71f5ba78553df16794088a907ae7456e2a017?theme=dark", "nfs.conf", "https://www.virustotal.com/graph/embed/gc0d82762363b4aa88991027c391afdbfe9585395bd8d4273bbe09907fbfaf532?theme=light", "https://www.virustotal.com/gui/collection/4b166c2c1752d85215da951b15a065688bfe24ea92c65228a45ded6f2d94685b/iocs", "ntp_opendirectory.conf", "custom-error.html", "https://www.virustotal.com/gui/collection/82dc29932b9184d02b037289fd4605c158e96a57f376b08a8b2b94e43d0ae18b/iocs", "dbivport.h", "https://www.virustotal.com/gui/collection/8f89eb9579ca53d15294ec27a4c1e763998ce57d3644ea746621d9fe0cb57e55/iocs", "LocalAuthentication.tbd", "lber.h", "https://www.virustotal.com/gui/collection/385f419c1c3733dd9dd151d4403bdb38cb24d12c21f18ce8f4f41d818d7a12a5/summary", "security_status.txt", "smb.conf", "bashrc", "launchagents.txt", "https://raw.githubusercontent.com/ShadowWhisperer/BlockLists/master/Lists/Malware", "https://vtbehaviour.commondatastorage.googleapis.com/fe2fcf32cc0d38931131fde27db1e5693774844075b4e3c33c82a3625f397a7d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778308630&Signature=tal7xZ9VHrLtK%2Fx5z4thfPUsqP4jnN7mnhQemzL4D6Jt%2BSk8bXHsrCdJlx%2Be1lnoGRVGwvwKCjx3CEIT2hLNbJt09HJOJW8y0ZHcSz%2BVuPuDQOe77pC%2F3yFozFW3vI7CEZI7ISt8C80aND1aciQHVQazVru6MO8fQbjeA78vsrN6MB0ZuxTE%2FXOh0gshhIYHplGRIVhhJx5waxIeoxWL1ZXsSC%2BoXwk4g44W5t38Y5Tkcf%2", "x86_64-apple-macos.swiftinterface", "index.html.en", "arm64e-apple-macos.swiftinterface", "afpovertcp.cfg", "applications.csv", "postfix-files", "https://www.virustotal.com/gui/collection/21cbd369ea901f41d51b666439aa41070c76eafb66dbbc6e56c86e0923b1569f/iocs", "https://www.virustotal.com/graph/embed/g994d0094226240eba65c081dfbc3e4936aa010abf4db48049e3a964e7c5ad076?theme=dark", "https://www.virustotal.com/graph/embed/g0844b0f8d48c4bfab3ae40a376456055e267e54952fe40e0a79f63cc17550863?theme=dark", "LDAP.tbd", "https://www.virustotal.com/gui/collection/be10f2ed2776b9b4028ac868814ab14bdd576ca5e5bce877ac2954389ba9d328", "locate.rc", "https://vtbehaviour.commondatastorage.googleapis.com/cb38f0c781c188c3fc2ace5f55a12f2a4833c1c5fc869e698cf7994041e4a135_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778309094&Signature=2X1UxXszEC0vdMoCHG30M8zifvQi45%2FJScJ8N3QaALRZ8JM5fIK5QIhWdv9eYZgDlMDjqEs9sECAtO16r8UbHNPoPwRNzqUN6f6UIq0L8Tj%2BIYQrjZo7NBhiH6eUgkTaHAoBU02WDYP5Ov0biBhHziqfTBQQ5yDFh0H9CPRlLUefNK%2BHM%2BQYLwGLUpQ5yBTv1Mh5suQ1PLSj3g%2Fz429aGgT0ianBgbW7IIV50lIP4m5cr5UUek3l", "diskEncryption.csv", "master.cf.proto", "syslog.conf", "https://www.virustotal.com/gui/collection/3bf1c0922ee6f4d041effbf9f72a21a1e9f4b38d0593cfbeaca24851cf712eac", "AOSKit.tbd", "https://wormhole.app/Pp5DdP#3EpzsqLhw5lJdQ0Xe_mRQA", "https://www.virustotal.com/gui/collection/18b52f4087178dedfee577ab7e53c5a86e84c2a7f901fa796240247f4be76f32/summary", "https://www.virustotal.com/gui/collection/d142f78015e1c929cedae31dba7e5b735b6dedfc31e4759d8ec5f02c16328b98", "https://www.virustotal.com/gui/collection/2c8e8189f77f80c97f4192dff56750f9603651db2cc6cca045f53e274f4b090e", "https://www.virustotal.com/gui/collection/da124f42943c08f1cafdc1c42635457b0c69ccce41b4031263af3235717996a2/summary", "https://www.virustotal.com/graph/embed/g78ea5ea9b68b4a4bbcd2bc078e23b321985e72d90da146c19d8d80ede366c1fa?theme=dark", "Admin.tbd", "bounce.cf.default", "csh.cshrc", "https://urlscan.io/search/#asn%3A%22AS45090%22", "battery.csv", "https://polyswarm.network/scan/results/file/6a8efb46a1811fab955b629b37b5c483a812cc66519436acd726ff2a854f7a86", "etcHosts.csv", "caching.html", "https://app.threat.zone/submission/c8b0b1e4-0c9b-4210-b5ce-1dc2303445df/overview", "sharingPreferences.csv", "makedefs.out", "ttys", "zshrc", "manpaths", "https://www.virustotal.com/gui/collection/33a61b144ffdece76551464e76866ab59346f0fa3f1f97380b401c1ac3f0d305", "certificates.csv", "process_list.txt", "MultipeerConnectivity.h", "auto_home", "Driver_xst.h", "https://www.virustotal.com/gui/collection/343b947063e58a53ca281f5ad54a72a7fa1b9b6e4c1ca84de6202b99e3126327/summary", "launchdaemons.txt", "canonical", "https://www.virustotal.com/gui/collection/a1866f4c7dbc79920d0c7e914a3bace0d3dc424a2aac06bf30bf724c6c8b0375/iocs", "https://viz.greynoise.io/query/AS4611", "main.cf", "kernel.csv", "notify.conf", "https://www.virustotal.com/gui/collection/86f3d77a28744357c14d92dba7ac6302d57700308c64b641513119d8fcad411f/iocs", "https://www.virustotal.com/gui/collection/c1ea74232c607b23ded09484664f00ae58f911ccb82433d042056cbb84c9d602", "https://www.virustotal.com/graph/embed/g6a67af8ffa22446da35d6989d7d0bc47efcd295eb893471e9b4912080c1dddef?theme=dark", "interfaceAddrs.csv", "chromeExtensions.csv", "https://www.virustotal.com/gui/collection/f60b8061133367a1047262a1e90d54cd72de4d59885c267906c6eeb557a35500", "usbDevices.csv", "https://vtbehaviour.commondatastorage.googleapis.com/aa7261397b39ae202abcfc337b8307c7d2532a9b7ee721f7a87a6f25aa59608d_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778308390&Signature=29e34JRtkg7NaukyKdD3mE9rGo0hrpCAePmGPmvrVPeeHY4ax13egnxzXVjOctDKN%2F26RdliQEdXTd301UZjrUIJxeMbNgmdXQ3AdU5y%2FV8c21ePTIEAIq2Onb%2Bq5kutHekqTdBS3d0tgfIBKVBE9kZsGWzbMQFPKPv%2B%2FDpvMZSgtM2dO2vord9nXbkwcHCYBrVWvVALPOmXc910%2BAWvZOsLaWmvQjsMI0DTAIUwyx0zveFkVWqa2XOJbD", "com.apple.screensharing.agent.launchd", "access", "Info.plist", "https://www.virustotal.com/gui/collection/bc7e252dcc07855314e153efe890d70e7a7e9b8a743e171eac31e5951260c1b7", "https://viz.greynoise.io/analysis/02a64dd4-d7e0-451c-8384-13cf23298551", "mounts.txt", "https://www.virustotal.com/graph/embed/ge839428bb3e24a98aae8cbcc242ae4d8febdc0c46e49411ebb09d155e22b4bbc?theme=dark", "https://www.virustotal.com/gui/collection/02bef6a3cf1a035ad5bfb238cac2e913f4ed9425847d7cec5e7dc4097aa3c352", "https://www.virustotal.com/gui/collection/21cbd369ea901f41d51b666439aa41070c76eafb66dbbc6e56c86e0923b1569f/summary", "sudoers", "x86_64-apple-ios-macabi.swiftinterface", "BUILDING", "main.cf.proto", "https://www.virustotal.com/gui/collection/ee0928d5289165511398be0144460ff4c8663292be0a99a05ac955de2728a078/iocs", "systemInfo.csv", "MCAdvertiserAssistant.h", "sharedFolders.csv", "https://yaraify.abuse.ch/scan/results/32bfc760-1757-11f1-b47f-42010aa4000b", "xtab", "AirPlayReceiver.tbd", "dbd_xsh.h", "master.cf", "pf.os", "module.modulemap", "virtual", "user_launchagents.txt", "command_args.json", "https://www.virustotal.com/gui/collection/8228434e85241bd42ae063de8cf2ee2afb86f0848675ed11e3f33b967e8c3c7c", "https://www.virustotal.com/gui/collection/ba238f4d585b87abb85c126f927090cb866facfa9e4e2e0db8e307aff553397d", "auto_master", "https://www.virustotal.com/gui/collection/385f419c1c3733dd9dd151d4403bdb38cb24d12c21f18ce8f4f41d818d7a12a5", "DBIXS.h", "managedPolicies.csv", "https://www.virustotal.com/graph/embed/g23481631a7c745c6ba19f72ce9f853643d17706c08ab44eb8851eb5c56c0f073?theme=dark", "https://www.virustotal.com/gui/collection/da35693aa528a682ca91aee332c8155d99ac8e4a13077cc73b2a8921c8fea36b", "https://www.virustotal.com/graph/embed/g699a7b9bfb324855859555181d01666c372310cf233441e08a095459b3394dea?theme=dark", "https://www.virustotal.com/gui/collection/1497c56a475d73236c67292964eabd7f8961f88c57fa5a2e3f30720dc29a51e7", "configuring.html", "aliases", "https://krebsonsecurity.com/2024/07/dont-let-your-domain-name-be", "bind.html", "resolv.conf", "man.conf", "pf.conf", "https://www.virustotal.com/gui/collection/2cdadbf6aa2ec4f9815c038b0e9375b1475ac7e049fd123861d6e925e7802c6a", "https://www.virustotal.com/graph/g994d0094226240eba65c081dfbc3e4936aa010abf4db48049e3a964e7c5ad076", "MCNearbyServiceAdvertiser.h", "https://www.virustotal.com/gui/collection/c1ea74232c607b23ded09484664f00ae58f911ccb82433d042056cbb84c9d602/graph", "newsyslog.conf", "https://viz.greynoise.io/query/AS45090", "apfs_boot_mount.tbd", "https://vtbehaviour.commondatastorage.googleapis.com/96726d252031408ce594cb2d0f49cc98a87d5742e5c7bf95b067158bf1ecbb5a_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778309020&Signature=vqlAf29Jh8gzLx2hXd4oK3SHSQ7rtDkDCKFUjJTgs37n6pJU8vOHAMY%2BZDsFv79mq1BdEHoY7nok%2B%2F8fXKVOYaTlt0eAlBTIvhYUtDyujmwblYEgNlDU1rpNNKmZ55W8WmPUBFmUN3AaCIOZIX5vA4HFg6qulPpJnXDQ57TINvsk4Wwf9mClPe97Ye9DE6zAZarXt7XMT2RTpxVJqTD143j7%2BeJGcwEPknT64TWHLEfitFThoeAdncSqpQS74B", "https://www.virustotal.com/gui/collection/0c9360cb9f8601bd6cdf912eb414d67902487f0c4eec96e952377e300ff4e983/iocs", "find.codes", "https://www.virustotal.com/gui/collection/27233a89c864ba0e77e672a8909fd63b4a8b6d457c9e4ff219f2a3e47db13376", "https://www.virustotal.com/gui/collection/18b52f4087178dedfee577ab7e53c5a86e84c2a7f901fa796240247f4be76f32/iocs", "https://www.virustotal.com/gui/collection/aabd4abecf7099202ccbfbc1cec130ea266329ade38b040169399c6abf97a188", "asl.conf", "rpc", "autofs.conf", "https://viz.greynoise.io/ip/analysis/ae06b3b5-c746-4b44-b2ac-19bb3aea14a1 [11.23.25 - 1000ipv4]", "https://urlscan.io/search/#asn:%22AS4611%22", "preboot_archive_errors.log", "https://www.virustotal.com/gui/collection/86f3d77a28744357c14d92dba7ac6302d57700308c64b641513119d8fcad411f", "kexts.txt", "MCSession.h", "TLS_LICENSE", "content-negotiation.html", "https://www.virustotal.com/gui/collection/6a4e699473879d39e15ed7cd130f2ee9543f842b92c9ad8b78e310968f4b086f", "networks", "generic", "csh.logout", "ntp.conf", "rc.common", "https://hybrid-analysis.com/sample/6a8efb46a1811fab955b629b37b5c483a812cc66519436acd726ff2a854f7a86", "mail.rc", "launchD.csv", "LICENSE", "https://www.virustotal.com/gui/collection/a6a81c8412b19ac6357a7c6e978c31a38d52a75fbb3b2e44f0f1a2bf0deb8a58/iocs", "convenience.map", "https://www.virustotal.com/gui/collection/9220d9375ebb4289fdbc4a7aac232b75a5c1b01e5e27edd965982bc6fe28f0e2", "https://www.virustotal.com/gui/collection/daab0521ae533cbdfeec047e51a9499aedfd27c8cc05c644950126c1947131f9", "bashrc_Apple_Terminal", "https://www.virustotal.com/gui/collection/8d65d93130b4775903adbffbb53820d40bb9425dcf1848b806ffee65ee883984", "header_checks", "ftpusers", "main.cf.default", "https://www.virustotal.com/gui/collection/bd65940df2423788fcc8623495dfdafdfd4236d93533db0256db5ff4347b65f9", "https://urlscan.io/result/aeb42615-79b7-465d-924e-c9bdde3eefd1/#transactions", "https://www.virustotal.com/gui/collection/fd8ebe64d72b2ad9e90773791522c3ec5863868dc3b9c58a929c6b4e01bb3042", "https://www.virustotal.com/gui/collection/bb0c0633dbe98b659fb06e07acd6e1f51ca43d3a1b4be09b4e9bfe8b3fde0cdb", "zprofile", "https://vtbehaviour.commondatastorage.googleapis.com/643c94812af9c0d32df3563b4c03f3a27bb3931df6d0bf98ed2028439df5c523_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778308947&Signature=alDMcpCHWUfDgEjmw6GuL5bYJ7WAgrYGXsYb8PfNczzjNzMmdclOsPPSd8nKJEDsDmNxeb2sw0hYiHkOza%2FRN9q8612YM9nTO2inlISRitzqqNDU6JlAsf97walR1G6zBOoJyqTiDrsSbx5evH65eHfvmspVqAXrb%2BQ47kPd56689I4BQ%2BsXgtfYNLYfi0tZCIDXf9zFVUl7yJpOaXHvd6%2FB7n3VeDqry5%2FrR9w%2Ftznq2oHOWz", "zshrc_Apple_Terminal", "https://urlscan.io/asn/AS4611", "https://www.virustotal.com/gui/collection/343b947063e58a53ca281f5ad54a72a7fa1b9b6e4c1ca84de6202b99e3126327", "rc.netboot", "irbrc", "crashes.csv", "disk_structure.txt", "APConfigurationSystem.tbd", "version.plist", "https://www.virustotal.com/gui/collection/21cbd369ea901f41d51b666439aa41070c76eafb66dbbc6e56c86e0923b1569f/graph", "dbixs_rev.h", "https://vtbehaviour.commondatastorage.googleapis.com/643c94812af9c0d32df3563b4c03f3a27bb3931df6d0bf98ed2028439df5c523_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778309164&Signature=NWdp0fiFpH6Jr1kaVwKEFGn0Zk0wRKMQLorUPZy7WKGD3M381ZLQM1PRrWmvwz5bujAib4QiCiOLd8A7PMvTMnOKQXz%2BwsI8tZk1vXfRwW6DJpI8nj3KWKoP3btIoik2VBrWn%2Fr1xNdIJ4Ic2MQEfOpslObUTaNkvaOGbdedf8llYwYXllyZneCKuVP5wMIq72nExH21e3%2FIfViwNbHZFbKS6roKZkLx4V7XxVk94woz0KT1LUAS0dYh", "MultipeerConnectivity.apinotes", "https://urlscan.io/result/d4bf08e4-88dc-4bf8-be34-6b352576882e/#behaviour", "systemControls.csv", "https://www.virustotal.com/gui/collection/12100cb4982365cfe5122fcedda2c084d60cebe09314846cae980c36fc90fc8c/iocs", "protocols", "https://vtbehaviour.commondatastorage.googleapis.com/aa7261397b39ae202abcfc337b8307c7d2532a9b7ee721f7a87a6f25aa59608d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778308356&Signature=Bq0QXx5QtdlR4B1OLE2oNH2ivhP5koRxoxaBIC4bDOb1nad7b%2B4MKW2csIzcVHkiJ2lEuxuzVaPZAtPN9ZbTMiEwygTIHCvt%2BjujlP3fb2dgOki9C6FhEd5DCKB3RdzsNdqXB2VDF7rZoLj%2BNII3rrWNk714D3qNNxku1k1gsD%2FpGCxIrO0e0y2styb6l6hhzJjcGwSCEPbS6MRA%2BA90qkVuNCgIucEDcJ5lkx0B2OOW4YW0Csc3", "https://www.virustotal.com/gui/collection/b8a6d1fcd73207ba46eae6806b946c4b539f301e718f3fba21fa4e797d4b5783", "https://www.virustotal.com/gui/collection/dbf356b0a281fa94308e2e24738d839491491bfb2defa4e6c42662646e52c8f8", "master.cf.default", "AppleFirmwareUpdate.tbd", "CodeResources", "https://www.virustotal.com/graph/g40f442f2b5d64cba818cac88855ba4ce274d109ce4ef4fb496f1af4efb993886", "https://www.virustotal.com/gui/collection/50919d9e9d6d71522b641a3907ed32093293c400a2ae4faaab142f175c48de4b", "rtadvd.conf", "https://www.virustotal.com/graph/embed/g9219350397134ff3a645319a88b67833077c9cf0f50d4979aa0239a3d0b6ecea?theme=dark", "MCError.h", "https://www.virustotal.com/graph/g38632f8b939b443ab3b69f6a3171d02ffd2696a0f3714325a84b9a5f227a7d1c", "paths", "MultipeerConnectivity.tbd", "passwd" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [ "DragonForce Malaysia Hacker Group", "Unknown APT Group(s) / Threat Actor (s)" ], "malware_families": [ "Lastname", "Firstname" ], "industries": [ "Telecommunications", "Government", "Education", "Healthcare", "Technology" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 17, "pulses": [ { "id": "69fed99080ca19fd27b184cb", "name": "CAPE Sandbox - \"Client Challenge\" Created 4/27/2025.", "description": "[The Cuckoo.com website has been shut down by Microsoft, with the result of an analysis of the network's traffic patterns, and the results of its analysis] A SHA for an educational app/website I dont even have generated what is called \" Client Challenge\"\n 2c4b2093aa07afb9d633fd4e734a9707\n2732a5adf7152c21b4a5aaa0a7b45f3d4be7874a\naa7261397b39ae202abcfc337b8307c7d2532a9b7ee721f7a87a6f25aa59608d\n622b6b82655de58b927dd956ab84db9d\n48:IYhkrFN9YfHFTtJXQHyeyQ4v3W7UNp/xmhIfgjOGkOHMZKKyMaiskaO3n:TsYdxJXQHFY375ro6tZ8MaM93n\nT1E05100012CF6C176147724BB9E73B25A2B5064476216E41C3AEDDA28CF82FD9EC426EC\nHTML \ninternet\nhtml\nHTML document, Unicode text, UTF-8 text\nHyperText Markup Language (100%)\nHTML\n3.03 KB (3101 bytes) /_fs-ch-1T1wmsGaOgGaSxcX/assets/inter-var.woff2\n/_fs-ch-1T1wmsGaOgGaSxcX/assets/styles.css -13jdrops from one html/38 malic files/bluetooth cap.", "modified": "2026-05-10T08:20:56.907000", "created": "2026-05-09T06:52:00.985000", "tags": [ "nothing", "registry keys", "mutexes nothing", "data", "datacrashpad", "edge", "created", "parent pid", "full path", "command line", "https", "network info", "processes extra", "performs dns", "layer protocol", "overview", "mitre attack", "overview zenbox", "verdict", "guest system", "phishing", "defense evasion", "next", "ip info", "ip country", "united", "info process", "mwdb", "bazaar", "sha3384", "ssdeep", "strong", "file type", "library", "size", "default", "sha1", "accept", "mcafee", "span", "install", "softonic", "alerta", "download", "error", "crypt32", "body", "bootkit", "lockfile", "title", "inside", "shutdown", "impact", "global", "restart", "uwaga", "startpage", "window", "find", "false", "null", "payload", "write", "installer", "winmm", "back", "nlrnsrdb", "trumusic", "kevsight tox", "html internet", "html document", "unicode text", "utf8 text", "language", "settings", "first counter", "file size", "sha256", "bridge", "info", "date", "agent", "root", "pe file", "ms windows", "pe32", "found", "png image", "rgba", "cabinet archive", "files c", "delphi", "code", "persistence", "malicious", "unix", "wed jun", "dropped info", "linux verdict", "bluetooth", "4/27/25", "drops", "legacy admin", "hacking tools", "geofence", "education", "government" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/aa7261397b39ae202abcfc337b8307c7d2532a9b7ee721f7a87a6f25aa59608d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778308356&Signature=Bq0QXx5QtdlR4B1OLE2oNH2ivhP5koRxoxaBIC4bDOb1nad7b%2B4MKW2csIzcVHkiJ2lEuxuzVaPZAtPN9ZbTMiEwygTIHCvt%2BjujlP3fb2dgOki9C6FhEd5DCKB3RdzsNdqXB2VDF7rZoLj%2BNII3rrWNk714D3qNNxku1k1gsD%2FpGCxIrO0e0y2styb6l6hhzJjcGwSCEPbS6MRA%2BA90qkVuNCgIucEDcJ5lkx0B2OOW4YW0Csc3", "https://vtbehaviour.commondatastorage.googleapis.com/aa7261397b39ae202abcfc337b8307c7d2532a9b7ee721f7a87a6f25aa59608d_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778308390&Signature=29e34JRtkg7NaukyKdD3mE9rGo0hrpCAePmGPmvrVPeeHY4ax13egnxzXVjOctDKN%2F26RdliQEdXTd301UZjrUIJxeMbNgmdXQ3AdU5y%2FV8c21ePTIEAIq2Onb%2Bq5kutHekqTdBS3d0tgfIBKVBE9kZsGWzbMQFPKPv%2B%2FDpvMZSgtM2dO2vord9nXbkwcHCYBrVWvVALPOmXc910%2BAWvZOsLaWmvQjsMI0DTAIUwyx0zveFkVWqa2XOJbD", "https://vtbehaviour.commondatastorage.googleapis.com/aa7261397b39ae202abcfc337b8307c7d2532a9b7ee721f7a87a6f25aa59608d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778308554&Signature=lODaur8GDc6MSh92WMx%2BV%2F7WRfkYjVs6kHiY4Sx12RcybRrsXaBC6oik%2FVeSMne1EODoqRn6AOcL%2FnIJ3J1ki%2Flrawz0HqWnxDTycnuefpWaPbw6abOU2796lcdgAMJxF9cGIDFHeaJDHQhbd0qeV07OK%2BhEKGGkjFWmqxOlqcTx526c%2FyRTuJaoFKrRzHVk9z2Xhv16kmnrY1VWhnBNyv3cMtVW076z2DheqC1Nya4ZJR3T", "https://vtbehaviour.commondatastorage.googleapis.com/fe2fcf32cc0d38931131fde27db1e5693774844075b4e3c33c82a3625f397a7d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778308630&Signature=tal7xZ9VHrLtK%2Fx5z4thfPUsqP4jnN7mnhQemzL4D6Jt%2BSk8bXHsrCdJlx%2Be1lnoGRVGwvwKCjx3CEIT2hLNbJt09HJOJW8y0ZHcSz%2BVuPuDQOe77pC%2F3yFozFW3vI7CEZI7ISt8C80aND1aciQHVQazVru6MO8fQbjeA78vsrN6MB0ZuxTE%2FXOh0gshhIYHplGRIVhhJx5waxIeoxWL1ZXsSC%2BoXwk4g44W5t38Y5Tkcf%2", "https://vtbehaviour.commondatastorage.googleapis.com/643c94812af9c0d32df3563b4c03f3a27bb3931df6d0bf98ed2028439df5c523_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778308947&Signature=alDMcpCHWUfDgEjmw6GuL5bYJ7WAgrYGXsYb8PfNczzjNzMmdclOsPPSd8nKJEDsDmNxeb2sw0hYiHkOza%2FRN9q8612YM9nTO2inlISRitzqqNDU6JlAsf97walR1G6zBOoJyqTiDrsSbx5evH65eHfvmspVqAXrb%2BQ47kPd56689I4BQ%2BsXgtfYNLYfi0tZCIDXf9zFVUl7yJpOaXHvd6%2FB7n3VeDqry5%2FrR9w%2Ftznq2oHOWz", "https://vtbehaviour.commondatastorage.googleapis.com/96726d252031408ce594cb2d0f49cc98a87d5742e5c7bf95b067158bf1ecbb5a_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778309020&Signature=vqlAf29Jh8gzLx2hXd4oK3SHSQ7rtDkDCKFUjJTgs37n6pJU8vOHAMY%2BZDsFv79mq1BdEHoY7nok%2B%2F8fXKVOYaTlt0eAlBTIvhYUtDyujmwblYEgNlDU1rpNNKmZ55W8WmPUBFmUN3AaCIOZIX5vA4HFg6qulPpJnXDQ57TINvsk4Wwf9mClPe97Ye9DE6zAZarXt7XMT2RTpxVJqTD143j7%2BeJGcwEPknT64TWHLEfitFThoeAdncSqpQS74B", "https://vtbehaviour.commondatastorage.googleapis.com/cb38f0c781c188c3fc2ace5f55a12f2a4833c1c5fc869e698cf7994041e4a135_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778309094&Signature=2X1UxXszEC0vdMoCHG30M8zifvQi45%2FJScJ8N3QaALRZ8JM5fIK5QIhWdv9eYZgDlMDjqEs9sECAtO16r8UbHNPoPwRNzqUN6f6UIq0L8Tj%2BIYQrjZo7NBhiH6eUgkTaHAoBU02WDYP5Ov0biBhHziqfTBQQ5yDFh0H9CPRlLUefNK%2BHM%2BQYLwGLUpQ5yBTv1Mh5suQ1PLSj3g%2Fz429aGgT0ianBgbW7IIV50lIP4m5cr5UUek3l", "https://vtbehaviour.commondatastorage.googleapis.com/643c94812af9c0d32df3563b4c03f3a27bb3931df6d0bf98ed2028439df5c523_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778309164&Signature=NWdp0fiFpH6Jr1kaVwKEFGn0Zk0wRKMQLorUPZy7WKGD3M381ZLQM1PRrWmvwz5bujAib4QiCiOLd8A7PMvTMnOKQXz%2BwsI8tZk1vXfRwW6DJpI8nj3KWKoP3btIoik2VBrWn%2Fr1xNdIJ4Ic2MQEfOpslObUTaNkvaOGbdedf8llYwYXllyZneCKuVP5wMIq72nExH21e3%2FIfViwNbHZFbKS6roKZkLx4V7XxVk94woz0KT1LUAS0dYh" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1592", "name": "Gather Victim Host Information", "display_name": "T1592 - Gather Victim Host Information" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 529, "IPv4": 403, "hostname": 394, "domain": 121, "URL": 262, "FileHash-SHA1": 291, "FileHash-SHA256": 396 }, "indicator_count": 2396, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "21 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69fed98ed79b13165d78dc30", "name": "CAPE Sandbox - \"Client Challenge\" Created 4/27/2025.", "description": "[The Cuckoo.com website has been shut down by Microsoft, with the result of an analysis of the network's traffic patterns, and the results of its analysis] A SHA for an educational app/website I dont even have generated what is called \" Client Challenge\"\n 2c4b2093aa07afb9d633fd4e734a9707\n2732a5adf7152c21b4a5aaa0a7b45f3d4be7874a\naa7261397b39ae202abcfc337b8307c7d2532a9b7ee721f7a87a6f25aa59608d\n622b6b82655de58b927dd956ab84db9d\n48:IYhkrFN9YfHFTtJXQHyeyQ4v3W7UNp/xmhIfgjOGkOHMZKKyMaiskaO3n:TsYdxJXQHFY375ro6tZ8MaM93n\nT1E05100012CF6C176147724BB9E73B25A2B5064476216E41C3AEDDA28CF82FD9EC426EC\nHTML \ninternet\nhtml\nHTML document, Unicode text, UTF-8 text\nHyperText Markup Language (100%)\nHTML\n3.03 KB (3101 bytes) /_fs-ch-1T1wmsGaOgGaSxcX/assets/inter-var.woff2\n/_fs-ch-1T1wmsGaOgGaSxcX/assets/styles.css -13jdrops from one html/38 malic files/bluetooth cap.", "modified": "2026-05-10T08:11:16.996000", "created": "2026-05-09T06:51:58.884000", "tags": [ "nothing", "registry keys", "mutexes nothing", "data", "datacrashpad", "edge", "created", "parent pid", "full path", "command line", "https", "network info", "processes extra", "performs dns", "layer protocol", "overview", "mitre attack", "overview zenbox", "verdict", "guest system", "phishing", "defense evasion", "next", "ip info", "ip country", "united", "info process", "mwdb", "bazaar", "sha3384", "ssdeep", "strong", "file type", "library", "size", "default", "sha1", "accept", "mcafee", "span", "install", "softonic", "alerta", "download", "error", "crypt32", "body", "bootkit", "lockfile", "title", "inside", "shutdown", "impact", "global", "restart", "uwaga", "startpage", "window", "find", "false", "null", "payload", "write", "installer", "winmm", "back", "nlrnsrdb", "trumusic", "kevsight tox", "html internet", "html document", "unicode text", "utf8 text", "language", "settings", "first counter", "file size", "sha256", "bridge", "info", "date", "agent", "root", "pe file", "ms windows", "pe32", "found", "png image", "rgba", "cabinet archive", "files c", "delphi", "code", "persistence", "malicious", "unix", "wed jun", "dropped info", "linux verdict", "bluetooth", "4/27/25", "drops", "legacy admin", "hacking tools", "geofence", "education", "government" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/aa7261397b39ae202abcfc337b8307c7d2532a9b7ee721f7a87a6f25aa59608d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778308356&Signature=Bq0QXx5QtdlR4B1OLE2oNH2ivhP5koRxoxaBIC4bDOb1nad7b%2B4MKW2csIzcVHkiJ2lEuxuzVaPZAtPN9ZbTMiEwygTIHCvt%2BjujlP3fb2dgOki9C6FhEd5DCKB3RdzsNdqXB2VDF7rZoLj%2BNII3rrWNk714D3qNNxku1k1gsD%2FpGCxIrO0e0y2styb6l6hhzJjcGwSCEPbS6MRA%2BA90qkVuNCgIucEDcJ5lkx0B2OOW4YW0Csc3", "https://vtbehaviour.commondatastorage.googleapis.com/aa7261397b39ae202abcfc337b8307c7d2532a9b7ee721f7a87a6f25aa59608d_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778308390&Signature=29e34JRtkg7NaukyKdD3mE9rGo0hrpCAePmGPmvrVPeeHY4ax13egnxzXVjOctDKN%2F26RdliQEdXTd301UZjrUIJxeMbNgmdXQ3AdU5y%2FV8c21ePTIEAIq2Onb%2Bq5kutHekqTdBS3d0tgfIBKVBE9kZsGWzbMQFPKPv%2B%2FDpvMZSgtM2dO2vord9nXbkwcHCYBrVWvVALPOmXc910%2BAWvZOsLaWmvQjsMI0DTAIUwyx0zveFkVWqa2XOJbD", "https://vtbehaviour.commondatastorage.googleapis.com/aa7261397b39ae202abcfc337b8307c7d2532a9b7ee721f7a87a6f25aa59608d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778308554&Signature=lODaur8GDc6MSh92WMx%2BV%2F7WRfkYjVs6kHiY4Sx12RcybRrsXaBC6oik%2FVeSMne1EODoqRn6AOcL%2FnIJ3J1ki%2Flrawz0HqWnxDTycnuefpWaPbw6abOU2796lcdgAMJxF9cGIDFHeaJDHQhbd0qeV07OK%2BhEKGGkjFWmqxOlqcTx526c%2FyRTuJaoFKrRzHVk9z2Xhv16kmnrY1VWhnBNyv3cMtVW076z2DheqC1Nya4ZJR3T", "https://vtbehaviour.commondatastorage.googleapis.com/fe2fcf32cc0d38931131fde27db1e5693774844075b4e3c33c82a3625f397a7d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778308630&Signature=tal7xZ9VHrLtK%2Fx5z4thfPUsqP4jnN7mnhQemzL4D6Jt%2BSk8bXHsrCdJlx%2Be1lnoGRVGwvwKCjx3CEIT2hLNbJt09HJOJW8y0ZHcSz%2BVuPuDQOe77pC%2F3yFozFW3vI7CEZI7ISt8C80aND1aciQHVQazVru6MO8fQbjeA78vsrN6MB0ZuxTE%2FXOh0gshhIYHplGRIVhhJx5waxIeoxWL1ZXsSC%2BoXwk4g44W5t38Y5Tkcf%2", "https://vtbehaviour.commondatastorage.googleapis.com/643c94812af9c0d32df3563b4c03f3a27bb3931df6d0bf98ed2028439df5c523_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778308947&Signature=alDMcpCHWUfDgEjmw6GuL5bYJ7WAgrYGXsYb8PfNczzjNzMmdclOsPPSd8nKJEDsDmNxeb2sw0hYiHkOza%2FRN9q8612YM9nTO2inlISRitzqqNDU6JlAsf97walR1G6zBOoJyqTiDrsSbx5evH65eHfvmspVqAXrb%2BQ47kPd56689I4BQ%2BsXgtfYNLYfi0tZCIDXf9zFVUl7yJpOaXHvd6%2FB7n3VeDqry5%2FrR9w%2Ftznq2oHOWz", "https://vtbehaviour.commondatastorage.googleapis.com/96726d252031408ce594cb2d0f49cc98a87d5742e5c7bf95b067158bf1ecbb5a_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778309020&Signature=vqlAf29Jh8gzLx2hXd4oK3SHSQ7rtDkDCKFUjJTgs37n6pJU8vOHAMY%2BZDsFv79mq1BdEHoY7nok%2B%2F8fXKVOYaTlt0eAlBTIvhYUtDyujmwblYEgNlDU1rpNNKmZ55W8WmPUBFmUN3AaCIOZIX5vA4HFg6qulPpJnXDQ57TINvsk4Wwf9mClPe97Ye9DE6zAZarXt7XMT2RTpxVJqTD143j7%2BeJGcwEPknT64TWHLEfitFThoeAdncSqpQS74B", "https://vtbehaviour.commondatastorage.googleapis.com/cb38f0c781c188c3fc2ace5f55a12f2a4833c1c5fc869e698cf7994041e4a135_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778309094&Signature=2X1UxXszEC0vdMoCHG30M8zifvQi45%2FJScJ8N3QaALRZ8JM5fIK5QIhWdv9eYZgDlMDjqEs9sECAtO16r8UbHNPoPwRNzqUN6f6UIq0L8Tj%2BIYQrjZo7NBhiH6eUgkTaHAoBU02WDYP5Ov0biBhHziqfTBQQ5yDFh0H9CPRlLUefNK%2BHM%2BQYLwGLUpQ5yBTv1Mh5suQ1PLSj3g%2Fz429aGgT0ianBgbW7IIV50lIP4m5cr5UUek3l", "https://vtbehaviour.commondatastorage.googleapis.com/643c94812af9c0d32df3563b4c03f3a27bb3931df6d0bf98ed2028439df5c523_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778309164&Signature=NWdp0fiFpH6Jr1kaVwKEFGn0Zk0wRKMQLorUPZy7WKGD3M381ZLQM1PRrWmvwz5bujAib4QiCiOLd8A7PMvTMnOKQXz%2BwsI8tZk1vXfRwW6DJpI8nj3KWKoP3btIoik2VBrWn%2Fr1xNdIJ4Ic2MQEfOpslObUTaNkvaOGbdedf8llYwYXllyZneCKuVP5wMIq72nExH21e3%2FIfViwNbHZFbKS6roKZkLx4V7XxVk94woz0KT1LUAS0dYh" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1592", "name": "Gather Victim Host Information", "display_name": "T1592 - Gather Victim Host Information" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 547, "IPv4": 545, "hostname": 752, "domain": 290, "URL": 979, "FileHash-SHA1": 296, "FileHash-SHA256": 904, "CIDR": 2, "email": 2 }, "indicator_count": 4317, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "21 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69fed98a5807c9756ff0eb87", "name": "CAPE Sandbox - \"Client Challenge\" Created 4/27/2025.", "description": "[The Cuckoo.com website has been shut down by Microsoft, with the result of an analysis of the network's traffic patterns, and the results of its analysis] A SHA for an educational app/website I dont even have generated what is called \" Client Challenge\"\n 2c4b2093aa07afb9d633fd4e734a9707\n2732a5adf7152c21b4a5aaa0a7b45f3d4be7874a\naa7261397b39ae202abcfc337b8307c7d2532a9b7ee721f7a87a6f25aa59608d\n622b6b82655de58b927dd956ab84db9d\n48:IYhkrFN9YfHFTtJXQHyeyQ4v3W7UNp/xmhIfgjOGkOHMZKKyMaiskaO3n:TsYdxJXQHFY375ro6tZ8MaM93n\nT1E05100012CF6C176147724BB9E73B25A2B5064476216E41C3AEDDA28CF82FD9EC426EC\nHTML \ninternet\nhtml\nHTML document, Unicode text, UTF-8 text\nHyperText Markup Language (100%)\nHTML\n3.03 KB (3101 bytes) /_fs-ch-1T1wmsGaOgGaSxcX/assets/inter-var.woff2\n/_fs-ch-1T1wmsGaOgGaSxcX/assets/styles.css -13jdrops from one html/38 malic files/bluetooth cap.", "modified": "2026-05-09T12:26:36.816000", "created": "2026-05-09T06:51:54.319000", "tags": [ "nothing", "registry keys", "mutexes nothing", "data", "datacrashpad", "edge", "created", "parent pid", "full path", "command line", "https", "network info", "processes extra", "performs dns", "layer protocol", "overview", "mitre attack", "overview zenbox", "verdict", "guest system", "phishing", "defense evasion", "next", "ip info", "ip country", "united", "info process", "mwdb", "bazaar", "sha3384", "ssdeep", "strong", "file type", "library", "size", "default", "sha1", "accept", "mcafee", "span", "install", "softonic", "alerta", "download", "error", "crypt32", "body", "bootkit", "lockfile", "title", "inside", "shutdown", "impact", "global", "restart", "uwaga", "startpage", "window", "find", "false", "null", "payload", "write", "installer", "winmm", "back", "nlrnsrdb", "trumusic", "kevsight tox", "html internet", "html document", "unicode text", "utf8 text", "language", "settings", "first counter", "file size", "sha256", "bridge", "info", "date", "agent", "root", "pe file", "ms windows", "pe32", "found", "png image", "rgba", "cabinet archive", "files c", "delphi", "code", "persistence", "malicious", "unix", "wed jun", "dropped info", "linux verdict", "bluetooth", "4/27/25", "drops", "legacy admin", "hacking tools", "geofence", "education", "government" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/aa7261397b39ae202abcfc337b8307c7d2532a9b7ee721f7a87a6f25aa59608d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778308356&Signature=Bq0QXx5QtdlR4B1OLE2oNH2ivhP5koRxoxaBIC4bDOb1nad7b%2B4MKW2csIzcVHkiJ2lEuxuzVaPZAtPN9ZbTMiEwygTIHCvt%2BjujlP3fb2dgOki9C6FhEd5DCKB3RdzsNdqXB2VDF7rZoLj%2BNII3rrWNk714D3qNNxku1k1gsD%2FpGCxIrO0e0y2styb6l6hhzJjcGwSCEPbS6MRA%2BA90qkVuNCgIucEDcJ5lkx0B2OOW4YW0Csc3", "https://vtbehaviour.commondatastorage.googleapis.com/aa7261397b39ae202abcfc337b8307c7d2532a9b7ee721f7a87a6f25aa59608d_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778308390&Signature=29e34JRtkg7NaukyKdD3mE9rGo0hrpCAePmGPmvrVPeeHY4ax13egnxzXVjOctDKN%2F26RdliQEdXTd301UZjrUIJxeMbNgmdXQ3AdU5y%2FV8c21ePTIEAIq2Onb%2Bq5kutHekqTdBS3d0tgfIBKVBE9kZsGWzbMQFPKPv%2B%2FDpvMZSgtM2dO2vord9nXbkwcHCYBrVWvVALPOmXc910%2BAWvZOsLaWmvQjsMI0DTAIUwyx0zveFkVWqa2XOJbD", "https://vtbehaviour.commondatastorage.googleapis.com/aa7261397b39ae202abcfc337b8307c7d2532a9b7ee721f7a87a6f25aa59608d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778308554&Signature=lODaur8GDc6MSh92WMx%2BV%2F7WRfkYjVs6kHiY4Sx12RcybRrsXaBC6oik%2FVeSMne1EODoqRn6AOcL%2FnIJ3J1ki%2Flrawz0HqWnxDTycnuefpWaPbw6abOU2796lcdgAMJxF9cGIDFHeaJDHQhbd0qeV07OK%2BhEKGGkjFWmqxOlqcTx526c%2FyRTuJaoFKrRzHVk9z2Xhv16kmnrY1VWhnBNyv3cMtVW076z2DheqC1Nya4ZJR3T", "https://vtbehaviour.commondatastorage.googleapis.com/fe2fcf32cc0d38931131fde27db1e5693774844075b4e3c33c82a3625f397a7d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778308630&Signature=tal7xZ9VHrLtK%2Fx5z4thfPUsqP4jnN7mnhQemzL4D6Jt%2BSk8bXHsrCdJlx%2Be1lnoGRVGwvwKCjx3CEIT2hLNbJt09HJOJW8y0ZHcSz%2BVuPuDQOe77pC%2F3yFozFW3vI7CEZI7ISt8C80aND1aciQHVQazVru6MO8fQbjeA78vsrN6MB0ZuxTE%2FXOh0gshhIYHplGRIVhhJx5waxIeoxWL1ZXsSC%2BoXwk4g44W5t38Y5Tkcf%2", "https://vtbehaviour.commondatastorage.googleapis.com/643c94812af9c0d32df3563b4c03f3a27bb3931df6d0bf98ed2028439df5c523_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778308947&Signature=alDMcpCHWUfDgEjmw6GuL5bYJ7WAgrYGXsYb8PfNczzjNzMmdclOsPPSd8nKJEDsDmNxeb2sw0hYiHkOza%2FRN9q8612YM9nTO2inlISRitzqqNDU6JlAsf97walR1G6zBOoJyqTiDrsSbx5evH65eHfvmspVqAXrb%2BQ47kPd56689I4BQ%2BsXgtfYNLYfi0tZCIDXf9zFVUl7yJpOaXHvd6%2FB7n3VeDqry5%2FrR9w%2Ftznq2oHOWz", "https://vtbehaviour.commondatastorage.googleapis.com/96726d252031408ce594cb2d0f49cc98a87d5742e5c7bf95b067158bf1ecbb5a_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778309020&Signature=vqlAf29Jh8gzLx2hXd4oK3SHSQ7rtDkDCKFUjJTgs37n6pJU8vOHAMY%2BZDsFv79mq1BdEHoY7nok%2B%2F8fXKVOYaTlt0eAlBTIvhYUtDyujmwblYEgNlDU1rpNNKmZ55W8WmPUBFmUN3AaCIOZIX5vA4HFg6qulPpJnXDQ57TINvsk4Wwf9mClPe97Ye9DE6zAZarXt7XMT2RTpxVJqTD143j7%2BeJGcwEPknT64TWHLEfitFThoeAdncSqpQS74B", "https://vtbehaviour.commondatastorage.googleapis.com/cb38f0c781c188c3fc2ace5f55a12f2a4833c1c5fc869e698cf7994041e4a135_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778309094&Signature=2X1UxXszEC0vdMoCHG30M8zifvQi45%2FJScJ8N3QaALRZ8JM5fIK5QIhWdv9eYZgDlMDjqEs9sECAtO16r8UbHNPoPwRNzqUN6f6UIq0L8Tj%2BIYQrjZo7NBhiH6eUgkTaHAoBU02WDYP5Ov0biBhHziqfTBQQ5yDFh0H9CPRlLUefNK%2BHM%2BQYLwGLUpQ5yBTv1Mh5suQ1PLSj3g%2Fz429aGgT0ianBgbW7IIV50lIP4m5cr5UUek3l", "https://vtbehaviour.commondatastorage.googleapis.com/643c94812af9c0d32df3563b4c03f3a27bb3931df6d0bf98ed2028439df5c523_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778309164&Signature=NWdp0fiFpH6Jr1kaVwKEFGn0Zk0wRKMQLorUPZy7WKGD3M381ZLQM1PRrWmvwz5bujAib4QiCiOLd8A7PMvTMnOKQXz%2BwsI8tZk1vXfRwW6DJpI8nj3KWKoP3btIoik2VBrWn%2Fr1xNdIJ4Ic2MQEfOpslObUTaNkvaOGbdedf8llYwYXllyZneCKuVP5wMIq72nExH21e3%2FIfViwNbHZFbKS6roKZkLx4V7XxVk94woz0KT1LUAS0dYh" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1592", "name": "Gather Victim Host Information", "display_name": "T1592 - Gather Victim Host Information" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 521, "IPv4": 402, "hostname": 393, "domain": 120, "URL": 261, "FileHash-SHA1": 287, "FileHash-SHA256": 391 }, "indicator_count": 2375, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "22 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69fed9859e3d403a869a56d9", "name": "CAPE Sandbox - \"Client Challenge\" Created 4/27/2025.", "description": "[The Cuckoo.com website has been shut down by Microsoft, with the result of an analysis of the network's traffic patterns, and the results of its analysis] A SHA for an educational app/website I dont even have generated what is called \" Client Challenge\"\n 2c4b2093aa07afb9d633fd4e734a9707\n2732a5adf7152c21b4a5aaa0a7b45f3d4be7874a\naa7261397b39ae202abcfc337b8307c7d2532a9b7ee721f7a87a6f25aa59608d\n622b6b82655de58b927dd956ab84db9d\n48:IYhkrFN9YfHFTtJXQHyeyQ4v3W7UNp/xmhIfgjOGkOHMZKKyMaiskaO3n:TsYdxJXQHFY375ro6tZ8MaM93n\nT1E05100012CF6C176147724BB9E73B25A2B5064476216E41C3AEDDA28CF82FD9EC426EC\nHTML \ninternet\nhtml\nHTML document, Unicode text, UTF-8 text\nHyperText Markup Language (100%)\nHTML\n3.03 KB (3101 bytes) /_fs-ch-1T1wmsGaOgGaSxcX/assets/inter-var.woff2\n/_fs-ch-1T1wmsGaOgGaSxcX/assets/styles.css -13jdrops from one html/38 malic files/bluetooth cap.", "modified": "2026-05-09T07:20:23.936000", "created": "2026-05-09T06:51:49.607000", "tags": [ "nothing", "registry keys", "mutexes nothing", "data", "datacrashpad", "edge", "created", "parent pid", "full path", "command line", "https", "network info", "processes extra", "performs dns", "layer protocol", "overview", "mitre attack", "overview zenbox", "verdict", "guest system", "phishing", "defense evasion", "next", "ip info", "ip country", "united", "info process", "mwdb", "bazaar", "sha3384", "ssdeep", "strong", "file type", "library", "size", "default", "sha1", "accept", "mcafee", "span", "install", "softonic", "alerta", "download", "error", "crypt32", "body", "bootkit", "lockfile", "title", "inside", "shutdown", "impact", "global", "restart", "uwaga", "startpage", "window", "find", "false", "null", "payload", "write", "installer", "winmm", "back", "nlrnsrdb", "trumusic", "kevsight tox", "html internet", "html document", "unicode text", "utf8 text", "language", "settings", "first counter", "file size", "sha256", "bridge", "info", "date", "agent", "root", "pe file", "ms windows", "pe32", "found", "png image", "rgba", "cabinet archive", "files c", "delphi", "code", "persistence", "malicious", "unix", "wed jun", "dropped info", "linux verdict", "bluetooth", "4/27/25", "drops", "legacy admin", "hacking tools", "geofence", "education", "government" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/aa7261397b39ae202abcfc337b8307c7d2532a9b7ee721f7a87a6f25aa59608d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778308356&Signature=Bq0QXx5QtdlR4B1OLE2oNH2ivhP5koRxoxaBIC4bDOb1nad7b%2B4MKW2csIzcVHkiJ2lEuxuzVaPZAtPN9ZbTMiEwygTIHCvt%2BjujlP3fb2dgOki9C6FhEd5DCKB3RdzsNdqXB2VDF7rZoLj%2BNII3rrWNk714D3qNNxku1k1gsD%2FpGCxIrO0e0y2styb6l6hhzJjcGwSCEPbS6MRA%2BA90qkVuNCgIucEDcJ5lkx0B2OOW4YW0Csc3", "https://vtbehaviour.commondatastorage.googleapis.com/aa7261397b39ae202abcfc337b8307c7d2532a9b7ee721f7a87a6f25aa59608d_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778308390&Signature=29e34JRtkg7NaukyKdD3mE9rGo0hrpCAePmGPmvrVPeeHY4ax13egnxzXVjOctDKN%2F26RdliQEdXTd301UZjrUIJxeMbNgmdXQ3AdU5y%2FV8c21ePTIEAIq2Onb%2Bq5kutHekqTdBS3d0tgfIBKVBE9kZsGWzbMQFPKPv%2B%2FDpvMZSgtM2dO2vord9nXbkwcHCYBrVWvVALPOmXc910%2BAWvZOsLaWmvQjsMI0DTAIUwyx0zveFkVWqa2XOJbD", "https://vtbehaviour.commondatastorage.googleapis.com/aa7261397b39ae202abcfc337b8307c7d2532a9b7ee721f7a87a6f25aa59608d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778308554&Signature=lODaur8GDc6MSh92WMx%2BV%2F7WRfkYjVs6kHiY4Sx12RcybRrsXaBC6oik%2FVeSMne1EODoqRn6AOcL%2FnIJ3J1ki%2Flrawz0HqWnxDTycnuefpWaPbw6abOU2796lcdgAMJxF9cGIDFHeaJDHQhbd0qeV07OK%2BhEKGGkjFWmqxOlqcTx526c%2FyRTuJaoFKrRzHVk9z2Xhv16kmnrY1VWhnBNyv3cMtVW076z2DheqC1Nya4ZJR3T", "https://vtbehaviour.commondatastorage.googleapis.com/fe2fcf32cc0d38931131fde27db1e5693774844075b4e3c33c82a3625f397a7d_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778308630&Signature=tal7xZ9VHrLtK%2Fx5z4thfPUsqP4jnN7mnhQemzL4D6Jt%2BSk8bXHsrCdJlx%2Be1lnoGRVGwvwKCjx3CEIT2hLNbJt09HJOJW8y0ZHcSz%2BVuPuDQOe77pC%2F3yFozFW3vI7CEZI7ISt8C80aND1aciQHVQazVru6MO8fQbjeA78vsrN6MB0ZuxTE%2FXOh0gshhIYHplGRIVhhJx5waxIeoxWL1ZXsSC%2BoXwk4g44W5t38Y5Tkcf%2", "https://vtbehaviour.commondatastorage.googleapis.com/643c94812af9c0d32df3563b4c03f3a27bb3931df6d0bf98ed2028439df5c523_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778308947&Signature=alDMcpCHWUfDgEjmw6GuL5bYJ7WAgrYGXsYb8PfNczzjNzMmdclOsPPSd8nKJEDsDmNxeb2sw0hYiHkOza%2FRN9q8612YM9nTO2inlISRitzqqNDU6JlAsf97walR1G6zBOoJyqTiDrsSbx5evH65eHfvmspVqAXrb%2BQ47kPd56689I4BQ%2BsXgtfYNLYfi0tZCIDXf9zFVUl7yJpOaXHvd6%2FB7n3VeDqry5%2FrR9w%2Ftznq2oHOWz", "https://vtbehaviour.commondatastorage.googleapis.com/96726d252031408ce594cb2d0f49cc98a87d5742e5c7bf95b067158bf1ecbb5a_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778309020&Signature=vqlAf29Jh8gzLx2hXd4oK3SHSQ7rtDkDCKFUjJTgs37n6pJU8vOHAMY%2BZDsFv79mq1BdEHoY7nok%2B%2F8fXKVOYaTlt0eAlBTIvhYUtDyujmwblYEgNlDU1rpNNKmZ55W8WmPUBFmUN3AaCIOZIX5vA4HFg6qulPpJnXDQ57TINvsk4Wwf9mClPe97Ye9DE6zAZarXt7XMT2RTpxVJqTD143j7%2BeJGcwEPknT64TWHLEfitFThoeAdncSqpQS74B", "https://vtbehaviour.commondatastorage.googleapis.com/cb38f0c781c188c3fc2ace5f55a12f2a4833c1c5fc869e698cf7994041e4a135_Zenbox%20Linux.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778309094&Signature=2X1UxXszEC0vdMoCHG30M8zifvQi45%2FJScJ8N3QaALRZ8JM5fIK5QIhWdv9eYZgDlMDjqEs9sECAtO16r8UbHNPoPwRNzqUN6f6UIq0L8Tj%2BIYQrjZo7NBhiH6eUgkTaHAoBU02WDYP5Ov0biBhHziqfTBQQ5yDFh0H9CPRlLUefNK%2BHM%2BQYLwGLUpQ5yBTv1Mh5suQ1PLSj3g%2Fz429aGgT0ianBgbW7IIV50lIP4m5cr5UUek3l", "https://vtbehaviour.commondatastorage.googleapis.com/643c94812af9c0d32df3563b4c03f3a27bb3931df6d0bf98ed2028439df5c523_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1778309164&Signature=NWdp0fiFpH6Jr1kaVwKEFGn0Zk0wRKMQLorUPZy7WKGD3M381ZLQM1PRrWmvwz5bujAib4QiCiOLd8A7PMvTMnOKQXz%2BwsI8tZk1vXfRwW6DJpI8nj3KWKoP3btIoik2VBrWn%2Fr1xNdIJ4Ic2MQEfOpslObUTaNkvaOGbdedf8llYwYXllyZneCKuVP5wMIq72nExH21e3%2FIfViwNbHZFbKS6roKZkLx4V7XxVk94woz0KT1LUAS0dYh" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1592", "name": "Gather Victim Host Information", "display_name": "T1592 - Gather Victim Host Information" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 522, "IPv4": 409, "hostname": 645, "domain": 178, "URL": 786, "FileHash-SHA1": 288, "FileHash-SHA256": 392, "CVE": 1 }, "indicator_count": 3221, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "22 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "695089cbedad5c86f39b1363", "name": "Tracking Domains 03.03.26 (Updated Test)", "description": "Privacy Badger - Update on 01.09.26\nTracking domains on a hybrid (mobile laptop) clone of an AHS/Covenant Health, UAlberta (University of Alberta), and Government of Alberta Laptop.\nHealthcare: No Cybersecurity, EDU: No Cybersecurity / Remote only, GoA = Informed & don't quite know what to do or to whom this should be brought up with.", "modified": "2026-04-05T06:35:43.679000", "created": "2025-12-28T01:37:15.993000", "tags": [ "privacy badger", "sites general", "settings widget", "domains manage", "data privacy", "badger", "hide" ], "references": [ "https://hybrid-analysis.com/sample/6a8efb46a1811fab955b629b37b5c483a812cc66519436acd726ff2a854f7a86", "https://yaraify.abuse.ch/scan/results/32bfc760-1757-11f1-b47f-42010aa4000b", "https://polyswarm.network/scan/results/file/6a8efb46a1811fab955b629b37b5c483a812cc66519436acd726ff2a854f7a86", "https://app.threat.zone/submission/c8b0b1e4-0c9b-4210-b5ce-1dc2303445df/overview", "https://www.virustotal.com/gui/collection/18b52f4087178dedfee577ab7e53c5a86e84c2a7f901fa796240247f4be76f32/iocs", "https://www.virustotal.com/gui/collection/18b52f4087178dedfee577ab7e53c5a86e84c2a7f901fa796240247f4be76f32/summary", "https://www.virustotal.com/graph/embed/g6d4bce6162064ac09cd20411c1947e69d7d5a1d475f0447da023ac933d338fce?theme=dark", "https://viz.greynoise.io/ip/analysis/6356f330-63a7-4ce3-91fa-7ab355a1dc1a" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada", "United States of America", "Netherlands" ], "malware_families": [], "attack_ids": [], "industries": [ "Education", "Healthcare", "Government", "Technology", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 50404, "hostname": 10879, "URL": 715, "FileHash-MD5": 1 }, "indicator_count": 61999, "is_author": false, "is_subscribing": null, "subscriber_count": 132, "modified_text": "56 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64ed117e2308a042e50e1e9e", "name": "Investigation of Distribution Vectors and Threat Network Infrastructure", "description": "Targets: Individual(s), University of Alberta Infrastructure, Covenant Health (Alberta Health Services), TELUS Communications (Network & Mobile infrastructure), Government of Alberta, Government of Canada. International entities spanning primarily government, healthcare, and educational institutions.", "modified": "2025-11-23T23:20:07.571000", "created": "2023-08-28T21:28:30.294000", "tags": [ "Domains", "ip addresses", "URLs", "Files", "Alberta Health Services", "BEC", "Education", "University of Alberta", "Government of Alberta", "Covenant Health Alberta", "Telus Communications", "Canadian Universities", "Malicious Certificates", "Digital Identity Theft / Credential Theft" ], "references": [ "https://www.virustotal.com/gui/collection/27233a89c864ba0e77e672a8909fd63b4a8b6d457c9e4ff219f2a3e47db13376", "https://www.virustotal.com/gui/collection/50919d9e9d6d71522b641a3907ed32093293c400a2ae4faaab142f175c48de4b", "https://www.virustotal.com/gui/collection/bb0c0633dbe98b659fb06e07acd6e1f51ca43d3a1b4be09b4e9bfe8b3fde0cdb", "https://www.virustotal.com/gui/collection/b8a6d1fcd73207ba46eae6806b946c4b539f301e718f3fba21fa4e797d4b5783", "https://www.virustotal.com/gui/collection/bd65940df2423788fcc8623495dfdafdfd4236d93533db0256db5ff4347b65f9", "https://www.virustotal.com/gui/collection/2c8e8189f77f80c97f4192dff56750f9603651db2cc6cca045f53e274f4b090e", "https://www.virustotal.com/gui/collection/be10f2ed2776b9b4028ac868814ab14bdd576ca5e5bce877ac2954389ba9d328", "https://www.virustotal.com/gui/collection/33a61b144ffdece76551464e76866ab59346f0fa3f1f97380b401c1ac3f0d305", "https://www.virustotal.com/gui/collection/d142f78015e1c929cedae31dba7e5b735b6dedfc31e4759d8ec5f02c16328b98", "https://www.virustotal.com/gui/collection/02bef6a3cf1a035ad5bfb238cac2e913f4ed9425847d7cec5e7dc4097aa3c352", "https://www.virustotal.com/gui/collection/343b947063e58a53ca281f5ad54a72a7fa1b9b6e4c1ca84de6202b99e3126327/summary", "https://www.virustotal.com/gui/collection/3bf1c0922ee6f4d041effbf9f72a21a1e9f4b38d0593cfbeaca24851cf712eac", "https://www.virustotal.com/gui/collection/2cdadbf6aa2ec4f9815c038b0e9375b1475ac7e049fd123861d6e925e7802c6a", "https://www.virustotal.com/gui/collection/ba238f4d585b87abb85c126f927090cb866facfa9e4e2e0db8e307aff553397d", "https://www.virustotal.com/gui/collection/385f419c1c3733dd9dd151d4403bdb38cb24d12c21f18ce8f4f41d818d7a12a5/summary", "https://www.virustotal.com/gui/collection/9220d9375ebb4289fdbc4a7aac232b75a5c1b01e5e27edd965982bc6fe28f0e2", "https://www.virustotal.com/gui/collection/343b947063e58a53ca281f5ad54a72a7fa1b9b6e4c1ca84de6202b99e3126327", "https://www.virustotal.com/gui/collection/fd8ebe64d72b2ad9e90773791522c3ec5863868dc3b9c58a929c6b4e01bb3042", "https://www.virustotal.com/gui/collection/8d65d93130b4775903adbffbb53820d40bb9425dcf1848b806ffee65ee883984", "https://www.virustotal.com/gui/collection/385f419c1c3733dd9dd151d4403bdb38cb24d12c21f18ce8f4f41d818d7a12a5", "https://www.virustotal.com/gui/collection/6434f0cf09638991baf3be289834696b46e11c4c6cbe1e7b9548f9ac27372b53", "https://www.virustotal.com/gui/collection/bc7e252dcc07855314e153efe890d70e7a7e9b8a743e171eac31e5951260c1b7", "https://www.virustotal.com/gui/collection/dbf356b0a281fa94308e2e24738d839491491bfb2defa4e6c42662646e52c8f8", "https://www.virustotal.com/gui/collection/f60b8061133367a1047262a1e90d54cd72de4d59885c267906c6eeb557a35500", "https://www.virustotal.com/gui/collection/da124f42943c08f1cafdc1c42635457b0c69ccce41b4031263af3235717996a2/summary", "https://www.virustotal.com/gui/collection/daab0521ae533cbdfeec047e51a9499aedfd27c8cc05c644950126c1947131f9", "https://www.virustotal.com/gui/collection/12100cb4982365cfe5122fcedda2c084d60cebe09314846cae980c36fc90fc8c/iocs", "https://www.virustotal.com/graph/embed/g9219350397134ff3a645319a88b67833077c9cf0f50d4979aa0239a3d0b6ecea?theme=dark", "https://www.virustotal.com/gui/collection/c1ea74232c607b23ded09484664f00ae58f911ccb82433d042056cbb84c9d602", "https://www.virustotal.com/gui/collection/c1ea74232c607b23ded09484664f00ae58f911ccb82433d042056cbb84c9d602/graph", "https://www.virustotal.com/gui/collection/c1ea74232c607b23ded09484664f00ae58f911ccb82433d042056cbb84c9d602/iocs", "https://www.virustotal.com/gui/collection/da35693aa528a682ca91aee332c8155d99ac8e4a13077cc73b2a8921c8fea36b", "https://www.virustotal.com/gui/collection/1497c56a475d73236c67292964eabd7f8961f88c57fa5a2e3f30720dc29a51e7", "https://www.virustotal.com/gui/collection/8228434e85241bd42ae063de8cf2ee2afb86f0848675ed11e3f33b967e8c3c7c", "https://www.virustotal.com/gui/collection/aabd4abecf7099202ccbfbc1cec130ea266329ade38b040169399c6abf97a188", "https://www.virustotal.com/gui/collection/6a4e699473879d39e15ed7cd130f2ee9543f842b92c9ad8b78e310968f4b086f", "https://www.virustotal.com/graph/embed/g3dae42eb79cc447182e3a3dd746e462f0903d71c784d4f5cacf970954deea221?theme=dark", "https://www.virustotal.com/graph/embed/gc0d82762363b4aa88991027c391afdbfe9585395bd8d4273bbe09907fbfaf532?theme=light", "https://www.virustotal.com/graph/embed/g78ea5ea9b68b4a4bbcd2bc078e23b321985e72d90da146c19d8d80ede366c1fa?theme=dark", "https://www.virustotal.com/gui/collection/8f89eb9579ca53d15294ec27a4c1e763998ce57d3644ea746621d9fe0cb57e55/iocs", "https://www.virustotal.com/graph/g994d0094226240eba65c081dfbc3e4936aa010abf4db48049e3a964e7c5ad076", "https://www.virustotal.com/gui/collection/86f3d77a28744357c14d92dba7ac6302d57700308c64b641513119d8fcad411f/iocs", "https://www.virustotal.com/graph/g38632f8b939b443ab3b69f6a3171d02ffd2696a0f3714325a84b9a5f227a7d1c", "https://www.virustotal.com/gui/collection/4b166c2c1752d85215da951b15a065688bfe24ea92c65228a45ded6f2d94685b/iocs", "https://www.virustotal.com/graph/embed/g798b5e01446c4711ba22802009d71f5ba78553df16794088a907ae7456e2a017?theme=dark", "https://www.virustotal.com/gui/collection/86f3d77a28744357c14d92dba7ac6302d57700308c64b641513119d8fcad411f", "https://www.virustotal.com/gui/collection/a6a81c8412b19ac6357a7c6e978c31a38d52a75fbb3b2e44f0f1a2bf0deb8a58/iocs", "https://www.virustotal.com/graph/embed/g699a7b9bfb324855859555181d01666c372310cf233441e08a095459b3394dea?theme=dark", "https://www.virustotal.com/graph/embed/g6a67af8ffa22446da35d6989d7d0bc47efcd295eb893471e9b4912080c1dddef?theme=dark", "https://www.virustotal.com/graph/embed/g23481631a7c745c6ba19f72ce9f853643d17706c08ab44eb8851eb5c56c0f073?theme=dark", "https://www.virustotal.com/graph/embed/g3b316b58b8c54064b322b2e186d62950d7632add2f3f408f8d8a1706563fd3c0?theme=dark", "https://www.virustotal.com/graph/embed/g994d0094226240eba65c081dfbc3e4936aa010abf4db48049e3a964e7c5ad076?theme=dark", "https://www.virustotal.com/graph/g40f442f2b5d64cba818cac88855ba4ce274d109ce4ef4fb496f1af4efb993886", "https://www.virustotal.com/gui/collection/0c9360cb9f8601bd6cdf912eb414d67902487f0c4eec96e952377e300ff4e983/iocs", "https://www.virustotal.com/gui/collection/a1866f4c7dbc79920d0c7e914a3bace0d3dc424a2aac06bf30bf724c6c8b0375/iocs", "https://www.virustotal.com/gui/collection/82dc29932b9184d02b037289fd4605c158e96a57f376b08a8b2b94e43d0ae18b/iocs", "https://viz.greynoise.io/ip/analysis/ae06b3b5-c746-4b44-b2ac-19bb3aea14a1 [11.23.25 - 1000ipv4]" ], "public": 1, "adversary": "Unknown APT Group(s) / Threat Actor (s)", "targeted_countries": [ "Canada", "United States of America", "Philippines", "Panama", "Netherlands", "Anguilla", "Saint Vincent and the Grenadines", "Aruba", "Mexico", "Guatemala", "Costa Rica", "Tanzania, United Republic of" ], "malware_families": [], "attack_ids": [], "industries": [ "Education", "Healthcare", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 111, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 236, "FileHash-SHA1": 139, "FileHash-SHA256": 1421, "URL": 9580, "CIDR": 30, "domain": 10205, "email": 12, "hostname": 517612, "IPv4": 11, "CVE": 62 }, "indicator_count": 539308, "is_author": false, "is_subscribing": null, "subscriber_count": 146, "modified_text": "188 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "691b61e16cea7624a6606a69", "name": "For Later", "description": "***", "modified": "2025-11-17T18:46:19.094000", "created": "2025-11-17T17:56:49.875000", "tags": [ "wormhole", "want", "sign", "submit send", "copy", "share show", "report delete", "faq roadmap", "security legal", "twitter discord", "protected" ], "references": [ "https://wormhole.app/Pp5DdP#3EpzsqLhw5lJdQ0Xe_mRQA", "https://www.virustotal.com/gui/collection/18b52f4087178dedfee577ab7e53c5a86e84c2a7f901fa796240247f4be76f32/iocs" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 72127, "hostname": 16700, "URL": 50 }, "indicator_count": 88877, "is_author": false, "is_subscribing": null, "subscriber_count": 131, "modified_text": "195 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67f5555b6ce863d998e83e26", "name": "macOS Threat Infrastructure Leveraging Remote Agents via remotewd.com and rtmsprod.net", "description": "This pulse identifies an actively observed macOS-focused remote access infrastructure abusing trusted native Apple agents (ARDAgent.app, SSMenuAgent.app) and communicating with a distributed network of C2-like endpoints under domains such as remotewd.com, idsremoteurlconnectionagent.app, and rtmsprod.net.\n\nThe infrastructure is composed of dynamically generated subdomains \u2014 many in the form of device-.remotewd.com \u2014 indicative of automated deployment, system tracking, or per-host remote access configurations.\n\nAdditional indicators include HTTP/S URLs pointing directly to embedded binary paths within macOS agents, suggesting possible delivery vectors, staging, or persistence techniques.\n\nThis campaign shows signs of structured, programmatic targeting and is highly likely to be pre-operational infrastructure for wide-scale surveillance or access operations. All listed indicators should be considered high-risk. If observed in your environment, initiate a full forensic and IR process immediately.", "modified": "2025-05-11T19:03:59.885000", "created": "2025-04-08T16:56:59.641000", "tags": [ "generated from", "do not", "edit uri", "urls", "edit", "rewriteengine", "rewritecond", "rewriterule", "r301", "xml2encalias", "beralloct", "berbvarrayadd", "berbvarrayfree", "berbvdup", "berbvecadd", "berbvecfree", "berbvfree", "berdump", "berdup", "berdupbv", "laerrordomain", "laerrornoncekey", "lamechanismtree", "lacontext", "ladomainstate", "laenvironment", "lanotification", "laprivatekey", "lapublickey", "laright", "apple swift", "o librarylevel", "combine import", "foundation", "swift import", "mcpeerid", "mcsession", "property", "copyright", "protocol", "class", "bonjour", "ascii lowercase", "abc company", "section", "bonjour txt", "note", "ui element", "utf8 encoding", "nscopying", "nsdictionary", "nsstring", "mcextern", "attribute", "mcextern extern", "mcexternweak", "nsenum", "nsinteger", "mcerrorcode", "mcerrorunknown", "mcerrortimedout", "peer", "example", "bonjour apis", "stop", "tags", "session", "nsprogress", "nserror", "nsurl", "nsarray", "create", "nsuinteger", "notifies", "mcsession api", "interface", "dbictrace", "dbivporth", "dbictracelevel", "dbdtffoo", "dbihseterrchar", "dbicstate", "dbictraceflags", "provides macros", "dbi release", "only", "sqlsuccess", "odbc", "sqlok", "tim bunce", "england", "sql cli", "sql datatype", "sqlguid", "sqlwlongvarchar", "main", "beware", "sv sth", "sv dbh", "impsth", "impdbh", "sv keysv", "sv params", "sv attr", "sv attribs", "sv drh", "void", "fri jul", "mixed", "dbixsrevision", "plsvundef", "license", "spagain", "perlioprintf", "dbiclogpio", "putback", "ireland", "gnu general", "super", "magic", "dbicflags", "dbis", "svrv", "null", "imp2com", "dbicactivekids", "dbicfiadestroy", "sv h", "dbicdbistate", "code", "copy", "refer", "trace", "error", "unknown", "hookopcheckh", "startexternc", "hookopcheckcb", "userdata", "endexternc", "isinternalbuild", "kickmcxdforuid", "loadappkit", "ardconfig", "authenticator", "dsauthenticator", "dsnode", "dsrecord", "group", "hostconfig", "apfsvolumelock", "apfsvolumerole", "aoskgetosinfo", "aoskgetuserinfo", "aosaddappleid", "aosdisablepcs", "aosenablepcs", "aoslog", "aoslogforce", "aosrelaycookie", "didfailcallback", "kaosaccountkey", "kapcsbundle", "kapcspath", "kjsonextension", "apcsbucketid", "apcsreports", "apconfiguration", "apversiondata", "apversionhelper", "systemvolumesvm", "name size", "identifier", "gb disk0s3", "devdisk3", "apfs container", "scheme", "physical store", "macintosh hd", "apfs snapshot", "preboot", "refs address", "size wired", "name", "version", "uuid", "linked against", "renderer", "helper", "chrome helper", "contains", "cloud ui", "macintosh", "khtml", "gecko", "ui helper", "plugin", "service", "good", "battery power", "apfs encryption", "jumpcloud go", "chrome web", "store", "privacy badger", "flowcrypt", "encrypt gmail", "simple", "google", "b2b phone", "number", "apollo", "future", "exccrash", "sigkill", "code signature", "invalid", "sigabrt", "protonvpn", "excguard", "excbreakpoint", "sigtrap", "excbadaccess", "appl", "english", "adobe crash", "adobe", "acrobat dcadobe", "processor", "uninstaller", "assistant", "install", "cloud", "dock", "calendar", "music", "terminal", "tips", "installer", "updater", "proton", "tools", "stub", "python", "clock", "powershell", "team", "rave scout", "cookies", "public folder", "key cert", "sign", "crl sign", "root ca", "authority", "public primary", "global root", "verisign", "academic", "premium", "adaptive", "interactive", "background", "standard", "launchd sandbox", "s mdworker", "agent", "command line", "progress", "yubico", "macos13action", "disableoverride", "disableairdrop", "denyactivation", "enable", "loginwindowtext", "jumpcloud", "autoupdate", "loggingoption", "enablefirewall", "arm64e", "apple m2", "mac142", "kjqqtw7pqt", "daemon", "server", "open directory", "user", "account", "kerberos admin", "kerberos change", "device daemon", "network", "desktop", "screensaver", "bridge", "aesxtsarm", "aesecbarm", "sha512vngarmhw", "sha384vngarmhw", "sha256vngarm", "sha1vngarm", "darwin kernel", "wed mar", "wkarraycreate", "wkbooleancreate", "wkcontextcreate", "wkdatacreate", "wkdatagettypeid", "wkdoublecreate", "wkframecopyurl", "wkgettypeid", "wkimagecreate", "wkpagecandelete", "webview", "notice", "this software", "including", "but not", "limited to", "redistribution", "is provided", "by apple", "direct", "damage", "apiavailable", "webkit", "nsswiftname", "document", "a block", "as is", "hasinclude", "wkdownload", "abstract", "wkerrorcode", "wkerrorunknown", "discussion", "bool", "whether", "wkcontentworld", "wkwebview", "javascript", "nsunavailable", "vaargs", "nsswiftasync", "wkswiftasync", "wkcookiepolicy", "wkswiftuiactor", "nshttpcookie", "targetosiphone", "wknavigation", "decides", "boolean value", "apideprecated", "methodkind", "wkerrordomain", "wkscriptmessage", "promise", "fulfill", "const", "url scheme", "mark", "wkuserscript", "targetosvision", "param", "wkframeinfo", "targetosios", "pass", "window", "mime type", "link", "nsimage", "returns", "nsset", "checks", "matches", "a boolean", "defaults", "wkwebextension", "cgsize", "uiimage", "apis", "nsdate", "wkcontentmode", "wkextern", "possible", "cgfloat", "media", "cgrect", "apiunavailable", "framework", "nsswiftuiactor", "targetoswatch", "confirms", "apple upgrade", "nsstring user", "nsobject", "provider", "apple", "password", "uicontrol", "nscontrol", "asuseragerange", "check", "opaque user", "apple id", "initiate", "asauthorization", "operation", "state", "nserrorenum", "nsdata", "relying party", "asapiavailable", "perform", "realm", "http response", "authorization", "http", "oauth", "saml", "a byte", "nsdata userid", "relying", "a string", "nsdata readdata", "bool didwrite", "a cose", "nsdata first", "nsdata second", "nsstring name", "bool appid", "targetosxr", "nsstring appid", "bluetooth", "mdm profile", "nsurl url", "returns yes", "a state", "a json", "web token", "private seckeys", "enables", "keychain", "asswiftsendable", "cose algorithm", "ecdsa", "sha256", "cose curve", "p256", "nullable", "bool success", "remove", "call", "complete", "initializes", "time code", "extensions", "asextern extern", "asextern", "nsswiftsendable", "prepare", "list", "nsextension", "attempt", "nsstring label", "creates", "nsstring code", "a key", "webauthn", "nssecurecoding", "input", "output", "initialize", "nsinteger rank", "json", "inputs", "hash", "nsstring origin", "settings app", "extension", "https urls", "safari", "cancel", "nsuuid uuid", "r uftpexu", "nsmutabledata", "vnsdate", "mprcjy", "postfix", "domain", "canonical", "tables", "ldap", "post", "replace user", "address", "wietse venema", "bugs", "mail", "aliases", "postfix version", "restrict", "sample", "person", "basic system", "general", "reject empty", "postfix smtp", "ipv6 host", "reject", "reply", "access", "prior", "hold", "info", "mail delivery", "charset", "system", "report", "postfix dsn", "mail returned", "this", "generic", "smtp", "isp mail", "mime", "headerchecks", "readme files", "filters while", "posix", "empty", "body", "write", "date", "smtp server", "specify", "mx host", "unix password", "user unknown", "pathbin", "postfix queue", "unix", "cyrus", "path", "uucp", "shell", "local", "program", "agreement", "contributor", "recipient", "contribution", "the program", "corporation", "contributors", "product x", "as expressly", "arch", "arch x8664", "pipe wall", "wimplicit", "ranlib", "warn", "switch", "start", "systype", "outlook", "postfix master", "begin", "server admin", "mail backend", "modern smtp", "iana", "many", "postfix pipe", "recent cyrus", "amos gouaux", "old example", "or even", "lutz jaenicke", "technology", "cottbus", "germany", "openssl package", "openssl project", "europe", "remember that", "use of", "file", "update", "usrsbin", "file format", "no group", "daemondirectory", "deliver mail", "transport", "description", "result format", "virtual", "virtual alias", "redirect mail", "relocated", "matches user", "synopsis", "lastname", "firstname", "apple computer", "tcpip", "supported", "quantum", "facility", "level", "level info", "broadcast", "ignore", "rules", "sender", "automounter map", "use directory", "get home", "home autohome", "true", "t option", "mount", "force", "environment", "automountdenv", "promptcommand", "shellsessiondir", "histfile", "histfilesize", "myvar", "histtimeformat", "arrange", "bashrematch", "tell", "ps1h", "make bash", "s checkwinsize", "etcbashrc", "termprogram", "inpck", "nnnbaud", "berkeley", "parity", "pc entry", "pass8", "parenb istrip", "fixed speed", "entry", "clocal mode", "maxhistsize", "promptmode", "verbose end", "etcirbrcloaded", "default", "setup", "history file", "kernel", "readline", "jabber", "group database", "dovecot", "postfix scsd", "networkd", "searchpaths", "freebsd", "tmpdir", "fcodes", "prunepaths", "vartmp", "prunedirs", "filesystems", "nroff", "manpath", "uncomment", "manpager", "whatispager", "manlocale", "every", "manpath optman", "maybe", "troff", "status mailfrom", "returnpath via", "pidfile", "flags", "bcgjnuwz", "bin usrsbin", "sbin", "default pf", "care", "audio", "user database", "unix copy", "gate daemon", "bashno", "r etcbashrc", "rfc1323", "m1460", "macos x", "signature", "linux", "opera", "xp sp1", "windows sp1", "nmap syn", "m265", "synack", "mind", "macos", "warp", "ipv6", "internet", "icmp", "cisco", "monitoring", "argus", "chaos", "rsvp", "encapsulation", "aris", "isis", "netbootmount", "netbootshadow", "computername", "localonly", "localnetbootdir", "netboot", "define", "purpose", "networkonly", "waiting", "networkup", "term", "devnull", "common setup", "configure", "set command", "dns hostname", "dns query", "see also", "kame", "sunnet manager", "rpcsrc", "netlicense", "ftpd", "bindash binksh", "binsh bintcsh", "jumpcloud ldap", "smb2", "security", "workgroup", "standalone", "samba server", "enforce", "smb3", "example share", "improper use", "ctrlc", "none", "fax reception", "hardwired", "0007", "must", "visudo", "blocksize", "charset lang", "language lcall", "lines columns", "lscolors", "sshauthsock", "orion", "setup user", "home", "zdotdir", "delete", "beep", "vendor", "kf10", "kf11", "kf12", "kf13", "backspace", "insert", "resume", "termsessionid", "savehist", "sharehistory", "h do", "volume", "de l", "l uuid", "m tra", "n est", "suuid", "prfen", "fusion", "syst", "look", "executant", "alla", "over", "test", "overie", "zapis", "rapid", "disco usa", "de macos", "nie s", "i denne", "adgjmpsvx", "diskgthis disk", "01k8x j", "34disk", "levy kytt", "dict", "array", "plist", "apple root", "code signing", "inode64r", "xofkoxzh", "integer", "doctype", "brain", "abcd", "ogwo", "boaw", "cobwa", "uhawavauatsh", "ip bitmap", "foewdc", "could", "ip block", "funcs", "cogwo", "trash", "double", "hunt", "affa", "carr", "crypto", "docwbac", "q1b0", "q1 0", "h h5", "docwbag", "slice", "format", "zero", "alfa", "hera", "lelei", "hehe", "hisp", "fail", "katy", "zakk", "eodwcbgao", "hhk8di", "alma", "topo", "open", "huhk", "piper", "hehx", "eh ui", "h20hph", "hif h", "hmhhihqhyla hq", "r11b0", "target", "uus10u", "hifh", "loghookfailed", "loghook", "hell", "q1b 0", "f duh", "aqw1", "1160" ], "references": [ "index.html.en", "bind.html", "caching.html", "BUILDING", "configuring.html", "content-negotiation.html", "custom-error.html", "convenience.map", "LDAP.tbd", "lber.h", "ldap.h", "LocalAuthentication.tbd", "arm64e-apple-macos.swiftinterface", "x86_64-apple-ios-macabi.swiftinterface", "arm64e-apple-ios-macabi.swiftinterface", "x86_64-apple-macos.swiftinterface", "MultipeerConnectivity.tbd", "module.modulemap", "MCNearbyServiceAdvertiser.h", "MCPeerID.h", "MCError.h", "MCNearbyServiceBrowser.h", "MCAdvertiserAssistant.h", "MultipeerConnectivity.apinotes", "MultipeerConnectivity.h", "MCSession.h", "MCBrowserViewController.h", "dbivport.h", "dbi_sql.h", "dbd_xsh.h", "dbixs_rev.h", "Driver_xst.h", "DBIXS.h", "hook_op_check.h", "Admin.tbd", "AirPlayReceiver.tbd", "apfs_boot_mount.tbd", "AOSKit.tbd", "APConfigurationSystem.tbd", "AppleFirmwareUpdate.tbd", "launchdaemons.txt", "preboot_archive_errors.log", "mounts.txt", "launchagents.txt", "disk_structure.txt", "user_launchagents.txt", "security_status.txt", "kexts.txt", "process_list.txt", "battery.csv", "diskEncryption.csv", "chromeExtensions.csv", "crashes.csv", "interfaceAddrs.csv", "kernel.csv", "interfaceDetails.csv", "etcHosts.csv", "applications.csv", "mounts.csv", "sharedFolders.csv", "certificates.csv", "sharingPreferences.csv", "launchD.csv", "usbDevices.csv", "managedPolicies.csv", "systemInfo.csv", "users.csv", "sipConfig.csv", "systemControls.csv", "canonical", "aliases", "custom_header_checks", "access", "bounce.cf.default", "generic", "header_checks", "main.cf.default", "LICENSE", "makedefs.out", "main.cf", "master.cf.default", "main.cf.proto", "master.cf.proto", "master.cf", "TLS_LICENSE", "postfix-files", "transport", "virtual", "relocated", "afpovertcp.cfg", "asl.conf", "auto_home", "auto_master", "autofs.conf", "bashrc_Apple_Terminal", "com.apple.screensharing.agent.launchd", "bashrc", "command_args.json", "csh.cshrc", "csh.login", "find.codes", "csh.logout", "ftpusers", "gettytab", "irbrc", "kern_loader.conf", "group", "locate.rc", "man.conf", "mail.rc", "manpaths", "networks", "nfs.conf", "newsyslog.conf", "ntp_opendirectory.conf", "ntp.conf", "notify.conf", "paths", "pf.conf", "passwd", "profile", "pf.os", "protocols", "rc.netboot", "rc.common", "rmtab", "resolv.conf", "rtadvd.conf", "rpc", "shells", "smb.conf", "sudo_lecture", "ttys", "syslog.conf", "xtab", "sudoers", "zprofile", "zshrc", "zshrc_Apple_Terminal", "CodeResources", "version.plist", "Info.plist" ], "public": 1, "adversary": "DragonForce Malaysia Hacker Group", "targeted_countries": [], "malware_families": [ { "id": "Lastname", "display_name": "Lastname", "target": null }, { "id": "Firstname", "display_name": "Firstname", "target": null } ], "attack_ids": [ { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 66, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ilyailya", "id": "298851", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 4449, "domain": 3847, "URL": 14263, "FileHash-SHA256": 2356, "FileHash-MD5": 223, "FileHash-SHA1": 523, "email": 223, "CVE": 40, "CIDR": 12, "SSLCertFingerprint": 302 }, "indicator_count": 26238, "is_author": false, "is_subscribing": null, "subscriber_count": 37, "modified_text": "385 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66b0fa3624bf0384e427f2e7", "name": "Tracking Domains 4.2 - 08.19.24", "description": "Tracking Domains detected by Privacy Badger Ext. on Microsoft Edge Browser (W11 Device) using Telus ISP (ASN852)\n*Not-Enriched (08.05.24): ~50,000 suggests IOCs by AlienVault\nFrom VT: 2 IPs hosted by 45090 (Shenzhen Tencent Computer Systems Company Limited) & 4611 (CNNIC member) seem to be the problem here 118[.]89.204.198, 118[.]89.0.0/16 & 202[.]123.107.15, 202[.]123.107.0/24 (Respectively)", "modified": "2024-09-04T15:01:01.432000", "created": "2024-08-05T16:13:42.563000", "tags": [], "references": [ "https://www.virustotal.com/gui/collection/21cbd369ea901f41d51b666439aa41070c76eafb66dbbc6e56c86e0923b1569f/iocs", "https://www.virustotal.com/gui/collection/21cbd369ea901f41d51b666439aa41070c76eafb66dbbc6e56c86e0923b1569f/summary", "https://www.virustotal.com/gui/collection/21cbd369ea901f41d51b666439aa41070c76eafb66dbbc6e56c86e0923b1569f/graph", "https://www.virustotal.com/graph/embed/ge839428bb3e24a98aae8cbcc242ae4d8febdc0c46e49411ebb09d155e22b4bbc?theme=dark", "https://viz.greynoise.io/query/AS4611", "https://urlscan.io/asn/AS4611", "https://urlscan.io/search/#asn:%22AS4611%22", "https://urlscan.io/asn/AS45090", "https://urlscan.io/search/#asn%3A%22AS45090%22", "https://viz.greynoise.io/query/AS45090", "https://urlscan.io/result/aeb42615-79b7-465d-924e-c9bdde3eefd1/#transactions", "https://urlscan.io/result/d4bf08e4-88dc-4bf8-be34-6b352576882e/#behaviour", "Filescan[.]io report: bc47c757-0a4d-4659-98d4-5d0c86406462 (08.23.24)", "https://krebsonsecurity.com/2024/07/dont-let-your-domain-name-be" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada", "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [ "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 6180, "FileHash-MD5": 1, "domain": 24921, "URL": 10854 }, "indicator_count": 41956, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "634 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66269b1f33258a8e26033b17", "name": "Tracking Domains - Part 4.1", "description": "More Tracking Domains", "modified": "2024-08-30T13:02:28.335000", "created": "2024-04-22T17:15:11.398000", "tags": [ "Tracking Domains" ], "references": [ "https://www.virustotal.com/gui/collection/ee0928d5289165511398be0144460ff4c8663292be0a99a05ac955de2728a078/iocs", "https://www.virustotal.com/graph/embed/g0844b0f8d48c4bfab3ae40a376456055e267e54952fe40e0a79f63cc17550863?theme=dark", "https://viz.greynoise.io/analysis/02a64dd4-d7e0-451c-8384-13cf23298551" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada", "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [ "Technology", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 94496, "FileHash-MD5": 63, "domain": 112327, "URL": 166918, "FileHash-SHA1": 33, "FileHash-SHA256": 103, "CIDR": 216 }, "indicator_count": 374156, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "639 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "uidsync.net", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "uidsync.net", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780256399.8200028 }