{
  "Event": {
    "analysis": "1",
    "date": "2026-04-10",
    "extends_uuid": "",
    "info": "[Threat Intel] 59 Victims, Zero Authentication: A ClickFix Campaign Force-Installs a Chrome Extension Banking Stealer and Leaves the Entire C2 Wide Open",
    "protected": false,
    "publish_timestamp": "1776682902",
    "published": true,
    "threat_level_id": "3",
    "timestamp": "1776682901",
    "uuid": "8f676bb2-fdc9-451c-b2e2-031c4d71bb4e",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-original-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-OTX\"",
        "relationship_type": ""
      },
      {
        "colour": "#8ee8d8",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Screen Capture - T1113\"",
        "relationship_type": ""
      },
      {
        "colour": "#72ee33",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Keylogging - T1056.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#ed66f6",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Steal Web Session Cookie - T1539\"",
        "relationship_type": ""
      },
      {
        "colour": "#77a4ec",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Email Collection - T1114\"",
        "relationship_type": ""
      },
      {
        "colour": "#029dd6",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Software Extensions - T1176\"",
        "relationship_type": ""
      },
      {
        "colour": "#68f2ff",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Data from Local System - T1005\"",
        "relationship_type": ""
      },
      {
        "colour": "#82eae0",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Domains - T1583.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#62e1b7",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Browser Session Hijacking - T1185\"",
        "relationship_type": ""
      },
      {
        "colour": "#adf1b0",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Proxy - T1090\"",
        "relationship_type": ""
      },
      {
        "colour": "#91649a",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Virtual Private Server - T1583.003\"",
        "relationship_type": ""
      },
      {
        "colour": "#f95f85",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Credentials In Files - T1552.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#1b29e9",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Internal Defacement - T1491.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#a9f8b1",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Exfiltration Over C2 Channel - T1041\"",
        "relationship_type": ""
      },
      {
        "colour": "#755c09",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"PowerShell - T1059.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#e08bb2",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Obfuscated Files or Information - T1027\"",
        "relationship_type": ""
      },
      {
        "colour": "#356c41",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Encrypted Channel - T1573\"",
        "relationship_type": ""
      },
      {
        "colour": "#2e58ce",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Input Capture - T1056\"",
        "relationship_type": ""
      },
      {
        "colour": "#0f7a15",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Web Session Cookie - T1550.004\"",
        "relationship_type": ""
      },
      {
        "colour": "#92e858",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Web Protocols - T1071.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#5884a7",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Malicious Link - T1204.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#c94db5",
        "local": false,
        "name": "misp-galaxy:target-information=\"Brazil\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#120046",
        "local": false,
        "name": "rectifyq:sub-category=\"infra-profile\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffd12e",
        "local": false,
        "name": "rectifyq:target=\"broad-based\"",
        "relationship_type": ""
      },
      {
        "colour": "#55acee",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"potentially-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#230087",
        "local": false,
        "name": "rectifyq:samples-found-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d00e9",
        "local": false,
        "name": "rectifyq:action-taken=\"telegram\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776222012",
        "to_ids": false,
        "type": "link",
        "uuid": "304d5311-1e5e-47e1-a815-06f8b6fe2d1e",
        "value": "https://intel.breakglass.tech/post/clickfix-chrome-extension-banking-stealer-59-victims-unauthenticated-c2",
        "Tag": [
          {
            "colour": "#6b003a",
            "local": true,
            "name": "workflow:todo=\"create-missing-misp-galaxy-cluster\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776222012",
        "to_ids": false,
        "type": "text",
        "uuid": "635d4548-a3ea-41fb-894d-028465cfd63e",
        "value": "A Brazilian banking fraud operation leveraging ClickFix social engineering was discovered through a community tip, exposing a completely unauthenticated command-and-control infrastructure. The campaign deploys a malicious Chrome extension masquerading as a Banco Central do Brasil tool, force-installed via Chrome Cloud Management enrollment tokens. The extension was reported with zero antivirus detections at publication (the later VirusTotal check recorded in this event shows 1/62 for bcb.crx) while targeting eight Brazilian financial institutions. At investigation time, 59 machines were compromised with seven active connections. The operator's C2 server exposed all endpoints without authentication, including admin panels, live victim screenshots, stolen credentials in cleartext, and intercepted Pix payment data. The source attributes the operation to a named individual on the basis of WHOIS records (real name, CPF, and email address); treat this as the reporter's assessment rather than confirmed attribution. The operation specifically targeted Northern Brazilian regional banks and credit cooperatives, with evidence of compromising a school fund account."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776222012",
        "to_ids": false,
        "type": "text",
        "uuid": "34ce12a5-7954-42d2-99dd-a65e939783e0",
        "value": "Name: 59 Victims, Zero Authentication: A ClickFix Campaign Force-Installs a Chrome Extension Banking Stealer and Leaves the Entire C2 Wide Open\nAuthor: AlienVault\nAdversary: ANTONIO EDUARDO FREDERICO\nTags: [\"session-hijacking\", \"clickfix\", \"credential-theft\", \"banking-stealer\"]\nTgtd countries: [\"Brazil\"]\nMlwr families: [\"BCB\", \"ClickFix\"]\nAttack_ids: [\"T1113\", \"T1056.001\", \"T1539\", \"T1114\", \"T1176\", \"T1005\", \"T1583.001\", \"T1185\", \"T1090\", \"T1583.003\", \"T1552.001\", \"T1491.001\", \"T1041\", \"T1059.001\", \"T1027\", \"T1573\", \"T1056\", \"T1550.004\", \"T1071.001\", \"T1204.001\"]\nIndustries: [\"Finance\", \"Education\"]"
      },
      {
        "category": "Attribution",
        "comment": "Adversary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776222012",
        "to_ids": false,
        "type": "threat-actor",
        "uuid": "cbdae723-9721-40d5-89e6-7ec1598059cf",
        "value": "ANTONIO EDUARDO FREDERICO"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776655996",
        "to_ids": true,
        "type": "url",
        "uuid": "3c096b1f-d0ba-4a75-b9d4-398b53d96b8f",
        "value": "http://144.126.140.33:3000",
        "Tag": [
          {
            "colour": "#f08989",
            "local": false,
            "name": "NotFoundError",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776656017",
        "to_ids": true,
        "type": "domain",
        "uuid": "3df2a135-fea2-48e0-a0d8-0a45d33f9651",
        "value": "xpie348.online",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776656038",
        "to_ids": true,
        "type": "url",
        "uuid": "c2343732-fc94-4c6f-b888-19ad20cf1465",
        "value": "http://xpie348.online/instalador/update.xml",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776656059",
        "to_ids": true,
        "type": "hostname",
        "uuid": "b98ed358-c1db-4201-bb9b-a217b07d3257",
        "value": "test1.amanur.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776656081",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "f2d91776-55c2-4f39-b06c-69e21eb73c42",
        "value": "144.126.140.33",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776656102",
        "to_ids": true,
        "type": "url",
        "uuid": "3f606bb8-cd57-47a7-8aa0-3ffdb4032868",
        "value": "http://144.126.140.33:3000/openapi.json",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776656123",
        "to_ids": true,
        "type": "url",
        "uuid": "2f508465-7b0e-4194-ab46-342a9ceedf5d",
        "value": "http://protocolovirtual.org",
        "Tag": [
          {
            "colour": "#f08989",
            "local": false,
            "name": "NotFoundError",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776656144",
        "to_ids": true,
        "type": "url",
        "uuid": "55c2c384-4316-47ce-b0b3-3498299955ff",
        "value": "http://test1.amanur.com",
        "Tag": [
          {
            "colour": "#f08989",
            "local": false,
            "name": "NotFoundError",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776656165",
        "to_ids": true,
        "type": "url",
        "uuid": "af0442c2-8e32-41c3-bbef-eed80a7ab5bb",
        "value": "http://xpie348.online/instalador/get_token.ps1",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776656186",
        "to_ids": true,
        "type": "domain",
        "uuid": "d109cd40-72d7-4195-bd5f-e70365b0689c",
        "value": "amanur.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776656208",
        "to_ids": true,
        "type": "domain",
        "uuid": "2115df75-0c5e-4741-bbcd-408f197cd062",
        "value": "certificadosuporte.com.br",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776656229",
        "to_ids": true,
        "type": "domain",
        "uuid": "6c0d1407-09d6-4b81-9657-075d11c7011c",
        "value": "protocolovirtual.org",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776656251",
        "to_ids": true,
        "type": "url",
        "uuid": "c6e19806-e214-4ecd-9958-59f146ee0b20",
        "value": "http://144.126.140.33:3000/admin",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776656272",
        "to_ids": true,
        "type": "url",
        "uuid": "c6de8e8c-6e75-4513-be8f-42048be9f6cd",
        "value": "http://144.126.140.33:3000/api/users",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776656293",
        "to_ids": true,
        "type": "url",
        "uuid": "114b35dd-3d6a-44ef-8c07-26aa1e5b4c28",
        "value": "http://144.126.140.33:5000",
        "Tag": [
          {
            "colour": "#f08989",
            "local": false,
            "name": "NotFoundError",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776656314",
        "to_ids": true,
        "type": "hostname",
        "uuid": "d902cea0-ae4d-4502-a8c6-cb58988b3d7a",
        "value": "certificadosuporte.com.br",
        "Tag": [
          {
            "colour": "#669ae5",
            "local": false,
            "name": "AlreadyExistsError",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Same host also listens on port 5000 (recorded separately as http://144.126.140.33:5000); this bare-host URL carries no port.",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776656335",
        "to_ids": true,
        "type": "url",
        "uuid": "057aedb0-2ea4-4d8c-a044-f363cc9a4f2d",
        "value": "http://144.126.140.33",
        "Tag": [
          {
            "colour": "#f08989",
            "local": false,
            "name": "NotFoundError",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776656355",
        "to_ids": true,
        "type": "url",
        "uuid": "b4465afc-f7f2-4229-9422-19e83f3fdf41",
        "value": "wss://certificadosuporte.com.br",
        "Tag": [
          {
            "colour": "#f08989",
            "local": false,
            "name": "NotFoundError",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "Domain registrant e-mail taken from WHOIS — an attribution pivot, not a delivery/sender indicator; low value as a blocking IOC.",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776650968",
        "to_ids": true,
        "type": "email-src",
        "uuid": "37a6c502-2bd7-4608-ba56-868953a9fac2",
        "value": "ventonortemaria@gmail.com"
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1776656376",
        "uuid": "adabd32e-8ed0-4177-b08b-8b7d30ecc4c9",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1776656376",
            "to_ids": true,
            "type": "md5",
            "uuid": "851dc674-87da-42d3-95e5-300fe7d60609",
            "value": "386d4093f70219b8291d3f9e6f71ee1f",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#270095",
                "local": false,
                "name": "rectifyq:ioc=\"low-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1776654489",
            "to_ids": true,
            "type": "sha1",
            "uuid": "e798da3e-a3ca-4107-93c6-b7c857bb8f26",
            "value": "bdac75f0e71a6e2ee2030259ad5ff7c002ebc98d",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#270095",
                "local": false,
                "name": "rectifyq:ioc=\"low-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1776654489",
            "to_ids": true,
            "type": "sha256",
            "uuid": "7e280cde-c8f8-4c38-8042-658756b68f6b",
            "value": "401c125517b1f845289bf0a7a33e5db0391034f631eab85dd65b76b7fec9a959",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#270095",
                "local": false,
                "name": "rectifyq:ioc=\"low-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1776654104",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "65d59421-d485-4447-bfd1-c3cdf37b2c52",
            "value": "49152:4QrYgXcJGJXPwxjXUUoLyiiZi6WSltE27J8:4gXcYJfwldJiiAuGEJ8"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1776654104",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "8d4297fe-512c-4d6a-ac34-95b0af888732",
            "value": "2311185"
          },
          {
            "category": "Payload delivery",
            "comment": "Generic filename — weak as an IDS indicator on its own; pivot on the hashes in this object.",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1776654104",
            "to_ids": true,
            "type": "filename",
            "uuid": "5a410f83-26eb-44ae-a9e0-777fb70c3467",
            "value": "bcb.crx"
          },
          {
            "category": "Other",
            "comment": "Checked: 2026-04-20\nLast-scan: 2026-04-20",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1776654104",
            "to_ids": false,
            "type": "text",
            "uuid": "78a1e7af-4bb8-4814-b143-b954963e3eab",
            "value": "Type Description: Google Chrome Extension\nMicrosoft: None\nVT Total Detection:1/62\nFirst Submission:2026-04-10T19:01:14.000000+00:00\nLast Submission:2026-04-14T18:44:56.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1776656397",
        "uuid": "721d9dec-bba0-470e-87ae-6c31e3c3b8e7",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1776656397",
            "to_ids": true,
            "type": "md5",
            "uuid": "d3cb5328-878a-4575-86af-26476a67a585",
            "value": "79720bc7c8ed17343c2a950800e7a6a5",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1776654490",
            "to_ids": true,
            "type": "sha1",
            "uuid": "ef093f14-33c4-4737-b1d7-ba3a8a080bda",
            "value": "c505ebef0be83d0ac78d724559f72044a38c42b7",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1776654490",
            "to_ids": true,
            "type": "sha256",
            "uuid": "5f085f41-d665-4718-9dfa-e539446cdf4d",
            "value": "b68eefb10e2c304681532bc0c812c7905888e6b8e47448f1e4bc1edfe7ac193d",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1776654126",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "bf76fb2b-c399-4f6d-9d70-5a4bb0d9d012",
            "value": "6:Q+eGgaQEMJIGfpwWRPqXasTHZM3NClFb3v9LTv/bUtvMAfDqWoh/9+9XvKXCM4y9:R6QMFBhPqXZ577NbYbqWox9kvHvWZMXw"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1776654126",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "3335410b-7f76-445e-bc54-7a65db491363",
            "value": "479"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1776654126",
            "to_ids": true,
            "type": "vhash",
            "uuid": "8cc4fb87-abc9-47eb-b612-aad72618f739",
            "value": "38dbfe816b0238352f14da8986b60b03"
          },
          {
            "category": "Payload delivery",
            "comment": "Generic filename — weak as an IDS indicator on its own; pivot on the hashes in this object.",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1776654126",
            "to_ids": true,
            "type": "filename",
            "uuid": "8e510901-b167-49aa-b324-1ce604acb14f",
            "value": "get_token.ps1"
          },
          {
            "category": "Other",
            "comment": "Checked: 2026-04-20\nLast-scan: 2026-04-19\nNOTE: first VirusTotal submission (2025-12-08) predates the event date (2026-04-10) by about four months, so this script may be a reused or earlier-staged component — confirm against the original report.",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1776654126",
            "to_ids": false,
            "type": "text",
            "uuid": "c6fd2596-6b9f-4f9a-bc86-4104f2871ca0",
            "value": "Type Description: Powershell\nMicrosoft: None\nVT Total Detection:0/63\nFirst Submission:2025-12-08T18:06:05.000000+00:00\nLast Submission:2025-12-08T18:06:05.000000+00:00"
          }
        ]
      }
    ]
  }
}