{
  "Event": {
    "analysis": "1",
    "date": "2026-03-06",
    "extends_uuid": "",
    "info": "[Threat Intel] Investigating a new Click-fix variant",
    "protected": false,
    "publish_timestamp": "1774021974",
    "published": true,
    "threat_level_id": "3",
    "timestamp": "1774012249",
    "uuid": "b65a530b-f49d-49b4-9353-a00ad919c865",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-original-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-OTX\"",
        "relationship_type": ""
      },
      {
        "colour": "#47d9d3",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Malicious File - T1204.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#7d7034",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"System Information Discovery - T1082\"",
        "relationship_type": ""
      },
      {
        "colour": "#a92e1c",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Deobfuscate/Decode Files or Information - T1140\"",
        "relationship_type": ""
      },
      {
        "colour": "#20f80d",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Command and Scripting Interpreter - T1059\"",
        "relationship_type": ""
      },
      {
        "colour": "#1cbe6b",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Virtualization/Sandbox Evasion - T1497\"",
        "relationship_type": ""
      },
      {
        "colour": "#a9f8b1",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Exfiltration Over C2 Channel - T1041\"",
        "relationship_type": ""
      },
      {
        "colour": "#b76d96",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Registry Run Keys / Startup Folder - T1547.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#e08bb2",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Obfuscated Files or Information - T1027\"",
        "relationship_type": ""
      },
      {
        "colour": "#08b028",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Asymmetric Cryptography - T1573.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#d82db7",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Query Registry - T1012\"",
        "relationship_type": ""
      },
      {
        "colour": "#02475d",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Windows Command Shell - T1059.003\"",
        "relationship_type": ""
      },
      {
        "colour": "#92e858",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Web Protocols - T1071.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#4c0fbb",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Ingress Tool Transfer - T1105\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffd12e",
        "local": false,
        "name": "rectifyq:target=\"broad-based\"",
        "relationship_type": ""
      },
      {
        "colour": "#55acee",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"potentially-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#3500cd",
        "local": false,
        "name": "rectifyq:detection-rules=\"sigma-from-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#230087",
        "local": false,
        "name": "rectifyq:samples-found-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d00e9",
        "local": false,
        "name": "rectifyq:action-taken=\"telegram\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773658810",
        "to_ids": false,
        "type": "link",
        "uuid": "165efd46-b6b8-4fc1-9f82-8ca0385119be",
        "value": "https://atos.net/en/lp/cybershield/investigating-a-new-click-fix-variant",
        "Tag": [
          {
            "colour": "#6b003a",
            "local": true,
            "name": "workflow:todo=\"create-missing-misp-galaxy-cluster\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773658810",
        "to_ids": false,
        "type": "text",
        "uuid": "4860d76c-12c6-4622-a061-87828cc8f7ad",
        "value": "A new variant of the ClickFix technique has been identified, where attackers convince users to execute malicious commands on their devices through the Win + R shortcut. This variation uses a 'net use' command to map a network drive from an external server, followed by executing a '.cmd' batch file. The script downloads a ZIP archive, unpacks it, and executes a legitimate WorkFlowy application with modified, malicious logic hidden inside an '.asar' archive. This acts as a C2 beacon and a dropper for the final malware payload. The attack bypasses typical detection methods and utilizes Electron application bundling to hide malicious code."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773658810",
        "to_ids": false,
        "type": "text",
        "uuid": "4c630a3d-7718-4016-92ea-7d3a603d2a1a",
        "value": "Name: Investigating a new Click-fix variant\nAuthor: AlienVault\nAdversary: \nTags: [\"clickfix\"]\nTgtd countries: []\nMlwr families: [\"ClickFix\"]\nAttack_ids: [\"T1204.002\", \"T1082\", \"T1140\", \"T1059\", \"T1497\", \"T1041\", \"T1547.001\", \"T1027\", \"T1573.002\", \"T1012\", \"T1059.003\", \"T1071.001\", \"T1105\"]\nIndustries: []"
      },
      {
        "category": "Payload delivery",
        "comment": "app.asar: No sample in VT\r\nLast check: 20/03/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774012249",
        "to_ids": true,
        "type": "sha256",
        "uuid": "5b218bf7-3782-436a-a29b-6ca4659b1c7b",
        "value": "a390fe045f50a0697b14160132dfa124c7f92d85c18fba07df351c2fcfc11063",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773999779",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "ee623d11-c885-4ff5-9aea-48b9681f3d6a",
        "value": "144.31.165.173",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773999801",
        "to_ids": true,
        "type": "url",
        "uuid": "747ed6e1-de87-44c7-b82f-eba48bacc523",
        "value": "http://cloudflare.report/forever/e/",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773999822",
        "to_ids": true,
        "type": "url",
        "uuid": "e96cf3cf-fb50-4cd4-9562-05a101c4279b",
        "value": "https://cloudflare.report/forever/e/",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773999844",
        "to_ids": true,
        "type": "domain",
        "uuid": "8bc8b497-0064-47b6-a79a-d3a33c7c3a37",
        "value": "cloudflare.report",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773999867",
        "to_ids": true,
        "type": "domain",
        "uuid": "bd591b5f-c8fa-4f05-b917-dc8778a88fd4",
        "value": "happyglamper.ro",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773999889",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "c9dc929f-b06a-4035-8958-74108f1fd846",
        "value": "94.156.170.255",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1773917347",
        "to_ids": false,
        "type": "sigma",
        "uuid": "98574f4b-fb24-4cbb-b24f-bc60185aed58",
        "value": "title: Suspicious Commands executed via Run dialog\r\nid: 20891a30-032e-4f15-a282-fa4a8b0d8aae\r\nstatus: experimental\r\ndescription: Detects suspicious command interpreters and LOLBins written into the Explorer RunMRU registry key (commonly used for Run dialog history), with explorer.exe as the initiating process.\r\nauthor: TRC\r\ndate: 2026-03-05\r\ntags:\r\n  - attack.execution\r\n  - attack.t1059\r\n  - attack.defense_evasion\r\nlogsource:\r\n  category: registry_set\r\n  product: windows\r\n  definition: \"Sysmon Event ID 13 (Registry value set) or equivalent EDR registry telemetry\"\r\ndetection:\r\n  selection_key:\r\n    TargetObject|contains: '\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU'\r\n  selection_proc:\r\n    Image|endswith: '\\explorer.exe'\r\n  selection_data:\r\n    Details|contains:\r\n      - 'cmd '\r\n      - 'powershell '\r\n      - 'cmd.exe '\r\n      - 'powershell.exe '\r\n      - 'wscript.exe '\r\n      - 'cscript.exe '\r\n      - 'net.exe '\r\n      - 'net1.exe '\r\n      - 'sh.exe '\r\n      - 'bash.exe '\r\n      - 'schtasks.exe '\r\n      - 'regsvr32.exe '\r\n      - 'hh.exe '\r\n      - 'wmic.exe '\r\n      - 'mshta.exe '\r\n      - 'rundll32.exe '\r\n      - 'msiexec.exe '\r\n      - 'forfiles.exe '\r\n      - 'scriptrunner.exe '\r\n      - 'mftrace.exe '\r\n      - 'AppVLP.exe '\r\n      - 'svchost.exe '\r\n      - 'msbuild.exe '\r\n  condition: selection_key and selection_proc and selection_data\r\nfalsepositives:\r\n  - \"Legitimate administrative activity using Run dialog (Win+R) to execute built-in tools.\"\r\n  - \"IT scripts or troubleshooting steps executed interactively by a user.\"\r\nlevel: medium"
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1774012184",
        "uuid": "c6b8a853-e4ae-4c45-be52-805fed7e01d8",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "WorkFlowy.exe \u2013 older version of the legitimate binary, not malicious",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1773999910",
            "to_ids": true,
            "type": "md5",
            "uuid": "81451a83-1690-4f2f-94d0-c5d352a965a5",
            "value": "07e0d6d1a3690412b03cb89d302135d2",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "WorkFlowy.exe \u2013 older version of the legitimate binary, not malicious",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1773999074",
            "to_ids": true,
            "type": "sha1",
            "uuid": "e85bc959-9ec4-4a07-9603-590fe800e1d1",
            "value": "db29475f12172b5477768c4f415b12609638fe15",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "WorkFlowy.exe \u2013 older version of the legitimate binary, not malicious",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1773999075",
            "to_ids": true,
            "type": "sha256",
            "uuid": "2130d517-604d-4468-b378-c2e6bbb6e33c",
            "value": "9ee58eb59e337c06429ff3f0afd0ee6886b0644ddd4531305b269e97ad2b8d42",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1773997629",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "f5ac733c-0937-41fe-aefe-9e586cc55db3",
            "value": "786432:4q8RyteNbgZQzFrE3oRsTpW1M9wOGnXO+1QxajNfMu6SXzPKZixrg:yytVOxeoK81M9wOGXO+0ajNfMFw5g"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1773997629",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "93d3c57c-bf3f-4345-8dbf-51958d1ef8c0",
            "value": "146680320"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1773997629",
            "to_ids": true,
            "type": "vhash",
            "uuid": "bcf4ce9b-ca16-4a4c-947f-cd331e38bde4",
            "value": "0180c6656d156510161d14z1f2zff8z143za7z3001f334zb7e"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1773997629",
            "to_ids": true,
            "type": "filename",
            "uuid": "8b58db8b-2c10-4b2a-89fa-f10b7c39ab29",
            "value": "WorkFlowy"
          },
          {
            "category": "Other",
            "comment": "Checked: 20/03/2026\nLast-scan: 18/03/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1773997629",
            "to_ids": false,
            "type": "text",
            "uuid": "e3347e77-51d5-4bd2-9257-3abd263c8dfc",
            "value": "WorkFlowy.exe \u2013 older version of the legitimate binary, not malicious\r\nType Description: Win32 EXE\nMicrosoft: None\nVT Total Detection: 0/70\nFirst Submission: 2022-08-30T14:13:35.000000+00:00\nLast Submission: 2026-03-17T23:26:56.000000+00:00"
          },
          {
            "category": "Other",
            "comment": "Checked: 20/03/2026\nLast-scan: 18/03/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1774012184",
            "to_ids": false,
            "type": "text",
            "uuid": "66c2d0f5-4650-4baf-88de-f3625d21da14",
            "value": "Type Description: Win32 EXE\nMicrosoft: None\nVT Total Detection:0/70"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1774012184",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "ca855dc1-6f7a-41c2-934f-76e8bb8fe643",
            "value": "786432:4q8RyteNbgZQzFrE3oRsTpW1M9wOGnXO+1QxajNfMu6SXzPKZixrg:yytVOxeoK81M9wOGXO+0ajNfMFw5g"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1774012184",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "b7f40653-26b8-42cd-92a2-51ac05614d3a",
            "value": "146680320"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1774012184",
            "to_ids": true,
            "type": "vhash",
            "uuid": "941c5532-bb26-488b-a128-da9cb9708532",
            "value": "0180c6656d156510161d14z1f2zff8z143za7z3001f334zb7e"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1774012184",
            "to_ids": true,
            "type": "filename",
            "uuid": "772c3a3b-b24b-4b79-999b-acfe589f7d61",
            "value": "WorkFlowy"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1774012207",
        "uuid": "190f288e-949e-4b38-a668-2072daf871ab",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "main.js",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1773999932",
            "to_ids": true,
            "type": "md5",
            "uuid": "5a0db781-dfd7-401a-8d75-01d4ac54378e",
            "value": "776b31d5001d6e35db9b4e8a551afe86",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "main.js",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1773999076",
            "to_ids": true,
            "type": "sha1",
            "uuid": "4e950c00-3900-4535-83fb-d6ad440dc81e",
            "value": "5bb32943632379c8ff3c20fd499559f107df7ac5",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "main.js",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1773999077",
            "to_ids": true,
            "type": "sha256",
            "uuid": "9a0bee17-9ef2-4986-ba22-16732926ac60",
            "value": "dc95f7c7fb98ec30d3cb03963865a11d1b7b696e34f163b8de45f828b62ec829",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1773997675",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "6b47582b-d54e-4f73-806d-5bf2be2d85a4",
            "value": "192:/VC7dWvoJQ0j979gsk+gNJTvNTXaL/4A5i9VUDLxpIzyLCA0ZSFeiVCneWrc4T:9C7dWvoQ0jljeRaT5kFt"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1773997675",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "69e81d1a-f47a-4db4-baaa-bd697fc848a5",
            "value": "10473"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1773997675",
            "to_ids": true,
            "type": "vhash",
            "uuid": "91b8a629-e5d3-4e0e-a92e-9e2f46c66ea5",
            "value": "26853865a94588e0e17ad2bb7e78fc0d"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1773997675",
            "to_ids": true,
            "type": "filename",
            "uuid": "fd7d656f-63ad-46cd-ac65-b5a63ffeecc8",
            "value": "dc95f7c7fb98ec30d3cb03963865a11d1b7b696e34f163b8de45f828b62ec829.js"
          },
          {
            "category": "Other",
            "comment": "Checked: 20/03/2026\nLast-scan: 18/03/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1773997675",
            "to_ids": false,
            "type": "text",
            "uuid": "aa694582-4a59-412d-87ff-be6a0af3ab2a",
            "value": "main.js\r\nType Description: JavaScript\nMicrosoft: Trojan:JS/Clickfix.DA!MTB\nVT Total Detection:10/62\nFirst Submission:2026-02-25T15:07:02.000000+00:00\nLast Submission:2026-03-16T19:53:04.000000+00:00"
          },
          {
            "category": "Other",
            "comment": "Checked: 20/03/2026\nLast-scan: 20/03/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1774012207",
            "to_ids": false,
            "type": "text",
            "uuid": "dcd630b3-202d-4900-b241-abe0c8203fd4",
            "value": "Type Description: JavaScript\nMicrosoft: Trojan:Win32/Alevaul!rfn\nVT Total Detection:10/61"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1774012207",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "26a98ef1-e3ca-49e7-b40e-92fbe4c91b0e",
            "value": "192:/VC7dWvoJQ0j979gsk+gNJTvNTXaL/4A5i9VUDLxpIzyLCA0ZSFeiVCneWrc4T:9C7dWvoQ0jljeRaT5kFt"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1774012207",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "0c967173-05c4-4649-8f54-9245cd538892",
            "value": "10473"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1774012207",
            "to_ids": true,
            "type": "vhash",
            "uuid": "c491a069-071e-485c-a3a4-283f4abc2f76",
            "value": "26853865a94588e0e17ad2bb7e78fc0d"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1774012207",
            "to_ids": true,
            "type": "filename",
            "uuid": "bfa19b72-1359-4356-9989-7febda41ade0",
            "value": "dc95f7c7fb98ec30d3cb03963865a11d1b7b696e34f163b8de45f828b62ec829.js"
          }
        ]
      }
    ]
  }
}