{
  "type": "Domain",
  "indicator": "authorize.net",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/authorize.net",
    "alexa": "http://www.alexa.com/siteinfo/authorize.net",
    "indicator": "authorize.net",
    "type": "domain",
    "type_title": "Domain",
    "validation": [
      {
        "source": "akamai",
        "message": "Akamai rank: #627",
        "name": "Akamai Popular Domain"
      },
      {
        "source": "majestic",
        "message": "Whitelisted domain authorize.net",
        "name": "Whitelisted domain"
      },
      {
        "source": "whitelist",
        "message": "Whitelisted domain authorize.net",
        "name": "Whitelisted domain"
      }
    ],
    "base_indicator": {
      "id": 3351099011,
      "indicator": "authorize.net",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 8,
      "pulses": [
        {
          "id": "69c06ca9341d6c063f652e33",
          "name": "ETERNALBLUE Probe MS17-010 | Wannacry Ransomware Domain - related to NSO Group Pegasus",
          "description": "Quasi governmental, Healthcare Law Firms , legal entities , as well as direct safety threats such as NSO Group Pegasus, Enterprise Cellebrite (in references) and other dangerous intimidation and life endangering tactics directed against a crime victim. Continuous harassment and threats of violence against victims family including 83 yo father. Veteran & hand picked  Sr Systems Analyst and Engineer for Aegis Weapon System Team of 24. You\u2019re welcome America.. Victim left zero evidence with family. Documents shredded. Data stolen by parties named. She isn\u2019t the only one. These people do this for a living. Abuse of Palantir & Foundry tools.",
          "modified": "2026-04-21T22:07:35.710000",
          "created": "2026-03-22T22:26:49.205000",
          "tags": [
            "ransomware",
            "united",
            "search",
            "asnone",
            "regsetvalueexa",
            "service",
            "regdword",
            "medium",
            "get na",
            "malware",
            "dock",
            "push",
            "write",
            "win32",
            "playgame",
            "unknown",
            "exploit",
            "cve",
            "wncry",
            "wannacry",
            "passive dns",
            "urls",
            "british virgin",
            "all url",
            "http",
            "ip address",
            "related nids",
            "files location",
            "virgin islands",
            "islands",
            "bgp",
            "virgin islands",
            "hijacked",
            "data upload",
            "extraction",
            "failed",
            "review iocs",
            "include ovo",
            "tovary review",
            "ids detec",
            "yara dete",
            "trior texarag",
            "drop or",
            "rrowse",
            "type",
            "extra data",
            "hurricane electric",
            "p2404",
            "p11629470400",
            "p11629107633",
            "artifacts v",
            "full reports",
            "v help",
            "info",
            "low l",
            "high ta0002",
            "techniques",
            "t1053",
            "command",
            "scripting inte",
            "low ta0003",
            "techniques high",
            "t1053 ite",
            "modify system",
            "pl t1543",
            "boot",
            "logon autostart",
            "ex t1547",
            "checks-disk-space",
            "checks-network-adapters",
            "detect-debug-environment",
            "direct-cpu-clock-access",
            "long-sleeps",
            "runtime-modules",
            "get http",
            "head http",
            "dns resolutions",
            "ip traffic",
            "53 tcp",
            "tls sni",
            "apple id",
            "webdisk",
            "expiration",
            "url http",
            "hostname",
            "no expiration",
            "iocs",
            "url https",
            "es included",
            "win32 exe",
            "pe32 executable",
            "ms windows",
            "intel",
            "ms visual",
            "win32 dynamic",
            "link library",
            "win16 ne",
            "learn",
            "ck id",
            "name tactics",
            "suspicious",
            "informative",
            "adversaries",
            "spawns",
            "t1204 user",
            "defense evasion",
            "over",
            "mitre att",
            "ck matrix",
            "ascii text",
            "hybrid",
            "general",
            "local",
            "path",
            "click",
            "strings",
            "javascript",
            "ssl certificate",
            "encrypt",
            "accept",
            "russia unknown",
            "meta",
            "record value",
            "aaaa",
            "link",
            "present jun",
            "apple",
            "remote access",
            "otx logo",
            "all ipv4",
            "url analysis",
            "files",
            "accept ch",
            "present dec",
            "content type",
            "x pcrew",
            "name servers",
            "present may",
            "body doctype",
            "title",
            "all domain",
            "servers",
            "china unknown",
            "found content",
            "gmt p3p",
            "cp oti",
            "dsp cor",
            "iva our",
            "ind com",
            "domain",
            "cname",
            "entries",
            "brian sabey",
            "hallrender",
            "christopher ahmann",
            "t1480 execution",
            "discovery att",
            "heur",
            "virtool",
            "win64",
            "mtb win32",
            "backdoor",
            "location china",
            "hangzhou",
            "china asn",
            "ransom",
            "wannadecryptor",
            "filehash",
            "yara detections",
            "msvisualcpp60",
            "related tags",
            "none file",
            "type pexe",
            "copy",
            "beginstring",
            "null",
            "refresh",
            "body",
            "span",
            "error",
            "tools",
            "look",
            "verify",
            "restart",
            "expl",
            "unknown cname",
            "hacktool",
            "domain address",
            "contacted hosts",
            "process details",
            "flag",
            "ipv4 add",
            "location united",
            "america flag",
            "exploit",
            "show",
            "all filehash",
            "expiration date",
            "gmt location",
            "gmt max",
            "domain add",
            "elite",
            "date",
            "cowboy",
            "United States",
            "present feb",
            "present oct",
            "creation date",
            "present nov",
            "moved",
            "emails"
          ],
          "references": [
            "http://ww17.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/",
            "Win32:CVE-2017-0147-B\\ [Expl] ,  Win.Ransomware.WannaCry-6313787-0 ,  Exploit:Win32/CVE-2017-0147.A",
            "IDS Detections: Observed WannaCry Domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff .com in DNS Lookup)",
            "IDS Detections: Possible ETERNALBLUE Probe MS17-010 (MSF style) ETERNALBLUE Probe Vulnerable System Response MS17-010",
            "IDS Detections: Possible ETERNALBLUE Probe MS17-010 (Generic Flags)",
            "IDS Detections: Behavioral Unusual Port 445 traffic Potential Scan or Infection SMB-DS",
            "IDS Detections: IPC$ share access \u2022 SMB-DS IPC$ unicode share access \u2022 403 Forbidden",
            "Yara Detections: WannaCry_Ransomware ,  Wanna_Cry_Ransomware_Generic ,  WannaDecryptor",
            "Yara Detections: MS17_010_WanaCry_worm  ,  stack_string , MS_Visual_Cpp_6_0 ,  Armadillov1xxv2xx",
            "Alerts: network_icmp nolookup_communication persistence_autorun modifies_proxy_wpad",
            "Alerts: network_cnc_http network_http allocates_rwx creates_exe creates_hidden_file",
            "Alerts: creates_service stealth_window antivm_network_adapters checks_debugger",
            "Alerts:  peid_packer pe_unknown_resource_name",
            "IP\u2019s Contacted: 103.224.212.220  105.242.60.208  117.13.61.219  117.180.208.83  12.105.46.122",
            "IP\u2019s Contacted: 121.105.233.189  128.251.173.246  13.248.148.254  132.124.155.52  139.246.30.108",
            "Domains Contacted: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com",
            "Domains Contacted: ww38.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com",
            "FileHash-SHA256 002dee2db8b07b98b543ad99d0dd4e3e0ba7624f956d719ba803f57b426e30e7",
            "Names: Photo.scr \u2022 85115B0142902832C864B3009CAB1A00.RS (names of FileHash above)",
            "Crowdsourced IDS: Matches rule MALWARE-CNC DNS",
            "Crowdsourced IDS: Fast Flux attempt Matches rule ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)",
            "Crowdsourced IDS: Matches rule ET POLICY PE EXE or DLL Windows file download HTTP",
            "apple.com-index.php-account-locked-verification.test2.aptaforum.com.cn",
            "apple.com-verify.account.manage.test2.aptaforum.com.cn",
            "appleid.apple.com-signin-8491e.test2.aptaforum.com.cn",
            "appleid.apple.com.secure1account.pagelogin.test2.aptaforum.com.cn",
            "web-secure-appleid-login.com.test2.aptaforum.com.cn",
            "http://apple.com-verify.account.manage.test2.aptaforum.com.cn/",
            "http://appleid.apple.com-signin-8491e.test2.aptaforum.com.cn/",
            "http://apple.sweetycat.com/ \u2022 https://apple.sweetycat.com/",
            "findmy.apple-uk.live",
            "apple.haipaoapp.com \u2022 http://apple.haipaoapp.com \u2022 http://apple.haipaoapp.com/ \u2022 https://apple.haipaoapp.com/",
            "http://apple.com-index.php-account-locked-verification.test2.aptaforum.com.cn/",
            "http://appleid.apple.com.secure1account.pagelogin.test2.aptaforum.com.cn/",
            "http://web-secure-appleid-login.com.test2.aptaforum.com.cn/",
            "Trojan/JS.Redirector.QNO SHA256:9e6e93c05a9736b95426fe0f492a18a2ac409bd9fb572dd3c982cb6de3ba0dbc",
            "VO7MU1HA.htm : https://hybrid-analysis.com/sample/9e6e93c05a9736b95426fe0f492a18a2ac409bd9fb572dd3c982cb6de3ba0dbc",
            "https://hybrid-analysis.com/sample/a638ece11c81bcac0002363eb3f75de35a46ce0e080b5de41162093181079a6b/69c018efcb875e4fb30cdfcc",
            "https://hybrid-analysis.com/sample/09610b7c855ef132a31f2e0136b4d62b9dbb04c6fcb42160d6d8409ef6394e40/69c0189c5e0483a78907cc39",
            "KeenDNS | keendnsaclremote805717135272048.qeenetic.link",
            "https://fonts.googleapis.com/css",
            "http://e7.c.lencr.org/74.crl \u2022 http://e7.i.lencr.org/",
            "Quasi Gov - Law firms stole victims clouds. Evidence, $Intellectual property, Memories of & victims family. Merciless",
            "www.remoteaccess.allied-media.com",
            "apple.com-index.php-account-locked-verification.test2.aptaforum.com.cn",
            "aptaforum.com.cn   182.61.201.90 ,  182.61.201.91   China ASN AS38365 beijing baidu netcom science and technology co. ltd",
            "Emails:yejun.shou@yxips.com Name:\u7ebd\u8fea\u5e0c\u4e9a\u751f\u547d\u65e9\u671f\u8425\u517b\u54c1\u7ba1\u7406(\u4e0a\u6d77)\u6709\u9650\u516c\u53f8 Name Servers: dns17.hichina.com",
            "*unsigned Domain: aptaforum.com.cn  Name Servers: dns18.hichina.com Registrar: \u963f\u91cc\u4e91\u8ba1\u7b97\u6709\u9650\u516c\u53f8\uff08\u4e07\u7f51\uff09Status: ok",
            "dns17.hichina.com",
            "dropbox.com - deleted victims DB post assault. Sabey + Ahmann repeatedly erased DB (ILLEGAL)",
            "Protected:SA\u2019r Jeffrey Scott Reimer, Mark Montano MD, John T. Sasha MD, Frederick P. Scherr , others.",
            "https://otx.alienvault.com/indicator/domain/qeenetic.link",
            "okg.and.googletagmanagers.com",
            "pcy.and.googletagmanagers.com",
            "pgj.and.googletagmanagers.com",
            "prb.and.googletagmanagers.com",
            "lkp.and.googletagmanagers.com",
            "jgw.and.googletagmanagers.com",
            "bzx.and.googletagmanagers.com",
            "msedge.b.tlu.dl.delivery.mp.microsoft.com",
            "http://prtests.ru/test.html?15%0Ahttp://profetest.ru/test.html?2%0Ahttp://qptest.ru/test.html?5%0Ahttp://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/3cf71a18-f999-4372-beac-67715d51bb62?P1=1629470400&P2=404&P3=2&P4=d%2520arRdiatcalmlQRKq2gm1LlFitNgIcLpnyzCIHYtf%2520ByXQF0JNptZ0rBDMKlLL%2520qsOzZdPICJjC7MWkkdm1Hg==%0Ahttp://stafftest.ru/test.html?0%0Ahttp://iqtesti.ru/test.html?17%0Ahttp://hrtests.ru/test.html?1%0Ahttp://pstests.ru/test.html?4%0Ahttp://prtests.ru/test.html?6%0Ahttp:/",
            "HallRender.com | Law Firm M. Brian Sabey Esq. | Pegasus related",
            "TAM Legal\u2019s Christopher P. \u2018Buzz\u2019 Ahmann Esq works for State Quasi Government in tandem w/ Hall Render",
            "https://otx.alienvault.com/pulse/69bf8e2663d5480917ddb699",
            "https://otx.alienvault.com/pulse/69bf261cc4e399447d78776c",
            "https://otx.alienvault.com/pulse/69bea426487bffa5384c6f38",
            "(?) https://living-sun.com/applescript/68281-is-there-a-way-to-disable-force-quit-while-applescript-application-is-still-running-applescript-quit.html",
            "https://otx.alienvault.com/pulse/69bf261cc4e399447d78776c",
            "https://otx.alienvault.com/pulse/69b49ad5dd40a24d83cd6a72"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Ransomware",
              "display_name": "Ransomware",
              "target": null
            },
            {
              "id": "Win.Ransomware.WannaCry-6313787-0",
              "display_name": "Win.Ransomware.WannaCry-6313787-0",
              "target": null
            },
            {
              "id": "Exploit:Win32/CVE-2017-0147.A",
              "display_name": "Exploit:Win32/CVE-2017-0147.A",
              "target": "/malware/Exploit:Win32/CVE-2017-0147.A"
            },
            {
              "id": "Trojan/JS.Redirector.QNO",
              "display_name": "Trojan/JS.Redirector.QNO",
              "target": null
            },
            {
              "id": "Win.Trojan.Application-1955.",
              "display_name": "Win.Trojan.Application-1955.",
              "target": null
            },
            {
              "id": "Win32:Banker-LAA\\ [Trj]",
              "display_name": "Win32:Banker-LAA\\ [Trj]",
              "target": null
            },
            {
              "id": "Win.Malware.Snojan-6775202-0",
              "display_name": "Win.Malware.Snojan-6775202-0",
              "target": null
            },
            {
              "id": "Win32:Evo-gen\\ [Trj]",
              "display_name": "Win32:Evo-gen\\ [Trj]",
              "target": null
            },
            {
              "id": "Win64:Expiro-AJ\\ [Inf]",
              "display_name": "Win64:Expiro-AJ\\ [Inf]",
              "target": null
            },
            {
              "id": "Win.Trojan.Fugrafa-9733007-0",
              "display_name": "Win.Trojan.Fugrafa-9733007-0",
              "target": null
            },
            {
              "id": "Win32:TrojanX-gen\\ [Trj]",
              "display_name": "Win32:TrojanX-gen\\ [Trj]",
              "target": null
            },
            {
              "id": "Win.Trojan.VBGeneric-6989114-0",
              "display_name": "Win.Trojan.VBGeneric-6989114-0",
              "target": null
            },
            {
              "id": "VirTool:Win32/VBInject.YA!MTB",
              "display_name": "VirTool:Win32/VBInject.YA!MTB",
              "target": "/malware/VirTool:Win32/VBInject.YA!MTB"
            },
            {
              "id": "Win32:Dh-A\\ [Win32:FileInfector-C\\ [Heur]",
              "display_name": "Win32:Dh-A\\ [Win32:FileInfector-C\\ [Heur]",
              "target": null
            },
            {
              "id": "#VirTool:Win32/Obfuscator",
              "display_name": "#VirTool:Win32/Obfuscator",
              "target": "/malware/#VirTool:Win32/Obfuscator"
            },
            {
              "id": "Backdoor:Win32/Small.IR",
              "display_name": "Backdoor:Win32/Small.IR",
              "target": "/malware/Backdoor:Win32/Small.IR"
            },
            {
              "id": "Win64:Expiro-AJ\\ [Inf]",
              "display_name": "Win64:Expiro-AJ\\ [Inf]",
              "target": null
            },
            {
              "id": "Win32:Dh-A\\",
              "display_name": "Win32:Dh-A\\",
              "target": null
            },
            {
              "id": "CVE-2017-0147",
              "display_name": "CVE-2017-0147",
              "target": null
            },
            {
              "id": "Ransom:Win32/CVE-2017-0147.A",
              "display_name": "Ransom:Win32/CVE-2017-0147.A",
              "target": "/malware/Ransom:Win32/CVE-2017-0147.A"
            },
            {
              "id": "Win32:Malware-gen",
              "display_name": "Win32:Malware-gen",
              "target": null
            },
            {
              "id": "Win.Malware.Flystudio-6738927-0",
              "display_name": "Win.Malware.Flystudio-6738927-0",
              "target": null
            },
            {
              "id": "ALF:SpikeAexR.PEVPOPC",
              "display_name": "ALF:SpikeAexR.PEVPOPC",
              "target": null
            },
            {
              "id": "Sf:WNCryLdr-A\\ [Trj]",
              "display_name": "Sf:WNCryLdr-A\\ [Trj]",
              "target": null
            },
            {
              "id": "Win.Ransomware.WannaCry-6313787-0",
              "display_name": "Win.Ransomware.WannaCry-6313787-0",
              "target": null
            },
            {
              "id": "ransom:Win32/WannaCrypt.H",
              "display_name": "ransom:Win32/WannaCrypt.H",
              "target": "/malware/ransom:Win32/WannaCrypt.H"
            }
          ],
          "attack_ids": [
            {
              "id": "T1031",
              "name": "Modify Existing Service",
              "display_name": "T1031 - Modify Existing Service"
            },
            {
              "id": "T1040",
              "name": "Network Sniffing",
              "display_name": "T1040 - Network Sniffing"
            },
            {
              "id": "T1045",
              "name": "Software Packing",
              "display_name": "T1045 - Software Packing"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1143",
              "name": "Hidden Window",
              "display_name": "T1143 - Hidden Window"
            },
            {
              "id": "T1158",
              "name": "Hidden Files and Directories",
              "display_name": "T1158 - Hidden Files and Directories"
            },
            {
              "id": "T1198",
              "name": "SIP and Trust Provider Hijacking",
              "display_name": "T1198 - SIP and Trust Provider Hijacking"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1203",
              "name": "Exploitation for Client Execution",
              "display_name": "T1203 - Exploitation for Client Execution"
            },
            {
              "id": "T1543",
              "name": "Create or Modify System Process",
              "display_name": "T1543 - Create or Modify System Process"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            },
            {
              "id": "T1048",
              "name": "Exfiltration Over Alternative Protocol",
              "display_name": "T1048 - Exfiltration Over Alternative Protocol"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1069",
              "name": "Permission Groups Discovery",
              "display_name": "T1069 - Permission Groups Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1480",
              "name": "Execution Guardrails",
              "display_name": "T1480 - Execution Guardrails"
            },
            {
              "id": "T1568",
              "name": "Dynamic Resolution",
              "display_name": "T1568 - Dynamic Resolution"
            },
            {
              "id": "T1069.002",
              "name": "Domain Groups",
              "display_name": "T1069.002 - Domain Groups"
            },
            {
              "id": "T1568.002",
              "name": "Domain Generation Algorithms",
              "display_name": "T1568.002 - Domain Generation Algorithms"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1048.003",
              "name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol",
              "display_name": "T1048.003 - Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol"
            },
            {
              "id": "T1189",
              "name": "Drive-by Compromise",
              "display_name": "T1189 - Drive-by Compromise"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1583",
              "name": "Acquire Infrastructure",
              "display_name": "T1583 - Acquire Infrastructure"
            },
            {
              "id": "T1543.001",
              "name": "Launch Agent",
              "display_name": "T1543.001 - Launch Agent"
            },
            {
              "id": "T1210",
              "name": "Exploitation of Remote Services",
              "display_name": "T1210 - Exploitation of Remote Services"
            },
            {
              "id": "T1022",
              "name": "Data Encrypted",
              "display_name": "T1022 - Data Encrypted"
            }
          ],
          "industries": [
            "Government",
            "Legal",
            "Technology",
            "Healthcare"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 3,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 2,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 3779,
            "FileHash-MD5": 422,
            "FileHash-SHA1": 411,
            "FileHash-SHA256": 1824,
            "domain": 979,
            "hostname": 2082,
            "CVE": 1,
            "BitcoinAddress": 3,
            "SSLCertFingerprint": 6,
            "email": 8
          },
          "indicator_count": 9515,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 143,
          "modified_text": "42 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "695089cbedad5c86f39b1363",
          "name": "Tracking Domains 03.03.26 (Updated Test)",
          "description": "Privacy Badger - Update on 01.09.26\nTracking domains on a hybrid (mobile laptop) clone of an AHS/Covenant Health, UAlberta (University of Alberta), and Government of Alberta Laptop.\nHealthcare: No Cybersecurity, EDU: No Cybersecurity / Remote only, GoA = Informed & don't quite know what to do or to whom this should be brought up with.",
          "modified": "2026-04-05T06:35:43.679000",
          "created": "2025-12-28T01:37:15.993000",
          "tags": [
            "privacy badger",
            "sites general",
            "settings widget",
            "domains manage",
            "data privacy",
            "badger",
            "hide"
          ],
          "references": [
            "https://hybrid-analysis.com/sample/6a8efb46a1811fab955b629b37b5c483a812cc66519436acd726ff2a854f7a86",
            "https://yaraify.abuse.ch/scan/results/32bfc760-1757-11f1-b47f-42010aa4000b",
            "https://polyswarm.network/scan/results/file/6a8efb46a1811fab955b629b37b5c483a812cc66519436acd726ff2a854f7a86",
            "https://app.threat.zone/submission/c8b0b1e4-0c9b-4210-b5ce-1dc2303445df/overview",
            "https://www.virustotal.com/gui/collection/18b52f4087178dedfee577ab7e53c5a86e84c2a7f901fa796240247f4be76f32/iocs",
            "https://www.virustotal.com/gui/collection/18b52f4087178dedfee577ab7e53c5a86e84c2a7f901fa796240247f4be76f32/summary",
            "https://www.virustotal.com/graph/embed/g6d4bce6162064ac09cd20411c1947e69d7d5a1d475f0447da023ac933d338fce?theme=dark",
            "https://viz.greynoise.io/ip/analysis/6356f330-63a7-4ce3-91fa-7ab355a1dc1a"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Canada",
            "United States of America",
            "Netherlands"
          ],
          "malware_families": [],
          "attack_ids": [],
          "industries": [
            "Education",
            "Healthcare",
            "Government",
            "Technology",
            "Telecommunications"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Disable_Duck",
            "id": "244325",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 50404,
            "hostname": 10879,
            "URL": 715,
            "FileHash-MD5": 1
          },
          "indicator_count": 61999,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 132,
          "modified_text": "58 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "691b61e16cea7624a6606a69",
          "name": "For Later",
          "description": "***",
          "modified": "2025-11-17T18:46:19.094000",
          "created": "2025-11-17T17:56:49.875000",
          "tags": [
            "wormhole",
            "want",
            "sign",
            "submit send",
            "copy",
            "share show",
            "report delete",
            "faq roadmap",
            "security legal",
            "twitter discord",
            "protected"
          ],
          "references": [
            "https://wormhole.app/Pp5DdP#3EpzsqLhw5lJdQ0Xe_mRQA",
            "https://www.virustotal.com/gui/collection/18b52f4087178dedfee577ab7e53c5a86e84c2a7f901fa796240247f4be76f32/iocs"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 4,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Disable_Duck",
            "id": "244325",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 72127,
            "hostname": 16700,
            "URL": 50
          },
          "indicator_count": 88877,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 131,
          "modified_text": "197 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "67e1aa875e6c907d7e1b5fa0",
          "name": "hxxps://tech4service.ca - 03.24.25",
          "description": "YEG tech/hardware vendor",
          "modified": "2025-04-23T18:02:31.021000",
          "created": "2025-03-24T18:55:03.147000",
          "tags": [
            "please",
            "javascript",
            "threat intelligence",
            "feed",
            "ioc",
            "change theme",
            "contact us",
            "intelligence",
            "threats api",
            "analyze api",
            "overview",
            "threats explore",
            "rate limits",
            "stixtaxii",
            "bulk export",
            "community",
            "results",
            "switch",
            "inquest labs",
            "resources api",
            "notes supported",
            "cve list",
            "drop your",
            "file",
            "service",
            "sandbox",
            "malware",
            "analysis",
            "online",
            "submit",
            "vxstream",
            "sample",
            "download",
            "trojan",
            "apt",
            "hybrid analysis",
            "api key",
            "vetting process",
            "please note",
            "virus",
            "ransomware",
            "static",
            "indicator of compromise",
            "extraction",
            "emulation",
            "platform",
            "prefetch8 ansi",
            "ansi",
            "show process",
            "hash seen",
            "pcap processing",
            "pcap",
            "date",
            "ck id",
            "command decode",
            "mitre att",
            "win64",
            "suspicious",
            "hybrid",
            "comspec",
            "close",
            "click",
            "hosts",
            "general",
            "path",
            "model",
            "encrypt",
            "upgrade",
            "strings",
            "contact"
          ],
          "references": [
            "https://www.virustotal.com/gui/url/d3fcc8b4575e8e04b8c80b171089c26f3d117ac9b11e971dc4fd0345f00b4414",
            "https://pulsedive.com/indicator/?iid=68410521",
            "https://metadefender.com/results/url/aHR0cHM6Ly90ZWNoNHNlcnZpY2UuY2E=",
            "https://hybrid-analysis.com/sample/4ac0486c18ef662f2ba44e75cc13830d7e3d6a8ec20040a78e7818a6484bf807",
            "https://www.filescan.io/uploads/67e1a7ffc26eb3fd74f584c0/reports/28bf2c8b-9ebd-4f47-8428-135838c23c2f/overview",
            "https://www.filescan.io/uploads/67e1a7ffc26eb3fd74f584c0/reports/28bf2c8b-9ebd-4f47-8428-135838c23c2f/geolocation",
            "https://www.filescan.io/uploads/67e1a7ffc26eb3fd74f584c0/reports/28bf2c8b-9ebd-4f47-8428-135838c23c2f/ioc",
            "https://hybrid-analysis.com/sample/4ac0486c18ef662f2ba44e75cc13830d7e3d6a8ec20040a78e7818a6484bf807/67e1a708525a509d1805065a",
            "",
            "https://pulsedive.com/indicator/?iid=68410679"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Canada",
            "United States of America"
          ],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1132",
              "name": "Data Encoding",
              "display_name": "T1132 - Data Encoding"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1480",
              "name": "Execution Guardrails",
              "display_name": "T1480 - Execution Guardrails"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1568",
              "name": "Dynamic Resolution",
              "display_name": "T1568 - Dynamic Resolution"
            },
            {
              "id": "T1583",
              "name": "Acquire Infrastructure",
              "display_name": "T1583 - Acquire Infrastructure"
            }
          ],
          "industries": [
            "Technology"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 16,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Disable_Duck",
            "id": "244325",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 189,
            "FileHash-MD5": 21,
            "FileHash-SHA1": 20,
            "FileHash-SHA256": 20,
            "domain": 29,
            "email": 7,
            "hostname": 37,
            "SSLCertFingerprint": 20
          },
          "indicator_count": 343,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 129,
          "modified_text": "405 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "66f235b9a7a94a6a61acd651",
          "name": "n0paste - Show paste: \\\"No Problems\\\" - dos meses del URLscan",
          "description": "This pulse represents a 'scattered sample' of data extracted from 'submissions of interest' made to virustotal, filescan_itsec, HybridAnalysis, anyrun_app, DynamiteLab, and triage (over a period of two months) which were submitted to urlscanio & subsequently GreyNoiseIO (which I've come across both from live samples and also those from offlined data). I don't particularly anticipate this will correlate with anything specific, but at least it will be put in one more place for further analysis & increased visibility.",
          "modified": "2025-03-07T08:38:08.584000",
          "created": "2024-09-24T03:44:57.902000",
          "tags": [
            "geoip",
            "public url",
            "as16509",
            "amazon02",
            "as20940",
            "akamaiasn1",
            "as8075",
            "as15169",
            "google",
            "akamaias",
            "facebook",
            "telecom",
            "twitter",
            "media",
            "win64",
            "level3",
            "mini",
            "ukraine",
            "proton",
            "ghost",
            "win32",
            "cuba",
            "mexico",
            "indonesia",
            "seznam",
            "as3359",
            "as852"
          ],
          "references": [
            "https://metadefender.com/results/file/bzI1MDMwMVFWaXRDS0hpWElYcnV0QllCYlB1",
            "https://mwdb.cert.pl/file/efb45096e24a61b488eb809bd8edf874d15bb498dd75ced8b888b020c87e5c6c",
            "https://n0paste.eu/UH6n5pD/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America",
            "Canada",
            "Anguilla",
            "Poland",
            "Aruba",
            "Australia",
            "Barbados",
            "Costa Rica",
            "Guatemala",
            "Philippines",
            "Panama",
            "Sint Maarten (Dutch part)",
            "Saint Martin (French part)",
            "Cayman Islands",
            "Cura\u00e7ao",
            "Mexico",
            "Saint Vincent and the Grenadines",
            "Saint Kitts and Nevis",
            "Tanzania, United Republic of",
            "Netherlands",
            "Ukraine",
            "Trinidad and Tobago",
            "Japan",
            "Bahamas",
            "United Kingdom of Great Britain and Northern Ireland",
            "Georgia"
          ],
          "malware_families": [],
          "attack_ids": [],
          "industries": [
            "Education",
            "Technology",
            "Government",
            "Telecommunications",
            "Healthcare"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 29,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 2,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Disable_Duck",
            "id": "244325",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 1,
            "CIDR": 1186,
            "CVE": 4,
            "FileHash-MD5": 29,
            "FileHash-SHA1": 3,
            "URL": 25493,
            "domain": 5396,
            "email": 10,
            "hostname": 10770
          },
          "indicator_count": 42892,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 149,
          "modified_text": "452 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "66b0fa3624bf0384e427f2e7",
          "name": "Tracking Domains 4.2 - 08.19.24",
          "description": "Tracking Domains detected by Privacy Badger Ext. on Microsoft Edge Browser (W11 Device) using Telus ISP (ASN852)\n*Not-Enriched (08.05.24): ~50,000 suggested IOCs by AlienVault\nFrom VT: 2 IPs hosted by AS45090 (Shenzhen Tencent Computer Systems Company Limited) & AS4611 (CNNIC member) seem to be the problem here 118[.]89.204.198, 118[.]89.0.0/16 & 202[.]123.107.15, 202[.]123.107.0/24 (Respectively)",
          "modified": "2024-09-04T15:01:01.432000",
          "created": "2024-08-05T16:13:42.563000",
          "tags": [],
          "references": [
            "https://www.virustotal.com/gui/collection/21cbd369ea901f41d51b666439aa41070c76eafb66dbbc6e56c86e0923b1569f/iocs",
            "https://www.virustotal.com/gui/collection/21cbd369ea901f41d51b666439aa41070c76eafb66dbbc6e56c86e0923b1569f/summary",
            "https://www.virustotal.com/gui/collection/21cbd369ea901f41d51b666439aa41070c76eafb66dbbc6e56c86e0923b1569f/graph",
            "https://www.virustotal.com/graph/embed/ge839428bb3e24a98aae8cbcc242ae4d8febdc0c46e49411ebb09d155e22b4bbc?theme=dark",
            "https://viz.greynoise.io/query/AS4611",
            "https://urlscan.io/asn/AS4611",
            "https://urlscan.io/search/#asn:%22AS4611%22",
            "https://urlscan.io/asn/AS45090",
            "https://urlscan.io/search/#asn%3A%22AS45090%22",
            "https://viz.greynoise.io/query/AS45090",
            "https://urlscan.io/result/aeb42615-79b7-465d-924e-c9bdde3eefd1/#transactions",
            "https://urlscan.io/result/d4bf08e4-88dc-4bf8-be34-6b352576882e/#behaviour",
            "Filescan[.]io report: bc47c757-0a4d-4659-98d4-5d0c86406462 (08.23.24)",
            "https://krebsonsecurity.com/2024/07/dont-let-your-domain-name-be"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Canada",
            "United States of America"
          ],
          "malware_families": [],
          "attack_ids": [],
          "industries": [
            "Technology"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 17,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Disable_Duck",
            "id": "244325",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 6180,
            "FileHash-MD5": 1,
            "domain": 24921,
            "URL": 10854
          },
          "indicator_count": 41956,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 140,
          "modified_text": "636 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "66269b1f33258a8e26033b17",
          "name": "Tracking Domains - Part 4.1",
          "description": "More Tracking Domains",
          "modified": "2024-08-30T13:02:28.335000",
          "created": "2024-04-22T17:15:11.398000",
          "tags": [
            "Tracking Domains"
          ],
          "references": [
            "https://www.virustotal.com/gui/collection/ee0928d5289165511398be0144460ff4c8663292be0a99a05ac955de2728a078/iocs",
            "https://www.virustotal.com/graph/embed/g0844b0f8d48c4bfab3ae40a376456055e267e54952fe40e0a79f63cc17550863?theme=dark",
            "https://viz.greynoise.io/analysis/02a64dd4-d7e0-451c-8384-13cf23298551"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Canada",
            "United States of America"
          ],
          "malware_families": [],
          "attack_ids": [],
          "industries": [
            "Technology",
            "Telecommunications"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 16,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Disable_Duck",
            "id": "244325",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 94496,
            "FileHash-MD5": 63,
            "domain": 112327,
            "URL": 166918,
            "FileHash-SHA1": 33,
            "FileHash-SHA256": 103,
            "CIDR": 216
          },
          "indicator_count": 374156,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 142,
          "modified_text": "641 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "66269b204ecfba63974dc1d8",
          "name": "Tracking Domains - Part 4",
          "description": "More Tracking Domains",
          "modified": "2024-05-22T17:04:45.215000",
          "created": "2024-04-22T17:15:12.353000",
          "tags": [
            "Tracking Domains"
          ],
          "references": [
            "https://www.virustotal.com/gui/collection/ee0928d5289165511398be0144460ff4c8663292be0a99a05ac955de2728a078/iocs",
            "https://www.virustotal.com/graph/embed/g0844b0f8d48c4bfab3ae40a376456055e267e54952fe40e0a79f63cc17550863?theme=dark"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Canada",
            "United States of America"
          ],
          "malware_families": [],
          "attack_ids": [],
          "industries": [
            "Technology",
            "Telecommunications"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 16,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Disable_Duck",
            "id": "244325",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 792,
            "FileHash-MD5": 1,
            "domain": 5803,
            "URL": 2
          },
          "indicator_count": 6598,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 136,
          "modified_text": "741 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "",
        "https://hybrid-analysis.com/sample/6a8efb46a1811fab955b629b37b5c483a812cc66519436acd726ff2a854f7a86",
        "https://www.virustotal.com/gui/collection/18b52f4087178dedfee577ab7e53c5a86e84c2a7f901fa796240247f4be76f32/iocs",
        "dropbox.com - deleted victims DB post assault. Sabey + Ahmann repeatedly erased DB (ILLEGAL)",
        "https://metadefender.com/results/url/aHR0cHM6Ly90ZWNoNHNlcnZpY2UuY2E=",
        "https://urlscan.io/asn/AS45090",
        "http://appleid.apple.com.secure1account.pagelogin.test2.aptaforum.com.cn/",
        "Yara Detections: WannaCry_Ransomware ,  Wanna_Cry_Ransomware_Generic ,  WannaDecryptor",
        "apple.haipaoapp.com \u2022 http://apple.haipaoapp.com \u2022 http://apple.haipaoapp.com/ \u2022 https://apple.haipaoapp.com/",
        "IDS Detections: Possible ETERNALBLUE Probe MS17-010 (MSF style) ETERNALBLUE Probe Vulnerable System Response MS17-010",
        "http://web-secure-appleid-login.com.test2.aptaforum.com.cn/",
        "Domains Contacted: ww38.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com",
        "HallRender.com | Law Firm M. Brian Sabey Esq. | Pegasus related",
        "Crowdsourced IDS: Matches rule ET POLICY PE EXE or DLL Windows file download HTTP",
        "https://www.filescan.io/uploads/67e1a7ffc26eb3fd74f584c0/reports/28bf2c8b-9ebd-4f47-8428-135838c23c2f/geolocation",
        "https://app.threat.zone/submission/c8b0b1e4-0c9b-4210-b5ce-1dc2303445df/overview",
        "Quasi Gov - Law firms stole victims clouds. Evidence, $Intellectual property, Memories of & victims family. Merciless",
        "Names: Photo.scr \u2022 85115B0142902832C864B3009CAB1A00.RS (names of FileHash above)",
        "http://appleid.apple.com-signin-8491e.test2.aptaforum.com.cn/",
        "Crowdsourced IDS: Fast Flux attempt Matches rule ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)",
        "https://viz.greynoise.io/ip/analysis/6356f330-63a7-4ce3-91fa-7ab355a1dc1a",
        "KeenDNS | keendnsaclremote805717135272048.qeenetic.link",
        "https://www.virustotal.com/gui/collection/21cbd369ea901f41d51b666439aa41070c76eafb66dbbc6e56c86e0923b1569f/graph",
        "Domains Contacted: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com",
        "findmy.apple-uk.live",
        "Alerts: creates_service stealth_window antivm_network_adapters checks_debugger",
        "http://prtests.ru/test.html?15%0Ahttp://profetest.ru/test.html?2%0Ahttp://qptest.ru/test.html?5%0Ahttp://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/3cf71a18-f999-4372-beac-67715d51bb62?P1=1629470400&P2=404&P3=2&P4=d%2520arRdiatcalmlQRKq2gm1LlFitNgIcLpnyzCIHYtf%2520ByXQF0JNptZ0rBDMKlLL%2520qsOzZdPICJjC7MWkkdm1Hg==%0Ahttp://stafftest.ru/test.html?0%0Ahttp://iqtesti.ru/test.html?17%0Ahttp://hrtests.ru/test.html?1%0Ahttp://pstests.ru/test.html?4%0Ahttp://prtests.ru/test.html?6%0Ahttp:/",
        "VO7MU1HA.htm : https://hybrid-analysis.com/sample/9e6e93c05a9736b95426fe0f492a18a2ac409bd9fb572dd3c982cb6de3ba0dbc",
        "https://hybrid-analysis.com/sample/a638ece11c81bcac0002363eb3f75de35a46ce0e080b5de41162093181079a6b/69c018efcb875e4fb30cdfcc",
        "http://apple.sweetycat.com/ \u2022 https://apple.sweetycat.com/",
        "TAM Legal\u2019s Christopher P. \u2018Buzz\u2019 Ahmann Esq works for State Quasi Government in tandem w/ Hall Render",
        "https://hybrid-analysis.com/sample/4ac0486c18ef662f2ba44e75cc13830d7e3d6a8ec20040a78e7818a6484bf807",
        "http://e7.c.lencr.org/74.crl \u2022 http://e7.i.lencr.org/",
        "https://www.virustotal.com/gui/collection/ee0928d5289165511398be0144460ff4c8663292be0a99a05ac955de2728a078/iocs",
        "https://otx.alienvault.com/pulse/69bf261cc4e399447d78776c",
        "https://www.virustotal.com/graph/embed/g0844b0f8d48c4bfab3ae40a376456055e267e54952fe40e0a79f63cc17550863?theme=dark",
        "https://www.virustotal.com/graph/embed/ge839428bb3e24a98aae8cbcc242ae4d8febdc0c46e49411ebb09d155e22b4bbc?theme=dark",
        "apple.com-verify.account.manage.test2.aptaforum.com.cn",
        "Protected:SA\u2019r Jeffrey Scott Reimer, Mark Montano MD, John T. Sasha MD, Frederick P. Scherr , others.",
        "IP\u2019s Contacted: 103.224.212.220  105.242.60.208  117.13.61.219  117.180.208.83  12.105.46.122",
        "appleid.apple.com-signin-8491e.test2.aptaforum.com.cn",
        "https://viz.greynoise.io/analysis/02a64dd4-d7e0-451c-8384-13cf23298551",
        "(?) https://living-sun.com/applescript/68281-is-there-a-way-to-disable-force-quit-while-applescript-application-is-still-running-applescript-quit.html",
        "IDS Detections: Observed WannaCry Domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff .com in DNS Lookup)",
        "https://polyswarm.network/scan/results/file/6a8efb46a1811fab955b629b37b5c483a812cc66519436acd726ff2a854f7a86",
        "https://hybrid-analysis.com/sample/4ac0486c18ef662f2ba44e75cc13830d7e3d6a8ec20040a78e7818a6484bf807/67e1a708525a509d1805065a",
        "pcy.and.googletagmanagers.com",
        "https://www.virustotal.com/gui/collection/21cbd369ea901f41d51b666439aa41070c76eafb66dbbc6e56c86e0923b1569f/iocs",
        "IDS Detections: IPC$ share access \u2022 SMB-DS IPC$ unicode share access \u2022 403 Forbidden",
        "*unsigned Domain: aptaforum.com.cn  Name Servers: dns18.hichina.com Registrar: \u963f\u91cc\u4e91\u8ba1\u7b97\u6709\u9650\u516c\u53f8\uff08\u4e07\u7f51\uff09Status: ok",
        "Alerts: network_icmp nolookup_communication persistence_autorun modifies_proxy_wpad",
        "https://www.virustotal.com/graph/embed/g6d4bce6162064ac09cd20411c1947e69d7d5a1d475f0447da023ac933d338fce?theme=dark",
        "Yara Detections: MS17_010_WanaCry_worm  ,  stack_string , MS_Visual_Cpp_6_0 ,  Armadillov1xxv2xx",
        "Win32:CVE-2017-0147-B\\ [Expl] ,  Win.Ransomware.WannaCry-6313787-0 ,  Exploit:Win32/CVE-2017-0147.A",
        "https://n0paste.eu/UH6n5pD/",
        "FileHash-SHA256 002dee2db8b07b98b543ad99d0dd4e3e0ba7624f956d719ba803f57b426e30e7",
        "https://urlscan.io/result/d4bf08e4-88dc-4bf8-be34-6b352576882e/#behaviour",
        "https://metadefender.com/results/file/bzI1MDMwMVFWaXRDS0hpWElYcnV0QllCYlB1",
        "IP\u2019s Contacted: 121.105.233.189  128.251.173.246  13.248.148.254  132.124.155.52  139.246.30.108",
        "https://otx.alienvault.com/pulse/69b49ad5dd40a24d83cd6a72",
        "jgw.and.googletagmanagers.com",
        "https://otx.alienvault.com/indicator/domain/qeenetic.link",
        "okg.and.googletagmanagers.com",
        "prb.and.googletagmanagers.com",
        "https://yaraify.abuse.ch/scan/results/32bfc760-1757-11f1-b47f-42010aa4000b",
        "pgj.and.googletagmanagers.com",
        "aptaforum.com.cn   182.61.201.90 ,  182.61.201.91   China ASN AS38365 beijing baidu netcom science and technology co. ltd",
        "https://urlscan.io/result/aeb42615-79b7-465d-924e-c9bdde3eefd1/#transactions",
        "appleid.apple.com.secure1account.pagelogin.test2.aptaforum.com.cn",
        "IDS Detections: Possible ETERNALBLUE Probe MS17-010 (Generic Flags)",
        "https://urlscan.io/search/#asn%3A%22AS45090%22",
        "https://mwdb.cert.pl/file/efb45096e24a61b488eb809bd8edf874d15bb498dd75ced8b888b020c87e5c6c",
        "https://urlscan.io/asn/AS4611",
        "bzx.and.googletagmanagers.com",
        "web-secure-appleid-login.com.test2.aptaforum.com.cn",
        "http://ww17.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/",
        "Crowdsourced IDS: Matches rule MALWARE-CNC DNS",
        "https://krebsonsecurity.com/2024/07/dont-let-your-domain-name-be",
        "http://apple.com-verify.account.manage.test2.aptaforum.com.cn/",
        "msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "Emails:yejun.shou@yxips.com Name:\u7ebd\u8fea\u5e0c\u4e9a\u751f\u547d\u65e9\u671f\u8425\u517b\u54c1\u7ba1\u7406(\u4e0a\u6d77)\u6709\u9650\u516c\u53f8 Name Servers: dns17.hichina.com",
        "http://apple.com-index.php-account-locked-verification.test2.aptaforum.com.cn/",
        "https://pulsedive.com/indicator/?iid=68410521",
        "lkp.and.googletagmanagers.com",
        "https://otx.alienvault.com/pulse/69bf8e2663d5480917ddb699",
        "https://www.virustotal.com/gui/collection/18b52f4087178dedfee577ab7e53c5a86e84c2a7f901fa796240247f4be76f32/summary",
        "IDS Detections: Behavioral Unusual Port 445 traffic Potential Scan or Infection SMB-DS",
        "https://www.filescan.io/uploads/67e1a7ffc26eb3fd74f584c0/reports/28bf2c8b-9ebd-4f47-8428-135838c23c2f/ioc",
        "https://urlscan.io/search/#asn:%22AS4611%22",
        "https://www.filescan.io/uploads/67e1a7ffc26eb3fd74f584c0/reports/28bf2c8b-9ebd-4f47-8428-135838c23c2f/overview",
        "https://fonts.googleapis.com/css",
        "https://viz.greynoise.io/query/AS4611",
        "https://hybrid-analysis.com/sample/09610b7c855ef132a31f2e0136b4d62b9dbb04c6fcb42160d6d8409ef6394e40/69c0189c5e0483a78907cc39",
        "dns17.hichina.com",
        "Alerts: network_cnc_http network_http allocates_rwx creates_exe creates_hidden_file",
        "https://pulsedive.com/indicator/?iid=68410679",
        "https://www.virustotal.com/gui/url/d3fcc8b4575e8e04b8c80b171089c26f3d117ac9b11e971dc4fd0345f00b4414",
        "https://viz.greynoise.io/query/AS45090",
        "Trojan/JS.Redirector.QNO SHA256:9e6e93c05a9736b95426fe0f492a18a2ac409bd9fb572dd3c982cb6de3ba0dbc",
        "apple.com-index.php-account-locked-verification.test2.aptaforum.com.cn",
        "Alerts:  peid_packer pe_unknown_resource_name",
        "https://www.virustotal.com/gui/collection/21cbd369ea901f41d51b666439aa41070c76eafb66dbbc6e56c86e0923b1569f/summary",
        "www.remoteaccess.allied-media.com",
        "https://wormhole.app/Pp5DdP#3EpzsqLhw5lJdQ0Xe_mRQA",
        "https://otx.alienvault.com/pulse/69bea426487bffa5384c6f38",
        "Filescan[.]io report: bc47c757-0a4d-4659-98d4-5d0c86406462 (08.23.24)"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": []
        },
        "other": {
          "adversary": [],
          "malware_families": [
            "Win.trojan.vbgeneric-6989114-0",
            "Win.trojan.fugrafa-9733007-0",
            "Exploit:win32/cve-2017-0147.a",
            "Cve-2017-0147",
            "#virtool:win32/obfuscator",
            "Win.malware.flystudio-6738927-0",
            "Virtool:win32/vbinject.ya!mtb",
            "Win.ransomware.wannacry-6313787-0",
            "Win32:trojanx-gen\\ [trj]",
            "Win.malware.snojan-6775202-0",
            "Win.trojan.application-1955.",
            "Backdoor:win32/small.ir",
            "Win64:expiro-aj\\ [inf]",
            "Ransom:win32/wannacrypt.h",
            "Win32:banker-laa\\ [trj]",
            "Alf:spikeaexr.pevpopc",
            "Trojan/js.redirector.qno",
            "Ransomware",
            "Win32:dh-a\\",
            "Win32:evo-gen\\ [trj]",
            "Sf:wncryldr-a\\ [trj]",
            "Win32:malware-gen",
            "Win32:dh-a\\ [win32:fileinfector-c\\ [heur]",
            "Ransom:win32/cve-2017-0147.a"
          ],
          "industries": [
            "Education",
            "Legal",
            "Technology",
            "Telecommunications",
            "Government",
            "Healthcare"
          ]
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 8,
  "pulses": [
    {
      "id": "69c06ca9341d6c063f652e33",
      "name": "ETERNALBLUE Probe MS17-010 | Wannacry Ransomware Domain - related to NSO Group Pegasus",
      "description": "Quasi governmental, Healthcare Law Firms , legal entities , as well as direct safety threats such as NSO Group Pegasus, Enterprise Cellebrite (in references) and other dangerous intimidation and life endangering tactics directed against a crime victim. Continuous harassment and threats of violence against victims family including 83 yo father. Veteran & hand picked  Sr Systems Analyst and Engineer for Aegis Weapon System Team of 24. You\u2019re welcome America.. Victim left zero evidence with family. Documents shredded. Data stolen by parties named. She isn\u2019t the only one. These people do this for a living. Abuse of Palantir & Foundry tools.",
      "modified": "2026-04-21T22:07:35.710000",
      "created": "2026-03-22T22:26:49.205000",
      "tags": [
        "ransomware",
        "united",
        "search",
        "asnone",
        "regsetvalueexa",
        "service",
        "regdword",
        "medium",
        "get na",
        "malware",
        "dock",
        "push",
        "write",
        "win32",
        "playgame",
        "unknown",
        "exploit",
        "cve",
        "wncry",
        "wannacry",
        "passive dns",
        "urls",
        "british virgin",
        "all url",
        "http",
        "ip address",
        "related nids",
        "files location",
        "virgin islands",
        "islands",
        "bgp",
        "virgin islands",
        "hijacked",
        "data upload",
        "extraction",
        "failed",
        "review iocs",
        "include ovo",
        "tovary review",
        "ids detec",
        "yara dete",
        "trior texarag",
        "drop or",
        "rrowse",
        "type",
        "extra data",
        "hurricane electric",
        "p2404",
        "p11629470400",
        "p11629107633",
        "artifacts v",
        "full reports",
        "v help",
        "info",
        "low l",
        "high ta0002",
        "techniques",
        "t1053",
        "command",
        "scripting inte",
        "low ta0003",
        "techniques high",
        "t1053 ite",
        "modify system",
        "pl t1543",
        "boot",
        "logon autostart",
        "ex t1547",
        "checks-disk-space",
        "checks-network-adapters",
        "detect-debug-environment",
        "direct-cpu-clock-access",
        "long-sleeps",
        "runtime-modules",
        "get http",
        "head http",
        "dns resolutions",
        "ip traffic",
        "53 tcp",
        "tls sni",
        "apple id",
        "webdisk",
        "expiration",
        "url http",
        "hostname",
        "no expiration",
        "iocs",
        "url https",
        "es included",
        "win32 exe",
        "pe32 executable",
        "ms windows",
        "intel",
        "ms visual",
        "win32 dynamic",
        "link library",
        "win16 ne",
        "learn",
        "ck id",
        "name tactics",
        "suspicious",
        "informative",
        "adversaries",
        "spawns",
        "t1204 user",
        "defense evasion",
        "over",
        "mitre att",
        "ck matrix",
        "ascii text",
        "hybrid",
        "general",
        "local",
        "path",
        "click",
        "strings",
        "javascript",
        "ssl certificate",
        "encrypt",
        "accept",
        "russia unknown",
        "meta",
        "record value",
        "aaaa",
        "link",
        "present jun",
        "apple",
        "remote access",
        "otx logo",
        "all ipv4",
        "url analysis",
        "files",
        "accept ch",
        "present dec",
        "content type",
        "x pcrew",
        "name servers",
        "present may",
        "body doctype",
        "title",
        "all domain",
        "servers",
        "china unknown",
        "found content",
        "gmt p3p",
        "cp oti",
        "dsp cor",
        "iva our",
        "ind com",
        "domain",
        "cname",
        "entries",
        "brian sabey",
        "hallrender",
        "christopher ahmann",
        "t1480 execution",
        "discovery att",
        "heur",
        "virtool",
        "win64",
        "mtb win32",
        "backdoor",
        "location china",
        "hangzhou",
        "china asn",
        "ransom",
        "wannadecryptor",
        "filehash",
        "yara detections",
        "msvisualcpp60",
        "related tags",
        "none file",
        "type pexe",
        "copy",
        "beginstring",
        "null",
        "refresh",
        "body",
        "span",
        "error",
        "tools",
        "look",
        "verify",
        "restart",
        "expl",
        "unknown cname",
        "hacktool",
        "domain address",
        "contacted hosts",
        "process details",
        "flag",
        "ipv4 add",
        "location united",
        "america flag",
        "exploit",
        "show",
        "all filehash",
        "expiration date",
        "gmt location",
        "gmt max",
        "domain add",
        "elite",
        "date",
        "cowboy",
        "United States",
        "present feb",
        "present oct",
        "creation date",
        "present nov",
        "moved",
        "emails"
      ],
      "references": [
        "http://ww17.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/",
        "Win32:CVE-2017-0147-B\\ [Expl] ,  Win.Ransomware.WannaCry-6313787-0 ,  Exploit:Win32/CVE-2017-0147.A",
        "IDS Detections: Observed WannaCry Domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff .com in DNS Lookup)",
        "IDS Detections: Possible ETERNALBLUE Probe MS17-010 (MSF style) ETERNALBLUE Probe Vulnerable System Response MS17-010",
        "IDS Detections: Possible ETERNALBLUE Probe MS17-010 (Generic Flags)",
        "IDS Detections: Behavioral Unusual Port 445 traffic Potential Scan or Infection SMB-DS",
        "IDS Detections: IPC$ share access \u2022 SMB-DS IPC$ unicode share access \u2022 403 Forbidden",
        "Yara Detections: WannaCry_Ransomware ,  Wanna_Cry_Ransomware_Generic ,  WannaDecryptor",
        "Yara Detections: MS17_010_WanaCry_worm  ,  stack_string , MS_Visual_Cpp_6_0 ,  Armadillov1xxv2xx",
        "Alerts: network_icmp nolookup_communication persistence_autorun modifies_proxy_wpad",
        "Alerts: network_cnc_http network_http allocates_rwx creates_exe creates_hidden_file",
        "Alerts: creates_service stealth_window antivm_network_adapters checks_debugger",
        "Alerts:  peid_packer pe_unknown_resource_name",
        "IP\u2019s Contacted: 103.224.212.220  105.242.60.208  117.13.61.219  117.180.208.83  12.105.46.122",
        "IP\u2019s Contacted: 121.105.233.189  128.251.173.246  13.248.148.254  132.124.155.52  139.246.30.108",
        "Domains Contacted: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com",
        "Domains Contacted: ww38.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com",
        "FileHash-SHA256 002dee2db8b07b98b543ad99d0dd4e3e0ba7624f956d719ba803f57b426e30e7",
        "Names: Photo.scr \u2022 85115B0142902832C864B3009CAB1A00.RS (names of FileHash above)",
        "Crowdsourced IDS: Matches rule MALWARE-CNC DNS",
        "Crowdsourced IDS: Fast Flux attempt Matches rule ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)",
        "Crowdsourced IDS: Matches rule ET POLICY PE EXE or DLL Windows file download HTTP",
        "apple.com-index.php-account-locked-verification.test2.aptaforum.com.cn",
        "apple.com-verify.account.manage.test2.aptaforum.com.cn",
        "appleid.apple.com-signin-8491e.test2.aptaforum.com.cn",
        "appleid.apple.com.secure1account.pagelogin.test2.aptaforum.com.cn",
        "web-secure-appleid-login.com.test2.aptaforum.com.cn",
        "http://apple.com-verify.account.manage.test2.aptaforum.com.cn/",
        "http://appleid.apple.com-signin-8491e.test2.aptaforum.com.cn/",
        "http://apple.sweetycat.com/ \u2022 https://apple.sweetycat.com/",
        "findmy.apple-uk.live",
        "apple.haipaoapp.com \u2022 http://apple.haipaoapp.com \u2022 http://apple.haipaoapp.com/ \u2022 https://apple.haipaoapp.com/",
        "http://apple.com-index.php-account-locked-verification.test2.aptaforum.com.cn/",
        "http://appleid.apple.com.secure1account.pagelogin.test2.aptaforum.com.cn/",
        "http://web-secure-appleid-login.com.test2.aptaforum.com.cn/",
        "Trojan/JS.Redirector.QNO SHA256:9e6e93c05a9736b95426fe0f492a18a2ac409bd9fb572dd3c982cb6de3ba0dbc",
        "VO7MU1HA.htm : https://hybrid-analysis.com/sample/9e6e93c05a9736b95426fe0f492a18a2ac409bd9fb572dd3c982cb6de3ba0dbc",
        "https://hybrid-analysis.com/sample/a638ece11c81bcac0002363eb3f75de35a46ce0e080b5de41162093181079a6b/69c018efcb875e4fb30cdfcc",
        "https://hybrid-analysis.com/sample/09610b7c855ef132a31f2e0136b4d62b9dbb04c6fcb42160d6d8409ef6394e40/69c0189c5e0483a78907cc39",
        "KeenDNS | keendnsaclremote805717135272048.qeenetic.link",
        "https://fonts.googleapis.com/css",
        "http://e7.c.lencr.org/74.crl \u2022 http://e7.i.lencr.org/",
        "Quasi Gov - Law firms stole victims clouds. Evidence, $Intellectual property, Memories of & victims family. Merciless",
        "www.remoteaccess.allied-media.com",
        "apple.com-index.php-account-locked-verification.test2.aptaforum.com.cn",
        "aptaforum.com.cn   182.61.201.90 ,  182.61.201.91   China ASN AS38365 beijing baidu netcom science and technology co. ltd",
        "Emails:yejun.shou@yxips.com Name:\u7ebd\u8fea\u5e0c\u4e9a\u751f\u547d\u65e9\u671f\u8425\u517b\u54c1\u7ba1\u7406(\u4e0a\u6d77)\u6709\u9650\u516c\u53f8 Name Servers: dns17.hichina.com",
        "*unsigned Domain: aptaforum.com.cn  Name Servers: dns18.hichina.com Registrar: \u963f\u91cc\u4e91\u8ba1\u7b97\u6709\u9650\u516c\u53f8\uff08\u4e07\u7f51\uff09Status: ok",
        "dns17.hichina.com",
        "dropbox.com - deleted victims DB post assault. Sabey + Ahmann repeatedly erased DB (ILLEGAL)",
        "Protected:SA\u2019r Jeffrey Scott Reimer, Mark Montano MD, John T. Sasha MD, Frederick P. Scherr , others.",
        "https://otx.alienvault.com/indicator/domain/qeenetic.link",
        "okg.and.googletagmanagers.com",
        "pcy.and.googletagmanagers.com",
        "pgj.and.googletagmanagers.com",
        "prb.and.googletagmanagers.com",
        "lkp.and.googletagmanagers.com",
        "jgw.and.googletagmanagers.com",
        "bzx.and.googletagmanagers.com",
        "msedge.b.tlu.dl.delivery.mp.microsoft.com",
        "http://prtests.ru/test.html?15%0Ahttp://profetest.ru/test.html?2%0Ahttp://qptest.ru/test.html?5%0Ahttp://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/3cf71a18-f999-4372-beac-67715d51bb62?P1=1629470400&P2=404&P3=2&P4=d%2520arRdiatcalmlQRKq2gm1LlFitNgIcLpnyzCIHYtf%2520ByXQF0JNptZ0rBDMKlLL%2520qsOzZdPICJjC7MWkkdm1Hg==%0Ahttp://stafftest.ru/test.html?0%0Ahttp://iqtesti.ru/test.html?17%0Ahttp://hrtests.ru/test.html?1%0Ahttp://pstests.ru/test.html?4%0Ahttp://prtests.ru/test.html?6%0Ahttp:/",
        "HallRender.com | Law Firm M. Brian Sabey Esq. | Pegasus related",
        "TAM Legal\u2019s Christopher P. \u2018Buzz\u2019 Ahmann Esq works for State Quasi Government in tandem w/ Hall Render",
        "https://otx.alienvault.com/pulse/69bf8e2663d5480917ddb699",
        "https://otx.alienvault.com/pulse/69bf261cc4e399447d78776c",
        "https://otx.alienvault.com/pulse/69bea426487bffa5384c6f38",
        "(?) https://living-sun.com/applescript/68281-is-there-a-way-to-disable-force-quit-while-applescript-application-is-still-running-applescript-quit.html",
        "https://otx.alienvault.com/pulse/69bf261cc4e399447d78776c",
        "https://otx.alienvault.com/pulse/69b49ad5dd40a24d83cd6a72"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "Ransomware",
          "display_name": "Ransomware",
          "target": null
        },
        {
          "id": "Win.Ransomware.WannaCry-6313787-0",
          "display_name": "Win.Ransomware.WannaCry-6313787-0",
          "target": null
        },
        {
          "id": "Exploit:Win32/CVE-2017-0147.A",
          "display_name": "Exploit:Win32/CVE-2017-0147.A",
          "target": "/malware/Exploit:Win32/CVE-2017-0147.A"
        },
        {
          "id": "Trojan/JS.Redirector.QNO",
          "display_name": "Trojan/JS.Redirector.QNO",
          "target": null
        },
        {
          "id": "Win.Trojan.Application-1955.",
          "display_name": "Win.Trojan.Application-1955.",
          "target": null
        },
        {
          "id": "Win32:Banker-LAA\\ [Trj]",
          "display_name": "Win32:Banker-LAA\\ [Trj]",
          "target": null
        },
        {
          "id": "Win.Malware.Snojan-6775202-0",
          "display_name": "Win.Malware.Snojan-6775202-0",
          "target": null
        },
        {
          "id": "Win32:Evo-gen\\ [Trj]",
          "display_name": "Win32:Evo-gen\\ [Trj]",
          "target": null
        },
        {
          "id": "Win64:Expiro-AJ\\ [Inf]",
          "display_name": "Win64:Expiro-AJ\\ [Inf]",
          "target": null
        },
        {
          "id": "Win.Trojan.Fugrafa-9733007-0",
          "display_name": "Win.Trojan.Fugrafa-9733007-0",
          "target": null
        },
        {
          "id": "Win32:TrojanX-gen\\ [Trj]",
          "display_name": "Win32:TrojanX-gen\\ [Trj]",
          "target": null
        },
        {
          "id": "Win.Trojan.VBGeneric-6989114-0",
          "display_name": "Win.Trojan.VBGeneric-6989114-0",
          "target": null
        },
        {
          "id": "VirTool:Win32/VBInject.YA!MTB",
          "display_name": "VirTool:Win32/VBInject.YA!MTB",
          "target": "/malware/VirTool:Win32/VBInject.YA!MTB"
        },
        {
          "id": "Win32:Dh-A\\ [Win32:FileInfector-C\\ [Heur]",
          "display_name": "Win32:Dh-A\\ [Win32:FileInfector-C\\ [Heur]",
          "target": null
        },
        {
          "id": "#VirTool:Win32/Obfuscator",
          "display_name": "#VirTool:Win32/Obfuscator",
          "target": "/malware/#VirTool:Win32/Obfuscator"
        },
        {
          "id": "Backdoor:Win32/Small.IR",
          "display_name": "Backdoor:Win32/Small.IR",
          "target": "/malware/Backdoor:Win32/Small.IR"
        },
        {
          "id": "Win64:Expiro-AJ\\ [Inf]",
          "display_name": "Win64:Expiro-AJ\\ [Inf]",
          "target": null
        },
        {
          "id": "Win32:Dh-A\\",
          "display_name": "Win32:Dh-A\\",
          "target": null
        },
        {
          "id": "CVE-2017-0147",
          "display_name": "CVE-2017-0147",
          "target": null
        },
        {
          "id": "Ransom:Win32/CVE-2017-0147.A",
          "display_name": "Ransom:Win32/CVE-2017-0147.A",
          "target": "/malware/Ransom:Win32/CVE-2017-0147.A"
        },
        {
          "id": "Win32:Malware-gen",
          "display_name": "Win32:Malware-gen",
          "target": null
        },
        {
          "id": "Win.Malware.Flystudio-6738927-0",
          "display_name": "Win.Malware.Flystudio-6738927-0",
          "target": null
        },
        {
          "id": "ALF:SpikeAexR.PEVPOPC",
          "display_name": "ALF:SpikeAexR.PEVPOPC",
          "target": null
        },
        {
          "id": "Sf:WNCryLdr-A\\ [Trj]",
          "display_name": "Sf:WNCryLdr-A\\ [Trj]",
          "target": null
        },
        {
          "id": "Win.Ransomware.WannaCry-6313787-0",
          "display_name": "Win.Ransomware.WannaCry-6313787-0",
          "target": null
        },
        {
          "id": "ransom:Win32/WannaCrypt.H",
          "display_name": "ransom:Win32/WannaCrypt.H",
          "target": "/malware/ransom:Win32/WannaCrypt.H"
        }
      ],
      "attack_ids": [
        {
          "id": "T1031",
          "name": "Modify Existing Service",
          "display_name": "T1031 - Modify Existing Service"
        },
        {
          "id": "T1040",
          "name": "Network Sniffing",
          "display_name": "T1040 - Network Sniffing"
        },
        {
          "id": "T1045",
          "name": "Software Packing",
          "display_name": "T1045 - Software Packing"
        },
        {
          "id": "T1053",
          "name": "Scheduled Task/Job",
          "display_name": "T1053 - Scheduled Task/Job"
        },
        {
          "id": "T1060",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1060 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1143",
          "name": "Hidden Window",
          "display_name": "T1143 - Hidden Window"
        },
        {
          "id": "T1158",
          "name": "Hidden Files and Directories",
          "display_name": "T1158 - Hidden Files and Directories"
        },
        {
          "id": "T1198",
          "name": "SIP and Trust Provider Hijacking",
          "display_name": "T1198 - SIP and Trust Provider Hijacking"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1203",
          "name": "Exploitation for Client Execution",
          "display_name": "T1203 - Exploitation for Client Execution"
        },
        {
          "id": "T1543",
          "name": "Create or Modify System Process",
          "display_name": "T1543 - Create or Modify System Process"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1574",
          "name": "Hijack Execution Flow",
          "display_name": "T1574 - Hijack Execution Flow"
        },
        {
          "id": "T1048",
          "name": "Exfiltration Over Alternative Protocol",
          "display_name": "T1048 - Exfiltration Over Alternative Protocol"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1069",
          "name": "Permission Groups Discovery",
          "display_name": "T1069 - Permission Groups Discovery"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1204",
          "name": "User Execution",
          "display_name": "T1204 - User Execution"
        },
        {
          "id": "T1480",
          "name": "Execution Guardrails",
          "display_name": "T1480 - Execution Guardrails"
        },
        {
          "id": "T1568",
          "name": "Dynamic Resolution",
          "display_name": "T1568 - Dynamic Resolution"
        },
        {
          "id": "T1069.002",
          "name": "Domain Groups",
          "display_name": "T1069.002 - Domain Groups"
        },
        {
          "id": "T1568.002",
          "name": "Domain Generation Algorithms",
          "display_name": "T1568.002 - Domain Generation Algorithms"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        },
        {
          "id": "T1071.004",
          "name": "DNS",
          "display_name": "T1071.004 - DNS"
        },
        {
          "id": "T1048.003",
          "name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol",
          "display_name": "T1048.003 - Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol"
        },
        {
          "id": "T1189",
          "name": "Drive-by Compromise",
          "display_name": "T1189 - Drive-by Compromise"
        },
        {
          "id": "T1553",
          "name": "Subvert Trust Controls",
          "display_name": "T1553 - Subvert Trust Controls"
        },
        {
          "id": "T1583",
          "name": "Acquire Infrastructure",
          "display_name": "T1583 - Acquire Infrastructure"
        },
        {
          "id": "T1543.001",
          "name": "Launch Agent",
          "display_name": "T1543.001 - Launch Agent"
        },
        {
          "id": "T1210",
          "name": "Exploitation of Remote Services",
          "display_name": "T1210 - Exploitation of Remote Services"
        },
        {
          "id": "T1022",
          "name": "Data Encrypted",
          "display_name": "T1022 - Data Encrypted"
        }
      ],
      "industries": [
        "Government",
        "Legal",
        "Technology",
        "Healthcare"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 3,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 2,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Q.Vashti",
        "id": "337942",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 3779,
        "FileHash-MD5": 422,
        "FileHash-SHA1": 411,
        "FileHash-SHA256": 1824,
        "domain": 979,
        "hostname": 2082,
        "CVE": 1,
        "BitcoinAddress": 3,
        "SSLCertFingerprint": 6,
        "email": 8
      },
      "indicator_count": 9515,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 143,
      "modified_text": "42 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "695089cbedad5c86f39b1363",
      "name": "Tracking Domains 03.03.26 (Updated Test)",
      "description": "Privacy Badger - Update on 01.09.26\nTracking domains on a hybrid (mobile laptop) clone of an AHS/Covenant Health, UAlberta (University of Alberta), and Government of Alberta Laptop.\nHealthcare: No Cybersecurity, EDU: No Cybersecurity / Remote only, GoA = Informed & don't quite know what to do or to whom this should be brought up with.",
      "modified": "2026-04-05T06:35:43.679000",
      "created": "2025-12-28T01:37:15.993000",
      "tags": [
        "privacy badger",
        "sites general",
        "settings widget",
        "domains manage",
        "data privacy",
        "badger",
        "hide"
      ],
      "references": [
        "https://hybrid-analysis.com/sample/6a8efb46a1811fab955b629b37b5c483a812cc66519436acd726ff2a854f7a86",
        "https://yaraify.abuse.ch/scan/results/32bfc760-1757-11f1-b47f-42010aa4000b",
        "https://polyswarm.network/scan/results/file/6a8efb46a1811fab955b629b37b5c483a812cc66519436acd726ff2a854f7a86",
        "https://app.threat.zone/submission/c8b0b1e4-0c9b-4210-b5ce-1dc2303445df/overview",
        "https://www.virustotal.com/gui/collection/18b52f4087178dedfee577ab7e53c5a86e84c2a7f901fa796240247f4be76f32/iocs",
        "https://www.virustotal.com/gui/collection/18b52f4087178dedfee577ab7e53c5a86e84c2a7f901fa796240247f4be76f32/summary",
        "https://www.virustotal.com/graph/embed/g6d4bce6162064ac09cd20411c1947e69d7d5a1d475f0447da023ac933d338fce?theme=dark",
        "https://viz.greynoise.io/ip/analysis/6356f330-63a7-4ce3-91fa-7ab355a1dc1a"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "Canada",
        "United States of America",
        "Netherlands"
      ],
      "malware_families": [],
      "attack_ids": [],
      "industries": [
        "Education",
        "Healthcare",
        "Government",
        "Technology",
        "Telecommunications"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Disable_Duck",
        "id": "244325",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 50404,
        "hostname": 10879,
        "URL": 715,
        "FileHash-MD5": 1
      },
      "indicator_count": 61999,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 132,
      "modified_text": "58 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "691b61e16cea7624a6606a69",
      "name": "For Later",
      "description": "***",
      "modified": "2025-11-17T18:46:19.094000",
      "created": "2025-11-17T17:56:49.875000",
      "tags": [
        "wormhole",
        "want",
        "sign",
        "submit send",
        "copy",
        "share show",
        "report delete",
        "faq roadmap",
        "security legal",
        "twitter discord",
        "protected"
      ],
      "references": [
        "https://wormhole.app/Pp5DdP#3EpzsqLhw5lJdQ0Xe_mRQA",
        "https://www.virustotal.com/gui/collection/18b52f4087178dedfee577ab7e53c5a86e84c2a7f901fa796240247f4be76f32/iocs"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 4,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Disable_Duck",
        "id": "244325",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 72127,
        "hostname": 16700,
        "URL": 50
      },
      "indicator_count": 88877,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 131,
      "modified_text": "197 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "67e1aa875e6c907d7e1b5fa0",
      "name": "hxxps://tech4service.ca - 03.24.25",
      "description": "YEG tech/hardware vendor",
      "modified": "2025-04-23T18:02:31.021000",
      "created": "2025-03-24T18:55:03.147000",
      "tags": [
        "please",
        "javascript",
        "threat intelligence",
        "feed",
        "ioc",
        "change theme",
        "contact us",
        "intelligence",
        "threats api",
        "analyze api",
        "overview",
        "threats explore",
        "rate limits",
        "stixtaxii",
        "bulk export",
        "community",
        "results",
        "switch",
        "inquest labs",
        "resources api",
        "notes supported",
        "cve list",
        "drop your",
        "file",
        "service",
        "sandbox",
        "malware",
        "analysis",
        "online",
        "submit",
        "vxstream",
        "sample",
        "download",
        "trojan",
        "apt",
        "hybrid analysis",
        "api key",
        "vetting process",
        "please note",
        "virus",
        "ransomware",
        "static",
        "indicator of compromise",
        "extraction",
        "emulation",
        "platform",
        "prefetch8 ansi",
        "ansi",
        "show process",
        "hash seen",
        "pcap processing",
        "pcap",
        "date",
        "ck id",
        "command decode",
        "mitre att",
        "win64",
        "suspicious",
        "hybrid",
        "comspec",
        "close",
        "click",
        "hosts",
        "general",
        "path",
        "model",
        "encrypt",
        "upgrade",
        "strings",
        "contact"
      ],
      "references": [
        "https://www.virustotal.com/gui/url/d3fcc8b4575e8e04b8c80b171089c26f3d117ac9b11e971dc4fd0345f00b4414",
        "https://pulsedive.com/indicator/?iid=68410521",
        "https://metadefender.com/results/url/aHR0cHM6Ly90ZWNoNHNlcnZpY2UuY2E=",
        "https://hybrid-analysis.com/sample/4ac0486c18ef662f2ba44e75cc13830d7e3d6a8ec20040a78e7818a6484bf807",
        "https://www.filescan.io/uploads/67e1a7ffc26eb3fd74f584c0/reports/28bf2c8b-9ebd-4f47-8428-135838c23c2f/overview",
        "https://www.filescan.io/uploads/67e1a7ffc26eb3fd74f584c0/reports/28bf2c8b-9ebd-4f47-8428-135838c23c2f/geolocation",
        "https://www.filescan.io/uploads/67e1a7ffc26eb3fd74f584c0/reports/28bf2c8b-9ebd-4f47-8428-135838c23c2f/ioc",
        "https://hybrid-analysis.com/sample/4ac0486c18ef662f2ba44e75cc13830d7e3d6a8ec20040a78e7818a6484bf807/67e1a708525a509d1805065a",
        "",
        "https://pulsedive.com/indicator/?iid=68410679"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "Canada",
        "United States of America"
      ],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1132",
          "name": "Data Encoding",
          "display_name": "T1132 - Data Encoding"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1480",
          "name": "Execution Guardrails",
          "display_name": "T1480 - Execution Guardrails"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1553",
          "name": "Subvert Trust Controls",
          "display_name": "T1553 - Subvert Trust Controls"
        },
        {
          "id": "T1568",
          "name": "Dynamic Resolution",
          "display_name": "T1568 - Dynamic Resolution"
        },
        {
          "id": "T1583",
          "name": "Acquire Infrastructure",
          "display_name": "T1583 - Acquire Infrastructure"
        }
      ],
      "industries": [
        "Technology"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 16,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Disable_Duck",
        "id": "244325",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 189,
        "FileHash-MD5": 21,
        "FileHash-SHA1": 20,
        "FileHash-SHA256": 20,
        "domain": 29,
        "email": 7,
        "hostname": 37,
        "SSLCertFingerprint": 20
      },
      "indicator_count": 343,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 129,
      "modified_text": "405 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "66f235b9a7a94a6a61acd651",
      "name": "n0paste - Show paste: \\\"No Problems\\\" - dos meses del URLscan",
      "description": "This pulse represents a 'scattered sample' of data extracted from 'submissions of interest' made to virustotal, filescan_itsec, HybridAnalysis, anyrun_app, DynamiteLab, and triage (over a period of two months) which were submitted to urlscanio & subsequently GreyNoiseIO (which I've come across both from live samples and also those from offlined data). I don't particularly anticipate this will correlate w. anything specific - but at least will be put in one more place for further analysis & increased visibility.",
      "modified": "2025-03-07T08:38:08.584000",
      "created": "2024-09-24T03:44:57.902000",
      "tags": [
        "geoip",
        "public url",
        "as16509",
        "amazon02",
        "as20940",
        "akamaiasn1",
        "as8075",
        "as15169",
        "google",
        "akamaias",
        "facebook",
        "telecom",
        "twitter",
        "media",
        "win64",
        "level3",
        "mini",
        "ukraine",
        "proton",
        "ghost",
        "win32",
        "cuba",
        "mexico",
        "indonesia",
        "seznam",
        "as3359",
        "as852"
      ],
      "references": [
        "https://metadefender.com/results/file/bzI1MDMwMVFWaXRDS0hpWElYcnV0QllCYlB1",
        "https://mwdb.cert.pl/file/efb45096e24a61b488eb809bd8edf874d15bb498dd75ced8b888b020c87e5c6c",
        "https://n0paste.eu/UH6n5pD/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America",
        "Canada",
        "Anguilla",
        "Poland",
        "Aruba",
        "Australia",
        "Barbados",
        "Costa Rica",
        "Guatemala",
        "Philippines",
        "Panama",
        "Sint Maarten (Dutch part)",
        "Saint Martin (French part)",
        "Cayman Islands",
        "Cura\u00e7ao",
        "Mexico",
        "Saint Vincent and the Grenadines",
        "Saint Kitts and Nevis",
        "Tanzania, United Republic of",
        "Netherlands",
        "Ukraine",
        "Trinidad and Tobago",
        "Japan",
        "Bahamas",
        "United Kingdom of Great Britain and Northern Ireland",
        "Georgia"
      ],
      "malware_families": [],
      "attack_ids": [],
      "industries": [
        "Education",
        "Technology",
        "Government",
        "Telecommunications",
        "Healthcare"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 29,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 2,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Disable_Duck",
        "id": "244325",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 1,
        "CIDR": 1186,
        "CVE": 4,
        "FileHash-MD5": 29,
        "FileHash-SHA1": 3,
        "URL": 25493,
        "domain": 5396,
        "email": 10,
        "hostname": 10770
      },
      "indicator_count": 42892,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 149,
      "modified_text": "452 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "66b0fa3624bf0384e427f2e7",
      "name": "Tracking Domains 4.2 - 08.19.24",
      "description": "Tracking Domains detected by Privacy Badger Ext. on Microsoft Edge Browser (W11 Device) using Telus ISP (ASN852)\n*Not-Enriched (08.05.24): ~50,000 IOCs suggested by AlienVault\nFrom VT: 2 IPs hosted by AS45090 (Shenzhen Tencent Computer Systems Company Limited) & AS4611 (CNNIC member) seem to be the problem here: 118[.]89.204.198, 118[.]89.0.0/16 & 202[.]123.107.15, 202[.]123.107.0/24 (respectively)",
      "modified": "2024-09-04T15:01:01.432000",
      "created": "2024-08-05T16:13:42.563000",
      "tags": [],
      "references": [
        "https://www.virustotal.com/gui/collection/21cbd369ea901f41d51b666439aa41070c76eafb66dbbc6e56c86e0923b1569f/iocs",
        "https://www.virustotal.com/gui/collection/21cbd369ea901f41d51b666439aa41070c76eafb66dbbc6e56c86e0923b1569f/summary",
        "https://www.virustotal.com/gui/collection/21cbd369ea901f41d51b666439aa41070c76eafb66dbbc6e56c86e0923b1569f/graph",
        "https://www.virustotal.com/graph/embed/ge839428bb3e24a98aae8cbcc242ae4d8febdc0c46e49411ebb09d155e22b4bbc?theme=dark",
        "https://viz.greynoise.io/query/AS4611",
        "https://urlscan.io/asn/AS4611",
        "https://urlscan.io/search/#asn:%22AS4611%22",
        "https://urlscan.io/asn/AS45090",
        "https://urlscan.io/search/#asn%3A%22AS45090%22",
        "https://viz.greynoise.io/query/AS45090",
        "https://urlscan.io/result/aeb42615-79b7-465d-924e-c9bdde3eefd1/#transactions",
        "https://urlscan.io/result/d4bf08e4-88dc-4bf8-be34-6b352576882e/#behaviour",
        "Filescan[.]io report: bc47c757-0a4d-4659-98d4-5d0c86406462 (08.23.24)",
        "https://krebsonsecurity.com/2024/07/dont-let-your-domain-name-be"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "Canada",
        "United States of America"
      ],
      "malware_families": [],
      "attack_ids": [],
      "industries": [
        "Technology"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 17,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Disable_Duck",
        "id": "244325",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "hostname": 6180,
        "FileHash-MD5": 1,
        "domain": 24921,
        "URL": 10854
      },
      "indicator_count": 41956,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 140,
      "modified_text": "636 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "66269b1f33258a8e26033b17",
      "name": "Tracking Domains - Part 4.1",
      "description": "More Tracking Domains",
      "modified": "2024-08-30T13:02:28.335000",
      "created": "2024-04-22T17:15:11.398000",
      "tags": [
        "Tracking Domains"
      ],
      "references": [
        "https://www.virustotal.com/gui/collection/ee0928d5289165511398be0144460ff4c8663292be0a99a05ac955de2728a078/iocs",
        "https://www.virustotal.com/graph/embed/g0844b0f8d48c4bfab3ae40a376456055e267e54952fe40e0a79f63cc17550863?theme=dark",
        "https://viz.greynoise.io/analysis/02a64dd4-d7e0-451c-8384-13cf23298551"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "Canada",
        "United States of America"
      ],
      "malware_families": [],
      "attack_ids": [],
      "industries": [
        "Technology",
        "Telecommunications"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 16,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Disable_Duck",
        "id": "244325",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "hostname": 94496,
        "FileHash-MD5": 63,
        "domain": 112327,
        "URL": 166918,
        "FileHash-SHA1": 33,
        "FileHash-SHA256": 103,
        "CIDR": 216
      },
      "indicator_count": 374156,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 142,
      "modified_text": "641 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "66269b204ecfba63974dc1d8",
      "name": "Tracking Domains - Part 4",
      "description": "More Tracking Domains",
      "modified": "2024-05-22T17:04:45.215000",
      "created": "2024-04-22T17:15:12.353000",
      "tags": [
        "Tracking Domains"
      ],
      "references": [
        "https://www.virustotal.com/gui/collection/ee0928d5289165511398be0144460ff4c8663292be0a99a05ac955de2728a078/iocs",
        "https://www.virustotal.com/graph/embed/g0844b0f8d48c4bfab3ae40a376456055e267e54952fe40e0a79f63cc17550863?theme=dark"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "Canada",
        "United States of America"
      ],
      "malware_families": [],
      "attack_ids": [],
      "industries": [
        "Technology",
        "Telecommunications"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 16,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Disable_Duck",
        "id": "244325",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "hostname": 792,
        "FileHash-MD5": 1,
        "domain": 5803,
        "URL": 2
      },
      "indicator_count": 6598,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 136,
      "modified_text": "741 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "authorize.net",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "authorize.net",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780444711.1883018
}