{
  "type": "Domain",
  "indicator": "b.support",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/b.support",
    "alexa": "http://www.alexa.com/siteinfo/b.support",
    "indicator": "b.support",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 2732103182,
      "indicator": "b.support",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 13,
      "pulses": [
        {
          "id": "693f3ef3b05672ba47b903e3",
          "name": "Create Amazing Password Forms - Project Cicada",
          "description": "Huge pulse of multiple IoCs from Project Cicada URL\n(not the 3301 Mystery) | Monitored Target | I don\u2019t know if it\u2019s related to Havana Syndrome. Is related to State of Colorado, Christopher P. \u2018Buzz\u2019 Ahmann and Tesla Hackers, \n\u201cThe right of a man or woman to retreat into his/her own home and there be free from UNREASONABLE government intrusion is at the \u201cvery core\u201d of the Fourth Amendment.\u201d\nFlorida vs. Jardines 569 U.S. 1 (2013)",
          "modified": "2026-01-13T22:02:50.260000",
          "created": "2025-12-14T22:49:23.114000",
          "tags": [
            "cicada",
            "project cicada",
            "united states",
            "quasi government",
            "asnone country",
            "united",
            "moved",
            "agent",
            "meta",
            "title error",
            "reverse dns",
            "servers",
            "urls",
            "url analysis",
            "aaaa",
            "present dec",
            "ip address",
            "america flag",
            "unknown",
            "Christopher P. \u2018Buzz\u2019 Ahmann",
            "brian sabey.",
            "State of Colorado",
            "date checked",
            "url hostname",
            "server response",
            "google safe",
            "results mar",
            "avast avg",
            "qualified immunity",
            "address google",
            "freeman",
            "mathis",
            "special forces",
            "tailored access",
            "tao",
            "hacker force",
            "infiltrate",
            "manipulate",
            "sabotage",
            "tools",
            "show",
            "results nov",
            "9b",
            "tao operations",
            "root9b",
            "hunt operations",
            "error mar",
            "over watch",
            "overkill",
            "read c",
            "memcommit",
            "high",
            "checks",
            "windows",
            "delete",
            "execution",
            "dock",
            "write",
            "persistence",
            "capture",
            "next",
            "local",
            "msie",
            "windows nt",
            "wow64",
            "slcc2",
            "media center",
            "suspicious_write_exe",
            "network_icmp",
            "antisandbox_restart",
            "creates_largekey",
            "infostealer_keylogger",
            "proess_martian",
            "injection_resumethread",
            "allocates_rwx",
            "targeted intelligence",
            "js_eval",
            "network_http",
            "name servers",
            "value domain",
            "domain name",
            "expiration date",
            "safe browsing",
            "unknown ns",
            "record value",
            "vercel",
            "certificate",
            "domain add",
            "refresh",
            "encrypt",
            "x vercel",
            "k jun",
            "mtb jul",
            "next http",
            "scans record",
            "value",
            "deployment not",
            "ransom",
            "trojan",
            "a domains",
            "safari",
            "android",
            "webkit",
            "animation",
            "click",
            "title",
            "passive dns",
            "gmt content",
            "arial helvetica",
            "ipv4 add",
            "status",
            "search",
            "emails",
            "as15169 google",
            "virtool",
            "cryp",
            "as396982",
            "win32",
            "error",
            "code",
            "domain",
            "showing",
            "query",
            "hostile",
            "observed dns",
            "et dns",
            "et info",
            "dns query",
            "malware",
            "push",
            "gmt cache",
            "sameorigin",
            "files",
            "url add",
            "http",
            "related nids",
            "files location",
            "flag united",
            "as44273 host",
            "hostname add",
            "unknown aaaa",
            "win32upatre dec",
            "mtb dec",
            "trojandropper",
            "hstr",
            "next associated",
            "backdoor",
            "entity",
            "tempe",
            "present sep",
            "hostname",
            "verdict",
            "lowfi",
            "usesscrrun",
            "ipv4",
            "element",
            "password",
            "developers",
            "create",
            "forms web",
            "group",
            "make sure",
            "autocomplete",
            "currentpassword",
            "make",
            "extraction",
            "data upload",
            "search otx",
            "ider data",
            "asn na",
            "ag da",
            "source level",
            "url text",
            "general full",
            "url https",
            "protocol h2",
            "security tls",
            "asn16509",
            "amazon02",
            "resource",
            "hash",
            "as16509",
            "us note",
            "route",
            "redacted for",
            "script urls",
            "japan unknown",
            "present apr",
            "present mar",
            "accept",
            "cookie",
            "path",
            "sectigo https",
            "encrypt https",
            "log id",
            "trustasia https",
            "amazon",
            "search criteria",
            "22965417271",
            "summary leaf",
            "timestamp entry",
            "log operator",
            "https",
            "script script",
            "cname",
            "present jun",
            "coup",
            "files ip",
            "address",
            "location united",
            "asn as16509",
            "color value",
            "item tile",
            "gmt max",
            "primary text",
            "text color",
            "play button",
            "search bar",
            "dasher",
            "flag",
            "bad traffic",
            "tls handshake",
            "failure",
            "analysis tip",
            "windir",
            "openurl c",
            "ascii text",
            "ck id",
            "show technique",
            "mitre att",
            "ck matrix",
            "pattern match",
            "network traffic",
            "beginstring",
            "show process",
            "null",
            "span",
            "general",
            "strings",
            "look",
            "verify",
            "restart",
            "dynamicloader",
            "ee fc",
            "yara rule",
            "ff d5",
            "c1 e0",
            "f0 ff",
            "ff ff",
            "eb e2",
            "ed b8",
            "fe ff",
            "june",
            "polymorphic",
            "network cnc",
            "cnc",
            "dead connect",
            "present nov",
            "france unknown",
            "generic http",
            "exe upload",
            "uploading exe",
            "intel",
            "ms windows",
            "medium",
            "http traffic",
            "monitored target",
            "prefetch2",
            "analysis",
            "tor analysis",
            "dns requests",
            "domain address",
            "contacted hosts",
            "learn",
            "command",
            "suspicious",
            "informative",
            "name tactics",
            "spawns",
            "t1480 execution",
            "file defense",
            "file discovery",
            "t1071",
            "t1057",
            "segoe ui",
            "script",
            "html",
            "body",
            "twitter",
            "formbook cnc",
            "checkin",
            "pegasus",
            "get updates",
            "p2p zeus",
            "downloader",
            "mpress",
            "win32upatre sep",
            "win32upatre oct",
            "win32upatre nov",
            "india unknown",
            "r61afin",
            "common upatre",
            "write c",
            "cts exe",
            "ids detections",
            "open",
            "present aug",
            "singapore",
            "date",
            "creation date",
            "pentest people",
            "tesla hackers",
            "vietnam unknown",
            "viet nam",
            "company limited",
            "pulse pulses"
          ],
          "references": [
            "http://dev-app.project-cicada.com \u2022 https://dev-app.project-cicada.com \u2022",
            "dev-app.project-cicada.com \u2022 project-cicada.com",
            "NAME project-cicada.com\tIdentity Protection Service\tOn behalf of project-cicada.com",
            "Files IP Address api.a 3.169.173.27,3.169.173.49, 3.169.173.87, 3.169.173.92",
            "Location United States ASN  Nameservers ns- \u2022 482.awsdns-60.com.",
            "api.acumatica.flex.redteam.com",
            "CICADA - Higurashi Analysis Agent [https://dev-app.project-cicada.com/ ]",
            "CICADA Contextual Inference & Comprehensive Analysis Data Agent",
            "https://urlscan.io/screenshots/019b1bba-5e12-709b-86eb-fcbbaa4e8375.png",
            "https://goo.gl/9p2vKq",
            "IDS Detections Win32/Snojan Variant Uploading EXE Generic HTTP EXE Upload Inbound Generic HTTP EXE Upload Outbound",
            "Yara: UPX ,  Nrv2x , UPX_OEP_place , UPX290LZMA ,UPXV200V290 ( all by MarkusOberhumerLaszloMolnarJohnReiser)",
            "Alerts: polymorphic procmem_yara suricata_alert dynamic_function_loading reads_self",
            "Alerts: network_cnc_http network_http packer_unknown_pe_section_name",
            "Alerts:  packer_entropy dead_connect queries_locale_api antidebug_setunhandledexceptionfilter",
            "IDS Detections : Downloader (P2P Zeus dropper UA) TLS Handshake",
            "IDS Detections Gh0stCringe CnC Activity M2",
            "Yara Detections: ConventionEngine_Term_Desktop ,  ConventionEngine_Term_Users ,  massminer_gh0st",
            "Alerts: infostealer_browser infostealer_cookies persistence_autorun persistence_autorun_tasks",
            "Alerts: alters_windows_utility procmem_yara static_pe_anomaly suricata_alert suspicious_command_tools mouse_movement_detect",
            "https://api-lsa.lenovosoftware.com/0/lsa/common/clever/generatedUrls",
            "googleusercontent.com | Win32:MalOb-BX\\ [Cryp] \u2022 Win.Trojan.Agent-755615 \u2022 VirTool:Win32/Obfuscator.K \u2022 Win32:MalOb-BX\\ [Cryp]\t\u2022 Win.Trojan.Agent-755615 \u2022 VirTool:Win32/Obfuscator.K",
            "teslathomas.xyz \u2022 https://teslathomas.xyz/ \u2022 teslaev.d36qivll26iymf.amplifyapp.com"
          ],
          "public": 1,
          "adversary": "State of Colorado \u2022Tesla Hackers \u2022 (Quasi Government)",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "TrojanDownloader:Win32/Cutwail.BS",
              "display_name": "TrojanDownloader:Win32/Cutwail.BS",
              "target": "/malware/TrojanDownloader:Win32/Cutwail.BS"
            },
            {
              "id": "Ransom:Win32/Crowti.A",
              "display_name": "Ransom:Win32/Crowti.A",
              "target": "/malware/Ransom:Win32/Crowti.A"
            },
            {
              "id": "Doc.Downloader.EmotetRed02220-9938909-0",
              "display_name": "Doc.Downloader.EmotetRed02220-9938909-0",
              "target": null
            },
            {
              "id": "TrojanDropper:Win32/VB.IL",
              "display_name": "TrojanDropper:Win32/VB.IL",
              "target": "/malware/TrojanDropper:Win32/VB.IL"
            },
            {
              "id": "ALF:HeraklezEval:Trojan:Win32/ClipBanker",
              "display_name": "ALF:HeraklezEval:Trojan:Win32/ClipBanker",
              "target": null
            },
            {
              "id": "ET",
              "display_name": "ET",
              "target": null
            },
            {
              "id": "Cymt",
              "display_name": "Cymt",
              "target": null
            },
            {
              "id": "TrojanDownloader:Win32/Upatre.AA",
              "display_name": "TrojanDownloader:Win32/Upatre.AA",
              "target": "/malware/TrojanDownloader:Win32/Upatre.AA"
            },
            {
              "id": "Win.Trojan.Gh0stRAT-9955419-1",
              "display_name": "Win.Trojan.Gh0stRAT-9955419-1",
              "target": null
            },
            {
              "id": "Win32:MalOb-BX",
              "display_name": "Win32:MalOb-BX",
              "target": null
            },
            {
              "id": "Win.Trojan.Agent",
              "display_name": "Win.Trojan.Agent",
              "target": null
            },
            {
              "id": "VirTool:Win32/Obfuscator.K",
              "display_name": "VirTool:Win32/Obfuscator.K",
              "target": "/malware/VirTool:Win32/Obfuscator.K"
            }
          ],
          "attack_ids": [
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1112",
              "name": "Modify Registry",
              "display_name": "T1112 - Modify Registry"
            },
            {
              "id": "T1119",
              "name": "Automated Collection",
              "display_name": "T1119 - Automated Collection"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1143",
              "name": "Hidden Window",
              "display_name": "T1143 - Hidden Window"
            },
            {
              "id": "T1158",
              "name": "Hidden Files and Directories",
              "display_name": "T1158 - Hidden Files and Directories"
            },
            {
              "id": "T1045",
              "name": "Software Packing",
              "display_name": "T1045 - Software Packing"
            },
            {
              "id": "T1056.001",
              "name": "Keylogging",
              "display_name": "T1056.001 - Keylogging"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1069",
              "name": "Permission Groups Discovery",
              "display_name": "T1069 - Permission Groups Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1480",
              "name": "Execution Guardrails",
              "display_name": "T1480 - Execution Guardrails"
            },
            {
              "id": "T1568",
              "name": "Dynamic Resolution",
              "display_name": "T1568 - Dynamic Resolution"
            },
            {
              "id": "T1583",
              "name": "Acquire Infrastructure",
              "display_name": "T1583 - Acquire Infrastructure"
            },
            {
              "id": "T1113",
              "name": "Screen Capture",
              "display_name": "T1113 - Screen Capture"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1011",
              "name": "Exfiltration Over Other Network Medium",
              "display_name": "T1011 - Exfiltration Over Other Network Medium"
            },
            {
              "id": "TA0037",
              "name": "Command and Control",
              "display_name": "TA0037 - Command and Control"
            },
            {
              "id": "T1583.001",
              "name": "Domains",
              "display_name": "T1583.001 - Domains"
            },
            {
              "id": "T1583.005",
              "name": "Botnet",
              "display_name": "T1583.005 - Botnet"
            },
            {
              "id": "T1568.002",
              "name": "Domain Generation Algorithms",
              "display_name": "T1568.002 - Domain Generation Algorithms"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1069.002",
              "name": "Domain Groups",
              "display_name": "T1069.002 - Domain Groups"
            },
            {
              "id": "T1027.002",
              "name": "Software Packing",
              "display_name": "T1027.002 - Software Packing"
            },
            {
              "id": "T1115",
              "name": "Clipboard Data",
              "display_name": "T1115 - Clipboard Data"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 4,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 11102,
            "hostname": 4142,
            "domain": 4251,
            "email": 15,
            "FileHash-SHA256": 3108,
            "FileHash-MD5": 624,
            "FileHash-SHA1": 490,
            "CIDR": 1,
            "SSLCertFingerprint": 3
          },
          "indicator_count": 23736,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 145,
          "modified_text": "138 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "65708e0d95a8c74cc715f7a2",
          "name": "West.cn",
          "description": "",
          "modified": "2023-12-06T15:06:53.350000",
          "created": "2023-12-06T15:06:53.350000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "StreamMiningEx",
            "id": "262917",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 208,
            "domain": 533,
            "hostname": 757,
            "URL": 1861,
            "FileHash-MD5": 1
          },
          "indicator_count": 3360,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 109,
          "modified_text": "907 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "65708c0f5981b6d81d0fa423",
          "name": "data102 and colohouse. Malware hosting",
          "description": "",
          "modified": "2023-12-06T14:58:23.206000",
          "created": "2023-12-06T14:58:23.206000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "StreamMiningEx",
            "id": "262917",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 458,
            "domain": 557,
            "URL": 2599,
            "hostname": 952
          },
          "indicator_count": 4566,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 109,
          "modified_text": "907 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6280398780fbe64692dd54fd",
          "name": "West.cn",
          "description": "If you want to know more about Shockwave Flash, spare a thought for the members of your own storage system:mt.co.g.o.mimeTypes.com, mime",
          "modified": "2022-06-13T00:00:32.864000",
          "created": "2022-05-14T23:21:43.936000",
          "tags": [
            "jquery",
            "date",
            "vue jquery",
            "template",
            "layer",
            "paas",
            "dist",
            "wjf3m",
            "ajax",
            "business",
            "string",
            "number",
            "regexp",
            "copyright",
            "uint8array",
            "fnumber",
            "aw1045757556",
            "closure library",
            "xdfunction",
            "code",
            "ddos",
            "image",
            "script",
            "document",
            "unescape",
            "msie",
            "canvas",
            "domain",
            "click",
            "input",
            "label",
            "jdomname",
            "strong",
            "jactive15toast",
            "jclearinput",
            "case",
            "datatarget",
            "jdomainregcount",
            "span",
            "function",
            "x786e",
            "x53d6",
            "cite",
            "x4fe1",
            "iframe",
            "null",
            "prompt",
            "x6700",
            "x591a",
            "array",
            "numarray",
            "data",
            "midsize",
            "action",
            "keyword",
            "firstfix",
            "object",
            "5n3j",
            "3f4r",
            "5p3s",
            "1f5m",
            "hhe2",
            "bbf2",
            "3y3z",
            "1223",
            "6q6m",
            "zfunction",
            "psettimeout",
            "tsettimeout",
            "hsetinterval",
            "iparseint",
            "hnull",
            "pnull",
            "tnull",
            "lv1s",
            "efunction",
            "typeof t",
            "typeof e",
            "adobeedge",
            "typeof r",
            "webkittransform",
            "moztransform",
            "body",
            "this",
            "notifier",
            "invert",
            "name",
            "param",
            "value",
            "error",
            "false",
            "trigger",
            "restart",
            "form",
            "config",
            "constants",
            "true",
            "modalhelper",
            "relative",
            "fixed",
            "account login",
            "activexobject",
            "haslocation",
            "xmlhttprequest",
            "xmlregexp",
            "temp",
            "extpart",
            "foundation",
            "mit license",
            "write",
            "rhino",
            "mark",
            "import",
            "classnamedom",
            "onbeforedestroy",
            "login",
            "auto",
            "init",
            "typeof b",
            "width",
            "pseudo",
            "child",
            "enulle",
            "class",
            "accept",
            "shockwave flash",
            "new date1e3",
            "ka6e5",
            "la10"
          ],
          "references": [
            "xfe-IP-103.24.249.209-stix2-2.1-export.json",
            "xfe-URL-West.cn-stix2-2.1-export.json",
            "https://m.west.cn/jscripts/baidutj/hm.js",
            "http://m.west.cn/jscripts/baidutj/hm.js",
            "https://www.west.cn/js2016/lib/jquery.SuperSlide/jquery.SuperSlide.2.1.1.x.js",
            "https://www.west.cn/js2016/root/jqinclude.js?t=20211126a",
            "https://www.googletagmanager.com/gtag/js?id=AW-1045757556"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 8,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "adjadex1@gmail.com",
            "id": "187163",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 533,
            "URL": 1861,
            "hostname": 757,
            "FileHash-SHA256": 208,
            "FileHash-MD5": 1
          },
          "indicator_count": 3360,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 69,
          "modified_text": "1449 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "62925b989eba65cefe8c5f88",
          "name": "Mathworks.com (work in progress) extractor is malfunctioning",
          "description": "defineProperty(t,n), Object.prototype, E.S.D, e.CmpApiModel, \"DeepClone\", \"deepClones\" - a description of all the functions in this.",
          "modified": "2022-05-28T17:43:49.055000",
          "created": "2022-05-28T17:27:52.332000",
          "tags": [
            "optin",
            "elqsitevisited",
            "qnew date",
            "rnew date",
            "dlkey",
            "dllookup",
            "image",
            "httponly",
            "typeof e",
            "typeerror",
            "typeof symbol",
            "string",
            "array",
            "date",
            "efunction",
            "sfunction",
            "target",
            "typeof h",
            "typeof t",
            "typeof n",
            "typeof",
            "copyright",
            "event",
            "jquery",
            "typeof u",
            "uspapi",
            "confirmation",
            "matlab",
            "matlab speaks",
            "video",
            "system toolbox",
            "international",
            "learning",
            "computer vision",
            "analytics",
            "toolbox",
            "shell",
            "loans",
            "b0b6c1",
            "send",
            "caced6",
            "qualaroo",
            "thank",
            "ffd700",
            "simulink",
            "blank",
            "pass",
            "undef",
            "false",
            "null",
            "martin",
            "6464",
            "12224",
            "survey",
            "close",
            "tools",
            "python",
            "typeof require",
            "error",
            "modulenotfound",
            "abcdef",
            "typeof visitor",
            "adcloud",
            "typeof alloy"
          ],
          "references": [
            "https://quantcast.mgr.consensu.org/tcfv2/27/cmp2.js?referer=m",
            "https://www.everestjs.net/static/le/last-event-tag-latest.min.js",
            "https://s3.amazonaws.com/ki.js/49559/ahy.js",
            "https://rules.quantcount.com/rules-p-zfNtLVVEHXE-1.js",
            "https://secure.quantserve.com/quant.js",
            "https://quantcast.mgr.consensu.org/tcfv2/27/cmp2.js?referer=mathworks.com",
            "https://img03.en25.com/i/elqCfg.min.js"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 13,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "adjadex1@gmail.com",
            "id": "187163",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 156,
            "hostname": 192,
            "URL": 608,
            "FileHash-SHA256": 22,
            "FileHash-MD5": 2
          },
          "indicator_count": 980,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 67,
          "modified_text": "1464 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6266c416c4598fa139868c64",
          "name": "\u05de\u05e9\u05e8\u05d3 \u05e4\u05e8\u05e1\u05d5\u05dd \u05d5\u05d1\u05e0\u05d9\u05d9\u05ea \u05d0\u05ea\u05e8\u05d9\u05dd | TOPWEB - \u05d8\u05d5\u05e4 \u05d5\u05d5\u05d1- \u05d4\u05d5\u05e4\u05db\u05d9\u05dd \u05e2\u05e1\u05e7\u05d9\u05dd \u05dc\u05de\u05d5\u05ea\u05d2\u05d9\u05dd \u05d1\u05d3\u05d9\u05d2\u05d9\u05d8\u05dc",
          "description": "New RegExp(M) is a new type, and it will change any of the elements to the same type if you want to add them to your HTML page or add a third element.",
          "modified": "2022-05-25T00:04:03.622000",
          "created": "2022-04-25T15:53:58.206000",
          "tags": [
            "init",
            "803911410135716",
            "pageview",
            "date",
            "datalayer",
            "gtmnqnvc6k",
            "copyright",
            "closure library",
            "facebook",
            "google",
            "linkedin",
            "reddit",
            "tumblr",
            "digg",
            "stumbleupon",
            "telegram",
            "whatsapp",
            "email",
            "kfunction",
            "u05deu05dcu05d0",
            "aw363516812",
            "error",
            "promise",
            "inull",
            "webfontconfig",
            "webfont",
            "gc",
            "number",
            "string",
            "uint8array",
            "regexp",
            "xhfunction",
            "yhfunction",
            "host",
            "path",
            "code",
            "topweb",
            "top web",
            "beyond",
            "forex",
            "hackeru",
            "one stop",
            "shop",
            "bgroup",
            "typesubmit",
            "datasecret",
            "shape",
            "html",
            "span",
            "false",
            "scrl",
            "haschildren",
            "zoomindown",
            "show hide",
            "dark",
            "checkbox",
            "back",
            "light",
            "typeof e",
            "formdata",
            "typeof symbol",
            "customevent",
            "post",
            "refill",
            "wpcf7",
            "wpcf7locale",
            "wpcf7unittag",
            "reflect",
            "math",
            "array",
            "object",
            "typeerror",
            "symbol",
            "function",
            "null",
            "title",
            "body",
            "click",
            "lecount",
            "count",
            "typeof define",
            "typeof t",
            "this",
            "close",
            "twitter",
            "open",
            "next",
            "blank",
            "xpercent0",
            "failure",
            "xpercent50",
            "essential grid",
            "blackberry",
            "author",
            "themepunch",
            "android",
            "typeof module",
            "tweenlite",
            "version",
            "onull",
            "updates and",
            "tools",
            "linear",
            "ticker",
            "bounce",
            "alpha",
            "fancybox",
            "plugin",
            "janis skarnelis",
            "100n",
            "right",
            "bottom",
            "left",
            "html tags",
            "ox20trnf",
            "dom element",
            "class",
            "attr",
            "pseudo",
            "child",
            "js foundation",
            "udc66udc67",
            "ud83d",
            "ufe0f",
            "ud83e",
            "udc68udc69",
            "udfcbudfcc",
            "u2640u2642",
            "source",
            "image",
            "ud83dudc6cud83c"
          ],
          "references": [
            "xfe-URL-anyweb.co.il-stix2-2.1-export.json",
            "https://anyweb.co.il/wp-includes/js/wp-emoji-release.min.js?ver=5.7.3",
            "https://anyweb.co.il/wp-includes/js/jquery/jquery.min.js?ver=3.5.1",
            "https://anyweb.co.il/wp-includes/js/jquery/jquery-migrate.min.js?ver=3.3.2",
            "https://anyweb.co.il/wp-content/plugins/essential-grid/public/assets/js/lightbox.js?ver=2.0.9.1",
            "https://anyweb.co.il/wp-content/plugins/essential-grid/public/assets/js/jquery.themepunch.tools.min.js?ver=2.0.9.1",
            "https://anyweb.co.il/wp-content/plugins/essential-grid/public/assets/js/jquery.themepunch.essential.min.js?ver=2.0.9.1",
            "https://anyweb.co.il/wp-content/themes/superfine/assets/js/assets.js?ver=5.7.3",
            "https://anyweb.co.il/wp-content/themes/superfine/assets/js/post-like.min.js?ver=1.0",
            "https://anyweb.co.il/wp-includes/js/dist/vendor/wp-polyfill.min.js?ver=7.4.4",
            "https://anyweb.co.il/wp-content/plugins/contact-form-7/includes/js/index.js?ver=5.4.1",
            "https://anyweb.co.il/wp-content/themes/superfine/assets/js/script.js",
            "https://anyweb.co.il/wp-includes/js/wp-embed.min.js?ver=5.7.3",
            "https://anyweb.co.il/wp-includes/css/dist/block-library/style.min.css?ver=5.7.3",
            "https://topweb.co.il/",
            "https://www.googletagmanager.com/gtm.js?id=GTM-NQNVC6K",
            "https://topweb.co.il/wp-content/plugins/litespeed-cache/assets/js/webfontloader.min.js",
            "https://topweb.co.il/wp-content/litespeed/js/c3a18f91ebd798da3e120a12aec7c615.js?ver=7c615",
            "https://googleads.g.doubleclick.net/pagead/viewthroughconversion/363516812/?random=1650901467024&cv=9&fst=1650901467024&num=1&bg=ffffff&guid=ON&resp=GooglemKTybQhCsO&u_h=844&u_w=390&u_ah=844&u_aw=390&u_cd=32&u_his=1&u_tz=-240&u_java=false&u_nplug=0&u_nmime=0&gtm=2oa4k0&sendb=1&ig=1&data=event%3Dgtag.config&frm=0&url=https%3A%2F%2Ftopweb.co.il%2F&tiba=%D7%9E%D7%A9%D7%A8%D7%93%20%D7%A4%D7%A8%D7%A1%D7%95%D7%9D%20%D7%95%D7%91%D7%A0%D7%99%D7%99%D7%AA%20%D7%90%D7%AA%D7%A8%D7%99%D7%9D%20%7C%20TOPWEB%20-%20%D7%98%D"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Gc",
              "display_name": "Gc",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1176",
              "name": "Browser Extensions",
              "display_name": "T1176 - Browser Extensions"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 5,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "adjadex1@gmail.com",
            "id": "187163",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 1158,
            "FileHash-SHA256": 671,
            "hostname": 304,
            "domain": 329,
            "email": 2
          },
          "indicator_count": 2464,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 70,
          "modified_text": "1468 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "625f3287d722d8d85700b75d",
          "name": "Leaseweb.com - malware hosting",
          "description": "function D(t,e,n), as well as window.com, has been frozen by a single function, as part of a series of \"snoopers' checks\"...",
          "modified": "2022-05-19T00:00:49.028000",
          "created": "2022-04-19T22:07:03.024000",
          "tags": [
            "11px center",
            "html",
            "typetext",
            "typeurl",
            "typeemail",
            "typetel",
            "typenumber",
            "typedate",
            "color",
            "marketo forms",
            "cross domain",
            "null",
            "click",
            "forceclose",
            "lightbox",
            "slideshow",
            "controls",
            "hide",
            "safari",
            "image",
            "mozilla",
            "explorer",
            "entity",
            "linear",
            "date",
            "jquery",
            "iframe",
            "close",
            "loops",
            "class",
            "stretch",
            "false",
            "function",
            "abbb",
            "typeerror",
            "boolean",
            "body",
            "object",
            "array",
            "regexp",
            "bind",
            "error",
            "void",
            "hammer",
            "form",
            "this",
            "views slideshow",
            "zindex1",
            "ajax",
            "href",
            "default",
            "thumb",
            "msgesture",
            "mspointerdown",
            "next",
            "stop",
            "type",
            "index",
            "event",
            "snapabugcbmbtn",
            "chat",
            "hidden",
            "leaf",
            "open",
            "dump",
            "window",
            "win32",
            "footer",
            "front",
            "drupal",
            "command",
            "implement",
            "copyright",
            "route",
            "foundation",
            "thecookie",
            "remove",
            "example",
            "backport",
            "grab",
            "span",
            "import",
            "attr",
            "string",
            "invalid json",
            "domparser",
            "number",
            "script",
            "closure library",
            "symbol",
            "array int8array",
            "caregexp",
            "legacy",
            "boardman",
            "fontface",
            "typeof d",
            "promise",
            "parseint",
            "marketo",
            "rangeerror",
            "uint8array",
            "typeof b",
            "buffer",
            "path",
            "takk",
            "kiitos",
            "buttons};kb(convertedmessage);break;case\"/sys\":var",
            "acum",
            "ufunction",
            "ffunction",
            "gfunction",
            "mchtd",
            "cancel",
            "thank",
            "enter",
            "please",
            "cobrowsing",
            "accept",
            "decline",
            "back",
            "comment",
            "grazie",
            "klik",
            "super",
            "dados",
            "hello",
            "vd",
            "reduceright",
            "trackevent",
            "lead",
            "query",
            "videos",
            "leaseweb",
            "trackpageview",
            "contact",
            "download",
            "metal",
            "code",
            "functional",
            "member",
            "hnew regexp",
            "qfunction",
            "adview",
            "addbillinginfo",
            "addtocart",
            "addtolist",
            "install",
            "cookiebot",
            "iabv2",
            "jsonversion",
            "cookie script",
            "methodstrict",
            "ticket",
            "id attribute",
            "cookiebot setup",
            "cookieconsent",
            "customevent",
            "09af",
            "ver0",
            "tag0",
            "extdata0",
            "ua ch",
            "invalid",
            "iterator",
            "service",
            "phonenumber",
            "facebook",
            "meta",
            "ytconfig",
            "edge",
            "swhealthlog",
            "logsdatabasev2",
            "trident",
            "android",
            "infinity",
            "pnull",
            "style",
            "ctnull",
            "post",
            "uint32array",
            "fanull",
            "license",
            "ynull",
            "config"
          ],
          "references": [
            "https://consent.cookiebot.com/1e27dadb-e278-4c02-aa4f-43f9222c4fbb/cc.js?renew=false&referer=www.leaseweb.com&culture=en&dnt=false",
            "https://j.clarity.ms/s/0.6.34/clarity.js",
            "https://www.google-analytics.com/plugins/ua/linkid.js",
            "https://www.youtube.com/s/player/19eb72e4/www-widgetapi.vflset/www-widgetapi.js",
            "https://www.youtube.com/iframe_api",
            "https://connect.facebook.net/signals/config/399164440484826?v=2.9.57&r=stable",
            "https://bat.bing.com/bat.js",
            "https://consent.cookiebot.com/uc.js?cbid=1e27dadb-e278-4c02-aa4f-43f9222c4fbb&culture=en",
            "https://snap.licdn.com/li.lms-analytics/insight.min.js",
            "https://www.googletagmanager.com/gtm.js?id=GTM-NWPHSS",
            "https://storage.googleapis.com/snapengage-eu/js/e9219576-8f74-40b5-8b6f-bbad33f6ca57.js",
            "https://munchkin.marketo.net/161/munchkin.js",
            "https://app-lon04.marketo.com/js/forms2/js/forms2.min.js",
            "https://munchkin.marketo.net/munchkin.js",
            "https://www.leaseweb.com/sites/all/modules/custom/lsw_marketo/js/lsw_marketo_forms.js",
            "https://use.fortawesome.com/03018d9d.js",
            "https://googleads.g.doubleclick.net/pagead/viewthroughconversion/1001847692/?random=1650405011980&cv=9&fst=1650405011980&num=1&bg=ffffff&guid=ON&resp=GooglemKTybQhCsO&eid=376635471&u_h=844&u_w=390&u_ah=844&u_aw=390&u_cd=32&u_his=1&u_tz=-240&u_java=false&u_nplug=0&u_nmime=0&gtm=2wg4i1&sendb=1&ig=1&frm=0&url=https%3A%2F%2Fwww.leaseweb.com%2F&tiba=Leaseweb%20%7C%20Global%20Hosted%20Infrastructure%20(IaaS)%20and%20Cloud%20Solutions&hn=www.googleadservices.com&async=1&rfmt=3&fmt=4",
            "https://googleads.g.doubleclick.net/pagead/viewthroughconversion/952389962/?random=1650405011982&cv=9&fst=1650405011982&num=1&bg=ffffff&guid=ON&resp=GooglemKTybQhCsO&eid=376635471&u_h=844&u_w=390&u_ah=844&u_aw=390&u_cd=32&u_his=1&u_tz=-240&u_java=false&u_nplug=0&u_nmime=0&gtm=2wg4i1&sendb=1&ig=1&frm=0&url=https%3A%2F%2Fwww.leaseweb.com%2F&tiba=Leaseweb%20%7C%20Global%20Hosted%20Infrastructure%20(IaaS)%20and%20Cloud%20Solutions&hn=www.googleadservices.com&async=1&rfmt=3&fmt=4",
            "https://eu.snapengage.com/chatjs/ServiceGetConfig?w=e9219576-8f74-40b5-8b6f-bbad33f6ca57",
            "https://eu.snapengage.com/chatjs/servicegetproactivegeodata?w=e9219576-8f74-40b5-8b6f-bbad33f6ca57",
            "https://bat.bing.com/p/action/5602105.js",
            "https://eu.snapengage.com/chatjs/servicegetallavailableagents?w=e9219576-8f74-40b5-8b6f-bbad33f6ca57&t=1",
            "https://www.googleadservices.com/pagead/conversion_async.js",
            "https://www.leaseweb.com/sites/default/files/js/js_kwxcSFD2Y0_BPtdJClYUy5H8THI_5EycUmIgIGWaGYs.js",
            "https://www.leaseweb.com/sites/default/files/js/js_wcSNEXVJ4Xjhkf8qhMguEPZJTDTMNmPaJM-YWdAOhQE.js",
            "https://www.leaseweb.com/sites/default/files/js/js_kI_QwKJlaBz9CzQdENdUBFiEl4aehfjf4_-9taiwcCE.js",
            "https://www.leaseweb.com/sites/default/files/js/js_zoLA7TweXam0kYiqJrXepqBWmyDoP1sLSlHoZcveFnY.js",
            "https://www.leaseweb.com/sites/default/files/js/js_6FowaFXT9bT78hf9earPdGcdTmvsFiaBzKgFl9P4fSo.js",
            "https://www.leaseweb.com/sites/default/files/js/js_6lTJ_m6ahwXas7Efbw8ZYEMSaecrGw8ilNALfvIPNUw.js",
            "https://analytics.twitter.com/i/adsct?type=javascript&version=2.0.4&p_id=Twitter&p_user_id=0&txn_id=nxsfu&events=%5B%5B%22pageview%22%2Cnull%5D%5D&tw_sale_amount=0&tw_order_quantity=0&tw_iframe_status=0&event_id=511b6f48-2639-478c-a251-b09fcbae76e7&tw_document_href=https%3A%2F%2Fwww.leaseweb.com%2F&tpx_cb=twttr.conversion.loadPixels",
            "https://bid.g.doubleclick.net/xbbe/pixel?d=KAE",
            "https://consentcdn.cookiebot.com/sdk/bc-v4.min.html",
            "https://app-lon04.marketo.com/index.php/form/XDFrame",
            "https://app-lon04.marketo.com/js/forms2/css/forms2-theme-plain.css",
            "https://www.leaseweb.com/sites/default/files/css/css_47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU.css",
            "https://www.leaseweb.com/sites/default/files/css/css_7CYF9En6DNp6AojfSKnT8USKR3GvzPwznmTqLTKT9VM.css"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Tunisia"
          ],
          "malware_families": [
            {
              "id": "Ajax",
              "display_name": "Ajax",
              "target": null
            },
            {
              "id": "Kiitos",
              "display_name": "Kiitos",
              "target": null
            },
            {
              "id": "Takk",
              "display_name": "Takk",
              "target": null
            },
            {
              "id": "Acum",
              "display_name": "Acum",
              "target": null
            },
            {
              "id": "buttons};kb(convertedMessage);break;case\"/SYS\":var",
              "display_name": "buttons};kb(convertedMessage);break;case\"/SYS\":var",
              "target": null
            },
            {
              "id": "Vd",
              "display_name": "Vd",
              "target": null
            },
            {
              "id": "ReduceRight",
              "display_name": "ReduceRight",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1176",
              "name": "Browser Extensions",
              "display_name": "T1176 - Browser Extensions"
            },
            {
              "id": "T1490",
              "name": "Inhibit System Recovery",
              "display_name": "T1490 - Inhibit System Recovery"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 4,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "adjadex1@gmail.com",
            "id": "187163",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 648,
            "domain": 469,
            "URL": 2037,
            "FileHash-SHA256": 705,
            "email": 7
          },
          "indicator_count": 3866,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 68,
          "modified_text": "1474 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "625f42dcc369f59f6a1e8b58",
          "name": "data102 and colohouse. Malware hosting",
          "description": "var a,b,c,d, f.substr(d),a=f, a.href, and a number of other elements:a.b.search.com.",
          "modified": "2022-05-19T00:00:49.028000",
          "created": "2022-04-19T23:16:44.418000",
          "tags": [
            "regexp",
            "rangeerror",
            "typeerror",
            "date",
            "array",
            "error",
            "this",
            "uint8array",
            "typeof b",
            "buffer",
            "class",
            "null",
            "path",
            "void",
            "marketo forms",
            "cross domain",
            "typetext",
            "typeurl",
            "typeemail",
            "typetel",
            "typenumber",
            "typedate",
            "color",
            "label",
            "input",
            "typerange",
            "typecheckbox",
            "woff2",
            "fontface",
            "u1c801c88",
            "u20b4",
            "u2de02dff",
            "ua640a69f",
            "ufe2efe2f",
            "u04b004b1",
            "u2116",
            "u1ea01ef9",
            "franklin",
            "woff",
            "u20ab",
            "u0259",
            "u1e001eff",
            "u2020",
            "u20a020ab",
            "u20ad20cf",
            "gradienttype0",
            "webkitkeyframes",
            "span",
            "button",
            "tbody",
            "textarea",
            "helvetica neue",
            "tfoot",
            "body",
            "alpha",
            "twitter",
            "roboto",
            "pitch",
            "datasecret",
            "q1kg",
            "q17g",
            "d2dg",
            "c d3r",
            "q171zg",
            "e c2ttttb",
            "c g7",
            "6n184z",
            "6f6g",
            "typeof",
            "wpcf7redirect",
            "cf7mlscurrentfs",
            "handle fire",
            "popuptemplate",
            "templatename",
            "click",
            "fieldset",
            "cf7mlsbackfs",
            "section",
            "classwidget",
            "idmenu",
            "idfooter",
            "idwidget",
            "idcomment",
            "classmenu",
            "classfooter",
            "classcomment",
            "target",
            "blank",
            "typeof e",
            "formdata",
            "typeof symbol",
            "customevent",
            "post",
            "refill",
            "wpcf7",
            "wpcf7locale",
            "wpcf7unittag",
            "typeof wpcf7",
            "boolean",
            "modernizr",
            "custom build",
            "build",
            "afunction",
            "cfunction",
            "object",
            "documenttouch",
            "websocket",
            "symbol",
            "generator",
            "function",
            "select",
            "harvest",
            "mit license",
            "optgroup",
            "nnn n",
            "n nnnn",
            "explorer",
            "options",
            "abbr",
            "element",
            "unknownerror",
            "overquerylimit",
            "requestdenied",
            "zeroresults",
            "node",
            "edge",
            "android",
            "trident",
            "unknown",
            "false",
            "iframe",
            "marker",
            "hybrid",
            "tawkspinner",
            "failed",
            "resend",
            "tawkavatar",
            "tawkvideo",
            "tawkalert",
            "tawkemoji",
            "tawkicon",
            "enter",
            "number",
            "startchatbutton",
            "u26a1",
            "typeof t",
            "invalid attempt",
            "copyright",
            "marketo",
            "remove",
            "commentform",
            "author",
            "mouseenter",
            "secure",
            "ccpa",
            "bottom",
            "fixed",
            "widget",
            "embed",
            "trigger",
            "antispam",
            "please",
            "cleantalk",
            "typeof o",
            "ajaxnonce",
            "unkown",
            "apbctajaxerror",
            "typeof define",
            "typeof module",
            "html tags",
            "ox20trnf",
            "dom element",
            "attr",
            "pseudo",
            "child",
            "udc66udc67",
            "ud83d",
            "ufe0f",
            "ud83e",
            "udc68udc69",
            "udfcbudfcc",
            "u2640u2642",
            "source",
            "image",
            "ud83dudc6cud83c",
            "qe",
            "string",
            "xhfunction",
            "yhfunction",
            "gtmptxlxz4",
            "host",
            "code",
            "script",
            "promise",
            "complete",
            "reduceright",
            "g7be8pmlskx",
            "r300",
            "typeof d",
            "caca",
            "ufunction",
            "ffunction",
            "gfunction",
            "mchtd",
            "azaz",
            "firefox",
            "opera",
            "chrome",
            "iemobile",
            "black",
            "incorrect",
            "xfunction",
            "typeof p",
            "typeof btoa",
            "vnode",
            "colohouse",
            "york",
            "learn more",
            "data center",
            "miami",
            "e cermak",
            "springs",
            "read",
            "cloud",
            "managed",
            "fast",
            "philadelphia",
            "bare",
            "metal",
            "chat",
            "accept",
            "placeheld",
            "minimum",
            "tooshort",
            "wpcf7wfreetext",
            "alert",
            "invert",
            "form",
            "animation",
            "value",
            "foundation",
            "migrate",
            "backcompat",
            "quirks mode",
            "typeof f",
            "html",
            "sufeffxa0",
            "legacy",
            "contenttype",
            "wivobjkey",
            "typehit",
            "data",
            "closure library",
            "pfunction",
            "zfunction",
            "bfunction",
            "mvoid",
            "ofunction"
          ],
          "references": [
            "xfe-URL-Data102.com-stix2-2.1-export.json",
            "https://www.google-analytics.com/analytics.js",
            "https://chimpstatic.com/mcjs-connected/js/users/6c3abfa7ff8634c75cdb2b22e/ddf7a436c1746be666f330e4a.js",
            "https://app.whoisvisiting.com/who.js",
            "https://www.data102.com/wp-includes/js/jquery/jquery.js?ver=1.12.4-wp",
            "https://www.data102.com/wp-includes/js/jquery/jquery-migrate.min.js?ver=1.4.1",
            "https://www.data102.com/?wordfence_lh=1&hid=2D6A812A7EB197E80D5A3978A6386BE4&r=0.5029022326538093",
            "https://www.data102.com/wp-includes/js/wp-embed.min.js?ver=00b0ffc433836dcf9f57035fded0b908",
            "https://www.data102.com/wp-content/plugins/cta/shared//shortcodes/js/spin.min.js",
            "https://www.data102.com/wp-content/plugins/contact-form-7/includes/js/scripts.js",
            "https://colohouse.com/",
            "xfe-URL-colohouse.com-stix2-2.1-export.json",
            "https://embed.tawk.to/_s/v4/app/625d36b405c/js/twk-main.js",
            "https://embed.tawk.to/_s/v4/app/625d36b405c/js/twk-vendor.js",
            "https://embed.tawk.to/_s/v4/app/625d36b405c/js/twk-chunk-vendors.js",
            "https://embed.tawk.to/_s/v4/app/625d36b405c/js/twk-chunk-common.js",
            "https://embed.tawk.to/_s/v4/app/625d36b405c/js/twk-runtime.js",
            "https://embed.tawk.to/_s/v4/app/625d36b405c/js/twk-app.js",
            "https://munchkin.marketo.net/161/munchkin.js",
            "https://www.googletagmanager.com/gtag/js?id=G-7BE8PMLSKX&l=dataLayer&cx=c",
            "https://embed.tawk.to/5697c34527b9b5d40b66960f/default",
            "https://www.googletagmanager.com/gtm.js?id=GTM-PTXLXZ4",
            "https://colohouse.com/wp-includes/js/wp-emoji-release.min.js?ver=5.8",
            "https://colohouse.com/wp-includes/js/jquery/jquery.min.js?ver=3.6.0",
            "https://colohouse.com/wp-includes/js/jquery/jquery-migrate.min.js?ver=3.3.2",
            "https://colohouse.com/wp-content/plugins/cleantalk-spam-protect/js/apbct-public--functions.min.js?ver=5.173",
            "https://colohouse.com/wp-content/plugins/cleantalk-spam-protect/js/apbct-public.min.js?ver=5.173",
            "https://colohouse.com/wp-content/plugins/cleantalk-spam-protect/js/cleantalk-modal.min.js?ver=5.173",
            "https://colohouse.com/wp-content/plugins/cookie-law-info/public/js/cookie-law-info-public.js?ver=2.0.4",
            "https://colohouse.com/wp-content/plugins/stop-user-enumeration/frontend/js/frontend.js?ver=1.3.31",
            "https://colohouse.com/wp-content/plugins/duracelltomi-google-tag-manager/js/gtm4wp-form-move-tracker.js?ver=1.13.1",
            "https://munchkin.marketo.net/munchkin.js",
            "https://embed.tawk.to/_s/v4/app/625d36b405c/js/twk-chunk-2d0d2b7c.js",
            "https://embed.tawk.to/_s/v4/app/625d36b405c/js/twk-chunk-32507910.js",
            "https://embed.tawk.to/_s/v4/app/625d36b405c/js/twk-chunk-f163fcd0.js",
            "https://embed.tawk.to/_s/v4/app/625d36b405c/js/twk-chunk-2d0b9454.js",
            "https://embed.tawk.to/_s/v4/app/625d36b405c/js/twk-chunk-4fe9d5dd.js",
            "https://app-ab02.marketo.com/js/forms2/js/forms2.min.js",
            "https://maps.googleapis.com/maps/api/js?v=3.exp&key=AIzaSyDR76rjQL_2raonHiZ6ZrPqJr-FPb7pGH0",
            "https://colohouse.com/wp-content/themes/Netrouting/assets/chosen/chosen.jquery.min.js",
            "https://colohouse.com/wp-includes/js/dist/vendor/regenerator-runtime.min.js?ver=0.13.7",
            "https://colohouse.com/wp-content/themes/Netrouting/js/vendor/modernizr-2.8.3-respond-1.4.2.min.js",
            "https://colohouse.com/wp-content/plugins/contact-form-7/includes/js/index.js?ver=5.4.2",
            "https://colohouse.com/wp-content/plugins/link-whisper-premium/js/frontend.js?ver=1632756485",
            "https://colohouse.com/wp-content/plugins/wpcf7-redirect/build/js/wpcf7-redirect-frontend-script.js?ver=1.1",
            "https://colohouse.com/wp-content/plugins/kingcomposer/assets/frontend/js/kingcomposer.min.js?ver=2.9.6",
            "https://colohouse.com/wp-includes/js/wp-embed.min.js?ver=5.8",
            "https://colohouse.com/wp-content/plugins/wp-schema-pro/admin/assets/min-js/frontend.min.js?ver=2.7.2",
            "https://colohouse.com/wp-content/cache/autoptimize/css/autoptimize_5e11636f7dd8fb4f55e0ff84f0ed5faa.css",
            "https://fonts.googleapis.com/css?family=Libre+Franklin%3A300%2C300i%2C400%2C400i%2C600%2C600i%2C800%2C800i&subset=latin%2Clatin-ext",
            "https://fonts.googleapis.com/css?family=Roboto%3A100%2C100italic%2C300%2C300italic%2Cregular%2Citalic%2C500%2C500italic%2C700%2C700italic%2C900%2C900italic&subset=greek%2Clatin%2Cvietnamese%2Clatin-ext%2Ccyrillic%2Ccyrillic-ext%2Cgreek-ext&ver=2.9.6",
            "https://app-ab02.marketo.com/js/forms2/css/forms2.css",
            "https://app-ab02.marketo.com/js/forms2/css/forms2-theme-simple.css",
            "https://app-ab02.marketo.com/index.php/form/XDFrame"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Qe",
              "display_name": "Qe",
              "target": null
            },
            {
              "id": "ReduceRight",
              "display_name": "ReduceRight",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1049",
              "name": "System Network Connections Discovery",
              "display_name": "T1049 - System Network Connections Discovery"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 3,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "adjadex1@gmail.com",
            "id": "187163",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 2599,
            "hostname": 952,
            "FileHash-SHA256": 458,
            "domain": 557
          },
          "indicator_count": 4566,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 69,
          "modified_text": "1474 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "62549aabb033e7afc5069f98",
          "name": "Malware - victim=fr",
          "description": "Mme, Mlle,   M. Compte, yn \u00f4l \u00a31.5m (\u20ac2.4m; \u20ac1m)",
          "modified": "2022-05-11T21:04:45.103000",
          "created": "2022-04-11T21:16:27.786000",
          "tags": [
            "freebox",
            "free",
            "mois pendant",
            "sabonner voir",
            "fibre free",
            "la fibre",
            "votre",
            "wifi",
            "freebox en",
            "offre",
            "delta",
            "face",
            "prix",
            "date",
            "this",
            "typeof e",
            "true",
            "function",
            "left",
            "bottom",
            "html",
            "nullt",
            "false",
            "next",
            "february",
            "april",
            "june",
            "august",
            "atom",
            "cookie",
            "close",
            "null",
            "back",
            "bounce",
            "kolab",
            "target",
            "object",
            "tcfuiservice",
            "reflect",
            "typeof proxy",
            "boolean",
            "agree",
            "disagree",
            "select",
            "save",
            "learn",
            "click",
            "gnu gpl",
            "copyright",
            "javascript code",
            "license",
            "extwin1",
            "framed1",
            "roundcube",
            "webmail client",
            "script",
            "team",
            "format",
            "regexp",
            "software",
            "error",
            "pseudo",
            "child",
            "the software",
            "sufeffxa0",
            "class",
            "attr",
            "javascript",
            "express",
            "nous",
            "didomi",
            "typeof t",
            "hmuvfyyh",
            "sekindo",
            "lkqd",
            "aol cdn",
            "ffffff",
            "montserrat",
            "adsl",
            "offres adsl",
            "internet",
            "t\u00e9l\u00e9phone",
            "t\u00e9l\u00e9phonie",
            "mobiles",
            "forfaits mobiles",
            "tv",
            "t\u00e9l\u00e9vision",
            "vod",
            "vid\u00e9o \u00e0 la demande",
            "multiposte",
            "radio",
            "routeur",
            "freeplayer",
            "multiplay",
            "d\u00e9groupage",
            "total",
            "partiel",
            "e-mail",
            "mail",
            "m\u00e9l",
            "fournisseur d'acc\u00e8s",
            "i.s.p.",
            "isp",
            "internaute",
            "internautes",
            "france",
            "fran\u00e7ais",
            "zimbra",
            "le webmail",
            "free fait",
            "webmail imp",
            "cela n",
            "webmail zimbra",
            "stockage",
            "pour migrer",
            "accder",
            "testteltext",
            "sans",
            "testziptext",
            "testziptext i",
            "testteltext i",
            "typenumber",
            "screenh",
            "tvbycanal",
            "tvbycanal147",
            "tvbycanal204",
            "tvbycanal83",
            "tvbycanal80",
            "tvbycanal34",
            "4000",
            "typeof console",
            "console",
            "nullc",
            "nulld",
            "customevent",
            "msanimationend",
            "typeof n",
            "typeof r",
            "x20trnf",
            "width",
            "accept",
            "json",
            "moz o",
            "custom build",
            "https",
            "xmlhttprequest",
            "typeof module",
            "webkit",
            "android",
            "flash",
            "span",
            "un espace",
            "phpmysql",
            "helvetica"
          ],
          "references": [
            "xfe-IP-212.27.63.109-stix2-2.1-export.json",
            "http://pageperso.free.fr/im/css/free.css",
            "http://passback.free.fr/pub/pp_300x250.html",
            "https://subscribe.free.fr/accesgratuit/index.html",
            "https://subscribe.free.fr/assets/js/vendor/modernizr.custom.js",
            "https://subscribe.free.fr/assets/js/vendor/jquery-1.9.1.min.js",
            "https://subscribe.free.fr/assets/js/plugins.min.js",
            "https://subscribe.free.fr/assets/js/vendor/wow.min.js",
            "https://subscribe.free.fr/assets/js/main.min.js",
            "https://subscribe.free.fr/assets/css/accesgratuit.min.css",
            "https://subscribe.free.fr/assets/css/app2.min.css",
            "https://webmail.free.fr/",
            "https://sdk.privacy-center.org/87df2f8d-232a-4617-8efc-3764b3bbd0c0/loader.js?target=webmail.free.fr",
            "https://webmail.free.fr/program/js/jquery.min.js?s=1510166541",
            "https://webmail.free.fr/program/js/app.min.js?s=1510166525",
            "https://sdk.privacy-center.org/ui-gdpr-en.a96c69ed0cb8f37a2deea6c49dd453517875ac60.js",
            "https://webmail.free.fr/plugins/jqueryui/js/jquery-ui.min.js?s=1510166524",
            "https://www.free.fr/freebox/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 4,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "adjadex1@gmail.com",
            "id": "187163",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 1078,
            "URL": 2104,
            "domain": 290,
            "FileHash-SHA256": 117,
            "FileHash-MD5": 4,
            "FileHash-SHA1": 2
          },
          "indicator_count": 3595,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 68,
          "modified_text": "1481 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "625088e80292028d4e82311c",
          "name": "Botnet-malware -lgmhgjm.com",
          "description": "The full list of names and names of people who have taken part in the 2016 Olympics and Paralympics in Rio de Janeiro, Brazil, as part of the Rio Games, and as well as the 2017 Olympics in Brazil.",
          "modified": "2022-05-08T00:03:14.586000",
          "created": "2022-04-08T19:11:36.165000",
          "tags": [
            "function",
            "param",
            "object",
            "return",
            "webpackrequire",
            "constructor",
            "clipboard",
            "typeof",
            "symbol",
            "typeerror",
            "error",
            "click",
            "null",
            "copy",
            "factory",
            "super",
            "date",
            "target",
            "mustflag",
            "html",
            "applewebkit",
            "ipad",
            "mqqbrowser",
            "base",
            "trident",
            "presto",
            "gecko",
            "khtml",
            "ios android",
            "android",
            "array",
            "2f2f2i2i0f",
            "eh0g",
            "exptable",
            "logtable",
            "typeof h",
            "typeof e",
            "regexp",
            "typeof n",
            "typeof t",
            "width",
            "typeof r",
            "pseudo",
            "class",
            "this",
            "accept",
            "false",
            "https",
            "zeno rocha",
            "typeof define",
            "select",
            "input",
            "textarea",
            "0x455d",
            "0x34260b",
            "0x4ce9d1",
            "avge",
            "tung",
            "3ctz",
            "n33m",
            "0x514351",
            "hn4d",
            "0x70c2f4",
            "push",
            "shift",
            "baidu",
            "instanceof",
            "adjust",
            "body",
            "nulli",
            "windowi",
            "typeof jquery",
            "tthis",
            "mspointerdown",
            "child",
            "sfunction",
            "microsoft yahei",
            "arial",
            "x20trnf",
            "version",
            "swiper",
            "most",
            "copyright",
            "mit license",
            "october",
            "win32",
            "meta",
            "parsefloat",
            "androidgi",
            "iphonegi",
            "\u77ed\u89c6\u9891",
            "\u641e\u7b11\u89c6\u9891",
            "\u89c6\u9891\u5206\u4eab",
            "\u514d\u8d39\u89c6\u9891",
            "\u5728\u7ebf\u89c6\u9891",
            "\u9884\u544a\u7247",
            "wifi",
            "saol",
            "fc2ppv12518005",
            "oretd633riana01",
            "hodv sex",
            "orec37502",
            "06inn01",
            "siro2661ol2401",
            "garea742kou01",
            "175cm9av",
            "attr",
            "typeof symbol",
            "root",
            "length",
            "indexof",
            "x0ax20x20x20x20",
            "location",
            "math",
            "0x10",
            "0x18",
            "history",
            "config",
            "slice",
            "cookie",
            "open",
            "onload",
            "adunit",
            "refresh",
            "style",
            "position",
            "creativetplid",
            "show",
            "tcmod",
            "tcheight",
            "height",
            "yahei",
            "truetype",
            "f8f8f8",
            "typeof module",
            "reserved",
            "18hdxxxx\u4e2d\u56fd",
            "\u5973\u4e3b\u7a7f\u8d8a\u88ab\u8089\u6765\u8089\u53bbnp",
            "\u7537\u753718\u7981\u6c61\u8089\u56fe\u65e0\u7801",
            "\u65e0\u7801\u4e9a\u6d32\u6210a\u4eba\u7247\u5728\u7ebf\u89c2\u770b",
            "ore572s04",
            "ore572s03",
            "ore572s02",
            "ore572s01",
            "fc2ppv117430501",
            "cmi1513707",
            "cmi1513706",
            "cmi1513705",
            "cmi1513704",
            "cmi1513703",
            "\u514d\u8d39\u89c6\u9891\u7231\u7231\u592a\u723d\u4e86\u7f51\u7ad9_\u8001\u8272\u9b3c\u5728\u7ebf\u7cbe\u54c1\u89c6\u9891\u5728\u7ebf\u89c2\u770b_\u767d\u6d01\u4e00\u591c\u88ab\u723d\u4e86\u4e03\u6b21_\u5fd8\u4e86\u6234\u80f8\u7f69\u88ab\u540c\u5b66\u6478\u4e86\u4e00\u8282\u8bfe",
            "viewport"
          ],
          "references": [
            "xfe-URL-lgmhgjm.com-stix2-2.0-export.json",
            "http://www.lgmhgjm.com/common.js",
            "http://www.lgmhgjm.com/tj.js",
            "http://www.sp385.com/",
            "http://avtv10.com",
            "http://9766.tv",
            "https://xc.6xc.tv/?channelCode=xiaosu03_8",
            "https://app.okoockec.xyz:8443/apps/v2/index1/0c1d6cd4e9634a3d?m=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoiZzByUjNpMUczaEt0Sk5sZmVNSE44NEhjVDlDOVFTM2xEcm5pM1dIWG9UM1FBSklpR1phN01teTZOcjFxVVJIWVlhZnJPQkE9IiwiZXhwIjoxNjQ5NDQ0NDcyfQ.utSNnRI7C9FuWMUxhY4cufCJBIuHUk5vdk8Dj6WnXYs",
            "https://xc.6xc.tv/js/jquery-3.6.0.min.js",
            "https://xc.6xc.tv/css/index.css",
            "https://xctg07.cc/?channelCode=xiaosu03_8",
            "https://ad.abilm.info/bid?url=http%3A%2F%2Fkniveb.info%2F&frm=0&ref=http%3A%2F%2Fwww.sp385.com%2F&ic=1&pl=0&ml=0&sid=105:80:104:111:110:101:58:50:53:48:50:50:51:49:53:54:58:51:58:51:57:48:46:56:52:52&ps=20030107&lgs=0&zo=240&ws=390x844&gdm=0&iw=1&cpn=0&fid=5d80d32079e9fdb035e4886c32c6612e&hl=2&ihn=0&md=1&ns=undefined&np=undefined&pj=0&top=650&left=0&id=47&rid=ec5a07ef8f3e3f2c25ba75c7da106dcc&dcc=&dcl=&gvd=Apple%20Inc.&grr=Apple%20GPU&ct=unknown&diit=&dit=&cmn=",
            "http://sdk.51.la/js-sdk-pro.min.js",
            "http://sdk.51.la/event/js-sdk-event.min.js?u=JYWHYgTN1B6iZ5P2",
            "http://kniveb.info/template/9c/ads/gonggao.js",
            "http://kniveb.info/",
            "https://koban360.com/ky/?shareName=1736.com",
            "https://koban360.com/ky/js/flexible.js",
            "https://koban360.com/ky/js/swiper.min.js",
            "https://koban360.com/ky/js/jquery.min.js",
            "https://koban360.com/ky/css/m.css?vs=1.7",
            "https://libs.baidu.com/jquery/2.0.0/jquery.min.js",
            "https://xbt.0lunwen.com/3/js/flexible.js",
            "https://xbt.0lunwen.com/boinstall.js",
            "https://miaouuuc.com/?channelCode=852890&aid=852890",
            "https://miaouuuc.com/template/static/js/clipborad.min.js",
            "https://am96.vip/",
            "https://unpkg.com/jquery-1.10.2@1.10.2/jquery-1.10.2.min.js",
            "https://unpkg.com/jquery.qrcode@1.0.3/jquery.qrcode.min.js",
            "https://www.gootft.com/js/app.base.js;jsessionid=20F7490B81FBD25B0DE24EE1076D230D",
            "https://www.gootft.com/js/poplayer.js;jsessionid=20F7490B81FBD25B0DE24EE1076D230D",
            "https://unpkg.com/clipboard@2.0.8/dist/clipboard.js"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 3,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "adjadex1@gmail.com",
            "id": "187163",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 482,
            "URL": 1383,
            "FileHash-SHA256": 104,
            "domain": 199,
            "FileHash-MD5": 2,
            "FileHash-SHA1": 1
          },
          "indicator_count": 2171,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 69,
          "modified_text": "1485 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6249a9e497137f9627e5a794",
          "name": "\u7f8e\u9ad8\u6885\u2014botnet",
          "description": "At.ts.t, At.com, is the new version of HTML, which can now be viewed in full on Google's web browser and on Apple's mobile app for the first time.",
          "modified": "2022-04-03T14:09:48.093000",
          "created": "2022-04-03T14:06:28.503000",
          "tags": [
            "event",
            "null",
            "promise",
            "html",
            "width",
            "hasclass",
            "loadx20error",
            "ajaxcomplete",
            "unique",
            "609237fvvpkt",
            "push",
            "first",
            "open",
            "checkbox",
            "trigger",
            "jquery",
            "write",
            "blackberry",
            "android",
            "androidos",
            "firefox",
            "chrome",
            "skyfire",
            "opera",
            "opera mobi",
            "dolfin",
            "kindle",
            "0x1d9131",
            "0x180bcc",
            "0x4b6177",
            "0x13f349",
            "0x3bcb54",
            "0xbbe80d",
            "0x57b7de",
            "0x2ea74e",
            "0x4fb0f2",
            "0x25f113",
            "window",
            "shift",
            "date",
            "canvas",
            "tencent",
            "barrio",
            "slice",
            "regexp",
            "function",
            "typeof b",
            "error",
            "pseudo",
            "child",
            "array",
            "sufeffxa0",
            "class",
            "accept",
            "testflight",
            "typeof e",
            "typeof n",
            "typeof t",
            "typeof r",
            "x20trnf",
            "this"
          ],
          "references": [
            "http://slulutz02.com/",
            "https://mgttse001.vip/static/js/jquery.js",
            "https://mgttse001.vip/template/m1938pc/pic/hf1",
            "https://m2855.com:35003/",
            "https://m9277.com/tsnew-download/index.html",
            "https://www.7631.app:8755/js/jquery-1.11.3.min.js",
            "https://www.7631.app:8755/js/xinstall_inner_e.min.js?v=1004",
            "https://www.7631.app:8755/js/mobile-detect.min.js?v=1004",
            "https://m9277.com/tsnew-download/js/jquery.min.js"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 3,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "adjadex1@gmail.com",
            "id": "187163",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 1048,
            "domain": 132,
            "hostname": 311
          },
          "indicator_count": 1491,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 68,
          "modified_text": "1519 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6249a9e3fcaee2fb956ffacc",
          "name": "\u7f8e\u9ad8\u6885\u2014botnet",
          "description": "At.ts.t, At.com, is the new version of HTML, which can now be viewed in full on Google's web browser and on Apple's mobile app for the first time.",
          "modified": "2022-04-03T14:06:27.271000",
          "created": "2022-04-03T14:06:27.271000",
          "tags": [
            "event",
            "null",
            "promise",
            "html",
            "width",
            "hasclass",
            "loadx20error",
            "ajaxcomplete",
            "unique",
            "609237fvvpkt",
            "push",
            "first",
            "open",
            "checkbox",
            "trigger",
            "jquery",
            "write",
            "blackberry",
            "android",
            "androidos",
            "firefox",
            "chrome",
            "skyfire",
            "opera",
            "opera mobi",
            "dolfin",
            "kindle",
            "0x1d9131",
            "0x180bcc",
            "0x4b6177",
            "0x13f349",
            "0x3bcb54",
            "0xbbe80d",
            "0x57b7de",
            "0x2ea74e",
            "0x4fb0f2",
            "0x25f113",
            "window",
            "shift",
            "date",
            "canvas",
            "tencent",
            "barrio",
            "slice",
            "regexp",
            "function",
            "typeof b",
            "error",
            "pseudo",
            "child",
            "array",
            "sufeffxa0",
            "class",
            "accept",
            "testflight",
            "typeof e",
            "typeof n",
            "typeof t",
            "typeof r",
            "x20trnf",
            "this"
          ],
          "references": [
            "http://slulutz02.com/",
            "https://mgttse001.vip/static/js/jquery.js",
            "https://mgttse001.vip/template/m1938pc/pic/hf1",
            "https://m2855.com:35003/",
            "https://m9277.com/tsnew-download/index.html",
            "https://www.7631.app:8755/js/jquery-1.11.3.min.js",
            "https://www.7631.app:8755/js/xinstall_inner_e.min.js?v=1004",
            "https://www.7631.app:8755/js/mobile-detect.min.js?v=1004",
            "https://m9277.com/tsnew-download/js/jquery.min.js"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 3,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "adjadex1@gmail.com",
            "id": "187163",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 1047,
            "domain": 132,
            "hostname": 311
          },
          "indicator_count": 1490,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 68,
          "modified_text": "1519 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "621ff16c60a508e18bbeeb9e",
          "name": "Webb County, TX",
          "description": "",
          "modified": "2022-03-02T22:36:28.218000",
          "created": "2022-03-02T22:36:28.218000",
          "tags": [],
          "references": [
            "Webb County, TX 3.pdf",
            "Webb County, TX 1 .pdf",
            "Webb County, TX 2.pdf",
            "Webb County, TX 5 pdf"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 5,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Kailula4",
            "id": "131997",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 364,
            "URL": 913,
            "domain": 104,
            "FileHash-SHA256": 126
          },
          "indicator_count": 1507,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 405,
          "modified_text": "1551 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://www.leaseweb.com/sites/default/files/js/js_zoLA7TweXam0kYiqJrXepqBWmyDoP1sLSlHoZcveFnY.js",
        "https://embed.tawk.to/_s/v4/app/625d36b405c/js/twk-app.js",
        "IDS Detections Win32/Snojan Variant Uploading EXE Generic HTTP EXE Upload Inbound Generic HTTP EXE Upload Outbound",
        "https://anyweb.co.il/wp-includes/js/jquery/jquery-migrate.min.js?ver=3.3.2",
        "https://colohouse.com/wp-includes/js/dist/vendor/regenerator-runtime.min.js?ver=0.13.7",
        "https://j.clarity.ms/s/0.6.34/clarity.js",
        "https://app-ab02.marketo.com/js/forms2/js/forms2.min.js",
        "https://bid.g.doubleclick.net/xbbe/pixel?d=KAE",
        "https://www.gootft.com/js/poplayer.js;jsessionid=20F7490B81FBD25B0DE24EE1076D230D",
        "https://www.data102.com/wp-includes/js/jquery/jquery-migrate.min.js?ver=1.4.1",
        "https://googleads.g.doubleclick.net/pagead/viewthroughconversion/952389962/?random=1650405011982&cv=9&fst=1650405011982&num=1&bg=ffffff&guid=ON&resp=GooglemKTybQhCsO&eid=376635471&u_h=844&u_w=390&u_ah=844&u_aw=390&u_cd=32&u_his=1&u_tz=-240&u_java=false&u_nplug=0&u_nmime=0&gtm=2wg4i1&sendb=1&ig=1&frm=0&url=https%3A%2F%2Fwww.leaseweb.com%2F&tiba=Leaseweb%20%7C%20Global%20Hosted%20Infrastructure%20(IaaS)%20and%20Cloud%20Solutions&hn=www.googleadservices.com&async=1&rfmt=3&fmt=4",
        "https://colohouse.com/wp-content/plugins/cleantalk-spam-protect/js/apbct-public.min.js?ver=5.173",
        "https://www.leaseweb.com/sites/all/modules/custom/lsw_marketo/js/lsw_marketo_forms.js",
        "xfe-URL-anyweb.co.il-stix2-2.1-export.json",
        "https://topweb.co.il/wp-content/plugins/litespeed-cache/assets/js/webfontloader.min.js",
        "https://www.leaseweb.com/sites/default/files/css/css_47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU.css",
        "http://slulutz02.com/",
        "https://subscribe.free.fr/assets/js/vendor/wow.min.js",
        "https://chimpstatic.com/mcjs-connected/js/users/6c3abfa7ff8634c75cdb2b22e/ddf7a436c1746be666f330e4a.js",
        "https://xctg07.cc/?channelCode=xiaosu03_8",
        "https://koban360.com/ky/js/swiper.min.js",
        "https://embed.tawk.to/_s/v4/app/625d36b405c/js/twk-chunk-2d0b9454.js",
        "https://colohouse.com/wp-content/plugins/wp-schema-pro/admin/assets/min-js/frontend.min.js?ver=2.7.2",
        "xfe-URL-lgmhgjm.com-stix2-2.0-export.json",
        "https://anyweb.co.il/wp-content/plugins/essential-grid/public/assets/js/jquery.themepunch.essential.min.js?ver=2.0.9.1",
        "http://www.lgmhgjm.com/common.js",
        "https://www.googletagmanager.com/gtm.js?id=GTM-NWPHSS",
        "https://m2855.com:35003/",
        "https://topweb.co.il/wp-content/litespeed/js/c3a18f91ebd798da3e120a12aec7c615.js?ver=7c615",
        "http://kniveb.info/template/9c/ads/gonggao.js",
        "https://www.data102.com/wp-includes/js/jquery/jquery.js?ver=1.12.4-wp",
        "https://xbt.0lunwen.com/boinstall.js",
        "https://consentcdn.cookiebot.com/sdk/bc-v4.min.html",
        "https://anyweb.co.il/wp-includes/js/dist/vendor/wp-polyfill.min.js?ver=7.4.4",
        "https://www.free.fr/freebox/",
        "https://ad.abilm.info/bid?url=http%3A%2F%2Fkniveb.info%2F&frm=0&ref=http%3A%2F%2Fwww.sp385.com%2F&ic=1&pl=0&ml=0&sid=105:80:104:111:110:101:58:50:53:48:50:50:51:49:53:54:58:51:58:51:57:48:46:56:52:52&ps=20030107&lgs=0&zo=240&ws=390x844&gdm=0&iw=1&cpn=0&fid=5d80d32079e9fdb035e4886c32c6612e&hl=2&ihn=0&md=1&ns=undefined&np=undefined&pj=0&top=650&left=0&id=47&rid=ec5a07ef8f3e3f2c25ba75c7da106dcc&dcc=&dcl=&gvd=Apple%20Inc.&grr=Apple%20GPU&ct=unknown&diit=&dit=&cmn=",
        "https://anyweb.co.il/wp-content/plugins/contact-form-7/includes/js/index.js?ver=5.4.1",
        "https://anyweb.co.il/wp-content/plugins/essential-grid/public/assets/js/lightbox.js?ver=2.0.9.1",
        "https://www.7631.app:8755/js/xinstall_inner_e.min.js?v=1004",
        "https://colohouse.com/wp-includes/js/jquery/jquery-migrate.min.js?ver=3.3.2",
        "https://app-ab02.marketo.com/js/forms2/css/forms2.css",
        "https://unpkg.com/jquery.qrcode@1.0.3/jquery.qrcode.min.js",
        "https://embed.tawk.to/_s/v4/app/625d36b405c/js/twk-chunk-2d0d2b7c.js",
        "https://eu.snapengage.com/chatjs/servicegetallavailableagents?w=e9219576-8f74-40b5-8b6f-bbad33f6ca57&t=1",
        "https://fonts.googleapis.com/css?family=Libre+Franklin%3A300%2C300i%2C400%2C400i%2C600%2C600i%2C800%2C800i&subset=latin%2Clatin-ext",
        "https://m.west.cn/jscripts/baidutj/hm.js",
        "https://quantcast.mgr.consensu.org/tcfv2/27/cmp2.js?referer=m",
        "xfe-URL-West.cn-stix2-2.1-export.json",
        "https://embed.tawk.to/_s/v4/app/625d36b405c/js/twk-main.js",
        "http://dev-app.project-cicada.com \u2022 https://dev-app.project-cicada.com \u2022",
        "https://app-lon04.marketo.com/js/forms2/js/forms2.min.js",
        "Alerts: alters_windows_utility procmem_yara static_pe_anomaly suricata_alert suspicious_command_tools mouse_movement_detect",
        "https://www.leaseweb.com/sites/default/files/js/js_wcSNEXVJ4Xjhkf8qhMguEPZJTDTMNmPaJM-YWdAOhQE.js",
        "https://www.leaseweb.com/sites/default/files/css/css_7CYF9En6DNp6AojfSKnT8USKR3GvzPwznmTqLTKT9VM.css",
        "https://colohouse.com/wp-includes/js/wp-embed.min.js?ver=5.8",
        "https://koban360.com/ky/css/m.css?vs=1.7",
        "https://www.googleadservices.com/pagead/conversion_async.js",
        "https://colohouse.com/wp-content/plugins/contact-form-7/includes/js/index.js?ver=5.4.2",
        "https://www.data102.com/?wordfence_lh=1&hid=2D6A812A7EB197E80D5A3978A6386BE4&r=0.5029022326538093",
        "https://xc.6xc.tv/css/index.css",
        "https://snap.licdn.com/li.lms-analytics/insight.min.js",
        "https://quantcast.mgr.consensu.org/tcfv2/27/cmp2.js?referer=mathworks.com",
        "https://www.data102.com/wp-includes/js/wp-embed.min.js?ver=00b0ffc433836dcf9f57035fded0b908",
        "https://sdk.privacy-center.org/ui-gdpr-en.a96c69ed0cb8f37a2deea6c49dd453517875ac60.js",
        "https://webmail.free.fr/plugins/jqueryui/js/jquery-ui.min.js?s=1510166524",
        "xfe-IP-103.24.249.209-stix2-2.1-export.json",
        "https://www.7631.app:8755/js/jquery-1.11.3.min.js",
        "https://www.7631.app:8755/js/mobile-detect.min.js?v=1004",
        "Webb County, TX 5 pdf",
        "https://api-lsa.lenovosoftware.com/0/lsa/common/clever/generatedUrls",
        "https://embed.tawk.to/_s/v4/app/625d36b405c/js/twk-runtime.js",
        "https://embed.tawk.to/_s/v4/app/625d36b405c/js/twk-vendor.js",
        "https://www.leaseweb.com/sites/default/files/js/js_kwxcSFD2Y0_BPtdJClYUy5H8THI_5EycUmIgIGWaGYs.js",
        "https://secure.quantserve.com/quant.js",
        "xfe-URL-colohouse.com-stix2-2.1-export.json",
        "api.acumatica.flex.redteam.com",
        "IDS Detections Gh0stCringe CnC Activity M2",
        "https://goo.gl/9p2vKq",
        "https://mgttse001.vip/template/m1938pc/pic/hf1",
        "http://pageperso.free.fr/im/css/free.css",
        "https://app-ab02.marketo.com/js/forms2/css/forms2-theme-simple.css",
        "IDS Detections : Downloader (P2P Zeus dropper UA) TLS Handshake",
        "https://app-lon04.marketo.com/js/forms2/css/forms2-theme-plain.css",
        "https://topweb.co.il/",
        "http://sdk.51.la/js-sdk-pro.min.js",
        "googleusercontent.com | Win32:MalOb-BX\\ [Cryp] \u2022 Win.Trojan.Agent-755615 \u2022 VirTool:Win32/Obfuscator.K \u2022 Win32:MalOb-BX\\ [Cryp]\t\u2022 Win.Trojan.Agent-755615 \u2022 VirTool:Win32/Obfuscator.K",
        "https://eu.snapengage.com/chatjs/ServiceGetConfig?w=e9219576-8f74-40b5-8b6f-bbad33f6ca57",
        "https://www.google-analytics.com/analytics.js",
        "http://passback.free.fr/pub/pp_300x250.html",
        "https://am96.vip/",
        "http://avtv10.com",
        "https://anyweb.co.il/wp-content/themes/superfine/assets/js/assets.js?ver=5.7.3",
        "https://embed.tawk.to/5697c34527b9b5d40b66960f/default",
        "https://subscribe.free.fr/accesgratuit/index.html",
        "https://koban360.com/ky/js/flexible.js",
        "https://webmail.free.fr/program/js/app.min.js?s=1510166525",
        "https://www.google-analytics.com/plugins/ua/linkid.js",
        "https://www.data102.com/wp-content/plugins/cta/shared//shortcodes/js/spin.min.js",
        "Yara: UPX ,  Nrv2x , UPX_OEP_place , UPX290LZMA ,UPXV200V290 ( all by MarkusOberhumerLaszloMolnarJohnReiser)",
        "NAME project-cicada.com\tIdentity Protection Service\tOn behalf of project-cicada.com",
        "Alerts:  packer_entropy dead_connect queries_locale_api antidebug_setunhandledexceptionfilter",
        "https://koban360.com/ky/?shareName=1736.com",
        "Files IP Address api.a 3.169.173.27,3.169.173.49, 3.169.173.87, 3.169.173.92",
        "https://libs.baidu.com/jquery/2.0.0/jquery.min.js",
        "https://www.googletagmanager.com/gtag/js?id=AW-1045757556",
        "https://googleads.g.doubleclick.net/pagead/viewthroughconversion/1001847692/?random=1650405011980&cv=9&fst=1650405011980&num=1&bg=ffffff&guid=ON&resp=GooglemKTybQhCsO&eid=376635471&u_h=844&u_w=390&u_ah=844&u_aw=390&u_cd=32&u_his=1&u_tz=-240&u_java=false&u_nplug=0&u_nmime=0&gtm=2wg4i1&sendb=1&ig=1&frm=0&url=https%3A%2F%2Fwww.leaseweb.com%2F&tiba=Leaseweb%20%7C%20Global%20Hosted%20Infrastructure%20(IaaS)%20and%20Cloud%20Solutions&hn=www.googleadservices.com&async=1&rfmt=3&fmt=4",
        "https://www.youtube.com/iframe_api",
        "https://anyweb.co.il/wp-content/themes/superfine/assets/js/script.js",
        "https://xc.6xc.tv/?channelCode=xiaosu03_8",
        "https://miaouuuc.com/template/static/js/clipborad.min.js",
        "https://img03.en25.com/i/elqCfg.min.js",
        "https://colohouse.com/wp-includes/js/jquery/jquery.min.js?ver=3.6.0",
        "https://unpkg.com/jquery-1.10.2@1.10.2/jquery-1.10.2.min.js",
        "https://mgttse001.vip/static/js/jquery.js",
        "https://www.googletagmanager.com/gtm.js?id=GTM-PTXLXZ4",
        "https://analytics.twitter.com/i/adsct?type=javascript&version=2.0.4&p_id=Twitter&p_user_id=0&txn_id=nxsfu&events=%5B%5B%22pageview%22%2Cnull%5D%5D&tw_sale_amount=0&tw_order_quantity=0&tw_iframe_status=0&event_id=511b6f48-2639-478c-a251-b09fcbae76e7&tw_document_href=https%3A%2F%2Fwww.leaseweb.com%2F&tpx_cb=twttr.conversion.loadPixels",
        "https://colohouse.com/wp-content/plugins/kingcomposer/assets/frontend/js/kingcomposer.min.js?ver=2.9.6",
        "Webb County, TX 1 .pdf",
        "Webb County, TX 2.pdf",
        "https://eu.snapengage.com/chatjs/servicegetproactivegeodata?w=e9219576-8f74-40b5-8b6f-bbad33f6ca57",
        "https://subscribe.free.fr/assets/css/app2.min.css",
        "https://subscribe.free.fr/assets/js/vendor/modernizr.custom.js",
        "https://anyweb.co.il/wp-content/themes/superfine/assets/js/post-like.min.js?ver=1.0",
        "https://colohouse.com/wp-content/plugins/cleantalk-spam-protect/js/apbct-public--functions.min.js?ver=5.173",
        "http://m.west.cn/jscripts/baidutj/hm.js",
        "https://xbt.0lunwen.com/3/js/flexible.js",
        "https://colohouse.com/wp-content/themes/Netrouting/js/vendor/modernizr-2.8.3-respond-1.4.2.min.js",
        "http://www.lgmhgjm.com/tj.js",
        "https://m9277.com/tsnew-download/index.html",
        "https://embed.tawk.to/_s/v4/app/625d36b405c/js/twk-chunk-f163fcd0.js",
        "https://consent.cookiebot.com/uc.js?cbid=1e27dadb-e278-4c02-aa4f-43f9222c4fbb&culture=en",
        "https://embed.tawk.to/_s/v4/app/625d36b405c/js/twk-chunk-32507910.js",
        "https://urlscan.io/screenshots/019b1bba-5e12-709b-86eb-fcbbaa4e8375.png",
        "https://colohouse.com/wp-content/plugins/stop-user-enumeration/frontend/js/frontend.js?ver=1.3.31",
        "https://koban360.com/ky/js/jquery.min.js",
        "https://colohouse.com/wp-content/plugins/cookie-law-info/public/js/cookie-law-info-public.js?ver=2.0.4",
        "https://www.googletagmanager.com/gtm.js?id=GTM-NQNVC6K",
        "https://munchkin.marketo.net/munchkin.js",
        "https://app-ab02.marketo.com/index.php/form/XDFrame",
        "https://webmail.free.fr/",
        "https://miaouuuc.com/?channelCode=852890&aid=852890",
        "CICADA Contextual Inference & Comprehensive Analysis Data Agent",
        "https://colohouse.com/wp-content/plugins/wpcf7-redirect/build/js/wpcf7-redirect-frontend-script.js?ver=1.1",
        "Yara Detections: ConventionEngine_Term_Desktop ,  ConventionEngine_Term_Users ,  massminer_gh0st",
        "https://colohouse.com/",
        "https://anyweb.co.il/wp-content/plugins/essential-grid/public/assets/js/jquery.themepunch.tools.min.js?ver=2.0.9.1",
        "CICADA - Higurashi Analysis Agent [https://dev-app.project-cicada.com/ ]",
        "https://googleads.g.doubleclick.net/pagead/viewthroughconversion/363516812/?random=1650901467024&cv=9&fst=1650901467024&num=1&bg=ffffff&guid=ON&resp=GooglemKTybQhCsO&u_h=844&u_w=390&u_ah=844&u_aw=390&u_cd=32&u_his=1&u_tz=-240&u_java=false&u_nplug=0&u_nmime=0&gtm=2oa4k0&sendb=1&ig=1&data=event%3Dgtag.config&frm=0&url=https%3A%2F%2Ftopweb.co.il%2F&tiba=%D7%9E%D7%A9%D7%A8%D7%93%20%D7%A4%D7%A8%D7%A1%D7%95%D7%9D%20%D7%95%D7%91%D7%A0%D7%99%D7%99%D7%AA%20%D7%90%D7%AA%D7%A8%D7%99%D7%9D%20%7C%20TOPWEB%20-%20%D7%98%D",
        "Alerts: infostealer_browser infostealer_cookies persistence_autorun persistence_autorun_tasks",
        "https://colohouse.com/wp-includes/js/wp-emoji-release.min.js?ver=5.8",
        "https://anyweb.co.il/wp-includes/js/wp-embed.min.js?ver=5.7.3",
        "https://rules.quantcount.com/rules-p-zfNtLVVEHXE-1.js",
        "https://sdk.privacy-center.org/87df2f8d-232a-4617-8efc-3764b3bbd0c0/loader.js?target=webmail.free.fr",
        "https://webmail.free.fr/program/js/jquery.min.js?s=1510166541",
        "https://www.gootft.com/js/app.base.js;jsessionid=20F7490B81FBD25B0DE24EE1076D230D",
        "https://colohouse.com/wp-content/themes/Netrouting/assets/chosen/chosen.jquery.min.js",
        "https://subscribe.free.fr/assets/css/accesgratuit.min.css",
        "https://subscribe.free.fr/assets/js/main.min.js",
        "https://use.fortawesome.com/03018d9d.js",
        "https://bat.bing.com/bat.js",
        "xfe-URL-Data102.com-stix2-2.1-export.json",
        "https://consent.cookiebot.com/1e27dadb-e278-4c02-aa4f-43f9222c4fbb/cc.js?renew=false&referer=www.leaseweb.com&culture=en&dnt=false",
        "https://embed.tawk.to/_s/v4/app/625d36b405c/js/twk-chunk-4fe9d5dd.js",
        "https://www.west.cn/js2016/root/jqinclude.js?t=20211126a",
        "https://www.googletagmanager.com/gtag/js?id=G-7BE8PMLSKX&l=dataLayer&cx=c",
        "https://anyweb.co.il/wp-includes/js/wp-emoji-release.min.js?ver=5.7.3",
        "https://colohouse.com/wp-content/plugins/link-whisper-premium/js/frontend.js?ver=1632756485",
        "https://fonts.googleapis.com/css?family=Roboto%3A100%2C100italic%2C300%2C300italic%2Cregular%2Citalic%2C500%2C500italic%2C700%2C700italic%2C900%2C900italic&subset=greek%2Clatin%2Cvietnamese%2Clatin-ext%2Ccyrillic%2Ccyrillic-ext%2Cgreek-ext&ver=2.9.6",
        "https://app-lon04.marketo.com/index.php/form/XDFrame",
        "https://embed.tawk.to/_s/v4/app/625d36b405c/js/twk-chunk-common.js",
        "https://app.whoisvisiting.com/who.js",
        "https://www.everestjs.net/static/le/last-event-tag-latest.min.js",
        "Alerts: polymorphic procmem_yara suricata_alert dynamic_function_loading reads_self",
        "Alerts: network_cnc_http network_http packer_unknown_pe_section_name",
        "http://9766.tv",
        "https://xc.6xc.tv/js/jquery-3.6.0.min.js",
        "dev-app.project-cicada.com \u2022 project-cicada.com",
        "https://colohouse.com/wp-content/plugins/duracelltomi-google-tag-manager/js/gtm4wp-form-move-tracker.js?ver=1.13.1",
        "https://subscribe.free.fr/assets/js/vendor/jquery-1.9.1.min.js",
        "Webb County, TX 3.pdf",
        "https://subscribe.free.fr/assets/js/plugins.min.js",
        "https://connect.facebook.net/signals/config/399164440484826?v=2.9.57&r=stable",
        "https://www.leaseweb.com/sites/default/files/js/js_6lTJ_m6ahwXas7Efbw8ZYEMSaecrGw8ilNALfvIPNUw.js",
        "https://www.west.cn/js2016/lib/jquery.SuperSlide/jquery.SuperSlide.2.1.1.x.js",
        "https://anyweb.co.il/wp-includes/css/dist/block-library/style.min.css?ver=5.7.3",
        "teslathomas.xyz \u2022 https://teslathomas.xyz/ \u2022 teslaev.d36qivll26iymf.amplifyapp.com",
        "https://app.okoockec.xyz:8443/apps/v2/index1/0c1d6cd4e9634a3d?m=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoiZzByUjNpMUczaEt0Sk5sZmVNSE44NEhjVDlDOVFTM2xEcm5pM1dIWG9UM1FBSklpR1phN01teTZOcjFxVVJIWVlhZnJPQkE9IiwiZXhwIjoxNjQ5NDQ0NDcyfQ.utSNnRI7C9FuWMUxhY4cufCJBIuHUk5vdk8Dj6WnXYs",
        "https://colohouse.com/wp-content/cache/autoptimize/css/autoptimize_5e11636f7dd8fb4f55e0ff84f0ed5faa.css",
        "https://www.leaseweb.com/sites/default/files/js/js_6FowaFXT9bT78hf9earPdGcdTmvsFiaBzKgFl9P4fSo.js",
        "https://www.youtube.com/s/player/19eb72e4/www-widgetapi.vflset/www-widgetapi.js",
        "https://embed.tawk.to/_s/v4/app/625d36b405c/js/twk-chunk-vendors.js",
        "https://colohouse.com/wp-content/plugins/cleantalk-spam-protect/js/cleantalk-modal.min.js?ver=5.173",
        "http://www.sp385.com/",
        "http://sdk.51.la/event/js-sdk-event.min.js?u=JYWHYgTN1B6iZ5P2",
        "http://kniveb.info/",
        "https://storage.googleapis.com/snapengage-eu/js/e9219576-8f74-40b5-8b6f-bbad33f6ca57.js",
        "https://maps.googleapis.com/maps/api/js?v=3.exp&key=AIzaSyDR76rjQL_2raonHiZ6ZrPqJr-FPb7pGH0",
        "https://bat.bing.com/p/action/5602105.js",
        "https://s3.amazonaws.com/ki.js/49559/ahy.js",
        "https://unpkg.com/clipboard@2.0.8/dist/clipboard.js",
        "https://m9277.com/tsnew-download/js/jquery.min.js",
        "https://anyweb.co.il/wp-includes/js/jquery/jquery.min.js?ver=3.5.1",
        "Location United States ASN  Nameservers ns- \u2022 482.awsdns-60.com.",
        "https://munchkin.marketo.net/161/munchkin.js",
        "https://www.data102.com/wp-content/plugins/contact-form-7/includes/js/scripts.js",
        "xfe-IP-212.27.63.109-stix2-2.1-export.json",
        "https://www.leaseweb.com/sites/default/files/js/js_kI_QwKJlaBz9CzQdENdUBFiEl4aehfjf4_-9taiwcCE.js"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": []
        },
        "other": {
          "adversary": [
            "State of Colorado \u2022Tesla Hackers \u2022 (Quasi Government)"
          ],
          "malware_families": [
            "Ransom:win32/crowti.a",
            "Takk",
            "Cymt",
            "Et",
            "Virtool:win32/obfuscator.k",
            "Gc",
            "Kiitos",
            "Alf:heraklezeval:trojan:win32/clipbanker",
            "Trojandropper:win32/vb.il",
            "Reduceright",
            "Vd",
            "Qe",
            "Trojandownloader:win32/cutwail.bs",
            "Win.trojan.agent",
            "Doc.downloader.emotetred02220-9938909-0",
            "Trojandownloader:win32/upatre.aa",
            "Win32:malob-bx",
            "Buttons};kb(convertedmessage);break;case\"/sys\":var",
            "Win.trojan.gh0strat-9955419-1",
            "Acum",
            "Ajax"
          ],
          "industries": []
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 13,
  "pulses": [
    {
      "id": "693f3ef3b05672ba47b903e3",
      "name": "Create Amazing Password Forms - Project Cicada",
      "description": "Huge pulse of multiple IoC\u2019 from Project Cicada URL\n(not the 3301 Mystery) | Monitored Target | Indont know if it\u2019s related to Havana Syndrome. Is related to State of Colorado , Christopher P. \u2018Buzz\u2019 Ahmann and Tesla Hackers, \n\u201cThe right of a man or woman to retreat into his/her own home and there be free is from UNREASONABLE government intrusion is at the \u201c very core\u201d of the Fourth Amendment.\u201d\nFlorida vs. Jardines 569 U.S. 1 (2013)",
      "modified": "2026-01-13T22:02:50.260000",
      "created": "2025-12-14T22:49:23.114000",
      "tags": [
        "cicada",
        "project cicada",
        "united states",
        "quasi government",
        "asnone country",
        "united",
        "moved",
        "agent",
        "meta",
        "title error",
        "reverse dns",
        "servers",
        "urls",
        "url analysis",
        "aaaa",
        "present dec",
        "ip address",
        "america flag",
        "unknown",
        "Christopher P. \u2018Buzz\u2019 Ahmann",
        "brian sabey.",
        "State of Colorado",
        "date checked",
        "url hostname",
        "server response",
        "google safe",
        "results mar",
        "avast avg",
        "qualified immunity",
        "address google",
        "freeman",
        "mathis",
        "special forces",
        "tailored access",
        "tao",
        "hacker force",
        "infiltrate",
        "manipulate",
        "sabotage",
        "tools",
        "show",
        "results nov",
        "9b",
        "tao operations",
        "root9b",
        "hunt operations",
        "error mar",
        "over watch",
        "overkill",
        "read c",
        "memcommit",
        "high",
        "checks",
        "windows",
        "delete",
        "execution",
        "dock",
        "write",
        "persistence",
        "capture",
        "next",
        "local",
        "msie",
        "windows nt",
        "wow64",
        "slcc2",
        "media center",
        "suspicious_write_exe",
        "network_icmp",
        "antisandbox_restart",
        "creates_largekey",
        "infostealer_keylogger",
        "proess_martian",
        "injection_resumethread",
        "allocates_rwx",
        "targeted intelligence",
        "js_eval",
        "network_http",
        "name servers",
        "value domain",
        "domain name",
        "expiration date",
        "safe browsing",
        "unknown ns",
        "record value",
        "vercel",
        "certificate",
        "domain add",
        "refresh",
        "encrypt",
        "x vercel",
        "k jun",
        "mtb jul",
        "next http",
        "scans record",
        "value",
        "deployment not",
        "ransom",
        "trojan",
        "a domains",
        "safari",
        "android",
        "webkit",
        "animation",
        "click",
        "title",
        "passive dns",
        "gmt content",
        "arial helvetica",
        "ipv4 add",
        "status",
        "search",
        "emails",
        "as15169 google",
        "virtool",
        "cryp",
        "as396982",
        "win32",
        "error",
        "code",
        "domain",
        "showing",
        "query",
        "hostile",
        "observed dns",
        "et dns",
        "et info",
        "dns query",
        "malware",
        "push",
        "gmt cache",
        "sameorigin",
        "files",
        "url add",
        "http",
        "related nids",
        "files location",
        "flag united",
        "as44273 host",
        "hostname add",
        "unknown aaaa",
        "win32upatre dec",
        "mtb dec",
        "trojandropper",
        "hstr",
        "next associated",
        "backdoor",
        "entity",
        "tempe",
        "present sep",
        "hostname",
        "verdict",
        "lowfi",
        "usesscrrun",
        "ipv4",
        "element",
        "password",
        "developers",
        "create",
        "forms web",
        "group",
        "make sure",
        "autocomplete",
        "currentpassword",
        "make",
        "extraction",
        "data upload",
        "search otx",
        "ider data",
        "asn na",
        "ag da",
        "source level",
        "url text",
        "general full",
        "url https",
        "protocol h2",
        "security tls",
        "asn16509",
        "amazon02",
        "resource",
        "hash",
        "as16509",
        "us note",
        "route",
        "redacted for",
        "script urls",
        "japan unknown",
        "present apr",
        "present mar",
        "accept",
        "cookie",
        "path",
        "sectigo https",
        "encrypt https",
        "log id",
        "trustasia https",
        "amazon",
        "search criteria",
        "22965417271",
        "summary leaf",
        "timestamp entry",
        "log operator",
        "https",
        "script script",
        "cname",
        "present jun",
        "coup",
        "files ip",
        "address",
        "location united",
        "asn as16509",
        "color value",
        "item tile",
        "gmt max",
        "primary text",
        "text color",
        "play button",
        "search bar",
        "dasher",
        "flag",
        "bad traffic",
        "tls handshake",
        "failure",
        "analysis tip",
        "windir",
        "openurl c",
        "ascii text",
        "ck id",
        "show technique",
        "mitre att",
        "ck matrix",
        "pattern match",
        "network traffic",
        "beginstring",
        "show process",
        "null",
        "span",
        "general",
        "strings",
        "look",
        "verify",
        "restart",
        "dynamicloader",
        "ee fc",
        "yara rule",
        "ff d5",
        "c1 e0",
        "f0 ff",
        "ff ff",
        "eb e2",
        "ed b8",
        "fe ff",
        "june",
        "polymorphic",
        "network cnc",
        "cnc",
        "dead connect",
        "present nov",
        "france unknown",
        "generic http",
        "exe upload",
        "uploading exe",
        "intel",
        "ms windows",
        "medium",
        "http traffic",
        "monitored target",
        "prefetch2",
        "analysis",
        "tor analysis",
        "dns requests",
        "domain address",
        "contacted hosts",
        "learn",
        "command",
        "suspicious",
        "informative",
        "name tactics",
        "spawns",
        "t1480 execution",
        "file defense",
        "file discovery",
        "t1071",
        "t1057",
        "segoe ui",
        "script",
        "html",
        "body",
        "twitter",
        "formbook cnc",
        "checkin",
        "pegasus",
        "get updates",
        "p2p zeus",
        "downloader",
        "mpress",
        "win32upatre sep",
        "win32upatre oct",
        "win32upatre nov",
        "india unknown",
        "r61afin",
        "common upatre",
        "write c",
        "cts exe",
        "ids detections",
        "open",
        "present aug",
        "singapore",
        "date",
        "creation date",
        "pentest people",
        "tesla hackers",
        "vietnam unknown",
        "viet nam",
        "company limited",
        "pulse pulses"
      ],
      "references": [
        "http://dev-app.project-cicada.com \u2022 https://dev-app.project-cicada.com \u2022",
        "dev-app.project-cicada.com \u2022 project-cicada.com",
        "NAME project-cicada.com\tIdentity Protection Service\tOn behalf of project-cicada.com",
        "Files IP Address api.a 3.169.173.27,3.169.173.49, 3.169.173.87, 3.169.173.92",
        "Location United States ASN  Nameservers ns- \u2022 482.awsdns-60.com.",
        "api.acumatica.flex.redteam.com",
        "CICADA - Higurashi Analysis Agent [https://dev-app.project-cicada.com/ ]",
        "CICADA Contextual Inference & Comprehensive Analysis Data Agent",
        "https://urlscan.io/screenshots/019b1bba-5e12-709b-86eb-fcbbaa4e8375.png",
        "https://goo.gl/9p2vKq",
        "IDS Detections Win32/Snojan Variant Uploading EXE Generic HTTP EXE Upload Inbound Generic HTTP EXE Upload Outbound",
        "Yara: UPX ,  Nrv2x , UPX_OEP_place , UPX290LZMA ,UPXV200V290 ( all by MarkusOberhumerLaszloMolnarJohnReiser)",
        "Alerts: polymorphic procmem_yara suricata_alert dynamic_function_loading reads_self",
        "Alerts: network_cnc_http network_http packer_unknown_pe_section_name",
        "Alerts:  packer_entropy dead_connect queries_locale_api antidebug_setunhandledexceptionfilter",
        "IDS Detections : Downloader (P2P Zeus dropper UA) TLS Handshake",
        "IDS Detections Gh0stCringe CnC Activity M2",
        "Yara Detections: ConventionEngine_Term_Desktop ,  ConventionEngine_Term_Users ,  massminer_gh0st",
        "Alerts: infostealer_browser infostealer_cookies persistence_autorun persistence_autorun_tasks",
        "Alerts: alters_windows_utility procmem_yara static_pe_anomaly suricata_alert suspicious_command_tools mouse_movement_detect",
        "https://api-lsa.lenovosoftware.com/0/lsa/common/clever/generatedUrls",
        "googleusercontent.com | Win32:MalOb-BX\\ [Cryp] \u2022 Win.Trojan.Agent-755615 \u2022 VirTool:Win32/Obfuscator.K \u2022 Win32:MalOb-BX\\ [Cryp]\t\u2022 Win.Trojan.Agent-755615 \u2022 VirTool:Win32/Obfuscator.K",
        "teslathomas.xyz \u2022 https://teslathomas.xyz/ \u2022 teslaev.d36qivll26iymf.amplifyapp.com"
      ],
      "public": 1,
      "adversary": "State of Colorado \u2022Tesla Hackers \u2022 (Quasi Government)",
      "targeted_countries": [
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "TrojanDownloader:Win32/Cutwail.BS",
          "display_name": "TrojanDownloader:Win32/Cutwail.BS",
          "target": "/malware/TrojanDownloader:Win32/Cutwail.BS"
        },
        {
          "id": "Ransom:Win32/Crowti.A",
          "display_name": "Ransom:Win32/Crowti.A",
          "target": "/malware/Ransom:Win32/Crowti.A"
        },
        {
          "id": "Doc.Downloader.EmotetRed02220-9938909-0",
          "display_name": "Doc.Downloader.EmotetRed02220-9938909-0",
          "target": null
        },
        {
          "id": "TrojanDropper:Win32/VB.IL",
          "display_name": "TrojanDropper:Win32/VB.IL",
          "target": "/malware/TrojanDropper:Win32/VB.IL"
        },
        {
          "id": "ALF:HeraklezEval:Trojan:Win32/ClipBanker",
          "display_name": "ALF:HeraklezEval:Trojan:Win32/ClipBanker",
          "target": null
        },
        {
          "id": "ET",
          "display_name": "ET",
          "target": null
        },
        {
          "id": "Cymt",
          "display_name": "Cymt",
          "target": null
        },
        {
          "id": "TrojanDownloader:Win32/Upatre.AA",
          "display_name": "TrojanDownloader:Win32/Upatre.AA",
          "target": "/malware/TrojanDownloader:Win32/Upatre.AA"
        },
        {
          "id": "Win.Trojan.Gh0stRAT-9955419-1",
          "display_name": "Win.Trojan.Gh0stRAT-9955419-1",
          "target": null
        },
        {
          "id": "Win32:MalOb-BX",
          "display_name": "Win32:MalOb-BX",
          "target": null
        },
        {
          "id": "Win.Trojan.Agent",
          "display_name": "Win.Trojan.Agent",
          "target": null
        },
        {
          "id": "VirTool:Win32/Obfuscator.K",
          "display_name": "VirTool:Win32/Obfuscator.K",
          "target": "/malware/VirTool:Win32/Obfuscator.K"
        }
      ],
      "attack_ids": [
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1053",
          "name": "Scheduled Task/Job",
          "display_name": "T1053 - Scheduled Task/Job"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1112",
          "name": "Modify Registry",
          "display_name": "T1112 - Modify Registry"
        },
        {
          "id": "T1119",
          "name": "Automated Collection",
          "display_name": "T1119 - Automated Collection"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1143",
          "name": "Hidden Window",
          "display_name": "T1143 - Hidden Window"
        },
        {
          "id": "T1158",
          "name": "Hidden Files and Directories",
          "display_name": "T1158 - Hidden Files and Directories"
        },
        {
          "id": "T1045",
          "name": "Software Packing",
          "display_name": "T1045 - Software Packing"
        },
        {
          "id": "T1056.001",
          "name": "Keylogging",
          "display_name": "T1056.001 - Keylogging"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1069",
          "name": "Permission Groups Discovery",
          "display_name": "T1069 - Permission Groups Discovery"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1480",
          "name": "Execution Guardrails",
          "display_name": "T1480 - Execution Guardrails"
        },
        {
          "id": "T1568",
          "name": "Dynamic Resolution",
          "display_name": "T1568 - Dynamic Resolution"
        },
        {
          "id": "T1583",
          "name": "Acquire Infrastructure",
          "display_name": "T1583 - Acquire Infrastructure"
        },
        {
          "id": "T1113",
          "name": "Screen Capture",
          "display_name": "T1113 - Screen Capture"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1011",
          "name": "Exfiltration Over Other Network Medium",
          "display_name": "T1011 - Exfiltration Over Other Network Medium"
        },
        {
          "id": "TA0037",
          "name": "Command and Control",
          "display_name": "TA0037 - Command and Control"
        },
        {
          "id": "T1583.001",
          "name": "Domains",
          "display_name": "T1583.001 - Domains"
        },
        {
          "id": "T1583.005",
          "name": "Botnet",
          "display_name": "T1583.005 - Botnet"
        },
        {
          "id": "T1568.002",
          "name": "Domain Generation Algorithms",
          "display_name": "T1568.002 - Domain Generation Algorithms"
        },
        {
          "id": "T1071.004",
          "name": "DNS",
          "display_name": "T1071.004 - DNS"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        },
        {
          "id": "T1069.002",
          "name": "Domain Groups",
          "display_name": "T1069.002 - Domain Groups"
        },
        {
          "id": "T1027.002",
          "name": "Software Packing",
          "display_name": "T1027.002 - Software Packing"
        },
        {
          "id": "T1115",
          "name": "Clipboard Data",
          "display_name": "T1115 - Clipboard Data"
        },
        {
          "id": "T1060",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1060 - Registry Run Keys / Startup Folder"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 4,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Q.Vashti",
        "id": "337942",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 11102,
        "hostname": 4142,
        "domain": 4251,
        "email": 15,
        "FileHash-SHA256": 3108,
        "FileHash-MD5": 624,
        "FileHash-SHA1": 490,
        "CIDR": 1,
        "SSLCertFingerprint": 3
      },
      "indicator_count": 23736,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 145,
      "modified_text": "138 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "65708e0d95a8c74cc715f7a2",
      "name": "West.cn",
      "description": "",
      "modified": "2023-12-06T15:06:53.350000",
      "created": "2023-12-06T15:06:53.350000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 2,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "StreamMiningEx",
        "id": "262917",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 208,
        "domain": 533,
        "hostname": 757,
        "URL": 1861,
        "FileHash-MD5": 1
      },
      "indicator_count": 3360,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 109,
      "modified_text": "907 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "65708c0f5981b6d81d0fa423",
      "name": "data102 and colohouse. Malware hosting",
      "description": "",
      "modified": "2023-12-06T14:58:23.206000",
      "created": "2023-12-06T14:58:23.206000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 2,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "StreamMiningEx",
        "id": "262917",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 458,
        "domain": 557,
        "URL": 2599,
        "hostname": 952
      },
      "indicator_count": 4566,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 109,
      "modified_text": "907 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6280398780fbe64692dd54fd",
      "name": "West.cn",
      "description": "If you want to know more about Shockwave Flash, spare a thought for the members of your own storage system:mt.co.g.o.mimeTypes.com, mime",
      "modified": "2022-06-13T00:00:32.864000",
      "created": "2022-05-14T23:21:43.936000",
      "tags": [
        "jquery",
        "date",
        "vue jquery",
        "template",
        "layer",
        "paas",
        "dist",
        "wjf3m",
        "ajax",
        "business",
        "string",
        "number",
        "regexp",
        "copyright",
        "uint8array",
        "fnumber",
        "aw1045757556",
        "closure library",
        "xdfunction",
        "code",
        "ddos",
        "image",
        "script",
        "document",
        "unescape",
        "msie",
        "canvas",
        "domain",
        "click",
        "input",
        "label",
        "jdomname",
        "strong",
        "jactive15toast",
        "jclearinput",
        "case",
        "datatarget",
        "jdomainregcount",
        "span",
        "function",
        "x786e",
        "x53d6",
        "cite",
        "x4fe1",
        "iframe",
        "null",
        "prompt",
        "x6700",
        "x591a",
        "array",
        "numarray",
        "data",
        "midsize",
        "action",
        "keyword",
        "firstfix",
        "object",
        "5n3j",
        "3f4r",
        "5p3s",
        "1f5m",
        "hhe2",
        "bbf2",
        "3y3z",
        "1223",
        "6q6m",
        "zfunction",
        "psettimeout",
        "tsettimeout",
        "hsetinterval",
        "iparseint",
        "hnull",
        "pnull",
        "tnull",
        "lv1s",
        "efunction",
        "typeof t",
        "typeof e",
        "adobeedge",
        "typeof r",
        "webkittransform",
        "moztransform",
        "body",
        "this",
        "notifier",
        "invert",
        "name",
        "param",
        "value",
        "error",
        "false",
        "trigger",
        "restart",
        "form",
        "config",
        "constants",
        "true",
        "modalhelper",
        "relative",
        "fixed",
        "account login",
        "activexobject",
        "haslocation",
        "xmlhttprequest",
        "xmlregexp",
        "temp",
        "extpart",
        "foundation",
        "mit license",
        "write",
        "rhino",
        "mark",
        "import",
        "classnamedom",
        "onbeforedestroy",
        "login",
        "auto",
        "init",
        "typeof b",
        "width",
        "pseudo",
        "child",
        "enulle",
        "class",
        "accept",
        "shockwave flash",
        "new date1e3",
        "ka6e5",
        "la10"
      ],
      "references": [
        "xfe-IP-103.24.249.209-stix2-2.1-export.json",
        "xfe-URL-West.cn-stix2-2.1-export.json",
        "https://m.west.cn/jscripts/baidutj/hm.js",
        "http://m.west.cn/jscripts/baidutj/hm.js",
        "https://www.west.cn/js2016/lib/jquery.SuperSlide/jquery.SuperSlide.2.1.1.x.js",
        "https://www.west.cn/js2016/root/jqinclude.js?t=20211126a",
        "https://www.googletagmanager.com/gtag/js?id=AW-1045757556"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 8,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "adjadex1@gmail.com",
        "id": "187163",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 533,
        "URL": 1861,
        "hostname": 757,
        "FileHash-SHA256": 208,
        "FileHash-MD5": 1
      },
      "indicator_count": 3360,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 69,
      "modified_text": "1449 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "62925b989eba65cefe8c5f88",
      "name": "Mathworks.com (work in progress) extractor is malfunctioning",
      "description": "defineProperty(t,n), Object.prototype, E.S.D, e.CmpApiModel, \"DeepClone\", \"deepClones\" - a description of all the functions in this.",
      "modified": "2022-05-28T17:43:49.055000",
      "created": "2022-05-28T17:27:52.332000",
      "tags": [
        "optin",
        "elqsitevisited",
        "qnew date",
        "rnew date",
        "dlkey",
        "dllookup",
        "image",
        "httponly",
        "typeof e",
        "typeerror",
        "typeof symbol",
        "string",
        "array",
        "date",
        "efunction",
        "sfunction",
        "target",
        "typeof h",
        "typeof t",
        "typeof n",
        "typeof",
        "copyright",
        "event",
        "jquery",
        "typeof u",
        "uspapi",
        "confirmation",
        "matlab",
        "matlab speaks",
        "video",
        "system toolbox",
        "international",
        "learning",
        "computer vision",
        "analytics",
        "toolbox",
        "shell",
        "loans",
        "b0b6c1",
        "send",
        "caced6",
        "qualaroo",
        "thank",
        "ffd700",
        "simulink",
        "blank",
        "pass",
        "undef",
        "false",
        "null",
        "martin",
        "6464",
        "12224",
        "survey",
        "close",
        "tools",
        "python",
        "typeof require",
        "error",
        "modulenotfound",
        "abcdef",
        "typeof visitor",
        "adcloud",
        "typeof alloy"
      ],
      "references": [
        "https://quantcast.mgr.consensu.org/tcfv2/27/cmp2.js?referer=m",
        "https://www.everestjs.net/static/le/last-event-tag-latest.min.js",
        "https://s3.amazonaws.com/ki.js/49559/ahy.js",
        "https://rules.quantcount.com/rules-p-zfNtLVVEHXE-1.js",
        "https://secure.quantserve.com/quant.js",
        "https://quantcast.mgr.consensu.org/tcfv2/27/cmp2.js?referer=mathworks.com",
        "https://img03.en25.com/i/elqCfg.min.js"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 13,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "adjadex1@gmail.com",
        "id": "187163",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 156,
        "hostname": 192,
        "URL": 608,
        "FileHash-SHA256": 22,
        "FileHash-MD5": 2
      },
      "indicator_count": 980,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 67,
      "modified_text": "1464 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6266c416c4598fa139868c64",
      "name": "\u05de\u05e9\u05e8\u05d3 \u05e4\u05e8\u05e1\u05d5\u05dd \u05d5\u05d1\u05e0\u05d9\u05d9\u05ea \u05d0\u05ea\u05e8\u05d9\u05dd | TOPWEB - \u05d8\u05d5\u05e4 \u05d5\u05d5\u05d1- \u05d4\u05d5\u05e4\u05db\u05d9\u05dd \u05e2\u05e1\u05e7\u05d9\u05dd \u05dc\u05de\u05d5\u05ea\u05d2\u05d9\u05dd \u05d1\u05d3\u05d9\u05d2\u05d9\u05d8\u05dc",
      "description": "New RegExp(M) is a new type, and it will change any of the elements to the same type if you want to add them to your HTML page or add a third element.",
      "modified": "2022-05-25T00:04:03.622000",
      "created": "2022-04-25T15:53:58.206000",
      "tags": [
        "init",
        "803911410135716",
        "pageview",
        "date",
        "datalayer",
        "gtmnqnvc6k",
        "copyright",
        "closure library",
        "facebook",
        "google",
        "linkedin",
        "reddit",
        "tumblr",
        "digg",
        "stumbleupon",
        "telegram",
        "whatsapp",
        "email",
        "kfunction",
        "u05deu05dcu05d0",
        "aw363516812",
        "error",
        "promise",
        "inull",
        "webfontconfig",
        "webfont",
        "gc",
        "number",
        "string",
        "uint8array",
        "regexp",
        "xhfunction",
        "yhfunction",
        "host",
        "path",
        "code",
        "topweb",
        "top web",
        "beyond",
        "forex",
        "hackeru",
        "one stop",
        "shop",
        "bgroup",
        "typesubmit",
        "datasecret",
        "shape",
        "html",
        "span",
        "false",
        "scrl",
        "haschildren",
        "zoomindown",
        "show hide",
        "dark",
        "checkbox",
        "back",
        "light",
        "typeof e",
        "formdata",
        "typeof symbol",
        "customevent",
        "post",
        "refill",
        "wpcf7",
        "wpcf7locale",
        "wpcf7unittag",
        "reflect",
        "math",
        "array",
        "object",
        "typeerror",
        "symbol",
        "function",
        "null",
        "title",
        "body",
        "click",
        "lecount",
        "count",
        "typeof define",
        "typeof t",
        "this",
        "close",
        "twitter",
        "open",
        "next",
        "blank",
        "xpercent0",
        "failure",
        "xpercent50",
        "essential grid",
        "blackberry",
        "author",
        "themepunch",
        "android",
        "typeof module",
        "tweenlite",
        "version",
        "onull",
        "updates and",
        "tools",
        "linear",
        "ticker",
        "bounce",
        "alpha",
        "fancybox",
        "plugin",
        "janis skarnelis",
        "100n",
        "right",
        "bottom",
        "left",
        "html tags",
        "ox20trnf",
        "dom element",
        "class",
        "attr",
        "pseudo",
        "child",
        "js foundation",
        "udc66udc67",
        "ud83d",
        "ufe0f",
        "ud83e",
        "udc68udc69",
        "udfcbudfcc",
        "u2640u2642",
        "source",
        "image",
        "ud83dudc6cud83c"
      ],
      "references": [
        "xfe-URL-anyweb.co.il-stix2-2.1-export.json",
        "https://anyweb.co.il/wp-includes/js/wp-emoji-release.min.js?ver=5.7.3",
        "https://anyweb.co.il/wp-includes/js/jquery/jquery.min.js?ver=3.5.1",
        "https://anyweb.co.il/wp-includes/js/jquery/jquery-migrate.min.js?ver=3.3.2",
        "https://anyweb.co.il/wp-content/plugins/essential-grid/public/assets/js/lightbox.js?ver=2.0.9.1",
        "https://anyweb.co.il/wp-content/plugins/essential-grid/public/assets/js/jquery.themepunch.tools.min.js?ver=2.0.9.1",
        "https://anyweb.co.il/wp-content/plugins/essential-grid/public/assets/js/jquery.themepunch.essential.min.js?ver=2.0.9.1",
        "https://anyweb.co.il/wp-content/themes/superfine/assets/js/assets.js?ver=5.7.3",
        "https://anyweb.co.il/wp-content/themes/superfine/assets/js/post-like.min.js?ver=1.0",
        "https://anyweb.co.il/wp-includes/js/dist/vendor/wp-polyfill.min.js?ver=7.4.4",
        "https://anyweb.co.il/wp-content/plugins/contact-form-7/includes/js/index.js?ver=5.4.1",
        "https://anyweb.co.il/wp-content/themes/superfine/assets/js/script.js",
        "https://anyweb.co.il/wp-includes/js/wp-embed.min.js?ver=5.7.3",
        "https://anyweb.co.il/wp-includes/css/dist/block-library/style.min.css?ver=5.7.3",
        "https://topweb.co.il/",
        "https://www.googletagmanager.com/gtm.js?id=GTM-NQNVC6K",
        "https://topweb.co.il/wp-content/plugins/litespeed-cache/assets/js/webfontloader.min.js",
        "https://topweb.co.il/wp-content/litespeed/js/c3a18f91ebd798da3e120a12aec7c615.js?ver=7c615",
        "https://googleads.g.doubleclick.net/pagead/viewthroughconversion/363516812/?random=1650901467024&cv=9&fst=1650901467024&num=1&bg=ffffff&guid=ON&resp=GooglemKTybQhCsO&u_h=844&u_w=390&u_ah=844&u_aw=390&u_cd=32&u_his=1&u_tz=-240&u_java=false&u_nplug=0&u_nmime=0&gtm=2oa4k0&sendb=1&ig=1&data=event%3Dgtag.config&frm=0&url=https%3A%2F%2Ftopweb.co.il%2F&tiba=%D7%9E%D7%A9%D7%A8%D7%93%20%D7%A4%D7%A8%D7%A1%D7%95%D7%9D%20%D7%95%D7%91%D7%A0%D7%99%D7%99%D7%AA%20%D7%90%D7%AA%D7%A8%D7%99%D7%9D%20%7C%20TOPWEB%20-%20%D7%98%D"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Gc",
          "display_name": "Gc",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1176",
          "name": "Browser Extensions",
          "display_name": "T1176 - Browser Extensions"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 5,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "adjadex1@gmail.com",
        "id": "187163",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 1158,
        "FileHash-SHA256": 671,
        "hostname": 304,
        "domain": 329,
        "email": 2
      },
      "indicator_count": 2464,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 70,
      "modified_text": "1468 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "625f3287d722d8d85700b75d",
      "name": "Leaseweb.com - malware hosting",
      "description": "function D(t,e,n), as well as window.com, has been frozen by a single function, as part of a series of \"snoopers' checks\"...",
      "modified": "2022-05-19T00:00:49.028000",
      "created": "2022-04-19T22:07:03.024000",
      "tags": [
        "11px center",
        "html",
        "typetext",
        "typeurl",
        "typeemail",
        "typetel",
        "typenumber",
        "typedate",
        "color",
        "marketo forms",
        "cross domain",
        "null",
        "click",
        "forceclose",
        "lightbox",
        "slideshow",
        "controls",
        "hide",
        "safari",
        "image",
        "mozilla",
        "explorer",
        "entity",
        "linear",
        "date",
        "jquery",
        "iframe",
        "close",
        "loops",
        "class",
        "stretch",
        "false",
        "function",
        "abbb",
        "typeerror",
        "boolean",
        "body",
        "object",
        "array",
        "regexp",
        "bind",
        "error",
        "void",
        "hammer",
        "form",
        "this",
        "views slideshow",
        "zindex1",
        "ajax",
        "href",
        "default",
        "thumb",
        "msgesture",
        "mspointerdown",
        "next",
        "stop",
        "type",
        "index",
        "event",
        "snapabugcbmbtn",
        "chat",
        "hidden",
        "leaf",
        "open",
        "dump",
        "window",
        "win32",
        "footer",
        "front",
        "drupal",
        "command",
        "implement",
        "copyright",
        "route",
        "foundation",
        "thecookie",
        "remove",
        "example",
        "backport",
        "grab",
        "span",
        "import",
        "attr",
        "string",
        "invalid json",
        "domparser",
        "number",
        "script",
        "closure library",
        "symbol",
        "array int8array",
        "caregexp",
        "legacy",
        "boardman",
        "fontface",
        "typeof d",
        "promise",
        "parseint",
        "marketo",
        "rangeerror",
        "uint8array",
        "typeof b",
        "buffer",
        "path",
        "takk",
        "kiitos",
        "buttons};kb(convertedmessage);break;case\"/sys\":var",
        "acum",
        "ufunction",
        "ffunction",
        "gfunction",
        "mchtd",
        "cancel",
        "thank",
        "enter",
        "please",
        "cobrowsing",
        "accept",
        "decline",
        "back",
        "comment",
        "grazie",
        "klik",
        "super",
        "dados",
        "hello",
        "vd",
        "reduceright",
        "trackevent",
        "lead",
        "query",
        "videos",
        "leaseweb",
        "trackpageview",
        "contact",
        "download",
        "metal",
        "code",
        "functional",
        "member",
        "hnew regexp",
        "qfunction",
        "adview",
        "addbillinginfo",
        "addtocart",
        "addtolist",
        "install",
        "cookiebot",
        "iabv2",
        "jsonversion",
        "cookie script",
        "methodstrict",
        "ticket",
        "id attribute",
        "cookiebot setup",
        "cookieconsent",
        "customevent",
        "09af",
        "ver0",
        "tag0",
        "extdata0",
        "ua ch",
        "invalid",
        "iterator",
        "service",
        "phonenumber",
        "facebook",
        "meta",
        "ytconfig",
        "edge",
        "swhealthlog",
        "logsdatabasev2",
        "trident",
        "android",
        "infinity",
        "pnull",
        "style",
        "ctnull",
        "post",
        "uint32array",
        "fanull",
        "license",
        "ynull",
        "config"
      ],
      "references": [
        "https://consent.cookiebot.com/1e27dadb-e278-4c02-aa4f-43f9222c4fbb/cc.js?renew=false&referer=www.leaseweb.com&culture=en&dnt=false",
        "https://j.clarity.ms/s/0.6.34/clarity.js",
        "https://www.google-analytics.com/plugins/ua/linkid.js",
        "https://www.youtube.com/s/player/19eb72e4/www-widgetapi.vflset/www-widgetapi.js",
        "https://www.youtube.com/iframe_api",
        "https://connect.facebook.net/signals/config/399164440484826?v=2.9.57&r=stable",
        "https://bat.bing.com/bat.js",
        "https://consent.cookiebot.com/uc.js?cbid=1e27dadb-e278-4c02-aa4f-43f9222c4fbb&culture=en",
        "https://snap.licdn.com/li.lms-analytics/insight.min.js",
        "https://www.googletagmanager.com/gtm.js?id=GTM-NWPHSS",
        "https://storage.googleapis.com/snapengage-eu/js/e9219576-8f74-40b5-8b6f-bbad33f6ca57.js",
        "https://munchkin.marketo.net/161/munchkin.js",
        "https://app-lon04.marketo.com/js/forms2/js/forms2.min.js",
        "https://munchkin.marketo.net/munchkin.js",
        "https://www.leaseweb.com/sites/all/modules/custom/lsw_marketo/js/lsw_marketo_forms.js",
        "https://use.fortawesome.com/03018d9d.js",
        "https://googleads.g.doubleclick.net/pagead/viewthroughconversion/1001847692/?random=1650405011980&cv=9&fst=1650405011980&num=1&bg=ffffff&guid=ON&resp=GooglemKTybQhCsO&eid=376635471&u_h=844&u_w=390&u_ah=844&u_aw=390&u_cd=32&u_his=1&u_tz=-240&u_java=false&u_nplug=0&u_nmime=0&gtm=2wg4i1&sendb=1&ig=1&frm=0&url=https%3A%2F%2Fwww.leaseweb.com%2F&tiba=Leaseweb%20%7C%20Global%20Hosted%20Infrastructure%20(IaaS)%20and%20Cloud%20Solutions&hn=www.googleadservices.com&async=1&rfmt=3&fmt=4",
        "https://googleads.g.doubleclick.net/pagead/viewthroughconversion/952389962/?random=1650405011982&cv=9&fst=1650405011982&num=1&bg=ffffff&guid=ON&resp=GooglemKTybQhCsO&eid=376635471&u_h=844&u_w=390&u_ah=844&u_aw=390&u_cd=32&u_his=1&u_tz=-240&u_java=false&u_nplug=0&u_nmime=0&gtm=2wg4i1&sendb=1&ig=1&frm=0&url=https%3A%2F%2Fwww.leaseweb.com%2F&tiba=Leaseweb%20%7C%20Global%20Hosted%20Infrastructure%20(IaaS)%20and%20Cloud%20Solutions&hn=www.googleadservices.com&async=1&rfmt=3&fmt=4",
        "https://eu.snapengage.com/chatjs/ServiceGetConfig?w=e9219576-8f74-40b5-8b6f-bbad33f6ca57",
        "https://eu.snapengage.com/chatjs/servicegetproactivegeodata?w=e9219576-8f74-40b5-8b6f-bbad33f6ca57",
        "https://bat.bing.com/p/action/5602105.js",
        "https://eu.snapengage.com/chatjs/servicegetallavailableagents?w=e9219576-8f74-40b5-8b6f-bbad33f6ca57&t=1",
        "https://www.googleadservices.com/pagead/conversion_async.js",
        "https://www.leaseweb.com/sites/default/files/js/js_kwxcSFD2Y0_BPtdJClYUy5H8THI_5EycUmIgIGWaGYs.js",
        "https://www.leaseweb.com/sites/default/files/js/js_wcSNEXVJ4Xjhkf8qhMguEPZJTDTMNmPaJM-YWdAOhQE.js",
        "https://www.leaseweb.com/sites/default/files/js/js_kI_QwKJlaBz9CzQdENdUBFiEl4aehfjf4_-9taiwcCE.js",
        "https://www.leaseweb.com/sites/default/files/js/js_zoLA7TweXam0kYiqJrXepqBWmyDoP1sLSlHoZcveFnY.js",
        "https://www.leaseweb.com/sites/default/files/js/js_6FowaFXT9bT78hf9earPdGcdTmvsFiaBzKgFl9P4fSo.js",
        "https://www.leaseweb.com/sites/default/files/js/js_6lTJ_m6ahwXas7Efbw8ZYEMSaecrGw8ilNALfvIPNUw.js",
        "https://analytics.twitter.com/i/adsct?type=javascript&version=2.0.4&p_id=Twitter&p_user_id=0&txn_id=nxsfu&events=%5B%5B%22pageview%22%2Cnull%5D%5D&tw_sale_amount=0&tw_order_quantity=0&tw_iframe_status=0&event_id=511b6f48-2639-478c-a251-b09fcbae76e7&tw_document_href=https%3A%2F%2Fwww.leaseweb.com%2F&tpx_cb=twttr.conversion.loadPixels",
        "https://bid.g.doubleclick.net/xbbe/pixel?d=KAE",
        "https://consentcdn.cookiebot.com/sdk/bc-v4.min.html",
        "https://app-lon04.marketo.com/index.php/form/XDFrame",
        "https://app-lon04.marketo.com/js/forms2/css/forms2-theme-plain.css",
        "https://www.leaseweb.com/sites/default/files/css/css_47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU.css",
        "https://www.leaseweb.com/sites/default/files/css/css_7CYF9En6DNp6AojfSKnT8USKR3GvzPwznmTqLTKT9VM.css"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "Tunisia"
      ],
      "malware_families": [
        {
          "id": "Ajax",
          "display_name": "Ajax",
          "target": null
        },
        {
          "id": "Kiitos",
          "display_name": "Kiitos",
          "target": null
        },
        {
          "id": "Takk",
          "display_name": "Takk",
          "target": null
        },
        {
          "id": "Acum",
          "display_name": "Acum",
          "target": null
        },
        {
          "id": "buttons};kb(convertedMessage);break;case\"/SYS\":var",
          "display_name": "buttons};kb(convertedMessage);break;case\"/SYS\":var",
          "target": null
        },
        {
          "id": "Vd",
          "display_name": "Vd",
          "target": null
        },
        {
          "id": "ReduceRight",
          "display_name": "ReduceRight",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1106",
          "name": "Native API",
          "display_name": "T1106 - Native API"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1176",
          "name": "Browser Extensions",
          "display_name": "T1176 - Browser Extensions"
        },
        {
          "id": "T1490",
          "name": "Inhibit System Recovery",
          "display_name": "T1490 - Inhibit System Recovery"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 4,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "adjadex1@gmail.com",
        "id": "187163",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "hostname": 648,
        "domain": 469,
        "URL": 2037,
        "FileHash-SHA256": 705,
        "email": 7
      },
      "indicator_count": 3866,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 68,
      "modified_text": "1474 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "625f42dcc369f59f6a1e8b58",
      "name": "data102 and colohouse. Malware hosting",
      "description": "var a,b,c,d, f.substr(d),a=f, a.href, and a number of other elements:a.b.search.com.",
      "modified": "2022-05-19T00:00:49.028000",
      "created": "2022-04-19T23:16:44.418000",
      "tags": [
        "regexp",
        "rangeerror",
        "typeerror",
        "date",
        "array",
        "error",
        "this",
        "uint8array",
        "typeof b",
        "buffer",
        "class",
        "null",
        "path",
        "void",
        "marketo forms",
        "cross domain",
        "typetext",
        "typeurl",
        "typeemail",
        "typetel",
        "typenumber",
        "typedate",
        "color",
        "label",
        "input",
        "typerange",
        "typecheckbox",
        "woff2",
        "fontface",
        "u1c801c88",
        "u20b4",
        "u2de02dff",
        "ua640a69f",
        "ufe2efe2f",
        "u04b004b1",
        "u2116",
        "u1ea01ef9",
        "franklin",
        "woff",
        "u20ab",
        "u0259",
        "u1e001eff",
        "u2020",
        "u20a020ab",
        "u20ad20cf",
        "gradienttype0",
        "webkitkeyframes",
        "span",
        "button",
        "tbody",
        "textarea",
        "helvetica neue",
        "tfoot",
        "body",
        "alpha",
        "twitter",
        "roboto",
        "pitch",
        "datasecret",
        "q1kg",
        "q17g",
        "d2dg",
        "c d3r",
        "q171zg",
        "e c2ttttb",
        "c g7",
        "6n184z",
        "6f6g",
        "typeof",
        "wpcf7redirect",
        "cf7mlscurrentfs",
        "handle fire",
        "popuptemplate",
        "templatename",
        "click",
        "fieldset",
        "cf7mlsbackfs",
        "section",
        "classwidget",
        "idmenu",
        "idfooter",
        "idwidget",
        "idcomment",
        "classmenu",
        "classfooter",
        "classcomment",
        "target",
        "blank",
        "typeof e",
        "formdata",
        "typeof symbol",
        "customevent",
        "post",
        "refill",
        "wpcf7",
        "wpcf7locale",
        "wpcf7unittag",
        "typeof wpcf7",
        "boolean",
        "modernizr",
        "custom build",
        "build",
        "afunction",
        "cfunction",
        "object",
        "documenttouch",
        "websocket",
        "symbol",
        "generator",
        "function",
        "select",
        "harvest",
        "mit license",
        "optgroup",
        "nnn n",
        "n nnnn",
        "explorer",
        "options",
        "abbr",
        "element",
        "unknownerror",
        "overquerylimit",
        "requestdenied",
        "zeroresults",
        "node",
        "edge",
        "android",
        "trident",
        "unknown",
        "false",
        "iframe",
        "marker",
        "hybrid",
        "tawkspinner",
        "failed",
        "resend",
        "tawkavatar",
        "tawkvideo",
        "tawkalert",
        "tawkemoji",
        "tawkicon",
        "enter",
        "number",
        "startchatbutton",
        "u26a1",
        "typeof t",
        "invalid attempt",
        "copyright",
        "marketo",
        "remove",
        "commentform",
        "author",
        "mouseenter",
        "secure",
        "ccpa",
        "bottom",
        "fixed",
        "widget",
        "embed",
        "trigger",
        "antispam",
        "please",
        "cleantalk",
        "typeof o",
        "ajaxnonce",
        "unkown",
        "apbctajaxerror",
        "typeof define",
        "typeof module",
        "html tags",
        "ox20trnf",
        "dom element",
        "attr",
        "pseudo",
        "child",
        "udc66udc67",
        "ud83d",
        "ufe0f",
        "ud83e",
        "udc68udc69",
        "udfcbudfcc",
        "u2640u2642",
        "source",
        "image",
        "ud83dudc6cud83c",
        "qe",
        "string",
        "xhfunction",
        "yhfunction",
        "gtmptxlxz4",
        "host",
        "code",
        "script",
        "promise",
        "complete",
        "reduceright",
        "g7be8pmlskx",
        "r300",
        "typeof d",
        "caca",
        "ufunction",
        "ffunction",
        "gfunction",
        "mchtd",
        "azaz",
        "firefox",
        "opera",
        "chrome",
        "iemobile",
        "black",
        "incorrect",
        "xfunction",
        "typeof p",
        "typeof btoa",
        "vnode",
        "colohouse",
        "york",
        "learn more",
        "data center",
        "miami",
        "e cermak",
        "springs",
        "read",
        "cloud",
        "managed",
        "fast",
        "philadelphia",
        "bare",
        "metal",
        "chat",
        "accept",
        "placeheld",
        "minimum",
        "tooshort",
        "wpcf7wfreetext",
        "alert",
        "invert",
        "form",
        "animation",
        "value",
        "foundation",
        "migrate",
        "backcompat",
        "quirks mode",
        "typeof f",
        "html",
        "sufeffxa0",
        "legacy",
        "contenttype",
        "wivobjkey",
        "typehit",
        "data",
        "closure library",
        "pfunction",
        "zfunction",
        "bfunction",
        "mvoid",
        "ofunction"
      ],
      "references": [
        "xfe-URL-Data102.com-stix2-2.1-export.json",
        "https://www.google-analytics.com/analytics.js",
        "https://chimpstatic.com/mcjs-connected/js/users/6c3abfa7ff8634c75cdb2b22e/ddf7a436c1746be666f330e4a.js",
        "https://app.whoisvisiting.com/who.js",
        "https://www.data102.com/wp-includes/js/jquery/jquery.js?ver=1.12.4-wp",
        "https://www.data102.com/wp-includes/js/jquery/jquery-migrate.min.js?ver=1.4.1",
        "https://www.data102.com/?wordfence_lh=1&hid=2D6A812A7EB197E80D5A3978A6386BE4&r=0.5029022326538093",
        "https://www.data102.com/wp-includes/js/wp-embed.min.js?ver=00b0ffc433836dcf9f57035fded0b908",
        "https://www.data102.com/wp-content/plugins/cta/shared//shortcodes/js/spin.min.js",
        "https://www.data102.com/wp-content/plugins/contact-form-7/includes/js/scripts.js",
        "https://colohouse.com/",
        "xfe-URL-colohouse.com-stix2-2.1-export.json",
        "https://embed.tawk.to/_s/v4/app/625d36b405c/js/twk-main.js",
        "https://embed.tawk.to/_s/v4/app/625d36b405c/js/twk-vendor.js",
        "https://embed.tawk.to/_s/v4/app/625d36b405c/js/twk-chunk-vendors.js",
        "https://embed.tawk.to/_s/v4/app/625d36b405c/js/twk-chunk-common.js",
        "https://embed.tawk.to/_s/v4/app/625d36b405c/js/twk-runtime.js",
        "https://embed.tawk.to/_s/v4/app/625d36b405c/js/twk-app.js",
        "https://munchkin.marketo.net/161/munchkin.js",
        "https://www.googletagmanager.com/gtag/js?id=G-7BE8PMLSKX&l=dataLayer&cx=c",
        "https://embed.tawk.to/5697c34527b9b5d40b66960f/default",
        "https://www.googletagmanager.com/gtm.js?id=GTM-PTXLXZ4",
        "https://colohouse.com/wp-includes/js/wp-emoji-release.min.js?ver=5.8",
        "https://colohouse.com/wp-includes/js/jquery/jquery.min.js?ver=3.6.0",
        "https://colohouse.com/wp-includes/js/jquery/jquery-migrate.min.js?ver=3.3.2",
        "https://colohouse.com/wp-content/plugins/cleantalk-spam-protect/js/apbct-public--functions.min.js?ver=5.173",
        "https://colohouse.com/wp-content/plugins/cleantalk-spam-protect/js/apbct-public.min.js?ver=5.173",
        "https://colohouse.com/wp-content/plugins/cleantalk-spam-protect/js/cleantalk-modal.min.js?ver=5.173",
        "https://colohouse.com/wp-content/plugins/cookie-law-info/public/js/cookie-law-info-public.js?ver=2.0.4",
        "https://colohouse.com/wp-content/plugins/stop-user-enumeration/frontend/js/frontend.js?ver=1.3.31",
        "https://colohouse.com/wp-content/plugins/duracelltomi-google-tag-manager/js/gtm4wp-form-move-tracker.js?ver=1.13.1",
        "https://munchkin.marketo.net/munchkin.js",
        "https://embed.tawk.to/_s/v4/app/625d36b405c/js/twk-chunk-2d0d2b7c.js",
        "https://embed.tawk.to/_s/v4/app/625d36b405c/js/twk-chunk-32507910.js",
        "https://embed.tawk.to/_s/v4/app/625d36b405c/js/twk-chunk-f163fcd0.js",
        "https://embed.tawk.to/_s/v4/app/625d36b405c/js/twk-chunk-2d0b9454.js",
        "https://embed.tawk.to/_s/v4/app/625d36b405c/js/twk-chunk-4fe9d5dd.js",
        "https://app-ab02.marketo.com/js/forms2/js/forms2.min.js",
        "https://maps.googleapis.com/maps/api/js?v=3.exp&key=AIzaSyDR76rjQL_2raonHiZ6ZrPqJr-FPb7pGH0",
        "https://colohouse.com/wp-content/themes/Netrouting/assets/chosen/chosen.jquery.min.js",
        "https://colohouse.com/wp-includes/js/dist/vendor/regenerator-runtime.min.js?ver=0.13.7",
        "https://colohouse.com/wp-content/themes/Netrouting/js/vendor/modernizr-2.8.3-respond-1.4.2.min.js",
        "https://colohouse.com/wp-content/plugins/contact-form-7/includes/js/index.js?ver=5.4.2",
        "https://colohouse.com/wp-content/plugins/link-whisper-premium/js/frontend.js?ver=1632756485",
        "https://colohouse.com/wp-content/plugins/wpcf7-redirect/build/js/wpcf7-redirect-frontend-script.js?ver=1.1",
        "https://colohouse.com/wp-content/plugins/kingcomposer/assets/frontend/js/kingcomposer.min.js?ver=2.9.6",
        "https://colohouse.com/wp-includes/js/wp-embed.min.js?ver=5.8",
        "https://colohouse.com/wp-content/plugins/wp-schema-pro/admin/assets/min-js/frontend.min.js?ver=2.7.2",
        "https://colohouse.com/wp-content/cache/autoptimize/css/autoptimize_5e11636f7dd8fb4f55e0ff84f0ed5faa.css",
        "https://fonts.googleapis.com/css?family=Libre+Franklin%3A300%2C300i%2C400%2C400i%2C600%2C600i%2C800%2C800i&subset=latin%2Clatin-ext",
        "https://fonts.googleapis.com/css?family=Roboto%3A100%2C100italic%2C300%2C300italic%2Cregular%2Citalic%2C500%2C500italic%2C700%2C700italic%2C900%2C900italic&subset=greek%2Clatin%2Cvietnamese%2Clatin-ext%2Ccyrillic%2Ccyrillic-ext%2Cgreek-ext&ver=2.9.6",
        "https://app-ab02.marketo.com/js/forms2/css/forms2.css",
        "https://app-ab02.marketo.com/js/forms2/css/forms2-theme-simple.css",
        "https://app-ab02.marketo.com/index.php/form/XDFrame"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Qe",
          "display_name": "Qe",
          "target": null
        },
        {
          "id": "ReduceRight",
          "display_name": "ReduceRight",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1049",
          "name": "System Network Connections Discovery",
          "display_name": "T1049 - System Network Connections Discovery"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 3,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "adjadex1@gmail.com",
        "id": "187163",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 2599,
        "hostname": 952,
        "FileHash-SHA256": 458,
        "domain": 557
      },
      "indicator_count": 4566,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 69,
      "modified_text": "1474 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "62549aabb033e7afc5069f98",
      "name": "Malware - victim=fr",
      "description": "Mme, Mlle,   M. Compte, yn \u00f4l \u00a31.5m (\u20ac2.4m; \u20ac1m)",
      "modified": "2022-05-11T21:04:45.103000",
      "created": "2022-04-11T21:16:27.786000",
      "tags": [
        "freebox",
        "free",
        "mois pendant",
        "sabonner voir",
        "fibre free",
        "la fibre",
        "votre",
        "wifi",
        "freebox en",
        "offre",
        "delta",
        "face",
        "prix",
        "date",
        "this",
        "typeof e",
        "true",
        "function",
        "left",
        "bottom",
        "html",
        "nullt",
        "false",
        "next",
        "february",
        "april",
        "june",
        "august",
        "atom",
        "cookie",
        "close",
        "null",
        "back",
        "bounce",
        "kolab",
        "target",
        "object",
        "tcfuiservice",
        "reflect",
        "typeof proxy",
        "boolean",
        "agree",
        "disagree",
        "select",
        "save",
        "learn",
        "click",
        "gnu gpl",
        "copyright",
        "javascript code",
        "license",
        "extwin1",
        "framed1",
        "roundcube",
        "webmail client",
        "script",
        "team",
        "format",
        "regexp",
        "software",
        "error",
        "pseudo",
        "child",
        "the software",
        "sufeffxa0",
        "class",
        "attr",
        "javascript",
        "express",
        "nous",
        "didomi",
        "typeof t",
        "hmuvfyyh",
        "sekindo",
        "lkqd",
        "aol cdn",
        "ffffff",
        "montserrat",
        "adsl",
        "offres adsl",
        "internet",
        "t\u00e9l\u00e9phone",
        "t\u00e9l\u00e9phonie",
        "mobiles",
        "forfaits mobiles",
        "tv",
        "t\u00e9l\u00e9vision",
        "vod",
        "vid\u00e9o \u00e0 la demande",
        "multiposte",
        "radio",
        "routeur",
        "freeplayer",
        "multiplay",
        "d\u00e9groupage",
        "total",
        "partiel",
        "e-mail",
        "mail",
        "m\u00e9l",
        "fournisseur d'acc\u00e8s",
        "i.s.p.",
        "isp",
        "internaute",
        "internautes",
        "france",
        "fran\u00e7ais",
        "zimbra",
        "le webmail",
        "free fait",
        "webmail imp",
        "cela n",
        "webmail zimbra",
        "stockage",
        "pour migrer",
        "accder",
        "testteltext",
        "sans",
        "testziptext",
        "testziptext i",
        "testteltext i",
        "typenumber",
        "screenh",
        "tvbycanal",
        "tvbycanal147",
        "tvbycanal204",
        "tvbycanal83",
        "tvbycanal80",
        "tvbycanal34",
        "4000",
        "typeof console",
        "console",
        "nullc",
        "nulld",
        "customevent",
        "msanimationend",
        "typeof n",
        "typeof r",
        "x20trnf",
        "width",
        "accept",
        "json",
        "moz o",
        "custom build",
        "https",
        "xmlhttprequest",
        "typeof module",
        "webkit",
        "android",
        "flash",
        "span",
        "un espace",
        "phpmysql",
        "helvetica"
      ],
      "references": [
        "xfe-IP-212.27.63.109-stix2-2.1-export.json",
        "http://pageperso.free.fr/im/css/free.css",
        "http://passback.free.fr/pub/pp_300x250.html",
        "https://subscribe.free.fr/accesgratuit/index.html",
        "https://subscribe.free.fr/assets/js/vendor/modernizr.custom.js",
        "https://subscribe.free.fr/assets/js/vendor/jquery-1.9.1.min.js",
        "https://subscribe.free.fr/assets/js/plugins.min.js",
        "https://subscribe.free.fr/assets/js/vendor/wow.min.js",
        "https://subscribe.free.fr/assets/js/main.min.js",
        "https://subscribe.free.fr/assets/css/accesgratuit.min.css",
        "https://subscribe.free.fr/assets/css/app2.min.css",
        "https://webmail.free.fr/",
        "https://sdk.privacy-center.org/87df2f8d-232a-4617-8efc-3764b3bbd0c0/loader.js?target=webmail.free.fr",
        "https://webmail.free.fr/program/js/jquery.min.js?s=1510166541",
        "https://webmail.free.fr/program/js/app.min.js?s=1510166525",
        "https://sdk.privacy-center.org/ui-gdpr-en.a96c69ed0cb8f37a2deea6c49dd453517875ac60.js",
        "https://webmail.free.fr/plugins/jqueryui/js/jquery-ui.min.js?s=1510166524",
        "https://www.free.fr/freebox/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 4,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "adjadex1@gmail.com",
        "id": "187163",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "hostname": 1078,
        "URL": 2104,
        "domain": 290,
        "FileHash-SHA256": 117,
        "FileHash-MD5": 4,
        "FileHash-SHA1": 2
      },
      "indicator_count": 3595,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 68,
      "modified_text": "1481 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "625088e80292028d4e82311c",
      "name": "Botnet-malware -lgmhgjm.com",
      "description": "The full list of names and names of people who have taken part in the 2016 Olympics and Paralympics in Rio de Janeiro, Brazil, as part of the Rio Games, and as well as the 2017 Olympics in Brazil.",
      "modified": "2022-05-08T00:03:14.586000",
      "created": "2022-04-08T19:11:36.165000",
      "tags": [
        "function",
        "param",
        "object",
        "return",
        "webpackrequire",
        "constructor",
        "clipboard",
        "typeof",
        "symbol",
        "typeerror",
        "error",
        "click",
        "null",
        "copy",
        "factory",
        "super",
        "date",
        "target",
        "mustflag",
        "html",
        "applewebkit",
        "ipad",
        "mqqbrowser",
        "base",
        "trident",
        "presto",
        "gecko",
        "khtml",
        "ios android",
        "android",
        "array",
        "2f2f2i2i0f",
        "eh0g",
        "exptable",
        "logtable",
        "typeof h",
        "typeof e",
        "regexp",
        "typeof n",
        "typeof t",
        "width",
        "typeof r",
        "pseudo",
        "class",
        "this",
        "accept",
        "false",
        "https",
        "zeno rocha",
        "typeof define",
        "select",
        "input",
        "textarea",
        "0x455d",
        "0x34260b",
        "0x4ce9d1",
        "avge",
        "tung",
        "3ctz",
        "n33m",
        "0x514351",
        "hn4d",
        "0x70c2f4",
        "push",
        "shift",
        "baidu",
        "instanceof",
        "adjust",
        "body",
        "nulli",
        "windowi",
        "typeof jquery",
        "tthis",
        "mspointerdown",
        "child",
        "sfunction",
        "microsoft yahei",
        "arial",
        "x20trnf",
        "version",
        "swiper",
        "most",
        "copyright",
        "mit license",
        "october",
        "win32",
        "meta",
        "parsefloat",
        "androidgi",
        "iphonegi",
        "\u77ed\u89c6\u9891",
        "\u641e\u7b11\u89c6\u9891",
        "\u89c6\u9891\u5206\u4eab",
        "\u514d\u8d39\u89c6\u9891",
        "\u5728\u7ebf\u89c6\u9891",
        "\u9884\u544a\u7247",
        "wifi",
        "saol",
        "fc2ppv12518005",
        "oretd633riana01",
        "hodv sex",
        "orec37502",
        "06inn01",
        "siro2661ol2401",
        "garea742kou01",
        "175cm9av",
        "attr",
        "typeof symbol",
        "root",
        "length",
        "indexof",
        "x0ax20x20x20x20",
        "location",
        "math",
        "0x10",
        "0x18",
        "history",
        "config",
        "slice",
        "cookie",
        "open",
        "onload",
        "adunit",
        "refresh",
        "style",
        "position",
        "creativetplid",
        "show",
        "tcmod",
        "tcheight",
        "height",
        "yahei",
        "truetype",
        "f8f8f8",
        "typeof module",
        "reserved",
        "18hdxxxx\u4e2d\u56fd",
        "\u5973\u4e3b\u7a7f\u8d8a\u88ab\u8089\u6765\u8089\u53bbnp",
        "\u7537\u753718\u7981\u6c61\u8089\u56fe\u65e0\u7801",
        "\u65e0\u7801\u4e9a\u6d32\u6210a\u4eba\u7247\u5728\u7ebf\u89c2\u770b",
        "ore572s04",
        "ore572s03",
        "ore572s02",
        "ore572s01",
        "fc2ppv117430501",
        "cmi1513707",
        "cmi1513706",
        "cmi1513705",
        "cmi1513704",
        "cmi1513703",
        "\u514d\u8d39\u89c6\u9891\u7231\u7231\u592a\u723d\u4e86\u7f51\u7ad9_\u8001\u8272\u9b3c\u5728\u7ebf\u7cbe\u54c1\u89c6\u9891\u5728\u7ebf\u89c2\u770b_\u767d\u6d01\u4e00\u591c\u88ab\u723d\u4e86\u4e03\u6b21_\u5fd8\u4e86\u6234\u80f8\u7f69\u88ab\u540c\u5b66\u6478\u4e86\u4e00\u8282\u8bfe",
        "viewport"
      ],
      "references": [
        "xfe-URL-lgmhgjm.com-stix2-2.0-export.json",
        "http://www.lgmhgjm.com/common.js",
        "http://www.lgmhgjm.com/tj.js",
        "http://www.sp385.com/",
        "http://avtv10.com",
        "http://9766.tv",
        "https://xc.6xc.tv/?channelCode=xiaosu03_8",
        "https://app.okoockec.xyz:8443/apps/v2/index1/0c1d6cd4e9634a3d?m=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoiZzByUjNpMUczaEt0Sk5sZmVNSE44NEhjVDlDOVFTM2xEcm5pM1dIWG9UM1FBSklpR1phN01teTZOcjFxVVJIWVlhZnJPQkE9IiwiZXhwIjoxNjQ5NDQ0NDcyfQ.utSNnRI7C9FuWMUxhY4cufCJBIuHUk5vdk8Dj6WnXYs",
        "https://xc.6xc.tv/js/jquery-3.6.0.min.js",
        "https://xc.6xc.tv/css/index.css",
        "https://xctg07.cc/?channelCode=xiaosu03_8",
        "https://ad.abilm.info/bid?url=http%3A%2F%2Fkniveb.info%2F&frm=0&ref=http%3A%2F%2Fwww.sp385.com%2F&ic=1&pl=0&ml=0&sid=105:80:104:111:110:101:58:50:53:48:50:50:51:49:53:54:58:51:58:51:57:48:46:56:52:52&ps=20030107&lgs=0&zo=240&ws=390x844&gdm=0&iw=1&cpn=0&fid=5d80d32079e9fdb035e4886c32c6612e&hl=2&ihn=0&md=1&ns=undefined&np=undefined&pj=0&top=650&left=0&id=47&rid=ec5a07ef8f3e3f2c25ba75c7da106dcc&dcc=&dcl=&gvd=Apple%20Inc.&grr=Apple%20GPU&ct=unknown&diit=&dit=&cmn=",
        "http://sdk.51.la/js-sdk-pro.min.js",
        "http://sdk.51.la/event/js-sdk-event.min.js?u=JYWHYgTN1B6iZ5P2",
        "http://kniveb.info/template/9c/ads/gonggao.js",
        "http://kniveb.info/",
        "https://koban360.com/ky/?shareName=1736.com",
        "https://koban360.com/ky/js/flexible.js",
        "https://koban360.com/ky/js/swiper.min.js",
        "https://koban360.com/ky/js/jquery.min.js",
        "https://koban360.com/ky/css/m.css?vs=1.7",
        "https://libs.baidu.com/jquery/2.0.0/jquery.min.js",
        "https://xbt.0lunwen.com/3/js/flexible.js",
        "https://xbt.0lunwen.com/boinstall.js",
        "https://miaouuuc.com/?channelCode=852890&aid=852890",
        "https://miaouuuc.com/template/static/js/clipborad.min.js",
        "https://am96.vip/",
        "https://unpkg.com/jquery-1.10.2@1.10.2/jquery-1.10.2.min.js",
        "https://unpkg.com/jquery.qrcode@1.0.3/jquery.qrcode.min.js",
        "https://www.gootft.com/js/app.base.js;jsessionid=20F7490B81FBD25B0DE24EE1076D230D",
        "https://www.gootft.com/js/poplayer.js;jsessionid=20F7490B81FBD25B0DE24EE1076D230D",
        "https://unpkg.com/clipboard@2.0.8/dist/clipboard.js"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 3,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "adjadex1@gmail.com",
        "id": "187163",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "hostname": 482,
        "URL": 1383,
        "FileHash-SHA256": 104,
        "domain": 199,
        "FileHash-MD5": 2,
        "FileHash-SHA1": 1
      },
      "indicator_count": 2171,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 69,
      "modified_text": "1485 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "b.support",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "b.support",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780293726.1670334
}