{
  "type": "Domain",
  "indicator": "capecod.net",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/capecod.net",
    "alexa": "http://www.alexa.com/siteinfo/capecod.net",
    "indicator": "capecod.net",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 2600628389,
      "indicator": "capecod.net",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 5,
      "pulses": [
        {
          "id": "69f30ef4033560d49d39ac55",
          "name": "VirusTotal report\n                    for executable.exe",
          "description": "[security firm has developed a tool that can automatically identify a Wi-Fi password and make it easy to access it via the net. and use it to create a secure log-in system.] <remote, .net, failed cryptographic validation chains cause this.",
          "modified": "2026-05-30T09:04:01.553000",
          "created": "2026-04-30T08:12:36.771000",
          "tags": [
            "wifi password",
            "joe security",
            "nextron",
            "new run",
            "key pointing",
            "run key",
            "roth",
            "markus neis",
            "sander wiebing",
            "poudel",
            "public",
            "appdata"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1005",
              "name": "Data from Local System",
              "display_name": "T1005 - Data from Local System"
            },
            {
              "id": "T1010",
              "name": "Application Window Discovery",
              "display_name": "T1010 - Application Window Discovery"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1218",
              "name": "Signed Binary Proxy Execution",
              "display_name": "T1218 - Signed Binary Proxy Execution"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1552",
              "name": "Unsecured Credentials",
              "display_name": "T1552 - Unsecured Credentials"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 1069,
            "FileHash-SHA1": 868,
            "FileHash-SHA256": 2783,
            "URL": 764,
            "hostname": 756,
            "domain": 293,
            "email": 44,
            "CVE": 44
          },
          "indicator_count": 6621,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 67,
          "modified_text": "1 day ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69efc567ae24b8285a71099d",
          "name": "Enemy of the State: Order in the Court \u2022 Part 4 - World Media",
          "description": "Critical, out of control targeting. Suspected Pegasus related campaign seen in State of Colorado court and Hospital systems+++. The answer is NO. The crime victim / survivor was never going to be given a chance to bring forward a case of any type of. Silenced. Not allowed to pursue justice. Car accident. No. Robbed. No Assault. No. Either the State is heavily involved or systems are manipulated by adversaries.\n\nCVE found more than a year ago, Original OTX researchers Pulses not found.\nCVE Overview:\nIn affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance.",
          "modified": "2026-05-27T18:05:26.880000",
          "created": "2026-04-27T20:21:59.824000",
          "tags": [
            "wifi id",
            "april",
            "extraction",
            "enter sc",
            "type ol",
            "data upload",
            "extra",
            "referen",
            "wifi data",
            "wifi",
            "ntgraph xe",
            "dynamicloader",
            "high",
            "port",
            "a8 f0",
            "c0 a0",
            "c4 d8",
            "a4 c4",
            "cache",
            "yara rule",
            "write",
            "music",
            "explorer",
            "guard",
            "tracker",
            "media",
            "default",
            "file",
            "id login",
            "mwdb",
            "bazaar",
            "sha3384",
            "ssdeep",
            "xport",
            "accept",
            "agent",
            "shutdown",
            "pe file",
            "network info",
            "sample",
            "aslr",
            "program",
            "mitre attack",
            "processes extra",
            "overview zenbox",
            "verdict",
            "iocs",
            "extra data",
            "included iocs",
            "indicator",
            "review iocs",
            "find",
            "dr wifi",
            "include review",
            "exclude sugges",
            "find s",
            "failed",
            "typ url",
            "registrant name",
            "all domain",
            "passive dns",
            "urls",
            "files",
            "access",
            "all ipv4",
            "america flag",
            "des moines",
            "level",
            "zeppelin",
            "domain add",
            "united states",
            "active",
            "msie",
            "windows nt",
            "united",
            "search",
            "medium",
            "as16509",
            "unknown",
            "upatre",
            "malware",
            "next",
            "ip address",
            "pty ltd",
            "url analysis",
            "trojan",
            "write c",
            "suspicious",
            "tt tr",
            "ultradns client",
            "service",
            "name servers",
            "emails",
            "world media",
            "contacted",
            "post",
            "u001b4nu0017",
            "powershell",
            "sc data",
            "type",
            "enter",
            "data",
            "cre pul",
            "enric",
            "extraction data",
            "denver courts",
            "hacking",
            "mitm_attacks",
            "injustice",
            "tracking",
            "ai",
            "ee fc",
            "ff d5",
            "domain",
            "australia",
            "files ip",
            "script script",
            "set cookie",
            "cookie",
            "related pulses",
            "learn",
            "ck id",
            "name tactics",
            "informative",
            "adversaries",
            "command",
            "defense evasion",
            "spawns",
            "javascript",
            "ascii text",
            "pattern match",
            "mitre att",
            "null",
            "refresh",
            "span",
            "hybrid",
            "general",
            "local",
            "path",
            "click",
            "strings",
            "error",
            "tools",
            "title",
            "look",
            "verify",
            "restart",
            "australia asn",
            "as9714 vocus",
            "body",
            "certificate",
            "present may",
            "japan unknown",
            "a domains",
            "value",
            "content type",
            "location japan",
            "shibuya",
            "japan asn",
            "as2497 internet",
            "dns resolutions",
            "domains top",
            "united states",
            "ipv4",
            "targeting",
            "tsara brashears",
            "state colorado",
            "critical",
            "pornhub",
            "tulach",
            "sabey",
            "poleass",
            "foundrypalantir",
            "pegasus",
            "state",
            "quasi",
            "shhh",
            "denver",
            "dougco",
            "jeffrey reimer",
            "reimer gropes",
            "christopher ahmann",
            "workers compensation",
            "commerce industry",
            "aig",
            "industry commerce",
            "confluence"
          ],
          "references": [
            "[DR] Wifi ID Login v1.3 [03 April 2014].exe",
            "7d10881f146e0d4659948a3555b1eee33950647a3c830978d26f2c8e88d2a90a",
            "bell.ca",
            "indonesiawifi.net \u2022 http://welcome.indonesiawifi.net/wifi.id/speedy/?switch_url=http",
            "https://welcome.indonesiawifi.net/wifi.id/flexizone",
            "SLF:MSIL/PSTAnomaly.A  SHA1 826d75e406808e3f002cb2b6da09003f78d612a1 [winPEAS.exe] SQLite.Interop.pdb",
            "A target pursued post criminal assault on Pinnacol Assuranve insured premises",
            "https://tms.lingyiitech.com/ELSServer_LYZZ/ \u2022 https://oa.lingyiitech.com/login.jsp",
            "IDS Detections: Backdoor.Win32.Pushdo.s Checkin Observed DNS Query to .biz TLD",
            "IDS Detections: HTTP Request to a *.tw domain 403 Forbiddenau ...",
            "Yara Detections: PWSWin32Kegotip ,  VirusWin32Gogo ,  VirusWin32Hala ,  VirusWin32Wholdor",
            "Alerts: behavior_upatre multiple_useragents persistence_autorun network_icmp dead_connect",
            "Alerts:static_pe_anomaly suricata_alert antisandbox_sleep  dynamic_function_loading",
            "Alerts: http_request network_cnc_http network_http packer_entropy injection_rwx",
            "Alerts: antidebug_setunhandledexceptionfilter antivm_network_adapters",
            "IP\u2019s Contacted: 143.204.237.45  58.138.175.188  65.38.128.10  147.21.128.26  78.41.204.31  132.148.77.44",
            "IP\u2019s Contacted: 185.104.29.148  92.122.107.204  139.76.134.15  184.150.211.195",
            "Domains Contacted: 0handicap.at accountingtechs.biz 4dbenelux.be accountant.com knology.net",
            "Domains Contacted: badactor.us revasal.com yahoo.se excite.fr primus.com.au",
            "Backdoor.Win32.Pushdo.s Checkin",
            "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian \u2018nonsense Denver County Courts)",
            "Name Servers PDNS1.ULTRADNS.NET Org",
            "World Media Group, LLC Address 90 lrojanbownloader.vns. Washington Valley Rd., #",
            "https://otx.alienvault.com/indicator/cve/CVE-2022-26134",
            "Phishing: http://gravityboard.com/?ptrxcz_quy147AEHKNQUXadgkorvy158BFILO",
            "Created Pulses: NSO Group [Unnamed group] Unnamed group pi, pdfkit.net State of Colorado",
            "CVE-2022-26134\t Base Severity: Critical | Targeted | NSO Pegasus Relationships suspected",
            "https://www.mirvish.com/shows/come-from-away&geo=ca&merchantid=407759&useragent=Mozilla/5.0 (Linux; Android 13; Pixel 4a (5G) Build/TQ2A.230505.002; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/112.0.5615.136 Mobile Safari/537.36 GoogleApp/14.16.27.29.arm64 AppEngine-Google; (+ No Expiration",
            "Apple Cons: https://stetsed.xyz/apple \u2022 https://www.collierhonorflight.org/apple-touch-icon.png",
            "nr-data.net \u2022 https://www.sandoll.co.kr/AppleSDGothicNeo \u2022 aka.ms",
            "CVE-2022-26134 \u2022 CVSS V3 Severity ATTACK COMPLEXITY: LOW ATTACK VECTOR: NETWORK AVAILABILITY",
            "IMPACT: HIGH BASE SCORE: 9.8 BASE SEVERITY: CRITICAL CONFIDENTIALITY IMPACT: HIGH INTEGRITY IMPACT: HIGH",
            "CVE-2022-26134 \u2022  PRIVILEGES REQUIRED: NONE"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "SLF:MSIL/PSTAnomaly.A",
              "display_name": "SLF:MSIL/PSTAnomaly.A",
              "target": "/malware/SLF:MSIL/PSTAnomaly.A"
            },
            {
              "id": "Win.Trojan.Pushdo-20",
              "display_name": "Win.Trojan.Pushdo-20",
              "target": null
            },
            {
              "id": "TrojanDownloader:Win32/Cutwail.BS",
              "display_name": "TrojanDownloader:Win32/Cutwail.BS",
              "target": "/malware/TrojanDownloader:Win32/Cutwail.BS"
            },
            {
              "id": "TrojanDownloader:Win32/Cutwail.BV",
              "display_name": "TrojanDownloader:Win32/Cutwail.BV",
              "target": "/malware/TrojanDownloader:Win32/Cutwail.BV"
            },
            {
              "id": "World Media",
              "display_name": "World Media",
              "target": null
            },
            {
              "id": "CVE-2022-26134",
              "display_name": "CVE-2022-26134",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1045",
              "name": "Software Packing",
              "display_name": "T1045 - Software Packing"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1069",
              "name": "Permission Groups Discovery",
              "display_name": "T1069 - Permission Groups Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1480",
              "name": "Execution Guardrails",
              "display_name": "T1480 - Execution Guardrails"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1560",
              "name": "Archive Collected Data",
              "display_name": "T1560 - Archive Collected Data"
            },
            {
              "id": "T1553.002",
              "name": "Code Signing",
              "display_name": "T1553.002 - Code Signing"
            },
            {
              "id": "T1069.002",
              "name": "Domain Groups",
              "display_name": "T1069.002 - Domain Groups"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            }
          ],
          "industries": [
            "Government",
            "Legal",
            "Judicial",
            "Technology",
            "Telecommunications"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 1037,
            "hostname": 865,
            "domain": 685,
            "URL": 2224,
            "FileHash-MD5": 131,
            "FileHash-SHA1": 94,
            "CVE": 1,
            "email": 8,
            "SSLCertFingerprint": 6
          },
          "indicator_count": 5051,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 143,
          "modified_text": "3 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69efc7a6778f84c179d27073",
          "name": "Credit Q.Vashti - Cloned Pulse [\"Enemy of the State: Order in the Court\"]",
          "description": "",
          "modified": "2026-05-27T18:05:26.880000",
          "created": "2026-04-27T20:31:34.221000",
          "tags": [
            "wifi id",
            "april",
            "extraction",
            "enter sc",
            "type ol",
            "data upload",
            "extra",
            "referen",
            "wifi data",
            "wifi",
            "ntgraph xe",
            "dynamicloader",
            "high",
            "port",
            "a8 f0",
            "c0 a0",
            "c4 d8",
            "a4 c4",
            "cache",
            "yara rule",
            "write",
            "music",
            "explorer",
            "guard",
            "tracker",
            "media",
            "default",
            "file",
            "id login",
            "mwdb",
            "bazaar",
            "sha3384",
            "ssdeep",
            "xport",
            "accept",
            "agent",
            "shutdown",
            "pe file",
            "network info",
            "sample",
            "aslr",
            "program",
            "mitre attack",
            "processes extra",
            "overview zenbox",
            "verdict",
            "iocs",
            "extra data",
            "included iocs",
            "indicator",
            "review iocs",
            "find",
            "dr wifi",
            "include review",
            "exclude sugges",
            "find s",
            "failed",
            "typ url",
            "registrant name",
            "all domain",
            "passive dns",
            "urls",
            "files",
            "access",
            "all ipv4",
            "america flag",
            "des moines",
            "level",
            "zeppelin",
            "domain add",
            "united states",
            "active",
            "msie",
            "windows nt",
            "united",
            "search",
            "medium",
            "as16509",
            "unknown",
            "upatre",
            "malware",
            "next",
            "ip address",
            "pty ltd",
            "url analysis",
            "trojan",
            "write c",
            "suspicious",
            "tt tr",
            "ultradns client",
            "service",
            "name servers",
            "emails",
            "world media",
            "contacted",
            "post",
            "u001b4nu0017",
            "powershell",
            "sc data",
            "type",
            "enter",
            "data",
            "cre pul",
            "enric",
            "extraction data",
            "denver courts",
            "hacking",
            "mitm_attacks",
            "injustice",
            "tracking",
            "ai",
            "ee fc",
            "ff d5",
            "domain",
            "australia",
            "files ip",
            "script script",
            "set cookie",
            "cookie",
            "related pulses",
            "learn",
            "ck id",
            "name tactics",
            "informative",
            "adversaries",
            "command",
            "defense evasion",
            "spawns",
            "javascript",
            "ascii text",
            "pattern match",
            "mitre att",
            "null",
            "refresh",
            "span",
            "hybrid",
            "general",
            "local",
            "path",
            "click",
            "strings",
            "error",
            "tools",
            "title",
            "look",
            "verify",
            "restart",
            "australia asn",
            "as9714 vocus",
            "body",
            "certificate",
            "present may",
            "japan unknown",
            "a domains",
            "value",
            "content type",
            "location japan",
            "shibuya",
            "japan asn",
            "as2497 internet",
            "dns resolutions",
            "domains top",
            "united states",
            "ipv4",
            "targeting",
            "tsara brashears",
            "state colorado",
            "critical",
            "pornhub",
            "tulach",
            "sabey",
            "poleass",
            "foundrypalantir",
            "pegasus",
            "state",
            "quasi",
            "shhh",
            "denver",
            "dougco",
            "jeffrey reimer",
            "reimer gropes",
            "christopher ahmann",
            "workers compensation",
            "commerce industry",
            "aig",
            "industry commerce",
            "confluence"
          ],
          "references": [
            "[DR] Wifi ID Login v1.3 [03 April 2014].exe",
            "7d10881f146e0d4659948a3555b1eee33950647a3c830978d26f2c8e88d2a90a",
            "bell.ca",
            "indonesiawifi.net \u2022 http://welcome.indonesiawifi.net/wifi.id/speedy/?switch_url=http",
            "https://welcome.indonesiawifi.net/wifi.id/flexizone",
            "SLF:MSIL/PSTAnomaly.A  SHA1 826d75e406808e3f002cb2b6da09003f78d612a1 [winPEAS.exe] SQLite.Interop.pdb",
            "A target pursued post criminal assault on Pinnacol Assuranve insured premises",
            "https://tms.lingyiitech.com/ELSServer_LYZZ/ \u2022 https://oa.lingyiitech.com/login.jsp",
            "IDS Detections: Backdoor.Win32.Pushdo.s Checkin Observed DNS Query to .biz TLD",
            "IDS Detections: HTTP Request to a *.tw domain 403 Forbiddenau ...",
            "Yara Detections: PWSWin32Kegotip ,  VirusWin32Gogo ,  VirusWin32Hala ,  VirusWin32Wholdor",
            "Alerts: behavior_upatre multiple_useragents persistence_autorun network_icmp dead_connect",
            "Alerts:static_pe_anomaly suricata_alert antisandbox_sleep  dynamic_function_loading",
            "Alerts: http_request network_cnc_http network_http packer_entropy injection_rwx",
            "Alerts: antidebug_setunhandledexceptionfilter antivm_network_adapters",
            "IP\u2019s Contacted: 143.204.237.45  58.138.175.188  65.38.128.10  147.21.128.26  78.41.204.31  132.148.77.44",
            "IP\u2019s Contacted: 185.104.29.148  92.122.107.204  139.76.134.15  184.150.211.195",
            "Domains Contacted: 0handicap.at accountingtechs.biz 4dbenelux.be accountant.com knology.net",
            "Domains Contacted: badactor.us revasal.com yahoo.se excite.fr primus.com.au",
            "Backdoor.Win32.Pushdo.s Checkin",
            "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian \u2018nonsense Denver County Courts)",
            "Name Servers PDNS1.ULTRADNS.NET Org",
            "World Media Group, LLC Address 90 lrojanbownloader.vns. Washington Valley Rd., #",
            "https://otx.alienvault.com/indicator/cve/CVE-2022-26134",
            "Phishing: http://gravityboard.com/?ptrxcz_quy147AEHKNQUXadgkorvy158BFILO",
            "Created Pulses: NSO Group [Unnamed group] Unnamed group pi, pdfkit.net State of Colorado",
            "CVE-2022-26134\t Base Severity: Critical | Targeted | NSO Pegasus Relationships suspected",
            "https://www.mirvish.com/shows/come-from-away&geo=ca&merchantid=407759&useragent=Mozilla/5.0 (Linux; Android 13; Pixel 4a (5G) Build/TQ2A.230505.002; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/112.0.5615.136 Mobile Safari/537.36 GoogleApp/14.16.27.29.arm64 AppEngine-Google; (+ No Expiration",
            "Apple Cons: https://stetsed.xyz/apple \u2022 https://www.collierhonorflight.org/apple-touch-icon.png",
            "nr-data.net \u2022 https://www.sandoll.co.kr/AppleSDGothicNeo \u2022 aka.ms",
            "CVE-2022-26134 \u2022 CVSS V3 Severity ATTACK COMPLEXITY: LOW ATTACK VECTOR: NETWORK AVAILABILITY",
            "IMPACT: HIGH BASE SCORE: 9.8 BASE SEVERITY: CRITICAL CONFIDENTIALITY IMPACT: HIGH INTEGRITY IMPACT: HIGH",
            "CVE-2022-26134 \u2022  PRIVILEGES REQUIRED: NONE"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "SLF:MSIL/PSTAnomaly.A",
              "display_name": "SLF:MSIL/PSTAnomaly.A",
              "target": "/malware/SLF:MSIL/PSTAnomaly.A"
            },
            {
              "id": "Win.Trojan.Pushdo-20",
              "display_name": "Win.Trojan.Pushdo-20",
              "target": null
            },
            {
              "id": "TrojanDownloader:Win32/Cutwail.BS",
              "display_name": "TrojanDownloader:Win32/Cutwail.BS",
              "target": "/malware/TrojanDownloader:Win32/Cutwail.BS"
            },
            {
              "id": "TrojanDownloader:Win32/Cutwail.BV",
              "display_name": "TrojanDownloader:Win32/Cutwail.BV",
              "target": "/malware/TrojanDownloader:Win32/Cutwail.BV"
            },
            {
              "id": "World Media",
              "display_name": "World Media",
              "target": null
            },
            {
              "id": "CVE-2022-26134",
              "display_name": "CVE-2022-26134",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1045",
              "name": "Software Packing",
              "display_name": "T1045 - Software Packing"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1069",
              "name": "Permission Groups Discovery",
              "display_name": "T1069 - Permission Groups Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1480",
              "name": "Execution Guardrails",
              "display_name": "T1480 - Execution Guardrails"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1560",
              "name": "Archive Collected Data",
              "display_name": "T1560 - Archive Collected Data"
            },
            {
              "id": "T1553.002",
              "name": "Code Signing",
              "display_name": "T1553.002 - Code Signing"
            },
            {
              "id": "T1069.002",
              "name": "Domain Groups",
              "display_name": "T1069.002 - Domain Groups"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            }
          ],
          "industries": [
            "Government",
            "Legal",
            "Judicial",
            "Technology",
            "Telecommunications"
          ],
          "TLP": "white",
          "cloned_from": "69efc567ae24b8285a71099d",
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 1039,
            "hostname": 868,
            "domain": 687,
            "URL": 2226,
            "FileHash-MD5": 133,
            "FileHash-SHA1": 96,
            "CVE": 1,
            "email": 8,
            "SSLCertFingerprint": 6
          },
          "indicator_count": 5064,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 67,
          "modified_text": "3 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69d6c7fec016b76d49ed95ae",
          "name": "VirusTotal report\n                    for index.html",
          "description": "shatter",
          "modified": "2026-05-08T22:06:56.603000",
          "created": "2026-04-08T21:26:22.351000",
          "tags": [
            "performs dns",
            "united",
            "https",
            "found",
            "tls version",
            "mitre attack",
            "network info",
            "processes extra",
            "urls",
            "t1055 process",
            "phishing",
            "next",
            "script",
            "doctype html",
            "variablece2034",
            "head"
          ],
          "references": [
            "https://vtbehaviour.commondatastorage.googleapis.com/602820fab45e2260fc61a6b3e10ed0dd6fa5d27d0e571e4c3ebb10d14b8e8756_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775683438&Signature=khOWYYuus3ZD%2FA6t3hVsvbol60hQl5I46qotKwZMyqB6DNAXxK4JB97T0tmp862kfEfXlYLfR0OGuqJWYR0xjzw6jI3ClHipxRTHaVFE%2BW8vtqgbXdiqrad1nlgDGd6Xw4GAH8TdOhuhS856Rn9Koeg4m7TI%2FNzussElBucPkseVfb4X14JRTEjbYkMAFg1XVJ%2FeiUdlEu3jfg89YphMxVpB0IKI6V75BAOVK5Ptd1S6wScJvIStkG451uhiH0",
            "https://vtbehaviour.commondatastorage.googleapis.com/602820fab45e2260fc61a6b3e10ed0dd6fa5d27d0e571e4c3ebb10d14b8e8756_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775683485&Signature=RtGC7ItLn43wQgm4%2FHamRNp82WM%2BtkmJKZF1tBP1Lt%2BGqWf%2BNwCyCXYDesreIO4OILdto4gRkDqaJWfoXOD%2F6foz%2FIRXEyBU2UI0T6Bi%2B40WmRBVL94A0kBZ9Q8NHM2AsQoGx30hsnWlfsZIF9tqc3b9TAmpJHZNaEEJ44hkxWVLvlFu6BdnSKQBIqh8Al32ckdVzmDvpRTuF2ydQquoqvtZ5T5HyPKSlhH7TLacySC5a4lI"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1189",
              "name": "Drive-by Compromise",
              "display_name": "T1189 - Drive-by Compromise"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 442,
            "FileHash-MD5": 245,
            "FileHash-SHA1": 201,
            "FileHash-SHA256": 573,
            "URL": 570,
            "hostname": 1058,
            "email": 3,
            "SSLCertFingerprint": 2
          },
          "indicator_count": 3094,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 67,
          "modified_text": "22 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "66f100d791f9f9f6ab7b4f24",
          "name": "Cerber \u00bb Charter Communications \u00bb Spectrum Denver",
          "description": "[107.14.73.70] IP address range owned by Charter Communications Inc and located in Denver, Co United States.\n\nTargets & family neighborhood ISP's attacked again.  Internet and targets devices attacked , Internet had to be reset twice by tech teams. Our team was able to track comprises directed towards target and families devices, which they are destroying. Stolen passwords, leaks, forced content, dumping. Both Spectrum &  Quantum fiber positive for malicious activity within targeted devices. Fake iOS update pushed to a device. It comes with an agreement from Apple Singapore, LTD. \n\nMalware Families ,\nBackdoor:Win32/Tofse , \nCerber Ransomware ,\nET.  \nETPRO ,\nInject3.QGY ,\nKelihos ,\nNIDS ,\nNOD32 ,\nSf:ShellCode-AU\\ [Trj] , \nTrojan:Win32/Glupteba ,\nTrojanDownloader:Win32/Cutwail ,\nVirTool:Win32/Obfuscator",
          "modified": "2024-10-23T05:03:21.045000",
          "created": "2024-09-23T05:47:03.625000",
          "tags": [
            "isp charter",
            "usage type",
            "fixed line",
            "isp hostname",
            "domain name",
            "country united",
            "america city",
            "denver",
            "colorado",
            "ip address",
            "whois",
            "check",
            "information isp",
            "inc usage",
            "type fixed",
            "line isp",
            "hostname",
            "plesk forum",
            "centos web",
            "panel forum",
            "whois lookup",
            "netrange",
            "nethandle",
            "net107",
            "net1070000",
            "cc3517",
            "inc orgid",
            "dr city",
            "stateprov",
            "postalcode",
            "status",
            "as7843 charter",
            "united",
            "name servers",
            "passive dns",
            "urls",
            "domain",
            "search",
            "emails",
            "unknown",
            "scan endpoints",
            "all scoreblue",
            "ipv4",
            "files",
            "reverse dns",
            "location united",
            "win32",
            "abuseipdb",
            "read",
            "write",
            "read c",
            "server header",
            "show",
            "suspicious",
            "kelihos",
            "trojan",
            "artemis",
            "virustotal",
            "download",
            "drweb",
            "vipre",
            "panda",
            "malware",
            "specified",
            "next",
            "et trojan",
            "et info",
            "medium",
            "http",
            "ids detections",
            "yara detections",
            "e98c1cec8156",
            "as11426 charter",
            "as20001 charter",
            "as11427 charter",
            "as11351 charter",
            "as16787 charter",
            "as33363 charter",
            "as20115 charter",
            "as10796 charter",
            "as12271 charter",
            "body",
            "servers",
            "all search",
            "entries",
            "intel",
            "ms windows",
            "windows nt",
            "destination",
            "port",
            "asnone",
            "heurunsec",
            "etpro trojan",
            "nxdomain",
            "a nxdomain",
            "aaaa",
            "asnone united",
            "aaaa nxdomain",
            "backdoor",
            "pulse submit",
            "url analysis",
            "location oxford",
            "as3456 charter",
            "moved",
            "showing",
            "body doctype",
            "html public",
            "ietfdtd html",
            "as6976 verizon",
            "as701 verizon",
            "file samples",
            "files matching",
            "date hash",
            "copyright",
            "levelblue",
            "related pulses",
            "pulse pulses",
            "kryptikpii",
            "msr apr",
            "date",
            "creation date",
            "analyzer paste",
            "iocs",
            "samples",
            "secure server",
            "cname",
            "as5742",
            "body head",
            "object moved",
            "content length",
            "content type",
            "cookie",
            "as15133 verizon",
            "lowfi",
            "gmt server",
            "ecacc",
            "record value",
            "oxford",
            "michigan",
            "ns nxdomain",
            "soa nxdomain",
            "url http",
            "mitre att",
            "evasion ta0005",
            "creates",
            "discovery t1082",
            "reads software",
            "file",
            "t1083 reads",
            "jujubox",
            "zenbox",
            "get http",
            "request",
            "host",
            "win64",
            "khtml",
            "gecko",
            "response",
            "cus cndigicert",
            "tls rsa",
            "user",
            "javascript c",
            "doscom c",
            "text c",
            "files c",
            "storage",
            "file system",
            "filesadobe c",
            "appdata",
            "appdatalocal",
            "hostnames",
            "ta0002 command",
            "t1059 very",
            "t1064",
            "javascript",
            "modules t1129",
            "ta0003 create",
            "modify system",
            "process t1543",
            "windows service",
            "cisco umbrella",
            "blacklist",
            "safe site",
            "filerepmalware",
            "microsoft",
            "phishing bank",
            "sgeneric",
            "malware site",
            "unsafe",
            "number",
            "cus cngts",
            "ogoogle trust",
            "subject",
            "algorithm",
            "cus ouserver",
            "ouserver ca",
            "record type",
            "ttl value",
            "msms86718722",
            "query",
            "open",
            "capa",
            "create process",
            "windows create",
            "delete file",
            "write file",
            "windows check",
            "os version",
            "enumerate",
            "hashes",
            "signals mutexes",
            "mutexes",
            "open threat",
            "location los",
            "emails info",
            "expiration date",
            "write c",
            "process32nextw",
            "regsetvalueexa",
            "regdword",
            "module load",
            "t1129",
            "as51167 contabo",
            "germany unknown",
            "as40021 contabo",
            "encrypt",
            "hosting",
            "netherlands asn",
            "as204601 zomro",
            "pulses",
            "tags",
            "related tags",
            "indicator facts",
            "historical otx",
            "files ip",
            "asnone germany",
            "as174 cogent",
            "czechia unknown",
            "whitelisted",
            "certificate",
            "bittorrent dht",
            "post http",
            "et p2p",
            "cryptexportkey",
            "invalid pointer",
            "delete c",
            "post utcore",
            "benchhttp",
            "mozilla",
            "maldoc",
            "service",
            "tools",
            "nids",
            "et",
            "x95xd3xa4",
            "regbinary",
            "hx88x89",
            "kx82xd3x11",
            "xb9x8b",
            "x8dxb7xb7",
            "hx88x9ax1e",
            "mx81xd1r",
            "x92xac",
            "stream",
            "persistence",
            "execution",
            "dynamicloader",
            "contacted",
            "domains",
            "yara rule",
            "high",
            "dynamic",
            "pcap",
            "pushdo",
            "msie",
            "activity beacon",
            "malware beacon",
            "default",
            "redacted for",
            "for privacy",
            "as3379 kaiser",
            "server",
            "gmt content",
            "type",
            "x frame",
            "entries http",
            "scans show",
            "domain related",
            "no data",
            "tag count",
            "fakedout threat",
            "analyzer threat",
            "url summary",
            "ip summary",
            "summary",
            "sample",
            "detection list",
            "components",
            "zune",
            "etpro",
            "nod32",
            "avast avg",
            "next http",
            "example domain",
            "title meta",
            "invalid url",
            "akamai",
            "urls http",
            "as20940",
            "as16625 akamai",
            "netherlands",
            "germany",
            "france",
            "virtool",
            "rock",
            "address",
            "apache",
            "accept",
            "as8075",
            "pulse http",
            "related nids",
            "files location",
            "moldova related",
            "pulses none",
            "as31898 oracle",
            "title",
            "kryptiklfq",
            "win32dh",
            "vitro",
            "shutdown",
            "erase",
            "find",
            "close",
            "as53418",
            "hat server",
            "as797 att",
            "script urls",
            "a domains",
            "as10753 level",
            "script script",
            "meta",
            "path",
            "null",
            "stop",
            "as54113",
            "chrome",
            "as7018 att",
            "as28521",
            "mexico unknown",
            "fastly error",
            "please",
            "sea p",
            "object",
            "set cookie",
            "pragma",
            "as19536 directv",
            "united kingdom",
            "as60664 xion",
            "trojan features",
            "moldova unknown",
            "susp",
            "breaking news",
            "business",
            "finance",
            "entertainment",
            "sports",
            "games",
            "trending videos",
            "weather",
            "home",
            "as396982 google",
            "url https",
            "type indicator",
            "role title",
            "added active",
            "cyberfolks",
            ".pl",
            "level 3"
          ],
          "references": [
            "ISP: Charter Communications Inc Usage Type\tFixed Line ISP",
            "dnvrco-pub-iedge-vip.email.rr.com \tspectrum.com Denver, Colorado USA",
            "dnscache2b.cdptpa dnvrco-oms2ims-mta-svip-01.email dnvrco-queue04-ac.email dnvrco-ring-a62.email dnvrco-smss-f01-ac.email dnvrco-west-dhcpw-02.",
            "Reverse DNS dnvrco-pub-iedge-vip.email.rr.com",
            "Crypt3.COYL FileHash - SHA256 cb536e2e5eb3b23a74702f80832ab964e7dfe07763300437b5ba581f464a108e",
            "IDS Detections: Suspicious double Server Header Possible Kelihos",
            "IDS Detections: Possible Kelihos Infection Executable Download With Malformed Header",
            "telemetry-incoming.r53-2.services.mozilla.com",
            "https://otx.alienvault.com/indicator/url/http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel",
            "http://www.door.net/ARISBE/arisbe.htm",
            "talk.plesk.com | 4evermusic.pl |  nist.gov | alaska.gov.inbound10.mxlogic.net | publicfiles.fcc.gov",
            "https://cdns.directv.com/resources/js/dtv/framework/plugins/jquery.placeholder.min.js | peri.com.pl"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America",
            "Germany",
            "Hungary",
            "Ukraine",
            "Spain",
            "Brazil",
            "Russian Federation",
            "Moldova, Republic of",
            "Japan",
            "Ireland",
            "Luxembourg",
            "Canada"
          ],
          "malware_families": [
            {
              "id": "TrojanDownloader:Win32/Cutwail",
              "display_name": "TrojanDownloader:Win32/Cutwail",
              "target": "/malware/TrojanDownloader:Win32/Cutwail"
            },
            {
              "id": "Backdoor:Win32/Tofsee",
              "display_name": "Backdoor:Win32/Tofsee",
              "target": "/malware/Backdoor:Win32/Tofsee"
            },
            {
              "id": "Cerber Ransomware",
              "display_name": "Cerber Ransomware",
              "target": null
            },
            {
              "id": "NIDS",
              "display_name": "NIDS",
              "target": null
            },
            {
              "id": "ET",
              "display_name": "ET",
              "target": null
            },
            {
              "id": "Inject3.QGY",
              "display_name": "Inject3.QGY",
              "target": null
            },
            {
              "id": "Kelihos",
              "display_name": "Kelihos",
              "target": null
            },
            {
              "id": "ETPRO",
              "display_name": "ETPRO",
              "target": null
            },
            {
              "id": "NOD32",
              "display_name": "NOD32",
              "target": null
            },
            {
              "id": "VirTool:Win32/Obfuscator",
              "display_name": "VirTool:Win32/Obfuscator",
              "target": "/malware/VirTool:Win32/Obfuscator"
            },
            {
              "id": "Sf:ShellCode-AU\\ [Trj]",
              "display_name": "Sf:ShellCode-AU\\ [Trj]",
              "target": null
            },
            {
              "id": "Trojan:Win32/Glupteba",
              "display_name": "Trojan:Win32/Glupteba",
              "target": "/malware/Trojan:Win32/Glupteba"
            }
          ],
          "attack_ids": [
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1119",
              "name": "Automated Collection",
              "display_name": "T1119 - Automated Collection"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1064",
              "name": "Scripting",
              "display_name": "T1064 - Scripting"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1543",
              "name": "Create or Modify System Process",
              "display_name": "T1543 - Create or Modify System Process"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1023",
              "name": "Shortcut Modification",
              "display_name": "T1023 - Shortcut Modification"
            },
            {
              "id": "T1040",
              "name": "Network Sniffing",
              "display_name": "T1040 - Network Sniffing"
            },
            {
              "id": "T1045",
              "name": "Software Packing",
              "display_name": "T1045 - Software Packing"
            },
            {
              "id": "T1047",
              "name": "Windows Management Instrumentation",
              "display_name": "T1047 - Windows Management Instrumentation"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1031",
              "name": "Modify Existing Service",
              "display_name": "T1031 - Modify Existing Service"
            },
            {
              "id": "T1089",
              "name": "Disabling Security Tools",
              "display_name": "T1089 - Disabling Security Tools"
            },
            {
              "id": "T1096",
              "name": "NTFS File Attributes",
              "display_name": "T1096 - NTFS File Attributes"
            },
            {
              "id": "T1112",
              "name": "Modify Registry",
              "display_name": "T1112 - Modify Registry"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 37,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "scoreblue",
            "id": "254100",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 2060,
            "hostname": 3067,
            "CIDR": 4,
            "URL": 1300,
            "email": 29,
            "FileHash-MD5": 3181,
            "FileHash-SHA1": 1994,
            "FileHash-SHA256": 3228,
            "CVE": 2,
            "SSLCertFingerprint": 1
          },
          "indicator_count": 14866,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 233,
          "modified_text": "585 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "Alerts: antidebug_setunhandledexceptionfilter antivm_network_adapters",
        "ISP: Charter Communications Inc Usage Type\tFixed Line ISP",
        "SLF:MSIL/PSTAnomaly.A  SHA1 826d75e406808e3f002cb2b6da09003f78d612a1 [winPEAS.exe] SQLite.Interop.pdb",
        "https://otx.alienvault.com/indicator/cve/CVE-2022-26134",
        "Reverse DNS dnvrco-pub-iedge-vip.email.rr.com",
        "dnscache2b.cdptpa dnvrco-oms2ims-mta-svip-01.email dnvrco-queue04-ac.email dnvrco-ring-a62.email dnvrco-smss-f01-ac.email dnvrco-west-dhcpw-02.",
        "bell.ca",
        "https://tms.lingyiitech.com/ELSServer_LYZZ/ \u2022 https://oa.lingyiitech.com/login.jsp",
        "7d10881f146e0d4659948a3555b1eee33950647a3c830978d26f2c8e88d2a90a",
        "Crypt3.COYL FileHash - SHA256 cb536e2e5eb3b23a74702f80832ab964e7dfe07763300437b5ba581f464a108e",
        "Alerts: http_request network_cnc_http network_http packer_entropy injection_rwx",
        "Yara Detections: PWSWin32Kegotip ,  VirusWin32Gogo ,  VirusWin32Hala ,  VirusWin32Wholdor",
        "Name Servers PDNS1.ULTRADNS.NET Org",
        "https://otx.alienvault.com/indicator/url/http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel",
        "CVE-2022-26134\t Base Severity: Critical | Targeted | NSO Pegasus Relationships suspected",
        "https://vtbehaviour.commondatastorage.googleapis.com/602820fab45e2260fc61a6b3e10ed0dd6fa5d27d0e571e4c3ebb10d14b8e8756_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775683438&Signature=khOWYYuus3ZD%2FA6t3hVsvbol60hQl5I46qotKwZMyqB6DNAXxK4JB97T0tmp862kfEfXlYLfR0OGuqJWYR0xjzw6jI3ClHipxRTHaVFE%2BW8vtqgbXdiqrad1nlgDGd6Xw4GAH8TdOhuhS856Rn9Koeg4m7TI%2FNzussElBucPkseVfb4X14JRTEjbYkMAFg1XVJ%2FeiUdlEu3jfg89YphMxVpB0IKI6V75BAOVK5Ptd1S6wScJvIStkG451uhiH0",
        "IDS Detections: Possible Kelihos Infection Executable Download With Malformed Header",
        "[DR] Wifi ID Login v1.3 [03 April 2014].exe",
        "Created Pulses: NSO Group [Unnamed group] Unnamed group pi, pdfkit.net State of Colorado",
        "IP\u2019s Contacted: 143.204.237.45  58.138.175.188  65.38.128.10  147.21.128.26  78.41.204.31  132.148.77.44",
        "Backdoor.Win32.Pushdo.s Checkin",
        "Alerts:static_pe_anomaly suricata_alert antisandbox_sleep  dynamic_function_loading",
        "IDS Detections: Backdoor.Win32.Pushdo.s Checkin Observed DNS Query to .biz TLD",
        "http://www.door.net/ARISBE/arisbe.htm",
        "telemetry-incoming.r53-2.services.mozilla.com",
        "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian \u2018nonsense Denver County Courts)",
        "A target pursued post criminal assault on Pinnacol Assuranve insured premises",
        "Domains Contacted: badactor.us revasal.com yahoo.se excite.fr primus.com.au",
        "IDS Detections: HTTP Request to a *.tw domain 403 Forbiddenau ...",
        "https://welcome.indonesiawifi.net/wifi.id/flexizone",
        "Alerts: behavior_upatre multiple_useragents persistence_autorun network_icmp dead_connect",
        "World Media Group, LLC Address 90 lrojanbownloader.vns. Washington Valley Rd., #",
        "CVE-2022-26134 \u2022 CVSS V3 Severity ATTACK COMPLEXITY: LOW ATTACK VECTOR: NETWORK AVAILABILITY",
        "dnvrco-pub-iedge-vip.email.rr.com \tspectrum.com Denver, Colorado USA",
        "Domains Contacted: 0handicap.at accountingtechs.biz 4dbenelux.be accountant.com knology.net",
        "talk.plesk.com | 4evermusic.pl |  nist.gov | alaska.gov.inbound10.mxlogic.net | publicfiles.fcc.gov",
        "https://cdns.directv.com/resources/js/dtv/framework/plugins/jquery.placeholder.min.js | peri.com.pl",
        "Apple Cons: https://stetsed.xyz/apple \u2022 https://www.collierhonorflight.org/apple-touch-icon.png",
        "IDS Detections: Suspicious double Server Header Possible Kelihos",
        "Phishing: http://gravityboard.com/?ptrxcz_quy147AEHKNQUXadgkorvy158BFILO",
        "nr-data.net \u2022 https://www.sandoll.co.kr/AppleSDGothicNeo \u2022 aka.ms",
        "indonesiawifi.net \u2022 http://welcome.indonesiawifi.net/wifi.id/speedy/?switch_url=http",
        "https://vtbehaviour.commondatastorage.googleapis.com/602820fab45e2260fc61a6b3e10ed0dd6fa5d27d0e571e4c3ebb10d14b8e8756_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775683485&Signature=RtGC7ItLn43wQgm4%2FHamRNp82WM%2BtkmJKZF1tBP1Lt%2BGqWf%2BNwCyCXYDesreIO4OILdto4gRkDqaJWfoXOD%2F6foz%2FIRXEyBU2UI0T6Bi%2B40WmRBVL94A0kBZ9Q8NHM2AsQoGx30hsnWlfsZIF9tqc3b9TAmpJHZNaEEJ44hkxWVLvlFu6BdnSKQBIqh8Al32ckdVzmDvpRTuF2ydQquoqvtZ5T5HyPKSlhH7TLacySC5a4lI",
        "IMPACT: HIGH BASE SCORE: 9.8 BASE SEVERITY: CRITICAL CONFIDENTIALITY IMPACT: HIGH INTEGRITY IMPACT: HIGH",
        "CVE-2022-26134 \u2022  PRIVILEGES REQUIRED: NONE",
        "https://www.mirvish.com/shows/come-from-away&geo=ca&merchantid=407759&useragent=Mozilla/5.0 (Linux; Android 13; Pixel 4a (5G) Build/TQ2A.230505.002; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/112.0.5615.136 Mobile Safari/537.36 GoogleApp/14.16.27.29.arm64 AppEngine-Google; (+ No Expiration",
        "IP\u2019s Contacted: 185.104.29.148  92.122.107.204  139.76.134.15  184.150.211.195"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": []
        },
        "other": {
          "adversary": [],
          "malware_families": [
            "Trojan:win32/glupteba",
            "Trojandownloader:win32/cutwail.bs",
            "Kelihos",
            "Sf:shellcode-au\\ [trj]",
            "Win.trojan.pushdo-20",
            "World media",
            "Cerber ransomware",
            "Nod32",
            "Nids",
            "Et",
            "Cve-2022-26134",
            "Virtool:win32/obfuscator",
            "Trojandownloader:win32/cutwail",
            "Slf:msil/pstanomaly.a",
            "Inject3.qgy",
            "Etpro",
            "Trojandownloader:win32/cutwail.bv",
            "Backdoor:win32/tofsee"
          ],
          "industries": [
            "Government",
            "Judicial",
            "Telecommunications",
            "Legal",
            "Technology"
          ]
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 5,
  "pulses": [
    {
      "id": "69f30ef4033560d49d39ac55",
      "name": "VirusTotal report\n                    for executable.exe",
      "description": "[security firm has developed a tool that can automatically identify a Wi-Fi password and make it easy to access it via the net. and use it to create a secure log-in system.] <remote, .net, failed cryptographic validation chains cause this.",
      "modified": "2026-05-30T09:04:01.553000",
      "created": "2026-04-30T08:12:36.771000",
      "tags": [
        "wifi password",
        "joe security",
        "nextron",
        "new run",
        "key pointing",
        "run key",
        "roth",
        "markus neis",
        "sander wiebing",
        "poudel",
        "public",
        "appdata"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1003",
          "name": "OS Credential Dumping",
          "display_name": "T1003 - OS Credential Dumping"
        },
        {
          "id": "T1005",
          "name": "Data from Local System",
          "display_name": "T1005 - Data from Local System"
        },
        {
          "id": "T1010",
          "name": "Application Window Discovery",
          "display_name": "T1010 - Application Window Discovery"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1053",
          "name": "Scheduled Task/Job",
          "display_name": "T1053 - Scheduled Task/Job"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1095",
          "name": "Non-Application Layer Protocol",
          "display_name": "T1095 - Non-Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1218",
          "name": "Signed Binary Proxy Execution",
          "display_name": "T1218 - Signed Binary Proxy Execution"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1552",
          "name": "Unsecured Credentials",
          "display_name": "T1552 - Unsecured Credentials"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 1069,
        "FileHash-SHA1": 868,
        "FileHash-SHA256": 2783,
        "URL": 764,
        "hostname": 756,
        "domain": 293,
        "email": 44,
        "CVE": 44
      },
      "indicator_count": 6621,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 67,
      "modified_text": "1 day ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69efc567ae24b8285a71099d",
      "name": "Enemy of the State: Order in the Court \u2022 Part 4 - World Media",
      "description": "Critical, out of control targeting. Suspected Pegasus related campaign seen in State of Colorado court and Hospital systems+++. The answer is NO. The crime victim / survivor was never going to be given a chance to bring forward a case of any type of. Silenced. Not allowed to pursue justice. Car accident. No. Robbed. No Assault. No. Either the State is heavily involved or systems are manipulated by adversaries.\n\nCVE found more than a year ago, Original OTX researchers Pulses not found.\nCVE Overview:\nIn affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance.",
      "modified": "2026-05-27T18:05:26.880000",
      "created": "2026-04-27T20:21:59.824000",
      "tags": [
        "wifi id",
        "april",
        "extraction",
        "enter sc",
        "type ol",
        "data upload",
        "extra",
        "referen",
        "wifi data",
        "wifi",
        "ntgraph xe",
        "dynamicloader",
        "high",
        "port",
        "a8 f0",
        "c0 a0",
        "c4 d8",
        "a4 c4",
        "cache",
        "yara rule",
        "write",
        "music",
        "explorer",
        "guard",
        "tracker",
        "media",
        "default",
        "file",
        "id login",
        "mwdb",
        "bazaar",
        "sha3384",
        "ssdeep",
        "xport",
        "accept",
        "agent",
        "shutdown",
        "pe file",
        "network info",
        "sample",
        "aslr",
        "program",
        "mitre attack",
        "processes extra",
        "overview zenbox",
        "verdict",
        "iocs",
        "extra data",
        "included iocs",
        "indicator",
        "review iocs",
        "find",
        "dr wifi",
        "include review",
        "exclude sugges",
        "find s",
        "failed",
        "typ url",
        "registrant name",
        "all domain",
        "passive dns",
        "urls",
        "files",
        "access",
        "all ipv4",
        "america flag",
        "des moines",
        "level",
        "zeppelin",
        "domain add",
        "united states",
        "active",
        "msie",
        "windows nt",
        "united",
        "search",
        "medium",
        "as16509",
        "unknown",
        "upatre",
        "malware",
        "next",
        "ip address",
        "pty ltd",
        "url analysis",
        "trojan",
        "write c",
        "suspicious",
        "tt tr",
        "ultradns client",
        "service",
        "name servers",
        "emails",
        "world media",
        "contacted",
        "post",
        "u001b4nu0017",
        "powershell",
        "sc data",
        "type",
        "enter",
        "data",
        "cre pul",
        "enric",
        "extraction data",
        "denver courts",
        "hacking",
        "mitm_attacks",
        "injustice",
        "tracking",
        "ai",
        "ee fc",
        "ff d5",
        "domain",
        "australia",
        "files ip",
        "script script",
        "set cookie",
        "cookie",
        "related pulses",
        "learn",
        "ck id",
        "name tactics",
        "informative",
        "adversaries",
        "command",
        "defense evasion",
        "spawns",
        "javascript",
        "ascii text",
        "pattern match",
        "mitre att",
        "null",
        "refresh",
        "span",
        "hybrid",
        "general",
        "local",
        "path",
        "click",
        "strings",
        "error",
        "tools",
        "title",
        "look",
        "verify",
        "restart",
        "australia asn",
        "as9714 vocus",
        "body",
        "certificate",
        "present may",
        "japan unknown",
        "a domains",
        "value",
        "content type",
        "location japan",
        "shibuya",
        "japan asn",
        "as2497 internet",
        "dns resolutions",
        "domains top",
        "united states",
        "ipv4",
        "targeting",
        "tsara brashears",
        "state colorado",
        "critical",
        "pornhub",
        "tulach",
        "sabey",
        "poleass",
        "foundrypalantir",
        "pegasus",
        "state",
        "quasi",
        "shhh",
        "denver",
        "dougco",
        "jeffrey reimer",
        "reimer gropes",
        "christopher ahmann",
        "workers compensation",
        "commerce industry",
        "aig",
        "industry commerce",
        "confluence"
      ],
      "references": [
        "[DR] Wifi ID Login v1.3 [03 April 2014].exe",
        "7d10881f146e0d4659948a3555b1eee33950647a3c830978d26f2c8e88d2a90a",
        "bell.ca",
        "indonesiawifi.net \u2022 http://welcome.indonesiawifi.net/wifi.id/speedy/?switch_url=http",
        "https://welcome.indonesiawifi.net/wifi.id/flexizone",
        "SLF:MSIL/PSTAnomaly.A  SHA1 826d75e406808e3f002cb2b6da09003f78d612a1 [winPEAS.exe] SQLite.Interop.pdb",
        "A target pursued post criminal assault on Pinnacol Assuranve insured premises",
        "https://tms.lingyiitech.com/ELSServer_LYZZ/ \u2022 https://oa.lingyiitech.com/login.jsp",
        "IDS Detections: Backdoor.Win32.Pushdo.s Checkin Observed DNS Query to .biz TLD",
        "IDS Detections: HTTP Request to a *.tw domain 403 Forbiddenau ...",
        "Yara Detections: PWSWin32Kegotip ,  VirusWin32Gogo ,  VirusWin32Hala ,  VirusWin32Wholdor",
        "Alerts: behavior_upatre multiple_useragents persistence_autorun network_icmp dead_connect",
        "Alerts:static_pe_anomaly suricata_alert antisandbox_sleep  dynamic_function_loading",
        "Alerts: http_request network_cnc_http network_http packer_entropy injection_rwx",
        "Alerts: antidebug_setunhandledexceptionfilter antivm_network_adapters",
        "IP\u2019s Contacted: 143.204.237.45  58.138.175.188  65.38.128.10  147.21.128.26  78.41.204.31  132.148.77.44",
        "IP\u2019s Contacted: 185.104.29.148  92.122.107.204  139.76.134.15  184.150.211.195",
        "Domains Contacted: 0handicap.at accountingtechs.biz 4dbenelux.be accountant.com knology.net",
        "Domains Contacted: badactor.us revasal.com yahoo.se excite.fr primus.com.au",
        "Backdoor.Win32.Pushdo.s Checkin",
        "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian \u2018nonsense Denver County Courts)",
        "Name Servers PDNS1.ULTRADNS.NET Org",
        "World Media Group, LLC Address 90 lrojanbownloader.vns. Washington Valley Rd., #",
        "https://otx.alienvault.com/indicator/cve/CVE-2022-26134",
        "Phishing: http://gravityboard.com/?ptrxcz_quy147AEHKNQUXadgkorvy158BFILO",
        "Created Pulses: NSO Group [Unnamed group] Unnamed group pi, pdfkit.net State of Colorado",
        "CVE-2022-26134\t Base Severity: Critical | Targeted | NSO Pegasus Relationships suspected",
        "https://www.mirvish.com/shows/come-from-away&geo=ca&merchantid=407759&useragent=Mozilla/5.0 (Linux; Android 13; Pixel 4a (5G) Build/TQ2A.230505.002; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/112.0.5615.136 Mobile Safari/537.36 GoogleApp/14.16.27.29.arm64 AppEngine-Google; (+ No Expiration",
        "Apple Cons: https://stetsed.xyz/apple \u2022 https://www.collierhonorflight.org/apple-touch-icon.png",
        "nr-data.net \u2022 https://www.sandoll.co.kr/AppleSDGothicNeo \u2022 aka.ms",
        "CVE-2022-26134 \u2022 CVSS V3 Severity ATTACK COMPLEXITY: LOW ATTACK VECTOR: NETWORK AVAILABILITY",
        "IMPACT: HIGH BASE SCORE: 9.8 BASE SEVERITY: CRITICAL CONFIDENTIALITY IMPACT: HIGH INTEGRITY IMPACT: HIGH",
        "CVE-2022-26134 \u2022  PRIVILEGES REQUIRED: NONE"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "SLF:MSIL/PSTAnomaly.A",
          "display_name": "SLF:MSIL/PSTAnomaly.A",
          "target": "/malware/SLF:MSIL/PSTAnomaly.A"
        },
        {
          "id": "Win.Trojan.Pushdo-20",
          "display_name": "Win.Trojan.Pushdo-20",
          "target": null
        },
        {
          "id": "TrojanDownloader:Win32/Cutwail.BS",
          "display_name": "TrojanDownloader:Win32/Cutwail.BS",
          "target": "/malware/TrojanDownloader:Win32/Cutwail.BS"
        },
        {
          "id": "TrojanDownloader:Win32/Cutwail.BV",
          "display_name": "TrojanDownloader:Win32/Cutwail.BV",
          "target": "/malware/TrojanDownloader:Win32/Cutwail.BV"
        },
        {
          "id": "World Media",
          "display_name": "World Media",
          "target": null
        },
        {
          "id": "CVE-2022-26134",
          "display_name": "CVE-2022-26134",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1045",
          "name": "Software Packing",
          "display_name": "T1045 - Software Packing"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        },
        {
          "id": "T1060",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1060 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1059.001",
          "name": "PowerShell",
          "display_name": "T1059.001 - PowerShell"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1069",
          "name": "Permission Groups Discovery",
          "display_name": "T1069 - Permission Groups Discovery"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1480",
          "name": "Execution Guardrails",
          "display_name": "T1480 - Execution Guardrails"
        },
        {
          "id": "T1553",
          "name": "Subvert Trust Controls",
          "display_name": "T1553 - Subvert Trust Controls"
        },
        {
          "id": "T1560",
          "name": "Archive Collected Data",
          "display_name": "T1560 - Archive Collected Data"
        },
        {
          "id": "T1553.002",
          "name": "Code Signing",
          "display_name": "T1553.002 - Code Signing"
        },
        {
          "id": "T1069.002",
          "name": "Domain Groups",
          "display_name": "T1069.002 - Domain Groups"
        },
        {
          "id": "T1071.004",
          "name": "DNS",
          "display_name": "T1071.004 - DNS"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        }
      ],
      "industries": [
        "Government",
        "Legal",
        "Judicial",
        "Technology",
        "Telecommunications"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Q.Vashti",
        "id": "337942",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 1037,
        "hostname": 865,
        "domain": 685,
        "URL": 2224,
        "FileHash-MD5": 131,
        "FileHash-SHA1": 94,
        "CVE": 1,
        "email": 8,
        "SSLCertFingerprint": 6
      },
      "indicator_count": 5051,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 143,
      "modified_text": "3 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69efc7a6778f84c179d27073",
      "name": "Credit Q.Vashti - Cloned Pulse [\"Enemy of the State: Order in the Court\"]",
      "description": "",
      "modified": "2026-05-27T18:05:26.880000",
      "created": "2026-04-27T20:31:34.221000",
      "tags": [
        "wifi id",
        "april",
        "extraction",
        "enter sc",
        "type ol",
        "data upload",
        "extra",
        "referen",
        "wifi data",
        "wifi",
        "ntgraph xe",
        "dynamicloader",
        "high",
        "port",
        "a8 f0",
        "c0 a0",
        "c4 d8",
        "a4 c4",
        "cache",
        "yara rule",
        "write",
        "music",
        "explorer",
        "guard",
        "tracker",
        "media",
        "default",
        "file",
        "id login",
        "mwdb",
        "bazaar",
        "sha3384",
        "ssdeep",
        "xport",
        "accept",
        "agent",
        "shutdown",
        "pe file",
        "network info",
        "sample",
        "aslr",
        "program",
        "mitre attack",
        "processes extra",
        "overview zenbox",
        "verdict",
        "iocs",
        "extra data",
        "included iocs",
        "indicator",
        "review iocs",
        "find",
        "dr wifi",
        "include review",
        "exclude sugges",
        "find s",
        "failed",
        "typ url",
        "registrant name",
        "all domain",
        "passive dns",
        "urls",
        "files",
        "access",
        "all ipv4",
        "america flag",
        "des moines",
        "level",
        "zeppelin",
        "domain add",
        "united states",
        "active",
        "msie",
        "windows nt",
        "united",
        "search",
        "medium",
        "as16509",
        "unknown",
        "upatre",
        "malware",
        "next",
        "ip address",
        "pty ltd",
        "url analysis",
        "trojan",
        "write c",
        "suspicious",
        "tt tr",
        "ultradns client",
        "service",
        "name servers",
        "emails",
        "world media",
        "contacted",
        "post",
        "u001b4nu0017",
        "powershell",
        "sc data",
        "type",
        "enter",
        "data",
        "cre pul",
        "enric",
        "extraction data",
        "denver courts",
        "hacking",
        "mitm_attacks",
        "injustice",
        "tracking",
        "ai",
        "ee fc",
        "ff d5",
        "domain",
        "australia",
        "files ip",
        "script script",
        "set cookie",
        "cookie",
        "related pulses",
        "learn",
        "ck id",
        "name tactics",
        "informative",
        "adversaries",
        "command",
        "defense evasion",
        "spawns",
        "javascript",
        "ascii text",
        "pattern match",
        "mitre att",
        "null",
        "refresh",
        "span",
        "hybrid",
        "general",
        "local",
        "path",
        "click",
        "strings",
        "error",
        "tools",
        "title",
        "look",
        "verify",
        "restart",
        "australia asn",
        "as9714 vocus",
        "body",
        "certificate",
        "present may",
        "japan unknown",
        "a domains",
        "value",
        "content type",
        "location japan",
        "shibuya",
        "japan asn",
        "as2497 internet",
        "dns resolutions",
        "domains top",
        "united states",
        "ipv4",
        "targeting",
        "tsara brashears",
        "state colorado",
        "critical",
        "pornhub",
        "tulach",
        "sabey",
        "poleass",
        "foundrypalantir",
        "pegasus",
        "state",
        "quasi",
        "shhh",
        "denver",
        "dougco",
        "jeffrey reimer",
        "reimer gropes",
        "christopher ahmann",
        "workers compensation",
        "commerce industry",
        "aig",
        "industry commerce",
        "confluence"
      ],
      "references": [
        "[DR] Wifi ID Login v1.3 [03 April 2014].exe",
        "7d10881f146e0d4659948a3555b1eee33950647a3c830978d26f2c8e88d2a90a",
        "bell.ca",
        "indonesiawifi.net \u2022 http://welcome.indonesiawifi.net/wifi.id/speedy/?switch_url=http",
        "https://welcome.indonesiawifi.net/wifi.id/flexizone",
        "SLF:MSIL/PSTAnomaly.A  SHA1 826d75e406808e3f002cb2b6da09003f78d612a1 [winPEAS.exe] SQLite.Interop.pdb",
        "A target pursued post criminal assault on Pinnacol Assuranve insured premises",
        "https://tms.lingyiitech.com/ELSServer_LYZZ/ \u2022 https://oa.lingyiitech.com/login.jsp",
        "IDS Detections: Backdoor.Win32.Pushdo.s Checkin Observed DNS Query to .biz TLD",
        "IDS Detections: HTTP Request to a *.tw domain 403 Forbiddenau ...",
        "Yara Detections: PWSWin32Kegotip ,  VirusWin32Gogo ,  VirusWin32Hala ,  VirusWin32Wholdor",
        "Alerts: behavior_upatre multiple_useragents persistence_autorun network_icmp dead_connect",
        "Alerts:static_pe_anomaly suricata_alert antisandbox_sleep  dynamic_function_loading",
        "Alerts: http_request network_cnc_http network_http packer_entropy injection_rwx",
        "Alerts: antidebug_setunhandledexceptionfilter antivm_network_adapters",
        "IP\u2019s Contacted: 143.204.237.45  58.138.175.188  65.38.128.10  147.21.128.26  78.41.204.31  132.148.77.44",
        "IP\u2019s Contacted: 185.104.29.148  92.122.107.204  139.76.134.15  184.150.211.195",
        "Domains Contacted: 0handicap.at accountingtechs.biz 4dbenelux.be accountant.com knology.net",
        "Domains Contacted: badactor.us revasal.com yahoo.se excite.fr primus.com.au",
        "Backdoor.Win32.Pushdo.s Checkin",
        "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian \u2018nonsense Denver County Courts)",
        "Name Servers PDNS1.ULTRADNS.NET Org",
        "World Media Group, LLC Address 90 lrojanbownloader.vns. Washington Valley Rd., #",
        "https://otx.alienvault.com/indicator/cve/CVE-2022-26134",
        "Phishing: http://gravityboard.com/?ptrxcz_quy147AEHKNQUXadgkorvy158BFILO",
        "Created Pulses: NSO Group [Unnamed group] Unnamed group pi, pdfkit.net State of Colorado",
        "CVE-2022-26134\t Base Severity: Critical | Targeted | NSO Pegasus Relationships suspected",
        "https://www.mirvish.com/shows/come-from-away&geo=ca&merchantid=407759&useragent=Mozilla/5.0 (Linux; Android 13; Pixel 4a (5G) Build/TQ2A.230505.002; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/112.0.5615.136 Mobile Safari/537.36 GoogleApp/14.16.27.29.arm64 AppEngine-Google; (+ No Expiration",
        "Apple Cons: https://stetsed.xyz/apple \u2022 https://www.collierhonorflight.org/apple-touch-icon.png",
        "nr-data.net \u2022 https://www.sandoll.co.kr/AppleSDGothicNeo \u2022 aka.ms",
        "CVE-2022-26134 \u2022 CVSS V3 Severity ATTACK COMPLEXITY: LOW ATTACK VECTOR: NETWORK AVAILABILITY",
        "IMPACT: HIGH BASE SCORE: 9.8 BASE SEVERITY: CRITICAL CONFIDENTIALITY IMPACT: HIGH INTEGRITY IMPACT: HIGH",
        "CVE-2022-26134 \u2022  PRIVILEGES REQUIRED: NONE"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "SLF:MSIL/PSTAnomaly.A",
          "display_name": "SLF:MSIL/PSTAnomaly.A",
          "target": "/malware/SLF:MSIL/PSTAnomaly.A"
        },
        {
          "id": "Win.Trojan.Pushdo-20",
          "display_name": "Win.Trojan.Pushdo-20",
          "target": null
        },
        {
          "id": "TrojanDownloader:Win32/Cutwail.BS",
          "display_name": "TrojanDownloader:Win32/Cutwail.BS",
          "target": "/malware/TrojanDownloader:Win32/Cutwail.BS"
        },
        {
          "id": "TrojanDownloader:Win32/Cutwail.BV",
          "display_name": "TrojanDownloader:Win32/Cutwail.BV",
          "target": "/malware/TrojanDownloader:Win32/Cutwail.BV"
        },
        {
          "id": "World Media",
          "display_name": "World Media",
          "target": null
        },
        {
          "id": "CVE-2022-26134",
          "display_name": "CVE-2022-26134",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1045",
          "name": "Software Packing",
          "display_name": "T1045 - Software Packing"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        },
        {
          "id": "T1060",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1060 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1059.001",
          "name": "PowerShell",
          "display_name": "T1059.001 - PowerShell"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1069",
          "name": "Permission Groups Discovery",
          "display_name": "T1069 - Permission Groups Discovery"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1480",
          "name": "Execution Guardrails",
          "display_name": "T1480 - Execution Guardrails"
        },
        {
          "id": "T1553",
          "name": "Subvert Trust Controls",
          "display_name": "T1553 - Subvert Trust Controls"
        },
        {
          "id": "T1560",
          "name": "Archive Collected Data",
          "display_name": "T1560 - Archive Collected Data"
        },
        {
          "id": "T1553.002",
          "name": "Code Signing",
          "display_name": "T1553.002 - Code Signing"
        },
        {
          "id": "T1069.002",
          "name": "Domain Groups",
          "display_name": "T1069.002 - Domain Groups"
        },
        {
          "id": "T1071.004",
          "name": "DNS",
          "display_name": "T1071.004 - DNS"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        }
      ],
      "industries": [
        "Government",
        "Legal",
        "Judicial",
        "Technology",
        "Telecommunications"
      ],
      "TLP": "white",
      "cloned_from": "69efc567ae24b8285a71099d",
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 1039,
        "hostname": 868,
        "domain": 687,
        "URL": 2226,
        "FileHash-MD5": 133,
        "FileHash-SHA1": 96,
        "CVE": 1,
        "email": 8,
        "SSLCertFingerprint": 6
      },
      "indicator_count": 5064,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 67,
      "modified_text": "3 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69d6c7fec016b76d49ed95ae",
      "name": "VirusTotal report\n                    for index.html",
      "description": "shatter",
      "modified": "2026-05-08T22:06:56.603000",
      "created": "2026-04-08T21:26:22.351000",
      "tags": [
        "performs dns",
        "united",
        "https",
        "found",
        "tls version",
        "mitre attack",
        "network info",
        "processes extra",
        "urls",
        "t1055 process",
        "phishing",
        "next",
        "script",
        "doctype html",
        "variablece2034",
        "head"
      ],
      "references": [
        "https://vtbehaviour.commondatastorage.googleapis.com/602820fab45e2260fc61a6b3e10ed0dd6fa5d27d0e571e4c3ebb10d14b8e8756_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775683438&Signature=khOWYYuus3ZD%2FA6t3hVsvbol60hQl5I46qotKwZMyqB6DNAXxK4JB97T0tmp862kfEfXlYLfR0OGuqJWYR0xjzw6jI3ClHipxRTHaVFE%2BW8vtqgbXdiqrad1nlgDGd6Xw4GAH8TdOhuhS856Rn9Koeg4m7TI%2FNzussElBucPkseVfb4X14JRTEjbYkMAFg1XVJ%2FeiUdlEu3jfg89YphMxVpB0IKI6V75BAOVK5Ptd1S6wScJvIStkG451uhiH0",
        "https://vtbehaviour.commondatastorage.googleapis.com/602820fab45e2260fc61a6b3e10ed0dd6fa5d27d0e571e4c3ebb10d14b8e8756_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775683485&Signature=RtGC7ItLn43wQgm4%2FHamRNp82WM%2BtkmJKZF1tBP1Lt%2BGqWf%2BNwCyCXYDesreIO4OILdto4gRkDqaJWfoXOD%2F6foz%2FIRXEyBU2UI0T6Bi%2B40WmRBVL94A0kBZ9Q8NHM2AsQoGx30hsnWlfsZIF9tqc3b9TAmpJHZNaEEJ44hkxWVLvlFu6BdnSKQBIqh8Al32ckdVzmDvpRTuF2ydQquoqvtZ5T5HyPKSlhH7TLacySC5a4lI"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1095",
          "name": "Non-Application Layer Protocol",
          "display_name": "T1095 - Non-Application Layer Protocol"
        },
        {
          "id": "T1189",
          "name": "Drive-by Compromise",
          "display_name": "T1189 - Drive-by Compromise"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 442,
        "FileHash-MD5": 245,
        "FileHash-SHA1": 201,
        "FileHash-SHA256": 573,
        "URL": 570,
        "hostname": 1058,
        "email": 3,
        "SSLCertFingerprint": 2
      },
      "indicator_count": 3094,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 67,
      "modified_text": "22 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "66f100d791f9f9f6ab7b4f24",
      "name": "Cerber \u00bb Charter Communications \u00bb Spectrum Denver",
      "description": "[107.14.73.70] IP address range owned by Charter Communications Inc and located in Denver, Co United States.\n\nTargets & family neighborhood ISP's attacked again.  Internet and targets devices attacked , Internet had to be reset twice by tech teams. Our team was able to track comprises directed towards target and families devices, which they are destroying. Stolen passwords, leaks, forced content, dumping. Both Spectrum &  Quantum fiber positive for malicious activity within targeted devices. Fake iOS update pushed to a device. It comes with an agreement from Apple Singapore, LTD. \n\nMalware Families ,\nBackdoor:Win32/Tofse , \nCerber Ransomware ,\nET.  \nETPRO ,\nInject3.QGY ,\nKelihos ,\nNIDS ,\nNOD32 ,\nSf:ShellCode-AU\\ [Trj] , \nTrojan:Win32/Glupteba ,\nTrojanDownloader:Win32/Cutwail ,\nVirTool:Win32/Obfuscator",
      "modified": "2024-10-23T05:03:21.045000",
      "created": "2024-09-23T05:47:03.625000",
      "tags": [
        "isp charter",
        "usage type",
        "fixed line",
        "isp hostname",
        "domain name",
        "country united",
        "america city",
        "denver",
        "colorado",
        "ip address",
        "whois",
        "check",
        "information isp",
        "inc usage",
        "type fixed",
        "line isp",
        "hostname",
        "plesk forum",
        "centos web",
        "panel forum",
        "whois lookup",
        "netrange",
        "nethandle",
        "net107",
        "net1070000",
        "cc3517",
        "inc orgid",
        "dr city",
        "stateprov",
        "postalcode",
        "status",
        "as7843 charter",
        "united",
        "name servers",
        "passive dns",
        "urls",
        "domain",
        "search",
        "emails",
        "unknown",
        "scan endpoints",
        "all scoreblue",
        "ipv4",
        "files",
        "reverse dns",
        "location united",
        "win32",
        "abuseipdb",
        "read",
        "write",
        "read c",
        "server header",
        "show",
        "suspicious",
        "kelihos",
        "trojan",
        "artemis",
        "virustotal",
        "download",
        "drweb",
        "vipre",
        "panda",
        "malware",
        "specified",
        "next",
        "et trojan",
        "et info",
        "medium",
        "http",
        "ids detections",
        "yara detections",
        "e98c1cec8156",
        "as11426 charter",
        "as20001 charter",
        "as11427 charter",
        "as11351 charter",
        "as16787 charter",
        "as33363 charter",
        "as20115 charter",
        "as10796 charter",
        "as12271 charter",
        "body",
        "servers",
        "all search",
        "entries",
        "intel",
        "ms windows",
        "windows nt",
        "destination",
        "port",
        "asnone",
        "heurunsec",
        "etpro trojan",
        "nxdomain",
        "a nxdomain",
        "aaaa",
        "asnone united",
        "aaaa nxdomain",
        "backdoor",
        "pulse submit",
        "url analysis",
        "location oxford",
        "as3456 charter",
        "moved",
        "showing",
        "body doctype",
        "html public",
        "ietfdtd html",
        "as6976 verizon",
        "as701 verizon",
        "file samples",
        "files matching",
        "date hash",
        "copyright",
        "levelblue",
        "related pulses",
        "pulse pulses",
        "kryptikpii",
        "msr apr",
        "date",
        "creation date",
        "analyzer paste",
        "iocs",
        "samples",
        "secure server",
        "cname",
        "as5742",
        "body head",
        "object moved",
        "content length",
        "content type",
        "cookie",
        "as15133 verizon",
        "lowfi",
        "gmt server",
        "ecacc",
        "record value",
        "oxford",
        "michigan",
        "ns nxdomain",
        "soa nxdomain",
        "url http",
        "mitre att",
        "evasion ta0005",
        "creates",
        "discovery t1082",
        "reads software",
        "file",
        "t1083 reads",
        "jujubox",
        "zenbox",
        "get http",
        "request",
        "host",
        "win64",
        "khtml",
        "gecko",
        "response",
        "cus cndigicert",
        "tls rsa",
        "user",
        "javascript c",
        "doscom c",
        "text c",
        "files c",
        "storage",
        "file system",
        "filesadobe c",
        "appdata",
        "appdatalocal",
        "hostnames",
        "ta0002 command",
        "t1059 very",
        "t1064",
        "javascript",
        "modules t1129",
        "ta0003 create",
        "modify system",
        "process t1543",
        "windows service",
        "cisco umbrella",
        "blacklist",
        "safe site",
        "filerepmalware",
        "microsoft",
        "phishing bank",
        "sgeneric",
        "malware site",
        "unsafe",
        "number",
        "cus cngts",
        "ogoogle trust",
        "subject",
        "algorithm",
        "cus ouserver",
        "ouserver ca",
        "record type",
        "ttl value",
        "msms86718722",
        "query",
        "open",
        "capa",
        "create process",
        "windows create",
        "delete file",
        "write file",
        "windows check",
        "os version",
        "enumerate",
        "hashes",
        "signals mutexes",
        "mutexes",
        "open threat",
        "location los",
        "emails info",
        "expiration date",
        "write c",
        "process32nextw",
        "regsetvalueexa",
        "regdword",
        "module load",
        "t1129",
        "as51167 contabo",
        "germany unknown",
        "as40021 contabo",
        "encrypt",
        "hosting",
        "netherlands asn",
        "as204601 zomro",
        "pulses",
        "tags",
        "related tags",
        "indicator facts",
        "historical otx",
        "files ip",
        "asnone germany",
        "as174 cogent",
        "czechia unknown",
        "whitelisted",
        "certificate",
        "bittorrent dht",
        "post http",
        "et p2p",
        "cryptexportkey",
        "invalid pointer",
        "delete c",
        "post utcore",
        "benchhttp",
        "mozilla",
        "maldoc",
        "service",
        "tools",
        "nids",
        "et",
        "x95xd3xa4",
        "regbinary",
        "hx88x89",
        "kx82xd3x11",
        "xb9x8b",
        "x8dxb7xb7",
        "hx88x9ax1e",
        "mx81xd1r",
        "x92xac",
        "stream",
        "persistence",
        "execution",
        "dynamicloader",
        "contacted",
        "domains",
        "yara rule",
        "high",
        "dynamic",
        "pcap",
        "pushdo",
        "msie",
        "activity beacon",
        "malware beacon",
        "default",
        "redacted for",
        "for privacy",
        "as3379 kaiser",
        "server",
        "gmt content",
        "type",
        "x frame",
        "entries http",
        "scans show",
        "domain related",
        "no data",
        "tag count",
        "fakedout threat",
        "analyzer threat",
        "url summary",
        "ip summary",
        "summary",
        "sample",
        "detection list",
        "components",
        "zune",
        "etpro",
        "nod32",
        "avast avg",
        "next http",
        "example domain",
        "title meta",
        "invalid url",
        "akamai",
        "urls http",
        "as20940",
        "as16625 akamai",
        "netherlands",
        "germany",
        "france",
        "virtool",
        "rock",
        "address",
        "apache",
        "accept",
        "as8075",
        "pulse http",
        "related nids",
        "files location",
        "moldova related",
        "pulses none",
        "as31898 oracle",
        "title",
        "kryptiklfq",
        "win32dh",
        "vitro",
        "shutdown",
        "erase",
        "find",
        "close",
        "as53418",
        "hat server",
        "as797 att",
        "script urls",
        "a domains",
        "as10753 level",
        "script script",
        "meta",
        "path",
        "null",
        "stop",
        "as54113",
        "chrome",
        "as7018 att",
        "as28521",
        "mexico unknown",
        "fastly error",
        "please",
        "sea p",
        "object",
        "set cookie",
        "pragma",
        "as19536 directv",
        "united kingdom",
        "as60664 xion",
        "trojan features",
        "moldova unknown",
        "susp",
        "breaking news",
        "business",
        "finance",
        "entertainment",
        "sports",
        "games",
        "trending videos",
        "weather",
        "home",
        "as396982 google",
        "url https",
        "type indicator",
        "role title",
        "added active",
        "cyberfolks",
        ".pl",
        "level 3"
      ],
      "references": [
        "ISP: Charter Communications Inc Usage Type\tFixed Line ISP",
        "dnvrco-pub-iedge-vip.email.rr.com \tspectrum.com Denver, Colorado USA",
        "dnscache2b.cdptpa dnvrco-oms2ims-mta-svip-01.email dnvrco-queue04-ac.email dnvrco-ring-a62.email dnvrco-smss-f01-ac.email dnvrco-west-dhcpw-02.",
        "Reverse DNS dnvrco-pub-iedge-vip.email.rr.com",
        "Crypt3.COYL FileHash - SHA256 cb536e2e5eb3b23a74702f80832ab964e7dfe07763300437b5ba581f464a108e",
        "IDS Detections: Suspicious double Server Header Possible Kelihos",
        "IDS Detections: Possible Kelihos Infection Executable Download With Malformed Header",
        "telemetry-incoming.r53-2.services.mozilla.com",
        "https://otx.alienvault.com/indicator/url/http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel",
        "http://www.door.net/ARISBE/arisbe.htm",
        "talk.plesk.com | 4evermusic.pl |  nist.gov | alaska.gov.inbound10.mxlogic.net | publicfiles.fcc.gov",
        "https://cdns.directv.com/resources/js/dtv/framework/plugins/jquery.placeholder.min.js | peri.com.pl"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America",
        "Germany",
        "Hungary",
        "Ukraine",
        "Spain",
        "Brazil",
        "Russian Federation",
        "Moldova, Republic of",
        "Japan",
        "Ireland",
        "Luxembourg",
        "Canada"
      ],
      "malware_families": [
        {
          "id": "TrojanDownloader:Win32/Cutwail",
          "display_name": "TrojanDownloader:Win32/Cutwail",
          "target": "/malware/TrojanDownloader:Win32/Cutwail"
        },
        {
          "id": "Backdoor:Win32/Tofsee",
          "display_name": "Backdoor:Win32/Tofsee",
          "target": "/malware/Backdoor:Win32/Tofsee"
        },
        {
          "id": "Cerber Ransomware",
          "display_name": "Cerber Ransomware",
          "target": null
        },
        {
          "id": "NIDS",
          "display_name": "NIDS",
          "target": null
        },
        {
          "id": "ET",
          "display_name": "ET",
          "target": null
        },
        {
          "id": "Inject3.QGY",
          "display_name": "Inject3.QGY",
          "target": null
        },
        {
          "id": "Kelihos",
          "display_name": "Kelihos",
          "target": null
        },
        {
          "id": "ETPRO",
          "display_name": "ETPRO",
          "target": null
        },
        {
          "id": "NOD32",
          "display_name": "NOD32",
          "target": null
        },
        {
          "id": "VirTool:Win32/Obfuscator",
          "display_name": "VirTool:Win32/Obfuscator",
          "target": "/malware/VirTool:Win32/Obfuscator"
        },
        {
          "id": "Sf:ShellCode-AU\\ [Trj]",
          "display_name": "Sf:ShellCode-AU\\ [Trj]",
          "target": null
        },
        {
          "id": "Trojan:Win32/Glupteba",
          "display_name": "Trojan:Win32/Glupteba",
          "target": "/malware/Trojan:Win32/Glupteba"
        }
      ],
      "attack_ids": [
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1060",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1060 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1119",
          "name": "Automated Collection",
          "display_name": "T1119 - Automated Collection"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1064",
          "name": "Scripting",
          "display_name": "T1064 - Scripting"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1543",
          "name": "Create or Modify System Process",
          "display_name": "T1543 - Create or Modify System Process"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1023",
          "name": "Shortcut Modification",
          "display_name": "T1023 - Shortcut Modification"
        },
        {
          "id": "T1040",
          "name": "Network Sniffing",
          "display_name": "T1040 - Network Sniffing"
        },
        {
          "id": "T1045",
          "name": "Software Packing",
          "display_name": "T1045 - Software Packing"
        },
        {
          "id": "T1047",
          "name": "Windows Management Instrumentation",
          "display_name": "T1047 - Windows Management Instrumentation"
        },
        {
          "id": "T1053",
          "name": "Scheduled Task/Job",
          "display_name": "T1053 - Scheduled Task/Job"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1204",
          "name": "User Execution",
          "display_name": "T1204 - User Execution"
        },
        {
          "id": "T1106",
          "name": "Native API",
          "display_name": "T1106 - Native API"
        },
        {
          "id": "T1031",
          "name": "Modify Existing Service",
          "display_name": "T1031 - Modify Existing Service"
        },
        {
          "id": "T1089",
          "name": "Disabling Security Tools",
          "display_name": "T1089 - Disabling Security Tools"
        },
        {
          "id": "T1096",
          "name": "NTFS File Attributes",
          "display_name": "T1096 - NTFS File Attributes"
        },
        {
          "id": "T1112",
          "name": "Modify Registry",
          "display_name": "T1112 - Modify Registry"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 37,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "scoreblue",
        "id": "254100",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 2060,
        "hostname": 3067,
        "CIDR": 4,
        "URL": 1300,
        "email": 29,
        "FileHash-MD5": 3181,
        "FileHash-SHA1": 1994,
        "FileHash-SHA256": 3228,
        "CVE": 2,
        "SSLCertFingerprint": 1
      },
      "indicator_count": 14866,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 233,
      "modified_text": "585 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "capecod.net",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "capecod.net",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780237129.5435607
}