{ "type": "Domain", "indicator": "cloudopsstudio.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/cloudopsstudio.com", "alexa": "http://www.alexa.com/siteinfo/cloudopsstudio.com", "indicator": "cloudopsstudio.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4076260859, "indicator": "cloudopsstudio.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 3, "pulses": [ { "id": "68732864356c4353e0b1efe2", "name": "Denver Post - Custom Malware | Xord", "description": "YARA Detections:\n\u2022 xord_nopsled_in_jquery\ncompromised_site_redirector_fromcharcode\n\u2022 KnownMaliciousObfuscationPattern\n\u2022 WebExploit | \nAlerts:\n\u2022 ransomware_file_modifications\n\u2022 script_created_process\n\u2022 antivm_generic_disk\n\u2022 infostealer_cookies\n\u2022 suspicious_command\n\u2022 dead_host\n\u2022 suspicious_write_exe\n\u2022 network_icmp\n\u2022 modifies_certificates\n\u2022 process_martian\n* Malware IP - \n142.251.215.232", "modified": "2025-08-12T03:05:26.037000", "created": "2025-07-13T03:30:44.589000", "tags": [ "url https", "indicator role", "title added", "active related", "pulses", "entries", "url http", "domain", "ipv4", "filehashsha256", "hostname", "types of", "united kingdom", "united", "germany", "france", "type indicator", "role title", "added active", "related pulses", "extraction", "data upload", "failed", "se extraction", "enter sc", "type", "extra data", "please", "include review", "exclude sugges", "type ol", "please sub", "langes", "include", "review data", "extrad", "manually add", "indicator", "sc type", "included iocs", "se extr", "review exclude", "sugges", "extract data", "add indicator", "domain related", "showing", "tewdida data", "present jul", "script urls", "a domains", "present jun", "search", "accept encoding", "unknown aaaa", "present may", "date", "meta", "body", "ipv6", "role", "present jan", "next associated", "urls show", "date checked", "url hostname", "server response", "ip address", "regexp", "typeof e", "typeof t", "function", "width", "error", "object", "x20trnf", "pseudo", "child", "form", "class", "null", "write", "this", "void", "accept", "copy", "extr please", "typ data", "indicalok no", "gmt max", "reverse dns", "location united", "america flag", "ashburn", "america asn", "dns resolutions", "domains top", "extri please", "review", "sugges data", "find suxesteu", "typ indical", "on hos", "dynamicloader", "medium", "show", "high", "windows", "cmd c", "delete", "next", "unknown", "msie", "windows nt", "wow64", "slcc2", "media center", "read c", "as15169", "execution", "dock", "persistence", "malware", "roboto", "fwlink", "powershell", "delete c", "guard", "win32", "passive dns", "ransom", "trojan", "gmt cache", "sameorigin", "443 ma2592000", "pulse", "trojandropper", "worm", "ur extraction", "find", "types", "seard data", "source se", "url toi", "ela fer", "iocs", "search otx", "extr", "indicators h", "weall", "indica", "sc data", "data u", "extre", "find s", "onv incmde", "exclude data", "suggested", "typ no" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3107, "domain": 526, "hostname": 940, "FileHash-SHA256": 2209, "email": 2, "FileHash-MD5": 80, "FileHash-SHA1": 31, "SSLCertFingerprint": 11 }, "indicator_count": 6906, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "250 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68732869bad70de69c45c1b3", "name": "Denver Post - Custom Malware | Xord", "description": "YARA Detections:\n\u2022 xord_nopsled_in_jquery\ncompromised_site_redirector_fromcharcode\n\u2022 KnownMaliciousObfuscationPattern\n\u2022 WebExploit | \nAlerts:\n\u2022 ransomware_file_modifications\n\u2022 script_created_process\n\u2022 antivm_generic_disk\n\u2022 infostealer_cookies\n\u2022 suspicious_command\n\u2022 dead_host\n\u2022 suspicious_write_exe\n\u2022 network_icmp\n\u2022 modifies_certificates\n\u2022 process_martian\n* Malware IP - \n142.251.215.232", "modified": "2025-08-12T03:05:26.037000", "created": "2025-07-13T03:30:49.347000", "tags": [ "url https", "indicator role", "title added", "active related", "pulses", "entries", "url http", "domain", "ipv4", "filehashsha256", "hostname", "types of", "united kingdom", "united", "germany", "france", "type indicator", "role title", "added active", "related pulses", "extraction", "data upload", "failed", "se extraction", "enter sc", "type", "extra data", "please", "include review", "exclude sugges", "type ol", "please sub", "langes", "include", "review data", "extrad", "manually add", "indicator", "sc type", "included iocs", "se extr", "review exclude", "sugges", "extract data", "add indicator", "domain related", "showing", "tewdida data", "present jul", "script urls", "a domains", "present jun", "search", "accept encoding", "unknown aaaa", "present may", "date", "meta", "body", "ipv6", "role", "present jan", "next associated", "urls show", "date checked", "url hostname", "server response", "ip address", "regexp", "typeof e", "typeof t", "function", "width", "error", "object", "x20trnf", "pseudo", "child", "form", "class", "null", "write", "this", "void", "accept", "copy", "extr please", "typ data", "indicalok no", "gmt max", "reverse dns", "location united", "america flag", "ashburn", "america asn", "dns resolutions", "domains top", "extri please", "review", "sugges data", "find suxesteu", "typ indical", "on hos", "dynamicloader", "medium", "show", "high", "windows", "cmd c", "delete", "next", "unknown", "msie", "windows nt", "wow64", "slcc2", "media center", "read c", "as15169", "execution", "dock", "persistence", "malware", "roboto", "fwlink", "powershell", "delete c", "guard", "win32", "passive dns", "ransom", "trojan", "gmt cache", "sameorigin", "443 ma2592000", "pulse", "trojandropper", "worm", "ur extraction", "find", "types", "seard data", "source se", "url toi", "ela fer", "iocs", "search otx", "extr", "indicators h", "weall", "indica", "sc data", "data u", "extre", "find s", "onv incmde", "exclude data", "suggested", "typ no" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3107, "domain": 526, "hostname": 940, "FileHash-SHA256": 2209, "email": 2, "FileHash-MD5": 80, "FileHash-SHA1": 31, "SSLCertFingerprint": 11 }, "indicator_count": 6906, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "250 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "684cd7ad87254fdda87d3054", "name": "Devilspen.com (awsdns) | Strictor/ Installmonster | Emotet", "description": "\u2022 Python Initiated Connection by frack113\n\u2022 Creation of an Executable by an Executable by frack113\n\u2022 ET DNS Query to a *.top domain - Likely Hostile\n\u2022 ET INFO TLS Handshake Failure\n\u2022 INDICATOR-COMPROMISE Suspicious .top dns query\n* MALWARE TROJAN\n#emotet\n More\u2026", "modified": "2025-07-14T01:04:45.357000", "created": "2025-06-14T02:00:13.883000", "tags": [ "united", "date", "flag", "server", "gandi sas", "name server", "proxy", "llc name", "overview dns", "requests domain", "logo analysis", "size45b type", "threat score", "av detection", "community score", "url scan", "analysis no", "domain scam", "score clean", "domain abuse", "error", "june", "malicious", "falcon sandbox", "march", "score", "size426kib type", "mime", "scan analysis", "upgrade", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "initial access", "spawns", "mitre att", "sha1", "copy md5", "copy sha1", "copy sha256", "ascii text", "sha256", "show", "null", "body", "class", "refresh", "span", "window", "hybrid", "possible", "general", "local", "path", "click", "strings", "tools", "false", "look", "verify", "restart", "data", "v3 serial", "number", "cus olet", "encrypt cnr10", "validity", "subject public", "key info", "key algorithm", "rsa public", "dynadot", "dynadot llc", "dynadot inc", "thumbprint", "win32 exe", "pe32", "ms windows", "win16 ne", "icons library", "os2 executable", "generic windos", "executable", "pe64 compiler", "ltcgc", "file type", "google update", "setup", "kb file", "ico mainicon", "javascript", "redacted for", "privacy create", "domain", "registrant fax", "privacy update", "defense evasion", "access ta0006", "ta0008 command", "control ta0011", "ob0002 defense", "evasion ob0006", "file system", "oc0001 process", "oc0003 data", "system oc0008", "ja3s", "azure tls", "issuing ca", "cus subject", "stwa lredmond", "resolved ips", "ip traffic", "tls sni", "delphi generic", "intel", "dos borland", "pe32 compiler", "borland delphi", "linker", "delphi", "get http", "post http", "rstunf", "tad436770", "productname", "subid", "encodedpixel", "dns resolutions", "privacy", "internal name", "adobe help", "viewer file", "version" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 25, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 449, "hostname": 504, "FileHash-SHA256": 2208, "URL": 1109, "FileHash-MD5": 201, "FileHash-SHA1": 204, "SSLCertFingerprint": 9 }, "indicator_count": 4684, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "279 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [], "malware_families": [], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 3, "pulses": [ { "id": "68732864356c4353e0b1efe2", "name": "Denver Post - Custom Malware | Xord", "description": "YARA Detections:\n\u2022 xord_nopsled_in_jquery\ncompromised_site_redirector_fromcharcode\n\u2022 KnownMaliciousObfuscationPattern\n\u2022 WebExploit | \nAlerts:\n\u2022 ransomware_file_modifications\n\u2022 script_created_process\n\u2022 antivm_generic_disk\n\u2022 infostealer_cookies\n\u2022 suspicious_command\n\u2022 dead_host\n\u2022 suspicious_write_exe\n\u2022 network_icmp\n\u2022 modifies_certificates\n\u2022 process_martian\n* Malware IP - \n142.251.215.232", "modified": "2025-08-12T03:05:26.037000", "created": "2025-07-13T03:30:44.589000", "tags": [ "url https", "indicator role", "title added", "active related", "pulses", "entries", "url http", "domain", "ipv4", "filehashsha256", "hostname", "types of", "united kingdom", "united", "germany", "france", "type indicator", "role title", "added active", "related pulses", "extraction", "data upload", "failed", "se extraction", "enter sc", "type", "extra data", "please", "include review", "exclude sugges", "type ol", "please sub", "langes", "include", "review data", "extrad", "manually add", "indicator", "sc type", "included iocs", "se extr", "review exclude", "sugges", "extract data", "add indicator", "domain related", "showing", "tewdida data", "present jul", "script urls", "a domains", "present jun", "search", "accept encoding", "unknown aaaa", "present may", "date", "meta", "body", "ipv6", "role", "present jan", "next associated", "urls show", "date checked", "url hostname", "server response", "ip address", "regexp", "typeof e", "typeof t", "function", "width", "error", "object", "x20trnf", "pseudo", "child", "form", "class", "null", "write", "this", "void", "accept", "copy", "extr please", "typ data", "indicalok no", "gmt max", "reverse dns", "location united", "america flag", "ashburn", "america asn", "dns resolutions", "domains top", "extri please", "review", "sugges data", "find suxesteu", "typ indical", "on hos", "dynamicloader", "medium", "show", "high", "windows", "cmd c", "delete", "next", "unknown", "msie", "windows nt", "wow64", "slcc2", "media center", "read c", "as15169", "execution", "dock", "persistence", "malware", "roboto", "fwlink", "powershell", "delete c", "guard", "win32", "passive dns", "ransom", "trojan", "gmt cache", "sameorigin", "443 ma2592000", "pulse", "trojandropper", "worm", "ur extraction", "find", "types", "seard data", "source se", "url toi", "ela fer", "iocs", "search otx", "extr", "indicators h", "weall", "indica", "sc data", "data u", "extre", "find s", "onv incmde", "exclude data", "suggested", "typ no" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3107, "domain": 526, "hostname": 940, "FileHash-SHA256": 2209, "email": 2, "FileHash-MD5": 80, "FileHash-SHA1": 31, "SSLCertFingerprint": 11 }, "indicator_count": 6906, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "250 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68732869bad70de69c45c1b3", "name": "Denver Post - Custom Malware | Xord", "description": "YARA Detections:\n\u2022 xord_nopsled_in_jquery\ncompromised_site_redirector_fromcharcode\n\u2022 KnownMaliciousObfuscationPattern\n\u2022 WebExploit | \nAlerts:\n\u2022 ransomware_file_modifications\n\u2022 script_created_process\n\u2022 antivm_generic_disk\n\u2022 infostealer_cookies\n\u2022 suspicious_command\n\u2022 dead_host\n\u2022 suspicious_write_exe\n\u2022 network_icmp\n\u2022 modifies_certificates\n\u2022 process_martian\n* Malware IP - \n142.251.215.232", "modified": "2025-08-12T03:05:26.037000", "created": "2025-07-13T03:30:49.347000", "tags": [ "url https", "indicator role", "title added", "active related", "pulses", "entries", "url http", "domain", "ipv4", "filehashsha256", "hostname", "types of", "united kingdom", "united", "germany", "france", "type indicator", "role title", "added active", "related pulses", "extraction", "data upload", "failed", "se extraction", "enter sc", "type", "extra data", "please", "include review", "exclude sugges", "type ol", "please sub", "langes", "include", "review data", "extrad", "manually add", "indicator", "sc type", "included iocs", "se extr", "review exclude", "sugges", "extract data", "add indicator", "domain related", "showing", "tewdida data", "present jul", "script urls", "a domains", "present jun", "search", "accept encoding", "unknown aaaa", "present may", "date", "meta", "body", "ipv6", "role", "present jan", "next associated", "urls show", "date checked", "url hostname", "server response", "ip address", "regexp", "typeof e", "typeof t", "function", "width", "error", "object", "x20trnf", "pseudo", "child", "form", "class", "null", "write", "this", "void", "accept", "copy", "extr please", "typ data", "indicalok no", "gmt max", "reverse dns", "location united", "america flag", "ashburn", "america asn", "dns resolutions", "domains top", "extri please", "review", "sugges data", "find suxesteu", "typ indical", "on hos", "dynamicloader", "medium", "show", "high", "windows", "cmd c", "delete", "next", "unknown", "msie", "windows nt", "wow64", "slcc2", "media center", "read c", "as15169", "execution", "dock", "persistence", "malware", "roboto", "fwlink", "powershell", "delete c", "guard", "win32", "passive dns", "ransom", "trojan", "gmt cache", "sameorigin", "443 ma2592000", "pulse", "trojandropper", "worm", "ur extraction", "find", "types", "seard data", "source se", "url toi", "ela fer", "iocs", "search otx", "extr", "indicators h", "weall", "indica", "sc data", "data u", "extre", "find s", "onv incmde", "exclude data", "suggested", "typ no" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3107, "domain": 526, "hostname": 940, "FileHash-SHA256": 2209, "email": 2, "FileHash-MD5": 80, "FileHash-SHA1": 31, "SSLCertFingerprint": 11 }, "indicator_count": 6906, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "250 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "684cd7ad87254fdda87d3054", "name": "Devilspen.com (awsdns) | Strictor/ Installmonster | Emotet", "description": "\u2022 Python Initiated Connection by frack113\n\u2022 Creation of an Executable by an Executable by frack113\n\u2022 ET DNS Query to a *.top domain - Likely Hostile\n\u2022 ET INFO TLS Handshake Failure\n\u2022 INDICATOR-COMPROMISE Suspicious .top dns query\n* MALWARE TROJAN\n#emotet\n More\u2026", "modified": "2025-07-14T01:04:45.357000", "created": "2025-06-14T02:00:13.883000", "tags": [ "united", "date", "flag", "server", "gandi sas", "name server", "proxy", "llc name", "overview dns", "requests domain", "logo analysis", "size45b type", "threat score", "av detection", "community score", "url scan", "analysis no", "domain scam", "score clean", "domain abuse", "error", "june", "malicious", "falcon sandbox", "march", "score", "size426kib type", "mime", "scan analysis", "upgrade", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "initial access", "spawns", "mitre att", "sha1", "copy md5", "copy sha1", "copy sha256", "ascii text", "sha256", "show", "null", "body", "class", "refresh", "span", "window", "hybrid", "possible", "general", "local", "path", "click", "strings", "tools", "false", "look", "verify", "restart", "data", "v3 serial", "number", "cus olet", "encrypt cnr10", "validity", "subject public", "key info", "key algorithm", "rsa public", "dynadot", "dynadot llc", "dynadot inc", "thumbprint", "win32 exe", "pe32", "ms windows", "win16 ne", "icons library", "os2 executable", "generic windos", "executable", "pe64 compiler", "ltcgc", "file type", "google update", "setup", "kb file", "ico mainicon", "javascript", "redacted for", "privacy create", "domain", "registrant fax", "privacy update", "defense evasion", "access ta0006", "ta0008 command", "control ta0011", "ob0002 defense", "evasion ob0006", "file system", "oc0001 process", "oc0003 data", "system oc0008", "ja3s", "azure tls", "issuing ca", "cus subject", "stwa lredmond", "resolved ips", "ip traffic", "tls sni", "delphi generic", "intel", "dos borland", "pe32 compiler", "borland delphi", "linker", "delphi", "get http", "post http", "rstunf", "tad436770", "productname", "subid", "encodedpixel", "dns resolutions", "privacy", "internal name", "adobe help", "viewer file", "version" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 25, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 449, "hostname": 504, "FileHash-SHA256": 2208, "URL": 1109, "FileHash-MD5": 201, "FileHash-SHA1": 204, "SSLCertFingerprint": 9 }, "indicator_count": 4684, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "279 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "cloudopsstudio.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "cloudopsstudio.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1776639581.8643203 }