{ "type": "URL", "indicator": "https://api-mc-prod.trafficmanager.cn", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://api-mc-prod.trafficmanager.cn", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4097965669, "indicator": "https://api-mc-prod.trafficmanager.cn", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 6, "pulses": [ { "id": "687d5d33d16ab7837e23bc01", "name": "howmanyofme.com - Packed | Palantir", "description": "howmanyofme.com was a honeypot. The names listed are potentially monitored targets. One was verified target.||\nhttp://howmanyofme.com/search/?given=Tsara&sur=Brashears/\nhttp://ww2.howmanyofme.com/people/Carrie_Henn/\nhttp://ww2.howmanyofme.com/people/Rockmond_Dunbar/\nhttp://howmanyofme.com/people/John_Hurt/\nhttp://howmanyofme.com/people/Mary_Gross/\nhttp://howmanyofme.com/people/Kenneth_Tobey/\nhttp://ww2.howmanyofme.com/people/Royce_Clayton/\n\n\n#Palantir # #honeypot #howmanyofme", "modified": "2025-09-18T23:05:18.490000", "created": "2025-07-20T21:18:43.974000", "tags": [ "united", "unknown ns", "a domains", "ip address", "search", "privacy service", "fbo registrant", "date", "entries", "how many", "destination", "port", "windows nt", "msie", "unknown", "et trojan", "poodle attack", "policy sslv3", "united kingdom", "suspicious", "copy", "virustotal", "malware", "write", "hostile", "next", "triton", "super node", "get reloaded", "x11 snf", "png image", "rgba", "post reloaded", "ascii text", "crlf line", "gnu message", "ms windows", "intel", "pe32", "host", "get babylon", "show", "babylon" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 7185, "domain": 706, "hostname": 1906, "email": 5, "FileHash-SHA256": 3645, "FileHash-MD5": 330, "FileHash-SHA1": 135, "CVE": 1 }, "indicator_count": 13913, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "213 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6892a73593f73dfc969779b0", "name": "Part I | Track | Locate | Political & Civil society \u2018news\u2019 campaigns", "description": "Part I | Track | Locate | Political & Civil society \u2018news\u2019 campaigns\n*[ddddd.msg]\n[http://tracking.eu1.glintinc.com]\n[stormer5v52vjsw66jmds7ndeecudq444woadhzr2plxlaayexnh6eqd]\n[stackstorm.ops.dev.az.glintinc.com]\n\u2022 http://stormer5v52vjsw66jmds7ndeecudq444woadhzr2plxlaayexnh6eqd.onion/peter-thiel-running-database-to-root-out-those-disloyal-to-the-leader/\\n \u2022\n[http://pixelrz.com/lists/keywords/tsara-brashears-assaulted-at-concentra/360]\n[http://pixelrz.com/lists/keywords/tsara-brashears-dead/360]", "modified": "2025-09-05T00:03:23.223000", "created": "2025-08-06T00:52:05.051000", "tags": [ "url http", "small", "indicator role", "title added", "active related", "pulses hostname", "tellyoun", "n aug", "entries", "data upload", "extraction", "windows error", "june", "fwd urgent", "justice czech", "copy sha256", "rejectedfailed", "timestamp input", "message status", "actions august", "file", "actions june", "actions may", "cta4 https", "context related", "associated urls", "campaigncodedsc", "language", "uid http", "community", "sha256", "size42b type", "submitted", "august", "april", "internal error", "previous1", "iframe", "community score", "scan analysis", "malicious", "intelligence", "learn", "falcon sandbox", "submissions", "status", "adversaries", "ck id", "name tactics", "suspicious", "informative", "defense evasion", "windows folder", "found", "dlls", "impact", "chromeua", "optout", "object", "path", "value", "access type", "setval", "windir", "localappdata", "null", "win64", "error", "generator", "close", "roboto", "date", "format", "light", "span", "template", "void", "android", "body", "trident", "mexico", "sonic", "black", "critical", "desktop", "dark", "meta", "this", "hybrid", "apache", "write", "crypto", "autodetect", "face", "courier", "gigi", "shadow", "click", "strings", "cray", "smwg", "eret", "footer", "infinity", "window", "canvas", "legend", "nuke", "lion", "4629", "ahav", "olsa", "false" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 9062, "domain": 707, "hostname": 2318, "FileHash-MD5": 86, "FileHash-SHA1": 26, "FileHash-SHA256": 2096, "email": 5, "FilePath": 2, "URI": 1 }, "indicator_count": 14303, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "226 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "687f33a5ddf830e2f3e5acac", "name": "Trojan Dropper | Espionage | Keylogger affecting medical centers", "description": "PII and PHI at risk. Highest access spyware available infiltrates a small niche medical center. \ntrojandropper, keyloggers, advanced spyware, monitored rooms , mitre att, ||\nIDS: PROTOCOL-ICMP PATH MTU denial of service attempt \u2022 PROTOCOL-ICMP Destination Unreachable Fragmentation Needed and DF bit was set\n\n\u2022 https://foundry2sdbl.dvr.dn2.n-helix.com/\n\u2022 https://www.pegasustech.net/products/mobility-barcode-scanning/Data-collector-mobile-computer\n\n\u2022 \nrobloxlogger.com\n\u2022\n\nhttps://video.welnext.com\n\u2022\nhttps://app1.oceantg.com/sta40/views/personnelscreenview.aspx", "modified": "2025-08-21T06:00:20.607000", "created": "2025-07-22T06:45:57.499000", "tags": [ "pegasus", "report spam", "gotham foundry", "espionage", "spinal cord", "injured created", "minutes ago", "strange", "foundry", "palantir", "alexa", "service", "url http", "url https", "type indicator", "role title", "added active", "related pulses", "ipv4", "united", "germany", "singapore", "netherlands", "iran", "india", "search", "domain", "hostname", "filehashmd5", "filehashsha1", "extraction", "data upload", "sc type", "dren aeu", "extr source", "ur data", "include", "review exclude", "sugges", "mtu denial", "matches rule", "needed", "df bit", "unique rule", "catalog tree", "c0002 wininet", "ta0005 command", "control ta0011", "get http", "resolved ips", "dns resolutions", "cloudflare", "flag", "server", "date", "contacted hosts", "ip address", "process details", "t1158", "hidden", "t1031", "modify existing", "t1053", "taskjob", "t1060", "run keys", "startup", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "spawns", "command", "found", "itre att", "show process", "prefetch8", "mitre att", "show technique", "ck matrix", "windows nt", "win64", "khtml", "gecko", "april", "hybrid", "general", "path", "click", "strings", "entries", "unknown ns", "creation date", "record value", "showing", "gmt content", "accept encoding", "encrypt", "checked url", "hostname server", "response ip", "address google", "safe browsing", "present jan" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2628, "domain": 472, "hostname": 880, "FileHash-SHA256": 805, "FileHash-MD5": 151, "FileHash-SHA1": 128, "CIDR": 1, "SSLCertFingerprint": 3, "email": 1 }, "indicator_count": 5069, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "241 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "687d30048b95aaba628a5ee7", "name": "Working on it\u2026\u2026", "description": "\u2022 Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)\n(onyx-ware.com)\nNS1.ENDGAME.COM\n(endgames.us)\nNS1.ENDGAME.COM\n#deadmau5 #janskyofficial #idk #soundcloud", "modified": "2025-08-19T17:00:59.379000", "created": "2025-07-20T18:05:56.587000", "tags": [ "dynamicloader", "united", "as15169", "medium", "search", "show", "write c", "whitelisted", "brazil as396982", "high", "themida", "write", "delphi", "copy", "upatre", "encrypt", "june", "win32", "malware", "win64", "windows nt", "directui", "element", "classinfobase", "value", "hwndhost", "sapeav12", "delete c", "worm", "explorer", "insert", "movie", "alerts", "windows", "installs", "filehash", "sha256 add", "pulse pulses", "av detections", "ids detections", "passive dns", "urls", "http", "ip address", "related nids", "files location", "spain flag", "spain domain", "files related", "spain", "entries", "next associated", "meta name", "frame src", "ok set", "cookie", "gmt date", "gmt content", "filehashsha256", "type indicator", "role title", "added active", "related pulses", "url http", "filehashmd5", "showing", "url https", "indicator role", "title added", "active related", "iocs", "learn more", "filehashsha1", "types of", "united kingdom", "t1053", "taskjob", "t1055", "injection", "t1082", "t1119", "t1129", "modules", "t1143", "soundcloud", "created", "hour ago", "facebook", "twitter", "victims website", "youtube", "jansky", "trojandropper", "pulses url" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2012, "FileHash-MD5": 140, "FileHash-SHA1": 129, "FileHash-SHA256": 1348, "SSLCertFingerprint": 3, "domain": 288, "hostname": 812 }, "indicator_count": 4732, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "243 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "687d18d829739be014393c59", "name": "SoundCloud - Hear the world\u2019s sounds", "description": "Social engineering included lots of contact via Facebook, Twitter, SoundCloud, Victims website, iCloud.. iCloud was erased and the hacker left the man \u2018deadmau5\u2018 . deadmau5 was used threatening posts emails and whoever they are sent photos and became overly interested in victims music. 1st to report music was not showing up on YouTube. Statements show victim had millions of views redirected. Hackers would often thank artistss for another million views. Songs pirated. Jansky on SoundCloud contacted victims daughter often, sent a photo and said he was from Great Britain. \n\u2022 ALFPER:PUA:Win32/InstallCore\n\u2022 TrojanDropper:Win32/VB.IL\n\u2022 Win.Trojan.Agent-\n|| blog.jpcert.or.jp \n\n\u2022 Registrant Org: Japan Computer Emergency Response Team Coordination Center\n\nI feel like this is very dangerous. These people are in Colorado no matter where they say they are.", "modified": "2025-08-19T14:03:11.976000", "created": "2025-07-20T16:27:04.872000", "tags": [ "read c", "search", "medium", "entries", "show", "unicode", "tls handshake", "memcommit", "delete", "crlf line", "next", "dock", "write", "execution", "malware", "copy", "no expiration", "filehashmd5", "filehashsha256", "showing", "urls", "passive dns", "http", "unique", "l add", "pulse pulses", "ip address", "related nids", "files location", "united", "code", "present jul", "present showing", "title error", "date checked", "url hostname", "server response", "google safe", "results jul", "next associated", "files show", "win32", "date", "urls show", "error", "creation date", "name servers", "value emails", "name eric", "wahlforss name", "org soundcloud", "city berlin", "country de", "dnssec unsigned", "files", "verdict", "domain", "files ip", "address", "location united", "asn as16509", "less", "results nov", "associated urls", "results jan", "present feb", "related tags", "none indicator", "facts domain", "present", "akamai external", "resources whois", "urlvoid", "related", "png image", "rgba", "alfper", "ipv4 add", "trojandropper", "present may", "present jun", "cname", "emails", "status", "servers", "less whois", "body", "fastly error", "please", "sea p", "america flag", "america asn", "trojan", "accept", "url add", "ip related", "pulses none", "cdhc", "oxq xr8w1", "fv5hc9a2l", "s showing", "next related", "domains domain", "script urls", "present sep", "cookie", "hostname add" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6020, "hostname": 1865, "FileHash-SHA256": 676, "FileHash-MD5": 106, "FileHash-SHA1": 86, "domain": 990, "email": 5 }, "indicator_count": 9748, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "243 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "687d18de7177474b759ab2b7", "name": "SoundCloud - Hear the world\u2019s sounds", "description": "Social engineering included lots of contact via Facebook, Twitter, SoundCloud, Victims website, iCloud.. iCloud was erased and the hacker left the man \u2018deadmau5\u2018 . deadmau5 was used threatening posts emails and whoever they are sent photos and became overly interested in victims music. 1st to report music was not showing up on YouTube. Statements show victim had millions of views redirected. Hackers would often thank artistss for another million views. Songs pirated. Jansky on SoundCloud contacted victims daughter often, sent a photo and said he was from Great Britain. \n\u2022 ALFPER:PUA:Win32/InstallCore\n\u2022 TrojanDropper:Win32/VB.IL\n\u2022 Win.Trojan.Agent-\n|| blog.jpcert.or.jp \n\n\u2022 Registrant Org: Japan Computer Emergency Response Team Coordination Center\n\nI feel like this is very dangerous. These people are in Colorado no matter where they say they are.", "modified": "2025-08-19T14:03:11.976000", "created": "2025-07-20T16:27:10.608000", "tags": [ "read c", "search", "medium", "entries", "show", "unicode", "tls handshake", "memcommit", "delete", "crlf line", "next", "dock", "write", "execution", "malware", "copy", "no expiration", "filehashmd5", "filehashsha256", "showing", "urls", "passive dns", "http", "unique", "l add", "pulse pulses", "ip address", "related nids", "files location", "united", "code", "present jul", "present showing", "title error", "date checked", "url hostname", "server response", "google safe", "results jul", "next associated", "files show", "win32", "date", "urls show", "error", "creation date", "name servers", "value emails", "name eric", "wahlforss name", "org soundcloud", "city berlin", "country de", "dnssec unsigned", "files", "verdict", "domain", "files ip", "address", "location united", "asn as16509", "less", "results nov", "associated urls", "results jan", "present feb", "related tags", "none indicator", "facts domain", "present", "akamai external", "resources whois", "urlvoid", "related", "png image", "rgba", "alfper", "ipv4 add", "trojandropper", "present may", "present jun", "cname", "emails", "status", "servers", "less whois", "body", "fastly error", "please", "sea p", "america flag", "america asn", "trojan", "accept", "url add", "ip related", "pulses none", "cdhc", "oxq xr8w1", "fv5hc9a2l", "s showing", "next related", "domains domain", "script urls", "present sep", "cookie", "hostname add" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6020, "hostname": 1865, "FileHash-SHA256": 676, "FileHash-MD5": 106, "FileHash-SHA1": 86, "domain": 990, "email": 5 }, "indicator_count": 9748, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "243 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 45262 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/trafficmanager.cn", "whois": "http://whois.domaintools.com/trafficmanager.cn", "domain": "trafficmanager.cn", "hostname": "api-mc-prod.trafficmanager.cn" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 6, "pulses": [ { "id": "687d5d33d16ab7837e23bc01", "name": "howmanyofme.com - Packed | Palantir", "description": "howmanyofme.com was a honeypot. The names listed are potentially monitored targets. One was verified target.||\nhttp://howmanyofme.com/search/?given=Tsara&sur=Brashears/\nhttp://ww2.howmanyofme.com/people/Carrie_Henn/\nhttp://ww2.howmanyofme.com/people/Rockmond_Dunbar/\nhttp://howmanyofme.com/people/John_Hurt/\nhttp://howmanyofme.com/people/Mary_Gross/\nhttp://howmanyofme.com/people/Kenneth_Tobey/\nhttp://ww2.howmanyofme.com/people/Royce_Clayton/\n\n\n#Palantir # #honeypot #howmanyofme", "modified": "2025-09-18T23:05:18.490000", "created": "2025-07-20T21:18:43.974000", "tags": [ "united", "unknown ns", "a domains", "ip address", "search", "privacy service", "fbo registrant", "date", "entries", "how many", "destination", "port", "windows nt", "msie", "unknown", "et trojan", "poodle attack", "policy sslv3", "united kingdom", "suspicious", "copy", "virustotal", "malware", "write", "hostile", "next", "triton", "super node", "get reloaded", "x11 snf", "png image", "rgba", "post reloaded", "ascii text", "crlf line", "gnu message", "ms windows", "intel", "pe32", "host", "get babylon", "show", "babylon" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 7185, "domain": 706, "hostname": 1906, "email": 5, "FileHash-SHA256": 3645, "FileHash-MD5": 330, "FileHash-SHA1": 135, "CVE": 1 }, "indicator_count": 13913, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "213 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6892a73593f73dfc969779b0", "name": "Part I | Track | Locate | Political & Civil society \u2018news\u2019 campaigns", "description": "Part I | Track | Locate | Political & Civil society \u2018news\u2019 campaigns\n*[ddddd.msg]\n[http://tracking.eu1.glintinc.com]\n[stormer5v52vjsw66jmds7ndeecudq444woadhzr2plxlaayexnh6eqd]\n[stackstorm.ops.dev.az.glintinc.com]\n\u2022 http://stormer5v52vjsw66jmds7ndeecudq444woadhzr2plxlaayexnh6eqd.onion/peter-thiel-running-database-to-root-out-those-disloyal-to-the-leader/\\n \u2022\n[http://pixelrz.com/lists/keywords/tsara-brashears-assaulted-at-concentra/360]\n[http://pixelrz.com/lists/keywords/tsara-brashears-dead/360]", "modified": "2025-09-05T00:03:23.223000", "created": "2025-08-06T00:52:05.051000", "tags": [ "url http", "small", "indicator role", "title added", "active related", "pulses hostname", "tellyoun", "n aug", "entries", "data upload", "extraction", "windows error", "june", "fwd urgent", "justice czech", "copy sha256", "rejectedfailed", "timestamp input", "message status", "actions august", "file", "actions june", "actions may", "cta4 https", "context related", "associated urls", "campaigncodedsc", "language", "uid http", "community", "sha256", "size42b type", "submitted", "august", "april", "internal error", "previous1", "iframe", "community score", "scan analysis", "malicious", "intelligence", "learn", "falcon sandbox", "submissions", "status", "adversaries", "ck id", "name tactics", "suspicious", "informative", "defense evasion", "windows folder", "found", "dlls", "impact", "chromeua", "optout", "object", "path", "value", "access type", "setval", "windir", "localappdata", "null", "win64", "error", "generator", "close", "roboto", "date", "format", "light", "span", "template", "void", "android", "body", "trident", "mexico", "sonic", "black", "critical", "desktop", "dark", "meta", "this", "hybrid", "apache", "write", "crypto", "autodetect", "face", "courier", "gigi", "shadow", "click", "strings", "cray", "smwg", "eret", "footer", "infinity", "window", "canvas", "legend", "nuke", "lion", "4629", "ahav", "olsa", "false" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 9062, "domain": 707, "hostname": 2318, "FileHash-MD5": 86, "FileHash-SHA1": 26, "FileHash-SHA256": 2096, "email": 5, "FilePath": 2, "URI": 1 }, "indicator_count": 14303, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "226 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "687f33a5ddf830e2f3e5acac", "name": "Trojan Dropper | Espionage | Keylogger affecting medical centers", "description": "PII and PHI at risk. Highest access spyware available infiltrates a small niche medical center. \ntrojandropper, keyloggers, advanced spyware, monitored rooms , mitre att, ||\nIDS: PROTOCOL-ICMP PATH MTU denial of service attempt \u2022 PROTOCOL-ICMP Destination Unreachable Fragmentation Needed and DF bit was set\n\n\u2022 https://foundry2sdbl.dvr.dn2.n-helix.com/\n\u2022 https://www.pegasustech.net/products/mobility-barcode-scanning/Data-collector-mobile-computer\n\n\u2022 \nrobloxlogger.com\n\u2022\n\nhttps://video.welnext.com\n\u2022\nhttps://app1.oceantg.com/sta40/views/personnelscreenview.aspx", "modified": "2025-08-21T06:00:20.607000", "created": "2025-07-22T06:45:57.499000", "tags": [ "pegasus", "report spam", "gotham foundry", "espionage", "spinal cord", "injured created", "minutes ago", "strange", "foundry", "palantir", "alexa", "service", "url http", "url https", "type indicator", "role title", "added active", "related pulses", "ipv4", "united", "germany", "singapore", "netherlands", "iran", "india", "search", "domain", "hostname", "filehashmd5", "filehashsha1", "extraction", "data upload", "sc type", "dren aeu", "extr source", "ur data", "include", "review exclude", "sugges", "mtu denial", "matches rule", "needed", "df bit", "unique rule", "catalog tree", "c0002 wininet", "ta0005 command", "control ta0011", "get http", "resolved ips", "dns resolutions", "cloudflare", "flag", "server", "date", "contacted hosts", "ip address", "process details", "t1158", "hidden", "t1031", "modify existing", "t1053", "taskjob", "t1060", "run keys", "startup", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "spawns", "command", "found", "itre att", "show process", "prefetch8", "mitre att", "show technique", "ck matrix", "windows nt", "win64", "khtml", "gecko", "april", "hybrid", "general", "path", "click", "strings", "entries", "unknown ns", "creation date", "record value", "showing", "gmt content", "accept encoding", "encrypt", "checked url", "hostname server", "response ip", "address google", "safe browsing", "present jan" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2628, "domain": 472, "hostname": 880, "FileHash-SHA256": 805, "FileHash-MD5": 151, "FileHash-SHA1": 128, "CIDR": 1, "SSLCertFingerprint": 3, "email": 1 }, "indicator_count": 5069, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "241 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "687d30048b95aaba628a5ee7", "name": "Working on it\u2026\u2026", "description": "\u2022 Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)\n(onyx-ware.com)\nNS1.ENDGAME.COM\n(endgames.us)\nNS1.ENDGAME.COM\n#deadmau5 #janskyofficial #idk #soundcloud", "modified": "2025-08-19T17:00:59.379000", "created": "2025-07-20T18:05:56.587000", "tags": [ "dynamicloader", "united", "as15169", "medium", "search", "show", "write c", "whitelisted", "brazil as396982", "high", "themida", "write", "delphi", "copy", "upatre", "encrypt", "june", "win32", "malware", "win64", "windows nt", "directui", "element", "classinfobase", "value", "hwndhost", "sapeav12", "delete c", "worm", "explorer", "insert", "movie", "alerts", "windows", "installs", "filehash", "sha256 add", "pulse pulses", "av detections", "ids detections", "passive dns", "urls", "http", "ip address", "related nids", "files location", "spain flag", "spain domain", "files related", "spain", "entries", "next associated", "meta name", "frame src", "ok set", "cookie", "gmt date", "gmt content", "filehashsha256", "type indicator", "role title", "added active", "related pulses", "url http", "filehashmd5", "showing", "url https", "indicator role", "title added", "active related", "iocs", "learn more", "filehashsha1", "types of", "united kingdom", "t1053", "taskjob", "t1055", "injection", "t1082", "t1119", "t1129", "modules", "t1143", "soundcloud", "created", "hour ago", "facebook", "twitter", "victims website", "youtube", "jansky", "trojandropper", "pulses url" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2012, "FileHash-MD5": 140, "FileHash-SHA1": 129, "FileHash-SHA256": 1348, "SSLCertFingerprint": 3, "domain": 288, "hostname": 812 }, "indicator_count": 4732, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "243 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "687d18d829739be014393c59", "name": "SoundCloud - Hear the world\u2019s sounds", "description": "Social engineering included lots of contact via Facebook, Twitter, SoundCloud, Victims website, iCloud.. iCloud was erased and the hacker left the man \u2018deadmau5\u2018 . deadmau5 was used threatening posts emails and whoever they are sent photos and became overly interested in victims music. 1st to report music was not showing up on YouTube. Statements show victim had millions of views redirected. Hackers would often thank artistss for another million views. Songs pirated. Jansky on SoundCloud contacted victims daughter often, sent a photo and said he was from Great Britain. \n\u2022 ALFPER:PUA:Win32/InstallCore\n\u2022 TrojanDropper:Win32/VB.IL\n\u2022 Win.Trojan.Agent-\n|| blog.jpcert.or.jp \n\n\u2022 Registrant Org: Japan Computer Emergency Response Team Coordination Center\n\nI feel like this is very dangerous. These people are in Colorado no matter where they say they are.", "modified": "2025-08-19T14:03:11.976000", "created": "2025-07-20T16:27:04.872000", "tags": [ "read c", "search", "medium", "entries", "show", "unicode", "tls handshake", "memcommit", "delete", "crlf line", "next", "dock", "write", "execution", "malware", "copy", "no expiration", "filehashmd5", "filehashsha256", "showing", "urls", "passive dns", "http", "unique", "l add", "pulse pulses", "ip address", "related nids", "files location", "united", "code", "present jul", "present showing", "title error", "date checked", "url hostname", "server response", "google safe", "results jul", "next associated", "files show", "win32", "date", "urls show", "error", "creation date", "name servers", "value emails", "name eric", "wahlforss name", "org soundcloud", "city berlin", "country de", "dnssec unsigned", "files", "verdict", "domain", "files ip", "address", "location united", "asn as16509", "less", "results nov", "associated urls", "results jan", "present feb", "related tags", "none indicator", "facts domain", "present", "akamai external", "resources whois", "urlvoid", "related", "png image", "rgba", "alfper", "ipv4 add", "trojandropper", "present may", "present jun", "cname", "emails", "status", "servers", "less whois", "body", "fastly error", "please", "sea p", "america flag", "america asn", "trojan", "accept", "url add", "ip related", "pulses none", "cdhc", "oxq xr8w1", "fv5hc9a2l", "s showing", "next related", "domains domain", "script urls", "present sep", "cookie", "hostname add" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6020, "hostname": 1865, "FileHash-SHA256": 676, "FileHash-MD5": 106, "FileHash-SHA1": 86, "domain": 990, "email": 5 }, "indicator_count": 9748, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "243 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "687d18de7177474b759ab2b7", "name": "SoundCloud - Hear the world\u2019s sounds", "description": "Social engineering included lots of contact via Facebook, Twitter, SoundCloud, Victims website, iCloud.. iCloud was erased and the hacker left the man \u2018deadmau5\u2018 . deadmau5 was used threatening posts emails and whoever they are sent photos and became overly interested in victims music. 1st to report music was not showing up on YouTube. Statements show victim had millions of views redirected. Hackers would often thank artistss for another million views. Songs pirated. Jansky on SoundCloud contacted victims daughter often, sent a photo and said he was from Great Britain. \n\u2022 ALFPER:PUA:Win32/InstallCore\n\u2022 TrojanDropper:Win32/VB.IL\n\u2022 Win.Trojan.Agent-\n|| blog.jpcert.or.jp \n\n\u2022 Registrant Org: Japan Computer Emergency Response Team Coordination Center\n\nI feel like this is very dangerous. These people are in Colorado no matter where they say they are.", "modified": "2025-08-19T14:03:11.976000", "created": "2025-07-20T16:27:10.608000", "tags": [ "read c", "search", "medium", "entries", "show", "unicode", "tls handshake", "memcommit", "delete", "crlf line", "next", "dock", "write", "execution", "malware", "copy", "no expiration", "filehashmd5", "filehashsha256", "showing", "urls", "passive dns", "http", "unique", "l add", "pulse pulses", "ip address", "related nids", "files location", "united", "code", "present jul", "present showing", "title error", "date checked", "url hostname", "server response", "google safe", "results jul", "next associated", "files show", "win32", "date", "urls show", "error", "creation date", "name servers", "value emails", "name eric", "wahlforss name", "org soundcloud", "city berlin", "country de", "dnssec unsigned", "files", "verdict", "domain", "files ip", "address", "location united", "asn as16509", "less", "results nov", "associated urls", "results jan", "present feb", "related tags", "none indicator", "facts domain", "present", "akamai external", "resources whois", "urlvoid", "related", "png image", "rgba", "alfper", "ipv4 add", "trojandropper", "present may", "present jun", "cname", "emails", "status", "servers", "less whois", "body", "fastly error", "please", "sea p", "america flag", "america asn", "trojan", "accept", "url add", "ip related", "pulses none", "cdhc", "oxq xr8w1", "fv5hc9a2l", "s showing", "next related", "domains domain", "script urls", "present sep", "cookie", "hostname add" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6020, "hostname": 1865, "FileHash-SHA256": 676, "FileHash-MD5": 106, "FileHash-SHA1": 86, "domain": 990, "email": 5 }, "indicator_count": 9748, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "243 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://api-mc-prod.trafficmanager.cn", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://api-mc-prod.trafficmanager.cn", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776641841.3034608 }