{ "type": "URL", "indicator": "https://cdn-main2.qa2.myfor.ms", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://cdn-main2.qa2.myfor.ms", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 2913024710, "indicator": "https://cdn-main2.qa2.myfor.ms", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 14, "pulses": [ { "id": "68743733a69ce827f6156f5c", "name": "W3.org | Google Spy engine | Tracking, Malware Repository | www.W3.org https://www.searchw3.com/ > ww.google.com.uy", "description": "", "modified": "2025-07-13T22:46:11.685000", "created": "2025-07-13T22:46:11.685000", "tags": [ "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers", "expired", "acceptencoding", "html info", "title home", "tags viewport", "trackers google", "tag manager", "gsddf3d2bzf", "historical ssl", "referrer", "december", "formbook", "round", "apple ios", "tsara brashears", "unlocker", "collection", "vt graph", "socgholish", "blister", "hacktool", "hiddentear", "gootloader", "agent tesla", "crypto", "installer", "life", "malware", "open", "korplug", "tofsee", "date", "name servers", "status", "passive dns", "urls", "scan endpoints", "all scoreblue", "pulse submit", "url analysis", "files", "no data", "tag count", "analyzer threat", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "heur", "cisco umbrella", "alexa top", "million", "site", "alexa", "maltiverse", "xcnfe", "safe site", "phishing", "remcos", "malicious", "miner", "bank", "agenttesla", "agent", "unknown", "downloader", "unsafe", "trojan", "detplock", "artemis", "networm", "win64", "redline stealer", "limerat", "venom rat", "trojanspy", "tld count", "png image", "jpeg image", "rgba", "exif standard", "tiff image", "pattern match", "ascii text", "united", "jfif", "sha1", "core", "general", "starfield", "hybrid", "local", "encrypt", "click", "strings", "adobea", "daga", "as30148 sucuri", "td tr", "search", "span td", "as44273 host", "creation date", "a domains", "xtra", "meta", "back", "verdict", "domain", "aaaa", "as15169 google", "asnone united", "nxdomain", "sucuri security", "a li", "span", "class", "body", "sucuri website", "a div", "authority", "record value", "showing", "gmt content", "x sucuri", "high", "related pulses", "show", "guard", "entries", "win32", "west domains", "next", "ipv4", "asnone germany", "object", "com cnt", "dem fin", "gov int", "nav onl", "phy pre", "formbook cnc", "checkin", "found", "error", "code", "create c", "read c", "delete", "write", "default", "dock", "execution", "copy", "xport", "firewall", "body doctype", "section", "dcrat", "analyzer paste", "iocs", "hostnames", "url https", "blacklist", "cl0p ransomware", "zbot", "malware site", "team memscan", "cl0p", "algorithm", "data", "v3 serial", "number", "cus starizona", "cngo daddy", "g2 validity", "subject public", "key info", "certificate", "whois lookup", "netrange", "nethandle", "net192", "net1920000", "as174", "as3257", "sucuri", "sucur2", "verisign", "whois database", "server", "registrar abuse", "icann whois", "whois status", "registrar iana", "form", "temple", "first", "android", "win32 exe", "html", "bobby fischer", "office open", "detections type", "name", "pdf dealer", "price list", "pdf my", "crime", "taiwan unknown", "as3462", "as131148 bank", "as21342", "all search", "otx scoreblue", "pulse pulses", "cname", "as22612", "as43350 nforce", "win32upatre jun", "expiration date", "hostname", "lowfi", "date hash", "avast avg", "date checked", "url hostname", "server response", "google safe", "results jun", "files show", "registrar", "china unknown", "title", "network", "fakedout threat", "urls http", "maltiverse safe", "malicious url", "team", "phishtank", "services", "botnet command", "control server", "mining", "betabot", "team malware", "engineering", "stealer", "service", "vawtrak", "virut", "emotet", "simda", "redline", "fri oct", "media sharing", "known infection source", "bot networks", "malware", "malware repository", "spyware" ], "references": [ "https://www.searchw3.com/ = google.analytics.com, google.com, google.net, adservice.google.com.uy,https://plus.google.com/", "ns1.google.com, nussbaumlaw-ca.webpkgcache.com, plus.google.com, tddctx-com.webpkgcache.com,", "Ransomware: message.htm.com | nr-data.net [Apple Private Data Collection]", "https://otx.alienvault.com/indicator/file/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b", "Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk uses_windows_utilities", "Alerts: cmdline_http_link clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint", "Alerts: anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self", "Alerts: stealth_window cmdline_http_link uses_windows_utilities suspicious_command_tools dead_connect", "IP\u2019s Contacted: 192.124.249.187", "Possible Fake AV Checkin Kazy/Kryptor/Cycbot Trojan Checkin BetterInstaller Win32.AdWare.iBryte.C Install Dooptroop CnC Beacon Win32/DownloadAssistant.A PUP CnC Win32.Sality-GR Checkin Win32/FlyStudio Activity W32/InstallRex.Adware Initial CnC Beacon PUP Win32/DownloadAssistant.A Checkin", "Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities", "Alerts: enumerates_physical_drives clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile", "Alerts: clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities", "www.google.com/images/branding/googlelogo/1x/googlelogo, https://www.google.com/recaptcha/api.js?onload=recaptchaCallback&render=explicit&hl=", "www.google.com/images/branding/googlelogo/2x/googlelogo, www.google.com/images/errors/robot.png, www.google.com, www.google.com/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Cl0p", "display_name": "Cl0p", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" } ], "industries": [], "TLP": "green", "cloned_from": "6688e0ffb31d4881f3238713", "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 4080, "URL": 11952, "hostname": 4638, "domain": 4301, "FileHash-MD5": 2236, "FileHash-SHA1": 1140, "CVE": 8, "SSLCertFingerprint": 20, "email": 8, "CIDR": 1 }, "indicator_count": 28384, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "280 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6688e0ffb31d4881f3238713", "name": "Google Spy engine | Tracking, Malware Repository", "description": "www.W3.org https://www.searchw3.com/ > ww.google.com.uy. All tags auto populated. Did not spend time documenting all as pulse is quite large. I was able to prove the the compromises are active. I will make much smaller reports.\n(Botnet Commands, Google Spy engine | Tracking, Malware Repository, Stealer, iPhone unlocker)", "modified": "2024-08-05T04:01:42.283000", "created": "2024-07-06T06:15:27.994000", "tags": [ "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers", "expired", "acceptencoding", "html info", "title home", "tags viewport", "trackers google", "tag manager", "gsddf3d2bzf", "historical ssl", "referrer", "december", "formbook", "round", "apple ios", "tsara brashears", "unlocker", "collection", "vt graph", "socgholish", "blister", "hacktool", "hiddentear", "gootloader", "agent tesla", "crypto", "installer", "life", "malware", "open", "korplug", "tofsee", "date", "name servers", "status", "passive dns", "urls", "scan endpoints", "all scoreblue", "pulse submit", "url analysis", "files", "no data", "tag count", "analyzer threat", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "heur", "cisco umbrella", "alexa top", "million", "site", "alexa", "maltiverse", "xcnfe", "safe site", "phishing", "remcos", "malicious", "miner", "bank", "agenttesla", "agent", "unknown", "downloader", "unsafe", "trojan", "detplock", "artemis", "networm", "win64", "redline stealer", "limerat", "venom rat", "trojanspy", "tld count", "png image", "jpeg image", "rgba", "exif standard", "tiff image", "pattern match", "ascii text", "united", "jfif", "sha1", "core", "general", "starfield", "hybrid", "local", "encrypt", "click", "strings", "adobea", "daga", "as30148 sucuri", "td tr", "search", "span td", "as44273 host", "creation date", "a domains", "xtra", "meta", "back", "verdict", "domain", "aaaa", "as15169 google", "asnone united", "nxdomain", "sucuri security", "a li", "span", "class", "body", "sucuri website", "a div", "authority", "record value", "showing", "gmt content", "x sucuri", "high", "related pulses", "show", "guard", "entries", "win32", "west domains", "next", "ipv4", "asnone germany", "object", "com cnt", "dem fin", "gov int", "nav onl", "phy pre", "formbook cnc", "checkin", "found", "error", "code", "create c", "read c", "delete", "write", "default", "dock", "execution", "copy", "xport", "firewall", "body doctype", "section", "dcrat", "analyzer paste", "iocs", "hostnames", "url https", "blacklist", "cl0p ransomware", "zbot", "malware site", "team memscan", "cl0p", "algorithm", "data", "v3 serial", "number", "cus starizona", "cngo daddy", "g2 validity", "subject public", "key info", "certificate", "whois lookup", "netrange", "nethandle", "net192", "net1920000", "as174", "as3257", "sucuri", "sucur2", "verisign", "whois database", "server", "registrar abuse", "icann whois", "whois status", "registrar iana", "form", "temple", "first", "android", "win32 exe", "html", "bobby fischer", "office open", "detections type", "name", "pdf dealer", "price list", "pdf my", "crime", "taiwan unknown", "as3462", "as131148 bank", "as21342", "all search", "otx scoreblue", "pulse pulses", "cname", "as22612", "as43350 nforce", "win32upatre jun", "expiration date", "hostname", "lowfi", "date hash", "avast avg", "date checked", "url hostname", "server response", "google safe", "results jun", "files show", "registrar", "china unknown", "title", "network", "fakedout threat", "urls http", "maltiverse safe", "malicious url", "team", "phishtank", "services", "botnet command", "control server", "mining", "betabot", "team malware", "engineering", "stealer", "service", "vawtrak", "virut", "emotet", "simda", "redline", "fri oct", "media sharing", "known infection source", "bot networks", "malware", "malware repository", "spyware" ], "references": [ "https://www.searchw3.com/ = google.analytics.com, google.com, google.net, adservice.google.com.uy,https://plus.google.com/", "ns1.google.com, nussbaumlaw-ca.webpkgcache.com, plus.google.com, tddctx-com.webpkgcache.com,", "Ransomware: message.htm.com | nr-data.net [Apple Private Data Collection]", "https://otx.alienvault.com/indicator/file/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b", "Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk uses_windows_utilities", "Alerts: cmdline_http_link clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint", "Alerts: anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self", "Alerts: stealth_window cmdline_http_link uses_windows_utilities suspicious_command_tools dead_connect", "IP\u2019s Contacted: 192.124.249.187", "Possible Fake AV Checkin Kazy/Kryptor/Cycbot Trojan Checkin BetterInstaller Win32.AdWare.iBryte.C Install Dooptroop CnC Beacon Win32/DownloadAssistant.A PUP CnC Win32.Sality-GR Checkin Win32/FlyStudio Activity W32/InstallRex.Adware Initial CnC Beacon PUP Win32/DownloadAssistant.A Checkin", "Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities", "Alerts: enumerates_physical_drives clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile", "Alerts: clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities", "www.google.com/images/branding/googlelogo/1x/googlelogo, https://www.google.com/recaptcha/api.js?onload=recaptchaCallback&render=explicit&hl=", "www.google.com/images/branding/googlelogo/2x/googlelogo, www.google.com/images/errors/robot.png, www.google.com, www.google.com/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Cl0p", "display_name": "Cl0p", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 89, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 4080, "URL": 11952, "hostname": 4638, "domain": 4301, "FileHash-MD5": 2236, "FileHash-SHA1": 1140, "CVE": 8, "SSLCertFingerprint": 20, "email": 8, "CIDR": 1 }, "indicator_count": 28384, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "623 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6688e142f0c8f5ddecbc788c", "name": "Google Spy engine | Tracking, Malware Repository", "description": "www.W3.org https://www.searchw3.com/ > ww.google.com.uy. All tags auto populated. Did not spend time documenting all as pulse is quite large. I was able to prove the the compromises are active. I will make much smaller reports.\n(Botnet Commands, Google Spy engine | Tracking, Malware Repository, Stealer, iPhone unlocker)", "modified": "2024-08-05T04:01:42.283000", "created": "2024-07-06T06:16:34.388000", "tags": [ "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers", "expired", "acceptencoding", "html info", "title home", "tags viewport", "trackers google", "tag manager", "gsddf3d2bzf", "historical ssl", "referrer", "december", "formbook", "round", "apple ios", "tsara brashears", "unlocker", "collection", "vt graph", "socgholish", "blister", "hacktool", "hiddentear", "gootloader", "agent tesla", "crypto", "installer", "life", "malware", "open", "korplug", "tofsee", "date", "name servers", "status", "passive dns", "urls", "scan endpoints", "all scoreblue", "pulse submit", "url analysis", "files", "no data", "tag count", "analyzer threat", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "heur", "cisco umbrella", "alexa top", "million", "site", "alexa", "maltiverse", "xcnfe", "safe site", "phishing", "remcos", "malicious", "miner", "bank", "agenttesla", "agent", "unknown", "downloader", "unsafe", "trojan", "detplock", "artemis", "networm", "win64", "redline stealer", "limerat", "venom rat", "trojanspy", "tld count", "png image", "jpeg image", "rgba", "exif standard", "tiff image", "pattern match", "ascii text", "united", "jfif", "sha1", "core", "general", "starfield", "hybrid", "local", "encrypt", "click", "strings", "adobea", "daga", "as30148 sucuri", "td tr", "search", "span td", "as44273 host", "creation date", "a domains", "xtra", "meta", "back", "verdict", "domain", "aaaa", "as15169 google", "asnone united", "nxdomain", "sucuri security", "a li", "span", "class", "body", "sucuri website", "a div", "authority", "record value", "showing", "gmt content", "x sucuri", "high", "related pulses", "show", "guard", "entries", "win32", "west domains", "next", "ipv4", "asnone germany", "object", "com cnt", "dem fin", "gov int", "nav onl", "phy pre", "formbook cnc", "checkin", "found", "error", "code", "create c", "read c", "delete", "write", "default", "dock", "execution", "copy", "xport", "firewall", "body doctype", "section", "dcrat", "analyzer paste", "iocs", "hostnames", "url https", "blacklist", "cl0p ransomware", "zbot", "malware site", "team memscan", "cl0p", "algorithm", "data", "v3 serial", "number", "cus starizona", "cngo daddy", "g2 validity", "subject public", "key info", "certificate", "whois lookup", "netrange", "nethandle", "net192", "net1920000", "as174", "as3257", "sucuri", "sucur2", "verisign", "whois database", "server", "registrar abuse", "icann whois", "whois status", "registrar iana", "form", "temple", "first", "android", "win32 exe", "html", "bobby fischer", "office open", "detections type", "name", "pdf dealer", "price list", "pdf my", "crime", "taiwan unknown", "as3462", "as131148 bank", "as21342", "all search", "otx scoreblue", "pulse pulses", "cname", "as22612", "as43350 nforce", "win32upatre jun", "expiration date", "hostname", "lowfi", "date hash", "avast avg", "date checked", "url hostname", "server response", "google safe", "results jun", "files show", "registrar", "china unknown", "title", "network", "fakedout threat", "urls http", "maltiverse safe", "malicious url", "team", "phishtank", "services", "botnet command", "control server", "mining", "betabot", "team malware", "engineering", "stealer", "service", "vawtrak", "virut", "emotet", "simda", "redline", "fri oct", "media sharing", "known infection source", "bot networks", "malware", "malware repository", "spyware" ], "references": [ "https://www.searchw3.com/ = google.analytics.com, google.com, google.net, adservice.google.com.uy,https://plus.google.com/", "ns1.google.com, nussbaumlaw-ca.webpkgcache.com, plus.google.com, tddctx-com.webpkgcache.com,", "Ransomware: message.htm.com | nr-data.net [Apple Private Data Collection]", "https://otx.alienvault.com/indicator/file/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b", "Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk uses_windows_utilities", "Alerts: cmdline_http_link clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint", "Alerts: anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self", "Alerts: stealth_window cmdline_http_link uses_windows_utilities suspicious_command_tools dead_connect", "IP\u2019s Contacted: 192.124.249.187", "Possible Fake AV Checkin Kazy/Kryptor/Cycbot Trojan Checkin BetterInstaller Win32.AdWare.iBryte.C Install Dooptroop CnC Beacon Win32/DownloadAssistant.A PUP CnC Win32.Sality-GR Checkin Win32/FlyStudio Activity W32/InstallRex.Adware Initial CnC Beacon PUP Win32/DownloadAssistant.A Checkin", "Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities", "Alerts: enumerates_physical_drives clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile", "Alerts: clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities", "www.google.com/images/branding/googlelogo/1x/googlelogo, https://www.google.com/recaptcha/api.js?onload=recaptchaCallback&render=explicit&hl=", "www.google.com/images/branding/googlelogo/2x/googlelogo, www.google.com/images/errors/robot.png, www.google.com, www.google.com/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Cl0p", "display_name": "Cl0p", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 94, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 4080, "URL": 11952, "hostname": 4638, "domain": 4301, "FileHash-MD5": 2236, "FileHash-SHA1": 1140, "CVE": 8, "SSLCertFingerprint": 20, "email": 8, "CIDR": 1 }, "indicator_count": 28384, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "623 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6688e15588a794b95443b46d", "name": "Google Spy engine | Tracking, Malware Repository", "description": "www.W3.org https://www.searchw3.com/ > ww.google.com.uy. All tags auto populated. Did not spend time documenting all as pulse is quite large. I was able to prove the the compromises are active. I will make much smaller reports.\n(Botnet Commands, Google Spy engine | Tracking, Malware Repository, Stealer, iPhone unlocker)\nSorry so sloppy and large.\nAll tags , malware families and ATT&CK mechanisms auto populated", "modified": "2024-08-05T02:03:31.529000", "created": "2024-07-06T06:16:53.461000", "tags": [ "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers", "expired", "acceptencoding", "html info", "title home", "tags viewport", "trackers google", "tag manager", "gsddf3d2bzf", "historical ssl", "referrer", "december", "formbook", "round", "apple ios", "tsara brashears", "unlocker", "collection", "vt graph", "socgholish", "blister", "hacktool", "hiddentear", "gootloader", "agent tesla", "crypto", "installer", "life", "malware", "open", "korplug", "tofsee", "date", "name servers", "status", "passive dns", "urls", "scan endpoints", "all scoreblue", "pulse submit", "url analysis", "files", "no data", "tag count", "analyzer threat", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "heur", "cisco umbrella", "alexa top", "million", "site", "alexa", "maltiverse", "xcnfe", "safe site", "phishing", "remcos", "malicious", "miner", "bank", "agenttesla", "agent", "unknown", "downloader", "unsafe", "trojan", "detplock", "artemis", "networm", "win64", "redline stealer", "limerat", "venom rat", "trojanspy", "tld count", "png image", "jpeg image", "rgba", "exif standard", "tiff image", "pattern match", "ascii text", "united", "jfif", "sha1", "core", "general", "starfield", "hybrid", "local", "encrypt", "click", "strings", "adobea", "daga", "as30148 sucuri", "td tr", "search", "span td", "as44273 host", "creation date", "a domains", "xtra", "meta", "back", "verdict", "domain", "aaaa", "as15169 google", "asnone united", "nxdomain", "sucuri security", "a li", "span", "class", "body", "sucuri website", "a div", "authority", "record value", "showing", "gmt content", "x sucuri", "high", "related pulses", "show", "guard", "entries", "win32", "west domains", "next", "ipv4", "asnone germany", "object", "com cnt", "dem fin", "gov int", "nav onl", "phy pre", "formbook cnc", "checkin", "found", "error", "code", "create c", "read c", "delete", "write", "default", "dock", "execution", "copy", "xport", "firewall", "body doctype", "section", "dcrat", "analyzer paste", "iocs", "hostnames", "url https", "blacklist", "cl0p ransomware", "zbot", "malware site", "team memscan", "cl0p", "algorithm", "data", "v3 serial", "number", "cus starizona", "cngo daddy", "g2 validity", "subject public", "key info", "certificate", "whois lookup", "netrange", "nethandle", "net192", "net1920000", "as174", "as3257", "sucuri", "sucur2", "verisign", "whois database", "server", "registrar abuse", "icann whois", "whois status", "registrar iana", "form", "temple", "first", "android", "win32 exe", "html", "bobby fischer", "office open", "detections type", "name", "pdf dealer", "price list", "pdf my", "crime", "taiwan unknown", "as3462", "as131148 bank", "as21342", "all search", "otx scoreblue", "pulse pulses", "cname", "as22612", "as43350 nforce", "win32upatre jun", "expiration date", "hostname", "lowfi", "date hash", "avast avg", "date checked", "url hostname", "server response", "google safe", "results jun", "files show", "registrar", "china unknown", "title", "file size", "b file", "detections file", "gzip chrome", "cache entry", "graph", "ip detections", "country", "domains", "internet domain", "service bs", "corp", "namecheap inc", "csc corporate", "tucows", "epik llc", "tucows domains" ], "references": [ "https://www.searchw3.com/", "IP\u2019s Contacted: 192.124.249.187", "Ransomware: message.htm.com", "https://otx.alienvault.com/indicator/file/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b", "Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk uses_windows_utilities", "Alerts: cmdline_http_link clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint", "Alerts: anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self", "Alerts: stealth_window cmdline_http_link uses_windows_utilities suspicious_command_tools dead_connect", "192.124.249.187", "Possible Fake AV Checkin Kazy/Kryptor/Cycbot Trojan Checkin BetterInstaller Win32.AdWare.iBryte.C Install Dooptroop CnC Beacon Win32/DownloadAssistant.A PUP CnC Win32.Sality-GR Checkin Win32/FlyStudio Activity W32/InstallRex.Adware Initial CnC Beacon PUP Win32/DownloadAssistant.A Checkin", "Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk enumerates_physical_drives clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities", "Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk enumerates_physical_drives clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities", "Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk enumerates_physical_drives clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Cl0p", "display_name": "Cl0p", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 73, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 3731, "URL": 11926, "hostname": 4626, "domain": 4135, "FileHash-MD5": 1530, "FileHash-SHA1": 762, "CVE": 8, "SSLCertFingerprint": 20, "email": 8, "CIDR": 1 }, "indicator_count": 26747, "is_author": false, "is_subscribing": null, "subscriber_count": 231, "modified_text": "623 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570800373899fd03e2e49db", "name": "Democrats.org", "description": "", "modified": "2023-12-06T14:06:59.250000", "created": "2023-12-06T14:06:59.250000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 3114, "domain": 3501, "hostname": 3860, "URL": 17938, "FileHash-MD5": 2, "FileHash-SHA1": 10 }, "indicator_count": 28425, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "866 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65707fb4961b1d8cc767134b", "name": "donaldtrump.digital", "description": "", "modified": "2023-12-06T14:05:40.791000", "created": "2023-12-06T14:05:40.791000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 939, "URL": 2100, "hostname": 604, "domain": 802, "email": 3, "FileHash-MD5": 3 }, "indicator_count": 4451, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "866 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65707f519ef27fa72eb62598", "name": "CambridgeAnalytica.org", "description": "", "modified": "2023-12-06T14:04:01.301000", "created": "2023-12-06T14:04:01.301000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 335, "URL": 13379, "hostname": 2501, "domain": 1501, "FileHash-SHA1": 15 }, "indicator_count": 17731, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "866 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65707ec3c760eea3873db672", "name": "BernieSanders.com (Pt.3)", "description": "", "modified": "2023-12-06T14:01:39.582000", "created": "2023-12-06T14:01:39.582000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-SHA256": 1950, "hostname": 1620, "domain": 900, "URL": 6563 }, "indicator_count": 11034, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "866 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65707c9df9c33dd5983b366a", "name": "TrueCar.com", "description": "", "modified": "2023-12-06T13:52:29.953000", "created": "2023-12-06T13:52:29.953000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1156, "domain": 4253, "hostname": 4203, "URL": 17071, "FileHash-MD5": 13, "FileHash-SHA1": 5, "email": 1 }, "indicator_count": 26702, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "866 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6220c81aaf6fddde0116569a", "name": "Democrats.org", "description": "", "modified": "2022-04-02T00:04:50.405000", "created": "2022-03-03T13:52:26.328000", "tags": [ "date", "dns replication" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Kailula4", "id": "131997", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 17938, "hostname": 3860, "domain": 3501, "FileHash-SHA256": 3114, "FileHash-MD5": 2, "FileHash-SHA1": 10 }, "indicator_count": 28425, "is_author": false, "is_subscribing": null, "subscriber_count": 408, "modified_text": "1479 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "621e5e3fc46b558e798819a3", "name": "donaldtrump.digital", "description": "", "modified": "2022-03-31T00:02:44.795000", "created": "2022-03-01T17:56:15.526000", "tags": [ "redacted for", "date", "privacy tech", "privacy admin", "city", "country", "code", "stateprovince", "email", "server", "links community", "outgoing links", "submission", "office", "hillary rodham", "status texthtml", "content type", "history first", "analysis", "utc http", "response final" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Kailula4", "id": "131997", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2101, "domain": 802, "FileHash-SHA256": 939, "hostname": 604, "FileHash-MD5": 3, "email": 3 }, "indicator_count": 4452, "is_author": false, "is_subscribing": null, "subscriber_count": 410, "modified_text": "1481 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "621927dd57ee9ed86aeb9cb4", "name": "CambridgeAnalytica.org", "description": "", "modified": "2022-03-27T00:00:39.057000", "created": "2022-02-25T19:02:53.023000", "tags": [ "win32 exe", "scott hanselman", "win32 dll", "llc creation", "date", "passive dns", "subdomains", "detections type", "name", "rich text", "format", "music", "first" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Kailula4", "id": "131997", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 13379, "hostname": 2501, "domain": 1501, "FileHash-SHA256": 335, "FileHash-SHA1": 15 }, "indicator_count": 17731, "is_author": false, "is_subscribing": null, "subscriber_count": 406, "modified_text": "1485 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6213f8adc8cfe3f681957ed1", "name": "BernieSanders.com (Pt.3)", "description": "", "modified": "2022-03-23T00:02:04.887000", "created": "2022-02-21T20:40:13.490000", "tags": [ "ssl certificate", "whois record", "whois" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [ "Government" ], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Kailula4", "id": "131997", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1620, "URL": 6563, "FileHash-SHA256": 1950, "domain": 900, "CVE": 1 }, "indicator_count": 11034, "is_author": false, "is_subscribing": null, "subscriber_count": 409, "modified_text": "1489 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "61e2733e9e57250b5725ab5a", "name": "TrueCar.com", "description": "", "modified": "2022-02-14T00:00:26.279000", "created": "2022-01-15T07:09:50.416000", "tags": [ "android", "win32 exe", "key identifier", "win32 dll", "x509v3 subject", "server", "date", "registrar abuse", "algorithm", "markmonitor", "format", "impact", "first", "text", "email", "type name", "portable", "adguard premium", "usus", "mozilla firefox", "technology", "microsoft", "security", "subdomains", "threatseeker", "sophos", "comodo valkyrie", "verdict mobile", "rank value", "ingestion time", "statvoo", "cisco umbrella", "dns records", "record type", "ttl value", "msms94514764", "data", "v3 serial", "number", "issuer", "cus cnamazon", "validity", "subject public", "key info", "key algorithm", "domain status", "contact phone", "registrar", "ca creation", "dnssec", "domain name", "us registrant", "links https", "path", "submission", "httponly", "expiressat", "samesitelax", "details links", "vehicles comodo", "history first", "analysis" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Kailula4", "id": "131997", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 17071, "hostname": 4203, "FileHash-SHA256": 1156, "domain": 4253, "FileHash-MD5": 13, "FileHash-SHA1": 5, "email": 1 }, "indicator_count": 26702, "is_author": false, "is_subscribing": null, "subscriber_count": 412, "modified_text": "1526 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "ns1.google.com, nussbaumlaw-ca.webpkgcache.com, plus.google.com, tddctx-com.webpkgcache.com,", "Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities", "Ransomware: message.htm.com", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b", "www.google.com/images/branding/googlelogo/1x/googlelogo, https://www.google.com/recaptcha/api.js?onload=recaptchaCallback&render=explicit&hl=", "Alerts: stealth_window cmdline_http_link uses_windows_utilities suspicious_command_tools dead_connect", "IP\u2019s Contacted: 192.124.249.187", "https://www.searchw3.com/", "Alerts: cmdline_http_link clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint", "Ransomware: message.htm.com | nr-data.net [Apple Private Data Collection]", "Alerts: enumerates_physical_drives clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile", "www.google.com/images/branding/googlelogo/2x/googlelogo, www.google.com/images/errors/robot.png, www.google.com, www.google.com/", "https://www.searchw3.com/ = google.analytics.com, google.com, google.net, adservice.google.com.uy,https://plus.google.com/", "Alerts: anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self", "Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk uses_windows_utilities", "https://otx.alienvault.com/indicator/file/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b", "Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk enumerates_physical_drives clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities", "Possible Fake AV Checkin Kazy/Kryptor/Cycbot Trojan Checkin BetterInstaller Win32.AdWare.iBryte.C Install Dooptroop CnC Beacon Win32/DownloadAssistant.A PUP CnC Win32.Sality-GR Checkin Win32/FlyStudio Activity W32/InstallRex.Adware Initial CnC Beacon PUP Win32/DownloadAssistant.A Checkin", "Alerts: clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities", "192.124.249.187" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Cl0p", "Redline", "Trojanspy" ], "industries": [ "Government" ], "unique_indicators": 103340 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/myfor.ms", "whois": "http://whois.domaintools.com/myfor.ms", "domain": "myfor.ms", "hostname": "cdn-main2.qa2.myfor.ms" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 14, "pulses": [ { "id": "68743733a69ce827f6156f5c", "name": "W3.org | Google Spy engine | Tracking, Malware Repository | www.W3.org https://www.searchw3.com/ > ww.google.com.uy", "description": "", "modified": "2025-07-13T22:46:11.685000", "created": "2025-07-13T22:46:11.685000", "tags": [ "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers", "expired", "acceptencoding", "html info", "title home", "tags viewport", "trackers google", "tag manager", "gsddf3d2bzf", "historical ssl", "referrer", "december", "formbook", "round", "apple ios", "tsara brashears", "unlocker", "collection", "vt graph", "socgholish", "blister", "hacktool", "hiddentear", "gootloader", "agent tesla", "crypto", "installer", "life", "malware", "open", "korplug", "tofsee", "date", "name servers", "status", "passive dns", "urls", "scan endpoints", "all scoreblue", "pulse submit", "url analysis", "files", "no data", "tag count", "analyzer threat", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "heur", "cisco umbrella", "alexa top", "million", "site", "alexa", "maltiverse", "xcnfe", "safe site", "phishing", "remcos", "malicious", "miner", "bank", "agenttesla", "agent", "unknown", "downloader", "unsafe", "trojan", "detplock", "artemis", "networm", "win64", "redline stealer", "limerat", "venom rat", "trojanspy", "tld count", "png image", "jpeg image", "rgba", "exif standard", "tiff image", "pattern match", "ascii text", "united", "jfif", "sha1", "core", "general", "starfield", "hybrid", "local", "encrypt", "click", "strings", "adobea", "daga", "as30148 sucuri", "td tr", "search", "span td", "as44273 host", "creation date", "a domains", "xtra", "meta", "back", "verdict", "domain", "aaaa", "as15169 google", "asnone united", "nxdomain", "sucuri security", "a li", "span", "class", "body", "sucuri website", "a div", "authority", "record value", "showing", "gmt content", "x sucuri", "high", "related pulses", "show", "guard", "entries", "win32", "west domains", "next", "ipv4", "asnone germany", "object", "com cnt", "dem fin", "gov int", "nav onl", "phy pre", "formbook cnc", "checkin", "found", "error", "code", "create c", "read c", "delete", "write", "default", "dock", "execution", "copy", "xport", "firewall", "body doctype", "section", "dcrat", "analyzer paste", "iocs", "hostnames", "url https", "blacklist", "cl0p ransomware", "zbot", "malware site", "team memscan", "cl0p", "algorithm", "data", "v3 serial", "number", "cus starizona", "cngo daddy", "g2 validity", "subject public", "key info", "certificate", "whois lookup", "netrange", "nethandle", "net192", "net1920000", "as174", "as3257", "sucuri", "sucur2", "verisign", "whois database", "server", "registrar abuse", "icann whois", "whois status", "registrar iana", "form", "temple", "first", "android", "win32 exe", "html", "bobby fischer", "office open", "detections type", "name", "pdf dealer", "price list", "pdf my", "crime", "taiwan unknown", "as3462", "as131148 bank", "as21342", "all search", "otx scoreblue", "pulse pulses", "cname", "as22612", "as43350 nforce", "win32upatre jun", "expiration date", "hostname", "lowfi", "date hash", "avast avg", "date checked", "url hostname", "server response", "google safe", "results jun", "files show", "registrar", "china unknown", "title", "network", "fakedout threat", "urls http", "maltiverse safe", "malicious url", "team", "phishtank", "services", "botnet command", "control server", "mining", "betabot", "team malware", "engineering", "stealer", "service", "vawtrak", "virut", "emotet", "simda", "redline", "fri oct", "media sharing", "known infection source", "bot networks", "malware", "malware repository", "spyware" ], "references": [ "https://www.searchw3.com/ = google.analytics.com, google.com, google.net, adservice.google.com.uy,https://plus.google.com/", "ns1.google.com, nussbaumlaw-ca.webpkgcache.com, plus.google.com, tddctx-com.webpkgcache.com,", "Ransomware: message.htm.com | nr-data.net [Apple Private Data Collection]", "https://otx.alienvault.com/indicator/file/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b", "Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk uses_windows_utilities", "Alerts: cmdline_http_link clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint", "Alerts: anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self", "Alerts: stealth_window cmdline_http_link uses_windows_utilities suspicious_command_tools dead_connect", "IP\u2019s Contacted: 192.124.249.187", "Possible Fake AV Checkin Kazy/Kryptor/Cycbot Trojan Checkin BetterInstaller Win32.AdWare.iBryte.C Install Dooptroop CnC Beacon Win32/DownloadAssistant.A PUP CnC Win32.Sality-GR Checkin Win32/FlyStudio Activity W32/InstallRex.Adware Initial CnC Beacon PUP Win32/DownloadAssistant.A Checkin", "Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities", "Alerts: enumerates_physical_drives clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile", "Alerts: clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities", "www.google.com/images/branding/googlelogo/1x/googlelogo, https://www.google.com/recaptcha/api.js?onload=recaptchaCallback&render=explicit&hl=", "www.google.com/images/branding/googlelogo/2x/googlelogo, www.google.com/images/errors/robot.png, www.google.com, www.google.com/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Cl0p", "display_name": "Cl0p", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" } ], "industries": [], "TLP": "green", "cloned_from": "6688e0ffb31d4881f3238713", "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 4080, "URL": 11952, "hostname": 4638, "domain": 4301, "FileHash-MD5": 2236, "FileHash-SHA1": 1140, "CVE": 8, "SSLCertFingerprint": 20, "email": 8, "CIDR": 1 }, "indicator_count": 28384, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "280 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6688e0ffb31d4881f3238713", "name": "Google Spy engine | Tracking, Malware Repository", "description": "www.W3.org https://www.searchw3.com/ > ww.google.com.uy. All tags auto populated. Did not spend time documenting all as pulse is quite large. I was able to prove the the compromises are active. I will make much smaller reports.\n(Botnet Commands, Google Spy engine | Tracking, Malware Repository, Stealer, iPhone unlocker)", "modified": "2024-08-05T04:01:42.283000", "created": "2024-07-06T06:15:27.994000", "tags": [ "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers", "expired", "acceptencoding", "html info", "title home", "tags viewport", "trackers google", "tag manager", "gsddf3d2bzf", "historical ssl", "referrer", "december", "formbook", "round", "apple ios", "tsara brashears", "unlocker", "collection", "vt graph", "socgholish", "blister", "hacktool", "hiddentear", "gootloader", "agent tesla", "crypto", "installer", "life", "malware", "open", "korplug", "tofsee", "date", "name servers", "status", "passive dns", "urls", "scan endpoints", "all scoreblue", "pulse submit", "url analysis", "files", "no data", "tag count", "analyzer threat", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "heur", "cisco umbrella", "alexa top", "million", "site", "alexa", "maltiverse", "xcnfe", "safe site", "phishing", "remcos", "malicious", "miner", "bank", "agenttesla", "agent", "unknown", "downloader", "unsafe", "trojan", "detplock", "artemis", "networm", "win64", "redline stealer", "limerat", "venom rat", "trojanspy", "tld count", "png image", "jpeg image", "rgba", "exif standard", "tiff image", "pattern match", "ascii text", "united", "jfif", "sha1", "core", "general", "starfield", "hybrid", "local", "encrypt", "click", "strings", "adobea", "daga", "as30148 sucuri", "td tr", "search", "span td", "as44273 host", "creation date", "a domains", "xtra", "meta", "back", "verdict", "domain", "aaaa", "as15169 google", "asnone united", "nxdomain", "sucuri security", "a li", "span", "class", "body", "sucuri website", "a div", "authority", "record value", "showing", "gmt content", "x sucuri", "high", "related pulses", "show", "guard", "entries", "win32", "west domains", "next", "ipv4", "asnone germany", "object", "com cnt", "dem fin", "gov int", "nav onl", "phy pre", "formbook cnc", "checkin", "found", "error", "code", "create c", "read c", "delete", "write", "default", "dock", "execution", "copy", "xport", "firewall", "body doctype", "section", "dcrat", "analyzer paste", "iocs", "hostnames", "url https", "blacklist", "cl0p ransomware", "zbot", "malware site", "team memscan", "cl0p", "algorithm", "data", "v3 serial", "number", "cus starizona", "cngo daddy", "g2 validity", "subject public", "key info", "certificate", "whois lookup", "netrange", "nethandle", "net192", "net1920000", "as174", "as3257", "sucuri", "sucur2", "verisign", "whois database", "server", "registrar abuse", "icann whois", "whois status", "registrar iana", "form", "temple", "first", "android", "win32 exe", "html", "bobby fischer", "office open", "detections type", "name", "pdf dealer", "price list", "pdf my", "crime", "taiwan unknown", "as3462", "as131148 bank", "as21342", "all search", "otx scoreblue", "pulse pulses", "cname", "as22612", "as43350 nforce", "win32upatre jun", "expiration date", "hostname", "lowfi", "date hash", "avast avg", "date checked", "url hostname", "server response", "google safe", "results jun", "files show", "registrar", "china unknown", "title", "network", "fakedout threat", "urls http", "maltiverse safe", "malicious url", "team", "phishtank", "services", "botnet command", "control server", "mining", "betabot", "team malware", "engineering", "stealer", "service", "vawtrak", "virut", "emotet", "simda", "redline", "fri oct", "media sharing", "known infection source", "bot networks", "malware", "malware repository", "spyware" ], "references": [ "https://www.searchw3.com/ = google.analytics.com, google.com, google.net, adservice.google.com.uy,https://plus.google.com/", "ns1.google.com, nussbaumlaw-ca.webpkgcache.com, plus.google.com, tddctx-com.webpkgcache.com,", "Ransomware: message.htm.com | nr-data.net [Apple Private Data Collection]", "https://otx.alienvault.com/indicator/file/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b", "Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk uses_windows_utilities", "Alerts: cmdline_http_link clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint", "Alerts: anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self", "Alerts: stealth_window cmdline_http_link uses_windows_utilities suspicious_command_tools dead_connect", "IP\u2019s Contacted: 192.124.249.187", "Possible Fake AV Checkin Kazy/Kryptor/Cycbot Trojan Checkin BetterInstaller Win32.AdWare.iBryte.C Install Dooptroop CnC Beacon Win32/DownloadAssistant.A PUP CnC Win32.Sality-GR Checkin Win32/FlyStudio Activity W32/InstallRex.Adware Initial CnC Beacon PUP Win32/DownloadAssistant.A Checkin", "Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities", "Alerts: enumerates_physical_drives clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile", "Alerts: clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities", "www.google.com/images/branding/googlelogo/1x/googlelogo, https://www.google.com/recaptcha/api.js?onload=recaptchaCallback&render=explicit&hl=", "www.google.com/images/branding/googlelogo/2x/googlelogo, www.google.com/images/errors/robot.png, www.google.com, www.google.com/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Cl0p", "display_name": "Cl0p", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 89, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 4080, "URL": 11952, "hostname": 4638, "domain": 4301, "FileHash-MD5": 2236, "FileHash-SHA1": 1140, "CVE": 8, "SSLCertFingerprint": 20, "email": 8, "CIDR": 1 }, "indicator_count": 28384, "is_author": false, "is_subscribing": null, "subscriber_count": 229, "modified_text": "623 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6688e142f0c8f5ddecbc788c", "name": "Google Spy engine | Tracking, Malware Repository", "description": "www.W3.org https://www.searchw3.com/ > ww.google.com.uy. All tags auto populated. Did not spend time documenting all as pulse is quite large. I was able to prove the the compromises are active. I will make much smaller reports.\n(Botnet Commands, Google Spy engine | Tracking, Malware Repository, Stealer, iPhone unlocker)", "modified": "2024-08-05T04:01:42.283000", "created": "2024-07-06T06:16:34.388000", "tags": [ "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers", "expired", "acceptencoding", "html info", "title home", "tags viewport", "trackers google", "tag manager", "gsddf3d2bzf", "historical ssl", "referrer", "december", "formbook", "round", "apple ios", "tsara brashears", "unlocker", "collection", "vt graph", "socgholish", "blister", "hacktool", "hiddentear", "gootloader", "agent tesla", "crypto", "installer", "life", "malware", "open", "korplug", "tofsee", "date", "name servers", "status", "passive dns", "urls", "scan endpoints", "all scoreblue", "pulse submit", "url analysis", "files", "no data", "tag count", "analyzer threat", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "heur", "cisco umbrella", "alexa top", "million", "site", "alexa", "maltiverse", "xcnfe", "safe site", "phishing", "remcos", "malicious", "miner", "bank", "agenttesla", "agent", "unknown", "downloader", "unsafe", "trojan", "detplock", "artemis", "networm", "win64", "redline stealer", "limerat", "venom rat", "trojanspy", "tld count", "png image", "jpeg image", "rgba", "exif standard", "tiff image", "pattern match", "ascii text", "united", "jfif", "sha1", "core", "general", "starfield", "hybrid", "local", "encrypt", "click", "strings", "adobea", "daga", "as30148 sucuri", "td tr", "search", "span td", "as44273 host", "creation date", "a domains", "xtra", "meta", "back", "verdict", "domain", "aaaa", "as15169 google", "asnone united", "nxdomain", "sucuri security", "a li", "span", "class", "body", "sucuri website", "a div", "authority", "record value", "showing", "gmt content", "x sucuri", "high", "related pulses", "show", "guard", "entries", "win32", "west domains", "next", "ipv4", "asnone germany", "object", "com cnt", "dem fin", "gov int", "nav onl", "phy pre", "formbook cnc", "checkin", "found", "error", "code", "create c", "read c", "delete", "write", "default", "dock", "execution", "copy", "xport", "firewall", "body doctype", "section", "dcrat", "analyzer paste", "iocs", "hostnames", "url https", "blacklist", "cl0p ransomware", "zbot", "malware site", "team memscan", "cl0p", "algorithm", "data", "v3 serial", "number", "cus starizona", "cngo daddy", "g2 validity", "subject public", "key info", "certificate", "whois lookup", "netrange", "nethandle", "net192", "net1920000", "as174", "as3257", "sucuri", "sucur2", "verisign", "whois database", "server", "registrar abuse", "icann whois", "whois status", "registrar iana", "form", "temple", "first", "android", "win32 exe", "html", "bobby fischer", "office open", "detections type", "name", "pdf dealer", "price list", "pdf my", "crime", "taiwan unknown", "as3462", "as131148 bank", "as21342", "all search", "otx scoreblue", "pulse pulses", "cname", "as22612", "as43350 nforce", "win32upatre jun", "expiration date", "hostname", "lowfi", "date hash", "avast avg", "date checked", "url hostname", "server response", "google safe", "results jun", "files show", "registrar", "china unknown", "title", "network", "fakedout threat", "urls http", "maltiverse safe", "malicious url", "team", "phishtank", "services", "botnet command", "control server", "mining", "betabot", "team malware", "engineering", "stealer", "service", "vawtrak", "virut", "emotet", "simda", "redline", "fri oct", "media sharing", "known infection source", "bot networks", "malware", "malware repository", "spyware" ], "references": [ "https://www.searchw3.com/ = google.analytics.com, google.com, google.net, adservice.google.com.uy,https://plus.google.com/", "ns1.google.com, nussbaumlaw-ca.webpkgcache.com, plus.google.com, tddctx-com.webpkgcache.com,", "Ransomware: message.htm.com | nr-data.net [Apple Private Data Collection]", "https://otx.alienvault.com/indicator/file/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b", "Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk uses_windows_utilities", "Alerts: cmdline_http_link clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint", "Alerts: anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self", "Alerts: stealth_window cmdline_http_link uses_windows_utilities suspicious_command_tools dead_connect", "IP\u2019s Contacted: 192.124.249.187", "Possible Fake AV Checkin Kazy/Kryptor/Cycbot Trojan Checkin BetterInstaller Win32.AdWare.iBryte.C Install Dooptroop CnC Beacon Win32/DownloadAssistant.A PUP CnC Win32.Sality-GR Checkin Win32/FlyStudio Activity W32/InstallRex.Adware Initial CnC Beacon PUP Win32/DownloadAssistant.A Checkin", "Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities", "Alerts: enumerates_physical_drives clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile", "Alerts: clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities", "www.google.com/images/branding/googlelogo/1x/googlelogo, https://www.google.com/recaptcha/api.js?onload=recaptchaCallback&render=explicit&hl=", "www.google.com/images/branding/googlelogo/2x/googlelogo, www.google.com/images/errors/robot.png, www.google.com, www.google.com/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Cl0p", "display_name": "Cl0p", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 94, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 4080, "URL": 11952, "hostname": 4638, "domain": 4301, "FileHash-MD5": 2236, "FileHash-SHA1": 1140, "CVE": 8, "SSLCertFingerprint": 20, "email": 8, "CIDR": 1 }, "indicator_count": 28384, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "623 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6688e15588a794b95443b46d", "name": "Google Spy engine | Tracking, Malware Repository", "description": "www.W3.org https://www.searchw3.com/ > ww.google.com.uy. All tags auto populated. Did not spend time documenting all as pulse is quite large. I was able to prove the the compromises are active. I will make much smaller reports.\n(Botnet Commands, Google Spy engine | Tracking, Malware Repository, Stealer, iPhone unlocker)\nSorry so sloppy and large.\nAll tags , malware families and ATT&CK mechanisms auto populated", "modified": "2024-08-05T02:03:31.529000", "created": "2024-07-06T06:16:53.461000", "tags": [ "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "headers", "expired", "acceptencoding", "html info", "title home", "tags viewport", "trackers google", "tag manager", "gsddf3d2bzf", "historical ssl", "referrer", "december", "formbook", "round", "apple ios", "tsara brashears", "unlocker", "collection", "vt graph", "socgholish", "blister", "hacktool", "hiddentear", "gootloader", "agent tesla", "crypto", "installer", "life", "malware", "open", "korplug", "tofsee", "date", "name servers", "status", "passive dns", "urls", "scan endpoints", "all scoreblue", "pulse submit", "url analysis", "files", "no data", "tag count", "analyzer threat", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "heur", "cisco umbrella", "alexa top", "million", "site", "alexa", "maltiverse", "xcnfe", "safe site", "phishing", "remcos", "malicious", "miner", "bank", "agenttesla", "agent", "unknown", "downloader", "unsafe", "trojan", "detplock", "artemis", "networm", "win64", "redline stealer", "limerat", "venom rat", "trojanspy", "tld count", "png image", "jpeg image", "rgba", "exif standard", "tiff image", "pattern match", "ascii text", "united", "jfif", "sha1", "core", "general", "starfield", "hybrid", "local", "encrypt", "click", "strings", "adobea", "daga", "as30148 sucuri", "td tr", "search", "span td", "as44273 host", "creation date", "a domains", "xtra", "meta", "back", "verdict", "domain", "aaaa", "as15169 google", "asnone united", "nxdomain", "sucuri security", "a li", "span", "class", "body", "sucuri website", "a div", "authority", "record value", "showing", "gmt content", "x sucuri", "high", "related pulses", "show", "guard", "entries", "win32", "west domains", "next", "ipv4", "asnone germany", "object", "com cnt", "dem fin", "gov int", "nav onl", "phy pre", "formbook cnc", "checkin", "found", "error", "code", "create c", "read c", "delete", "write", "default", "dock", "execution", "copy", "xport", "firewall", "body doctype", "section", "dcrat", "analyzer paste", "iocs", "hostnames", "url https", "blacklist", "cl0p ransomware", "zbot", "malware site", "team memscan", "cl0p", "algorithm", "data", "v3 serial", "number", "cus starizona", "cngo daddy", "g2 validity", "subject public", "key info", "certificate", "whois lookup", "netrange", "nethandle", "net192", "net1920000", "as174", "as3257", "sucuri", "sucur2", "verisign", "whois database", "server", "registrar abuse", "icann whois", "whois status", "registrar iana", "form", "temple", "first", "android", "win32 exe", "html", "bobby fischer", "office open", "detections type", "name", "pdf dealer", "price list", "pdf my", "crime", "taiwan unknown", "as3462", "as131148 bank", "as21342", "all search", "otx scoreblue", "pulse pulses", "cname", "as22612", "as43350 nforce", "win32upatre jun", "expiration date", "hostname", "lowfi", "date hash", "avast avg", "date checked", "url hostname", "server response", "google safe", "results jun", "files show", "registrar", "china unknown", "title", "file size", "b file", "detections file", "gzip chrome", "cache entry", "graph", "ip detections", "country", "domains", "internet domain", "service bs", "corp", "namecheap inc", "csc corporate", "tucows", "epik llc", "tucows domains" ], "references": [ "https://www.searchw3.com/", "IP\u2019s Contacted: 192.124.249.187", "Ransomware: message.htm.com", "https://otx.alienvault.com/indicator/file/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/e590f6ad5d0a831e297ed14c29af8467085d33bb26216501b621fbe8e8eca23b", "Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk uses_windows_utilities", "Alerts: cmdline_http_link clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint", "Alerts: anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self", "Alerts: stealth_window cmdline_http_link uses_windows_utilities suspicious_command_tools dead_connect", "192.124.249.187", "Possible Fake AV Checkin Kazy/Kryptor/Cycbot Trojan Checkin BetterInstaller Win32.AdWare.iBryte.C Install Dooptroop CnC Beacon Win32/DownloadAssistant.A PUP CnC Win32.Sality-GR Checkin Win32/FlyStudio Activity W32/InstallRex.Adware Initial CnC Beacon PUP Win32/DownloadAssistant.A Checkin", "Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk enumerates_physical_drives clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities", "Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk enumerates_physical_drives clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities", "Alerts: ransomware_file_modifications script_created_process antivm_generic_bios antivm_generic_disk enumerates_physical_drives clears_logs registry_credential_store_access infostealer_cookies recon_fingerprint suspicious_command_tools anomalous_deletefile antidebug_guardpages antisandbox_sleep dynamic_function_loading encrypted_ioc reads_self stealth_window cmdline_http_link uses_windows_utilities" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Cl0p", "display_name": "Cl0p", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 73, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 3731, "URL": 11926, "hostname": 4626, "domain": 4135, "FileHash-MD5": 1530, "FileHash-SHA1": 762, "CVE": 8, "SSLCertFingerprint": 20, "email": 8, "CIDR": 1 }, "indicator_count": 26747, "is_author": false, "is_subscribing": null, "subscriber_count": 231, "modified_text": "623 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570800373899fd03e2e49db", "name": "Democrats.org", "description": "", "modified": "2023-12-06T14:06:59.250000", "created": "2023-12-06T14:06:59.250000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 3114, "domain": 3501, "hostname": 3860, "URL": 17938, "FileHash-MD5": 2, "FileHash-SHA1": 10 }, "indicator_count": 28425, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "866 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65707fb4961b1d8cc767134b", "name": "donaldtrump.digital", "description": "", "modified": "2023-12-06T14:05:40.791000", "created": "2023-12-06T14:05:40.791000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 939, "URL": 2100, "hostname": 604, "domain": 802, "email": 3, "FileHash-MD5": 3 }, "indicator_count": 4451, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "866 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65707f519ef27fa72eb62598", "name": "CambridgeAnalytica.org", "description": "", "modified": "2023-12-06T14:04:01.301000", "created": "2023-12-06T14:04:01.301000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 335, "URL": 13379, "hostname": 2501, "domain": 1501, "FileHash-SHA1": 15 }, "indicator_count": 17731, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "866 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65707ec3c760eea3873db672", "name": "BernieSanders.com (Pt.3)", "description": "", "modified": "2023-12-06T14:01:39.582000", "created": "2023-12-06T14:01:39.582000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-SHA256": 1950, "hostname": 1620, "domain": 900, "URL": 6563 }, "indicator_count": 11034, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "866 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65707c9df9c33dd5983b366a", "name": "TrueCar.com", "description": "", "modified": "2023-12-06T13:52:29.953000", "created": "2023-12-06T13:52:29.953000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1156, "domain": 4253, "hostname": 4203, "URL": 17071, "FileHash-MD5": 13, "FileHash-SHA1": 5, "email": 1 }, "indicator_count": 26702, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "866 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6220c81aaf6fddde0116569a", "name": "Democrats.org", "description": "", "modified": "2022-04-02T00:04:50.405000", "created": "2022-03-03T13:52:26.328000", "tags": [ "date", "dns replication" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Kailula4", "id": "131997", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 17938, "hostname": 3860, "domain": 3501, "FileHash-SHA256": 3114, "FileHash-MD5": 2, "FileHash-SHA1": 10 }, "indicator_count": 28425, "is_author": false, "is_subscribing": null, "subscriber_count": 408, "modified_text": "1479 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://cdn-main2.qa2.myfor.ms", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://cdn-main2.qa2.myfor.ms", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776696502.5374527 }