{ "type": "URL", "indicator": "https://cdn.frankspeech.com/resources/videojs/plugins/", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://cdn.frankspeech.com/resources/videojs/plugins/", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4112148705, "indicator": "https://cdn.frankspeech.com/resources/videojs/plugins/", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 4, "pulses": [ { "id": "69d6619d62ea0c3bbf0ebf75", "name": "Mac OS Unwanted Programs | Mac Booster application potentially installed in background without target\u2019s knowledge", "description": "Not installed by users I\u2019m researching for. Downloaded as an unwanted program Overview of com.iobit.MacBooster-3\ncom.iobit.MacBooster-3 is the package identifier for MacBooster 3, a software application developed by IObit. This application is specifically designed for optimizing and maintaining Mac computers.\nKey Features\nMacBooster 3 includes several essential features aimed at enhancing the performance and security of Mac systems:\nSystem Cleanup: .\nPerformance Boosting: \nMalware Protection: .\nCompatibility\nMacBooster 3 is compatible with macOS versions starting from OS X 10.9. False - \nWhat are the potential risks of using MacBooster 3 on a Mac computer?\nUsing MacBooster 3 on a Mac computer can lead to potentially unwanted program (PUP) behavior, including browser interference, frequent pop-ups, and the installation of unnecessary software.", "modified": "2026-04-08T14:09:33.432000", "created": "2026-04-08T14:09:33.432000", "tags": [ "issuer apple", "valid from", "valid", "serial number", "macho", "macho 64bit", "mac os", "x macho", "intel", "file version", "team identifier", "apple root", "ca feb", "am ma9eduzpcw", "signers", "issuer valid", "from valid", "status issuer", "apple inc", "valid apple", "a9 a8", "process32nextw", "regsetvalueexa", "read c", "regdword", "tls handshake", "failure", "msie", "malware", "write", "win32", "unknown", "dynamicloader", "high", "myapp", "device driver", "host", "worm", "delphi", "error", "code", "defender", "next", "file score", "cryp", "virus", "checkin tls", "forbidden yara", "msvisualcpp2008", "less ip", "contacted", "scanning host", "trojan", "exploit host", "apple inc", "monitored target", "targeting", "name servers", "servers", "expiration date", "value emails", "name domain", "org apple", "infinite loop", "city cupertino", "country us", "tulach" ], "references": [ "com.iobit.MacBooster-3", "IDS Detections: Win32.Floxif.A Checkin TLS Handshake Failure 403 Forbidden", "Yara Detections: Malware_Floxif_mpsvc_dll , stack_string , MS_Visual_Cpp_2008 ,", "Yara Detections: KERNEL32_DLL_xor_exe_key_197 , xor_0xc5_This_program", "Alerts: dead_host network_icmp nolookup_communication persistence_autorun", "Alerts: modifies_proxy_wpad antivm_vmware_in_instruction dumped_buffer", "Alerts: network_cnc_http network_http allocates_rwx antisandbox_sleep creates_exe", "Alerts: injection_process_search antivm_network_adapters privilege_luid_check", "Alerts: checks_debugger has_pdb raises_exception", "IP\u2019s Contacted: 104.200.23.95 174.139.10.194 198.35.26.96", "Domains Contacted: en.wikipedia.org 5isohu.com www.aieov.com", "Monitored targets. Tsara Brashears, UAlberta (disable_duck) seen", "I can\u2019t speak for behavior of targets. Seems unlikely programs were intentionally installed.", "https://otx.alienvault.com/indicator/cve/CVE-2023-22518", "Issue! Team member found CVE-2023-22518 have origins from the State of Colorado", "Issue! Multiple IoC\u2019s missing.", "A user StreamMiningEx copied pulses: octoseek, scoreblue, KAILULA4, callmeDoris , dorkingbeauty1 and more", "I can\u2019t help but notice a trend. IoC\u2019s found by actual targets are removed from pulses. Recent users are listed in place", "Issue! What I am troubled about the s the deletion service that has plagued OTX/ LevelBlue", "Brian Sabey, Tulach, other adversaries working illegally to remove IoC\u2019s", "Disturbed pulses of mercenary attacks S/A NSO Pegasus NOT reported to CISA or Citizens Lab.", "Reporting is an expected protocol. Is this more of a \u2018bounty\u2019 focused, a honeypot?", "Researching using an easy powerful tool like this has led to confrontations.", "I liked the tool. There is something strange happening with the pulses & IoC\u2019s", "I did not clone my pulse to read Bit.io", "I am not cloning pulses belonging to others without crediting. I\u2019m one of a few who credit. This has happened to other team members", "There are serious researchers on here for a short time hoping to resolve serious cyber issues", "I am unable to reach Level Blue regarding issues. Mailer Daemon only", "It\u2019s not just me. I have contacted from very secured emails, networks, devices", "I typically follow targets who have truly dangerous situations who no longer pulse.", "This would be sent in an email but \u2026.", "About pulse, found in peripheral.", "When your pulse says contacted, who is contacted besides OTX?", "An earlier version contacted entities affected or affecting targets." ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Worm:Win32/AutoRun!atmn", "display_name": "Worm:Win32/AutoRun!atmn", "target": "/malware/Worm:Win32/AutoRun!atmn" }, { "id": "Virus:Win32/Floxif.H", "display_name": "Virus:Win32/Floxif.H", "target": "/malware/Virus:Win32/Floxif.H" }, { "id": "Exploit:Win32/CVE-2017-0147", "display_name": "Exploit:Win32/CVE-2017-0147", "target": "/malware/Exploit:Win32/CVE-2017-0147" }, { "id": "Ransom:Win32/CVE-2017-0147", "display_name": "Ransom:Win32/CVE-2017-0147", "target": "/malware/Ransom:Win32/CVE-2017-0147" }, { "id": "CVE-2023-22518", "display_name": "CVE-2023-22518", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 75, "FileHash-MD5": 102, "FileHash-SHA256": 2076, "IPv4": 111, "URL": 2496, "CVE": 2, "domain": 483, "hostname": 938, "email": 4, "SSLCertFingerprint": 2 }, "indicator_count": 6289, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "12 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68abf66e97031d0ff0c04fed", "name": "Packed sentient.industries links to a targets business website", "description": "Very malicious link found in a targets business.\nPacked. Needs to be categorized.\n(FoundryPalantir rich?) Tracking, hacking, and serious espionage.\nAvailable public Information: \nSENTIENT INDUSTRIES\nsentient.industries\nSentient industries provides design and engineering services, from prototyping to small-batch manufacturing, empowering clients to overcome complex challenges. |\nMore about sentient\nMission sentient accelerates mission critical technology for\u2026\nSENTIENT INDUSTRIES\nAccelerating mission-critical tech for disaster response, defense ...\nContact Now\nAustin, tx 78758. United States. EMAIL us. info@sentient \n\nWorse than it looks. Spying on a several threat researchers.", "modified": "2025-09-24T04:04:05.604000", "created": "2025-08-25T05:36:46.327000", "tags": [ "moved", "body", "x cache", "cloudfront x", "cph50 c2", "certificate", "record value", "title", "h1 center", "server", "redacted for", "servers", "name redacted", "for privacy", "name servers", "org data", "privacy city", "privacy country", "ca creation", "passive dns", "urls", "files", "ip address", "asn as57033", "less whois", "registrar", "tucows domains", "key identifier", "data", "v3 serial", "number", "cat ozerossl", "cnzerossl ecc", "domain secure", "site ca", "validity", "subject public", "extraction", "data upload", "extra data", "include review", "find", "failed", "typ no", "ms windows", "intel", "pe32", "united", "search", "as16509", "from win32bios", "show", "high", "medium", "delphi", "copy", "write", "launcher", "next", "present aug", "present jul", "lowfi", "win32", "a div", "div div", "learn xml", "babylon", "win64", "trojan", "colors", "python", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "mitre att", "ck techniques", "et info", "tls handshake", "bad traffic", "failure", "date", "august", "hybrid", "general", "path", "starfield", "click", "strings", "se bethseda", "n bethseda", "n data", "error", "date checked", "url hostname", "server response", "google safe", "results aug", "read c", "tlsv1", "port", "destination", "module load", "execution", "dock", "persistence", "malware", "unknown", "cname", "aaaa", "creation date", "showing", "domain", "dga domains", "palantirfoundry", "foundry", "status", "unknown ns", "g2 tls", "rsa sha256", "italy unknown", "mtb may", "trojandropper", "invalid url", "next associated", "ddos", "body html", "hacktool", "ipv4", "url analysis", "ukraine", "encrypt", "rl add", "http", "hostname", "files domain", "files related", "related tags", "present jun", "entries", "title error", "all ipv4", "reverse dns", "yara detections", "top source", "top destination", "source source", "sha256 add", "pulse pulses", "av detections", "ids detections", "alerts", "analysis date", "address range", "cidr", "network name", "allocation type", "whois server", "entity amazon4", "handle", "canada unknown", "content type", "javascript src", "script script", "x powered", "ipv4 add", "pulse submit", "submit url", "analysis", "url add", "related nids", "files location", "canada flag", "canada hostname", "unknown aaaa", "ascii text", "user agent", "powershell", "agent", "czechia unknown", "domain add", "dynamicloader", "hostname add", "pentagon", "defense" ], "references": [ "sentient.industries affects independent artists. Affects several others.", "Bethseda Map - Yara Detections Delphi , InnoSetupInstaller", "Bethseda Map - High Priority Alerts: ransomware_file_moves ransomware_appends_extensions", "Bethseda Map - High Priority Alerts: dumped_buffer2 antisandbox_mouse_hook", "Bethseda Map - High Priority Alerts: modifies_certificates ransomware_dropped_files", "Bethseda Map - High Priority Alerts: ransomware_mass_file_delete antivm_firmware", "Bethseda Map - High Priority Alerts: antiemu_wine banker_zeus_p2p", "https://download.mobiledit.com/drivers/setup_cdd_apple_1_0_10_0.exe", "https://forensic.manuals.mobiledit.com/MM/how-to-install-correct-apple-drivers", "prod.foundry.tylertechai.com \u2022 qa.foundry.tylertechai.com \u2022 staging.foundry.tylertechai.com \u2022", "talos-staging.palantirfoundry.com \u2022 tylertechai.com \u2022 Palantir Technologies Inc.\u2022 palantirfoundry.com", "Affects : Kailula4 , scnrscnr, SongCulture, Tsara Brashears & associated, ScrnrScrnr , dorkingbeauty", "Interesting widgets: https://myid.canon/prd/1.1.30/canonid-assets/gcid-widget.html", "http://link.monetizer101.com/widget/custom-2.0.2/templates/1", "https://widget-i18n.tiktokv.com.ttdns2.com/ \u2022 https://stella.demand-iq.com/widget", "widget-va.tiktokv.com.ttdns2.com \u2022 http://widget-i18n.tiktokv.com.ttdns2.com/", "http://link.monetizer101.com/widget/custom-2.0.3/js/load.min.js \u2022", "https://link.monetizer101.com/widget/code/595.js \u2022 https://link.monetizer101.com/widget/code/1343.js", "https://link.monetizer101.com/widget/code/1511.js \u2022 https://link.monetizer101.com/widget/code/mirror.js", "https://link.monetizer101.com/widget/code/dailystaruk.js", "https://download.mobiledit.com/drivers/setup_cdd_apple_1_0_10_0.exe", "https://forensic.manuals.mobiledit.com/MM/how-to-install-correct-apple-drivers (ASP.NET)", "Interesting Strings: https://pro-api.coinmarketcap.com/v2/cryptocurrency/quotes/historical", "(Can't access file- Malware infection files)", "Potential reparations: Spyware , Trojan , Pegasus , DNS , Graphite , Paragon , NSO Group , Endgame , Cloudfront", "constellation.pcfrpegaservice.net (Pegasus related? idk)", "On behalf of pcfrpegaservice.net owner Name Servers\tNS-1477.AWSDNS-56.ORG Org\tIdentity Protection Service", "TrojanWin32Scoreem - CodeOverlap [616fc7047d6216f7a604fa90f2f2dd0ad5b12f1153137e43858d3421ba964ea4]", "I have to breakdown this enormous post over time. I\u2019m going to repost a potential hackers similar post", "Remotewd.com devices", "If you find anything interesting please research it." ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "nUFS_inno", "display_name": "nUFS_inno", "target": null }, { "id": "#Lowfi:HSTR:MSIL/Malicious", "display_name": "#Lowfi:HSTR:MSIL/Malicious", "target": null }, { "id": "ALF:JASYP:PUA:Win32/Bibado", "display_name": "ALF:JASYP:PUA:Win32/Bibado", "target": null }, { "id": "Trojan:Win32/Toga", "display_name": "Trojan:Win32/Toga", "target": "/malware/Trojan:Win32/Toga" }, { "id": "Win32:Downloader-GJK\\ [Trj]", "display_name": "Win32:Downloader-GJK\\ [Trj]", "target": null }, { "id": "Win.Downloader.109205-1", "display_name": "Win.Downloader.109205-1", "target": null }, { "id": "Custom Malware", "display_name": "Custom Malware", "target": null }, { "id": "#LowFiEnableDTContinueAfterUnpacking", "display_name": "#LowFiEnableDTContinueAfterUnpacking", "target": null }, { "id": "Win32:Downloader-GJK\\ [Trj]", "display_name": "Win32:Downloader-GJK\\ [Trj]", "target": null }, { "id": "Win.Downloader.109205-1", "display_name": "Win.Downloader.109205-1", "target": null }, { "id": "Win.Trojan.Jorik-149", "display_name": "Win.Trojan.Jorik-149", "target": null }, { "id": "#LowFiDetectsVmWare", "display_name": "#LowFiDetectsVmWare", "target": null }, { "id": "Win.Trojan.Jorik-130", "display_name": "Win.Trojan.Jorik-130", "target": null }, { "id": "Win.Trojan.Fakecodecs-119", "display_name": "Win.Trojan.Fakecodecs-119", "target": null }, { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "Win.Trojan.Bulz-9860169-0", "display_name": "Win.Trojan.Bulz-9860169-0", "target": null }, { "id": "Win.Malware.Midie-6847892-0", "display_name": "Win.Malware.Midie-6847892-0", "target": null }, { "id": "TrojanDropper:Win32/Muldrop.V!MTB", "display_name": "TrojanDropper:Win32/Muldrop.V!MTB", "target": "/malware/TrojanDropper:Win32/Muldrop.V!MTB" }, { "id": "Win.Packed.Razy-9785185-0", "display_name": "Win.Packed.Razy-9785185-0", "target": null }, { "id": "Trojan:Win32/Glupteba.MT!MTB", "display_name": "Trojan:Win32/Glupteba.MT!MTB", "target": "/malware/Trojan:Win32/Glupteba.MT!MTB" }, { "id": "PWS", "display_name": "PWS", "target": null }, { "id": "DDOS:Win32/Stormser.A", "display_name": "DDOS:Win32/Stormser.A", "target": "/malware/DDOS:Win32/Stormser.A" }, { "id": "ALF:HSTR:DotNET", "display_name": "ALF:HSTR:DotNET", "target": null }, { "id": "DotNET", "display_name": "DotNET", "target": null }, { "id": "Script Exploit", "display_name": "Script Exploit", "target": null }, { "id": "HackTool:Win32/AutoKMS", "display_name": "HackTool:Win32/AutoKMS", "target": "/malware/HackTool:Win32/AutoKMS" }, { "id": "Xanfpezes.A", "display_name": "Xanfpezes.A", "target": null }, { "id": "Trojan:Win32/Gandcrab", "display_name": "Trojan:Win32/Gandcrab", "target": "/malware/Trojan:Win32/Gandcrab" }, { "id": "Win.Trojan.Generic-9862772-0", "display_name": "Win.Trojan.Generic-9862772-0", "target": null }, { "id": "Trojan:Win32/Zbot.SIBL!MTB", "display_name": "Trojan:Win32/Zbot.SIBL!MTB", "target": "/malware/Trojan:Win32/Zbot.SIBL!MTB" }, { "id": "Win32/Nemucod", "display_name": "Win32/Nemucod", "target": null }, { "id": "ALF:HeraklezEval:TrojanDownloader:HTML/Adodb!rfn", "display_name": "ALF:HeraklezEval:TrojanDownloader:HTML/Adodb!rfn", "target": null }, { "id": "Trojan:Win32/Blihan.A", "display_name": "Trojan:Win32/Blihan.A", "target": "/malware/Trojan:Win32/Blihan.A" }, { "id": "TrojanDropper:Win32/Muldrop", "display_name": "TrojanDropper:Win32/Muldrop", "target": "/malware/TrojanDropper:Win32/Muldrop" }, { "id": "ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47", "display_name": "ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47", "target": null }, { "id": "Win.Malware.Kolab-9885903-0", "display_name": "Win.Malware.Kolab-9885903-0", "target": null }, { "id": "Win.Malware (30)", "display_name": "Win.Malware (30)", "target": null }, { "id": "Ransom", "display_name": "Ransom", "target": null }, { "id": "#Lowfi:HSTR:MSIL/Malicious.Decryption", "display_name": "#Lowfi:HSTR:MSIL/Malicious.Decryption", "target": null }, { "id": "E5", "display_name": "E5", "target": null }, { "id": "MyDoom", "display_name": "MyDoom", "target": null } ], "attack_ids": [ { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1003.008", "name": "/etc/passwd and /etc/shadow", "display_name": "T1003.008 - /etc/passwd and /etc/shadow" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 40, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 6232, "URL": 24908, "hostname": 7993, "FileHash-SHA256": 11128, "email": 6, "FileHash-MD5": 1054, "FileHash-SHA1": 932, "SSLCertFingerprint": 14, "CIDR": 3, "CVE": 3 }, "indicator_count": 52273, "is_author": false, "is_subscribing": null, "subscriber_count": 146, "modified_text": "208 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "689cc89e77327602780be49e", "name": "Remotewd Devices \u2022 Spectrum / Charter Communications & AT&T", "description": "Remotewd Devices expanded \u2022 Spectrum / Charter Communications & AT&T.\nAdvesarial. Polymorphic.", "modified": "2025-09-12T16:05:33.542000", "created": "2025-08-13T17:17:18.456000", "tags": [ "url https", "domain", "types of", "united kingdom", "sweden", "virgin islands", "china", "germany", "date", "status", "ip address", "search", "domain add", "passive dns", "urls", "files", "error sep", "present jul", "address google", "safe browsing", "united", "unknown ns", "moved", "body", "cloudfront x", "hio52 p1", "certificate", "win32", "trojan", "entries", "next associated", "title error", "ipv4", "host gh", "secure path", "httponly cache", "x github", "request id", "accept", "encrypt", "formbook cnc", "checkin", "a domains", "lowfi", "mtb jun", "github pages", "as11427", "us note", "route", "ptr record", "hostname add", "url analysis", "verdict", "general info", "geo mckinney", "texas", "spectrum", "charter communications", "charter collection", "auth", "files ip", "address", "asn as16509", "record value", "germany unknown", "meta", "gmt cache", "sans400", "condensed300", "feel lost", "h1 div", "server", "gmt connection", "keep alive", "pragma", "ipv4 add", "url add", "http", "related nids", "files location", "flag united", "unknown aaaa", "china unknown", "beijing", "unknown soa", "hostname", "present aug", "name servers", "aaaa", "windows nt", "dynamicloader", "generic http", "exe upload", "inbound", "outbound", "host", "medium", "write", "markus", "malware", "files domain", "files related", "related tags", "none google", "showing", "error", "extraction", "se enter", "sc type", "data upload", "failed", "extr data", "ox sunnort", "include review", "exclude data", "iocs", "pdf report", "pcap", "stix", "openloc", "pul data", "move", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "spawns", "mitre att", "ck techniques", "evasion att", "pattern match", "ascii text", "show technique", "null", "refresh", "span", "august", "hybrid", "general", "local", "path", "click", "strings", "tools", "look", "verify", "restart", "class", "adversaries", "defense evasion", "initial access", "msie", "chrome", "gmt content", "main", "virtool", "idran anv", "exti", "concor referen", "running webserver", "review iocs", "suggested iocs", "show", "http traffic", "intel", "ms windows", "pe32", "high", "write c", "explorer", "unknown", "worm", "next", "comman_and_control", "et", "vtapi", "dos", "persistence", "polymorphic", "virus", "device", "script", "style", "endcolorstr", "regexp", "link", "powershell", "form", "push", "active", "remote_access", "general full", "protocol h2", "security tls", "austin", "asn7018", "attinternet4", "reverse dns", "software", "domains", "hashes", "at&t", "injection", "rwx", "hackers", "attack", "cape", "stealth hidden extension", "antivm generic", "cape detected", "threat stealth", "public folder", "deletes", "files anomalous", "disables system", "restore dead", "mail procmem", "yara suricata", "queries user name" ], "references": [ "Remotewd.com research - Devices under command and control. Malicious / adversarial | 3000 + devices in Pulse", "https://hybrid-analysis.com/sample/713944cb1accb541622bf99d55f34876b5ff13d042c6c203bab89632a15b9248/689c0eca8dd0033cbb064d12", "device-f016b9a7-792b-4b35-a277-04a408ab1703.remotewd.com TWC-11427-TEXAS, US \u2022 Spectrum", "Geo\tMcKinney, Texas, United States (US) \u2014 AS \u2022AS11427 - TWC-11427-TEXAS, US", "Note: An IP might be announced by multiple ASs.Spectrum | Charter Communications", "This is not shown. Route \u2022 184.92.0.0/16 (Route of ASN) PTR", "syn-184-092-221-096.res.spectrum.com(PTR record of primary IP) IPv4\t184.92.221.96", "https://urlscan.io/domain/device-f016b9a7-792b-4b35-a277-04a408ab1703.remotewd.com", "truist.palantirfoundry.com \u2022 nissansandbox.palantirfoundry.com", "device-7de2fab7-44a1-494e-8f36-8d135628c33a.remotewd.com 104.190.139.162 AT&T", "Stealth Hiddenreg Cape Detected Threat Stealth Timeout Accesses Public Folder Deletes", "Executed Files Anomalous Deletefile Dropper Disables System Restore Dead Connect", "Infostealer Cookies Infostealer Mail Procmem Yara Suricata Alert Modify Proxy Powershell", "Ransomware File Modifications Exec Crash", "Location Antisandbox Sleep Antidebug Setunhandledexceptionfilter Packer Unknown Pe Section Name Packer Entropy Network Bind Antivm Network Adapters Http Request Infostealer Browser Recon Fingerprint Antivm Checks Available Memory Antivm Generic Bios Reads Self Polymorphic Enumerates Physical Drives Network Http Network Cnc Http Antivm Bochs Keys", "Request Queries Keyboard Layout Antivm Generic Disk Resumethread", "Remote Process Static Pe Anomaly Https Urls Virus Process Creation Suspicious", "Contains Pe Overlay Queries Locale Api Language Check Registry" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Trojan:Win32/Vflooder", "display_name": "Trojan:Win32/Vflooder", "target": "/malware/Trojan:Win32/Vflooder" }, { "id": "Worm:Win32/Lightmoon.H", "display_name": "Worm:Win32/Lightmoon.H", "target": "/malware/Worm:Win32/Lightmoon.H" }, { "id": "VirTool:Win32/Obfuscator.JM", "display_name": "VirTool:Win32/Obfuscator.JM", "target": "/malware/VirTool:Win32/Obfuscator.JM" }, { "id": "Win.Trojan.Cycbot-1584", "display_name": "Win.Trojan.Cycbot-1584", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" } ], "industries": [ "Telecommunications", "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 51, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6171, "domain": 1823, "hostname": 3155, "email": 8, "FileHash-SHA256": 950, "FileHash-MD5": 345, "FileHash-SHA1": 317, "CVE": 1, "CIDR": 1, "SSLCertFingerprint": 1 }, "indicator_count": 12772, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "220 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "689030129ed94e6805755c52", "name": "iimcb.e-kei.pl iimcb.gov.pl ip4 94.152.54.231 (94.152.0.0/16) ???", "description": "https://www.virustotal.com/gui/domain/iimcb.e-kei.pl/details\nhttps://www.virustotal.com/gui/domain/iimcb.gov.pl/details\nhttps://www.virustotal.com/gui/ip-address/94.152.54.231/details", "modified": "2025-09-03T03:00:19.806000", "created": "2025-08-04T03:59:14.325000", "tags": [], "references": [ "iimcb.e-kei.pl", "iimcb.e.gov.pl", "iimcb.gov.pl" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 249, "FileHash-MD5": 2, "FileHash-SHA1": 26, "FileHash-SHA256": 49, "hostname": 961, "URL": 2001, "CVE": 1 }, "indicator_count": 3289, "is_author": false, "is_subscribing": null, "subscriber_count": 123, "modified_text": "229 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "iimcb.e.gov.pl", "It\u2019s not just me. I have contacted from very secured emails, networks, devices", "sentient.industries affects independent artists. Affects several others.", "https://forensic.manuals.mobiledit.com/MM/how-to-install-correct-apple-drivers", "Monitored targets. Tsara Brashears, UAlberta (disable_duck) seen", "https://hybrid-analysis.com/sample/713944cb1accb541622bf99d55f34876b5ff13d042c6c203bab89632a15b9248/689c0eca8dd0033cbb064d12", "When your pulse says contacted, who is contacted besides OTX?", "I can\u2019t speak for behavior of targets. Seems unlikely programs were intentionally installed.", "Potential reparations: Spyware , Trojan , Pegasus , DNS , Graphite , Paragon , NSO Group , Endgame , Cloudfront", "Issue! Multiple IoC\u2019s missing.", "Brian Sabey, Tulach, other adversaries working illegally to remove IoC\u2019s", "If you find anything interesting please research it.", "https://otx.alienvault.com/indicator/cve/CVE-2023-22518", "Alerts: network_cnc_http network_http allocates_rwx antisandbox_sleep creates_exe", "Alerts: injection_process_search antivm_network_adapters privilege_luid_check", "syn-184-092-221-096.res.spectrum.com(PTR record of primary IP) IPv4\t184.92.221.96", "Bethseda Map - High Priority Alerts: ransomware_mass_file_delete antivm_firmware", "talos-staging.palantirfoundry.com \u2022 tylertechai.com \u2022 Palantir Technologies Inc.\u2022 palantirfoundry.com", "device-f016b9a7-792b-4b35-a277-04a408ab1703.remotewd.com TWC-11427-TEXAS, US \u2022 Spectrum", "Bethseda Map - High Priority Alerts: antiemu_wine banker_zeus_p2p", "Interesting widgets: https://myid.canon/prd/1.1.30/canonid-assets/gcid-widget.html", "I liked the tool. There is something strange happening with the pulses & IoC\u2019s", "https://urlscan.io/domain/device-f016b9a7-792b-4b35-a277-04a408ab1703.remotewd.com", "Researching using an easy powerful tool like this has led to confrontations.", "com.iobit.MacBooster-3", "https://link.monetizer101.com/widget/code/dailystaruk.js", "Bethseda Map - High Priority Alerts: dumped_buffer2 antisandbox_mouse_hook", "Issue! What I am troubled about the s the deletion service that has plagued OTX/ LevelBlue", "I did not clone my pulse to read Bit.io", "Domains Contacted: en.wikipedia.org 5isohu.com www.aieov.com", "This is not shown. Route \u2022 184.92.0.0/16 (Route of ASN) PTR", "I am unable to reach Level Blue regarding issues. Mailer Daemon only", "Remotewd.com research - Devices under command and control. Malicious / adversarial | 3000 + devices in Pulse", "Bethseda Map - High Priority Alerts: modifies_certificates ransomware_dropped_files", "Infostealer Cookies Infostealer Mail Procmem Yara Suricata Alert Modify Proxy Powershell", "constellation.pcfrpegaservice.net (Pegasus related? idk)", "Location Antisandbox Sleep Antidebug Setunhandledexceptionfilter Packer Unknown Pe Section Name Packer Entropy Network Bind Antivm Network Adapters Http Request Infostealer Browser Recon Fingerprint Antivm Checks Available Memory Antivm Generic Bios Reads Self Polymorphic Enumerates Physical Drives Network Http Network Cnc Http Antivm Bochs Keys", "https://forensic.manuals.mobiledit.com/MM/how-to-install-correct-apple-drivers (ASP.NET)", "Alerts: dead_host network_icmp nolookup_communication persistence_autorun", "Alerts: checks_debugger has_pdb raises_exception", "IP\u2019s Contacted: 104.200.23.95 174.139.10.194 198.35.26.96", "http://link.monetizer101.com/widget/custom-2.0.3/js/load.min.js \u2022", "Bethseda Map - High Priority Alerts: ransomware_file_moves ransomware_appends_extensions", "https://download.mobiledit.com/drivers/setup_cdd_apple_1_0_10_0.exe", "(Can't access file- Malware infection files)", "There are serious researchers on here for a short time hoping to resolve serious cyber issues", "https://widget-i18n.tiktokv.com.ttdns2.com/ \u2022 https://stella.demand-iq.com/widget", "Alerts: modifies_proxy_wpad antivm_vmware_in_instruction dumped_buffer", "Remotewd.com devices", "On behalf of pcfrpegaservice.net owner Name Servers\tNS-1477.AWSDNS-56.ORG Org\tIdentity Protection Service", "I can\u2019t help but notice a trend. IoC\u2019s found by actual targets are removed from pulses. Recent users are listed in place", "Reporting is an expected protocol. Is this more of a \u2018bounty\u2019 focused, a honeypot?", "I have to breakdown this enormous post over time. I\u2019m going to repost a potential hackers similar post", "Remote Process Static Pe Anomaly Https Urls Virus Process Creation Suspicious", "prod.foundry.tylertechai.com \u2022 qa.foundry.tylertechai.com \u2022 staging.foundry.tylertechai.com \u2022", "Yara Detections: KERNEL32_DLL_xor_exe_key_197 , xor_0xc5_This_program", "iimcb.gov.pl", "A user StreamMiningEx copied pulses: octoseek, scoreblue, KAILULA4, callmeDoris , dorkingbeauty1 and more", "Affects : Kailula4 , scnrscnr, SongCulture, Tsara Brashears & associated, ScrnrScrnr , dorkingbeauty", "Issue! Team member found CVE-2023-22518 have origins from the State of Colorado", "Bethseda Map - Yara Detections Delphi , InnoSetupInstaller", "widget-va.tiktokv.com.ttdns2.com \u2022 http://widget-i18n.tiktokv.com.ttdns2.com/", "Stealth Hiddenreg Cape Detected Threat Stealth Timeout Accesses Public Folder Deletes", "https://link.monetizer101.com/widget/code/595.js \u2022 https://link.monetizer101.com/widget/code/1343.js", "https://link.monetizer101.com/widget/code/1511.js \u2022 https://link.monetizer101.com/widget/code/mirror.js", "I am not cloning pulses belonging to others without crediting. I\u2019m one of a few who credit. This has happened to other team members", "truist.palantirfoundry.com \u2022 nissansandbox.palantirfoundry.com", "About pulse, found in peripheral.", "Ransomware File Modifications Exec Crash", "I typically follow targets who have truly dangerous situations who no longer pulse.", "Executed Files Anomalous Deletefile Dropper Disables System Restore Dead Connect", "Interesting Strings: https://pro-api.coinmarketcap.com/v2/cryptocurrency/quotes/historical", "IDS Detections: Win32.Floxif.A Checkin TLS Handshake Failure 403 Forbidden", "Note: An IP might be announced by multiple ASs.Spectrum | Charter Communications", "Disturbed pulses of mercenary attacks S/A NSO Pegasus NOT reported to CISA or Citizens Lab.", "This would be sent in an email but \u2026.", "Geo\tMcKinney, Texas, United States (US) \u2014 AS \u2022AS11427 - TWC-11427-TEXAS, US", "device-7de2fab7-44a1-494e-8f36-8d135628c33a.remotewd.com 104.190.139.162 AT&T", "iimcb.e-kei.pl", "TrojanWin32Scoreem - CodeOverlap [616fc7047d6216f7a604fa90f2f2dd0ad5b12f1153137e43858d3421ba964ea4]", "An earlier version contacted entities affected or affecting targets.", "http://link.monetizer101.com/widget/custom-2.0.2/templates/1", "Contains Pe Overlay Queries Locale Api Language Check Registry", "Request Queries Keyboard Layout Antivm Generic Disk Resumethread", "Yara Detections: Malware_Floxif_mpsvc_dll , stack_string , MS_Visual_Cpp_2008 ," ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Alf:hstr:dotnet", "Pws", "Worm:win32/autorun!atmn", "Alf:heraklezeval:trojan:win32/ymacco.aa47", "Trojan:win32/gandcrab", "Worm:win32/lightmoon.h", "Trojan:win32/toga", "#lowfienabledtcontinueafterunpacking", "Ddos:win32/stormser.a", "Win.malware.kolab-9885903-0", "#lowfi:hstr:msil/malicious.decryption", "Win.trojan.fakecodecs-119", "Nufs_inno", "Win.malware (30)", "Win32/nemucod", "Win32:downloader-gjk\\ [trj]", "Win.malware.midie-6847892-0", "Trojan:win32/vflooder", "Ransom", "Trojandropper:win32/muldrop.v!mtb", "Trojan:win32/zombie.a", "Cve-2023-22518", "Trojan:win32/zbot.sibl!mtb", "Exploit:win32/cve-2017-0147", "Custom malware", "Script exploit", "Virtool:win32/obfuscator.jm", "Virus:win32/floxif.h", "Win.trojan.bulz-9860169-0", "Dotnet", "Alf:jasyp:pua:win32/bibado", "Ransom:win32/cve-2017-0147", "Win.trojan.jorik-130", "Win.trojan.jorik-149", "Trojandropper:win32/muldrop", "Trojan:win32/glupteba.mt!mtb", "Win.trojan.cycbot-1584", "#lowfi:hstr:msil/malicious", "E5", "Xanfpezes.a", "#lowfidetectsvmware", "Alf:heraklezeval:trojandownloader:html/adodb!rfn", "Hacktool:win32/autokms", "Trojan:win32/blihan.a", "Win.trojan.generic-9862772-0", "Mydoom", "Win.downloader.109205-1", "Win.packed.razy-9785185-0" ], "industries": [ "Technology", "Telecommunications" ], "unique_indicators": 74583 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/frankspeech.com", "whois": "http://whois.domaintools.com/frankspeech.com", "domain": "frankspeech.com", "hostname": "cdn.frankspeech.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 4, "pulses": [ { "id": "69d6619d62ea0c3bbf0ebf75", "name": "Mac OS Unwanted Programs | Mac Booster application potentially installed in background without target\u2019s knowledge", "description": "Not installed by users I\u2019m researching for. Downloaded as an unwanted program Overview of com.iobit.MacBooster-3\ncom.iobit.MacBooster-3 is the package identifier for MacBooster 3, a software application developed by IObit. This application is specifically designed for optimizing and maintaining Mac computers.\nKey Features\nMacBooster 3 includes several essential features aimed at enhancing the performance and security of Mac systems:\nSystem Cleanup: .\nPerformance Boosting: \nMalware Protection: .\nCompatibility\nMacBooster 3 is compatible with macOS versions starting from OS X 10.9. False - \nWhat are the potential risks of using MacBooster 3 on a Mac computer?\nUsing MacBooster 3 on a Mac computer can lead to potentially unwanted program (PUP) behavior, including browser interference, frequent pop-ups, and the installation of unnecessary software.", "modified": "2026-04-08T14:09:33.432000", "created": "2026-04-08T14:09:33.432000", "tags": [ "issuer apple", "valid from", "valid", "serial number", "macho", "macho 64bit", "mac os", "x macho", "intel", "file version", "team identifier", "apple root", "ca feb", "am ma9eduzpcw", "signers", "issuer valid", "from valid", "status issuer", "apple inc", "valid apple", "a9 a8", "process32nextw", "regsetvalueexa", "read c", "regdword", "tls handshake", "failure", "msie", "malware", "write", "win32", "unknown", "dynamicloader", "high", "myapp", "device driver", "host", "worm", "delphi", "error", "code", "defender", "next", "file score", "cryp", "virus", "checkin tls", "forbidden yara", "msvisualcpp2008", "less ip", "contacted", "scanning host", "trojan", "exploit host", "apple inc", "monitored target", "targeting", "name servers", "servers", "expiration date", "value emails", "name domain", "org apple", "infinite loop", "city cupertino", "country us", "tulach" ], "references": [ "com.iobit.MacBooster-3", "IDS Detections: Win32.Floxif.A Checkin TLS Handshake Failure 403 Forbidden", "Yara Detections: Malware_Floxif_mpsvc_dll , stack_string , MS_Visual_Cpp_2008 ,", "Yara Detections: KERNEL32_DLL_xor_exe_key_197 , xor_0xc5_This_program", "Alerts: dead_host network_icmp nolookup_communication persistence_autorun", "Alerts: modifies_proxy_wpad antivm_vmware_in_instruction dumped_buffer", "Alerts: network_cnc_http network_http allocates_rwx antisandbox_sleep creates_exe", "Alerts: injection_process_search antivm_network_adapters privilege_luid_check", "Alerts: checks_debugger has_pdb raises_exception", "IP\u2019s Contacted: 104.200.23.95 174.139.10.194 198.35.26.96", "Domains Contacted: en.wikipedia.org 5isohu.com www.aieov.com", "Monitored targets. Tsara Brashears, UAlberta (disable_duck) seen", "I can\u2019t speak for behavior of targets. Seems unlikely programs were intentionally installed.", "https://otx.alienvault.com/indicator/cve/CVE-2023-22518", "Issue! Team member found CVE-2023-22518 have origins from the State of Colorado", "Issue! Multiple IoC\u2019s missing.", "A user StreamMiningEx copied pulses: octoseek, scoreblue, KAILULA4, callmeDoris , dorkingbeauty1 and more", "I can\u2019t help but notice a trend. IoC\u2019s found by actual targets are removed from pulses. Recent users are listed in place", "Issue! What I am troubled about the s the deletion service that has plagued OTX/ LevelBlue", "Brian Sabey, Tulach, other adversaries working illegally to remove IoC\u2019s", "Disturbed pulses of mercenary attacks S/A NSO Pegasus NOT reported to CISA or Citizens Lab.", "Reporting is an expected protocol. Is this more of a \u2018bounty\u2019 focused, a honeypot?", "Researching using an easy powerful tool like this has led to confrontations.", "I liked the tool. There is something strange happening with the pulses & IoC\u2019s", "I did not clone my pulse to read Bit.io", "I am not cloning pulses belonging to others without crediting. I\u2019m one of a few who credit. This has happened to other team members", "There are serious researchers on here for a short time hoping to resolve serious cyber issues", "I am unable to reach Level Blue regarding issues. Mailer Daemon only", "It\u2019s not just me. I have contacted from very secured emails, networks, devices", "I typically follow targets who have truly dangerous situations who no longer pulse.", "This would be sent in an email but \u2026.", "About pulse, found in peripheral.", "When your pulse says contacted, who is contacted besides OTX?", "An earlier version contacted entities affected or affecting targets." ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Worm:Win32/AutoRun!atmn", "display_name": "Worm:Win32/AutoRun!atmn", "target": "/malware/Worm:Win32/AutoRun!atmn" }, { "id": "Virus:Win32/Floxif.H", "display_name": "Virus:Win32/Floxif.H", "target": "/malware/Virus:Win32/Floxif.H" }, { "id": "Exploit:Win32/CVE-2017-0147", "display_name": "Exploit:Win32/CVE-2017-0147", "target": "/malware/Exploit:Win32/CVE-2017-0147" }, { "id": "Ransom:Win32/CVE-2017-0147", "display_name": "Ransom:Win32/CVE-2017-0147", "target": "/malware/Ransom:Win32/CVE-2017-0147" }, { "id": "CVE-2023-22518", "display_name": "CVE-2023-22518", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1562.001", "name": "Disable or Modify Tools", "display_name": "T1562.001 - Disable or Modify Tools" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 75, "FileHash-MD5": 102, "FileHash-SHA256": 2076, "IPv4": 111, "URL": 2496, "CVE": 2, "domain": 483, "hostname": 938, "email": 4, "SSLCertFingerprint": 2 }, "indicator_count": 6289, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "12 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68abf66e97031d0ff0c04fed", "name": "Packed sentient.industries links to a targets business website", "description": "Very malicious link found in a targets business.\nPacked. Needs to be categorized.\n(FoundryPalantir rich?) Tracking, hacking, and serious espionage.\nAvailable public Information: \nSENTIENT INDUSTRIES\nsentient.industries\nSentient industries provides design and engineering services, from prototyping to small-batch manufacturing, empowering clients to overcome complex challenges. |\nMore about sentient\nMission sentient accelerates mission critical technology for\u2026\nSENTIENT INDUSTRIES\nAccelerating mission-critical tech for disaster response, defense ...\nContact Now\nAustin, tx 78758. United States. EMAIL us. info@sentient \n\nWorse than it looks. Spying on a several threat researchers.", "modified": "2025-09-24T04:04:05.604000", "created": "2025-08-25T05:36:46.327000", "tags": [ "moved", "body", "x cache", "cloudfront x", "cph50 c2", "certificate", "record value", "title", "h1 center", "server", "redacted for", "servers", "name redacted", "for privacy", "name servers", "org data", "privacy city", "privacy country", "ca creation", "passive dns", "urls", "files", "ip address", "asn as57033", "less whois", "registrar", "tucows domains", "key identifier", "data", "v3 serial", "number", "cat ozerossl", "cnzerossl ecc", "domain secure", "site ca", "validity", "subject public", "extraction", "data upload", "extra data", "include review", "find", "failed", "typ no", "ms windows", "intel", "pe32", "united", "search", "as16509", "from win32bios", "show", "high", "medium", "delphi", "copy", "write", "launcher", "next", "present aug", "present jul", "lowfi", "win32", "a div", "div div", "learn xml", "babylon", "win64", "trojan", "colors", "python", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "mitre att", "ck techniques", "et info", "tls handshake", "bad traffic", "failure", "date", "august", "hybrid", "general", "path", "starfield", "click", "strings", "se bethseda", "n bethseda", "n data", "error", "date checked", "url hostname", "server response", "google safe", "results aug", "read c", "tlsv1", "port", "destination", "module load", "execution", "dock", "persistence", "malware", "unknown", "cname", "aaaa", "creation date", "showing", "domain", "dga domains", "palantirfoundry", "foundry", "status", "unknown ns", "g2 tls", "rsa sha256", "italy unknown", "mtb may", "trojandropper", "invalid url", "next associated", "ddos", "body html", "hacktool", "ipv4", "url analysis", "ukraine", "encrypt", "rl add", "http", "hostname", "files domain", "files related", "related tags", "present jun", "entries", "title error", "all ipv4", "reverse dns", "yara detections", "top source", "top destination", "source source", "sha256 add", "pulse pulses", "av detections", "ids detections", "alerts", "analysis date", "address range", "cidr", "network name", "allocation type", "whois server", "entity amazon4", "handle", "canada unknown", "content type", "javascript src", "script script", "x powered", "ipv4 add", "pulse submit", "submit url", "analysis", "url add", "related nids", "files location", "canada flag", "canada hostname", "unknown aaaa", "ascii text", "user agent", "powershell", "agent", "czechia unknown", "domain add", "dynamicloader", "hostname add", "pentagon", "defense" ], "references": [ "sentient.industries affects independent artists. Affects several others.", "Bethseda Map - Yara Detections Delphi , InnoSetupInstaller", "Bethseda Map - High Priority Alerts: ransomware_file_moves ransomware_appends_extensions", "Bethseda Map - High Priority Alerts: dumped_buffer2 antisandbox_mouse_hook", "Bethseda Map - High Priority Alerts: modifies_certificates ransomware_dropped_files", "Bethseda Map - High Priority Alerts: ransomware_mass_file_delete antivm_firmware", "Bethseda Map - High Priority Alerts: antiemu_wine banker_zeus_p2p", "https://download.mobiledit.com/drivers/setup_cdd_apple_1_0_10_0.exe", "https://forensic.manuals.mobiledit.com/MM/how-to-install-correct-apple-drivers", "prod.foundry.tylertechai.com \u2022 qa.foundry.tylertechai.com \u2022 staging.foundry.tylertechai.com \u2022", "talos-staging.palantirfoundry.com \u2022 tylertechai.com \u2022 Palantir Technologies Inc.\u2022 palantirfoundry.com", "Affects : Kailula4 , scnrscnr, SongCulture, Tsara Brashears & associated, ScrnrScrnr , dorkingbeauty", "Interesting widgets: https://myid.canon/prd/1.1.30/canonid-assets/gcid-widget.html", "http://link.monetizer101.com/widget/custom-2.0.2/templates/1", "https://widget-i18n.tiktokv.com.ttdns2.com/ \u2022 https://stella.demand-iq.com/widget", "widget-va.tiktokv.com.ttdns2.com \u2022 http://widget-i18n.tiktokv.com.ttdns2.com/", "http://link.monetizer101.com/widget/custom-2.0.3/js/load.min.js \u2022", "https://link.monetizer101.com/widget/code/595.js \u2022 https://link.monetizer101.com/widget/code/1343.js", "https://link.monetizer101.com/widget/code/1511.js \u2022 https://link.monetizer101.com/widget/code/mirror.js", "https://link.monetizer101.com/widget/code/dailystaruk.js", "https://download.mobiledit.com/drivers/setup_cdd_apple_1_0_10_0.exe", "https://forensic.manuals.mobiledit.com/MM/how-to-install-correct-apple-drivers (ASP.NET)", "Interesting Strings: https://pro-api.coinmarketcap.com/v2/cryptocurrency/quotes/historical", "(Can't access file- Malware infection files)", "Potential reparations: Spyware , Trojan , Pegasus , DNS , Graphite , Paragon , NSO Group , Endgame , Cloudfront", "constellation.pcfrpegaservice.net (Pegasus related? idk)", "On behalf of pcfrpegaservice.net owner Name Servers\tNS-1477.AWSDNS-56.ORG Org\tIdentity Protection Service", "TrojanWin32Scoreem - CodeOverlap [616fc7047d6216f7a604fa90f2f2dd0ad5b12f1153137e43858d3421ba964ea4]", "I have to breakdown this enormous post over time. I\u2019m going to repost a potential hackers similar post", "Remotewd.com devices", "If you find anything interesting please research it." ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "nUFS_inno", "display_name": "nUFS_inno", "target": null }, { "id": "#Lowfi:HSTR:MSIL/Malicious", "display_name": "#Lowfi:HSTR:MSIL/Malicious", "target": null }, { "id": "ALF:JASYP:PUA:Win32/Bibado", "display_name": "ALF:JASYP:PUA:Win32/Bibado", "target": null }, { "id": "Trojan:Win32/Toga", "display_name": "Trojan:Win32/Toga", "target": "/malware/Trojan:Win32/Toga" }, { "id": "Win32:Downloader-GJK\\ [Trj]", "display_name": "Win32:Downloader-GJK\\ [Trj]", "target": null }, { "id": "Win.Downloader.109205-1", "display_name": "Win.Downloader.109205-1", "target": null }, { "id": "Custom Malware", "display_name": "Custom Malware", "target": null }, { "id": "#LowFiEnableDTContinueAfterUnpacking", "display_name": "#LowFiEnableDTContinueAfterUnpacking", "target": null }, { "id": "Win32:Downloader-GJK\\ [Trj]", "display_name": "Win32:Downloader-GJK\\ [Trj]", "target": null }, { "id": "Win.Downloader.109205-1", "display_name": "Win.Downloader.109205-1", "target": null }, { "id": "Win.Trojan.Jorik-149", "display_name": "Win.Trojan.Jorik-149", "target": null }, { "id": "#LowFiDetectsVmWare", "display_name": "#LowFiDetectsVmWare", "target": null }, { "id": "Win.Trojan.Jorik-130", "display_name": "Win.Trojan.Jorik-130", "target": null }, { "id": "Win.Trojan.Fakecodecs-119", "display_name": "Win.Trojan.Fakecodecs-119", "target": null }, { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "Win.Trojan.Bulz-9860169-0", "display_name": "Win.Trojan.Bulz-9860169-0", "target": null }, { "id": "Win.Malware.Midie-6847892-0", "display_name": "Win.Malware.Midie-6847892-0", "target": null }, { "id": "TrojanDropper:Win32/Muldrop.V!MTB", "display_name": "TrojanDropper:Win32/Muldrop.V!MTB", "target": "/malware/TrojanDropper:Win32/Muldrop.V!MTB" }, { "id": "Win.Packed.Razy-9785185-0", "display_name": "Win.Packed.Razy-9785185-0", "target": null }, { "id": "Trojan:Win32/Glupteba.MT!MTB", "display_name": "Trojan:Win32/Glupteba.MT!MTB", "target": "/malware/Trojan:Win32/Glupteba.MT!MTB" }, { "id": "PWS", "display_name": "PWS", "target": null }, { "id": "DDOS:Win32/Stormser.A", "display_name": "DDOS:Win32/Stormser.A", "target": "/malware/DDOS:Win32/Stormser.A" }, { "id": "ALF:HSTR:DotNET", "display_name": "ALF:HSTR:DotNET", "target": null }, { "id": "DotNET", "display_name": "DotNET", "target": null }, { "id": "Script Exploit", "display_name": "Script Exploit", "target": null }, { "id": "HackTool:Win32/AutoKMS", "display_name": "HackTool:Win32/AutoKMS", "target": "/malware/HackTool:Win32/AutoKMS" }, { "id": "Xanfpezes.A", "display_name": "Xanfpezes.A", "target": null }, { "id": "Trojan:Win32/Gandcrab", "display_name": "Trojan:Win32/Gandcrab", "target": "/malware/Trojan:Win32/Gandcrab" }, { "id": "Win.Trojan.Generic-9862772-0", "display_name": "Win.Trojan.Generic-9862772-0", "target": null }, { "id": "Trojan:Win32/Zbot.SIBL!MTB", "display_name": "Trojan:Win32/Zbot.SIBL!MTB", "target": "/malware/Trojan:Win32/Zbot.SIBL!MTB" }, { "id": "Win32/Nemucod", "display_name": "Win32/Nemucod", "target": null }, { "id": "ALF:HeraklezEval:TrojanDownloader:HTML/Adodb!rfn", "display_name": "ALF:HeraklezEval:TrojanDownloader:HTML/Adodb!rfn", "target": null }, { "id": "Trojan:Win32/Blihan.A", "display_name": "Trojan:Win32/Blihan.A", "target": "/malware/Trojan:Win32/Blihan.A" }, { "id": "TrojanDropper:Win32/Muldrop", "display_name": "TrojanDropper:Win32/Muldrop", "target": "/malware/TrojanDropper:Win32/Muldrop" }, { "id": "ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47", "display_name": "ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47", "target": null }, { "id": "Win.Malware.Kolab-9885903-0", "display_name": "Win.Malware.Kolab-9885903-0", "target": null }, { "id": "Win.Malware (30)", "display_name": "Win.Malware (30)", "target": null }, { "id": "Ransom", "display_name": "Ransom", "target": null }, { "id": "#Lowfi:HSTR:MSIL/Malicious.Decryption", "display_name": "#Lowfi:HSTR:MSIL/Malicious.Decryption", "target": null }, { "id": "E5", "display_name": "E5", "target": null }, { "id": "MyDoom", "display_name": "MyDoom", "target": null } ], "attack_ids": [ { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1003.008", "name": "/etc/passwd and /etc/shadow", "display_name": "T1003.008 - /etc/passwd and /etc/shadow" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 40, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 6232, "URL": 24908, "hostname": 7993, "FileHash-SHA256": 11128, "email": 6, "FileHash-MD5": 1054, "FileHash-SHA1": 932, "SSLCertFingerprint": 14, "CIDR": 3, "CVE": 3 }, "indicator_count": 52273, "is_author": false, "is_subscribing": null, "subscriber_count": 146, "modified_text": "208 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "689cc89e77327602780be49e", "name": "Remotewd Devices \u2022 Spectrum / Charter Communications & AT&T", "description": "Remotewd Devices expanded \u2022 Spectrum / Charter Communications & AT&T.\nAdvesarial. Polymorphic.", "modified": "2025-09-12T16:05:33.542000", "created": "2025-08-13T17:17:18.456000", "tags": [ "url https", "domain", "types of", "united kingdom", "sweden", "virgin islands", "china", "germany", "date", "status", "ip address", "search", "domain add", "passive dns", "urls", "files", "error sep", "present jul", "address google", "safe browsing", "united", "unknown ns", "moved", "body", "cloudfront x", "hio52 p1", "certificate", "win32", "trojan", "entries", "next associated", "title error", "ipv4", "host gh", "secure path", "httponly cache", "x github", "request id", "accept", "encrypt", "formbook cnc", "checkin", "a domains", "lowfi", "mtb jun", "github pages", "as11427", "us note", "route", "ptr record", "hostname add", "url analysis", "verdict", "general info", "geo mckinney", "texas", "spectrum", "charter communications", "charter collection", "auth", "files ip", "address", "asn as16509", "record value", "germany unknown", "meta", "gmt cache", "sans400", "condensed300", "feel lost", "h1 div", "server", "gmt connection", "keep alive", "pragma", "ipv4 add", "url add", "http", "related nids", "files location", "flag united", "unknown aaaa", "china unknown", "beijing", "unknown soa", "hostname", "present aug", "name servers", "aaaa", "windows nt", "dynamicloader", "generic http", "exe upload", "inbound", "outbound", "host", "medium", "write", "markus", "malware", "files domain", "files related", "related tags", "none google", "showing", "error", "extraction", "se enter", "sc type", "data upload", "failed", "extr data", "ox sunnort", "include review", "exclude data", "iocs", "pdf report", "pcap", "stix", "openloc", "pul data", "move", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "spawns", "mitre att", "ck techniques", "evasion att", "pattern match", "ascii text", "show technique", "null", "refresh", "span", "august", "hybrid", "general", "local", "path", "click", "strings", "tools", "look", "verify", "restart", "class", "adversaries", "defense evasion", "initial access", "msie", "chrome", "gmt content", "main", "virtool", "idran anv", "exti", "concor referen", "running webserver", "review iocs", "suggested iocs", "show", "http traffic", "intel", "ms windows", "pe32", "high", "write c", "explorer", "unknown", "worm", "next", "comman_and_control", "et", "vtapi", "dos", "persistence", "polymorphic", "virus", "device", "script", "style", "endcolorstr", "regexp", "link", "powershell", "form", "push", "active", "remote_access", "general full", "protocol h2", "security tls", "austin", "asn7018", "attinternet4", "reverse dns", "software", "domains", "hashes", "at&t", "injection", "rwx", "hackers", "attack", "cape", "stealth hidden extension", "antivm generic", "cape detected", "threat stealth", "public folder", "deletes", "files anomalous", "disables system", "restore dead", "mail procmem", "yara suricata", "queries user name" ], "references": [ "Remotewd.com research - Devices under command and control. Malicious / adversarial | 3000 + devices in Pulse", "https://hybrid-analysis.com/sample/713944cb1accb541622bf99d55f34876b5ff13d042c6c203bab89632a15b9248/689c0eca8dd0033cbb064d12", "device-f016b9a7-792b-4b35-a277-04a408ab1703.remotewd.com TWC-11427-TEXAS, US \u2022 Spectrum", "Geo\tMcKinney, Texas, United States (US) \u2014 AS \u2022AS11427 - TWC-11427-TEXAS, US", "Note: An IP might be announced by multiple ASs.Spectrum | Charter Communications", "This is not shown. Route \u2022 184.92.0.0/16 (Route of ASN) PTR", "syn-184-092-221-096.res.spectrum.com(PTR record of primary IP) IPv4\t184.92.221.96", "https://urlscan.io/domain/device-f016b9a7-792b-4b35-a277-04a408ab1703.remotewd.com", "truist.palantirfoundry.com \u2022 nissansandbox.palantirfoundry.com", "device-7de2fab7-44a1-494e-8f36-8d135628c33a.remotewd.com 104.190.139.162 AT&T", "Stealth Hiddenreg Cape Detected Threat Stealth Timeout Accesses Public Folder Deletes", "Executed Files Anomalous Deletefile Dropper Disables System Restore Dead Connect", "Infostealer Cookies Infostealer Mail Procmem Yara Suricata Alert Modify Proxy Powershell", "Ransomware File Modifications Exec Crash", "Location Antisandbox Sleep Antidebug Setunhandledexceptionfilter Packer Unknown Pe Section Name Packer Entropy Network Bind Antivm Network Adapters Http Request Infostealer Browser Recon Fingerprint Antivm Checks Available Memory Antivm Generic Bios Reads Self Polymorphic Enumerates Physical Drives Network Http Network Cnc Http Antivm Bochs Keys", "Request Queries Keyboard Layout Antivm Generic Disk Resumethread", "Remote Process Static Pe Anomaly Https Urls Virus Process Creation Suspicious", "Contains Pe Overlay Queries Locale Api Language Check Registry" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Trojan:Win32/Vflooder", "display_name": "Trojan:Win32/Vflooder", "target": "/malware/Trojan:Win32/Vflooder" }, { "id": "Worm:Win32/Lightmoon.H", "display_name": "Worm:Win32/Lightmoon.H", "target": "/malware/Worm:Win32/Lightmoon.H" }, { "id": "VirTool:Win32/Obfuscator.JM", "display_name": "VirTool:Win32/Obfuscator.JM", "target": "/malware/VirTool:Win32/Obfuscator.JM" }, { "id": "Win.Trojan.Cycbot-1584", "display_name": "Win.Trojan.Cycbot-1584", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" } ], "industries": [ "Telecommunications", "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 51, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6171, "domain": 1823, "hostname": 3155, "email": 8, "FileHash-SHA256": 950, "FileHash-MD5": 345, "FileHash-SHA1": 317, "CVE": 1, "CIDR": 1, "SSLCertFingerprint": 1 }, "indicator_count": 12772, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "220 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "689030129ed94e6805755c52", "name": "iimcb.e-kei.pl iimcb.gov.pl ip4 94.152.54.231 (94.152.0.0/16) ???", "description": "https://www.virustotal.com/gui/domain/iimcb.e-kei.pl/details\nhttps://www.virustotal.com/gui/domain/iimcb.gov.pl/details\nhttps://www.virustotal.com/gui/ip-address/94.152.54.231/details", "modified": "2025-09-03T03:00:19.806000", "created": "2025-08-04T03:59:14.325000", "tags": [], "references": [ "iimcb.e-kei.pl", "iimcb.e.gov.pl", "iimcb.gov.pl" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 249, "FileHash-MD5": 2, "FileHash-SHA1": 26, "FileHash-SHA256": 49, "hostname": 961, "URL": 2001, "CVE": 1 }, "indicator_count": 3289, "is_author": false, "is_subscribing": null, "subscriber_count": 123, "modified_text": "229 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://cdn.frankspeech.com/resources/videojs/plugins/", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://cdn.frankspeech.com/resources/videojs/plugins/", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776716927.3118155 }