{
"type": "URL",
"indicator": "https://cdn45.com",
"general": {
"sections": [
"general",
"url_list",
"http_scans",
"screenshot"
],
"indicator": "https://cdn45.com",
"type": "url",
"type_title": "URL",
"validation": [],
"base_indicator": {
"id": 3927185960,
"indicator": "https://cdn45.com",
"type": "URL",
"title": "",
"description": "",
"content": "",
"access_type": "public",
"access_reason": ""
},
"pulse_info": {
"count": 6,
"pulses": [
{
"id": "6964c08bf79bcb252eaa9e15",
"name": "TrojanSpy - Spotify account under an attack which conceals artists releases / deletes followers",
"description": "Spotify Attacks: TrojanSpy - Streamer Spotify account under an attack which conceals artists releases / deletes followers. The attack is adversarial. I\u2019m unclear how widespread it is. . Further research required. OTX auto generated Pegasus. Released work that was once viewable is now concealed, followers deleted.\n#cloudfront #spyware #delete_service #cloudfront_attacks",
"modified": "2026-02-11T09:03:20.933000",
"created": "2026-01-12T09:36:11.701000",
"tags": [
"google",
"fastly",
"googlecl",
"january",
"http",
"domain",
"akamaias",
"cloudflar",
"page url",
"de summary",
"april",
"reverse dns",
"url https",
"general full",
"software",
"united",
"resource hash",
"protocol h3",
"security quic",
"protocol h2",
"security tls",
"main",
"present jan",
"title",
"gmt max",
"certificate",
"moved",
"lowfi",
"gmt content",
"meta",
"present dec",
"status",
"aaaa",
"passive dns",
"urls",
"search",
"expiration date",
"win32",
"files",
"verdict",
"files ip",
"address",
"mtb jan",
"trojandropper",
"backdoor",
"win32upatre jan",
"origin trial",
"gmt cache",
"443 ma2592000",
"possible",
"worm",
"trojan",
"ip address",
"record value",
"dark",
"found",
"ipv4 add",
"error",
"trojanspy",
"emails",
"servers",
"pegasus",
"america flag",
"america asn",
"tlsv1",
"read c",
"show",
"medium",
"lstockholm",
"ospotify ab",
"odigicert inc",
"execution",
"next",
"dock",
"write",
"persistence",
"dynamicloader",
"yara rule",
"ms windows",
"pe32",
"named pipe",
"smartassembly",
"delphi",
"malware",
"united states",
"pe file",
"filehash",
"md5 add",
"av detections",
"ids detections",
"yara detections",
"alerts",
"high",
"write c",
"tls sni",
"tls handshake",
"delete",
"as15169",
"stun binding",
"request",
"port",
"win64",
"themida",
"guard",
"risepro",
"sha256",
"sha1",
"pattern match",
"ascii text",
"size",
"mitre att",
"ck id",
"null",
"refresh",
"span",
"hybrid",
"general",
"local",
"path",
"click",
"strings",
"tools",
"look",
"verify",
"restart",
"learn",
"command",
"name tactics",
"suspicious",
"informative",
"spawns",
"ck techniques",
"evasion att",
"t1480 execution",
"directui",
"element",
"hwndhost",
"classinfobase",
"hwndelement",
"value",
"explorer",
"insert",
"movie",
"hacktool",
"showing",
"entries http",
"scans show",
"california",
"location united",
"next associated",
"pulse pulses",
"name servers",
"found request",
"unique",
"url add",
"related nids",
"files location",
"expiration",
"flag united",
"present nov",
"present sep",
"href",
"suricata stream",
"command decode",
"starfield",
"encrypt",
"iframe",
"date",
"title error",
"hostname",
"pulse submit",
"memcommit",
"checks",
"windows",
"capture",
"cloudfront",
"colorado",
"creation date",
"hostname add",
"eset",
"binary file",
"pdb path",
"internalname",
"nod32",
"amon"
],
"references": [
"open.spotify.com \u2022",
"https://open.spotify.com/intl-de/track/5KjB1j0u54VXg6M8SN8hH2",
"https://open.spotify.com/track/5KjB1j0u54VXg6M8SN8hH2",
"FileHash-SHA256 cb40cd426d6e55c2b175b5be3327bfdf8d5a0074bf48b823121bd4720ed2ad95",
"events.launchdarkly.com \u2022 clientstream.launchdarkly. \u2022 app.launchdarkly.com",
"https://target.tccwest.www.littleswimmers.fr/",
"www.onyx-ware.com \u2022 endgamesystems.com",
"cloudfront.net \u2022 d127qq8ld0aiq5.cloudfront.net"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Win.Packed.Stealerc-10017074-0",
"display_name": "Win.Packed.Stealerc-10017074-0",
"target": null
},
{
"id": "#Lowfi:Win32/AutoIt",
"display_name": "#Lowfi:Win32/AutoIt",
"target": "/malware/#Lowfi:Win32/AutoIt"
},
{
"id": "Win.Packed.Generic-9967832-0",
"display_name": "Win.Packed.Generic-9967832-0",
"target": null
},
{
"id": "TrojanSpy:MSIL/Yakbeex.A",
"display_name": "TrojanSpy:MSIL/Yakbeex.A",
"target": "/malware/TrojanSpy:MSIL/Yakbeex.A"
},
{
"id": "Pegasus",
"display_name": "Pegasus",
"target": null
},
{
"id": "Win32:HacktoolX-gen\\ [Trj]",
"display_name": "Win32:HacktoolX-gen\\ [Trj]",
"target": null
},
{
"id": "nUFS_unicode",
"display_name": "nUFS_unicode",
"target": null
},
{
"id": "HackTool:Win32/CobaltStrike.A",
"display_name": "HackTool:Win32/CobaltStrike.A",
"target": "/malware/HackTool:Win32/CobaltStrike.A"
},
{
"id": "Win.Dropper.PoisonIvy-9876745-0",
"display_name": "Win.Dropper.PoisonIvy-9876745-0",
"target": null
},
{
"id": "Trojan:Win32/Zombie.A",
"display_name": "Trojan:Win32/Zombie.A",
"target": "/malware/Trojan:Win32/Zombie.A"
},
{
"id": "Win.Trojan.Barys-10005825-0",
"display_name": "Win.Trojan.Barys-10005825-0",
"target": null
}
],
"attack_ids": [
{
"id": "T1102",
"name": "Web Service",
"display_name": "T1102 - Web Service"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "TA0003",
"name": "Persistence",
"display_name": "TA0003 - Persistence"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1587.001",
"name": "Malware",
"display_name": "T1587.001 - Malware"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1189",
"name": "Drive-by Compromise",
"display_name": "T1189 - Drive-by Compromise"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "TA0037",
"name": "Command and Control",
"display_name": "TA0037 - Command and Control"
}
],
"industries": [
"Entertainment",
"Technology"
],
"TLP": "white",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 1293,
"URL": 3389,
"FileHash-MD5": 635,
"FileHash-SHA1": 531,
"FileHash-SHA256": 2345,
"domain": 501,
"email": 12,
"SSLCertFingerprint": 16
},
"indicator_count": 8722,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 138,
"modified_text": "67 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69640c0afc9805a6fa2da07b",
"name": "MUSO.AI Malware \u2018Incredimail\u2019 Palantir in use[OTX auto populated title -Tsara Brashears]",
"description": "MUSO.Ai , Is have to do more research. Some searches on reports MUSO as an opt in resource for artist to view, sort, and manage legacy credits, MUSO also collects royalties. Research and investigation confirms no one on music team is associated with or l thinks they may have heard of MUSO. Is MUSO. AI Palantir customer or service ,spy app services by the folks at Palantir. . [otx auto pop praise: Tsara Brashears is the most popular songwriter in the world, but can you use the app to find out more about the artist and the musicians behind the tracks?] cute. \n#dembiak #palantir #muso #ai",
"modified": "2026-02-10T20:03:47.214000",
"created": "2026-01-11T20:46:02.176000",
"tags": [
"lark kdence",
"zack dare",
"zafira",
"jon bonus",
"andy flebbe",
"div div",
"present nov",
"a domains",
"united",
"script urls",
"div a",
"script domains",
"discover",
"moved",
"insert",
"x0 tw",
"urls",
"cloudfront x",
"title error",
"url analysis",
"reverse dns",
"servers",
"name servers",
"united states",
"all ipv4",
"aaaa",
"ip address",
"learn",
"command",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"spawns",
"evasion att",
"t1480 execution",
"ascii text",
"mitre att",
"pattern match",
"null",
"error",
"click",
"hybrid",
"general",
"local",
"path",
"starfield",
"strings",
"refresh",
"tools",
"meta",
"onload",
"span",
"data upload",
"extraction",
"type",
"extra",
"referen https",
"include review",
"exclude sugges",
"stop",
"aivoes typ",
"passive dns",
"date",
"united states",
"status",
"domain add",
"files",
"hostname",
"read c",
"medium",
"search",
"show",
"memcommit",
"high",
"checks",
"windows",
"delete",
"execution",
"dock",
"write",
"persistence",
"capture",
"next",
"amazon02",
"as autonomous",
"system",
"asn16509",
"domain",
"current dns",
"a record",
"as16509",
"december",
"ip information",
"ipasns ip",
"google",
"fastly",
"googlecl",
"akamaias",
"cloudflar",
"domain tree",
"links ip",
"address as",
"cisco",
"umbrella rank",
"general full",
"url https",
"software",
"resource hash",
"protocol h2",
"security tls",
"hostname add",
"challengescript",
"captchascript",
"name",
"value",
"source level",
"url text",
"automatic",
"webgl",
"please",
"extr data",
"data",
"size",
"title",
"yara detections",
"filehash",
"av detections",
"ids detections",
"alerts",
"analysis date",
"file score",
"low risk",
"entries",
"rgba",
"unicode",
"asnone",
"malware",
"port",
"destination",
"tlsv1",
"tls handshake",
"failure",
"roboto",
"msie",
"windows nt",
"wow64",
"slcc2",
"media center",
"expiration",
"url http",
"no expiration",
"present jan",
"unknown ns",
"certificate",
"body",
"present oct",
"present may",
"present dec",
"present sep",
"present feb",
"showing",
"next associated",
"all se",
"pulse pulses",
"http",
"files domain",
"files related",
"pulses none",
"debiak",
"tsara brashears",
"ai",
"palantir",
"muso ai",
"sort",
"artists",
"royalties",
"music",
"songwriter",
"collect",
"view",
"malicious app",
"false claims"
],
"references": [
"https://credits.muso.ai/profile/ad62a9c1-de4a-4b3a-91d4-8f1ca6b5ad7a",
"22.hio52.r.cloudfront.net",
"us-gov-west-1.gov.reveal-global.com",
"us-g0v-wact-1anvrav\u0645al=\u0635\u0639 \u0627\u062d\u0637\u0645\u0644\u0647",
"MD5 be5eae9bd85769bce02d6e52a4927bcd Pulses Integrations C EXIF Data: HTML:Title\tINetSim default HTML page",
"External Hosts Israel Unique Countries 2 Unique ASNs 2 IP",
"ASN 82.80.204.63 www5.incredimail.com \u2022 Israel",
"United States | ASNone 82.80.204.5 cen.incredibar.com \u2022 Israel",
"AS8551 bezeq international-Itd 3.163.24.31 www5l.incredimail.com \u2022 Israel",
"Antivirus Detections: Win.Malware.Incredimail-6804483-0 IDS Detections: Misspelled Mozilla User-Agent (Mozila)",
"IP\u2019s Contacted : 82.80.204.63 3.163.24.31 82.80.204.5",
"Domains Contacted: cen.incredibar.com www5l.incredimail.com www5.incredimail.com",
"medallion-compute.washington.palantircloud.com \u2022 graviera-compute.palantirfedstart.com",
"caerphilly-containers.palantirfedstart.com \u2022 equilibrium.palantirfoundry.com \u2022 palantirfoundry.com",
"upstreamx.palantirfoundry.com \u2022 https://usw-2-dev.palantirfoundry.com",
"https://upstreamx.palantirfoundry.com \u2022 edwards.palantirfoundry.com \u2022 stagwellmarketingcloud.palantirfoundry.com",
"https://paloma.palantirfoundry.com/workspace/data-health/redirect/ri.foundry.main.dataset.ce31c01d-0b84-4e29-906f-1b8057568d49/master",
"https://paloma.palantirfoundry.com/workspace/data-health/redirect/ri.foundry.main.dataset.878cb49b-395c-4c82-8db8-5e2bb0e628ce/master",
"https://paloma.palantirfoundry.com https://lucyw.palantirfoundry.com \u2022 http://edwards.palantirfoundry.com/",
"http://dasima-containers.palantirfoundry.com \u2022 http://usw-2-dev.palantirfoundry.com",
"https://kt-presales.palantirfoundry.co \u2022 https://glare.palantirfoundry.com",
"engage.palantirfoundry.com \u2022 http://engage.palantirfoundry.com",
"https://equilibrium.palantirfoundry.com \u2022\u2019https://engage.palantirfoundry.com",
"http://upstreamx.palantirfoundry.com/ \u2022 https://equilibrium.palantirfoundry.com/",
"https://glare.pali om. \u2022 http://engage.palantirfou?",
"What? patch.virtualworldweb.com \u2022 s.palantirfoundry.com \u2022 http://u tirfoundry.co",
"(patch.virtualworldweb.com) why does this sound so creepy? DIT , simulation, OWO ,sentient weird.",
"www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process\t\u2022",
"www.endgame \u2022 http://battlefront.com/matrixgames.html \u2022 prometheus.services.myscript.com - Wild!",
"campdeadwood2026.com",
"http://www.mobile-connection-alert.fyi/eb/bn/bn-9-nopop/9-nopop-1.html?var=&var2=&var3=$device=MOBILE&brand=Apple&model=iPhone&city=San%20Antonio&os=IOS&osversion=IOS%2011.4&country=US&countryname=United%20States&carrier=&referrerdomain=&language=en&connectiontype=CABLE&ip=76.185.246.58®ion=Texas&cep=W-gWTncHS9Jzl2WpUnQW3DI5dgjcKdwNWM11yWj-BtNBDFNTD52Baezh0F6DNui3qOYcu9zUPktlUvTulBlF6GONqMgW0w5NXdG42lOJGAp8P79kEUkAM3xGHBcIuf2PfSpz0mTGxnhbXyAteh4g-wCUR45SdW6fMtSANbFpDDpNDCq8LpN8mLeQJjdLUA_TGOXW9mubTgOyAGy",
"Pornhub to your phone. Dumping or by request?",
"https://soerkvingo.msnstyle.dk/vaginas-escort-girl-ukraina-pure-nudisme-dyresex-noveller-sukker-pris-porno-med-norsk-tale/",
"www.killer333.club So I\u2019m right."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Win.Malware.Incredimail-6804483-0",
"display_name": "Win.Malware.Incredimail-6804483-0",
"target": null
}
],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "TA0003",
"name": "Persistence",
"display_name": "TA0003 - Persistence"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1036.004",
"name": "Masquerade Task or Service",
"display_name": "T1036.004 - Masquerade Task or Service"
},
{
"id": "TA0028",
"name": "Persistence",
"display_name": "TA0028 - Persistence"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
},
{
"id": "T1017",
"name": "Application Deployment Software",
"display_name": "T1017 - Application Deployment Software"
},
{
"id": "T1587.001",
"name": "Malware",
"display_name": "T1587.001 - Malware"
},
{
"id": "T1608.001",
"name": "Upload Malware",
"display_name": "T1608.001 - Upload Malware"
},
{
"id": "T1598",
"name": "Phishing for Information",
"display_name": "T1598 - Phishing for Information"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 10686,
"hostname": 2427,
"domain": 1094,
"FileHash-MD5": 175,
"FileHash-SHA1": 65,
"FileHash-SHA256": 1118,
"email": 4,
"SSLCertFingerprint": 14
},
"indicator_count": 15583,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 144,
"modified_text": "68 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "67576b4cdaafecfac733fac4",
"name": "http://pit.waw.pl skrypt w pliku://C:/28f67ac2f4875f36aeb31e181e2d2d50f84b5c0791afa4b7bd6987cf00e95186.html.html http://ww53.cookiesinfo.com/",
"description": "MS Office Excel 2016\n0x2491:$h_raw1: /javascript\n0x289d:$h_raw1: /javascript\n0x2dd0:$h_raw1: /javascript\n0x182a6:$h_raw1: /javascript\n0x18dc0:$h_raw1: /javascript\n0x1a072:$h_raw1: /javascript\n0x1ad72:$h_raw1: /javascript\n0x222e6:$h_raw1: /javascript\n0x22870:$h_raw1: /javascript\n0x23lut:$h_raw1: /javascript\nskrypt w pliku://C:/28f67ac2f4875f36aeb31e181e2d2d50f84b5c0791afa4b7bd6987cf00e95186.html.html",
"modified": "2025-05-14T20:46:38.021000",
"created": "2024-12-09T22:12:28.252000",
"tags": [
"grudzie",
"typ zawartoci",
"linux x8664",
"khtml",
"gecko",
"metoda",
"adres url",
"poczenie",
"dugo treci",
"dostawa artnet",
"sha1",
"sha256",
"microsoft",
"microsoft store",
"office",
"robisz",
"zakupy w",
"dla firm",
"family",
"internetem",
"kliknij tutaj",
"microsoft i",
"bony",
"jaka",
"android",
"utc1 html",
"utc1",
"utc1 gif",
"plik",
"utc1 popieprzy",
"javascript",
"or requesturl",
"or filehash",
"maxradlinklen50",
"type3",
"june",
"copyright",
"t1027",
"warto",
"muid warto",
"mr warto",
"warto clid",
"anonchk warto"
],
"references": [
"http://office.microsoft.com/pl-pl/try/"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 12,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Arek-BTC",
"id": "212764",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 56,
"hostname": 96,
"URL": 348,
"FileHash-SHA256": 313,
"FileHash-MD5": 22,
"FileHash-SHA1": 12,
"IPv4": 11,
"YARA": 2
},
"indicator_count": 860,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 122,
"modified_text": "340 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6769beaee1a21227b5411707",
"name": "svchost.com",
"description": "if(3.0) =t+o, i, as a result of an error, if i=0, is any longer than a single word, then i(i) is a",
"modified": "2025-01-08T01:55:33.905000",
"created": "2024-12-23T19:49:02.840000",
"tags": [
"remoteurl",
"remoteip",
"65535",
"error",
"date",
"fingerprintjs",
"typeof e",
"promise",
"copyright",
"murmurhash3",
"karan lyons",
"msstream",
"click",
"whasz"
],
"references": [
"https://svchost.com/js/fingerprint/iife.min.js",
"http://ww16.test.windows.svchost.com/?sub1=20231019-1240-0363-984e-cb61eec5c9c7",
"http://svchost.com/?fp=-3",
"http://svchost.com/?fp=c9ef88c56cbdd266b94e81c85887b3b5",
"http://svchost.com/"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Arek-BTC",
"id": "212764",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 84,
"FileHash-SHA1": 80,
"FileHash-SHA256": 424,
"IPv4": 1,
"URL": 131,
"hostname": 45,
"domain": 16
},
"indicator_count": 781,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 122,
"modified_text": "466 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6722a579c257c8968664233a",
"name": "VirusTotal Graph - Hidden Hidden - 173[.]194[.]195[.]94 - 10.30.24",
"description": "VirusTotal Graph - Hidden Hidden - 173[.]194[.]195[.]94 - 10.30.24\nGraph Not Expanded, Not enriched on import to OTX",
"modified": "2024-11-29T21:03:08.719000",
"created": "2024-10-30T21:30:33.413000",
"tags": [
"entity",
"Certificates",
"Hidden",
"Malcerts"
],
"references": [
"https://www.virustotal.com/graph/embed/g33a1f2bab7074974aae7dcceef6a1db455f36c107676407d898b41474d9c2bdd?theme=dark",
"https://www.filescan.io/uploads/6722a6a96f9ec335191c8490/reports/b1fe9f64-f3e5-464b-8f04-6da3faa0397f/overview"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Canada"
],
"malware_families": [],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
}
],
"industries": [
"Technology",
"Education",
"Government",
"Healthcare"
],
"TLP": "white",
"cloned_from": null,
"export_count": 19,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 5,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Disable_Duck",
"id": "244325",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 15,
"FileHash-SHA1": 15,
"FileHash-SHA256": 119,
"URL": 82,
"domain": 13,
"hostname": 20
},
"indicator_count": 264,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 129,
"modified_text": "506 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6684ddb81f457884672174ce",
"name": "Suss & Suspicious dlls",
"description": "The full text of the dlls - 07.02.24 - has been published on the website of MSPs.bing.mm.net, with the title \"msedge\". (autopop)\nNoVirusThanks dll Tool:\n13 Suspicious - Threw these into VT -> Made a pretty Graph -> Added to VT Collection\n74 unsigned - didn't touch on these so much (cert probs)\nOG Log File:\n902414559e7f9184ed74685e6ad34ed59abe865bd75f6bc8233da00389d776b4\n07.02.24 - dos - DLLExplorer.log -> Tossed into AlienVault w. the VT Collection and some magic happened",
"modified": "2024-08-23T15:00:34.872000",
"created": "2024-07-03T05:12:24.970000",
"tags": [
"entity",
"please",
"javascript",
"suss",
"hidden",
"false file",
"description",
"hash",
"suspicious",
"duck duck",
"comodo security",
"solutions",
"inc hash",
"intel",
"compiler",
"loader"
],
"references": [
"https://www.virustotal.com/graph/embed/g993ffeadf3fd4998ab224cfe2c747905168b064bf4ca43c8aaebcbfa1218cd32?theme=dark",
"https://www.virustotal.com/gui/collection/2b4bc65a1e84ddb7b105db1d321d35473978d8a0f29fe78f54400f08a3d8caff/summary",
"https://www.virustotal.com/gui/collection/2b4bc65a1e84ddb7b105db1d321d35473978d8a0f29fe78f54400f08a3d8caff/iocs",
"https://www.virustotal.com/gui/collection/2b4bc65a1e84ddb7b105db1d321d35473978d8a0f29fe78f54400f08a3d8caff/graph",
"07.02.24 - dos - DLLExplorer.log"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"Canada"
],
"malware_families": [],
"attack_ids": [
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
}
],
"industries": [
"Technology",
"Education",
"Telecommunications"
],
"TLP": "white",
"cloned_from": null,
"export_count": 26,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Disable_Duck",
"id": "244325",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 3627,
"FileHash-SHA1": 937,
"FileHash-SHA256": 28560,
"hostname": 5477,
"domain": 8215,
"URL": 10147,
"email": 7,
"CIDR": 2
},
"indicator_count": 56972,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 132,
"modified_text": "604 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
}
],
"references": [
"Pornhub to your phone. Dumping or by request?",
"https://kt-presales.palantirfoundry.co \u2022 https://glare.palantirfoundry.com",
"Antivirus Detections: Win.Malware.Incredimail-6804483-0 IDS Detections: Misspelled Mozilla User-Agent (Mozila)",
"https://upstreamx.palantirfoundry.com \u2022 edwards.palantirfoundry.com \u2022 stagwellmarketingcloud.palantirfoundry.com",
"open.spotify.com \u2022",
"https://www.filescan.io/uploads/6722a6a96f9ec335191c8490/reports/b1fe9f64-f3e5-464b-8f04-6da3faa0397f/overview",
"https://paloma.palantirfoundry.com/workspace/data-health/redirect/ri.foundry.main.dataset.ce31c01d-0b84-4e29-906f-1b8057568d49/master",
"https://equilibrium.palantirfoundry.com \u2022\u2019https://engage.palantirfoundry.com",
"MD5 be5eae9bd85769bce02d6e52a4927bcd Pulses Integrations C EXIF Data: HTML:Title\tINetSim default HTML page",
"FileHash-SHA256 cb40cd426d6e55c2b175b5be3327bfdf8d5a0074bf48b823121bd4720ed2ad95",
"upstreamx.palantirfoundry.com \u2022 https://usw-2-dev.palantirfoundry.com",
"AS8551 bezeq international-Itd 3.163.24.31 www5l.incredimail.com \u2022 Israel",
"http://www.mobile-connection-alert.fyi/eb/bn/bn-9-nopop/9-nopop-1.html?var=&var2=&var3=$device=MOBILE&brand=Apple&model=iPhone&city=San%20Antonio&os=IOS&osversion=IOS%2011.4&country=US&countryname=United%20States&carrier=&referrerdomain=&language=en&connectiontype=CABLE&ip=76.185.246.58®ion=Texas&cep=W-gWTncHS9Jzl2WpUnQW3DI5dgjcKdwNWM11yWj-BtNBDFNTD52Baezh0F6DNui3qOYcu9zUPktlUvTulBlF6GONqMgW0w5NXdG42lOJGAp8P79kEUkAM3xGHBcIuf2PfSpz0mTGxnhbXyAteh4g-wCUR45SdW6fMtSANbFpDDpNDCq8LpN8mLeQJjdLUA_TGOXW9mubTgOyAGy",
"07.02.24 - dos - DLLExplorer.log",
"engage.palantirfoundry.com \u2022 http://engage.palantirfoundry.com",
"https://www.virustotal.com/graph/embed/g33a1f2bab7074974aae7dcceef6a1db455f36c107676407d898b41474d9c2bdd?theme=dark",
"https://www.virustotal.com/graph/embed/g993ffeadf3fd4998ab224cfe2c747905168b064bf4ca43c8aaebcbfa1218cd32?theme=dark",
"IP\u2019s Contacted : 82.80.204.63 3.163.24.31 82.80.204.5",
"https://open.spotify.com/track/5KjB1j0u54VXg6M8SN8hH2",
"medallion-compute.washington.palantircloud.com \u2022 graviera-compute.palantirfedstart.com",
"https://svchost.com/js/fingerprint/iife.min.js",
"https://paloma.palantirfoundry.com/workspace/data-health/redirect/ri.foundry.main.dataset.878cb49b-395c-4c82-8db8-5e2bb0e628ce/master",
"http://svchost.com/?fp=-3",
"https://www.virustotal.com/gui/collection/2b4bc65a1e84ddb7b105db1d321d35473978d8a0f29fe78f54400f08a3d8caff/iocs",
"campdeadwood2026.com",
"22.hio52.r.cloudfront.net",
"What? patch.virtualworldweb.com \u2022 s.palantirfoundry.com \u2022 http://u tirfoundry.co",
"(patch.virtualworldweb.com) why does this sound so creepy? DIT , simulation, OWO ,sentient weird.",
"United States | ASNone 82.80.204.5 cen.incredibar.com \u2022 Israel",
"https://credits.muso.ai/profile/ad62a9c1-de4a-4b3a-91d4-8f1ca6b5ad7a",
"https://target.tccwest.www.littleswimmers.fr/",
"https://open.spotify.com/intl-de/track/5KjB1j0u54VXg6M8SN8hH2",
"us-g0v-wact-1anvrav\u0645al=\u0635\u0639 \u0627\u062d\u0637\u0645\u0644\u0647",
"https://paloma.palantirfoundry.com https://lucyw.palantirfoundry.com \u2022 http://edwards.palantirfoundry.com/",
"http://upstreamx.palantirfoundry.com/ \u2022 https://equilibrium.palantirfoundry.com/",
"www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process\t\u2022",
"http://ww16.test.windows.svchost.com/?sub1=20231019-1240-0363-984e-cb61eec5c9c7",
"https://www.virustotal.com/gui/collection/2b4bc65a1e84ddb7b105db1d321d35473978d8a0f29fe78f54400f08a3d8caff/graph",
"www.killer333.club So I\u2019m right.",
"caerphilly-containers.palantirfedstart.com \u2022 equilibrium.palantirfoundry.com \u2022 palantirfoundry.com",
"http://svchost.com/",
"ASN 82.80.204.63 www5.incredimail.com \u2022 Israel",
"http://dasima-containers.palantirfoundry.com \u2022 http://usw-2-dev.palantirfoundry.com",
"www.endgame \u2022 http://battlefront.com/matrixgames.html \u2022 prometheus.services.myscript.com - Wild!",
"http://office.microsoft.com/pl-pl/try/",
"events.launchdarkly.com \u2022 clientstream.launchdarkly. \u2022 app.launchdarkly.com",
"https://soerkvingo.msnstyle.dk/vaginas-escort-girl-ukraina-pure-nudisme-dyresex-noveller-sukker-pris-porno-med-norsk-tale/",
"http://svchost.com/?fp=c9ef88c56cbdd266b94e81c85887b3b5",
"cloudfront.net \u2022 d127qq8ld0aiq5.cloudfront.net",
"us-gov-west-1.gov.reveal-global.com",
"https://glare.pali om. \u2022 http://engage.palantirfou?",
"Domains Contacted: cen.incredibar.com www5l.incredimail.com www5.incredimail.com",
"www.onyx-ware.com \u2022 endgamesystems.com",
"External Hosts Israel Unique Countries 2 Unique ASNs 2 IP",
"https://www.virustotal.com/gui/collection/2b4bc65a1e84ddb7b105db1d321d35473978d8a0f29fe78f54400f08a3d8caff/summary"
],
"related": {
"alienvault": {
"adversary": [],
"malware_families": [],
"industries": [],
"unique_indicators": 0
},
"other": {
"adversary": [],
"malware_families": [
"Trojanspy",
"#lowfi:win32/autoit",
"Win.packed.stealerc-10017074-0",
"Win32:hacktoolx-gen\\ [trj]",
"Win.packed.generic-9967832-0",
"Pegasus",
"Win.dropper.poisonivy-9876745-0",
"Win.trojan.barys-10005825-0",
"Trojanspy:msil/yakbeex.a",
"Win.malware.incredimail-6804483-0",
"Trojan:win32/zombie.a",
"Nufs_unicode",
"Hacktool:win32/cobaltstrike.a"
],
"industries": [
"Entertainment",
"Telecommunications",
"Technology",
"Education",
"Healthcare",
"Government"
],
"unique_indicators": 33587
}
}
},
"false_positive": [],
"alexa": "http://www.alexa.com/siteinfo/cdn45.com",
"whois": "http://whois.domaintools.com/cdn45.com",
"domain": "cdn45.com",
"hostname": "Unavailable"
},
"geo": {},
"geo_ipapicom": {},
"pulse_count": 6,
"pulses": [
{
"id": "6964c08bf79bcb252eaa9e15",
"name": "TrojanSpy - Spotify account under an attack which conceals artists releases / deletes followers",
"description": "Spotify Attacks: TrojanSpy - Streamer Spotify account under an attack which conceals artists releases / deletes followers. The attack is adversarial. I\u2019m unclear how widespread it is. . Further research required. OTX auto generated Pegasus. Released work that was once viewable is now concealed, followers deleted.\n#cloudfront #spyware #delete_service #cloudfront_attacks",
"modified": "2026-02-11T09:03:20.933000",
"created": "2026-01-12T09:36:11.701000",
"tags": [
"google",
"fastly",
"googlecl",
"january",
"http",
"domain",
"akamaias",
"cloudflar",
"page url",
"de summary",
"april",
"reverse dns",
"url https",
"general full",
"software",
"united",
"resource hash",
"protocol h3",
"security quic",
"protocol h2",
"security tls",
"main",
"present jan",
"title",
"gmt max",
"certificate",
"moved",
"lowfi",
"gmt content",
"meta",
"present dec",
"status",
"aaaa",
"passive dns",
"urls",
"search",
"expiration date",
"win32",
"files",
"verdict",
"files ip",
"address",
"mtb jan",
"trojandropper",
"backdoor",
"win32upatre jan",
"origin trial",
"gmt cache",
"443 ma2592000",
"possible",
"worm",
"trojan",
"ip address",
"record value",
"dark",
"found",
"ipv4 add",
"error",
"trojanspy",
"emails",
"servers",
"pegasus",
"america flag",
"america asn",
"tlsv1",
"read c",
"show",
"medium",
"lstockholm",
"ospotify ab",
"odigicert inc",
"execution",
"next",
"dock",
"write",
"persistence",
"dynamicloader",
"yara rule",
"ms windows",
"pe32",
"named pipe",
"smartassembly",
"delphi",
"malware",
"united states",
"pe file",
"filehash",
"md5 add",
"av detections",
"ids detections",
"yara detections",
"alerts",
"high",
"write c",
"tls sni",
"tls handshake",
"delete",
"as15169",
"stun binding",
"request",
"port",
"win64",
"themida",
"guard",
"risepro",
"sha256",
"sha1",
"pattern match",
"ascii text",
"size",
"mitre att",
"ck id",
"null",
"refresh",
"span",
"hybrid",
"general",
"local",
"path",
"click",
"strings",
"tools",
"look",
"verify",
"restart",
"learn",
"command",
"name tactics",
"suspicious",
"informative",
"spawns",
"ck techniques",
"evasion att",
"t1480 execution",
"directui",
"element",
"hwndhost",
"classinfobase",
"hwndelement",
"value",
"explorer",
"insert",
"movie",
"hacktool",
"showing",
"entries http",
"scans show",
"california",
"location united",
"next associated",
"pulse pulses",
"name servers",
"found request",
"unique",
"url add",
"related nids",
"files location",
"expiration",
"flag united",
"present nov",
"present sep",
"href",
"suricata stream",
"command decode",
"starfield",
"encrypt",
"iframe",
"date",
"title error",
"hostname",
"pulse submit",
"memcommit",
"checks",
"windows",
"capture",
"cloudfront",
"colorado",
"creation date",
"hostname add",
"eset",
"binary file",
"pdb path",
"internalname",
"nod32",
"amon"
],
"references": [
"open.spotify.com \u2022",
"https://open.spotify.com/intl-de/track/5KjB1j0u54VXg6M8SN8hH2",
"https://open.spotify.com/track/5KjB1j0u54VXg6M8SN8hH2",
"FileHash-SHA256 cb40cd426d6e55c2b175b5be3327bfdf8d5a0074bf48b823121bd4720ed2ad95",
"events.launchdarkly.com \u2022 clientstream.launchdarkly. \u2022 app.launchdarkly.com",
"https://target.tccwest.www.littleswimmers.fr/",
"www.onyx-ware.com \u2022 endgamesystems.com",
"cloudfront.net \u2022 d127qq8ld0aiq5.cloudfront.net"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Win.Packed.Stealerc-10017074-0",
"display_name": "Win.Packed.Stealerc-10017074-0",
"target": null
},
{
"id": "#Lowfi:Win32/AutoIt",
"display_name": "#Lowfi:Win32/AutoIt",
"target": "/malware/#Lowfi:Win32/AutoIt"
},
{
"id": "Win.Packed.Generic-9967832-0",
"display_name": "Win.Packed.Generic-9967832-0",
"target": null
},
{
"id": "TrojanSpy:MSIL/Yakbeex.A",
"display_name": "TrojanSpy:MSIL/Yakbeex.A",
"target": "/malware/TrojanSpy:MSIL/Yakbeex.A"
},
{
"id": "Pegasus",
"display_name": "Pegasus",
"target": null
},
{
"id": "Win32:HacktoolX-gen\\ [Trj]",
"display_name": "Win32:HacktoolX-gen\\ [Trj]",
"target": null
},
{
"id": "nUFS_unicode",
"display_name": "nUFS_unicode",
"target": null
},
{
"id": "HackTool:Win32/CobaltStrike.A",
"display_name": "HackTool:Win32/CobaltStrike.A",
"target": "/malware/HackTool:Win32/CobaltStrike.A"
},
{
"id": "Win.Dropper.PoisonIvy-9876745-0",
"display_name": "Win.Dropper.PoisonIvy-9876745-0",
"target": null
},
{
"id": "Trojan:Win32/Zombie.A",
"display_name": "Trojan:Win32/Zombie.A",
"target": "/malware/Trojan:Win32/Zombie.A"
},
{
"id": "Win.Trojan.Barys-10005825-0",
"display_name": "Win.Trojan.Barys-10005825-0",
"target": null
}
],
"attack_ids": [
{
"id": "T1102",
"name": "Web Service",
"display_name": "T1102 - Web Service"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "TA0003",
"name": "Persistence",
"display_name": "TA0003 - Persistence"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1587.001",
"name": "Malware",
"display_name": "T1587.001 - Malware"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1189",
"name": "Drive-by Compromise",
"display_name": "T1189 - Drive-by Compromise"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "TA0037",
"name": "Command and Control",
"display_name": "TA0037 - Command and Control"
}
],
"industries": [
"Entertainment",
"Technology"
],
"TLP": "white",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 1293,
"URL": 3389,
"FileHash-MD5": 635,
"FileHash-SHA1": 531,
"FileHash-SHA256": 2345,
"domain": 501,
"email": 12,
"SSLCertFingerprint": 16
},
"indicator_count": 8722,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 138,
"modified_text": "67 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69640c0afc9805a6fa2da07b",
"name": "MUSO.AI Malware \u2018Incredimail\u2019 Palantir in use[OTX auto populated title -Tsara Brashears]",
"description": "MUSO.Ai , Is have to do more research. Some searches on reports MUSO as an opt in resource for artist to view, sort, and manage legacy credits, MUSO also collects royalties. Research and investigation confirms no one on music team is associated with or l thinks they may have heard of MUSO. Is MUSO. AI Palantir customer or service ,spy app services by the folks at Palantir. . [otx auto pop praise: Tsara Brashears is the most popular songwriter in the world, but can you use the app to find out more about the artist and the musicians behind the tracks?] cute. \n#dembiak #palantir #muso #ai",
"modified": "2026-02-10T20:03:47.214000",
"created": "2026-01-11T20:46:02.176000",
"tags": [
"lark kdence",
"zack dare",
"zafira",
"jon bonus",
"andy flebbe",
"div div",
"present nov",
"a domains",
"united",
"script urls",
"div a",
"script domains",
"discover",
"moved",
"insert",
"x0 tw",
"urls",
"cloudfront x",
"title error",
"url analysis",
"reverse dns",
"servers",
"name servers",
"united states",
"all ipv4",
"aaaa",
"ip address",
"learn",
"command",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"spawns",
"evasion att",
"t1480 execution",
"ascii text",
"mitre att",
"pattern match",
"null",
"error",
"click",
"hybrid",
"general",
"local",
"path",
"starfield",
"strings",
"refresh",
"tools",
"meta",
"onload",
"span",
"data upload",
"extraction",
"type",
"extra",
"referen https",
"include review",
"exclude sugges",
"stop",
"aivoes typ",
"passive dns",
"date",
"united states",
"status",
"domain add",
"files",
"hostname",
"read c",
"medium",
"search",
"show",
"memcommit",
"high",
"checks",
"windows",
"delete",
"execution",
"dock",
"write",
"persistence",
"capture",
"next",
"amazon02",
"as autonomous",
"system",
"asn16509",
"domain",
"current dns",
"a record",
"as16509",
"december",
"ip information",
"ipasns ip",
"google",
"fastly",
"googlecl",
"akamaias",
"cloudflar",
"domain tree",
"links ip",
"address as",
"cisco",
"umbrella rank",
"general full",
"url https",
"software",
"resource hash",
"protocol h2",
"security tls",
"hostname add",
"challengescript",
"captchascript",
"name",
"value",
"source level",
"url text",
"automatic",
"webgl",
"please",
"extr data",
"data",
"size",
"title",
"yara detections",
"filehash",
"av detections",
"ids detections",
"alerts",
"analysis date",
"file score",
"low risk",
"entries",
"rgba",
"unicode",
"asnone",
"malware",
"port",
"destination",
"tlsv1",
"tls handshake",
"failure",
"roboto",
"msie",
"windows nt",
"wow64",
"slcc2",
"media center",
"expiration",
"url http",
"no expiration",
"present jan",
"unknown ns",
"certificate",
"body",
"present oct",
"present may",
"present dec",
"present sep",
"present feb",
"showing",
"next associated",
"all se",
"pulse pulses",
"http",
"files domain",
"files related",
"pulses none",
"debiak",
"tsara brashears",
"ai",
"palantir",
"muso ai",
"sort",
"artists",
"royalties",
"music",
"songwriter",
"collect",
"view",
"malicious app",
"false claims"
],
"references": [
"https://credits.muso.ai/profile/ad62a9c1-de4a-4b3a-91d4-8f1ca6b5ad7a",
"22.hio52.r.cloudfront.net",
"us-gov-west-1.gov.reveal-global.com",
"us-g0v-wact-1anvrav\u0645al=\u0635\u0639 \u0627\u062d\u0637\u0645\u0644\u0647",
"MD5 be5eae9bd85769bce02d6e52a4927bcd Pulses Integrations C EXIF Data: HTML:Title\tINetSim default HTML page",
"External Hosts Israel Unique Countries 2 Unique ASNs 2 IP",
"ASN 82.80.204.63 www5.incredimail.com \u2022 Israel",
"United States | ASNone 82.80.204.5 cen.incredibar.com \u2022 Israel",
"AS8551 bezeq international-Itd 3.163.24.31 www5l.incredimail.com \u2022 Israel",
"Antivirus Detections: Win.Malware.Incredimail-6804483-0 IDS Detections: Misspelled Mozilla User-Agent (Mozila)",
"IP\u2019s Contacted : 82.80.204.63 3.163.24.31 82.80.204.5",
"Domains Contacted: cen.incredibar.com www5l.incredimail.com www5.incredimail.com",
"medallion-compute.washington.palantircloud.com \u2022 graviera-compute.palantirfedstart.com",
"caerphilly-containers.palantirfedstart.com \u2022 equilibrium.palantirfoundry.com \u2022 palantirfoundry.com",
"upstreamx.palantirfoundry.com \u2022 https://usw-2-dev.palantirfoundry.com",
"https://upstreamx.palantirfoundry.com \u2022 edwards.palantirfoundry.com \u2022 stagwellmarketingcloud.palantirfoundry.com",
"https://paloma.palantirfoundry.com/workspace/data-health/redirect/ri.foundry.main.dataset.ce31c01d-0b84-4e29-906f-1b8057568d49/master",
"https://paloma.palantirfoundry.com/workspace/data-health/redirect/ri.foundry.main.dataset.878cb49b-395c-4c82-8db8-5e2bb0e628ce/master",
"https://paloma.palantirfoundry.com https://lucyw.palantirfoundry.com \u2022 http://edwards.palantirfoundry.com/",
"http://dasima-containers.palantirfoundry.com \u2022 http://usw-2-dev.palantirfoundry.com",
"https://kt-presales.palantirfoundry.co \u2022 https://glare.palantirfoundry.com",
"engage.palantirfoundry.com \u2022 http://engage.palantirfoundry.com",
"https://equilibrium.palantirfoundry.com \u2022\u2019https://engage.palantirfoundry.com",
"http://upstreamx.palantirfoundry.com/ \u2022 https://equilibrium.palantirfoundry.com/",
"https://glare.pali om. \u2022 http://engage.palantirfou?",
"What? patch.virtualworldweb.com \u2022 s.palantirfoundry.com \u2022 http://u tirfoundry.co",
"(patch.virtualworldweb.com) why does this sound so creepy? DIT , simulation, OWO ,sentient weird.",
"www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process\t\u2022",
"www.endgame \u2022 http://battlefront.com/matrixgames.html \u2022 prometheus.services.myscript.com - Wild!",
"campdeadwood2026.com",
"http://www.mobile-connection-alert.fyi/eb/bn/bn-9-nopop/9-nopop-1.html?var=&var2=&var3=$device=MOBILE&brand=Apple&model=iPhone&city=San%20Antonio&os=IOS&osversion=IOS%2011.4&country=US&countryname=United%20States&carrier=&referrerdomain=&language=en&connectiontype=CABLE&ip=76.185.246.58®ion=Texas&cep=W-gWTncHS9Jzl2WpUnQW3DI5dgjcKdwNWM11yWj-BtNBDFNTD52Baezh0F6DNui3qOYcu9zUPktlUvTulBlF6GONqMgW0w5NXdG42lOJGAp8P79kEUkAM3xGHBcIuf2PfSpz0mTGxnhbXyAteh4g-wCUR45SdW6fMtSANbFpDDpNDCq8LpN8mLeQJjdLUA_TGOXW9mubTgOyAGy",
"Pornhub to your phone. Dumping or by request?",
"https://soerkvingo.msnstyle.dk/vaginas-escort-girl-ukraina-pure-nudisme-dyresex-noveller-sukker-pris-porno-med-norsk-tale/",
"www.killer333.club So I\u2019m right."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Win.Malware.Incredimail-6804483-0",
"display_name": "Win.Malware.Incredimail-6804483-0",
"target": null
}
],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "TA0003",
"name": "Persistence",
"display_name": "TA0003 - Persistence"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1036.004",
"name": "Masquerade Task or Service",
"display_name": "T1036.004 - Masquerade Task or Service"
},
{
"id": "TA0028",
"name": "Persistence",
"display_name": "TA0028 - Persistence"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
},
{
"id": "T1017",
"name": "Application Deployment Software",
"display_name": "T1017 - Application Deployment Software"
},
{
"id": "T1587.001",
"name": "Malware",
"display_name": "T1587.001 - Malware"
},
{
"id": "T1608.001",
"name": "Upload Malware",
"display_name": "T1608.001 - Upload Malware"
},
{
"id": "T1598",
"name": "Phishing for Information",
"display_name": "T1598 - Phishing for Information"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 10686,
"hostname": 2427,
"domain": 1094,
"FileHash-MD5": 175,
"FileHash-SHA1": 65,
"FileHash-SHA256": 1118,
"email": 4,
"SSLCertFingerprint": 14
},
"indicator_count": 15583,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 144,
"modified_text": "68 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "67576b4cdaafecfac733fac4",
"name": "http://pit.waw.pl skrypt w pliku://C:/28f67ac2f4875f36aeb31e181e2d2d50f84b5c0791afa4b7bd6987cf00e95186.html.html http://ww53.cookiesinfo.com/",
"description": "MS Office Excel 2016\n0x2491:$h_raw1: /javascript\n0x289d:$h_raw1: /javascript\n0x2dd0:$h_raw1: /javascript\n0x182a6:$h_raw1: /javascript\n0x18dc0:$h_raw1: /javascript\n0x1a072:$h_raw1: /javascript\n0x1ad72:$h_raw1: /javascript\n0x222e6:$h_raw1: /javascript\n0x22870:$h_raw1: /javascript\n0x23lut:$h_raw1: /javascript\nskrypt w pliku://C:/28f67ac2f4875f36aeb31e181e2d2d50f84b5c0791afa4b7bd6987cf00e95186.html.html",
"modified": "2025-05-14T20:46:38.021000",
"created": "2024-12-09T22:12:28.252000",
"tags": [
"grudzie",
"typ zawartoci",
"linux x8664",
"khtml",
"gecko",
"metoda",
"adres url",
"poczenie",
"dugo treci",
"dostawa artnet",
"sha1",
"sha256",
"microsoft",
"microsoft store",
"office",
"robisz",
"zakupy w",
"dla firm",
"family",
"internetem",
"kliknij tutaj",
"microsoft i",
"bony",
"jaka",
"android",
"utc1 html",
"utc1",
"utc1 gif",
"plik",
"utc1 popieprzy",
"javascript",
"or requesturl",
"or filehash",
"maxradlinklen50",
"type3",
"june",
"copyright",
"t1027",
"warto",
"muid warto",
"mr warto",
"warto clid",
"anonchk warto"
],
"references": [
"http://office.microsoft.com/pl-pl/try/"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 12,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Arek-BTC",
"id": "212764",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 56,
"hostname": 96,
"URL": 348,
"FileHash-SHA256": 313,
"FileHash-MD5": 22,
"FileHash-SHA1": 12,
"IPv4": 11,
"YARA": 2
},
"indicator_count": 860,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 122,
"modified_text": "340 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6769beaee1a21227b5411707",
"name": "svchost.com",
"description": "if(3.0) =t+o, i, as a result of an error, if i=0, is any longer than a single word, then i(i) is a",
"modified": "2025-01-08T01:55:33.905000",
"created": "2024-12-23T19:49:02.840000",
"tags": [
"remoteurl",
"remoteip",
"65535",
"error",
"date",
"fingerprintjs",
"typeof e",
"promise",
"copyright",
"murmurhash3",
"karan lyons",
"msstream",
"click",
"whasz"
],
"references": [
"https://svchost.com/js/fingerprint/iife.min.js",
"http://ww16.test.windows.svchost.com/?sub1=20231019-1240-0363-984e-cb61eec5c9c7",
"http://svchost.com/?fp=-3",
"http://svchost.com/?fp=c9ef88c56cbdd266b94e81c85887b3b5",
"http://svchost.com/"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Arek-BTC",
"id": "212764",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 84,
"FileHash-SHA1": 80,
"FileHash-SHA256": 424,
"IPv4": 1,
"URL": 131,
"hostname": 45,
"domain": 16
},
"indicator_count": 781,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 122,
"modified_text": "466 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6722a579c257c8968664233a",
"name": "VirusTotal Graph - Hidden Hidden - 173[.]194[.]195[.]94 - 10.30.24",
"description": "VirusTotal Graph - Hidden Hidden - 173[.]194[.]195[.]94 - 10.30.24\nGraph Not Expanded, Not enriched on import to OTX",
"modified": "2024-11-29T21:03:08.719000",
"created": "2024-10-30T21:30:33.413000",
"tags": [
"entity",
"Certificates",
"Hidden",
"Malcerts"
],
"references": [
"https://www.virustotal.com/graph/embed/g33a1f2bab7074974aae7dcceef6a1db455f36c107676407d898b41474d9c2bdd?theme=dark",
"https://www.filescan.io/uploads/6722a6a96f9ec335191c8490/reports/b1fe9f64-f3e5-464b-8f04-6da3faa0397f/overview"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Canada"
],
"malware_families": [],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
}
],
"industries": [
"Technology",
"Education",
"Government",
"Healthcare"
],
"TLP": "white",
"cloned_from": null,
"export_count": 19,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 5,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Disable_Duck",
"id": "244325",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 15,
"FileHash-SHA1": 15,
"FileHash-SHA256": 119,
"URL": 82,
"domain": 13,
"hostname": 20
},
"indicator_count": 264,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 129,
"modified_text": "506 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6684ddb81f457884672174ce",
"name": "Suss & Suspicious dlls",
"description": "The full text of the dlls - 07.02.24 - has been published on the website of MSPs.bing.mm.net, with the title \"msedge\". (autopop)\nNoVirusThanks dll Tool:\n13 Suspicious - Threw these into VT -> Made a pretty Graph -> Added to VT Collection\n74 unsigned - didn't touch on these so much (cert probs)\nOG Log File:\n902414559e7f9184ed74685e6ad34ed59abe865bd75f6bc8233da00389d776b4\n07.02.24 - dos - DLLExplorer.log -> Tossed into AlienVault w. the VT Collection and some magic happened",
"modified": "2024-08-23T15:00:34.872000",
"created": "2024-07-03T05:12:24.970000",
"tags": [
"entity",
"please",
"javascript",
"suss",
"hidden",
"false file",
"description",
"hash",
"suspicious",
"duck duck",
"comodo security",
"solutions",
"inc hash",
"intel",
"compiler",
"loader"
],
"references": [
"https://www.virustotal.com/graph/embed/g993ffeadf3fd4998ab224cfe2c747905168b064bf4ca43c8aaebcbfa1218cd32?theme=dark",
"https://www.virustotal.com/gui/collection/2b4bc65a1e84ddb7b105db1d321d35473978d8a0f29fe78f54400f08a3d8caff/summary",
"https://www.virustotal.com/gui/collection/2b4bc65a1e84ddb7b105db1d321d35473978d8a0f29fe78f54400f08a3d8caff/iocs",
"https://www.virustotal.com/gui/collection/2b4bc65a1e84ddb7b105db1d321d35473978d8a0f29fe78f54400f08a3d8caff/graph",
"07.02.24 - dos - DLLExplorer.log"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"Canada"
],
"malware_families": [],
"attack_ids": [
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
}
],
"industries": [
"Technology",
"Education",
"Telecommunications"
],
"TLP": "white",
"cloned_from": null,
"export_count": 26,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Disable_Duck",
"id": "244325",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 3627,
"FileHash-SHA1": 937,
"FileHash-SHA256": 28560,
"hostname": 5477,
"domain": 8215,
"URL": 10147,
"email": 7,
"CIDR": 2
},
"indicator_count": 56972,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 132,
"modified_text": "604 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
}
],
"error": null,
"vt": {
"error": "VirusTotal rate limit reached. Try again shortly.",
"indicator": "https://cdn45.com",
"type": "URL"
},
"abuseipdb": null,
"urlhaus": {
"indicator": "https://cdn45.com",
"type": "URL",
"found": false,
"verdict": "clean",
"error": null
},
"from_cache": true,
"_cached_at": 1776638594.5695784
}