{ "type": "URL", "indicator": "https://crimestoppers.ab.ca", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://crimestoppers.ab.ca", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4051552442, "indicator": "https://crimestoppers.ab.ca", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 11, "pulses": [ { "id": "69b10d1ce4563d38fbbc72d6", "name": "disable_duck clone Alberta", "description": "", "modified": "2026-03-11T07:40:56.177000", "created": "2026-03-11T06:35:08.464000", "tags": [ "sandbox", "malware", "analysis", "online", "submit", "vxstream", "sample", "download", "trojan", "apt", "white", "modified", "runtime data", "ansi", "public", "months ago", "filehashsha256", "hostname", "domain", "path", "green", "copy", "powershell", "general", "malicious", "pixel", "suspicious", "meta", "covenant", "virustotal", "click", "open", "cobalt strike", "probe", "first", "installer", "template", "crypto", "cobalt", "mozilla", "mirai", "false", "date", "title", "roboto", "arch", "android", "april", "drovorub", "squad", "baby", "geek", "tofsee", "redline stealer", "twitter", "service", "team", "killswitch", "mini", "cobaltstrike", "enterprise", "simda", "suppobox", "ransomware", "maldoc", "computrace", "february", "tetris", "hybrid", "body", "iframe", "qakbot", "double", "proton", "mark", "jakarta", "win32", "explorer", "union", "redirector", "xrat", "model", "rogue", "done", "python", "police", "thor", "xploit", "impact", "retro", "jeff", "oilrig", "sliver", "bypass", "info", "school", "miner", "phishing", "riots", "comment", "gafgyt", "bashlite", "calgary", "tech", "bitcoin", "test", "survey", "ukraine", "gamarue", "swisyn", "krucky", "systembc", "june", "dridex", "agent", "close", "format", "autodetect", "strings", "contact", "switch", "community", "limits", "inquest labs", "resources api", "cve list", "notes blog", "drop your", "file", "kaspersky threat intelligence portal", "online virus scan file", "online file scanner", "kaspersky online scanner", "online file virus scan", "scan file online", "scan file for virus", "file scanner", "online file virus scanner", "check link for virus", "kaspersky online scan", "check file for virus", "false alarm", "false detection", "false positive", "online virus", "scanner", "hybrid analysis", "api key", "vetting process", "please note", "please", "ualberta", "ualberta http", "xormozilla", "disableduck", "virus", "static", "indicator of compromise", "ioc", "extraction", "emulation", "platform", "triage", "report", "reported", "analyze", "filesize", "set value", "iocs", "process", "process key", "monitor", "resource", "config", "target", "generic", "javascript", "static analyzer", "analyzer", "Microsoft", "YEG", "UAlberta", "Google", "AHS", "Covenant Health" ], "references": [ "https://hybrid-analysis.com/sample/5e066617cc959dbab123f23d5d36a4dc4d813358e43eddbd1a6e7c87827c301d/68e01fdde76500b3c20326c4", "https://metadefender.com/results/file/bzI1MTAwMzhvTXdHbkVaZGItcW0tbnU2Nmkx_mdaas", "https://opentip.kaspersky.com/5E066617CC959DBAB123F23D5D36A4DC4D813358E43EDDBD1A6E7C87827C301D/?tab=upload", "https://hybrid-analysis.com/sample/5e066617cc959dbab123f23d5d36a4dc4d813358e43eddbd1a6e7c87827c301d", "https://www.filescan.io/uploads/68e01279f377ab2310519c81/reports/02a0a465-8936-4b6d-99a2-6950b71ab1c5/ioc", "https://tria.ge/251003-x8c56azky6/behavioral2", "https://www.virustotal.com/gui/file/5e066617cc959dbab123f23d5d36a4dc4d813358e43eddbd1a6e7c87827c301d?nocache=1", "https://app.threat.zone/submission/db9c1a4a-a706-4ed9-9229-4190f02151bc/overview" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada", "United States of America", "Netherlands" ], "malware_families": [], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1135", "name": "Network Share Discovery", "display_name": "T1135 - Network Share Discovery" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1489", "name": "Service Stop", "display_name": "T1489 - Service Stop" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" } ], "industries": [ "Education", "Government", "Healthcare" ], "TLP": "white", "cloned_from": "68e02ab7156e79ecd34a4929", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4203, "CIDR": 8, "CVE": 13, "FileHash-MD5": 31, "FileHash-SHA1": 25, "FileHash-SHA256": 74, "domain": 117, "email": 14, "hostname": 76 }, "indicator_count": 4561, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "40 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6709ad372568d7810af2e480", "name": "https://rcmp[.]ca/en/alberta // rcmp[.]ca // rcmp-grc[.]gc[.]ca - 12.06.25", "description": "Alberta RCMP\nhttps://rcmp[.]ca/en/alberta // rcmp[.]ca // rcmp-grc[.]gc[.]ca", "modified": "2026-01-05T22:04:46.025000", "created": "2024-10-11T22:56:55.968000", "tags": [ "entity", "RCMP", "Alberta", "EPS", "Edmonton Police Services", "RCMP AB", "CrimeStoppers AB" ], "references": [ "https://www.virustotal.com/graph/embed/g69422d071856425cb7ef01a90232cae9aef9af2362ad45db8fc83caabe618606?theme=dark", "https://www.virustotal.com/gui/collection/22cbfd4f1a868301f4f66c5914ab66d63695118f829e90ede0c8450876d4dd13/iocs", "https://urlquery.net/report/54993e5a-9b3f-4eef-a219-6ed529b4ea66", "https://www.filescan.io/uploads/6775f8d1108e6fdea94ba637/reports/ba88f2c2-96e9-4106-9b93-4f7fa7f1519a/overview", "https://malpedia.caad.fkie.fraunhofer.de/details/win.tofsee", "https://www.virustotal.com/gui/collection/malpedia_win_tofsee/summary", "https://viz.greynoise.io/analysis/ade7d4f8-0bf7-4582-9a91-f7b26c0bb9f7", "", "https://rcmp[.]ca/en/alberta", "https://www.virustotal.com/gui/collection/22cbfd4f1a868301f4f66c5914ab66d63695118f829e90ede0c8450876d4dd13", "https://www.hybrid-analysis.com/sample/32fee8f77b43f62e89c2156fd15a6fa350beff81429a6bc7984c0e54fe608f2a/67e0baae85aff10b880edd20", "https://www.hybrid-analysis.com/sample/32fee8f77b43f62e89c2156fd15a6fa350beff81429a6bc7984c0e54fe608f2a" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "", "Government", "Telecommunications", "Education", "Technology", "Healthcare" ], "TLP": "white", "cloned_from": null, "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 4, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 764, "FileHash-SHA1": 760, "FileHash-SHA256": 4062, "domain": 378, "hostname": 1808, "URL": 886, "SSLCertFingerprint": 18, "email": 10, "CVE": 1 }, "indicator_count": 8687, "is_author": false, "is_subscribing": null, "subscriber_count": 135, "modified_text": "105 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "680896aa900ac914a8897345", "name": "hxxps://crimestoppers[.]ab[.]ca -12.03.25", "description": "Analysis of hxxps://crimestoppers[.]ab[.]ca -Updated", "modified": "2026-01-02T10:03:02.125000", "created": "2025-04-23T07:28:42.097000", "tags": [ "entity", "please", "javascript", "sandbox", "malware", "analysis", "online", "submit", "vxstream", "sample", "download", "trojan", "apt", "hybrid analysis", "api key", "vetting process", "please note", "virus", "ransomware", "static", "indicator of compromise", "ioc", "extraction", "emulation", "platform", "prefetch8 ansi", "show process", "ansi", "hash seen", "pcap processing", "pcap", "date", "ck id", "command decode", "threat level", "win64", "suspicious", "hybrid", "comspec", "close", "click", "hosts", "general", "path", "model", "encrypt", "mozi", "strings", "contact", "Crimestoppers", "Alberta" ], "references": [ "https://www.virustotal.com/graph/embed/g9668c50e2de9469883f69177b8280205c5494e1dae4548ea954447efa9601d63?theme=dark", "https://www.virustotal.com/gui/collection/539def30dd6cf1765c95f042e1b5c91fdab6f3210a78bf7ec42a5369afc87b63/iocs", "https://www.virustotal.com/gui/collection/539def30dd6cf1765c95f042e1b5c91fdab6f3210a78bf7ec42a5369afc87b63/summary", "https://www.hybrid-analysis.com/sample/1a5188c269891d3e27426787b243b056586c6536570a7112af4533bc63b764ca", "https://www.filescan.io/uploads/680891efe9c1e25797a05346/reports/f954a2d9-7437-4734-b64e-e6a2f07e6ccf/overview", "https://www.hybrid-analysis.com/sample/1a5188c269891d3e27426787b243b056586c6536570a7112af4533bc63b764ca/67e0bb7c22b1b76d6209c910", "https://www.filescan.io/uploads/69300efc8e26c121ec957ab6/reports/5ec46a13-5686-4def-bd1e-705effebb749/overview" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada" ], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [ "Government", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 25, "FileHash-SHA1": 24, "FileHash-SHA256": 683, "URL": 439, "domain": 204, "hostname": 103, "SSLCertFingerprint": 6, "email": 3 }, "indicator_count": 1487, "is_author": false, "is_subscribing": null, "subscriber_count": 128, "modified_text": "108 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68e02ab7156e79ecd34a4929", "name": "Samples of OTX 2096 Libraries - up to 10.03.25", "description": "An attempt to skim over a little bit of everything in OTX 2096 for another project in the works\n\nUAlberta sighhh", "modified": "2025-11-02T19:00:47.473000", "created": "2025-10-03T19:57:43.609000", "tags": [ "sandbox", "malware", "analysis", "online", "submit", "vxstream", "sample", "download", "trojan", "apt", "white", "modified", "runtime data", "ansi", "public", "months ago", "filehashsha256", "hostname", "domain", "path", "green", "copy", "powershell", "general", "malicious", "pixel", "suspicious", "meta", "covenant", "virustotal", "click", "open", "cobalt strike", "probe", "first", "installer", "template", "crypto", "cobalt", "mozilla", "mirai", "false", "date", "title", "roboto", "arch", "android", "april", "drovorub", "squad", "baby", "geek", "tofsee", "redline stealer", "twitter", "service", "team", "killswitch", "mini", "cobaltstrike", "enterprise", "simda", "suppobox", "ransomware", "maldoc", "computrace", "february", "tetris", "hybrid", "body", "iframe", "qakbot", "double", "proton", "mark", "jakarta", "win32", "explorer", "union", "redirector", "xrat", "model", "rogue", "done", "python", "police", "thor", "xploit", "impact", "retro", "jeff", "oilrig", "sliver", "bypass", "info", "school", "miner", "phishing", "riots", "comment", "gafgyt", "bashlite", "calgary", "tech", "bitcoin", "test", "survey", "ukraine", "gamarue", "swisyn", "krucky", "systembc", "june", "dridex", "agent", "close", "format", "autodetect", "strings", "contact", "switch", "community", "limits", "inquest labs", "resources api", "cve list", "notes blog", "drop your", "file", "kaspersky threat intelligence portal", "online virus scan file", "online file scanner", "kaspersky online scanner", "online file virus scan", "scan file online", "scan file for virus", "file scanner", "online file virus scanner", "check link for virus", "kaspersky online scan", "check file for virus", "false alarm", "false detection", "false positive", "online virus", "scanner", "hybrid analysis", "api key", "vetting process", "please note", "please", "ualberta", "ualberta http", "xormozilla", "disableduck", "virus", "static", "indicator of compromise", "ioc", "extraction", "emulation", "platform", "triage", "report", "reported", "analyze", "filesize", "set value", "iocs", "process", "process key", "monitor", "resource", "config", "target", "generic", "javascript", "static analyzer", "analyzer", "Microsoft", "YEG", "UAlberta", "Google", "AHS", "Covenant Health" ], "references": [ "https://hybrid-analysis.com/sample/5e066617cc959dbab123f23d5d36a4dc4d813358e43eddbd1a6e7c87827c301d/68e01fdde76500b3c20326c4", "https://metadefender.com/results/file/bzI1MTAwMzhvTXdHbkVaZGItcW0tbnU2Nmkx_mdaas", "https://opentip.kaspersky.com/5E066617CC959DBAB123F23D5D36A4DC4D813358E43EDDBD1A6E7C87827C301D/?tab=upload", "https://hybrid-analysis.com/sample/5e066617cc959dbab123f23d5d36a4dc4d813358e43eddbd1a6e7c87827c301d", "https://www.filescan.io/uploads/68e01279f377ab2310519c81/reports/02a0a465-8936-4b6d-99a2-6950b71ab1c5/ioc", "https://tria.ge/251003-x8c56azky6/behavioral2", "https://www.virustotal.com/gui/file/5e066617cc959dbab123f23d5d36a4dc4d813358e43eddbd1a6e7c87827c301d?nocache=1", "https://app.threat.zone/submission/db9c1a4a-a706-4ed9-9229-4190f02151bc/overview" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada", "United States of America", "Netherlands" ], "malware_families": [], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1135", "name": "Network Share Discovery", "display_name": "T1135 - Network Share Discovery" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1489", "name": "Service Stop", "display_name": "T1489 - Service Stop" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" } ], "industries": [ "Education", "Government", "Healthcare" ], "TLP": "white", "cloned_from": null, "export_count": 26, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4203, "CIDR": 8, "CVE": 13, "FileHash-MD5": 31, "FileHash-SHA1": 25, "FileHash-SHA256": 74, "domain": 115, "email": 14, "hostname": 76 }, "indicator_count": 4559, "is_author": false, "is_subscribing": null, "subscriber_count": 131, "modified_text": "169 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "684a93360163e8802e213158", "name": "ELF:Mirai AMAZON-02 - Autonomous System 65.0.0.0/14", "description": "ELF:Mirai-BHZ\\ [Trj]\t\n65.0.0.0/14\nAutonomous System Number\n16509\nAutonomous System Label\nAMAZON-02\nRelated to \u2022 103.252.236.26 | \n\u2022 sr2.reliedhosting.com | \n.\u2022 http://planitair.com/ |\n\u2022 bgptools-wildcard-confirmed.acemalibu.com | \n\u2022 https://www.anyxxxtube.net/search-porn/tsara-brashears/ | \t\t\t\n\u2022 static.ads-twitter.com\t\n\u2022 https://twitter.com/PORNO_SEXYBABES\t\n\u2022 analytics.twitter.com\n\u2022 appleupdate.org\n\u2022 apps.apple.com\n\u2022 pin.it |\n\u2022 https://pin.it/ |\n\u2022 https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian Critical issue. Cyber weaponry [Unclear] Stealth contractual US cyber defense entity, endless DGA\u2019s. India IP block.\nAdversary named by bupyeongop:\n\ubd80\ud3c9\uc624\ud53c \ucd9c\uc7a5\ub9c8\uc0ac\uc9c0\uc548\ub0b4.COM \ubd80\ud3c9OP (massage service?)\n*DoS with many OTX features", "modified": "2025-07-12T07:04:05.635000", "created": "2025-06-12T08:43:34.719000", "tags": [ "thumbprint", "apnic", "apnic whois", "database", "please", "arin whois", "north america", "caribbean", "africa", "internet", "iana", "address range", "cidr", "network name", "allocation type", "whois server", "algorithm", "v3 serial", "number", "cbe oglobalsign", "r6 alphassl", "validity", "subject public", "key info", "key algorithm", "key identifier", "link", "search", "united", "a domains", "ip address", "creation date", "record value", "date", "showing", "india unknown", "status", "passive dns", "ipv4 add", "pulse submit", "url analysis", "urls", "files", "location india", "india asn", "as133296 web", "dns resolutions" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "APNIC", "display_name": "APNIC", "target": null } ], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 28, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 27, "domain": 2499, "hostname": 2651, "URL": 10986, "CIDR": 2, "FileHash-SHA256": 3596, "email": 1, "FileHash-MD5": 23, "CVE": 7 }, "indicator_count": 19792, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "282 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68451577ada8bb0aa0834edb", "name": "X - Business Social Media Account used to attack victim", "description": "Victims business social media accounts deleted. Used to commit malicious activity against businesses, espionage , financial abuse.", "modified": "2025-07-08T04:03:04.386000", "created": "2025-06-08T04:45:43.423000", "tags": [ "trojan", "ids detections", "yara detections", "alerts", "analysis date", "file score", "upxoepplace", "pulses none", "related tags", "none file", "markus", "april", "win32", "copy", "usvwu", "usvw", "high", "medium", "show", "uss c", "binary file", "yara", "write", "delphi", "enigma", "present mar", "aaaa", "united", "passive dns", "date", "present nov", "moved", "urls", "creation date", "entries", "body", "trojandropper", "susp", "msr jul", "next associated", "pulse pulses", "mtb jun", "backdoor", "content length", "html document", "ascii text", "search", "internalname", "entries pe", "showing", "filehash", "md5 add", "av detections", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "mitre att", "ck techniques", "copy md5", "copy sha1", "copy sha256", "sha1", "sha256", "pattern match", "size", "encrypt", "june", "hybrid", "local", "path", "click", "twitter", "strings", "url https", "url http", "report spam", "created", "hours ago", "bad actor", "ck ids", "t1057", "discovery", "t1071", "amer", "ipv4", "indicator role", "title added", "active related", "pulses", "china", "hong kong", "russia", "type indicator", "role title", "added active", "related pulses", "pulses url", "filehashsha256", "url add", "http", "ip address", "related nids", "files location", "flag united", "domain", "hostname", "next", "filehashmd5", "protocol", "t1105", "tool transfer", "t1480" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 637, "FileHash-SHA1": 639, "FileHash-SHA256": 5380, "domain": 676, "hostname": 1120, "URL": 1031, "SSLCertFingerprint": 4 }, "indicator_count": 9487, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "286 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6843fe89793d0ef8e2afc34d", "name": "Deleted SocialMedia", "description": "Bad Actor Deleted SocialMedia account found in breach forum.", "modified": "2025-07-07T08:03:42.325000", "created": "2025-06-07T08:55:37.612000", "tags": [ "body", "secure", "self", "path", "date sat", "gmt contenttype", "connection", "accept", "gmt pragma", "deny", "maxage34214400", "learn", "spawns", "command", "ck id", "name tactics", "suspicious", "informative", "adversaries", "ssl certificate", "found", "copy sha256", "copy md5", "copy sha1", "sha1", "sha256", "size", "type data", "ascii text", "pattern match", "mitre att", "show technique", "ck matrix", "file", "indicator", "show process", "encrypt", "june", "hybrid", "local" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1628, "domain": 58, "URL": 390, "hostname": 204, "FileHash-MD5": 84, "FileHash-SHA1": 88, "SSLCertFingerprint": 4 }, "indicator_count": 2456, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "287 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68406290e07ea54c2a9b7e4a", "name": "Win.Trojan.Uniblue-9873211-0 (?) -formerly \u2019Cycbot\u2019 active in Law Firm", "description": "Win.Trojan.Uniblue-9873211-0 -formerly \u2019Cycbot\u2019 active in regional injury Law Firm. Suspicious and inconsistent behavior of phone staff prompts search due to several complaints. Reputable Law firm unwilling to take actual cases with severe evidence based injuries, back peddling, information gathering, potentially tampered with data due to missing reports exchanged via email, etc. Denies hearing from clients, potential clients in months to years though much contact has been made and information medical, PHI, PII, and other information shared. In a recent situation firm declined case previously accepted but did want to review a piece of information they had not received from denied potential client.\n\nThe client will contact legitimate, reputable firms referred to and is redirected to botnets. Affected individuals have been denied the right to pursue justice on multiple occasions due to \u201cwho knows\u201d.\nHad individuals been accused of crimes they would even be able obtain free representation when necessary.", "modified": "2025-07-04T14:02:16.965000", "created": "2025-06-04T15:13:20.758000", "tags": [ "type indicator", "role title", "added active", "related pulses", "filehashmd5", "showing", "entries", "ipv4", "url https", "indicator role", "title added", "active related", "pulses url", "ip address", "location united", "asn as209242", "whois registrar", "next associated", "urls show", "date checked", "url hostname", "server response", "google safe", "results may", "present may", "present nov", "united", "unknown cname", "filehashsha256", "filehashsha1", "icator role", "regsetvalueexa", "win32", "search", "regdword", "process32nextw", "show", "read c", "port", "ms windows", "copy", "write", "malware", "format", "activity", "sid name", "malware cve", "forbidden", "http request", "post", "delete", "url host", "port method" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 46, "FileHash-SHA1": 39, "FileHash-SHA256": 37, "URL": 15, "domain": 4, "hostname": 14 }, "indicator_count": 155, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "290 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6836497513b6637e7e6f39d2", "name": "Exploited Host", "description": "", "modified": "2025-06-26T22:03:25.914000", "created": "2025-05-27T23:23:33.814000", "tags": [ "cname", "aaaa", "record type", "ttl value", "ascii text", "sha1", "copy md5", "copy sha1", "copy sha256", "size", "sha256", "united", "pattern match", "mitre att", "date", "path", "encrypt", "starfield", "hybrid", "general", "local", "click", "strings", "4624", "records", "amazon02", "us ie", "dns ns", "dns a", "dns mx", "command decode", "ck id", "show technique", "ck matrix", "filehashsha1", "filehashsha256", "filehashmd5", "search", "type indicator", "role title", "added active", "related pulses", "showing", "entries", "pulses", "url https", "ipv4", "ccus asnas33070", "role", "value a", "sec ch", "ch ua", "ua full", "ua platform", "ua bitness", "ua arch", "version sec", "mobile sec", "model sec", "version list" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 70, "FileHash-MD5": 225, "FileHash-SHA1": 232, "FileHash-SHA256": 1004, "domain": 138, "hostname": 74, "SSLCertFingerprint": 19, "email": 1 }, "indicator_count": 1763, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "298 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "683614d951f4e789950071b3", "name": "Malicious blockade", "description": "Malicious blockade, redirecting, bot activity affecting client-firm/entity interactions (outreach organizations, legal, possibly educational\u2018 doubtful ) Botnet & monitoring\u2026my OTX profile is not working to it\u2019s full capacity. I am unable to do anything except upload and post in description.\nIPv4\n141.193.213.10\ncommand_and_control || IPv4\n142.250.150.26\nexploit_source || IPv4\n142.251.16.26\nexploit_source || IPv4\n142.251.163.26\nexploit_source ||\nhttps://crimestoppers.ab.ca\nphishing\t|| IPv4\n142.250.27.27 || Alerts - injection_inter_process\ncreates_largekey\nnetwork_bind\npersistence_autorun\npersistence_autorun_tasks\ncape_detected_threat\ninjection_process_hollowing\nantivm_generic_services\ndeletes_executed_files\ndeletes_self\ninjection_runpe\nIndirect_Command_Execution_Via_ConsoleWindowHost\npersistence_ads\nrecon_fingerprint\nsuspicious_command ||", "modified": "2025-06-26T19:05:21.983000", "created": "2025-05-27T19:39:05.470000", "tags": [ "backdoor", "hstr", "checkin", "entries", "urls", "files", "location united", "america flag", "united", "america asn", "trojandropper", "ransom", "trojan", "cycbot", "hash avast", "avg clamav", "msdefender jan", "virtool", "cves all", "time", "alfper", "less see", "all av" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Cycbot", "display_name": "Cycbot", "target": null } ], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 24, "FileHash-MD5": 159, "FileHash-SHA1": 159, "FileHash-SHA256": 1440, "domain": 128, "hostname": 236, "email": 1 }, "indicator_count": 2147, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "298 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68361628539ed40883b8ee66", "name": "Cycbot | Prevents affected individuals from contacting intended entities ", "description": "", "modified": "2025-06-26T19:05:21.983000", "created": "2025-05-27T19:44:40.311000", "tags": [ "backdoor", "hstr", "checkin", "entries", "urls", "files", "location united", "america flag", "united", "america asn", "trojandropper", "ransom", "trojan", "cycbot", "hash avast", "avg clamav", "msdefender jan", "virtool", "cves all", "time", "alfper", "less see", "all av" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Cycbot", "display_name": "Cycbot", "target": null } ], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "683614d951f4e789950071b3", "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 24, "FileHash-MD5": 159, "FileHash-SHA1": 159, "FileHash-SHA256": 1440, "domain": 128, "hostname": 236, "email": 1 }, "indicator_count": 2147, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "298 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "", "https://www.virustotal.com/gui/collection/539def30dd6cf1765c95f042e1b5c91fdab6f3210a78bf7ec42a5369afc87b63/summary", "https://hybrid-analysis.com/sample/5e066617cc959dbab123f23d5d36a4dc4d813358e43eddbd1a6e7c87827c301d/68e01fdde76500b3c20326c4", "https://www.hybrid-analysis.com/sample/32fee8f77b43f62e89c2156fd15a6fa350beff81429a6bc7984c0e54fe608f2a/67e0baae85aff10b880edd20", "https://www.hybrid-analysis.com/sample/1a5188c269891d3e27426787b243b056586c6536570a7112af4533bc63b764ca", "https://www.filescan.io/uploads/6775f8d1108e6fdea94ba637/reports/ba88f2c2-96e9-4106-9b93-4f7fa7f1519a/overview", "https://www.virustotal.com/gui/collection/malpedia_win_tofsee/summary", "https://app.threat.zone/submission/db9c1a4a-a706-4ed9-9229-4190f02151bc/overview", "https://www.virustotal.com/gui/collection/539def30dd6cf1765c95f042e1b5c91fdab6f3210a78bf7ec42a5369afc87b63/iocs", "https://www.virustotal.com/gui/collection/22cbfd4f1a868301f4f66c5914ab66d63695118f829e90ede0c8450876d4dd13", "https://www.virustotal.com/gui/collection/22cbfd4f1a868301f4f66c5914ab66d63695118f829e90ede0c8450876d4dd13/iocs", "https://viz.greynoise.io/analysis/ade7d4f8-0bf7-4582-9a91-f7b26c0bb9f7", "https://opentip.kaspersky.com/5E066617CC959DBAB123F23D5D36A4DC4D813358E43EDDBD1A6E7C87827C301D/?tab=upload", "https://www.hybrid-analysis.com/sample/32fee8f77b43f62e89c2156fd15a6fa350beff81429a6bc7984c0e54fe608f2a", "https://www.virustotal.com/graph/embed/g69422d071856425cb7ef01a90232cae9aef9af2362ad45db8fc83caabe618606?theme=dark", "https://www.hybrid-analysis.com/sample/1a5188c269891d3e27426787b243b056586c6536570a7112af4533bc63b764ca/67e0bb7c22b1b76d6209c910", "https://tria.ge/251003-x8c56azky6/behavioral2", "https://www.filescan.io/uploads/680891efe9c1e25797a05346/reports/f954a2d9-7437-4734-b64e-e6a2f07e6ccf/overview", "https://urlquery.net/report/54993e5a-9b3f-4eef-a219-6ed529b4ea66", "https://www.filescan.io/uploads/69300efc8e26c121ec957ab6/reports/5ec46a13-5686-4def-bd1e-705effebb749/overview", "https://www.filescan.io/uploads/68e01279f377ab2310519c81/reports/02a0a465-8936-4b6d-99a2-6950b71ab1c5/ioc", "https://metadefender.com/results/file/bzI1MTAwMzhvTXdHbkVaZGItcW0tbnU2Nmkx_mdaas", "https://hybrid-analysis.com/sample/5e066617cc959dbab123f23d5d36a4dc4d813358e43eddbd1a6e7c87827c301d", "https://malpedia.caad.fkie.fraunhofer.de/details/win.tofsee", "https://www.virustotal.com/graph/embed/g9668c50e2de9469883f69177b8280205c5494e1dae4548ea954447efa9601d63?theme=dark", "https://www.virustotal.com/gui/file/5e066617cc959dbab123f23d5d36a4dc4d813358e43eddbd1a6e7c87827c301d?nocache=1", "https://rcmp[.]ca/en/alberta" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Apnic", "Cycbot" ], "industries": [ "", "Healthcare", "Education", "Government", "Technology", "Telecommunications" ], "unique_indicators": 43090 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/crimestoppers.ab.ca", "whois": "http://whois.domaintools.com/crimestoppers.ab.ca", "domain": "crimestoppers.ab.ca", "hostname": "Unavailable" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 11, "pulses": [ { "id": "69b10d1ce4563d38fbbc72d6", "name": "disable_duck clone Alberta", "description": "", "modified": "2026-03-11T07:40:56.177000", "created": "2026-03-11T06:35:08.464000", "tags": [ "sandbox", "malware", "analysis", "online", "submit", "vxstream", "sample", "download", "trojan", "apt", "white", "modified", "runtime data", "ansi", "public", "months ago", "filehashsha256", "hostname", "domain", "path", "green", "copy", "powershell", "general", "malicious", "pixel", "suspicious", "meta", "covenant", "virustotal", "click", "open", "cobalt strike", "probe", "first", "installer", "template", "crypto", "cobalt", "mozilla", "mirai", "false", "date", "title", "roboto", "arch", "android", "april", "drovorub", "squad", "baby", "geek", "tofsee", "redline stealer", "twitter", "service", "team", "killswitch", "mini", "cobaltstrike", "enterprise", "simda", "suppobox", "ransomware", "maldoc", "computrace", "february", "tetris", "hybrid", "body", "iframe", "qakbot", "double", "proton", "mark", "jakarta", "win32", "explorer", "union", "redirector", "xrat", "model", "rogue", "done", "python", "police", "thor", "xploit", "impact", "retro", "jeff", "oilrig", "sliver", "bypass", "info", "school", "miner", "phishing", "riots", "comment", "gafgyt", "bashlite", "calgary", "tech", "bitcoin", "test", "survey", "ukraine", "gamarue", "swisyn", "krucky", "systembc", "june", "dridex", "agent", "close", "format", "autodetect", "strings", "contact", "switch", "community", "limits", "inquest labs", "resources api", "cve list", "notes blog", "drop your", "file", "kaspersky threat intelligence portal", "online virus scan file", "online file scanner", "kaspersky online scanner", "online file virus scan", "scan file online", "scan file for virus", "file scanner", "online file virus scanner", "check link for virus", "kaspersky online scan", "check file for virus", "false alarm", "false detection", "false positive", "online virus", "scanner", "hybrid analysis", "api key", "vetting process", "please note", "please", "ualberta", "ualberta http", "xormozilla", "disableduck", "virus", "static", "indicator of compromise", "ioc", "extraction", "emulation", "platform", "triage", "report", "reported", "analyze", "filesize", "set value", "iocs", "process", "process key", "monitor", "resource", "config", "target", "generic", "javascript", "static analyzer", "analyzer", "Microsoft", "YEG", "UAlberta", "Google", "AHS", "Covenant Health" ], "references": [ "https://hybrid-analysis.com/sample/5e066617cc959dbab123f23d5d36a4dc4d813358e43eddbd1a6e7c87827c301d/68e01fdde76500b3c20326c4", "https://metadefender.com/results/file/bzI1MTAwMzhvTXdHbkVaZGItcW0tbnU2Nmkx_mdaas", "https://opentip.kaspersky.com/5E066617CC959DBAB123F23D5D36A4DC4D813358E43EDDBD1A6E7C87827C301D/?tab=upload", "https://hybrid-analysis.com/sample/5e066617cc959dbab123f23d5d36a4dc4d813358e43eddbd1a6e7c87827c301d", "https://www.filescan.io/uploads/68e01279f377ab2310519c81/reports/02a0a465-8936-4b6d-99a2-6950b71ab1c5/ioc", "https://tria.ge/251003-x8c56azky6/behavioral2", "https://www.virustotal.com/gui/file/5e066617cc959dbab123f23d5d36a4dc4d813358e43eddbd1a6e7c87827c301d?nocache=1", "https://app.threat.zone/submission/db9c1a4a-a706-4ed9-9229-4190f02151bc/overview" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada", "United States of America", "Netherlands" ], "malware_families": [], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1135", "name": "Network Share Discovery", "display_name": "T1135 - Network Share Discovery" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1489", "name": "Service Stop", "display_name": "T1489 - Service Stop" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" } ], "industries": [ "Education", "Government", "Healthcare" ], "TLP": "white", "cloned_from": "68e02ab7156e79ecd34a4929", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4203, "CIDR": 8, "CVE": 13, "FileHash-MD5": 31, "FileHash-SHA1": 25, "FileHash-SHA256": 74, "domain": 117, "email": 14, "hostname": 76 }, "indicator_count": 4561, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "40 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6709ad372568d7810af2e480", "name": "https://rcmp[.]ca/en/alberta // rcmp[.]ca // rcmp-grc[.]gc[.]ca - 12.06.25", "description": "Alberta RCMP\nhttps://rcmp[.]ca/en/alberta // rcmp[.]ca // rcmp-grc[.]gc[.]ca", "modified": "2026-01-05T22:04:46.025000", "created": "2024-10-11T22:56:55.968000", "tags": [ "entity", "RCMP", "Alberta", "EPS", "Edmonton Police Services", "RCMP AB", "CrimeStoppers AB" ], "references": [ "https://www.virustotal.com/graph/embed/g69422d071856425cb7ef01a90232cae9aef9af2362ad45db8fc83caabe618606?theme=dark", "https://www.virustotal.com/gui/collection/22cbfd4f1a868301f4f66c5914ab66d63695118f829e90ede0c8450876d4dd13/iocs", "https://urlquery.net/report/54993e5a-9b3f-4eef-a219-6ed529b4ea66", "https://www.filescan.io/uploads/6775f8d1108e6fdea94ba637/reports/ba88f2c2-96e9-4106-9b93-4f7fa7f1519a/overview", "https://malpedia.caad.fkie.fraunhofer.de/details/win.tofsee", "https://www.virustotal.com/gui/collection/malpedia_win_tofsee/summary", "https://viz.greynoise.io/analysis/ade7d4f8-0bf7-4582-9a91-f7b26c0bb9f7", "", "https://rcmp[.]ca/en/alberta", "https://www.virustotal.com/gui/collection/22cbfd4f1a868301f4f66c5914ab66d63695118f829e90ede0c8450876d4dd13", "https://www.hybrid-analysis.com/sample/32fee8f77b43f62e89c2156fd15a6fa350beff81429a6bc7984c0e54fe608f2a/67e0baae85aff10b880edd20", "https://www.hybrid-analysis.com/sample/32fee8f77b43f62e89c2156fd15a6fa350beff81429a6bc7984c0e54fe608f2a" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "", "Government", "Telecommunications", "Education", "Technology", "Healthcare" ], "TLP": "white", "cloned_from": null, "export_count": 21, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 4, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 764, "FileHash-SHA1": 760, "FileHash-SHA256": 4062, "domain": 378, "hostname": 1808, "URL": 886, "SSLCertFingerprint": 18, "email": 10, "CVE": 1 }, "indicator_count": 8687, "is_author": false, "is_subscribing": null, "subscriber_count": 135, "modified_text": "105 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "680896aa900ac914a8897345", "name": "hxxps://crimestoppers[.]ab[.]ca -12.03.25", "description": "Analysis of hxxps://crimestoppers[.]ab[.]ca -Updated", "modified": "2026-01-02T10:03:02.125000", "created": "2025-04-23T07:28:42.097000", "tags": [ "entity", "please", "javascript", "sandbox", "malware", "analysis", "online", "submit", "vxstream", "sample", "download", "trojan", "apt", "hybrid analysis", "api key", "vetting process", "please note", "virus", "ransomware", "static", "indicator of compromise", "ioc", "extraction", "emulation", "platform", "prefetch8 ansi", "show process", "ansi", "hash seen", "pcap processing", "pcap", "date", "ck id", "command decode", "threat level", "win64", "suspicious", "hybrid", "comspec", "close", "click", "hosts", "general", "path", "model", "encrypt", "mozi", "strings", "contact", "Crimestoppers", "Alberta" ], "references": [ "https://www.virustotal.com/graph/embed/g9668c50e2de9469883f69177b8280205c5494e1dae4548ea954447efa9601d63?theme=dark", "https://www.virustotal.com/gui/collection/539def30dd6cf1765c95f042e1b5c91fdab6f3210a78bf7ec42a5369afc87b63/iocs", "https://www.virustotal.com/gui/collection/539def30dd6cf1765c95f042e1b5c91fdab6f3210a78bf7ec42a5369afc87b63/summary", "https://www.hybrid-analysis.com/sample/1a5188c269891d3e27426787b243b056586c6536570a7112af4533bc63b764ca", "https://www.filescan.io/uploads/680891efe9c1e25797a05346/reports/f954a2d9-7437-4734-b64e-e6a2f07e6ccf/overview", "https://www.hybrid-analysis.com/sample/1a5188c269891d3e27426787b243b056586c6536570a7112af4533bc63b764ca/67e0bb7c22b1b76d6209c910", "https://www.filescan.io/uploads/69300efc8e26c121ec957ab6/reports/5ec46a13-5686-4def-bd1e-705effebb749/overview" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada" ], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [ "Government", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 25, "FileHash-SHA1": 24, "FileHash-SHA256": 683, "URL": 439, "domain": 204, "hostname": 103, "SSLCertFingerprint": 6, "email": 3 }, "indicator_count": 1487, "is_author": false, "is_subscribing": null, "subscriber_count": 128, "modified_text": "108 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68e02ab7156e79ecd34a4929", "name": "Samples of OTX 2096 Libraries - up to 10.03.25", "description": "An attempt to skim over a little bit of everything in OTX 2096 for another project in the works\n\nUAlberta sighhh", "modified": "2025-11-02T19:00:47.473000", "created": "2025-10-03T19:57:43.609000", "tags": [ "sandbox", "malware", "analysis", "online", "submit", "vxstream", "sample", "download", "trojan", "apt", "white", "modified", "runtime data", "ansi", "public", "months ago", "filehashsha256", "hostname", "domain", "path", "green", "copy", "powershell", "general", "malicious", "pixel", "suspicious", "meta", "covenant", "virustotal", "click", "open", "cobalt strike", "probe", "first", "installer", "template", "crypto", "cobalt", "mozilla", "mirai", "false", "date", "title", "roboto", "arch", "android", "april", "drovorub", "squad", "baby", "geek", "tofsee", "redline stealer", "twitter", "service", "team", "killswitch", "mini", "cobaltstrike", "enterprise", "simda", "suppobox", "ransomware", "maldoc", "computrace", "february", "tetris", "hybrid", "body", "iframe", "qakbot", "double", "proton", "mark", "jakarta", "win32", "explorer", "union", "redirector", "xrat", "model", "rogue", "done", "python", "police", "thor", "xploit", "impact", "retro", "jeff", "oilrig", "sliver", "bypass", "info", "school", "miner", "phishing", "riots", "comment", "gafgyt", "bashlite", "calgary", "tech", "bitcoin", "test", "survey", "ukraine", "gamarue", "swisyn", "krucky", "systembc", "june", "dridex", "agent", "close", "format", "autodetect", "strings", "contact", "switch", "community", "limits", "inquest labs", "resources api", "cve list", "notes blog", "drop your", "file", "kaspersky threat intelligence portal", "online virus scan file", "online file scanner", "kaspersky online scanner", "online file virus scan", "scan file online", "scan file for virus", "file scanner", "online file virus scanner", "check link for virus", "kaspersky online scan", "check file for virus", "false alarm", "false detection", "false positive", "online virus", "scanner", "hybrid analysis", "api key", "vetting process", "please note", "please", "ualberta", "ualberta http", "xormozilla", "disableduck", "virus", "static", "indicator of compromise", "ioc", "extraction", "emulation", "platform", "triage", "report", "reported", "analyze", "filesize", "set value", "iocs", "process", "process key", "monitor", "resource", "config", "target", "generic", "javascript", "static analyzer", "analyzer", "Microsoft", "YEG", "UAlberta", "Google", "AHS", "Covenant Health" ], "references": [ "https://hybrid-analysis.com/sample/5e066617cc959dbab123f23d5d36a4dc4d813358e43eddbd1a6e7c87827c301d/68e01fdde76500b3c20326c4", "https://metadefender.com/results/file/bzI1MTAwMzhvTXdHbkVaZGItcW0tbnU2Nmkx_mdaas", "https://opentip.kaspersky.com/5E066617CC959DBAB123F23D5D36A4DC4D813358E43EDDBD1A6E7C87827C301D/?tab=upload", "https://hybrid-analysis.com/sample/5e066617cc959dbab123f23d5d36a4dc4d813358e43eddbd1a6e7c87827c301d", "https://www.filescan.io/uploads/68e01279f377ab2310519c81/reports/02a0a465-8936-4b6d-99a2-6950b71ab1c5/ioc", "https://tria.ge/251003-x8c56azky6/behavioral2", "https://www.virustotal.com/gui/file/5e066617cc959dbab123f23d5d36a4dc4d813358e43eddbd1a6e7c87827c301d?nocache=1", "https://app.threat.zone/submission/db9c1a4a-a706-4ed9-9229-4190f02151bc/overview" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada", "United States of America", "Netherlands" ], "malware_families": [], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1135", "name": "Network Share Discovery", "display_name": "T1135 - Network Share Discovery" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1489", "name": "Service Stop", "display_name": "T1489 - Service Stop" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" } ], "industries": [ "Education", "Government", "Healthcare" ], "TLP": "white", "cloned_from": null, "export_count": 26, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4203, "CIDR": 8, "CVE": 13, "FileHash-MD5": 31, "FileHash-SHA1": 25, "FileHash-SHA256": 74, "domain": 115, "email": 14, "hostname": 76 }, "indicator_count": 4559, "is_author": false, "is_subscribing": null, "subscriber_count": 131, "modified_text": "169 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "684a93360163e8802e213158", "name": "ELF:Mirai AMAZON-02 - Autonomous System 65.0.0.0/14", "description": "ELF:Mirai-BHZ\\ [Trj]\t\n65.0.0.0/14\nAutonomous System Number\n16509\nAutonomous System Label\nAMAZON-02\nRelated to \u2022 103.252.236.26 | \n\u2022 sr2.reliedhosting.com | \n.\u2022 http://planitair.com/ |\n\u2022 bgptools-wildcard-confirmed.acemalibu.com | \n\u2022 https://www.anyxxxtube.net/search-porn/tsara-brashears/ | \t\t\t\n\u2022 static.ads-twitter.com\t\n\u2022 https://twitter.com/PORNO_SEXYBABES\t\n\u2022 analytics.twitter.com\n\u2022 appleupdate.org\n\u2022 apps.apple.com\n\u2022 pin.it |\n\u2022 https://pin.it/ |\n\u2022 https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian Critical issue. Cyber weaponry [Unclear] Stealth contractual US cyber defense entity, endless DGA\u2019s. India IP block.\nAdversary named by bupyeongop:\n\ubd80\ud3c9\uc624\ud53c \ucd9c\uc7a5\ub9c8\uc0ac\uc9c0\uc548\ub0b4.COM \ubd80\ud3c9OP (massage service?)\n*DoS with many OTX features", "modified": "2025-07-12T07:04:05.635000", "created": "2025-06-12T08:43:34.719000", "tags": [ "thumbprint", "apnic", "apnic whois", "database", "please", "arin whois", "north america", "caribbean", "africa", "internet", "iana", "address range", "cidr", "network name", "allocation type", "whois server", "algorithm", "v3 serial", "number", "cbe oglobalsign", "r6 alphassl", "validity", "subject public", "key info", "key algorithm", "key identifier", "link", "search", "united", "a domains", "ip address", "creation date", "record value", "date", "showing", "india unknown", "status", "passive dns", "ipv4 add", "pulse submit", "url analysis", "urls", "files", "location india", "india asn", "as133296 web", "dns resolutions" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "APNIC", "display_name": "APNIC", "target": null } ], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 28, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 27, "domain": 2499, "hostname": 2651, "URL": 10986, "CIDR": 2, "FileHash-SHA256": 3596, "email": 1, "FileHash-MD5": 23, "CVE": 7 }, "indicator_count": 19792, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "282 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68451577ada8bb0aa0834edb", "name": "X - Business Social Media Account used to attack victim", "description": "Victims business social media accounts deleted. Used to commit malicious activity against businesses, espionage , financial abuse.", "modified": "2025-07-08T04:03:04.386000", "created": "2025-06-08T04:45:43.423000", "tags": [ "trojan", "ids detections", "yara detections", "alerts", "analysis date", "file score", "upxoepplace", "pulses none", "related tags", "none file", "markus", "april", "win32", "copy", "usvwu", "usvw", "high", "medium", "show", "uss c", "binary file", "yara", "write", "delphi", "enigma", "present mar", "aaaa", "united", "passive dns", "date", "present nov", "moved", "urls", "creation date", "entries", "body", "trojandropper", "susp", "msr jul", "next associated", "pulse pulses", "mtb jun", "backdoor", "content length", "html document", "ascii text", "search", "internalname", "entries pe", "showing", "filehash", "md5 add", "av detections", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "mitre att", "ck techniques", "copy md5", "copy sha1", "copy sha256", "sha1", "sha256", "pattern match", "size", "encrypt", "june", "hybrid", "local", "path", "click", "twitter", "strings", "url https", "url http", "report spam", "created", "hours ago", "bad actor", "ck ids", "t1057", "discovery", "t1071", "amer", "ipv4", "indicator role", "title added", "active related", "pulses", "china", "hong kong", "russia", "type indicator", "role title", "added active", "related pulses", "pulses url", "filehashsha256", "url add", "http", "ip address", "related nids", "files location", "flag united", "domain", "hostname", "next", "filehashmd5", "protocol", "t1105", "tool transfer", "t1480" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 637, "FileHash-SHA1": 639, "FileHash-SHA256": 5380, "domain": 676, "hostname": 1120, "URL": 1031, "SSLCertFingerprint": 4 }, "indicator_count": 9487, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "286 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6843fe89793d0ef8e2afc34d", "name": "Deleted SocialMedia", "description": "Bad Actor Deleted SocialMedia account found in breach forum.", "modified": "2025-07-07T08:03:42.325000", "created": "2025-06-07T08:55:37.612000", "tags": [ "body", "secure", "self", "path", "date sat", "gmt contenttype", "connection", "accept", "gmt pragma", "deny", "maxage34214400", "learn", "spawns", "command", "ck id", "name tactics", "suspicious", "informative", "adversaries", "ssl certificate", "found", "copy sha256", "copy md5", "copy sha1", "sha1", "sha256", "size", "type data", "ascii text", "pattern match", "mitre att", "show technique", "ck matrix", "file", "indicator", "show process", "encrypt", "june", "hybrid", "local" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1628, "domain": 58, "URL": 390, "hostname": 204, "FileHash-MD5": 84, "FileHash-SHA1": 88, "SSLCertFingerprint": 4 }, "indicator_count": 2456, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "287 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68406290e07ea54c2a9b7e4a", "name": "Win.Trojan.Uniblue-9873211-0 (?) -formerly \u2019Cycbot\u2019 active in Law Firm", "description": "Win.Trojan.Uniblue-9873211-0 -formerly \u2019Cycbot\u2019 active in regional injury Law Firm. Suspicious and inconsistent behavior of phone staff prompts search due to several complaints. Reputable Law firm unwilling to take actual cases with severe evidence based injuries, back peddling, information gathering, potentially tampered with data due to missing reports exchanged via email, etc. Denies hearing from clients, potential clients in months to years though much contact has been made and information medical, PHI, PII, and other information shared. In a recent situation firm declined case previously accepted but did want to review a piece of information they had not received from denied potential client.\n\nThe client will contact legitimate, reputable firms referred to and is redirected to botnets. Affected individuals have been denied the right to pursue justice on multiple occasions due to \u201cwho knows\u201d.\nHad individuals been accused of crimes they would even be able obtain free representation when necessary.", "modified": "2025-07-04T14:02:16.965000", "created": "2025-06-04T15:13:20.758000", "tags": [ "type indicator", "role title", "added active", "related pulses", "filehashmd5", "showing", "entries", "ipv4", "url https", "indicator role", "title added", "active related", "pulses url", "ip address", "location united", "asn as209242", "whois registrar", "next associated", "urls show", "date checked", "url hostname", "server response", "google safe", "results may", "present may", "present nov", "united", "unknown cname", "filehashsha256", "filehashsha1", "icator role", "regsetvalueexa", "win32", "search", "regdword", "process32nextw", "show", "read c", "port", "ms windows", "copy", "write", "malware", "format", "activity", "sid name", "malware cve", "forbidden", "http request", "post", "delete", "url host", "port method" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 46, "FileHash-SHA1": 39, "FileHash-SHA256": 37, "URL": 15, "domain": 4, "hostname": 14 }, "indicator_count": 155, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "290 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6836497513b6637e7e6f39d2", "name": "Exploited Host", "description": "", "modified": "2025-06-26T22:03:25.914000", "created": "2025-05-27T23:23:33.814000", "tags": [ "cname", "aaaa", "record type", "ttl value", "ascii text", "sha1", "copy md5", "copy sha1", "copy sha256", "size", "sha256", "united", "pattern match", "mitre att", "date", "path", "encrypt", "starfield", "hybrid", "general", "local", "click", "strings", "4624", "records", "amazon02", "us ie", "dns ns", "dns a", "dns mx", "command decode", "ck id", "show technique", "ck matrix", "filehashsha1", "filehashsha256", "filehashmd5", "search", "type indicator", "role title", "added active", "related pulses", "showing", "entries", "pulses", "url https", "ipv4", "ccus asnas33070", "role", "value a", "sec ch", "ch ua", "ua full", "ua platform", "ua bitness", "ua arch", "version sec", "mobile sec", "model sec", "version list" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 70, "FileHash-MD5": 225, "FileHash-SHA1": 232, "FileHash-SHA256": 1004, "domain": 138, "hostname": 74, "SSLCertFingerprint": 19, "email": 1 }, "indicator_count": 1763, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "298 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "683614d951f4e789950071b3", "name": "Malicious blockade", "description": "Malicious blockade, redirecting, bot activity affecting client-firm/entity interactions (outreach organizations, legal, possibly educational\u2018 doubtful ) Botnet & monitoring\u2026my OTX profile is not working to it\u2019s full capacity. I am unable to do anything except upload and post in description.\nIPv4\n141.193.213.10\ncommand_and_control || IPv4\n142.250.150.26\nexploit_source || IPv4\n142.251.16.26\nexploit_source || IPv4\n142.251.163.26\nexploit_source ||\nhttps://crimestoppers.ab.ca\nphishing\t|| IPv4\n142.250.27.27 || Alerts - injection_inter_process\ncreates_largekey\nnetwork_bind\npersistence_autorun\npersistence_autorun_tasks\ncape_detected_threat\ninjection_process_hollowing\nantivm_generic_services\ndeletes_executed_files\ndeletes_self\ninjection_runpe\nIndirect_Command_Execution_Via_ConsoleWindowHost\npersistence_ads\nrecon_fingerprint\nsuspicious_command ||", "modified": "2025-06-26T19:05:21.983000", "created": "2025-05-27T19:39:05.470000", "tags": [ "backdoor", "hstr", "checkin", "entries", "urls", "files", "location united", "america flag", "united", "america asn", "trojandropper", "ransom", "trojan", "cycbot", "hash avast", "avg clamav", "msdefender jan", "virtool", "cves all", "time", "alfper", "less see", "all av" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Cycbot", "display_name": "Cycbot", "target": null } ], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 24, "FileHash-MD5": 159, "FileHash-SHA1": 159, "FileHash-SHA256": 1440, "domain": 128, "hostname": 236, "email": 1 }, "indicator_count": 2147, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "298 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://crimestoppers.ab.ca", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://crimestoppers.ab.ca", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776726726.6806638 }