{ "type": "URL", "indicator": "https://dev01.poc.civicalg.com/", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://dev01.poc.civicalg.com/", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4106860900, "indicator": "https://dev01.poc.civicalg.com/", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 13, "pulses": [ { "id": "693596f8cd50958de6e9415c", "name": "Eternal Blue Probe - YouTube - GSE", "description": "EternalBlue is an exploit that targets a critical vulnerability (CVE-2017-0144, part of the larger MS17-010 security bulletin) in Microsoft's implementation of the Server Message Block (SMB) version 1 (SMBv1) protocol, which is used for file and printer sharing on Windows networks. \nVulnerability: The flaw allows an unauthenticated, remote attacker to execute arbitrary code on a vulnerable system by sending specially crafted packets to the SMBv1 server.\nOrigin: The exploit was developed by the NSA but was stolen and publicly leaked in April 2017 by a hacker group known as the Shadow Brokers.\nMajor Attacks: Shortly after its leak, EternalBlue was used in major, widespread cyberattacks, most notably the WannaCry and NotPetya ransomware outbreaks, which caused massive global disruption. The self-propagating \"wormable\" nature of the exploit allowed malware to spread rapidly across networks.", "modified": "2026-01-06T00:03:32.099000", "created": "2025-12-07T15:02:16.840000", "tags": [ "asn as8068", "cloud provider", "reverse dns", "america flag", "united", "america asn", "as8068", "united states", "avast avg", "ids detections", "yara detections", "probe ms17010", "smbds ipc", "av detections", "alerts", "read c", "medium", "rgba", "unicode", "msf style", "dock", "write", "execution", "malware", "eternal blue", "check in", "file score", "medium risk", "generic flags", "ms17010", "none alerts", "less ip", "contacted", "matches", "mirroring", "chromeshorts", "gse", "google", "youtube", "dating apps", "suspicious apps", "search engine", "redirect", "eternalblue" ], "references": [ "chromeshorts.com mirroring YouTube.com googlechinablog.com \u2022 www.google.com \u2022 108.177.121.105", "IDS Detections: ETERNALBLUE Probe Vulnerable System Response MS17-010", "IDS Detections : Possible ETERNALBLUE Probe MS17-010 (MSF style)", "IDS Detections: Possible ETERNALBLUE Probe MS17-010 (Generic Flags)", "IDS Detections: SMB-DS IPC$ unicode share access SMB-DS IPC$ share access", "Environment Awareness : Able to access user sensitive domai", "Alerts : suspicious_write_exe nids_exploit_alert process_martian injection_resumethread js_eval", "Alerts : network_http allocates_rwx suspicious_process stealth_window uses_windows_utilities", "Alerts : recono_fingerprint antivm_memory_available", "www.endgame.com", "admin-contact-api.uat2.white-label-dating.com \u2022 capi-sns.qa1.white-label-dating.com \u2022 http://payments.uat1.white-label-dating.com", "URL https://mailcatcher.qa2.white-label-dating.com", "Attackers : Christopher P. Ahmann , Hall Render , Brian Sabey & Co , Foundry , Tulach , Quasi government entities.", "Alt + Google \u2018branded\u2019 search engine (monitoring targets searches) YouTube mirroring.", "Suspicious apps" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 449, "FileHash-MD5": 26, "FileHash-SHA1": 6, "FileHash-SHA256": 169, "URL": 719, "domain": 86, "SSLCertFingerprint": 1 }, "indicator_count": 1456, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "103 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6923408464566e39caf32285", "name": "Discord- DNS | Malvertizing | Ransom/Msilzilla (sifting IoC\u2019s created by scnrscnr)", "description": "TAGS\nActive\n443 ma2592000\nChristopher Pool\nPool's Closed\nTimothy Pool\na li\n google\namerica att\napache\napache ip\nasn as46606\nauditmode force\nbehavior\nbinary\nbinary file\nbk role\nchat\ncheck\nchrome\nck ids\ncommon stealer\ncookie\ndata upload\ndefender\ndelete c\ndirectui\ndiscord\ndns lookup\ndomain add\ndrop\ndynamicloader\neb d8\nee fc\nerror oct\nexplorer\nexternal ip\nextraction\nf0 ff\nfailed\nff bb\nff d5\nff ff\nfiles\nfoundry\ngmt content\ngmt etag\ngmt server\ngoogle chrome\nguard\nhigh\ninsert\nlolminer\nmalware\nmedia\nmeta\nmoved\nmovie\nmsie\nmsvisualbasic60\nmtb aug -present \nneversend\npowershell\nrelated nids\nresponse ip\nself\nservice domain\nsingapore\nsmartassembly\nspan\nspan a\nsx08x00x00a\ntargeting\ntls sni\ntrojan\ntrojandropper\ntwitter\ntx08x00x00n\nunique\nuser agent\nux08x00x00h\nvirtool\nvirustotal api\nvoice\nvx08x00x00j\nwrite\nwrite c\nwx08x00x00\nx08x00x00b\nx08x00x00x00\nyara\nyara rule\nyx08x00x00l\nz3je\nz3uwq7\nzx08x00x00", "modified": "2025-12-23T16:04:54.329000", "created": "2025-11-23T17:12:36.917000", "tags": [ "no expiration", "expiration", "url https", "url http", "filehashsha256", "hostname", "domain", "filehashmd5", "filehashsha1", "ipv4", "code", "pool", "timothy pool", "z3je z3uwq7", "creation date", "ip address", "emails", "expiration date", "status", "hostname add", "pulse pulses", "passive dns", "urls", "date" ], "references": [ "https://otx.alienvault.com/pulse/5fa57698ac0f6638b7b9a8ba", "Examining pulse created by scnrscnr is worth reviewing. I was surprised tonal see a targets name.I didn\u2019t see Foundry highlighted", "http://aninditaannisa.blogspot.com/2019/02/tsara-brashears-porn.html \u2022 blogspot.com", "https://aninditaannisa.blogspot.com/2019/02/tsara-brashears-porn.html \u2022 blogspot.com \u2022 www.techcult.com/judge-the-simpsons-parody-is-child-pornography/ Whitelisted domain techcult.com\t Domain blogspot.com Whitelisted domain blogspot.com\t Domain techcult.com Whitelisted domain techcult.com\t Hostname aninditaannisa.blogspot.com \u2022 domain blogspot.com", "www.techcult.com", "http://foundry.tartarynova.com phishing \u2022 https://foundry.tartarynova.com \u2022 foundry.tartarynova.com", "https://trail.truefoundry.com/api/t/c/usr_NEDuPPvnqv5DXyhti/tsk_X2YECqnpAow7t6JuE/enc_U2FsdGVkX1_wWHRx9nPGCEspZpUcIwc1yphMTxaaQ2ZAbsxOqRR4ibXcaYtcmgJ1UgabTFCHVVBLx2oAnBAW2h8el_edjHN72Ug0yKQePjKnSJEOnQvtq8MUPo0vkU1N", "https://trail.truefoundry.com/api/track/open/usr_NEDuPPvnqv5DXyhti/tsk_L9bYYgL2HGng9mDsC", "https://trail.truefoundry.com/api/track/open/usr_NEDuPPvnqv5DXyhti/tsk_X2YECqnpAow7t6JuE", "truefoundry.com \u2022 assets.production.truefoundry.com \u2022 cpt.llm-gateway.truefoundry.com", "yyz.llm-gateway.truefoundry.com \u2022 trail.truefoundry.com \u2022 sin.llm-gateway.truefoundry.com", "lm-gateway.truefoundry.com \u2022 https://assets.production.truefoundry.com/sample-openapi.json", "162.159.128.233 \u2022 http://tsar.vicly.org \u2022 https://tsar.vicly.org \u2022 tsar.vicly.org \u2022 vicly.org \u2022 https://tsar.vicly.org/", "http://scteamcommunity.com/4k-high-res-porn-videos/squirt phishing", "http://pic.porn.hub-accessories.site \u2022 https://pic.porn.hub-accessories.site \u2022 pic.porn.hub-accessories.site", "2022ww11.pornhubgsy.com \u2022 http://scteamcommunity.com/4k-high-res-porn-videos/squirt", "IDS Detections: Observed Discord Domain in DNS Lookup (discord .com) Discord Chat Service Domain in DNS Lookup (discord .com)", "IDS Detections: Observed Discord Domain (discord .com in TLS SNI)", "IDS Detections: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)", "IDS Detections: Observed Discord Domain (discordapp .com in TLS SNI) Observed Discord Service Domain (discord .com) in TLS SNI Less", "Yara: Detections ConventionEngine_Term_Users", "Yara: ConventionEngine_Anomaly_MultiPDB_Double , ConventionEngine_Term_Documents", "Alerts: infostealer_browser infostealer_cookies binary_yara procmem_yara static_pe_anomaly", "Alerts: pe_compile_timestomping antiav_detectfile antidebug_guardpages encrypted_ioc", "Alerts: dynamic_function_loading injection_write_process reads_memory_remote_process", "Alerts : network_cnc_https_generic reads_self packer_entropy injection_rwx uses_windows_utilities antivm_checks_available_memory queries_computer_name queries_user_name", "Yara : MS_Visual_Basic_6_0 ,", "Yara : UPX , Nrv2x , UPX_OEP_place , UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , UPXv20MarkusLaszloReiser", "Alerts : ransomware_file_modifications stealth_file procmem_yara static_pe_anomaly", "Alerts: disables_folder_options stealth_hidden_extension stealth_hiddenreg anomalous_deletefile", "Alerts: mouse_movement_detect", "Couldn\u2019t pulse 1st pulse so here\u2019s what\u2019s left", "scnrscnr pulse is good. I\u2019m assuming they\u2019re targets.", "Foundry stalking." ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "TrojanDropper:Win32/VB.IL0", "display_name": "TrojanDropper:Win32/VB.IL0", "target": "/malware/TrojanDropper:Win32/VB.IL0" }, { "id": "ALF:Trojan:Win32/Cassini_56a3061!ibt", "display_name": "ALF:Trojan:Win32/Cassini_56a3061!ibt", "target": null }, { "id": "Win.Ransomware.Msilzilla-10014498-0", "display_name": "Win.Ransomware.Msilzilla-10014498-0", "target": null } ], "attack_ids": [ { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1443", "name": "Remotely Install Application", "display_name": "T1443 - Remotely Install Application" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 773, "FileHash-SHA1": 684, "FileHash-SHA256": 1910, "CVE": 2, "SSLCertFingerprint": 4, "URL": 3783, "domain": 878, "email": 7, "hostname": 1913 }, "indicator_count": 9954, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "116 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68f9288e0d98f3b44c2cb90c", "name": "Ultrasounds attack - South African criminal group-Denver, Vo affects critical infrastructure , Oil and public safety", "description": "South African and Ethiopian crime group with Denver , Co presence is not only infiltrating infrastructure from banking to oil, they are human traffickers, hitmen and yes, I received this tip from team member Pheona who a \u2018sassa.gov.za\u2018 South African link recurrently as a top search suggestion in a \u2018targets\u2019 browser. The most frightening piece is that a name listed is of an Ethiopian man who attempted to force a very targeted victim to go somewhere with him,, be his girlfriend and did show up outside of her residence in a different City & County. He also knew the exact name of where she purchased specific items. If you can see this. Please help the best way you can. Something is incredibly wrong. [OTX auto populated Title: We can\u2019t rely on goodwill to protect our critical infrastructure - Help Net Security]", "modified": "2025-11-21T18:02:11.054000", "created": "2025-10-22T18:55:10.527000", "tags": [ "server nginx", "date fri", "etag w", "urls", "passive dns", "acceptranges", "contentlength", "date thu", "gmt expires", "server", "code", "link", "script script", "south africa", "ipv4", "files", "location south", "accept", "present aug", "certificate", "hostname add", "domain", "files ip", "unknown a", "script urls", "ip address", "unknown soa", "unknown ns", "reverse dns", "africa flag", "asn as16637", "dns resolutions", "domains top", "level", "unique tld", "related pulses", "tags none", "indicator facts", "title", "ipv4 add", "opinion", "netacea", "lockbit", "wannacry attack", "nhs trusts", "council", "uk government", "protect", "cni safe", "acls", "praio", "prink", "prsc", "prla", "lg2en", "cti98", "search", "seiko epson", "corporation", "arc file", "malware", "delete c", "default", "show", "write", "next", "unknown", "united", "tlsv1", "msie", "windows nt", "wow64", "slcc2", "media center", "as15169", "port", "execution", "dock", "capture", "persistence", "yara detections", "filehash", "md5 add", "pulse pulses", "av detections", "ids detections", "alerts", "analysis date", "file score", "low risk", "cabinet archive", "microsoft", "read c", "dynamicloader", "medium", "ltda me", "high", "write c", "entries", "checks", "delphi", "win32", "url pulse", "data upload", "extraction", "find suggested", "type", "domain hostname", "url add", "http", "related nids", "files location", "ireland flag", "files domain", "chrome", "ireland unknown", "pulse submit", "url analysis", "body", "date", "status", "name servers", "creation date", "expiration date", "flag united", "destination", "systemdrive", "html document", "crlf line", "updater", "copy", "unknown aaaa", "moved", "domain add", "extri data", "enter sc", "extr include", "review exclude", "sugges", "present jul", "saudi arabia", "present mar", "present oct", "present jun", "present feb", "present nov", "present may", "eeee", "eeeeeee", "eeeeee", "eefe", "ebeee", "ee eme", "eeheee", "eeefee e", "eeeee e", "vmprotect", "push", "local", "defender", "regsetvalueexa", "utf8 unicode" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Lockbit", "display_name": "Lockbit", "target": null }, { "id": "ALF:HeraklezEval:PUA:Win32/UltraDownloads", "display_name": "ALF:HeraklezEval:PUA:Win32/UltraDownloads", "target": null }, { "id": "Other Dangerous Malware", "display_name": "Other Dangerous Malware", "target": null } ], "attack_ids": [ { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1561", "name": "Disk Wipe", "display_name": "T1561 - Disk Wipe" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" } ], "industries": [ "Oil" ], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 648, "hostname": 1604, "FileHash-SHA256": 1826, "URL": 4153, "FileHash-MD5": 102, "FileHash-SHA1": 60, "SSLCertFingerprint": 18, "CVE": 2, "email": 5 }, "indicator_count": 8418, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "148 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68f93b1cebf80f48450bd517", "name": "Yuner - File deletion and Disk Wiping / Cyberstalking ", "description": "", "modified": "2025-11-21T18:02:11.054000", "created": "2025-10-22T20:14:20.632000", "tags": [ "server nginx", "date fri", "etag w", "urls", "passive dns", "acceptranges", "contentlength", "date thu", "gmt expires", "server", "code", "link", "script script", "south africa", "ipv4", "files", "location south", "accept", "present aug", "certificate", "hostname add", "domain", "files ip", "unknown a", "script urls", "ip address", "unknown soa", "unknown ns", "reverse dns", "africa flag", "asn as16637", "dns resolutions", "domains top", "level", "unique tld", "related pulses", "tags none", "indicator facts", "title", "ipv4 add", "opinion", "netacea", "lockbit", "wannacry attack", "nhs trusts", "council", "uk government", "protect", "cni safe", "acls", "praio", "prink", "prsc", "prla", "lg2en", "cti98", "search", "seiko epson", "corporation", "arc file", "malware", "delete c", "default", "show", "write", "next", "unknown", "united", "tlsv1", "msie", "windows nt", "wow64", "slcc2", "media center", "as15169", "port", "execution", "dock", "capture", "persistence", "yara detections", "filehash", "md5 add", "pulse pulses", "av detections", "ids detections", "alerts", "analysis date", "file score", "low risk", "cabinet archive", "microsoft", "read c", "dynamicloader", "medium", "ltda me", "high", "write c", "entries", "checks", "delphi", "win32", "url pulse", "data upload", "extraction", "find suggested", "type", "domain hostname", "url add", "http", "related nids", "files location", "ireland flag", "files domain", "chrome", "ireland unknown", "pulse submit", "url analysis", "body", "date", "status", "name servers", "creation date", "expiration date", "flag united", "destination", "systemdrive", "html document", "crlf line", "updater", "copy", "unknown aaaa", "moved", "domain add", "extri data", "enter sc", "extr include", "review exclude", "sugges", "present jul", "saudi arabia", "present mar", "present oct", "present jun", "present feb", "present nov", "present may", "eeee", "eeeeeee", "eeeeee", "eefe", "ebeee", "ee eme", "eeheee", "eeefee e", "eeeee e", "vmprotect", "push", "local", "defender", "regsetvalueexa", "utf8 unicode" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Lockbit", "display_name": "Lockbit", "target": null }, { "id": "ALF:HeraklezEval:PUA:Win32/UltraDownloads", "display_name": "ALF:HeraklezEval:PUA:Win32/UltraDownloads", "target": null }, { "id": "Other Dangerous Malware", "display_name": "Other Dangerous Malware", "target": null } ], "attack_ids": [ { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1561", "name": "Disk Wipe", "display_name": "T1561 - Disk Wipe" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" } ], "industries": [ "Oil" ], "TLP": "green", "cloned_from": "68f9288e0d98f3b44c2cb90c", "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 648, "hostname": 1604, "FileHash-SHA256": 1826, "URL": 4153, "FileHash-MD5": 102, "FileHash-SHA1": 60, "SSLCertFingerprint": 18, "CVE": 2, "email": 5 }, "indicator_count": 8418, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "148 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68ee5e9f8cfc5fbc73142660", "name": "Gaming Studios - YouTube - MyDoom", "description": "", "modified": "2025-11-13T12:05:32.283000", "created": "2025-10-14T14:30:55.471000", "tags": [ "no expiration", "url https", "url http", "iocs", "ipv4", "enter source", "indicator role", "title added", "active related", "united", "present jul", "unknown ns", "search", "for privacy", "moved", "ip address", "encrypt", "a domains", "script urls", "meta", "pragma", "general full", "reverse dns", "software", "resource", "security tls", "piscataway", "asn20473", "asn15169", "google", "asvultr", "portfolio", "josh theriault", "upei", "university", "island", "roblox", "jmt studios", "moon engine", "android", "icpc", "north america", "qualifier", "hello", "apache", "runner", "eric everest", "games", "cloudflar", "amazon02", "as autonomous", "system", "canada", "value", "domainpath name", "cgjerrieegaggq", "name value", "form", "game development", "blog", "jmt99", "developer", "event", "bullseye", "trick or treat", "unofficial trick or treat 2014", "unofficial trick or treat 2015", "egg hunt", "gift hunt", "hallows quest", "studio", "experience", "fall", "january", "july", "founder", "studio head", "passive dns", "urls", "registrar", "title", "roblox jmt99 \"jmt studios\" \"trick or treat\" \"egg hunt\"", "press copyright", "contact", "privacy policy", "safety how", "youtube", "test", "nfl sunday", "ticket", "google llc", "data upload", "extraction", "failed", "files", "twitter", "variables", "cgjjtbieggagla", "nid value", "expiration date", "files ip", "dynamicloader", "write c", "delete c", "intel", "ms windows", "medium", "default", "write", "guard", "mozilla", "malware", "defender", "unknown", "domains", "hashes", "url analysis", "unknown aaaa", "script domains", "certificate", "game", "servers", "unofficial", "settings", "public", "endpoints", "currently", "game servers", "current", "meta name", "robots content", "x ua", "ieedge chrome1", "incapsula", "request", "role title", "related pulses", "domain v", "url indicator", "nameilname", "ascii text", "mitre att", "ck id", "ck matrix", "hybrid", "general", "local", "path", "click", "strings", "pe file", "high", "yara detections", "dynamic", "v hostname", "se fos", "include v", "domain url", "data", "alltypes", "win32mydoom oct", "trojan", "url add", "http", "related nids", "files location", "canada flag", "canada hostname", "canada unknown", "canada", "present aug", "name servers", "present sep", "aaaa", "present oct", "crlf line", "unicode text", "music", "suspicious", "bricked.wtf", "flag united", "google safe", "domain", "address domain", "united states", "filehashsha256", "hostname xn", "finland unknown", "filehashmd5", "indicators hong", "kong", "south korea", "present jun", "present mar", "present may", "olet", "cnr12", "tlsv1", "get updates", "upatre", "added active", "apple", "everest", "josh paul", "upadter", "convagent", "info stealing", "delete service", "phishing", "fraud", "social engineering", "gamer", "hacker", "adversaries", "icloud", "found", "gmt content", "error", "redacted for", "meta http", "content", "gmt server", "france unknown", "poland unknown", "content type", "xml title", "hostname add", "address", "location united", "life", "century link llc", "xfinity", "livesex", "domain add", "users", "show", "delete", "blocked by quad9", "showing", "record value", "location canada", "canada asn", "accept", "cookie", "macbook", "ipv4 add", "america flag", "america asn", "asn as714", "less", "woodynet", "next associated", "status", "exclude sugges", "ip related", "t1027.013" ], "references": [ "https://www.jmtstudios.org/farewell/", "https://www.youtube.com/channel/UCSYMkiAJcNXbO5-aemTSxvw", "graphql.accounts.instagram.disk- cloud.link encrynt lenter source leric everest l Data upload Failed Extraction failed, please try again Failed to retrieve suggested indicator for graphql.accounts.instagram.disk- cloud.link Data upload Failed Extraction failed, please try again Failed to retrieve suggested indicator for graphql.accounts.instagram.disk- cloud.link showing system", "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html", "ConventionEngine_Term_Dropbox \u2022 Dropbox", "http://api.jmtstudios.org/", "bricked.wtf", "ic1-privaterelay.appleid.com \u2022 ic2-privaterelay.appleid.com\t\u2022 ic4-privaterelay.appleid.com", "http://apple-carry-relay.fastly-edge.com \u2022 appleid.com \u2022 charterhomeschoolacademy.appleid.com", "careersandenterprise.appleid.com \u2022 http://apple.appleid.com/", "https://forwardemail.net/es/blog/open-source/apple-email-clients", "accounts.instagram.disk-cloud.link \u2022\tgraphql.accounts.instagram.disk-cloud", "http://mc.yandex-team.settings.storage-cloud.link/ \u2022 ru.disk-cloud.link", "http://www.visitbooker.com/Dropbox-07/index.htm", "dash.ocrobot.com \u2022 robottherobot.com \u2022http://www.robottherobot.com/", "Appears to be closely associated with close relative and initial victim of attack.", "Potentially disturbing , personal , invasive, aggressive, intimate behavior of party." ], "public": 1, "adversary": "", "targeted_countries": [ "Hong Kong", "United States of America" ], "malware_families": [ { "id": "Win.Malware.Convagent-9981433-0", "display_name": "Win.Malware.Convagent-9981433-0", "target": null }, { "id": "Upadter", "display_name": "Upadter", "target": null }, { "id": "MyDoom", "display_name": "MyDoom", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 23, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6996, "FileHash-MD5": 281, "FileHash-SHA1": 220, "FileHash-SHA256": 2673, "domain": 1747, "email": 24, "hostname": 2803, "SSLCertFingerprint": 3 }, "indicator_count": 14747, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "157 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68ee5ea4d51d4a1cabdb4ee9", "name": "Gaming Studios - YouTube - MyDoom", "description": "", "modified": "2025-11-13T12:05:32.283000", "created": "2025-10-14T14:31:00.172000", "tags": [ "no expiration", "url https", "url http", "iocs", "ipv4", "enter source", "indicator role", "title added", "active related", "united", "present jul", "unknown ns", "search", "for privacy", "moved", "ip address", "encrypt", "a domains", "script urls", "meta", "pragma", "general full", "reverse dns", "software", "resource", "security tls", "piscataway", "asn20473", "asn15169", "google", "asvultr", "portfolio", "josh theriault", "upei", "university", "island", "roblox", "jmt studios", "moon engine", "android", "icpc", "north america", "qualifier", "hello", "apache", "runner", "eric everest", "games", "cloudflar", "amazon02", "as autonomous", "system", "canada", "value", "domainpath name", "cgjerrieegaggq", "name value", "form", "game development", "blog", "jmt99", "developer", "event", "bullseye", "trick or treat", "unofficial trick or treat 2014", "unofficial trick or treat 2015", "egg hunt", "gift hunt", "hallows quest", "studio", "experience", "fall", "january", "july", "founder", "studio head", "passive dns", "urls", "registrar", "title", "roblox jmt99 \"jmt studios\" \"trick or treat\" \"egg hunt\"", "press copyright", "contact", "privacy policy", "safety how", "youtube", "test", "nfl sunday", "ticket", "google llc", "data upload", "extraction", "failed", "files", "twitter", "variables", "cgjjtbieggagla", "nid value", "expiration date", "files ip", "dynamicloader", "write c", "delete c", "intel", "ms windows", "medium", "default", "write", "guard", "mozilla", "malware", "defender", "unknown", "domains", "hashes", "url analysis", "unknown aaaa", "script domains", "certificate", "game", "servers", "unofficial", "settings", "public", "endpoints", "currently", "game servers", "current", "meta name", "robots content", "x ua", "ieedge chrome1", "incapsula", "request", "role title", "related pulses", "domain v", "url indicator", "nameilname", "ascii text", "mitre att", "ck id", "ck matrix", "hybrid", "general", "local", "path", "click", "strings", "pe file", "high", "yara detections", "dynamic", "v hostname", "se fos", "include v", "domain url", "data", "alltypes", "win32mydoom oct", "trojan", "url add", "http", "related nids", "files location", "canada flag", "canada hostname", "canada unknown", "canada", "present aug", "name servers", "present sep", "aaaa", "present oct", "crlf line", "unicode text", "music", "suspicious", "bricked.wtf", "flag united", "google safe", "domain", "address domain", "united states", "filehashsha256", "hostname xn", "finland unknown", "filehashmd5", "indicators hong", "kong", "south korea", "present jun", "present mar", "present may", "olet", "cnr12", "tlsv1", "get updates", "upatre", "added active", "apple", "everest", "josh paul", "upadter", "convagent", "info stealing", "delete service", "phishing", "fraud", "social engineering", "gamer", "hacker", "adversaries", "icloud", "found", "gmt content", "error", "redacted for", "meta http", "content", "gmt server", "france unknown", "poland unknown", "content type", "xml title", "hostname add", "address", "location united", "life", "century link llc", "xfinity", "livesex", "domain add", "users", "show", "delete", "blocked by quad9", "showing", "record value", "location canada", "canada asn", "accept", "cookie", "macbook", "ipv4 add", "america flag", "america asn", "asn as714", "less", "woodynet", "next associated", "status", "exclude sugges", "ip related", "t1027.013" ], "references": [ "https://www.jmtstudios.org/farewell/", "https://www.youtube.com/channel/UCSYMkiAJcNXbO5-aemTSxvw", "graphql.accounts.instagram.disk- cloud.link encrynt lenter source leric everest l Data upload Failed Extraction failed, please try again Failed to retrieve suggested indicator for graphql.accounts.instagram.disk- cloud.link Data upload Failed Extraction failed, please try again Failed to retrieve suggested indicator for graphql.accounts.instagram.disk- cloud.link showing system", "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html", "ConventionEngine_Term_Dropbox \u2022 Dropbox", "http://api.jmtstudios.org/", "bricked.wtf", "ic1-privaterelay.appleid.com \u2022 ic2-privaterelay.appleid.com\t\u2022 ic4-privaterelay.appleid.com", "http://apple-carry-relay.fastly-edge.com \u2022 appleid.com \u2022 charterhomeschoolacademy.appleid.com", "careersandenterprise.appleid.com \u2022 http://apple.appleid.com/", "https://forwardemail.net/es/blog/open-source/apple-email-clients", "accounts.instagram.disk-cloud.link \u2022\tgraphql.accounts.instagram.disk-cloud", "http://mc.yandex-team.settings.storage-cloud.link/ \u2022 ru.disk-cloud.link", "http://www.visitbooker.com/Dropbox-07/index.htm", "dash.ocrobot.com \u2022 robottherobot.com \u2022http://www.robottherobot.com/", "Appears to be closely associated with close relative and initial victim of attack.", "Potentially disturbing , personal , invasive, aggressive, intimate behavior of party." ], "public": 1, "adversary": "", "targeted_countries": [ "Hong Kong", "United States of America" ], "malware_families": [ { "id": "Win.Malware.Convagent-9981433-0", "display_name": "Win.Malware.Convagent-9981433-0", "target": null }, { "id": "Upadter", "display_name": "Upadter", "target": null }, { "id": "MyDoom", "display_name": "MyDoom", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 27, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6996, "FileHash-MD5": 281, "FileHash-SHA1": 220, "FileHash-SHA256": 2673, "domain": 1747, "email": 24, "hostname": 2803, "SSLCertFingerprint": 3 }, "indicator_count": 14747, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "157 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68dda4bcade283258f6ed707", "name": "Delta Server - Phishing", "description": "Related to FBI.gov and maliciously coded image found on Google image search result on a fully updated yet hacked iOS device.", "modified": "2025-10-31T21:05:05.615000", "created": "2025-10-01T22:01:32.571000", "tags": [ "related pulses", "delta server", "phishing", "fbi.gov?", "hacked images", "gogle", "google search", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "defense evasion", "spawns", "access att", "windows nt", "size", "mitre att", "path", "general", "local", "click", "strings", "dynamicloader", "eke eekeeeke", "eeye", "eekeee ee", "eekeeeke eekeee", "search", "delete", "yara detections", "eeeee e", "yara rule", "write", "trojan", "dynamic_loading_function", "command_and_control" ], "references": [ "http://autoconfig.delterserver.org/", "https://hybrid-analysis.com/sample/904630d9e73c404a0581c822970935ae49940d09402a55d96712293baa5e8061/68dd9a7397836f17be0d1485", "Yara Detections: stack_string , case_4485_ekix4 Alerts: procmem_yara dynamic_function_loading", "Alerts: network_cnc_https_generic", "Alerts : dead_connect antidebug_setunhandledexceptionfilter exec_crash IP\u2019s Contacted 104.20.151.16", "Alerts: dead_connect antidebug_setunhandledexceptionfilter exec_crash IP\u2019s Domains Contacted : 104.20.151.16" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 463, "domain": 60, "hostname": 210, "FileHash-MD5": 51, "FileHash-SHA1": 85, "FileHash-SHA256": 203, "SSLCertFingerprint": 1 }, "indicator_count": 1073, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "169 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68c5d0cd10f7bf6c3e6fa513", "name": "Remote admin privileges affecting online payment service redirect", "description": "Openvision.ro.\nRemote admin privileges affecting online targeted users https://paypal.com redirect fed.paypal.com", "modified": "2025-10-13T19:29:11.484000", "created": "2025-09-13T20:15:09.236000", "tags": [ "domain", "url analysis", "passive dns", "urls", "ip address", "extraction", "s data", "extrac data", "included", "review ioc", "excluded", "data upload", "failed", "extra data", "include review", "exclude suggest", "find s", "typ no", "exclude sugges", "typ hos", "error dec", "servers", "value name", "dnssec active", "domain name", "domain status", "ok expiration", "date", "name servers", "referral url", "files", "reverse dns", "romania asn", "as20616", "dns resolutions", "domains top", "level", "unique tld", "dynamicloader", "medium", "high", "yara detections", "upxoepplace", "yara rule", "bochs", "anomalous file", "dynamic", "reads", "ping", "markus", "april", "copy", "entries exif", "data show", "search", "value exe", "script", "fileflags", "fileflagsmask", "fileos win32", "executable", "large address", "next resource", "strings show", "value ud975", "uude17\u17e9", "\u1b53 ud9ff\u1818udf1e", "uda64", "udec3", "intel", "ms windows", "ascii text", "crlf line", "registry total", "read", "write", "delete", "type", "extra", "pulse", "record type", "ttl value", "a mx", "thumbprint", "match info", "info", "mitre att", "ta0002 command", "t1059 severity", "modules t1129", "windows api", "ta0003 modify", "registry t1112", "defense evasion", "resolved ips", "files matching", "number", "sample analysis", "hide samples", "date hash", "sabey type", "rexx type", "foundry type", "palantir" ], "references": [ "openvision.ro", "sonar.tools.nonprod.civicalg.com" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Win.Malware.Remoteadmin-7056666-0", "display_name": "Win.Malware.Remoteadmin-7056666-0", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1609", "name": "Container Administration Command", "display_name": "T1609 - Container Administration Command" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1447", "name": "Delete Device Data", "display_name": "T1447 - Delete Device Data" }, { "id": "T1459", "name": "Device Unlock Code Guessing or Brute Force", "display_name": "T1459 - Device Unlock Code Guessing or Brute Force" }, { "id": "T1463", "name": "Manipulate Device Communication", "display_name": "T1463 - Manipulate Device Communication" }, { "id": "T1450", "name": "Exploit SS7 to Track Device Location", "display_name": "T1450 - Exploit SS7 to Track Device Location" } ], "industries": [ "Financial", "Targeted", "Technology", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 76, "FileHash-SHA256": 33, "FileHash-MD5": 27, "FileHash-SHA1": 35, "hostname": 213, "URL": 345 }, "indicator_count": 729, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "187 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68ae5b9ef87646927a236b61", "name": "Privacy - Google Videos Search - Web Applications Stack Exchange = WannaCry", "description": "Description: dfir.blog - A blog about Digital Forensics & Incident Response\ndfir.blog\nDigital forensics, web browsers, visualizations, & open source tools.\n#monitoring #dod(?) #chinacache #crypt #ransom#infectedsystems", "modified": "2025-09-26T00:01:12.214000", "created": "2025-08-27T01:13:02.780000", "tags": [ "google", "mullvad browser", "value", "incognito mode", "mine", "unix time", "friday", "january", "does", "tor browser", "search", "show", "langchinese", "packing t1045", "t1045", "medium", "pe resource", "module load", "t1129", "service", "trojan", "copy", "dock", "write", "malware", "clock", "united", "passive dns", "urls", "next associated", "gmt cache", "ipv4 add", "pulse pulses", "files", "reverse dns", "win32", "title", "location united", "america flag", "america asn", "as15169 google", "dns resolutions", "domains top", "level", "unique tlds", "present aug", "china unknown", "creation date", "date", "domain", "ip address", "domain name", "expiration date", "status ok", "nanjing", "accept", "body", "div td", "td tr", "div div", "span span", "a li", "span p", "p div", "moved", "a domains", "open", "span", "uuupupu", "t1055", "process32nextw", "high", "windows", "high defense", "evasion", "delphi", "google gmail", "images sign", "advanced search", "solutions", "privacy", "store gmail", "delete delete", "report", "how search", "applying ai", "settings search", "advanced", "search search", "search help", "domainabuse", "showing", "hostname add", "url add", "http", "hostname", "files domain", "files related", "pulses none", "related tags", "read c", "tlsv1", "whitelisted", "port", "destination", "ascii text", "next", "encrypt", "script urls", "msie", "chrome", "bad gateway", "script domains", "present feb", "link", "meta", "digital", "language", "body doctype", "ghost", "present jun", "aaaa", "present jul", "present oct", "record value", "yara detections", "dock zone", "top source", "top destination", "source source", "filehash", "code", "error", "windows nt", "wow64", "slcc2", "media center", "execution", "persistence", "tulach", "brian sabey", "dod network", "orgtechref", "address range", "cidr", "network name", "allocation type", "whois server", "entity dnic", "handle", "whois lookup", "dod", "et trojan", "server header", "suspicious", "et info", "unknown", "virustotal", "specified", "download", "et", "please", "type size", "first seen", "loading", "python wheel", "dynamicloader", "intel", "ms windows", "pe32", "entries", "user agent", "powershell", "agent", "yara rule", "checks", "levelblue", "open threat", "observed dns", "query", "dns lookup", "msdos", "wannacry dns", "lookup", "wannacry", "worm", "explorer", "msil", "darkcomet", "ping", "tools", "capture", "hallrender", "dga domains", "unfurl sites", "honey net", "bot", "nxdomain", "potential-c2" ], "references": [ "Don\u2019t click! https://webapps.stackexchange.com/questions/172215/google-videos-search-sca-esv-query-parameter-possible-tracking | Infected systems", "DoD Network Information Center (DNIC)", "DoD Network Information Center disa.columbus.ns.mbx.arin-registrations@mail.mil [seen throughout}", "Python Wheel package", "https://www.google.com/search", "https://otx.alienvault.com/indicator/hostname/palantir.hosted-by-discourse.com", "https://otx.alienvault.com/indicator/hostname/palantir.hosted-by-discourse.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Trojan:Win32/Magania.DSK!MTB", "display_name": "Trojan:Win32/Magania.DSK!MTB", "target": "/malware/Trojan:Win32/Magania.DSK!MTB" }, { "id": "Trojan:Win32/Zusy", "display_name": "Trojan:Win32/Zusy", "target": "/malware/Trojan:Win32/Zusy" }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "a variant of Win32/Kryptik.DEOA", "display_name": "a variant of Win32/Kryptik.DEOA", "target": null }, { "id": "ALF:Exploit:Win32/gSharedInfoRef.A", "display_name": "ALF:Exploit:Win32/gSharedInfoRef.A", "target": null }, { "id": "Wannacry", "display_name": "Wannacry", "target": null } ], "attack_ids": [ { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1054", "name": "Indicator Blocking", "display_name": "T1054 - Indicator Blocking" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" } ], "industries": [ "Telecommunications", "Technology", "Civilian" ], "TLP": "white", "cloned_from": null, "export_count": 40, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8221, "domain": 1216, "FileHash-SHA256": 2434, "FileHash-MD5": 296, "FileHash-SHA1": 155, "hostname": 2939, "email": 7, "SSLCertFingerprint": 8, "CIDR": 2 }, "indicator_count": 15278, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "205 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "689b9b9fab42ca4f016a226f", "name": "Elastic's Al-driven Endpoint Security - Red Team Malicious (moved?)", "description": "Endgame - Unruy Activity -System infection | (Moved) Endpoint security (MOVED) from Elastic\nElastic's Al-driven security analytics empowers you with comprehensive endpoint protection. Detect, investigate, and respond to threats faster with a single agent and unified console. Gain actionable insights for a proactive defense posture. All built on the Search\nAl platform.\n| Used maliciously against monitored non-criminal targets. |\n{ virus - https://universitycenter.uccs.edu/}\n#unruy #activity #monitored_target #red_team_malicious #trojan #worm #moved\n#ai #adversarial #custom_malware #ransom #crypt #guardrails #dns #cnc #evasive #domain_generation #remote_access #devices #remotewd #virus #custom_malware #rip #endgame \n\u2022 TrojanDropper\t\t\t\n\u2022 Win32:Evo-gen\t\u2022 Cassini\n\u2022 RansomX-gen\u2022 Zombie.A\n\u2022 win32:MalwareX-gen\t\u2022 Win32:Malware-gen \u2022 Nymeria\n\u2022 Forcud +", "modified": "2025-09-11T13:03:18.814000", "created": "2025-08-12T19:53:03.953000", "tags": [ "url http", "url https", "indicator role", "title added", "active related", "pulses url", "entries", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "spawns", "mitre att", "ck techniques", "evasion att", "href", "copy md5", "copy sha1", "copy sha256", "sha1", "sha256", "show technique", "ck matrix", "null", "refresh", "body", "span", "general", "local", "path", "iframe", "click", "date", "strings", "error", "tools", "look", "verify", "restart", "united", "unknown ns", "ip address", "creation date", "search", "present sep", "moved", "domain add", "encrypt", "accept", "please", "passive dns", "msie", "next associated", "html", "background", "unknown site", "div div", "trojan", "zeus", "process32nextw", "read c", "show", "shellexecuteexw", "windows nt", "wow64", "copy", "dock", "write", "malware", "unknown", "defense evasion", "t1480 execution", "file defense", "august", "hybrid", "port", "destination", "tlsv1", "as15169", "ogoogle trust", "cngts ca", "execution", "next", "persistence", "data upload", "extraction", "win32", "ransom", "trojandropper", "mtb nov", "forcud", "files show", "date hash", "avast avg" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 29, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4179, "domain": 774, "hostname": 1673, "FileHash-MD5": 169, "FileHash-SHA1": 110, "FileHash-SHA256": 2073, "email": 1, "SSLCertFingerprint": 13, "CVE": 1 }, "indicator_count": 8993, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "220 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6894f30905efa56990bb10f6", "name": "Expanded device-local-****remotewd.com", "description": "device-local-2ffdbd74-9f90-41fa-beb8-454ed65788c5.remotewd.com", "modified": "2025-09-06T06:03:31.462000", "created": "2025-08-07T18:40:09.876000", "tags": [ "hostname", "pulse pulses", "passive dns", "urls", "files", "ip address", "nameservers", "date hash", "avast avg", "entries", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "itre att", "ck techniques", "copy md5", "copy sha1", "copy sha256", "sha256", "sha1", "mitre att", "pattern match", "show technique", "ck matrix", "null", "refresh", "body", "span", "august", "hybrid", "general", "local", "path", "click", "date", "strings", "error", "tools", "look", "verify", "restart", "domain", "hostname add", "files ip", "address", "location united", "hash avast", "avg clamav", "msdefender aug", "united", "port", "destination", "as16509", "search", "unknown", "ocloudflare", "medium", "memcommit", "service", "write", "next", "persistence", "execution", "malware", "copy", "encrypt", "win32", "mtb feb", "trojan", "susp", "trojandropper", "msr feb", "trojanspy", "next associated", "urls show", "date checked", "virtool", "win64", "worm", "mtb may", "files show", "heur", "script", "dropper", "ransom", "vitro", "pe32", "intel", "ms windows", "as15169", "read c", "asnone", "show", "packing t1045", "t1045", "delphi", "code", "june" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 6741, "domain": 5822, "FileHash-SHA256": 1550, "URL": 16348, "FileHash-MD5": 287, "FileHash-SHA1": 242, "SSLCertFingerprint": 9, "email": 1 }, "indicator_count": 31000, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "225 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6894f4e6c41982f405592b55", "name": "Worm:Win32/Mydoom | Expanded device-local-****remotewd.com", "description": "", "modified": "2025-09-06T06:03:31.462000", "created": "2025-08-07T18:48:06.557000", "tags": [ "hostname", "pulse pulses", "passive dns", "urls", "files", "ip address", "nameservers", "date hash", "avast avg", "entries", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "itre att", "ck techniques", "copy md5", "copy sha1", "copy sha256", "sha256", "sha1", "mitre att", "pattern match", "show technique", "ck matrix", "null", "refresh", "body", "span", "august", "hybrid", "general", "local", "path", "click", "date", "strings", "error", "tools", "look", "verify", "restart", "domain", "hostname add", "files ip", "address", "location united", "hash avast", "avg clamav", "msdefender aug", "united", "port", "destination", "as16509", "search", "unknown", "ocloudflare", "medium", "memcommit", "service", "write", "next", "persistence", "execution", "malware", "copy", "encrypt", "win32", "mtb feb", "trojan", "susp", "trojandropper", "msr feb", "trojanspy", "next associated", "urls show", "date checked", "virtool", "win64", "worm", "mtb may", "files show", "heur", "script", "dropper", "ransom", "vitro", "pe32", "intel", "ms windows", "as15169", "read c", "asnone", "show", "packing t1045", "t1045", "delphi", "code", "june" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [], "TLP": "green", "cloned_from": "6894f30905efa56990bb10f6", "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 6741, "domain": 5822, "FileHash-SHA256": 1550, "URL": 16348, "FileHash-MD5": 287, "FileHash-SHA1": 242, "SSLCertFingerprint": 9, "email": 1 }, "indicator_count": 31000, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "225 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6892e73b32af18aa302df0dc", "name": "Part 1.5", "description": "Dark web media \u2022 Political news \u2022 Malvertizing\nlocate \u2022\ntrack [stalk] \u2022 record calls \u2022 control media [youtube , etc] http://t.name?n[++i]=e:this.removeEventListener\t\t\nJeeng &\nPowebox [ accidentally left out in original post pulse]", "modified": "2025-09-05T04:03:06.929000", "created": "2025-08-06T05:25:15.369000", "tags": [ "chromeua", "optout", "object", "path", "value", "access type", "setval", "windir", "localappdata", "null", "win64", "error", "generator", "close", "roboto", "date", "format", "light", "span", "template", "void", "android", "body", "trident", "mexico", "sonic", "black", "critical", "desktop", "dark", "meta", "this", "june", "hybrid", "apache", "write", "crypto", "autodetect", "face", "courier", "gigi", "impact", "shadow", "click", "strings", "cray", "smwg", "eret", "footer", "infinity", "window", "canvas", "legend", "nuke", "lion", "4629", "ahav", "olsa", "false", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "spawns", "defense evasion", "t1480 execution", "file defense", "copy md5", "copy sha1", "copy sha256", "sha1", "sha256", "script", "mitre att", "pattern match", "show technique", "iframe", "refresh", "august", "general", "local", "tools", "demo", "look", "verify", "restart", "url http", "small", "pulses url", "tellyoun", "showing", "entries", "url https", "indicator role", "title added", "active related", "type indicator", "role title", "added active", "related pulses", "cc08", "f06a6b", "sfurl", "filehashsha256", "types", "indicators show", "search", "pulses", "filehashsha1", "adversaries", "found", "webp image", "ascii text", "riff", "size", "encrypt", "legacy", "filehashmd5", "united", "flag", "server", "markmonitor", "name server", "llc name", "overview dns", "requests domain", "country", "win32", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "file score", "medium risk", "yara", "detections", "malware", "copy", "show", "icmp traffic", "packing t1045", "t1045", "pdb path", "pe resource", "extraction", "data upload", "enter sc", "type", "extra data", "please", "failed", "review", "exclude data", "included review", "ic data", "suggeste", "stop", "type onow", "domain", "passive dns", "urls", "files related", "pulses none", "related tags", "none google", "safe browsing", "sc data", "extr amanuav", "review included", "manualy", "sugges excluded", "filehash", "md5 add", "pulse pulses", "url add", "http", "hostname", "files domain", "pulses otx", "virustotal", "hsmi192547107", "pulses hostname", "r dec", "customer dec", "iski dec", "decision dec", "va dec", "bitcoin", "bitcoin dec", "petra", "torstatus dec", "paul dec", "sodesc", "planet dec", "emilia", "heroin dec", "difference dec", "palantir dec", "loraxlive dec", "chaturbate dec", "sandra", "free dec", "marvel dec", "benjis dec", "fresh dec", "sodesc dec", "srdirport", "srhostname", "link dec", "types of", "italy", "china", "australia", "france", "turkey", "discovery", "information", "ck ids", "t1005", "local system", "t1007", "system service", "part", "track", "locate", "political", "civil society", "news", "created", "hours ago", "report spam", "t1555", "password", "t1560", "collected data", "t1573", "channel", "t1574", "execution flow", "scan", "iocs", "t1497", "u0lhmq", "mtawmq", "t1480", "guardrails", "t1486", "data encrypted", "learn more", "unsubscribe aug", "protocol", "t1074", "staged", "t1083", "t1102", "web service", "t1105", "tool transfer", "t1140", "data engineer", "candidate", "tlsv1", "odigicert inc", "stcalifornia", "lsan jose", "oadobe systems", "incorporated", "cndigicert sha2", "push", "next", "high", "write c", "ireland as16509", "delete", "dirty", "tags", "t1012", "flow endpoint", "security scan", "t1106", "copyright", "levelblue" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 608, "FileHash-SHA1": 433, "FileHash-SHA256": 3663, "URL": 17104, "domain": 1316, "email": 39, "hostname": 4208, "SSLCertFingerprint": 17 }, "indicator_count": 27388, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "226 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://forwardemail.net/es/blog/open-source/apple-email-clients", "careersandenterprise.appleid.com \u2022 http://apple.appleid.com/", "http://autoconfig.delterserver.org/", "yyz.llm-gateway.truefoundry.com \u2022 trail.truefoundry.com \u2022 sin.llm-gateway.truefoundry.com", "Examining pulse created by scnrscnr is worth reviewing. I was surprised tonal see a targets name.I didn\u2019t see Foundry highlighted", "IDS Detections: Possible ETERNALBLUE Probe MS17-010 (Generic Flags)", "http://scteamcommunity.com/4k-high-res-porn-videos/squirt phishing", "Appears to be closely associated with close relative and initial victim of attack.", "https://otx.alienvault.com/pulse/5fa57698ac0f6638b7b9a8ba", "Couldn\u2019t pulse 1st pulse so here\u2019s what\u2019s left", "IDS Detections: Observed Discord Domain in DNS Lookup (discord .com) Discord Chat Service Domain in DNS Lookup (discord .com)", "https://hybrid-analysis.com/sample/904630d9e73c404a0581c822970935ae49940d09402a55d96712293baa5e8061/68dd9a7397836f17be0d1485", "Don\u2019t click! https://webapps.stackexchange.com/questions/172215/google-videos-search-sca-esv-query-parameter-possible-tracking | Infected systems", "Alt + Google \u2018branded\u2019 search engine (monitoring targets searches) YouTube mirroring.", "ConventionEngine_Term_Dropbox \u2022 Dropbox", "Alerts : suspicious_write_exe nids_exploit_alert process_martian injection_resumethread js_eval", "http://www.visitbooker.com/Dropbox-07/index.htm", "Suspicious apps", "URL https://mailcatcher.qa2.white-label-dating.com", "chromeshorts.com mirroring YouTube.com googlechinablog.com \u2022 www.google.com \u2022 108.177.121.105", "ic1-privaterelay.appleid.com \u2022 ic2-privaterelay.appleid.com\t\u2022 ic4-privaterelay.appleid.com", "IDS Detections : Possible ETERNALBLUE Probe MS17-010 (MSF style)", "truefoundry.com \u2022 assets.production.truefoundry.com \u2022 cpt.llm-gateway.truefoundry.com", "http://api.jmtstudios.org/", "lm-gateway.truefoundry.com \u2022 https://assets.production.truefoundry.com/sample-openapi.json", "graphql.accounts.instagram.disk- cloud.link encrynt lenter source leric everest l Data upload Failed Extraction failed, please try again Failed to retrieve suggested indicator for graphql.accounts.instagram.disk- cloud.link Data upload Failed Extraction failed, please try again Failed to retrieve suggested indicator for graphql.accounts.instagram.disk- cloud.link showing system", "2022ww11.pornhubgsy.com \u2022 http://scteamcommunity.com/4k-high-res-porn-videos/squirt", "www.endgame.com", "IDS Detections: Observed Discord Domain (discordapp .com in TLS SNI) Observed Discord Service Domain (discord .com) in TLS SNI Less", "openvision.ro", "IDS Detections: ETERNALBLUE Probe Vulnerable System Response MS17-010", "http://pic.porn.hub-accessories.site \u2022 https://pic.porn.hub-accessories.site \u2022 pic.porn.hub-accessories.site", "DoD Network Information Center (DNIC)", "Yara: ConventionEngine_Anomaly_MultiPDB_Double , ConventionEngine_Term_Documents", "https://trail.truefoundry.com/api/track/open/usr_NEDuPPvnqv5DXyhti/tsk_L9bYYgL2HGng9mDsC", "Environment Awareness : Able to access user sensitive domai", "Alerts: network_cnc_https_generic", "http://mc.yandex-team.settings.storage-cloud.link/ \u2022 ru.disk-cloud.link", "scnrscnr pulse is good. I\u2019m assuming they\u2019re targets.", "Alerts: dynamic_function_loading injection_write_process reads_memory_remote_process", "bricked.wtf", "admin-contact-api.uat2.white-label-dating.com \u2022 capi-sns.qa1.white-label-dating.com \u2022 http://payments.uat1.white-label-dating.com", "http://aninditaannisa.blogspot.com/2019/02/tsara-brashears-porn.html \u2022 blogspot.com", "Alerts: disables_folder_options stealth_hidden_extension stealth_hiddenreg anomalous_deletefile", "Alerts: mouse_movement_detect", "https://otx.alienvault.com/indicator/hostname/palantir.hosted-by-discourse.com", "Alerts: pe_compile_timestomping antiav_detectfile antidebug_guardpages encrypted_ioc", "www.techcult.com", "https://trail.truefoundry.com/api/t/c/usr_NEDuPPvnqv5DXyhti/tsk_X2YECqnpAow7t6JuE/enc_U2FsdGVkX1_wWHRx9nPGCEspZpUcIwc1yphMTxaaQ2ZAbsxOqRR4ibXcaYtcmgJ1UgabTFCHVVBLx2oAnBAW2h8el_edjHN72Ug0yKQePjKnSJEOnQvtq8MUPo0vkU1N", "DoD Network Information Center disa.columbus.ns.mbx.arin-registrations@mail.mil [seen throughout}", "Alerts: infostealer_browser infostealer_cookies binary_yara procmem_yara static_pe_anomaly", "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html", "https://aninditaannisa.blogspot.com/2019/02/tsara-brashears-porn.html \u2022 blogspot.com \u2022 www.techcult.com/judge-the-simpsons-parody-is-child-pornography/ Whitelisted domain techcult.com\t Domain blogspot.com Whitelisted domain blogspot.com\t Domain techcult.com Whitelisted domain techcult.com\t Hostname aninditaannisa.blogspot.com \u2022 domain blogspot.com", "dash.ocrobot.com \u2022 robottherobot.com \u2022http://www.robottherobot.com/", "http://foundry.tartarynova.com phishing \u2022 https://foundry.tartarynova.com \u2022 foundry.tartarynova.com", "Attackers : Christopher P. Ahmann , Hall Render , Brian Sabey & Co , Foundry , Tulach , Quasi government entities.", "accounts.instagram.disk-cloud.link \u2022\tgraphql.accounts.instagram.disk-cloud", "Alerts : dead_connect antidebug_setunhandledexceptionfilter exec_crash IP\u2019s Contacted 104.20.151.16", "Python Wheel package", "Alerts : network_cnc_https_generic reads_self packer_entropy injection_rwx uses_windows_utilities antivm_checks_available_memory queries_computer_name queries_user_name", "IDS Detections: Observed Discord Domain (discord .com in TLS SNI)", "IDS Detections: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)", "Alerts : ransomware_file_modifications stealth_file procmem_yara static_pe_anomaly", "https://www.google.com/search", "162.159.128.233 \u2022 http://tsar.vicly.org \u2022 https://tsar.vicly.org \u2022 tsar.vicly.org \u2022 vicly.org \u2022 https://tsar.vicly.org/", "Alerts : recono_fingerprint antivm_memory_available", "Alerts : network_http allocates_rwx suspicious_process stealth_window uses_windows_utilities", "Yara: Detections ConventionEngine_Term_Users", "Yara : UPX , Nrv2x , UPX_OEP_place , UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , UPXv20MarkusLaszloReiser", "Foundry stalking.", "http://apple-carry-relay.fastly-edge.com \u2022 appleid.com \u2022 charterhomeschoolacademy.appleid.com", "Yara Detections: stack_string , case_4485_ekix4 Alerts: procmem_yara dynamic_function_loading", "IDS Detections: SMB-DS IPC$ unicode share access SMB-DS IPC$ share access", "https://trail.truefoundry.com/api/track/open/usr_NEDuPPvnqv5DXyhti/tsk_X2YECqnpAow7t6JuE", "Alerts: dead_connect antidebug_setunhandledexceptionfilter exec_crash IP\u2019s Domains Contacted : 104.20.151.16", "Potentially disturbing , personal , invasive, aggressive, intimate behavior of party.", "https://www.youtube.com/channel/UCSYMkiAJcNXbO5-aemTSxvw", "Yara : MS_Visual_Basic_6_0 ,", "https://www.jmtstudios.org/farewell/", "sonar.tools.nonprod.civicalg.com" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Et", "Other dangerous malware", "Win.malware.remoteadmin-7056666-0", "Upadter", "Trojandropper:win32/vb.il0", "Alf:heraklezeval:pua:win32/ultradownloads", "Win.malware.convagent-9981433-0", "Trojan:win32/zusy", "Mydoom", "Alf:trojan:win32/cassini_56a3061!ibt", "Wannacry", "A variant of win32/kryptik.deoa", "Win.ransomware.msilzilla-10014498-0", "Lockbit", "Trojan:win32/magania.dsk!mtb", "Alf:exploit:win32/gsharedinforef.a" ], "industries": [ "Telecommunications", "Technology", "Civilian", "Oil", "Financial", "Targeted" ], "unique_indicators": 112247 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/civicalg.com", "whois": "http://whois.domaintools.com/civicalg.com", "domain": "civicalg.com", "hostname": "dev01.poc.civicalg.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 13, "pulses": [ { "id": "693596f8cd50958de6e9415c", "name": "Eternal Blue Probe - YouTube - GSE", "description": "EternalBlue is an exploit that targets a critical vulnerability (CVE-2017-0144, part of the larger MS17-010 security bulletin) in Microsoft's implementation of the Server Message Block (SMB) version 1 (SMBv1) protocol, which is used for file and printer sharing on Windows networks. \nVulnerability: The flaw allows an unauthenticated, remote attacker to execute arbitrary code on a vulnerable system by sending specially crafted packets to the SMBv1 server.\nOrigin: The exploit was developed by the NSA but was stolen and publicly leaked in April 2017 by a hacker group known as the Shadow Brokers.\nMajor Attacks: Shortly after its leak, EternalBlue was used in major, widespread cyberattacks, most notably the WannaCry and NotPetya ransomware outbreaks, which caused massive global disruption. The self-propagating \"wormable\" nature of the exploit allowed malware to spread rapidly across networks.", "modified": "2026-01-06T00:03:32.099000", "created": "2025-12-07T15:02:16.840000", "tags": [ "asn as8068", "cloud provider", "reverse dns", "america flag", "united", "america asn", "as8068", "united states", "avast avg", "ids detections", "yara detections", "probe ms17010", "smbds ipc", "av detections", "alerts", "read c", "medium", "rgba", "unicode", "msf style", "dock", "write", "execution", "malware", "eternal blue", "check in", "file score", "medium risk", "generic flags", "ms17010", "none alerts", "less ip", "contacted", "matches", "mirroring", "chromeshorts", "gse", "google", "youtube", "dating apps", "suspicious apps", "search engine", "redirect", "eternalblue" ], "references": [ "chromeshorts.com mirroring YouTube.com googlechinablog.com \u2022 www.google.com \u2022 108.177.121.105", "IDS Detections: ETERNALBLUE Probe Vulnerable System Response MS17-010", "IDS Detections : Possible ETERNALBLUE Probe MS17-010 (MSF style)", "IDS Detections: Possible ETERNALBLUE Probe MS17-010 (Generic Flags)", "IDS Detections: SMB-DS IPC$ unicode share access SMB-DS IPC$ share access", "Environment Awareness : Able to access user sensitive domai", "Alerts : suspicious_write_exe nids_exploit_alert process_martian injection_resumethread js_eval", "Alerts : network_http allocates_rwx suspicious_process stealth_window uses_windows_utilities", "Alerts : recono_fingerprint antivm_memory_available", "www.endgame.com", "admin-contact-api.uat2.white-label-dating.com \u2022 capi-sns.qa1.white-label-dating.com \u2022 http://payments.uat1.white-label-dating.com", "URL https://mailcatcher.qa2.white-label-dating.com", "Attackers : Christopher P. Ahmann , Hall Render , Brian Sabey & Co , Foundry , Tulach , Quasi government entities.", "Alt + Google \u2018branded\u2019 search engine (monitoring targets searches) YouTube mirroring.", "Suspicious apps" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 449, "FileHash-MD5": 26, "FileHash-SHA1": 6, "FileHash-SHA256": 169, "URL": 719, "domain": 86, "SSLCertFingerprint": 1 }, "indicator_count": 1456, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "103 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6923408464566e39caf32285", "name": "Discord- DNS | Malvertizing | Ransom/Msilzilla (sifting IoC\u2019s created by scnrscnr)", "description": "TAGS\nActive\n443 ma2592000\nChristopher Pool\nPool's Closed\nTimothy Pool\na li\n google\namerica att\napache\napache ip\nasn as46606\nauditmode force\nbehavior\nbinary\nbinary file\nbk role\nchat\ncheck\nchrome\nck ids\ncommon stealer\ncookie\ndata upload\ndefender\ndelete c\ndirectui\ndiscord\ndns lookup\ndomain add\ndrop\ndynamicloader\neb d8\nee fc\nerror oct\nexplorer\nexternal ip\nextraction\nf0 ff\nfailed\nff bb\nff d5\nff ff\nfiles\nfoundry\ngmt content\ngmt etag\ngmt server\ngoogle chrome\nguard\nhigh\ninsert\nlolminer\nmalware\nmedia\nmeta\nmoved\nmovie\nmsie\nmsvisualbasic60\nmtb aug -present \nneversend\npowershell\nrelated nids\nresponse ip\nself\nservice domain\nsingapore\nsmartassembly\nspan\nspan a\nsx08x00x00a\ntargeting\ntls sni\ntrojan\ntrojandropper\ntwitter\ntx08x00x00n\nunique\nuser agent\nux08x00x00h\nvirtool\nvirustotal api\nvoice\nvx08x00x00j\nwrite\nwrite c\nwx08x00x00\nx08x00x00b\nx08x00x00x00\nyara\nyara rule\nyx08x00x00l\nz3je\nz3uwq7\nzx08x00x00", "modified": "2025-12-23T16:04:54.329000", "created": "2025-11-23T17:12:36.917000", "tags": [ "no expiration", "expiration", "url https", "url http", "filehashsha256", "hostname", "domain", "filehashmd5", "filehashsha1", "ipv4", "code", "pool", "timothy pool", "z3je z3uwq7", "creation date", "ip address", "emails", "expiration date", "status", "hostname add", "pulse pulses", "passive dns", "urls", "date" ], "references": [ "https://otx.alienvault.com/pulse/5fa57698ac0f6638b7b9a8ba", "Examining pulse created by scnrscnr is worth reviewing. I was surprised tonal see a targets name.I didn\u2019t see Foundry highlighted", "http://aninditaannisa.blogspot.com/2019/02/tsara-brashears-porn.html \u2022 blogspot.com", "https://aninditaannisa.blogspot.com/2019/02/tsara-brashears-porn.html \u2022 blogspot.com \u2022 www.techcult.com/judge-the-simpsons-parody-is-child-pornography/ Whitelisted domain techcult.com\t Domain blogspot.com Whitelisted domain blogspot.com\t Domain techcult.com Whitelisted domain techcult.com\t Hostname aninditaannisa.blogspot.com \u2022 domain blogspot.com", "www.techcult.com", "http://foundry.tartarynova.com phishing \u2022 https://foundry.tartarynova.com \u2022 foundry.tartarynova.com", "https://trail.truefoundry.com/api/t/c/usr_NEDuPPvnqv5DXyhti/tsk_X2YECqnpAow7t6JuE/enc_U2FsdGVkX1_wWHRx9nPGCEspZpUcIwc1yphMTxaaQ2ZAbsxOqRR4ibXcaYtcmgJ1UgabTFCHVVBLx2oAnBAW2h8el_edjHN72Ug0yKQePjKnSJEOnQvtq8MUPo0vkU1N", "https://trail.truefoundry.com/api/track/open/usr_NEDuPPvnqv5DXyhti/tsk_L9bYYgL2HGng9mDsC", "https://trail.truefoundry.com/api/track/open/usr_NEDuPPvnqv5DXyhti/tsk_X2YECqnpAow7t6JuE", "truefoundry.com \u2022 assets.production.truefoundry.com \u2022 cpt.llm-gateway.truefoundry.com", "yyz.llm-gateway.truefoundry.com \u2022 trail.truefoundry.com \u2022 sin.llm-gateway.truefoundry.com", "lm-gateway.truefoundry.com \u2022 https://assets.production.truefoundry.com/sample-openapi.json", "162.159.128.233 \u2022 http://tsar.vicly.org \u2022 https://tsar.vicly.org \u2022 tsar.vicly.org \u2022 vicly.org \u2022 https://tsar.vicly.org/", "http://scteamcommunity.com/4k-high-res-porn-videos/squirt phishing", "http://pic.porn.hub-accessories.site \u2022 https://pic.porn.hub-accessories.site \u2022 pic.porn.hub-accessories.site", "2022ww11.pornhubgsy.com \u2022 http://scteamcommunity.com/4k-high-res-porn-videos/squirt", "IDS Detections: Observed Discord Domain in DNS Lookup (discord .com) Discord Chat Service Domain in DNS Lookup (discord .com)", "IDS Detections: Observed Discord Domain (discord .com in TLS SNI)", "IDS Detections: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)", "IDS Detections: Observed Discord Domain (discordapp .com in TLS SNI) Observed Discord Service Domain (discord .com) in TLS SNI Less", "Yara: Detections ConventionEngine_Term_Users", "Yara: ConventionEngine_Anomaly_MultiPDB_Double , ConventionEngine_Term_Documents", "Alerts: infostealer_browser infostealer_cookies binary_yara procmem_yara static_pe_anomaly", "Alerts: pe_compile_timestomping antiav_detectfile antidebug_guardpages encrypted_ioc", "Alerts: dynamic_function_loading injection_write_process reads_memory_remote_process", "Alerts : network_cnc_https_generic reads_self packer_entropy injection_rwx uses_windows_utilities antivm_checks_available_memory queries_computer_name queries_user_name", "Yara : MS_Visual_Basic_6_0 ,", "Yara : UPX , Nrv2x , UPX_OEP_place , UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , UPXv20MarkusLaszloReiser", "Alerts : ransomware_file_modifications stealth_file procmem_yara static_pe_anomaly", "Alerts: disables_folder_options stealth_hidden_extension stealth_hiddenreg anomalous_deletefile", "Alerts: mouse_movement_detect", "Couldn\u2019t pulse 1st pulse so here\u2019s what\u2019s left", "scnrscnr pulse is good. I\u2019m assuming they\u2019re targets.", "Foundry stalking." ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "TrojanDropper:Win32/VB.IL0", "display_name": "TrojanDropper:Win32/VB.IL0", "target": "/malware/TrojanDropper:Win32/VB.IL0" }, { "id": "ALF:Trojan:Win32/Cassini_56a3061!ibt", "display_name": "ALF:Trojan:Win32/Cassini_56a3061!ibt", "target": null }, { "id": "Win.Ransomware.Msilzilla-10014498-0", "display_name": "Win.Ransomware.Msilzilla-10014498-0", "target": null } ], "attack_ids": [ { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1443", "name": "Remotely Install Application", "display_name": "T1443 - Remotely Install Application" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 773, "FileHash-SHA1": 684, "FileHash-SHA256": 1910, "CVE": 2, "SSLCertFingerprint": 4, "URL": 3783, "domain": 878, "email": 7, "hostname": 1913 }, "indicator_count": 9954, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "116 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68f9288e0d98f3b44c2cb90c", "name": "Ultrasounds attack - South African criminal group-Denver, Vo affects critical infrastructure , Oil and public safety", "description": "South African and Ethiopian crime group with Denver , Co presence is not only infiltrating infrastructure from banking to oil, they are human traffickers, hitmen and yes, I received this tip from team member Pheona who a \u2018sassa.gov.za\u2018 South African link recurrently as a top search suggestion in a \u2018targets\u2019 browser. The most frightening piece is that a name listed is of an Ethiopian man who attempted to force a very targeted victim to go somewhere with him,, be his girlfriend and did show up outside of her residence in a different City & County. He also knew the exact name of where she purchased specific items. If you can see this. Please help the best way you can. Something is incredibly wrong. [OTX auto populated Title: We can\u2019t rely on goodwill to protect our critical infrastructure - Help Net Security]", "modified": "2025-11-21T18:02:11.054000", "created": "2025-10-22T18:55:10.527000", "tags": [ "server nginx", "date fri", "etag w", "urls", "passive dns", "acceptranges", "contentlength", "date thu", "gmt expires", "server", "code", "link", "script script", "south africa", "ipv4", "files", "location south", "accept", "present aug", "certificate", "hostname add", "domain", "files ip", "unknown a", "script urls", "ip address", "unknown soa", "unknown ns", "reverse dns", "africa flag", "asn as16637", "dns resolutions", "domains top", "level", "unique tld", "related pulses", "tags none", "indicator facts", "title", "ipv4 add", "opinion", "netacea", "lockbit", "wannacry attack", "nhs trusts", "council", "uk government", "protect", "cni safe", "acls", "praio", "prink", "prsc", "prla", "lg2en", "cti98", "search", "seiko epson", "corporation", "arc file", "malware", "delete c", "default", "show", "write", "next", "unknown", "united", "tlsv1", "msie", "windows nt", "wow64", "slcc2", "media center", "as15169", "port", "execution", "dock", "capture", "persistence", "yara detections", "filehash", "md5 add", "pulse pulses", "av detections", "ids detections", "alerts", "analysis date", "file score", "low risk", "cabinet archive", "microsoft", "read c", "dynamicloader", "medium", "ltda me", "high", "write c", "entries", "checks", "delphi", "win32", "url pulse", "data upload", "extraction", "find suggested", "type", "domain hostname", "url add", "http", "related nids", "files location", "ireland flag", "files domain", "chrome", "ireland unknown", "pulse submit", "url analysis", "body", "date", "status", "name servers", "creation date", "expiration date", "flag united", "destination", "systemdrive", "html document", "crlf line", "updater", "copy", "unknown aaaa", "moved", "domain add", "extri data", "enter sc", "extr include", "review exclude", "sugges", "present jul", "saudi arabia", "present mar", "present oct", "present jun", "present feb", "present nov", "present may", "eeee", "eeeeeee", "eeeeee", "eefe", "ebeee", "ee eme", "eeheee", "eeefee e", "eeeee e", "vmprotect", "push", "local", "defender", "regsetvalueexa", "utf8 unicode" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Lockbit", "display_name": "Lockbit", "target": null }, { "id": "ALF:HeraklezEval:PUA:Win32/UltraDownloads", "display_name": "ALF:HeraklezEval:PUA:Win32/UltraDownloads", "target": null }, { "id": "Other Dangerous Malware", "display_name": "Other Dangerous Malware", "target": null } ], "attack_ids": [ { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1561", "name": "Disk Wipe", "display_name": "T1561 - Disk Wipe" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" } ], "industries": [ "Oil" ], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 648, "hostname": 1604, "FileHash-SHA256": 1826, "URL": 4153, "FileHash-MD5": 102, "FileHash-SHA1": 60, "SSLCertFingerprint": 18, "CVE": 2, "email": 5 }, "indicator_count": 8418, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "148 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68f93b1cebf80f48450bd517", "name": "Yuner - File deletion and Disk Wiping / Cyberstalking ", "description": "", "modified": "2025-11-21T18:02:11.054000", "created": "2025-10-22T20:14:20.632000", "tags": [ "server nginx", "date fri", "etag w", "urls", "passive dns", "acceptranges", "contentlength", "date thu", "gmt expires", "server", "code", "link", "script script", "south africa", "ipv4", "files", "location south", "accept", "present aug", "certificate", "hostname add", "domain", "files ip", "unknown a", "script urls", "ip address", "unknown soa", "unknown ns", "reverse dns", "africa flag", "asn as16637", "dns resolutions", "domains top", "level", "unique tld", "related pulses", "tags none", "indicator facts", "title", "ipv4 add", "opinion", "netacea", "lockbit", "wannacry attack", "nhs trusts", "council", "uk government", "protect", "cni safe", "acls", "praio", "prink", "prsc", "prla", "lg2en", "cti98", "search", "seiko epson", "corporation", "arc file", "malware", "delete c", "default", "show", "write", "next", "unknown", "united", "tlsv1", "msie", "windows nt", "wow64", "slcc2", "media center", "as15169", "port", "execution", "dock", "capture", "persistence", "yara detections", "filehash", "md5 add", "pulse pulses", "av detections", "ids detections", "alerts", "analysis date", "file score", "low risk", "cabinet archive", "microsoft", "read c", "dynamicloader", "medium", "ltda me", "high", "write c", "entries", "checks", "delphi", "win32", "url pulse", "data upload", "extraction", "find suggested", "type", "domain hostname", "url add", "http", "related nids", "files location", "ireland flag", "files domain", "chrome", "ireland unknown", "pulse submit", "url analysis", "body", "date", "status", "name servers", "creation date", "expiration date", "flag united", "destination", "systemdrive", "html document", "crlf line", "updater", "copy", "unknown aaaa", "moved", "domain add", "extri data", "enter sc", "extr include", "review exclude", "sugges", "present jul", "saudi arabia", "present mar", "present oct", "present jun", "present feb", "present nov", "present may", "eeee", "eeeeeee", "eeeeee", "eefe", "ebeee", "ee eme", "eeheee", "eeefee e", "eeeee e", "vmprotect", "push", "local", "defender", "regsetvalueexa", "utf8 unicode" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Lockbit", "display_name": "Lockbit", "target": null }, { "id": "ALF:HeraklezEval:PUA:Win32/UltraDownloads", "display_name": "ALF:HeraklezEval:PUA:Win32/UltraDownloads", "target": null }, { "id": "Other Dangerous Malware", "display_name": "Other Dangerous Malware", "target": null } ], "attack_ids": [ { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1561", "name": "Disk Wipe", "display_name": "T1561 - Disk Wipe" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" } ], "industries": [ "Oil" ], "TLP": "green", "cloned_from": "68f9288e0d98f3b44c2cb90c", "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 648, "hostname": 1604, "FileHash-SHA256": 1826, "URL": 4153, "FileHash-MD5": 102, "FileHash-SHA1": 60, "SSLCertFingerprint": 18, "CVE": 2, "email": 5 }, "indicator_count": 8418, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "148 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68ee5e9f8cfc5fbc73142660", "name": "Gaming Studios - YouTube - MyDoom", "description": "", "modified": "2025-11-13T12:05:32.283000", "created": "2025-10-14T14:30:55.471000", "tags": [ "no expiration", "url https", "url http", "iocs", "ipv4", "enter source", "indicator role", "title added", "active related", "united", "present jul", "unknown ns", "search", "for privacy", "moved", "ip address", "encrypt", "a domains", "script urls", "meta", "pragma", "general full", "reverse dns", "software", "resource", "security tls", "piscataway", "asn20473", "asn15169", "google", "asvultr", "portfolio", "josh theriault", "upei", "university", "island", "roblox", "jmt studios", "moon engine", "android", "icpc", "north america", "qualifier", "hello", "apache", "runner", "eric everest", "games", "cloudflar", "amazon02", "as autonomous", "system", "canada", "value", "domainpath name", "cgjerrieegaggq", "name value", "form", "game development", "blog", "jmt99", "developer", "event", "bullseye", "trick or treat", "unofficial trick or treat 2014", "unofficial trick or treat 2015", "egg hunt", "gift hunt", "hallows quest", "studio", "experience", "fall", "january", "july", "founder", "studio head", "passive dns", "urls", "registrar", "title", "roblox jmt99 \"jmt studios\" \"trick or treat\" \"egg hunt\"", "press copyright", "contact", "privacy policy", "safety how", "youtube", "test", "nfl sunday", "ticket", "google llc", "data upload", "extraction", "failed", "files", "twitter", "variables", "cgjjtbieggagla", "nid value", "expiration date", "files ip", "dynamicloader", "write c", "delete c", "intel", "ms windows", "medium", "default", "write", "guard", "mozilla", "malware", "defender", "unknown", "domains", "hashes", "url analysis", "unknown aaaa", "script domains", "certificate", "game", "servers", "unofficial", "settings", "public", "endpoints", "currently", "game servers", "current", "meta name", "robots content", "x ua", "ieedge chrome1", "incapsula", "request", "role title", "related pulses", "domain v", "url indicator", "nameilname", "ascii text", "mitre att", "ck id", "ck matrix", "hybrid", "general", "local", "path", "click", "strings", "pe file", "high", "yara detections", "dynamic", "v hostname", "se fos", "include v", "domain url", "data", "alltypes", "win32mydoom oct", "trojan", "url add", "http", "related nids", "files location", "canada flag", "canada hostname", "canada unknown", "canada", "present aug", "name servers", "present sep", "aaaa", "present oct", "crlf line", "unicode text", "music", "suspicious", "bricked.wtf", "flag united", "google safe", "domain", "address domain", "united states", "filehashsha256", "hostname xn", "finland unknown", "filehashmd5", "indicators hong", "kong", "south korea", "present jun", "present mar", "present may", "olet", "cnr12", "tlsv1", "get updates", "upatre", "added active", "apple", "everest", "josh paul", "upadter", "convagent", "info stealing", "delete service", "phishing", "fraud", "social engineering", "gamer", "hacker", "adversaries", "icloud", "found", "gmt content", "error", "redacted for", "meta http", "content", "gmt server", "france unknown", "poland unknown", "content type", "xml title", "hostname add", "address", "location united", "life", "century link llc", "xfinity", "livesex", "domain add", "users", "show", "delete", "blocked by quad9", "showing", "record value", "location canada", "canada asn", "accept", "cookie", "macbook", "ipv4 add", "america flag", "america asn", "asn as714", "less", "woodynet", "next associated", "status", "exclude sugges", "ip related", "t1027.013" ], "references": [ "https://www.jmtstudios.org/farewell/", "https://www.youtube.com/channel/UCSYMkiAJcNXbO5-aemTSxvw", "graphql.accounts.instagram.disk- cloud.link encrynt lenter source leric everest l Data upload Failed Extraction failed, please try again Failed to retrieve suggested indicator for graphql.accounts.instagram.disk- cloud.link Data upload Failed Extraction failed, please try again Failed to retrieve suggested indicator for graphql.accounts.instagram.disk- cloud.link showing system", "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html", "ConventionEngine_Term_Dropbox \u2022 Dropbox", "http://api.jmtstudios.org/", "bricked.wtf", "ic1-privaterelay.appleid.com \u2022 ic2-privaterelay.appleid.com\t\u2022 ic4-privaterelay.appleid.com", "http://apple-carry-relay.fastly-edge.com \u2022 appleid.com \u2022 charterhomeschoolacademy.appleid.com", "careersandenterprise.appleid.com \u2022 http://apple.appleid.com/", "https://forwardemail.net/es/blog/open-source/apple-email-clients", "accounts.instagram.disk-cloud.link \u2022\tgraphql.accounts.instagram.disk-cloud", "http://mc.yandex-team.settings.storage-cloud.link/ \u2022 ru.disk-cloud.link", "http://www.visitbooker.com/Dropbox-07/index.htm", "dash.ocrobot.com \u2022 robottherobot.com \u2022http://www.robottherobot.com/", "Appears to be closely associated with close relative and initial victim of attack.", "Potentially disturbing , personal , invasive, aggressive, intimate behavior of party." ], "public": 1, "adversary": "", "targeted_countries": [ "Hong Kong", "United States of America" ], "malware_families": [ { "id": "Win.Malware.Convagent-9981433-0", "display_name": "Win.Malware.Convagent-9981433-0", "target": null }, { "id": "Upadter", "display_name": "Upadter", "target": null }, { "id": "MyDoom", "display_name": "MyDoom", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 23, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6996, "FileHash-MD5": 281, "FileHash-SHA1": 220, "FileHash-SHA256": 2673, "domain": 1747, "email": 24, "hostname": 2803, "SSLCertFingerprint": 3 }, "indicator_count": 14747, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "157 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68ee5ea4d51d4a1cabdb4ee9", "name": "Gaming Studios - YouTube - MyDoom", "description": "", "modified": "2025-11-13T12:05:32.283000", "created": "2025-10-14T14:31:00.172000", "tags": [ "no expiration", "url https", "url http", "iocs", "ipv4", "enter source", "indicator role", "title added", "active related", "united", "present jul", "unknown ns", "search", "for privacy", "moved", "ip address", "encrypt", "a domains", "script urls", "meta", "pragma", "general full", "reverse dns", "software", "resource", "security tls", "piscataway", "asn20473", "asn15169", "google", "asvultr", "portfolio", "josh theriault", "upei", "university", "island", "roblox", "jmt studios", "moon engine", "android", "icpc", "north america", "qualifier", "hello", "apache", "runner", "eric everest", "games", "cloudflar", "amazon02", "as autonomous", "system", "canada", "value", "domainpath name", "cgjerrieegaggq", "name value", "form", "game development", "blog", "jmt99", "developer", "event", "bullseye", "trick or treat", "unofficial trick or treat 2014", "unofficial trick or treat 2015", "egg hunt", "gift hunt", "hallows quest", "studio", "experience", "fall", "january", "july", "founder", "studio head", "passive dns", "urls", "registrar", "title", "roblox jmt99 \"jmt studios\" \"trick or treat\" \"egg hunt\"", "press copyright", "contact", "privacy policy", "safety how", "youtube", "test", "nfl sunday", "ticket", "google llc", "data upload", "extraction", "failed", "files", "twitter", "variables", "cgjjtbieggagla", "nid value", "expiration date", "files ip", "dynamicloader", "write c", "delete c", "intel", "ms windows", "medium", "default", "write", "guard", "mozilla", "malware", "defender", "unknown", "domains", "hashes", "url analysis", "unknown aaaa", "script domains", "certificate", "game", "servers", "unofficial", "settings", "public", "endpoints", "currently", "game servers", "current", "meta name", "robots content", "x ua", "ieedge chrome1", "incapsula", "request", "role title", "related pulses", "domain v", "url indicator", "nameilname", "ascii text", "mitre att", "ck id", "ck matrix", "hybrid", "general", "local", "path", "click", "strings", "pe file", "high", "yara detections", "dynamic", "v hostname", "se fos", "include v", "domain url", "data", "alltypes", "win32mydoom oct", "trojan", "url add", "http", "related nids", "files location", "canada flag", "canada hostname", "canada unknown", "canada", "present aug", "name servers", "present sep", "aaaa", "present oct", "crlf line", "unicode text", "music", "suspicious", "bricked.wtf", "flag united", "google safe", "domain", "address domain", "united states", "filehashsha256", "hostname xn", "finland unknown", "filehashmd5", "indicators hong", "kong", "south korea", "present jun", "present mar", "present may", "olet", "cnr12", "tlsv1", "get updates", "upatre", "added active", "apple", "everest", "josh paul", "upadter", "convagent", "info stealing", "delete service", "phishing", "fraud", "social engineering", "gamer", "hacker", "adversaries", "icloud", "found", "gmt content", "error", "redacted for", "meta http", "content", "gmt server", "france unknown", "poland unknown", "content type", "xml title", "hostname add", "address", "location united", "life", "century link llc", "xfinity", "livesex", "domain add", "users", "show", "delete", "blocked by quad9", "showing", "record value", "location canada", "canada asn", "accept", "cookie", "macbook", "ipv4 add", "america flag", "america asn", "asn as714", "less", "woodynet", "next associated", "status", "exclude sugges", "ip related", "t1027.013" ], "references": [ "https://www.jmtstudios.org/farewell/", "https://www.youtube.com/channel/UCSYMkiAJcNXbO5-aemTSxvw", "graphql.accounts.instagram.disk- cloud.link encrynt lenter source leric everest l Data upload Failed Extraction failed, please try again Failed to retrieve suggested indicator for graphql.accounts.instagram.disk- cloud.link Data upload Failed Extraction failed, please try again Failed to retrieve suggested indicator for graphql.accounts.instagram.disk- cloud.link showing system", "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html", "ConventionEngine_Term_Dropbox \u2022 Dropbox", "http://api.jmtstudios.org/", "bricked.wtf", "ic1-privaterelay.appleid.com \u2022 ic2-privaterelay.appleid.com\t\u2022 ic4-privaterelay.appleid.com", "http://apple-carry-relay.fastly-edge.com \u2022 appleid.com \u2022 charterhomeschoolacademy.appleid.com", "careersandenterprise.appleid.com \u2022 http://apple.appleid.com/", "https://forwardemail.net/es/blog/open-source/apple-email-clients", "accounts.instagram.disk-cloud.link \u2022\tgraphql.accounts.instagram.disk-cloud", "http://mc.yandex-team.settings.storage-cloud.link/ \u2022 ru.disk-cloud.link", "http://www.visitbooker.com/Dropbox-07/index.htm", "dash.ocrobot.com \u2022 robottherobot.com \u2022http://www.robottherobot.com/", "Appears to be closely associated with close relative and initial victim of attack.", "Potentially disturbing , personal , invasive, aggressive, intimate behavior of party." ], "public": 1, "adversary": "", "targeted_countries": [ "Hong Kong", "United States of America" ], "malware_families": [ { "id": "Win.Malware.Convagent-9981433-0", "display_name": "Win.Malware.Convagent-9981433-0", "target": null }, { "id": "Upadter", "display_name": "Upadter", "target": null }, { "id": "MyDoom", "display_name": "MyDoom", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 27, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6996, "FileHash-MD5": 281, "FileHash-SHA1": 220, "FileHash-SHA256": 2673, "domain": 1747, "email": 24, "hostname": 2803, "SSLCertFingerprint": 3 }, "indicator_count": 14747, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "157 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68dda4bcade283258f6ed707", "name": "Delta Server - Phishing", "description": "Related to FBI.gov and maliciously coded image found on Google image search result on a fully updated yet hacked iOS device.", "modified": "2025-10-31T21:05:05.615000", "created": "2025-10-01T22:01:32.571000", "tags": [ "related pulses", "delta server", "phishing", "fbi.gov?", "hacked images", "gogle", "google search", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "defense evasion", "spawns", "access att", "windows nt", "size", "mitre att", "path", "general", "local", "click", "strings", "dynamicloader", "eke eekeeeke", "eeye", "eekeee ee", "eekeeeke eekeee", "search", "delete", "yara detections", "eeeee e", "yara rule", "write", "trojan", "dynamic_loading_function", "command_and_control" ], "references": [ "http://autoconfig.delterserver.org/", "https://hybrid-analysis.com/sample/904630d9e73c404a0581c822970935ae49940d09402a55d96712293baa5e8061/68dd9a7397836f17be0d1485", "Yara Detections: stack_string , case_4485_ekix4 Alerts: procmem_yara dynamic_function_loading", "Alerts: network_cnc_https_generic", "Alerts : dead_connect antidebug_setunhandledexceptionfilter exec_crash IP\u2019s Contacted 104.20.151.16", "Alerts: dead_connect antidebug_setunhandledexceptionfilter exec_crash IP\u2019s Domains Contacted : 104.20.151.16" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 463, "domain": 60, "hostname": 210, "FileHash-MD5": 51, "FileHash-SHA1": 85, "FileHash-SHA256": 203, "SSLCertFingerprint": 1 }, "indicator_count": 1073, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "169 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68c5d0cd10f7bf6c3e6fa513", "name": "Remote admin privileges affecting online payment service redirect", "description": "Openvision.ro.\nRemote admin privileges affecting online targeted users https://paypal.com redirect fed.paypal.com", "modified": "2025-10-13T19:29:11.484000", "created": "2025-09-13T20:15:09.236000", "tags": [ "domain", "url analysis", "passive dns", "urls", "ip address", "extraction", "s data", "extrac data", "included", "review ioc", "excluded", "data upload", "failed", "extra data", "include review", "exclude suggest", "find s", "typ no", "exclude sugges", "typ hos", "error dec", "servers", "value name", "dnssec active", "domain name", "domain status", "ok expiration", "date", "name servers", "referral url", "files", "reverse dns", "romania asn", "as20616", "dns resolutions", "domains top", "level", "unique tld", "dynamicloader", "medium", "high", "yara detections", "upxoepplace", "yara rule", "bochs", "anomalous file", "dynamic", "reads", "ping", "markus", "april", "copy", "entries exif", "data show", "search", "value exe", "script", "fileflags", "fileflagsmask", "fileos win32", "executable", "large address", "next resource", "strings show", "value ud975", "uude17\u17e9", "\u1b53 ud9ff\u1818udf1e", "uda64", "udec3", "intel", "ms windows", "ascii text", "crlf line", "registry total", "read", "write", "delete", "type", "extra", "pulse", "record type", "ttl value", "a mx", "thumbprint", "match info", "info", "mitre att", "ta0002 command", "t1059 severity", "modules t1129", "windows api", "ta0003 modify", "registry t1112", "defense evasion", "resolved ips", "files matching", "number", "sample analysis", "hide samples", "date hash", "sabey type", "rexx type", "foundry type", "palantir" ], "references": [ "openvision.ro", "sonar.tools.nonprod.civicalg.com" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Win.Malware.Remoteadmin-7056666-0", "display_name": "Win.Malware.Remoteadmin-7056666-0", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1609", "name": "Container Administration Command", "display_name": "T1609 - Container Administration Command" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1447", "name": "Delete Device Data", "display_name": "T1447 - Delete Device Data" }, { "id": "T1459", "name": "Device Unlock Code Guessing or Brute Force", "display_name": "T1459 - Device Unlock Code Guessing or Brute Force" }, { "id": "T1463", "name": "Manipulate Device Communication", "display_name": "T1463 - Manipulate Device Communication" }, { "id": "T1450", "name": "Exploit SS7 to Track Device Location", "display_name": "T1450 - Exploit SS7 to Track Device Location" } ], "industries": [ "Financial", "Targeted", "Technology", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 76, "FileHash-SHA256": 33, "FileHash-MD5": 27, "FileHash-SHA1": 35, "hostname": 213, "URL": 345 }, "indicator_count": 729, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "187 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68ae5b9ef87646927a236b61", "name": "Privacy - Google Videos Search - Web Applications Stack Exchange = WannaCry", "description": "Description: dfir.blog - A blog about Digital Forensics & Incident Response\ndfir.blog\nDigital forensics, web browsers, visualizations, & open source tools.\n#monitoring #dod(?) #chinacache #crypt #ransom#infectedsystems", "modified": "2025-09-26T00:01:12.214000", "created": "2025-08-27T01:13:02.780000", "tags": [ "google", "mullvad browser", "value", "incognito mode", "mine", "unix time", "friday", "january", "does", "tor browser", "search", "show", "langchinese", "packing t1045", "t1045", "medium", "pe resource", "module load", "t1129", "service", "trojan", "copy", "dock", "write", "malware", "clock", "united", "passive dns", "urls", "next associated", "gmt cache", "ipv4 add", "pulse pulses", "files", "reverse dns", "win32", "title", "location united", "america flag", "america asn", "as15169 google", "dns resolutions", "domains top", "level", "unique tlds", "present aug", "china unknown", "creation date", "date", "domain", "ip address", "domain name", "expiration date", "status ok", "nanjing", "accept", "body", "div td", "td tr", "div div", "span span", "a li", "span p", "p div", "moved", "a domains", "open", "span", "uuupupu", "t1055", "process32nextw", "high", "windows", "high defense", "evasion", "delphi", "google gmail", "images sign", "advanced search", "solutions", "privacy", "store gmail", "delete delete", "report", "how search", "applying ai", "settings search", "advanced", "search search", "search help", "domainabuse", "showing", "hostname add", "url add", "http", "hostname", "files domain", "files related", "pulses none", "related tags", "read c", "tlsv1", "whitelisted", "port", "destination", "ascii text", "next", "encrypt", "script urls", "msie", "chrome", "bad gateway", "script domains", "present feb", "link", "meta", "digital", "language", "body doctype", "ghost", "present jun", "aaaa", "present jul", "present oct", "record value", "yara detections", "dock zone", "top source", "top destination", "source source", "filehash", "code", "error", "windows nt", "wow64", "slcc2", "media center", "execution", "persistence", "tulach", "brian sabey", "dod network", "orgtechref", "address range", "cidr", "network name", "allocation type", "whois server", "entity dnic", "handle", "whois lookup", "dod", "et trojan", "server header", "suspicious", "et info", "unknown", "virustotal", "specified", "download", "et", "please", "type size", "first seen", "loading", "python wheel", "dynamicloader", "intel", "ms windows", "pe32", "entries", "user agent", "powershell", "agent", "yara rule", "checks", "levelblue", "open threat", "observed dns", "query", "dns lookup", "msdos", "wannacry dns", "lookup", "wannacry", "worm", "explorer", "msil", "darkcomet", "ping", "tools", "capture", "hallrender", "dga domains", "unfurl sites", "honey net", "bot", "nxdomain", "potential-c2" ], "references": [ "Don\u2019t click! https://webapps.stackexchange.com/questions/172215/google-videos-search-sca-esv-query-parameter-possible-tracking | Infected systems", "DoD Network Information Center (DNIC)", "DoD Network Information Center disa.columbus.ns.mbx.arin-registrations@mail.mil [seen throughout}", "Python Wheel package", "https://www.google.com/search", "https://otx.alienvault.com/indicator/hostname/palantir.hosted-by-discourse.com", "https://otx.alienvault.com/indicator/hostname/palantir.hosted-by-discourse.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Trojan:Win32/Magania.DSK!MTB", "display_name": "Trojan:Win32/Magania.DSK!MTB", "target": "/malware/Trojan:Win32/Magania.DSK!MTB" }, { "id": "Trojan:Win32/Zusy", "display_name": "Trojan:Win32/Zusy", "target": "/malware/Trojan:Win32/Zusy" }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "a variant of Win32/Kryptik.DEOA", "display_name": "a variant of Win32/Kryptik.DEOA", "target": null }, { "id": "ALF:Exploit:Win32/gSharedInfoRef.A", "display_name": "ALF:Exploit:Win32/gSharedInfoRef.A", "target": null }, { "id": "Wannacry", "display_name": "Wannacry", "target": null } ], "attack_ids": [ { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1054", "name": "Indicator Blocking", "display_name": "T1054 - Indicator Blocking" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" } ], "industries": [ "Telecommunications", "Technology", "Civilian" ], "TLP": "white", "cloned_from": null, "export_count": 40, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8221, "domain": 1216, "FileHash-SHA256": 2434, "FileHash-MD5": 296, "FileHash-SHA1": 155, "hostname": 2939, "email": 7, "SSLCertFingerprint": 8, "CIDR": 2 }, "indicator_count": 15278, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "205 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "689b9b9fab42ca4f016a226f", "name": "Elastic's Al-driven Endpoint Security - Red Team Malicious (moved?)", "description": "Endgame - Unruy Activity -System infection | (Moved) Endpoint security (MOVED) from Elastic\nElastic's Al-driven security analytics empowers you with comprehensive endpoint protection. Detect, investigate, and respond to threats faster with a single agent and unified console. Gain actionable insights for a proactive defense posture. All built on the Search\nAl platform.\n| Used maliciously against monitored non-criminal targets. |\n{ virus - https://universitycenter.uccs.edu/}\n#unruy #activity #monitored_target #red_team_malicious #trojan #worm #moved\n#ai #adversarial #custom_malware #ransom #crypt #guardrails #dns #cnc #evasive #domain_generation #remote_access #devices #remotewd #virus #custom_malware #rip #endgame \n\u2022 TrojanDropper\t\t\t\n\u2022 Win32:Evo-gen\t\u2022 Cassini\n\u2022 RansomX-gen\u2022 Zombie.A\n\u2022 win32:MalwareX-gen\t\u2022 Win32:Malware-gen \u2022 Nymeria\n\u2022 Forcud +", "modified": "2025-09-11T13:03:18.814000", "created": "2025-08-12T19:53:03.953000", "tags": [ "url http", "url https", "indicator role", "title added", "active related", "pulses url", "entries", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "spawns", "mitre att", "ck techniques", "evasion att", "href", "copy md5", "copy sha1", "copy sha256", "sha1", "sha256", "show technique", "ck matrix", "null", "refresh", "body", "span", "general", "local", "path", "iframe", "click", "date", "strings", "error", "tools", "look", "verify", "restart", "united", "unknown ns", "ip address", "creation date", "search", "present sep", "moved", "domain add", "encrypt", "accept", "please", "passive dns", "msie", "next associated", "html", "background", "unknown site", "div div", "trojan", "zeus", "process32nextw", "read c", "show", "shellexecuteexw", "windows nt", "wow64", "copy", "dock", "write", "malware", "unknown", "defense evasion", "t1480 execution", "file defense", "august", "hybrid", "port", "destination", "tlsv1", "as15169", "ogoogle trust", "cngts ca", "execution", "next", "persistence", "data upload", "extraction", "win32", "ransom", "trojandropper", "mtb nov", "forcud", "files show", "date hash", "avast avg" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 29, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4179, "domain": 774, "hostname": 1673, "FileHash-MD5": 169, "FileHash-SHA1": 110, "FileHash-SHA256": 2073, "email": 1, "SSLCertFingerprint": 13, "CVE": 1 }, "indicator_count": 8993, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "220 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://dev01.poc.civicalg.com/", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://dev01.poc.civicalg.com/", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776611640.2395256 }