{ "type": "URL", "indicator": "https://docs.azuremaps.com", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://docs.azuremaps.com", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3958122611, "indicator": "https://docs.azuremaps.com", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 5, "pulses": [ { "id": "687f33a5ddf830e2f3e5acac", "name": "Trojan Dropper | Espionage | Keylogger affecting medical centers", "description": "PII and PHI at risk. Highest access spyware available infiltrates a small niche medical center. \ntrojandropper, keyloggers, advanced spyware, monitored rooms , mitre att, ||\nIDS: PROTOCOL-ICMP PATH MTU denial of service attempt \u2022 PROTOCOL-ICMP Destination Unreachable Fragmentation Needed and DF bit was set\n\n\u2022 https://foundry2sdbl.dvr.dn2.n-helix.com/\n\u2022 https://www.pegasustech.net/products/mobility-barcode-scanning/Data-collector-mobile-computer\n\n\u2022 \nrobloxlogger.com\n\u2022\n\nhttps://video.welnext.com\n\u2022\nhttps://app1.oceantg.com/sta40/views/personnelscreenview.aspx", "modified": "2025-08-21T06:00:20.607000", "created": "2025-07-22T06:45:57.499000", "tags": [ "pegasus", "report spam", "gotham foundry", "espionage", "spinal cord", "injured created", "minutes ago", "strange", "foundry", "palantir", "alexa", "service", "url http", "url https", "type indicator", "role title", "added active", "related pulses", "ipv4", "united", "germany", "singapore", "netherlands", "iran", "india", "search", "domain", "hostname", "filehashmd5", "filehashsha1", "extraction", "data upload", "sc type", "dren aeu", "extr source", "ur data", "include", "review exclude", "sugges", "mtu denial", "matches rule", "needed", "df bit", "unique rule", "catalog tree", "c0002 wininet", "ta0005 command", "control ta0011", "get http", "resolved ips", "dns resolutions", "cloudflare", "flag", "server", "date", "contacted hosts", "ip address", "process details", "t1158", "hidden", "t1031", "modify existing", "t1053", "taskjob", "t1060", "run keys", "startup", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "spawns", "command", "found", "itre att", "show process", "prefetch8", "mitre att", "show technique", "ck matrix", "windows nt", "win64", "khtml", "gecko", "april", "hybrid", "general", "path", "click", "strings", "entries", "unknown ns", "creation date", "record value", "showing", "gmt content", "accept encoding", "encrypt", "checked url", "hostname server", "response ip", "address google", "safe browsing", "present jan" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2628, "domain": 472, "hostname": 880, "FileHash-SHA256": 805, "FileHash-MD5": 151, "FileHash-SHA1": 128, "CIDR": 1, "SSLCertFingerprint": 3, "email": 1 }, "indicator_count": 5069, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "241 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "687d91b1a8f414040bfba430", "name": "Spyware", "description": "And I've been walking, talking\nBelieving the things that are true\nAnd I've been finding\nThe difference between right and wrong, bad and good\nSee me put things together\nPut them back where they belong\nWhen I look at each other\nHave I always been singing the same song?\n\nShe said\nThis is a perfect world\nRiding on an incline\nI'm staring in your face\nYou'll photograph mine\n\nI-I-I-I-I\nWhoo, ah-ha-ha\nHa-ha-ha-ha-ha-ha\n\nSomebody said that it happens all over the world\nI do believe that it's true (\u2022o\u2022)\n#spyware #MaaS #malvertizing #bullyfor$ #unethical #dangerous_tool", "modified": "2025-08-20T00:01:59.498000", "created": "2025-07-21T01:02:41.049000", "tags": [ "serving ip", "address", "status", "utc na", "utc google", "utc facebook", "custom audience", "tag manager", "ua748443502", "utc gtmwrp73mt", "utc gsrdlm5jnx1", "utc aw937838002", "adsense na", "connect", "file type", "status code", "body length", "kb body", "sha256", "powershell", "b file", "ta0004 defense", "evasion ta0005", "command", "control ta0011", "c0002 wininet", "number", "azure rsa", "tls issuing", "cus subject", "stwa lredmond", "corporation cus", "algorithm", "cndigicert sha2", "secure server", "ca odigicert", "inc cus", "subject", "cnwe1 ogoogle", "trust", "cnmicrosoft ecc", "update secure", "server ca", "omicrosoft", "get http", "request", "windows nt", "win64", "khtml", "gecko", "response", "united", "search", "creation date", "expiration date", "name servers", "unknown soa", "germany unknown", "entries", "pulse submit", "url analysis", "date" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 304, "hostname": 796, "URL": 2590, "FileHash-SHA256": 2735, "FileHash-MD5": 253, "FileHash-SHA1": 144, "email": 1 }, "indicator_count": 6823, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "242 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6875e98438889e51b3fdd18f", "name": "Critical \u2022 Schedule system process - Mirai | Foundry Overwatch", "description": "", "modified": "2025-08-14T05:04:16.839000", "created": "2025-07-15T05:39:16.652000", "tags": [ "win32 exe", "country", "include review", "exclude", "defense evasion", "access ta0006", "command", "control ta0011", "impact ta0040", "impact ob0008", "file system", "system oc0008", "match unknown", "adversaries", "match info", "info", "execution flow", "t1574 dll", "tries", "registry", "modify system", "process t1543", "unknown", "window", "ob0009 install", "ob0012 install", "insecure", "b0047 modify", "registry e1112", "hidden files", "registry run", "keys", "startup folder", "f0012 file", "critical", "united", "as15169", "delete c", "as16509", "show", "search", "intel", "ms windows", "entries", "medium", "worm", "copy", "write", "explorer", "malware", "next", "present jul", "status", "date", "ip address", "domain", "servers", "showing", "unknown ns", "related pulses", "pulses", "tags", "related tags", "more file", "type", "date april", "am size", "sha1 sha256", "as14618", "united kingdom", "as54113", "as15133 verizon", "top source", "top destination", "status domain", "ip whitelisted", "whitelisted", "tcp include", "source source", "oamazon", "cnamazon rsa", "odigicert inc", "sweden as20940", "as20940", "entries tls", "ip destination", "encrypt", "aaaa", "found", "certificate", "next associated", "urls show", "date checked", "error", "windows", "high", "yara detections", "installs", "checks", "filehash", "sha256 add", "themida", "data upload", "extraction", "md5 add", "av detections", "ids detections", "alerts", "analysis date", "file score", "win32", "ddos", "passive dns", "activity", "checkin", "win64", "mtb jan", "lowfi", "trojan", "ransom", "trojandropper", "yara", "nsis", "nss bv", "su data", "windo alerts", "andariel", "malware traffic", "nids", "icmp traffic", "dns query", "id deadhost", "connects", "andariel high", "richhash", "external", "virustotal api", "screenshots", "failed", "auurtonany data", "themida andarie", "present may", "japan unknown", "unknown cname", "domain add", "urls", "files", "http headers", "msie", "windows nt", "tcp syn", "resolverror", "externalport", "internalport", "wget command", "devices home", "execution", "foundry", "home networks", "mirai", "x.com", "porn", "monitored target", "d link", "targets" ], "references": [ "TJprojMain.exe {79c7303a1a49b85569245a8ca1c1a26be720387845af9391fa1e4677308bd6b6}", "Crowdsourced Signa: Schedule system process by Joe Security", "Sigma \u2022 Suspicious Process Masquerading As SvcHost.EXE by Swachchhanda Shrawan Poudel", "Sigma \u2022 System File Execution Location Anomaly by Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali (Nextron Systems)", "Yara \u2022 NSIS from ruleset NSIS by kevoreilly", "Yara \u2022 rule SUSP_Imphash_Mar23_2 from ruleset gen_imphash_detection by Arnim Rupp (https://github.com/ruppde)", "Yara \u2022 Windows_Generic_Threat_7526f106 from ruleset Windows_Generic_Threat by Elastic Security", "Alerts: persistence_autorun \u2022 persistence_autorun_tasks stealth_hiddenreg \u2022 suspicious_command", "IDS : Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI", "Mirai - ]1.0.0.0 - Unix.Trojan.Mirai-6981169-0", "*Themida_2xx. Oreans,Technologies", "*Andariel Backdoor Activity (Checkin)", "Alert: dead_host nids_malware_alert network_icmp nolookup_communication", "IDS: WGET Command Specifying Output in HTTP Headers", "IDS: D-Link Devices Home Network Administration Protocol Command Execution", "foundry2-lbl.dvr.dn2.n-helix.com \u2022 http://foundry2sdbl.dvr.dn2.n-helix.com \u2022 https://foundry2sdbl", "https://xn--72c9abh1f8ad1lzc.com/video_tag/pornthai/ \u2022 https://ro.theskinnyfoodco.com/en-fr/blogs/recipes/pornstar-martini-recipe \u2022 m.pornsexer.xxx.3.1.adiosfil.roksit.net", "x.com \u2022 nr-data.net \u2022 apple.k8s.joewa.com", "http://apple.cc.lvlid.com/ \u2022 http://apple.cc.lvlid.com/ios/ \u2022 http://www.apple.cc.lvlid.com/ios", "Devices remotely connected, tracked , monitored" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Worm:Win32/Mofksys.RND!MTB", "display_name": "Worm:Win32/Mofksys.RND!MTB", "target": "/malware/Worm:Win32/Mofksys.RND!MTB" }, { "id": "Unix.Trojan.Mirai-6981169-0", "display_name": "Unix.Trojan.Mirai-6981169-0", "target": null }, { "id": "Win.Malware.Ursu-9856871-0", "display_name": "Win.Malware.Ursu-9856871-0", "target": null }, { "id": "ELF:DDoS-Y\\ [Trj]", "display_name": "ELF:DDoS-Y\\ [Trj]", "target": null } ], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1512", "name": "Capture Camera", "display_name": "T1512 - Capture Camera" }, { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [ "Healthcare", "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 23, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 448, "FileHash-SHA1": 435, "FileHash-SHA256": 5851, "hostname": 2580, "domain": 1176, "URL": 7133, "SSLCertFingerprint": 30, "email": 3, "CVE": 3 }, "indicator_count": 17659, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "248 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "681206d8f0d9d932daf913fa", "name": "Experience the Power of AI with Windows 11 OS, Computers, & Apps | Microsoft Windows", "description": "", "modified": "2025-05-30T10:03:12.343000", "created": "2025-04-30T11:17:44.688000", "tags": [ "ai", "windows 11", "windows 11 os", "windows", "learn", "microsoft", "view", "shop", "find", "get windows", "surface laptop", "microsoft store", "sync", "twitter", "refresh", "easy", "sha1" ], "references": [ "http://www.windows.com/-upgraded", "http://windows-upgraded.com", "http://www.microsoft.com0", "https://windows-upgraded.com" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 13, "FileHash-SHA1": 13, "FileHash-SHA256": 870, "hostname": 552, "domain": 155, "URL": 1545 }, "indicator_count": 3148, "is_author": false, "is_subscribing": null, "subscriber_count": 122, "modified_text": "324 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66d45dab14a189645153e8a6", "name": "Reverse WHOIS results for vgt.pl ( GANG VGT)", "description": "", "modified": "2024-12-17T14:47:57", "created": "2024-09-01T12:27:23.777000", "tags": [ "ipv4 domain", "ipv4 url", "domain", "sha1", "sha256", "pehash", "vhash", "ssdeep" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1286, "FileHash-SHA1": 1286, "FileHash-SHA256": 2722, "URL": 4729, "domain": 1909, "hostname": 2082, "IPv4": 97, "CVE": 4, "YARA": 1 }, "indicator_count": 14116, "is_author": false, "is_subscribing": null, "subscriber_count": 126, "modified_text": "488 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "Yara \u2022 Windows_Generic_Threat_7526f106 from ruleset Windows_Generic_Threat by Elastic Security", "TJprojMain.exe {79c7303a1a49b85569245a8ca1c1a26be720387845af9391fa1e4677308bd6b6}", "Yara \u2022 rule SUSP_Imphash_Mar23_2 from ruleset gen_imphash_detection by Arnim Rupp (https://github.com/ruppde)", "IDS: WGET Command Specifying Output in HTTP Headers", "Devices remotely connected, tracked , monitored", "Sigma \u2022 Suspicious Process Masquerading As SvcHost.EXE by Swachchhanda Shrawan Poudel", "IDS : Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI", "http://www.windows.com/-upgraded", "https://windows-upgraded.com", "x.com \u2022 nr-data.net \u2022 apple.k8s.joewa.com", "IDS: D-Link Devices Home Network Administration Protocol Command Execution", "Yara \u2022 NSIS from ruleset NSIS by kevoreilly", "Mirai - ]1.0.0.0 - Unix.Trojan.Mirai-6981169-0", "http://windows-upgraded.com", "Alert: dead_host nids_malware_alert network_icmp nolookup_communication", "*Themida_2xx. Oreans,Technologies", "https://xn--72c9abh1f8ad1lzc.com/video_tag/pornthai/ \u2022 https://ro.theskinnyfoodco.com/en-fr/blogs/recipes/pornstar-martini-recipe \u2022 m.pornsexer.xxx.3.1.adiosfil.roksit.net", "Crowdsourced Signa: Schedule system process by Joe Security", "Alerts: persistence_autorun \u2022 persistence_autorun_tasks stealth_hiddenreg \u2022 suspicious_command", "http://www.microsoft.com0", "foundry2-lbl.dvr.dn2.n-helix.com \u2022 http://foundry2sdbl.dvr.dn2.n-helix.com \u2022 https://foundry2sdbl", "http://apple.cc.lvlid.com/ \u2022 http://apple.cc.lvlid.com/ios/ \u2022 http://www.apple.cc.lvlid.com/ios", "Sigma \u2022 System File Execution Location Anomaly by Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali (Nextron Systems)", "*Andariel Backdoor Activity (Checkin)" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Worm:win32/mofksys.rnd!mtb", "Unix.trojan.mirai-6981169-0", "Win.malware.ursu-9856871-0", "Elf:ddos-y\\ [trj]" ], "industries": [ "Technology", "Healthcare" ], "unique_indicators": 43833 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/azuremaps.com", "whois": "http://whois.domaintools.com/azuremaps.com", "domain": "azuremaps.com", "hostname": "docs.azuremaps.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 5, "pulses": [ { "id": "687f33a5ddf830e2f3e5acac", "name": "Trojan Dropper | Espionage | Keylogger affecting medical centers", "description": "PII and PHI at risk. Highest access spyware available infiltrates a small niche medical center. \ntrojandropper, keyloggers, advanced spyware, monitored rooms , mitre att, ||\nIDS: PROTOCOL-ICMP PATH MTU denial of service attempt \u2022 PROTOCOL-ICMP Destination Unreachable Fragmentation Needed and DF bit was set\n\n\u2022 https://foundry2sdbl.dvr.dn2.n-helix.com/\n\u2022 https://www.pegasustech.net/products/mobility-barcode-scanning/Data-collector-mobile-computer\n\n\u2022 \nrobloxlogger.com\n\u2022\n\nhttps://video.welnext.com\n\u2022\nhttps://app1.oceantg.com/sta40/views/personnelscreenview.aspx", "modified": "2025-08-21T06:00:20.607000", "created": "2025-07-22T06:45:57.499000", "tags": [ "pegasus", "report spam", "gotham foundry", "espionage", "spinal cord", "injured created", "minutes ago", "strange", "foundry", "palantir", "alexa", "service", "url http", "url https", "type indicator", "role title", "added active", "related pulses", "ipv4", "united", "germany", "singapore", "netherlands", "iran", "india", "search", "domain", "hostname", "filehashmd5", "filehashsha1", "extraction", "data upload", "sc type", "dren aeu", "extr source", "ur data", "include", "review exclude", "sugges", "mtu denial", "matches rule", "needed", "df bit", "unique rule", "catalog tree", "c0002 wininet", "ta0005 command", "control ta0011", "get http", "resolved ips", "dns resolutions", "cloudflare", "flag", "server", "date", "contacted hosts", "ip address", "process details", "t1158", "hidden", "t1031", "modify existing", "t1053", "taskjob", "t1060", "run keys", "startup", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "spawns", "command", "found", "itre att", "show process", "prefetch8", "mitre att", "show technique", "ck matrix", "windows nt", "win64", "khtml", "gecko", "april", "hybrid", "general", "path", "click", "strings", "entries", "unknown ns", "creation date", "record value", "showing", "gmt content", "accept encoding", "encrypt", "checked url", "hostname server", "response ip", "address google", "safe browsing", "present jan" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2628, "domain": 472, "hostname": 880, "FileHash-SHA256": 805, "FileHash-MD5": 151, "FileHash-SHA1": 128, "CIDR": 1, "SSLCertFingerprint": 3, "email": 1 }, "indicator_count": 5069, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "241 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "687d91b1a8f414040bfba430", "name": "Spyware", "description": "And I've been walking, talking\nBelieving the things that are true\nAnd I've been finding\nThe difference between right and wrong, bad and good\nSee me put things together\nPut them back where they belong\nWhen I look at each other\nHave I always been singing the same song?\n\nShe said\nThis is a perfect world\nRiding on an incline\nI'm staring in your face\nYou'll photograph mine\n\nI-I-I-I-I\nWhoo, ah-ha-ha\nHa-ha-ha-ha-ha-ha\n\nSomebody said that it happens all over the world\nI do believe that it's true (\u2022o\u2022)\n#spyware #MaaS #malvertizing #bullyfor$ #unethical #dangerous_tool", "modified": "2025-08-20T00:01:59.498000", "created": "2025-07-21T01:02:41.049000", "tags": [ "serving ip", "address", "status", "utc na", "utc google", "utc facebook", "custom audience", "tag manager", "ua748443502", "utc gtmwrp73mt", "utc gsrdlm5jnx1", "utc aw937838002", "adsense na", "connect", "file type", "status code", "body length", "kb body", "sha256", "powershell", "b file", "ta0004 defense", "evasion ta0005", "command", "control ta0011", "c0002 wininet", "number", "azure rsa", "tls issuing", "cus subject", "stwa lredmond", "corporation cus", "algorithm", "cndigicert sha2", "secure server", "ca odigicert", "inc cus", "subject", "cnwe1 ogoogle", "trust", "cnmicrosoft ecc", "update secure", "server ca", "omicrosoft", "get http", "request", "windows nt", "win64", "khtml", "gecko", "response", "united", "search", "creation date", "expiration date", "name servers", "unknown soa", "germany unknown", "entries", "pulse submit", "url analysis", "date" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 304, "hostname": 796, "URL": 2590, "FileHash-SHA256": 2735, "FileHash-MD5": 253, "FileHash-SHA1": 144, "email": 1 }, "indicator_count": 6823, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "242 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6875e98438889e51b3fdd18f", "name": "Critical \u2022 Schedule system process - Mirai | Foundry Overwatch", "description": "", "modified": "2025-08-14T05:04:16.839000", "created": "2025-07-15T05:39:16.652000", "tags": [ "win32 exe", "country", "include review", "exclude", "defense evasion", "access ta0006", "command", "control ta0011", "impact ta0040", "impact ob0008", "file system", "system oc0008", "match unknown", "adversaries", "match info", "info", "execution flow", "t1574 dll", "tries", "registry", "modify system", "process t1543", "unknown", "window", "ob0009 install", "ob0012 install", "insecure", "b0047 modify", "registry e1112", "hidden files", "registry run", "keys", "startup folder", "f0012 file", "critical", "united", "as15169", "delete c", "as16509", "show", "search", "intel", "ms windows", "entries", "medium", "worm", "copy", "write", "explorer", "malware", "next", "present jul", "status", "date", "ip address", "domain", "servers", "showing", "unknown ns", "related pulses", "pulses", "tags", "related tags", "more file", "type", "date april", "am size", "sha1 sha256", "as14618", "united kingdom", "as54113", "as15133 verizon", "top source", "top destination", "status domain", "ip whitelisted", "whitelisted", "tcp include", "source source", "oamazon", "cnamazon rsa", "odigicert inc", "sweden as20940", "as20940", "entries tls", "ip destination", "encrypt", "aaaa", "found", "certificate", "next associated", "urls show", "date checked", "error", "windows", "high", "yara detections", "installs", "checks", "filehash", "sha256 add", "themida", "data upload", "extraction", "md5 add", "av detections", "ids detections", "alerts", "analysis date", "file score", "win32", "ddos", "passive dns", "activity", "checkin", "win64", "mtb jan", "lowfi", "trojan", "ransom", "trojandropper", "yara", "nsis", "nss bv", "su data", "windo alerts", "andariel", "malware traffic", "nids", "icmp traffic", "dns query", "id deadhost", "connects", "andariel high", "richhash", "external", "virustotal api", "screenshots", "failed", "auurtonany data", "themida andarie", "present may", "japan unknown", "unknown cname", "domain add", "urls", "files", "http headers", "msie", "windows nt", "tcp syn", "resolverror", "externalport", "internalport", "wget command", "devices home", "execution", "foundry", "home networks", "mirai", "x.com", "porn", "monitored target", "d link", "targets" ], "references": [ "TJprojMain.exe {79c7303a1a49b85569245a8ca1c1a26be720387845af9391fa1e4677308bd6b6}", "Crowdsourced Signa: Schedule system process by Joe Security", "Sigma \u2022 Suspicious Process Masquerading As SvcHost.EXE by Swachchhanda Shrawan Poudel", "Sigma \u2022 System File Execution Location Anomaly by Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali (Nextron Systems)", "Yara \u2022 NSIS from ruleset NSIS by kevoreilly", "Yara \u2022 rule SUSP_Imphash_Mar23_2 from ruleset gen_imphash_detection by Arnim Rupp (https://github.com/ruppde)", "Yara \u2022 Windows_Generic_Threat_7526f106 from ruleset Windows_Generic_Threat by Elastic Security", "Alerts: persistence_autorun \u2022 persistence_autorun_tasks stealth_hiddenreg \u2022 suspicious_command", "IDS : Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI", "Mirai - ]1.0.0.0 - Unix.Trojan.Mirai-6981169-0", "*Themida_2xx. Oreans,Technologies", "*Andariel Backdoor Activity (Checkin)", "Alert: dead_host nids_malware_alert network_icmp nolookup_communication", "IDS: WGET Command Specifying Output in HTTP Headers", "IDS: D-Link Devices Home Network Administration Protocol Command Execution", "foundry2-lbl.dvr.dn2.n-helix.com \u2022 http://foundry2sdbl.dvr.dn2.n-helix.com \u2022 https://foundry2sdbl", "https://xn--72c9abh1f8ad1lzc.com/video_tag/pornthai/ \u2022 https://ro.theskinnyfoodco.com/en-fr/blogs/recipes/pornstar-martini-recipe \u2022 m.pornsexer.xxx.3.1.adiosfil.roksit.net", "x.com \u2022 nr-data.net \u2022 apple.k8s.joewa.com", "http://apple.cc.lvlid.com/ \u2022 http://apple.cc.lvlid.com/ios/ \u2022 http://www.apple.cc.lvlid.com/ios", "Devices remotely connected, tracked , monitored" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Worm:Win32/Mofksys.RND!MTB", "display_name": "Worm:Win32/Mofksys.RND!MTB", "target": "/malware/Worm:Win32/Mofksys.RND!MTB" }, { "id": "Unix.Trojan.Mirai-6981169-0", "display_name": "Unix.Trojan.Mirai-6981169-0", "target": null }, { "id": "Win.Malware.Ursu-9856871-0", "display_name": "Win.Malware.Ursu-9856871-0", "target": null }, { "id": "ELF:DDoS-Y\\ [Trj]", "display_name": "ELF:DDoS-Y\\ [Trj]", "target": null } ], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1512", "name": "Capture Camera", "display_name": "T1512 - Capture Camera" }, { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [ "Healthcare", "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 23, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 448, "FileHash-SHA1": 435, "FileHash-SHA256": 5851, "hostname": 2580, "domain": 1176, "URL": 7133, "SSLCertFingerprint": 30, "email": 3, "CVE": 3 }, "indicator_count": 17659, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "248 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "681206d8f0d9d932daf913fa", "name": "Experience the Power of AI with Windows 11 OS, Computers, & Apps | Microsoft Windows", "description": "", "modified": "2025-05-30T10:03:12.343000", "created": "2025-04-30T11:17:44.688000", "tags": [ "ai", "windows 11", "windows 11 os", "windows", "learn", "microsoft", "view", "shop", "find", "get windows", "surface laptop", "microsoft store", "sync", "twitter", "refresh", "easy", "sha1" ], "references": [ "http://www.windows.com/-upgraded", "http://windows-upgraded.com", "http://www.microsoft.com0", "https://windows-upgraded.com" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 13, "FileHash-SHA1": 13, "FileHash-SHA256": 870, "hostname": 552, "domain": 155, "URL": 1545 }, "indicator_count": 3148, "is_author": false, "is_subscribing": null, "subscriber_count": 122, "modified_text": "324 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66d45dab14a189645153e8a6", "name": "Reverse WHOIS results for vgt.pl ( GANG VGT)", "description": "", "modified": "2024-12-17T14:47:57", "created": "2024-09-01T12:27:23.777000", "tags": [ "ipv4 domain", "ipv4 url", "domain", "sha1", "sha256", "pehash", "vhash", "ssdeep" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1286, "FileHash-SHA1": 1286, "FileHash-SHA256": 2722, "URL": 4729, "domain": 1909, "hostname": 2082, "IPv4": 97, "CVE": 4, "YARA": 1 }, "indicator_count": 14116, "is_author": false, "is_subscribing": null, "subscriber_count": 126, "modified_text": "488 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://docs.azuremaps.com", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://docs.azuremaps.com", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776639187.6109245 }