{
  "type": "URL",
  "indicator": "https://doubleclick.net",
  "general": {
    "sections": [
      "general",
      "url_list",
      "http_scans",
      "screenshot"
    ],
    "indicator": "https://doubleclick.net",
    "type": "url",
    "type_title": "URL",
    "validation": [
      {
        "source": "akamai",
        "message": "Akamai rank: #17",
        "name": "Akamai Popular Domain"
      },
      {
        "source": "whitelist",
        "message": "Whitelisted domain doubleclick.net",
        "name": "Whitelisted domain"
      },
      {
        "source": "majestic",
        "message": "Whitelisted domain doubleclick.net",
        "name": "Whitelisted domain"
      },
      {
        "source": "ad_network",
        "message": "Whitelisted ad network domain doubleclick.net",
        "name": "Whitelisted ad network domain"
      }
    ],
    "base_indicator": {
      "id": 3676553926,
      "indicator": "https://doubleclick.net",
      "type": "URL",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 7,
      "pulses": [
        {
          "id": "69ca5d583057aaefed16789a",
          "name": "CAPE Sandbox- Stealc Config CNCs\thttp://170.130.55.38\\/ad23d4a47cfd4c13.php botnet\tnewbuild2",
          "description": "A complete list of details about who is registered on the Whois website:..1.0/16:30 GMT on 1 January 2019. (00:00 GMT).-1:<Pretext -- Stealc Config\nCNCs\thttp://170.130.55.38\\/ad23d4a47cfd4c13.php\nbotnet\tnewbuild2",
          "modified": "2026-03-30T11:45:14.761000",
          "created": "2026-03-30T11:24:08.053000",
          "tags": [
            "file size",
            "mwdb",
            "bazaar",
            "sha3384",
            "ssdeep",
            "file type",
            "default",
            "sha256",
            "sha1",
            "data",
            "info",
            "accept",
            "win64",
            "damage",
            "openssl",
            "shutdown",
            "direct",
            "explorer",
            "title",
            "payload",
            "rdap",
            "ip version",
            "address range",
            "cidr",
            "network name",
            "allocation type",
            "whois server",
            "entity sg679",
            "handle",
            "stealc config",
            "cncs http"
          ],
          "references": [
            "https://vtbehaviour.commondatastorage.googleapis.com/1ca8b15684a1143e38ef87f31d8a89c7b25a1107aeaf03d43ad9fd611c4a35ba_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1774869821&Signature=dm0pQf9ykZMucZEHHViqEfYFoBozAF57ZHYUPo3i79Fb6al02qn6AeYk%2FxR1vzLE4NQkG40Rm1LFUVN79w5CNETgwiRzCx%2BSpUCvPnYIv7E3SEmv5wZrhcuObW%2FE%2B1Ef7e53KrnREKePmmVmLYO34EXBewDpQF4DTIUvGnHdoQkf8pmNquGPuJZRRodaPAkoAEufbI%2BMk4zTqA%2BXbEP%2FpFBi5v30azilsKQ8R%2BLyJYHnYE"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "IPv4": 92,
            "domain": 351,
            "URL": 392,
            "FileHash-MD5": 149,
            "FileHash-SHA1": 168,
            "FileHash-SHA256": 197,
            "email": 12,
            "hostname": 68,
            "CIDR": 4
          },
          "indicator_count": 1433,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 50,
          "modified_text": "20 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "6892e73b32af18aa302df0dc",
          "name": "Part 1.5",
          "description": "Dark web media \u2022 Political news \u2022 Malvertizing\nlocate \u2022\ntrack [stalk] \u2022 record calls \u2022 control media [youtube , etc] http://t.name?n[++i]=e:this.removeEventListener\t\t\nJeeng &\nPowebox [ accidentally left out in original post pulse]",
          "modified": "2025-09-05T04:03:06.929000",
          "created": "2025-08-06T05:25:15.369000",
          "tags": [
            "chromeua",
            "optout",
            "object",
            "path",
            "value",
            "access type",
            "setval",
            "windir",
            "localappdata",
            "null",
            "win64",
            "error",
            "generator",
            "close",
            "roboto",
            "date",
            "format",
            "light",
            "span",
            "template",
            "void",
            "android",
            "body",
            "trident",
            "mexico",
            "sonic",
            "black",
            "critical",
            "desktop",
            "dark",
            "meta",
            "this",
            "june",
            "hybrid",
            "apache",
            "write",
            "crypto",
            "autodetect",
            "face",
            "courier",
            "gigi",
            "impact",
            "shadow",
            "click",
            "strings",
            "cray",
            "smwg",
            "eret",
            "footer",
            "infinity",
            "window",
            "canvas",
            "legend",
            "nuke",
            "lion",
            "4629",
            "ahav",
            "olsa",
            "false",
            "learn",
            "command",
            "ck id",
            "name tactics",
            "suspicious",
            "informative",
            "spawns",
            "defense evasion",
            "t1480 execution",
            "file defense",
            "copy md5",
            "copy sha1",
            "copy sha256",
            "sha1",
            "sha256",
            "script",
            "mitre att",
            "pattern match",
            "show technique",
            "iframe",
            "refresh",
            "august",
            "general",
            "local",
            "tools",
            "demo",
            "look",
            "verify",
            "restart",
            "url http",
            "small",
            "pulses url",
            "tellyoun",
            "showing",
            "entries",
            "url https",
            "indicator role",
            "title added",
            "active related",
            "type indicator",
            "role title",
            "added active",
            "related pulses",
            "cc08",
            "f06a6b",
            "sfurl",
            "filehashsha256",
            "types",
            "indicators show",
            "search",
            "pulses",
            "filehashsha1",
            "adversaries",
            "found",
            "webp image",
            "ascii text",
            "riff",
            "size",
            "encrypt",
            "legacy",
            "filehashmd5",
            "united",
            "flag",
            "server",
            "markmonitor",
            "name server",
            "llc name",
            "overview dns",
            "requests domain",
            "country",
            "win32",
            "av detections",
            "ids detections",
            "yara detections",
            "alerts",
            "analysis date",
            "file score",
            "medium risk",
            "yara",
            "detections",
            "malware",
            "copy",
            "show",
            "icmp traffic",
            "packing t1045",
            "t1045",
            "pdb path",
            "pe resource",
            "extraction",
            "data upload",
            "enter sc",
            "type",
            "extra data",
            "please",
            "failed",
            "review",
            "exclude data",
            "included review",
            "ic data",
            "suggeste",
            "stop",
            "type onow",
            "domain",
            "passive dns",
            "urls",
            "files related",
            "pulses none",
            "related tags",
            "none google",
            "safe browsing",
            "sc data",
            "extr amanuav",
            "review included",
            "manualy",
            "sugges excluded",
            "filehash",
            "md5 add",
            "pulse pulses",
            "url add",
            "http",
            "hostname",
            "files domain",
            "pulses otx",
            "virustotal",
            "hsmi192547107",
            "pulses hostname",
            "r dec",
            "customer dec",
            "iski dec",
            "decision dec",
            "va dec",
            "bitcoin",
            "bitcoin dec",
            "petra",
            "torstatus dec",
            "paul dec",
            "sodesc",
            "planet dec",
            "emilia",
            "heroin dec",
            "difference dec",
            "palantir dec",
            "loraxlive dec",
            "chaturbate dec",
            "sandra",
            "free dec",
            "marvel dec",
            "benjis dec",
            "fresh dec",
            "sodesc dec",
            "srdirport",
            "srhostname",
            "link dec",
            "types of",
            "italy",
            "china",
            "australia",
            "france",
            "turkey",
            "discovery",
            "information",
            "ck ids",
            "t1005",
            "local system",
            "t1007",
            "system service",
            "part",
            "track",
            "locate",
            "political",
            "civil society",
            "news",
            "created",
            "hours ago",
            "report spam",
            "t1555",
            "password",
            "t1560",
            "collected data",
            "t1573",
            "channel",
            "t1574",
            "execution flow",
            "scan",
            "iocs",
            "t1497",
            "u0lhmq",
            "mtawmq",
            "t1480",
            "guardrails",
            "t1486",
            "data encrypted",
            "learn more",
            "unsubscribe aug",
            "protocol",
            "t1074",
            "staged",
            "t1083",
            "t1102",
            "web service",
            "t1105",
            "tool transfer",
            "t1140",
            "data engineer",
            "candidate",
            "tlsv1",
            "odigicert inc",
            "stcalifornia",
            "lsan jose",
            "oadobe systems",
            "incorporated",
            "cndigicert sha2",
            "push",
            "next",
            "high",
            "write c",
            "ireland as16509",
            "delete",
            "dirty",
            "tags",
            "t1012",
            "flow endpoint",
            "security scan",
            "t1106",
            "copyright",
            "levelblue"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1005",
              "name": "Data from Local System",
              "display_name": "T1005 - Data from Local System"
            },
            {
              "id": "T1007",
              "name": "System Service Discovery",
              "display_name": "T1007 - System Service Discovery"
            },
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1033",
              "name": "System Owner/User Discovery",
              "display_name": "T1033 - System Owner/User Discovery"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1074",
              "name": "Data Staged",
              "display_name": "T1074 - Data Staged"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1112",
              "name": "Modify Registry",
              "display_name": "T1112 - Modify Registry"
            },
            {
              "id": "T1120",
              "name": "Peripheral Device Discovery",
              "display_name": "T1120 - Peripheral Device Discovery"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1132",
              "name": "Data Encoding",
              "display_name": "T1132 - Data Encoding"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1480",
              "name": "Execution Guardrails",
              "display_name": "T1480 - Execution Guardrails"
            },
            {
              "id": "T1486",
              "name": "Data Encrypted for Impact",
              "display_name": "T1486 - Data Encrypted for Impact"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1555",
              "name": "Credentials from Password Stores",
              "display_name": "T1555 - Credentials from Password Stores"
            },
            {
              "id": "T1560",
              "name": "Archive Collected Data",
              "display_name": "T1560 - Archive Collected Data"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1568",
              "name": "Dynamic Resolution",
              "display_name": "T1568 - Dynamic Resolution"
            },
            {
              "id": "T1583",
              "name": "Acquire Infrastructure",
              "display_name": "T1583 - Acquire Infrastructure"
            },
            {
              "id": "T1045",
              "name": "Software Packing",
              "display_name": "T1045 - Software Packing"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1041",
              "name": "Exfiltration Over C2 Channel",
              "display_name": "T1041 - Exfiltration Over C2 Channel"
            },
            {
              "id": "T1114",
              "name": "Email Collection",
              "display_name": "T1114 - Email Collection"
            },
            {
              "id": "T1063",
              "name": "Security Software Discovery",
              "display_name": "T1063 - Security Software Discovery"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 18,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 608,
            "FileHash-SHA1": 433,
            "FileHash-SHA256": 3663,
            "URL": 17104,
            "domain": 1316,
            "email": 39,
            "hostname": 4208,
            "SSLCertFingerprint": 17
          },
          "indicator_count": 27388,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 139,
          "modified_text": "226 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "6892a73593f73dfc969779b0",
          "name": "Part I | Track | Locate | Political & Civil society \u2018news\u2019 campaigns",
          "description": "Part I | Track | Locate | Political & Civil society \u2018news\u2019 campaigns\n*[ddddd.msg]\n[http://tracking.eu1.glintinc.com]\n[stormer5v52vjsw66jmds7ndeecudq444woadhzr2plxlaayexnh6eqd]\n[stackstorm.ops.dev.az.glintinc.com]\n\u2022 http://stormer5v52vjsw66jmds7ndeecudq444woadhzr2plxlaayexnh6eqd.onion/peter-thiel-running-database-to-root-out-those-disloyal-to-the-leader/\\n \u2022\n[http://pixelrz.com/lists/keywords/tsara-brashears-assaulted-at-concentra/360]\n[http://pixelrz.com/lists/keywords/tsara-brashears-dead/360]",
          "modified": "2025-09-05T00:03:23.223000",
          "created": "2025-08-06T00:52:05.051000",
          "tags": [
            "url http",
            "small",
            "indicator role",
            "title added",
            "active related",
            "pulses hostname",
            "tellyoun",
            "n aug",
            "entries",
            "data upload",
            "extraction",
            "windows error",
            "june",
            "fwd urgent",
            "justice czech",
            "copy sha256",
            "rejectedfailed",
            "timestamp input",
            "message status",
            "actions august",
            "file",
            "actions june",
            "actions may",
            "cta4 https",
            "context related",
            "associated urls",
            "campaigncodedsc",
            "language",
            "uid http",
            "community",
            "sha256",
            "size42b type",
            "submitted",
            "august",
            "april",
            "internal error",
            "previous1",
            "iframe",
            "community score",
            "scan analysis",
            "malicious",
            "intelligence",
            "learn",
            "falcon sandbox",
            "submissions",
            "status",
            "adversaries",
            "ck id",
            "name tactics",
            "suspicious",
            "informative",
            "defense evasion",
            "windows folder",
            "found",
            "dlls",
            "impact",
            "chromeua",
            "optout",
            "object",
            "path",
            "value",
            "access type",
            "setval",
            "windir",
            "localappdata",
            "null",
            "win64",
            "error",
            "generator",
            "close",
            "roboto",
            "date",
            "format",
            "light",
            "span",
            "template",
            "void",
            "android",
            "body",
            "trident",
            "mexico",
            "sonic",
            "black",
            "critical",
            "desktop",
            "dark",
            "meta",
            "this",
            "hybrid",
            "apache",
            "write",
            "crypto",
            "autodetect",
            "face",
            "courier",
            "gigi",
            "shadow",
            "click",
            "strings",
            "cray",
            "smwg",
            "eret",
            "footer",
            "infinity",
            "window",
            "canvas",
            "legend",
            "nuke",
            "lion",
            "4629",
            "ahav",
            "olsa",
            "false"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1005",
              "name": "Data from Local System",
              "display_name": "T1005 - Data from Local System"
            },
            {
              "id": "T1007",
              "name": "System Service Discovery",
              "display_name": "T1007 - System Service Discovery"
            },
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1033",
              "name": "System Owner/User Discovery",
              "display_name": "T1033 - System Owner/User Discovery"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1041",
              "name": "Exfiltration Over C2 Channel",
              "display_name": "T1041 - Exfiltration Over C2 Channel"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1074",
              "name": "Data Staged",
              "display_name": "T1074 - Data Staged"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1112",
              "name": "Modify Registry",
              "display_name": "T1112 - Modify Registry"
            },
            {
              "id": "T1114",
              "name": "Email Collection",
              "display_name": "T1114 - Email Collection"
            },
            {
              "id": "T1120",
              "name": "Peripheral Device Discovery",
              "display_name": "T1120 - Peripheral Device Discovery"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1132",
              "name": "Data Encoding",
              "display_name": "T1132 - Data Encoding"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1480",
              "name": "Execution Guardrails",
              "display_name": "T1480 - Execution Guardrails"
            },
            {
              "id": "T1486",
              "name": "Data Encrypted for Impact",
              "display_name": "T1486 - Data Encrypted for Impact"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1555",
              "name": "Credentials from Password Stores",
              "display_name": "T1555 - Credentials from Password Stores"
            },
            {
              "id": "T1560",
              "name": "Archive Collected Data",
              "display_name": "T1560 - Archive Collected Data"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 9,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 9062,
            "domain": 707,
            "hostname": 2318,
            "FileHash-MD5": 86,
            "FileHash-SHA1": 26,
            "FileHash-SHA256": 2096,
            "email": 5,
            "FilePath": 2,
            "URI": 1
          },
          "indicator_count": 14303,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 139,
          "modified_text": "226 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "658bd8f63a1e4c5a38ce44e4",
          "name": "USBank: Phishing and Frauds | Command and Control |",
          "description": "",
          "modified": "2024-01-26T07:01:23.551000",
          "created": "2023-12-27T07:57:42.725000",
          "tags": [
            "no expiration",
            "filehashsha256",
            "ipv4",
            "hostname",
            "expiration",
            "filehashmd5",
            "domain",
            "filehashsha1",
            "url http",
            "iocs",
            "next",
            "url https",
            "scan endpoints",
            "all octoseek",
            "create new",
            "pulse use",
            "pdf report",
            "pcap",
            "analyzer",
            "hackers",
            "hacktool",
            "hijacker",
            "tsara brashears",
            "hallrender",
            "lazarus",
            "win64",
            "usbank",
            "webp",
            "critical",
            "contacted",
            "octoseek",
            "command_and_control",
            "comspec",
            "copy",
            "core",
            "critical",
            "dangerous",
            "apple",
            "briannsabey breadcrumbs",
            "ck id",
            "cobalt strike",
            "bot",
            "bot network",
            "resolutions",
            "renos",
            "referrer",
            "model",
            "mitre att",
            "monitoring",
            "quasar rat",
            "ransomware",
            "networm",
            "open path",
            "pattern match",
            "payload",
            "powershell",
            "command_and_control",
            "exploit",
            "tracking",
            "cybercrime",
            "T1622 - Debugger Evasion",
            "cracked",
            "installer",
            "apple",
            "banking",
            "parking payload",
            "factory",
            "gpt analyzer",
            "teams",
            "localappdata",
            "breadcrumbs"
          ],
          "references": [
            "onlinebanking.usbank.com.blackboxconstruction.com.ph",
            "https://www.hallrender.com/attorney/brian-sabey/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Worm.Mimail",
              "display_name": "Worm.Mimail",
              "target": null
            },
            {
              "id": "Win32:Pitou-C [Rtk]",
              "display_name": "Win32:Pitou-C [Rtk]",
              "target": null
            },
            {
              "id": "W32/Bagle.RC.worm",
              "display_name": "W32/Bagle.RC.worm",
              "target": null
            },
            {
              "id": "Trojan:VBS/Renos",
              "display_name": "Trojan:VBS/Renos",
              "target": "/malware/Trojan:VBS/Renos"
            },
            {
              "id": "Trojan:BAT/Gamaredon",
              "display_name": "Trojan:BAT/Gamaredon",
              "target": "/malware/Trojan:BAT/Gamaredon"
            },
            {
              "id": "Trojan-Ransom.Win32.Blocker.xhaw",
              "display_name": "Trojan-Ransom.Win32.Blocker.xhaw",
              "target": null
            },
            {
              "id": "Trojan-Downloader.Win32.Upatre",
              "display_name": "Trojan-Downloader.Win32.Upatre",
              "target": null
            },
            {
              "id": "Trj/CI.A",
              "display_name": "Trj/CI.A",
              "target": null
            },
            {
              "id": "Android:Agent-OVB [Trj]",
              "display_name": "Android:Agent-OVB [Trj]",
              "target": null
            },
            {
              "id": "Artemis",
              "display_name": "Artemis",
              "target": null
            },
            {
              "id": "Cobalt Strike",
              "display_name": "Cobalt Strike",
              "target": null
            },
            {
              "id": "Comspec",
              "display_name": "Comspec",
              "target": null
            },
            {
              "id": "Dark Power",
              "display_name": "Dark Power",
              "target": null
            },
            {
              "id": "HackTool",
              "display_name": "HackTool",
              "target": null
            },
            {
              "id": "HallRender",
              "display_name": "HallRender",
              "target": null
            },
            {
              "id": "Kzmiutmy",
              "display_name": "Kzmiutmy",
              "target": null
            },
            {
              "id": "Lazarus",
              "display_name": "Lazarus",
              "target": null
            },
            {
              "id": "LolKek",
              "display_name": "LolKek",
              "target": null
            },
            {
              "id": "Quasar RAT",
              "display_name": "Quasar RAT",
              "target": null
            },
            {
              "id": "Ransomware",
              "display_name": "Ransomware",
              "target": null
            },
            {
              "id": "RedLine Stealer",
              "display_name": "RedLine Stealer",
              "target": null
            },
            {
              "id": "Swisyn",
              "display_name": "Swisyn",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1583.005",
              "name": "Botnet",
              "display_name": "T1583.005 - Botnet"
            },
            {
              "id": "T1546",
              "name": "Event Triggered Execution",
              "display_name": "T1546 - Event Triggered Execution"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1218",
              "name": "Signed Binary Proxy Execution",
              "display_name": "T1218 - Signed Binary Proxy Execution"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1114",
              "name": "Email Collection",
              "display_name": "T1114 - Email Collection"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1005",
              "name": "Data from Local System",
              "display_name": "T1005 - Data from Local System"
            },
            {
              "id": "T1010",
              "name": "Application Window Discovery",
              "display_name": "T1010 - Application Window Discovery"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1056.001",
              "name": "Keylogging",
              "display_name": "T1056.001 - Keylogging"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1600",
              "name": "Weaken Encryption",
              "display_name": "T1600 - Weaken Encryption"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 29,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "OctoSeek",
            "id": "243548",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 192,
            "FileHash-MD5": 72,
            "FileHash-SHA1": 66,
            "FileHash-SHA256": 380,
            "domain": 115,
            "hostname": 220,
            "CVE": 4
          },
          "indicator_count": 1049,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 219,
          "modified_text": "814 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "658ca4d09e86f0f3f107eeec",
          "name": "USBank: Phishing and Frauds | CNC | Quasar RAT ",
          "description": "",
          "modified": "2024-01-26T07:01:23.551000",
          "created": "2023-12-27T22:27:28.593000",
          "tags": [
            "no expiration",
            "filehashsha256",
            "ipv4",
            "hostname",
            "expiration",
            "filehashmd5",
            "domain",
            "filehashsha1",
            "url http",
            "iocs",
            "next",
            "url https",
            "scan endpoints",
            "all octoseek",
            "create new",
            "pulse use",
            "pdf report",
            "pcap",
            "analyzer",
            "hackers",
            "hacktool",
            "hijacker",
            "tsara brashears",
            "hallrender",
            "lazarus",
            "win64",
            "usbank",
            "webp",
            "critical",
            "contacted",
            "octoseek",
            "command_and_control",
            "comspec",
            "copy",
            "core",
            "critical",
            "dangerous",
            "apple",
            "briannsabey breadcrumbs",
            "ck id",
            "cobalt strike",
            "bot",
            "bot network",
            "resolutions",
            "renos",
            "referrer",
            "model",
            "mitre att",
            "monitoring",
            "quasar rat",
            "ransomware",
            "networm",
            "open path",
            "pattern match",
            "payload",
            "powershell",
            "command_and_control",
            "exploit",
            "tracking",
            "cybercrime",
            "T1622 - Debugger Evasion",
            "cracked",
            "installer",
            "apple",
            "banking",
            "parking payload",
            "factory",
            "gpt analyzer",
            "teams",
            "localappdata",
            "breadcrumbs"
          ],
          "references": [
            "onlinebanking.usbank.com.blackboxconstruction.com.ph",
            "https://www.hallrender.com/attorney/brian-sabey/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Worm.Mimail",
              "display_name": "Worm.Mimail",
              "target": null
            },
            {
              "id": "Win32:Pitou-C [Rtk]",
              "display_name": "Win32:Pitou-C [Rtk]",
              "target": null
            },
            {
              "id": "W32/Bagle.RC.worm",
              "display_name": "W32/Bagle.RC.worm",
              "target": null
            },
            {
              "id": "Trojan:VBS/Renos",
              "display_name": "Trojan:VBS/Renos",
              "target": "/malware/Trojan:VBS/Renos"
            },
            {
              "id": "Trojan:BAT/Gamaredon",
              "display_name": "Trojan:BAT/Gamaredon",
              "target": "/malware/Trojan:BAT/Gamaredon"
            },
            {
              "id": "Trojan-Ransom.Win32.Blocker.xhaw",
              "display_name": "Trojan-Ransom.Win32.Blocker.xhaw",
              "target": null
            },
            {
              "id": "Trojan-Downloader.Win32.Upatre",
              "display_name": "Trojan-Downloader.Win32.Upatre",
              "target": null
            },
            {
              "id": "Trj/CI.A",
              "display_name": "Trj/CI.A",
              "target": null
            },
            {
              "id": "Android:Agent-OVB [Trj]",
              "display_name": "Android:Agent-OVB [Trj]",
              "target": null
            },
            {
              "id": "Artemis",
              "display_name": "Artemis",
              "target": null
            },
            {
              "id": "Cobalt Strike",
              "display_name": "Cobalt Strike",
              "target": null
            },
            {
              "id": "Comspec",
              "display_name": "Comspec",
              "target": null
            },
            {
              "id": "Dark Power",
              "display_name": "Dark Power",
              "target": null
            },
            {
              "id": "HackTool",
              "display_name": "HackTool",
              "target": null
            },
            {
              "id": "HallRender",
              "display_name": "HallRender",
              "target": null
            },
            {
              "id": "Kzmiutmy",
              "display_name": "Kzmiutmy",
              "target": null
            },
            {
              "id": "Lazarus",
              "display_name": "Lazarus",
              "target": null
            },
            {
              "id": "LolKek",
              "display_name": "LolKek",
              "target": null
            },
            {
              "id": "Quasar RAT",
              "display_name": "Quasar RAT",
              "target": null
            },
            {
              "id": "Ransomware",
              "display_name": "Ransomware",
              "target": null
            },
            {
              "id": "RedLine Stealer",
              "display_name": "RedLine Stealer",
              "target": null
            },
            {
              "id": "Swisyn",
              "display_name": "Swisyn",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1583.005",
              "name": "Botnet",
              "display_name": "T1583.005 - Botnet"
            },
            {
              "id": "T1546",
              "name": "Event Triggered Execution",
              "display_name": "T1546 - Event Triggered Execution"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1218",
              "name": "Signed Binary Proxy Execution",
              "display_name": "T1218 - Signed Binary Proxy Execution"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1114",
              "name": "Email Collection",
              "display_name": "T1114 - Email Collection"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1005",
              "name": "Data from Local System",
              "display_name": "T1005 - Data from Local System"
            },
            {
              "id": "T1010",
              "name": "Application Window Discovery",
              "display_name": "T1010 - Application Window Discovery"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1056.001",
              "name": "Keylogging",
              "display_name": "T1056.001 - Keylogging"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1600",
              "name": "Weaken Encryption",
              "display_name": "T1600 - Weaken Encryption"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "658bd8f63a1e4c5a38ce44e4",
          "export_count": 28,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "scoreblue",
            "id": "254100",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 192,
            "FileHash-MD5": 72,
            "FileHash-SHA1": 66,
            "FileHash-SHA256": 380,
            "domain": 115,
            "hostname": 220,
            "CVE": 4
          },
          "indicator_count": 1049,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 227,
          "modified_text": "814 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "65709a384e3e8573cf5ecac4",
          "name": "v2 - kopat electronic door security  with hybrid scan data",
          "description": "",
          "modified": "2023-12-06T15:58:48.938000",
          "created": "2023-12-06T15:58:48.938000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 3,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "StreamMiningEx",
            "id": "262917",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 1569,
            "URL": 3824,
            "email": 8,
            "domain": 290,
            "hostname": 189,
            "FileHash-MD5": 576,
            "FileHash-SHA1": 52
          },
          "indicator_count": 6508,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 110,
          "modified_text": "865 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "645932281e34157197d4cbe4",
          "name": "v2 - kopat electronic door security  with hybrid scan data",
          "description": "",
          "modified": "2023-05-08T17:32:24.648000",
          "created": "2023-05-08T17:32:24.648000",
          "tags": [
            "dropped file",
            "null",
            "varchar",
            "gecko",
            "pcap",
            "pcap processing",
            "win64",
            "khtml",
            "span",
            "cookie",
            "path",
            "mozi",
            "roboto",
            "class",
            "mozilla",
            "body",
            "form",
            "window",
            "accept",
            "meta",
            "iframe",
            "contact",
            "4629",
            "trim",
            "embed",
            "dwis",
            "test",
            "tear",
            "qakbot",
            "tecv",
            "1inb",
            "a3ob",
            "u9p10dkhttps",
            "windir",
            "openurl c",
            "l10dkhttps",
            "charset",
            "w6t2hm",
            "is6bi"
          ],
          "references": [
            "https://www.hybrid-analysis.com/sample/5ea6b6bdf0a82359f7f73c6095b6c8891be485234e5544ef18a000136617a1b6/645767842cd19c9c560f0381"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1114",
              "name": "Email Collection",
              "display_name": "T1114 - Email Collection"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 9,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "callmeDoris",
            "id": "205385",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 3824,
            "hostname": 189,
            "domain": 290,
            "FileHash-SHA256": 1569,
            "email": 8,
            "IPv4": 27,
            "FileHash-MD5": 576,
            "FileHash-SHA1": 52
          },
          "indicator_count": 6535,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 95,
          "modified_text": "1077 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://www.hybrid-analysis.com/sample/5ea6b6bdf0a82359f7f73c6095b6c8891be485234e5544ef18a000136617a1b6/645767842cd19c9c560f0381",
        "https://vtbehaviour.commondatastorage.googleapis.com/1ca8b15684a1143e38ef87f31d8a89c7b25a1107aeaf03d43ad9fd611c4a35ba_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1774869821&Signature=dm0pQf9ykZMucZEHHViqEfYFoBozAF57ZHYUPo3i79Fb6al02qn6AeYk%2FxR1vzLE4NQkG40Rm1LFUVN79w5CNETgwiRzCx%2BSpUCvPnYIv7E3SEmv5wZrhcuObW%2FE%2B1Ef7e53KrnREKePmmVmLYO34EXBewDpQF4DTIUvGnHdoQkf8pmNquGPuJZRRodaPAkoAEufbI%2BMk4zTqA%2BXbEP%2FpFBi5v30azilsKQ8R%2BLyJYHnYE",
        "https://www.hallrender.com/attorney/brian-sabey/",
        "onlinebanking.usbank.com.blackboxconstruction.com.ph"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": [],
          "unique_indicators": 0
        },
        "other": {
          "adversary": [],
          "malware_families": [
            "Win32:pitou-c [rtk]",
            "Trojan-ransom.win32.blocker.xhaw",
            "Ransomware",
            "Trj/ci.a",
            "Worm.mimail",
            "Hallrender",
            "Swisyn",
            "Dark power",
            "Trojan:vbs/renos",
            "Trojan:bat/gamaredon",
            "Comspec",
            "Quasar rat",
            "Lazarus",
            "Trojan-downloader.win32.upatre",
            "Cobalt strike",
            "W32/bagle.rc.worm",
            "Redline stealer",
            "Android:agent-ovb [trj]",
            "Hacktool",
            "Artemis",
            "Kzmiutmy",
            "Lolkek"
          ],
          "industries": [],
          "unique_indicators": 36420
        }
      }
    },
    "false_positive": [],
    "alexa": "http://www.alexa.com/siteinfo/doubleclick.net",
    "whois": "http://whois.domaintools.com/doubleclick.net",
    "domain": "doubleclick.net",
    "hostname": "Unavailable"
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 7,
  "pulses": [
    {
      "id": "69ca5d583057aaefed16789a",
      "name": "CAPE Sandbox- Stealc Config CNCs\thttp://170.130.55.38\\/ad23d4a47cfd4c13.php botnet\tnewbuild2",
      "description": "A complete list of details about who is registered on the Whois website:..1.0/16:30 GMT on 1 January 2019. (00:00 GMT).-1:<Pretext -- Stealc Config\nCNCs\thttp://170.130.55.38\\/ad23d4a47cfd4c13.php\nbotnet\tnewbuild2",
      "modified": "2026-03-30T11:45:14.761000",
      "created": "2026-03-30T11:24:08.053000",
      "tags": [
        "file size",
        "mwdb",
        "bazaar",
        "sha3384",
        "ssdeep",
        "file type",
        "default",
        "sha256",
        "sha1",
        "data",
        "info",
        "accept",
        "win64",
        "damage",
        "openssl",
        "shutdown",
        "direct",
        "explorer",
        "title",
        "payload",
        "rdap",
        "ip version",
        "address range",
        "cidr",
        "network name",
        "allocation type",
        "whois server",
        "entity sg679",
        "handle",
        "stealc config",
        "cncs http"
      ],
      "references": [
        "https://vtbehaviour.commondatastorage.googleapis.com/1ca8b15684a1143e38ef87f31d8a89c7b25a1107aeaf03d43ad9fd611c4a35ba_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1774869821&Signature=dm0pQf9ykZMucZEHHViqEfYFoBozAF57ZHYUPo3i79Fb6al02qn6AeYk%2FxR1vzLE4NQkG40Rm1LFUVN79w5CNETgwiRzCx%2BSpUCvPnYIv7E3SEmv5wZrhcuObW%2FE%2B1Ef7e53KrnREKePmmVmLYO34EXBewDpQF4DTIUvGnHdoQkf8pmNquGPuJZRRodaPAkoAEufbI%2BMk4zTqA%2BXbEP%2FpFBi5v30azilsKQ8R%2BLyJYHnYE"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "IPv4": 92,
        "domain": 351,
        "URL": 392,
        "FileHash-MD5": 149,
        "FileHash-SHA1": 168,
        "FileHash-SHA256": 197,
        "email": 12,
        "hostname": 68,
        "CIDR": 4
      },
      "indicator_count": 1433,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 50,
      "modified_text": "20 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "6892e73b32af18aa302df0dc",
      "name": "Part 1.5",
      "description": "Dark web media \u2022 Political news \u2022 Malvertizing\nlocate \u2022\ntrack [stalk] \u2022 record calls \u2022 control media [youtube , etc] http://t.name?n[++i]=e:this.removeEventListener\t\t\nJeeng &\nPowebox [ accidentally left out in original post pulse]",
      "modified": "2025-09-05T04:03:06.929000",
      "created": "2025-08-06T05:25:15.369000",
      "tags": [
        "chromeua",
        "optout",
        "object",
        "path",
        "value",
        "access type",
        "setval",
        "windir",
        "localappdata",
        "null",
        "win64",
        "error",
        "generator",
        "close",
        "roboto",
        "date",
        "format",
        "light",
        "span",
        "template",
        "void",
        "android",
        "body",
        "trident",
        "mexico",
        "sonic",
        "black",
        "critical",
        "desktop",
        "dark",
        "meta",
        "this",
        "june",
        "hybrid",
        "apache",
        "write",
        "crypto",
        "autodetect",
        "face",
        "courier",
        "gigi",
        "impact",
        "shadow",
        "click",
        "strings",
        "cray",
        "smwg",
        "eret",
        "footer",
        "infinity",
        "window",
        "canvas",
        "legend",
        "nuke",
        "lion",
        "4629",
        "ahav",
        "olsa",
        "false",
        "learn",
        "command",
        "ck id",
        "name tactics",
        "suspicious",
        "informative",
        "spawns",
        "defense evasion",
        "t1480 execution",
        "file defense",
        "copy md5",
        "copy sha1",
        "copy sha256",
        "sha1",
        "sha256",
        "script",
        "mitre att",
        "pattern match",
        "show technique",
        "iframe",
        "refresh",
        "august",
        "general",
        "local",
        "tools",
        "demo",
        "look",
        "verify",
        "restart",
        "url http",
        "small",
        "pulses url",
        "tellyoun",
        "showing",
        "entries",
        "url https",
        "indicator role",
        "title added",
        "active related",
        "type indicator",
        "role title",
        "added active",
        "related pulses",
        "cc08",
        "f06a6b",
        "sfurl",
        "filehashsha256",
        "types",
        "indicators show",
        "search",
        "pulses",
        "filehashsha1",
        "adversaries",
        "found",
        "webp image",
        "ascii text",
        "riff",
        "size",
        "encrypt",
        "legacy",
        "filehashmd5",
        "united",
        "flag",
        "server",
        "markmonitor",
        "name server",
        "llc name",
        "overview dns",
        "requests domain",
        "country",
        "win32",
        "av detections",
        "ids detections",
        "yara detections",
        "alerts",
        "analysis date",
        "file score",
        "medium risk",
        "yara",
        "detections",
        "malware",
        "copy",
        "show",
        "icmp traffic",
        "packing t1045",
        "t1045",
        "pdb path",
        "pe resource",
        "extraction",
        "data upload",
        "enter sc",
        "type",
        "extra data",
        "please",
        "failed",
        "review",
        "exclude data",
        "included review",
        "ic data",
        "suggeste",
        "stop",
        "type onow",
        "domain",
        "passive dns",
        "urls",
        "files related",
        "pulses none",
        "related tags",
        "none google",
        "safe browsing",
        "sc data",
        "extr amanuav",
        "review included",
        "manualy",
        "sugges excluded",
        "filehash",
        "md5 add",
        "pulse pulses",
        "url add",
        "http",
        "hostname",
        "files domain",
        "pulses otx",
        "virustotal",
        "hsmi192547107",
        "pulses hostname",
        "r dec",
        "customer dec",
        "iski dec",
        "decision dec",
        "va dec",
        "bitcoin",
        "bitcoin dec",
        "petra",
        "torstatus dec",
        "paul dec",
        "sodesc",
        "planet dec",
        "emilia",
        "heroin dec",
        "difference dec",
        "palantir dec",
        "loraxlive dec",
        "chaturbate dec",
        "sandra",
        "free dec",
        "marvel dec",
        "benjis dec",
        "fresh dec",
        "sodesc dec",
        "srdirport",
        "srhostname",
        "link dec",
        "types of",
        "italy",
        "china",
        "australia",
        "france",
        "turkey",
        "discovery",
        "information",
        "ck ids",
        "t1005",
        "local system",
        "t1007",
        "system service",
        "part",
        "track",
        "locate",
        "political",
        "civil society",
        "news",
        "created",
        "hours ago",
        "report spam",
        "t1555",
        "password",
        "t1560",
        "collected data",
        "t1573",
        "channel",
        "t1574",
        "execution flow",
        "scan",
        "iocs",
        "t1497",
        "u0lhmq",
        "mtawmq",
        "t1480",
        "guardrails",
        "t1486",
        "data encrypted",
        "learn more",
        "unsubscribe aug",
        "protocol",
        "t1074",
        "staged",
        "t1083",
        "t1102",
        "web service",
        "t1105",
        "tool transfer",
        "t1140",
        "data engineer",
        "candidate",
        "tlsv1",
        "odigicert inc",
        "stcalifornia",
        "lsan jose",
        "oadobe systems",
        "incorporated",
        "cndigicert sha2",
        "push",
        "next",
        "high",
        "write c",
        "ireland as16509",
        "delete",
        "dirty",
        "tags",
        "t1012",
        "flow endpoint",
        "security scan",
        "t1106",
        "copyright",
        "levelblue"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1005",
          "name": "Data from Local System",
          "display_name": "T1005 - Data from Local System"
        },
        {
          "id": "T1007",
          "name": "System Service Discovery",
          "display_name": "T1007 - System Service Discovery"
        },
        {
          "id": "T1012",
          "name": "Query Registry",
          "display_name": "T1012 - Query Registry"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1033",
          "name": "System Owner/User Discovery",
          "display_name": "T1033 - System Owner/User Discovery"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1074",
          "name": "Data Staged",
          "display_name": "T1074 - Data Staged"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1106",
          "name": "Native API",
          "display_name": "T1106 - Native API"
        },
        {
          "id": "T1112",
          "name": "Modify Registry",
          "display_name": "T1112 - Modify Registry"
        },
        {
          "id": "T1120",
          "name": "Peripheral Device Discovery",
          "display_name": "T1120 - Peripheral Device Discovery"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1132",
          "name": "Data Encoding",
          "display_name": "T1132 - Data Encoding"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1480",
          "name": "Execution Guardrails",
          "display_name": "T1480 - Execution Guardrails"
        },
        {
          "id": "T1486",
          "name": "Data Encrypted for Impact",
          "display_name": "T1486 - Data Encrypted for Impact"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1555",
          "name": "Credentials from Password Stores",
          "display_name": "T1555 - Credentials from Password Stores"
        },
        {
          "id": "T1560",
          "name": "Archive Collected Data",
          "display_name": "T1560 - Archive Collected Data"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1574",
          "name": "Hijack Execution Flow",
          "display_name": "T1574 - Hijack Execution Flow"
        },
        {
          "id": "T1553",
          "name": "Subvert Trust Controls",
          "display_name": "T1553 - Subvert Trust Controls"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        },
        {
          "id": "T1568",
          "name": "Dynamic Resolution",
          "display_name": "T1568 - Dynamic Resolution"
        },
        {
          "id": "T1583",
          "name": "Acquire Infrastructure",
          "display_name": "T1583 - Acquire Infrastructure"
        },
        {
          "id": "T1045",
          "name": "Software Packing",
          "display_name": "T1045 - Software Packing"
        },
        {
          "id": "T1018",
          "name": "Remote System Discovery",
          "display_name": "T1018 - Remote System Discovery"
        },
        {
          "id": "T1041",
          "name": "Exfiltration Over C2 Channel",
          "display_name": "T1041 - Exfiltration Over C2 Channel"
        },
        {
          "id": "T1114",
          "name": "Email Collection",
          "display_name": "T1114 - Email Collection"
        },
        {
          "id": "T1063",
          "name": "Security Software Discovery",
          "display_name": "T1063 - Security Software Discovery"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 18,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Q.Vashti",
        "id": "337942",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 608,
        "FileHash-SHA1": 433,
        "FileHash-SHA256": 3663,
        "URL": 17104,
        "domain": 1316,
        "email": 39,
        "hostname": 4208,
        "SSLCertFingerprint": 17
      },
      "indicator_count": 27388,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 139,
      "modified_text": "226 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "6892a73593f73dfc969779b0",
      "name": "Part I | Track | Locate | Political & Civil society \u2018news\u2019 campaigns",
      "description": "Part I | Track | Locate | Political & Civil society \u2018news\u2019 campaigns\n*[ddddd.msg]\n[http://tracking.eu1.glintinc.com]\n[stormer5v52vjsw66jmds7ndeecudq444woadhzr2plxlaayexnh6eqd]\n[stackstorm.ops.dev.az.glintinc.com]\n\u2022 http://stormer5v52vjsw66jmds7ndeecudq444woadhzr2plxlaayexnh6eqd.onion/peter-thiel-running-database-to-root-out-those-disloyal-to-the-leader/\\n \u2022\n[http://pixelrz.com/lists/keywords/tsara-brashears-assaulted-at-concentra/360]\n[http://pixelrz.com/lists/keywords/tsara-brashears-dead/360]",
      "modified": "2025-09-05T00:03:23.223000",
      "created": "2025-08-06T00:52:05.051000",
      "tags": [
        "url http",
        "small",
        "indicator role",
        "title added",
        "active related",
        "pulses hostname",
        "tellyoun",
        "n aug",
        "entries",
        "data upload",
        "extraction",
        "windows error",
        "june",
        "fwd urgent",
        "justice czech",
        "copy sha256",
        "rejectedfailed",
        "timestamp input",
        "message status",
        "actions august",
        "file",
        "actions june",
        "actions may",
        "cta4 https",
        "context related",
        "associated urls",
        "campaigncodedsc",
        "language",
        "uid http",
        "community",
        "sha256",
        "size42b type",
        "submitted",
        "august",
        "april",
        "internal error",
        "previous1",
        "iframe",
        "community score",
        "scan analysis",
        "malicious",
        "intelligence",
        "learn",
        "falcon sandbox",
        "submissions",
        "status",
        "adversaries",
        "ck id",
        "name tactics",
        "suspicious",
        "informative",
        "defense evasion",
        "windows folder",
        "found",
        "dlls",
        "impact",
        "chromeua",
        "optout",
        "object",
        "path",
        "value",
        "access type",
        "setval",
        "windir",
        "localappdata",
        "null",
        "win64",
        "error",
        "generator",
        "close",
        "roboto",
        "date",
        "format",
        "light",
        "span",
        "template",
        "void",
        "android",
        "body",
        "trident",
        "mexico",
        "sonic",
        "black",
        "critical",
        "desktop",
        "dark",
        "meta",
        "this",
        "hybrid",
        "apache",
        "write",
        "crypto",
        "autodetect",
        "face",
        "courier",
        "gigi",
        "shadow",
        "click",
        "strings",
        "cray",
        "smwg",
        "eret",
        "footer",
        "infinity",
        "window",
        "canvas",
        "legend",
        "nuke",
        "lion",
        "4629",
        "ahav",
        "olsa",
        "false"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1005",
          "name": "Data from Local System",
          "display_name": "T1005 - Data from Local System"
        },
        {
          "id": "T1007",
          "name": "System Service Discovery",
          "display_name": "T1007 - System Service Discovery"
        },
        {
          "id": "T1012",
          "name": "Query Registry",
          "display_name": "T1012 - Query Registry"
        },
        {
          "id": "T1018",
          "name": "Remote System Discovery",
          "display_name": "T1018 - Remote System Discovery"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1033",
          "name": "System Owner/User Discovery",
          "display_name": "T1033 - System Owner/User Discovery"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1041",
          "name": "Exfiltration Over C2 Channel",
          "display_name": "T1041 - Exfiltration Over C2 Channel"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1074",
          "name": "Data Staged",
          "display_name": "T1074 - Data Staged"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1106",
          "name": "Native API",
          "display_name": "T1106 - Native API"
        },
        {
          "id": "T1112",
          "name": "Modify Registry",
          "display_name": "T1112 - Modify Registry"
        },
        {
          "id": "T1114",
          "name": "Email Collection",
          "display_name": "T1114 - Email Collection"
        },
        {
          "id": "T1120",
          "name": "Peripheral Device Discovery",
          "display_name": "T1120 - Peripheral Device Discovery"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1132",
          "name": "Data Encoding",
          "display_name": "T1132 - Data Encoding"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1480",
          "name": "Execution Guardrails",
          "display_name": "T1480 - Execution Guardrails"
        },
        {
          "id": "T1486",
          "name": "Data Encrypted for Impact",
          "display_name": "T1486 - Data Encrypted for Impact"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1555",
          "name": "Credentials from Password Stores",
          "display_name": "T1555 - Credentials from Password Stores"
        },
        {
          "id": "T1560",
          "name": "Archive Collected Data",
          "display_name": "T1560 - Archive Collected Data"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1574",
          "name": "Hijack Execution Flow",
          "display_name": "T1574 - Hijack Execution Flow"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 9,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Q.Vashti",
        "id": "337942",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 9062,
        "domain": 707,
        "hostname": 2318,
        "FileHash-MD5": 86,
        "FileHash-SHA1": 26,
        "FileHash-SHA256": 2096,
        "email": 5,
        "FilePath": 2,
        "URI": 1
      },
      "indicator_count": 14303,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 139,
      "modified_text": "226 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "658bd8f63a1e4c5a38ce44e4",
      "name": "USBank: Phishing and Frauds | Command and Control |",
      "description": "",
      "modified": "2024-01-26T07:01:23.551000",
      "created": "2023-12-27T07:57:42.725000",
      "tags": [
        "no expiration",
        "filehashsha256",
        "ipv4",
        "hostname",
        "expiration",
        "filehashmd5",
        "domain",
        "filehashsha1",
        "url http",
        "iocs",
        "next",
        "url https",
        "scan endpoints",
        "all octoseek",
        "create new",
        "pulse use",
        "pdf report",
        "pcap",
        "analyzer",
        "hackers",
        "hacktool",
        "hijacker",
        "tsara brashears",
        "hallrender",
        "lazarus",
        "win64",
        "usbank",
        "webp",
        "critical",
        "contacted",
        "octoseek",
        "command_and_control",
        "comspec",
        "copy",
        "core",
        "critical",
        "dangerous",
        "apple",
        "briannsabey breadcrumbs",
        "ck id",
        "cobalt strike",
        "bot",
        "bot network",
        "resolutions",
        "renos",
        "referrer",
        "model",
        "mitre att",
        "monitoring",
        "quasar rat",
        "ransomware",
        "networm",
        "open path",
        "pattern match",
        "payload",
        "powershell",
        "command_and_control",
        "exploit",
        "tracking",
        "cybercrime",
        "T1622 - Debugger Evasion",
        "cracked",
        "installer",
        "apple",
        "banking",
        "parking payload",
        "factory",
        "gpt analyzer",
        "teams",
        "localappdata",
        "breadcrumbs"
      ],
      "references": [
        "onlinebanking.usbank.com.blackboxconstruction.com.ph",
        "https://www.hallrender.com/attorney/brian-sabey/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "Worm.Mimail",
          "display_name": "Worm.Mimail",
          "target": null
        },
        {
          "id": "Win32:Pitou-C [Rtk]",
          "display_name": "Win32:Pitou-C [Rtk]",
          "target": null
        },
        {
          "id": "W32/Bagle.RC.worm",
          "display_name": "W32/Bagle.RC.worm",
          "target": null
        },
        {
          "id": "Trojan:VBS/Renos",
          "display_name": "Trojan:VBS/Renos",
          "target": "/malware/Trojan:VBS/Renos"
        },
        {
          "id": "Trojan:BAT/Gamaredon",
          "display_name": "Trojan:BAT/Gamaredon",
          "target": "/malware/Trojan:BAT/Gamaredon"
        },
        {
          "id": "Trojan-Ransom.Win32.Blocker.xhaw",
          "display_name": "Trojan-Ransom.Win32.Blocker.xhaw",
          "target": null
        },
        {
          "id": "Trojan-Downloader.Win32.Upatre",
          "display_name": "Trojan-Downloader.Win32.Upatre",
          "target": null
        },
        {
          "id": "Trj/CI.A",
          "display_name": "Trj/CI.A",
          "target": null
        },
        {
          "id": "Android:Agent-OVB [Trj]",
          "display_name": "Android:Agent-OVB [Trj]",
          "target": null
        },
        {
          "id": "Artemis",
          "display_name": "Artemis",
          "target": null
        },
        {
          "id": "Cobalt Strike",
          "display_name": "Cobalt Strike",
          "target": null
        },
        {
          "id": "Comspec",
          "display_name": "Comspec",
          "target": null
        },
        {
          "id": "Dark Power",
          "display_name": "Dark Power",
          "target": null
        },
        {
          "id": "HackTool",
          "display_name": "HackTool",
          "target": null
        },
        {
          "id": "HallRender",
          "display_name": "HallRender",
          "target": null
        },
        {
          "id": "Kzmiutmy",
          "display_name": "Kzmiutmy",
          "target": null
        },
        {
          "id": "Lazarus",
          "display_name": "Lazarus",
          "target": null
        },
        {
          "id": "LolKek",
          "display_name": "LolKek",
          "target": null
        },
        {
          "id": "Quasar RAT",
          "display_name": "Quasar RAT",
          "target": null
        },
        {
          "id": "Ransomware",
          "display_name": "Ransomware",
          "target": null
        },
        {
          "id": "RedLine Stealer",
          "display_name": "RedLine Stealer",
          "target": null
        },
        {
          "id": "Swisyn",
          "display_name": "Swisyn",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1583.005",
          "name": "Botnet",
          "display_name": "T1583.005 - Botnet"
        },
        {
          "id": "T1546",
          "name": "Event Triggered Execution",
          "display_name": "T1546 - Event Triggered Execution"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1218",
          "name": "Signed Binary Proxy Execution",
          "display_name": "T1218 - Signed Binary Proxy Execution"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1114",
          "name": "Email Collection",
          "display_name": "T1114 - Email Collection"
        },
        {
          "id": "T1106",
          "name": "Native API",
          "display_name": "T1106 - Native API"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1005",
          "name": "Data from Local System",
          "display_name": "T1005 - Data from Local System"
        },
        {
          "id": "T1010",
          "name": "Application Window Discovery",
          "display_name": "T1010 - Application Window Discovery"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1056.001",
          "name": "Keylogging",
          "display_name": "T1056.001 - Keylogging"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1600",
          "name": "Weaken Encryption",
          "display_name": "T1600 - Weaken Encryption"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 29,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "OctoSeek",
        "id": "243548",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 192,
        "FileHash-MD5": 72,
        "FileHash-SHA1": 66,
        "FileHash-SHA256": 380,
        "domain": 115,
        "hostname": 220,
        "CVE": 4
      },
      "indicator_count": 1049,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 219,
      "modified_text": "814 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "658ca4d09e86f0f3f107eeec",
      "name": "USBank: Phishing and Frauds | CNC | Quasar RAT ",
      "description": "",
      "modified": "2024-01-26T07:01:23.551000",
      "created": "2023-12-27T22:27:28.593000",
      "tags": [
        "no expiration",
        "filehashsha256",
        "ipv4",
        "hostname",
        "expiration",
        "filehashmd5",
        "domain",
        "filehashsha1",
        "url http",
        "iocs",
        "next",
        "url https",
        "scan endpoints",
        "all octoseek",
        "create new",
        "pulse use",
        "pdf report",
        "pcap",
        "analyzer",
        "hackers",
        "hacktool",
        "hijacker",
        "tsara brashears",
        "hallrender",
        "lazarus",
        "win64",
        "usbank",
        "webp",
        "critical",
        "contacted",
        "octoseek",
        "command_and_control",
        "comspec",
        "copy",
        "core",
        "critical",
        "dangerous",
        "apple",
        "briannsabey breadcrumbs",
        "ck id",
        "cobalt strike",
        "bot",
        "bot network",
        "resolutions",
        "renos",
        "referrer",
        "model",
        "mitre att",
        "monitoring",
        "quasar rat",
        "ransomware",
        "networm",
        "open path",
        "pattern match",
        "payload",
        "powershell",
        "command_and_control",
        "exploit",
        "tracking",
        "cybercrime",
        "T1622 - Debugger Evasion",
        "cracked",
        "installer",
        "apple",
        "banking",
        "parking payload",
        "factory",
        "gpt analyzer",
        "teams",
        "localappdata",
        "breadcrumbs"
      ],
      "references": [
        "onlinebanking.usbank.com.blackboxconstruction.com.ph",
        "https://www.hallrender.com/attorney/brian-sabey/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "Worm.Mimail",
          "display_name": "Worm.Mimail",
          "target": null
        },
        {
          "id": "Win32:Pitou-C [Rtk]",
          "display_name": "Win32:Pitou-C [Rtk]",
          "target": null
        },
        {
          "id": "W32/Bagle.RC.worm",
          "display_name": "W32/Bagle.RC.worm",
          "target": null
        },
        {
          "id": "Trojan:VBS/Renos",
          "display_name": "Trojan:VBS/Renos",
          "target": "/malware/Trojan:VBS/Renos"
        },
        {
          "id": "Trojan:BAT/Gamaredon",
          "display_name": "Trojan:BAT/Gamaredon",
          "target": "/malware/Trojan:BAT/Gamaredon"
        },
        {
          "id": "Trojan-Ransom.Win32.Blocker.xhaw",
          "display_name": "Trojan-Ransom.Win32.Blocker.xhaw",
          "target": null
        },
        {
          "id": "Trojan-Downloader.Win32.Upatre",
          "display_name": "Trojan-Downloader.Win32.Upatre",
          "target": null
        },
        {
          "id": "Trj/CI.A",
          "display_name": "Trj/CI.A",
          "target": null
        },
        {
          "id": "Android:Agent-OVB [Trj]",
          "display_name": "Android:Agent-OVB [Trj]",
          "target": null
        },
        {
          "id": "Artemis",
          "display_name": "Artemis",
          "target": null
        },
        {
          "id": "Cobalt Strike",
          "display_name": "Cobalt Strike",
          "target": null
        },
        {
          "id": "Comspec",
          "display_name": "Comspec",
          "target": null
        },
        {
          "id": "Dark Power",
          "display_name": "Dark Power",
          "target": null
        },
        {
          "id": "HackTool",
          "display_name": "HackTool",
          "target": null
        },
        {
          "id": "HallRender",
          "display_name": "HallRender",
          "target": null
        },
        {
          "id": "Kzmiutmy",
          "display_name": "Kzmiutmy",
          "target": null
        },
        {
          "id": "Lazarus",
          "display_name": "Lazarus",
          "target": null
        },
        {
          "id": "LolKek",
          "display_name": "LolKek",
          "target": null
        },
        {
          "id": "Quasar RAT",
          "display_name": "Quasar RAT",
          "target": null
        },
        {
          "id": "Ransomware",
          "display_name": "Ransomware",
          "target": null
        },
        {
          "id": "RedLine Stealer",
          "display_name": "RedLine Stealer",
          "target": null
        },
        {
          "id": "Swisyn",
          "display_name": "Swisyn",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1583.005",
          "name": "Botnet",
          "display_name": "T1583.005 - Botnet"
        },
        {
          "id": "T1546",
          "name": "Event Triggered Execution",
          "display_name": "T1546 - Event Triggered Execution"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1218",
          "name": "Signed Binary Proxy Execution",
          "display_name": "T1218 - Signed Binary Proxy Execution"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1114",
          "name": "Email Collection",
          "display_name": "T1114 - Email Collection"
        },
        {
          "id": "T1106",
          "name": "Native API",
          "display_name": "T1106 - Native API"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1005",
          "name": "Data from Local System",
          "display_name": "T1005 - Data from Local System"
        },
        {
          "id": "T1010",
          "name": "Application Window Discovery",
          "display_name": "T1010 - Application Window Discovery"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1056.001",
          "name": "Keylogging",
          "display_name": "T1056.001 - Keylogging"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1600",
          "name": "Weaken Encryption",
          "display_name": "T1600 - Weaken Encryption"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": "658bd8f63a1e4c5a38ce44e4",
      "export_count": 28,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "scoreblue",
        "id": "254100",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 192,
        "FileHash-MD5": 72,
        "FileHash-SHA1": 66,
        "FileHash-SHA256": 380,
        "domain": 115,
        "hostname": 220,
        "CVE": 4
      },
      "indicator_count": 1049,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 227,
      "modified_text": "814 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "65709a384e3e8573cf5ecac4",
      "name": "v2 - kopat electronic door security  with hybrid scan data",
      "description": "",
      "modified": "2023-12-06T15:58:48.938000",
      "created": "2023-12-06T15:58:48.938000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 3,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "StreamMiningEx",
        "id": "262917",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 1569,
        "URL": 3824,
        "email": 8,
        "domain": 290,
        "hostname": 189,
        "FileHash-MD5": 576,
        "FileHash-SHA1": 52
      },
      "indicator_count": 6508,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 110,
      "modified_text": "865 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "645932281e34157197d4cbe4",
      "name": "v2 - kopat electronic door security  with hybrid scan data",
      "description": "",
      "modified": "2023-05-08T17:32:24.648000",
      "created": "2023-05-08T17:32:24.648000",
      "tags": [
        "dropped file",
        "null",
        "varchar",
        "gecko",
        "pcap",
        "pcap processing",
        "win64",
        "khtml",
        "span",
        "cookie",
        "path",
        "mozi",
        "roboto",
        "class",
        "mozilla",
        "body",
        "form",
        "window",
        "accept",
        "meta",
        "iframe",
        "contact",
        "4629",
        "trim",
        "embed",
        "dwis",
        "test",
        "tear",
        "qakbot",
        "tecv",
        "1inb",
        "a3ob",
        "u9p10dkhttps",
        "windir",
        "openurl c",
        "l10dkhttps",
        "charset",
        "w6t2hm",
        "is6bi"
      ],
      "references": [
        "https://www.hybrid-analysis.com/sample/5ea6b6bdf0a82359f7f73c6095b6c8891be485234e5544ef18a000136617a1b6/645767842cd19c9c560f0381"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1114",
          "name": "Email Collection",
          "display_name": "T1114 - Email Collection"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 9,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "callmeDoris",
        "id": "205385",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 3824,
        "hostname": 189,
        "domain": 290,
        "FileHash-SHA256": 1569,
        "email": 8,
        "IPv4": 27,
        "FileHash-MD5": 576,
        "FileHash-SHA1": 52
      },
      "indicator_count": 6535,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 95,
      "modified_text": "1077 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "https://doubleclick.net",
    "type": "URL"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "https://doubleclick.net",
    "type": "URL",
    "found": false,
    "verdict": "clean",
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1776631424.319861
}