{ "type": "URL", "indicator": "https://empoweresports.com/sql", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://empoweresports.com/sql", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4085793347, "indicator": "https://empoweresports.com/sql", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 5, "pulses": [ { "id": "69c4281f5f232316375b225e", "name": "CoolWebSearch \u2022 Engine \u2022 Browser Hijack | Ransomware | Checkin | Tracking | Installer #pegasus_related", "description": "", "modified": "2026-03-25T18:23:27.601000", "created": "2026-03-25T18:23:27.601000", "tags": [ "lowfi", "ransom", "trojan", "mtb oct", "win32", "kingwe", "files", "files ip", "all ipv4", "america flag", "United States", "win32mydoom", "otx logo", "urls", "reverse dns", "cnc style", "cnc checkin", "style", "install cnc", "initial install", "activity", "win32mydoom sep", "worm", "win32mydoom oct", "win32getnow oct", "unknown ns", "search", "browser", "hijackers", "file format", "malwarerid", "majauskas", "google", "report", "once", "malicious", "malware", "overview ip", "address", "asn as46475", "nameservers", "related tags", "spf record", "tags", "domain", "name", "query time", "cyprus update", "united states", "browser hijacker", "install", "handle", "entity", "key identifier", "x509v3 subject", "host name", "data", "v3 serial", "number", "cus olet", "encrypt cnr12", "ttl value", "thumbprint", "enabled", "malvertising", "encoded_htm!", "new_domain", "suspicious_redirect", "proximity", "tracking_infrastructure", "passive dns", "http", "ip address", "related nids", "files location", "checkin worm", "mydoom checkin", "useragent", "checkin cnc", "acti cnc", "beac track", "failed\u0661\u0668", "data upload", "extraction", "winsoft", "checkin", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "javascript", "defense evasion", "spawns", "over", "mitre att", "show technique", "ck matrix", "ascii text", "body", "title", "encrypt", "refresh", "hybrid", "general", "local", "path", "click", "strings", "dynamicloader", "medium", "high", "et exploit", "write c", "default", "probe ms17010", "write", "copy", "pegasus related" ], "references": [ "coolwebsearch.info | browser hijacker, malware , malicious", "Winsoft.E Checkin 3 Trojan.Generic.KDV.91800 Checkin PUP Win32/GetNow.B", "Checkin Worm.Mydoom Checkin User-Agent (explwer) Win32/Fosniw MacTryCnt CnC Style", "Checkin Win32/Fosniw CnC Checkin Style 2 Win32/Adware.iBryte.BO", "CnC Activity W32/SpeedingUpMyPC.Rootkit Install", "CnC Beacon Win32/InstallCore Initial Install Activity 2", "track.aptitudemedia.co/redirect?target=BASE64aHR0cDovL3RyYWNrLmNxcXNmLmNvbS9hZmZfYz9vZmZlcl9pZD0zNDI3JmFmZl9pZD0yNDM4NyZzb3VyY2U9OTI0MzhmOTktOGM5Yi00ODBjLWJjN2ItZGRiYzc2NDRhMjI3JmFmZl9zdWI9d001T0gxUUtVNzk5MUJUS0hDUklMSjhL" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Win.Malware.Generickdz-9918324-0", "display_name": "Win.Malware.Generickdz-9918324-0", "target": null }, { "id": "Trojan:Win32/Mydoom", "display_name": "Trojan:Win32/Mydoom", "target": "/malware/Trojan:Win32/Mydoom" }, { "id": "ALF:HeraklezEval:PUA:Win32/InstallCore.R", "display_name": "ALF:HeraklezEval:PUA:Win32/InstallCore.R", "target": null }, { "id": "Win.Trojan.Generic-9909777-0", "display_name": "Win.Trojan.Generic-9909777-0", "target": null }, { "id": "Win.Malware.Installcore-9794583-0", "display_name": "Win.Malware.Installcore-9794583-0", "target": null }, { "id": "Ransom:Win32/WannaCrypt.H", "display_name": "Ransom:Win32/WannaCrypt.H", "target": "/malware/Ransom:Win32/WannaCrypt.H" }, { "id": "Win.Dropper.DarkKomet-9370806-0", "display_name": "Win.Dropper.DarkKomet-9370806-0", "target": null }, { "id": "Win.Malware.Generic-9963787-0", "display_name": "Win.Malware.Generic-9963787-0", "target": null }, { "id": "Win.Trojan.Generic-9909777-0 #LowFi:HSTR:OptimumInstaller", "display_name": "Win.Trojan.Generic-9909777-0 #LowFi:HSTR:OptimumInstaller", "target": null }, { "id": "Win.Malware.Mydoom-6804696-0\tWorm:Win32/Mydoom Win.Malware.Mydoom-6804696-0\tWorm:Win32/Mydoom Sep 18, 2023\t0d35f0736ce0f4d24c31ec3e940ffb1378d3151d7038a859819d2640cab30da1\t\t\t\t#LowFi:HSTR:OptimumInstal", "display_name": "Win.Malware.Mydoom-6804696-0\tWorm:Win32/Mydoom Win.Malware.Mydoom-6804696-0\tWorm:Win32/Mydoom Sep 18, 2023\t0d35f0736ce0f4d24c31ec3e940ffb1378d3151d7038a859819d2640cab30da1\t\t\t\t#LowFi:HSTR:OptimumInstal", "target": null }, { "id": "Tags", "display_name": "Tags", "target": null }, { "id": "Winsoft", "display_name": "Winsoft", "target": null }, { "id": "Checkin", "display_name": "Checkin", "target": null }, { "id": "CoolWebService", "display_name": "CoolWebService", "target": null } ], "attack_ids": [ { "id": "T1048", "name": "Exfiltration Over Alternative Protocol", "display_name": "T1048 - Exfiltration Over Alternative Protocol" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1048.003", "name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "display_name": "T1048.003 - Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" } ], "industries": [], "TLP": "white", "cloned_from": "69c425ecfef08de19b962774", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 1541, "URL": 2403, "domain": 328, "hostname": 593, "FileHash-MD5": 142, "FileHash-SHA1": 176, "FileHash-SHA256": 574, "email": 3, "SSLCertFingerprint": 10 }, "indicator_count": 5770, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "24 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69c425ecfef08de19b962774", "name": "CoolWebSearc \u2022 Engine -Browser Hijack | Affects DropBox + other services | Checkin | Tracking | Installer #pegasus_related", "description": "", "modified": "2026-03-25T18:14:04.398000", "created": "2026-03-25T18:14:04.398000", "tags": [ "lowfi", "ransom", "trojan", "mtb oct", "win32", "kingwe", "files", "files ip", "all ipv4", "america flag", "United States", "win32mydoom", "otx logo", "urls", "reverse dns", "cnc style", "cnc checkin", "style", "install cnc", "initial install", "activity", "win32mydoom sep", "worm", "win32mydoom oct", "win32getnow oct", "unknown ns", "search", "browser", "hijackers", "file format", "malwarerid", "majauskas", "google", "report", "once", "malicious", "malware", "overview ip", "address", "asn as46475", "nameservers", "related tags", "spf record", "tags", "domain", "name", "query time", "cyprus update", "united states", "browser hijacker", "install", "handle", "entity", "key identifier", "x509v3 subject", "host name", "data", "v3 serial", "number", "cus olet", "encrypt cnr12", "ttl value", "thumbprint", "enabled", "malvertising", "encoded_htm!", "new_domain", "suspicious_redirect", "proximity", "tracking_infrastructure", "passive dns", "http", "ip address", "related nids", "files location", "checkin worm", "mydoom checkin", "useragent", "checkin cnc", "acti cnc", "beac track", "failed\u0661\u0668", "data upload", "extraction", "winsoft", "checkin", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "javascript", "defense evasion", "spawns", "over", "mitre att", "show technique", "ck matrix", "ascii text", "body", "title", "encrypt", "refresh", "hybrid", "general", "local", "path", "click", "strings", "dynamicloader", "medium", "high", "et exploit", "write c", "default", "probe ms17010", "write", "copy", "pegasus related" ], "references": [ "coolwebsearch.info | browser hijacker, malware , malicious", "Winsoft.E Checkin 3 Trojan.Generic.KDV.91800 Checkin PUP Win32/GetNow.B", "Checkin Worm.Mydoom Checkin User-Agent (explwer) Win32/Fosniw MacTryCnt CnC Style", "Checkin Win32/Fosniw CnC Checkin Style 2 Win32/Adware.iBryte.BO", "CnC Activity W32/SpeedingUpMyPC.Rootkit Install", "CnC Beacon Win32/InstallCore Initial Install Activity 2", "track.aptitudemedia.co/redirect?target=BASE64aHR0cDovL3RyYWNrLmNxcXNmLmNvbS9hZmZfYz9vZmZlcl9pZD0zNDI3JmFmZl9pZD0yNDM4NyZzb3VyY2U9OTI0MzhmOTktOGM5Yi00ODBjLWJjN2ItZGRiYzc2NDRhMjI3JmFmZl9zdWI9d001T0gxUUtVNzk5MUJUS0hDUklMSjhL" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Win.Malware.Generickdz-9918324-0", "display_name": "Win.Malware.Generickdz-9918324-0", "target": null }, { "id": "Trojan:Win32/Mydoom", "display_name": "Trojan:Win32/Mydoom", "target": "/malware/Trojan:Win32/Mydoom" }, { "id": "ALF:HeraklezEval:PUA:Win32/InstallCore.R", "display_name": "ALF:HeraklezEval:PUA:Win32/InstallCore.R", "target": null }, { "id": "Win.Trojan.Generic-9909777-0", "display_name": "Win.Trojan.Generic-9909777-0", "target": null }, { "id": "Win.Malware.Installcore-9794583-0", "display_name": "Win.Malware.Installcore-9794583-0", "target": null }, { "id": "Ransom:Win32/WannaCrypt.H", "display_name": "Ransom:Win32/WannaCrypt.H", "target": "/malware/Ransom:Win32/WannaCrypt.H" }, { "id": "Win.Dropper.DarkKomet-9370806-0", "display_name": "Win.Dropper.DarkKomet-9370806-0", "target": null }, { "id": "Win.Malware.Generic-9963787-0", "display_name": "Win.Malware.Generic-9963787-0", "target": null }, { "id": "Win.Trojan.Generic-9909777-0 #LowFi:HSTR:OptimumInstaller", "display_name": "Win.Trojan.Generic-9909777-0 #LowFi:HSTR:OptimumInstaller", "target": null }, { "id": "Win.Malware.Mydoom-6804696-0\tWorm:Win32/Mydoom Win.Malware.Mydoom-6804696-0\tWorm:Win32/Mydoom Sep 18, 2023\t0d35f0736ce0f4d24c31ec3e940ffb1378d3151d7038a859819d2640cab30da1\t\t\t\t#LowFi:HSTR:OptimumInstal", "display_name": "Win.Malware.Mydoom-6804696-0\tWorm:Win32/Mydoom Win.Malware.Mydoom-6804696-0\tWorm:Win32/Mydoom Sep 18, 2023\t0d35f0736ce0f4d24c31ec3e940ffb1378d3151d7038a859819d2640cab30da1\t\t\t\t#LowFi:HSTR:OptimumInstal", "target": null }, { "id": "Tags", "display_name": "Tags", "target": null }, { "id": "Winsoft", "display_name": "Winsoft", "target": null }, { "id": "Checkin", "display_name": "Checkin", "target": null }, { "id": "CoolWebService", "display_name": "CoolWebService", "target": null } ], "attack_ids": [ { "id": "T1048", "name": "Exfiltration Over Alternative Protocol", "display_name": "T1048 - Exfiltration Over Alternative Protocol" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1048.003", "name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "display_name": "T1048.003 - Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" } ], "industries": [], "TLP": "white", "cloned_from": "69c41ac489f8cd00a59ef43e", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 1541, "URL": 2403, "domain": 328, "hostname": 593, "FileHash-MD5": 142, "FileHash-SHA1": 176, "FileHash-SHA256": 574, "email": 3, "SSLCertFingerprint": 10 }, "indicator_count": 5770, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "24 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69c41ac489f8cd00a59ef43e", "name": "CoolWebService -Browser Hijack | Affects DropBox and other services | Checkin", "description": "CoolWebService -Browser Hijack | Affects DropBox and other services | Checkin | Tracking \n| Search Engine Installer \n#pegasus_related", "modified": "2026-03-25T17:26:28.750000", "created": "2026-03-25T17:26:28.750000", "tags": [ "lowfi", "ransom", "trojan", "mtb oct", "win32", "kingwe", "files", "files ip", "all ipv4", "america flag", "United States", "win32mydoom", "otx logo", "urls", "reverse dns", "cnc style", "cnc checkin", "style", "install cnc", "initial install", "activity", "win32mydoom sep", "worm", "win32mydoom oct", "win32getnow oct", "unknown ns", "search", "browser", "hijackers", "file format", "malwarerid", "majauskas", "google", "report", "once", "malicious", "malware", "overview ip", "address", "asn as46475", "nameservers", "related tags", "spf record", "tags", "domain", "name", "query time", "cyprus update", "united states", "browser hijacker", "install", "handle", "entity", "key identifier", "x509v3 subject", "host name", "data", "v3 serial", "number", "cus olet", "encrypt cnr12", "ttl value", "thumbprint", "enabled", "malvertising", "encoded_htm!", "new_domain", "suspicious_redirect", "proximity", "tracking_infrastructure", "passive dns", "http", "ip address", "related nids", "files location", "checkin worm", "mydoom checkin", "useragent", "checkin cnc", "acti cnc", "beac track", "failed\u0661\u0668", "data upload", "extraction", "winsoft", "checkin", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "javascript", "defense evasion", "spawns", "over", "mitre att", "show technique", "ck matrix", "ascii text", "body", "title", "encrypt", "refresh", "hybrid", "general", "local", "path", "click", "strings", "dynamicloader", "medium", "high", "et exploit", "write c", "default", "probe ms17010", "write", "copy", "pegasus related" ], "references": [ "coolwebsearch.info | browser hijacker, malware , malicious", "Winsoft.E Checkin 3 Trojan.Generic.KDV.91800 Checkin PUP Win32/GetNow.B", "Checkin Worm.Mydoom Checkin User-Agent (explwer) Win32/Fosniw MacTryCnt CnC Style", "Checkin Win32/Fosniw CnC Checkin Style 2 Win32/Adware.iBryte.BO", "CnC Activity W32/SpeedingUpMyPC.Rootkit Install", "CnC Beacon Win32/InstallCore Initial Install Activity 2", "track.aptitudemedia.co/redirect?target=BASE64aHR0cDovL3RyYWNrLmNxcXNmLmNvbS9hZmZfYz9vZmZlcl9pZD0zNDI3JmFmZl9pZD0yNDM4NyZzb3VyY2U9OTI0MzhmOTktOGM5Yi00ODBjLWJjN2ItZGRiYzc2NDRhMjI3JmFmZl9zdWI9d001T0gxUUtVNzk5MUJUS0hDUklMSjhL" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Win.Malware.Generickdz-9918324-0", "display_name": "Win.Malware.Generickdz-9918324-0", "target": null }, { "id": "Trojan:Win32/Mydoom", "display_name": "Trojan:Win32/Mydoom", "target": "/malware/Trojan:Win32/Mydoom" }, { "id": "ALF:HeraklezEval:PUA:Win32/InstallCore.R", "display_name": "ALF:HeraklezEval:PUA:Win32/InstallCore.R", "target": null }, { "id": "Win.Trojan.Generic-9909777-0", "display_name": "Win.Trojan.Generic-9909777-0", "target": null }, { "id": "Win.Malware.Installcore-9794583-0", "display_name": "Win.Malware.Installcore-9794583-0", "target": null }, { "id": "Ransom:Win32/WannaCrypt.H", "display_name": "Ransom:Win32/WannaCrypt.H", "target": "/malware/Ransom:Win32/WannaCrypt.H" }, { "id": "Win.Dropper.DarkKomet-9370806-0", "display_name": "Win.Dropper.DarkKomet-9370806-0", "target": null }, { "id": "Win.Malware.Generic-9963787-0", "display_name": "Win.Malware.Generic-9963787-0", "target": null }, { "id": "Win.Trojan.Generic-9909777-0 #LowFi:HSTR:OptimumInstaller", "display_name": "Win.Trojan.Generic-9909777-0 #LowFi:HSTR:OptimumInstaller", "target": null }, { "id": "Win.Malware.Mydoom-6804696-0\tWorm:Win32/Mydoom Win.Malware.Mydoom-6804696-0\tWorm:Win32/Mydoom Sep 18, 2023\t0d35f0736ce0f4d24c31ec3e940ffb1378d3151d7038a859819d2640cab30da1\t\t\t\t#LowFi:HSTR:OptimumInstal", "display_name": "Win.Malware.Mydoom-6804696-0\tWorm:Win32/Mydoom Win.Malware.Mydoom-6804696-0\tWorm:Win32/Mydoom Sep 18, 2023\t0d35f0736ce0f4d24c31ec3e940ffb1378d3151d7038a859819d2640cab30da1\t\t\t\t#LowFi:HSTR:OptimumInstal", "target": null }, { "id": "Tags", "display_name": "Tags", "target": null }, { "id": "Winsoft", "display_name": "Winsoft", "target": null }, { "id": "Checkin", "display_name": "Checkin", "target": null }, { "id": "CoolWebService", "display_name": "CoolWebService", "target": null } ], "attack_ids": [ { "id": "T1048", "name": "Exfiltration Over Alternative Protocol", "display_name": "T1048 - Exfiltration Over Alternative Protocol" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1048.003", "name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "display_name": "T1048.003 - Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 1541, "URL": 2403, "domain": 328, "hostname": 593, "FileHash-MD5": 142, "FileHash-SHA1": 176, "FileHash-SHA256": 574, "email": 3, "SSLCertFingerprint": 10 }, "indicator_count": 5770, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "24 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "686d28ec9208b0424e0ccad2", "name": "Remote Keylogger | Foundry", "description": "Keylogger Remotely installed on all of targets devices. Up until\u2026 target had to purchase and return more than 50\ndevices minus service plans. Apple\nengineers have been involved many times. Mercenary attacks also confirmed: A kind phone store owner gave her a free phone that was hacked within seconds. \nUnless someone has been \u2018framing Palantir / Foundry Tech Mafia is portrayed a playing a significant involvement of SA victim potentially since day of coerced disclosure in 2013.\nThe first clue was a YouTube follower with a menacing name and picture began to follow, change login, network, dumped adult content, utilized web content scrapers,. stole\nPasswords,etc., Anyway .. Unruy & remotely installed keylogger. \n#foundry #apple #soc #keylogger \n\nThis is risky to say but very wrong to do. She was a multi generational (MGM) American.", "modified": "2025-09-19T03:02:22.742000", "created": "2025-07-08T14:19:24.211000", "tags": [ "delete", "msie", "windows nt", "wow64", "slcc2", "media center", "delete c", "intel", "write", "malware", "dynamicloader", "yara rule", "high", "vmware", "phishing", "remote", "keylogger", "remote keylogger", "type indicator", "related pulses", "no expiration", "url https", "showing", "reputation", "foundry", "apple", "downloader", "trojan" ], "references": [ "http://www.download-servers.com/SysInfo/Validate.exe||random.exe||/S||access your PC from anywhere!||Remote Access to your Home or Office PC remotely. Work on your PC from any internet computer or mobile. Access All files and transfer them between computers. Invite friends to view your LiveScreen and share presentations.||", "\u2022 engine.remote-keylogger.net \u2022 logout-superset2.remote-keylogger.net \u2022 mail.remote-keylogger.net", "\u2022 http://appleid.apple.com-cgi-bin-wets-myapleid.woa-wa-direct.yimucentral.com/apple/cgibin/confirm/processing/cmd=/95d9e0a26d38b5f248bb389e1a4d14c0/webobjects", "\u2022 199.59.243.226", "\u2022 ww25.vpn.steamcommunity-site.info", "\u2022 apple-mac.us \u2022 zpwi8.itunes-apple-jp.xyz \u2022 applefanatic.org \u2022 appleemailaccounts.com \u2022 http://appleemailaccounts.com/", "\u2022 zgcdfoundry.com \u2022 https://zgcdfoundry.com/", "\u2022 ww25.vpn.twitte5r.com | http://paypal-online.5flix.net/ | court-supreme.us", "\u2022 https://animal64u.com/bestiality-animal-porn/dog \u2022 \thttp://xxnxporntube.com", "\u2022 starbucksmobilepay.5flix.net | https://mobilemobster.com/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Unruy", "display_name": "Unruy", "target": null }, { "id": "Reputation.1", "display_name": "Reputation.1", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" } ], "industries": [ "Telecommunications", "Technology", "Media" ], "TLP": "white", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 260, "FileHash-SHA1": 244, "FileHash-SHA256": 4406, "URL": 9684, "domain": 3164, "hostname": 3370, "CVE": 1 }, "indicator_count": 21129, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "212 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6872f4c510c590b7cdc5ff6a", "name": "Crowdsourced Collection of PayPal Mafia Monster - Foundry\u2019s Palantair", "description": "Americans are investing in what Edward Snowden foretold of\u2026 your future from beginning to end will predict how you will be treated. Preemptively policing people even if you have to make up a past.. |\n\nThe New York Times\nMay 30, 2025 \u2014 The Trump administration has expanded Palantir's work with the government, spreading the company's technology \u2014 which could easily merge data on ...\nFormer Palantir workers condemn company's work with ...\n\nNPR\nMay 5, 2025 \u2014 Thirteen former employees of influential data-mining firm Palantir are condemning the company's work with the Trump administration.\nWyden AOC Palantir Letter 061725\n\nSenate Finance (.gov)\nJun 17, 2025 \u2014 The Trump Administration has spent taxpayer dollars on Palantir software at numerous other government agencies and paid it billions of dollars ...\n#foundry #rip #palantir #jeffreyreimerdpt #lawenforcement #twitter #tsarabrashearsblessed #apple #privacynow #fightforprivacy #sabey #hallrender", "modified": "2025-08-11T23:02:24.583000", "created": "2025-07-12T23:50:29.847000", "tags": [ "url https", "url http", "type indicator", "role title", "added active", "related pulses", "entries", "indicator role", "title added", "active related", "pulses", "enter source", "urior exirag", "diri type", "data upload", "extraction", "failed", "included iocs", "review iocs", "find sugge", "extr extract", "in data", "extract", "type", "u extractio", "extra", "review ic", "ipv4", "pulses hostname", "accountunlock", "united", "ireland", "canada", "brazil", "sweden", "australia", "search", "scan", "iocs", "learn more", "filehashsha1", "filehashmd5", "types of", "extra data", "included review", "china", "colombia", "filepath https", "enter sc", "extr data", "include review", "exclude sugges", "filehashsha256", "hostname", "dicators japan", "url tor", "extrac data", "ic excluded", "suggeste", "stop", "type no", "no entrie", "included", "review locc", "excluded data", "sc data", "extri data", "includec review", "exclude data", "suggested", "se extra", "suggest", "manaiv add", "indicator", "review lace", "extri", "find s", "typ no", "no entdi", "ous u", "dron aew", "avtrat", "extre data", "manually", "add indicator", "pulses url", "url url", "typ host", "host url", "include", "z6911541", "extraction fail", "enter souf", "s type", "ur extraction", "extraction data", "jul all", "pulse data", "report external", "review", "extre please", "se extraction", "report spam", "all t8", "firmip", "bofa", "wikileaks", "tmobile", "dish", "capture", "cookie", "enter s", "please sub", "include outroov", "excludel sugges", "extra please", "high priority", "alerts ids", "priority alerts", "cnc beacon", "winver", "digitalmistica", "november", "pulse", "palantir", "foundry twitter", "arkei stealer", "config", "install", "downloader", "cidr", "domain", "indicators hong", "kong", "ukraine", "status no", "object", "unruy", "http", "remote", "keylogger", "foundry created", "days ago", "white keylogger", "apple", "foundry tech", "mafia", "t1045", "packing", "t1060", "run keys", "startup", "folder", "t1457", "showing", "types", "indicators show", "dicator role", "tsara brashears", "tsara", "porn", "porn videos", "pornhub https", "searchtsar", "watch tsara", "most relevant", "open threat", "green", "love", "daily", "videos", "free porn", "hybrid analysis", "falcon sandbox", "top tsara", "brashears porn", "stream", "spice", "download", "hybrid", "njrat", "threat network", "https", "created", "years ago", "modified", "months ago", "tinynote", "douglas county", "co sheriff", "office", "pegasus attacks", "sa victim", "octoseek public", "white", "excludedocs", "sugges", "stop data", "tsara lynn", "brashears les", "lynn brashears", "translate", "pornhub page", "emotet", "se review", "typ url", "dom hos", "hostname data", "harmful", "octoseekpulse", "attacks sa", "bandit stealer", "flubot", "agent tesla", "qbot", "qakbot", "ursnif", "azorult", "djvu", "hacktool", "maze", "dark", "linux", "android10", "khtml", "costcpc", "userosandroid", "bannerid2738231", "india", "enter so", "please subr", "suggest data", "netherlands", "russia", "america malware", "families", "sc type", "please", "show", "url data", "fanec", "include failed", "review exclude", "extre", "includea", "exclude toosrou", "sugges data", "typ data", "information", "cobalt strike", "ransomexx", "quackbot", "comspec", "span", "idn1", "sendimage0", "refts0", "include data", "uny inuuue", "fileh fileh", "exclude suggest", "uniy", "type fileh", "extr please", "ineluderc\u0660", "review data", "excludedlocs" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1051", "name": "Shared Webroot", "display_name": "T1051 - Shared Webroot" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1080", "name": "Taint Shared Content", "display_name": "T1080 - Taint Shared Content" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1085", "name": "Rundll32", "display_name": "T1085 - Rundll32" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1123", "name": "Audio Capture", "display_name": "T1123 - Audio Capture" }, { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1506", "name": "Web Session Cookie", "display_name": "T1506 - Web Session Cookie" }, { "id": "T1512", "name": "Capture Camera", "display_name": "T1512 - Capture Camera" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1586", "name": "Compromise Accounts", "display_name": "T1586 - Compromise Accounts" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1035", "name": "Service Execution", "display_name": "T1035 - Service Execution" }, { "id": "T1065", "name": "Uncommonly Used Port", "display_name": "T1065 - Uncommonly Used Port" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 58, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 12679, "domain": 1134, "hostname": 3543, "FileHash-MD5": 251, "email": 7, "FileHash-SHA256": 1927, "FileHash-SHA1": 232, "CVE": 1, "CIDR": 1, "URI": 1 }, "indicator_count": 19776, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "250 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "Checkin Win32/Fosniw CnC Checkin Style 2 Win32/Adware.iBryte.BO", "coolwebsearch.info | browser hijacker, malware , malicious", "\u2022 http://appleid.apple.com-cgi-bin-wets-myapleid.woa-wa-direct.yimucentral.com/apple/cgibin/confirm/processing/cmd=/95d9e0a26d38b5f248bb389e1a4d14c0/webobjects", "\u2022 ww25.vpn.steamcommunity-site.info", "Winsoft.E Checkin 3 Trojan.Generic.KDV.91800 Checkin PUP Win32/GetNow.B", "\u2022 199.59.243.226", "\u2022 apple-mac.us \u2022 zpwi8.itunes-apple-jp.xyz \u2022 applefanatic.org \u2022 appleemailaccounts.com \u2022 http://appleemailaccounts.com/", "\u2022 https://animal64u.com/bestiality-animal-porn/dog \u2022 \thttp://xxnxporntube.com", "CnC Beacon Win32/InstallCore Initial Install Activity 2", "CnC Activity W32/SpeedingUpMyPC.Rootkit Install", "http://www.download-servers.com/SysInfo/Validate.exe||random.exe||/S||access your PC from anywhere!||Remote Access to your Home or Office PC remotely. Work on your PC from any internet computer or mobile. Access All files and transfer them between computers. Invite friends to view your LiveScreen and share presentations.||", "\u2022 ww25.vpn.twitte5r.com | http://paypal-online.5flix.net/ | court-supreme.us", "\u2022 starbucksmobilepay.5flix.net | https://mobilemobster.com/", "\u2022 zgcdfoundry.com \u2022 https://zgcdfoundry.com/", "\u2022 engine.remote-keylogger.net \u2022 logout-superset2.remote-keylogger.net \u2022 mail.remote-keylogger.net", "Checkin Worm.Mydoom Checkin User-Agent (explwer) Win32/Fosniw MacTryCnt CnC Style", "track.aptitudemedia.co/redirect?target=BASE64aHR0cDovL3RyYWNrLmNxcXNmLmNvbS9hZmZfYz9vZmZlcl9pZD0zNDI3JmFmZl9pZD0yNDM4NyZzb3VyY2U9OTI0MzhmOTktOGM5Yi00ODBjLWJjN2ItZGRiYzc2NDRhMjI3JmFmZl9zdWI9d001T0gxUUtVNzk5MUJUS0hDUklMSjhL" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Win.dropper.darkkomet-9370806-0", "Win.malware.mydoom-6804696-0\tworm:win32/mydoom win.malware.mydoom-6804696-0\tworm:win32/mydoom sep 18, 2023\t0d35f0736ce0f4d24c31ec3e940ffb1378d3151d7038a859819d2640cab30da1\t\t\t\t#lowfi:hstr:optimuminstal", "Win.malware.installcore-9794583-0", "Reputation.1", "Win.malware.generickdz-9918324-0", "Coolwebservice", "Unruy", "Alf:heraklezeval:pua:win32/installcore.r", "Win.malware.generic-9963787-0", "Win.trojan.generic-9909777-0 #lowfi:hstr:optimuminstaller", "Ransom:win32/wannacrypt.h", "Trojan:win32/mydoom", "Tags", "Checkin", "Win.trojan.generic-9909777-0", "Winsoft" ], "industries": [ "Technology", "Media", "Telecommunications" ], "unique_indicators": 39962 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/empoweresports.com", "whois": "http://whois.domaintools.com/empoweresports.com", "domain": "empoweresports.com", "hostname": "Unavailable" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 5, "pulses": [ { "id": "69c4281f5f232316375b225e", "name": "CoolWebSearch \u2022 Engine \u2022 Browser Hijack | Ransomware | Checkin | Tracking | Installer #pegasus_related", "description": "", "modified": "2026-03-25T18:23:27.601000", "created": "2026-03-25T18:23:27.601000", "tags": [ "lowfi", "ransom", "trojan", "mtb oct", "win32", "kingwe", "files", "files ip", "all ipv4", "america flag", "United States", "win32mydoom", "otx logo", "urls", "reverse dns", "cnc style", "cnc checkin", "style", "install cnc", "initial install", "activity", "win32mydoom sep", "worm", "win32mydoom oct", "win32getnow oct", "unknown ns", "search", "browser", "hijackers", "file format", "malwarerid", "majauskas", "google", "report", "once", "malicious", "malware", "overview ip", "address", "asn as46475", "nameservers", "related tags", "spf record", "tags", "domain", "name", "query time", "cyprus update", "united states", "browser hijacker", "install", "handle", "entity", "key identifier", "x509v3 subject", "host name", "data", "v3 serial", "number", "cus olet", "encrypt cnr12", "ttl value", "thumbprint", "enabled", "malvertising", "encoded_htm!", "new_domain", "suspicious_redirect", "proximity", "tracking_infrastructure", "passive dns", "http", "ip address", "related nids", "files location", "checkin worm", "mydoom checkin", "useragent", "checkin cnc", "acti cnc", "beac track", "failed\u0661\u0668", "data upload", "extraction", "winsoft", "checkin", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "javascript", "defense evasion", "spawns", "over", "mitre att", "show technique", "ck matrix", "ascii text", "body", "title", "encrypt", "refresh", "hybrid", "general", "local", "path", "click", "strings", "dynamicloader", "medium", "high", "et exploit", "write c", "default", "probe ms17010", "write", "copy", "pegasus related" ], "references": [ "coolwebsearch.info | browser hijacker, malware , malicious", "Winsoft.E Checkin 3 Trojan.Generic.KDV.91800 Checkin PUP Win32/GetNow.B", "Checkin Worm.Mydoom Checkin User-Agent (explwer) Win32/Fosniw MacTryCnt CnC Style", "Checkin Win32/Fosniw CnC Checkin Style 2 Win32/Adware.iBryte.BO", "CnC Activity W32/SpeedingUpMyPC.Rootkit Install", "CnC Beacon Win32/InstallCore Initial Install Activity 2", "track.aptitudemedia.co/redirect?target=BASE64aHR0cDovL3RyYWNrLmNxcXNmLmNvbS9hZmZfYz9vZmZlcl9pZD0zNDI3JmFmZl9pZD0yNDM4NyZzb3VyY2U9OTI0MzhmOTktOGM5Yi00ODBjLWJjN2ItZGRiYzc2NDRhMjI3JmFmZl9zdWI9d001T0gxUUtVNzk5MUJUS0hDUklMSjhL" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Win.Malware.Generickdz-9918324-0", "display_name": "Win.Malware.Generickdz-9918324-0", "target": null }, { "id": "Trojan:Win32/Mydoom", "display_name": "Trojan:Win32/Mydoom", "target": "/malware/Trojan:Win32/Mydoom" }, { "id": "ALF:HeraklezEval:PUA:Win32/InstallCore.R", "display_name": "ALF:HeraklezEval:PUA:Win32/InstallCore.R", "target": null }, { "id": "Win.Trojan.Generic-9909777-0", "display_name": "Win.Trojan.Generic-9909777-0", "target": null }, { "id": "Win.Malware.Installcore-9794583-0", "display_name": "Win.Malware.Installcore-9794583-0", "target": null }, { "id": "Ransom:Win32/WannaCrypt.H", "display_name": "Ransom:Win32/WannaCrypt.H", "target": "/malware/Ransom:Win32/WannaCrypt.H" }, { "id": "Win.Dropper.DarkKomet-9370806-0", "display_name": "Win.Dropper.DarkKomet-9370806-0", "target": null }, { "id": "Win.Malware.Generic-9963787-0", "display_name": "Win.Malware.Generic-9963787-0", "target": null }, { "id": "Win.Trojan.Generic-9909777-0 #LowFi:HSTR:OptimumInstaller", "display_name": "Win.Trojan.Generic-9909777-0 #LowFi:HSTR:OptimumInstaller", "target": null }, { "id": "Win.Malware.Mydoom-6804696-0\tWorm:Win32/Mydoom Win.Malware.Mydoom-6804696-0\tWorm:Win32/Mydoom Sep 18, 2023\t0d35f0736ce0f4d24c31ec3e940ffb1378d3151d7038a859819d2640cab30da1\t\t\t\t#LowFi:HSTR:OptimumInstal", "display_name": "Win.Malware.Mydoom-6804696-0\tWorm:Win32/Mydoom Win.Malware.Mydoom-6804696-0\tWorm:Win32/Mydoom Sep 18, 2023\t0d35f0736ce0f4d24c31ec3e940ffb1378d3151d7038a859819d2640cab30da1\t\t\t\t#LowFi:HSTR:OptimumInstal", "target": null }, { "id": "Tags", "display_name": "Tags", "target": null }, { "id": "Winsoft", "display_name": "Winsoft", "target": null }, { "id": "Checkin", "display_name": "Checkin", "target": null }, { "id": "CoolWebService", "display_name": "CoolWebService", "target": null } ], "attack_ids": [ { "id": "T1048", "name": "Exfiltration Over Alternative Protocol", "display_name": "T1048 - Exfiltration Over Alternative Protocol" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1048.003", "name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "display_name": "T1048.003 - Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" } ], "industries": [], "TLP": "white", "cloned_from": "69c425ecfef08de19b962774", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 1541, "URL": 2403, "domain": 328, "hostname": 593, "FileHash-MD5": 142, "FileHash-SHA1": 176, "FileHash-SHA256": 574, "email": 3, "SSLCertFingerprint": 10 }, "indicator_count": 5770, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "24 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69c425ecfef08de19b962774", "name": "CoolWebSearc \u2022 Engine -Browser Hijack | Affects DropBox + other services | Checkin | Tracking | Installer #pegasus_related", "description": "", "modified": "2026-03-25T18:14:04.398000", "created": "2026-03-25T18:14:04.398000", "tags": [ "lowfi", "ransom", "trojan", "mtb oct", "win32", "kingwe", "files", "files ip", "all ipv4", "america flag", "United States", "win32mydoom", "otx logo", "urls", "reverse dns", "cnc style", "cnc checkin", "style", "install cnc", "initial install", "activity", "win32mydoom sep", "worm", "win32mydoom oct", "win32getnow oct", "unknown ns", "search", "browser", "hijackers", "file format", "malwarerid", "majauskas", "google", "report", "once", "malicious", "malware", "overview ip", "address", "asn as46475", "nameservers", "related tags", "spf record", "tags", "domain", "name", "query time", "cyprus update", "united states", "browser hijacker", "install", "handle", "entity", "key identifier", "x509v3 subject", "host name", "data", "v3 serial", "number", "cus olet", "encrypt cnr12", "ttl value", "thumbprint", "enabled", "malvertising", "encoded_htm!", "new_domain", "suspicious_redirect", "proximity", "tracking_infrastructure", "passive dns", "http", "ip address", "related nids", "files location", "checkin worm", "mydoom checkin", "useragent", "checkin cnc", "acti cnc", "beac track", "failed\u0661\u0668", "data upload", "extraction", "winsoft", "checkin", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "javascript", "defense evasion", "spawns", "over", "mitre att", "show technique", "ck matrix", "ascii text", "body", "title", "encrypt", "refresh", "hybrid", "general", "local", "path", "click", "strings", "dynamicloader", "medium", "high", "et exploit", "write c", "default", "probe ms17010", "write", "copy", "pegasus related" ], "references": [ "coolwebsearch.info | browser hijacker, malware , malicious", "Winsoft.E Checkin 3 Trojan.Generic.KDV.91800 Checkin PUP Win32/GetNow.B", "Checkin Worm.Mydoom Checkin User-Agent (explwer) Win32/Fosniw MacTryCnt CnC Style", "Checkin Win32/Fosniw CnC Checkin Style 2 Win32/Adware.iBryte.BO", "CnC Activity W32/SpeedingUpMyPC.Rootkit Install", "CnC Beacon Win32/InstallCore Initial Install Activity 2", "track.aptitudemedia.co/redirect?target=BASE64aHR0cDovL3RyYWNrLmNxcXNmLmNvbS9hZmZfYz9vZmZlcl9pZD0zNDI3JmFmZl9pZD0yNDM4NyZzb3VyY2U9OTI0MzhmOTktOGM5Yi00ODBjLWJjN2ItZGRiYzc2NDRhMjI3JmFmZl9zdWI9d001T0gxUUtVNzk5MUJUS0hDUklMSjhL" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Win.Malware.Generickdz-9918324-0", "display_name": "Win.Malware.Generickdz-9918324-0", "target": null }, { "id": "Trojan:Win32/Mydoom", "display_name": "Trojan:Win32/Mydoom", "target": "/malware/Trojan:Win32/Mydoom" }, { "id": "ALF:HeraklezEval:PUA:Win32/InstallCore.R", "display_name": "ALF:HeraklezEval:PUA:Win32/InstallCore.R", "target": null }, { "id": "Win.Trojan.Generic-9909777-0", "display_name": "Win.Trojan.Generic-9909777-0", "target": null }, { "id": "Win.Malware.Installcore-9794583-0", "display_name": "Win.Malware.Installcore-9794583-0", "target": null }, { "id": "Ransom:Win32/WannaCrypt.H", "display_name": "Ransom:Win32/WannaCrypt.H", "target": "/malware/Ransom:Win32/WannaCrypt.H" }, { "id": "Win.Dropper.DarkKomet-9370806-0", "display_name": "Win.Dropper.DarkKomet-9370806-0", "target": null }, { "id": "Win.Malware.Generic-9963787-0", "display_name": "Win.Malware.Generic-9963787-0", "target": null }, { "id": "Win.Trojan.Generic-9909777-0 #LowFi:HSTR:OptimumInstaller", "display_name": "Win.Trojan.Generic-9909777-0 #LowFi:HSTR:OptimumInstaller", "target": null }, { "id": "Win.Malware.Mydoom-6804696-0\tWorm:Win32/Mydoom Win.Malware.Mydoom-6804696-0\tWorm:Win32/Mydoom Sep 18, 2023\t0d35f0736ce0f4d24c31ec3e940ffb1378d3151d7038a859819d2640cab30da1\t\t\t\t#LowFi:HSTR:OptimumInstal", "display_name": "Win.Malware.Mydoom-6804696-0\tWorm:Win32/Mydoom Win.Malware.Mydoom-6804696-0\tWorm:Win32/Mydoom Sep 18, 2023\t0d35f0736ce0f4d24c31ec3e940ffb1378d3151d7038a859819d2640cab30da1\t\t\t\t#LowFi:HSTR:OptimumInstal", "target": null }, { "id": "Tags", "display_name": "Tags", "target": null }, { "id": "Winsoft", "display_name": "Winsoft", "target": null }, { "id": "Checkin", "display_name": "Checkin", "target": null }, { "id": "CoolWebService", "display_name": "CoolWebService", "target": null } ], "attack_ids": [ { "id": "T1048", "name": "Exfiltration Over Alternative Protocol", "display_name": "T1048 - Exfiltration Over Alternative Protocol" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1048.003", "name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "display_name": "T1048.003 - Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" } ], "industries": [], "TLP": "white", "cloned_from": "69c41ac489f8cd00a59ef43e", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 1541, "URL": 2403, "domain": 328, "hostname": 593, "FileHash-MD5": 142, "FileHash-SHA1": 176, "FileHash-SHA256": 574, "email": 3, "SSLCertFingerprint": 10 }, "indicator_count": 5770, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "24 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69c41ac489f8cd00a59ef43e", "name": "CoolWebService -Browser Hijack | Affects DropBox and other services | Checkin", "description": "CoolWebService -Browser Hijack | Affects DropBox and other services | Checkin | Tracking \n| Search Engine Installer \n#pegasus_related", "modified": "2026-03-25T17:26:28.750000", "created": "2026-03-25T17:26:28.750000", "tags": [ "lowfi", "ransom", "trojan", "mtb oct", "win32", "kingwe", "files", "files ip", "all ipv4", "america flag", "United States", "win32mydoom", "otx logo", "urls", "reverse dns", "cnc style", "cnc checkin", "style", "install cnc", "initial install", "activity", "win32mydoom sep", "worm", "win32mydoom oct", "win32getnow oct", "unknown ns", "search", "browser", "hijackers", "file format", "malwarerid", "majauskas", "google", "report", "once", "malicious", "malware", "overview ip", "address", "asn as46475", "nameservers", "related tags", "spf record", "tags", "domain", "name", "query time", "cyprus update", "united states", "browser hijacker", "install", "handle", "entity", "key identifier", "x509v3 subject", "host name", "data", "v3 serial", "number", "cus olet", "encrypt cnr12", "ttl value", "thumbprint", "enabled", "malvertising", "encoded_htm!", "new_domain", "suspicious_redirect", "proximity", "tracking_infrastructure", "passive dns", "http", "ip address", "related nids", "files location", "checkin worm", "mydoom checkin", "useragent", "checkin cnc", "acti cnc", "beac track", "failed\u0661\u0668", "data upload", "extraction", "winsoft", "checkin", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "javascript", "defense evasion", "spawns", "over", "mitre att", "show technique", "ck matrix", "ascii text", "body", "title", "encrypt", "refresh", "hybrid", "general", "local", "path", "click", "strings", "dynamicloader", "medium", "high", "et exploit", "write c", "default", "probe ms17010", "write", "copy", "pegasus related" ], "references": [ "coolwebsearch.info | browser hijacker, malware , malicious", "Winsoft.E Checkin 3 Trojan.Generic.KDV.91800 Checkin PUP Win32/GetNow.B", "Checkin Worm.Mydoom Checkin User-Agent (explwer) Win32/Fosniw MacTryCnt CnC Style", "Checkin Win32/Fosniw CnC Checkin Style 2 Win32/Adware.iBryte.BO", "CnC Activity W32/SpeedingUpMyPC.Rootkit Install", "CnC Beacon Win32/InstallCore Initial Install Activity 2", "track.aptitudemedia.co/redirect?target=BASE64aHR0cDovL3RyYWNrLmNxcXNmLmNvbS9hZmZfYz9vZmZlcl9pZD0zNDI3JmFmZl9pZD0yNDM4NyZzb3VyY2U9OTI0MzhmOTktOGM5Yi00ODBjLWJjN2ItZGRiYzc2NDRhMjI3JmFmZl9zdWI9d001T0gxUUtVNzk5MUJUS0hDUklMSjhL" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Win.Malware.Generickdz-9918324-0", "display_name": "Win.Malware.Generickdz-9918324-0", "target": null }, { "id": "Trojan:Win32/Mydoom", "display_name": "Trojan:Win32/Mydoom", "target": "/malware/Trojan:Win32/Mydoom" }, { "id": "ALF:HeraklezEval:PUA:Win32/InstallCore.R", "display_name": "ALF:HeraklezEval:PUA:Win32/InstallCore.R", "target": null }, { "id": "Win.Trojan.Generic-9909777-0", "display_name": "Win.Trojan.Generic-9909777-0", "target": null }, { "id": "Win.Malware.Installcore-9794583-0", "display_name": "Win.Malware.Installcore-9794583-0", "target": null }, { "id": "Ransom:Win32/WannaCrypt.H", "display_name": "Ransom:Win32/WannaCrypt.H", "target": "/malware/Ransom:Win32/WannaCrypt.H" }, { "id": "Win.Dropper.DarkKomet-9370806-0", "display_name": "Win.Dropper.DarkKomet-9370806-0", "target": null }, { "id": "Win.Malware.Generic-9963787-0", "display_name": "Win.Malware.Generic-9963787-0", "target": null }, { "id": "Win.Trojan.Generic-9909777-0 #LowFi:HSTR:OptimumInstaller", "display_name": "Win.Trojan.Generic-9909777-0 #LowFi:HSTR:OptimumInstaller", "target": null }, { "id": "Win.Malware.Mydoom-6804696-0\tWorm:Win32/Mydoom Win.Malware.Mydoom-6804696-0\tWorm:Win32/Mydoom Sep 18, 2023\t0d35f0736ce0f4d24c31ec3e940ffb1378d3151d7038a859819d2640cab30da1\t\t\t\t#LowFi:HSTR:OptimumInstal", "display_name": "Win.Malware.Mydoom-6804696-0\tWorm:Win32/Mydoom Win.Malware.Mydoom-6804696-0\tWorm:Win32/Mydoom Sep 18, 2023\t0d35f0736ce0f4d24c31ec3e940ffb1378d3151d7038a859819d2640cab30da1\t\t\t\t#LowFi:HSTR:OptimumInstal", "target": null }, { "id": "Tags", "display_name": "Tags", "target": null }, { "id": "Winsoft", "display_name": "Winsoft", "target": null }, { "id": "Checkin", "display_name": "Checkin", "target": null }, { "id": "CoolWebService", "display_name": "CoolWebService", "target": null } ], "attack_ids": [ { "id": "T1048", "name": "Exfiltration Over Alternative Protocol", "display_name": "T1048 - Exfiltration Over Alternative Protocol" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1048.003", "name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", "display_name": "T1048.003 - Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 1541, "URL": 2403, "domain": 328, "hostname": 593, "FileHash-MD5": 142, "FileHash-SHA1": 176, "FileHash-SHA256": 574, "email": 3, "SSLCertFingerprint": 10 }, "indicator_count": 5770, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "24 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "686d28ec9208b0424e0ccad2", "name": "Remote Keylogger | Foundry", "description": "Keylogger Remotely installed on all of targets devices. Up until\u2026 target had to purchase and return more than 50\ndevices minus service plans. Apple\nengineers have been involved many times. Mercenary attacks also confirmed: A kind phone store owner gave her a free phone that was hacked within seconds. \nUnless someone has been \u2018framing Palantir / Foundry Tech Mafia is portrayed a playing a significant involvement of SA victim potentially since day of coerced disclosure in 2013.\nThe first clue was a YouTube follower with a menacing name and picture began to follow, change login, network, dumped adult content, utilized web content scrapers,. stole\nPasswords,etc., Anyway .. Unruy & remotely installed keylogger. \n#foundry #apple #soc #keylogger \n\nThis is risky to say but very wrong to do. She was a multi generational (MGM) American.", "modified": "2025-09-19T03:02:22.742000", "created": "2025-07-08T14:19:24.211000", "tags": [ "delete", "msie", "windows nt", "wow64", "slcc2", "media center", "delete c", "intel", "write", "malware", "dynamicloader", "yara rule", "high", "vmware", "phishing", "remote", "keylogger", "remote keylogger", "type indicator", "related pulses", "no expiration", "url https", "showing", "reputation", "foundry", "apple", "downloader", "trojan" ], "references": [ "http://www.download-servers.com/SysInfo/Validate.exe||random.exe||/S||access your PC from anywhere!||Remote Access to your Home or Office PC remotely. Work on your PC from any internet computer or mobile. Access All files and transfer them between computers. Invite friends to view your LiveScreen and share presentations.||", "\u2022 engine.remote-keylogger.net \u2022 logout-superset2.remote-keylogger.net \u2022 mail.remote-keylogger.net", "\u2022 http://appleid.apple.com-cgi-bin-wets-myapleid.woa-wa-direct.yimucentral.com/apple/cgibin/confirm/processing/cmd=/95d9e0a26d38b5f248bb389e1a4d14c0/webobjects", "\u2022 199.59.243.226", "\u2022 ww25.vpn.steamcommunity-site.info", "\u2022 apple-mac.us \u2022 zpwi8.itunes-apple-jp.xyz \u2022 applefanatic.org \u2022 appleemailaccounts.com \u2022 http://appleemailaccounts.com/", "\u2022 zgcdfoundry.com \u2022 https://zgcdfoundry.com/", "\u2022 ww25.vpn.twitte5r.com | http://paypal-online.5flix.net/ | court-supreme.us", "\u2022 https://animal64u.com/bestiality-animal-porn/dog \u2022 \thttp://xxnxporntube.com", "\u2022 starbucksmobilepay.5flix.net | https://mobilemobster.com/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Unruy", "display_name": "Unruy", "target": null }, { "id": "Reputation.1", "display_name": "Reputation.1", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1110.002", "name": "Password Cracking", "display_name": "T1110.002 - Password Cracking" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" } ], "industries": [ "Telecommunications", "Technology", "Media" ], "TLP": "white", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 260, "FileHash-SHA1": 244, "FileHash-SHA256": 4406, "URL": 9684, "domain": 3164, "hostname": 3370, "CVE": 1 }, "indicator_count": 21129, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "212 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6872f4c510c590b7cdc5ff6a", "name": "Crowdsourced Collection of PayPal Mafia Monster - Foundry\u2019s Palantair", "description": "Americans are investing in what Edward Snowden foretold of\u2026 your future from beginning to end will predict how you will be treated. Preemptively policing people even if you have to make up a past.. |\n\nThe New York Times\nMay 30, 2025 \u2014 The Trump administration has expanded Palantir's work with the government, spreading the company's technology \u2014 which could easily merge data on ...\nFormer Palantir workers condemn company's work with ...\n\nNPR\nMay 5, 2025 \u2014 Thirteen former employees of influential data-mining firm Palantir are condemning the company's work with the Trump administration.\nWyden AOC Palantir Letter 061725\n\nSenate Finance (.gov)\nJun 17, 2025 \u2014 The Trump Administration has spent taxpayer dollars on Palantir software at numerous other government agencies and paid it billions of dollars ...\n#foundry #rip #palantir #jeffreyreimerdpt #lawenforcement #twitter #tsarabrashearsblessed #apple #privacynow #fightforprivacy #sabey #hallrender", "modified": "2025-08-11T23:02:24.583000", "created": "2025-07-12T23:50:29.847000", "tags": [ "url https", "url http", "type indicator", "role title", "added active", "related pulses", "entries", "indicator role", "title added", "active related", "pulses", "enter source", "urior exirag", "diri type", "data upload", "extraction", "failed", "included iocs", "review iocs", "find sugge", "extr extract", "in data", "extract", "type", "u extractio", "extra", "review ic", "ipv4", "pulses hostname", "accountunlock", "united", "ireland", "canada", "brazil", "sweden", "australia", "search", "scan", "iocs", "learn more", "filehashsha1", "filehashmd5", "types of", "extra data", "included review", "china", "colombia", "filepath https", "enter sc", "extr data", "include review", "exclude sugges", "filehashsha256", "hostname", "dicators japan", "url tor", "extrac data", "ic excluded", "suggeste", "stop", "type no", "no entrie", "included", "review locc", "excluded data", "sc data", "extri data", "includec review", "exclude data", "suggested", "se extra", "suggest", "manaiv add", "indicator", "review lace", "extri", "find s", "typ no", "no entdi", "ous u", "dron aew", "avtrat", "extre data", "manually", "add indicator", "pulses url", "url url", "typ host", "host url", "include", "z6911541", "extraction fail", "enter souf", "s type", "ur extraction", "extraction data", "jul all", "pulse data", "report external", "review", "extre please", "se extraction", "report spam", "all t8", "firmip", "bofa", "wikileaks", "tmobile", "dish", "capture", "cookie", "enter s", "please sub", "include outroov", "excludel sugges", "extra please", "high priority", "alerts ids", "priority alerts", "cnc beacon", "winver", "digitalmistica", "november", "pulse", "palantir", "foundry twitter", "arkei stealer", "config", "install", "downloader", "cidr", "domain", "indicators hong", "kong", "ukraine", "status no", "object", "unruy", "http", "remote", "keylogger", "foundry created", "days ago", "white keylogger", "apple", "foundry tech", "mafia", "t1045", "packing", "t1060", "run keys", "startup", "folder", "t1457", "showing", "types", "indicators show", "dicator role", "tsara brashears", "tsara", "porn", "porn videos", "pornhub https", "searchtsar", "watch tsara", "most relevant", "open threat", "green", "love", "daily", "videos", "free porn", "hybrid analysis", "falcon sandbox", "top tsara", "brashears porn", "stream", "spice", "download", "hybrid", "njrat", "threat network", "https", "created", "years ago", "modified", "months ago", "tinynote", "douglas county", "co sheriff", "office", "pegasus attacks", "sa victim", "octoseek public", "white", "excludedocs", "sugges", "stop data", "tsara lynn", "brashears les", "lynn brashears", "translate", "pornhub page", "emotet", "se review", "typ url", "dom hos", "hostname data", "harmful", "octoseekpulse", "attacks sa", "bandit stealer", "flubot", "agent tesla", "qbot", "qakbot", "ursnif", "azorult", "djvu", "hacktool", "maze", "dark", "linux", "android10", "khtml", "costcpc", "userosandroid", "bannerid2738231", "india", "enter so", "please subr", "suggest data", "netherlands", "russia", "america malware", "families", "sc type", "please", "show", "url data", "fanec", "include failed", "review exclude", "extre", "includea", "exclude toosrou", "sugges data", "typ data", "information", "cobalt strike", "ransomexx", "quackbot", "comspec", "span", "idn1", "sendimage0", "refts0", "include data", "uny inuuue", "fileh fileh", "exclude suggest", "uniy", "type fileh", "extr please", "ineluderc\u0660", "review data", "excludedlocs" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1051", "name": "Shared Webroot", "display_name": "T1051 - Shared Webroot" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1080", "name": "Taint Shared Content", "display_name": "T1080 - Taint Shared Content" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1085", "name": "Rundll32", "display_name": "T1085 - Rundll32" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1123", "name": "Audio Capture", "display_name": "T1123 - Audio Capture" }, { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1506", "name": "Web Session Cookie", "display_name": "T1506 - Web Session Cookie" }, { "id": "T1512", "name": "Capture Camera", "display_name": "T1512 - Capture Camera" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1586", "name": "Compromise Accounts", "display_name": "T1586 - Compromise Accounts" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1035", "name": "Service Execution", "display_name": "T1035 - Service Execution" }, { "id": "T1065", "name": "Uncommonly Used Port", "display_name": "T1065 - Uncommonly Used Port" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 58, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 12679, "domain": 1134, "hostname": 3543, "FileHash-MD5": 251, "email": 7, "FileHash-SHA256": 1927, "FileHash-SHA1": 232, "CVE": 1, "CIDR": 1, "URI": 1 }, "indicator_count": 19776, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "250 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://empoweresports.com/sql", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://empoweresports.com/sql", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776613591.5097384 }