{ "type": "URL", "indicator": "https://forest-offensive-height-letters.trycloudflare.com/12341234", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://forest-offensive-height-letters.trycloudflare.com/12341234", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4057883836, "indicator": "https://forest-offensive-height-letters.trycloudflare.com/12341234", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 5, "pulses": [ { "id": "67ffb7eba715b936a2c4c2a8", "name": "Interlock ransomware evolving under the radar", "description": "The Interlock ransomware group, active since September 2024, has shown adaptability and innovation in its tactics despite a relatively low victim count. They employ fake browser updates and the ClickFix technique for initial access, followed by a multi-stage attack chain involving PowerShell backdoors, credential stealers, and a custom Remote Access Trojan. The group targets various sectors across North America and Europe, conducting Big Game Hunting and double extortion campaigns. Interlock has been observed improving their tools, including evolving their PowerShell backdoor and modifying their ransom notes to emphasize legal repercussions. The group's focus on maintaining relevance while avoiding large-scale visibility suggests a strategic approach to their operations.", "modified": "2025-11-06T10:53:56.867000", "created": "2025-04-16T14:00:11.178000", "tags": [ "berserkstealer", "clickfix", "interlock rat", "double extortion", "ransomware", "remote access trojan", "interlock ransomware", "credential stealer", "fake updaters", "powershell backdoor", "lumma" ], "references": [ "https://blog.sekoia.io/interlock-ransomware-evolving-under-the-radar" ], "public": 1, "adversary": "Interlock", "targeted_countries": [], "malware_families": [ { "id": "Interlock RAT", "display_name": "Interlock RAT", "target": null }, { "id": "LummaStealer", "display_name": "LummaStealer", "target": null }, { "id": "BerserkStealer", "display_name": "BerserkStealer", "target": null }, { "id": "Interlock ransomware", "display_name": "Interlock ransomware", "target": null } ], "attack_ids": [ { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1489", "name": "Service Stop", "display_name": "T1489 - Service Stop" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1573.001", "name": "Symmetric Cryptography", "display_name": "T1573.001 - Symmetric Cryptography" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" }, { "id": "T1490", "name": "Inhibit System Recovery", "display_name": "T1490 - Inhibit System Recovery" } ], "industries": [ "Education", "Healthcare" ], "TLP": "white", "cloned_from": null, "export_count": 71, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 32, "FileHash-SHA1": 37, "FileHash-SHA256": 70, "URL": 22, "domain": 5, "hostname": 35 }, "indicator_count": 201, "is_author": false, "is_subscribing": null, "subscriber_count": 386484, "modified_text": "205 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6889ff2cfa6a2c08cb85336a", "name": "EbeeJuly2025 Pt2", "description": "IOCs of multiple threaats observed and collected in July 2025", "modified": "2025-08-29T10:02:20.542000", "created": "2025-07-30T11:17:00.302000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 65, "FileHash-MD5": 177, "FileHash-SHA1": 132, "FileHash-SHA256": 216, "domain": 136, "email": 1, "hostname": 101 }, "indicator_count": 828, "is_author": false, "is_subscribing": null, "subscriber_count": 39, "modified_text": "274 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6889ebeb317457163ab8fa42", "name": "Emmenhtal loader", "description": "Campaigns that used Emmenhtal to deliver various payloads", "modified": "2025-08-29T09:03:58.967000", "created": "2025-07-30T09:54:51.943000", "tags": [], "references": [ "Emmenhtal.pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 27, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 395, "BitcoinAddress": 1, "CVE": 6, "FileHash-MD5": 240, "FileHash-SHA1": 123, "FileHash-SHA256": 392, "domain": 182, "email": 1, "hostname": 181 }, "indicator_count": 1521, "is_author": false, "is_subscribing": null, "subscriber_count": 42, "modified_text": "274 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "688b0dde98e8d32361238f0f", "name": "Emmenhtal Loader Campaign deliver various payloads [IMEBEEIMFINE]", "description": "", "modified": "2025-08-29T09:03:58.967000", "created": "2025-07-31T06:31:58.326000", "tags": [], "references": [ "Emmenhtal.pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "6889ebeb317457163ab8fa42", "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 395, "BitcoinAddress": 1, "CVE": 6, "FileHash-MD5": 240, "FileHash-SHA1": 123, "FileHash-SHA256": 392, "domain": 182, "email": 1, "hostname": 181 }, "indicator_count": 1521, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "274 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6800cd88a905c048a110ef0f", "name": "Interlock ransomware evolving under the radar - Sekoia.io Blog", "description": "Interlock ransomware is a multi-stage cyber-attack that targets victims who are not aware of the threat, according to a report by Sekoia Threat Detection & Research (TDR) and its researchers.", "modified": "2025-05-17T09:05:14.615000", "created": "2025-04-17T09:44:40.591000", "tags": [ "interlock", "cluster", "powershell", "february", "january", "windows", "october", "september", "detection", "clickfix", "ransom", "clop", "ransomhub", "akira", "babuk", "lynx", "qilin", "later", "anydesk", "contact", "media", "anomaly", "linux", "rhysida", "remote access" ], "references": [ "https://blog.sekoia.io/interlock-ransomware-evolving-under-the-radar/" ], "public": 1, "adversary": "Interlock", "targeted_countries": [], "malware_families": [ { "id": "Akira", "display_name": "Akira", "target": null }, { "id": "Linux", "display_name": "Linux", "target": null }, { "id": "Rhysida", "display_name": "Rhysida", "target": null }, { "id": "Remote Access", "display_name": "Remote Access", "target": null }, { "id": "Windows", "display_name": "Windows", "target": null }, { "id": "Interlock", "display_name": "Interlock", "target": null } ], "attack_ids": [ { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 23, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "murgif105", "id": "292958", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 9, "FileHash-MD5": 69, "FileHash-SHA1": 69, "FileHash-SHA256": 70, "URL": 27, "YARA": 5, "hostname": 35 }, "indicator_count": 284, "is_author": false, "is_subscribing": null, "subscriber_count": 21, "modified_text": "378 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://blog.sekoia.io/interlock-ransomware-evolving-under-the-radar", "https://blog.sekoia.io/interlock-ransomware-evolving-under-the-radar/", "Emmenhtal.pdf" ], "related": { "alienvault": { "adversary": [ "Interlock" ], "malware_families": [ "Interlock rat", "Berserkstealer", "Interlock ransomware", "Lummastealer" ], "industries": [ "Healthcare", "Education" ], "unique_indicators": 212 }, "other": { "adversary": [ "Interlock" ], "malware_families": [ "Remote access", "Akira", "Linux", "Interlock", "Rhysida", "Windows" ], "industries": [], "unique_indicators": 2364 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/trycloudflare.com", "whois": "http://whois.domaintools.com/trycloudflare.com", "domain": "trycloudflare.com", "hostname": "forest-offensive-height-letters.trycloudflare.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 5, "pulses": [ { "id": "67ffb7eba715b936a2c4c2a8", "name": "Interlock ransomware evolving under the radar", "description": "The Interlock ransomware group, active since September 2024, has shown adaptability and innovation in its tactics despite a relatively low victim count. They employ fake browser updates and the ClickFix technique for initial access, followed by a multi-stage attack chain involving PowerShell backdoors, credential stealers, and a custom Remote Access Trojan. The group targets various sectors across North America and Europe, conducting Big Game Hunting and double extortion campaigns. Interlock has been observed improving their tools, including evolving their PowerShell backdoor and modifying their ransom notes to emphasize legal repercussions. The group's focus on maintaining relevance while avoiding large-scale visibility suggests a strategic approach to their operations.", "modified": "2025-11-06T10:53:56.867000", "created": "2025-04-16T14:00:11.178000", "tags": [ "berserkstealer", "clickfix", "interlock rat", "double extortion", "ransomware", "remote access trojan", "interlock ransomware", "credential stealer", "fake updaters", "powershell backdoor", "lumma" ], "references": [ "https://blog.sekoia.io/interlock-ransomware-evolving-under-the-radar" ], "public": 1, "adversary": "Interlock", "targeted_countries": [], "malware_families": [ { "id": "Interlock RAT", "display_name": "Interlock RAT", "target": null }, { "id": "LummaStealer", "display_name": "LummaStealer", "target": null }, { "id": "BerserkStealer", "display_name": "BerserkStealer", "target": null }, { "id": "Interlock ransomware", "display_name": "Interlock ransomware", "target": null } ], "attack_ids": [ { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1489", "name": "Service Stop", "display_name": "T1489 - Service Stop" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1573.001", "name": "Symmetric Cryptography", "display_name": "T1573.001 - Symmetric Cryptography" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" }, { "id": "T1490", "name": "Inhibit System Recovery", "display_name": "T1490 - Inhibit System Recovery" } ], "industries": [ "Education", "Healthcare" ], "TLP": "white", "cloned_from": null, "export_count": 71, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 32, "FileHash-SHA1": 37, "FileHash-SHA256": 70, "URL": 22, "domain": 5, "hostname": 35 }, "indicator_count": 201, "is_author": false, "is_subscribing": null, "subscriber_count": 386484, "modified_text": "205 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6889ff2cfa6a2c08cb85336a", "name": "EbeeJuly2025 Pt2", "description": "IOCs of multiple threaats observed and collected in July 2025", "modified": "2025-08-29T10:02:20.542000", "created": "2025-07-30T11:17:00.302000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 65, "FileHash-MD5": 177, "FileHash-SHA1": 132, "FileHash-SHA256": 216, "domain": 136, "email": 1, "hostname": 101 }, "indicator_count": 828, "is_author": false, "is_subscribing": null, "subscriber_count": 39, "modified_text": "274 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6889ebeb317457163ab8fa42", "name": "Emmenhtal loader", "description": "Campaigns that used Emmenhtal to deliver various payloads", "modified": "2025-08-29T09:03:58.967000", "created": "2025-07-30T09:54:51.943000", "tags": [], "references": [ "Emmenhtal.pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 27, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 395, "BitcoinAddress": 1, "CVE": 6, "FileHash-MD5": 240, "FileHash-SHA1": 123, "FileHash-SHA256": 392, "domain": 182, "email": 1, "hostname": 181 }, "indicator_count": 1521, "is_author": false, "is_subscribing": null, "subscriber_count": 42, "modified_text": "274 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "688b0dde98e8d32361238f0f", "name": "Emmenhtal Loader Campaign deliver various payloads [IMEBEEIMFINE]", "description": "", "modified": "2025-08-29T09:03:58.967000", "created": "2025-07-31T06:31:58.326000", "tags": [], "references": [ "Emmenhtal.pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "6889ebeb317457163ab8fa42", "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 395, "BitcoinAddress": 1, "CVE": 6, "FileHash-MD5": 240, "FileHash-SHA1": 123, "FileHash-SHA256": 392, "domain": 182, "email": 1, "hostname": 181 }, "indicator_count": 1521, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "274 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6800cd88a905c048a110ef0f", "name": "Interlock ransomware evolving under the radar - Sekoia.io Blog", "description": "Interlock ransomware is a multi-stage cyber-attack that targets victims who are not aware of the threat, according to a report by Sekoia Threat Detection & Research (TDR) and its researchers.", "modified": "2025-05-17T09:05:14.615000", "created": "2025-04-17T09:44:40.591000", "tags": [ "interlock", "cluster", "powershell", "february", "january", "windows", "october", "september", "detection", "clickfix", "ransom", "clop", "ransomhub", "akira", "babuk", "lynx", "qilin", "later", "anydesk", "contact", "media", "anomaly", "linux", "rhysida", "remote access" ], "references": [ "https://blog.sekoia.io/interlock-ransomware-evolving-under-the-radar/" ], "public": 1, "adversary": "Interlock", "targeted_countries": [], "malware_families": [ { "id": "Akira", "display_name": "Akira", "target": null }, { "id": "Linux", "display_name": "Linux", "target": null }, { "id": "Rhysida", "display_name": "Rhysida", "target": null }, { "id": "Remote Access", "display_name": "Remote Access", "target": null }, { "id": "Windows", "display_name": "Windows", "target": null }, { "id": "Interlock", "display_name": "Interlock", "target": null } ], "attack_ids": [ { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 23, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "murgif105", "id": "292958", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 9, "FileHash-MD5": 69, "FileHash-SHA1": 69, "FileHash-SHA256": 70, "URL": 27, "YARA": 5, "hostname": 35 }, "indicator_count": 284, "is_author": false, "is_subscribing": null, "subscriber_count": 21, "modified_text": "378 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://forest-offensive-height-letters.trycloudflare.com/12341234", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://forest-offensive-height-letters.trycloudflare.com/12341234", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780205073.1277804 }