{
  "type": "URL",
  "indicator": "https://form.jotform.com",
  "general": {
    "sections": [
      "general",
      "url_list",
      "http_scans",
      "screenshot"
    ],
    "indicator": "https://form.jotform.com",
    "type": "url",
    "type_title": "URL",
    "validation": [
      {
        "source": "alexa",
        "message": "Alexa rank: #489",
        "name": "Listed on Alexa"
      },
      {
        "source": "akamai",
        "message": "Akamai rank: #8394",
        "name": "Akamai Popular Domain"
      },
      {
        "source": "whitelist",
        "message": "Whitelisted domain jotform.com",
        "name": "Whitelisted domain"
      },
      {
        "source": "majestic",
        "message": "Whitelisted domain jotform.com",
        "name": "Whitelisted domain"
      }
    ],
    "base_indicator": {
      "id": 4079371358,
      "indicator": "https://form.jotform.com",
      "type": "URL",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 3,
      "pulses": [
        {
          "id": "69c5c7194394ff775d44f7e0",
          "name": "WaypointsStickyChromeCache",
          "description": "A complete analysis of user-created Pulses (AVs) at the University of California, Los Angeles, has been published by the BBC's Newsnight website, along with a series of links.<pretext",
          "modified": "2026-04-25T00:36:45.595000",
          "created": "2026-03-26T23:54:01.493000",
          "tags": [
            "http",
            "urls",
            "unique",
            "pulse pulses",
            "location united",
            "flag united",
            "related",
            "pulses",
            "related tags",
            "x tec",
            "log id",
            "gmtn",
            "tls web",
            "self",
            "encrypt",
            "b2 f6",
            "b0n timestamp",
            "f9401a",
            "timestamp",
            "url add",
            "false"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 121,
            "hostname": 31,
            "domain": 5,
            "FileHash-MD5": 20,
            "FileHash-SHA1": 18,
            "FileHash-SHA256": 98,
            "SSLCertFingerprint": 2,
            "CVE": 1
          },
          "indicator_count": 296,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 66,
          "modified_text": "36 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "68cb233ba91aa1eb958b3f31",
          "name": "Home - RMHS | APT 10 \u2022 Andromeda \u2022  OneLouder",
          "description": "I don\u2019t even know what to say. I\u2019ve received several complaints. This is 2nd time checking out technical issues that do exist. Operates as a Human Service entity for injured persons. OTX auto populated \u2018Golfing\u2019 as industry. \n\nDoes serve the severely disabled population. Does pay caregivers. Possibly a front page a FF link page, I have no idea",
          "modified": "2025-10-17T19:03:15.031000",
          "created": "2025-09-17T21:08:11.518000",
          "tags": [
            "script urls",
            "meta",
            "moved",
            "x tec",
            "passive dns",
            "encrypt",
            "america flag",
            "san francisco",
            "extraction",
            "data upload",
            "type indicatod",
            "united states",
            "a domains",
            "united",
            "gmt server",
            "jose",
            "university",
            "bill",
            "rmhs",
            "information",
            "board",
            "lorin",
            "joseph",
            "all veterans",
            "rocky mountain",
            "mission",
            "vice",
            "april",
            "school",
            "austin",
            "prior",
            "ipv4 add",
            "urls",
            "files",
            "location united",
            "wordpress",
            "rmhs meta",
            "tags viewport",
            "rmhs og",
            "rmhs article",
            "wpbakery page",
            "builder",
            "slider plugin",
            "google tag",
            "mountain human",
            "denver",
            "connecting",
            "denver start",
            "relevance home",
            "providers",
            "contact us",
            "rmhs main",
            "server",
            "redacted tech",
            "redacted admin",
            "registrar abuse",
            "algorithm",
            "key identifier",
            "x509v3 subject",
            "dnssec",
            "country",
            "ttl value",
            "graph summary",
            "resolved ips",
            "ip address",
            "port",
            "data",
            "screenshots no",
            "involved direct",
            "country name",
            "name response",
            "tcp connections",
            "learn",
            "ck id",
            "name tactics",
            "suspicious",
            "informative",
            "command",
            "adversaries",
            "found",
            "spawns",
            "t1590 gather",
            "path",
            "ascii text",
            "exif standard",
            "tiff image",
            "format",
            "stop",
            "false",
            "soldier",
            "model",
            "youth",
            "baby",
            "june",
            "general",
            "local",
            "click",
            "strings",
            "core",
            "warrior",
            "green",
            "emotion",
            "flash",
            "nina",
            "hunk",
            "fono",
            "daam",
            "mitre att",
            "ck techniques",
            "id name",
            "malicious",
            "windows nt",
            "win64",
            "khtml",
            "gecko",
            "brand",
            "microsoft edge",
            "show process",
            "self",
            "date",
            "comspec",
            "hybrid",
            "form",
            "log id",
            "gmtn",
            "tls web",
            "b2 f6",
            "b0n timestamp",
            "f9401a",
            "record value",
            "x wix",
            "certificate",
            "domain add",
            "pulse submit",
            "body",
            "domain related",
            "blackbox",
            "apple",
            "helix",
            "dvrdns",
            "tracking",
            "remote access",
            "ios",
            "spyware",
            "hoax",
            "dynamicloader",
            "ptls6",
            "medium",
            "flashpix",
            "high",
            "ygjpavclsline",
            "officespace",
            "chartshared",
            "powershell",
            "write",
            "malware",
            "ygjpaulscontext",
            "status",
            "japan unknown",
            "domain",
            "pulses",
            "search",
            "accept",
            "apt10",
            "trojanspy",
            "win32",
            "entries",
            "susp",
            "backdoor",
            "useragent",
            "showing",
            "virtool",
            "twitter",
            "mozilla",
            "trojandropper",
            "trojan",
            "title",
            "onelouder",
            "yara det",
            "maware samoe",
            "genaco x",
            "ids detec",
            "ids terse",
            "win3 data",
            "include review",
            "exclude sugges",
            "targeting",
            "show",
            "copy",
            "reads",
            "dynamic",
            "vendor finding",
            "notes clamav",
            "files matching",
            "number",
            "sample analysis",
            "hide samples",
            "date hash",
            "next yara"
          ],
          "references": [
            "rmhumanservices.org",
            "http://www.dvrdns.net/BlackBox/LVR_SD310HWG/SD310H/Player(3.7.2.0).exe.txt",
            "ntp17.dn.n-helix.com \u2022 ntp6.n-helix.com \u2022\tn-helix.com",
            "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
            "http://www.dvrdns.net/BlackBox/google/googleMapKey.txt",
            "http://www.dvrdns.net/BlackBox/AOKI/AMEXA07/AMEX-A07%20PCViewer(3.9.8.1).exe",
            "http://www.dvrdns.net/BlackBox/LVR_SD310HWG/SD310H%2520Player",
            "http://www.dvrdns.net/BlackBox/IROAD/IROAD_X9/version.txt",
            "http://www.dvrdns.net/BlackBox/IROAD/IROAD_T8S2/IROAD%20Viewer(4.1.6.1).exe",
            "http://www.dvrdns.net/BlackBox/IROAD/IROAD_T8S2/",
            "https://we4.ondemand.esker.com/ondemand/webaccess/logon.aspx?status=CookieNotFound",
            "https://www.mlkfoundation.net/ (Foundry DGA)",
            "remotewd.com x 34 devices",
            "South Africa based:  remote.advisoroffice.com",
            "acc.lehigtapp.com - malware",
            "http://watchhers.net/index.php (espionage entity /palantir relationship  - seen before with palantir and Pegasus sometimes simultaneously )",
            "Active - apple-dns.net \u2022 nr-data.net \u2022 tunes.apple.com \u2022  emails.redvue.com \u2022",
            "Active - pointing:  https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635",
            "http://help.cangene.com/tmp/javascript/tiny_mce/plugins/imagepaste/applet/cp.jar",
            "http://wpgchanfp01.cangene.com/tmp/javascript/tiny_mce/plugins/imagepaste/applet/cp.jar",
            "Excess porn -http://barbaramarx.com/__media__/js/netsoltrademark.php?d=www.pornxxxgals.info/feet-licking-porn/",
            "https://www.rmhumanservices.org/wp-content/themes/unicon/framework/js/isotope.pkgd.min.js malware hosting",
            "YARA Detections: NAME STRINGS CATEGORY APT10_Malware_Sample_Gen acc.lehigtapp.com FILE",
            "acc.lehigtapp.com - APT10_Malware_Sample_Gen acc.lehigtapp.com FILE",
            "http://www.dvrdns.net/BlackBox/LVR_SD310HWG/SD310H/Player(3.7.2.0).exe.txt \u2022 www.dvrdns.net",
            "IDS Detections: Koobface HTTP Request (2) W32/Bayrob Attempted Checkin 2",
            "IDS Terse HTTP 1.0 Request Possible Nivdort Probable OneLouder downloader (Zeus P2P)",
            "IDS: Win32/Nivdort Checkin Win32.Sality.bh Checkin 2 Andromeda Checkin Hostname",
            "1.organization.api.powerplatform.partner.microsoftonline.cn",
            "chinaeast2.admin.api.powerautomate.cn",
            "https://cisomag.com/mysterious-malware-infects-over-45000-android-phones/amp/",
            "https://hhahiag.r.af.d.sendibt2.com/tr/cl/k5n4lETrM7BShW8xAUoWzvHtXjUA9oY0eN0p94b4t6YmDCrHhUgR0CnWSrSU4oUFIIWHm33C5ltugoVezhyEVu8aXyY_lcNjanZPDFg-LOsishNuFrY6IJn0V0mjTudzlxtGsp9Cf04n9fUhwGutzxcgUbjXHhhy9RZdcxw9Z89-_v9NL4wQvbEhDhAlekBXUxvWjkXG_WyC8myfJAYzXL_43Cok-YEiyDHA7JvRwSX9aWdWtcE5N-kL3K-VM_-tvhSJcLt-mXjsbAN6DYkoz2r7j11242EYDQHdzTiC1Or0k6_Ptz-GvAw4cZyo3978asi27ijV89a5ngu_Ene6XOjg_UMpexvj9Zrihu4i9EPTSC-5-7qKwlTLKNHiwI6DvmurR5IoMJVMPa-xIDMUN2LCMTwUHMvfo0q2a0btH2Fx2A",
            "ssa-gov.authorizeddns",
            "hmmm\u2026http://palander.stjernstrom.se/",
            "https://jt667.keap-link003.com/v2/click/063b9634a5ebbdf34f43cbbbca6019ca/eJyNkEEPwUAQhf_LnEularE3EZGmOAhn2bRTlu2abIdEpP_dEHEicZ335nvz5g6M3njOStBwZKWGEEHAwpJFz9OzZ1O8xH6Spr1BBM760zycLwT6_m33oz-n6ThNBioCvhGKZ7OeTPNsNd8tslUuXjJBQv4BDVUyUqMPaLacZAto259krC3PrgJvQHO44LNTaaUXb4MT_4GZGh3HJzTUJbPH-BUbY22s61DACuW0AjuFMDB0D1w7wRoi9OX7KzneQFfGNdg-ANNtagU"
          ],
          "public": 1,
          "adversary": "APT 10",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "APT 10",
              "display_name": "APT 10",
              "target": null
            },
            {
              "id": "OneLouder",
              "display_name": "OneLouder",
              "target": null
            },
            {
              "id": "Andromeda",
              "display_name": "Andromeda",
              "target": null
            },
            {
              "id": "Sality",
              "display_name": "Sality",
              "target": null
            },
            {
              "id": "KoobFace",
              "display_name": "KoobFace",
              "target": null
            },
            {
              "id": "Bayrob",
              "display_name": "Bayrob",
              "target": null
            },
            {
              "id": "Nivdort Checkin",
              "display_name": "Nivdort Checkin",
              "target": null
            },
            {
              "id": "Win.Malware.Installcore-6950365-0",
              "display_name": "Win.Malware.Installcore-6950365-0",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1480",
              "name": "Execution Guardrails",
              "display_name": "T1480 - Execution Guardrails"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1568",
              "name": "Dynamic Resolution",
              "display_name": "T1568 - Dynamic Resolution"
            },
            {
              "id": "T1583",
              "name": "Acquire Infrastructure",
              "display_name": "T1583 - Acquire Infrastructure"
            },
            {
              "id": "T1590",
              "name": "Gather Victim Network Information",
              "display_name": "T1590 - Gather Victim Network Information"
            },
            {
              "id": "T1113",
              "name": "Screen Capture",
              "display_name": "T1113 - Screen Capture"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1132",
              "name": "Data Encoding",
              "display_name": "T1132 - Data Encoding"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1119",
              "name": "Automated Collection",
              "display_name": "T1119 - Automated Collection"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1574.006",
              "name": "Dynamic Linker Hijacking",
              "display_name": "T1574.006 - Dynamic Linker Hijacking"
            },
            {
              "id": "T1210",
              "name": "Exploitation of Remote Services",
              "display_name": "T1210 - Exploitation of Remote Services"
            },
            {
              "id": "T1449",
              "name": "Exploit SS7 to Redirect Phone Calls/SMS",
              "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
            },
            {
              "id": "TA0011",
              "name": "Command and Control",
              "display_name": "TA0011 - Command and Control"
            }
          ],
          "industries": [
            "Golfing",
            "Healthcare",
            "Government"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 9,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 690,
            "hostname": 1912,
            "URL": 5925,
            "FileHash-SHA1": 273,
            "email": 8,
            "FileHash-SHA256": 3618,
            "CIDR": 3,
            "FileHash-MD5": 254,
            "SSLCertFingerprint": 19,
            "CVE": 2
          },
          "indicator_count": 12704,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 145,
          "modified_text": "225 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "685afb805ba518e374abc735",
          "name": "Home - RMHS - Ransom",
          "description": "I can only  imagine what is going on. This is a real organization, with a building,  ever changing case workers who don\u2019t want to meet with clients in person . I have received several incoming concerns since 2021. It seems that a threat actor may be ringing along or certain people are being handled / investigated / silenced and closely monitored by a very large interconnected Cyber Intelligence entity  \u2022 Trojan:X97M/ShellHide.C |\n\u2022 Trojan:PDF/Phish.RR!MTB |\n\u2022 Win.Trojan.Agent-370485 |\nAntivirus Detections:\n\u2022 Win.Trojan.Agent-370485\nYara: VirusWin32Span |\nAlerts\nransomware_file_modifications\nstealth_file\nDomains Contacted: Unknown\n(efbkfqpcdh.com) [\t\t\t\t2025-07-24T16:00:00\t14\t\n\nURL\nhttp://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel] #phishing #malware #intel? #trojan #infectiin",
          "modified": "2025-07-24T19:04:24.993000",
          "created": "2025-06-24T19:24:48.632000",
          "tags": [
            "wordpress",
            "home",
            "rmhs og",
            "rmhs article",
            "wpbakery page",
            "builder",
            "slider plugin",
            "utc google",
            "tag manager",
            "g5cygkcj7g1",
            "dynamicloader",
            "ms windows",
            "intel",
            "users",
            "medium",
            "pe32",
            "search",
            "show",
            "windows",
            "videos",
            "music",
            "copy",
            "write",
            "next",
            "ford mustang",
            "converter pdf",
            "gt convertible",
            "trim",
            "models ford",
            "mustang coupe",
            "createdate",
            "producer solid",
            "filehash",
            "trojan",
            "format",
            "united",
            "moved",
            "passive dns",
            "ipv4 add",
            "pulse submit",
            "url analysis",
            "urls",
            "files",
            "location united",
            "america flag",
            "encrypt",
            "date",
            "sc onlogon",
            "write c",
            "port",
            "showing",
            "entries",
            "module load",
            "execution",
            "malware",
            "self",
            "reverse dns",
            "url https",
            "resource",
            "general full",
            "name value",
            "security tls",
            "hash",
            "san francisco",
            "june",
            "input",
            "form",
            "dom get",
            "search start",
            "get https",
            "post",
            "value",
            "variables",
            "msgoriginaltext",
            "msgoptions",
            "isns function",
            "setupns",
            "rsiw number",
            "rsih object",
            "learn",
            "ck id",
            "name tactics",
            "suspicious",
            "informative",
            "command",
            "adversaries",
            "found",
            "spawns",
            "ck techniques",
            "flag",
            "markmonitor",
            "name server",
            "server",
            "rocky mountain",
            "human",
            "domain address",
            "enom",
            "copy sha256",
            "path",
            "copy md5",
            "copy sha1",
            "sha256",
            "size",
            "sha1",
            "attrib",
            "rowcycur",
            "hz4urdyi",
            "stop",
            "false",
            "soldier",
            "model",
            "youth",
            "baby",
            "core",
            "warrior",
            "green",
            "emotion",
            "flash",
            "nina",
            "hunk",
            "fono",
            "daam",
            "destination",
            "tlsv1",
            "dyndns domain",
            "irfan skiljan",
            "yara detections",
            "pdf pdf",
            "producer pdftk",
            "title data",
            "pulse pulses",
            "av detections",
            "ids detections",
            "alerts",
            "analysis date",
            "pictures",
            "read",
            "delete",
            "thumbprint",
            "graph summary",
            "url http",
            "gna7hdu",
            "g4 rsa4096",
            "adobe systems",
            "services1",
            "adobe product",
            "creatortool",
            "ascii text",
            "description svg",
            "scalable vector",
            "graphics image"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1158",
              "name": "Hidden Files and Directories",
              "display_name": "T1158 - Hidden Files and Directories"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1480",
              "name": "Execution Guardrails",
              "display_name": "T1480 - Execution Guardrails"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1568",
              "name": "Dynamic Resolution",
              "display_name": "T1568 - Dynamic Resolution"
            },
            {
              "id": "T1583",
              "name": "Acquire Infrastructure",
              "display_name": "T1583 - Acquire Infrastructure"
            },
            {
              "id": "T1590",
              "name": "Gather Victim Network Information",
              "display_name": "T1590 - Gather Victim Network Information"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 34,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 56,
            "URL": 262,
            "hostname": 165,
            "FileHash-SHA256": 2141,
            "FileHash-MD5": 308,
            "FileHash-SHA1": 308,
            "SSLCertFingerprint": 3,
            "email": 1
          },
          "indicator_count": 3244,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 142,
          "modified_text": "310 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "hmmm\u2026http://palander.stjernstrom.se/",
        "https://cisomag.com/mysterious-malware-infects-over-45000-android-phones/amp/",
        "rmhumanservices.org",
        "http://www.dvrdns.net/BlackBox/LVR_SD310HWG/SD310H%2520Player",
        "https://www.mlkfoundation.net/ (Foundry DGA)",
        "https://jt667.keap-link003.com/v2/click/063b9634a5ebbdf34f43cbbbca6019ca/eJyNkEEPwUAQhf_LnEularE3EZGmOAhn2bRTlu2abIdEpP_dEHEicZ335nvz5g6M3njOStBwZKWGEEHAwpJFz9OzZ1O8xH6Spr1BBM760zycLwT6_m33oz-n6ThNBioCvhGKZ7OeTPNsNd8tslUuXjJBQv4BDVUyUqMPaLacZAto259krC3PrgJvQHO44LNTaaUXb4MT_4GZGh3HJzTUJbPH-BUbY22s61DACuW0AjuFMDB0D1w7wRoi9OX7KzneQFfGNdg-ANNtagU",
        "http://www.dvrdns.net/BlackBox/AOKI/AMEXA07/AMEX-A07%20PCViewer(3.9.8.1).exe",
        "IDS Terse HTTP 1.0 Request Possible Nivdort Probable OneLouder downloader (Zeus P2P)",
        "Excess porn -http://barbaramarx.com/__media__/js/netsoltrademark.php?d=www.pornxxxgals.info/feet-licking-porn/",
        "IDS: Win32/Nivdort Checkin Win32.Sality.bh Checkin 2 Andromeda Checkin Hostname",
        "chinaeast2.admin.api.powerautomate.cn",
        "https://we4.ondemand.esker.com/ondemand/webaccess/logon.aspx?status=CookieNotFound",
        "Active - pointing:  https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635",
        "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
        "http://watchhers.net/index.php (espionage entity /palantir relationship  - seen before with palantir and Pegasus sometimes simultaneously )",
        "http://wpgchanfp01.cangene.com/tmp/javascript/tiny_mce/plugins/imagepaste/applet/cp.jar",
        "Active - apple-dns.net \u2022 nr-data.net \u2022 tunes.apple.com \u2022  emails.redvue.com \u2022",
        "https://hhahiag.r.af.d.sendibt2.com/tr/cl/k5n4lETrM7BShW8xAUoWzvHtXjUA9oY0eN0p94b4t6YmDCrHhUgR0CnWSrSU4oUFIIWHm33C5ltugoVezhyEVu8aXyY_lcNjanZPDFg-LOsishNuFrY6IJn0V0mjTudzlxtGsp9Cf04n9fUhwGutzxcgUbjXHhhy9RZdcxw9Z89-_v9NL4wQvbEhDhAlekBXUxvWjkXG_WyC8myfJAYzXL_43Cok-YEiyDHA7JvRwSX9aWdWtcE5N-kL3K-VM_-tvhSJcLt-mXjsbAN6DYkoz2r7j11242EYDQHdzTiC1Or0k6_Ptz-GvAw4cZyo3978asi27ijV89a5ngu_Ene6XOjg_UMpexvj9Zrihu4i9EPTSC-5-7qKwlTLKNHiwI6DvmurR5IoMJVMPa-xIDMUN2LCMTwUHMvfo0q2a0btH2Fx2A",
        "remotewd.com x 34 devices",
        "http://www.dvrdns.net/BlackBox/LVR_SD310HWG/SD310H/Player(3.7.2.0).exe.txt",
        "http://help.cangene.com/tmp/javascript/tiny_mce/plugins/imagepaste/applet/cp.jar",
        "http://www.dvrdns.net/BlackBox/IROAD/IROAD_T8S2/",
        "IDS Detections: Koobface HTTP Request (2) W32/Bayrob Attempted Checkin 2",
        "South Africa based:  remote.advisoroffice.com",
        "acc.lehigtapp.com - malware",
        "YARA Detections: NAME STRINGS CATEGORY APT10_Malware_Sample_Gen acc.lehigtapp.com FILE",
        "http://www.dvrdns.net/BlackBox/LVR_SD310HWG/SD310H/Player(3.7.2.0).exe.txt \u2022 www.dvrdns.net",
        "http://www.dvrdns.net/BlackBox/google/googleMapKey.txt",
        "ntp17.dn.n-helix.com \u2022 ntp6.n-helix.com \u2022\tn-helix.com",
        "acc.lehigtapp.com - APT10_Malware_Sample_Gen acc.lehigtapp.com FILE",
        "ssa-gov.authorizeddns",
        "https://www.rmhumanservices.org/wp-content/themes/unicon/framework/js/isotope.pkgd.min.js malware hosting",
        "http://www.dvrdns.net/BlackBox/IROAD/IROAD_T8S2/IROAD%20Viewer(4.1.6.1).exe",
        "1.organization.api.powerplatform.partner.microsoftonline.cn",
        "http://www.dvrdns.net/BlackBox/IROAD/IROAD_X9/version.txt"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": [],
          "unique_indicators": 0
        },
        "other": {
          "adversary": [
            "APT 10"
          ],
          "malware_families": [
            "Nivdort checkin",
            "Onelouder",
            "Koobface",
            "Win.malware.installcore-6950365-0",
            "Apt 10",
            "Bayrob",
            "Sality",
            "Andromeda"
          ],
          "industries": [
            "Golfing",
            "Healthcare",
            "Government"
          ],
          "unique_indicators": 15829
        }
      }
    },
    "false_positive": [],
    "alexa": "http://www.alexa.com/siteinfo/jotform.com",
    "whois": "http://whois.domaintools.com/jotform.com",
    "domain": "jotform.com",
    "hostname": "form.jotform.com"
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 3,
  "pulses": [
    {
      "id": "69c5c7194394ff775d44f7e0",
      "name": "WaypointsStickyChromeCache",
      "description": "A complete analysis of user-created Pulses (AVs) at the University of California, Los Angeles, has been published by the BBC's Newsnight website, along with a series of links.<pretext",
      "modified": "2026-04-25T00:36:45.595000",
      "created": "2026-03-26T23:54:01.493000",
      "tags": [
        "http",
        "urls",
        "unique",
        "pulse pulses",
        "location united",
        "flag united",
        "related",
        "pulses",
        "related tags",
        "x tec",
        "log id",
        "gmtn",
        "tls web",
        "self",
        "encrypt",
        "b2 f6",
        "b0n timestamp",
        "f9401a",
        "timestamp",
        "url add",
        "false"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 121,
        "hostname": 31,
        "domain": 5,
        "FileHash-MD5": 20,
        "FileHash-SHA1": 18,
        "FileHash-SHA256": 98,
        "SSLCertFingerprint": 2,
        "CVE": 1
      },
      "indicator_count": 296,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 66,
      "modified_text": "36 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "68cb233ba91aa1eb958b3f31",
      "name": "Home - RMHS | APT 10 \u2022 Andromeda \u2022  OneLouder",
      "description": "I don\u2019t even know what to say. I\u2019ve received several complaints. This is 2nd time checking out technical issues that do exist. Operates as a Human Service entity for injured persons. OTX auto populated \u2018Golfing\u2019 as industry. \n\nDoes serve the severely disabled population. Does pay caregivers. Possibly a front page a FF link page, I have no idea",
      "modified": "2025-10-17T19:03:15.031000",
      "created": "2025-09-17T21:08:11.518000",
      "tags": [
        "script urls",
        "meta",
        "moved",
        "x tec",
        "passive dns",
        "encrypt",
        "america flag",
        "san francisco",
        "extraction",
        "data upload",
        "type indicatod",
        "united states",
        "a domains",
        "united",
        "gmt server",
        "jose",
        "university",
        "bill",
        "rmhs",
        "information",
        "board",
        "lorin",
        "joseph",
        "all veterans",
        "rocky mountain",
        "mission",
        "vice",
        "april",
        "school",
        "austin",
        "prior",
        "ipv4 add",
        "urls",
        "files",
        "location united",
        "wordpress",
        "rmhs meta",
        "tags viewport",
        "rmhs og",
        "rmhs article",
        "wpbakery page",
        "builder",
        "slider plugin",
        "google tag",
        "mountain human",
        "denver",
        "connecting",
        "denver start",
        "relevance home",
        "providers",
        "contact us",
        "rmhs main",
        "server",
        "redacted tech",
        "redacted admin",
        "registrar abuse",
        "algorithm",
        "key identifier",
        "x509v3 subject",
        "dnssec",
        "country",
        "ttl value",
        "graph summary",
        "resolved ips",
        "ip address",
        "port",
        "data",
        "screenshots no",
        "involved direct",
        "country name",
        "name response",
        "tcp connections",
        "learn",
        "ck id",
        "name tactics",
        "suspicious",
        "informative",
        "command",
        "adversaries",
        "found",
        "spawns",
        "t1590 gather",
        "path",
        "ascii text",
        "exif standard",
        "tiff image",
        "format",
        "stop",
        "false",
        "soldier",
        "model",
        "youth",
        "baby",
        "june",
        "general",
        "local",
        "click",
        "strings",
        "core",
        "warrior",
        "green",
        "emotion",
        "flash",
        "nina",
        "hunk",
        "fono",
        "daam",
        "mitre att",
        "ck techniques",
        "id name",
        "malicious",
        "windows nt",
        "win64",
        "khtml",
        "gecko",
        "brand",
        "microsoft edge",
        "show process",
        "self",
        "date",
        "comspec",
        "hybrid",
        "form",
        "log id",
        "gmtn",
        "tls web",
        "b2 f6",
        "b0n timestamp",
        "f9401a",
        "record value",
        "x wix",
        "certificate",
        "domain add",
        "pulse submit",
        "body",
        "domain related",
        "blackbox",
        "apple",
        "helix",
        "dvrdns",
        "tracking",
        "remote access",
        "ios",
        "spyware",
        "hoax",
        "dynamicloader",
        "ptls6",
        "medium",
        "flashpix",
        "high",
        "ygjpavclsline",
        "officespace",
        "chartshared",
        "powershell",
        "write",
        "malware",
        "ygjpaulscontext",
        "status",
        "japan unknown",
        "domain",
        "pulses",
        "search",
        "accept",
        "apt10",
        "trojanspy",
        "win32",
        "entries",
        "susp",
        "backdoor",
        "useragent",
        "showing",
        "virtool",
        "twitter",
        "mozilla",
        "trojandropper",
        "trojan",
        "title",
        "onelouder",
        "yara det",
        "maware samoe",
        "genaco x",
        "ids detec",
        "ids terse",
        "win3 data",
        "include review",
        "exclude sugges",
        "targeting",
        "show",
        "copy",
        "reads",
        "dynamic",
        "vendor finding",
        "notes clamav",
        "files matching",
        "number",
        "sample analysis",
        "hide samples",
        "date hash",
        "next yara"
      ],
      "references": [
        "rmhumanservices.org",
        "http://www.dvrdns.net/BlackBox/LVR_SD310HWG/SD310H/Player(3.7.2.0).exe.txt",
        "ntp17.dn.n-helix.com \u2022 ntp6.n-helix.com \u2022\tn-helix.com",
        "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
        "http://www.dvrdns.net/BlackBox/google/googleMapKey.txt",
        "http://www.dvrdns.net/BlackBox/AOKI/AMEXA07/AMEX-A07%20PCViewer(3.9.8.1).exe",
        "http://www.dvrdns.net/BlackBox/LVR_SD310HWG/SD310H%2520Player",
        "http://www.dvrdns.net/BlackBox/IROAD/IROAD_X9/version.txt",
        "http://www.dvrdns.net/BlackBox/IROAD/IROAD_T8S2/IROAD%20Viewer(4.1.6.1).exe",
        "http://www.dvrdns.net/BlackBox/IROAD/IROAD_T8S2/",
        "https://we4.ondemand.esker.com/ondemand/webaccess/logon.aspx?status=CookieNotFound",
        "https://www.mlkfoundation.net/ (Foundry DGA)",
        "remotewd.com x 34 devices",
        "South Africa based:  remote.advisoroffice.com",
        "acc.lehigtapp.com - malware",
        "http://watchhers.net/index.php (espionage entity /palantir relationship  - seen before with palantir and Pegasus sometimes simultaneously )",
        "Active - apple-dns.net \u2022 nr-data.net \u2022 tunes.apple.com \u2022  emails.redvue.com \u2022",
        "Active - pointing:  https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635",
        "http://help.cangene.com/tmp/javascript/tiny_mce/plugins/imagepaste/applet/cp.jar",
        "http://wpgchanfp01.cangene.com/tmp/javascript/tiny_mce/plugins/imagepaste/applet/cp.jar",
        "Excess porn -http://barbaramarx.com/__media__/js/netsoltrademark.php?d=www.pornxxxgals.info/feet-licking-porn/",
        "https://www.rmhumanservices.org/wp-content/themes/unicon/framework/js/isotope.pkgd.min.js malware hosting",
        "YARA Detections: NAME STRINGS CATEGORY APT10_Malware_Sample_Gen acc.lehigtapp.com FILE",
        "acc.lehigtapp.com - APT10_Malware_Sample_Gen acc.lehigtapp.com FILE",
        "http://www.dvrdns.net/BlackBox/LVR_SD310HWG/SD310H/Player(3.7.2.0).exe.txt \u2022 www.dvrdns.net",
        "IDS Detections: Koobface HTTP Request (2) W32/Bayrob Attempted Checkin 2",
        "IDS Terse HTTP 1.0 Request Possible Nivdort Probable OneLouder downloader (Zeus P2P)",
        "IDS: Win32/Nivdort Checkin Win32.Sality.bh Checkin 2 Andromeda Checkin Hostname",
        "1.organization.api.powerplatform.partner.microsoftonline.cn",
        "chinaeast2.admin.api.powerautomate.cn",
        "https://cisomag.com/mysterious-malware-infects-over-45000-android-phones/amp/",
        "https://hhahiag.r.af.d.sendibt2.com/tr/cl/k5n4lETrM7BShW8xAUoWzvHtXjUA9oY0eN0p94b4t6YmDCrHhUgR0CnWSrSU4oUFIIWHm33C5ltugoVezhyEVu8aXyY_lcNjanZPDFg-LOsishNuFrY6IJn0V0mjTudzlxtGsp9Cf04n9fUhwGutzxcgUbjXHhhy9RZdcxw9Z89-_v9NL4wQvbEhDhAlekBXUxvWjkXG_WyC8myfJAYzXL_43Cok-YEiyDHA7JvRwSX9aWdWtcE5N-kL3K-VM_-tvhSJcLt-mXjsbAN6DYkoz2r7j11242EYDQHdzTiC1Or0k6_Ptz-GvAw4cZyo3978asi27ijV89a5ngu_Ene6XOjg_UMpexvj9Zrihu4i9EPTSC-5-7qKwlTLKNHiwI6DvmurR5IoMJVMPa-xIDMUN2LCMTwUHMvfo0q2a0btH2Fx2A",
        "ssa-gov.authorizeddns",
        "hmmm\u2026http://palander.stjernstrom.se/",
        "https://jt667.keap-link003.com/v2/click/063b9634a5ebbdf34f43cbbbca6019ca/eJyNkEEPwUAQhf_LnEularE3EZGmOAhn2bRTlu2abIdEpP_dEHEicZ335nvz5g6M3njOStBwZKWGEEHAwpJFz9OzZ1O8xH6Spr1BBM760zycLwT6_m33oz-n6ThNBioCvhGKZ7OeTPNsNd8tslUuXjJBQv4BDVUyUqMPaLacZAto259krC3PrgJvQHO44LNTaaUXb4MT_4GZGh3HJzTUJbPH-BUbY22s61DACuW0AjuFMDB0D1w7wRoi9OX7KzneQFfGNdg-ANNtagU"
      ],
      "public": 1,
      "adversary": "APT 10",
      "targeted_countries": [
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "APT 10",
          "display_name": "APT 10",
          "target": null
        },
        {
          "id": "OneLouder",
          "display_name": "OneLouder",
          "target": null
        },
        {
          "id": "Andromeda",
          "display_name": "Andromeda",
          "target": null
        },
        {
          "id": "Sality",
          "display_name": "Sality",
          "target": null
        },
        {
          "id": "KoobFace",
          "display_name": "KoobFace",
          "target": null
        },
        {
          "id": "Bayrob",
          "display_name": "Bayrob",
          "target": null
        },
        {
          "id": "Nivdort Checkin",
          "display_name": "Nivdort Checkin",
          "target": null
        },
        {
          "id": "Win.Malware.Installcore-6950365-0",
          "display_name": "Win.Malware.Installcore-6950365-0",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1480",
          "name": "Execution Guardrails",
          "display_name": "T1480 - Execution Guardrails"
        },
        {
          "id": "T1553",
          "name": "Subvert Trust Controls",
          "display_name": "T1553 - Subvert Trust Controls"
        },
        {
          "id": "T1568",
          "name": "Dynamic Resolution",
          "display_name": "T1568 - Dynamic Resolution"
        },
        {
          "id": "T1583",
          "name": "Acquire Infrastructure",
          "display_name": "T1583 - Acquire Infrastructure"
        },
        {
          "id": "T1590",
          "name": "Gather Victim Network Information",
          "display_name": "T1590 - Gather Victim Network Information"
        },
        {
          "id": "T1113",
          "name": "Screen Capture",
          "display_name": "T1113 - Screen Capture"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1132",
          "name": "Data Encoding",
          "display_name": "T1132 - Data Encoding"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1119",
          "name": "Automated Collection",
          "display_name": "T1119 - Automated Collection"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1574.006",
          "name": "Dynamic Linker Hijacking",
          "display_name": "T1574.006 - Dynamic Linker Hijacking"
        },
        {
          "id": "T1210",
          "name": "Exploitation of Remote Services",
          "display_name": "T1210 - Exploitation of Remote Services"
        },
        {
          "id": "T1449",
          "name": "Exploit SS7 to Redirect Phone Calls/SMS",
          "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
        },
        {
          "id": "TA0011",
          "name": "Command and Control",
          "display_name": "TA0011 - Command and Control"
        }
      ],
      "industries": [
        "Golfing",
        "Healthcare",
        "Government"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 9,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Q.Vashti",
        "id": "337942",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 690,
        "hostname": 1912,
        "URL": 5925,
        "FileHash-SHA1": 273,
        "email": 8,
        "FileHash-SHA256": 3618,
        "CIDR": 3,
        "FileHash-MD5": 254,
        "SSLCertFingerprint": 19,
        "CVE": 2
      },
      "indicator_count": 12704,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 145,
      "modified_text": "225 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "685afb805ba518e374abc735",
      "name": "Home - RMHS - Ransom",
      "description": "I can only  imagine what is going on. This is a real organization, with a building,  ever changing case workers who don\u2019t want to meet with clients in person . I have received several incoming concerns since 2021. It seems that a threat actor may be ringing along or certain people are being handled / investigated / silenced and closely monitored by a very large interconnected Cyber Intelligence entity  \u2022 Trojan:X97M/ShellHide.C |\n\u2022 Trojan:PDF/Phish.RR!MTB |\n\u2022 Win.Trojan.Agent-370485 |\nAntivirus Detections:\n\u2022 Win.Trojan.Agent-370485\nYara: VirusWin32Span |\nAlerts\nransomware_file_modifications\nstealth_file\nDomains Contacted: Unknown\n(efbkfqpcdh.com) [\t\t\t\t2025-07-24T16:00:00\t14\t\n\nURL\nhttp://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel] #phishing #malware #intel? #trojan #infectiin",
      "modified": "2025-07-24T19:04:24.993000",
      "created": "2025-06-24T19:24:48.632000",
      "tags": [
        "wordpress",
        "home",
        "rmhs og",
        "rmhs article",
        "wpbakery page",
        "builder",
        "slider plugin",
        "utc google",
        "tag manager",
        "g5cygkcj7g1",
        "dynamicloader",
        "ms windows",
        "intel",
        "users",
        "medium",
        "pe32",
        "search",
        "show",
        "windows",
        "videos",
        "music",
        "copy",
        "write",
        "next",
        "ford mustang",
        "converter pdf",
        "gt convertible",
        "trim",
        "models ford",
        "mustang coupe",
        "createdate",
        "producer solid",
        "filehash",
        "trojan",
        "format",
        "united",
        "moved",
        "passive dns",
        "ipv4 add",
        "pulse submit",
        "url analysis",
        "urls",
        "files",
        "location united",
        "america flag",
        "encrypt",
        "date",
        "sc onlogon",
        "write c",
        "port",
        "showing",
        "entries",
        "module load",
        "execution",
        "malware",
        "self",
        "reverse dns",
        "url https",
        "resource",
        "general full",
        "name value",
        "security tls",
        "hash",
        "san francisco",
        "june",
        "input",
        "form",
        "dom get",
        "search start",
        "get https",
        "post",
        "value",
        "variables",
        "msgoriginaltext",
        "msgoptions",
        "isns function",
        "setupns",
        "rsiw number",
        "rsih object",
        "learn",
        "ck id",
        "name tactics",
        "suspicious",
        "informative",
        "command",
        "adversaries",
        "found",
        "spawns",
        "ck techniques",
        "flag",
        "markmonitor",
        "name server",
        "server",
        "rocky mountain",
        "human",
        "domain address",
        "enom",
        "copy sha256",
        "path",
        "copy md5",
        "copy sha1",
        "sha256",
        "size",
        "sha1",
        "attrib",
        "rowcycur",
        "hz4urdyi",
        "stop",
        "false",
        "soldier",
        "model",
        "youth",
        "baby",
        "core",
        "warrior",
        "green",
        "emotion",
        "flash",
        "nina",
        "hunk",
        "fono",
        "daam",
        "destination",
        "tlsv1",
        "dyndns domain",
        "irfan skiljan",
        "yara detections",
        "pdf pdf",
        "producer pdftk",
        "title data",
        "pulse pulses",
        "av detections",
        "ids detections",
        "alerts",
        "analysis date",
        "pictures",
        "read",
        "delete",
        "thumbprint",
        "graph summary",
        "url http",
        "gna7hdu",
        "g4 rsa4096",
        "adobe systems",
        "services1",
        "adobe product",
        "creatortool",
        "ascii text",
        "description svg",
        "scalable vector",
        "graphics image"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1053",
          "name": "Scheduled Task/Job",
          "display_name": "T1053 - Scheduled Task/Job"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1060",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1060 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1158",
          "name": "Hidden Files and Directories",
          "display_name": "T1158 - Hidden Files and Directories"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1480",
          "name": "Execution Guardrails",
          "display_name": "T1480 - Execution Guardrails"
        },
        {
          "id": "T1553",
          "name": "Subvert Trust Controls",
          "display_name": "T1553 - Subvert Trust Controls"
        },
        {
          "id": "T1568",
          "name": "Dynamic Resolution",
          "display_name": "T1568 - Dynamic Resolution"
        },
        {
          "id": "T1583",
          "name": "Acquire Infrastructure",
          "display_name": "T1583 - Acquire Infrastructure"
        },
        {
          "id": "T1590",
          "name": "Gather Victim Network Information",
          "display_name": "T1590 - Gather Victim Network Information"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 34,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Q.Vashti",
        "id": "337942",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 56,
        "URL": 262,
        "hostname": 165,
        "FileHash-SHA256": 2141,
        "FileHash-MD5": 308,
        "FileHash-SHA1": 308,
        "SSLCertFingerprint": 3,
        "email": 1
      },
      "indicator_count": 3244,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 142,
      "modified_text": "310 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "https://form.jotform.com",
    "type": "URL"
  },
  "abuseipdb": null,
  "urlhaus": {
    "error": "Expecting value: line 1 column 1 (char 0)",
    "indicator": "https://form.jotform.com",
    "type": "URL"
  },
  "from_cache": true,
  "_cached_at": 1780234364.0468469
}