{
  "type": "URL",
  "indicator": "https://js.stripe.com",
  "general": {
    "sections": [
      "general",
      "url_list",
      "http_scans",
      "screenshot"
    ],
    "indicator": "https://js.stripe.com",
    "type": "url",
    "type_title": "URL",
    "validation": [
      {
        "source": "akamai",
        "message": "Akamai rank: #1067",
        "name": "Akamai Popular Domain"
      },
      {
        "source": "whitelist",
        "message": "Whitelisted domain stripe.com",
        "name": "Whitelisted domain"
      },
      {
        "source": "majestic",
        "message": "Whitelisted domain stripe.com",
        "name": "Whitelisted domain"
      }
    ],
    "base_indicator": {
      "id": 3159749467,
      "indicator": "https://js.stripe.com",
      "type": "URL",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 11,
      "pulses": [
        {
          "id": "69db4f2dc509a1e8210f1b68",
          "name": "CAPE Sandbox",
          "description": "CivicPlus, LLC (ICONE-2) is a US-based company with a name that includes the word \"CIVICPLUS\", \"civicplus\", and \"icon Enterprises, Inc\".",
          "modified": "2026-04-12T08:36:17.724000",
          "created": "2026-04-12T07:52:13.594000",
          "tags": [
            "network admin",
            "civicplus",
            "net192",
            "net1920000",
            "houston",
            "suite e",
            "city",
            "server",
            "select contact",
            "domain holder",
            "date",
            "form",
            "submission",
            "ssdeep",
            "file type",
            "text text",
            "magic unicode",
            "utf8",
            "crlf line",
            "trid text",
            "magika txt",
            "file size",
            "chatgpt",
            "doctype html",
            "meta",
            "ai system",
            "research",
            "preview",
            "gmt server",
            "self",
            "dynamic",
            "html info",
            "title chatgpt",
            "meta tags",
            "thumbprint"
          ],
          "references": [
            "https://vtbehaviour.commondatastorage.googleapis.com/528831360d5c49743bf0dcf9cb0af1f76c694de9dfff79b32098d68c3c592f8a_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775980441&Signature=QefJtz2s096UJTV1NljpeJrvdFWJBbHJre5UDOJQeemvu9EGI8UaxLTPvZxejJToeSgqCCu4zCWniB2V9Xer1ozcM5Vy2xhgRO%2BaFeWFRkjfd5yRyZIGLi65ORYA2oyDhTBUZuQco3NNHZWaS0mWYOpAI662c%2BecYNp5SJTXMB4oKzu9bstiszUfM1HNlWjSpySaxCD4j34gZFgiv5xZGW34IcBSvzfQUWECgUu6jW5Pu4Rr%2FH5TJS%2"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CIDR": 2,
            "URL": 602,
            "domain": 166,
            "email": 37,
            "hostname": 837,
            "FileHash-MD5": 125,
            "FileHash-SHA1": 136,
            "FileHash-SHA256": 1230,
            "IPv4": 399
          },
          "indicator_count": 3534,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 49,
          "modified_text": "7 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "69b237ba5540942cb494f3ef",
          "name": "Unique Hash",
          "description": "102af5442ea9b8c2ee2f54b6f8e69b3e39a1e0f30f97c3de3434f7df7037183a",
          "modified": "2026-04-11T04:04:56.834000",
          "created": "2026-03-12T03:49:14.665000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 677,
            "URL": 215,
            "domain": 57,
            "hostname": 199,
            "FileHash-MD5": 263,
            "FileHash-SHA1": 249
          },
          "indicator_count": 1660,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 48,
          "modified_text": "8 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "69c5c7194394ff775d44f7e0",
          "name": "WaypointsStickyChromeCache",
          "description": "A complete analysis of user-created Pulses (AVs) at the University of California, Los Angeles, has been published by the BBC's Newsnight website, along with a series of links.<pretext",
          "modified": "2026-03-27T00:12:08.015000",
          "created": "2026-03-26T23:54:01.493000",
          "tags": [
            "http",
            "urls",
            "unique",
            "pulse pulses",
            "location united",
            "flag united",
            "related",
            "pulses",
            "related tags",
            "x tec",
            "log id",
            "gmtn",
            "tls web",
            "self",
            "encrypt",
            "b2 f6",
            "b0n timestamp",
            "f9401a",
            "timestamp",
            "url add",
            "false"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 121,
            "hostname": 31,
            "domain": 5,
            "FileHash-MD5": 20,
            "FileHash-SHA1": 18,
            "FileHash-SHA256": 98,
            "SSLCertFingerprint": 2,
            "IPv4": 1,
            "CVE": 1
          },
          "indicator_count": 297,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 48,
          "modified_text": "23 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "68d62e5e038c036204e489ba",
          "name": "Deepsea - Seen in multiple targeting attacks | curse.llc |",
          "description": "DiabloFans.com redirects to curse.llc a shopify  storefront that offering witchcraft related products and/or services. \n\nIt will take time to break down the true intent of the website. Maybe it\u2019s hacked maybe it\u2019s a tool. I think targeting is involved because of the constant appearance of diablofans.com in various types of research over time including a most recent pulse related to a target \n\nThere are multiple checkins, bots, Trojans , worms, etc. This entire pulse will be populated by OTX , I won\u2019t be able to annotate for this pulse,\nLet\u2019s see what happens. \n\n#Lowfi:HSTR:MSIL/Obfuscator.Deepsea.C",
          "modified": "2025-10-26T05:01:11.780000",
          "created": "2025-09-26T06:10:38.550000",
          "tags": [
            "handle",
            "entity",
            "host name",
            "rdap database",
            "iana registrar",
            "roles",
            "dnssec",
            "links",
            "namecheap",
            "namecheap inc",
            "script urls",
            "united",
            "unknown ns",
            "moved",
            "script domains",
            "passive dns",
            "ip address",
            "body",
            "gmt content",
            "type",
            "title",
            "date",
            "meta",
            "request",
            "get updates",
            "common upatre",
            "p2p zeus",
            "common header",
            "struct",
            "downloader",
            "exe download",
            "terse",
            "regsetvalueexa",
            "execution",
            "dock",
            "write",
            "next",
            "win32",
            "persistence",
            "malware",
            "copy",
            "unknown",
            "canada unknown",
            "alfper",
            "entries",
            "ipv4",
            "pulse pulses",
            "urls",
            "files",
            "reverse dns",
            "location canada",
            "twitter",
            "present sep",
            "cname",
            "name servers",
            "search",
            "creation date",
            "canada",
            "certificate",
            "trojan",
            "ontario",
            "learn",
            "ck id",
            "name tactics",
            "suspicious",
            "informative",
            "command",
            "adversaries",
            "defense evasion",
            "spawns",
            "development att",
            "href",
            "show technique",
            "mitre att",
            "ck matrix",
            "script",
            "network related",
            "input url",
            "network traffic",
            "t1204",
            "copy md5",
            "copy sha1",
            "copy sha256",
            "size",
            "sha1",
            "sha256",
            "flag",
            "canada canada",
            "strings",
            "cloudflar",
            "google",
            "googlecl",
            "facebook",
            "as autonomous",
            "system",
            "hetznera",
            "detail domain",
            "domain tree",
            "links domain",
            "requested",
            "url https",
            "general full",
            "name value",
            "resource",
            "asn13335",
            "cloudflarenet",
            "hash",
            "protocol h3",
            "express",
            "value",
            "please",
            "automatic",
            "webgl",
            "september",
            "variables",
            "shopify",
            "shopifypay",
            "st boolean",
            "shopifyforms",
            "raven",
            "hstr",
            "next associated",
            "mtb may",
            "ipv4 add",
            "trojanspy",
            "trojandropper",
            "span",
            "path",
            "button",
            "circle",
            "link",
            "keychains",
            "choose",
            "input",
            "small",
            "close",
            "form",
            "stop",
            "anime",
            "kitty",
            "iframe",
            "null",
            "open",
            "tarot",
            "footer",
            "curse",
            "first",
            "back",
            "error",
            "config",
            "contact",
            "signs",
            "main",
            "payment",
            "window"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1040",
              "name": "Network Sniffing",
              "display_name": "T1040 - Network Sniffing"
            },
            {
              "id": "T1045",
              "name": "Software Packing",
              "display_name": "T1045 - Software Packing"
            },
            {
              "id": "T1112",
              "name": "Modify Registry",
              "display_name": "T1112 - Modify Registry"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1143",
              "name": "Hidden Window",
              "display_name": "T1143 - Hidden Window"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1480",
              "name": "Execution Guardrails",
              "display_name": "T1480 - Execution Guardrails"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1568",
              "name": "Dynamic Resolution",
              "display_name": "T1568 - Dynamic Resolution"
            },
            {
              "id": "T1583",
              "name": "Acquire Infrastructure",
              "display_name": "T1583 - Acquire Infrastructure"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 4,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 236,
            "FileHash-MD5": 320,
            "FileHash-SHA1": 314,
            "FileHash-SHA256": 2288,
            "URL": 889,
            "hostname": 361,
            "SSLCertFingerprint": 1,
            "email": 2,
            "CVE": 1
          },
          "indicator_count": 4412,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 139,
          "modified_text": "175 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "68cb233ba91aa1eb958b3f31",
          "name": "Home - RMHS | APT 10 \u2022 Andromeda \u2022  OneLouder",
          "description": "I don\u2019t even know what to say. I\u2019ve received several complaints. This is 2nd time checking out technical issues that do exist. Operates as a Human Service entity for injured persons. OTX auto populated \u2018Golfing\u2019 as industry. \n\nDoes serve the severely disabled population. Does pay caregivers. Possibly a front page a FF link page, I have no idea",
          "modified": "2025-10-17T19:03:15.031000",
          "created": "2025-09-17T21:08:11.518000",
          "tags": [
            "script urls",
            "meta",
            "moved",
            "x tec",
            "passive dns",
            "encrypt",
            "america flag",
            "san francisco",
            "extraction",
            "data upload",
            "type indicatod",
            "united states",
            "a domains",
            "united",
            "gmt server",
            "jose",
            "university",
            "bill",
            "rmhs",
            "information",
            "board",
            "lorin",
            "joseph",
            "all veterans",
            "rocky mountain",
            "mission",
            "vice",
            "april",
            "school",
            "austin",
            "prior",
            "ipv4 add",
            "urls",
            "files",
            "location united",
            "wordpress",
            "rmhs meta",
            "tags viewport",
            "rmhs og",
            "rmhs article",
            "wpbakery page",
            "builder",
            "slider plugin",
            "google tag",
            "mountain human",
            "denver",
            "connecting",
            "denver start",
            "relevance home",
            "providers",
            "contact us",
            "rmhs main",
            "server",
            "redacted tech",
            "redacted admin",
            "registrar abuse",
            "algorithm",
            "key identifier",
            "x509v3 subject",
            "dnssec",
            "country",
            "ttl value",
            "graph summary",
            "resolved ips",
            "ip address",
            "port",
            "data",
            "screenshots no",
            "involved direct",
            "country name",
            "name response",
            "tcp connections",
            "learn",
            "ck id",
            "name tactics",
            "suspicious",
            "informative",
            "command",
            "adversaries",
            "found",
            "spawns",
            "t1590 gather",
            "path",
            "ascii text",
            "exif standard",
            "tiff image",
            "format",
            "stop",
            "false",
            "soldier",
            "model",
            "youth",
            "baby",
            "june",
            "general",
            "local",
            "click",
            "strings",
            "core",
            "warrior",
            "green",
            "emotion",
            "flash",
            "nina",
            "hunk",
            "fono",
            "daam",
            "mitre att",
            "ck techniques",
            "id name",
            "malicious",
            "windows nt",
            "win64",
            "khtml",
            "gecko",
            "brand",
            "microsoft edge",
            "show process",
            "self",
            "date",
            "comspec",
            "hybrid",
            "form",
            "log id",
            "gmtn",
            "tls web",
            "b2 f6",
            "b0n timestamp",
            "f9401a",
            "record value",
            "x wix",
            "certificate",
            "domain add",
            "pulse submit",
            "body",
            "domain related",
            "blackbox",
            "apple",
            "helix",
            "dvrdns",
            "tracking",
            "remote access",
            "ios",
            "spyware",
            "hoax",
            "dynamicloader",
            "ptls6",
            "medium",
            "flashpix",
            "high",
            "ygjpavclsline",
            "officespace",
            "chartshared",
            "powershell",
            "write",
            "malware",
            "ygjpaulscontext",
            "status",
            "japan unknown",
            "domain",
            "pulses",
            "search",
            "accept",
            "apt10",
            "trojanspy",
            "win32",
            "entries",
            "susp",
            "backdoor",
            "useragent",
            "showing",
            "virtool",
            "twitter",
            "mozilla",
            "trojandropper",
            "trojan",
            "title",
            "onelouder",
            "yara det",
            "maware samoe",
            "genaco x",
            "ids detec",
            "ids terse",
            "win3 data",
            "include review",
            "exclude sugges",
            "targeting",
            "show",
            "copy",
            "reads",
            "dynamic",
            "vendor finding",
            "notes clamav",
            "files matching",
            "number",
            "sample analysis",
            "hide samples",
            "date hash",
            "next yara"
          ],
          "references": [
            "rmhumanservices.org",
            "http://www.dvrdns.net/BlackBox/LVR_SD310HWG/SD310H/Player(3.7.2.0).exe.txt",
            "ntp17.dn.n-helix.com \u2022 ntp6.n-helix.com \u2022\tn-helix.com",
            "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
            "http://www.dvrdns.net/BlackBox/google/googleMapKey.txt",
            "http://www.dvrdns.net/BlackBox/AOKI/AMEXA07/AMEX-A07%20PCViewer(3.9.8.1).exe",
            "http://www.dvrdns.net/BlackBox/LVR_SD310HWG/SD310H%2520Player",
            "http://www.dvrdns.net/BlackBox/IROAD/IROAD_X9/version.txt",
            "http://www.dvrdns.net/BlackBox/IROAD/IROAD_T8S2/IROAD%20Viewer(4.1.6.1).exe",
            "http://www.dvrdns.net/BlackBox/IROAD/IROAD_T8S2/",
            "https://we4.ondemand.esker.com/ondemand/webaccess/logon.aspx?status=CookieNotFound",
            "https://www.mlkfoundation.net/ (Foundry DGA)",
            "remotewd.com x 34 devices",
            "South Africa based:  remote.advisoroffice.com",
            "acc.lehigtapp.com - malware",
            "http://watchhers.net/index.php (espionage entity /palantir relationship  - seen before with palantir and Pegasus sometimes simultaneously )",
            "Active - apple-dns.net \u2022 nr-data.net \u2022 tunes.apple.com \u2022  emails.redvue.com \u2022",
            "Active - pointing:  https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635",
            "http://help.cangene.com/tmp/javascript/tiny_mce/plugins/imagepaste/applet/cp.jar",
            "http://wpgchanfp01.cangene.com/tmp/javascript/tiny_mce/plugins/imagepaste/applet/cp.jar",
            "Excess porn -http://barbaramarx.com/__media__/js/netsoltrademark.php?d=www.pornxxxgals.info/feet-licking-porn/",
            "https://www.rmhumanservices.org/wp-content/themes/unicon/framework/js/isotope.pkgd.min.js malware hosting",
            "YARA Detections: NAME STRINGS CATEGORY APT10_Malware_Sample_Gen acc.lehigtapp.com FILE",
            "acc.lehigtapp.com - APT10_Malware_Sample_Gen acc.lehigtapp.com FILE",
            "http://www.dvrdns.net/BlackBox/LVR_SD310HWG/SD310H/Player(3.7.2.0).exe.txt \u2022 www.dvrdns.net",
            "IDS Detections: Koobface HTTP Request (2) W32/Bayrob Attempted Checkin 2",
            "IDS Terse HTTP 1.0 Request Possible Nivdort Probable OneLouder downloader (Zeus P2P)",
            "IDS: Win32/Nivdort Checkin Win32.Sality.bh Checkin 2 Andromeda Checkin Hostname",
            "1.organization.api.powerplatform.partner.microsoftonline.cn",
            "chinaeast2.admin.api.powerautomate.cn",
            "https://cisomag.com/mysterious-malware-infects-over-45000-android-phones/amp/",
            "https://hhahiag.r.af.d.sendibt2.com/tr/cl/k5n4lETrM7BShW8xAUoWzvHtXjUA9oY0eN0p94b4t6YmDCrHhUgR0CnWSrSU4oUFIIWHm33C5ltugoVezhyEVu8aXyY_lcNjanZPDFg-LOsishNuFrY6IJn0V0mjTudzlxtGsp9Cf04n9fUhwGutzxcgUbjXHhhy9RZdcxw9Z89-_v9NL4wQvbEhDhAlekBXUxvWjkXG_WyC8myfJAYzXL_43Cok-YEiyDHA7JvRwSX9aWdWtcE5N-kL3K-VM_-tvhSJcLt-mXjsbAN6DYkoz2r7j11242EYDQHdzTiC1Or0k6_Ptz-GvAw4cZyo3978asi27ijV89a5ngu_Ene6XOjg_UMpexvj9Zrihu4i9EPTSC-5-7qKwlTLKNHiwI6DvmurR5IoMJVMPa-xIDMUN2LCMTwUHMvfo0q2a0btH2Fx2A",
            "ssa-gov.authorizeddns",
            "hmmm\u2026http://palander.stjernstrom.se/",
            "https://jt667.keap-link003.com/v2/click/063b9634a5ebbdf34f43cbbbca6019ca/eJyNkEEPwUAQhf_LnEularE3EZGmOAhn2bRTlu2abIdEpP_dEHEicZ335nvz5g6M3njOStBwZKWGEEHAwpJFz9OzZ1O8xH6Spr1BBM760zycLwT6_m33oz-n6ThNBioCvhGKZ7OeTPNsNd8tslUuXjJBQv4BDVUyUqMPaLacZAto259krC3PrgJvQHO44LNTaaUXb4MT_4GZGh3HJzTUJbPH-BUbY22s61DACuW0AjuFMDB0D1w7wRoi9OX7KzneQFfGNdg-ANNtagU"
          ],
          "public": 1,
          "adversary": "APT 10",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "APT 10",
              "display_name": "APT 10",
              "target": null
            },
            {
              "id": "OneLouder",
              "display_name": "OneLouder",
              "target": null
            },
            {
              "id": "Andromeda",
              "display_name": "Andromeda",
              "target": null
            },
            {
              "id": "Sality",
              "display_name": "Sality",
              "target": null
            },
            {
              "id": "KoobFace",
              "display_name": "KoobFace",
              "target": null
            },
            {
              "id": "Bayrob",
              "display_name": "Bayrob",
              "target": null
            },
            {
              "id": "Nivdort Checkin",
              "display_name": "Nivdort Checkin",
              "target": null
            },
            {
              "id": "Win.Malware.Installcore-6950365-0",
              "display_name": "Win.Malware.Installcore-6950365-0",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1480",
              "name": "Execution Guardrails",
              "display_name": "T1480 - Execution Guardrails"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1568",
              "name": "Dynamic Resolution",
              "display_name": "T1568 - Dynamic Resolution"
            },
            {
              "id": "T1583",
              "name": "Acquire Infrastructure",
              "display_name": "T1583 - Acquire Infrastructure"
            },
            {
              "id": "T1590",
              "name": "Gather Victim Network Information",
              "display_name": "T1590 - Gather Victim Network Information"
            },
            {
              "id": "T1113",
              "name": "Screen Capture",
              "display_name": "T1113 - Screen Capture"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1132",
              "name": "Data Encoding",
              "display_name": "T1132 - Data Encoding"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1119",
              "name": "Automated Collection",
              "display_name": "T1119 - Automated Collection"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1574.006",
              "name": "Dynamic Linker Hijacking",
              "display_name": "T1574.006 - Dynamic Linker Hijacking"
            },
            {
              "id": "T1210",
              "name": "Exploitation of Remote Services",
              "display_name": "T1210 - Exploitation of Remote Services"
            },
            {
              "id": "T1449",
              "name": "Exploit SS7 to Redirect Phone Calls/SMS",
              "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
            },
            {
              "id": "TA0011",
              "name": "Command and Control",
              "display_name": "TA0011 - Command and Control"
            }
          ],
          "industries": [
            "Golfing",
            "Healthcare",
            "Government"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 9,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 690,
            "hostname": 1912,
            "URL": 5925,
            "FileHash-SHA1": 273,
            "email": 8,
            "FileHash-SHA256": 3618,
            "CIDR": 3,
            "FileHash-MD5": 254,
            "SSLCertFingerprint": 19,
            "CVE": 2
          },
          "indicator_count": 12704,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 141,
          "modified_text": "184 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "689af6a1704fa2745bc8c2a3",
          "name": "Hijacked Twitter / X.com account. Phishing | Abnormal use",
          "description": "Hijacked phishing Twitter/ X.com.\nWin32/Unruy.C Activity\n#phishing #hijacked #intercoms #unruy #trojan #VTflood #malware #attack",
          "modified": "2025-09-11T08:02:36.759000",
          "created": "2025-08-12T08:09:05.642000",
          "tags": [
            "log id",
            "gmtn",
            "secure",
            "tls web",
            "passive dns",
            "urls",
            "path",
            "self",
            "encrypt",
            "ca issuers",
            "false",
            "search",
            "read c",
            "united",
            "entries",
            "show",
            "showing",
            "msie",
            "windows nt",
            "wow64",
            "slcc2",
            "copy",
            "write",
            "suspicious",
            "malware",
            "unknown",
            "process32nextw",
            "shellexecuteexw",
            "medium process",
            "discovery t1057",
            "t1057",
            "discovery",
            "medium",
            "locally unique",
            "identifier",
            "veailmboprd",
            "next associated",
            "ipv4 add",
            "pulse pulses",
            "files",
            "asn as13335",
            "dns resolutions",
            "domains top",
            "smoke loader",
            "trojan",
            "body",
            "learn",
            "ck id",
            "name tactics",
            "informative",
            "adversaries",
            "command",
            "spawns",
            "ssl certificate",
            "execution att",
            "show process",
            "programfiles",
            "command decode",
            "flag",
            "suricata ipv4",
            "mitre att",
            "show technique",
            "ck matrix",
            "date",
            "comspec",
            "model",
            "twitter",
            "august",
            "hybrid",
            "general",
            "click",
            "strings"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1143",
              "name": "Hidden Window",
              "display_name": "T1143 - Hidden Window"
            },
            {
              "id": "T1045",
              "name": "Software Packing",
              "display_name": "T1045 - Software Packing"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1480",
              "name": "Execution Guardrails",
              "display_name": "T1480 - Execution Guardrails"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1568",
              "name": "Dynamic Resolution",
              "display_name": "T1568 - Dynamic Resolution"
            },
            {
              "id": "T1583",
              "name": "Acquire Infrastructure",
              "display_name": "T1583 - Acquire Infrastructure"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 31,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 1504,
            "FileHash-SHA256": 1232,
            "SSLCertFingerprint": 14,
            "domain": 245,
            "hostname": 526,
            "FileHash-MD5": 43,
            "FileHash-SHA1": 38
          },
          "indicator_count": 3602,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 138,
          "modified_text": "220 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "685afb805ba518e374abc735",
          "name": "Home - RMHS - Ransom",
          "description": "I can only  imagine what is going on. This is a real organization, with a building,  ever changing case workers who don\u2019t want to meet with clients in person . I have received several incoming concerns since 2021. It seems that a threat actor may be ringing along or certain people are being handled / investigated / silenced and closely monitored by a very large interconnected Cyber Intelligence entity  \u2022 Trojan:X97M/ShellHide.C |\n\u2022 Trojan:PDF/Phish.RR!MTB |\n\u2022 Win.Trojan.Agent-370485 |\nAntivirus Detections:\n\u2022 Win.Trojan.Agent-370485\nYara: VirusWin32Span |\nAlerts\nransomware_file_modifications\nstealth_file\nDomains Contacted: Unknown\n(efbkfqpcdh.com) [\t\t\t\t2025-07-24T16:00:00\t14\t\n\nURL\nhttp://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel] #phishing #malware #intel? #trojan #infectiin",
          "modified": "2025-07-24T19:04:24.993000",
          "created": "2025-06-24T19:24:48.632000",
          "tags": [
            "wordpress",
            "home",
            "rmhs og",
            "rmhs article",
            "wpbakery page",
            "builder",
            "slider plugin",
            "utc google",
            "tag manager",
            "g5cygkcj7g1",
            "dynamicloader",
            "ms windows",
            "intel",
            "users",
            "medium",
            "pe32",
            "search",
            "show",
            "windows",
            "videos",
            "music",
            "copy",
            "write",
            "next",
            "ford mustang",
            "converter pdf",
            "gt convertible",
            "trim",
            "models ford",
            "mustang coupe",
            "createdate",
            "producer solid",
            "filehash",
            "trojan",
            "format",
            "united",
            "moved",
            "passive dns",
            "ipv4 add",
            "pulse submit",
            "url analysis",
            "urls",
            "files",
            "location united",
            "america flag",
            "encrypt",
            "date",
            "sc onlogon",
            "write c",
            "port",
            "showing",
            "entries",
            "module load",
            "execution",
            "malware",
            "self",
            "reverse dns",
            "url https",
            "resource",
            "general full",
            "name value",
            "security tls",
            "hash",
            "san francisco",
            "june",
            "input",
            "form",
            "dom get",
            "search start",
            "get https",
            "post",
            "value",
            "variables",
            "msgoriginaltext",
            "msgoptions",
            "isns function",
            "setupns",
            "rsiw number",
            "rsih object",
            "learn",
            "ck id",
            "name tactics",
            "suspicious",
            "informative",
            "command",
            "adversaries",
            "found",
            "spawns",
            "ck techniques",
            "flag",
            "markmonitor",
            "name server",
            "server",
            "rocky mountain",
            "human",
            "domain address",
            "enom",
            "copy sha256",
            "path",
            "copy md5",
            "copy sha1",
            "sha256",
            "size",
            "sha1",
            "attrib",
            "rowcycur",
            "hz4urdyi",
            "stop",
            "false",
            "soldier",
            "model",
            "youth",
            "baby",
            "core",
            "warrior",
            "green",
            "emotion",
            "flash",
            "nina",
            "hunk",
            "fono",
            "daam",
            "destination",
            "tlsv1",
            "dyndns domain",
            "irfan skiljan",
            "yara detections",
            "pdf pdf",
            "producer pdftk",
            "title data",
            "pulse pulses",
            "av detections",
            "ids detections",
            "alerts",
            "analysis date",
            "pictures",
            "read",
            "delete",
            "thumbprint",
            "graph summary",
            "url http",
            "gna7hdu",
            "g4 rsa4096",
            "adobe systems",
            "services1",
            "adobe product",
            "creatortool",
            "ascii text",
            "description svg",
            "scalable vector",
            "graphics image"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1158",
              "name": "Hidden Files and Directories",
              "display_name": "T1158 - Hidden Files and Directories"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1480",
              "name": "Execution Guardrails",
              "display_name": "T1480 - Execution Guardrails"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1568",
              "name": "Dynamic Resolution",
              "display_name": "T1568 - Dynamic Resolution"
            },
            {
              "id": "T1583",
              "name": "Acquire Infrastructure",
              "display_name": "T1583 - Acquire Infrastructure"
            },
            {
              "id": "T1590",
              "name": "Gather Victim Network Information",
              "display_name": "T1590 - Gather Victim Network Information"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 34,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 56,
            "URL": 262,
            "hostname": 165,
            "FileHash-SHA256": 2141,
            "FileHash-MD5": 308,
            "FileHash-SHA1": 308,
            "SSLCertFingerprint": 3,
            "email": 1
          },
          "indicator_count": 3244,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 138,
          "modified_text": "269 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "68451577ada8bb0aa0834edb",
          "name": "X - Business Social Media Account used to attack victim",
          "description": "Victims business social media accounts deleted. Used to commit malicious activity against businesses, espionage , financial abuse.",
          "modified": "2025-07-08T04:03:04.386000",
          "created": "2025-06-08T04:45:43.423000",
          "tags": [
            "trojan",
            "ids detections",
            "yara detections",
            "alerts",
            "analysis date",
            "file score",
            "upxoepplace",
            "pulses none",
            "related tags",
            "none file",
            "markus",
            "april",
            "win32",
            "copy",
            "usvwu",
            "usvw",
            "high",
            "medium",
            "show",
            "uss c",
            "binary file",
            "yara",
            "write",
            "delphi",
            "enigma",
            "present mar",
            "aaaa",
            "united",
            "passive dns",
            "date",
            "present nov",
            "moved",
            "urls",
            "creation date",
            "entries",
            "body",
            "trojandropper",
            "susp",
            "msr jul",
            "next associated",
            "pulse pulses",
            "mtb jun",
            "backdoor",
            "content length",
            "html document",
            "ascii text",
            "search",
            "internalname",
            "entries pe",
            "showing",
            "filehash",
            "md5 add",
            "av detections",
            "learn",
            "ck id",
            "name tactics",
            "suspicious",
            "informative",
            "command",
            "adversaries",
            "spawns",
            "mitre att",
            "ck techniques",
            "copy md5",
            "copy sha1",
            "copy sha256",
            "sha1",
            "sha256",
            "pattern match",
            "size",
            "encrypt",
            "june",
            "hybrid",
            "local",
            "path",
            "click",
            "twitter",
            "strings",
            "url https",
            "url http",
            "report spam",
            "created",
            "hours ago",
            "bad actor",
            "ck ids",
            "t1057",
            "discovery",
            "t1071",
            "amer",
            "ipv4",
            "indicator role",
            "title added",
            "active related",
            "pulses",
            "china",
            "hong kong",
            "russia",
            "type indicator",
            "role title",
            "added active",
            "related pulses",
            "pulses url",
            "filehashsha256",
            "url add",
            "http",
            "ip address",
            "related nids",
            "files location",
            "flag united",
            "domain",
            "hostname",
            "next",
            "filehashmd5",
            "protocol",
            "t1105",
            "tool transfer",
            "t1480"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1480",
              "name": "Execution Guardrails",
              "display_name": "T1480 - Execution Guardrails"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1583",
              "name": "Acquire Infrastructure",
              "display_name": "T1583 - Acquire Infrastructure"
            },
            {
              "id": "T1113",
              "name": "Screen Capture",
              "display_name": "T1113 - Screen Capture"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 24,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 637,
            "FileHash-SHA1": 639,
            "FileHash-SHA256": 5380,
            "domain": 676,
            "hostname": 1120,
            "URL": 1031,
            "SSLCertFingerprint": 4
          },
          "indicator_count": 9487,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 139,
          "modified_text": "285 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "6843fe89793d0ef8e2afc34d",
          "name": "Deleted SocialMedia",
          "description": "Bad Actor Deleted SocialMedia account found in breach forum.",
          "modified": "2025-07-07T08:03:42.325000",
          "created": "2025-06-07T08:55:37.612000",
          "tags": [
            "body",
            "secure",
            "self",
            "path",
            "date sat",
            "gmt contenttype",
            "connection",
            "accept",
            "gmt pragma",
            "deny",
            "maxage34214400",
            "learn",
            "spawns",
            "command",
            "ck id",
            "name tactics",
            "suspicious",
            "informative",
            "adversaries",
            "ssl certificate",
            "found",
            "copy sha256",
            "copy md5",
            "copy sha1",
            "sha1",
            "sha256",
            "size",
            "type data",
            "ascii text",
            "pattern match",
            "mitre att",
            "show technique",
            "ck matrix",
            "file",
            "indicator",
            "show process",
            "encrypt",
            "june",
            "hybrid",
            "local"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1480",
              "name": "Execution Guardrails",
              "display_name": "T1480 - Execution Guardrails"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1583",
              "name": "Acquire Infrastructure",
              "display_name": "T1583 - Acquire Infrastructure"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 19,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 1628,
            "domain": 58,
            "URL": 390,
            "hostname": 204,
            "FileHash-MD5": 84,
            "FileHash-SHA1": 88,
            "SSLCertFingerprint": 4
          },
          "indicator_count": 2456,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 138,
          "modified_text": "286 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "682d38446ea0d643bdde30c9",
          "name": "hxxps://eduroam[.]org",
          "description": "Surface analysis of another related thing - will update later",
          "modified": "2025-06-20T02:05:09.642000",
          "created": "2025-05-21T02:19:48.419000",
          "tags": [
            "sandbox",
            "malware",
            "analysis",
            "online",
            "submit",
            "vxstream",
            "sample",
            "download",
            "trojan",
            "apt",
            "hybrid analysis",
            "api key",
            "vetting process",
            "please note",
            "please",
            "virus",
            "ransomware",
            "static",
            "indicator of compromise",
            "ioc",
            "extraction",
            "emulation",
            "platform",
            "ansi",
            "pcap",
            "pcap processing",
            "win64",
            "khtml",
            "gecko",
            "brand",
            "windows nt",
            "microsoft edge",
            "prefetch8 ansi",
            "cookie",
            "date",
            "mozilla",
            "accept",
            "window",
            "wind",
            "suspicious",
            "mozi",
            "bran",
            "dest",
            "hybrid",
            "comspec",
            "close",
            "click",
            "hosts",
            "general",
            "path",
            "model",
            "strings",
            "contact",
            "server",
            "redacted tech",
            "redacted admin",
            "host name",
            "country",
            "organization",
            "postal code",
            "stateprovince",
            "dnssec",
            "code",
            "javascript",
            "passive dns",
            "replication",
            "subdomains",
            "UAlberta",
            "Eduroam"
          ],
          "references": [
            "https://www.hybrid-analysis.com/sample/f80bb3e3e2b1abe6be46374899ad0e112973c56a363eb2ce5b77d58a4d419720",
            "https://www.filescan.io/uploads/682d2dfd0de036ed65ad6e33/reports/d54424e9-c5fc-4c6d-931e-7ee21360594a/overview",
            "https://www.filescan.io/uploads/682d2dfd0de036ed65ad6e33/reports/d54424e9-c5fc-4c6d-931e-7ee21360594a/geolocation",
            "https://www.hybrid-analysis.com/sample/f80bb3e3e2b1abe6be46374899ad0e112973c56a363eb2ce5b77d58a4d419720/682d2dcbc068830c1403398c",
            "https://www.virustotal.com/gui/domain/eduroam.org/details",
            "https://www.virustotal.com/gui/domain/eduroam.org/relations"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Canada"
          ],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1132",
              "name": "Data Encoding",
              "display_name": "T1132 - Data Encoding"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1480",
              "name": "Execution Guardrails",
              "display_name": "T1480 - Execution Guardrails"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1568",
              "name": "Dynamic Resolution",
              "display_name": "T1568 - Dynamic Resolution"
            },
            {
              "id": "T1583",
              "name": "Acquire Infrastructure",
              "display_name": "T1583 - Acquire Infrastructure"
            },
            {
              "id": "T1590",
              "name": "Gather Victim Network Information",
              "display_name": "T1590 - Gather Victim Network Information"
            }
          ],
          "industries": [
            "Telecommunications",
            "Education"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 36,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Disable_Duck",
            "id": "244325",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 288,
            "domain": 80,
            "email": 6,
            "FileHash-MD5": 15,
            "FileHash-SHA1": 13,
            "FileHash-SHA256": 96,
            "SSLCertFingerprint": 8,
            "hostname": 78,
            "CIDR": 2
          },
          "indicator_count": 586,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 130,
          "modified_text": "303 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "681386d75c34469176686756",
          "name": "x.com/KulinskiArkadi",
          "description": "",
          "modified": "2025-05-31T14:01:10.044000",
          "created": "2025-05-01T14:36:07.422000",
          "tags": [
            "script",
            "etag",
            "sharing",
            "cors",
            "mediatype",
            "mediasubtype",
            "contenttype",
            "header",
            "combination",
            "compression",
            "encrypt",
            "cookie",
            "critical",
            "twitter",
            "iframe",
            "insert",
            "info",
            "error",
            "suspicious",
            "find",
            "screen",
            "grok",
            "body"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Arek-BTC",
            "id": "212764",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 471,
            "CIDR": 34,
            "FileHash-MD5": 9,
            "FileHash-SHA1": 5,
            "FileHash-SHA256": 1177,
            "domain": 214,
            "hostname": 430,
            "email": 2
          },
          "indicator_count": 2342,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 122,
          "modified_text": "323 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://vtbehaviour.commondatastorage.googleapis.com/528831360d5c49743bf0dcf9cb0af1f76c694de9dfff79b32098d68c3c592f8a_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775980441&Signature=QefJtz2s096UJTV1NljpeJrvdFWJBbHJre5UDOJQeemvu9EGI8UaxLTPvZxejJToeSgqCCu4zCWniB2V9Xer1ozcM5Vy2xhgRO%2BaFeWFRkjfd5yRyZIGLi65ORYA2oyDhTBUZuQco3NNHZWaS0mWYOpAI662c%2BecYNp5SJTXMB4oKzu9bstiszUfM1HNlWjSpySaxCD4j34gZFgiv5xZGW34IcBSvzfQUWECgUu6jW5Pu4Rr%2FH5TJS%2",
        "Active - apple-dns.net \u2022 nr-data.net \u2022 tunes.apple.com \u2022  emails.redvue.com \u2022",
        "https://cisomag.com/mysterious-malware-infects-over-45000-android-phones/amp/",
        "https://www.mlkfoundation.net/ (Foundry DGA)",
        "1.organization.api.powerplatform.partner.microsoftonline.cn",
        "http://www.dvrdns.net/BlackBox/IROAD/IROAD_T8S2/",
        "http://help.cangene.com/tmp/javascript/tiny_mce/plugins/imagepaste/applet/cp.jar",
        "https://www.hybrid-analysis.com/sample/f80bb3e3e2b1abe6be46374899ad0e112973c56a363eb2ce5b77d58a4d419720/682d2dcbc068830c1403398c",
        "https://www.hybrid-analysis.com/sample/f80bb3e3e2b1abe6be46374899ad0e112973c56a363eb2ce5b77d58a4d419720",
        "https://www.virustotal.com/gui/domain/eduroam.org/relations",
        "IDS Terse HTTP 1.0 Request Possible Nivdort Probable OneLouder downloader (Zeus P2P)",
        "Active - pointing:  https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635",
        "http://watchhers.net/index.php (espionage entity /palantir relationship  - seen before with palantir and Pegasus sometimes simultaneously )",
        "https://www.virustotal.com/gui/domain/eduroam.org/details",
        "acc.lehigtapp.com - APT10_Malware_Sample_Gen acc.lehigtapp.com FILE",
        "http://www.dvrdns.net/BlackBox/IROAD/IROAD_T8S2/IROAD%20Viewer(4.1.6.1).exe",
        "IDS Detections: Koobface HTTP Request (2) W32/Bayrob Attempted Checkin 2",
        "https://jt667.keap-link003.com/v2/click/063b9634a5ebbdf34f43cbbbca6019ca/eJyNkEEPwUAQhf_LnEularE3EZGmOAhn2bRTlu2abIdEpP_dEHEicZ335nvz5g6M3njOStBwZKWGEEHAwpJFz9OzZ1O8xH6Spr1BBM760zycLwT6_m33oz-n6ThNBioCvhGKZ7OeTPNsNd8tslUuXjJBQv4BDVUyUqMPaLacZAto259krC3PrgJvQHO44LNTaaUXb4MT_4GZGh3HJzTUJbPH-BUbY22s61DACuW0AjuFMDB0D1w7wRoi9OX7KzneQFfGNdg-ANNtagU",
        "rmhumanservices.org",
        "remotewd.com x 34 devices",
        "YARA Detections: NAME STRINGS CATEGORY APT10_Malware_Sample_Gen acc.lehigtapp.com FILE",
        "http://www.dvrdns.net/BlackBox/LVR_SD310HWG/SD310H/Player(3.7.2.0).exe.txt \u2022 www.dvrdns.net",
        "ssa-gov.authorizeddns",
        "ntp17.dn.n-helix.com \u2022 ntp6.n-helix.com \u2022\tn-helix.com",
        "http://wpgchanfp01.cangene.com/tmp/javascript/tiny_mce/plugins/imagepaste/applet/cp.jar",
        "South Africa based:  remote.advisoroffice.com",
        "https://www.filescan.io/uploads/682d2dfd0de036ed65ad6e33/reports/d54424e9-c5fc-4c6d-931e-7ee21360594a/geolocation",
        "https://hhahiag.r.af.d.sendibt2.com/tr/cl/k5n4lETrM7BShW8xAUoWzvHtXjUA9oY0eN0p94b4t6YmDCrHhUgR0CnWSrSU4oUFIIWHm33C5ltugoVezhyEVu8aXyY_lcNjanZPDFg-LOsishNuFrY6IJn0V0mjTudzlxtGsp9Cf04n9fUhwGutzxcgUbjXHhhy9RZdcxw9Z89-_v9NL4wQvbEhDhAlekBXUxvWjkXG_WyC8myfJAYzXL_43Cok-YEiyDHA7JvRwSX9aWdWtcE5N-kL3K-VM_-tvhSJcLt-mXjsbAN6DYkoz2r7j11242EYDQHdzTiC1Or0k6_Ptz-GvAw4cZyo3978asi27ijV89a5ngu_Ene6XOjg_UMpexvj9Zrihu4i9EPTSC-5-7qKwlTLKNHiwI6DvmurR5IoMJVMPa-xIDMUN2LCMTwUHMvfo0q2a0btH2Fx2A",
        "https://we4.ondemand.esker.com/ondemand/webaccess/logon.aspx?status=CookieNotFound",
        "http://www.dvrdns.net/BlackBox/IROAD/IROAD_X9/version.txt",
        "Excess porn -http://barbaramarx.com/__media__/js/netsoltrademark.php?d=www.pornxxxgals.info/feet-licking-porn/",
        "http://www.dvrdns.net/BlackBox/google/googleMapKey.txt",
        "chinaeast2.admin.api.powerautomate.cn",
        "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
        "hmmm\u2026http://palander.stjernstrom.se/",
        "http://www.dvrdns.net/BlackBox/AOKI/AMEXA07/AMEX-A07%20PCViewer(3.9.8.1).exe",
        "https://www.rmhumanservices.org/wp-content/themes/unicon/framework/js/isotope.pkgd.min.js malware hosting",
        "http://www.dvrdns.net/BlackBox/LVR_SD310HWG/SD310H%2520Player",
        "acc.lehigtapp.com - malware",
        "https://www.filescan.io/uploads/682d2dfd0de036ed65ad6e33/reports/d54424e9-c5fc-4c6d-931e-7ee21360594a/overview",
        "http://www.dvrdns.net/BlackBox/LVR_SD310HWG/SD310H/Player(3.7.2.0).exe.txt",
        "IDS: Win32/Nivdort Checkin Win32.Sality.bh Checkin 2 Andromeda Checkin Hostname"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": [],
          "unique_indicators": 0
        },
        "other": {
          "adversary": [
            "APT 10"
          ],
          "malware_families": [
            "Sality",
            "Onelouder",
            "Win.malware.installcore-6950365-0",
            "Andromeda",
            "Koobface",
            "Nivdort checkin",
            "Apt 10",
            "Bayrob"
          ],
          "industries": [
            "Healthcare",
            "Education",
            "Telecommunications",
            "Golfing",
            "Government"
          ],
          "unique_indicators": 37868
        }
      }
    },
    "false_positive": [],
    "alexa": "http://www.alexa.com/siteinfo/stripe.com",
    "whois": "http://whois.domaintools.com/stripe.com",
    "domain": "stripe.com",
    "hostname": "js.stripe.com"
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 11,
  "pulses": [
    {
      "id": "69db4f2dc509a1e8210f1b68",
      "name": "CAPE Sandbox",
      "description": "CivicPlus, LLC (ICONE-2) is a US-based company with a name that includes the word \"CIVICPLUS\", \"civicplus\", and \"icon Enterprises, Inc\".",
      "modified": "2026-04-12T08:36:17.724000",
      "created": "2026-04-12T07:52:13.594000",
      "tags": [
        "network admin",
        "civicplus",
        "net192",
        "net1920000",
        "houston",
        "suite e",
        "city",
        "server",
        "select contact",
        "domain holder",
        "date",
        "form",
        "submission",
        "ssdeep",
        "file type",
        "text text",
        "magic unicode",
        "utf8",
        "crlf line",
        "trid text",
        "magika txt",
        "file size",
        "chatgpt",
        "doctype html",
        "meta",
        "ai system",
        "research",
        "preview",
        "gmt server",
        "self",
        "dynamic",
        "html info",
        "title chatgpt",
        "meta tags",
        "thumbprint"
      ],
      "references": [
        "https://vtbehaviour.commondatastorage.googleapis.com/528831360d5c49743bf0dcf9cb0af1f76c694de9dfff79b32098d68c3c592f8a_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775980441&Signature=QefJtz2s096UJTV1NljpeJrvdFWJBbHJre5UDOJQeemvu9EGI8UaxLTPvZxejJToeSgqCCu4zCWniB2V9Xer1ozcM5Vy2xhgRO%2BaFeWFRkjfd5yRyZIGLi65ORYA2oyDhTBUZuQco3NNHZWaS0mWYOpAI662c%2BecYNp5SJTXMB4oKzu9bstiszUfM1HNlWjSpySaxCD4j34gZFgiv5xZGW34IcBSvzfQUWECgUu6jW5Pu4Rr%2FH5TJS%2"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "CIDR": 2,
        "URL": 602,
        "domain": 166,
        "email": 37,
        "hostname": 837,
        "FileHash-MD5": 125,
        "FileHash-SHA1": 136,
        "FileHash-SHA256": 1230,
        "IPv4": 399
      },
      "indicator_count": 3534,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 49,
      "modified_text": "7 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "69b237ba5540942cb494f3ef",
      "name": "Unique Hash",
      "description": "102af5442ea9b8c2ee2f54b6f8e69b3e39a1e0f30f97c3de3434f7df7037183a",
      "modified": "2026-04-11T04:04:56.834000",
      "created": "2026-03-12T03:49:14.665000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 677,
        "URL": 215,
        "domain": 57,
        "hostname": 199,
        "FileHash-MD5": 263,
        "FileHash-SHA1": 249
      },
      "indicator_count": 1660,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 48,
      "modified_text": "8 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "69c5c7194394ff775d44f7e0",
      "name": "WaypointsStickyChromeCache",
      "description": "A complete analysis of user-created Pulses (AVs) at the University of California, Los Angeles, has been published by the BBC's Newsnight website, along with a series of links.<pretext",
      "modified": "2026-03-27T00:12:08.015000",
      "created": "2026-03-26T23:54:01.493000",
      "tags": [
        "http",
        "urls",
        "unique",
        "pulse pulses",
        "location united",
        "flag united",
        "related",
        "pulses",
        "related tags",
        "x tec",
        "log id",
        "gmtn",
        "tls web",
        "self",
        "encrypt",
        "b2 f6",
        "b0n timestamp",
        "f9401a",
        "timestamp",
        "url add",
        "false"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 121,
        "hostname": 31,
        "domain": 5,
        "FileHash-MD5": 20,
        "FileHash-SHA1": 18,
        "FileHash-SHA256": 98,
        "SSLCertFingerprint": 2,
        "IPv4": 1,
        "CVE": 1
      },
      "indicator_count": 297,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 48,
      "modified_text": "23 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "68d62e5e038c036204e489ba",
      "name": "Deepsea - Seen in multiple targeting attacks | curse.llc |",
      "description": "DiabloFans.com redirects to curse.llc a shopify  storefront that offering witchcraft related products and/or services. \n\nIt will take time to break down the true intent of the website. Maybe it\u2019s hacked maybe it\u2019s a tool. I think targeting is involved because of the constant appearance of diablofans.com in various types of research over time including a most recent pulse related to a target \n\nThere are multiple checkins, bots, Trojans , worms, etc. This entire pulse will be populated by OTX , I won\u2019t be able to annotate for this pulse,\nLet\u2019s see what happens. \n\n#Lowfi:HSTR:MSIL/Obfuscator.Deepsea.C",
      "modified": "2025-10-26T05:01:11.780000",
      "created": "2025-09-26T06:10:38.550000",
      "tags": [
        "handle",
        "entity",
        "host name",
        "rdap database",
        "iana registrar",
        "roles",
        "dnssec",
        "links",
        "namecheap",
        "namecheap inc",
        "script urls",
        "united",
        "unknown ns",
        "moved",
        "script domains",
        "passive dns",
        "ip address",
        "body",
        "gmt content",
        "type",
        "title",
        "date",
        "meta",
        "request",
        "get updates",
        "common upatre",
        "p2p zeus",
        "common header",
        "struct",
        "downloader",
        "exe download",
        "terse",
        "regsetvalueexa",
        "execution",
        "dock",
        "write",
        "next",
        "win32",
        "persistence",
        "malware",
        "copy",
        "unknown",
        "canada unknown",
        "alfper",
        "entries",
        "ipv4",
        "pulse pulses",
        "urls",
        "files",
        "reverse dns",
        "location canada",
        "twitter",
        "present sep",
        "cname",
        "name servers",
        "search",
        "creation date",
        "canada",
        "certificate",
        "trojan",
        "ontario",
        "learn",
        "ck id",
        "name tactics",
        "suspicious",
        "informative",
        "command",
        "adversaries",
        "defense evasion",
        "spawns",
        "development att",
        "href",
        "show technique",
        "mitre att",
        "ck matrix",
        "script",
        "network related",
        "input url",
        "network traffic",
        "t1204",
        "copy md5",
        "copy sha1",
        "copy sha256",
        "size",
        "sha1",
        "sha256",
        "flag",
        "canada canada",
        "strings",
        "cloudflar",
        "google",
        "googlecl",
        "facebook",
        "as autonomous",
        "system",
        "hetznera",
        "detail domain",
        "domain tree",
        "links domain",
        "requested",
        "url https",
        "general full",
        "name value",
        "resource",
        "asn13335",
        "cloudflarenet",
        "hash",
        "protocol h3",
        "express",
        "value",
        "please",
        "automatic",
        "webgl",
        "september",
        "variables",
        "shopify",
        "shopifypay",
        "st boolean",
        "shopifyforms",
        "raven",
        "hstr",
        "next associated",
        "mtb may",
        "ipv4 add",
        "trojanspy",
        "trojandropper",
        "span",
        "path",
        "button",
        "circle",
        "link",
        "keychains",
        "choose",
        "input",
        "small",
        "close",
        "form",
        "stop",
        "anime",
        "kitty",
        "iframe",
        "null",
        "open",
        "tarot",
        "footer",
        "curse",
        "first",
        "back",
        "error",
        "config",
        "contact",
        "signs",
        "main",
        "payment",
        "window"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1040",
          "name": "Network Sniffing",
          "display_name": "T1040 - Network Sniffing"
        },
        {
          "id": "T1045",
          "name": "Software Packing",
          "display_name": "T1045 - Software Packing"
        },
        {
          "id": "T1112",
          "name": "Modify Registry",
          "display_name": "T1112 - Modify Registry"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1143",
          "name": "Hidden Window",
          "display_name": "T1143 - Hidden Window"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1204",
          "name": "User Execution",
          "display_name": "T1204 - User Execution"
        },
        {
          "id": "T1480",
          "name": "Execution Guardrails",
          "display_name": "T1480 - Execution Guardrails"
        },
        {
          "id": "T1553",
          "name": "Subvert Trust Controls",
          "display_name": "T1553 - Subvert Trust Controls"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1568",
          "name": "Dynamic Resolution",
          "display_name": "T1568 - Dynamic Resolution"
        },
        {
          "id": "T1583",
          "name": "Acquire Infrastructure",
          "display_name": "T1583 - Acquire Infrastructure"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 4,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Q.Vashti",
        "id": "337942",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 236,
        "FileHash-MD5": 320,
        "FileHash-SHA1": 314,
        "FileHash-SHA256": 2288,
        "URL": 889,
        "hostname": 361,
        "SSLCertFingerprint": 1,
        "email": 2,
        "CVE": 1
      },
      "indicator_count": 4412,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 139,
      "modified_text": "175 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "68cb233ba91aa1eb958b3f31",
      "name": "Home - RMHS | APT 10 \u2022 Andromeda \u2022  OneLouder",
      "description": "I don\u2019t even know what to say. I\u2019ve received several complaints. This is 2nd time checking out technical issues that do exist. Operates as a Human Service entity for injured persons. OTX auto populated \u2018Golfing\u2019 as industry. \n\nDoes serve the severely disabled population. Does pay caregivers. Possibly a front page a FF link page, I have no idea",
      "modified": "2025-10-17T19:03:15.031000",
      "created": "2025-09-17T21:08:11.518000",
      "tags": [
        "script urls",
        "meta",
        "moved",
        "x tec",
        "passive dns",
        "encrypt",
        "america flag",
        "san francisco",
        "extraction",
        "data upload",
        "type indicatod",
        "united states",
        "a domains",
        "united",
        "gmt server",
        "jose",
        "university",
        "bill",
        "rmhs",
        "information",
        "board",
        "lorin",
        "joseph",
        "all veterans",
        "rocky mountain",
        "mission",
        "vice",
        "april",
        "school",
        "austin",
        "prior",
        "ipv4 add",
        "urls",
        "files",
        "location united",
        "wordpress",
        "rmhs meta",
        "tags viewport",
        "rmhs og",
        "rmhs article",
        "wpbakery page",
        "builder",
        "slider plugin",
        "google tag",
        "mountain human",
        "denver",
        "connecting",
        "denver start",
        "relevance home",
        "providers",
        "contact us",
        "rmhs main",
        "server",
        "redacted tech",
        "redacted admin",
        "registrar abuse",
        "algorithm",
        "key identifier",
        "x509v3 subject",
        "dnssec",
        "country",
        "ttl value",
        "graph summary",
        "resolved ips",
        "ip address",
        "port",
        "data",
        "screenshots no",
        "involved direct",
        "country name",
        "name response",
        "tcp connections",
        "learn",
        "ck id",
        "name tactics",
        "suspicious",
        "informative",
        "command",
        "adversaries",
        "found",
        "spawns",
        "t1590 gather",
        "path",
        "ascii text",
        "exif standard",
        "tiff image",
        "format",
        "stop",
        "false",
        "soldier",
        "model",
        "youth",
        "baby",
        "june",
        "general",
        "local",
        "click",
        "strings",
        "core",
        "warrior",
        "green",
        "emotion",
        "flash",
        "nina",
        "hunk",
        "fono",
        "daam",
        "mitre att",
        "ck techniques",
        "id name",
        "malicious",
        "windows nt",
        "win64",
        "khtml",
        "gecko",
        "brand",
        "microsoft edge",
        "show process",
        "self",
        "date",
        "comspec",
        "hybrid",
        "form",
        "log id",
        "gmtn",
        "tls web",
        "b2 f6",
        "b0n timestamp",
        "f9401a",
        "record value",
        "x wix",
        "certificate",
        "domain add",
        "pulse submit",
        "body",
        "domain related",
        "blackbox",
        "apple",
        "helix",
        "dvrdns",
        "tracking",
        "remote access",
        "ios",
        "spyware",
        "hoax",
        "dynamicloader",
        "ptls6",
        "medium",
        "flashpix",
        "high",
        "ygjpavclsline",
        "officespace",
        "chartshared",
        "powershell",
        "write",
        "malware",
        "ygjpaulscontext",
        "status",
        "japan unknown",
        "domain",
        "pulses",
        "search",
        "accept",
        "apt10",
        "trojanspy",
        "win32",
        "entries",
        "susp",
        "backdoor",
        "useragent",
        "showing",
        "virtool",
        "twitter",
        "mozilla",
        "trojandropper",
        "trojan",
        "title",
        "onelouder",
        "yara det",
        "maware samoe",
        "genaco x",
        "ids detec",
        "ids terse",
        "win3 data",
        "include review",
        "exclude sugges",
        "targeting",
        "show",
        "copy",
        "reads",
        "dynamic",
        "vendor finding",
        "notes clamav",
        "files matching",
        "number",
        "sample analysis",
        "hide samples",
        "date hash",
        "next yara"
      ],
      "references": [
        "rmhumanservices.org",
        "http://www.dvrdns.net/BlackBox/LVR_SD310HWG/SD310H/Player(3.7.2.0).exe.txt",
        "ntp17.dn.n-helix.com \u2022 ntp6.n-helix.com \u2022\tn-helix.com",
        "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
        "http://www.dvrdns.net/BlackBox/google/googleMapKey.txt",
        "http://www.dvrdns.net/BlackBox/AOKI/AMEXA07/AMEX-A07%20PCViewer(3.9.8.1).exe",
        "http://www.dvrdns.net/BlackBox/LVR_SD310HWG/SD310H%2520Player",
        "http://www.dvrdns.net/BlackBox/IROAD/IROAD_X9/version.txt",
        "http://www.dvrdns.net/BlackBox/IROAD/IROAD_T8S2/IROAD%20Viewer(4.1.6.1).exe",
        "http://www.dvrdns.net/BlackBox/IROAD/IROAD_T8S2/",
        "https://we4.ondemand.esker.com/ondemand/webaccess/logon.aspx?status=CookieNotFound",
        "https://www.mlkfoundation.net/ (Foundry DGA)",
        "remotewd.com x 34 devices",
        "South Africa based:  remote.advisoroffice.com",
        "acc.lehigtapp.com - malware",
        "http://watchhers.net/index.php (espionage entity /palantir relationship  - seen before with palantir and Pegasus sometimes simultaneously )",
        "Active - apple-dns.net \u2022 nr-data.net \u2022 tunes.apple.com \u2022  emails.redvue.com \u2022",
        "Active - pointing:  https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635",
        "http://help.cangene.com/tmp/javascript/tiny_mce/plugins/imagepaste/applet/cp.jar",
        "http://wpgchanfp01.cangene.com/tmp/javascript/tiny_mce/plugins/imagepaste/applet/cp.jar",
        "Excess porn -http://barbaramarx.com/__media__/js/netsoltrademark.php?d=www.pornxxxgals.info/feet-licking-porn/",
        "https://www.rmhumanservices.org/wp-content/themes/unicon/framework/js/isotope.pkgd.min.js malware hosting",
        "YARA Detections: NAME STRINGS CATEGORY APT10_Malware_Sample_Gen acc.lehigtapp.com FILE",
        "acc.lehigtapp.com - APT10_Malware_Sample_Gen acc.lehigtapp.com FILE",
        "http://www.dvrdns.net/BlackBox/LVR_SD310HWG/SD310H/Player(3.7.2.0).exe.txt \u2022 www.dvrdns.net",
        "IDS Detections: Koobface HTTP Request (2) W32/Bayrob Attempted Checkin 2",
        "IDS Terse HTTP 1.0 Request Possible Nivdort Probable OneLouder downloader (Zeus P2P)",
        "IDS: Win32/Nivdort Checkin Win32.Sality.bh Checkin 2 Andromeda Checkin Hostname",
        "1.organization.api.powerplatform.partner.microsoftonline.cn",
        "chinaeast2.admin.api.powerautomate.cn",
        "https://cisomag.com/mysterious-malware-infects-over-45000-android-phones/amp/",
        "https://hhahiag.r.af.d.sendibt2.com/tr/cl/k5n4lETrM7BShW8xAUoWzvHtXjUA9oY0eN0p94b4t6YmDCrHhUgR0CnWSrSU4oUFIIWHm33C5ltugoVezhyEVu8aXyY_lcNjanZPDFg-LOsishNuFrY6IJn0V0mjTudzlxtGsp9Cf04n9fUhwGutzxcgUbjXHhhy9RZdcxw9Z89-_v9NL4wQvbEhDhAlekBXUxvWjkXG_WyC8myfJAYzXL_43Cok-YEiyDHA7JvRwSX9aWdWtcE5N-kL3K-VM_-tvhSJcLt-mXjsbAN6DYkoz2r7j11242EYDQHdzTiC1Or0k6_Ptz-GvAw4cZyo3978asi27ijV89a5ngu_Ene6XOjg_UMpexvj9Zrihu4i9EPTSC-5-7qKwlTLKNHiwI6DvmurR5IoMJVMPa-xIDMUN2LCMTwUHMvfo0q2a0btH2Fx2A",
        "ssa-gov.authorizeddns",
        "hmmm\u2026http://palander.stjernstrom.se/",
        "https://jt667.keap-link003.com/v2/click/063b9634a5ebbdf34f43cbbbca6019ca/eJyNkEEPwUAQhf_LnEularE3EZGmOAhn2bRTlu2abIdEpP_dEHEicZ335nvz5g6M3njOStBwZKWGEEHAwpJFz9OzZ1O8xH6Spr1BBM760zycLwT6_m33oz-n6ThNBioCvhGKZ7OeTPNsNd8tslUuXjJBQv4BDVUyUqMPaLacZAto259krC3PrgJvQHO44LNTaaUXb4MT_4GZGh3HJzTUJbPH-BUbY22s61DACuW0AjuFMDB0D1w7wRoi9OX7KzneQFfGNdg-ANNtagU"
      ],
      "public": 1,
      "adversary": "APT 10",
      "targeted_countries": [
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "APT 10",
          "display_name": "APT 10",
          "target": null
        },
        {
          "id": "OneLouder",
          "display_name": "OneLouder",
          "target": null
        },
        {
          "id": "Andromeda",
          "display_name": "Andromeda",
          "target": null
        },
        {
          "id": "Sality",
          "display_name": "Sality",
          "target": null
        },
        {
          "id": "KoobFace",
          "display_name": "KoobFace",
          "target": null
        },
        {
          "id": "Bayrob",
          "display_name": "Bayrob",
          "target": null
        },
        {
          "id": "Nivdort Checkin",
          "display_name": "Nivdort Checkin",
          "target": null
        },
        {
          "id": "Win.Malware.Installcore-6950365-0",
          "display_name": "Win.Malware.Installcore-6950365-0",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1480",
          "name": "Execution Guardrails",
          "display_name": "T1480 - Execution Guardrails"
        },
        {
          "id": "T1553",
          "name": "Subvert Trust Controls",
          "display_name": "T1553 - Subvert Trust Controls"
        },
        {
          "id": "T1568",
          "name": "Dynamic Resolution",
          "display_name": "T1568 - Dynamic Resolution"
        },
        {
          "id": "T1583",
          "name": "Acquire Infrastructure",
          "display_name": "T1583 - Acquire Infrastructure"
        },
        {
          "id": "T1590",
          "name": "Gather Victim Network Information",
          "display_name": "T1590 - Gather Victim Network Information"
        },
        {
          "id": "T1113",
          "name": "Screen Capture",
          "display_name": "T1113 - Screen Capture"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1132",
          "name": "Data Encoding",
          "display_name": "T1132 - Data Encoding"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1119",
          "name": "Automated Collection",
          "display_name": "T1119 - Automated Collection"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1574.006",
          "name": "Dynamic Linker Hijacking",
          "display_name": "T1574.006 - Dynamic Linker Hijacking"
        },
        {
          "id": "T1210",
          "name": "Exploitation of Remote Services",
          "display_name": "T1210 - Exploitation of Remote Services"
        },
        {
          "id": "T1449",
          "name": "Exploit SS7 to Redirect Phone Calls/SMS",
          "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
        },
        {
          "id": "TA0011",
          "name": "Command and Control",
          "display_name": "TA0011 - Command and Control"
        }
      ],
      "industries": [
        "Golfing",
        "Healthcare",
        "Government"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 9,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Q.Vashti",
        "id": "337942",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 690,
        "hostname": 1912,
        "URL": 5925,
        "FileHash-SHA1": 273,
        "email": 8,
        "FileHash-SHA256": 3618,
        "CIDR": 3,
        "FileHash-MD5": 254,
        "SSLCertFingerprint": 19,
        "CVE": 2
      },
      "indicator_count": 12704,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 141,
      "modified_text": "184 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "689af6a1704fa2745bc8c2a3",
      "name": "Hijacked Twitter / X.com account. Phishing | Abnormal use",
      "description": "Hijacked phishing Twitter/ X.com.\nWin32/Unruy.C Activity\n#phishing #hijacked #intercoms #unruy #trojan #VTflood #malware #attack",
      "modified": "2025-09-11T08:02:36.759000",
      "created": "2025-08-12T08:09:05.642000",
      "tags": [
        "log id",
        "gmtn",
        "secure",
        "tls web",
        "passive dns",
        "urls",
        "path",
        "self",
        "encrypt",
        "ca issuers",
        "false",
        "search",
        "read c",
        "united",
        "entries",
        "show",
        "showing",
        "msie",
        "windows nt",
        "wow64",
        "slcc2",
        "copy",
        "write",
        "suspicious",
        "malware",
        "unknown",
        "process32nextw",
        "shellexecuteexw",
        "medium process",
        "discovery t1057",
        "t1057",
        "discovery",
        "medium",
        "locally unique",
        "identifier",
        "veailmboprd",
        "next associated",
        "ipv4 add",
        "pulse pulses",
        "files",
        "asn as13335",
        "dns resolutions",
        "domains top",
        "smoke loader",
        "trojan",
        "body",
        "learn",
        "ck id",
        "name tactics",
        "informative",
        "adversaries",
        "command",
        "spawns",
        "ssl certificate",
        "execution att",
        "show process",
        "programfiles",
        "command decode",
        "flag",
        "suricata ipv4",
        "mitre att",
        "show technique",
        "ck matrix",
        "date",
        "comspec",
        "model",
        "twitter",
        "august",
        "hybrid",
        "general",
        "click",
        "strings"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1053",
          "name": "Scheduled Task/Job",
          "display_name": "T1053 - Scheduled Task/Job"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1060",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1060 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1143",
          "name": "Hidden Window",
          "display_name": "T1143 - Hidden Window"
        },
        {
          "id": "T1045",
          "name": "Software Packing",
          "display_name": "T1045 - Software Packing"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1480",
          "name": "Execution Guardrails",
          "display_name": "T1480 - Execution Guardrails"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1553",
          "name": "Subvert Trust Controls",
          "display_name": "T1553 - Subvert Trust Controls"
        },
        {
          "id": "T1568",
          "name": "Dynamic Resolution",
          "display_name": "T1568 - Dynamic Resolution"
        },
        {
          "id": "T1583",
          "name": "Acquire Infrastructure",
          "display_name": "T1583 - Acquire Infrastructure"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 31,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Q.Vashti",
        "id": "337942",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 1504,
        "FileHash-SHA256": 1232,
        "SSLCertFingerprint": 14,
        "domain": 245,
        "hostname": 526,
        "FileHash-MD5": 43,
        "FileHash-SHA1": 38
      },
      "indicator_count": 3602,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 138,
      "modified_text": "220 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "685afb805ba518e374abc735",
      "name": "Home - RMHS - Ransom",
      "description": "I can only  imagine what is going on. This is a real organization, with a building,  ever changing case workers who don\u2019t want to meet with clients in person . I have received several incoming concerns since 2021. It seems that a threat actor may be ringing along or certain people are being handled / investigated / silenced and closely monitored by a very large interconnected Cyber Intelligence entity  \u2022 Trojan:X97M/ShellHide.C |\n\u2022 Trojan:PDF/Phish.RR!MTB |\n\u2022 Win.Trojan.Agent-370485 |\nAntivirus Detections:\n\u2022 Win.Trojan.Agent-370485\nYara: VirusWin32Span |\nAlerts\nransomware_file_modifications\nstealth_file\nDomains Contacted: Unknown\n(efbkfqpcdh.com) [\t\t\t\t2025-07-24T16:00:00\t14\t\n\nURL\nhttp://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel] #phishing #malware #intel? #trojan #infectiin",
      "modified": "2025-07-24T19:04:24.993000",
      "created": "2025-06-24T19:24:48.632000",
      "tags": [
        "wordpress",
        "home",
        "rmhs og",
        "rmhs article",
        "wpbakery page",
        "builder",
        "slider plugin",
        "utc google",
        "tag manager",
        "g5cygkcj7g1",
        "dynamicloader",
        "ms windows",
        "intel",
        "users",
        "medium",
        "pe32",
        "search",
        "show",
        "windows",
        "videos",
        "music",
        "copy",
        "write",
        "next",
        "ford mustang",
        "converter pdf",
        "gt convertible",
        "trim",
        "models ford",
        "mustang coupe",
        "createdate",
        "producer solid",
        "filehash",
        "trojan",
        "format",
        "united",
        "moved",
        "passive dns",
        "ipv4 add",
        "pulse submit",
        "url analysis",
        "urls",
        "files",
        "location united",
        "america flag",
        "encrypt",
        "date",
        "sc onlogon",
        "write c",
        "port",
        "showing",
        "entries",
        "module load",
        "execution",
        "malware",
        "self",
        "reverse dns",
        "url https",
        "resource",
        "general full",
        "name value",
        "security tls",
        "hash",
        "san francisco",
        "june",
        "input",
        "form",
        "dom get",
        "search start",
        "get https",
        "post",
        "value",
        "variables",
        "msgoriginaltext",
        "msgoptions",
        "isns function",
        "setupns",
        "rsiw number",
        "rsih object",
        "learn",
        "ck id",
        "name tactics",
        "suspicious",
        "informative",
        "command",
        "adversaries",
        "found",
        "spawns",
        "ck techniques",
        "flag",
        "markmonitor",
        "name server",
        "server",
        "rocky mountain",
        "human",
        "domain address",
        "enom",
        "copy sha256",
        "path",
        "copy md5",
        "copy sha1",
        "sha256",
        "size",
        "sha1",
        "attrib",
        "rowcycur",
        "hz4urdyi",
        "stop",
        "false",
        "soldier",
        "model",
        "youth",
        "baby",
        "core",
        "warrior",
        "green",
        "emotion",
        "flash",
        "nina",
        "hunk",
        "fono",
        "daam",
        "destination",
        "tlsv1",
        "dyndns domain",
        "irfan skiljan",
        "yara detections",
        "pdf pdf",
        "producer pdftk",
        "title data",
        "pulse pulses",
        "av detections",
        "ids detections",
        "alerts",
        "analysis date",
        "pictures",
        "read",
        "delete",
        "thumbprint",
        "graph summary",
        "url http",
        "gna7hdu",
        "g4 rsa4096",
        "adobe systems",
        "services1",
        "adobe product",
        "creatortool",
        "ascii text",
        "description svg",
        "scalable vector",
        "graphics image"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1053",
          "name": "Scheduled Task/Job",
          "display_name": "T1053 - Scheduled Task/Job"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1060",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1060 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1158",
          "name": "Hidden Files and Directories",
          "display_name": "T1158 - Hidden Files and Directories"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1480",
          "name": "Execution Guardrails",
          "display_name": "T1480 - Execution Guardrails"
        },
        {
          "id": "T1553",
          "name": "Subvert Trust Controls",
          "display_name": "T1553 - Subvert Trust Controls"
        },
        {
          "id": "T1568",
          "name": "Dynamic Resolution",
          "display_name": "T1568 - Dynamic Resolution"
        },
        {
          "id": "T1583",
          "name": "Acquire Infrastructure",
          "display_name": "T1583 - Acquire Infrastructure"
        },
        {
          "id": "T1590",
          "name": "Gather Victim Network Information",
          "display_name": "T1590 - Gather Victim Network Information"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 34,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Q.Vashti",
        "id": "337942",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 56,
        "URL": 262,
        "hostname": 165,
        "FileHash-SHA256": 2141,
        "FileHash-MD5": 308,
        "FileHash-SHA1": 308,
        "SSLCertFingerprint": 3,
        "email": 1
      },
      "indicator_count": 3244,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 138,
      "modified_text": "269 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "68451577ada8bb0aa0834edb",
      "name": "X - Business Social Media Account used to attack victim",
      "description": "Victims business social media accounts deleted. Used to commit malicious activity against businesses, espionage , financial abuse.",
      "modified": "2025-07-08T04:03:04.386000",
      "created": "2025-06-08T04:45:43.423000",
      "tags": [
        "trojan",
        "ids detections",
        "yara detections",
        "alerts",
        "analysis date",
        "file score",
        "upxoepplace",
        "pulses none",
        "related tags",
        "none file",
        "markus",
        "april",
        "win32",
        "copy",
        "usvwu",
        "usvw",
        "high",
        "medium",
        "show",
        "uss c",
        "binary file",
        "yara",
        "write",
        "delphi",
        "enigma",
        "present mar",
        "aaaa",
        "united",
        "passive dns",
        "date",
        "present nov",
        "moved",
        "urls",
        "creation date",
        "entries",
        "body",
        "trojandropper",
        "susp",
        "msr jul",
        "next associated",
        "pulse pulses",
        "mtb jun",
        "backdoor",
        "content length",
        "html document",
        "ascii text",
        "search",
        "internalname",
        "entries pe",
        "showing",
        "filehash",
        "md5 add",
        "av detections",
        "learn",
        "ck id",
        "name tactics",
        "suspicious",
        "informative",
        "command",
        "adversaries",
        "spawns",
        "mitre att",
        "ck techniques",
        "copy md5",
        "copy sha1",
        "copy sha256",
        "sha1",
        "sha256",
        "pattern match",
        "size",
        "encrypt",
        "june",
        "hybrid",
        "local",
        "path",
        "click",
        "twitter",
        "strings",
        "url https",
        "url http",
        "report spam",
        "created",
        "hours ago",
        "bad actor",
        "ck ids",
        "t1057",
        "discovery",
        "t1071",
        "amer",
        "ipv4",
        "indicator role",
        "title added",
        "active related",
        "pulses",
        "china",
        "hong kong",
        "russia",
        "type indicator",
        "role title",
        "added active",
        "related pulses",
        "pulses url",
        "filehashsha256",
        "url add",
        "http",
        "ip address",
        "related nids",
        "files location",
        "flag united",
        "domain",
        "hostname",
        "next",
        "filehashmd5",
        "protocol",
        "t1105",
        "tool transfer",
        "t1480"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1060",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1060 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1480",
          "name": "Execution Guardrails",
          "display_name": "T1480 - Execution Guardrails"
        },
        {
          "id": "T1553",
          "name": "Subvert Trust Controls",
          "display_name": "T1553 - Subvert Trust Controls"
        },
        {
          "id": "T1583",
          "name": "Acquire Infrastructure",
          "display_name": "T1583 - Acquire Infrastructure"
        },
        {
          "id": "T1113",
          "name": "Screen Capture",
          "display_name": "T1113 - Screen Capture"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 24,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Q.Vashti",
        "id": "337942",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 637,
        "FileHash-SHA1": 639,
        "FileHash-SHA256": 5380,
        "domain": 676,
        "hostname": 1120,
        "URL": 1031,
        "SSLCertFingerprint": 4
      },
      "indicator_count": 9487,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 139,
      "modified_text": "285 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "6843fe89793d0ef8e2afc34d",
      "name": "Deleted SocialMedia",
      "description": "Bad Actor Deleted SocialMedia account found in breach forum.",
      "modified": "2025-07-07T08:03:42.325000",
      "created": "2025-06-07T08:55:37.612000",
      "tags": [
        "body",
        "secure",
        "self",
        "path",
        "date sat",
        "gmt contenttype",
        "connection",
        "accept",
        "gmt pragma",
        "deny",
        "maxage34214400",
        "learn",
        "spawns",
        "command",
        "ck id",
        "name tactics",
        "suspicious",
        "informative",
        "adversaries",
        "ssl certificate",
        "found",
        "copy sha256",
        "copy md5",
        "copy sha1",
        "sha1",
        "sha256",
        "size",
        "type data",
        "ascii text",
        "pattern match",
        "mitre att",
        "show technique",
        "ck matrix",
        "file",
        "indicator",
        "show process",
        "encrypt",
        "june",
        "hybrid",
        "local"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1480",
          "name": "Execution Guardrails",
          "display_name": "T1480 - Execution Guardrails"
        },
        {
          "id": "T1553",
          "name": "Subvert Trust Controls",
          "display_name": "T1553 - Subvert Trust Controls"
        },
        {
          "id": "T1583",
          "name": "Acquire Infrastructure",
          "display_name": "T1583 - Acquire Infrastructure"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 19,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Q.Vashti",
        "id": "337942",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 1628,
        "domain": 58,
        "URL": 390,
        "hostname": 204,
        "FileHash-MD5": 84,
        "FileHash-SHA1": 88,
        "SSLCertFingerprint": 4
      },
      "indicator_count": 2456,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 138,
      "modified_text": "286 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "682d38446ea0d643bdde30c9",
      "name": "hxxps://eduroam[.]org",
      "description": "Surface analysis of another related thing - will update later",
      "modified": "2025-06-20T02:05:09.642000",
      "created": "2025-05-21T02:19:48.419000",
      "tags": [
        "sandbox",
        "malware",
        "analysis",
        "online",
        "submit",
        "vxstream",
        "sample",
        "download",
        "trojan",
        "apt",
        "hybrid analysis",
        "api key",
        "vetting process",
        "please note",
        "please",
        "virus",
        "ransomware",
        "static",
        "indicator of compromise",
        "ioc",
        "extraction",
        "emulation",
        "platform",
        "ansi",
        "pcap",
        "pcap processing",
        "win64",
        "khtml",
        "gecko",
        "brand",
        "windows nt",
        "microsoft edge",
        "prefetch8 ansi",
        "cookie",
        "date",
        "mozilla",
        "accept",
        "window",
        "wind",
        "suspicious",
        "mozi",
        "bran",
        "dest",
        "hybrid",
        "comspec",
        "close",
        "click",
        "hosts",
        "general",
        "path",
        "model",
        "strings",
        "contact",
        "server",
        "redacted tech",
        "redacted admin",
        "host name",
        "country",
        "organization",
        "postal code",
        "stateprovince",
        "dnssec",
        "code",
        "javascript",
        "passive dns",
        "replication",
        "subdomains",
        "UAlberta",
        "Eduroam"
      ],
      "references": [
        "https://www.hybrid-analysis.com/sample/f80bb3e3e2b1abe6be46374899ad0e112973c56a363eb2ce5b77d58a4d419720",
        "https://www.filescan.io/uploads/682d2dfd0de036ed65ad6e33/reports/d54424e9-c5fc-4c6d-931e-7ee21360594a/overview",
        "https://www.filescan.io/uploads/682d2dfd0de036ed65ad6e33/reports/d54424e9-c5fc-4c6d-931e-7ee21360594a/geolocation",
        "https://www.hybrid-analysis.com/sample/f80bb3e3e2b1abe6be46374899ad0e112973c56a363eb2ce5b77d58a4d419720/682d2dcbc068830c1403398c",
        "https://www.virustotal.com/gui/domain/eduroam.org/details",
        "https://www.virustotal.com/gui/domain/eduroam.org/relations"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "Canada"
      ],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1132",
          "name": "Data Encoding",
          "display_name": "T1132 - Data Encoding"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1480",
          "name": "Execution Guardrails",
          "display_name": "T1480 - Execution Guardrails"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1553",
          "name": "Subvert Trust Controls",
          "display_name": "T1553 - Subvert Trust Controls"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1568",
          "name": "Dynamic Resolution",
          "display_name": "T1568 - Dynamic Resolution"
        },
        {
          "id": "T1583",
          "name": "Acquire Infrastructure",
          "display_name": "T1583 - Acquire Infrastructure"
        },
        {
          "id": "T1590",
          "name": "Gather Victim Network Information",
          "display_name": "T1590 - Gather Victim Network Information"
        }
      ],
      "industries": [
        "Telecommunications",
        "Education"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 36,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Disable_Duck",
        "id": "244325",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 288,
        "domain": 80,
        "email": 6,
        "FileHash-MD5": 15,
        "FileHash-SHA1": 13,
        "FileHash-SHA256": 96,
        "SSLCertFingerprint": 8,
        "hostname": 78,
        "CIDR": 2
      },
      "indicator_count": 586,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 130,
      "modified_text": "303 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "https://js.stripe.com",
    "type": "URL"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "https://js.stripe.com",
    "type": "URL",
    "found": false,
    "verdict": "clean",
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1776639046.538237
}