{ "type": "URL", "indicator": "https://kirinuki.d-io.com/", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://kirinuki.d-io.com/", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4146897138, "indicator": "https://kirinuki.d-io.com/", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 2, "pulses": [ { "id": "69116f89c600907a25e6b397", "name": "GoBrut Service Bruter CnC Activity \u2022 TAM Legal \u2022 Christopher P. Ahmann", "description": "Malicious attacks from Special Counsel criminal attorney defending Jeffrey Scott Reimer and Concentra against and on premises vicious SA. Caused grate bodily injury. Christopher P. Ahmann and Hall\nRender (down the street) Palantir has been harassing , working 24/7 at silencing one crime victim. I\u2019m sure there are more because we thwarted an attempt in 2018. \n\nHitman hired. You couldn\u2019t believe manpower and cyber attacks one family has been through. They attack the Large Loss clients.", "modified": "2025-12-10T04:02:00.145000", "created": "2025-11-10T04:52:25.542000", "tags": [ "united", "ipv4", "america asn", "asn as397241", "neustar", "united states", "ubuntu", "linux x8664", "gobrut service", "bruter cnc", "activity", "malware", "present mar", "present oct", "present jun", "brazil", "present jul", "present feb", "present nov", "moved", "a domains", "win64", "alfper", "ransom", "script urls", "bank", "trojan", "win32", "meta", "path", "read c", "port", "destination", "delete", "write", "persistence", "execution", "generic", "hostile", "cookie", "suspicious", "e ee", "epeq", "efjeg", "eebe", "e ge", "eveoe6ee", "elem", "e ie", "eieeieeie", "jea ebjecedjee", "ipv4 add", "files", "reverse dns", "america flag", "msie", "chrome", "title", "h1 center", "gmt content", "unknown ns", "ip address", "for privacy", "icedid", "bokbot", "united states", "div div", "link", "amazon web", "a li", "click", "span", "unknown aaaa", "record value", "apache x", "asn as398101", "hosting", "twitter", "present may", "present jan", "error", "present sep", "url analysis", "passive dns", "urls", "less whois", "registrar", "criminal defense", "quasi gov", "tam legal", "monitored target", "p", "amazon", "apple", "japan unknown", "license", "expiresmon", "gmt path", "html", "tokyo", "show", "unknown", "tracking", "germany unknown", "bq nov", "virtool", "germany asn", "as47846", "cyber attacks", "christopher", "ahmann", "pulse pulses", "location united", "dns resolutions", "domains top", "hitmen", "hall", "hall render", "telper", "hostname add", "pulse submit", "domain", "files ip", "address", "yara detections", "contacted", "filehash", "av detections", "ids detections", "alerts", "analysis date", "file score", "detections elf", "lowfi", "entries", "win32midia", "next associated", "trojanclicker", "win32ellell jan", "date" ], "references": [ "Tam Legal \u2022 Christopher P. Ahmann Esq Cyber Criminal", "GoBrut Service Bruter CnC Activity", "interface.xpacemobilitycloud.com", "103.224.182.243 ghdukshop.com lb-182-243.above.comAustraliaCOUNTRYAS133618 trellian pty. limited", "http://pornsure.com/ \u2022 http://www.kittipornfiberglass.com/ \u2022 kittipornfiberglass.com \u2022 pornsure.com", "http://colorado-realestate-finder.com/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Australia" ], "malware_families": [ { "id": "TrojanDownloader:Linux/Morila", "display_name": "TrojanDownloader:Linux/Morila", "target": "/malware/TrojanDownloader:Linux/Morila" }, { "id": "Gafgyt", "display_name": "Gafgyt", "target": null }, { "id": "ELF:Agent-VW\\ [Trj]", "display_name": "ELF:Agent-VW\\ [Trj]", "target": null }, { "id": "Win32:IcedID-E\\ [Bank]", "display_name": "Win32:IcedID-E\\ [Bank]", "target": null }, { "id": "Win64:MalwareX-gen\\ [Trj]", "display_name": "Win64:MalwareX-gen\\ [Trj]", "target": null }, { "id": "Ransom:Win32/ContiCrypt", "display_name": "Ransom:Win32/ContiCrypt", "target": "/malware/Ransom:Win32/ContiCrypt" }, { "id": "ALFPER:RefLoadApiHash", "display_name": "ALFPER:RefLoadApiHash", "target": null }, { "id": "Win64:CrypterX-gen\\ [Trj]", "display_name": "Win64:CrypterX-gen\\ [Trj]", "target": null }, { "id": "Win64:BotX-gen\\ [Trj]", "display_name": "Win64:BotX-gen\\ [Trj]", "target": null }, { "id": "Bank", "display_name": "Bank", "target": null }, { "id": "Other Malware", "display_name": "Other Malware", "target": null }, { "id": "Exploit:Win32/CVE-2017-0147", "display_name": "Exploit:Win32/CVE-2017-0147", "target": "/malware/Exploit:Win32/CVE-2017-0147" }, { "id": "Win.Trojan.Agent", "display_name": "Win.Trojan.Agent", "target": null }, { "id": "AutoRun", "display_name": "AutoRun", "target": null }, { "id": "Win.Trojan.Agent-316098", "display_name": "Win.Trojan.Agent-316098", "target": null }, { "id": "virtool:Win32/Injector.gen!BQ", "display_name": "virtool:Win32/Injector.gen!BQ", "target": "/malware/virtool:Win32/Injector.gen!BQ" } ], "attack_ids": [ { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 3031, "email": 8, "hostname": 1840, "FileHash-SHA256": 1015, "URL": 4792, "FileHash-MD5": 441, "FileHash-SHA1": 432, "SSLCertFingerprint": 9, "CVE": 1 }, "indicator_count": 11569, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "172 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "690e8b773dc39921d88abd44", "name": "Nanocore - Affected", "description": "- wmsspacer.gif\n| Photography: WMSspacer.gif, |[wmstransparent.org,]\n* YARA Detections : \nDotNET_Reactor\nSystem.Security.Cryptography.AesCryptoServiceProvider\nSystem.Security.Cryptography\nSystem.Security.Cryptography ~\nI CryptoTransform |\n Wmsspacer, i.g.sg.js..png.com, on-screen.|", "modified": "2025-12-07T23:02:29.645000", "created": "2025-11-08T00:14:47.600000", "tags": [ "hgnvastlaiz", "read c", "medium", "rgba", "memcommit", "delete", "png image", "unicode", "dock", "execution", "malware", "crlf line", "speichermedium", "productversion", "fileversion", "engine dll", "internalname", "einstellungen", "comodo ca", "limited st", "yara detections", "next pe", "eula", "policy", "direct", "opencandy", "suspicious_write_exe", "network_icmp", "process_martian", "present jun", "present jul", "domain", "united", "ip address", "unknown ns", "ms windows", "intel", "verisign", "time stamping", "unknown", "class", "write", "markus", "temple", "msie", "windows nt", "get http", "lehash", "av detections", "ids detections", "alerts", "file score", "low risk", "compromised_site_redirector_fromcharcode", "present aug", "passive dns", "all ipv4", "urls", "files", "hosting", "america flag", "win32", "ipv4 add", "signed file, valid signature. revoked.", "united states", "pws", "atros", "fiha", "search", "entries", "present oct", "next associated", "show", "high", "wow64", "slcc2", "next", "domain add", "poland", "poland unknown", "ipv4", "location poland", "poland asn", "et policy", "pe exe", "dll windows", "amazon s3", "location united", "associated urls", "date checked", "url hostname", "server response", "google safe", "results feb", "nanocore", "url add", "http", "related nids", "files location", "flag united", "malicious image", "files domain", "files related", "pulses otx", "related tags", "resources whois", "virustotal", "present sep", "status", "present nov", "present mar", "trojan", "script script", "div div", "link", "a li", "meta", "sweden", "invalid url", "head title", "title head", "reference", "bad request", "server", "netherlands", "creation date", "date", "running server", "ahmann", "christopher", "p", "tam", "legal", "treece", "alfrey", "muscat", "adversaries", "cyber crime", "quasi", "government" ], "references": [ "wmsspacer.gif : 548f2d6f4d0d820c6c5ffbeffcbd7f0e73193e2932eefe542accc84762deec87", "ceidg.gov.pl \u2022 https://www.csrc.gov.cn.lxcvc.com/ \u2022 www.alt.krasnopil-silrada.gov.ua", "http://www.mof.gov.cn.lxcvc.com/ \u2022 http://www.mohurd.gov.cn.lxcvc.com/ \u2022", "www.opencandy.com", "http://www.opencandy.com/privacy \u2022 http://www.opencandy.com/privacy-policy. \u2022 license@opencandy.com \u2022", "Yara Detections : compromised_site_redirector_fromcharcode", "Matches rule: skip20_sqllang_hook from ruleset skip20_sqllang_hook by Mathieu Tartare ", "Matches rule Adobe_XMP_Identifier from ruleset Adobe_XMP_Identifier by InQuest Labs", "http://pcoptimizerpro.com/eula.aspx \u2022 http://www.pcoptimizerpro.com/privacypolicy.aspx", "pcoptimizerpro.com \u2022 www.pcoptimizerpro.com", "PE EXE UpdatesDll.dll : 69081ab853021bd28bf7fb1eb4eac3199623c8ed413589e6f3898806a15f0f23", "YARA: DotNET_Reactor System.Security.Cryptography.AesCryptoServiceProvider System.Security.Cryptography System.Security.Cryptography ICryptoTransform", "https://img.fkcdn.com/image/kg8avm80/mobile/j/f/9/apple-iphone-12-dummyapplefsn-200x200-imafwg8dkyh2zgrh.jpeg", "https://heavyfetish.com/search/CHEESE-PIZZA-porn/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Trojan.Nanocore-5", "display_name": "Win.Trojan.Nanocore-5", "target": null }, { "id": "Win.Trojan.Adinstall-2", "display_name": "Win.Trojan.Adinstall-2", "target": null }, { "id": "PSW.Generic13", "display_name": "PSW.Generic13", "target": null }, { "id": "Atros.UPK", "display_name": "Atros.UPK", "target": null }, { "id": "Luhe.Fiha.A", "display_name": "Luhe.Fiha.A", "target": null }, { "id": "Pua.Optimizerpro/PCOptimizerPro", "display_name": "Pua.Optimizerpro/PCOptimizerPro", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1491.001", "name": "Internal Defacement", "display_name": "T1491.001 - Internal Defacement" }, { "id": "T1204.003", "name": "Malicious Image", "display_name": "T1204.003 - Malicious Image" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 753, "FileHash-SHA1": 622, "FileHash-SHA256": 4336, "URL": 2448, "domain": 300, "hostname": 788, "CVE": 1, "email": 4 }, "indicator_count": 9252, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "175 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "GoBrut Service Bruter CnC Activity", "wmsspacer.gif : 548f2d6f4d0d820c6c5ffbeffcbd7f0e73193e2932eefe542accc84762deec87", "http://www.mof.gov.cn.lxcvc.com/ \u2022 http://www.mohurd.gov.cn.lxcvc.com/ \u2022", "http://pcoptimizerpro.com/eula.aspx \u2022 http://www.pcoptimizerpro.com/privacypolicy.aspx", "interface.xpacemobilitycloud.com", "https://img.fkcdn.com/image/kg8avm80/mobile/j/f/9/apple-iphone-12-dummyapplefsn-200x200-imafwg8dkyh2zgrh.jpeg", "http://colorado-realestate-finder.com/", "Yara Detections : compromised_site_redirector_fromcharcode", "www.opencandy.com", "Tam Legal \u2022 Christopher P. Ahmann Esq Cyber Criminal", "PE EXE UpdatesDll.dll : 69081ab853021bd28bf7fb1eb4eac3199623c8ed413589e6f3898806a15f0f23", "http://pornsure.com/ \u2022 http://www.kittipornfiberglass.com/ \u2022 kittipornfiberglass.com \u2022 pornsure.com", "ceidg.gov.pl \u2022 https://www.csrc.gov.cn.lxcvc.com/ \u2022 www.alt.krasnopil-silrada.gov.ua", "YARA: DotNET_Reactor System.Security.Cryptography.AesCryptoServiceProvider System.Security.Cryptography System.Security.Cryptography ICryptoTransform", "https://heavyfetish.com/search/CHEESE-PIZZA-porn/", "http://www.opencandy.com/privacy \u2022 http://www.opencandy.com/privacy-policy. \u2022 license@opencandy.com \u2022", "Matches rule Adobe_XMP_Identifier from ruleset Adobe_XMP_Identifier by InQuest Labs", "pcoptimizerpro.com \u2022 www.pcoptimizerpro.com", "103.224.182.243 ghdukshop.com lb-182-243.above.comAustraliaCOUNTRYAS133618 trellian pty. limited", "Matches rule: skip20_sqllang_hook from ruleset skip20_sqllang_hook by Mathieu Tartare " ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Win.trojan.adinstall-2", "Trojandownloader:linux/morila", "Win.trojan.agent", "Autorun", "Gafgyt", "Win64:malwarex-gen\\ [trj]", "Pua.optimizerpro/pcoptimizerpro", "Elf:agent-vw\\ [trj]", "Bank", "Exploit:win32/cve-2017-0147", "Luhe.fiha.a", "Psw.generic13", "Win64:botx-gen\\ [trj]", "Ransom:win32/conticrypt", "Win.trojan.agent-316098", "Win.trojan.nanocore-5", "Other malware", "Atros.upk", "Alfper:refloadapihash", "Win32:icedid-e\\ [bank]", "Virtool:win32/injector.gen!bq", "Win64:crypterx-gen\\ [trj]" ], "industries": [], "unique_indicators": 21110 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/d-io.com", "whois": "http://whois.domaintools.com/d-io.com", "domain": "d-io.com", "hostname": "kirinuki.d-io.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 2, "pulses": [ { "id": "69116f89c600907a25e6b397", "name": "GoBrut Service Bruter CnC Activity \u2022 TAM Legal \u2022 Christopher P. Ahmann", "description": "Malicious attacks from Special Counsel criminal attorney defending Jeffrey Scott Reimer and Concentra against and on premises vicious SA. Caused grate bodily injury. Christopher P. Ahmann and Hall\nRender (down the street) Palantir has been harassing , working 24/7 at silencing one crime victim. I\u2019m sure there are more because we thwarted an attempt in 2018. \n\nHitman hired. You couldn\u2019t believe manpower and cyber attacks one family has been through. They attack the Large Loss clients.", "modified": "2025-12-10T04:02:00.145000", "created": "2025-11-10T04:52:25.542000", "tags": [ "united", "ipv4", "america asn", "asn as397241", "neustar", "united states", "ubuntu", "linux x8664", "gobrut service", "bruter cnc", "activity", "malware", "present mar", "present oct", "present jun", "brazil", "present jul", "present feb", "present nov", "moved", "a domains", "win64", "alfper", "ransom", "script urls", "bank", "trojan", "win32", "meta", "path", "read c", "port", "destination", "delete", "write", "persistence", "execution", "generic", "hostile", "cookie", "suspicious", "e ee", "epeq", "efjeg", "eebe", "e ge", "eveoe6ee", "elem", "e ie", "eieeieeie", "jea ebjecedjee", "ipv4 add", "files", "reverse dns", "america flag", "msie", "chrome", "title", "h1 center", "gmt content", "unknown ns", "ip address", "for privacy", "icedid", "bokbot", "united states", "div div", "link", "amazon web", "a li", "click", "span", "unknown aaaa", "record value", "apache x", "asn as398101", "hosting", "twitter", "present may", "present jan", "error", "present sep", "url analysis", "passive dns", "urls", "less whois", "registrar", "criminal defense", "quasi gov", "tam legal", "monitored target", "p", "amazon", "apple", "japan unknown", "license", "expiresmon", "gmt path", "html", "tokyo", "show", "unknown", "tracking", "germany unknown", "bq nov", "virtool", "germany asn", "as47846", "cyber attacks", "christopher", "ahmann", "pulse pulses", "location united", "dns resolutions", "domains top", "hitmen", "hall", "hall render", "telper", "hostname add", "pulse submit", "domain", "files ip", "address", "yara detections", "contacted", "filehash", "av detections", "ids detections", "alerts", "analysis date", "file score", "detections elf", "lowfi", "entries", "win32midia", "next associated", "trojanclicker", "win32ellell jan", "date" ], "references": [ "Tam Legal \u2022 Christopher P. Ahmann Esq Cyber Criminal", "GoBrut Service Bruter CnC Activity", "interface.xpacemobilitycloud.com", "103.224.182.243 ghdukshop.com lb-182-243.above.comAustraliaCOUNTRYAS133618 trellian pty. limited", "http://pornsure.com/ \u2022 http://www.kittipornfiberglass.com/ \u2022 kittipornfiberglass.com \u2022 pornsure.com", "http://colorado-realestate-finder.com/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Australia" ], "malware_families": [ { "id": "TrojanDownloader:Linux/Morila", "display_name": "TrojanDownloader:Linux/Morila", "target": "/malware/TrojanDownloader:Linux/Morila" }, { "id": "Gafgyt", "display_name": "Gafgyt", "target": null }, { "id": "ELF:Agent-VW\\ [Trj]", "display_name": "ELF:Agent-VW\\ [Trj]", "target": null }, { "id": "Win32:IcedID-E\\ [Bank]", "display_name": "Win32:IcedID-E\\ [Bank]", "target": null }, { "id": "Win64:MalwareX-gen\\ [Trj]", "display_name": "Win64:MalwareX-gen\\ [Trj]", "target": null }, { "id": "Ransom:Win32/ContiCrypt", "display_name": "Ransom:Win32/ContiCrypt", "target": "/malware/Ransom:Win32/ContiCrypt" }, { "id": "ALFPER:RefLoadApiHash", "display_name": "ALFPER:RefLoadApiHash", "target": null }, { "id": "Win64:CrypterX-gen\\ [Trj]", "display_name": "Win64:CrypterX-gen\\ [Trj]", "target": null }, { "id": "Win64:BotX-gen\\ [Trj]", "display_name": "Win64:BotX-gen\\ [Trj]", "target": null }, { "id": "Bank", "display_name": "Bank", "target": null }, { "id": "Other Malware", "display_name": "Other Malware", "target": null }, { "id": "Exploit:Win32/CVE-2017-0147", "display_name": "Exploit:Win32/CVE-2017-0147", "target": "/malware/Exploit:Win32/CVE-2017-0147" }, { "id": "Win.Trojan.Agent", "display_name": "Win.Trojan.Agent", "target": null }, { "id": "AutoRun", "display_name": "AutoRun", "target": null }, { "id": "Win.Trojan.Agent-316098", "display_name": "Win.Trojan.Agent-316098", "target": null }, { "id": "virtool:Win32/Injector.gen!BQ", "display_name": "virtool:Win32/Injector.gen!BQ", "target": "/malware/virtool:Win32/Injector.gen!BQ" } ], "attack_ids": [ { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1584.005", "name": "Botnet", "display_name": "T1584.005 - Botnet" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 3031, "email": 8, "hostname": 1840, "FileHash-SHA256": 1015, "URL": 4792, "FileHash-MD5": 441, "FileHash-SHA1": 432, "SSLCertFingerprint": 9, "CVE": 1 }, "indicator_count": 11569, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "172 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "690e8b773dc39921d88abd44", "name": "Nanocore - Affected", "description": "- wmsspacer.gif\n| Photography: WMSspacer.gif, |[wmstransparent.org,]\n* YARA Detections : \nDotNET_Reactor\nSystem.Security.Cryptography.AesCryptoServiceProvider\nSystem.Security.Cryptography\nSystem.Security.Cryptography ~\nI CryptoTransform |\n Wmsspacer, i.g.sg.js..png.com, on-screen.|", "modified": "2025-12-07T23:02:29.645000", "created": "2025-11-08T00:14:47.600000", "tags": [ "hgnvastlaiz", "read c", "medium", "rgba", "memcommit", "delete", "png image", "unicode", "dock", "execution", "malware", "crlf line", "speichermedium", "productversion", "fileversion", "engine dll", "internalname", "einstellungen", "comodo ca", "limited st", "yara detections", "next pe", "eula", "policy", "direct", "opencandy", "suspicious_write_exe", "network_icmp", "process_martian", "present jun", "present jul", "domain", "united", "ip address", "unknown ns", "ms windows", "intel", "verisign", "time stamping", "unknown", "class", "write", "markus", "temple", "msie", "windows nt", "get http", "lehash", "av detections", "ids detections", "alerts", "file score", "low risk", "compromised_site_redirector_fromcharcode", "present aug", "passive dns", "all ipv4", "urls", "files", "hosting", "america flag", "win32", "ipv4 add", "signed file, valid signature. revoked.", "united states", "pws", "atros", "fiha", "search", "entries", "present oct", "next associated", "show", "high", "wow64", "slcc2", "next", "domain add", "poland", "poland unknown", "ipv4", "location poland", "poland asn", "et policy", "pe exe", "dll windows", "amazon s3", "location united", "associated urls", "date checked", "url hostname", "server response", "google safe", "results feb", "nanocore", "url add", "http", "related nids", "files location", "flag united", "malicious image", "files domain", "files related", "pulses otx", "related tags", "resources whois", "virustotal", "present sep", "status", "present nov", "present mar", "trojan", "script script", "div div", "link", "a li", "meta", "sweden", "invalid url", "head title", "title head", "reference", "bad request", "server", "netherlands", "creation date", "date", "running server", "ahmann", "christopher", "p", "tam", "legal", "treece", "alfrey", "muscat", "adversaries", "cyber crime", "quasi", "government" ], "references": [ "wmsspacer.gif : 548f2d6f4d0d820c6c5ffbeffcbd7f0e73193e2932eefe542accc84762deec87", "ceidg.gov.pl \u2022 https://www.csrc.gov.cn.lxcvc.com/ \u2022 www.alt.krasnopil-silrada.gov.ua", "http://www.mof.gov.cn.lxcvc.com/ \u2022 http://www.mohurd.gov.cn.lxcvc.com/ \u2022", "www.opencandy.com", "http://www.opencandy.com/privacy \u2022 http://www.opencandy.com/privacy-policy. \u2022 license@opencandy.com \u2022", "Yara Detections : compromised_site_redirector_fromcharcode", "Matches rule: skip20_sqllang_hook from ruleset skip20_sqllang_hook by Mathieu Tartare ", "Matches rule Adobe_XMP_Identifier from ruleset Adobe_XMP_Identifier by InQuest Labs", "http://pcoptimizerpro.com/eula.aspx \u2022 http://www.pcoptimizerpro.com/privacypolicy.aspx", "pcoptimizerpro.com \u2022 www.pcoptimizerpro.com", "PE EXE UpdatesDll.dll : 69081ab853021bd28bf7fb1eb4eac3199623c8ed413589e6f3898806a15f0f23", "YARA: DotNET_Reactor System.Security.Cryptography.AesCryptoServiceProvider System.Security.Cryptography System.Security.Cryptography ICryptoTransform", "https://img.fkcdn.com/image/kg8avm80/mobile/j/f/9/apple-iphone-12-dummyapplefsn-200x200-imafwg8dkyh2zgrh.jpeg", "https://heavyfetish.com/search/CHEESE-PIZZA-porn/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Trojan.Nanocore-5", "display_name": "Win.Trojan.Nanocore-5", "target": null }, { "id": "Win.Trojan.Adinstall-2", "display_name": "Win.Trojan.Adinstall-2", "target": null }, { "id": "PSW.Generic13", "display_name": "PSW.Generic13", "target": null }, { "id": "Atros.UPK", "display_name": "Atros.UPK", "target": null }, { "id": "Luhe.Fiha.A", "display_name": "Luhe.Fiha.A", "target": null }, { "id": "Pua.Optimizerpro/PCOptimizerPro", "display_name": "Pua.Optimizerpro/PCOptimizerPro", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1491.001", "name": "Internal Defacement", "display_name": "T1491.001 - Internal Defacement" }, { "id": "T1204.003", "name": "Malicious Image", "display_name": "T1204.003 - Malicious Image" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 753, "FileHash-SHA1": 622, "FileHash-SHA256": 4336, "URL": 2448, "domain": 300, "hostname": 788, "CVE": 1, "email": 4 }, "indicator_count": 9252, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "175 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://kirinuki.d-io.com/", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://kirinuki.d-io.com/", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780276477.1587796 }