{ "type": "URL", "indicator": "https://madisonheightshomecare.com", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://madisonheightshomecare.com", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3911744121, "indicator": "https://madisonheightshomecare.com", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 4, "pulses": [ { "id": "68dc624893ea922b898f911b", "name": "FBI? Ghe real one? Idk - Cab / Deive by compromised an iOS device", "description": "Checking a targets phone, it\u2019s seems very infected with limited results on google searches results. I clicked on an image I thought looked suspicious. Image was coded. I have no idea if this is the FBI I haven\u2019t examined or researched for vulnerabilities yet. I will break this down over time. The number is kept alive but number could not be verified , it was a different number altogether. The phone was out of service, I reached out to 911. And spoke to a person I can\u2019t verify. The service was reconnected a day later. It\u2019s a very crazy hack!", "modified": "2025-10-30T22:01:00.256000", "created": "2025-09-30T23:05:44.154000", "tags": [ "search", "google search", "in a", "relevance", "internet storm", "intranet", "part", "steps", "hyper v", "windowssystem32", "ping request", "algorithm", "ouno sni", "key usage", "google llc", "v3 serial", "number", "public key", "info", "key algorithm", "domain", "subject key", "identifier", "net173", "net1730000", "gogl", "orgid", "gogl address", "city", "mountain view", "stateprov", "postalcode", "registrar", "ip address", "http", "port", "accept", "info file", "network dropped", "duration cuckoo", "version file", "machine label", "shutdown", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "defense evasion", "spawns", "found", "united", "ascii text", "pattern match", "mitre att", "title", "hybrid", "general", "path", "click", "strings", "body", "initial access", "local", "passive dns", "urls", "url add", "related nids", "files location", "flag united", "backdoor", "status", "aaaa", "date", "name servers", "record value", "emails", "present aug", "present sep", "moved", "error", "antivm", "drive by", "cab by" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 3, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 544, "FileHash-SHA256": 2300, "URL": 3905, "hostname": 1675, "FileHash-MD5": 209, "FileHash-SHA1": 210, "CIDR": 1, "email": 7, "SSLCertFingerprint": 8, "CVE": 2 }, "indicator_count": 8861, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "212 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "688865644a38fd5eef407891", "name": "Denver Apartment Community website with multiple compromises", "description": "Network of a multi block Denver Townhome complex experiencing issues with info stealing, password o, spyware, ransomware, malware\u2026 \u2022Win.Trojan.Crypted-30\tPWS:Win32/Zbot\u2022(phish_alert_sp2_2.0.0.0) \u2022 (phish_alert_sp1_1.0.0.0 )(30)_url_001.bin\tFile detected as \"image\", this format is not supported on WINDOWS\terror\t\nMay 23rd 2023 06:20:30 (UTC)\tRe__Motherson_INVENSITY_Project_Discussion_url_001.bin\tFile \"Re__Motherson_INVENSITY_Project_Discussion_url_001.bin\" was detected as \"image\", this format is not supported on WINDOWS\terror\t\nMay 5th 2023 07:59:14 (UTC)\tRE XDR Roadmap Planning Workshop for Temasek Polytechnic_url_007.bin\tFile \"RE XDR Roadmap Planning Workshop for Temasek Polytechnic_url_007.bin\" was detected as \"image\", this format is not supported on WINDOWS\terror", "modified": "2025-08-28T06:00:46.366000", "created": "2025-07-29T06:08:36.869000", "tags": [ "context related", "associated urls", "community", "present jul", "present jun", "present may", "present apr", "checked url", "hostname server", "response ip", "address google", "safe browsing", "present showing", "sha256", "submitted", "urls", "passive dns", "http", "unique", "ip asn", "as701 verizon", "url add", "pulse pulses", "ip address", "related nids", "windows error", "file", "re xdr", "workshop", "march", "february", "january", "windows nt", "klpx", "span", "script", "united", "indicator", "appdata", "pattern match", "runtime process", "copy md5", "iframe", "date", "jquery", "null", "solid", "code", "summer", "polish", "body", "hybrid", "general", "local", "accept", "click", "strings", "music", "class", "core", "contact", "flag", "united kingdom", "name server", "tcp system", "private limited", "prefetch2", "dns requests", "win32", "mtb jul", "susp", "worm", "trojan", "entries", "next associated", "mtb apr", "showing", "trojandropper", "virtool", "country", "csc corporate", "domains", "ransom", "lowfi", "urls show", "date checked", "url hostname", "domain address", "learn", "command", "control att", "ck id", "name tactics", "suspicious", "informative", "t1105 ingress", "tool transfer", "t1573 encrypted", "dynamicloader", "medium", "yara rule", "high", "windows", "remote data", "http traffic", "installs", "windows startup", "malware", "copy" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1134, "hostname": 292, "domain": 197, "FileHash-MD5": 139, "FileHash-SHA1": 130, "FileHash-SHA256": 708, "email": 2 }, "indicator_count": 2602, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "276 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68886564cdc44059c7b2ef08", "name": "Denver Apartment Community website with multiple compromises", "description": "Network of a multi block Denver Townhome complex experiencing issues with info stealing, password o, spyware, ransomware, malware\u2026 \u2022Win.Trojan.Crypted-30\tPWS:Win32/Zbot\u2022(phish_alert_sp2_2.0.0.0) \u2022 (phish_alert_sp1_1.0.0.0 )(30)_url_001.bin\tFile detected as \"image\", this format is not supported on WINDOWS\terror\t\nMay 23rd 2023 06:20:30 (UTC)\tRe__Motherson_INVENSITY_Project_Discussion_url_001.bin\tFile \"Re__Motherson_INVENSITY_Project_Discussion_url_001.bin\" was detected as \"image\", this format is not supported on WINDOWS\terror\t\nMay 5th 2023 07:59:14 (UTC)\tRE XDR Roadmap Planning Workshop for Temasek Polytechnic_url_007.bin\tFile \"RE XDR Roadmap Planning Workshop for Temasek Polytechnic_url_007.bin\" was detected as \"image\", this format is not supported on WINDOWS\terror", "modified": "2025-08-28T06:00:46.366000", "created": "2025-07-29T06:08:36.770000", "tags": [ "context related", "associated urls", "community", "present jul", "present jun", "present may", "present apr", "checked url", "hostname server", "response ip", "address google", "safe browsing", "present showing", "sha256", "submitted", "urls", "passive dns", "http", "unique", "ip asn", "as701 verizon", "url add", "pulse pulses", "ip address", "related nids", "windows error", "file", "re xdr", "workshop", "march", "february", "january", "windows nt", "klpx", "span", "script", "united", "indicator", "appdata", "pattern match", "runtime process", "copy md5", "iframe", "date", "jquery", "null", "solid", "code", "summer", "polish", "body", "hybrid", "general", "local", "accept", "click", "strings", "music", "class", "core", "contact", "flag", "united kingdom", "name server", "tcp system", "private limited", "prefetch2", "dns requests", "win32", "mtb jul", "susp", "worm", "trojan", "entries", "next associated", "mtb apr", "showing", "trojandropper", "virtool", "country", "csc corporate", "domains", "ransom", "lowfi", "urls show", "date checked", "url hostname", "domain address", "learn", "command", "control att", "ck id", "name tactics", "suspicious", "informative", "t1105 ingress", "tool transfer", "t1573 encrypted", "dynamicloader", "medium", "yara rule", "high", "windows", "remote data", "http traffic", "installs", "windows startup", "malware", "copy" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1134, "hostname": 292, "domain": 197, "FileHash-MD5": 139, "FileHash-SHA1": 130, "FileHash-SHA256": 708, "email": 2 }, "indicator_count": 2602, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "276 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "660b176a98b0c92ba5a962bc", "name": "\"No Problems\" - UAlberta TLD (Confirmed TLD - 08.04.24) & Subdomain compromise", "description": "Basically the above\n\n\"No Problems\", \"We are Unhackable\", etc. etc. causing problems.", "modified": "2024-09-04T05:01:56.993000", "created": "2024-04-01T20:22:02.851000", "tags": [ "BEC" ], "references": [ "https://www.virustotal.com/gui/collection/b8a6d1fcd73207ba46eae6806b946c4b539f301e718f3fba21fa4e797d4b5783/summary", "https://www.virustotal.com/gui/collection/b8a6d1fcd73207ba46eae6806b946c4b539f301e718f3fba21fa4e797d4b5783/iocs", "https://www.virustotal.com/graph/embed/gead337f35cdd4241b225b68ff0528a3834be5d60876745fa99254ff7f8a0df22?theme=dark", "https://www.virustotal.com/graph/embed/g1e31eca6803a433a9a33437d593a2bbdf979ff77c91340d1ab624d10dc8732b3?theme=dark", "https://dnstwist.it/#ea665d15-6507-4057-b2c9-18a2e546ee95", "https://malpedia.caad.fkie.fraunhofer.de/details/win.nanocore", "https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/", "https://malpedia.caad.fkie.fraunhofer.de/details/win.mydoom", "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkgate" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada", "United States of America", "Netherlands" ], "malware_families": [], "attack_ids": [], "industries": [ "Education", "Technology", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 233, "FileHash-SHA1": 230, "FileHash-SHA256": 6703, "URL": 4450, "CIDR": 3, "domain": 6223, "hostname": 2863, "email": 7, "CVE": 53 }, "indicator_count": 20765, "is_author": false, "is_subscribing": null, "subscriber_count": 130, "modified_text": "634 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://dnstwist.it/#ea665d15-6507-4057-b2c9-18a2e546ee95", "https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/", "https://www.virustotal.com/gui/collection/b8a6d1fcd73207ba46eae6806b946c4b539f301e718f3fba21fa4e797d4b5783/summary", "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkgate", "https://www.virustotal.com/gui/collection/b8a6d1fcd73207ba46eae6806b946c4b539f301e718f3fba21fa4e797d4b5783/iocs", "https://www.virustotal.com/graph/embed/gead337f35cdd4241b225b68ff0528a3834be5d60876745fa99254ff7f8a0df22?theme=dark", "https://malpedia.caad.fkie.fraunhofer.de/details/win.nanocore", "https://malpedia.caad.fkie.fraunhofer.de/details/win.mydoom", "https://www.virustotal.com/graph/embed/g1e31eca6803a433a9a33437d593a2bbdf979ff77c91340d1ab624d10dc8732b3?theme=dark" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [], "industries": [ "Technology", "Government", "Education" ], "unique_indicators": 17474 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/madisonheightshomecare.com", "whois": "http://whois.domaintools.com/madisonheightshomecare.com", "domain": "madisonheightshomecare.com", "hostname": "Unavailable" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 4, "pulses": [ { "id": "68dc624893ea922b898f911b", "name": "FBI? Ghe real one? Idk - Cab / Deive by compromised an iOS device", "description": "Checking a targets phone, it\u2019s seems very infected with limited results on google searches results. I clicked on an image I thought looked suspicious. Image was coded. I have no idea if this is the FBI I haven\u2019t examined or researched for vulnerabilities yet. I will break this down over time. The number is kept alive but number could not be verified , it was a different number altogether. The phone was out of service, I reached out to 911. And spoke to a person I can\u2019t verify. The service was reconnected a day later. It\u2019s a very crazy hack!", "modified": "2025-10-30T22:01:00.256000", "created": "2025-09-30T23:05:44.154000", "tags": [ "search", "google search", "in a", "relevance", "internet storm", "intranet", "part", "steps", "hyper v", "windowssystem32", "ping request", "algorithm", "ouno sni", "key usage", "google llc", "v3 serial", "number", "public key", "info", "key algorithm", "domain", "subject key", "identifier", "net173", "net1730000", "gogl", "orgid", "gogl address", "city", "mountain view", "stateprov", "postalcode", "registrar", "ip address", "http", "port", "accept", "info file", "network dropped", "duration cuckoo", "version file", "machine label", "shutdown", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "defense evasion", "spawns", "found", "united", "ascii text", "pattern match", "mitre att", "title", "hybrid", "general", "path", "click", "strings", "body", "initial access", "local", "passive dns", "urls", "url add", "related nids", "files location", "flag united", "backdoor", "status", "aaaa", "date", "name servers", "record value", "emails", "present aug", "present sep", "moved", "error", "antivm", "drive by", "cab by" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 3, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 544, "FileHash-SHA256": 2300, "URL": 3905, "hostname": 1675, "FileHash-MD5": 209, "FileHash-SHA1": 210, "CIDR": 1, "email": 7, "SSLCertFingerprint": 8, "CVE": 2 }, "indicator_count": 8861, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "212 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "688865644a38fd5eef407891", "name": "Denver Apartment Community website with multiple compromises", "description": "Network of a multi block Denver Townhome complex experiencing issues with info stealing, password o, spyware, ransomware, malware\u2026 \u2022Win.Trojan.Crypted-30\tPWS:Win32/Zbot\u2022(phish_alert_sp2_2.0.0.0) \u2022 (phish_alert_sp1_1.0.0.0 )(30)_url_001.bin\tFile detected as \"image\", this format is not supported on WINDOWS\terror\t\nMay 23rd 2023 06:20:30 (UTC)\tRe__Motherson_INVENSITY_Project_Discussion_url_001.bin\tFile \"Re__Motherson_INVENSITY_Project_Discussion_url_001.bin\" was detected as \"image\", this format is not supported on WINDOWS\terror\t\nMay 5th 2023 07:59:14 (UTC)\tRE XDR Roadmap Planning Workshop for Temasek Polytechnic_url_007.bin\tFile \"RE XDR Roadmap Planning Workshop for Temasek Polytechnic_url_007.bin\" was detected as \"image\", this format is not supported on WINDOWS\terror", "modified": "2025-08-28T06:00:46.366000", "created": "2025-07-29T06:08:36.869000", "tags": [ "context related", "associated urls", "community", "present jul", "present jun", "present may", "present apr", "checked url", "hostname server", "response ip", "address google", "safe browsing", "present showing", "sha256", "submitted", "urls", "passive dns", "http", "unique", "ip asn", "as701 verizon", "url add", "pulse pulses", "ip address", "related nids", "windows error", "file", "re xdr", "workshop", "march", "february", "january", "windows nt", "klpx", "span", "script", "united", "indicator", "appdata", "pattern match", "runtime process", "copy md5", "iframe", "date", "jquery", "null", "solid", "code", "summer", "polish", "body", "hybrid", "general", "local", "accept", "click", "strings", "music", "class", "core", "contact", "flag", "united kingdom", "name server", "tcp system", "private limited", "prefetch2", "dns requests", "win32", "mtb jul", "susp", "worm", "trojan", "entries", "next associated", "mtb apr", "showing", "trojandropper", "virtool", "country", "csc corporate", "domains", "ransom", "lowfi", "urls show", "date checked", "url hostname", "domain address", "learn", "command", "control att", "ck id", "name tactics", "suspicious", "informative", "t1105 ingress", "tool transfer", "t1573 encrypted", "dynamicloader", "medium", "yara rule", "high", "windows", "remote data", "http traffic", "installs", "windows startup", "malware", "copy" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1134, "hostname": 292, "domain": 197, "FileHash-MD5": 139, "FileHash-SHA1": 130, "FileHash-SHA256": 708, "email": 2 }, "indicator_count": 2602, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "276 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68886564cdc44059c7b2ef08", "name": "Denver Apartment Community website with multiple compromises", "description": "Network of a multi block Denver Townhome complex experiencing issues with info stealing, password o, spyware, ransomware, malware\u2026 \u2022Win.Trojan.Crypted-30\tPWS:Win32/Zbot\u2022(phish_alert_sp2_2.0.0.0) \u2022 (phish_alert_sp1_1.0.0.0 )(30)_url_001.bin\tFile detected as \"image\", this format is not supported on WINDOWS\terror\t\nMay 23rd 2023 06:20:30 (UTC)\tRe__Motherson_INVENSITY_Project_Discussion_url_001.bin\tFile \"Re__Motherson_INVENSITY_Project_Discussion_url_001.bin\" was detected as \"image\", this format is not supported on WINDOWS\terror\t\nMay 5th 2023 07:59:14 (UTC)\tRE XDR Roadmap Planning Workshop for Temasek Polytechnic_url_007.bin\tFile \"RE XDR Roadmap Planning Workshop for Temasek Polytechnic_url_007.bin\" was detected as \"image\", this format is not supported on WINDOWS\terror", "modified": "2025-08-28T06:00:46.366000", "created": "2025-07-29T06:08:36.770000", "tags": [ "context related", "associated urls", "community", "present jul", "present jun", "present may", "present apr", "checked url", "hostname server", "response ip", "address google", "safe browsing", "present showing", "sha256", "submitted", "urls", "passive dns", "http", "unique", "ip asn", "as701 verizon", "url add", "pulse pulses", "ip address", "related nids", "windows error", "file", "re xdr", "workshop", "march", "february", "january", "windows nt", "klpx", "span", "script", "united", "indicator", "appdata", "pattern match", "runtime process", "copy md5", "iframe", "date", "jquery", "null", "solid", "code", "summer", "polish", "body", "hybrid", "general", "local", "accept", "click", "strings", "music", "class", "core", "contact", "flag", "united kingdom", "name server", "tcp system", "private limited", "prefetch2", "dns requests", "win32", "mtb jul", "susp", "worm", "trojan", "entries", "next associated", "mtb apr", "showing", "trojandropper", "virtool", "country", "csc corporate", "domains", "ransom", "lowfi", "urls show", "date checked", "url hostname", "domain address", "learn", "command", "control att", "ck id", "name tactics", "suspicious", "informative", "t1105 ingress", "tool transfer", "t1573 encrypted", "dynamicloader", "medium", "yara rule", "high", "windows", "remote data", "http traffic", "installs", "windows startup", "malware", "copy" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1134, "hostname": 292, "domain": 197, "FileHash-MD5": 139, "FileHash-SHA1": 130, "FileHash-SHA256": 708, "email": 2 }, "indicator_count": 2602, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "276 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "660b176a98b0c92ba5a962bc", "name": "\"No Problems\" - UAlberta TLD (Confirmed TLD - 08.04.24) & Subdomain compromise", "description": "Basically the above\n\n\"No Problems\", \"We are Unhackable\", etc. etc. causing problems.", "modified": "2024-09-04T05:01:56.993000", "created": "2024-04-01T20:22:02.851000", "tags": [ "BEC" ], "references": [ "https://www.virustotal.com/gui/collection/b8a6d1fcd73207ba46eae6806b946c4b539f301e718f3fba21fa4e797d4b5783/summary", "https://www.virustotal.com/gui/collection/b8a6d1fcd73207ba46eae6806b946c4b539f301e718f3fba21fa4e797d4b5783/iocs", "https://www.virustotal.com/graph/embed/gead337f35cdd4241b225b68ff0528a3834be5d60876745fa99254ff7f8a0df22?theme=dark", "https://www.virustotal.com/graph/embed/g1e31eca6803a433a9a33437d593a2bbdf979ff77c91340d1ab624d10dc8732b3?theme=dark", "https://dnstwist.it/#ea665d15-6507-4057-b2c9-18a2e546ee95", "https://malpedia.caad.fkie.fraunhofer.de/details/win.nanocore", "https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/", "https://malpedia.caad.fkie.fraunhofer.de/details/win.mydoom", "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkgate" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada", "United States of America", "Netherlands" ], "malware_families": [], "attack_ids": [], "industries": [ "Education", "Technology", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 233, "FileHash-SHA1": 230, "FileHash-SHA256": 6703, "URL": 4450, "CIDR": 3, "domain": 6223, "hostname": 2863, "email": 7, "CVE": 53 }, "indicator_count": 20765, "is_author": false, "is_subscribing": null, "subscriber_count": 130, "modified_text": "634 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://madisonheightshomecare.com", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://madisonheightshomecare.com", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780248027.1227014 }