{ "type": "URL", "indicator": "https://ns-455.awsdns-56.com", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://ns-455.awsdns-56.com", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3870669233, "indicator": "https://ns-455.awsdns-56.com", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 7, "pulses": [ { "id": "689b9b9fab42ca4f016a226f", "name": "Elastic's Al-driven Endpoint Security - Red Team Malicious (moved?)", "description": "Endgame - Unruy Activity -System infection | (Moved) Endpoint security (MOVED) from Elastic\nElastic's Al-driven security analytics empowers you with comprehensive endpoint protection. Detect, investigate, and respond to threats faster with a single agent and unified console. Gain actionable insights for a proactive defense posture. All built on the Search\nAl platform.\n| Used maliciously against monitored non-criminal targets. |\n{ virus - https://universitycenter.uccs.edu/}\n#unruy #activity #monitored_target #red_team_malicious #trojan #worm #moved\n#ai #adversarial #custom_malware #ransom #crypt #guardrails #dns #cnc #evasive #domain_generation #remote_access #devices #remotewd #virus #custom_malware #rip #endgame \n\u2022 TrojanDropper\t\t\t\n\u2022 Win32:Evo-gen\t\u2022 Cassini\n\u2022 RansomX-gen\u2022 Zombie.A\n\u2022 win32:MalwareX-gen\t\u2022 Win32:Malware-gen \u2022 Nymeria\n\u2022 Forcud +", "modified": "2025-09-11T13:03:18.814000", "created": "2025-08-12T19:53:03.953000", "tags": [ "url http", "url https", "indicator role", "title added", "active related", "pulses url", "entries", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "spawns", "mitre att", "ck techniques", "evasion att", "href", "copy md5", "copy sha1", "copy sha256", "sha1", "sha256", "show technique", "ck matrix", "null", "refresh", "body", "span", "general", "local", "path", "iframe", "click", "date", "strings", "error", "tools", "look", "verify", "restart", "united", "unknown ns", "ip address", "creation date", "search", "present sep", "moved", "domain add", "encrypt", "accept", "please", "passive dns", "msie", "next associated", "html", "background", "unknown site", "div div", "trojan", "zeus", "process32nextw", "read c", "show", "shellexecuteexw", "windows nt", "wow64", "copy", "dock", "write", "malware", "unknown", "defense evasion", "t1480 execution", "file defense", "august", "hybrid", "port", "destination", "tlsv1", "as15169", "ogoogle trust", "cngts ca", "execution", "next", "persistence", "data upload", "extraction", "win32", "ransom", "trojandropper", "mtb nov", "forcud", "files show", "date hash", "avast avg" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 29, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4179, "domain": 774, "hostname": 1673, "FileHash-MD5": 169, "FileHash-SHA1": 110, "FileHash-SHA256": 2073, "email": 1, "SSLCertFingerprint": 13, "CVE": 1 }, "indicator_count": 8993, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "220 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6894f30905efa56990bb10f6", "name": "Expanded device-local-****remotewd.com", "description": "device-local-2ffdbd74-9f90-41fa-beb8-454ed65788c5.remotewd.com", "modified": "2025-09-06T06:03:31.462000", "created": "2025-08-07T18:40:09.876000", "tags": [ "hostname", "pulse pulses", "passive dns", "urls", "files", "ip address", "nameservers", "date hash", "avast avg", "entries", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "itre att", "ck techniques", "copy md5", "copy sha1", "copy sha256", "sha256", "sha1", "mitre att", "pattern match", "show technique", "ck matrix", "null", "refresh", "body", "span", "august", "hybrid", "general", "local", "path", "click", "date", "strings", "error", "tools", "look", "verify", "restart", "domain", "hostname add", "files ip", "address", "location united", "hash avast", "avg clamav", "msdefender aug", "united", "port", "destination", "as16509", "search", "unknown", "ocloudflare", "medium", "memcommit", "service", "write", "next", "persistence", "execution", "malware", "copy", "encrypt", "win32", "mtb feb", "trojan", "susp", "trojandropper", "msr feb", "trojanspy", "next associated", "urls show", "date checked", "virtool", "win64", "worm", "mtb may", "files show", "heur", "script", "dropper", "ransom", "vitro", "pe32", "intel", "ms windows", "as15169", "read c", "asnone", "show", "packing t1045", "t1045", "delphi", "code", "june" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 6741, "domain": 5822, "FileHash-SHA256": 1550, "URL": 16348, "FileHash-MD5": 287, "FileHash-SHA1": 242, "SSLCertFingerprint": 9, "email": 1 }, "indicator_count": 31000, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "226 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6894f4e6c41982f405592b55", "name": "Worm:Win32/Mydoom | Expanded device-local-****remotewd.com", "description": "", "modified": "2025-09-06T06:03:31.462000", "created": "2025-08-07T18:48:06.557000", "tags": [ "hostname", "pulse pulses", "passive dns", "urls", "files", "ip address", "nameservers", "date hash", "avast avg", "entries", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "itre att", "ck techniques", "copy md5", "copy sha1", "copy sha256", "sha256", "sha1", "mitre att", "pattern match", "show technique", "ck matrix", "null", "refresh", "body", "span", "august", "hybrid", "general", "local", "path", "click", "date", "strings", "error", "tools", "look", "verify", "restart", "domain", "hostname add", "files ip", "address", "location united", "hash avast", "avg clamav", "msdefender aug", "united", "port", "destination", "as16509", "search", "unknown", "ocloudflare", "medium", "memcommit", "service", "write", "next", "persistence", "execution", "malware", "copy", "encrypt", "win32", "mtb feb", "trojan", "susp", "trojandropper", "msr feb", "trojanspy", "next associated", "urls show", "date checked", "virtool", "win64", "worm", "mtb may", "files show", "heur", "script", "dropper", "ransom", "vitro", "pe32", "intel", "ms windows", "as15169", "read c", "asnone", "show", "packing t1045", "t1045", "delphi", "code", "june" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [], "TLP": "green", "cloned_from": "6894f30905efa56990bb10f6", "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 6741, "domain": 5822, "FileHash-SHA256": 1550, "URL": 16348, "FileHash-MD5": 287, "FileHash-SHA1": 242, "SSLCertFingerprint": 9, "email": 1 }, "indicator_count": 31000, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "226 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68923ea4efbf58b7ba48acec", "name": "Hosted App", "description": "", "modified": "2025-09-04T16:03:17.037000", "created": "2025-08-05T17:25:56.454000", "tags": [ "issuer wr3", "log id", "gmtn", "abn timestamp", "ad180b80", "full name", "extensionsstr", "web server", "ca issuers", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "ssl certificate", "spawns", "mitre att", "sha1", "copy md5", "copy sha1", "copy sha256", "sha256", "ascii text", "pattern match", "show technique", "date", "format", "august", "hybrid", "local", "path", "click", "strings", "flag", "usa windows", "hwp support", "march", "december", "united", "markmonitor", "overview dns", "requests domain", "country", "contacted hosts", "ip address", "process details", "t1179 hooking", "access windows", "installs", "control att", "found", "development att", "name server", "show process", "programfiles", "command decode", "suricata ipv4", "ck matrix", "comspec", "model", "general", "dynamicloader", "unknown", "as16509", "whitelisted", "medium", "write c", "as15169", "search", "high", "write", "android", "malware", "copy", "next", "formbook cnc", "checkin", "entries", "passive dns", "next associated", "site", "neue", "ipv4", "pulse pulses", "exploit", "trojan", "virtool", "body", "refer", "present dec", "epub", "present jan", "present nov", "present oct", "showing", "urls show", "win32", "win64", "date checked", "url hostname", "server response", "google safe", "prefetch8", "localappdata", "prefetch1" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 3409, "hostname": 4127, "URL": 8408, "SSLCertFingerprint": 9, "FileHash-SHA256": 1175, "FileHash-MD5": 144, "FileHash-SHA1": 134, "CVE": 2 }, "indicator_count": 17408, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "227 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "687d18d829739be014393c59", "name": "SoundCloud - Hear the world\u2019s sounds", "description": "Social engineering included lots of contact via Facebook, Twitter, SoundCloud, Victims website, iCloud.. iCloud was erased and the hacker left the man \u2018deadmau5\u2018 . deadmau5 was used threatening posts emails and whoever they are sent photos and became overly interested in victims music. 1st to report music was not showing up on YouTube. Statements show victim had millions of views redirected. Hackers would often thank artistss for another million views. Songs pirated. Jansky on SoundCloud contacted victims daughter often, sent a photo and said he was from Great Britain. \n\u2022 ALFPER:PUA:Win32/InstallCore\n\u2022 TrojanDropper:Win32/VB.IL\n\u2022 Win.Trojan.Agent-\n|| blog.jpcert.or.jp \n\n\u2022 Registrant Org: Japan Computer Emergency Response Team Coordination Center\n\nI feel like this is very dangerous. These people are in Colorado no matter where they say they are.", "modified": "2025-08-19T14:03:11.976000", "created": "2025-07-20T16:27:04.872000", "tags": [ "read c", "search", "medium", "entries", "show", "unicode", "tls handshake", "memcommit", "delete", "crlf line", "next", "dock", "write", "execution", "malware", "copy", "no expiration", "filehashmd5", "filehashsha256", "showing", "urls", "passive dns", "http", "unique", "l add", "pulse pulses", "ip address", "related nids", "files location", "united", "code", "present jul", "present showing", "title error", "date checked", "url hostname", "server response", "google safe", "results jul", "next associated", "files show", "win32", "date", "urls show", "error", "creation date", "name servers", "value emails", "name eric", "wahlforss name", "org soundcloud", "city berlin", "country de", "dnssec unsigned", "files", "verdict", "domain", "files ip", "address", "location united", "asn as16509", "less", "results nov", "associated urls", "results jan", "present feb", "related tags", "none indicator", "facts domain", "present", "akamai external", "resources whois", "urlvoid", "related", "png image", "rgba", "alfper", "ipv4 add", "trojandropper", "present may", "present jun", "cname", "emails", "status", "servers", "less whois", "body", "fastly error", "please", "sea p", "america flag", "america asn", "trojan", "accept", "url add", "ip related", "pulses none", "cdhc", "oxq xr8w1", "fv5hc9a2l", "s showing", "next related", "domains domain", "script urls", "present sep", "cookie", "hostname add" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6020, "hostname": 1865, "FileHash-SHA256": 676, "FileHash-MD5": 106, "FileHash-SHA1": 86, "domain": 990, "email": 5 }, "indicator_count": 9748, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "243 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "687d18de7177474b759ab2b7", "name": "SoundCloud - Hear the world\u2019s sounds", "description": "Social engineering included lots of contact via Facebook, Twitter, SoundCloud, Victims website, iCloud.. iCloud was erased and the hacker left the man \u2018deadmau5\u2018 . deadmau5 was used threatening posts emails and whoever they are sent photos and became overly interested in victims music. 1st to report music was not showing up on YouTube. Statements show victim had millions of views redirected. Hackers would often thank artistss for another million views. Songs pirated. Jansky on SoundCloud contacted victims daughter often, sent a photo and said he was from Great Britain. \n\u2022 ALFPER:PUA:Win32/InstallCore\n\u2022 TrojanDropper:Win32/VB.IL\n\u2022 Win.Trojan.Agent-\n|| blog.jpcert.or.jp \n\n\u2022 Registrant Org: Japan Computer Emergency Response Team Coordination Center\n\nI feel like this is very dangerous. These people are in Colorado no matter where they say they are.", "modified": "2025-08-19T14:03:11.976000", "created": "2025-07-20T16:27:10.608000", "tags": [ "read c", "search", "medium", "entries", "show", "unicode", "tls handshake", "memcommit", "delete", "crlf line", "next", "dock", "write", "execution", "malware", "copy", "no expiration", "filehashmd5", "filehashsha256", "showing", "urls", "passive dns", "http", "unique", "l add", "pulse pulses", "ip address", "related nids", "files location", "united", "code", "present jul", "present showing", "title error", "date checked", "url hostname", "server response", "google safe", "results jul", "next associated", "files show", "win32", "date", "urls show", "error", "creation date", "name servers", "value emails", "name eric", "wahlforss name", "org soundcloud", "city berlin", "country de", "dnssec unsigned", "files", "verdict", "domain", "files ip", "address", "location united", "asn as16509", "less", "results nov", "associated urls", "results jan", "present feb", "related tags", "none indicator", "facts domain", "present", "akamai external", "resources whois", "urlvoid", "related", "png image", "rgba", "alfper", "ipv4 add", "trojandropper", "present may", "present jun", "cname", "emails", "status", "servers", "less whois", "body", "fastly error", "please", "sea p", "america flag", "america asn", "trojan", "accept", "url add", "ip related", "pulses none", "cdhc", "oxq xr8w1", "fv5hc9a2l", "s showing", "next related", "domains domain", "script urls", "present sep", "cookie", "hostname add" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6020, "hostname": 1865, "FileHash-SHA256": 676, "FileHash-MD5": 106, "FileHash-SHA1": 86, "domain": 990, "email": 5 }, "indicator_count": 9748, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "243 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "687c07591d641de3c896d4a9", "name": "icon.palantirfoundry.com - Brazzers Porn", "description": "Another strange pulse. Persistent bad actors moved and changed name of operation; of course. Usual - Hostname\nicon.palantirfoundry.com , Apple, Samsung , X.com , Twitter , Facebook, Google, Palantir NSA or a poser? I was threatened this week, I was told that if I was on the \u2018list\u2019 they have to do anything that is asked including \u2018blow me up\u2019. Sounds nuts but I can\u2019t believe this. Whoever has been doing this is hyper dangerous.\n\nicon.palantirfoundry.com ? P.S. Huge pulse. Can\u2019t use private option to cherry pick the IoC\u2019s I\u2019d like to breakdown. Have I broken a rule?", "modified": "2025-08-18T18:01:11.130000", "created": "2025-07-19T21:00:09.343000", "tags": [ "canada unknown", "passive dns", "ransom", "entries", "ipv4", "pulse submit", "url analysis", "urls", "files", "reverse dns", "united", "unknown ns", "moved", "ip address", "creation date", "search", "omain", "pulse pulses", "body", "date", "showing", "domain", "hostname", "ocloudflare", "stca", "lsan francisco", "ecc ca3", "ecc ca2", "as16509", "unknown", "ms windows", "encrypt", "write", "next", "service", "malware", "copy", "unknown soa", "next associated", "urls show", "date checked", "url hostname", "server response", "google safe", "results jul", "present jan", "medium", "memcommit", "module load", "t1129", "regopenkeyexw", "fjlsedauv", "et useragents", "go http", "registry run", "persistence", "execution", "checks", "keys", "start folder", "richhash", "external", "virustotal api", "screenshots", "find", "show", "types", "seard type", "indicator", "data upload", "extraction", "failed", "sc data", "type", "extri included", "review data", "sugges data", "find suxxesteu", "typ indicalon" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 62, "FileHash-SHA1": 17, "FileHash-SHA256": 1433, "URL": 10188, "hostname": 5658, "domain": 5753, "email": 4, "SSLCertFingerprint": 20 }, "indicator_count": 23135, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "244 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 71292 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/awsdns-56.com", "whois": "http://whois.domaintools.com/awsdns-56.com", "domain": "awsdns-56.com", "hostname": "ns-455.awsdns-56.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 7, "pulses": [ { "id": "689b9b9fab42ca4f016a226f", "name": "Elastic's Al-driven Endpoint Security - Red Team Malicious (moved?)", "description": "Endgame - Unruy Activity -System infection | (Moved) Endpoint security (MOVED) from Elastic\nElastic's Al-driven security analytics empowers you with comprehensive endpoint protection. Detect, investigate, and respond to threats faster with a single agent and unified console. Gain actionable insights for a proactive defense posture. All built on the Search\nAl platform.\n| Used maliciously against monitored non-criminal targets. |\n{ virus - https://universitycenter.uccs.edu/}\n#unruy #activity #monitored_target #red_team_malicious #trojan #worm #moved\n#ai #adversarial #custom_malware #ransom #crypt #guardrails #dns #cnc #evasive #domain_generation #remote_access #devices #remotewd #virus #custom_malware #rip #endgame \n\u2022 TrojanDropper\t\t\t\n\u2022 Win32:Evo-gen\t\u2022 Cassini\n\u2022 RansomX-gen\u2022 Zombie.A\n\u2022 win32:MalwareX-gen\t\u2022 Win32:Malware-gen \u2022 Nymeria\n\u2022 Forcud +", "modified": "2025-09-11T13:03:18.814000", "created": "2025-08-12T19:53:03.953000", "tags": [ "url http", "url https", "indicator role", "title added", "active related", "pulses url", "entries", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "spawns", "mitre att", "ck techniques", "evasion att", "href", "copy md5", "copy sha1", "copy sha256", "sha1", "sha256", "show technique", "ck matrix", "null", "refresh", "body", "span", "general", "local", "path", "iframe", "click", "date", "strings", "error", "tools", "look", "verify", "restart", "united", "unknown ns", "ip address", "creation date", "search", "present sep", "moved", "domain add", "encrypt", "accept", "please", "passive dns", "msie", "next associated", "html", "background", "unknown site", "div div", "trojan", "zeus", "process32nextw", "read c", "show", "shellexecuteexw", "windows nt", "wow64", "copy", "dock", "write", "malware", "unknown", "defense evasion", "t1480 execution", "file defense", "august", "hybrid", "port", "destination", "tlsv1", "as15169", "ogoogle trust", "cngts ca", "execution", "next", "persistence", "data upload", "extraction", "win32", "ransom", "trojandropper", "mtb nov", "forcud", "files show", "date hash", "avast avg" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 29, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4179, "domain": 774, "hostname": 1673, "FileHash-MD5": 169, "FileHash-SHA1": 110, "FileHash-SHA256": 2073, "email": 1, "SSLCertFingerprint": 13, "CVE": 1 }, "indicator_count": 8993, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "220 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6894f30905efa56990bb10f6", "name": "Expanded device-local-****remotewd.com", "description": "device-local-2ffdbd74-9f90-41fa-beb8-454ed65788c5.remotewd.com", "modified": "2025-09-06T06:03:31.462000", "created": "2025-08-07T18:40:09.876000", "tags": [ "hostname", "pulse pulses", "passive dns", "urls", "files", "ip address", "nameservers", "date hash", "avast avg", "entries", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "itre att", "ck techniques", "copy md5", "copy sha1", "copy sha256", "sha256", "sha1", "mitre att", "pattern match", "show technique", "ck matrix", "null", "refresh", "body", "span", "august", "hybrid", "general", "local", "path", "click", "date", "strings", "error", "tools", "look", "verify", "restart", "domain", "hostname add", "files ip", "address", "location united", "hash avast", "avg clamav", "msdefender aug", "united", "port", "destination", "as16509", "search", "unknown", "ocloudflare", "medium", "memcommit", "service", "write", "next", "persistence", "execution", "malware", "copy", "encrypt", "win32", "mtb feb", "trojan", "susp", "trojandropper", "msr feb", "trojanspy", "next associated", "urls show", "date checked", "virtool", "win64", "worm", "mtb may", "files show", "heur", "script", "dropper", "ransom", "vitro", "pe32", "intel", "ms windows", "as15169", "read c", "asnone", "show", "packing t1045", "t1045", "delphi", "code", "june" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 6741, "domain": 5822, "FileHash-SHA256": 1550, "URL": 16348, "FileHash-MD5": 287, "FileHash-SHA1": 242, "SSLCertFingerprint": 9, "email": 1 }, "indicator_count": 31000, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "226 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6894f4e6c41982f405592b55", "name": "Worm:Win32/Mydoom | Expanded device-local-****remotewd.com", "description": "", "modified": "2025-09-06T06:03:31.462000", "created": "2025-08-07T18:48:06.557000", "tags": [ "hostname", "pulse pulses", "passive dns", "urls", "files", "ip address", "nameservers", "date hash", "avast avg", "entries", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "itre att", "ck techniques", "copy md5", "copy sha1", "copy sha256", "sha256", "sha1", "mitre att", "pattern match", "show technique", "ck matrix", "null", "refresh", "body", "span", "august", "hybrid", "general", "local", "path", "click", "date", "strings", "error", "tools", "look", "verify", "restart", "domain", "hostname add", "files ip", "address", "location united", "hash avast", "avg clamav", "msdefender aug", "united", "port", "destination", "as16509", "search", "unknown", "ocloudflare", "medium", "memcommit", "service", "write", "next", "persistence", "execution", "malware", "copy", "encrypt", "win32", "mtb feb", "trojan", "susp", "trojandropper", "msr feb", "trojanspy", "next associated", "urls show", "date checked", "virtool", "win64", "worm", "mtb may", "files show", "heur", "script", "dropper", "ransom", "vitro", "pe32", "intel", "ms windows", "as15169", "read c", "asnone", "show", "packing t1045", "t1045", "delphi", "code", "june" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [], "TLP": "green", "cloned_from": "6894f30905efa56990bb10f6", "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 6741, "domain": 5822, "FileHash-SHA256": 1550, "URL": 16348, "FileHash-MD5": 287, "FileHash-SHA1": 242, "SSLCertFingerprint": 9, "email": 1 }, "indicator_count": 31000, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "226 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68923ea4efbf58b7ba48acec", "name": "Hosted App", "description": "", "modified": "2025-09-04T16:03:17.037000", "created": "2025-08-05T17:25:56.454000", "tags": [ "issuer wr3", "log id", "gmtn", "abn timestamp", "ad180b80", "full name", "extensionsstr", "web server", "ca issuers", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "ssl certificate", "spawns", "mitre att", "sha1", "copy md5", "copy sha1", "copy sha256", "sha256", "ascii text", "pattern match", "show technique", "date", "format", "august", "hybrid", "local", "path", "click", "strings", "flag", "usa windows", "hwp support", "march", "december", "united", "markmonitor", "overview dns", "requests domain", "country", "contacted hosts", "ip address", "process details", "t1179 hooking", "access windows", "installs", "control att", "found", "development att", "name server", "show process", "programfiles", "command decode", "suricata ipv4", "ck matrix", "comspec", "model", "general", "dynamicloader", "unknown", "as16509", "whitelisted", "medium", "write c", "as15169", "search", "high", "write", "android", "malware", "copy", "next", "formbook cnc", "checkin", "entries", "passive dns", "next associated", "site", "neue", "ipv4", "pulse pulses", "exploit", "trojan", "virtool", "body", "refer", "present dec", "epub", "present jan", "present nov", "present oct", "showing", "urls show", "win32", "win64", "date checked", "url hostname", "server response", "google safe", "prefetch8", "localappdata", "prefetch1" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 3409, "hostname": 4127, "URL": 8408, "SSLCertFingerprint": 9, "FileHash-SHA256": 1175, "FileHash-MD5": 144, "FileHash-SHA1": 134, "CVE": 2 }, "indicator_count": 17408, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "227 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "687d18d829739be014393c59", "name": "SoundCloud - Hear the world\u2019s sounds", "description": "Social engineering included lots of contact via Facebook, Twitter, SoundCloud, Victims website, iCloud.. iCloud was erased and the hacker left the man \u2018deadmau5\u2018 . deadmau5 was used threatening posts emails and whoever they are sent photos and became overly interested in victims music. 1st to report music was not showing up on YouTube. Statements show victim had millions of views redirected. Hackers would often thank artistss for another million views. Songs pirated. Jansky on SoundCloud contacted victims daughter often, sent a photo and said he was from Great Britain. \n\u2022 ALFPER:PUA:Win32/InstallCore\n\u2022 TrojanDropper:Win32/VB.IL\n\u2022 Win.Trojan.Agent-\n|| blog.jpcert.or.jp \n\n\u2022 Registrant Org: Japan Computer Emergency Response Team Coordination Center\n\nI feel like this is very dangerous. These people are in Colorado no matter where they say they are.", "modified": "2025-08-19T14:03:11.976000", "created": "2025-07-20T16:27:04.872000", "tags": [ "read c", "search", "medium", "entries", "show", "unicode", "tls handshake", "memcommit", "delete", "crlf line", "next", "dock", "write", "execution", "malware", "copy", "no expiration", "filehashmd5", "filehashsha256", "showing", "urls", "passive dns", "http", "unique", "l add", "pulse pulses", "ip address", "related nids", "files location", "united", "code", "present jul", "present showing", "title error", "date checked", "url hostname", "server response", "google safe", "results jul", "next associated", "files show", "win32", "date", "urls show", "error", "creation date", "name servers", "value emails", "name eric", "wahlforss name", "org soundcloud", "city berlin", "country de", "dnssec unsigned", "files", "verdict", "domain", "files ip", "address", "location united", "asn as16509", "less", "results nov", "associated urls", "results jan", "present feb", "related tags", "none indicator", "facts domain", "present", "akamai external", "resources whois", "urlvoid", "related", "png image", "rgba", "alfper", "ipv4 add", "trojandropper", "present may", "present jun", "cname", "emails", "status", "servers", "less whois", "body", "fastly error", "please", "sea p", "america flag", "america asn", "trojan", "accept", "url add", "ip related", "pulses none", "cdhc", "oxq xr8w1", "fv5hc9a2l", "s showing", "next related", "domains domain", "script urls", "present sep", "cookie", "hostname add" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6020, "hostname": 1865, "FileHash-SHA256": 676, "FileHash-MD5": 106, "FileHash-SHA1": 86, "domain": 990, "email": 5 }, "indicator_count": 9748, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "243 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "687d18de7177474b759ab2b7", "name": "SoundCloud - Hear the world\u2019s sounds", "description": "Social engineering included lots of contact via Facebook, Twitter, SoundCloud, Victims website, iCloud.. iCloud was erased and the hacker left the man \u2018deadmau5\u2018 . deadmau5 was used threatening posts emails and whoever they are sent photos and became overly interested in victims music. 1st to report music was not showing up on YouTube. Statements show victim had millions of views redirected. Hackers would often thank artistss for another million views. Songs pirated. Jansky on SoundCloud contacted victims daughter often, sent a photo and said he was from Great Britain. \n\u2022 ALFPER:PUA:Win32/InstallCore\n\u2022 TrojanDropper:Win32/VB.IL\n\u2022 Win.Trojan.Agent-\n|| blog.jpcert.or.jp \n\n\u2022 Registrant Org: Japan Computer Emergency Response Team Coordination Center\n\nI feel like this is very dangerous. These people are in Colorado no matter where they say they are.", "modified": "2025-08-19T14:03:11.976000", "created": "2025-07-20T16:27:10.608000", "tags": [ "read c", "search", "medium", "entries", "show", "unicode", "tls handshake", "memcommit", "delete", "crlf line", "next", "dock", "write", "execution", "malware", "copy", "no expiration", "filehashmd5", "filehashsha256", "showing", "urls", "passive dns", "http", "unique", "l add", "pulse pulses", "ip address", "related nids", "files location", "united", "code", "present jul", "present showing", "title error", "date checked", "url hostname", "server response", "google safe", "results jul", "next associated", "files show", "win32", "date", "urls show", "error", "creation date", "name servers", "value emails", "name eric", "wahlforss name", "org soundcloud", "city berlin", "country de", "dnssec unsigned", "files", "verdict", "domain", "files ip", "address", "location united", "asn as16509", "less", "results nov", "associated urls", "results jan", "present feb", "related tags", "none indicator", "facts domain", "present", "akamai external", "resources whois", "urlvoid", "related", "png image", "rgba", "alfper", "ipv4 add", "trojandropper", "present may", "present jun", "cname", "emails", "status", "servers", "less whois", "body", "fastly error", "please", "sea p", "america flag", "america asn", "trojan", "accept", "url add", "ip related", "pulses none", "cdhc", "oxq xr8w1", "fv5hc9a2l", "s showing", "next related", "domains domain", "script urls", "present sep", "cookie", "hostname add" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6020, "hostname": 1865, "FileHash-SHA256": 676, "FileHash-MD5": 106, "FileHash-SHA1": 86, "domain": 990, "email": 5 }, "indicator_count": 9748, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "243 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "687c07591d641de3c896d4a9", "name": "icon.palantirfoundry.com - Brazzers Porn", "description": "Another strange pulse. Persistent bad actors moved and changed name of operation; of course. Usual - Hostname\nicon.palantirfoundry.com , Apple, Samsung , X.com , Twitter , Facebook, Google, Palantir NSA or a poser? I was threatened this week, I was told that if I was on the \u2018list\u2019 they have to do anything that is asked including \u2018blow me up\u2019. Sounds nuts but I can\u2019t believe this. Whoever has been doing this is hyper dangerous.\n\nicon.palantirfoundry.com ? P.S. Huge pulse. Can\u2019t use private option to cherry pick the IoC\u2019s I\u2019d like to breakdown. Have I broken a rule?", "modified": "2025-08-18T18:01:11.130000", "created": "2025-07-19T21:00:09.343000", "tags": [ "canada unknown", "passive dns", "ransom", "entries", "ipv4", "pulse submit", "url analysis", "urls", "files", "reverse dns", "united", "unknown ns", "moved", "ip address", "creation date", "search", "omain", "pulse pulses", "body", "date", "showing", "domain", "hostname", "ocloudflare", "stca", "lsan francisco", "ecc ca3", "ecc ca2", "as16509", "unknown", "ms windows", "encrypt", "write", "next", "service", "malware", "copy", "unknown soa", "next associated", "urls show", "date checked", "url hostname", "server response", "google safe", "results jul", "present jan", "medium", "memcommit", "module load", "t1129", "regopenkeyexw", "fjlsedauv", "et useragents", "go http", "registry run", "persistence", "execution", "checks", "keys", "start folder", "richhash", "external", "virustotal api", "screenshots", "find", "show", "types", "seard type", "indicator", "data upload", "extraction", "failed", "sc data", "type", "extri included", "review data", "sugges data", "find suxxesteu", "typ indicalon" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 62, "FileHash-SHA1": 17, "FileHash-SHA256": 1433, "URL": 10188, "hostname": 5658, "domain": 5753, "email": 4, "SSLCertFingerprint": 20 }, "indicator_count": 23135, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "244 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://ns-455.awsdns-56.com", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://ns-455.awsdns-56.com", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776670275.4211931 }