{ "type": "URL", "indicator": "https://ns1.fastlydns.net/", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://ns1.fastlydns.net/", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4113824299, "indicator": "https://ns1.fastlydns.net/", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 2, "pulses": [ { "id": "689b9b9fab42ca4f016a226f", "name": "Elastic's Al-driven Endpoint Security - Red Team Malicious (moved?)", "description": "Endgame - Unruy Activity -System infection | (Moved) Endpoint security (MOVED) from Elastic\nElastic's Al-driven security analytics empowers you with comprehensive endpoint protection. Detect, investigate, and respond to threats faster with a single agent and unified console. Gain actionable insights for a proactive defense posture. All built on the Search\nAl platform.\n| Used maliciously against monitored non-criminal targets. |\n{ virus - https://universitycenter.uccs.edu/}\n#unruy #activity #monitored_target #red_team_malicious #trojan #worm #moved\n#ai #adversarial #custom_malware #ransom #crypt #guardrails #dns #cnc #evasive #domain_generation #remote_access #devices #remotewd #virus #custom_malware #rip #endgame \n\u2022 TrojanDropper\t\t\t\n\u2022 Win32:Evo-gen\t\u2022 Cassini\n\u2022 RansomX-gen\u2022 Zombie.A\n\u2022 win32:MalwareX-gen\t\u2022 Win32:Malware-gen \u2022 Nymeria\n\u2022 Forcud +", "modified": "2025-09-11T13:03:18.814000", "created": "2025-08-12T19:53:03.953000", "tags": [ "url http", "url https", "indicator role", "title added", "active related", "pulses url", "entries", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "spawns", "mitre att", "ck techniques", "evasion att", "href", "copy md5", "copy sha1", "copy sha256", "sha1", "sha256", "show technique", "ck matrix", "null", "refresh", "body", "span", "general", "local", "path", "iframe", "click", "date", "strings", "error", "tools", "look", "verify", "restart", "united", "unknown ns", "ip address", "creation date", "search", "present sep", "moved", "domain add", "encrypt", "accept", "please", "passive dns", "msie", "next associated", "html", "background", "unknown site", "div div", "trojan", "zeus", "process32nextw", "read c", "show", "shellexecuteexw", "windows nt", "wow64", "copy", "dock", "write", "malware", "unknown", "defense evasion", "t1480 execution", "file defense", "august", "hybrid", "port", "destination", "tlsv1", "as15169", "ogoogle trust", "cngts ca", "execution", "next", "persistence", "data upload", "extraction", "win32", "ransom", "trojandropper", "mtb nov", "forcud", "files show", "date hash", "avast avg" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 29, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4179, "domain": 774, "hostname": 1673, "FileHash-MD5": 169, "FileHash-SHA1": 110, "FileHash-SHA256": 2073, "email": 1, "SSLCertFingerprint": 13, "CVE": 1 }, "indicator_count": 8993, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "221 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68923ea4efbf58b7ba48acec", "name": "Hosted App", "description": "", "modified": "2025-09-04T16:03:17.037000", "created": "2025-08-05T17:25:56.454000", "tags": [ "issuer wr3", "log id", "gmtn", "abn timestamp", "ad180b80", "full name", "extensionsstr", "web server", "ca issuers", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "ssl certificate", "spawns", "mitre att", "sha1", "copy md5", "copy sha1", "copy sha256", "sha256", "ascii text", "pattern match", "show technique", "date", "format", "august", "hybrid", "local", "path", "click", "strings", "flag", "usa windows", "hwp support", "march", "december", "united", "markmonitor", "overview dns", "requests domain", "country", "contacted hosts", "ip address", "process details", "t1179 hooking", "access windows", "installs", "control att", "found", "development att", "name server", "show process", "programfiles", "command decode", "suricata ipv4", "ck matrix", "comspec", "model", "general", "dynamicloader", "unknown", "as16509", "whitelisted", "medium", "write c", "as15169", "search", "high", "write", "android", "malware", "copy", "next", "formbook cnc", "checkin", "entries", "passive dns", "next associated", "site", "neue", "ipv4", "pulse pulses", "exploit", "trojan", "virtool", "body", "refer", "present dec", "epub", "present jan", "present nov", "present oct", "showing", "urls show", "win32", "win64", "date checked", "url hostname", "server response", "google safe", "prefetch8", "localappdata", "prefetch1" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 3409, "hostname": 4127, "URL": 8408, "SSLCertFingerprint": 9, "FileHash-SHA256": 1175, "FileHash-MD5": 144, "FileHash-SHA1": 134, "CVE": 2 }, "indicator_count": 17408, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "228 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 26349 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/fastlydns.net", "whois": "http://whois.domaintools.com/fastlydns.net", "domain": "fastlydns.net", "hostname": "ns1.fastlydns.net" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 2, "pulses": [ { "id": "689b9b9fab42ca4f016a226f", "name": "Elastic's Al-driven Endpoint Security - Red Team Malicious (moved?)", "description": "Endgame - Unruy Activity -System infection | (Moved) Endpoint security (MOVED) from Elastic\nElastic's Al-driven security analytics empowers you with comprehensive endpoint protection. Detect, investigate, and respond to threats faster with a single agent and unified console. Gain actionable insights for a proactive defense posture. All built on the Search\nAl platform.\n| Used maliciously against monitored non-criminal targets. |\n{ virus - https://universitycenter.uccs.edu/}\n#unruy #activity #monitored_target #red_team_malicious #trojan #worm #moved\n#ai #adversarial #custom_malware #ransom #crypt #guardrails #dns #cnc #evasive #domain_generation #remote_access #devices #remotewd #virus #custom_malware #rip #endgame \n\u2022 TrojanDropper\t\t\t\n\u2022 Win32:Evo-gen\t\u2022 Cassini\n\u2022 RansomX-gen\u2022 Zombie.A\n\u2022 win32:MalwareX-gen\t\u2022 Win32:Malware-gen \u2022 Nymeria\n\u2022 Forcud +", "modified": "2025-09-11T13:03:18.814000", "created": "2025-08-12T19:53:03.953000", "tags": [ "url http", "url https", "indicator role", "title added", "active related", "pulses url", "entries", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "spawns", "mitre att", "ck techniques", "evasion att", "href", "copy md5", "copy sha1", "copy sha256", "sha1", "sha256", "show technique", "ck matrix", "null", "refresh", "body", "span", "general", "local", "path", "iframe", "click", "date", "strings", "error", "tools", "look", "verify", "restart", "united", "unknown ns", "ip address", "creation date", "search", "present sep", "moved", "domain add", "encrypt", "accept", "please", "passive dns", "msie", "next associated", "html", "background", "unknown site", "div div", "trojan", "zeus", "process32nextw", "read c", "show", "shellexecuteexw", "windows nt", "wow64", "copy", "dock", "write", "malware", "unknown", "defense evasion", "t1480 execution", "file defense", "august", "hybrid", "port", "destination", "tlsv1", "as15169", "ogoogle trust", "cngts ca", "execution", "next", "persistence", "data upload", "extraction", "win32", "ransom", "trojandropper", "mtb nov", "forcud", "files show", "date hash", "avast avg" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 29, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4179, "domain": 774, "hostname": 1673, "FileHash-MD5": 169, "FileHash-SHA1": 110, "FileHash-SHA256": 2073, "email": 1, "SSLCertFingerprint": 13, "CVE": 1 }, "indicator_count": 8993, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "221 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68923ea4efbf58b7ba48acec", "name": "Hosted App", "description": "", "modified": "2025-09-04T16:03:17.037000", "created": "2025-08-05T17:25:56.454000", "tags": [ "issuer wr3", "log id", "gmtn", "abn timestamp", "ad180b80", "full name", "extensionsstr", "web server", "ca issuers", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "ssl certificate", "spawns", "mitre att", "sha1", "copy md5", "copy sha1", "copy sha256", "sha256", "ascii text", "pattern match", "show technique", "date", "format", "august", "hybrid", "local", "path", "click", "strings", "flag", "usa windows", "hwp support", "march", "december", "united", "markmonitor", "overview dns", "requests domain", "country", "contacted hosts", "ip address", "process details", "t1179 hooking", "access windows", "installs", "control att", "found", "development att", "name server", "show process", "programfiles", "command decode", "suricata ipv4", "ck matrix", "comspec", "model", "general", "dynamicloader", "unknown", "as16509", "whitelisted", "medium", "write c", "as15169", "search", "high", "write", "android", "malware", "copy", "next", "formbook cnc", "checkin", "entries", "passive dns", "next associated", "site", "neue", "ipv4", "pulse pulses", "exploit", "trojan", "virtool", "body", "refer", "present dec", "epub", "present jan", "present nov", "present oct", "showing", "urls show", "win32", "win64", "date checked", "url hostname", "server response", "google safe", "prefetch8", "localappdata", "prefetch1" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 3409, "hostname": 4127, "URL": 8408, "SSLCertFingerprint": 9, "FileHash-SHA256": 1175, "FileHash-MD5": 144, "FileHash-SHA1": 134, "CVE": 2 }, "indicator_count": 17408, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "228 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://ns1.fastlydns.net/", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://ns1.fastlydns.net/", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776712893.570571 }