{ "type": "URL", "indicator": "https://partner.outlook.cn/PowerShell/", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://partner.outlook.cn/PowerShell/", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3947107244, "indicator": "https://partner.outlook.cn/PowerShell/", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 6, "pulses": [ { "id": "6893032410060f658d862c60", "name": "Hosting App - Partial research | Emotet Worm", "description": "#firebase #google #dark_web_hosting #ransom #tracking #locate #monitored_targets #worm #emotet #malware #remoted_devices #trojan #reputation\n\n\u2022 Targets likely unaware.\n\n[m.pornsexer.xxx.3.1.adiosfil.roksit.net - reputation tool]", "modified": "2025-09-05T07:00:00.711000", "created": "2025-08-06T07:24:20.645000", "tags": [ "url https", "iocs", "learn more", "ipv4", "domain", "hostname", "types of", "sweden", "united", "belgium", "indicator role", "title added", "active related", "pulses hostname", "showing", "document file", "v2 document", "search", "medium", "ms windows", "vista event", "port", "msie", "windows nt", "wow64", "dirty", "write", "powershell", "copy", "next", "defender", "dynamicloader", "high", "fwlink", "windows", "cmd c", "alerts", "bios", "related pulses", "pulses", "related tags", "file type", "ascii text", "sha256", "external", "virustotal api", "screenshots", "june", "flag", "usa windows", "input threat", "level analysis", "summary", "gbrflag", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "adversaries", "spawns", "ssl certificate", "defense evasion", "sha1", "copy md5", "copy sha1", "copy sha256", "size", "mitre att", "date", "path", "format", "august", "hybrid", "local", "form", "click", "strings", "ubar", "truetype", "web open", "font format", "description web", "general", "iframe", "slcc2", "media center", "destination", "tlsv1", "unknown", "execution", "dock", "persistence", "malware", "encrypt", "ck techniques", "read c", "show", "entries", "delete", "data upload", "extraction", "onlv", "find", "type", "no matching", "indicator", "mtb may", "trojandropper", "passive dns", "next associated", "lowfi", "gmt cache", "sameorigin", "ipv4 add", "trojan", "mtb apr", "files show", "date hash", "avast avg", "shellterlod may", "win32qqpass apr", "trojanspy", "ransom", "wiper", "date checked", "url hostname", "server response", "ip address", "google safe", "results aug", "urls show", "hookwowlow may" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4593, "hostname": 1754, "domain": 399, "FileHash-SHA256": 2128, "FileHash-MD5": 426, "FileHash-SHA1": 299, "SSLCertFingerprint": 17 }, "indicator_count": 9616, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "226 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68930449988277cd29c25cb7", "name": "https://firebase.google.com/ - Ransom \u2022 Wiper\u2022 Trojan dropper", "description": "", "modified": "2025-09-05T07:00:00.711000", "created": "2025-08-06T07:29:13.136000", "tags": [ "url https", "iocs", "learn more", "ipv4", "domain", "hostname", "types of", "sweden", "united", "belgium", "indicator role", "title added", "active related", "pulses hostname", "showing", "document file", "v2 document", "search", "medium", "ms windows", "vista event", "port", "msie", "windows nt", "wow64", "dirty", "write", "powershell", "copy", "next", "defender", "dynamicloader", "high", "fwlink", "windows", "cmd c", "alerts", "bios", "related pulses", "pulses", "related tags", "file type", "ascii text", "sha256", "external", "virustotal api", "screenshots", "june", "flag", "usa windows", "input threat", "level analysis", "summary", "gbrflag", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "adversaries", "spawns", "ssl certificate", "defense evasion", "sha1", "copy md5", "copy sha1", "copy sha256", "size", "mitre att", "date", "path", "format", "august", "hybrid", "local", "form", "click", "strings", "ubar", "truetype", "web open", "font format", "description web", "general", "iframe", "slcc2", "media center", "destination", "tlsv1", "unknown", "execution", "dock", "persistence", "malware", "encrypt", "ck techniques", "read c", "show", "entries", "delete", "data upload", "extraction", "onlv", "find", "type", "no matching", "indicator", "mtb may", "trojandropper", "passive dns", "next associated", "lowfi", "gmt cache", "sameorigin", "ipv4 add", "trojan", "mtb apr", "files show", "date hash", "avast avg", "shellterlod may", "win32qqpass apr", "trojanspy", "ransom", "wiper", "date checked", "url hostname", "server response", "ip address", "google safe", "results aug", "urls show", "hookwowlow may" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" } ], "industries": [], "TLP": "green", "cloned_from": "6893032410060f658d862c60", "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4593, "hostname": 1754, "domain": 399, "FileHash-SHA256": 2128, "FileHash-MD5": 426, "FileHash-SHA1": 299, "SSLCertFingerprint": 17 }, "indicator_count": 9616, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "226 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6892e73b32af18aa302df0dc", "name": "Part 1.5", "description": "Dark web media \u2022 Political news \u2022 Malvertizing\nlocate \u2022\ntrack [stalk] \u2022 record calls \u2022 control media [youtube , etc] http://t.name?n[++i]=e:this.removeEventListener\t\t\nJeeng &\nPowebox [ accidentally left out in original post pulse]", "modified": "2025-09-05T04:03:06.929000", "created": "2025-08-06T05:25:15.369000", "tags": [ "chromeua", "optout", "object", "path", "value", "access type", "setval", "windir", "localappdata", "null", "win64", "error", "generator", "close", "roboto", "date", "format", "light", "span", "template", "void", "android", "body", "trident", "mexico", "sonic", "black", "critical", "desktop", "dark", "meta", "this", "june", "hybrid", "apache", "write", "crypto", "autodetect", "face", "courier", "gigi", "impact", "shadow", "click", "strings", "cray", "smwg", "eret", "footer", "infinity", "window", "canvas", "legend", "nuke", "lion", "4629", "ahav", "olsa", "false", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "spawns", "defense evasion", "t1480 execution", "file defense", "copy md5", "copy sha1", "copy sha256", "sha1", "sha256", "script", "mitre att", "pattern match", "show technique", "iframe", "refresh", "august", "general", "local", "tools", "demo", "look", "verify", "restart", "url http", "small", "pulses url", "tellyoun", "showing", "entries", "url https", "indicator role", "title added", "active related", "type indicator", "role title", "added active", "related pulses", "cc08", "f06a6b", "sfurl", "filehashsha256", "types", "indicators show", "search", "pulses", "filehashsha1", "adversaries", "found", "webp image", "ascii text", "riff", "size", "encrypt", "legacy", "filehashmd5", "united", "flag", "server", "markmonitor", "name server", "llc name", "overview dns", "requests domain", "country", "win32", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "file score", "medium risk", "yara", "detections", "malware", "copy", "show", "icmp traffic", "packing t1045", "t1045", "pdb path", "pe resource", "extraction", "data upload", "enter sc", "type", "extra data", "please", "failed", "review", "exclude data", "included review", "ic data", "suggeste", "stop", "type onow", "domain", "passive dns", "urls", "files related", "pulses none", "related tags", "none google", "safe browsing", "sc data", "extr amanuav", "review included", "manualy", "sugges excluded", "filehash", "md5 add", "pulse pulses", "url add", "http", "hostname", "files domain", "pulses otx", "virustotal", "hsmi192547107", "pulses hostname", "r dec", "customer dec", "iski dec", "decision dec", "va dec", "bitcoin", "bitcoin dec", "petra", "torstatus dec", "paul dec", "sodesc", "planet dec", "emilia", "heroin dec", "difference dec", "palantir dec", "loraxlive dec", "chaturbate dec", "sandra", "free dec", "marvel dec", "benjis dec", "fresh dec", "sodesc dec", "srdirport", "srhostname", "link dec", "types of", "italy", "china", "australia", "france", "turkey", "discovery", "information", "ck ids", "t1005", "local system", "t1007", "system service", "part", "track", "locate", "political", "civil society", "news", "created", "hours ago", "report spam", "t1555", "password", "t1560", "collected data", "t1573", "channel", "t1574", "execution flow", "scan", "iocs", "t1497", "u0lhmq", "mtawmq", "t1480", "guardrails", "t1486", "data encrypted", "learn more", "unsubscribe aug", "protocol", "t1074", "staged", "t1083", "t1102", "web service", "t1105", "tool transfer", "t1140", "data engineer", "candidate", "tlsv1", "odigicert inc", "stcalifornia", "lsan jose", "oadobe systems", "incorporated", "cndigicert sha2", "push", "next", "high", "write c", "ireland as16509", "delete", "dirty", "tags", "t1012", "flow endpoint", "security scan", "t1106", "copyright", "levelblue" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 608, "FileHash-SHA1": 433, "FileHash-SHA256": 3663, "URL": 17104, "domain": 1316, "email": 39, "hostname": 4208, "SSLCertFingerprint": 17 }, "indicator_count": 27388, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "226 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66d147ac5afafb76f652ccfb", "name": "cyberfolks.pl / Hosting/ 185.208.164.121 / VPS / 94.152.11.60 / 193.218.154.51", "description": "The full text of the text-free version of Microsoft's Chrome browser can be viewed here:. \u00c2\u00a31.5m.. (\u20ac2.4m) \u20ac", "modified": "2024-12-16T22:19:24.841000", "created": "2024-08-30T04:16:44.939000", "tags": [ "vhash", "ssdeep", "digicert", "g2 firmy", "digicert g3", "entrust gwny", "gwny", "microsoft ecc", "microsoft azure", "ecc tls", "rsa tls", "microsoft rsa", "aoc ca", "digicert tls", "azure rsa", "eoc ca", "digicert cloud", "azure tls", "azure ecc", "xargs", "jeli", "azure", "authority", "java", "ms windows", "dziennik zdarze", "vista", "pe32", "intel", "defender", "systemy", "plik", "tekst ascii", "dane archiwalne", "ptime", "danie", "msie", "windows nt", "okrndata", "jzyk", "cieka", "sha1", "sha256", "imphasz", "pejzasz", "windows", "eurostile", "disk1", "augustin", "butterfield", "cook", "drummer", "erickson", "fjsv", "flynn", "gorman", "easy", "rada", "xanadu", "config", "reboot", "screen", "trash", "wersja pliku", "v2 dokument", "aaaa", "cname", "aaaaa", "whasz", "dostawa", "cache entry", "wav chrome", "gzip chrome", "text chrome", "woff chrome", "cab c", "lnk c", "doc c", "doc chrome", "ttf chrome" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6307, "hostname": 7851, "domain": 1282, "FileHash-MD5": 221, "FileHash-SHA256": 1346, "IPv4": 1437, "IPv6": 8, "FileHash-SHA1": 192, "email": 3, "CIDR": 8, "CVE": 2 }, "indicator_count": 18657, "is_author": false, "is_subscribing": null, "subscriber_count": 125, "modified_text": "488 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66cb1a82b938d97fca42577b", "name": "http://sni.cloudflaressl.com/ SSL dla sni.com and Cloudflaressl.cloudflAressL.org", "description": "urz\u0105dzenie5695310-7a1dc9c7-local.wd2go.com\nurz\u0105dzenie4491421-0ffc7b50-local.wd2go.com", "modified": "2024-11-29T19:44:16.599000", "created": "2024-08-25T11:50:26.438000", "tags": [ "cloudflare", "read", "report", "zero trust", "contact", "sign", "view", "discover", "gartner magic", "quadrant", "protect", "enterprise", "fortune", "ssl certificate" ], "references": [ "http://sni.cloudflaressl.com/" ], "public": 1, "adversary": "TrojanDownloader:Win32/Nemucod", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8863, "hostname": 2526, "domain": 3054, "FileHash-SHA256": 703, "FileHash-SHA1": 16, "IPv4": 227, "FileHash-MD5": 10, "IPv6": 8, "CVE": 2 }, "indicator_count": 15409, "is_author": false, "is_subscribing": null, "subscriber_count": 124, "modified_text": "505 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66cbb85a6cfde70987049f81", "name": "Hijacked Android: CryptInject | Dridex | Spyware", "description": "Hijacked basic android phone purchased in US directly from vendor not carrier. Spyware, SQL and other malware found. \nIt's a bit confusing IC3 is typically synonymous with United States FBI cyber security complaint division. Issue appear to be originating from China. This is interesting. Microsoft Teams CN have login, password, account, modification privileges as well as an 'audience'. \nVictim contacted IC3, received no response when contacting IC3 from personal devices. Calls are being made from phone as well as many other intrusive activities.\nOriginated from an IP address found on phone with a SWIPPER dba Verizon Business with a Hurricane Electric BGP relationship.", "modified": "2024-09-24T21:00:32.174000", "created": "2024-08-25T23:03:54.460000", "tags": [ "windows", "service", "shellexecuteexw", "writeconsolew", "registry", "modify existing", "dock", "write", "malware", "binary_yara", "yara rule", "binary file", "all scoreblue", "av detections", "ids detections", "yara detections", "alerts", "all search", "otx scoreblue", "analysis date", "risk", "show", "filehash", "april", "trojanspy", "file score", "june", "passive dns", "urls", "hostname", "url analysis", "domain", "china unknown", "as133775", "as4847 china", "united", "as4811 china", "as4837 china", "as54994 quantil", "as133774", "cname", "aaaa", "as20940", "registrar", "unknown related", "pulses otx", "tags", "present", "issuer cus", "odigicert inc", "road", "beijing country", "blue cloud", "apnic person", "cn phone", "ip information", "quick stats", "ip location", "china", "ltd asn", "whois lookup", "bluecloud descr", "shanghai blue", "ltd descr", "apnic irt", "beijing email", "whois lookups", "country", "filtered role", "abuse cnniccn", "algorithm", "key usage", "first", "v3 serial", "number", "cus odigicert", "inc cndigicert", "basic rsa", "cn ca", "g2 validity", "status hostname", "query type", "address first", "seen last", "country unknown", "files ip", "sql client", "historical ssl", "referrer", "win32", "entries", "scan endpoints", "pulse pulses", "copy" ], "references": [ "ic3he-ge.teams.trafficmanager.cn | ic3he-ge.teams.trafficmanager.cn | partnerapi.trafficmanager.cn | 001-ea3.chn.cos.audience.teams.microsoftonline.cn | eventsync.trafficmanager.cn", "Yara Detections: ProcessInjector_Gen , stack_string , Cabinet_Archive , VM_Unknown , UPX", "bjb.webshell.suite.partner.microsoftonline.cn | Shanghai Blue", "001-ea3.chn.cos.audience.teams.microsoftonline.cn | 001-no3.chn.cos.audience.teams.microsoftonline.cn", "https://callcontroller.cnea3-02.ic3-calling-callcontroller.chinaeast3-gallatin.cosmic.partner.outlook.cn", "partnerapi.trafficmanager.cn | 001-ea3.chn.cos.audience.teams.microsoftonline.cn | eventsync.trafficmanager.cn", "http://callcontroller.cnea3-02.ic3-calling-callcontroller.chinaeast3-gallatin.cosmic.partner.outlook.cn", "http://callcontroller.cnno3-02.ic3-calling-callcontroller.chinanorth3-gallatin.cosmic.partner.outlook.cn", "ic3-media-audiencebot.chn-ea3-001.ic3-media-audiencebot.chinaeast3-gallatin.cosmic.partner.outlook.cn", "ic3-media-mpaas-ivr.chn-no3-002.ic3-media-mpaas-ivr.chinanorth3-gallatin.cosmic.partner.outlook.cn", "ic3-media-audiencebot.chn-no3-001.ic3-media-audiencebot.chinanorth3-gallatin.cosmic.partner.outlook.cn", "http://w.cn4e.com/login/bc.jsp?p=vfqFFKW%2BIGfiCD65IDGjyLxM2SI6T01nMjOHYnstwLOHKIWDgmOKTOF1xSdw9Gcgk3Vsw%2BiMEMZg0exeBk76yA%3D%3D%26njqroJJefuLemxYifUtAyeML%2FLMURbuIPYQZrlWic%2BL8e8HVbJO9uR2YxwgfwZct39x09olEQGUt7c7AUR5VeQ%3D%3D%26KwZ41toCvJmi5lujp8N8y8fB65auqmMzD93Hpf2Y7lSTCl0TqvssvQvyWAsH9sX6ykvG0puC%2FCCRD48L9J5YjQ%3D%3D%26ck6ZnzP%2FWNQV%2BmK5uOzxgB9XdQbUEnnpNXUT0vCUKGpoDcmpZLuzbmyzsZfKKGyzo8r7L0Qwfw2mff0zdyc5BA%3D%3D&d=yongstextile.com", "http://www.forensickb.com/2013/03/file-entropy-explained.html", "https://otx.alienvault.com/otxapi/indicators/url/screenshot/http://www.forensickb.com/2013/03/file-entropy-explained.html", "http://phoenix.yizimg.com/alabiaga/androidx/commit/d7e342ef6cfe5885f1bb786f1912a039422b9251", "TrojanSpy:Win32/Rebhip.F: http://w.cn4e.com/login/bc.jsp?p=ix5KZDRKcnWBJ6ajdBhecP1lMuzLoE1s0C1i9+ksxWcZJK/hYGZdXSDPe3xCp02xzq0EXsDt+GEIykVMplIPKA==&4lC8a2Py9lOxeYnfOWCZPU0VlLoLx7fVrfU2hBe8CgagrYeJS+SoNc3W34M2h/kbKz5RbH+OFy2SfjMAmGu74w==&A9VopQG0dDxhY+Ku/NF1C8FGNvIhy36pnzqkS4GgTjwsbI8ok+B5K8FXJW2kEIlJxYQu19lSwkqKJu+UtcZvfg==&G/9EanSL/XFEPUA7CiWzOg/9sPYcdFKz90x7wGXCESBsMdCvrrldf9ZZrjBpUx8XdG6aK/wR8sqSksJ5wA9Y6Q==&YRQGDPQJkCxAmK4eNjFDC7I0arWP+eE6UIJHCPmv/HXDcxRWPDOXlzXK7uvuVDkjA1llh8gOam+rpWLXZTx+uQ==&d=sicoto", "TrojanSpy:Win32/Rebhip.F: 5586f9b1a688d58ead675547231f84daf30c0c1c18fc6584fb37cfdaa5125fea", "VirTool:MSIL/CryptInject!: FileHash-SHA256 bbabbbdfbb40016ed75a7ceb3f983c58797577247ffba74a1d0aab46b72b0643", "Yara Detections ConventionEngine_Keyword_Launch , MS_Visual_Cpp_2003 , Cabinet_Archive , Nullsoft_NSIS", "tokenencryption.mam.manage-ppe.microsoftonline.cn | https://encrypt.enterpriseregistration.partner.microsoftonline.cn", "http://virii.es/U/Using Entropy Analysis to Find Encrypted and Packed Malware.pdf" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "ALF:AGGR:Mytonel_Obfuscator", "display_name": "ALF:AGGR:Mytonel_Obfuscator", "target": null }, { "id": "Win.Malware.Generic-9870238-0", "display_name": "Win.Malware.Generic-9870238-0", "target": null }, { "id": "ALF:HeraklezEval:TrojanSpy:Win32/Rebhip.F", "display_name": "ALF:HeraklezEval:TrojanSpy:Win32/Rebhip.F", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Win.Malware.Zusy-9875693-0", "display_name": "Win.Malware.Zusy-9875693-0", "target": null }, { "id": "ALF:HeraklezEval:TrojanDownloader:Win32/Dridex!rfn", "display_name": "ALF:HeraklezEval:TrojanDownloader:Win32/Dridex!rfn", "target": null }, { "id": "ALF:JASYP:VirTool:MSIL/CryptInject!atmn", "display_name": "ALF:JASYP:VirTool:MSIL/CryptInject!atmn", "target": null } ], "attack_ids": [ { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1505.001", "name": "SQL Stored Procedures", "display_name": "T1505.001 - SQL Stored Procedures" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1564.005", "name": "Hidden File System", "display_name": "T1564.005 - Hidden File System" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1673, "FileHash-SHA1": 1344, "FileHash-SHA256": 3753, "domain": 224, "hostname": 613, "URL": 490, "email": 8, "CIDR": 1 }, "indicator_count": 8106, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "571 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "http://phoenix.yizimg.com/alabiaga/androidx/commit/d7e342ef6cfe5885f1bb786f1912a039422b9251", "ic3-media-audiencebot.chn-no3-001.ic3-media-audiencebot.chinanorth3-gallatin.cosmic.partner.outlook.cn", "Yara Detections ConventionEngine_Keyword_Launch , MS_Visual_Cpp_2003 , Cabinet_Archive , Nullsoft_NSIS", "tokenencryption.mam.manage-ppe.microsoftonline.cn | https://encrypt.enterpriseregistration.partner.microsoftonline.cn", "https://callcontroller.cnea3-02.ic3-calling-callcontroller.chinaeast3-gallatin.cosmic.partner.outlook.cn", "VirTool:MSIL/CryptInject!: FileHash-SHA256 bbabbbdfbb40016ed75a7ceb3f983c58797577247ffba74a1d0aab46b72b0643", "https://otx.alienvault.com/otxapi/indicators/url/screenshot/http://www.forensickb.com/2013/03/file-entropy-explained.html", "http://callcontroller.cnno3-02.ic3-calling-callcontroller.chinanorth3-gallatin.cosmic.partner.outlook.cn", "001-ea3.chn.cos.audience.teams.microsoftonline.cn | 001-no3.chn.cos.audience.teams.microsoftonline.cn", "bjb.webshell.suite.partner.microsoftonline.cn | Shanghai Blue", "Yara Detections: ProcessInjector_Gen , stack_string , Cabinet_Archive , VM_Unknown , UPX", "ic3he-ge.teams.trafficmanager.cn | ic3he-ge.teams.trafficmanager.cn | partnerapi.trafficmanager.cn | 001-ea3.chn.cos.audience.teams.microsoftonline.cn | eventsync.trafficmanager.cn", "http://virii.es/U/Using Entropy Analysis to Find Encrypted and Packed Malware.pdf", "http://www.forensickb.com/2013/03/file-entropy-explained.html", "TrojanSpy:Win32/Rebhip.F: 5586f9b1a688d58ead675547231f84daf30c0c1c18fc6584fb37cfdaa5125fea", "TrojanSpy:Win32/Rebhip.F: http://w.cn4e.com/login/bc.jsp?p=ix5KZDRKcnWBJ6ajdBhecP1lMuzLoE1s0C1i9+ksxWcZJK/hYGZdXSDPe3xCp02xzq0EXsDt+GEIykVMplIPKA==&4lC8a2Py9lOxeYnfOWCZPU0VlLoLx7fVrfU2hBe8CgagrYeJS+SoNc3W34M2h/kbKz5RbH+OFy2SfjMAmGu74w==&A9VopQG0dDxhY+Ku/NF1C8FGNvIhy36pnzqkS4GgTjwsbI8ok+B5K8FXJW2kEIlJxYQu19lSwkqKJu+UtcZvfg==&G/9EanSL/XFEPUA7CiWzOg/9sPYcdFKz90x7wGXCESBsMdCvrrldf9ZZrjBpUx8XdG6aK/wR8sqSksJ5wA9Y6Q==&YRQGDPQJkCxAmK4eNjFDC7I0arWP+eE6UIJHCPmv/HXDcxRWPDOXlzXK7uvuVDkjA1llh8gOam+rpWLXZTx+uQ==&d=sicoto", "http://sni.cloudflaressl.com/", "ic3-media-audiencebot.chn-ea3-001.ic3-media-audiencebot.chinaeast3-gallatin.cosmic.partner.outlook.cn", "http://callcontroller.cnea3-02.ic3-calling-callcontroller.chinaeast3-gallatin.cosmic.partner.outlook.cn", "http://w.cn4e.com/login/bc.jsp?p=vfqFFKW%2BIGfiCD65IDGjyLxM2SI6T01nMjOHYnstwLOHKIWDgmOKTOF1xSdw9Gcgk3Vsw%2BiMEMZg0exeBk76yA%3D%3D%26njqroJJefuLemxYifUtAyeML%2FLMURbuIPYQZrlWic%2BL8e8HVbJO9uR2YxwgfwZct39x09olEQGUt7c7AUR5VeQ%3D%3D%26KwZ41toCvJmi5lujp8N8y8fB65auqmMzD93Hpf2Y7lSTCl0TqvssvQvyWAsH9sX6ykvG0puC%2FCCRD48L9J5YjQ%3D%3D%26ck6ZnzP%2FWNQV%2BmK5uOzxgB9XdQbUEnnpNXUT0vCUKGpoDcmpZLuzbmyzsZfKKGyzo8r7L0Qwfw2mff0zdyc5BA%3D%3D&d=yongstextile.com", "ic3-media-mpaas-ivr.chn-no3-002.ic3-media-mpaas-ivr.chinanorth3-gallatin.cosmic.partner.outlook.cn", "partnerapi.trafficmanager.cn | 001-ea3.chn.cos.audience.teams.microsoftonline.cn | eventsync.trafficmanager.cn" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "TrojanDownloader:Win32/Nemucod" ], "malware_families": [ "Alf:jasyp:virtool:msil/cryptinject!atmn", "Alf:aggr:mytonel_obfuscator", "Win.malware.zusy-9875693-0", "Alf:heraklezeval:trojanspy:win32/rebhip.f", "Alf:heraklezeval:trojandownloader:win32/dridex!rfn", "Win.malware.generic-9870238-0", "Trojanspy" ], "industries": [], "unique_indicators": 60512 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/outlook.cn", "whois": "http://whois.domaintools.com/outlook.cn", "domain": "outlook.cn", "hostname": "partner.outlook.cn" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 6, "pulses": [ { "id": "6893032410060f658d862c60", "name": "Hosting App - Partial research | Emotet Worm", "description": "#firebase #google #dark_web_hosting #ransom #tracking #locate #monitored_targets #worm #emotet #malware #remoted_devices #trojan #reputation\n\n\u2022 Targets likely unaware.\n\n[m.pornsexer.xxx.3.1.adiosfil.roksit.net - reputation tool]", "modified": "2025-09-05T07:00:00.711000", "created": "2025-08-06T07:24:20.645000", "tags": [ "url https", "iocs", "learn more", "ipv4", "domain", "hostname", "types of", "sweden", "united", "belgium", "indicator role", "title added", "active related", "pulses hostname", "showing", "document file", "v2 document", "search", "medium", "ms windows", "vista event", "port", "msie", "windows nt", "wow64", "dirty", "write", "powershell", "copy", "next", "defender", "dynamicloader", "high", "fwlink", "windows", "cmd c", "alerts", "bios", "related pulses", "pulses", "related tags", "file type", "ascii text", "sha256", "external", "virustotal api", "screenshots", "june", "flag", "usa windows", "input threat", "level analysis", "summary", "gbrflag", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "adversaries", "spawns", "ssl certificate", "defense evasion", "sha1", "copy md5", "copy sha1", "copy sha256", "size", "mitre att", "date", "path", "format", "august", "hybrid", "local", "form", "click", "strings", "ubar", "truetype", "web open", "font format", "description web", "general", "iframe", "slcc2", "media center", "destination", "tlsv1", "unknown", "execution", "dock", "persistence", "malware", "encrypt", "ck techniques", "read c", "show", "entries", "delete", "data upload", "extraction", "onlv", "find", "type", "no matching", "indicator", "mtb may", "trojandropper", "passive dns", "next associated", "lowfi", "gmt cache", "sameorigin", "ipv4 add", "trojan", "mtb apr", "files show", "date hash", "avast avg", "shellterlod may", "win32qqpass apr", "trojanspy", "ransom", "wiper", "date checked", "url hostname", "server response", "ip address", "google safe", "results aug", "urls show", "hookwowlow may" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4593, "hostname": 1754, "domain": 399, "FileHash-SHA256": 2128, "FileHash-MD5": 426, "FileHash-SHA1": 299, "SSLCertFingerprint": 17 }, "indicator_count": 9616, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "226 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68930449988277cd29c25cb7", "name": "https://firebase.google.com/ - Ransom \u2022 Wiper\u2022 Trojan dropper", "description": "", "modified": "2025-09-05T07:00:00.711000", "created": "2025-08-06T07:29:13.136000", "tags": [ "url https", "iocs", "learn more", "ipv4", "domain", "hostname", "types of", "sweden", "united", "belgium", "indicator role", "title added", "active related", "pulses hostname", "showing", "document file", "v2 document", "search", "medium", "ms windows", "vista event", "port", "msie", "windows nt", "wow64", "dirty", "write", "powershell", "copy", "next", "defender", "dynamicloader", "high", "fwlink", "windows", "cmd c", "alerts", "bios", "related pulses", "pulses", "related tags", "file type", "ascii text", "sha256", "external", "virustotal api", "screenshots", "june", "flag", "usa windows", "input threat", "level analysis", "summary", "gbrflag", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "adversaries", "spawns", "ssl certificate", "defense evasion", "sha1", "copy md5", "copy sha1", "copy sha256", "size", "mitre att", "date", "path", "format", "august", "hybrid", "local", "form", "click", "strings", "ubar", "truetype", "web open", "font format", "description web", "general", "iframe", "slcc2", "media center", "destination", "tlsv1", "unknown", "execution", "dock", "persistence", "malware", "encrypt", "ck techniques", "read c", "show", "entries", "delete", "data upload", "extraction", "onlv", "find", "type", "no matching", "indicator", "mtb may", "trojandropper", "passive dns", "next associated", "lowfi", "gmt cache", "sameorigin", "ipv4 add", "trojan", "mtb apr", "files show", "date hash", "avast avg", "shellterlod may", "win32qqpass apr", "trojanspy", "ransom", "wiper", "date checked", "url hostname", "server response", "ip address", "google safe", "results aug", "urls show", "hookwowlow may" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" } ], "industries": [], "TLP": "green", "cloned_from": "6893032410060f658d862c60", "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4593, "hostname": 1754, "domain": 399, "FileHash-SHA256": 2128, "FileHash-MD5": 426, "FileHash-SHA1": 299, "SSLCertFingerprint": 17 }, "indicator_count": 9616, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "226 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6892e73b32af18aa302df0dc", "name": "Part 1.5", "description": "Dark web media \u2022 Political news \u2022 Malvertizing\nlocate \u2022\ntrack [stalk] \u2022 record calls \u2022 control media [youtube , etc] http://t.name?n[++i]=e:this.removeEventListener\t\t\nJeeng &\nPowebox [ accidentally left out in original post pulse]", "modified": "2025-09-05T04:03:06.929000", "created": "2025-08-06T05:25:15.369000", "tags": [ "chromeua", "optout", "object", "path", "value", "access type", "setval", "windir", "localappdata", "null", "win64", "error", "generator", "close", "roboto", "date", "format", "light", "span", "template", "void", "android", "body", "trident", "mexico", "sonic", "black", "critical", "desktop", "dark", "meta", "this", "june", "hybrid", "apache", "write", "crypto", "autodetect", "face", "courier", "gigi", "impact", "shadow", "click", "strings", "cray", "smwg", "eret", "footer", "infinity", "window", "canvas", "legend", "nuke", "lion", "4629", "ahav", "olsa", "false", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "spawns", "defense evasion", "t1480 execution", "file defense", "copy md5", "copy sha1", "copy sha256", "sha1", "sha256", "script", "mitre att", "pattern match", "show technique", "iframe", "refresh", "august", "general", "local", "tools", "demo", "look", "verify", "restart", "url http", "small", "pulses url", "tellyoun", "showing", "entries", "url https", "indicator role", "title added", "active related", "type indicator", "role title", "added active", "related pulses", "cc08", "f06a6b", "sfurl", "filehashsha256", "types", "indicators show", "search", "pulses", "filehashsha1", "adversaries", "found", "webp image", "ascii text", "riff", "size", "encrypt", "legacy", "filehashmd5", "united", "flag", "server", "markmonitor", "name server", "llc name", "overview dns", "requests domain", "country", "win32", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "file score", "medium risk", "yara", "detections", "malware", "copy", "show", "icmp traffic", "packing t1045", "t1045", "pdb path", "pe resource", "extraction", "data upload", "enter sc", "type", "extra data", "please", "failed", "review", "exclude data", "included review", "ic data", "suggeste", "stop", "type onow", "domain", "passive dns", "urls", "files related", "pulses none", "related tags", "none google", "safe browsing", "sc data", "extr amanuav", "review included", "manualy", "sugges excluded", "filehash", "md5 add", "pulse pulses", "url add", "http", "hostname", "files domain", "pulses otx", "virustotal", "hsmi192547107", "pulses hostname", "r dec", "customer dec", "iski dec", "decision dec", "va dec", "bitcoin", "bitcoin dec", "petra", "torstatus dec", "paul dec", "sodesc", "planet dec", "emilia", "heroin dec", "difference dec", "palantir dec", "loraxlive dec", "chaturbate dec", "sandra", "free dec", "marvel dec", "benjis dec", "fresh dec", "sodesc dec", "srdirport", "srhostname", "link dec", "types of", "italy", "china", "australia", "france", "turkey", "discovery", "information", "ck ids", "t1005", "local system", "t1007", "system service", "part", "track", "locate", "political", "civil society", "news", "created", "hours ago", "report spam", "t1555", "password", "t1560", "collected data", "t1573", "channel", "t1574", "execution flow", "scan", "iocs", "t1497", "u0lhmq", "mtawmq", "t1480", "guardrails", "t1486", "data encrypted", "learn more", "unsubscribe aug", "protocol", "t1074", "staged", "t1083", "t1102", "web service", "t1105", "tool transfer", "t1140", "data engineer", "candidate", "tlsv1", "odigicert inc", "stcalifornia", "lsan jose", "oadobe systems", "incorporated", "cndigicert sha2", "push", "next", "high", "write c", "ireland as16509", "delete", "dirty", "tags", "t1012", "flow endpoint", "security scan", "t1106", "copyright", "levelblue" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 608, "FileHash-SHA1": 433, "FileHash-SHA256": 3663, "URL": 17104, "domain": 1316, "email": 39, "hostname": 4208, "SSLCertFingerprint": 17 }, "indicator_count": 27388, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "226 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66d147ac5afafb76f652ccfb", "name": "cyberfolks.pl / Hosting/ 185.208.164.121 / VPS / 94.152.11.60 / 193.218.154.51", "description": "The full text of the text-free version of Microsoft's Chrome browser can be viewed here:. \u00c2\u00a31.5m.. (\u20ac2.4m) \u20ac", "modified": "2024-12-16T22:19:24.841000", "created": "2024-08-30T04:16:44.939000", "tags": [ "vhash", "ssdeep", "digicert", "g2 firmy", "digicert g3", "entrust gwny", "gwny", "microsoft ecc", "microsoft azure", "ecc tls", "rsa tls", "microsoft rsa", "aoc ca", "digicert tls", "azure rsa", "eoc ca", "digicert cloud", "azure tls", "azure ecc", "xargs", "jeli", "azure", "authority", "java", "ms windows", "dziennik zdarze", "vista", "pe32", "intel", "defender", "systemy", "plik", "tekst ascii", "dane archiwalne", "ptime", "danie", "msie", "windows nt", "okrndata", "jzyk", "cieka", "sha1", "sha256", "imphasz", "pejzasz", "windows", "eurostile", "disk1", "augustin", "butterfield", "cook", "drummer", "erickson", "fjsv", "flynn", "gorman", "easy", "rada", "xanadu", "config", "reboot", "screen", "trash", "wersja pliku", "v2 dokument", "aaaa", "cname", "aaaaa", "whasz", "dostawa", "cache entry", "wav chrome", "gzip chrome", "text chrome", "woff chrome", "cab c", "lnk c", "doc c", "doc chrome", "ttf chrome" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6307, "hostname": 7851, "domain": 1282, "FileHash-MD5": 221, "FileHash-SHA256": 1346, "IPv4": 1437, "IPv6": 8, "FileHash-SHA1": 192, "email": 3, "CIDR": 8, "CVE": 2 }, "indicator_count": 18657, "is_author": false, "is_subscribing": null, "subscriber_count": 125, "modified_text": "488 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66cb1a82b938d97fca42577b", "name": "http://sni.cloudflaressl.com/ SSL dla sni.com and Cloudflaressl.cloudflAressL.org", "description": "urz\u0105dzenie5695310-7a1dc9c7-local.wd2go.com\nurz\u0105dzenie4491421-0ffc7b50-local.wd2go.com", "modified": "2024-11-29T19:44:16.599000", "created": "2024-08-25T11:50:26.438000", "tags": [ "cloudflare", "read", "report", "zero trust", "contact", "sign", "view", "discover", "gartner magic", "quadrant", "protect", "enterprise", "fortune", "ssl certificate" ], "references": [ "http://sni.cloudflaressl.com/" ], "public": 1, "adversary": "TrojanDownloader:Win32/Nemucod", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8863, "hostname": 2526, "domain": 3054, "FileHash-SHA256": 703, "FileHash-SHA1": 16, "IPv4": 227, "FileHash-MD5": 10, "IPv6": 8, "CVE": 2 }, "indicator_count": 15409, "is_author": false, "is_subscribing": null, "subscriber_count": 124, "modified_text": "505 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66cbb85a6cfde70987049f81", "name": "Hijacked Android: CryptInject | Dridex | Spyware", "description": "Hijacked basic android phone purchased in US directly from vendor not carrier. Spyware, SQL and other malware found. \nIt's a bit confusing IC3 is typically synonymous with United States FBI cyber security complaint division. Issue appear to be originating from China. This is interesting. Microsoft Teams CN have login, password, account, modification privileges as well as an 'audience'. \nVictim contacted IC3, received no response when contacting IC3 from personal devices. Calls are being made from phone as well as many other intrusive activities.\nOriginated from an IP address found on phone with a SWIPPER dba Verizon Business with a Hurricane Electric BGP relationship.", "modified": "2024-09-24T21:00:32.174000", "created": "2024-08-25T23:03:54.460000", "tags": [ "windows", "service", "shellexecuteexw", "writeconsolew", "registry", "modify existing", "dock", "write", "malware", "binary_yara", "yara rule", "binary file", "all scoreblue", "av detections", "ids detections", "yara detections", "alerts", "all search", "otx scoreblue", "analysis date", "risk", "show", "filehash", "april", "trojanspy", "file score", "june", "passive dns", "urls", "hostname", "url analysis", "domain", "china unknown", "as133775", "as4847 china", "united", "as4811 china", "as4837 china", "as54994 quantil", "as133774", "cname", "aaaa", "as20940", "registrar", "unknown related", "pulses otx", "tags", "present", "issuer cus", "odigicert inc", "road", "beijing country", "blue cloud", "apnic person", "cn phone", "ip information", "quick stats", "ip location", "china", "ltd asn", "whois lookup", "bluecloud descr", "shanghai blue", "ltd descr", "apnic irt", "beijing email", "whois lookups", "country", "filtered role", "abuse cnniccn", "algorithm", "key usage", "first", "v3 serial", "number", "cus odigicert", "inc cndigicert", "basic rsa", "cn ca", "g2 validity", "status hostname", "query type", "address first", "seen last", "country unknown", "files ip", "sql client", "historical ssl", "referrer", "win32", "entries", "scan endpoints", "pulse pulses", "copy" ], "references": [ "ic3he-ge.teams.trafficmanager.cn | ic3he-ge.teams.trafficmanager.cn | partnerapi.trafficmanager.cn | 001-ea3.chn.cos.audience.teams.microsoftonline.cn | eventsync.trafficmanager.cn", "Yara Detections: ProcessInjector_Gen , stack_string , Cabinet_Archive , VM_Unknown , UPX", "bjb.webshell.suite.partner.microsoftonline.cn | Shanghai Blue", "001-ea3.chn.cos.audience.teams.microsoftonline.cn | 001-no3.chn.cos.audience.teams.microsoftonline.cn", "https://callcontroller.cnea3-02.ic3-calling-callcontroller.chinaeast3-gallatin.cosmic.partner.outlook.cn", "partnerapi.trafficmanager.cn | 001-ea3.chn.cos.audience.teams.microsoftonline.cn | eventsync.trafficmanager.cn", "http://callcontroller.cnea3-02.ic3-calling-callcontroller.chinaeast3-gallatin.cosmic.partner.outlook.cn", "http://callcontroller.cnno3-02.ic3-calling-callcontroller.chinanorth3-gallatin.cosmic.partner.outlook.cn", "ic3-media-audiencebot.chn-ea3-001.ic3-media-audiencebot.chinaeast3-gallatin.cosmic.partner.outlook.cn", "ic3-media-mpaas-ivr.chn-no3-002.ic3-media-mpaas-ivr.chinanorth3-gallatin.cosmic.partner.outlook.cn", "ic3-media-audiencebot.chn-no3-001.ic3-media-audiencebot.chinanorth3-gallatin.cosmic.partner.outlook.cn", "http://w.cn4e.com/login/bc.jsp?p=vfqFFKW%2BIGfiCD65IDGjyLxM2SI6T01nMjOHYnstwLOHKIWDgmOKTOF1xSdw9Gcgk3Vsw%2BiMEMZg0exeBk76yA%3D%3D%26njqroJJefuLemxYifUtAyeML%2FLMURbuIPYQZrlWic%2BL8e8HVbJO9uR2YxwgfwZct39x09olEQGUt7c7AUR5VeQ%3D%3D%26KwZ41toCvJmi5lujp8N8y8fB65auqmMzD93Hpf2Y7lSTCl0TqvssvQvyWAsH9sX6ykvG0puC%2FCCRD48L9J5YjQ%3D%3D%26ck6ZnzP%2FWNQV%2BmK5uOzxgB9XdQbUEnnpNXUT0vCUKGpoDcmpZLuzbmyzsZfKKGyzo8r7L0Qwfw2mff0zdyc5BA%3D%3D&d=yongstextile.com", "http://www.forensickb.com/2013/03/file-entropy-explained.html", "https://otx.alienvault.com/otxapi/indicators/url/screenshot/http://www.forensickb.com/2013/03/file-entropy-explained.html", "http://phoenix.yizimg.com/alabiaga/androidx/commit/d7e342ef6cfe5885f1bb786f1912a039422b9251", "TrojanSpy:Win32/Rebhip.F: http://w.cn4e.com/login/bc.jsp?p=ix5KZDRKcnWBJ6ajdBhecP1lMuzLoE1s0C1i9+ksxWcZJK/hYGZdXSDPe3xCp02xzq0EXsDt+GEIykVMplIPKA==&4lC8a2Py9lOxeYnfOWCZPU0VlLoLx7fVrfU2hBe8CgagrYeJS+SoNc3W34M2h/kbKz5RbH+OFy2SfjMAmGu74w==&A9VopQG0dDxhY+Ku/NF1C8FGNvIhy36pnzqkS4GgTjwsbI8ok+B5K8FXJW2kEIlJxYQu19lSwkqKJu+UtcZvfg==&G/9EanSL/XFEPUA7CiWzOg/9sPYcdFKz90x7wGXCESBsMdCvrrldf9ZZrjBpUx8XdG6aK/wR8sqSksJ5wA9Y6Q==&YRQGDPQJkCxAmK4eNjFDC7I0arWP+eE6UIJHCPmv/HXDcxRWPDOXlzXK7uvuVDkjA1llh8gOam+rpWLXZTx+uQ==&d=sicoto", "TrojanSpy:Win32/Rebhip.F: 5586f9b1a688d58ead675547231f84daf30c0c1c18fc6584fb37cfdaa5125fea", "VirTool:MSIL/CryptInject!: FileHash-SHA256 bbabbbdfbb40016ed75a7ceb3f983c58797577247ffba74a1d0aab46b72b0643", "Yara Detections ConventionEngine_Keyword_Launch , MS_Visual_Cpp_2003 , Cabinet_Archive , Nullsoft_NSIS", "tokenencryption.mam.manage-ppe.microsoftonline.cn | https://encrypt.enterpriseregistration.partner.microsoftonline.cn", "http://virii.es/U/Using Entropy Analysis to Find Encrypted and Packed Malware.pdf" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "ALF:AGGR:Mytonel_Obfuscator", "display_name": "ALF:AGGR:Mytonel_Obfuscator", "target": null }, { "id": "Win.Malware.Generic-9870238-0", "display_name": "Win.Malware.Generic-9870238-0", "target": null }, { "id": "ALF:HeraklezEval:TrojanSpy:Win32/Rebhip.F", "display_name": "ALF:HeraklezEval:TrojanSpy:Win32/Rebhip.F", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Win.Malware.Zusy-9875693-0", "display_name": "Win.Malware.Zusy-9875693-0", "target": null }, { "id": "ALF:HeraklezEval:TrojanDownloader:Win32/Dridex!rfn", "display_name": "ALF:HeraklezEval:TrojanDownloader:Win32/Dridex!rfn", "target": null }, { "id": "ALF:JASYP:VirTool:MSIL/CryptInject!atmn", "display_name": "ALF:JASYP:VirTool:MSIL/CryptInject!atmn", "target": null } ], "attack_ids": [ { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1505.001", "name": "SQL Stored Procedures", "display_name": "T1505.001 - SQL Stored Procedures" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1564.005", "name": "Hidden File System", "display_name": "T1564.005 - Hidden File System" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1673, "FileHash-SHA1": 1344, "FileHash-SHA256": 3753, "domain": 224, "hostname": 613, "URL": 490, "email": 8, "CIDR": 1 }, "indicator_count": 8106, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "571 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://partner.outlook.cn/PowerShell/", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://partner.outlook.cn/PowerShell/", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776615740.2385085 }