{
  "type": "URL",
  "indicator": "https://play.puzzleplusgames.net",
  "general": {
    "sections": [
      "general",
      "url_list",
      "http_scans",
      "screenshot"
    ],
    "indicator": "https://play.puzzleplusgames.net",
    "type": "url",
    "type_title": "URL",
    "validation": [],
    "base_indicator": {
      "id": 3450816455,
      "indicator": "https://play.puzzleplusgames.net",
      "type": "URL",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 10,
      "pulses": [
        {
          "id": "657090132deb7fd89b09d555",
          "name": "a whole bunch of hell effected by the recent mozilla/firefox vulns",
          "description": "",
          "modified": "2023-12-06T15:15:31.177000",
          "created": "2023-12-06T15:15:31.177000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "StreamMiningEx",
            "id": "262917",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 825,
            "domain": 308,
            "URL": 2036,
            "FileHash-SHA256": 2141
          },
          "indicator_count": 5310,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 109,
          "modified_text": "865 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "65708fdef7d4b5483117bb67",
          "name": "BINGO \ud83d\udea8\ud83d\udea8\ud83d\udea8 VT  Graph json upload of UBotBrowser.exe - 20.99.132.105 - 33 collections - minecraft instances",
          "description": "",
          "modified": "2023-12-06T15:14:38.824000",
          "created": "2023-12-06T15:14:38.824000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "StreamMiningEx",
            "id": "262917",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 812,
            "domain": 110,
            "hostname": 502,
            "URL": 1437
          },
          "indicator_count": 2861,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 110,
          "modified_text": "865 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "65708f1d9c1be22930c7a9ca",
          "name": "This is a whoopa - vast adware camp using tweets/links/img's but equates to spyware via regular default Services, configs and cloud host",
          "description": "",
          "modified": "2023-12-06T15:11:25.389000",
          "created": "2023-12-06T15:11:25.389000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "StreamMiningEx",
            "id": "262917",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 1341,
            "CVE": 1,
            "FileHash-SHA256": 3239,
            "domain": 1303,
            "URL": 8470,
            "FileHash-MD5": 893,
            "FileHash-SHA1": 795
          },
          "indicator_count": 16042,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 109,
          "modified_text": "865 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "62c035df9d1c1df8ca3fcaea",
          "name": "a whole bunch of hell effected by the recent mozilla/firefox vulns",
          "description": "",
          "modified": "2022-08-01T00:01:42.977000",
          "created": "2022-07-02T12:11:11.592000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 7,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "dorkingbeauty1",
            "id": "80137",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 825,
            "FileHash-SHA256": 2141,
            "domain": 308,
            "URL": 2036
          },
          "indicator_count": 5310,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 396,
          "modified_text": "1357 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "62bb08310a8957d97aa23c30",
          "name": "BINGO \ud83d\udea8\ud83d\udea8\ud83d\udea8 VT  Graph json upload of UBotBrowser.exe - 20.99.132.105 - 33 collections - minecraft instances",
          "description": "",
          "modified": "2022-07-28T00:02:14.384000",
          "created": "2022-06-28T13:54:57.927000",
          "tags": [
            "entity",
            "ubotbrowser",
            "20.99.132.105",
            "minecraft"
          ],
          "references": [
            "https://www.virustotal.com/graph/g57851267a0734f7fab3824bb4cca5cb9afab6573d8fa4b54a4f624390f9ba0bc"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 4,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "dorkingbeauty1",
            "id": "80137",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 502,
            "URL": 1437,
            "domain": 110,
            "FileHash-SHA256": 812
          },
          "indicator_count": 2861,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 398,
          "modified_text": "1361 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "62bb7b6820f1de44d02cdc75",
          "name": "eset.rosconnect.ru -VT Graph JSON upload",
          "description": "",
          "modified": "2022-07-28T00:02:14.384000",
          "created": "2022-06-28T22:06:32.059000",
          "tags": [
            "https://www.virustotal.com/graph/gebaa4d3d53cd4a3ea2559b9b96332a",
            "CVE-2017-11882"
          ],
          "references": [
            "CVE-2017-11882",
            "https://www.virustotal.com/graph/gebaa4d3d53cd4a3ea2559b9b96332ac7139ae27294bc4bc2ba9728cdd62917f9"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 3,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "dorkingbeauty1",
            "id": "80137",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 1,
            "URL": 535,
            "hostname": 128,
            "FileHash-SHA256": 236,
            "domain": 197
          },
          "indicator_count": 1097,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 392,
          "modified_text": "1361 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "62a3caaca484317351c448ba",
          "name": "JavaAppletPlugin.plugin.zip..... Downloaded from Oracle Website",
          "description": "JAVA??? \n\nThe full text of the text below: \u00c2\u00a31.3bn, 1.8bn euros, 2.4bn pence, or \u00a32.2bn  llyb.",
          "modified": "2022-07-10T00:00:39.429000",
          "created": "2022-06-10T22:50:20.127000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "W32/BotNet.K",
              "display_name": "W32/BotNet.K",
              "target": null
            },
            {
              "id": "AVG Win32:Agent-ADAU [Trj]",
              "display_name": "AVG Win32:Agent-ADAU [Trj]",
              "target": null
            },
            {
              "id": "malicious.2a7bf4",
              "display_name": "malicious.2a7bf4",
              "target": null
            },
            {
              "id": "AI:FileInfector.A44F3C4816",
              "display_name": "AI:FileInfector.A44F3C4816",
              "target": null
            },
            {
              "id": "W32/Botgor.A",
              "display_name": "W32/Botgor.A",
              "target": null
            },
            {
              "id": "Trojan.Malware.121218.susgen",
              "display_name": "Trojan.Malware.121218.susgen",
              "target": null
            },
            {
              "id": "Static AI - Malicious PE",
              "display_name": "Static AI - Malicious PE",
              "target": null
            },
            {
              "id": "Worm.Win32.Burn.a",
              "display_name": "Worm.Win32.Burn.a",
              "target": null
            },
            {
              "id": "BKDR_BOTGOR.SML",
              "display_name": "BKDR_BOTGOR.SML",
              "target": null
            },
            {
              "id": "Win32.Backdoor.Agent.A",
              "display_name": "Win32.Backdoor.Agent.A",
              "target": null
            },
            {
              "id": "BScope.Backdoor.Botgor",
              "display_name": "BScope.Backdoor.Botgor",
              "target": null
            },
            {
              "id": "Worm/Win32.Burn.R34863",
              "display_name": "Worm/Win32.Burn.R34863",
              "target": null
            },
            {
              "id": "Backdoor:Win32/Botgor.B",
              "display_name": "Backdoor:Win32/Botgor.B",
              "target": "/malware/Backdoor:Win32/Botgor.B"
            },
            {
              "id": "Backdoor.Win32.Agent.ka!s1",
              "display_name": "Backdoor.Win32.Agent.ka!s1",
              "target": null
            },
            {
              "id": "BDS/Agent.qva",
              "display_name": "BDS/Agent.qva",
              "target": null
            },
            {
              "id": "Backdoor/Agent.bfic",
              "display_name": "Backdoor/Agent.bfic",
              "target": null
            },
            {
              "id": "Win32.Trojan.Botgor.A",
              "display_name": "Win32.Trojan.Botgor.A",
              "target": null
            },
            {
              "id": "Win32.ProcessHijack",
              "display_name": "Win32.ProcessHijack",
              "target": null
            },
            {
              "id": "BackDoor.Siggen.46270",
              "display_name": "BackDoor.Siggen.46270",
              "target": null
            },
            {
              "id": "Backdoor.Win32.Agent.~APQ@4ud5h",
              "display_name": "Backdoor.Win32.Agent.~APQ@4ud5h",
              "target": null
            },
            {
              "id": "Virus.Botgor!1.D115 (CLASSIC)",
              "display_name": "Virus.Botgor!1.D115 (CLASSIC)",
              "target": null
            },
            {
              "id": "Backdoor.Win32.Agent.117760.B",
              "display_name": "Backdoor.Win32.Agent.117760.B",
              "target": null
            },
            {
              "id": "Worm:Win32/Botgor.18ddf561",
              "display_name": "Worm:Win32/Botgor.18ddf561",
              "target": "/malware/Worm:Win32/Botgor.18ddf561"
            },
            {
              "id": "Worm.Win32.Burn.b",
              "display_name": "Worm.Win32.Burn.b",
              "target": null
            },
            {
              "id": "Win.Malware.Botgor-9853222-0",
              "display_name": "Win.Malware.Botgor-9853222-0",
              "target": null
            },
            {
              "id": "generic.ml",
              "display_name": "generic.ml",
              "target": null
            },
            {
              "id": "ML.Attribute.HighConfidence",
              "display_name": "ML.Attribute.HighConfidence",
              "target": null
            },
            {
              "id": "W32/Backdoor.UQUT-0945",
              "display_name": "W32/Backdoor.UQUT-0945",
              "target": null
            },
            {
              "id": "win/malicious_confidence_100% (W)",
              "display_name": "win/malicious_confidence_100% (W)",
              "target": null
            },
            {
              "id": "Trojan ( 000569271 )",
              "display_name": "Trojan ( 000569271 )",
              "target": null
            },
            {
              "id": "Worm.Win32.Burn.tnPX",
              "display_name": "Worm.Win32.Burn.tnPX",
              "target": null
            },
            {
              "id": "W32.AIDetect.malware2",
              "display_name": "W32.AIDetect.malware2",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 4,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "MarceeS26",
            "id": "133143",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 1382,
            "hostname": 314,
            "FileHash-SHA256": 1009,
            "domain": 46,
            "FileHash-MD5": 163,
            "FileHash-SHA1": 612
          },
          "indicator_count": 3526,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 73,
          "modified_text": "1379 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "6294d3c37b2f4fd77a5ca483",
          "name": "This is a whoopa - vast adware camp using tweets/links/img's but equates to spyware via regular default Services, configs and cloud host",
          "description": "Twitter's link shortner from original tweet\nhttps://t.co/1Snx7jYTvZ posted by itspmagazine How many #ransomware predictions by \n@cylanceinc's  have/will come true?  maybe this adware camp is utilising older podcasts and audio to exfil data.  Its taken two days to do this pulse and its far from complete given the original had over 22k indicators",
          "modified": "2022-06-29T00:00:46.963000",
          "created": "2022-05-30T14:25:07.820000",
          "tags": [
            "www.quantic-systems.com",
            "https://itspmagazine.com/from-the-newsroom/ransomware-prediction",
            "https://t.co/1Snx7jYTvZ"
          ],
          "references": [
            "ge34d984fe0e14db9a2b1c48bdaca8e6f5b9e1e66f8ad49a580680dffaf7431ac 2.json",
            "https://www.virustotal.com/graph/ge34d984fe0e14db9a2b1c48bdaca8e6f5b9e1e66f8ad49a580680dffaf7431ac",
            "https://mobile.twitter.com/Quantic_Systems/with_replies",
            "https://mobile.twitter.com/ITSPmagazine/status/810428296995274752",
            "https://t.co/1Snx7jYTvZ",
            "How many #ransomware predictions by  @cylanceinc 's",
            "https://docplayer.net/56678996-The-cyber-defense-review.html",
            "https://itspmagazine.com/from-the-newsroom/ransomware-predictions-past-present-future-future",
            "www.quantic-systems.com"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 11,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "dorkingbeauty1",
            "id": "80137",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 3239,
            "hostname": 1341,
            "URL": 8470,
            "domain": 1303,
            "CVE": 1,
            "FileHash-MD5": 893,
            "FileHash-SHA1": 795
          },
          "indicator_count": 16042,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 394,
          "modified_text": "1390 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "628504463286e43fe723cead",
          "name": "#Firmware  new relic script/update corruption riotgsmes used to deliver",
          "description": "Common = 162.247.243.148\nTCP traffic to 104.16.119.50 on port 49260\nTCP traffic to 104.16.206.131 on port 49263\nTCP traffic to 8.251.168.124 on port 49284\nTCP traffic to 162.247.243.238 on port",
          "modified": "2022-06-17T00:01:43.273000",
          "created": "2022-05-18T14:35:50.117000",
          "tags": [
            "trojan",
            "memoryfile scan",
            "dropped file",
            "okay resizing",
            "okay sdk",
            "unicode",
            "error",
            "path",
            "riot client",
            "null",
            "critical",
            "suspicious",
            "delphi",
            "bind",
            "unknown",
            "enterprise",
            "executor",
            "riot",
            "rest",
            "local",
            "lockfile",
            "february",
            "click",
            "encrypt",
            "fail",
            "launcher",
            "media",
            "malicious",
            "team"
          ],
          "references": [
            "VALORANT.exe",
            "162.247.243.148",
            "Queries firmware table information (may be used to fingerprint/evade) details \"RiotClientServices.exe\" at 00000000-00003384-00000033-3266853 \"RiotClientServices.exe\" at 00000000-00003384-00000033-3267044 \"RiotClientServices.exe\" at 00000000-00003400-00000033-3764888 \"RiotClientServices.exe\" at 00000000-00003400-00000033-3765111 \"RiotClientServices.exe\" at 00000000-00002172-00000033-13613833225596776 \"RiotClientServices.exe\" at 00000000-00002172-00000033-13613833225597548 \"RiotClientServices.exe\" at 00000000",
            "#Firmware",
            "https://hybrid-analysis.com/sample/c16e4bccd6961c074ec0f43d37727061e494d7647f5953c89107c98fc42a2d04/62161ffe897ab2603a7a39e9",
            "helped by someone else's hybrid scan thank you"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1010",
              "name": "Application Window Discovery",
              "display_name": "T1010 - Application Window Discovery"
            },
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1070",
              "name": "Indicator Removal on Host",
              "display_name": "T1070 - Indicator Removal on Host"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1112",
              "name": "Modify Registry",
              "display_name": "T1112 - Modify Registry"
            },
            {
              "id": "T1114",
              "name": "Email Collection",
              "display_name": "T1114 - Email Collection"
            },
            {
              "id": "T1120",
              "name": "Peripheral Device Discovery",
              "display_name": "T1120 - Peripheral Device Discovery"
            },
            {
              "id": "T1486",
              "name": "Data Encrypted for Impact",
              "display_name": "T1486 - Data Encrypted for Impact"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1571",
              "name": "Non-Standard Port",
              "display_name": "T1571 - Non-Standard Port"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 6,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "dorkingbeauty1",
            "id": "80137",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 766,
            "domain": 97,
            "hostname": 268,
            "email": 6,
            "FileHash-SHA256": 203,
            "CVE": 1,
            "FileHash-MD5": 104,
            "FileHash-SHA1": 40,
            "SSLCertFingerprint": 3
          },
          "indicator_count": 1488,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 399,
          "modified_text": "1402 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "6285746e6e198cfbdba438ed",
          "name": "3poundmel",
          "description": "",
          "modified": "2022-06-17T00:01:43.273000",
          "created": "2022-05-18T22:34:22.527000",
          "tags": [
            "trojan",
            "memoryfile scan",
            "dropped file",
            "okay resizing",
            "okay sdk",
            "unicode",
            "error",
            "path",
            "riot client",
            "null",
            "critical",
            "suspicious",
            "delphi",
            "bind",
            "unknown",
            "enterprise",
            "executor",
            "riot",
            "rest",
            "local",
            "lockfile",
            "february",
            "click",
            "encrypt",
            "fail",
            "launcher",
            "media",
            "malicious",
            "team"
          ],
          "references": [
            "VALORANT.exe",
            "162.247.243.148",
            "Queries firmware table information (may be used to fingerprint/evade) details \"RiotClientServices.exe\" at 00000000-00003384-00000033-3266853 \"RiotClientServices.exe\" at 00000000-00003384-00000033-3267044 \"RiotClientServices.exe\" at 00000000-00003400-00000033-3764888 \"RiotClientServices.exe\" at 00000000-00003400-00000033-3765111 \"RiotClientServices.exe\" at 00000000-00002172-00000033-13613833225596776 \"RiotClientServices.exe\" at 00000000-00002172-00000033-13613833225597548 \"RiotClientServices.exe\" at 00000000",
            "#Firmware",
            "https://hybrid-analysis.com/sample/c16e4bccd6961c074ec0f43d37727061e494d7647f5953c89107c98fc42a2d04/62161ffe897ab2603a7a39e9",
            "helped by someone else's hybrid scan thank you"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1010",
              "name": "Application Window Discovery",
              "display_name": "T1010 - Application Window Discovery"
            },
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            },
            {
              "id": "T1018",
              "name": "Remote System Discovery",
              "display_name": "T1018 - Remote System Discovery"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1070",
              "name": "Indicator Removal on Host",
              "display_name": "T1070 - Indicator Removal on Host"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1112",
              "name": "Modify Registry",
              "display_name": "T1112 - Modify Registry"
            },
            {
              "id": "T1114",
              "name": "Email Collection",
              "display_name": "T1114 - Email Collection"
            },
            {
              "id": "T1120",
              "name": "Peripheral Device Discovery",
              "display_name": "T1120 - Peripheral Device Discovery"
            },
            {
              "id": "T1486",
              "name": "Data Encrypted for Impact",
              "display_name": "T1486 - Data Encrypted for Impact"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1571",
              "name": "Non-Standard Port",
              "display_name": "T1571 - Non-Standard Port"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "628504463286e43fe723cead",
          "export_count": 5,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "ELLELEVLEN11",
            "id": "181306",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 766,
            "domain": 97,
            "hostname": 268,
            "email": 6,
            "FileHash-SHA256": 203,
            "CVE": 1,
            "FileHash-MD5": 104,
            "FileHash-SHA1": 40,
            "SSLCertFingerprint": 3,
            "IPv4": 7
          },
          "indicator_count": 1495,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 67,
          "modified_text": "1402 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://mobile.twitter.com/ITSPmagazine/status/810428296995274752",
        "https://www.virustotal.com/graph/g57851267a0734f7fab3824bb4cca5cb9afab6573d8fa4b54a4f624390f9ba0bc",
        "www.quantic-systems.com",
        "https://docplayer.net/56678996-The-cyber-defense-review.html",
        "https://itspmagazine.com/from-the-newsroom/ransomware-predictions-past-present-future-future",
        "https://hybrid-analysis.com/sample/c16e4bccd6961c074ec0f43d37727061e494d7647f5953c89107c98fc42a2d04/62161ffe897ab2603a7a39e9",
        "https://mobile.twitter.com/Quantic_Systems/with_replies",
        "How many #ransomware predictions by  @cylanceinc 's",
        "helped by someone else's hybrid scan thank you",
        "https://www.virustotal.com/graph/ge34d984fe0e14db9a2b1c48bdaca8e6f5b9e1e66f8ad49a580680dffaf7431ac",
        "#Firmware",
        "https://www.virustotal.com/graph/gebaa4d3d53cd4a3ea2559b9b96332ac7139ae27294bc4bc2ba9728cdd62917f9",
        "VALORANT.exe",
        "162.247.243.148",
        "https://t.co/1Snx7jYTvZ",
        "Queries firmware table information (may be used to fingerprint/evade) details \"RiotClientServices.exe\" at 00000000-00003384-00000033-3266853 \"RiotClientServices.exe\" at 00000000-00003384-00000033-3267044 \"RiotClientServices.exe\" at 00000000-00003400-00000033-3764888 \"RiotClientServices.exe\" at 00000000-00003400-00000033-3765111 \"RiotClientServices.exe\" at 00000000-00002172-00000033-13613833225596776 \"RiotClientServices.exe\" at 00000000-00002172-00000033-13613833225597548 \"RiotClientServices.exe\" at 00000000",
        "ge34d984fe0e14db9a2b1c48bdaca8e6f5b9e1e66f8ad49a580680dffaf7431ac 2.json",
        "CVE-2017-11882"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": [],
          "unique_indicators": 0
        },
        "other": {
          "adversary": [],
          "malware_families": [
            "Win32.processhijack",
            "Win32.trojan.botgor.a",
            "Avg win32:agent-adau [trj]",
            "Worm.win32.burn.a",
            "Virus.botgor!1.d115 (classic)",
            "Win32.backdoor.agent.a",
            "Ml.attribute.highconfidence",
            "Worm.win32.burn.b",
            "Bscope.backdoor.botgor",
            "Worm:win32/botgor.18ddf561",
            "Worm/win32.burn.r34863",
            "Bds/agent.qva",
            "Backdoor.win32.agent.ka!s1",
            "Backdoor/agent.bfic",
            "Static ai - malicious pe",
            "Malicious.2a7bf4",
            "W32.aidetect.malware2",
            "Trojan.malware.121218.susgen",
            "Worm.win32.burn.tnpx",
            "Backdoor.win32.agent.~apq@4ud5h",
            "Win/malicious_confidence_100% (w)",
            "Win.malware.botgor-9853222-0",
            "Backdoor:win32/botgor.b",
            "Backdoor.win32.agent.117760.b",
            "W32/botgor.a",
            "W32/backdoor.uqut-0945",
            "Backdoor.siggen.46270",
            "Generic.ml",
            "Trojan ( 000569271 )",
            "W32/botnet.k",
            "Bkdr_botgor.sml",
            "Ai:fileinfector.a44f3c4816"
          ],
          "industries": [],
          "unique_indicators": 29388
        }
      }
    },
    "false_positive": [],
    "alexa": "http://www.alexa.com/siteinfo/puzzleplusgames.net",
    "whois": "http://whois.domaintools.com/puzzleplusgames.net",
    "domain": "puzzleplusgames.net",
    "hostname": "play.puzzleplusgames.net"
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 10,
  "pulses": [
    {
      "id": "657090132deb7fd89b09d555",
      "name": "a whole bunch of hell effected by the recent mozilla/firefox vulns",
      "description": "",
      "modified": "2023-12-06T15:15:31.177000",
      "created": "2023-12-06T15:15:31.177000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 2,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "StreamMiningEx",
        "id": "262917",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "hostname": 825,
        "domain": 308,
        "URL": 2036,
        "FileHash-SHA256": 2141
      },
      "indicator_count": 5310,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 109,
      "modified_text": "865 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "65708fdef7d4b5483117bb67",
      "name": "BINGO \ud83d\udea8\ud83d\udea8\ud83d\udea8 VT  Graph json upload of UBotBrowser.exe - 20.99.132.105 - 33 collections - minecraft instances",
      "description": "",
      "modified": "2023-12-06T15:14:38.824000",
      "created": "2023-12-06T15:14:38.824000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 2,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "StreamMiningEx",
        "id": "262917",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 812,
        "domain": 110,
        "hostname": 502,
        "URL": 1437
      },
      "indicator_count": 2861,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 110,
      "modified_text": "865 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "65708f1d9c1be22930c7a9ca",
      "name": "This is a whoopa - vast adware camp using tweets/links/img's but equates to spyware via regular default Services, configs and cloud host",
      "description": "",
      "modified": "2023-12-06T15:11:25.389000",
      "created": "2023-12-06T15:11:25.389000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 2,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "StreamMiningEx",
        "id": "262917",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "hostname": 1341,
        "CVE": 1,
        "FileHash-SHA256": 3239,
        "domain": 1303,
        "URL": 8470,
        "FileHash-MD5": 893,
        "FileHash-SHA1": 795
      },
      "indicator_count": 16042,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 109,
      "modified_text": "865 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "62c035df9d1c1df8ca3fcaea",
      "name": "a whole bunch of hell effected by the recent mozilla/firefox vulns",
      "description": "",
      "modified": "2022-08-01T00:01:42.977000",
      "created": "2022-07-02T12:11:11.592000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 7,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "dorkingbeauty1",
        "id": "80137",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "hostname": 825,
        "FileHash-SHA256": 2141,
        "domain": 308,
        "URL": 2036
      },
      "indicator_count": 5310,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 396,
      "modified_text": "1357 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "62bb08310a8957d97aa23c30",
      "name": "BINGO \ud83d\udea8\ud83d\udea8\ud83d\udea8 VT  Graph json upload of UBotBrowser.exe - 20.99.132.105 - 33 collections - minecraft instances",
      "description": "",
      "modified": "2022-07-28T00:02:14.384000",
      "created": "2022-06-28T13:54:57.927000",
      "tags": [
        "entity",
        "ubotbrowser",
        "20.99.132.105",
        "minecraft"
      ],
      "references": [
        "https://www.virustotal.com/graph/g57851267a0734f7fab3824bb4cca5cb9afab6573d8fa4b54a4f624390f9ba0bc"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 4,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "dorkingbeauty1",
        "id": "80137",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "hostname": 502,
        "URL": 1437,
        "domain": 110,
        "FileHash-SHA256": 812
      },
      "indicator_count": 2861,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 398,
      "modified_text": "1361 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "62bb7b6820f1de44d02cdc75",
      "name": "eset.rosconnect.ru -VT Graph JSON upload",
      "description": "",
      "modified": "2022-07-28T00:02:14.384000",
      "created": "2022-06-28T22:06:32.059000",
      "tags": [
        "https://www.virustotal.com/graph/gebaa4d3d53cd4a3ea2559b9b96332a",
        "CVE-2017-11882"
      ],
      "references": [
        "CVE-2017-11882",
        "https://www.virustotal.com/graph/gebaa4d3d53cd4a3ea2559b9b96332ac7139ae27294bc4bc2ba9728cdd62917f9"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 3,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "dorkingbeauty1",
        "id": "80137",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "CVE": 1,
        "URL": 535,
        "hostname": 128,
        "FileHash-SHA256": 236,
        "domain": 197
      },
      "indicator_count": 1097,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 392,
      "modified_text": "1361 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "62a3caaca484317351c448ba",
      "name": "JavaAppletPlugin.plugin.zip..... Downloaded from Oracle Website",
      "description": "JAVA??? \n\nThe full text of the text below: \u00a31.3bn, 1.8bn euros, 2.4bn pence, or \u00a32.2bn  llyb.",
      "modified": "2022-07-10T00:00:39.429000",
      "created": "2022-06-10T22:50:20.127000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "W32/BotNet.K",
          "display_name": "W32/BotNet.K",
          "target": null
        },
        {
          "id": "AVG Win32:Agent-ADAU [Trj]",
          "display_name": "AVG Win32:Agent-ADAU [Trj]",
          "target": null
        },
        {
          "id": "malicious.2a7bf4",
          "display_name": "malicious.2a7bf4",
          "target": null
        },
        {
          "id": "AI:FileInfector.A44F3C4816",
          "display_name": "AI:FileInfector.A44F3C4816",
          "target": null
        },
        {
          "id": "W32/Botgor.A",
          "display_name": "W32/Botgor.A",
          "target": null
        },
        {
          "id": "Trojan.Malware.121218.susgen",
          "display_name": "Trojan.Malware.121218.susgen",
          "target": null
        },
        {
          "id": "Static AI - Malicious PE",
          "display_name": "Static AI - Malicious PE",
          "target": null
        },
        {
          "id": "Worm.Win32.Burn.a",
          "display_name": "Worm.Win32.Burn.a",
          "target": null
        },
        {
          "id": "BKDR_BOTGOR.SML",
          "display_name": "BKDR_BOTGOR.SML",
          "target": null
        },
        {
          "id": "Win32.Backdoor.Agent.A",
          "display_name": "Win32.Backdoor.Agent.A",
          "target": null
        },
        {
          "id": "BScope.Backdoor.Botgor",
          "display_name": "BScope.Backdoor.Botgor",
          "target": null
        },
        {
          "id": "Worm/Win32.Burn.R34863",
          "display_name": "Worm/Win32.Burn.R34863",
          "target": null
        },
        {
          "id": "Backdoor:Win32/Botgor.B",
          "display_name": "Backdoor:Win32/Botgor.B",
          "target": "/malware/Backdoor:Win32/Botgor.B"
        },
        {
          "id": "Backdoor.Win32.Agent.ka!s1",
          "display_name": "Backdoor.Win32.Agent.ka!s1",
          "target": null
        },
        {
          "id": "BDS/Agent.qva",
          "display_name": "BDS/Agent.qva",
          "target": null
        },
        {
          "id": "Backdoor/Agent.bfic",
          "display_name": "Backdoor/Agent.bfic",
          "target": null
        },
        {
          "id": "Win32.Trojan.Botgor.A",
          "display_name": "Win32.Trojan.Botgor.A",
          "target": null
        },
        {
          "id": "Win32.ProcessHijack",
          "display_name": "Win32.ProcessHijack",
          "target": null
        },
        {
          "id": "BackDoor.Siggen.46270",
          "display_name": "BackDoor.Siggen.46270",
          "target": null
        },
        {
          "id": "Backdoor.Win32.Agent.~APQ@4ud5h",
          "display_name": "Backdoor.Win32.Agent.~APQ@4ud5h",
          "target": null
        },
        {
          "id": "Virus.Botgor!1.D115 (CLASSIC)",
          "display_name": "Virus.Botgor!1.D115 (CLASSIC)",
          "target": null
        },
        {
          "id": "Backdoor.Win32.Agent.117760.B",
          "display_name": "Backdoor.Win32.Agent.117760.B",
          "target": null
        },
        {
          "id": "Worm:Win32/Botgor.18ddf561",
          "display_name": "Worm:Win32/Botgor.18ddf561",
          "target": "/malware/Worm:Win32/Botgor.18ddf561"
        },
        {
          "id": "Worm.Win32.Burn.b",
          "display_name": "Worm.Win32.Burn.b",
          "target": null
        },
        {
          "id": "Win.Malware.Botgor-9853222-0",
          "display_name": "Win.Malware.Botgor-9853222-0",
          "target": null
        },
        {
          "id": "generic.ml",
          "display_name": "generic.ml",
          "target": null
        },
        {
          "id": "ML.Attribute.HighConfidence",
          "display_name": "ML.Attribute.HighConfidence",
          "target": null
        },
        {
          "id": "W32/Backdoor.UQUT-0945",
          "display_name": "W32/Backdoor.UQUT-0945",
          "target": null
        },
        {
          "id": "win/malicious_confidence_100% (W)",
          "display_name": "win/malicious_confidence_100% (W)",
          "target": null
        },
        {
          "id": "Trojan ( 000569271 )",
          "display_name": "Trojan ( 000569271 )",
          "target": null
        },
        {
          "id": "Worm.Win32.Burn.tnPX",
          "display_name": "Worm.Win32.Burn.tnPX",
          "target": null
        },
        {
          "id": "W32.AIDetect.malware2",
          "display_name": "W32.AIDetect.malware2",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 4,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "MarceeS26",
        "id": "133143",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 1382,
        "hostname": 314,
        "FileHash-SHA256": 1009,
        "domain": 46,
        "FileHash-MD5": 163,
        "FileHash-SHA1": 612
      },
      "indicator_count": 3526,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 73,
      "modified_text": "1379 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "6294d3c37b2f4fd77a5ca483",
      "name": "This is a whoopa - vast adware camp using tweets/links/img's but equates to spyware via regular default Services, configs and cloud host",
      "description": "Twitter's link shortener from original tweet\nhttps://t.co/1Snx7jYTvZ posted by itspmagazine How many #ransomware predictions by \n@cylanceinc's  have/will come true?  maybe this adware camp is utilising older podcasts and audio to exfil data.  It's taken two days to do this pulse and it's far from complete given the original had over 22k indicators",
      "modified": "2022-06-29T00:00:46.963000",
      "created": "2022-05-30T14:25:07.820000",
      "tags": [
        "www.quantic-systems.com",
        "https://itspmagazine.com/from-the-newsroom/ransomware-prediction",
        "https://t.co/1Snx7jYTvZ"
      ],
      "references": [
        "ge34d984fe0e14db9a2b1c48bdaca8e6f5b9e1e66f8ad49a580680dffaf7431ac 2.json",
        "https://www.virustotal.com/graph/ge34d984fe0e14db9a2b1c48bdaca8e6f5b9e1e66f8ad49a580680dffaf7431ac",
        "https://mobile.twitter.com/Quantic_Systems/with_replies",
        "https://mobile.twitter.com/ITSPmagazine/status/810428296995274752",
        "https://t.co/1Snx7jYTvZ",
        "How many #ransomware predictions by  @cylanceinc 's",
        "https://docplayer.net/56678996-The-cyber-defense-review.html",
        "https://itspmagazine.com/from-the-newsroom/ransomware-predictions-past-present-future-future",
        "www.quantic-systems.com"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 11,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "dorkingbeauty1",
        "id": "80137",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 3239,
        "hostname": 1341,
        "URL": 8470,
        "domain": 1303,
        "CVE": 1,
        "FileHash-MD5": 893,
        "FileHash-SHA1": 795
      },
      "indicator_count": 16042,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 394,
      "modified_text": "1390 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "628504463286e43fe723cead",
      "name": "#Firmware  new relic script/update corruption riotgsmes used to deliver",
      "description": "Common = 162.247.243.148\nTCP traffic to 104.16.119.50 on port 49260\nTCP traffic to 104.16.206.131 on port 49263\nTCP traffic to 8.251.168.124 on port 49284\nTCP traffic to 162.247.243.238 on port",
      "modified": "2022-06-17T00:01:43.273000",
      "created": "2022-05-18T14:35:50.117000",
      "tags": [
        "trojan",
        "memoryfile scan",
        "dropped file",
        "okay resizing",
        "okay sdk",
        "unicode",
        "error",
        "path",
        "riot client",
        "null",
        "critical",
        "suspicious",
        "delphi",
        "bind",
        "unknown",
        "enterprise",
        "executor",
        "riot",
        "rest",
        "local",
        "lockfile",
        "february",
        "click",
        "encrypt",
        "fail",
        "launcher",
        "media",
        "malicious",
        "team"
      ],
      "references": [
        "VALORANT.exe",
        "162.247.243.148",
        "Queries firmware table information (may be used to fingerprint/evade) details \"RiotClientServices.exe\" at 00000000-00003384-00000033-3266853 \"RiotClientServices.exe\" at 00000000-00003384-00000033-3267044 \"RiotClientServices.exe\" at 00000000-00003400-00000033-3764888 \"RiotClientServices.exe\" at 00000000-00003400-00000033-3765111 \"RiotClientServices.exe\" at 00000000-00002172-00000033-13613833225596776 \"RiotClientServices.exe\" at 00000000-00002172-00000033-13613833225597548 \"RiotClientServices.exe\" at 00000000",
        "#Firmware",
        "https://hybrid-analysis.com/sample/c16e4bccd6961c074ec0f43d37727061e494d7647f5953c89107c98fc42a2d04/62161ffe897ab2603a7a39e9",
        "helped by someone else's hybrid scan thank you"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1010",
          "name": "Application Window Discovery",
          "display_name": "T1010 - Application Window Discovery"
        },
        {
          "id": "T1012",
          "name": "Query Registry",
          "display_name": "T1012 - Query Registry"
        },
        {
          "id": "T1018",
          "name": "Remote System Discovery",
          "display_name": "T1018 - Remote System Discovery"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1070",
          "name": "Indicator Removal on Host",
          "display_name": "T1070 - Indicator Removal on Host"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1095",
          "name": "Non-Application Layer Protocol",
          "display_name": "T1095 - Non-Application Layer Protocol"
        },
        {
          "id": "T1112",
          "name": "Modify Registry",
          "display_name": "T1112 - Modify Registry"
        },
        {
          "id": "T1114",
          "name": "Email Collection",
          "display_name": "T1114 - Email Collection"
        },
        {
          "id": "T1120",
          "name": "Peripheral Device Discovery",
          "display_name": "T1120 - Peripheral Device Discovery"
        },
        {
          "id": "T1486",
          "name": "Data Encrypted for Impact",
          "display_name": "T1486 - Data Encrypted for Impact"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1553",
          "name": "Subvert Trust Controls",
          "display_name": "T1553 - Subvert Trust Controls"
        },
        {
          "id": "T1571",
          "name": "Non-Standard Port",
          "display_name": "T1571 - Non-Standard Port"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 6,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "dorkingbeauty1",
        "id": "80137",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 766,
        "domain": 97,
        "hostname": 268,
        "email": 6,
        "FileHash-SHA256": 203,
        "CVE": 1,
        "FileHash-MD5": 104,
        "FileHash-SHA1": 40,
        "SSLCertFingerprint": 3
      },
      "indicator_count": 1488,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 399,
      "modified_text": "1402 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "6285746e6e198cfbdba438ed",
      "name": "3poundmel",
      "description": "",
      "modified": "2022-06-17T00:01:43.273000",
      "created": "2022-05-18T22:34:22.527000",
      "tags": [
        "trojan",
        "memoryfile scan",
        "dropped file",
        "okay resizing",
        "okay sdk",
        "unicode",
        "error",
        "path",
        "riot client",
        "null",
        "critical",
        "suspicious",
        "delphi",
        "bind",
        "unknown",
        "enterprise",
        "executor",
        "riot",
        "rest",
        "local",
        "lockfile",
        "february",
        "click",
        "encrypt",
        "fail",
        "launcher",
        "media",
        "malicious",
        "team"
      ],
      "references": [
        "VALORANT.exe",
        "162.247.243.148",
        "Queries firmware table information (may be used to fingerprint/evade) details \"RiotClientServices.exe\" at 00000000-00003384-00000033-3266853 \"RiotClientServices.exe\" at 00000000-00003384-00000033-3267044 \"RiotClientServices.exe\" at 00000000-00003400-00000033-3764888 \"RiotClientServices.exe\" at 00000000-00003400-00000033-3765111 \"RiotClientServices.exe\" at 00000000-00002172-00000033-13613833225596776 \"RiotClientServices.exe\" at 00000000-00002172-00000033-13613833225597548 \"RiotClientServices.exe\" at 00000000",
        "#Firmware",
        "https://hybrid-analysis.com/sample/c16e4bccd6961c074ec0f43d37727061e494d7647f5953c89107c98fc42a2d04/62161ffe897ab2603a7a39e9",
        "helped by someone else's hybrid scan thank you"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1010",
          "name": "Application Window Discovery",
          "display_name": "T1010 - Application Window Discovery"
        },
        {
          "id": "T1012",
          "name": "Query Registry",
          "display_name": "T1012 - Query Registry"
        },
        {
          "id": "T1018",
          "name": "Remote System Discovery",
          "display_name": "T1018 - Remote System Discovery"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1070",
          "name": "Indicator Removal on Host",
          "display_name": "T1070 - Indicator Removal on Host"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1095",
          "name": "Non-Application Layer Protocol",
          "display_name": "T1095 - Non-Application Layer Protocol"
        },
        {
          "id": "T1112",
          "name": "Modify Registry",
          "display_name": "T1112 - Modify Registry"
        },
        {
          "id": "T1114",
          "name": "Email Collection",
          "display_name": "T1114 - Email Collection"
        },
        {
          "id": "T1120",
          "name": "Peripheral Device Discovery",
          "display_name": "T1120 - Peripheral Device Discovery"
        },
        {
          "id": "T1486",
          "name": "Data Encrypted for Impact",
          "display_name": "T1486 - Data Encrypted for Impact"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1553",
          "name": "Subvert Trust Controls",
          "display_name": "T1553 - Subvert Trust Controls"
        },
        {
          "id": "T1571",
          "name": "Non-Standard Port",
          "display_name": "T1571 - Non-Standard Port"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": "628504463286e43fe723cead",
      "export_count": 5,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "ELLELEVLEN11",
        "id": "181306",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 766,
        "domain": 97,
        "hostname": 268,
        "email": 6,
        "FileHash-SHA256": 203,
        "CVE": 1,
        "FileHash-MD5": 104,
        "FileHash-SHA1": 40,
        "SSLCertFingerprint": 3,
        "IPv4": 7
      },
      "indicator_count": 1495,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 67,
      "modified_text": "1402 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "https://play.puzzleplusgames.net",
    "type": "URL"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "https://play.puzzleplusgames.net",
    "type": "URL",
    "found": false,
    "verdict": "clean",
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1776630875.389161
}