{
  "type": "URL",
  "indicator": "https://rdap.arin.net/registry/entity/MCICS",
  "general": {
    "sections": [
      "general",
      "url_list",
      "http_scans",
      "screenshot"
    ],
    "indicator": "https://rdap.arin.net/registry/entity/MCICS",
    "type": "url",
    "type_title": "URL",
    "validation": [
      {
        "source": "akamai",
        "message": "Akamai rank: #6937",
        "name": "Akamai Popular Domain"
      },
      {
        "source": "whitelist",
        "message": "Whitelisted domain arin.net",
        "name": "Whitelisted domain"
      },
      {
        "source": "majestic",
        "message": "Whitelisted domain arin.net",
        "name": "Whitelisted domain"
      }
    ],
    "base_indicator": {
      "id": 3389785470,
      "indicator": "https://rdap.arin.net/registry/entity/MCICS",
      "type": "URL",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 16,
      "pulses": [
        {
          "id": "699c3b796fcaed878ca94c5c",
          "name": "https://m.vzw.com/wIvzrd8",
          "description": "the wizard",
          "modified": "2026-04-18T05:30:18.690000",
          "created": "2026-02-23T11:35:21.673000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 1818,
            "hostname": 575,
            "URL": 200,
            "FileHash-SHA1": 450,
            "CIDR": 11,
            "domain": 887,
            "email": 7,
            "FileHash-MD5": 402,
            "CVE": 21
          },
          "indicator_count": 4371,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 48,
          "modified_text": "1 day ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "69b78f062bcb1cc27d94b032",
          "name": "LifeSafety Report",
          "description": "Verizon Trademark Services LLC\nName Servers\tNS1.VERIZON.NET\nOrg\tVerizon Trademark Services LLC\nAddress\t1320 North Court House Road\nCity\tArlington\nCountry\tUS\nCreation Date\t1999-07-06T00:00:00\nDnssec\tunsigned\nDomain Name\tVERIZON.NET\nDomain Name\tverizon.net\nEmails\tdomainlegalcontact@verizon.com\nEmails\tdns@verizon.com\nExpiration Date\t2018-07-06T00:00:00\nName Servers\tNS2.VERIZON.NET\nName Servers\tNS3.VERIZON.NET\nName Servers\tNS4.VERIZON.NET\nName Servers\tns2.verizon.net\nName Servers\tns3.verizon.net\nName Servers\tns1.verizon.net\nName Servers\tns4.verizon.net\nReferral Url\thttp://www.markmonitor.com\nRegistrar\tMarkMonitor, Inc.\nState\tVA\nStatus\tclientDeleteProhibited https://icann.org/epp#clientDeleteProhibited\nStatus\tclientTransferProhibited https://icann.org/epp#clientTransferProhibited\nStatus\tclientUpdateProhibited https://icann.org/epp#clientUpdateProhibited\nStatus\tserverDeleteProhibited https://icann.org/epp#serverDeleteProhibited\nStatus\tserverTransferProhibited",
          "modified": "2026-04-15T19:46:09.801000",
          "created": "2026-03-16T05:03:02.792000",
          "tags": [
            "nethandle",
            "net108",
            "net1080000",
            "mcics",
            "orgid",
            "mcics address",
            "loudoun county",
            "pkwy city",
            "postalcode",
            "orgabusehandle",
            "passive dns",
            "urls",
            "login",
            "sign up",
            "hostname",
            "pulse pulses",
            "files",
            "verdict",
            "files ip",
            "address"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CIDR": 4,
            "URL": 7,
            "email": 3,
            "hostname": 4,
            "domain": 1,
            "JA3": 1
          },
          "indicator_count": 20,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 48,
          "modified_text": "3 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "69c236a2d4fd8035ff724bfd",
          "name": "Privacy Notice | Newfold Digital",
          "description": "A full list of key information about the Netherlands-based RIPE Network Coordination Centre (RIPE), as compiled by the BBC's Panorama programme, as well as the official website:.<<pretext",
          "modified": "2026-03-24T07:24:01.470000",
          "created": "2026-03-24T07:00:50.366000",
          "tags": [
            "ripe ncc",
            "ripe network",
            "ripe",
            "organization",
            "orgid",
            "city",
            "orgabusehandle",
            "abuse contact",
            "orgabusephone",
            "de status",
            "handle",
            "address range",
            "cidr",
            "allocation type",
            "allocated pa",
            "status",
            "whois server",
            "entity dtagnic",
            "entity dtagripe",
            "services",
            "net100",
            "net1000000",
            "stateprov",
            "rabusehandle",
            "loudoun county",
            "postalcode",
            "mcics",
            "nethandle",
            "mcics address",
            "pkwy city",
            "orgtechhandle",
            "key identifier",
            "x509v3 subject",
            "v3 serial",
            "number",
            "issuer",
            "cnsectigo rsa",
            "secure server",
            "ca cgb",
            "subject public",
            "key info",
            "cncomodo rsa",
            "ca limited",
            "validity",
            "server",
            "registrar abuse",
            "date",
            "iana id",
            "contact phone",
            "dnssec",
            "domain status",
            "registrar url",
            "registrar whois",
            "registrar",
            "registrant ext",
            "corehub",
            "expiration date",
            "registry domain",
            "registrar iana",
            "street",
            "code",
            "redacted for",
            "privacy tech",
            "postal code",
            "registrant fax",
            "domain id",
            "admin country",
            "admin postal",
            "ma admin",
            "email",
            "registrant city",
            "tierranet",
            "fax ext",
            "privacy",
            "whois privacy",
            "san diego",
            "privacy admin",
            "cus olet",
            "encrypt cnr13",
            "key algorithm",
            "domain name",
            "contact email",
            "record type",
            "ttl value",
            "registrant name",
            "creation date",
            "iframe tags",
            "language",
            "html document",
            "unicode text",
            "utf8 text",
            "gazebo model",
            "configuration",
            "markup language",
            "doctype",
            "deny",
            "secchuamodel",
            "excellent",
            "php script",
            "crlf line",
            "php source"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 208,
            "hostname": 184,
            "IPv4": 25,
            "domain": 51,
            "email": 28,
            "FileHash-SHA256": 194,
            "CIDR": 16,
            "FileHash-MD5": 67,
            "FileHash-SHA1": 263,
            "CVE": 4
          },
          "indicator_count": 1040,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 48,
          "modified_text": "26 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "69c21ec9ed70aa8930710a51",
          "name": "google = program your answer??",
          "description": "The domain name cohassetma.org has been registered as an unregistered domain by the Internet Service Authority (icann) and is subject to an ongoing investigation into its registration and use.<<pretext not my wording but im confused at the lack of .gov protocols",
          "modified": "2026-03-24T05:22:13.842000",
          "created": "2026-03-24T05:19:05.864000",
          "tags": [
            "server",
            "registrar abuse",
            "date",
            "dnssec",
            "domain name",
            "domain status",
            "contact email",
            "contact phone",
            "registrar iana",
            "registrar url",
            "services",
            "net100",
            "net1000000",
            "stateprov",
            "rabusehandle",
            "loudoun county",
            "postalcode",
            "mcics",
            "cidr",
            "orgabusehandle",
            "address range",
            "allocation type",
            "whois server",
            "mcics handle",
            "handle",
            "orgtechhandle",
            "ipmgmt",
            "orgtechref",
            "orgabuseref",
            "nethandle",
            "orgid",
            "google",
            "ip address",
            "mcics address",
            "pkwy city",
            "city",
            "redacted for",
            "privacy",
            "email",
            "whois privacy",
            "san diego",
            "postal code",
            "privacy admin",
            "registrant fax",
            "code"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 155,
            "domain": 75,
            "email": 15,
            "hostname": 67,
            "CIDR": 6,
            "IPv4": 39,
            "FileHash-MD5": 2
          },
          "indicator_count": 359,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 48,
          "modified_text": "26 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "66ba01cb6ef731c30679908b",
          "name": "BusyBox  |Eternal Blue | MITM Attack | Linux Crime Mirai_Botnet_Malware | Brian Sabey attorney",
          "description": "Verizon Business MCICS?\nMCI Communications Services LLC Verizon Division, doing business as MCI, is a subsidiary of Verizon Communications Inc. that provides a wide range of telecommunications products and services to U.S. federal government customers.\nHandle Swipper, previously scrubbed from internet has been hovering over target for at least 10 years.\n[Known to have used Host: 152.199.19.161\n19.161 is an IP address in AS15133 owned by MCICommunicationsServices,Inc.d/b/aVerizonBusiness and located in US] + [Edgecast Inc ns1.edgecastcdn.net] Swipper, once linked to WikiLeaks threat actor who sent malicious emails to targets and Bank of America employees revealing passcodes from garage door codes to favorite color, ice cream hobbies and passwords. \n[Bin][BusyBox] BusyBox is a software suite that provides several Unix utilities in a single executable file.",
          "modified": "2024-10-12T00:01:26.015000",
          "created": "2024-08-12T12:36:27.020000",
          "tags": [
            "network",
            "orgdnsref",
            "nethandle",
            "net174",
            "net1740000",
            "mcics",
            "swipp",
            "swipper",
            "jody alaska",
            "jody huffines",
            "verizon",
            "eva120",
            "block id",
            "wirelessdatanetwork",
            "swipp9-arin",
            "united",
            "et exploit",
            "smbds ipc",
            "show",
            "search",
            "default",
            "asnone",
            "nids",
            "generic",
            "query",
            "service",
            "wannacry",
            "ransom",
            "malware",
            "copy",
            "dock",
            "write",
            "eternalblue",
            "recon",
            "suspicious",
            "realtek sdk",
            "miniigd upnp",
            "soap command",
            "exploit",
            "msie",
            "windows nt",
            "high",
            "binbusybox",
            "gafgyt",
            "execution",
            "mirai",
            "newremotehost",
            "mitm",
            "port",
            "destination",
            "newexternalport",
            "newprotocol",
            "newinternalport",
            "rf cum",
            "newenabled",
            "addpo",
            "addportmapping",
            "whois lookups",
            "city",
            "orgdnshandle",
            "stateprov",
            "loudoun county",
            "postalcode",
            "text",
            "javascript",
            "b file",
            "files",
            "file type",
            "json",
            "graph",
            "t1064 executes",
            "modify system",
            "process t1543",
            "systemd service",
            "posts",
            "mitre att",
            "ta0002 command",
            "t1059",
            "create",
            "ta0004 create",
            "ip traffic",
            "hashes",
            "file system",
            "libmultipath",
            "devftwdt101",
            "devsda1 devsda2",
            "files deleted",
            "e procselffd9",
            "h devsda2",
            "created binsh",
            "shell commands",
            "binsh binsh",
            "binsh c",
            "i lo",
            "p m0755",
            "varrunsshd",
            "processes tree",
            "referrer",
            "pe resource",
            "cry kill",
            "formbook",
            "ransomworm",
            "wannacry kill",
            "switch dns",
            "password bypass",
            "account stealer",
            "hiddentear",
            "installer",
            "skynet",
            "get http",
            "memory pattern",
            "http requests",
            "request",
            "host",
            "cachecontrol",
            "response",
            "contentlength",
            "httponly",
            "samesitelax",
            "mofresourcename",
            "settingswpad",
            "registry keys",
            "hdaudiomofname",
            "acpimofresource",
            "mofresource",
            "registry",
            "kernel context",
            "runtime modules",
            "modules",
            "urls",
            "cloudflare",
            "domains",
            "ip detections",
            "country",
            "win32 exe",
            "mb pe",
            "mb graph",
            "summary",
            "pe32 executable",
            "ms windows",
            "intel",
            "ms visual",
            "win16 ne",
            "win32 dynamic",
            "link library",
            "vs98",
            "info compiler",
            "products id",
            "sp6 build",
            "header intel",
            "name md5",
            "type",
            "language",
            "contained",
            "r english",
            "yara rule",
            "et trojan",
            "domain http",
            "cape",
            "yara detections",
            "alerts",
            "logic",
            "status",
            "passive dns",
            "creation date",
            "scan endpoints",
            "all scoreblue",
            "hostname",
            "pulse submit",
            "url analysis",
            "date",
            "next",
            "as6167 verizon",
            "as22394 verizon",
            "showing",
            "entries",
            "aaaa",
            "cname",
            "asnone united",
            "whitelisted",
            "as20446",
            "as8075",
            "ipv4",
            "unknown",
            "emails",
            "expiration date",
            "name servers",
            "aaaa nxdomain",
            "ireland unknown",
            "nxdomain",
            "soa nxdomain",
            "ns nxdomain",
            "a nxdomain",
            "as8068",
            "united kingdom",
            "domain",
            "cve201717215",
            "huawei remote",
            "huawei hg532",
            "malware worm",
            "exploit none",
            "rce",
            "ate hash",
            "spyware",
            "adversary in the middle",
            "smugglers gambit",
            "hitmen",
            "hallrender",
            "sreredrum",
            "pegasus related",
            "brute force",
            "target tsara brashears",
            "brian sabey"
          ],
          "references": [
            "Researched: 174.215.26.0/255 AS 6167 (CELLCO-PART) US | Swipper | Loudon County, Va | Ongoing attacks",
            "Highlighted Text: The following text was observed as standard output,  \"[THEA-MALWARE]: Gimme Cum Pwease XD\"",
            "Trojan.Linux.Mirai.1 | Crime_Mirai | DDoS:Linux/Gafgyt.YA!MTB: FILEHASH - SHA256 a1eff1e00a7d532a6e6d71b3c5328e",
            "Antivirus Detections: ELF:Mirai-AHC\\ [Trj] ,  Unix.Trojan.Mirai-7100807-0 ,  DDoS:Linux/Gafgyt.YA!MTB",
            "IDS Detections: Huawei Remote Command Execution - Outbound (CVE-2017-17215)",
            "IDS Detections: Realtek SDK Miniigd UPnP SOAP Command Execution CVE-2014-8361 - Outbound",
            "Yara Detections: Mirai_Botnet_Malware",
            "High Priority Alerts: dead_host network_icmp osquery_detection network_irc nolookup_communication p2p_cnc",
            "Interesting Strings: http://schemas.xmlsoap.org/soap/encoding/ http://0.0.0.0/nope",
            "Interesting Strings: http://schemas.xmlsoap.org/soap/envelope/ 185.244.25.117 127.0.0.1",
            "ELF Info Header ELF32  2's complement, little endian  1 (current)  UNIX - System V  EXEC (Executable file)  Intel 80386  0x1",
            "Matches rule Mirai_Botnet_Malware from ruleset crime_mirai by Florian Roth",
            "Matches rule Linux_Trojan_Mirai_b14f4c5d from ruleset Linux_Trojan_Mirai by Elastic Security",
            "Matches rule SUSP_XORed_Mozilla from ruleset gen_xor_hunting by Florian Roth",
            "Matches rule Linux_Trojan_Mirai_fa3ad9d0 from ruleset Linux_Trojan_Mirai by Elastic Security",
            "https://github.com/Neo23x0/signature-base/search?q=Mirai_Botnet_Malware Desc: Detects Mirai Botnet Malware RULE_AUTHOR: Florian Roth",
            "Crime_WannaCry | Ransom:Win32/WannaCrypt.H | FILEHASH - SHA256  86f7e04aed8403e6b9f0d4ae880a55f7574c1b177cf6c24234ffa992eadb2c52",
            "Yara Detections: WannaCry_Ransomware ,  Win32_Ransomware_WannaCry ,  Wanna_Cry_Ransomware_Generic ,",
            "Yara Detections: MS17_010_WanaCry_worm ,  NHS_Strain_Wanna ,  stack_string ,  MS_Visual_Cpp_6_0",
            "Alerts: nids_exploit_alert nids_malware_alert network_icmp nolookup_communication persistence_autorun network_cnc_http",
            "IDS Detections: W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1",
            "IDS Detections: Domain Sinkholed by Kryptos Logic (HTML Response)",
            "IDS Detections: Possible ETERNALBLUE Probe MS17-010 (MSF style)",
            "IDS Detections: Possible ETERNALBLUE Probe MS17-010 (Generic Flags)",
            "IDS Detections: ETERNALBLUE Probe Vulnerable System Response MS17-010",
            "IDS Detections: Observed DNS Query to Suspicious Domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com)",
            "IDS Detections: Behavioral Unusual Port 445 traffic Potential Scan or Infection",
            "Antivirus Detections Sf:WNCryLdr-A\\ [Trj] ,  Win.Ransomware.WannaCry-6313787-0 ,  Ransom:Win32/WannaCrypt.H"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "DDoS:Linux/Gafgyt.YA!MTB",
              "display_name": "DDoS:Linux/Gafgyt.YA!MTB",
              "target": "/malware/DDoS:Linux/Gafgyt.YA!MTB"
            },
            {
              "id": "Unix.Trojan.Mirai-7100807-0",
              "display_name": "Unix.Trojan.Mirai-7100807-0",
              "target": null
            },
            {
              "id": "ELF:Mirai-AHC\\ [Trj]",
              "display_name": "ELF:Mirai-AHC\\ [Trj]",
              "target": null
            },
            {
              "id": "Sf:WNCryLdr-A\\ [Trj]",
              "display_name": "Sf:WNCryLdr-A\\ [Trj]",
              "target": null
            },
            {
              "id": "Ransom:Win32/WannaCrypt.H",
              "display_name": "Ransom:Win32/WannaCrypt.H",
              "target": "/malware/Ransom:Win32/WannaCrypt.H"
            },
            {
              "id": "Win.Ransomware.WannaCry-6313787-0",
              "display_name": "Win.Ransomware.WannaCry-6313787-0",
              "target": null
            },
            {
              "id": "Mirai",
              "display_name": "Mirai",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1031",
              "name": "Modify Existing Service",
              "display_name": "T1031 - Modify Existing Service"
            },
            {
              "id": "T1045",
              "name": "Software Packing",
              "display_name": "T1045 - Software Packing"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1143",
              "name": "Hidden Window",
              "display_name": "T1143 - Hidden Window"
            },
            {
              "id": "T1158",
              "name": "Hidden Files and Directories",
              "display_name": "T1158 - Hidden Files and Directories"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1064",
              "name": "Scripting",
              "display_name": "T1064 - Scripting"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1543",
              "name": "Create or Modify System Process",
              "display_name": "T1543 - Create or Modify System Process"
            },
            {
              "id": "T1571",
              "name": "Non-Standard Port",
              "display_name": "T1571 - Non-Standard Port"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1185",
              "name": "Man in the Browser",
              "display_name": "T1185 - Man in the Browser"
            },
            {
              "id": "T1557",
              "name": "Man-in-the-Middle",
              "display_name": "T1557 - Man-in-the-Middle"
            }
          ],
          "industries": [
            "Government",
            "Healthcare",
            "Civilian Society"
          ],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 41,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "scoreblue",
            "id": "254100",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 2826,
            "CIDR": 2,
            "URL": 549,
            "email": 12,
            "hostname": 587,
            "FileHash-MD5": 806,
            "FileHash-SHA1": 791,
            "BitcoinAddress": 3,
            "domain": 388,
            "CVE": 4
          },
          "indicator_count": 5968,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 230,
          "modified_text": "554 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "66ba036c462091e25e94de49",
          "name": "Lazarus Group: Crime_WannaCry | Crime Mirai_Botnet_Malware ",
          "description": "",
          "modified": "2024-10-12T00:01:26.015000",
          "created": "2024-08-12T12:43:24.286000",
          "tags": [
            "network",
            "orgdnsref",
            "nethandle",
            "net174",
            "net1740000",
            "mcics",
            "swipp",
            "swipper",
            "jody alaska",
            "jody huffines",
            "verizon",
            "eva120",
            "block id",
            "wirelessdatanetwork",
            "swipp9-arin",
            "united",
            "et exploit",
            "smbds ipc",
            "show",
            "search",
            "default",
            "asnone",
            "nids",
            "generic",
            "query",
            "service",
            "wannacry",
            "ransom",
            "malware",
            "copy",
            "dock",
            "write",
            "eternalblue",
            "recon",
            "suspicious",
            "realtek sdk",
            "miniigd upnp",
            "soap command",
            "exploit",
            "msie",
            "windows nt",
            "high",
            "binbusybox",
            "gafgyt",
            "execution",
            "mirai",
            "newremotehost",
            "mitm",
            "port",
            "destination",
            "newexternalport",
            "newprotocol",
            "newinternalport",
            "rf cum",
            "newenabled",
            "addpo",
            "addportmapping",
            "whois lookups",
            "city",
            "orgdnshandle",
            "stateprov",
            "loudoun county",
            "postalcode",
            "text",
            "javascript",
            "b file",
            "files",
            "file type",
            "json",
            "graph",
            "t1064 executes",
            "modify system",
            "process t1543",
            "systemd service",
            "posts",
            "mitre att",
            "ta0002 command",
            "t1059",
            "create",
            "ta0004 create",
            "ip traffic",
            "hashes",
            "file system",
            "libmultipath",
            "devftwdt101",
            "devsda1 devsda2",
            "files deleted",
            "e procselffd9",
            "h devsda2",
            "created binsh",
            "shell commands",
            "binsh binsh",
            "binsh c",
            "i lo",
            "p m0755",
            "varrunsshd",
            "processes tree",
            "referrer",
            "pe resource",
            "cry kill",
            "formbook",
            "ransomworm",
            "wannacry kill",
            "switch dns",
            "password bypass",
            "account stealer",
            "hiddentear",
            "installer",
            "skynet",
            "get http",
            "memory pattern",
            "http requests",
            "request",
            "host",
            "cachecontrol",
            "response",
            "contentlength",
            "httponly",
            "samesitelax",
            "mofresourcename",
            "settingswpad",
            "registry keys",
            "hdaudiomofname",
            "acpimofresource",
            "mofresource",
            "registry",
            "kernel context",
            "runtime modules",
            "modules",
            "urls",
            "cloudflare",
            "domains",
            "ip detections",
            "country",
            "win32 exe",
            "mb pe",
            "mb graph",
            "summary",
            "pe32 executable",
            "ms windows",
            "intel",
            "ms visual",
            "win16 ne",
            "win32 dynamic",
            "link library",
            "vs98",
            "info compiler",
            "products id",
            "sp6 build",
            "header intel",
            "name md5",
            "type",
            "language",
            "contained",
            "r english",
            "yara rule",
            "et trojan",
            "domain http",
            "cape",
            "yara detections",
            "alerts",
            "logic",
            "status",
            "passive dns",
            "creation date",
            "scan endpoints",
            "all scoreblue",
            "hostname",
            "pulse submit",
            "url analysis",
            "date",
            "next",
            "as6167 verizon",
            "as22394 verizon",
            "showing",
            "entries",
            "aaaa",
            "cname",
            "asnone united",
            "whitelisted",
            "as20446",
            "as8075",
            "ipv4",
            "unknown",
            "emails",
            "expiration date",
            "name servers",
            "aaaa nxdomain",
            "ireland unknown",
            "nxdomain",
            "soa nxdomain",
            "ns nxdomain",
            "a nxdomain",
            "as8068",
            "united kingdom",
            "domain",
            "cve201717215",
            "huawei remote",
            "huawei hg532",
            "malware worm",
            "exploit none",
            "rce",
            "ate hash",
            "spyware",
            "adversary in the middle",
            "smugglers gambit",
            "hitmen",
            "hallrender",
            "sreredrum",
            "pegasus related",
            "brute force",
            "target tsara brashears",
            "brian sabey"
          ],
          "references": [
            "Researched: 174.215.26.0/255 AS 6167 (CELLCO-PART) US | Swipper | Loudoun County, Va | Ongoing attacks",
            "Highlighted Text: The following text was observed as standard output,  \"[THEA-MALWARE]: Gimme Cum Pwease XD\"",
            "Trojan.Linux.Mirai.1 | Crime_Mirai | DDoS:Linux/Gafgyt.YA!MTB: FILEHASH - SHA256 a1eff1e00a7d532a6e6d71b3c5328e",
            "Antivirus Detections: ELF:Mirai-AHC\\ [Trj] ,  Unix.Trojan.Mirai-7100807-0 ,  DDoS:Linux/Gafgyt.YA!MTB",
            "IDS Detections: Huawei Remote Command Execution - Outbound (CVE-2017-17215)",
            "IDS Detections: Realtek SDK Miniigd UPnP SOAP Command Execution CVE-2014-8361 - Outbound",
            "Yara Detections: Mirai_Botnet_Malware",
            "High Priority Alerts: dead_host network_icmp osquery_detection network_irc nolookup_communication p2p_cnc",
            "Interesting Strings: http://schemas.xmlsoap.org/soap/encoding/ http://0.0.0.0/nope",
            "Interesting Strings: http://schemas.xmlsoap.org/soap/envelope/ 185.244.25.117 127.0.0.1",
            "ELF Info Header ELF32  2's complement, little endian  1 (current)  UNIX - System V  EXEC (Executable file)  Intel 80386  0x1",
            "Matches rule Mirai_Botnet_Malware from ruleset crime_mirai by Florian Roth",
            "Matches rule Linux_Trojan_Mirai_b14f4c5d from ruleset Linux_Trojan_Mirai by Elastic Security",
            "Matches rule SUSP_XORed_Mozilla from ruleset gen_xor_hunting by Florian Roth",
            "Matches rule Linux_Trojan_Mirai_fa3ad9d0 from ruleset Linux_Trojan_Mirai by Elastic Security",
            "https://github.com/Neo23x0/signature-base/search?q=Mirai_Botnet_Malware Desc: Detects Mirai Botnet Malware RULE_AUTHOR: Florian Roth",
            "Crime_WannaCry | Ransom:Win32/WannaCrypt.H | FILEHASH - SHA256  86f7e04aed8403e6b9f0d4ae880a55f7574c1b177cf6c24234ffa992eadb2c52",
            "Yara Detections: WannaCry_Ransomware ,  Win32_Ransomware_WannaCry ,  Wanna_Cry_Ransomware_Generic ,",
            "Yara Detections: MS17_010_WanaCry_worm ,  NHS_Strain_Wanna ,  stack_string ,  MS_Visual_Cpp_6_0",
            "Alerts: nids_exploit_alert nids_malware_alert network_icmp nolookup_communication persistence_autorun network_cnc_http",
            "IDS Detections: W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1",
            "IDS Detections: Domain Sinkholed by Kryptos Logic (HTML Response)",
            "IDS Detections: Possible ETERNALBLUE Probe MS17-010 (MSF style)",
            "IDS Detections: Possible ETERNALBLUE Probe MS17-010 (Generic Flags)",
            "IDS Detections: ETERNALBLUE Probe Vulnerable System Response MS17-010",
            "IDS Detections: Observed DNS Query to Suspicious Domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com)",
            "IDS Detections: Behavioral Unusual Port 445 traffic Potential Scan or Infection",
            "Antivirus Detections Sf:WNCryLdr-A\\ [Trj] ,  Win.Ransomware.WannaCry-6313787-0 ,  Ransom:Win32/WannaCrypt.H"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "DDoS:Linux/Gafgyt.YA!MTB",
              "display_name": "DDoS:Linux/Gafgyt.YA!MTB",
              "target": "/malware/DDoS:Linux/Gafgyt.YA!MTB"
            },
            {
              "id": "Unix.Trojan.Mirai-7100807-0",
              "display_name": "Unix.Trojan.Mirai-7100807-0",
              "target": null
            },
            {
              "id": "ELF:Mirai-AHC\\ [Trj]",
              "display_name": "ELF:Mirai-AHC\\ [Trj]",
              "target": null
            },
            {
              "id": "Sf:WNCryLdr-A\\ [Trj]",
              "display_name": "Sf:WNCryLdr-A\\ [Trj]",
              "target": null
            },
            {
              "id": "Ransom:Win32/WannaCrypt.H",
              "display_name": "Ransom:Win32/WannaCrypt.H",
              "target": "/malware/Ransom:Win32/WannaCrypt.H"
            },
            {
              "id": "Win.Ransomware.WannaCry-6313787-0",
              "display_name": "Win.Ransomware.WannaCry-6313787-0",
              "target": null
            },
            {
              "id": "Mirai",
              "display_name": "Mirai",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1031",
              "name": "Modify Existing Service",
              "display_name": "T1031 - Modify Existing Service"
            },
            {
              "id": "T1045",
              "name": "Software Packing",
              "display_name": "T1045 - Software Packing"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1143",
              "name": "Hidden Window",
              "display_name": "T1143 - Hidden Window"
            },
            {
              "id": "T1158",
              "name": "Hidden Files and Directories",
              "display_name": "T1158 - Hidden Files and Directories"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1064",
              "name": "Scripting",
              "display_name": "T1064 - Scripting"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1543",
              "name": "Create or Modify System Process",
              "display_name": "T1543 - Create or Modify System Process"
            },
            {
              "id": "T1571",
              "name": "Non-Standard Port",
              "display_name": "T1571 - Non-Standard Port"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1185",
              "name": "Man in the Browser",
              "display_name": "T1185 - Man in the Browser"
            },
            {
              "id": "T1557",
              "name": "Man-in-the-Middle",
              "display_name": "T1557 - Man-in-the-Middle"
            }
          ],
          "industries": [
            "Government",
            "Healthcare",
            "Civilian Society"
          ],
          "TLP": "green",
          "cloned_from": "66ba01cb6ef731c30679908b",
          "export_count": 50,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "scoreblue",
            "id": "254100",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 2786,
            "CIDR": 2,
            "URL": 457,
            "email": 12,
            "hostname": 535,
            "FileHash-MD5": 806,
            "FileHash-SHA1": 791,
            "BitcoinAddress": 3,
            "domain": 367,
            "CVE": 4
          },
          "indicator_count": 5763,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 233,
          "modified_text": "554 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "66eb1903bb12a0d4b524a0fb",
          "name": "HCA Healthcloid | Cellco\u00bb  Adversary in the Middle | Swipper Verizon Block ",
          "description": "",
          "modified": "2024-09-18T18:16:35.396000",
          "created": "2024-09-18T18:16:35.396000",
          "tags": [
            "swipp9-arin",
            "swipper",
            "swipp",
            "verizon",
            "cellcopart",
            "swipper",
            "ongoing",
            "get e sim",
            "as16276",
            "france unknown",
            "unknown",
            "as6167",
            "org verizon",
            "passive dns",
            "all scoreblue",
            "as8075",
            "cellco",
            "javascript",
            "help center",
            "please",
            "service privacy",
            "policy cookie",
            "policy imprint",
            "ads info",
            "cms",
            "express",
            "tsa b",
            "self",
            "server",
            "get esim",
            "wirelessdatanetwork",
            "netrange",
            "nethandle",
            "net174",
            "net1740000",
            "mcics",
            "orgid",
            "mcics address",
            "loudoun county",
            "android",
            "generic http",
            "exe upload",
            "windows nt",
            "outbound",
            "host",
            "malware beacon",
            "cape",
            "trojan",
            "copy",
            "write",
            "malware",
            "inbound",
            "impash",
            "post na",
            "search",
            "delete",
            "related pulses",
            "top source",
            "top destination",
            "source source",
            "filehash",
            "contentlength",
            "activity",
            "dns lookup",
            "flooder",
            "et",
            "aaaa",
            "nxdomain",
            "domain",
            "ipv4",
            "url analysis",
            "files",
            "malicious",
            "network",
            "historical ssl",
            "epsilon stealer",
            "traces aided",
            "dns intel",
            "remote job",
            "keeper",
            "snatch",
            "ransomware",
            "united states",
            "as8068",
            "entries",
            "mtb jan",
            "body",
            "x msedge",
            "scan endpoints",
            "trojandropper",
            "slf features",
            "file samples",
            "files matching",
            "date hash",
            "next",
            "win64",
            "win32",
            "copyright",
            "levelblue",
            "showing",
            "a domains",
            "as54113",
            "script domains",
            "script urls",
            "script script",
            "date",
            "meta",
            "window",
            "cookie",
            "trojan features",
            "worm",
            "show",
            "alf features",
            "hca",
            "target tsara brashears",
            "hostname",
            "expiration",
            "no expiration",
            "hca health",
            "eva120",
            "jody huffines",
            "jody alaska",
            "stephen r 'middleton'",
            "phone clone",
            "adversary in the middle",
            "known threat",
            "android attack",
            "web attack",
            "network",
            "dns",
            "florence co",
            "ddos",
            "google",
            "ip address",
            "ip range",
            "whois",
            "spam stats",
            "as6167 network",
            "cleantalk ip",
            "email abuse",
            "reports",
            "misc attack",
            "et tor",
            "known tor",
            "relayrouter",
            "exit",
            "node traffic",
            "suricata",
            "et intelligence",
            "known malicious ip",
            "spoof",
            "twitter",
            "x",
            "hackers"
          ],
          "references": [
            "Researched: 174.192.0.0 AS 6167 (CELLCO-PART) US | Swipper | Loudoun County, Va | Ongoing attacks  174.215.26.0",
            "uat.drw.hcahealthcare.cloud  US Admin Email: cd2fa1f805494bc7s@ehc.com Admin Organization: HCA - Information Technology & Services, Inc.",
            "OrgTechEmail: swipper@verizonbusiness.com domains@microsotseft.com kenneth.reeb@verizonwireless.com msnhst@microsoft.com",
            "stephen.r.middleton@verizon.com sysmgr@verizon.com CIDR 174.192.0.0/10",
            "Antivirus Detections: Win.Malware.Vtflooder-9783271-0 ,  Trojan:Win32/Vflooder.B",
            "IDS Detections: Win32/Vflooder.B Checkin Generic HTTP EXE Upload Inbound Generic HTTP EXE Upload Outbound",
            "Yara Detections: SUSP_Imphash_Mar23_2",
            "Alerts: cape_detected_threat",
            "http://www.govexec.com/dailyfed/0906/091806ol.htm",
            "Researched: trueupdater.exe - FileHash-SHA256 000381f55a6406f9448533be6c87481da162f0efe7da60d6f3d8a5401ef6f66b",
            "*https://identity.cnw.hcahealthcare.cloud/Account/ForgotPassword * identity.cnw.hcahealthcare.cloud *uat.drw.hcahealthcare.cloud",
            "\"NetRange: 174.192.0.0 - 174.255.255.255 CIDR: 174.192.0.0/10 NetName: WIRELESSDATANETWORK",
            "*NetHandle: NET-174-192-0-0-1 Parent: NET174 (NET-174-0-0-0-0) NetType: Direct Allocation Organization: Verizon Business (MCICS)",
            "*RegDate: 2008-12-16 Updated: 2022-05-31 Ref: https://rdap.arin.net/registry/ip/174.192.0.0 OrgName: Verizon Business",
            "*OrgId: MCICS Address: 22001 Loudoun County Pkwy City: Ashburn StateProv: VA PostalCode: 20147 Country:",
            "*US RegDate: 2006-05-30 Updated: 2024-02-12 Ref: https://rdap.arin.net/registry/entity/MCICS",
            "*OrgAbuseHandle: ABUSE3-ARIN OrgAbuseName: abuse OrgAbusePhone: +1-800-900-0241 OrgAbuseEmail: abuse@verizon.net",
            "*OrgAbuseRef: https://rdap.arin.net/registry/entity/ABUSE3-ARIN OrgDNSHandle: VZDNS1-ARIN OrgDNSName: VZ-DNSADMIN",
            "*OrgDNSPhone: +1-800-900-0241 OrgDNSEmail: dnsadmin@verizon.com",
            "*OrgTechEmail: swipper@verizonbusiness.com OrgTechRef: https://rdap.arin.net/registry/entity/SWIPP9-ARIN",
            "*OrgDNSRef: https://rdap.arin.net/registry/entity/VZDNS1-ARIN OrgAbuseHandle: ABUSE5603-ARIN OrgAbuseName"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Trojan:Win32/Vflooder.A",
              "display_name": "Trojan:Win32/Vflooder.A",
              "target": "/malware/Trojan:Win32/Vflooder.A"
            },
            {
              "id": "ET",
              "display_name": "ET",
              "target": null
            },
            {
              "id": "Flooder",
              "display_name": "Flooder",
              "target": null
            },
            {
              "id": "Trojan.Upatre/Waski",
              "display_name": "Trojan.Upatre/Waski",
              "target": null
            },
            {
              "id": "SLF:Win64/CobPipe",
              "display_name": "SLF:Win64/CobPipe",
              "target": "/malware/SLF:Win64/CobPipe"
            },
            {
              "id": "TrojanDropper:Win32/Muldrop.V!MTB",
              "display_name": "TrojanDropper:Win32/Muldrop.V!MTB",
              "target": "/malware/TrojanDropper:Win32/Muldrop.V!MTB"
            },
            {
              "id": "Worm:Win32/AutoRun",
              "display_name": "Worm:Win32/AutoRun",
              "target": "/malware/Worm:Win32/AutoRun"
            },
            {
              "id": "ALF:Program:Win32/Webcompanion",
              "display_name": "ALF:Program:Win32/Webcompanion",
              "target": null
            },
            {
              "id": "Trojan:Win32/Antavmu",
              "display_name": "Trojan:Win32/Antavmu",
              "target": "/malware/Trojan:Win32/Antavmu"
            }
          ],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1210",
              "name": "Exploitation of Remote Services",
              "display_name": "T1210 - Exploitation of Remote Services"
            },
            {
              "id": "T1046",
              "name": "Network Service Scanning",
              "display_name": "T1046 - Network Service Scanning"
            },
            {
              "id": "T1040",
              "name": "Network Sniffing",
              "display_name": "T1040 - Network Sniffing"
            },
            {
              "id": "T1212",
              "name": "Exploitation for Credential Access",
              "display_name": "T1212 - Exploitation for Credential Access"
            },
            {
              "id": "T1003.008",
              "name": "/etc/passwd and /etc/shadow",
              "display_name": "T1003.008 - /etc/passwd and /etc/shadow"
            },
            {
              "id": "T1031",
              "name": "Modify Existing Service",
              "display_name": "T1031 - Modify Existing Service"
            },
            {
              "id": "T1122",
              "name": "Component Object Model Hijacking",
              "display_name": "T1122 - Component Object Model Hijacking"
            },
            {
              "id": "T1198",
              "name": "SIP and Trust Provider Hijacking",
              "display_name": "T1198 - SIP and Trust Provider Hijacking"
            },
            {
              "id": "T1460",
              "name": "Biometric Spoofing",
              "display_name": "T1460 - Biometric Spoofing"
            },
            {
              "id": "T1502",
              "name": "Parent PID Spoofing",
              "display_name": "T1502 - Parent PID Spoofing"
            },
            {
              "id": "T1205.001",
              "name": "Port Knocking",
              "display_name": "T1205.001 - Port Knocking"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            }
          ],
          "industries": [
            "Healthcare",
            "Government",
            "Civilian Society"
          ],
          "TLP": "white",
          "cloned_from": "66ba9198fd69c93fabece38d",
          "export_count": 9,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "scoreblue",
            "id": "254100",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "email": 51,
            "CIDR": 11,
            "URL": 280,
            "hostname": 426,
            "FileHash-SHA256": 4334,
            "domain": 180,
            "FileHash-MD5": 2244,
            "FileHash-SHA1": 2244,
            "CVE": 1
          },
          "indicator_count": 9771,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 224,
          "modified_text": "577 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "66ba9198fd69c93fabece38d",
          "name": "Adversary in the Middle | Cellco | Targeting | Phone Cloner | Monitoring",
          "description": "Linked to X.com research. Remotely spoofs, DDoSes, blocks, intercepts, and redirects all activity of the victim. At one time the same handle, Swipper, had a malicious link attached to targets' Apple notepads. The link connected to a website showing the target's name with a photo of a jubilant arrest, or a death threat. Site linked to Loudoun County, Swipper claiming to be the FBI.",
          "modified": "2024-09-18T18:12:03.438000",
          "created": "2024-08-12T22:50:00.127000",
          "tags": [
            "swipp9-arin",
            "swipper",
            "swipp",
            "verizon",
            "cellcopart",
            "swipper",
            "ongoing",
            "get e sim",
            "as16276",
            "france unknown",
            "unknown",
            "as6167",
            "org verizon",
            "passive dns",
            "all scoreblue",
            "as8075",
            "cellco",
            "javascript",
            "help center",
            "please",
            "service privacy",
            "policy cookie",
            "policy imprint",
            "ads info",
            "cms",
            "express",
            "tsa b",
            "self",
            "server",
            "get esim",
            "wirelessdatanetwork",
            "netrange",
            "nethandle",
            "net174",
            "net1740000",
            "mcics",
            "orgid",
            "mcics address",
            "loudoun county",
            "android",
            "generic http",
            "exe upload",
            "windows nt",
            "outbound",
            "host",
            "malware beacon",
            "cape",
            "trojan",
            "copy",
            "write",
            "malware",
            "inbound",
            "impash",
            "post na",
            "search",
            "delete",
            "related pulses",
            "top source",
            "top destination",
            "source source",
            "filehash",
            "contentlength",
            "activity",
            "dns lookup",
            "flooder",
            "et",
            "aaaa",
            "nxdomain",
            "domain",
            "ipv4",
            "url analysis",
            "files",
            "malicious",
            "network",
            "historical ssl",
            "epsilon stealer",
            "traces aided",
            "dns intel",
            "remote job",
            "keeper",
            "snatch",
            "ransomware",
            "united states",
            "as8068",
            "entries",
            "mtb jan",
            "body",
            "x msedge",
            "scan endpoints",
            "trojandropper",
            "slf features",
            "file samples",
            "files matching",
            "date hash",
            "next",
            "win64",
            "win32",
            "copyright",
            "levelblue",
            "showing",
            "a domains",
            "as54113",
            "script domains",
            "script urls",
            "script script",
            "date",
            "meta",
            "window",
            "cookie",
            "trojan features",
            "worm",
            "show",
            "alf features",
            "hca",
            "target tsara brashears",
            "hostname",
            "expiration",
            "no expiration",
            "hca health",
            "eva120",
            "jody huffines",
            "jody alaska",
            "stephen r 'middleton'",
            "phone clone",
            "adversary in the middle",
            "known threat",
            "android attack",
            "web attack",
            "network",
            "dns",
            "florence co",
            "ddos",
            "google",
            "ip address",
            "ip range",
            "whois",
            "spam stats",
            "as6167 network",
            "cleantalk ip",
            "email abuse",
            "reports",
            "misc attack",
            "et tor",
            "known tor",
            "relayrouter",
            "exit",
            "node traffic",
            "suricata",
            "et intelligence",
            "known malicious ip",
            "spoof",
            "twitter",
            "x",
            "hackers"
          ],
          "references": [
            "Researched: 174.192.0.0 AS 6167 (CELLCO-PART) US | Swipper | Loudoun County, Va | Ongoing attacks  174.215.26.0",
            "uat.drw.hcahealthcare.cloud  US Admin Email: cd2fa1f805494bc7s@ehc.com Admin Organization: HCA - Information Technology & Services, Inc.",
            "OrgTechEmail: swipper@verizonbusiness.com domains@microsotseft.com kenneth.reeb@verizonwireless.com msnhst@microsoft.com",
            "stephen.r.middleton@verizon.com sysmgr@verizon.com CIDR 174.192.0.0/10",
            "Antivirus Detections: Win.Malware.Vtflooder-9783271-0 ,  Trojan:Win32/Vflooder.B",
            "IDS Detections: Win32/Vflooder.B Checkin Generic HTTP EXE Upload Inbound Generic HTTP EXE Upload Outbound",
            "Yara Detections: SUSP_Imphash_Mar23_2",
            "Alerts: cape_detected_threat",
            "http://www.govexec.com/dailyfed/0906/091806ol.htm",
            "Researched: trueupdater.exe - FileHash-SHA256 000381f55a6406f9448533be6c87481da162f0efe7da60d6f3d8a5401ef6f66b",
            "*https://identity.cnw.hcahealthcare.cloud/Account/ForgotPassword * identity.cnw.hcahealthcare.cloud *uat.drw.hcahealthcare.cloud",
            "\"NetRange: 174.192.0.0 - 174.255.255.255 CIDR: 174.192.0.0/10 NetName: WIRELESSDATANETWORK",
            "*NetHandle: NET-174-192-0-0-1 Parent: NET174 (NET-174-0-0-0-0) NetType: Direct Allocation Organization: Verizon Business (MCICS)",
            "*RegDate: 2008-12-16 Updated: 2022-05-31 Ref: https://rdap.arin.net/registry/ip/174.192.0.0 OrgName: Verizon Business",
            "*OrgId: MCICS Address: 22001 Loudoun County Pkwy City: Ashburn StateProv: VA PostalCode: 20147 Country:",
            "*US RegDate: 2006-05-30 Updated: 2024-02-12 Ref: https://rdap.arin.net/registry/entity/MCICS",
            "*OrgAbuseHandle: ABUSE3-ARIN OrgAbuseName: abuse OrgAbusePhone: +1-800-900-0241 OrgAbuseEmail: abuse@verizon.net",
            "*OrgAbuseRef: https://rdap.arin.net/registry/entity/ABUSE3-ARIN OrgDNSHandle: VZDNS1-ARIN OrgDNSName: VZ-DNSADMIN",
            "*OrgDNSPhone: +1-800-900-0241 OrgDNSEmail: dnsadmin@verizon.com",
            "*OrgTechEmail: swipper@verizonbusiness.com OrgTechRef: https://rdap.arin.net/registry/entity/SWIPP9-ARIN",
            "*OrgDNSRef: https://rdap.arin.net/registry/entity/VZDNS1-ARIN OrgAbuseHandle: ABUSE5603-ARIN OrgAbuseName"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Trojan:Win32/Vflooder.A",
              "display_name": "Trojan:Win32/Vflooder.A",
              "target": "/malware/Trojan:Win32/Vflooder.A"
            },
            {
              "id": "ET",
              "display_name": "ET",
              "target": null
            },
            {
              "id": "Flooder",
              "display_name": "Flooder",
              "target": null
            },
            {
              "id": "Trojan.Upatre/Waski",
              "display_name": "Trojan.Upatre/Waski",
              "target": null
            },
            {
              "id": "SLF:Win64/CobPipe",
              "display_name": "SLF:Win64/CobPipe",
              "target": "/malware/SLF:Win64/CobPipe"
            },
            {
              "id": "TrojanDropper:Win32/Muldrop.V!MTB",
              "display_name": "TrojanDropper:Win32/Muldrop.V!MTB",
              "target": "/malware/TrojanDropper:Win32/Muldrop.V!MTB"
            },
            {
              "id": "Worm:Win32/AutoRun",
              "display_name": "Worm:Win32/AutoRun",
              "target": "/malware/Worm:Win32/AutoRun"
            },
            {
              "id": "ALF:Program:Win32/Webcompanion",
              "display_name": "ALF:Program:Win32/Webcompanion",
              "target": null
            },
            {
              "id": "Trojan:Win32/Antavmu",
              "display_name": "Trojan:Win32/Antavmu",
              "target": "/malware/Trojan:Win32/Antavmu"
            }
          ],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1210",
              "name": "Exploitation of Remote Services",
              "display_name": "T1210 - Exploitation of Remote Services"
            },
            {
              "id": "T1046",
              "name": "Network Service Scanning",
              "display_name": "T1046 - Network Service Scanning"
            },
            {
              "id": "T1040",
              "name": "Network Sniffing",
              "display_name": "T1040 - Network Sniffing"
            },
            {
              "id": "T1212",
              "name": "Exploitation for Credential Access",
              "display_name": "T1212 - Exploitation for Credential Access"
            },
            {
              "id": "T1003.008",
              "name": "/etc/passwd and /etc/shadow",
              "display_name": "T1003.008 - /etc/passwd and /etc/shadow"
            },
            {
              "id": "T1031",
              "name": "Modify Existing Service",
              "display_name": "T1031 - Modify Existing Service"
            },
            {
              "id": "T1122",
              "name": "Component Object Model Hijacking",
              "display_name": "T1122 - Component Object Model Hijacking"
            },
            {
              "id": "T1198",
              "name": "SIP and Trust Provider Hijacking",
              "display_name": "T1198 - SIP and Trust Provider Hijacking"
            },
            {
              "id": "T1460",
              "name": "Biometric Spoofing",
              "display_name": "T1460 - Biometric Spoofing"
            },
            {
              "id": "T1502",
              "name": "Parent PID Spoofing",
              "display_name": "T1502 - Parent PID Spoofing"
            },
            {
              "id": "T1205.001",
              "name": "Port Knocking",
              "display_name": "T1205.001 - Port Knocking"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            }
          ],
          "industries": [
            "Healthcare",
            "Government",
            "Civilian Society"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 29,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "scoreblue",
            "id": "254100",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "email": 51,
            "CIDR": 11,
            "URL": 280,
            "hostname": 426,
            "FileHash-SHA256": 4334,
            "domain": 180,
            "FileHash-MD5": 2244,
            "FileHash-SHA1": 2244,
            "CVE": 1
          },
          "indicator_count": 9771,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 226,
          "modified_text": "577 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "66cb6092ed7d61b3a370d6cd",
          "name": "Adversary in the Middle | Cellco DBA Verizon Wireless | SWIPPER | BGP Hurricane Electric ",
          "description": "",
          "modified": "2024-09-12T00:41:55.890000",
          "created": "2024-08-25T16:49:22.975000",
          "tags": [
            "swipp9-arin",
            "swipper",
            "swipp",
            "verizon",
            "cellcopart",
            "swipper",
            "ongoing",
            "get e sim",
            "as16276",
            "france unknown",
            "unknown",
            "as6167",
            "org verizon",
            "passive dns",
            "all scoreblue",
            "as8075",
            "cellco",
            "javascript",
            "help center",
            "please",
            "service privacy",
            "policy cookie",
            "policy imprint",
            "ads info",
            "cms",
            "express",
            "tsa b",
            "self",
            "server",
            "get esim",
            "wirelessdatanetwork",
            "netrange",
            "nethandle",
            "net174",
            "net1740000",
            "mcics",
            "orgid",
            "mcics address",
            "loudoun county",
            "android",
            "generic http",
            "exe upload",
            "windows nt",
            "outbound",
            "host",
            "malware beacon",
            "cape",
            "trojan",
            "copy",
            "write",
            "malware",
            "inbound",
            "impash",
            "post na",
            "search",
            "delete",
            "related pulses",
            "top source",
            "top destination",
            "source source",
            "filehash",
            "contentlength",
            "activity",
            "dns lookup",
            "flooder",
            "et",
            "aaaa",
            "nxdomain",
            "domain",
            "ipv4",
            "url analysis",
            "files",
            "malicious",
            "network",
            "historical ssl",
            "epsilon stealer",
            "traces aided",
            "dns intel",
            "remote job",
            "keeper",
            "snatch",
            "ransomware",
            "united states",
            "as8068",
            "entries",
            "mtb jan",
            "body",
            "x msedge",
            "scan endpoints",
            "trojandropper",
            "slf features",
            "file samples",
            "files matching",
            "date hash",
            "next",
            "win64",
            "win32",
            "copyright",
            "levelblue",
            "showing",
            "a domains",
            "as54113",
            "script domains",
            "script urls",
            "script script",
            "date",
            "meta",
            "window",
            "cookie",
            "trojan features",
            "worm",
            "show",
            "alf features",
            "hca",
            "target tsara brashears",
            "hostname",
            "expiration",
            "no expiration",
            "hca health",
            "eva120",
            "jody huffines",
            "jody alaska",
            "stephen r 'middleton'",
            "phone clone",
            "adversary in the middle",
            "known threat",
            "android attack",
            "web attack",
            "network",
            "dns",
            "florence co",
            "ddos",
            "google",
            "ip address",
            "ip range",
            "whois",
            "spam stats",
            "as6167 network",
            "cleantalk ip",
            "email abuse",
            "reports",
            "misc attack",
            "et tor",
            "known tor",
            "relayrouter",
            "exit",
            "node traffic",
            "suricata",
            "et intelligence",
            "known malicious ip",
            "spoof",
            "twitter",
            "x",
            "hackers"
          ],
          "references": [
            "Researched: 174.192.0.0 AS 6167 (CELLCO-PART) US | Swipper | Loudon County, Va | Ongoing attacks  174.215.26.0",
            "uat.drw.hcahealthcare.cloud  US Admin Email: cd2fa1f805494bc7s@ehc.com Admin Organization: HCA - Information Technology & Services, Inc.",
            "OrgTechEmail: swipper@verizonbusiness.com domains@microsotseft.com kenneth.reeb@verizonwireless.com msnhst@microsoft.com",
            "stephen.r.middleton@verizon.com sysmgr@verizon.com CIDR 174.192.0.0/10",
            "Antivirus Detections: Win.Malware.Vtflooder-9783271-0 ,  Trojan:Win32/Vflooder.B",
            "IDS Detections: Win32/Vflooder.B Checkin Generic HTTP EXE Upload Inbound Generic HTTP EXE Upload Outbound",
            "Yara Detections: SUSP_Imphash_Mar23_2",
            "Alerts: cape_detected_threat",
            "http://www.govexec.com/dailyfed/0906/091806ol.htm",
            "Researched: trueupdater.exe - FileHash-SHA256 000381f55a6406f9448533be6c87481da162f0efe7da60d6f3d8a5401ef6f66b",
            "*https://identity.cnw.hcahealthcare.cloud/Account/ForgotPassword * identity.cnw.hcahealthcare.cloud *uat.drw.hcahealthcare.cloud",
            "\"NetRange: 174.192.0.0 - 174.255.255.255 CIDR: 174.192.0.0/10 NetName: WIRELESSDATANETWORK",
            "*NetHandle: NET-174-192-0-0-1 Parent: NET174 (NET-174-0-0-0-0) NetType: Direct Allocation Organization: Verizon Business (MCICS)",
            "*RegDate: 2008-12-16 Updated: 2022-05-31 Ref: https://rdap.arin.net/registry/ip/174.192.0.0 OrgName: Verizon Business",
            "*OrgId: MCICS Address: 22001 Loudoun County Pkwy City: Ashburn StateProv: VA PostalCode: 20147 Country:",
            "*US RegDate: 2006-05-30 Updated: 2024-02-12 Ref: https://rdap.arin.net/registry/entity/MCICS",
            "*OrgAbuseHandle: ABUSE3-ARIN OrgAbuseName: abuse OrgAbusePhone: +1-800-900-0241 OrgAbuseEmail: abuse@verizon.net",
            "*OrgAbuseRef: https://rdap.arin.net/registry/entity/ABUSE3-ARIN OrgDNSHandle: VZDNS1-ARIN OrgDNSName: VZ-DNSADMIN",
            "*OrgDNSPhone: +1-800-900-0241 OrgDNSEmail: dnsadmin@verizon.com",
            "*OrgTechEmail: swipper@verizonbusiness.com OrgTechRef: https://rdap.arin.net/registry/entity/SWIPP9-ARIN",
            "*OrgDNSRef: https://rdap.arin.net/registry/entity/VZDNS1-ARIN OrgAbuseHandle: ABUSE5603-ARIN OrgAbuseName"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Trojan:Win32/Vflooder.A",
              "display_name": "Trojan:Win32/Vflooder.A",
              "target": "/malware/Trojan:Win32/Vflooder.A"
            },
            {
              "id": "ET",
              "display_name": "ET",
              "target": null
            },
            {
              "id": "Flooder",
              "display_name": "Flooder",
              "target": null
            },
            {
              "id": "Trojan.Upatre/Waski",
              "display_name": "Trojan.Upatre/Waski",
              "target": null
            },
            {
              "id": "SLF:Win64/CobPipe",
              "display_name": "SLF:Win64/CobPipe",
              "target": "/malware/SLF:Win64/CobPipe"
            },
            {
              "id": "TrojanDropper:Win32/Muldrop.V!MTB",
              "display_name": "TrojanDropper:Win32/Muldrop.V!MTB",
              "target": "/malware/TrojanDropper:Win32/Muldrop.V!MTB"
            },
            {
              "id": "Worm:Win32/AutoRun",
              "display_name": "Worm:Win32/AutoRun",
              "target": "/malware/Worm:Win32/AutoRun"
            },
            {
              "id": "ALF:Program:Win32/Webcompanion",
              "display_name": "ALF:Program:Win32/Webcompanion",
              "target": null
            },
            {
              "id": "Trojan:Win32/Antavmu",
              "display_name": "Trojan:Win32/Antavmu",
              "target": "/malware/Trojan:Win32/Antavmu"
            }
          ],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1210",
              "name": "Exploitation of Remote Services",
              "display_name": "T1210 - Exploitation of Remote Services"
            },
            {
              "id": "T1046",
              "name": "Network Service Scanning",
              "display_name": "T1046 - Network Service Scanning"
            },
            {
              "id": "T1040",
              "name": "Network Sniffing",
              "display_name": "T1040 - Network Sniffing"
            },
            {
              "id": "T1212",
              "name": "Exploitation for Credential Access",
              "display_name": "T1212 - Exploitation for Credential Access"
            },
            {
              "id": "T1003.008",
              "name": "/etc/passwd and /etc/shadow",
              "display_name": "T1003.008 - /etc/passwd and /etc/shadow"
            },
            {
              "id": "T1031",
              "name": "Modify Existing Service",
              "display_name": "T1031 - Modify Existing Service"
            },
            {
              "id": "T1122",
              "name": "Component Object Model Hijacking",
              "display_name": "T1122 - Component Object Model Hijacking"
            },
            {
              "id": "T1198",
              "name": "SIP and Trust Provider Hijacking",
              "display_name": "T1198 - SIP and Trust Provider Hijacking"
            },
            {
              "id": "T1460",
              "name": "Biometric Spoofing",
              "display_name": "T1460 - Biometric Spoofing"
            },
            {
              "id": "T1502",
              "name": "Parent PID Spoofing",
              "display_name": "T1502 - Parent PID Spoofing"
            },
            {
              "id": "T1205.001",
              "name": "Port Knocking",
              "display_name": "T1205.001 - Port Knocking"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            }
          ],
          "industries": [
            "Healthcare",
            "Government",
            "Civilian Society"
          ],
          "TLP": "white",
          "cloned_from": "66ba9198fd69c93fabece38d",
          "export_count": 31,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "scoreblue",
            "id": "254100",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "email": 24,
            "CIDR": 8,
            "URL": 190,
            "hostname": 370,
            "FileHash-SHA256": 4319,
            "domain": 176,
            "FileHash-MD5": 2244,
            "FileHash-SHA1": 2244,
            "CVE": 1
          },
          "indicator_count": 9576,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 227,
          "modified_text": "584 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "66d496e04d8fa0cc8d528941",
          "name": "Adversary in the Middle | Cellco DBA Verizon Wireless | SWIPPER | BGP Hurricane Electric ",
          "description": "",
          "modified": "2024-09-12T00:25:51.199000",
          "created": "2024-09-01T16:31:28.909000",
          "tags": [
            "swipp9-arin",
            "swipper",
            "swipp",
            "verizon",
            "cellcopart",
            "swipper",
            "ongoing",
            "get e sim",
            "as16276",
            "france unknown",
            "unknown",
            "as6167",
            "org verizon",
            "passive dns",
            "all scoreblue",
            "as8075",
            "cellco",
            "javascript",
            "help center",
            "please",
            "service privacy",
            "policy cookie",
            "policy imprint",
            "ads info",
            "cms",
            "express",
            "tsa b",
            "self",
            "server",
            "get esim",
            "wirelessdatanetwork",
            "netrange",
            "nethandle",
            "net174",
            "net1740000",
            "mcics",
            "orgid",
            "mcics address",
            "loudoun county",
            "android",
            "generic http",
            "exe upload",
            "windows nt",
            "outbound",
            "host",
            "malware beacon",
            "cape",
            "trojan",
            "copy",
            "write",
            "malware",
            "inbound",
            "impash",
            "post na",
            "search",
            "delete",
            "related pulses",
            "top source",
            "top destination",
            "source source",
            "filehash",
            "contentlength",
            "activity",
            "dns lookup",
            "flooder",
            "et",
            "aaaa",
            "nxdomain",
            "domain",
            "ipv4",
            "url analysis",
            "files",
            "malicious",
            "network",
            "historical ssl",
            "epsilon stealer",
            "traces aided",
            "dns intel",
            "remote job",
            "keeper",
            "snatch",
            "ransomware",
            "united states",
            "as8068",
            "entries",
            "mtb jan",
            "body",
            "x msedge",
            "scan endpoints",
            "trojandropper",
            "slf features",
            "file samples",
            "files matching",
            "date hash",
            "next",
            "win64",
            "win32",
            "copyright",
            "levelblue",
            "showing",
            "a domains",
            "as54113",
            "script domains",
            "script urls",
            "script script",
            "date",
            "meta",
            "window",
            "cookie",
            "trojan features",
            "worm",
            "show",
            "alf features",
            "hca",
            "target tsara brashears",
            "hostname",
            "expiration",
            "no expiration",
            "hca health",
            "eva120",
            "jody huffines",
            "jody alaska",
            "stephen r 'middleton'",
            "phone clone",
            "adversary in the middle",
            "known threat",
            "android attack",
            "web attack",
            "network",
            "dns",
            "florence co",
            "ddos",
            "google",
            "ip address",
            "ip range",
            "whois",
            "spam stats",
            "as6167 network",
            "cleantalk ip",
            "email abuse",
            "reports",
            "misc attack",
            "et tor",
            "known tor",
            "relayrouter",
            "exit",
            "node traffic",
            "suricata",
            "et intelligence",
            "known malicious ip",
            "spoof",
            "twitter",
            "x",
            "hackers"
          ],
          "references": [
            "Researched: 174.192.0.0 AS 6167 (CELLCO-PART) US | Swipper | Loudon County, Va | Ongoing attacks  174.215.26.0",
            "uat.drw.hcahealthcare.cloud  US Admin Email: cd2fa1f805494bc7s@ehc.com Admin Organization: HCA - Information Technology & Services, Inc.",
            "OrgTechEmail: swipper@verizonbusiness.com domains@microsotseft.com kenneth.reeb@verizonwireless.com msnhst@microsoft.com",
            "stephen.r.middleton@verizon.com sysmgr@verizon.com CIDR 174.192.0.0/10",
            "Antivirus Detections: Win.Malware.Vtflooder-9783271-0 ,  Trojan:Win32/Vflooder.B",
            "IDS Detections: Win32/Vflooder.B Checkin Generic HTTP EXE Upload Inbound Generic HTTP EXE Upload Outbound",
            "Yara Detections: SUSP_Imphash_Mar23_2",
            "Alerts: cape_detected_threat",
            "http://www.govexec.com/dailyfed/0906/091806ol.htm",
            "Researched: trueupdater.exe - FileHash-SHA256 000381f55a6406f9448533be6c87481da162f0efe7da60d6f3d8a5401ef6f66b",
            "*https://identity.cnw.hcahealthcare.cloud/Account/ForgotPassword * identity.cnw.hcahealthcare.cloud *uat.drw.hcahealthcare.cloud",
            "\"NetRange: 174.192.0.0 - 174.255.255.255 CIDR: 174.192.0.0/10 NetName: WIRELESSDATANETWORK",
            "*NetHandle: NET-174-192-0-0-1 Parent: NET174 (NET-174-0-0-0-0) NetType: Direct Allocation Organization: Verizon Business (MCICS)",
            "*RegDate: 2008-12-16 Updated: 2022-05-31 Ref: https://rdap.arin.net/registry/ip/174.192.0.0 OrgName: Verizon Business",
            "*OrgId: MCICS Address: 22001 Loudoun County Pkwy City: Ashburn StateProv: VA PostalCode: 20147 Country:",
            "*US RegDate: 2006-05-30 Updated: 2024-02-12 Ref: https://rdap.arin.net/registry/entity/MCICS",
            "*OrgAbuseHandle: ABUSE3-ARIN OrgAbuseName: abuse OrgAbusePhone: +1-800-900-0241 OrgAbuseEmail: abuse@verizon.net",
            "*OrgAbuseRef: https://rdap.arin.net/registry/entity/ABUSE3-ARIN OrgDNSHandle: VZDNS1-ARIN OrgDNSName: VZ-DNSADMIN",
            "*OrgDNSPhone: +1-800-900-0241 OrgDNSEmail: dnsadmin@verizon.com",
            "*OrgTechEmail: swipper@verizonbusiness.com OrgTechRef: https://rdap.arin.net/registry/entity/SWIPP9-ARIN",
            "*OrgDNSRef: https://rdap.arin.net/registry/entity/VZDNS1-ARIN OrgAbuseHandle: ABUSE5603-ARIN OrgAbuseName"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Trojan:Win32/Vflooder.A",
              "display_name": "Trojan:Win32/Vflooder.A",
              "target": "/malware/Trojan:Win32/Vflooder.A"
            },
            {
              "id": "ET",
              "display_name": "ET",
              "target": null
            },
            {
              "id": "Flooder",
              "display_name": "Flooder",
              "target": null
            },
            {
              "id": "Trojan.Upatre/Waski",
              "display_name": "Trojan.Upatre/Waski",
              "target": null
            },
            {
              "id": "SLF:Win64/CobPipe",
              "display_name": "SLF:Win64/CobPipe",
              "target": "/malware/SLF:Win64/CobPipe"
            },
            {
              "id": "TrojanDropper:Win32/Muldrop.V!MTB",
              "display_name": "TrojanDropper:Win32/Muldrop.V!MTB",
              "target": "/malware/TrojanDropper:Win32/Muldrop.V!MTB"
            },
            {
              "id": "Worm:Win32/AutoRun",
              "display_name": "Worm:Win32/AutoRun",
              "target": "/malware/Worm:Win32/AutoRun"
            },
            {
              "id": "ALF:Program:Win32/Webcompanion",
              "display_name": "ALF:Program:Win32/Webcompanion",
              "target": null
            },
            {
              "id": "Trojan:Win32/Antavmu",
              "display_name": "Trojan:Win32/Antavmu",
              "target": "/malware/Trojan:Win32/Antavmu"
            }
          ],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1210",
              "name": "Exploitation of Remote Services",
              "display_name": "T1210 - Exploitation of Remote Services"
            },
            {
              "id": "T1046",
              "name": "Network Service Scanning",
              "display_name": "T1046 - Network Service Scanning"
            },
            {
              "id": "T1040",
              "name": "Network Sniffing",
              "display_name": "T1040 - Network Sniffing"
            },
            {
              "id": "T1212",
              "name": "Exploitation for Credential Access",
              "display_name": "T1212 - Exploitation for Credential Access"
            },
            {
              "id": "T1003.008",
              "name": "/etc/passwd and /etc/shadow",
              "display_name": "T1003.008 - /etc/passwd and /etc/shadow"
            },
            {
              "id": "T1031",
              "name": "Modify Existing Service",
              "display_name": "T1031 - Modify Existing Service"
            },
            {
              "id": "T1122",
              "name": "Component Object Model Hijacking",
              "display_name": "T1122 - Component Object Model Hijacking"
            },
            {
              "id": "T1198",
              "name": "SIP and Trust Provider Hijacking",
              "display_name": "T1198 - SIP and Trust Provider Hijacking"
            },
            {
              "id": "T1460",
              "name": "Biometric Spoofing",
              "display_name": "T1460 - Biometric Spoofing"
            },
            {
              "id": "T1502",
              "name": "Parent PID Spoofing",
              "display_name": "T1502 - Parent PID Spoofing"
            },
            {
              "id": "T1205.001",
              "name": "Port Knocking",
              "display_name": "T1205.001 - Port Knocking"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            }
          ],
          "industries": [
            "Healthcare",
            "Government",
            "Civilian Society"
          ],
          "TLP": "white",
          "cloned_from": "66cb6092ed7d61b3a370d6cd",
          "export_count": 17,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "scoreblue",
            "id": "254100",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "email": 33,
            "CIDR": 9,
            "URL": 221,
            "hostname": 390,
            "FileHash-SHA256": 4343,
            "domain": 177,
            "FileHash-MD5": 2244,
            "FileHash-SHA1": 2244,
            "CVE": 1
          },
          "indicator_count": 9662,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 226,
          "modified_text": "584 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "65bca8fcbe62297d71b47c33",
          "name": "Ragnar Locker",
          "description": "\u2022 FBI Flash CU-000163-MW: RagnarLocker Ransomware Indicators of Compromise\n\u2022 Found in https://www.Esurance.com\n  108.26.193.165\nAS 701 (UUNET)\n\u2022 108.26.193.165 Postal Code: 02465 Reverse Domain Lookup: pool-108-26-193-165.bstnma.fios.verizon.net \n| Ragnar Locker is ransomware for Windows and Linux that exfiltrates information from a compromised machine, encrypts files using the Salsa20 encryption algorithm, and demands that victims pay a ransom to recover their data. The Ragnar Locker group is known to employ a double extortion tactic.",
          "modified": "2024-03-03T08:00:03.432000",
          "created": "2024-02-02T08:34:04.425000",
          "tags": [
            "referrer",
            "contacted",
            "whois record",
            "ssl certificate",
            "whois whois",
            "contacted urls",
            "execution",
            "historical ssl",
            "red team",
            "gang breached",
            "agent tesla",
            "redline stealer",
            "metro",
            "android",
            "urls url",
            "files",
            "kgs0",
            "kls0",
            "orgtechhandle",
            "orgtechref",
            "orgabusehandle",
            "orgdnshandle",
            "orgdnsref",
            "whois lookup",
            "netrange",
            "nethandle",
            "net108",
            "net1080000",
            "communicating",
            "urls http",
            "ransomware gang",
            "breached",
            "team",
            "first",
            "utc submissions",
            "submitters",
            "gandi sas",
            "psiusa",
            "domain robot",
            "porkbun llc",
            "keysystems gmbh",
            "csc corporate",
            "domains",
            "domain name",
            "network pty",
            "tucows",
            "com laude",
            "dynadot inc"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 23,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "OctoSeek",
            "id": "243548",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 8354,
            "FileHash-MD5": 104,
            "FileHash-SHA1": 81,
            "FileHash-SHA256": 2711,
            "CIDR": 5,
            "CVE": 6,
            "domain": 1489,
            "hostname": 3058,
            "email": 5
          },
          "indicator_count": 15813,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 228,
          "modified_text": "777 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "65715ad29ac565164664960b",
          "name": "InstallMate",
          "description": "",
          "modified": "2024-01-06T05:02:33.698000",
          "created": "2023-12-07T05:40:34.888000",
          "tags": [
            "as15133 verizon",
            "united",
            "unknown",
            "passive dns",
            "scan endpoints",
            "all octoseek",
            "ipv4",
            "pulse pulses",
            "urls",
            "files",
            "trojandropper",
            "body",
            "orgtechhandle",
            "orgid",
            "w jefferson",
            "blvd",
            "city",
            "los angeles",
            "stateprov",
            "postalcode",
            "sawyer",
            "kleinart",
            "mtb dec",
            "win32upatre dec",
            "win32qqpass dec",
            "entries",
            "date hash",
            "avast avg",
            "name verdict",
            "falcon sandbox",
            "generic malware",
            "tag count",
            "wed sep",
            "threat report",
            "summary",
            "sample",
            "samples",
            "detection list",
            "blacklist",
            "count blacklist",
            "generic",
            "noname057",
            "csv behavior",
            "text",
            "win32 dll",
            "win32 exe",
            "javascript",
            "office open",
            "xml document",
            "text iocs",
            "mario",
            "csv test",
            "python",
            "ip summary",
            "text query16752",
            "text edge",
            "type name",
            "services",
            "net192",
            "net1920000",
            "cidr",
            "nethandle",
            "orgabusehandle",
            "orgabusephone",
            "as14153",
            "contacted",
            "ssl certificate",
            "tsara brashears",
            "whois whois",
            "ransomware",
            "apple ios",
            "family",
            "roots",
            "lolkek",
            "tzw variants",
            "emotet",
            "bluenoroff",
            "lazarus",
            "dark power",
            "play ransomware",
            "makop",
            "attack",
            "core",
            "hacktool",
            "chaos",
            "ransomexx",
            "quasar",
            "njrat",
            "installer",
            "banker",
            "keylogger",
            "execution",
            "ermac",
            "metasploit",
            "relic",
            "monitoring",
            "qakbot",
            "thu nov",
            "url summary",
            "first",
            "cobalt strike",
            "strike cobalt",
            "malicious url",
            "tld count",
            "sun sep",
            "china cobalt",
            "strike",
            "cyber threat",
            "maltiverse",
            "malware site",
            "malicious host",
            "malware",
            "host",
            "phishing",
            "team",
            "exploit",
            "mirai",
            "pony",
            "nanocore",
            "bradesco",
            "suppobox",
            "laplasclipper",
            "asyncrat",
            "fakealert",
            "ramnit",
            "cisco umbrella",
            "site",
            "safe site",
            "heur",
            "malicious site",
            "alexa top",
            "million",
            "phishing site",
            "artemis",
            "unsafe",
            "riskware",
            "bank",
            "outbreak",
            "dropper",
            "trojanx",
            "turla",
            "installcore",
            "acint",
            "conduit",
            "installpack",
            "iobit",
            "mediaget",
            "crack",
            "iframe",
            "downldr",
            "agent",
            "presenoker",
            "alexa",
            "blacknet rat",
            "stealer",
            "unruy",
            "cleaner",
            "union",
            "dbatloader",
            "downloader",
            "blocker",
            "ransom",
            "autoit",
            "bladabindi",
            "trojan",
            "irata",
            "azorult",
            "service",
            "runescape",
            "facebook",
            "download",
            "genkryptik",
            "opencandy",
            "trojanspy",
            "relacionada",
            "referrer",
            "formbook",
            "blacklist http",
            "control server",
            "firehol",
            "botnet command",
            "http spammer",
            "mail spammer",
            "phishtank",
            "dnspionage",
            "betabot",
            "wormx",
            "redline stealer",
            "solimba",
            "zbot",
            "webtoolbar",
            "utc submissions",
            "submitters",
            "tot public",
            "company limited",
            "gandi sas",
            "ovh sas",
            "mb iesettings",
            "mb acrotray",
            "kb program",
            "team alexa",
            "quasar rat",
            "spammer",
            "team proxy",
            "ip reputation",
            "cins active",
            "online fri",
            "online sat",
            "sat apr",
            "temp",
            "windir",
            "kontakt",
            "antivirus",
            "sat jun",
            "gmt0600",
            "programdata",
            "regexpandsz d",
            "allusersprofile",
            "soar",
            "malicious",
            "programfiles",
            "sun jun",
            "mbt",
            "info api",
            "http",
            "redlinestealer",
            "score integrate",
            "siem",
            "tencent",
            "rc7 bypassed",
            "mon jun",
            "api sample",
            "hybridanalysis",
            "online sun",
            "fri jun",
            "tue apr",
            "code",
            "date",
            "hackers",
            "lumma stealer",
            "ursnif",
            "open"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Generic",
              "display_name": "Generic",
              "target": null
            },
            {
              "id": "TrojanSpy",
              "display_name": "TrojanSpy",
              "target": null
            },
            {
              "id": "Maltiverse",
              "display_name": "Maltiverse",
              "target": null
            },
            {
              "id": "WebToolbar",
              "display_name": "WebToolbar",
              "target": null
            },
            {
              "id": "MBT",
              "display_name": "MBT",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 210,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "OctoSeek",
            "id": "243548",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 882,
            "FileHash-SHA1": 497,
            "FileHash-SHA256": 3763,
            "URL": 3088,
            "hostname": 1203,
            "CIDR": 2,
            "domain": 680,
            "CVE": 9,
            "email": 13
          },
          "indicator_count": 10137,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 224,
          "modified_text": "834 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "65715b49b95c13605856d6d0",
          "name": "Lazarus Group _ 192.229.211.108",
          "description": "",
          "modified": "2024-01-06T05:02:33.698000",
          "created": "2023-12-07T05:42:33.281000",
          "tags": [
            "as15133 verizon",
            "united",
            "unknown",
            "passive dns",
            "scan endpoints",
            "all octoseek",
            "ipv4",
            "pulse pulses",
            "urls",
            "files",
            "trojandropper",
            "body",
            "orgtechhandle",
            "orgid",
            "w jefferson",
            "blvd",
            "city",
            "los angeles",
            "stateprov",
            "postalcode",
            "sawyer",
            "kleinart",
            "mtb dec",
            "win32upatre dec",
            "win32qqpass dec",
            "entries",
            "date hash",
            "avast avg",
            "name verdict",
            "falcon sandbox",
            "generic malware",
            "tag count",
            "wed sep",
            "threat report",
            "summary",
            "sample",
            "samples",
            "detection list",
            "blacklist",
            "count blacklist",
            "generic",
            "noname057",
            "csv behavior",
            "text",
            "win32 dll",
            "win32 exe",
            "javascript",
            "office open",
            "xml document",
            "text iocs",
            "mario",
            "csv test",
            "python",
            "ip summary",
            "text query16752",
            "text edge",
            "type name",
            "services",
            "net192",
            "net1920000",
            "cidr",
            "nethandle",
            "orgabusehandle",
            "orgabusephone",
            "as14153",
            "contacted",
            "ssl certificate",
            "tsara brashears",
            "whois whois",
            "ransomware",
            "apple ios",
            "family",
            "roots",
            "lolkek",
            "tzw variants",
            "emotet",
            "bluenoroff",
            "lazarus",
            "dark power",
            "play ransomware",
            "makop",
            "attack",
            "core",
            "hacktool",
            "chaos",
            "ransomexx",
            "quasar",
            "njrat",
            "installer",
            "banker",
            "keylogger",
            "execution",
            "ermac",
            "metasploit",
            "relic",
            "monitoring",
            "qakbot",
            "thu nov",
            "url summary",
            "first",
            "cobalt strike",
            "strike cobalt",
            "malicious url",
            "tld count",
            "sun sep",
            "china cobalt",
            "strike",
            "cyber threat",
            "maltiverse",
            "malware site",
            "malicious host",
            "malware",
            "host",
            "phishing",
            "team",
            "exploit",
            "mirai",
            "pony",
            "nanocore",
            "bradesco",
            "suppobox",
            "laplasclipper",
            "asyncrat",
            "fakealert",
            "ramnit",
            "cisco umbrella",
            "site",
            "safe site",
            "heur",
            "malicious site",
            "alexa top",
            "million",
            "phishing site",
            "artemis",
            "unsafe",
            "riskware",
            "bank",
            "outbreak",
            "dropper",
            "trojanx",
            "turla",
            "installcore",
            "acint",
            "conduit",
            "installpack",
            "iobit",
            "mediaget",
            "crack",
            "iframe",
            "downldr",
            "agent",
            "presenoker",
            "alexa",
            "blacknet rat",
            "stealer",
            "unruy",
            "cleaner",
            "union",
            "dbatloader",
            "downloader",
            "blocker",
            "ransom",
            "autoit",
            "bladabindi",
            "trojan",
            "irata",
            "azorult",
            "service",
            "runescape",
            "facebook",
            "download",
            "genkryptik",
            "opencandy",
            "trojanspy",
            "relacionada",
            "referrer",
            "formbook",
            "blacklist http",
            "control server",
            "firehol",
            "botnet command",
            "http spammer",
            "mail spammer",
            "phishtank",
            "dnspionage",
            "betabot",
            "wormx",
            "redline stealer",
            "solimba",
            "zbot",
            "webtoolbar",
            "utc submissions",
            "submitters",
            "tot public",
            "company limited",
            "gandi sas",
            "ovh sas",
            "mb iesettings",
            "mb acrotray",
            "kb program",
            "team alexa",
            "quasar rat",
            "spammer",
            "team proxy",
            "ip reputation",
            "cins active",
            "online fri",
            "online sat",
            "sat apr",
            "temp",
            "windir",
            "kontakt",
            "antivirus",
            "sat jun",
            "gmt0600",
            "programdata",
            "regexpandsz d",
            "allusersprofile",
            "soar",
            "malicious",
            "programfiles",
            "sun jun",
            "mbt",
            "info api",
            "http",
            "redlinestealer",
            "score integrate",
            "siem",
            "tencent",
            "rc7 bypassed",
            "mon jun",
            "api sample",
            "hybridanalysis",
            "online sun",
            "fri jun",
            "tue apr",
            "code",
            "date",
            "hackers",
            "lumma stealer",
            "ursnif",
            "open"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Generic",
              "display_name": "Generic",
              "target": null
            },
            {
              "id": "TrojanSpy",
              "display_name": "TrojanSpy",
              "target": null
            },
            {
              "id": "Maltiverse",
              "display_name": "Maltiverse",
              "target": null
            },
            {
              "id": "WebToolbar",
              "display_name": "WebToolbar",
              "target": null
            },
            {
              "id": "MBT",
              "display_name": "MBT",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": "65715ad29ac565164664960b",
          "export_count": 210,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 1,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "OctoSeek",
            "id": "243548",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 882,
            "FileHash-SHA1": 497,
            "FileHash-SHA256": 3763,
            "URL": 3088,
            "hostname": 1203,
            "CIDR": 2,
            "domain": 680,
            "CVE": 9,
            "email": 13
          },
          "indicator_count": 10137,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 223,
          "modified_text": "834 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "6572622bba87d8d105a7259f",
          "name": "Lazarus Group _ 192.229.211.108",
          "description": "",
          "modified": "2024-01-06T05:02:33.698000",
          "created": "2023-12-08T00:24:11.801000",
          "tags": [
            "as15133 verizon",
            "united",
            "unknown",
            "passive dns",
            "scan endpoints",
            "all octoseek",
            "ipv4",
            "pulse pulses",
            "urls",
            "files",
            "trojandropper",
            "body",
            "orgtechhandle",
            "orgid",
            "w jefferson",
            "blvd",
            "city",
            "los angeles",
            "stateprov",
            "postalcode",
            "sawyer",
            "kleinart",
            "mtb dec",
            "win32upatre dec",
            "win32qqpass dec",
            "entries",
            "date hash",
            "avast avg",
            "name verdict",
            "falcon sandbox",
            "generic malware",
            "tag count",
            "wed sep",
            "threat report",
            "summary",
            "sample",
            "samples",
            "detection list",
            "blacklist",
            "count blacklist",
            "generic",
            "noname057",
            "csv behavior",
            "text",
            "win32 dll",
            "win32 exe",
            "javascript",
            "office open",
            "xml document",
            "text iocs",
            "mario",
            "csv test",
            "python",
            "ip summary",
            "text query16752",
            "text edge",
            "type name",
            "services",
            "net192",
            "net1920000",
            "cidr",
            "nethandle",
            "orgabusehandle",
            "orgabusephone",
            "as14153",
            "contacted",
            "ssl certificate",
            "tsara brashears",
            "whois whois",
            "ransomware",
            "apple ios",
            "family",
            "roots",
            "lolkek",
            "tzw variants",
            "emotet",
            "bluenoroff",
            "lazarus",
            "dark power",
            "play ransomware",
            "makop",
            "attack",
            "core",
            "hacktool",
            "chaos",
            "ransomexx",
            "quasar",
            "njrat",
            "installer",
            "banker",
            "keylogger",
            "execution",
            "ermac",
            "metasploit",
            "relic",
            "monitoring",
            "qakbot",
            "thu nov",
            "url summary",
            "first",
            "cobalt strike",
            "strike cobalt",
            "malicious url",
            "tld count",
            "sun sep",
            "china cobalt",
            "strike",
            "cyber threat",
            "maltiverse",
            "malware site",
            "malicious host",
            "malware",
            "host",
            "phishing",
            "team",
            "exploit",
            "mirai",
            "pony",
            "nanocore",
            "bradesco",
            "suppobox",
            "laplasclipper",
            "asyncrat",
            "fakealert",
            "ramnit",
            "cisco umbrella",
            "site",
            "safe site",
            "heur",
            "malicious site",
            "alexa top",
            "million",
            "phishing site",
            "artemis",
            "unsafe",
            "riskware",
            "bank",
            "outbreak",
            "dropper",
            "trojanx",
            "turla",
            "installcore",
            "acint",
            "conduit",
            "installpack",
            "iobit",
            "mediaget",
            "crack",
            "iframe",
            "downldr",
            "agent",
            "presenoker",
            "alexa",
            "blacknet rat",
            "stealer",
            "unruy",
            "cleaner",
            "union",
            "dbatloader",
            "downloader",
            "blocker",
            "ransom",
            "autoit",
            "bladabindi",
            "trojan",
            "irata",
            "azorult",
            "service",
            "runescape",
            "facebook",
            "download",
            "genkryptik",
            "opencandy",
            "trojanspy",
            "relacionada",
            "referrer",
            "formbook",
            "blacklist http",
            "control server",
            "firehol",
            "botnet command",
            "http spammer",
            "mail spammer",
            "phishtank",
            "dnspionage",
            "betabot",
            "wormx",
            "redline stealer",
            "solimba",
            "zbot",
            "webtoolbar",
            "utc submissions",
            "submitters",
            "tot public",
            "company limited",
            "gandi sas",
            "ovh sas",
            "mb iesettings",
            "mb acrotray",
            "kb program",
            "team alexa",
            "quasar rat",
            "spammer",
            "team proxy",
            "ip reputation",
            "cins active",
            "online fri",
            "online sat",
            "sat apr",
            "temp",
            "windir",
            "kontakt",
            "antivirus",
            "sat jun",
            "gmt0600",
            "programdata",
            "regexpandsz d",
            "allusersprofile",
            "soar",
            "malicious",
            "programfiles",
            "sun jun",
            "mbt",
            "info api",
            "http",
            "redlinestealer",
            "score integrate",
            "siem",
            "tencent",
            "rc7 bypassed",
            "mon jun",
            "api sample",
            "hybridanalysis",
            "online sun",
            "fri jun",
            "tue apr",
            "code",
            "date",
            "hackers",
            "lumma stealer",
            "ursnif",
            "open"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Generic",
              "display_name": "Generic",
              "target": null
            },
            {
              "id": "TrojanSpy",
              "display_name": "TrojanSpy",
              "target": null
            },
            {
              "id": "Maltiverse",
              "display_name": "Maltiverse",
              "target": null
            },
            {
              "id": "WebToolbar",
              "display_name": "WebToolbar",
              "target": null
            },
            {
              "id": "MBT",
              "display_name": "MBT",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": "65715b49b95c13605856d6d0",
          "export_count": 234,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "scoreblue",
            "id": "254100",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 882,
            "FileHash-SHA1": 497,
            "FileHash-SHA256": 3763,
            "URL": 3088,
            "hostname": 1203,
            "CIDR": 2,
            "domain": 680,
            "CVE": 9,
            "email": 13
          },
          "indicator_count": 10137,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 231,
          "modified_text": "834 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "6504afc1f5dfd4aa87c1cd1a",
          "name": "DataCenter.BZ (Created by Kailula4)",
          "description": "",
          "modified": "2023-09-15T19:25:53.481000",
          "created": "2023-09-15T19:25:53.481000",
          "tags": [
            "beck",
            "dns replication",
            "date",
            "domain",
            "virustotal",
            "lookups",
            "email",
            "llc abuse",
            "city",
            "net714001",
            "orgtechhandle",
            "orgtechref",
            "orgabusehandle",
            "nethandle",
            "services",
            "postalcode",
            "orgabuseref",
            "datacenterbz",
            "us detection"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": "622107f78c362da5af6d46c4",
          "export_count": 9,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "OctoSeek",
            "id": "243548",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 2,
            "URL": 15,
            "email": 7,
            "CIDR": 2
          },
          "indicator_count": 26,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 218,
          "modified_text": "946 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "622107f78c362da5af6d46c4",
          "name": "DataCenter.BZ",
          "description": "",
          "modified": "2022-04-02T00:04:50.405000",
          "created": "2022-03-03T18:24:55.963000",
          "tags": [
            "beck",
            "dns replication",
            "date",
            "domain",
            "virustotal",
            "lookups",
            "email",
            "llc abuse",
            "city",
            "net714001",
            "orgtechhandle",
            "orgtechref",
            "orgabusehandle",
            "nethandle",
            "services",
            "postalcode",
            "orgabuseref",
            "datacenterbz",
            "us detection"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 5,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Kailula4",
            "id": "131997",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 2,
            "URL": 15,
            "email": 7,
            "CIDR": 2
          },
          "indicator_count": 26,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 406,
          "modified_text": "1478 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "IDS Detections: Behavioral Unusual Port 445 traffic Potential Scan or Infection",
        "Antivirus Detections: ELF:Mirai-AHC\\ [Trj] ,  Unix.Trojan.Mirai-7100807-0 ,  DDoS:Linux/Gafgyt.YA!MTB",
        "IDS Detections: W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1",
        "IDS Detections: Possible ETERNALBLUE Probe MS17-010 (Generic Flags)",
        "IDS Detections: Realtek SDK Miniigd UPnP SOAP Command Execution CVE-2014-8361 - Outbound",
        "IDS Detections: Observed DNS Query to Suspicious Domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com)",
        "*OrgDNSRef: https://rdap.arin.net/registry/entity/VZDNS1-ARIN OrgAbuseHandle: ABUSE5603-ARIN OrgAbuseName",
        "IDS Detections: Huawei Remote Command Execution - Outbound (CVE-2017-17215)",
        "\"NetRange: 174.192.0.0 - 174.255.255.255 CIDR: 174.192.0.0/10 NetName: WIRELESSDATANETWORK",
        "https://github.com/Neo23x0/signature-base/search?q=Mirai_Botnet_Malware Desc: Detects Mirai Botnet Malware RULE_AUTHOR: Florian Roth",
        "Yara Detections: MS17_010_WanaCry_worm ,  NHS_Strain_Wanna ,  stack_string ,  MS_Visual_Cpp_6_0",
        "*NetHandle: NET-174-192-0-0-1 Parent: NET174 (NET-174-0-0-0-0) NetType: Direct Allocation Organization: Verizon Business (MCICS)",
        "OrgTechEmail: swipper@verizonbusiness.com domains@microsotseft.com kenneth.reeb@verizonwireless.com msnhst@microsoft.com",
        "*https://identity.cnw.hcahealthcare.cloud/Account/ForgotPassword * identity.cnw.hcahealthcare.cloud *uat.drw.hcahealthcare.cloud",
        "*RegDate: 2008-12-16 Updated: 2022-05-31 Ref: https://rdap.arin.net/registry/ip/174.192.0.0 OrgName: Verizon Business",
        "IDS Detections: Domain Sinkholed by Kryptos Logic (HTML Response)",
        "Researched: 174.215.26.0/255 AS 6167 (CELLCO-PART) US | Swipper | Loudon County, Va | Ongoing attacks",
        "Alerts: nids_exploit_alert nids_malware_alert network_icmp nolookup_communication persistence_autorun network_cnc_http",
        "Researched: 174.192.0.0 AS 6167 (CELLCO-PART) US | Swipper | Loudon County, Va | Ongoing attacks  174.215.26.0",
        "IDS Detections: Possible ETERNALBLUE Probe MS17-010 (MSF style)",
        "http://www.govexec.com/dailyfed/0906/091806ol.htm",
        "*OrgDNSPhone: +1-800-900-0241 OrgDNSEmail: dnsadmin@verizon.com",
        "Trojan.Linux.Mirai.1 | Crime_Mirai | DDoS:Linux/Gafgyt.YA!MTB: FILEHASH - SHA256 a1eff1e00a7d532a6e6d71b3c5328e",
        "Crime_WannaCry | Ransom:Win32/WannaCrypt.H | FILEHASH - SHA256  86f7e04aed8403e6b9f0d4ae880a55f7574c1b177cf6c24234ffa992eadb2c52",
        "Antivirus Detections: Win.Malware.Vtflooder-9783271-0 ,  Trojan:Win32/Vflooder.B",
        "Matches rule Linux_Trojan_Mirai_fa3ad9d0 from ruleset Linux_Trojan_Mirai by Elastic Security",
        "Matches rule Linux_Trojan_Mirai_b14f4c5d from ruleset Linux_Trojan_Mirai by Elastic Security",
        "Interesting Strings: http://schemas.xmlsoap.org/soap/envelope/ 185.244.25.117 127.0.0.1",
        "*OrgId: MCICS Address: 22001 Loudoun County Pkwy City: Ashburn StateProv: VA PostalCode: 20147 Country:",
        "Matches rule Mirai_Botnet_Malware from ruleset crime_mirai by Florian Roth",
        "Antivirus Detections Sf:WNCryLdr-A\\ [Trj] ,  Win.Ransomware.WannaCry-6313787-0 ,  Ransom:Win32/WannaCrypt.H",
        "*OrgAbuseHandle: ABUSE3-ARIN OrgAbuseName: abuse OrgAbusePhone: +1-800-900-0241 OrgAbuseEmail: abuse@verizon.net",
        "*OrgAbuseRef: https://rdap.arin.net/registry/entity/ABUSE3-ARIN OrgDNSHandle: VZDNS1-ARIN OrgDNSName: VZ-DNSADMIN",
        "stephen.r.middleton@verizon.com sysmgr@verizon.com CIDR 174.192.0.0/10",
        "Yara Detections: Mirai_Botnet_Malware",
        "IDS Detections: Win32/Vflooder.B Checkin Generic HTTP EXE Upload Inbound Generic HTTP EXE Upload Outbound",
        "Highlighted Text: The following text was observed as standard output,  \"[THEA-MALWARE]: Gimme Cum Pwease XD\"",
        "IDS Detections: ETERNALBLUE Probe Vulnerable System Response MS17-010",
        "ELF Info Header ELF32  2's complement, little endian  1 (current)  UNIX - System V  EXEC (Executable file)  Intel 80386  0x1",
        "Yara Detections: SUSP_Imphash_Mar23_2",
        "High Priority Alerts: dead_host network_icmp osquery_detection network_irc nolookup_communication p2p_cnc",
        "Yara Detections: WannaCry_Ransomware ,  Win32_Ransomware_WannaCry ,  Wanna_Cry_Ransomware_Generic ,",
        "Researched: trueupdater.exe - FileHash-SHA256 000381f55a6406f9448533be6c87481da162f0efe7da60d6f3d8a5401ef6f66b",
        "Interesting Strings: http://schemas.xmlsoap.org/soap/encoding/ http://0.0.0.0/nope",
        "uat.drw.hcahealthcare.cloud  US Admin Email: cd2fa1f805494bc7s@ehc.com Admin Organization: HCA - Information Technology & Services, Inc.",
        "Alerts: cape_detected_threat",
        "Matches rule SUSP_XORed_Mozilla from ruleset gen_xor_hunting by Florian Roth",
        "*OrgTechEmail: swipper@verizonbusiness.com OrgTechRef: https://rdap.arin.net/registry/entity/SWIPP9-ARIN",
        "*US RegDate: 2006-05-30 Updated: 2024-02-12 Ref: https://rdap.arin.net/registry/entity/MCICS"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": [],
          "unique_indicators": 0
        },
        "other": {
          "adversary": [],
          "malware_families": [
            "Trojan.upatre/waski",
            "Trojan:win32/vflooder.a",
            "Webtoolbar",
            "Mbt",
            "Sf:wncryldr-a\\ [trj]",
            "Elf:mirai-ahc\\ [trj]",
            "Unix.trojan.mirai-7100807-0",
            "Worm:win32/autorun",
            "Win.ransomware.wannacry-6313787-0",
            "Slf:win64/cobpipe",
            "Et",
            "Ddos:linux/gafgyt.ya!mtb",
            "Ransom:win32/wannacrypt.h",
            "Alf:program:win32/webcompanion",
            "Maltiverse",
            "Generic",
            "Trojandropper:win32/muldrop.v!mtb",
            "Flooder",
            "Trojanspy",
            "Trojan:win32/antavmu",
            "Mirai"
          ],
          "industries": [
            "Government",
            "Civilian society",
            "Healthcare"
          ],
          "unique_indicators": 44523
        }
      }
    },
    "false_positive": [],
    "alexa": "http://www.alexa.com/siteinfo/arin.net",
    "whois": "http://whois.domaintools.com/arin.net",
    "domain": "arin.net",
    "hostname": "rdap.arin.net"
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 16,
  "pulses": [
    {
      "id": "699c3b796fcaed878ca94c5c",
      "name": "https://m.vzw.com/wIvzrd8",
      "description": "the wizard",
      "modified": "2026-04-18T05:30:18.690000",
      "created": "2026-02-23T11:35:21.673000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 1818,
        "hostname": 575,
        "URL": 200,
        "FileHash-SHA1": 450,
        "CIDR": 11,
        "domain": 887,
        "email": 7,
        "FileHash-MD5": 402,
        "CVE": 21
      },
      "indicator_count": 4371,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 48,
      "modified_text": "1 day ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "69b78f062bcb1cc27d94b032",
      "name": "LifeSafety Report",
      "description": "Verizon Trademark Services LLC\nName Servers\tNS1.VERIZON.NET\nOrg\tVerizon Trademark Services LLC\nAddress\t1320 North Court House Road\nCity\tArlington\nCountry\tUS\nCreation Date\t1999-07-06T00:00:00\nDnssec\tunsigned\nDomain Name\tVERIZON.NET\nDomain Name\tverizon.net\nEmails\tdomainlegalcontact@verizon.com\nEmails\tdns@verizon.com\nExpiration Date\t2018-07-06T00:00:00\nName Servers\tNS2.VERIZON.NET\nName Servers\tNS3.VERIZON.NET\nName Servers\tNS4.VERIZON.NET\nName Servers\tns2.verizon.net\nName Servers\tns3.verizon.net\nName Servers\tns1.verizon.net\nName Servers\tns4.verizon.net\nReferral Url\thttp://www.markmonitor.com\nRegistrar\tMarkMonitor, Inc.\nState\tVA\nStatus\tclientDeleteProhibited https://icann.org/epp#clientDeleteProhibited\nStatus\tclientTransferProhibited https://icann.org/epp#clientTransferProhibited\nStatus\tclientUpdateProhibited https://icann.org/epp#clientUpdateProhibited\nStatus\tserverDeleteProhibited https://icann.org/epp#serverDeleteProhibited\nStatus\tserverTransferProhibited",
      "modified": "2026-04-15T19:46:09.801000",
      "created": "2026-03-16T05:03:02.792000",
      "tags": [
        "nethandle",
        "net108",
        "net1080000",
        "mcics",
        "orgid",
        "mcics address",
        "loudoun county",
        "pkwy city",
        "postalcode",
        "orgabusehandle",
        "passive dns",
        "urls",
        "login",
        "sign up",
        "hostname",
        "pulse pulses",
        "files",
        "verdict",
        "files ip",
        "address"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "CIDR": 4,
        "URL": 7,
        "email": 3,
        "hostname": 4,
        "domain": 1,
        "JA3": 1
      },
      "indicator_count": 20,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 48,
      "modified_text": "3 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "69c236a2d4fd8035ff724bfd",
      "name": "Privacy Notice | Newfold Digital",
      "description": "A full list of key information about the Netherlands-based RIPE Network Coordination Centre (RIPE), as compiled by the BBC's Panorama programme, as well as the official website:.<<pretext",
      "modified": "2026-03-24T07:24:01.470000",
      "created": "2026-03-24T07:00:50.366000",
      "tags": [
        "ripe ncc",
        "ripe network",
        "ripe",
        "organization",
        "orgid",
        "city",
        "orgabusehandle",
        "abuse contact",
        "orgabusephone",
        "de status",
        "handle",
        "address range",
        "cidr",
        "allocation type",
        "allocated pa",
        "status",
        "whois server",
        "entity dtagnic",
        "entity dtagripe",
        "services",
        "net100",
        "net1000000",
        "stateprov",
        "rabusehandle",
        "loudoun county",
        "postalcode",
        "mcics",
        "nethandle",
        "mcics address",
        "pkwy city",
        "orgtechhandle",
        "key identifier",
        "x509v3 subject",
        "v3 serial",
        "number",
        "issuer",
        "cnsectigo rsa",
        "secure server",
        "ca cgb",
        "subject public",
        "key info",
        "cncomodo rsa",
        "ca limited",
        "validity",
        "server",
        "registrar abuse",
        "date",
        "iana id",
        "contact phone",
        "dnssec",
        "domain status",
        "registrar url",
        "registrar whois",
        "registrar",
        "registrant ext",
        "corehub",
        "expiration date",
        "registry domain",
        "registrar iana",
        "street",
        "code",
        "redacted for",
        "privacy tech",
        "postal code",
        "registrant fax",
        "domain id",
        "admin country",
        "admin postal",
        "ma admin",
        "email",
        "registrant city",
        "tierranet",
        "fax ext",
        "privacy",
        "whois privacy",
        "san diego",
        "privacy admin",
        "cus olet",
        "encrypt cnr13",
        "key algorithm",
        "domain name",
        "contact email",
        "record type",
        "ttl value",
        "registrant name",
        "creation date",
        "iframe tags",
        "language",
        "html document",
        "unicode text",
        "utf8 text",
        "gazebo model",
        "configuration",
        "markup language",
        "doctype",
        "deny",
        "secchuamodel",
        "excellent",
        "php script",
        "crlf line",
        "php source"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 208,
        "hostname": 184,
        "IPv4": 25,
        "domain": 51,
        "email": 28,
        "FileHash-SHA256": 194,
        "CIDR": 16,
        "FileHash-MD5": 67,
        "FileHash-SHA1": 263,
        "CVE": 4
      },
      "indicator_count": 1040,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 48,
      "modified_text": "26 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "69c21ec9ed70aa8930710a51",
      "name": "google = program your answer??",
      "description": "The domain name cohassetma.org has been registered as an unregistered domain by the Internet Service Authority (icann) and is subject to an ongoing investigation into its registration and use.<<pretext not my wording but im confused at the lack of .gov protocols",
      "modified": "2026-03-24T05:22:13.842000",
      "created": "2026-03-24T05:19:05.864000",
      "tags": [
        "server",
        "registrar abuse",
        "date",
        "dnssec",
        "domain name",
        "domain status",
        "contact email",
        "contact phone",
        "registrar iana",
        "registrar url",
        "services",
        "net100",
        "net1000000",
        "stateprov",
        "rabusehandle",
        "loudoun county",
        "postalcode",
        "mcics",
        "cidr",
        "orgabusehandle",
        "address range",
        "allocation type",
        "whois server",
        "mcics handle",
        "handle",
        "orgtechhandle",
        "ipmgmt",
        "orgtechref",
        "orgabuseref",
        "nethandle",
        "orgid",
        "google",
        "ip address",
        "mcics address",
        "pkwy city",
        "city",
        "redacted for",
        "privacy",
        "email",
        "whois privacy",
        "san diego",
        "postal code",
        "privacy admin",
        "registrant fax",
        "code"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 155,
        "domain": 75,
        "email": 15,
        "hostname": 67,
        "CIDR": 6,
        "IPv4": 39,
        "FileHash-MD5": 2
      },
      "indicator_count": 359,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 48,
      "modified_text": "26 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "66ba01cb6ef731c30679908b",
      "name": "BusyBox  |Eternal Blue | MITM Attack | Linux Crime Mirai_Botnet_Malware | Brian Sabey attorney",
      "description": "Verizon Business MCICS?\nMCI Communications Services LLC Verizon Division, doing business as MCI, is a subsidiary of Verizon Communications Inc. that provides a wide range of telecommunications products and services to U.S. federal government customers.\nHandle Swipper, previously scrubbed from internet has been hovering over target for at least 10 years.\n[Known to have used Host: 152.199.19.161\n19.161 is an IP address in AS15133 owned by MCICommunicationsServices,Inc.d/b/aVerizonBusiness and located in US] + [Edgecast Inc ns1.edgecastcdn.net] Swipper, once linked to WikiLeaks threat actor who sent malicious emails to targets and Bank of America employees revealing passcodes from garage door codes to favorite color, ice cream hobbies and passwords. \n[Bin][BusyBox] BusyBox is a software suite that provides several Unix utilities in a single executable file.",
      "modified": "2024-10-12T00:01:26.015000",
      "created": "2024-08-12T12:36:27.020000",
      "tags": [
        "network",
        "orgdnsref",
        "nethandle",
        "net174",
        "net1740000",
        "mcics",
        "swipp",
        "swipper",
        "jody alaska",
        "jody huffines",
        "verizon",
        "eva120",
        "block id",
        "wirelessdatanetwork",
        "swipp9-arin",
        "united",
        "et exploit",
        "smbds ipc",
        "show",
        "search",
        "default",
        "asnone",
        "nids",
        "generic",
        "query",
        "service",
        "wannacry",
        "ransom",
        "malware",
        "copy",
        "dock",
        "write",
        "eternalblue",
        "recon",
        "suspicious",
        "realtek sdk",
        "miniigd upnp",
        "soap command",
        "exploit",
        "msie",
        "windows nt",
        "high",
        "binbusybox",
        "gafgyt",
        "execution",
        "mirai",
        "newremotehost",
        "mitm",
        "port",
        "destination",
        "newexternalport",
        "newprotocol",
        "newinternalport",
        "rf cum",
        "newenabled",
        "addpo",
        "addportmapping",
        "whois lookups",
        "city",
        "orgdnshandle",
        "stateprov",
        "loudoun county",
        "postalcode",
        "text",
        "javascript",
        "b file",
        "files",
        "file type",
        "json",
        "graph",
        "t1064 executes",
        "modify system",
        "process t1543",
        "systemd service",
        "posts",
        "mitre att",
        "ta0002 command",
        "t1059",
        "create",
        "ta0004 create",
        "ip traffic",
        "hashes",
        "file system",
        "libmultipath",
        "devftwdt101",
        "devsda1 devsda2",
        "files deleted",
        "e procselffd9",
        "h devsda2",
        "created binsh",
        "shell commands",
        "binsh binsh",
        "binsh c",
        "i lo",
        "p m0755",
        "varrunsshd",
        "processes tree",
        "referrer",
        "pe resource",
        "cry kill",
        "formbook",
        "ransomworm",
        "wannacry kill",
        "switch dns",
        "password bypass",
        "account stealer",
        "hiddentear",
        "installer",
        "skynet",
        "get http",
        "memory pattern",
        "http requests",
        "request",
        "host",
        "cachecontrol",
        "response",
        "contentlength",
        "httponly",
        "samesitelax",
        "mofresourcename",
        "settingswpad",
        "registry keys",
        "hdaudiomofname",
        "acpimofresource",
        "mofresource",
        "registry",
        "kernel context",
        "runtime modules",
        "modules",
        "urls",
        "cloudflare",
        "domains",
        "ip detections",
        "country",
        "win32 exe",
        "mb pe",
        "mb graph",
        "summary",
        "pe32 executable",
        "ms windows",
        "intel",
        "ms visual",
        "win16 ne",
        "win32 dynamic",
        "link library",
        "vs98",
        "info compiler",
        "products id",
        "sp6 build",
        "header intel",
        "name md5",
        "type",
        "language",
        "contained",
        "r english",
        "yara rule",
        "et trojan",
        "domain http",
        "cape",
        "yara detections",
        "alerts",
        "logic",
        "status",
        "passive dns",
        "creation date",
        "scan endpoints",
        "all scoreblue",
        "hostname",
        "pulse submit",
        "url analysis",
        "date",
        "next",
        "as6167 verizon",
        "as22394 verizon",
        "showing",
        "entries",
        "aaaa",
        "cname",
        "asnone united",
        "whitelisted",
        "as20446",
        "as8075",
        "ipv4",
        "unknown",
        "emails",
        "expiration date",
        "name servers",
        "aaaa nxdomain",
        "ireland unknown",
        "nxdomain",
        "soa nxdomain",
        "ns nxdomain",
        "a nxdomain",
        "as8068",
        "united kingdom",
        "domain",
        "cve201717215",
        "huawei remote",
        "huawei hg532",
        "malware worm",
        "exploit none",
        "rce",
        "ate hash",
        "spyware",
        "adversary in the middle",
        "smugglers gambit",
        "hitmen",
        "hallrender",
        "sreredrum",
        "pegasus related",
        "brute force",
        "target tsara brashears",
        "brian sabey"
      ],
      "references": [
        "Researched: 174.215.26.0/255 AS 6167 (CELLCO-PART) US | Swipper | Loudon County, Va | Ongoing attacks",
        "Highlighted Text: The following text was observed as standard output,  \"[THEA-MALWARE]: Gimme Cum Pwease XD\"",
        "Trojan.Linux.Mirai.1 | Crime_Mirai | DDoS:Linux/Gafgyt.YA!MTB: FILEHASH - SHA256 a1eff1e00a7d532a6e6d71b3c5328e",
        "Antivirus Detections: ELF:Mirai-AHC\\ [Trj] ,  Unix.Trojan.Mirai-7100807-0 ,  DDoS:Linux/Gafgyt.YA!MTB",
        "IDS Detections: Huawei Remote Command Execution - Outbound (CVE-2017-17215)",
        "IDS Detections: Realtek SDK Miniigd UPnP SOAP Command Execution CVE-2014-8361 - Outbound",
        "Yara Detections: Mirai_Botnet_Malware",
        "High Priority Alerts: dead_host network_icmp osquery_detection network_irc nolookup_communication p2p_cnc",
        "Interesting Strings: http://schemas.xmlsoap.org/soap/encoding/ http://0.0.0.0/nope",
        "Interesting Strings: http://schemas.xmlsoap.org/soap/envelope/ 185.244.25.117 127.0.0.1",
        "ELF Info Header ELF32  2's complement, little endian  1 (current)  UNIX - System V  EXEC (Executable file)  Intel 80386  0x1",
        "Matches rule Mirai_Botnet_Malware from ruleset crime_mirai by Florian Roth",
        "Matches rule Linux_Trojan_Mirai_b14f4c5d from ruleset Linux_Trojan_Mirai by Elastic Security",
        "Matches rule SUSP_XORed_Mozilla from ruleset gen_xor_hunting by Florian Roth",
        "Matches rule Linux_Trojan_Mirai_fa3ad9d0 from ruleset Linux_Trojan_Mirai by Elastic Security",
        "https://github.com/Neo23x0/signature-base/search?q=Mirai_Botnet_Malware Desc: Detects Mirai Botnet Malware RULE_AUTHOR: Florian Roth",
        "Crime_WannaCry | Ransom:Win32/WannaCrypt.H | FILEHASH - SHA256  86f7e04aed8403e6b9f0d4ae880a55f7574c1b177cf6c24234ffa992eadb2c52",
        "Yara Detections: WannaCry_Ransomware ,  Win32_Ransomware_WannaCry ,  Wanna_Cry_Ransomware_Generic ,",
        "Yara Detections: MS17_010_WanaCry_worm ,  NHS_Strain_Wanna ,  stack_string ,  MS_Visual_Cpp_6_0",
        "Alerts: nids_exploit_alert nids_malware_alert network_icmp nolookup_communication persistence_autorun network_cnc_http",
        "IDS Detections: W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1",
        "IDS Detections: Domain Sinkholed by Kryptos Logic (HTML Response)",
        "IDS Detections: Possible ETERNALBLUE Probe MS17-010 (MSF style)",
        "IDS Detections: Possible ETERNALBLUE Probe MS17-010 (Generic Flags)",
        "IDS Detections: ETERNALBLUE Probe Vulnerable System Response MS17-010",
        "IDS Detections: Observed DNS Query to Suspicious Domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com)",
        "IDS Detections: Behavioral Unusual Port 445 traffic Potential Scan or Infection",
        "Antivirus Detections Sf:WNCryLdr-A\\ [Trj] ,  Win.Ransomware.WannaCry-6313787-0 ,  Ransom:Win32/WannaCrypt.H"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "DDoS:Linux/Gafgyt.YA!MTB",
          "display_name": "DDoS:Linux/Gafgyt.YA!MTB",
          "target": "/malware/DDoS:Linux/Gafgyt.YA!MTB"
        },
        {
          "id": "Unix.Trojan.Mirai-7100807-0",
          "display_name": "Unix.Trojan.Mirai-7100807-0",
          "target": null
        },
        {
          "id": "ELF:Mirai-AHC\\ [Trj]",
          "display_name": "ELF:Mirai-AHC\\ [Trj]",
          "target": null
        },
        {
          "id": "Sf:WNCryLdr-A\\ [Trj]",
          "display_name": "Sf:WNCryLdr-A\\ [Trj]",
          "target": null
        },
        {
          "id": "Ransom:Win32/WannaCrypt.H",
          "display_name": "Ransom:Win32/WannaCrypt.H",
          "target": "/malware/Ransom:Win32/WannaCrypt.H"
        },
        {
          "id": "Win.Ransomware.WannaCry-6313787-0",
          "display_name": "Win.Ransomware.WannaCry-6313787-0",
          "target": null
        },
        {
          "id": "Mirai",
          "display_name": "Mirai",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1031",
          "name": "Modify Existing Service",
          "display_name": "T1031 - Modify Existing Service"
        },
        {
          "id": "T1045",
          "name": "Software Packing",
          "display_name": "T1045 - Software Packing"
        },
        {
          "id": "T1053",
          "name": "Scheduled Task/Job",
          "display_name": "T1053 - Scheduled Task/Job"
        },
        {
          "id": "T1060",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1060 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1143",
          "name": "Hidden Window",
          "display_name": "T1143 - Hidden Window"
        },
        {
          "id": "T1158",
          "name": "Hidden Files and Directories",
          "display_name": "T1158 - Hidden Files and Directories"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1003",
          "name": "OS Credential Dumping",
          "display_name": "T1003 - OS Credential Dumping"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1064",
          "name": "Scripting",
          "display_name": "T1064 - Scripting"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1095",
          "name": "Non-Application Layer Protocol",
          "display_name": "T1095 - Non-Application Layer Protocol"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1543",
          "name": "Create or Modify System Process",
          "display_name": "T1543 - Create or Modify System Process"
        },
        {
          "id": "T1571",
          "name": "Non-Standard Port",
          "display_name": "T1571 - Non-Standard Port"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1185",
          "name": "Man in the Browser",
          "display_name": "T1185 - Man in the Browser"
        },
        {
          "id": "T1557",
          "name": "Man-in-the-Middle",
          "display_name": "T1557 - Man-in-the-Middle"
        }
      ],
      "industries": [
        "Government",
        "Healthcare",
        "Civilian Society"
      ],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 41,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "scoreblue",
        "id": "254100",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 2826,
        "CIDR": 2,
        "URL": 549,
        "email": 12,
        "hostname": 587,
        "FileHash-MD5": 806,
        "FileHash-SHA1": 791,
        "BitcoinAddress": 3,
        "domain": 388,
        "CVE": 4
      },
      "indicator_count": 5968,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 230,
      "modified_text": "554 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "66ba036c462091e25e94de49",
      "name": "Lazarus Group: Crime_WannaCry | Crime Mirai_Botnet_Malware ",
      "description": "",
      "modified": "2024-10-12T00:01:26.015000",
      "created": "2024-08-12T12:43:24.286000",
      "tags": [
        "network",
        "orgdnsref",
        "nethandle",
        "net174",
        "net1740000",
        "mcics",
        "swipp",
        "swipper",
        "jody alaska",
        "jody huffines",
        "verizon",
        "eva120",
        "block id",
        "wirelessdatanetwork",
        "swipp9-arin",
        "united",
        "et exploit",
        "smbds ipc",
        "show",
        "search",
        "default",
        "asnone",
        "nids",
        "generic",
        "query",
        "service",
        "wannacry",
        "ransom",
        "malware",
        "copy",
        "dock",
        "write",
        "eternalblue",
        "recon",
        "suspicious",
        "realtek sdk",
        "miniigd upnp",
        "soap command",
        "exploit",
        "msie",
        "windows nt",
        "high",
        "binbusybox",
        "gafgyt",
        "execution",
        "mirai",
        "newremotehost",
        "mitm",
        "port",
        "destination",
        "newexternalport",
        "newprotocol",
        "newinternalport",
        "rf cum",
        "newenabled",
        "addpo",
        "addportmapping",
        "whois lookups",
        "city",
        "orgdnshandle",
        "stateprov",
        "loudoun county",
        "postalcode",
        "text",
        "javascript",
        "b file",
        "files",
        "file type",
        "json",
        "graph",
        "t1064 executes",
        "modify system",
        "process t1543",
        "systemd service",
        "posts",
        "mitre att",
        "ta0002 command",
        "t1059",
        "create",
        "ta0004 create",
        "ip traffic",
        "hashes",
        "file system",
        "libmultipath",
        "devftwdt101",
        "devsda1 devsda2",
        "files deleted",
        "e procselffd9",
        "h devsda2",
        "created binsh",
        "shell commands",
        "binsh binsh",
        "binsh c",
        "i lo",
        "p m0755",
        "varrunsshd",
        "processes tree",
        "referrer",
        "pe resource",
        "cry kill",
        "formbook",
        "ransomworm",
        "wannacry kill",
        "switch dns",
        "password bypass",
        "account stealer",
        "hiddentear",
        "installer",
        "skynet",
        "get http",
        "memory pattern",
        "http requests",
        "request",
        "host",
        "cachecontrol",
        "response",
        "contentlength",
        "httponly",
        "samesitelax",
        "mofresourcename",
        "settingswpad",
        "registry keys",
        "hdaudiomofname",
        "acpimofresource",
        "mofresource",
        "registry",
        "kernel context",
        "runtime modules",
        "modules",
        "urls",
        "cloudflare",
        "domains",
        "ip detections",
        "country",
        "win32 exe",
        "mb pe",
        "mb graph",
        "summary",
        "pe32 executable",
        "ms windows",
        "intel",
        "ms visual",
        "win16 ne",
        "win32 dynamic",
        "link library",
        "vs98",
        "info compiler",
        "products id",
        "sp6 build",
        "header intel",
        "name md5",
        "type",
        "language",
        "contained",
        "r english",
        "yara rule",
        "et trojan",
        "domain http",
        "cape",
        "yara detections",
        "alerts",
        "logic",
        "status",
        "passive dns",
        "creation date",
        "scan endpoints",
        "all scoreblue",
        "hostname",
        "pulse submit",
        "url analysis",
        "date",
        "next",
        "as6167 verizon",
        "as22394 verizon",
        "showing",
        "entries",
        "aaaa",
        "cname",
        "asnone united",
        "whitelisted",
        "as20446",
        "as8075",
        "ipv4",
        "unknown",
        "emails",
        "expiration date",
        "name servers",
        "aaaa nxdomain",
        "ireland unknown",
        "nxdomain",
        "soa nxdomain",
        "ns nxdomain",
        "a nxdomain",
        "as8068",
        "united kingdom",
        "domain",
        "cve201717215",
        "huawei remote",
        "huawei hg532",
        "malware worm",
        "exploit none",
        "rce",
        "ate hash",
        "spyware",
        "adversary in the middle",
        "smugglers gambit",
        "hitmen",
        "hallrender",
        "sreredrum",
        "pegasus related",
        "brute force",
        "target tsara brashears",
        "brian sabey"
      ],
      "references": [
        "Researched: 174.215.26.0/255 AS 6167 (CELLCO-PART) US | Swipper | Loudoun County, Va | Ongoing attacks",
        "Highlighted Text: The following text was observed as standard output,  \"[THEA-MALWARE]: Gimme Cum Pwease XD\"",
        "Trojan.Linux.Mirai.1 | Crime_Mirai | DDoS:Linux/Gafgyt.YA!MTB: FILEHASH - SHA256 a1eff1e00a7d532a6e6d71b3c5328e (truncated: only 30 of 64 hex characters were captured, so this value cannot be used for matching as-is)",
        "Antivirus Detections: ELF:Mirai-AHC\\ [Trj] ,  Unix.Trojan.Mirai-7100807-0 ,  DDoS:Linux/Gafgyt.YA!MTB",
        "IDS Detections: Huawei Remote Command Execution - Outbound (CVE-2017-17215)",
        "IDS Detections: Realtek SDK Miniigd UPnP SOAP Command Execution CVE-2014-8361 - Outbound",
        "Yara Detections: Mirai_Botnet_Malware",
        "High Priority Alerts: dead_host network_icmp osquery_detection network_irc nolookup_communication p2p_cnc",
        "Interesting Strings: http://schemas.xmlsoap.org/soap/encoding/ http://0.0.0.0/nope",
        "Interesting Strings: http://schemas.xmlsoap.org/soap/envelope/ 185.244.25.117 127.0.0.1",
        "ELF Info Header ELF32  2's complement, little endian  1 (current)  UNIX - System V  EXEC (Executable file)  Intel 80386  0x1",
        "Matches rule Mirai_Botnet_Malware from ruleset crime_mirai by Florian Roth",
        "Matches rule Linux_Trojan_Mirai_b14f4c5d from ruleset Linux_Trojan_Mirai by Elastic Security",
        "Matches rule SUSP_XORed_Mozilla from ruleset gen_xor_hunting by Florian Roth",
        "Matches rule Linux_Trojan_Mirai_fa3ad9d0 from ruleset Linux_Trojan_Mirai by Elastic Security",
        "https://github.com/Neo23x0/signature-base/search?q=Mirai_Botnet_Malware Desc: Detects Mirai Botnet Malware RULE_AUTHOR: Florian Roth",
        "Crime_WannaCry | Ransom:Win32/WannaCrypt.H | FILEHASH - SHA256  86f7e04aed8403e6b9f0d4ae880a55f7574c1b177cf6c24234ffa992eadb2c52",
        "Yara Detections: WannaCry_Ransomware ,  Win32_Ransomware_WannaCry ,  Wanna_Cry_Ransomware_Generic ,",
        "Yara Detections: MS17_010_WanaCry_worm ,  NHS_Strain_Wanna ,  stack_string ,  MS_Visual_Cpp_6_0",
        "Alerts: nids_exploit_alert nids_malware_alert network_icmp nolookup_communication persistence_autorun network_cnc_http",
        "IDS Detections: W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1",
        "IDS Detections: Domain Sinkholed by Kryptos Logic (HTML Response)",
        "IDS Detections: Possible ETERNALBLUE Probe MS17-010 (MSF style)",
        "IDS Detections: Possible ETERNALBLUE Probe MS17-010 (Generic Flags)",
        "IDS Detections: ETERNALBLUE Probe Vulnerable System Response MS17-010",
        "IDS Detections: Observed DNS Query to Suspicious Domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com)",
        "IDS Detections: Behavioral Unusual Port 445 traffic Potential Scan or Infection",
        "Antivirus Detections Sf:WNCryLdr-A\\ [Trj] ,  Win.Ransomware.WannaCry-6313787-0 ,  Ransom:Win32/WannaCrypt.H"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "DDoS:Linux/Gafgyt.YA!MTB",
          "display_name": "DDoS:Linux/Gafgyt.YA!MTB",
          "target": "/malware/DDoS:Linux/Gafgyt.YA!MTB"
        },
        {
          "id": "Unix.Trojan.Mirai-7100807-0",
          "display_name": "Unix.Trojan.Mirai-7100807-0",
          "target": null
        },
        {
          "id": "ELF:Mirai-AHC\\ [Trj]",
          "display_name": "ELF:Mirai-AHC\\ [Trj]",
          "target": null
        },
        {
          "id": "Sf:WNCryLdr-A\\ [Trj]",
          "display_name": "Sf:WNCryLdr-A\\ [Trj]",
          "target": null
        },
        {
          "id": "Ransom:Win32/WannaCrypt.H",
          "display_name": "Ransom:Win32/WannaCrypt.H",
          "target": "/malware/Ransom:Win32/WannaCrypt.H"
        },
        {
          "id": "Win.Ransomware.WannaCry-6313787-0",
          "display_name": "Win.Ransomware.WannaCry-6313787-0",
          "target": null
        },
        {
          "id": "Mirai",
          "display_name": "Mirai",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1031",
          "name": "Modify Existing Service",
          "display_name": "T1031 - Modify Existing Service"
        },
        {
          "id": "T1045",
          "name": "Software Packing",
          "display_name": "T1045 - Software Packing"
        },
        {
          "id": "T1053",
          "name": "Scheduled Task/Job",
          "display_name": "T1053 - Scheduled Task/Job"
        },
        {
          "id": "T1060",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1060 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1143",
          "name": "Hidden Window",
          "display_name": "T1143 - Hidden Window"
        },
        {
          "id": "T1158",
          "name": "Hidden Files and Directories",
          "display_name": "T1158 - Hidden Files and Directories"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1003",
          "name": "OS Credential Dumping",
          "display_name": "T1003 - OS Credential Dumping"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1064",
          "name": "Scripting",
          "display_name": "T1064 - Scripting"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1095",
          "name": "Non-Application Layer Protocol",
          "display_name": "T1095 - Non-Application Layer Protocol"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1543",
          "name": "Create or Modify System Process",
          "display_name": "T1543 - Create or Modify System Process"
        },
        {
          "id": "T1571",
          "name": "Non-Standard Port",
          "display_name": "T1571 - Non-Standard Port"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1185",
          "name": "Man in the Browser",
          "display_name": "T1185 - Man in the Browser"
        },
        {
          "id": "T1557",
          "name": "Man-in-the-Middle",
          "display_name": "T1557 - Man-in-the-Middle"
        }
      ],
      "industries": [
        "Government",
        "Healthcare",
        "Civilian Society"
      ],
      "TLP": "green",
      "cloned_from": "66ba01cb6ef731c30679908b",
      "export_count": 50,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "scoreblue",
        "id": "254100",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 2786,
        "CIDR": 2,
        "URL": 457,
        "email": 12,
        "hostname": 535,
        "FileHash-MD5": 806,
        "FileHash-SHA1": 791,
        "BitcoinAddress": 3,
        "domain": 367,
        "CVE": 4
      },
      "indicator_count": 5763,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 233,
      "modified_text": "554 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "66eb1903bb12a0d4b524a0fb",
      "name": "HCA Healthcloid | Cellco\u00bb  Adversary in the Middle | Swipper Verizon Block ",
      "description": "",
      "modified": "2024-09-18T18:16:35.396000",
      "created": "2024-09-18T18:16:35.396000",
      "tags": [
        "swipp9-arin",
        "swipper",
        "swipp",
        "verizon",
        "cellcopart",
        "swipper",
        "ongoing",
        "get e sim",
        "as16276",
        "france unknown",
        "unknown",
        "as6167",
        "org verizon",
        "passive dns",
        "all scoreblue",
        "as8075",
        "cellco",
        "javascript",
        "help center",
        "please",
        "service privacy",
        "policy cookie",
        "policy imprint",
        "ads info",
        "cms",
        "express",
        "tsa b",
        "self",
        "server",
        "get esim",
        "wirelessdatanetwork",
        "netrange",
        "nethandle",
        "net174",
        "net1740000",
        "mcics",
        "orgid",
        "mcics address",
        "loudoun county",
        "android",
        "generic http",
        "exe upload",
        "windows nt",
        "outbound",
        "host",
        "malware beacon",
        "cape",
        "trojan",
        "copy",
        "write",
        "malware",
        "inbound",
        "impash",
        "post na",
        "search",
        "delete",
        "related pulses",
        "top source",
        "top destination",
        "source source",
        "filehash",
        "contentlength",
        "activity",
        "dns lookup",
        "flooder",
        "et",
        "aaaa",
        "nxdomain",
        "domain",
        "ipv4",
        "url analysis",
        "files",
        "malicious",
        "network",
        "historical ssl",
        "epsilon stealer",
        "traces aided",
        "dns intel",
        "remote job",
        "keeper",
        "snatch",
        "ransomware",
        "united states",
        "as8068",
        "entries",
        "mtb jan",
        "body",
        "x msedge",
        "scan endpoints",
        "trojandropper",
        "slf features",
        "file samples",
        "files matching",
        "date hash",
        "next",
        "win64",
        "win32",
        "copyright",
        "levelblue",
        "showing",
        "a domains",
        "as54113",
        "script domains",
        "script urls",
        "script script",
        "date",
        "meta",
        "window",
        "cookie",
        "trojan features",
        "worm",
        "show",
        "alf features",
        "hca",
        "target tsara brashears",
        "hostname",
        "expiration",
        "no expiration",
        "hca health",
        "eva120",
        "jody huffines",
        "jody alaska",
        "stephen r 'middleton'",
        "phone clone",
        "adversary in the middle",
        "known threat",
        "android attack",
        "web attack",
        "network",
        "dns",
        "florence co",
        "ddos",
        "google",
        "ip address",
        "ip range",
        "whois",
        "spam stats",
        "as6167 network",
        "cleantalk ip",
        "email abuse",
        "reports",
        "misc attack",
        "et tor",
        "known tor",
        "relayrouter",
        "exit",
        "node traffic",
        "suricata",
        "et intelligence",
        "known malicious ip",
        "spoof",
        "twitter",
        "x",
        "hackers"
      ],
      "references": [
        "Researched: 174.192.0.0 AS 6167 (CELLCO-PART) US | Swipper | Loudoun County, Va | Ongoing attacks  174.215.26.0",
        "uat.drw.hcahealthcare.cloud  US Admin Email: cd2fa1f805494bc7s@ehc.com Admin Organization: HCA - Information Technology & Services, Inc.",
        "OrgTechEmail: swipper@verizonbusiness.com domains@microsotseft.com kenneth.reeb@verizonwireless.com msnhst@microsoft.com",
        "stephen.r.middleton@verizon.com sysmgr@verizon.com CIDR 174.192.0.0/10",
        "Antivirus Detections: Win.Malware.Vtflooder-9783271-0 ,  Trojan:Win32/Vflooder.B",
        "IDS Detections: Win32/Vflooder.B Checkin Generic HTTP EXE Upload Inbound Generic HTTP EXE Upload Outbound",
        "Yara Detections: SUSP_Imphash_Mar23_2",
        "Alerts: cape_detected_threat",
        "http://www.govexec.com/dailyfed/0906/091806ol.htm",
        "Researched: trueupdater.exe - FileHash-SHA256 000381f55a6406f9448533be6c87481da162f0efe7da60d6f3d8a5401ef6f66b",
        "*https://identity.cnw.hcahealthcare.cloud/Account/ForgotPassword * identity.cnw.hcahealthcare.cloud *uat.drw.hcahealthcare.cloud",
        "NetRange: 174.192.0.0 - 174.255.255.255 CIDR: 174.192.0.0/10 NetName: WIRELESSDATANETWORK",
        "*NetHandle: NET-174-192-0-0-1 Parent: NET174 (NET-174-0-0-0-0) NetType: Direct Allocation Organization: Verizon Business (MCICS)",
        "*RegDate: 2008-12-16 Updated: 2022-05-31 Ref: https://rdap.arin.net/registry/ip/174.192.0.0 OrgName: Verizon Business",
        "*OrgId: MCICS Address: 22001 Loudoun County Pkwy City: Ashburn StateProv: VA PostalCode: 20147 Country:",
        "*US RegDate: 2006-05-30 Updated: 2024-02-12 Ref: https://rdap.arin.net/registry/entity/MCICS",
        "*OrgAbuseHandle: ABUSE3-ARIN OrgAbuseName: abuse OrgAbusePhone: +1-800-900-0241 OrgAbuseEmail: abuse@verizon.net",
        "*OrgAbuseRef: https://rdap.arin.net/registry/entity/ABUSE3-ARIN OrgDNSHandle: VZDNS1-ARIN OrgDNSName: VZ-DNSADMIN",
        "*OrgDNSPhone: +1-800-900-0241 OrgDNSEmail: dnsadmin@verizon.com",
        "*OrgTechEmail: swipper@verizonbusiness.com OrgTechRef: https://rdap.arin.net/registry/entity/SWIPP9-ARIN",
        "*OrgDNSRef: https://rdap.arin.net/registry/entity/VZDNS1-ARIN OrgAbuseHandle: ABUSE5603-ARIN OrgAbuseName"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "Trojan:Win32/Vflooder.A",
          "display_name": "Trojan:Win32/Vflooder.A",
          "target": "/malware/Trojan:Win32/Vflooder.A"
        },
        {
          "id": "ET",
          "display_name": "ET",
          "target": null
        },
        {
          "id": "Flooder",
          "display_name": "Flooder",
          "target": null
        },
        {
          "id": "Trojan.Upatre/Waski",
          "display_name": "Trojan.Upatre/Waski",
          "target": null
        },
        {
          "id": "SLF:Win64/CobPipe",
          "display_name": "SLF:Win64/CobPipe",
          "target": "/malware/SLF:Win64/CobPipe"
        },
        {
          "id": "TrojanDropper:Win32/Muldrop.V!MTB",
          "display_name": "TrojanDropper:Win32/Muldrop.V!MTB",
          "target": "/malware/TrojanDropper:Win32/Muldrop.V!MTB"
        },
        {
          "id": "Worm:Win32/AutoRun",
          "display_name": "Worm:Win32/AutoRun",
          "target": "/malware/Worm:Win32/AutoRun"
        },
        {
          "id": "ALF:Program:Win32/Webcompanion",
          "display_name": "ALF:Program:Win32/Webcompanion",
          "target": null
        },
        {
          "id": "Trojan:Win32/Antavmu",
          "display_name": "Trojan:Win32/Antavmu",
          "target": "/malware/Trojan:Win32/Antavmu"
        }
      ],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1210",
          "name": "Exploitation of Remote Services",
          "display_name": "T1210 - Exploitation of Remote Services"
        },
        {
          "id": "T1046",
          "name": "Network Service Scanning",
          "display_name": "T1046 - Network Service Scanning"
        },
        {
          "id": "T1040",
          "name": "Network Sniffing",
          "display_name": "T1040 - Network Sniffing"
        },
        {
          "id": "T1212",
          "name": "Exploitation for Credential Access",
          "display_name": "T1212 - Exploitation for Credential Access"
        },
        {
          "id": "T1003.008",
          "name": "/etc/passwd and /etc/shadow",
          "display_name": "T1003.008 - /etc/passwd and /etc/shadow"
        },
        {
          "id": "T1031",
          "name": "Modify Existing Service",
          "display_name": "T1031 - Modify Existing Service"
        },
        {
          "id": "T1122",
          "name": "Component Object Model Hijacking",
          "display_name": "T1122 - Component Object Model Hijacking"
        },
        {
          "id": "T1198",
          "name": "SIP and Trust Provider Hijacking",
          "display_name": "T1198 - SIP and Trust Provider Hijacking"
        },
        {
          "id": "T1460",
          "name": "Biometric Spoofing",
          "display_name": "T1460 - Biometric Spoofing"
        },
        {
          "id": "T1502",
          "name": "Parent PID Spoofing",
          "display_name": "T1502 - Parent PID Spoofing"
        },
        {
          "id": "T1205.001",
          "name": "Port Knocking",
          "display_name": "T1205.001 - Port Knocking"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        }
      ],
      "industries": [
        "Healthcare",
        "Government",
        "Civilian Society"
      ],
      "TLP": "white",
      "cloned_from": "66ba9198fd69c93fabece38d",
      "export_count": 9,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "scoreblue",
        "id": "254100",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "email": 51,
        "CIDR": 11,
        "URL": 280,
        "hostname": 426,
        "FileHash-SHA256": 4334,
        "domain": 180,
        "FileHash-MD5": 2244,
        "FileHash-SHA1": 2244,
        "CVE": 1
      },
      "indicator_count": 9771,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 224,
      "modified_text": "577 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "66ba9198fd69c93fabece38d",
      "name": "Adversary in the Middle | Cellco | Targeting | Phone Cloner | Monitoring",
      "description": "Linked to X.com research. Remotely spoofs, DDoSes, blocks, intercepts, and redirects all activity of the victim. At one time the same handle, Swipper, had a malicious link attached to targets' Apple notepads. The link connected to a website carrying the target's name with a photo of a jubilant arrest, or a death threat. Site linked to Loudoun County, with Swipper claiming to be the FBI. Reviewer note: per the RDAP records quoted in this pulse's references, SWIPP9-ARIN / swipper@verizonbusiness.com is the ARIN OrgTech contact handle recorded for Verizon Business (OrgId MCICS); the handle is registry contact metadata rather than evidence of a specific actor, and https://rdap.arin.net/registry/entity/MCICS is the public registry lookup URL for that organisation, not an attacker-controlled resource.",
      "modified": "2024-09-18T18:12:03.438000",
      "created": "2024-08-12T22:50:00.127000",
      "tags": [
        "swipp9-arin",
        "swipper",
        "swipp",
        "verizon",
        "cellcopart",
        "swipper",
        "ongoing",
        "get e sim",
        "as16276",
        "france unknown",
        "unknown",
        "as6167",
        "org verizon",
        "passive dns",
        "all scoreblue",
        "as8075",
        "cellco",
        "javascript",
        "help center",
        "please",
        "service privacy",
        "policy cookie",
        "policy imprint",
        "ads info",
        "cms",
        "express",
        "tsa b",
        "self",
        "server",
        "get esim",
        "wirelessdatanetwork",
        "netrange",
        "nethandle",
        "net174",
        "net1740000",
        "mcics",
        "orgid",
        "mcics address",
        "loudoun county",
        "android",
        "generic http",
        "exe upload",
        "windows nt",
        "outbound",
        "host",
        "malware beacon",
        "cape",
        "trojan",
        "copy",
        "write",
        "malware",
        "inbound",
        "impash",
        "post na",
        "search",
        "delete",
        "related pulses",
        "top source",
        "top destination",
        "source source",
        "filehash",
        "contentlength",
        "activity",
        "dns lookup",
        "flooder",
        "et",
        "aaaa",
        "nxdomain",
        "domain",
        "ipv4",
        "url analysis",
        "files",
        "malicious",
        "network",
        "historical ssl",
        "epsilon stealer",
        "traces aided",
        "dns intel",
        "remote job",
        "keeper",
        "snatch",
        "ransomware",
        "united states",
        "as8068",
        "entries",
        "mtb jan",
        "body",
        "x msedge",
        "scan endpoints",
        "trojandropper",
        "slf features",
        "file samples",
        "files matching",
        "date hash",
        "next",
        "win64",
        "win32",
        "copyright",
        "levelblue",
        "showing",
        "a domains",
        "as54113",
        "script domains",
        "script urls",
        "script script",
        "date",
        "meta",
        "window",
        "cookie",
        "trojan features",
        "worm",
        "show",
        "alf features",
        "hca",
        "target tsara brashears",
        "hostname",
        "expiration",
        "no expiration",
        "hca health",
        "eva120",
        "jody huffines",
        "jody alaska",
        "stephen r 'middleton'",
        "phone clone",
        "adversary in the middle",
        "known threat",
        "android attack",
        "web attack",
        "network",
        "dns",
        "florence co",
        "ddos",
        "google",
        "ip address",
        "ip range",
        "whois",
        "spam stats",
        "as6167 network",
        "cleantalk ip",
        "email abuse",
        "reports",
        "misc attack",
        "et tor",
        "known tor",
        "relayrouter",
        "exit",
        "node traffic",
        "suricata",
        "et intelligence",
        "known malicious ip",
        "spoof",
        "twitter",
        "x",
        "hackers"
      ],
      "references": [
        "Researched: 174.192.0.0 AS 6167 (CELLCO-PART) US | Swipper | Loudoun County, Va | Ongoing attacks  174.215.26.0",
        "uat.drw.hcahealthcare.cloud  US Admin Email: cd2fa1f805494bc7s@ehc.com Admin Organization: HCA - Information Technology & Services, Inc.",
        "OrgTechEmail: swipper@verizonbusiness.com domains@microsotseft.com kenneth.reeb@verizonwireless.com msnhst@microsoft.com",
        "stephen.r.middleton@verizon.com sysmgr@verizon.com CIDR 174.192.0.0/10",
        "Antivirus Detections: Win.Malware.Vtflooder-9783271-0 ,  Trojan:Win32/Vflooder.B",
        "IDS Detections: Win32/Vflooder.B Checkin Generic HTTP EXE Upload Inbound Generic HTTP EXE Upload Outbound",
        "Yara Detections: SUSP_Imphash_Mar23_2",
        "Alerts: cape_detected_threat",
        "http://www.govexec.com/dailyfed/0906/091806ol.htm",
        "Researched: trueupdater.exe - FileHash-SHA256 000381f55a6406f9448533be6c87481da162f0efe7da60d6f3d8a5401ef6f66b",
        "*https://identity.cnw.hcahealthcare.cloud/Account/ForgotPassword * identity.cnw.hcahealthcare.cloud *uat.drw.hcahealthcare.cloud",
        "NetRange: 174.192.0.0 - 174.255.255.255 CIDR: 174.192.0.0/10 NetName: WIRELESSDATANETWORK",
        "*NetHandle: NET-174-192-0-0-1 Parent: NET174 (NET-174-0-0-0-0) NetType: Direct Allocation Organization: Verizon Business (MCICS)",
        "*RegDate: 2008-12-16 Updated: 2022-05-31 Ref: https://rdap.arin.net/registry/ip/174.192.0.0 OrgName: Verizon Business",
        "*OrgId: MCICS Address: 22001 Loudoun County Pkwy City: Ashburn StateProv: VA PostalCode: 20147 Country:",
        "*US RegDate: 2006-05-30 Updated: 2024-02-12 Ref: https://rdap.arin.net/registry/entity/MCICS",
        "*OrgAbuseHandle: ABUSE3-ARIN OrgAbuseName: abuse OrgAbusePhone: +1-800-900-0241 OrgAbuseEmail: abuse@verizon.net",
        "*OrgAbuseRef: https://rdap.arin.net/registry/entity/ABUSE3-ARIN OrgDNSHandle: VZDNS1-ARIN OrgDNSName: VZ-DNSADMIN",
        "*OrgDNSPhone: +1-800-900-0241 OrgDNSEmail: dnsadmin@verizon.com",
        "*OrgTechEmail: swipper@verizonbusiness.com OrgTechRef: https://rdap.arin.net/registry/entity/SWIPP9-ARIN",
        "*OrgDNSRef: https://rdap.arin.net/registry/entity/VZDNS1-ARIN OrgAbuseHandle: ABUSE5603-ARIN OrgAbuseName"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "Trojan:Win32/Vflooder.A",
          "display_name": "Trojan:Win32/Vflooder.A",
          "target": "/malware/Trojan:Win32/Vflooder.A"
        },
        {
          "id": "ET",
          "display_name": "ET",
          "target": null
        },
        {
          "id": "Flooder",
          "display_name": "Flooder",
          "target": null
        },
        {
          "id": "Trojan.Upatre/Waski",
          "display_name": "Trojan.Upatre/Waski",
          "target": null
        },
        {
          "id": "SLF:Win64/CobPipe",
          "display_name": "SLF:Win64/CobPipe",
          "target": "/malware/SLF:Win64/CobPipe"
        },
        {
          "id": "TrojanDropper:Win32/Muldrop.V!MTB",
          "display_name": "TrojanDropper:Win32/Muldrop.V!MTB",
          "target": "/malware/TrojanDropper:Win32/Muldrop.V!MTB"
        },
        {
          "id": "Worm:Win32/AutoRun",
          "display_name": "Worm:Win32/AutoRun",
          "target": "/malware/Worm:Win32/AutoRun"
        },
        {
          "id": "ALF:Program:Win32/Webcompanion",
          "display_name": "ALF:Program:Win32/Webcompanion",
          "target": null
        },
        {
          "id": "Trojan:Win32/Antavmu",
          "display_name": "Trojan:Win32/Antavmu",
          "target": "/malware/Trojan:Win32/Antavmu"
        }
      ],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1210",
          "name": "Exploitation of Remote Services",
          "display_name": "T1210 - Exploitation of Remote Services"
        },
        {
          "id": "T1046",
          "name": "Network Service Scanning",
          "display_name": "T1046 - Network Service Scanning"
        },
        {
          "id": "T1040",
          "name": "Network Sniffing",
          "display_name": "T1040 - Network Sniffing"
        },
        {
          "id": "T1212",
          "name": "Exploitation for Credential Access",
          "display_name": "T1212 - Exploitation for Credential Access"
        },
        {
          "id": "T1003.008",
          "name": "/etc/passwd and /etc/shadow",
          "display_name": "T1003.008 - /etc/passwd and /etc/shadow"
        },
        {
          "id": "T1031",
          "name": "Modify Existing Service",
          "display_name": "T1031 - Modify Existing Service"
        },
        {
          "id": "T1122",
          "name": "Component Object Model Hijacking",
          "display_name": "T1122 - Component Object Model Hijacking"
        },
        {
          "id": "T1198",
          "name": "SIP and Trust Provider Hijacking",
          "display_name": "T1198 - SIP and Trust Provider Hijacking"
        },
        {
          "id": "T1460",
          "name": "Biometric Spoofing",
          "display_name": "T1460 - Biometric Spoofing"
        },
        {
          "id": "T1502",
          "name": "Parent PID Spoofing",
          "display_name": "T1502 - Parent PID Spoofing"
        },
        {
          "id": "T1205.001",
          "name": "Port Knocking",
          "display_name": "T1205.001 - Port Knocking"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        }
      ],
      "industries": [
        "Healthcare",
        "Government",
        "Civilian Society"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 29,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "scoreblue",
        "id": "254100",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "email": 51,
        "CIDR": 11,
        "URL": 280,
        "hostname": 426,
        "FileHash-SHA256": 4334,
        "domain": 180,
        "FileHash-MD5": 2244,
        "FileHash-SHA1": 2244,
        "CVE": 1
      },
      "indicator_count": 9771,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 226,
      "modified_text": "577 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "66cb6092ed7d61b3a370d6cd",
      "name": "Adversary in the Middle | Cellco DBA Verizon Wireless | SWIPPER | BGP Hurricane Electric ",
      "description": "",
      "modified": "2024-09-12T00:41:55.890000",
      "created": "2024-08-25T16:49:22.975000",
      "tags": [
        "swipp9-arin",
        "swipper",
        "swipp",
        "verizon",
        "cellcopart",
        "swipper",
        "ongoing",
        "get e sim",
        "as16276",
        "france unknown",
        "unknown",
        "as6167",
        "org verizon",
        "passive dns",
        "all scoreblue",
        "as8075",
        "cellco",
        "javascript",
        "help center",
        "please",
        "service privacy",
        "policy cookie",
        "policy imprint",
        "ads info",
        "cms",
        "express",
        "tsa b",
        "self",
        "server",
        "get esim",
        "wirelessdatanetwork",
        "netrange",
        "nethandle",
        "net174",
        "net1740000",
        "mcics",
        "orgid",
        "mcics address",
        "loudoun county",
        "android",
        "generic http",
        "exe upload",
        "windows nt",
        "outbound",
        "host",
        "malware beacon",
        "cape",
        "trojan",
        "copy",
        "write",
        "malware",
        "inbound",
        "impash",
        "post na",
        "search",
        "delete",
        "related pulses",
        "top source",
        "top destination",
        "source source",
        "filehash",
        "contentlength",
        "activity",
        "dns lookup",
        "flooder",
        "et",
        "aaaa",
        "nxdomain",
        "domain",
        "ipv4",
        "url analysis",
        "files",
        "malicious",
        "network",
        "historical ssl",
        "epsilon stealer",
        "traces aided",
        "dns intel",
        "remote job",
        "keeper",
        "snatch",
        "ransomware",
        "united states",
        "as8068",
        "entries",
        "mtb jan",
        "body",
        "x msedge",
        "scan endpoints",
        "trojandropper",
        "slf features",
        "file samples",
        "files matching",
        "date hash",
        "next",
        "win64",
        "win32",
        "copyright",
        "levelblue",
        "showing",
        "a domains",
        "as54113",
        "script domains",
        "script urls",
        "script script",
        "date",
        "meta",
        "window",
        "cookie",
        "trojan features",
        "worm",
        "show",
        "alf features",
        "hca",
        "target tsara brashears",
        "hostname",
        "expiration",
        "no expiration",
        "hca health",
        "eva120",
        "jody huffines",
        "jody alaska",
        "stephen r 'middleton'",
        "phone clone",
        "adversary in the middle",
        "known threat",
        "android attack",
        "web attack",
        "network",
        "dns",
        "florence co",
        "ddos",
        "google",
        "ip address",
        "ip range",
        "whois",
        "spam stats",
        "as6167 network",
        "cleantalk ip",
        "email abuse",
        "reports",
        "misc attack",
        "et tor",
        "known tor",
        "relayrouter",
        "exit",
        "node traffic",
        "suricata",
        "et intelligence",
        "known malicious ip",
        "spoof",
        "twitter",
        "x",
        "hackers"
      ],
      "references": [
        "Researched: 174.192.0.0 AS 6167 (CELLCO-PART) US | Swipper | Loudon County, Va | Ongoing attacks  174.215.26.0",
        "uat.drw.hcahealthcare.cloud  US Admin Email: cd2fa1f805494bc7s@ehc.com Admin Organization: HCA - Information Technology & Services, Inc.",
        "OrgTechEmail: swipper@verizonbusiness.com domains@microsotseft.com kenneth.reeb@verizonwireless.com msnhst@microsoft.com",
        "stephen.r.middleton@verizon.com sysmgr@verizon.com CIDR 174.192.0.0/10",
        "Antivirus Detections: Win.Malware.Vtflooder-9783271-0 ,  Trojan:Win32/Vflooder.B",
        "IDS Detections: Win32/Vflooder.B Checkin Generic HTTP EXE Upload Inbound Generic HTTP EXE Upload Outbound",
        "Yara Detections: SUSP_Imphash_Mar23_2",
        "Alerts: cape_detected_threat",
        "http://www.govexec.com/dailyfed/0906/091806ol.htm",
        "Researched: trueupdater.exe - FileHash-SHA256 000381f55a6406f9448533be6c87481da162f0efe7da60d6f3d8a5401ef6f66b",
        "*https://identity.cnw.hcahealthcare.cloud/Account/ForgotPassword * identity.cnw.hcahealthcare.cloud *uat.drw.hcahealthcare.cloud",
        "\"NetRange: 174.192.0.0 - 174.255.255.255 CIDR: 174.192.0.0/10 NetName: WIRELESSDATANETWORK",
        "*NetHandle: NET-174-192-0-0-1 Parent: NET174 (NET-174-0-0-0-0) NetType: Direct Allocation Organization: Verizon Business (MCICS)",
        "*RegDate: 2008-12-16 Updated: 2022-05-31 Ref: https://rdap.arin.net/registry/ip/174.192.0.0 OrgName: Verizon Business",
        "*OrgId: MCICS Address: 22001 Loudoun County Pkwy City: Ashburn StateProv: VA PostalCode: 20147 Country:",
        "*US RegDate: 2006-05-30 Updated: 2024-02-12 Ref: https://rdap.arin.net/registry/entity/MCICS",
        "*OrgAbuseHandle: ABUSE3-ARIN OrgAbuseName: abuse OrgAbusePhone: +1-800-900-0241 OrgAbuseEmail: abuse@verizon.net",
        "*OrgAbuseRef: https://rdap.arin.net/registry/entity/ABUSE3-ARIN OrgDNSHandle: VZDNS1-ARIN OrgDNSName: VZ-DNSADMIN",
        "*OrgDNSPhone: +1-800-900-0241 OrgDNSEmail: dnsadmin@verizon.com",
        "*OrgTechEmail: swipper@verizonbusiness.com OrgTechRef: https://rdap.arin.net/registry/entity/SWIPP9-ARIN",
        "*OrgDNSRef: https://rdap.arin.net/registry/entity/VZDNS1-ARIN OrgAbuseHandle: ABUSE5603-ARIN OrgAbuseName"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "Trojan:Win32/Vflooder.A",
          "display_name": "Trojan:Win32/Vflooder.A",
          "target": "/malware/Trojan:Win32/Vflooder.A"
        },
        {
          "id": "ET",
          "display_name": "ET",
          "target": null
        },
        {
          "id": "Flooder",
          "display_name": "Flooder",
          "target": null
        },
        {
          "id": "Trojan.Upatre/Waski",
          "display_name": "Trojan.Upatre/Waski",
          "target": null
        },
        {
          "id": "SLF:Win64/CobPipe",
          "display_name": "SLF:Win64/CobPipe",
          "target": "/malware/SLF:Win64/CobPipe"
        },
        {
          "id": "TrojanDropper:Win32/Muldrop.V!MTB",
          "display_name": "TrojanDropper:Win32/Muldrop.V!MTB",
          "target": "/malware/TrojanDropper:Win32/Muldrop.V!MTB"
        },
        {
          "id": "Worm:Win32/AutoRun",
          "display_name": "Worm:Win32/AutoRun",
          "target": "/malware/Worm:Win32/AutoRun"
        },
        {
          "id": "ALF:Program:Win32/Webcompanion",
          "display_name": "ALF:Program:Win32/Webcompanion",
          "target": null
        },
        {
          "id": "Trojan:Win32/Antavmu",
          "display_name": "Trojan:Win32/Antavmu",
          "target": "/malware/Trojan:Win32/Antavmu"
        }
      ],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1210",
          "name": "Exploitation of Remote Services",
          "display_name": "T1210 - Exploitation of Remote Services"
        },
        {
          "id": "T1046",
          "name": "Network Service Scanning",
          "display_name": "T1046 - Network Service Scanning"
        },
        {
          "id": "T1040",
          "name": "Network Sniffing",
          "display_name": "T1040 - Network Sniffing"
        },
        {
          "id": "T1212",
          "name": "Exploitation for Credential Access",
          "display_name": "T1212 - Exploitation for Credential Access"
        },
        {
          "id": "T1003.008",
          "name": "/etc/passwd and /etc/shadow",
          "display_name": "T1003.008 - /etc/passwd and /etc/shadow"
        },
        {
          "id": "T1031",
          "name": "Modify Existing Service",
          "display_name": "T1031 - Modify Existing Service"
        },
        {
          "id": "T1122",
          "name": "Component Object Model Hijacking",
          "display_name": "T1122 - Component Object Model Hijacking"
        },
        {
          "id": "T1198",
          "name": "SIP and Trust Provider Hijacking",
          "display_name": "T1198 - SIP and Trust Provider Hijacking"
        },
        {
          "id": "T1460",
          "name": "Biometric Spoofing",
          "display_name": "T1460 - Biometric Spoofing"
        },
        {
          "id": "T1502",
          "name": "Parent PID Spoofing",
          "display_name": "T1502 - Parent PID Spoofing"
        },
        {
          "id": "T1205.001",
          "name": "Port Knocking",
          "display_name": "T1205.001 - Port Knocking"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        }
      ],
      "industries": [
        "Healthcare",
        "Government",
        "Civilian Society"
      ],
      "TLP": "white",
      "cloned_from": "66ba9198fd69c93fabece38d",
      "export_count": 31,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "scoreblue",
        "id": "254100",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "email": 24,
        "CIDR": 8,
        "URL": 190,
        "hostname": 370,
        "FileHash-SHA256": 4319,
        "domain": 176,
        "FileHash-MD5": 2244,
        "FileHash-SHA1": 2244,
        "CVE": 1
      },
      "indicator_count": 9576,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 227,
      "modified_text": "584 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "66d496e04d8fa0cc8d528941",
      "name": "Adversary in the Middle | Cellco DBA Verizon Wireless | SWIPPER | BGP Hurricane Electric ",
      "description": "",
      "modified": "2024-09-12T00:25:51.199000",
      "created": "2024-09-01T16:31:28.909000",
      "tags": [
        "swipp9-arin",
        "swipper",
        "swipp",
        "verizon",
        "cellcopart",
        "swipper",
        "ongoing",
        "get e sim",
        "as16276",
        "france unknown",
        "unknown",
        "as6167",
        "org verizon",
        "passive dns",
        "all scoreblue",
        "as8075",
        "cellco",
        "javascript",
        "help center",
        "please",
        "service privacy",
        "policy cookie",
        "policy imprint",
        "ads info",
        "cms",
        "express",
        "tsa b",
        "self",
        "server",
        "get esim",
        "wirelessdatanetwork",
        "netrange",
        "nethandle",
        "net174",
        "net1740000",
        "mcics",
        "orgid",
        "mcics address",
        "loudoun county",
        "android",
        "generic http",
        "exe upload",
        "windows nt",
        "outbound",
        "host",
        "malware beacon",
        "cape",
        "trojan",
        "copy",
        "write",
        "malware",
        "inbound",
        "impash",
        "post na",
        "search",
        "delete",
        "related pulses",
        "top source",
        "top destination",
        "source source",
        "filehash",
        "contentlength",
        "activity",
        "dns lookup",
        "flooder",
        "et",
        "aaaa",
        "nxdomain",
        "domain",
        "ipv4",
        "url analysis",
        "files",
        "malicious",
        "network",
        "historical ssl",
        "epsilon stealer",
        "traces aided",
        "dns intel",
        "remote job",
        "keeper",
        "snatch",
        "ransomware",
        "united states",
        "as8068",
        "entries",
        "mtb jan",
        "body",
        "x msedge",
        "scan endpoints",
        "trojandropper",
        "slf features",
        "file samples",
        "files matching",
        "date hash",
        "next",
        "win64",
        "win32",
        "copyright",
        "levelblue",
        "showing",
        "a domains",
        "as54113",
        "script domains",
        "script urls",
        "script script",
        "date",
        "meta",
        "window",
        "cookie",
        "trojan features",
        "worm",
        "show",
        "alf features",
        "hca",
        "target tsara brashears",
        "hostname",
        "expiration",
        "no expiration",
        "hca health",
        "eva120",
        "jody huffines",
        "jody alaska",
        "stephen r 'middleton'",
        "phone clone",
        "adversary in the middle",
        "known threat",
        "android attack",
        "web attack",
        "network",
        "dns",
        "florence co",
        "ddos",
        "google",
        "ip address",
        "ip range",
        "whois",
        "spam stats",
        "as6167 network",
        "cleantalk ip",
        "email abuse",
        "reports",
        "misc attack",
        "et tor",
        "known tor",
        "relayrouter",
        "exit",
        "node traffic",
        "suricata",
        "et intelligence",
        "known malicious ip",
        "spoof",
        "twitter",
        "x",
        "hackers"
      ],
      "references": [
        "Researched: 174.192.0.0 AS 6167 (CELLCO-PART) US | Swipper | Loudon County, Va | Ongoing attacks  174.215.26.0",
        "uat.drw.hcahealthcare.cloud  US Admin Email: cd2fa1f805494bc7s@ehc.com Admin Organization: HCA - Information Technology & Services, Inc.",
        "OrgTechEmail: swipper@verizonbusiness.com domains@microsotseft.com kenneth.reeb@verizonwireless.com msnhst@microsoft.com",
        "stephen.r.middleton@verizon.com sysmgr@verizon.com CIDR 174.192.0.0/10",
        "Antivirus Detections: Win.Malware.Vtflooder-9783271-0 ,  Trojan:Win32/Vflooder.B",
        "IDS Detections: Win32/Vflooder.B Checkin Generic HTTP EXE Upload Inbound Generic HTTP EXE Upload Outbound",
        "Yara Detections: SUSP_Imphash_Mar23_2",
        "Alerts: cape_detected_threat",
        "http://www.govexec.com/dailyfed/0906/091806ol.htm",
        "Researched: trueupdater.exe - FileHash-SHA256 000381f55a6406f9448533be6c87481da162f0efe7da60d6f3d8a5401ef6f66b",
        "*https://identity.cnw.hcahealthcare.cloud/Account/ForgotPassword * identity.cnw.hcahealthcare.cloud *uat.drw.hcahealthcare.cloud",
        "\"NetRange: 174.192.0.0 - 174.255.255.255 CIDR: 174.192.0.0/10 NetName: WIRELESSDATANETWORK",
        "*NetHandle: NET-174-192-0-0-1 Parent: NET174 (NET-174-0-0-0-0) NetType: Direct Allocation Organization: Verizon Business (MCICS)",
        "*RegDate: 2008-12-16 Updated: 2022-05-31 Ref: https://rdap.arin.net/registry/ip/174.192.0.0 OrgName: Verizon Business",
        "*OrgId: MCICS Address: 22001 Loudoun County Pkwy City: Ashburn StateProv: VA PostalCode: 20147 Country:",
        "*US RegDate: 2006-05-30 Updated: 2024-02-12 Ref: https://rdap.arin.net/registry/entity/MCICS",
        "*OrgAbuseHandle: ABUSE3-ARIN OrgAbuseName: abuse OrgAbusePhone: +1-800-900-0241 OrgAbuseEmail: abuse@verizon.net",
        "*OrgAbuseRef: https://rdap.arin.net/registry/entity/ABUSE3-ARIN OrgDNSHandle: VZDNS1-ARIN OrgDNSName: VZ-DNSADMIN",
        "*OrgDNSPhone: +1-800-900-0241 OrgDNSEmail: dnsadmin@verizon.com",
        "*OrgTechEmail: swipper@verizonbusiness.com OrgTechRef: https://rdap.arin.net/registry/entity/SWIPP9-ARIN",
        "*OrgDNSRef: https://rdap.arin.net/registry/entity/VZDNS1-ARIN OrgAbuseHandle: ABUSE5603-ARIN OrgAbuseName"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "Trojan:Win32/Vflooder.A",
          "display_name": "Trojan:Win32/Vflooder.A",
          "target": "/malware/Trojan:Win32/Vflooder.A"
        },
        {
          "id": "ET",
          "display_name": "ET",
          "target": null
        },
        {
          "id": "Flooder",
          "display_name": "Flooder",
          "target": null
        },
        {
          "id": "Trojan.Upatre/Waski",
          "display_name": "Trojan.Upatre/Waski",
          "target": null
        },
        {
          "id": "SLF:Win64/CobPipe",
          "display_name": "SLF:Win64/CobPipe",
          "target": "/malware/SLF:Win64/CobPipe"
        },
        {
          "id": "TrojanDropper:Win32/Muldrop.V!MTB",
          "display_name": "TrojanDropper:Win32/Muldrop.V!MTB",
          "target": "/malware/TrojanDropper:Win32/Muldrop.V!MTB"
        },
        {
          "id": "Worm:Win32/AutoRun",
          "display_name": "Worm:Win32/AutoRun",
          "target": "/malware/Worm:Win32/AutoRun"
        },
        {
          "id": "ALF:Program:Win32/Webcompanion",
          "display_name": "ALF:Program:Win32/Webcompanion",
          "target": null
        },
        {
          "id": "Trojan:Win32/Antavmu",
          "display_name": "Trojan:Win32/Antavmu",
          "target": "/malware/Trojan:Win32/Antavmu"
        }
      ],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1210",
          "name": "Exploitation of Remote Services",
          "display_name": "T1210 - Exploitation of Remote Services"
        },
        {
          "id": "T1046",
          "name": "Network Service Scanning",
          "display_name": "T1046 - Network Service Scanning"
        },
        {
          "id": "T1040",
          "name": "Network Sniffing",
          "display_name": "T1040 - Network Sniffing"
        },
        {
          "id": "T1212",
          "name": "Exploitation for Credential Access",
          "display_name": "T1212 - Exploitation for Credential Access"
        },
        {
          "id": "T1003.008",
          "name": "/etc/passwd and /etc/shadow",
          "display_name": "T1003.008 - /etc/passwd and /etc/shadow"
        },
        {
          "id": "T1031",
          "name": "Modify Existing Service",
          "display_name": "T1031 - Modify Existing Service"
        },
        {
          "id": "T1122",
          "name": "Component Object Model Hijacking",
          "display_name": "T1122 - Component Object Model Hijacking"
        },
        {
          "id": "T1198",
          "name": "SIP and Trust Provider Hijacking",
          "display_name": "T1198 - SIP and Trust Provider Hijacking"
        },
        {
          "id": "T1460",
          "name": "Biometric Spoofing",
          "display_name": "T1460 - Biometric Spoofing"
        },
        {
          "id": "T1502",
          "name": "Parent PID Spoofing",
          "display_name": "T1502 - Parent PID Spoofing"
        },
        {
          "id": "T1205.001",
          "name": "Port Knocking",
          "display_name": "T1205.001 - Port Knocking"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        }
      ],
      "industries": [
        "Healthcare",
        "Government",
        "Civilian Society"
      ],
      "TLP": "white",
      "cloned_from": "66cb6092ed7d61b3a370d6cd",
      "export_count": 17,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "scoreblue",
        "id": "254100",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "email": 33,
        "CIDR": 9,
        "URL": 221,
        "hostname": 390,
        "FileHash-SHA256": 4343,
        "domain": 177,
        "FileHash-MD5": 2244,
        "FileHash-SHA1": 2244,
        "CVE": 1
      },
      "indicator_count": 9662,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 226,
      "modified_text": "584 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "https://rdap.arin.net/registry/entity/MCICS",
    "type": "URL"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "https://rdap.arin.net/registry/entity/MCICS",
    "type": "URL",
    "found": false,
    "verdict": "clean",
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1776598506.6496074
}