{ "type": "URL", "indicator": "https://saukpgp.ru/connect/", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://saukpgp.ru/connect/", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3644810774, "indicator": "https://saukpgp.ru/connect/", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 3, "pulses": [ { "id": "68cf85c694bcd2c3e76190b5", "name": "Installend.com - RMS module login", "description": "Of course VirusTotals CarlosCabal is correct. This is Russian related. I question if product (rms module) was made by a Russian company for any government that uses or abuses spyware in the same way Israel to sells spyware to allegedly\u2019 well vetted entities.It doesn\u2019t matter. It\u2019s being ab/used in the America. \n\n\n\n#trulymissed #rip #installend #rms_module #installend #roksit #pornsexer #pornhub #remoted #stillnotGodthough #snowden_warned_us #exhausting", "modified": "2025-10-21T03:01:46.531000", "created": "2025-09-21T04:57:42.269000", "tags": [ "f im", "x00 x00", "writeconsolew", "x8bxe5", "process32nextw", "xc3x8d", "script urls", "united", "x14xc7d", "search", "title", "delphi", "execution", "dock", "write", "maker", "malware", "next", "logmein", "installend", "from day", "month", "website", "ssd disk", "space unlimited", "home contact", "menu", "hosting", "read", "wordpress", "desktop", "moscow", "passive dns", "urls", "email address", "locality", "common name", "url add", "http", "ip address", "ipv4 add", "files", "federation flag", "asn as8342", "dns resolutions", "domains top", "twitter", "datacenter", "vps russian", "av detection", "ratio", "ids detections", "pe exe", "dll windows", "russia unknown", "domain", "dnssec", "domain add", "vps", "data center", "module load", "access tool", "checks", "alerts", "windows", "t1060", "win32", "location united", "america flag", "america asn", "files domain", "files related", "related tags", "none google", "msie", "chrome", "showing", "rms", "module", "hostname add", "ip whois", "registrar", "sergey b shkarupa", "russia", "present jun", "present aug", "present dec", "present apr", "present nov", "a domains", "moved", "verdict", "url analysis", "files ip", "all ipv4", "reverse dns", "gmt content", "present sep", "record value", "server", "gmt contenttype", "ru center", "meta", "date", "present mar", "present feb", "asn as48287", "entries", "access denied", "pulse pulses", "present may", "present oct", "present jul", "read c", "show", "intel", "ms windows", "globalc", "pe32", "aaaa", "record type", "ttl value", "contact", "relevance", "regardless", "news", "copyright", "themegrill", "google", "handle", "entity", "email", "code", "registrar abuse", "key identifier", "x509v3 subject", "host name", "rdap database", "iana registrar", "roles", "links", "targeting", "spyware", "revelations 21:8" ], "references": [ "https://installend.com - RMS Module login", "cs9.wac.phicdn.net.95.1.1b9102b6.roksit.net \u2022 roksit.net \u2022 blog.evidon.com.7.1.adiosnof.roksit.net", "ftp.articuler.com.4.1.adiosnof.roksit.net \u2022 ghb-unoadsrv-com.geodns.me.1.1.11cec3ef.roksit", "ekostreams.co.1.0.00000000-0.roksit.net \u2022 m.pornsexer.xxx.3.1.adiosfil.roksit.net \u2022 pornfriends.tk \u2022 porno-wiki.click", "https://kabinedasnovinhas-com.putaria.info/video/porno-com-mamaes-japonesa", "m.pornsexer.xxx.3.1.adiosfil.roksit.net \u2022 https://xvideosnovinhas-com.putaria.info/porno/amigas", "www-pornocarioca-com.sexogratis.page \u2022 https://ofdrip.net/low-keydeadinside", "https://thepiratebay11.com/search/walking dead season 11/1/99/0/", "remotewd.com x 59 devices \u2022 remote.sandwickfilms.com", "http://microsoft-360es.com/ \u2022 http://microsoft-360es.com/en-us/download/Start.exe" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "TrojanDownloader:HTML/Adodb.gen!A", "display_name": "TrojanDownloader:HTML/Adodb.gen!A", "target": "/malware/TrojanDownloader:HTML/Adodb.gen!A" }, { "id": "Malware Packed", "display_name": "Malware Packed", "target": null } ], "attack_ids": [ { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 996, "URL": 3686, "FileHash-MD5": 177, "FileHash-SHA1": 164, "FileHash-SHA256": 1281, "email": 9, "hostname": 1275, "CVE": 1 }, "indicator_count": 7589, "is_author": false, "is_subscribing": null, "subscriber_count": 144, "modified_text": "223 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6696c991debb12023a1357e3", "name": "DroidJack RAT IOCs - SEC-1275-1", "description": "", "modified": "2024-08-15T19:03:41.303000", "created": "2024-07-16T19:27:13.260000", "tags": [ "droidjack", "android", "toggle", "sqlite", "sandrorat", "compromise ipv4", "urls http", "sha1", "sha256", "gigabud rat" ], "references": [ "https://1275.ru/ioc/1635/droidjack-rat-iocs/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "chiendn2k1@", "id": "286155", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 692, "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 2, "domain": 150, "hostname": 70 }, "indicator_count": 918, "is_author": false, "is_subscribing": null, "subscriber_count": 34, "modified_text": "654 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "64110da83117ae635ee07446", "name": "URLHaus data - 14-03-2023", "description": "", "modified": "2023-04-14T00:04:36.827000", "created": "2023-03-15T00:13:28.296000", "tags": [ "32-bit", "arm", "elf", "Mozi", "mips", "mirai", "hajime", "dropped-by-PrivateLoader", "RedLine", "smokeloader", "BB19", "geofenced", "js", "Qakbot", "qbot", "Quakbot", "USA", "vjw0rm", "exe", "opendir", "SnakeKeylogger", "bitrat", "rat", "AgentTesla", "Loki", "doc", "ascii", "bat", "encrypted", "250255", "7710", "Gozi", "ISFB", "ITA", "redir-302", "ursnif" ], "references": [ "https://urlhaus.abuse.ch/browse/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 999, "domain": 240, "hostname": 132 }, "indicator_count": 1371, "is_author": false, "is_subscribing": null, "subscriber_count": 1622, "modified_text": "1144 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "www-pornocarioca-com.sexogratis.page \u2022 https://ofdrip.net/low-keydeadinside", "remotewd.com x 59 devices \u2022 remote.sandwickfilms.com", "https://installend.com - RMS Module login", "ekostreams.co.1.0.00000000-0.roksit.net \u2022 m.pornsexer.xxx.3.1.adiosfil.roksit.net \u2022 pornfriends.tk \u2022 porno-wiki.click", "https://thepiratebay11.com/search/walking dead season 11/1/99/0/", "https://kabinedasnovinhas-com.putaria.info/video/porno-com-mamaes-japonesa", "m.pornsexer.xxx.3.1.adiosfil.roksit.net \u2022 https://xvideosnovinhas-com.putaria.info/porno/amigas", "https://urlhaus.abuse.ch/browse/", "cs9.wac.phicdn.net.95.1.1b9102b6.roksit.net \u2022 roksit.net \u2022 blog.evidon.com.7.1.adiosnof.roksit.net", "http://microsoft-360es.com/ \u2022 http://microsoft-360es.com/en-us/download/Start.exe", "ftp.articuler.com.4.1.adiosnof.roksit.net \u2022 ghb-unoadsrv-com.geodns.me.1.1.11cec3ef.roksit", "https://1275.ru/ioc/1635/droidjack-rat-iocs/" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Malware packed", "Trojandownloader:html/adodb.gen!a" ], "industries": [], "unique_indicators": 9490 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/saukpgp.ru", "whois": "http://whois.domaintools.com/saukpgp.ru", "domain": "saukpgp.ru", "hostname": "Unavailable" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 3, "pulses": [ { "id": "68cf85c694bcd2c3e76190b5", "name": "Installend.com - RMS module login", "description": "Of course VirusTotals CarlosCabal is correct. This is Russian related. I question if product (rms module) was made by a Russian company for any government that uses or abuses spyware in the same way Israel to sells spyware to allegedly\u2019 well vetted entities.It doesn\u2019t matter. It\u2019s being ab/used in the America. \n\n\n\n#trulymissed #rip #installend #rms_module #installend #roksit #pornsexer #pornhub #remoted #stillnotGodthough #snowden_warned_us #exhausting", "modified": "2025-10-21T03:01:46.531000", "created": "2025-09-21T04:57:42.269000", "tags": [ "f im", "x00 x00", "writeconsolew", "x8bxe5", "process32nextw", "xc3x8d", "script urls", "united", "x14xc7d", "search", "title", "delphi", "execution", "dock", "write", "maker", "malware", "next", "logmein", "installend", "from day", "month", "website", "ssd disk", "space unlimited", "home contact", "menu", "hosting", "read", "wordpress", "desktop", "moscow", "passive dns", "urls", "email address", "locality", "common name", "url add", "http", "ip address", "ipv4 add", "files", "federation flag", "asn as8342", "dns resolutions", "domains top", "twitter", "datacenter", "vps russian", "av detection", "ratio", "ids detections", "pe exe", "dll windows", "russia unknown", "domain", "dnssec", "domain add", "vps", "data center", "module load", "access tool", "checks", "alerts", "windows", "t1060", "win32", "location united", "america flag", "america asn", "files domain", "files related", "related tags", "none google", "msie", "chrome", "showing", "rms", "module", "hostname add", "ip whois", "registrar", "sergey b shkarupa", "russia", "present jun", "present aug", "present dec", "present apr", "present nov", "a domains", "moved", "verdict", "url analysis", "files ip", "all ipv4", "reverse dns", "gmt content", "present sep", "record value", "server", "gmt contenttype", "ru center", "meta", "date", "present mar", "present feb", "asn as48287", "entries", "access denied", "pulse pulses", "present may", "present oct", "present jul", "read c", "show", "intel", "ms windows", "globalc", "pe32", "aaaa", "record type", "ttl value", "contact", "relevance", "regardless", "news", "copyright", "themegrill", "google", "handle", "entity", "email", "code", "registrar abuse", "key identifier", "x509v3 subject", "host name", "rdap database", "iana registrar", "roles", "links", "targeting", "spyware", "revelations 21:8" ], "references": [ "https://installend.com - RMS Module login", "cs9.wac.phicdn.net.95.1.1b9102b6.roksit.net \u2022 roksit.net \u2022 blog.evidon.com.7.1.adiosnof.roksit.net", "ftp.articuler.com.4.1.adiosnof.roksit.net \u2022 ghb-unoadsrv-com.geodns.me.1.1.11cec3ef.roksit", "ekostreams.co.1.0.00000000-0.roksit.net \u2022 m.pornsexer.xxx.3.1.adiosfil.roksit.net \u2022 pornfriends.tk \u2022 porno-wiki.click", "https://kabinedasnovinhas-com.putaria.info/video/porno-com-mamaes-japonesa", "m.pornsexer.xxx.3.1.adiosfil.roksit.net \u2022 https://xvideosnovinhas-com.putaria.info/porno/amigas", "www-pornocarioca-com.sexogratis.page \u2022 https://ofdrip.net/low-keydeadinside", "https://thepiratebay11.com/search/walking dead season 11/1/99/0/", "remotewd.com x 59 devices \u2022 remote.sandwickfilms.com", "http://microsoft-360es.com/ \u2022 http://microsoft-360es.com/en-us/download/Start.exe" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "TrojanDownloader:HTML/Adodb.gen!A", "display_name": "TrojanDownloader:HTML/Adodb.gen!A", "target": "/malware/TrojanDownloader:HTML/Adodb.gen!A" }, { "id": "Malware Packed", "display_name": "Malware Packed", "target": null } ], "attack_ids": [ { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 996, "URL": 3686, "FileHash-MD5": 177, "FileHash-SHA1": 164, "FileHash-SHA256": 1281, "email": 9, "hostname": 1275, "CVE": 1 }, "indicator_count": 7589, "is_author": false, "is_subscribing": null, "subscriber_count": 144, "modified_text": "223 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6696c991debb12023a1357e3", "name": "DroidJack RAT IOCs - SEC-1275-1", "description": "", "modified": "2024-08-15T19:03:41.303000", "created": "2024-07-16T19:27:13.260000", "tags": [ "droidjack", "android", "toggle", "sqlite", "sandrorat", "compromise ipv4", "urls http", "sha1", "sha256", "gigabud rat" ], "references": [ "https://1275.ru/ioc/1635/droidjack-rat-iocs/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "chiendn2k1@", "id": "286155", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 692, "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 2, "domain": 150, "hostname": 70 }, "indicator_count": 918, "is_author": false, "is_subscribing": null, "subscriber_count": 34, "modified_text": "654 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "64110da83117ae635ee07446", "name": "URLHaus data - 14-03-2023", "description": "", "modified": "2023-04-14T00:04:36.827000", "created": "2023-03-15T00:13:28.296000", "tags": [ "32-bit", "arm", "elf", "Mozi", "mips", "mirai", "hajime", "dropped-by-PrivateLoader", "RedLine", "smokeloader", "BB19", "geofenced", "js", "Qakbot", "qbot", "Quakbot", "USA", "vjw0rm", "exe", "opendir", "SnakeKeylogger", "bitrat", "rat", "AgentTesla", "Loki", "doc", "ascii", "bat", "encrypted", "250255", "7710", "Gozi", "ISFB", "ITA", "redir-302", "ursnif" ], "references": [ "https://urlhaus.abuse.ch/browse/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 999, "domain": 240, "hostname": 132 }, "indicator_count": 1371, "is_author": false, "is_subscribing": null, "subscriber_count": 1622, "modified_text": "1144 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://saukpgp.ru/connect/", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://saukpgp.ru/connect/", "type": "URL", "found": true, "verdict": "malicious", "url_status": "offline", "threat": "malware_download", "tags": [ "250255", "7710", "geofenced", "Gozi", "ISFB", "ITA", "redir-302", "ursnif" ], "date_added": "2023-03-14", "last_online": "", "reporter": "abuse_ch", "host": "saukpgp.ru", "payloads": [], "error": null }, "from_cache": true, "_cached_at": 1780311583.539399 }