{ "type": "URL", "indicator": "https://ssl944625.cloudflaressl.com", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://ssl944625.cloudflaressl.com", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4084145215, "indicator": "https://ssl944625.cloudflaressl.com", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 18, "pulses": [ { "id": "6923408464566e39caf32285", "name": "Discord- DNS | Malvertizing | Ransom/Msilzilla (sifting IoC\u2019s created by scnrscnr)", "description": "TAGS\nActive\n443 ma2592000\nChristopher Pool\nPool's Closed\nTimothy Pool\na li\n google\namerica att\napache\napache ip\nasn as46606\nauditmode force\nbehavior\nbinary\nbinary file\nbk role\nchat\ncheck\nchrome\nck ids\ncommon stealer\ncookie\ndata upload\ndefender\ndelete c\ndirectui\ndiscord\ndns lookup\ndomain add\ndrop\ndynamicloader\neb d8\nee fc\nerror oct\nexplorer\nexternal ip\nextraction\nf0 ff\nfailed\nff bb\nff d5\nff ff\nfiles\nfoundry\ngmt content\ngmt etag\ngmt server\ngoogle chrome\nguard\nhigh\ninsert\nlolminer\nmalware\nmedia\nmeta\nmoved\nmovie\nmsie\nmsvisualbasic60\nmtb aug -present \nneversend\npowershell\nrelated nids\nresponse ip\nself\nservice domain\nsingapore\nsmartassembly\nspan\nspan a\nsx08x00x00a\ntargeting\ntls sni\ntrojan\ntrojandropper\ntwitter\ntx08x00x00n\nunique\nuser agent\nux08x00x00h\nvirtool\nvirustotal api\nvoice\nvx08x00x00j\nwrite\nwrite c\nwx08x00x00\nx08x00x00b\nx08x00x00x00\nyara\nyara rule\nyx08x00x00l\nz3je\nz3uwq7\nzx08x00x00", "modified": "2025-12-23T16:04:54.329000", "created": "2025-11-23T17:12:36.917000", "tags": [ "no expiration", "expiration", "url https", "url http", "filehashsha256", "hostname", "domain", "filehashmd5", "filehashsha1", "ipv4", "code", "pool", "timothy pool", "z3je z3uwq7", "creation date", "ip address", "emails", "expiration date", "status", "hostname add", "pulse pulses", "passive dns", "urls", "date" ], "references": [ "https://otx.alienvault.com/pulse/5fa57698ac0f6638b7b9a8ba", "Examining pulse created by scnrscnr is worth reviewing. I was surprised tonal see a targets name.I didn\u2019t see Foundry highlighted", "http://aninditaannisa.blogspot.com/2019/02/tsara-brashears-porn.html \u2022 blogspot.com", "https://aninditaannisa.blogspot.com/2019/02/tsara-brashears-porn.html \u2022 blogspot.com \u2022 www.techcult.com/judge-the-simpsons-parody-is-child-pornography/ Whitelisted domain techcult.com\t Domain blogspot.com Whitelisted domain blogspot.com\t Domain techcult.com Whitelisted domain techcult.com\t Hostname aninditaannisa.blogspot.com \u2022 domain blogspot.com", "www.techcult.com", "http://foundry.tartarynova.com phishing \u2022 https://foundry.tartarynova.com \u2022 foundry.tartarynova.com", "https://trail.truefoundry.com/api/t/c/usr_NEDuPPvnqv5DXyhti/tsk_X2YECqnpAow7t6JuE/enc_U2FsdGVkX1_wWHRx9nPGCEspZpUcIwc1yphMTxaaQ2ZAbsxOqRR4ibXcaYtcmgJ1UgabTFCHVVBLx2oAnBAW2h8el_edjHN72Ug0yKQePjKnSJEOnQvtq8MUPo0vkU1N", "https://trail.truefoundry.com/api/track/open/usr_NEDuPPvnqv5DXyhti/tsk_L9bYYgL2HGng9mDsC", "https://trail.truefoundry.com/api/track/open/usr_NEDuPPvnqv5DXyhti/tsk_X2YECqnpAow7t6JuE", "truefoundry.com \u2022 assets.production.truefoundry.com \u2022 cpt.llm-gateway.truefoundry.com", "yyz.llm-gateway.truefoundry.com \u2022 trail.truefoundry.com \u2022 sin.llm-gateway.truefoundry.com", "lm-gateway.truefoundry.com \u2022 https://assets.production.truefoundry.com/sample-openapi.json", "162.159.128.233 \u2022 http://tsar.vicly.org \u2022 https://tsar.vicly.org \u2022 tsar.vicly.org \u2022 vicly.org \u2022 https://tsar.vicly.org/", "http://scteamcommunity.com/4k-high-res-porn-videos/squirt phishing", "http://pic.porn.hub-accessories.site \u2022 https://pic.porn.hub-accessories.site \u2022 pic.porn.hub-accessories.site", "2022ww11.pornhubgsy.com \u2022 http://scteamcommunity.com/4k-high-res-porn-videos/squirt", "IDS Detections: Observed Discord Domain in DNS Lookup (discord .com) Discord Chat Service Domain in DNS Lookup (discord .com)", "IDS Detections: Observed Discord Domain (discord .com in TLS SNI)", "IDS Detections: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)", "IDS Detections: Observed Discord Domain (discordapp .com in TLS SNI) Observed Discord Service Domain (discord .com) in TLS SNI Less", "Yara: Detections ConventionEngine_Term_Users", "Yara: ConventionEngine_Anomaly_MultiPDB_Double , ConventionEngine_Term_Documents", "Alerts: infostealer_browser infostealer_cookies binary_yara procmem_yara static_pe_anomaly", "Alerts: pe_compile_timestomping antiav_detectfile antidebug_guardpages encrypted_ioc", "Alerts: dynamic_function_loading injection_write_process reads_memory_remote_process", "Alerts : network_cnc_https_generic reads_self packer_entropy injection_rwx uses_windows_utilities antivm_checks_available_memory queries_computer_name queries_user_name", "Yara : MS_Visual_Basic_6_0 ,", "Yara : UPX , Nrv2x , UPX_OEP_place , UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , UPXv20MarkusLaszloReiser", "Alerts : ransomware_file_modifications stealth_file procmem_yara static_pe_anomaly", "Alerts: disables_folder_options stealth_hidden_extension stealth_hiddenreg anomalous_deletefile", "Alerts: mouse_movement_detect", "Couldn\u2019t pulse 1st pulse so here\u2019s what\u2019s left", "scnrscnr pulse is good. I\u2019m assuming they\u2019re targets.", "Foundry stalking." ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "TrojanDropper:Win32/VB.IL0", "display_name": "TrojanDropper:Win32/VB.IL0", "target": "/malware/TrojanDropper:Win32/VB.IL0" }, { "id": "ALF:Trojan:Win32/Cassini_56a3061!ibt", "display_name": "ALF:Trojan:Win32/Cassini_56a3061!ibt", "target": null }, { "id": "Win.Ransomware.Msilzilla-10014498-0", "display_name": "Win.Ransomware.Msilzilla-10014498-0", "target": null } ], "attack_ids": [ { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1443", "name": "Remotely Install Application", "display_name": "T1443 - Remotely Install Application" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 773, "FileHash-SHA1": 684, "FileHash-SHA256": 1910, "CVE": 2, "SSLCertFingerprint": 4, "URL": 3783, "domain": 878, "email": 7, "hostname": 1913 }, "indicator_count": 9954, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "117 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68f93b1cebf80f48450bd517", "name": "Yuner - File deletion and Disk Wiping / Cyberstalking ", "description": "", "modified": "2025-11-21T18:02:11.054000", "created": "2025-10-22T20:14:20.632000", "tags": [ "server nginx", "date fri", "etag w", "urls", "passive dns", "acceptranges", "contentlength", "date thu", "gmt expires", "server", "code", "link", "script script", "south africa", "ipv4", "files", "location south", "accept", "present aug", "certificate", "hostname add", "domain", "files ip", "unknown a", "script urls", "ip address", "unknown soa", "unknown ns", "reverse dns", "africa flag", "asn as16637", "dns resolutions", "domains top", "level", "unique tld", "related pulses", "tags none", "indicator facts", "title", "ipv4 add", "opinion", "netacea", "lockbit", "wannacry attack", "nhs trusts", "council", "uk government", "protect", "cni safe", "acls", "praio", "prink", "prsc", "prla", "lg2en", "cti98", "search", "seiko epson", "corporation", "arc file", "malware", "delete c", "default", "show", "write", "next", "unknown", "united", "tlsv1", "msie", "windows nt", "wow64", "slcc2", "media center", "as15169", "port", "execution", "dock", "capture", "persistence", "yara detections", "filehash", "md5 add", "pulse pulses", "av detections", "ids detections", "alerts", "analysis date", "file score", "low risk", "cabinet archive", "microsoft", "read c", "dynamicloader", "medium", "ltda me", "high", "write c", "entries", "checks", "delphi", "win32", "url pulse", "data upload", "extraction", "find suggested", "type", "domain hostname", "url add", "http", "related nids", "files location", "ireland flag", "files domain", "chrome", "ireland unknown", "pulse submit", "url analysis", "body", "date", "status", "name servers", "creation date", "expiration date", "flag united", "destination", "systemdrive", "html document", "crlf line", "updater", "copy", "unknown aaaa", "moved", "domain add", "extri data", "enter sc", "extr include", "review exclude", "sugges", "present jul", "saudi arabia", "present mar", "present oct", "present jun", "present feb", "present nov", "present may", "eeee", "eeeeeee", "eeeeee", "eefe", "ebeee", "ee eme", "eeheee", "eeefee e", "eeeee e", "vmprotect", "push", "local", "defender", "regsetvalueexa", "utf8 unicode" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Lockbit", "display_name": "Lockbit", "target": null }, { "id": "ALF:HeraklezEval:PUA:Win32/UltraDownloads", "display_name": "ALF:HeraklezEval:PUA:Win32/UltraDownloads", "target": null }, { "id": "Other Dangerous Malware", "display_name": "Other Dangerous Malware", "target": null } ], "attack_ids": [ { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1561", "name": "Disk Wipe", "display_name": "T1561 - Disk Wipe" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" } ], "industries": [ "Oil" ], "TLP": "green", "cloned_from": "68f9288e0d98f3b44c2cb90c", "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 648, "hostname": 1604, "FileHash-SHA256": 1826, "URL": 4153, "FileHash-MD5": 102, "FileHash-SHA1": 60, "SSLCertFingerprint": 18, "CVE": 2, "email": 5 }, "indicator_count": 8418, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "148 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68f9288e0d98f3b44c2cb90c", "name": "Ultrasounds attack - South African criminal group-Denver, Vo affects critical infrastructure , Oil and public safety", "description": "South African and Ethiopian crime group with Denver , Co presence is not only infiltrating infrastructure from banking to oil, they are human traffickers, hitmen and yes, I received this tip from team member Pheona who a \u2018sassa.gov.za\u2018 South African link recurrently as a top search suggestion in a \u2018targets\u2019 browser. The most frightening piece is that a name listed is of an Ethiopian man who attempted to force a very targeted victim to go somewhere with him,, be his girlfriend and did show up outside of her residence in a different City & County. He also knew the exact name of where she purchased specific items. If you can see this. Please help the best way you can. Something is incredibly wrong. [OTX auto populated Title: We can\u2019t rely on goodwill to protect our critical infrastructure - Help Net Security]", "modified": "2025-11-21T18:02:11.054000", "created": "2025-10-22T18:55:10.527000", "tags": [ "server nginx", "date fri", "etag w", "urls", "passive dns", "acceptranges", "contentlength", "date thu", "gmt expires", "server", "code", "link", "script script", "south africa", "ipv4", "files", "location south", "accept", "present aug", "certificate", "hostname add", "domain", "files ip", "unknown a", "script urls", "ip address", "unknown soa", "unknown ns", "reverse dns", "africa flag", "asn as16637", "dns resolutions", "domains top", "level", "unique tld", "related pulses", "tags none", "indicator facts", "title", "ipv4 add", "opinion", "netacea", "lockbit", "wannacry attack", "nhs trusts", "council", "uk government", "protect", "cni safe", "acls", "praio", "prink", "prsc", "prla", "lg2en", "cti98", "search", "seiko epson", "corporation", "arc file", "malware", "delete c", "default", "show", "write", "next", "unknown", "united", "tlsv1", "msie", "windows nt", "wow64", "slcc2", "media center", "as15169", "port", "execution", "dock", "capture", "persistence", "yara detections", "filehash", "md5 add", "pulse pulses", "av detections", "ids detections", "alerts", "analysis date", "file score", "low risk", "cabinet archive", "microsoft", "read c", "dynamicloader", "medium", "ltda me", "high", "write c", "entries", "checks", "delphi", "win32", "url pulse", "data upload", "extraction", "find suggested", "type", "domain hostname", "url add", "http", "related nids", "files location", "ireland flag", "files domain", "chrome", "ireland unknown", "pulse submit", "url analysis", "body", "date", "status", "name servers", "creation date", "expiration date", "flag united", "destination", "systemdrive", "html document", "crlf line", "updater", "copy", "unknown aaaa", "moved", "domain add", "extri data", "enter sc", "extr include", "review exclude", "sugges", "present jul", "saudi arabia", "present mar", "present oct", "present jun", "present feb", "present nov", "present may", "eeee", "eeeeeee", "eeeeee", "eefe", "ebeee", "ee eme", "eeheee", "eeefee e", "eeeee e", "vmprotect", "push", "local", "defender", "regsetvalueexa", "utf8 unicode" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Lockbit", "display_name": "Lockbit", "target": null }, { "id": "ALF:HeraklezEval:PUA:Win32/UltraDownloads", "display_name": "ALF:HeraklezEval:PUA:Win32/UltraDownloads", "target": null }, { "id": "Other Dangerous Malware", "display_name": "Other Dangerous Malware", "target": null } ], "attack_ids": [ { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1561", "name": "Disk Wipe", "display_name": "T1561 - Disk Wipe" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" } ], "industries": [ "Oil" ], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 648, "hostname": 1604, "FileHash-SHA256": 1826, "URL": 4153, "FileHash-MD5": 102, "FileHash-SHA1": 60, "SSLCertFingerprint": 18, "CVE": 2, "email": 5 }, "indicator_count": 8418, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "148 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68ee5ea4d51d4a1cabdb4ee9", "name": "Gaming Studios - YouTube - MyDoom", "description": "", "modified": "2025-11-13T12:05:32.283000", "created": "2025-10-14T14:31:00.172000", "tags": [ "no expiration", "url https", "url http", "iocs", "ipv4", "enter source", "indicator role", "title added", "active related", "united", "present jul", "unknown ns", "search", "for privacy", "moved", "ip address", "encrypt", "a domains", "script urls", "meta", "pragma", "general full", "reverse dns", "software", "resource", "security tls", "piscataway", "asn20473", "asn15169", "google", "asvultr", "portfolio", "josh theriault", "upei", "university", "island", "roblox", "jmt studios", "moon engine", "android", "icpc", "north america", "qualifier", "hello", "apache", "runner", "eric everest", "games", "cloudflar", "amazon02", "as autonomous", "system", "canada", "value", "domainpath name", "cgjerrieegaggq", "name value", "form", "game development", "blog", "jmt99", "developer", "event", "bullseye", "trick or treat", "unofficial trick or treat 2014", "unofficial trick or treat 2015", "egg hunt", "gift hunt", "hallows quest", "studio", "experience", "fall", "january", "july", "founder", "studio head", "passive dns", "urls", "registrar", "title", "roblox jmt99 \"jmt studios\" \"trick or treat\" \"egg hunt\"", "press copyright", "contact", "privacy policy", "safety how", "youtube", "test", "nfl sunday", "ticket", "google llc", "data upload", "extraction", "failed", "files", "twitter", "variables", "cgjjtbieggagla", "nid value", "expiration date", "files ip", "dynamicloader", "write c", "delete c", "intel", "ms windows", "medium", "default", "write", "guard", "mozilla", "malware", "defender", "unknown", "domains", "hashes", "url analysis", "unknown aaaa", "script domains", "certificate", "game", "servers", "unofficial", "settings", "public", "endpoints", "currently", "game servers", "current", "meta name", "robots content", "x ua", "ieedge chrome1", "incapsula", "request", "role title", "related pulses", "domain v", "url indicator", "nameilname", "ascii text", "mitre att", "ck id", "ck matrix", "hybrid", "general", "local", "path", "click", "strings", "pe file", "high", "yara detections", "dynamic", "v hostname", "se fos", "include v", "domain url", "data", "alltypes", "win32mydoom oct", "trojan", "url add", "http", "related nids", "files location", "canada flag", "canada hostname", "canada unknown", "canada", "present aug", "name servers", "present sep", "aaaa", "present oct", "crlf line", "unicode text", "music", "suspicious", "bricked.wtf", "flag united", "google safe", "domain", "address domain", "united states", "filehashsha256", "hostname xn", "finland unknown", "filehashmd5", "indicators hong", "kong", "south korea", "present jun", "present mar", "present may", "olet", "cnr12", "tlsv1", "get updates", "upatre", "added active", "apple", "everest", "josh paul", "upadter", "convagent", "info stealing", "delete service", "phishing", "fraud", "social engineering", "gamer", "hacker", "adversaries", "icloud", "found", "gmt content", "error", "redacted for", "meta http", "content", "gmt server", "france unknown", "poland unknown", "content type", "xml title", "hostname add", "address", "location united", "life", "century link llc", "xfinity", "livesex", "domain add", "users", "show", "delete", "blocked by quad9", "showing", "record value", "location canada", "canada asn", "accept", "cookie", "macbook", "ipv4 add", "america flag", "america asn", "asn as714", "less", "woodynet", "next associated", "status", "exclude sugges", "ip related", "t1027.013" ], "references": [ "https://www.jmtstudios.org/farewell/", "https://www.youtube.com/channel/UCSYMkiAJcNXbO5-aemTSxvw", "graphql.accounts.instagram.disk- cloud.link encrynt lenter source leric everest l Data upload Failed Extraction failed, please try again Failed to retrieve suggested indicator for graphql.accounts.instagram.disk- cloud.link Data upload Failed Extraction failed, please try again Failed to retrieve suggested indicator for graphql.accounts.instagram.disk- cloud.link showing system", "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html", "ConventionEngine_Term_Dropbox \u2022 Dropbox", "http://api.jmtstudios.org/", "bricked.wtf", "ic1-privaterelay.appleid.com \u2022 ic2-privaterelay.appleid.com\t\u2022 ic4-privaterelay.appleid.com", "http://apple-carry-relay.fastly-edge.com \u2022 appleid.com \u2022 charterhomeschoolacademy.appleid.com", "careersandenterprise.appleid.com \u2022 http://apple.appleid.com/", "https://forwardemail.net/es/blog/open-source/apple-email-clients", "accounts.instagram.disk-cloud.link \u2022\tgraphql.accounts.instagram.disk-cloud", "http://mc.yandex-team.settings.storage-cloud.link/ \u2022 ru.disk-cloud.link", "http://www.visitbooker.com/Dropbox-07/index.htm", "dash.ocrobot.com \u2022 robottherobot.com \u2022http://www.robottherobot.com/", "Appears to be closely associated with close relative and initial victim of attack.", "Potentially disturbing , personal , invasive, aggressive, intimate behavior of party." ], "public": 1, "adversary": "", "targeted_countries": [ "Hong Kong", "United States of America" ], "malware_families": [ { "id": "Win.Malware.Convagent-9981433-0", "display_name": "Win.Malware.Convagent-9981433-0", "target": null }, { "id": "Upadter", "display_name": "Upadter", "target": null }, { "id": "MyDoom", "display_name": "MyDoom", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 27, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6996, "FileHash-MD5": 281, "FileHash-SHA1": 220, "FileHash-SHA256": 2673, "domain": 1747, "email": 24, "hostname": 2803, "SSLCertFingerprint": 3 }, "indicator_count": 14747, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "157 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68ee5e9f8cfc5fbc73142660", "name": "Gaming Studios - YouTube - MyDoom", "description": "", "modified": "2025-11-13T12:05:32.283000", "created": "2025-10-14T14:30:55.471000", "tags": [ "no expiration", "url https", "url http", "iocs", "ipv4", "enter source", "indicator role", "title added", "active related", "united", "present jul", "unknown ns", "search", "for privacy", "moved", "ip address", "encrypt", "a domains", "script urls", "meta", "pragma", "general full", "reverse dns", "software", "resource", "security tls", "piscataway", "asn20473", "asn15169", "google", "asvultr", "portfolio", "josh theriault", "upei", "university", "island", "roblox", "jmt studios", "moon engine", "android", "icpc", "north america", "qualifier", "hello", "apache", "runner", "eric everest", "games", "cloudflar", "amazon02", "as autonomous", "system", "canada", "value", "domainpath name", "cgjerrieegaggq", "name value", "form", "game development", "blog", "jmt99", "developer", "event", "bullseye", "trick or treat", "unofficial trick or treat 2014", "unofficial trick or treat 2015", "egg hunt", "gift hunt", "hallows quest", "studio", "experience", "fall", "january", "july", "founder", "studio head", "passive dns", "urls", "registrar", "title", "roblox jmt99 \"jmt studios\" \"trick or treat\" \"egg hunt\"", "press copyright", "contact", "privacy policy", "safety how", "youtube", "test", "nfl sunday", "ticket", "google llc", "data upload", "extraction", "failed", "files", "twitter", "variables", "cgjjtbieggagla", "nid value", "expiration date", "files ip", "dynamicloader", "write c", "delete c", "intel", "ms windows", "medium", "default", "write", "guard", "mozilla", "malware", "defender", "unknown", "domains", "hashes", "url analysis", "unknown aaaa", "script domains", "certificate", "game", "servers", "unofficial", "settings", "public", "endpoints", "currently", "game servers", "current", "meta name", "robots content", "x ua", "ieedge chrome1", "incapsula", "request", "role title", "related pulses", "domain v", "url indicator", "nameilname", "ascii text", "mitre att", "ck id", "ck matrix", "hybrid", "general", "local", "path", "click", "strings", "pe file", "high", "yara detections", "dynamic", "v hostname", "se fos", "include v", "domain url", "data", "alltypes", "win32mydoom oct", "trojan", "url add", "http", "related nids", "files location", "canada flag", "canada hostname", "canada unknown", "canada", "present aug", "name servers", "present sep", "aaaa", "present oct", "crlf line", "unicode text", "music", "suspicious", "bricked.wtf", "flag united", "google safe", "domain", "address domain", "united states", "filehashsha256", "hostname xn", "finland unknown", "filehashmd5", "indicators hong", "kong", "south korea", "present jun", "present mar", "present may", "olet", "cnr12", "tlsv1", "get updates", "upatre", "added active", "apple", "everest", "josh paul", "upadter", "convagent", "info stealing", "delete service", "phishing", "fraud", "social engineering", "gamer", "hacker", "adversaries", "icloud", "found", "gmt content", "error", "redacted for", "meta http", "content", "gmt server", "france unknown", "poland unknown", "content type", "xml title", "hostname add", "address", "location united", "life", "century link llc", "xfinity", "livesex", "domain add", "users", "show", "delete", "blocked by quad9", "showing", "record value", "location canada", "canada asn", "accept", "cookie", "macbook", "ipv4 add", "america flag", "america asn", "asn as714", "less", "woodynet", "next associated", "status", "exclude sugges", "ip related", "t1027.013" ], "references": [ "https://www.jmtstudios.org/farewell/", "https://www.youtube.com/channel/UCSYMkiAJcNXbO5-aemTSxvw", "graphql.accounts.instagram.disk- cloud.link encrynt lenter source leric everest l Data upload Failed Extraction failed, please try again Failed to retrieve suggested indicator for graphql.accounts.instagram.disk- cloud.link Data upload Failed Extraction failed, please try again Failed to retrieve suggested indicator for graphql.accounts.instagram.disk- cloud.link showing system", "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html", "ConventionEngine_Term_Dropbox \u2022 Dropbox", "http://api.jmtstudios.org/", "bricked.wtf", "ic1-privaterelay.appleid.com \u2022 ic2-privaterelay.appleid.com\t\u2022 ic4-privaterelay.appleid.com", "http://apple-carry-relay.fastly-edge.com \u2022 appleid.com \u2022 charterhomeschoolacademy.appleid.com", "careersandenterprise.appleid.com \u2022 http://apple.appleid.com/", "https://forwardemail.net/es/blog/open-source/apple-email-clients", "accounts.instagram.disk-cloud.link \u2022\tgraphql.accounts.instagram.disk-cloud", "http://mc.yandex-team.settings.storage-cloud.link/ \u2022 ru.disk-cloud.link", "http://www.visitbooker.com/Dropbox-07/index.htm", "dash.ocrobot.com \u2022 robottherobot.com \u2022http://www.robottherobot.com/", "Appears to be closely associated with close relative and initial victim of attack.", "Potentially disturbing , personal , invasive, aggressive, intimate behavior of party." ], "public": 1, "adversary": "", "targeted_countries": [ "Hong Kong", "United States of America" ], "malware_families": [ { "id": "Win.Malware.Convagent-9981433-0", "display_name": "Win.Malware.Convagent-9981433-0", "target": null }, { "id": "Upadter", "display_name": "Upadter", "target": null }, { "id": "MyDoom", "display_name": "MyDoom", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 23, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6996, "FileHash-MD5": 281, "FileHash-SHA1": 220, "FileHash-SHA256": 2673, "domain": 1747, "email": 24, "hostname": 2803, "SSLCertFingerprint": 3 }, "indicator_count": 14747, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "157 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68dda4bcade283258f6ed707", "name": "Delta Server - Phishing", "description": "Related to FBI.gov and maliciously coded image found on Google image search result on a fully updated yet hacked iOS device.", "modified": "2025-10-31T21:05:05.615000", "created": "2025-10-01T22:01:32.571000", "tags": [ "related pulses", "delta server", "phishing", "fbi.gov?", "hacked images", "gogle", "google search", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "defense evasion", "spawns", "access att", "windows nt", "size", "mitre att", "path", "general", "local", "click", "strings", "dynamicloader", "eke eekeeeke", "eeye", "eekeee ee", "eekeeeke eekeee", "search", "delete", "yara detections", "eeeee e", "yara rule", "write", "trojan", "dynamic_loading_function", "command_and_control" ], "references": [ "http://autoconfig.delterserver.org/", "https://hybrid-analysis.com/sample/904630d9e73c404a0581c822970935ae49940d09402a55d96712293baa5e8061/68dd9a7397836f17be0d1485", "Yara Detections: stack_string , case_4485_ekix4 Alerts: procmem_yara dynamic_function_loading", "Alerts: network_cnc_https_generic", "Alerts : dead_connect antidebug_setunhandledexceptionfilter exec_crash IP\u2019s Contacted 104.20.151.16", "Alerts: dead_connect antidebug_setunhandledexceptionfilter exec_crash IP\u2019s Domains Contacted : 104.20.151.16" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 463, "domain": 60, "hostname": 210, "FileHash-MD5": 51, "FileHash-SHA1": 85, "FileHash-SHA256": 203, "SSLCertFingerprint": 1 }, "indicator_count": 1073, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "169 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68d40c9a87988555c2e23626", "name": "Described as \u2018Haunted\u2019 - Ransom & espionage continues to plague residential communities | HighMark Residential", "description": "A national apartment apartment and townhome community that describes itself as luxury has developed such a poor reputation for poor conditions, communication, discrimination, a belief legal entities are running communities some which have been converted hospitals has a terrible spyware , ransom problem they seem unwilling to address. Compromised to the hilt & famously known to have its own Reddit thread dedicated to a haunted\u2019 Denver community our team has researched in the past. Denver community had a compromise that likely brought attention to or spearheaded the AT&T outage. whitesky.us or the outage was a coincidence.\n\nConcerns about espionage, passwords, outages, ransomware. \ntips from former residents from Phoenix, Texas and Utah in on weekend. Broad research required.\nThailand live?", "modified": "2025-10-24T14:04:50.784000", "created": "2025-09-24T15:22:02.262000", "tags": [ "encrypt", "residential", "benefits", "contact us", "email", "denver highmark", "windows nt", "dynamicloader", "generic http", "exe upload", "medium", "host", "inbound", "trojan", "write", "markus", "malware", "checkin", "trojandropper", "mtb sep", "united", "passive dns", "win32upatre sep", "ipv4", "reverse dns", "alerts", "av detections", "ids detections", "yara detections", "high", "dynamic", "reads", "pe file", "checks system", "write c", "a domains", "gmt server", "certificate", "hostname add", "url analysis", "title", "apache", "name servers", "ip address", "emails", "servers", "users", "recycle bin", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "defense evasion", "t1480 execution", "windir", "openurl c", "eregec4", "kl0hsy", "pattern match", "ascii text", "mitre att", "ck matrix", "t1057", "prefetch2", "yara signature", "general", "local", "path", "click", "ipv4 add", "urls", "files", "outbound", "cname", "apache x", "powered", "modified", "moved", "body doctype", "content type", "accept", "script script", "script urls", "queue security", "script begin", "url add", "http", "hostname", "files domain", "files related", "related tags", "dominet", "record value", "domain", "meta", "gmt etag", "pulse submit", "alive thailand", "xml title", "x tec", "html public", "show", "copy", "pe section", "contacted", "md5 add", "pulse pulses", "analysis date", "file score", "search", "win64", "khtml", "gecko", "json", "themida", "download", "next", "public folder", "windows", "highest", "a file", "checks adapter", "mpgph131 hr", "hourly rl", "mpgph131 lg", "onlogon rl", "entries", "checks", "high automated", "ollydbg", "gbdyllo", "file monitor", "process monitor", "cape", "related nids", "files location", "flag united", "pulses none", "next associated", "hosting", "33", "customercare" ], "references": [ "IDS Detections: Win32/Vflooder.B Checkin | Virus Total vtapi DOS" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Trojan:Win32/Vflooder", "display_name": "Trojan:Win32/Vflooder", "target": "/malware/Trojan:Win32/Vflooder" }, { "id": "Trojandownloader:Win32/Upatre", "display_name": "Trojandownloader:Win32/Upatre", "target": "/malware/Trojandownloader:Win32/Upatre" }, { "id": "Win.Trojan.Agent", "display_name": "Win.Trojan.Agent", "target": null }, { "id": "ALF:Trojan:Win32/G3nasom!imp", "display_name": "ALF:Trojan:Win32/G3nasom!imp", "target": null }, { "id": "Trojandropper:Win32/Muldrop.V!MTB", "display_name": "Trojandropper:Win32/Muldrop.V!MTB", "target": "/malware/Trojandropper:Win32/Muldrop.V!MTB" }, { "id": "Themida", "display_name": "Themida", "target": null }, { "id": "TEL:CreateScheduledTask.A!Sigattr", "display_name": "TEL:CreateScheduledTask.A!Sigattr", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1211", "name": "Exploitation for Defense Evasion", "display_name": "T1211 - Exploitation for Defense Evasion" }, { "id": "T1048.001", "name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "display_name": "T1048.001 - Exfiltration Over Symmetric Encrypted Non-C2 Protocol" }, { "id": "T1595.001", "name": "Scanning IP Blocks", "display_name": "T1595.001 - Scanning IP Blocks" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3081, "FileHash-MD5": 756, "FileHash-SHA1": 724, "FileHash-SHA256": 3089, "domain": 1476, "email": 8, "hostname": 1198, "SSLCertFingerprint": 3 }, "indicator_count": 10335, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "177 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68c5d0cd10f7bf6c3e6fa513", "name": "Remote admin privileges affecting online payment service redirect", "description": "Openvision.ro.\nRemote admin privileges affecting online targeted users https://paypal.com redirect fed.paypal.com", "modified": "2025-10-13T19:29:11.484000", "created": "2025-09-13T20:15:09.236000", "tags": [ "domain", "url analysis", "passive dns", "urls", "ip address", "extraction", "s data", "extrac data", "included", "review ioc", "excluded", "data upload", "failed", "extra data", "include review", "exclude suggest", "find s", "typ no", "exclude sugges", "typ hos", "error dec", "servers", "value name", "dnssec active", "domain name", "domain status", "ok expiration", "date", "name servers", "referral url", "files", "reverse dns", "romania asn", "as20616", "dns resolutions", "domains top", "level", "unique tld", "dynamicloader", "medium", "high", "yara detections", "upxoepplace", "yara rule", "bochs", "anomalous file", "dynamic", "reads", "ping", "markus", "april", "copy", "entries exif", "data show", "search", "value exe", "script", "fileflags", "fileflagsmask", "fileos win32", "executable", "large address", "next resource", "strings show", "value ud975", "uude17\u17e9", "\u1b53 ud9ff\u1818udf1e", "uda64", "udec3", "intel", "ms windows", "ascii text", "crlf line", "registry total", "read", "write", "delete", "type", "extra", "pulse", "record type", "ttl value", "a mx", "thumbprint", "match info", "info", "mitre att", "ta0002 command", "t1059 severity", "modules t1129", "windows api", "ta0003 modify", "registry t1112", "defense evasion", "resolved ips", "files matching", "number", "sample analysis", "hide samples", "date hash", "sabey type", "rexx type", "foundry type", "palantir" ], "references": [ "openvision.ro", "sonar.tools.nonprod.civicalg.com" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Win.Malware.Remoteadmin-7056666-0", "display_name": "Win.Malware.Remoteadmin-7056666-0", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1609", "name": "Container Administration Command", "display_name": "T1609 - Container Administration Command" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1447", "name": "Delete Device Data", "display_name": "T1447 - Delete Device Data" }, { "id": "T1459", "name": "Device Unlock Code Guessing or Brute Force", "display_name": "T1459 - Device Unlock Code Guessing or Brute Force" }, { "id": "T1463", "name": "Manipulate Device Communication", "display_name": "T1463 - Manipulate Device Communication" }, { "id": "T1450", "name": "Exploit SS7 to Track Device Location", "display_name": "T1450 - Exploit SS7 to Track Device Location" } ], "industries": [ "Financial", "Targeted", "Technology", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 76, "FileHash-SHA256": 33, "FileHash-MD5": 27, "FileHash-SHA1": 35, "hostname": 213, "URL": 345 }, "indicator_count": 729, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "187 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68ae5b9ef87646927a236b61", "name": "Privacy - Google Videos Search - Web Applications Stack Exchange = WannaCry", "description": "Description: dfir.blog - A blog about Digital Forensics & Incident Response\ndfir.blog\nDigital forensics, web browsers, visualizations, & open source tools.\n#monitoring #dod(?) #chinacache #crypt #ransom#infectedsystems", "modified": "2025-09-26T00:01:12.214000", "created": "2025-08-27T01:13:02.780000", "tags": [ "google", "mullvad browser", "value", "incognito mode", "mine", "unix time", "friday", "january", "does", "tor browser", "search", "show", "langchinese", "packing t1045", "t1045", "medium", "pe resource", "module load", "t1129", "service", "trojan", "copy", "dock", "write", "malware", "clock", "united", "passive dns", "urls", "next associated", "gmt cache", "ipv4 add", "pulse pulses", "files", "reverse dns", "win32", "title", "location united", "america flag", "america asn", "as15169 google", "dns resolutions", "domains top", "level", "unique tlds", "present aug", "china unknown", "creation date", "date", "domain", "ip address", "domain name", "expiration date", "status ok", "nanjing", "accept", "body", "div td", "td tr", "div div", "span span", "a li", "span p", "p div", "moved", "a domains", "open", "span", "uuupupu", "t1055", "process32nextw", "high", "windows", "high defense", "evasion", "delphi", "google gmail", "images sign", "advanced search", "solutions", "privacy", "store gmail", "delete delete", "report", "how search", "applying ai", "settings search", "advanced", "search search", "search help", "domainabuse", "showing", "hostname add", "url add", "http", "hostname", "files domain", "files related", "pulses none", "related tags", "read c", "tlsv1", "whitelisted", "port", "destination", "ascii text", "next", "encrypt", "script urls", "msie", "chrome", "bad gateway", "script domains", "present feb", "link", "meta", "digital", "language", "body doctype", "ghost", "present jun", "aaaa", "present jul", "present oct", "record value", "yara detections", "dock zone", "top source", "top destination", "source source", "filehash", "code", "error", "windows nt", "wow64", "slcc2", "media center", "execution", "persistence", "tulach", "brian sabey", "dod network", "orgtechref", "address range", "cidr", "network name", "allocation type", "whois server", "entity dnic", "handle", "whois lookup", "dod", "et trojan", "server header", "suspicious", "et info", "unknown", "virustotal", "specified", "download", "et", "please", "type size", "first seen", "loading", "python wheel", "dynamicloader", "intel", "ms windows", "pe32", "entries", "user agent", "powershell", "agent", "yara rule", "checks", "levelblue", "open threat", "observed dns", "query", "dns lookup", "msdos", "wannacry dns", "lookup", "wannacry", "worm", "explorer", "msil", "darkcomet", "ping", "tools", "capture", "hallrender", "dga domains", "unfurl sites", "honey net", "bot", "nxdomain", "potential-c2" ], "references": [ "Don\u2019t click! https://webapps.stackexchange.com/questions/172215/google-videos-search-sca-esv-query-parameter-possible-tracking | Infected systems", "DoD Network Information Center (DNIC)", "DoD Network Information Center disa.columbus.ns.mbx.arin-registrations@mail.mil [seen throughout}", "Python Wheel package", "https://www.google.com/search", "https://otx.alienvault.com/indicator/hostname/palantir.hosted-by-discourse.com", "https://otx.alienvault.com/indicator/hostname/palantir.hosted-by-discourse.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Trojan:Win32/Magania.DSK!MTB", "display_name": "Trojan:Win32/Magania.DSK!MTB", "target": "/malware/Trojan:Win32/Magania.DSK!MTB" }, { "id": "Trojan:Win32/Zusy", "display_name": "Trojan:Win32/Zusy", "target": "/malware/Trojan:Win32/Zusy" }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "a variant of Win32/Kryptik.DEOA", "display_name": "a variant of Win32/Kryptik.DEOA", "target": null }, { "id": "ALF:Exploit:Win32/gSharedInfoRef.A", "display_name": "ALF:Exploit:Win32/gSharedInfoRef.A", "target": null }, { "id": "Wannacry", "display_name": "Wannacry", "target": null } ], "attack_ids": [ { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1054", "name": "Indicator Blocking", "display_name": "T1054 - Indicator Blocking" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" } ], "industries": [ "Telecommunications", "Technology", "Civilian" ], "TLP": "white", "cloned_from": null, "export_count": 40, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8221, "domain": 1216, "FileHash-SHA256": 2434, "FileHash-MD5": 296, "FileHash-SHA1": 155, "hostname": 2939, "email": 7, "SSLCertFingerprint": 8, "CIDR": 2 }, "indicator_count": 15278, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "205 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "689b9b9fab42ca4f016a226f", "name": "Elastic's Al-driven Endpoint Security - Red Team Malicious (moved?)", "description": "Endgame - Unruy Activity -System infection | (Moved) Endpoint security (MOVED) from Elastic\nElastic's Al-driven security analytics empowers you with comprehensive endpoint protection. Detect, investigate, and respond to threats faster with a single agent and unified console. Gain actionable insights for a proactive defense posture. All built on the Search\nAl platform.\n| Used maliciously against monitored non-criminal targets. |\n{ virus - https://universitycenter.uccs.edu/}\n#unruy #activity #monitored_target #red_team_malicious #trojan #worm #moved\n#ai #adversarial #custom_malware #ransom #crypt #guardrails #dns #cnc #evasive #domain_generation #remote_access #devices #remotewd #virus #custom_malware #rip #endgame \n\u2022 TrojanDropper\t\t\t\n\u2022 Win32:Evo-gen\t\u2022 Cassini\n\u2022 RansomX-gen\u2022 Zombie.A\n\u2022 win32:MalwareX-gen\t\u2022 Win32:Malware-gen \u2022 Nymeria\n\u2022 Forcud +", "modified": "2025-09-11T13:03:18.814000", "created": "2025-08-12T19:53:03.953000", "tags": [ "url http", "url https", "indicator role", "title added", "active related", "pulses url", "entries", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "spawns", "mitre att", "ck techniques", "evasion att", "href", "copy md5", "copy sha1", "copy sha256", "sha1", "sha256", "show technique", "ck matrix", "null", "refresh", "body", "span", "general", "local", "path", "iframe", "click", "date", "strings", "error", "tools", "look", "verify", "restart", "united", "unknown ns", "ip address", "creation date", "search", "present sep", "moved", "domain add", "encrypt", "accept", "please", "passive dns", "msie", "next associated", "html", "background", "unknown site", "div div", "trojan", "zeus", "process32nextw", "read c", "show", "shellexecuteexw", "windows nt", "wow64", "copy", "dock", "write", "malware", "unknown", "defense evasion", "t1480 execution", "file defense", "august", "hybrid", "port", "destination", "tlsv1", "as15169", "ogoogle trust", "cngts ca", "execution", "next", "persistence", "data upload", "extraction", "win32", "ransom", "trojandropper", "mtb nov", "forcud", "files show", "date hash", "avast avg" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 29, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4179, "domain": 774, "hostname": 1673, "FileHash-MD5": 169, "FileHash-SHA1": 110, "FileHash-SHA256": 2073, "email": 1, "SSLCertFingerprint": 13, "CVE": 1 }, "indicator_count": 8993, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "220 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6894f4e6c41982f405592b55", "name": "Worm:Win32/Mydoom | Expanded device-local-****remotewd.com", "description": "", "modified": "2025-09-06T06:03:31.462000", "created": "2025-08-07T18:48:06.557000", "tags": [ "hostname", "pulse pulses", "passive dns", "urls", "files", "ip address", "nameservers", "date hash", "avast avg", "entries", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "itre att", "ck techniques", "copy md5", "copy sha1", "copy sha256", "sha256", "sha1", "mitre att", "pattern match", "show technique", "ck matrix", "null", "refresh", "body", "span", "august", "hybrid", "general", "local", "path", "click", "date", "strings", "error", "tools", "look", "verify", "restart", "domain", "hostname add", "files ip", "address", "location united", "hash avast", "avg clamav", "msdefender aug", "united", "port", "destination", "as16509", "search", "unknown", "ocloudflare", "medium", "memcommit", "service", "write", "next", "persistence", "execution", "malware", "copy", "encrypt", "win32", "mtb feb", "trojan", "susp", "trojandropper", "msr feb", "trojanspy", "next associated", "urls show", "date checked", "virtool", "win64", "worm", "mtb may", "files show", "heur", "script", "dropper", "ransom", "vitro", "pe32", "intel", "ms windows", "as15169", "read c", "asnone", "show", "packing t1045", "t1045", "delphi", "code", "june" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [], "TLP": "green", "cloned_from": "6894f30905efa56990bb10f6", "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 6741, "domain": 5822, "FileHash-SHA256": 1550, "URL": 16348, "FileHash-MD5": 287, "FileHash-SHA1": 242, "SSLCertFingerprint": 9, "email": 1 }, "indicator_count": 31000, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "225 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6894f30905efa56990bb10f6", "name": "Expanded device-local-****remotewd.com", "description": "device-local-2ffdbd74-9f90-41fa-beb8-454ed65788c5.remotewd.com", "modified": "2025-09-06T06:03:31.462000", "created": "2025-08-07T18:40:09.876000", "tags": [ "hostname", "pulse pulses", "passive dns", "urls", "files", "ip address", "nameservers", "date hash", "avast avg", "entries", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "itre att", "ck techniques", "copy md5", "copy sha1", "copy sha256", "sha256", "sha1", "mitre att", "pattern match", "show technique", "ck matrix", "null", "refresh", "body", "span", "august", "hybrid", "general", "local", "path", "click", "date", "strings", "error", "tools", "look", "verify", "restart", "domain", "hostname add", "files ip", "address", "location united", "hash avast", "avg clamav", "msdefender aug", "united", "port", "destination", "as16509", "search", "unknown", "ocloudflare", "medium", "memcommit", "service", "write", "next", "persistence", "execution", "malware", "copy", "encrypt", "win32", "mtb feb", "trojan", "susp", "trojandropper", "msr feb", "trojanspy", "next associated", "urls show", "date checked", "virtool", "win64", "worm", "mtb may", "files show", "heur", "script", "dropper", "ransom", "vitro", "pe32", "intel", "ms windows", "as15169", "read c", "asnone", "show", "packing t1045", "t1045", "delphi", "code", "june" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 6741, "domain": 5822, "FileHash-SHA256": 1550, "URL": 16348, "FileHash-MD5": 287, "FileHash-SHA1": 242, "SSLCertFingerprint": 9, "email": 1 }, "indicator_count": 31000, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "225 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6892e73b32af18aa302df0dc", "name": "Part 1.5", "description": "Dark web media \u2022 Political news \u2022 Malvertizing\nlocate \u2022\ntrack [stalk] \u2022 record calls \u2022 control media [youtube , etc] http://t.name?n[++i]=e:this.removeEventListener\t\t\nJeeng &\nPowebox [ accidentally left out in original post pulse]", "modified": "2025-09-05T04:03:06.929000", "created": "2025-08-06T05:25:15.369000", "tags": [ "chromeua", "optout", "object", "path", "value", "access type", "setval", "windir", "localappdata", "null", "win64", "error", "generator", "close", "roboto", "date", "format", "light", "span", "template", "void", "android", "body", "trident", "mexico", "sonic", "black", "critical", "desktop", "dark", "meta", "this", "june", "hybrid", "apache", "write", "crypto", "autodetect", "face", "courier", "gigi", "impact", "shadow", "click", "strings", "cray", "smwg", "eret", "footer", "infinity", "window", "canvas", "legend", "nuke", "lion", "4629", "ahav", "olsa", "false", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "spawns", "defense evasion", "t1480 execution", "file defense", "copy md5", "copy sha1", "copy sha256", "sha1", "sha256", "script", "mitre att", "pattern match", "show technique", "iframe", "refresh", "august", "general", "local", "tools", "demo", "look", "verify", "restart", "url http", "small", "pulses url", "tellyoun", "showing", "entries", "url https", "indicator role", "title added", "active related", "type indicator", "role title", "added active", "related pulses", "cc08", "f06a6b", "sfurl", "filehashsha256", "types", "indicators show", "search", "pulses", "filehashsha1", "adversaries", "found", "webp image", "ascii text", "riff", "size", "encrypt", "legacy", "filehashmd5", "united", "flag", "server", "markmonitor", "name server", "llc name", "overview dns", "requests domain", "country", "win32", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "file score", "medium risk", "yara", "detections", "malware", "copy", "show", "icmp traffic", "packing t1045", "t1045", "pdb path", "pe resource", "extraction", "data upload", "enter sc", "type", "extra data", "please", "failed", "review", "exclude data", "included review", "ic data", "suggeste", "stop", "type onow", "domain", "passive dns", "urls", "files related", "pulses none", "related tags", "none google", "safe browsing", "sc data", "extr amanuav", "review included", "manualy", "sugges excluded", "filehash", "md5 add", "pulse pulses", "url add", "http", "hostname", "files domain", "pulses otx", "virustotal", "hsmi192547107", "pulses hostname", "r dec", "customer dec", "iski dec", "decision dec", "va dec", "bitcoin", "bitcoin dec", "petra", "torstatus dec", "paul dec", "sodesc", "planet dec", "emilia", "heroin dec", "difference dec", "palantir dec", "loraxlive dec", "chaturbate dec", "sandra", "free dec", "marvel dec", "benjis dec", "fresh dec", "sodesc dec", "srdirport", "srhostname", "link dec", "types of", "italy", "china", "australia", "france", "turkey", "discovery", "information", "ck ids", "t1005", "local system", "t1007", "system service", "part", "track", "locate", "political", "civil society", "news", "created", "hours ago", "report spam", "t1555", "password", "t1560", "collected data", "t1573", "channel", "t1574", "execution flow", "scan", "iocs", "t1497", "u0lhmq", "mtawmq", "t1480", "guardrails", "t1486", "data encrypted", "learn more", "unsubscribe aug", "protocol", "t1074", "staged", "t1083", "t1102", "web service", "t1105", "tool transfer", "t1140", "data engineer", "candidate", "tlsv1", "odigicert inc", "stcalifornia", "lsan jose", "oadobe systems", "incorporated", "cndigicert sha2", "push", "next", "high", "write c", "ireland as16509", "delete", "dirty", "tags", "t1012", "flow endpoint", "security scan", "t1106", "copyright", "levelblue" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 608, "FileHash-SHA1": 433, "FileHash-SHA256": 3663, "URL": 17104, "domain": 1316, "email": 39, "hostname": 4208, "SSLCertFingerprint": 17 }, "indicator_count": 27388, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "226 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "687c07591d641de3c896d4a9", "name": "icon.palantirfoundry.com - Brazzers Porn", "description": "Another strange pulse. Persistent bad actors moved and changed name of operation; of course. Usual - Hostname\nicon.palantirfoundry.com , Apple, Samsung , X.com , Twitter , Facebook, Google, Palantir NSA or a poser? I was threatened this week, I was told that if I was on the \u2018list\u2019 they have to do anything that is asked including \u2018blow me up\u2019. Sounds nuts but I can\u2019t believe this. Whoever has been doing this is hyper dangerous.\n\nicon.palantirfoundry.com ? P.S. Huge pulse. Can\u2019t use private option to cherry pick the IoC\u2019s I\u2019d like to breakdown. Have I broken a rule?", "modified": "2025-08-18T18:01:11.130000", "created": "2025-07-19T21:00:09.343000", "tags": [ "canada unknown", "passive dns", "ransom", "entries", "ipv4", "pulse submit", "url analysis", "urls", "files", "reverse dns", "united", "unknown ns", "moved", "ip address", "creation date", "search", "omain", "pulse pulses", "body", "date", "showing", "domain", "hostname", "ocloudflare", "stca", "lsan francisco", "ecc ca3", "ecc ca2", "as16509", "unknown", "ms windows", "encrypt", "write", "next", "service", "malware", "copy", "unknown soa", "next associated", "urls show", "date checked", "url hostname", "server response", "google safe", "results jul", "present jan", "medium", "memcommit", "module load", "t1129", "regopenkeyexw", "fjlsedauv", "et useragents", "go http", "registry run", "persistence", "execution", "checks", "keys", "start folder", "richhash", "external", "virustotal api", "screenshots", "find", "show", "types", "seard type", "indicator", "data upload", "extraction", "failed", "sc data", "type", "extri included", "review data", "sugges data", "find suxxesteu", "typ indicalon" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 62, "FileHash-SHA1": 17, "FileHash-SHA256": 1433, "URL": 10188, "hostname": 5658, "domain": 5753, "email": 4, "SSLCertFingerprint": 20 }, "indicator_count": 23135, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "243 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6872f4c510c590b7cdc5ff6a", "name": "Crowdsourced Collection of PayPal Mafia Monster - Foundry\u2019s Palantair", "description": "Americans are investing in what Edward Snowden foretold of\u2026 your future from beginning to end will predict how you will be treated. Preemptively policing people even if you have to make up a past.. |\n\nThe New York Times\nMay 30, 2025 \u2014 The Trump administration has expanded Palantir's work with the government, spreading the company's technology \u2014 which could easily merge data on ...\nFormer Palantir workers condemn company's work with ...\n\nNPR\nMay 5, 2025 \u2014 Thirteen former employees of influential data-mining firm Palantir are condemning the company's work with the Trump administration.\nWyden AOC Palantir Letter 061725\n\nSenate Finance (.gov)\nJun 17, 2025 \u2014 The Trump Administration has spent taxpayer dollars on Palantir software at numerous other government agencies and paid it billions of dollars ...\n#foundry #rip #palantir #jeffreyreimerdpt #lawenforcement #twitter #tsarabrashearsblessed #apple #privacynow #fightforprivacy #sabey #hallrender", "modified": "2025-08-11T23:02:24.583000", "created": "2025-07-12T23:50:29.847000", "tags": [ "url https", "url http", "type indicator", "role title", "added active", "related pulses", "entries", "indicator role", "title added", "active related", "pulses", "enter source", "urior exirag", "diri type", "data upload", "extraction", "failed", "included iocs", "review iocs", "find sugge", "extr extract", "in data", "extract", "type", "u extractio", "extra", "review ic", "ipv4", "pulses hostname", "accountunlock", "united", "ireland", "canada", "brazil", "sweden", "australia", "search", "scan", "iocs", "learn more", "filehashsha1", "filehashmd5", "types of", "extra data", "included review", "china", "colombia", "filepath https", "enter sc", "extr data", "include review", "exclude sugges", "filehashsha256", "hostname", "dicators japan", "url tor", "extrac data", "ic excluded", "suggeste", "stop", "type no", "no entrie", "included", "review locc", "excluded data", "sc data", "extri data", "includec review", "exclude data", "suggested", "se extra", "suggest", "manaiv add", "indicator", "review lace", "extri", "find s", "typ no", "no entdi", "ous u", "dron aew", "avtrat", "extre data", "manually", "add indicator", "pulses url", "url url", "typ host", "host url", "include", "z6911541", "extraction fail", "enter souf", "s type", "ur extraction", "extraction data", "jul all", "pulse data", "report external", "review", "extre please", "se extraction", "report spam", "all t8", "firmip", "bofa", "wikileaks", "tmobile", "dish", "capture", "cookie", "enter s", "please sub", "include outroov", "excludel sugges", "extra please", "high priority", "alerts ids", "priority alerts", "cnc beacon", "winver", "digitalmistica", "november", "pulse", "palantir", "foundry twitter", "arkei stealer", "config", "install", "downloader", "cidr", "domain", "indicators hong", "kong", "ukraine", "status no", "object", "unruy", "http", "remote", "keylogger", "foundry created", "days ago", "white keylogger", "apple", "foundry tech", "mafia", "t1045", "packing", "t1060", "run keys", "startup", "folder", "t1457", "showing", "types", "indicators show", "dicator role", "tsara brashears", "tsara", "porn", "porn videos", "pornhub https", "searchtsar", "watch tsara", "most relevant", "open threat", "green", "love", "daily", "videos", "free porn", "hybrid analysis", "falcon sandbox", "top tsara", "brashears porn", "stream", "spice", "download", "hybrid", "njrat", "threat network", "https", "created", "years ago", "modified", "months ago", "tinynote", "douglas county", "co sheriff", "office", "pegasus attacks", "sa victim", "octoseek public", "white", "excludedocs", "sugges", "stop data", "tsara lynn", "brashears les", "lynn brashears", "translate", "pornhub page", "emotet", "se review", "typ url", "dom hos", "hostname data", "harmful", "octoseekpulse", "attacks sa", "bandit stealer", "flubot", "agent tesla", "qbot", "qakbot", "ursnif", "azorult", "djvu", "hacktool", "maze", "dark", "linux", "android10", "khtml", "costcpc", "userosandroid", "bannerid2738231", "india", "enter so", "please subr", "suggest data", "netherlands", "russia", "america malware", "families", "sc type", "please", "show", "url data", "fanec", "include failed", "review exclude", "extre", "includea", "exclude toosrou", "sugges data", "typ data", "information", "cobalt strike", "ransomexx", "quackbot", "comspec", "span", "idn1", "sendimage0", "refts0", "include data", "uny inuuue", "fileh fileh", "exclude suggest", "uniy", "type fileh", "extr please", "ineluderc\u0660", "review data", "excludedlocs" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1051", "name": "Shared Webroot", "display_name": "T1051 - Shared Webroot" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1080", "name": "Taint Shared Content", "display_name": "T1080 - Taint Shared Content" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1085", "name": "Rundll32", "display_name": "T1085 - Rundll32" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1123", "name": "Audio Capture", "display_name": "T1123 - Audio Capture" }, { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1506", "name": "Web Session Cookie", "display_name": "T1506 - Web Session Cookie" }, { "id": "T1512", "name": "Capture Camera", "display_name": "T1512 - Capture Camera" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1586", "name": "Compromise Accounts", "display_name": "T1586 - Compromise Accounts" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1035", "name": "Service Execution", "display_name": "T1035 - Service Execution" }, { "id": "T1065", "name": "Uncommonly Used Port", "display_name": "T1065 - Uncommonly Used Port" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 58, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 12679, "domain": 1134, "hostname": 3543, "FileHash-MD5": 251, "email": 7, "FileHash-SHA256": 1927, "FileHash-SHA1": 232, "CVE": 1, "CIDR": 1, "URI": 1 }, "indicator_count": 19776, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "250 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "686ab98ff0cb9baa4e2b2000", "name": "https://house.mo.gov/ Palantir Technologies HARMFUL (copied OctoseekPulse) Attacks SA victims?", "description": "", "modified": "2025-08-05T21:02:46.419000", "created": "2025-07-06T17:59:43.440000", "tags": [ "runtime process", "localappdata", "size", "sha256", "sha1", "temp", "prefetch8", "prefetch1", "unicode text", "type data", "hybrid", "general", "click", "strings", "contact", "mitre", "writes a pe file header to disc", "show process", "date", "document file", "v2 document", "ascii text", "malicious", "local", "path", "found", "ssl certificate", "whois record", "threat roundup", "contacted", "october", "resolutions", "apple ios", "referrer", "communicating", "execution", "june", "august", "emotet", "qakbot", "agent tesla", "azorult", "core", "maze", "metro", "dark", "team", "critical", "copy", "awful", "ursnif", "hacktool", "info", "qbot", "april", "njrat", "nokoyawa", "djvu", "flubot", "ransomware", "bandit stealer", "hallrender", "spyware", "safebae", "tsara brashears", "westlaw", "river.rocks", "brian sabey", "targeting", "dnspionage", "united", "unknown", "search", "aaaa", "showing", "domain", "creation date", "record value", "dnssec", "body", "passive dns", "encrypt", "as14061", "germany unknown", "as397240", "gmt server", "443 ma2592000", "scan endpoints", "all octoseek", "ipv4", "pulse pulses", "urls", "files", "main", "installing", "as16276", "france unknown", "name servers", "as8075", "servers", "next", "as63949 linode", "as206834 team", "canada unknown", "status", "as61969 team", "msie", "chrome", "ransom", "gone", "title", "head body", "malware" ], "references": [ "\u2193\u2192Found in: https://house.mo.gov/\u2193", "dns.msftncsi.com \u2022 https://dns.msftncsi.com/ \u2022 http://dns.msftncsi.com/", "demo.auth.civicalg.com.sni.cloudflaressl.com", "happyrabbit.kr [Apple iOS threat]", "https://appletoncdn.xyz/l/26422915e0d4f6f88646?sub=5eafeec1af7c0a0001960f44&source=81 \u2022 appletoncdn.xyz", "https://tracking.s-unlock.com \u2022 https://ignaciob.com/track/click/v2-318692303 \u2022 adepttracker.com \u2022", "https://your-sugar-girls.com/cams/default/adult/5277/index.html?p1=https://bongacams10.com/track?c=621661&subid=1a1d33f51a7179480c6d4aeb40d3a5a1&subid2=16969639", "https://click.stecloud.us/campaign/track-email/384458660__3339__6837152__393", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://enter.private.com/track/MTIxODEuNjEuMi41MjEuMTAxMC4wLjAuMC4w/join", "http://nudeteenporn.site" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Nokoyawa Ransomware", "display_name": "Nokoyawa Ransomware", "target": null }, { "id": "Bandit Stealer", "display_name": "Bandit Stealer", "target": null }, { "id": "FluBot", "display_name": "FluBot", "target": null }, { "id": "Agent Tesla", "display_name": "Agent Tesla", "target": null }, { "id": "QBot", "display_name": "QBot", "target": null }, { "id": "QakBot", "display_name": "QakBot", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "Ursnif", "display_name": "Ursnif", "target": null }, { "id": "AZORult", "display_name": "AZORult", "target": null }, { "id": "Djvu", "display_name": "Djvu", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Maze", "display_name": "Maze", "target": null }, { "id": "Dark", "display_name": "Dark", "target": null }, { "id": "NjRAT", "display_name": "NjRAT", "target": null }, { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "Tulach", "display_name": "Tulach", "target": null } ], "attack_ids": [ { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1035", "name": "Service Execution", "display_name": "T1035 - Service Execution" }, { "id": "T1065", "name": "Uncommonly Used Port", "display_name": "T1065 - Uncommonly Used Port" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" } ], "industries": [], "TLP": "green", "cloned_from": "65c96df8fe0657d56a206a49", "export_count": 42, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 251, "FileHash-SHA1": 211, "FileHash-SHA256": 3226, "domain": 1867, "URL": 10030, "hostname": 2919, "CVE": 7, "email": 6 }, "indicator_count": 18517, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "256 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "686c676bcc053e0fc51f01b2", "name": "ALL T8 research led to Firm_IP\u2019s = BoFa , WikiLeaks, United Healthcare, HCA, T-Mobile, Dish , AT&T, Apple,+ Breaches despite other speculations with 0 relations", "description": "", "modified": "2025-08-05T15:03:36.451000", "created": "2025-07-08T00:33:47.021000", "tags": [ "url https", "type indicator", "role title", "added active", "related pulses", "url http", "showing", "entries", "indicator role", "title added", "active related", "pulses url", "ipv4", "filehashmd5", "filehashsha1", "filehashsha256", "indicators show", "search", "reputation", "et att", "ck id", "t1060", "run keys", "startup", "folder", "scan", "iocs", "learn more", "hostname", "types of", "pagehrsappjbpst", "actionu", "focusapplicant", "siteid1", "postingseq1", "t1036", "t1043", "port", "t1085", "rundll32", "t1114", "t1179", "fbi flash", "cu000163mw", "compromise", "found", "uunet", "code", "reverse domain", "lookup", "ragnar", "locker", "ragnar locker", "cidr", "pulses", "types", "windows", "linux", "united", "trojandropper", "mtb jun", "trojan", "win32upatre aug", "mtb may", "gmt server", "ecacc", "files", "suspicious", "body", "data upload", "extraction", "cve cve20170147", "cve cve20178570", "cve cve20178977", "url feb", "pulses hostname", "a1sticas", "next associated", "present mar", "present jun", "present may", "france", "date", "ip address", "present apr", "virtool", "name servers", "value emails", "name john", "shipton", "dynadot privacy", "po box", "city san", "mateo country", "us creation", "news videos", "maps assist", "search settings", "safe search", "date more", "images bae", "systems defense", "bae systems", "london", "britain", "akamai rank", "script urls", "status", "a domains", "accept encoding", "unknown ns", "meta", "encrypt", "https", "report spam", "created", "year ago", "modified", "octoseek public", "cyber attack", "pegasus", "westlaw", "hallrender", "front", "sabey", "enter s", "include review", "exclude sugges", "failed", "sc type", "extr included", "manually add", "puls", "excludedocs", "sugges data", "phishing", "apple pegasus", "detections", "references", "stranger things", "http", "yara", "upx alerts", "fort collins", "help4u", "communications", "orgtechhandle", "domain", "no entries", "cchk asnas26658", "vj92", "search filter", "time sabey", "x show", "indicator type", "email", "filehashimphash", "filehashpehash", "backdoor", "ransom", "checkin", "alphacrypt cnc", "beacon", "jeffrey scott", "terse http", "possible", "accept", "xorddos", "ck ids", "t1512", "camera", "t1071", "protocol", "ta0001", "access", "ta0002", "ta0003", "ta0004", "cookie", "show", "ally", "melika", "part1", "trojanclicker", "bayrob", "android", "ransomware", "sakula rat", "t1125", "video capture", "t1566", "t1068", "t1190", "application", "t1472", "t1457", "media content", "social media", "doppelgnging", "t1080", "shared content", "t1449", "exploit ss7", "phone callssms", "enter sc", "type", "no expiration", "expiration", "months ago", "expiration http", "reimer dpt", "r role", "sa victim", "daisy coleman", "source", "weeks ago", "tbmvid", "sourcelnms", "zx1724209326040", "ahtrnaah typ", "url url", "url domain", "pulse sthow", "ah types", "ind indicator", "data uptoad", "extrachttp", "dulce sphown", "aho data", "typ url", "url dom", "hos hostname", "hos host", "dom dom" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1085", "name": "Rundll32", "display_name": "T1085 - Rundll32" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1051", "name": "Shared Webroot", "display_name": "T1051 - Shared Webroot" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1123", "name": "Audio Capture", "display_name": "T1123 - Audio Capture" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1506", "name": "Web Session Cookie", "display_name": "T1506 - Web Session Cookie" }, { "id": "T1512", "name": "Capture Camera", "display_name": "T1512 - Capture Camera" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1080", "name": "Taint Shared Content", "display_name": "T1080 - Taint Shared Content" }, { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1586", "name": "Compromise Accounts", "display_name": "T1586 - Compromise Accounts" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "686adf91f725a8b7f9850192", "export_count": 56, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8149, "domain": 1067, "hostname": 2103, "FileHash-SHA256": 1617, "URI": 1, "FilePath": 1, "FileHash-MD5": 412, "FileHash-SHA1": 368, "CIDR": 4, "CVE": 6, "email": 10 }, "indicator_count": 13738, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "257 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "686adf91f725a8b7f9850192", "name": "Dystopian Life & Death of an American Crime Victim | Boldy predicted how she will die", "description": "Palantir - a data analytics company, known as a military intelligence tool. co-founded by billionaire investor , Trump supporter and Republican mega donor Musk aligned; Peter Thiel, as per New York. \n\nFounded in 2003, known for its data analytics platforms - Palantir Gotham & Palantir Foundry are used by government & private sectors for various applications, including defense & healthcare. The company faces criticism for its role in government surveillance & data privacy concerns.\nPalantir can be linked to malicious, malware packed , compromised malvertisements about victim allegedly SA\u2019d by her physical therapist Jeffrey Scott Reimer DPT. Apparently target was paid a small settlement via lengthy phone battle by a man representing himself as Brian Sabey ,Esq of Hall Render. \n Palantir, admittedly designs cyber weapon that \u2018kills people\u2019. Are governments abusing to terrorize, silence & even harm/kill American citizens. Is this an elaborate hoax?\nTeam 8 \n#rip #plantantir #Hosanna #dystopian #targeted", "modified": "2025-08-05T15:03:36.451000", "created": "2025-07-06T20:41:53.748000", "tags": [ "url https", "type indicator", "role title", "added active", "related pulses", "url http", "showing", "entries", "indicator role", "title added", "active related", "pulses url", "ipv4", "filehashmd5", "filehashsha1", "filehashsha256", "indicators show", "search", "reputation", "et att", "ck id", "t1060", "run keys", "startup", "folder", "scan", "iocs", "learn more", "hostname", "types of", "pagehrsappjbpst", "actionu", "focusapplicant", "siteid1", "postingseq1", "t1036", "t1043", "port", "t1085", "rundll32", "t1114", "t1179", "fbi flash", "cu000163mw", "compromise", "found", "uunet", "code", "reverse domain", "lookup", "ragnar", "locker", "ragnar locker", "cidr", "pulses", "types", "windows", "linux", "united", "trojandropper", "mtb jun", "trojan", "win32upatre aug", "mtb may", "gmt server", "ecacc", "files", "suspicious", "body", "data upload", "extraction", "cve cve20170147", "cve cve20178570", "cve cve20178977", "url feb", "pulses hostname", "a1sticas", "next associated", "present mar", "present jun", "present may", "france", "date", "ip address", "present apr", "virtool", "name servers", "value emails", "name john", "shipton", "dynadot privacy", "po box", "city san", "mateo country", "us creation", "news videos", "maps assist", "search settings", "safe search", "date more", "images bae", "systems defense", "bae systems", "london", "britain", "akamai rank", "script urls", "status", "a domains", "accept encoding", "unknown ns", "meta", "encrypt", "https", "report spam", "created", "year ago", "modified", "octoseek public", "cyber attack", "pegasus", "westlaw", "hallrender", "front", "sabey", "enter s", "include review", "exclude sugges", "failed", "sc type", "extr included", "manually add", "puls", "excludedocs", "sugges data", "phishing", "apple pegasus", "detections", "references", "stranger things", "http", "yara", "upx alerts", "fort collins", "help4u", "communications", "orgtechhandle", "domain", "no entries", "cchk asnas26658", "vj92", "search filter", "time sabey", "x show", "indicator type", "email", "filehashimphash", "filehashpehash", "backdoor", "ransom", "checkin", "alphacrypt cnc", "beacon", "jeffrey scott", "terse http", "possible", "accept", "xorddos", "ck ids", "t1512", "camera", "t1071", "protocol", "ta0001", "access", "ta0002", "ta0003", "ta0004", "cookie", "show", "ally", "melika", "part1", "trojanclicker", "bayrob", "android", "ransomware", "sakula rat", "t1125", "video capture", "t1566", "t1068", "t1190", "application", "t1472", "t1457", "media content", "social media", "doppelgnging", "t1080", "shared content", "t1449", "exploit ss7", "phone callssms", "enter sc", "type", "no expiration", "expiration", "months ago", "expiration http", "reimer dpt", "r role", "sa victim", "daisy coleman", "source", "weeks ago", "tbmvid", "sourcelnms", "zx1724209326040", "ahtrnaah typ", "url url", "url domain", "pulse sthow", "ah types", "ind indicator", "data uptoad", "extrachttp", "dulce sphown", "aho data", "typ url", "url dom", "hos hostname", "hos host", "dom dom" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1085", "name": "Rundll32", "display_name": "T1085 - Rundll32" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1051", "name": "Shared Webroot", "display_name": "T1051 - Shared Webroot" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1123", "name": "Audio Capture", "display_name": "T1123 - Audio Capture" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1506", "name": "Web Session Cookie", "display_name": "T1506 - Web Session Cookie" }, { "id": "T1512", "name": "Capture Camera", "display_name": "T1512 - Capture Camera" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1080", "name": "Taint Shared Content", "display_name": "T1080 - Taint Shared Content" }, { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1586", "name": "Compromise Accounts", "display_name": "T1586 - Compromise Accounts" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 31, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8149, "domain": 1067, "hostname": 2103, "FileHash-SHA256": 1617, "URI": 1, "FilePath": 1, "FileHash-MD5": 412, "FileHash-SHA1": 368, "CIDR": 4, "CVE": 6, "email": 10 }, "indicator_count": 13738, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "257 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "Alerts: pe_compile_timestomping antiav_detectfile antidebug_guardpages encrypted_ioc", "http://pic.porn.hub-accessories.site \u2022 https://pic.porn.hub-accessories.site \u2022 pic.porn.hub-accessories.site", "Yara: Detections ConventionEngine_Term_Users", "IDS Detections: Observed Discord Domain (discordapp .com in TLS SNI) Observed Discord Service Domain (discord .com) in TLS SNI Less", "Yara: ConventionEngine_Anomaly_MultiPDB_Double , ConventionEngine_Term_Documents", "http://autoconfig.delterserver.org/", "careersandenterprise.appleid.com \u2022 http://apple.appleid.com/", "http://api.jmtstudios.org/", "http://apple-carry-relay.fastly-edge.com \u2022 appleid.com \u2022 charterhomeschoolacademy.appleid.com", "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html", "IDS Detections: Observed Discord Domain (discord .com in TLS SNI)", "Appears to be closely associated with close relative and initial victim of attack.", "IDS Detections: Observed Discord Domain in DNS Lookup (discord .com) Discord Chat Service Domain in DNS Lookup (discord .com)", "http://scteamcommunity.com/4k-high-res-porn-videos/squirt phishing", "https://trail.truefoundry.com/api/track/open/usr_NEDuPPvnqv5DXyhti/tsk_L9bYYgL2HGng9mDsC", "Couldn\u2019t pulse 1st pulse so here\u2019s what\u2019s left", "https://tracking.s-unlock.com \u2022 https://ignaciob.com/track/click/v2-318692303 \u2022 adepttracker.com \u2022", "ConventionEngine_Term_Dropbox \u2022 Dropbox", "https://aninditaannisa.blogspot.com/2019/02/tsara-brashears-porn.html \u2022 blogspot.com \u2022 www.techcult.com/judge-the-simpsons-parody-is-child-pornography/ Whitelisted domain techcult.com\t Domain blogspot.com Whitelisted domain blogspot.com\t Domain techcult.com Whitelisted domain techcult.com\t Hostname aninditaannisa.blogspot.com \u2022 domain blogspot.com", "Alerts: disables_folder_options stealth_hidden_extension stealth_hiddenreg anomalous_deletefile", "https://hybrid-analysis.com/sample/904630d9e73c404a0581c822970935ae49940d09402a55d96712293baa5e8061/68dd9a7397836f17be0d1485", "Alerts: dead_connect antidebug_setunhandledexceptionfilter exec_crash IP\u2019s Domains Contacted : 104.20.151.16", "http://mc.yandex-team.settings.storage-cloud.link/ \u2022 ru.disk-cloud.link", "demo.auth.civicalg.com.sni.cloudflaressl.com", "dns.msftncsi.com \u2022 https://dns.msftncsi.com/ \u2022 http://dns.msftncsi.com/", "https://otx.alienvault.com/indicator/hostname/palantir.hosted-by-discourse.com", "yyz.llm-gateway.truefoundry.com \u2022 trail.truefoundry.com \u2022 sin.llm-gateway.truefoundry.com", "Examining pulse created by scnrscnr is worth reviewing. I was surprised tonal see a targets name.I didn\u2019t see Foundry highlighted", "Alerts: mouse_movement_detect", "happyrabbit.kr [Apple iOS threat]", "www.techcult.com", "https://your-sugar-girls.com/cams/default/adult/5277/index.html?p1=https://bongacams10.com/track?c=621661&subid=1a1d33f51a7179480c6d4aeb40d3a5a1&subid2=16969639", "https://www.google.com/search", "http://aninditaannisa.blogspot.com/2019/02/tsara-brashears-porn.html \u2022 blogspot.com", "scnrscnr pulse is good. I\u2019m assuming they\u2019re targets.", "https://forwardemail.net/es/blog/open-source/apple-email-clients", "Potentially disturbing , personal , invasive, aggressive, intimate behavior of party.", "https://trail.truefoundry.com/api/track/open/usr_NEDuPPvnqv5DXyhti/tsk_X2YECqnpAow7t6JuE", "Python Wheel package", "Alerts : network_cnc_https_generic reads_self packer_entropy injection_rwx uses_windows_utilities antivm_checks_available_memory queries_computer_name queries_user_name", "lm-gateway.truefoundry.com \u2022 https://assets.production.truefoundry.com/sample-openapi.json", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "truefoundry.com \u2022 assets.production.truefoundry.com \u2022 cpt.llm-gateway.truefoundry.com", "Alerts : ransomware_file_modifications stealth_file procmem_yara static_pe_anomaly", "\u2193\u2192Found in: https://house.mo.gov/\u2193", "https://otx.alienvault.com/pulse/5fa57698ac0f6638b7b9a8ba", "https://www.youtube.com/channel/UCSYMkiAJcNXbO5-aemTSxvw", "graphql.accounts.instagram.disk- cloud.link encrynt lenter source leric everest l Data upload Failed Extraction failed, please try again Failed to retrieve suggested indicator for graphql.accounts.instagram.disk- cloud.link Data upload Failed Extraction failed, please try again Failed to retrieve suggested indicator for graphql.accounts.instagram.disk- cloud.link showing system", "Don\u2019t click! https://webapps.stackexchange.com/questions/172215/google-videos-search-sca-esv-query-parameter-possible-tracking | Infected systems", "https://click.stecloud.us/campaign/track-email/384458660__3339__6837152__393", "ic1-privaterelay.appleid.com \u2022 ic2-privaterelay.appleid.com\t\u2022 ic4-privaterelay.appleid.com", "https://trail.truefoundry.com/api/t/c/usr_NEDuPPvnqv5DXyhti/tsk_X2YECqnpAow7t6JuE/enc_U2FsdGVkX1_wWHRx9nPGCEspZpUcIwc1yphMTxaaQ2ZAbsxOqRR4ibXcaYtcmgJ1UgabTFCHVVBLx2oAnBAW2h8el_edjHN72Ug0yKQePjKnSJEOnQvtq8MUPo0vkU1N", "Foundry stalking.", "IDS Detections: Win32/Vflooder.B Checkin | Virus Total vtapi DOS", "dash.ocrobot.com \u2022 robottherobot.com \u2022http://www.robottherobot.com/", "https://www.jmtstudios.org/farewell/", "Alerts : dead_connect antidebug_setunhandledexceptionfilter exec_crash IP\u2019s Contacted 104.20.151.16", "IDS Detections: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)", "https://appletoncdn.xyz/l/26422915e0d4f6f88646?sub=5eafeec1af7c0a0001960f44&source=81 \u2022 appletoncdn.xyz", "Alerts: infostealer_browser infostealer_cookies binary_yara procmem_yara static_pe_anomaly", "https://enter.private.com/track/MTIxODEuNjEuMi41MjEuMTAxMC4wLjAuMC4w/join", "http://foundry.tartarynova.com phishing \u2022 https://foundry.tartarynova.com \u2022 foundry.tartarynova.com", "Alerts: dynamic_function_loading injection_write_process reads_memory_remote_process", "accounts.instagram.disk-cloud.link \u2022\tgraphql.accounts.instagram.disk-cloud", "Yara : UPX , Nrv2x , UPX_OEP_place , UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , UPXv20MarkusLaszloReiser", "http://www.visitbooker.com/Dropbox-07/index.htm", "sonar.tools.nonprod.civicalg.com", "openvision.ro", "http://nudeteenporn.site", "162.159.128.233 \u2022 http://tsar.vicly.org \u2022 https://tsar.vicly.org \u2022 tsar.vicly.org \u2022 vicly.org \u2022 https://tsar.vicly.org/", "bricked.wtf", "Alerts: network_cnc_https_generic", "2022ww11.pornhubgsy.com \u2022 http://scteamcommunity.com/4k-high-res-porn-videos/squirt", "Yara : MS_Visual_Basic_6_0 ,", "Yara Detections: stack_string , case_4485_ekix4 Alerts: procmem_yara dynamic_function_loading", "DoD Network Information Center (DNIC)", "DoD Network Information Center disa.columbus.ns.mbx.arin-registrations@mail.mil [seen throughout}" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Trojan:win32/zusy", "Qakbot", "Hallrender", "Flubot", "Win.malware.convagent-9981433-0", "Alf:heraklezeval:pua:win32/ultradownloads", "Dark", "Tulach", "Bandit stealer", "Wannacry", "Djvu", "Tel:createscheduledtask.a!sigattr", "Trojandropper:win32/vb.il0", "Trojandownloader:win32/upatre", "Azorult", "Upadter", "Maze", "A variant of win32/kryptik.deoa", "Trojandropper:win32/muldrop.v!mtb", "Alf:exploit:win32/gsharedinforef.a", "Emotet", "Ursnif", "Mydoom", "Win.malware.remoteadmin-7056666-0", "Alf:trojan:win32/cassini_56a3061!ibt", "Win.ransomware.msilzilla-10014498-0", "Hacktool", "Trojan:win32/vflooder", "Lockbit", "Nokoyawa ransomware", "Other dangerous malware", "Et", "Agent tesla", "Qbot", "Njrat", "Win.trojan.agent", "Alf:trojan:win32/g3nasom!imp", "Themida", "Trojan:win32/magania.dsk!mtb" ], "industries": [ "Civilian", "Technology", "Targeted", "Oil", "Financial", "Telecommunications" ], "unique_indicators": 173456 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/cloudflaressl.com", "whois": "http://whois.domaintools.com/cloudflaressl.com", "domain": "cloudflaressl.com", "hostname": "ssl944625.cloudflaressl.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 18, "pulses": [ { "id": "6923408464566e39caf32285", "name": "Discord- DNS | Malvertizing | Ransom/Msilzilla (sifting IoC\u2019s created by scnrscnr)", "description": "TAGS\nActive\n443 ma2592000\nChristopher Pool\nPool's Closed\nTimothy Pool\na li\n google\namerica att\napache\napache ip\nasn as46606\nauditmode force\nbehavior\nbinary\nbinary file\nbk role\nchat\ncheck\nchrome\nck ids\ncommon stealer\ncookie\ndata upload\ndefender\ndelete c\ndirectui\ndiscord\ndns lookup\ndomain add\ndrop\ndynamicloader\neb d8\nee fc\nerror oct\nexplorer\nexternal ip\nextraction\nf0 ff\nfailed\nff bb\nff d5\nff ff\nfiles\nfoundry\ngmt content\ngmt etag\ngmt server\ngoogle chrome\nguard\nhigh\ninsert\nlolminer\nmalware\nmedia\nmeta\nmoved\nmovie\nmsie\nmsvisualbasic60\nmtb aug -present \nneversend\npowershell\nrelated nids\nresponse ip\nself\nservice domain\nsingapore\nsmartassembly\nspan\nspan a\nsx08x00x00a\ntargeting\ntls sni\ntrojan\ntrojandropper\ntwitter\ntx08x00x00n\nunique\nuser agent\nux08x00x00h\nvirtool\nvirustotal api\nvoice\nvx08x00x00j\nwrite\nwrite c\nwx08x00x00\nx08x00x00b\nx08x00x00x00\nyara\nyara rule\nyx08x00x00l\nz3je\nz3uwq7\nzx08x00x00", "modified": "2025-12-23T16:04:54.329000", "created": "2025-11-23T17:12:36.917000", "tags": [ "no expiration", "expiration", "url https", "url http", "filehashsha256", "hostname", "domain", "filehashmd5", "filehashsha1", "ipv4", "code", "pool", "timothy pool", "z3je z3uwq7", "creation date", "ip address", "emails", "expiration date", "status", "hostname add", "pulse pulses", "passive dns", "urls", "date" ], "references": [ "https://otx.alienvault.com/pulse/5fa57698ac0f6638b7b9a8ba", "Examining pulse created by scnrscnr is worth reviewing. I was surprised tonal see a targets name.I didn\u2019t see Foundry highlighted", "http://aninditaannisa.blogspot.com/2019/02/tsara-brashears-porn.html \u2022 blogspot.com", "https://aninditaannisa.blogspot.com/2019/02/tsara-brashears-porn.html \u2022 blogspot.com \u2022 www.techcult.com/judge-the-simpsons-parody-is-child-pornography/ Whitelisted domain techcult.com\t Domain blogspot.com Whitelisted domain blogspot.com\t Domain techcult.com Whitelisted domain techcult.com\t Hostname aninditaannisa.blogspot.com \u2022 domain blogspot.com", "www.techcult.com", "http://foundry.tartarynova.com phishing \u2022 https://foundry.tartarynova.com \u2022 foundry.tartarynova.com", "https://trail.truefoundry.com/api/t/c/usr_NEDuPPvnqv5DXyhti/tsk_X2YECqnpAow7t6JuE/enc_U2FsdGVkX1_wWHRx9nPGCEspZpUcIwc1yphMTxaaQ2ZAbsxOqRR4ibXcaYtcmgJ1UgabTFCHVVBLx2oAnBAW2h8el_edjHN72Ug0yKQePjKnSJEOnQvtq8MUPo0vkU1N", "https://trail.truefoundry.com/api/track/open/usr_NEDuPPvnqv5DXyhti/tsk_L9bYYgL2HGng9mDsC", "https://trail.truefoundry.com/api/track/open/usr_NEDuPPvnqv5DXyhti/tsk_X2YECqnpAow7t6JuE", "truefoundry.com \u2022 assets.production.truefoundry.com \u2022 cpt.llm-gateway.truefoundry.com", "yyz.llm-gateway.truefoundry.com \u2022 trail.truefoundry.com \u2022 sin.llm-gateway.truefoundry.com", "lm-gateway.truefoundry.com \u2022 https://assets.production.truefoundry.com/sample-openapi.json", "162.159.128.233 \u2022 http://tsar.vicly.org \u2022 https://tsar.vicly.org \u2022 tsar.vicly.org \u2022 vicly.org \u2022 https://tsar.vicly.org/", "http://scteamcommunity.com/4k-high-res-porn-videos/squirt phishing", "http://pic.porn.hub-accessories.site \u2022 https://pic.porn.hub-accessories.site \u2022 pic.porn.hub-accessories.site", "2022ww11.pornhubgsy.com \u2022 http://scteamcommunity.com/4k-high-res-porn-videos/squirt", "IDS Detections: Observed Discord Domain in DNS Lookup (discord .com) Discord Chat Service Domain in DNS Lookup (discord .com)", "IDS Detections: Observed Discord Domain (discord .com in TLS SNI)", "IDS Detections: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)", "IDS Detections: Observed Discord Domain (discordapp .com in TLS SNI) Observed Discord Service Domain (discord .com) in TLS SNI Less", "Yara: Detections ConventionEngine_Term_Users", "Yara: ConventionEngine_Anomaly_MultiPDB_Double , ConventionEngine_Term_Documents", "Alerts: infostealer_browser infostealer_cookies binary_yara procmem_yara static_pe_anomaly", "Alerts: pe_compile_timestomping antiav_detectfile antidebug_guardpages encrypted_ioc", "Alerts: dynamic_function_loading injection_write_process reads_memory_remote_process", "Alerts : network_cnc_https_generic reads_self packer_entropy injection_rwx uses_windows_utilities antivm_checks_available_memory queries_computer_name queries_user_name", "Yara : MS_Visual_Basic_6_0 ,", "Yara : UPX , Nrv2x , UPX_OEP_place , UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , UPXv20MarkusLaszloReiser", "Alerts : ransomware_file_modifications stealth_file procmem_yara static_pe_anomaly", "Alerts: disables_folder_options stealth_hidden_extension stealth_hiddenreg anomalous_deletefile", "Alerts: mouse_movement_detect", "Couldn\u2019t pulse 1st pulse so here\u2019s what\u2019s left", "scnrscnr pulse is good. I\u2019m assuming they\u2019re targets.", "Foundry stalking." ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "TrojanDropper:Win32/VB.IL0", "display_name": "TrojanDropper:Win32/VB.IL0", "target": "/malware/TrojanDropper:Win32/VB.IL0" }, { "id": "ALF:Trojan:Win32/Cassini_56a3061!ibt", "display_name": "ALF:Trojan:Win32/Cassini_56a3061!ibt", "target": null }, { "id": "Win.Ransomware.Msilzilla-10014498-0", "display_name": "Win.Ransomware.Msilzilla-10014498-0", "target": null } ], "attack_ids": [ { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1443", "name": "Remotely Install Application", "display_name": "T1443 - Remotely Install Application" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 773, "FileHash-SHA1": 684, "FileHash-SHA256": 1910, "CVE": 2, "SSLCertFingerprint": 4, "URL": 3783, "domain": 878, "email": 7, "hostname": 1913 }, "indicator_count": 9954, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "117 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68f93b1cebf80f48450bd517", "name": "Yuner - File deletion and Disk Wiping / Cyberstalking ", "description": "", "modified": "2025-11-21T18:02:11.054000", "created": "2025-10-22T20:14:20.632000", "tags": [ "server nginx", "date fri", "etag w", "urls", "passive dns", "acceptranges", "contentlength", "date thu", "gmt expires", "server", "code", "link", "script script", "south africa", "ipv4", "files", "location south", "accept", "present aug", "certificate", "hostname add", "domain", "files ip", "unknown a", "script urls", "ip address", "unknown soa", "unknown ns", "reverse dns", "africa flag", "asn as16637", "dns resolutions", "domains top", "level", "unique tld", "related pulses", "tags none", "indicator facts", "title", "ipv4 add", "opinion", "netacea", "lockbit", "wannacry attack", "nhs trusts", "council", "uk government", "protect", "cni safe", "acls", "praio", "prink", "prsc", "prla", "lg2en", "cti98", "search", "seiko epson", "corporation", "arc file", "malware", "delete c", "default", "show", "write", "next", "unknown", "united", "tlsv1", "msie", "windows nt", "wow64", "slcc2", "media center", "as15169", "port", "execution", "dock", "capture", "persistence", "yara detections", "filehash", "md5 add", "pulse pulses", "av detections", "ids detections", "alerts", "analysis date", "file score", "low risk", "cabinet archive", "microsoft", "read c", "dynamicloader", "medium", "ltda me", "high", "write c", "entries", "checks", "delphi", "win32", "url pulse", "data upload", "extraction", "find suggested", "type", "domain hostname", "url add", "http", "related nids", "files location", "ireland flag", "files domain", "chrome", "ireland unknown", "pulse submit", "url analysis", "body", "date", "status", "name servers", "creation date", "expiration date", "flag united", "destination", "systemdrive", "html document", "crlf line", "updater", "copy", "unknown aaaa", "moved", "domain add", "extri data", "enter sc", "extr include", "review exclude", "sugges", "present jul", "saudi arabia", "present mar", "present oct", "present jun", "present feb", "present nov", "present may", "eeee", "eeeeeee", "eeeeee", "eefe", "ebeee", "ee eme", "eeheee", "eeefee e", "eeeee e", "vmprotect", "push", "local", "defender", "regsetvalueexa", "utf8 unicode" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Lockbit", "display_name": "Lockbit", "target": null }, { "id": "ALF:HeraklezEval:PUA:Win32/UltraDownloads", "display_name": "ALF:HeraklezEval:PUA:Win32/UltraDownloads", "target": null }, { "id": "Other Dangerous Malware", "display_name": "Other Dangerous Malware", "target": null } ], "attack_ids": [ { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1561", "name": "Disk Wipe", "display_name": "T1561 - Disk Wipe" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" } ], "industries": [ "Oil" ], "TLP": "green", "cloned_from": "68f9288e0d98f3b44c2cb90c", "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 648, "hostname": 1604, "FileHash-SHA256": 1826, "URL": 4153, "FileHash-MD5": 102, "FileHash-SHA1": 60, "SSLCertFingerprint": 18, "CVE": 2, "email": 5 }, "indicator_count": 8418, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "148 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68f9288e0d98f3b44c2cb90c", "name": "Ultrasounds attack - South African criminal group-Denver, Vo affects critical infrastructure , Oil and public safety", "description": "South African and Ethiopian crime group with Denver , Co presence is not only infiltrating infrastructure from banking to oil, they are human traffickers, hitmen and yes, I received this tip from team member Pheona who a \u2018sassa.gov.za\u2018 South African link recurrently as a top search suggestion in a \u2018targets\u2019 browser. The most frightening piece is that a name listed is of an Ethiopian man who attempted to force a very targeted victim to go somewhere with him,, be his girlfriend and did show up outside of her residence in a different City & County. He also knew the exact name of where she purchased specific items. If you can see this. Please help the best way you can. Something is incredibly wrong. [OTX auto populated Title: We can\u2019t rely on goodwill to protect our critical infrastructure - Help Net Security]", "modified": "2025-11-21T18:02:11.054000", "created": "2025-10-22T18:55:10.527000", "tags": [ "server nginx", "date fri", "etag w", "urls", "passive dns", "acceptranges", "contentlength", "date thu", "gmt expires", "server", "code", "link", "script script", "south africa", "ipv4", "files", "location south", "accept", "present aug", "certificate", "hostname add", "domain", "files ip", "unknown a", "script urls", "ip address", "unknown soa", "unknown ns", "reverse dns", "africa flag", "asn as16637", "dns resolutions", "domains top", "level", "unique tld", "related pulses", "tags none", "indicator facts", "title", "ipv4 add", "opinion", "netacea", "lockbit", "wannacry attack", "nhs trusts", "council", "uk government", "protect", "cni safe", "acls", "praio", "prink", "prsc", "prla", "lg2en", "cti98", "search", "seiko epson", "corporation", "arc file", "malware", "delete c", "default", "show", "write", "next", "unknown", "united", "tlsv1", "msie", "windows nt", "wow64", "slcc2", "media center", "as15169", "port", "execution", "dock", "capture", "persistence", "yara detections", "filehash", "md5 add", "pulse pulses", "av detections", "ids detections", "alerts", "analysis date", "file score", "low risk", "cabinet archive", "microsoft", "read c", "dynamicloader", "medium", "ltda me", "high", "write c", "entries", "checks", "delphi", "win32", "url pulse", "data upload", "extraction", "find suggested", "type", "domain hostname", "url add", "http", "related nids", "files location", "ireland flag", "files domain", "chrome", "ireland unknown", "pulse submit", "url analysis", "body", "date", "status", "name servers", "creation date", "expiration date", "flag united", "destination", "systemdrive", "html document", "crlf line", "updater", "copy", "unknown aaaa", "moved", "domain add", "extri data", "enter sc", "extr include", "review exclude", "sugges", "present jul", "saudi arabia", "present mar", "present oct", "present jun", "present feb", "present nov", "present may", "eeee", "eeeeeee", "eeeeee", "eefe", "ebeee", "ee eme", "eeheee", "eeefee e", "eeeee e", "vmprotect", "push", "local", "defender", "regsetvalueexa", "utf8 unicode" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Lockbit", "display_name": "Lockbit", "target": null }, { "id": "ALF:HeraklezEval:PUA:Win32/UltraDownloads", "display_name": "ALF:HeraklezEval:PUA:Win32/UltraDownloads", "target": null }, { "id": "Other Dangerous Malware", "display_name": "Other Dangerous Malware", "target": null } ], "attack_ids": [ { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1561", "name": "Disk Wipe", "display_name": "T1561 - Disk Wipe" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" } ], "industries": [ "Oil" ], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 648, "hostname": 1604, "FileHash-SHA256": 1826, "URL": 4153, "FileHash-MD5": 102, "FileHash-SHA1": 60, "SSLCertFingerprint": 18, "CVE": 2, "email": 5 }, "indicator_count": 8418, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "148 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68ee5ea4d51d4a1cabdb4ee9", "name": "Gaming Studios - YouTube - MyDoom", "description": "", "modified": "2025-11-13T12:05:32.283000", "created": "2025-10-14T14:31:00.172000", "tags": [ "no expiration", "url https", "url http", "iocs", "ipv4", "enter source", "indicator role", "title added", "active related", "united", "present jul", "unknown ns", "search", "for privacy", "moved", "ip address", "encrypt", "a domains", "script urls", "meta", "pragma", "general full", "reverse dns", "software", "resource", "security tls", "piscataway", "asn20473", "asn15169", "google", "asvultr", "portfolio", "josh theriault", "upei", "university", "island", "roblox", "jmt studios", "moon engine", "android", "icpc", "north america", "qualifier", "hello", "apache", "runner", "eric everest", "games", "cloudflar", "amazon02", "as autonomous", "system", "canada", "value", "domainpath name", "cgjerrieegaggq", "name value", "form", "game development", "blog", "jmt99", "developer", "event", "bullseye", "trick or treat", "unofficial trick or treat 2014", "unofficial trick or treat 2015", "egg hunt", "gift hunt", "hallows quest", "studio", "experience", "fall", "january", "july", "founder", "studio head", "passive dns", "urls", "registrar", "title", "roblox jmt99 \"jmt studios\" \"trick or treat\" \"egg hunt\"", "press copyright", "contact", "privacy policy", "safety how", "youtube", "test", "nfl sunday", "ticket", "google llc", "data upload", "extraction", "failed", "files", "twitter", "variables", "cgjjtbieggagla", "nid value", "expiration date", "files ip", "dynamicloader", "write c", "delete c", "intel", "ms windows", "medium", "default", "write", "guard", "mozilla", "malware", "defender", "unknown", "domains", "hashes", "url analysis", "unknown aaaa", "script domains", "certificate", "game", "servers", "unofficial", "settings", "public", "endpoints", "currently", "game servers", "current", "meta name", "robots content", "x ua", "ieedge chrome1", "incapsula", "request", "role title", "related pulses", "domain v", "url indicator", "nameilname", "ascii text", "mitre att", "ck id", "ck matrix", "hybrid", "general", "local", "path", "click", "strings", "pe file", "high", "yara detections", "dynamic", "v hostname", "se fos", "include v", "domain url", "data", "alltypes", "win32mydoom oct", "trojan", "url add", "http", "related nids", "files location", "canada flag", "canada hostname", "canada unknown", "canada", "present aug", "name servers", "present sep", "aaaa", "present oct", "crlf line", "unicode text", "music", "suspicious", "bricked.wtf", "flag united", "google safe", "domain", "address domain", "united states", "filehashsha256", "hostname xn", "finland unknown", "filehashmd5", "indicators hong", "kong", "south korea", "present jun", "present mar", "present may", "olet", "cnr12", "tlsv1", "get updates", "upatre", "added active", "apple", "everest", "josh paul", "upadter", "convagent", "info stealing", "delete service", "phishing", "fraud", "social engineering", "gamer", "hacker", "adversaries", "icloud", "found", "gmt content", "error", "redacted for", "meta http", "content", "gmt server", "france unknown", "poland unknown", "content type", "xml title", "hostname add", "address", "location united", "life", "century link llc", "xfinity", "livesex", "domain add", "users", "show", "delete", "blocked by quad9", "showing", "record value", "location canada", "canada asn", "accept", "cookie", "macbook", "ipv4 add", "america flag", "america asn", "asn as714", "less", "woodynet", "next associated", "status", "exclude sugges", "ip related", "t1027.013" ], "references": [ "https://www.jmtstudios.org/farewell/", "https://www.youtube.com/channel/UCSYMkiAJcNXbO5-aemTSxvw", "graphql.accounts.instagram.disk- cloud.link encrynt lenter source leric everest l Data upload Failed Extraction failed, please try again Failed to retrieve suggested indicator for graphql.accounts.instagram.disk- cloud.link Data upload Failed Extraction failed, please try again Failed to retrieve suggested indicator for graphql.accounts.instagram.disk- cloud.link showing system", "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html", "ConventionEngine_Term_Dropbox \u2022 Dropbox", "http://api.jmtstudios.org/", "bricked.wtf", "ic1-privaterelay.appleid.com \u2022 ic2-privaterelay.appleid.com\t\u2022 ic4-privaterelay.appleid.com", "http://apple-carry-relay.fastly-edge.com \u2022 appleid.com \u2022 charterhomeschoolacademy.appleid.com", "careersandenterprise.appleid.com \u2022 http://apple.appleid.com/", "https://forwardemail.net/es/blog/open-source/apple-email-clients", "accounts.instagram.disk-cloud.link \u2022\tgraphql.accounts.instagram.disk-cloud", "http://mc.yandex-team.settings.storage-cloud.link/ \u2022 ru.disk-cloud.link", "http://www.visitbooker.com/Dropbox-07/index.htm", "dash.ocrobot.com \u2022 robottherobot.com \u2022http://www.robottherobot.com/", "Appears to be closely associated with close relative and initial victim of attack.", "Potentially disturbing , personal , invasive, aggressive, intimate behavior of party." ], "public": 1, "adversary": "", "targeted_countries": [ "Hong Kong", "United States of America" ], "malware_families": [ { "id": "Win.Malware.Convagent-9981433-0", "display_name": "Win.Malware.Convagent-9981433-0", "target": null }, { "id": "Upadter", "display_name": "Upadter", "target": null }, { "id": "MyDoom", "display_name": "MyDoom", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 27, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6996, "FileHash-MD5": 281, "FileHash-SHA1": 220, "FileHash-SHA256": 2673, "domain": 1747, "email": 24, "hostname": 2803, "SSLCertFingerprint": 3 }, "indicator_count": 14747, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "157 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68ee5e9f8cfc5fbc73142660", "name": "Gaming Studios - YouTube - MyDoom", "description": "", "modified": "2025-11-13T12:05:32.283000", "created": "2025-10-14T14:30:55.471000", "tags": [ "no expiration", "url https", "url http", "iocs", "ipv4", "enter source", "indicator role", "title added", "active related", "united", "present jul", "unknown ns", "search", "for privacy", "moved", "ip address", "encrypt", "a domains", "script urls", "meta", "pragma", "general full", "reverse dns", "software", "resource", "security tls", "piscataway", "asn20473", "asn15169", "google", "asvultr", "portfolio", "josh theriault", "upei", "university", "island", "roblox", "jmt studios", "moon engine", "android", "icpc", "north america", "qualifier", "hello", "apache", "runner", "eric everest", "games", "cloudflar", "amazon02", "as autonomous", "system", "canada", "value", "domainpath name", "cgjerrieegaggq", "name value", "form", "game development", "blog", "jmt99", "developer", "event", "bullseye", "trick or treat", "unofficial trick or treat 2014", "unofficial trick or treat 2015", "egg hunt", "gift hunt", "hallows quest", "studio", "experience", "fall", "january", "july", "founder", "studio head", "passive dns", "urls", "registrar", "title", "roblox jmt99 \"jmt studios\" \"trick or treat\" \"egg hunt\"", "press copyright", "contact", "privacy policy", "safety how", "youtube", "test", "nfl sunday", "ticket", "google llc", "data upload", "extraction", "failed", "files", "twitter", "variables", "cgjjtbieggagla", "nid value", "expiration date", "files ip", "dynamicloader", "write c", "delete c", "intel", "ms windows", "medium", "default", "write", "guard", "mozilla", "malware", "defender", "unknown", "domains", "hashes", "url analysis", "unknown aaaa", "script domains", "certificate", "game", "servers", "unofficial", "settings", "public", "endpoints", "currently", "game servers", "current", "meta name", "robots content", "x ua", "ieedge chrome1", "incapsula", "request", "role title", "related pulses", "domain v", "url indicator", "nameilname", "ascii text", "mitre att", "ck id", "ck matrix", "hybrid", "general", "local", "path", "click", "strings", "pe file", "high", "yara detections", "dynamic", "v hostname", "se fos", "include v", "domain url", "data", "alltypes", "win32mydoom oct", "trojan", "url add", "http", "related nids", "files location", "canada flag", "canada hostname", "canada unknown", "canada", "present aug", "name servers", "present sep", "aaaa", "present oct", "crlf line", "unicode text", "music", "suspicious", "bricked.wtf", "flag united", "google safe", "domain", "address domain", "united states", "filehashsha256", "hostname xn", "finland unknown", "filehashmd5", "indicators hong", "kong", "south korea", "present jun", "present mar", "present may", "olet", "cnr12", "tlsv1", "get updates", "upatre", "added active", "apple", "everest", "josh paul", "upadter", "convagent", "info stealing", "delete service", "phishing", "fraud", "social engineering", "gamer", "hacker", "adversaries", "icloud", "found", "gmt content", "error", "redacted for", "meta http", "content", "gmt server", "france unknown", "poland unknown", "content type", "xml title", "hostname add", "address", "location united", "life", "century link llc", "xfinity", "livesex", "domain add", "users", "show", "delete", "blocked by quad9", "showing", "record value", "location canada", "canada asn", "accept", "cookie", "macbook", "ipv4 add", "america flag", "america asn", "asn as714", "less", "woodynet", "next associated", "status", "exclude sugges", "ip related", "t1027.013" ], "references": [ "https://www.jmtstudios.org/farewell/", "https://www.youtube.com/channel/UCSYMkiAJcNXbO5-aemTSxvw", "graphql.accounts.instagram.disk- cloud.link encrynt lenter source leric everest l Data upload Failed Extraction failed, please try again Failed to retrieve suggested indicator for graphql.accounts.instagram.disk- cloud.link Data upload Failed Extraction failed, please try again Failed to retrieve suggested indicator for graphql.accounts.instagram.disk- cloud.link showing system", "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html", "ConventionEngine_Term_Dropbox \u2022 Dropbox", "http://api.jmtstudios.org/", "bricked.wtf", "ic1-privaterelay.appleid.com \u2022 ic2-privaterelay.appleid.com\t\u2022 ic4-privaterelay.appleid.com", "http://apple-carry-relay.fastly-edge.com \u2022 appleid.com \u2022 charterhomeschoolacademy.appleid.com", "careersandenterprise.appleid.com \u2022 http://apple.appleid.com/", "https://forwardemail.net/es/blog/open-source/apple-email-clients", "accounts.instagram.disk-cloud.link \u2022\tgraphql.accounts.instagram.disk-cloud", "http://mc.yandex-team.settings.storage-cloud.link/ \u2022 ru.disk-cloud.link", "http://www.visitbooker.com/Dropbox-07/index.htm", "dash.ocrobot.com \u2022 robottherobot.com \u2022http://www.robottherobot.com/", "Appears to be closely associated with close relative and initial victim of attack.", "Potentially disturbing , personal , invasive, aggressive, intimate behavior of party." ], "public": 1, "adversary": "", "targeted_countries": [ "Hong Kong", "United States of America" ], "malware_families": [ { "id": "Win.Malware.Convagent-9981433-0", "display_name": "Win.Malware.Convagent-9981433-0", "target": null }, { "id": "Upadter", "display_name": "Upadter", "target": null }, { "id": "MyDoom", "display_name": "MyDoom", "target": null } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 23, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6996, "FileHash-MD5": 281, "FileHash-SHA1": 220, "FileHash-SHA256": 2673, "domain": 1747, "email": 24, "hostname": 2803, "SSLCertFingerprint": 3 }, "indicator_count": 14747, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "157 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68dda4bcade283258f6ed707", "name": "Delta Server - Phishing", "description": "Related to FBI.gov and maliciously coded image found on Google image search result on a fully updated yet hacked iOS device.", "modified": "2025-10-31T21:05:05.615000", "created": "2025-10-01T22:01:32.571000", "tags": [ "related pulses", "delta server", "phishing", "fbi.gov?", "hacked images", "gogle", "google search", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "defense evasion", "spawns", "access att", "windows nt", "size", "mitre att", "path", "general", "local", "click", "strings", "dynamicloader", "eke eekeeeke", "eeye", "eekeee ee", "eekeeeke eekeee", "search", "delete", "yara detections", "eeeee e", "yara rule", "write", "trojan", "dynamic_loading_function", "command_and_control" ], "references": [ "http://autoconfig.delterserver.org/", "https://hybrid-analysis.com/sample/904630d9e73c404a0581c822970935ae49940d09402a55d96712293baa5e8061/68dd9a7397836f17be0d1485", "Yara Detections: stack_string , case_4485_ekix4 Alerts: procmem_yara dynamic_function_loading", "Alerts: network_cnc_https_generic", "Alerts : dead_connect antidebug_setunhandledexceptionfilter exec_crash IP\u2019s Contacted 104.20.151.16", "Alerts: dead_connect antidebug_setunhandledexceptionfilter exec_crash IP\u2019s Domains Contacted : 104.20.151.16" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 463, "domain": 60, "hostname": 210, "FileHash-MD5": 51, "FileHash-SHA1": 85, "FileHash-SHA256": 203, "SSLCertFingerprint": 1 }, "indicator_count": 1073, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "169 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68d40c9a87988555c2e23626", "name": "Described as \u2018Haunted\u2019 - Ransom & espionage continues to plague residential communities | HighMark Residential", "description": "A national apartment apartment and townhome community that describes itself as luxury has developed such a poor reputation for poor conditions, communication, discrimination, a belief legal entities are running communities some which have been converted hospitals has a terrible spyware , ransom problem they seem unwilling to address. Compromised to the hilt & famously known to have its own Reddit thread dedicated to a haunted\u2019 Denver community our team has researched in the past. Denver community had a compromise that likely brought attention to or spearheaded the AT&T outage. whitesky.us or the outage was a coincidence.\n\nConcerns about espionage, passwords, outages, ransomware. \ntips from former residents from Phoenix, Texas and Utah in on weekend. Broad research required.\nThailand live?", "modified": "2025-10-24T14:04:50.784000", "created": "2025-09-24T15:22:02.262000", "tags": [ "encrypt", "residential", "benefits", "contact us", "email", "denver highmark", "windows nt", "dynamicloader", "generic http", "exe upload", "medium", "host", "inbound", "trojan", "write", "markus", "malware", "checkin", "trojandropper", "mtb sep", "united", "passive dns", "win32upatre sep", "ipv4", "reverse dns", "alerts", "av detections", "ids detections", "yara detections", "high", "dynamic", "reads", "pe file", "checks system", "write c", "a domains", "gmt server", "certificate", "hostname add", "url analysis", "title", "apache", "name servers", "ip address", "emails", "servers", "users", "recycle bin", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "defense evasion", "t1480 execution", "windir", "openurl c", "eregec4", "kl0hsy", "pattern match", "ascii text", "mitre att", "ck matrix", "t1057", "prefetch2", "yara signature", "general", "local", "path", "click", "ipv4 add", "urls", "files", "outbound", "cname", "apache x", "powered", "modified", "moved", "body doctype", "content type", "accept", "script script", "script urls", "queue security", "script begin", "url add", "http", "hostname", "files domain", "files related", "related tags", "dominet", "record value", "domain", "meta", "gmt etag", "pulse submit", "alive thailand", "xml title", "x tec", "html public", "show", "copy", "pe section", "contacted", "md5 add", "pulse pulses", "analysis date", "file score", "search", "win64", "khtml", "gecko", "json", "themida", "download", "next", "public folder", "windows", "highest", "a file", "checks adapter", "mpgph131 hr", "hourly rl", "mpgph131 lg", "onlogon rl", "entries", "checks", "high automated", "ollydbg", "gbdyllo", "file monitor", "process monitor", "cape", "related nids", "files location", "flag united", "pulses none", "next associated", "hosting", "33", "customercare" ], "references": [ "IDS Detections: Win32/Vflooder.B Checkin | Virus Total vtapi DOS" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Trojan:Win32/Vflooder", "display_name": "Trojan:Win32/Vflooder", "target": "/malware/Trojan:Win32/Vflooder" }, { "id": "Trojandownloader:Win32/Upatre", "display_name": "Trojandownloader:Win32/Upatre", "target": "/malware/Trojandownloader:Win32/Upatre" }, { "id": "Win.Trojan.Agent", "display_name": "Win.Trojan.Agent", "target": null }, { "id": "ALF:Trojan:Win32/G3nasom!imp", "display_name": "ALF:Trojan:Win32/G3nasom!imp", "target": null }, { "id": "Trojandropper:Win32/Muldrop.V!MTB", "display_name": "Trojandropper:Win32/Muldrop.V!MTB", "target": "/malware/Trojandropper:Win32/Muldrop.V!MTB" }, { "id": "Themida", "display_name": "Themida", "target": null }, { "id": "TEL:CreateScheduledTask.A!Sigattr", "display_name": "TEL:CreateScheduledTask.A!Sigattr", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1211", "name": "Exploitation for Defense Evasion", "display_name": "T1211 - Exploitation for Defense Evasion" }, { "id": "T1048.001", "name": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol", "display_name": "T1048.001 - Exfiltration Over Symmetric Encrypted Non-C2 Protocol" }, { "id": "T1595.001", "name": "Scanning IP Blocks", "display_name": "T1595.001 - Scanning IP Blocks" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3081, "FileHash-MD5": 756, "FileHash-SHA1": 724, "FileHash-SHA256": 3089, "domain": 1476, "email": 8, "hostname": 1198, "SSLCertFingerprint": 3 }, "indicator_count": 10335, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "177 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68c5d0cd10f7bf6c3e6fa513", "name": "Remote admin privileges affecting online payment service redirect", "description": "Openvision.ro.\nRemote admin privileges affecting online targeted users https://paypal.com redirect fed.paypal.com", "modified": "2025-10-13T19:29:11.484000", "created": "2025-09-13T20:15:09.236000", "tags": [ "domain", "url analysis", "passive dns", "urls", "ip address", "extraction", "s data", "extrac data", "included", "review ioc", "excluded", "data upload", "failed", "extra data", "include review", "exclude suggest", "find s", "typ no", "exclude sugges", "typ hos", "error dec", "servers", "value name", "dnssec active", "domain name", "domain status", "ok expiration", "date", "name servers", "referral url", "files", "reverse dns", "romania asn", "as20616", "dns resolutions", "domains top", "level", "unique tld", "dynamicloader", "medium", "high", "yara detections", "upxoepplace", "yara rule", "bochs", "anomalous file", "dynamic", "reads", "ping", "markus", "april", "copy", "entries exif", "data show", "search", "value exe", "script", "fileflags", "fileflagsmask", "fileos win32", "executable", "large address", "next resource", "strings show", "value ud975", "uude17\u17e9", "\u1b53 ud9ff\u1818udf1e", "uda64", "udec3", "intel", "ms windows", "ascii text", "crlf line", "registry total", "read", "write", "delete", "type", "extra", "pulse", "record type", "ttl value", "a mx", "thumbprint", "match info", "info", "mitre att", "ta0002 command", "t1059 severity", "modules t1129", "windows api", "ta0003 modify", "registry t1112", "defense evasion", "resolved ips", "files matching", "number", "sample analysis", "hide samples", "date hash", "sabey type", "rexx type", "foundry type", "palantir" ], "references": [ "openvision.ro", "sonar.tools.nonprod.civicalg.com" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Win.Malware.Remoteadmin-7056666-0", "display_name": "Win.Malware.Remoteadmin-7056666-0", "target": null } ], "attack_ids": [ { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1609", "name": "Container Administration Command", "display_name": "T1609 - Container Administration Command" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1447", "name": "Delete Device Data", "display_name": "T1447 - Delete Device Data" }, { "id": "T1459", "name": "Device Unlock Code Guessing or Brute Force", "display_name": "T1459 - Device Unlock Code Guessing or Brute Force" }, { "id": "T1463", "name": "Manipulate Device Communication", "display_name": "T1463 - Manipulate Device Communication" }, { "id": "T1450", "name": "Exploit SS7 to Track Device Location", "display_name": "T1450 - Exploit SS7 to Track Device Location" } ], "industries": [ "Financial", "Targeted", "Technology", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 76, "FileHash-SHA256": 33, "FileHash-MD5": 27, "FileHash-SHA1": 35, "hostname": 213, "URL": 345 }, "indicator_count": 729, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "187 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68ae5b9ef87646927a236b61", "name": "Privacy - Google Videos Search - Web Applications Stack Exchange = WannaCry", "description": "Description: dfir.blog - A blog about Digital Forensics & Incident Response\ndfir.blog\nDigital forensics, web browsers, visualizations, & open source tools.\n#monitoring #dod(?) #chinacache #crypt #ransom#infectedsystems", "modified": "2025-09-26T00:01:12.214000", "created": "2025-08-27T01:13:02.780000", "tags": [ "google", "mullvad browser", "value", "incognito mode", "mine", "unix time", "friday", "january", "does", "tor browser", "search", "show", "langchinese", "packing t1045", "t1045", "medium", "pe resource", "module load", "t1129", "service", "trojan", "copy", "dock", "write", "malware", "clock", "united", "passive dns", "urls", "next associated", "gmt cache", "ipv4 add", "pulse pulses", "files", "reverse dns", "win32", "title", "location united", "america flag", "america asn", "as15169 google", "dns resolutions", "domains top", "level", "unique tlds", "present aug", "china unknown", "creation date", "date", "domain", "ip address", "domain name", "expiration date", "status ok", "nanjing", "accept", "body", "div td", "td tr", "div div", "span span", "a li", "span p", "p div", "moved", "a domains", "open", "span", "uuupupu", "t1055", "process32nextw", "high", "windows", "high defense", "evasion", "delphi", "google gmail", "images sign", "advanced search", "solutions", "privacy", "store gmail", "delete delete", "report", "how search", "applying ai", "settings search", "advanced", "search search", "search help", "domainabuse", "showing", "hostname add", "url add", "http", "hostname", "files domain", "files related", "pulses none", "related tags", "read c", "tlsv1", "whitelisted", "port", "destination", "ascii text", "next", "encrypt", "script urls", "msie", "chrome", "bad gateway", "script domains", "present feb", "link", "meta", "digital", "language", "body doctype", "ghost", "present jun", "aaaa", "present jul", "present oct", "record value", "yara detections", "dock zone", "top source", "top destination", "source source", "filehash", "code", "error", "windows nt", "wow64", "slcc2", "media center", "execution", "persistence", "tulach", "brian sabey", "dod network", "orgtechref", "address range", "cidr", "network name", "allocation type", "whois server", "entity dnic", "handle", "whois lookup", "dod", "et trojan", "server header", "suspicious", "et info", "unknown", "virustotal", "specified", "download", "et", "please", "type size", "first seen", "loading", "python wheel", "dynamicloader", "intel", "ms windows", "pe32", "entries", "user agent", "powershell", "agent", "yara rule", "checks", "levelblue", "open threat", "observed dns", "query", "dns lookup", "msdos", "wannacry dns", "lookup", "wannacry", "worm", "explorer", "msil", "darkcomet", "ping", "tools", "capture", "hallrender", "dga domains", "unfurl sites", "honey net", "bot", "nxdomain", "potential-c2" ], "references": [ "Don\u2019t click! https://webapps.stackexchange.com/questions/172215/google-videos-search-sca-esv-query-parameter-possible-tracking | Infected systems", "DoD Network Information Center (DNIC)", "DoD Network Information Center disa.columbus.ns.mbx.arin-registrations@mail.mil [seen throughout}", "Python Wheel package", "https://www.google.com/search", "https://otx.alienvault.com/indicator/hostname/palantir.hosted-by-discourse.com", "https://otx.alienvault.com/indicator/hostname/palantir.hosted-by-discourse.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Trojan:Win32/Magania.DSK!MTB", "display_name": "Trojan:Win32/Magania.DSK!MTB", "target": "/malware/Trojan:Win32/Magania.DSK!MTB" }, { "id": "Trojan:Win32/Zusy", "display_name": "Trojan:Win32/Zusy", "target": "/malware/Trojan:Win32/Zusy" }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "a variant of Win32/Kryptik.DEOA", "display_name": "a variant of Win32/Kryptik.DEOA", "target": null }, { "id": "ALF:Exploit:Win32/gSharedInfoRef.A", "display_name": "ALF:Exploit:Win32/gSharedInfoRef.A", "target": null }, { "id": "Wannacry", "display_name": "Wannacry", "target": null } ], "attack_ids": [ { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1054", "name": "Indicator Blocking", "display_name": "T1054 - Indicator Blocking" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" } ], "industries": [ "Telecommunications", "Technology", "Civilian" ], "TLP": "white", "cloned_from": null, "export_count": 40, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8221, "domain": 1216, "FileHash-SHA256": 2434, "FileHash-MD5": 296, "FileHash-SHA1": 155, "hostname": 2939, "email": 7, "SSLCertFingerprint": 8, "CIDR": 2 }, "indicator_count": 15278, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "205 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "689b9b9fab42ca4f016a226f", "name": "Elastic's Al-driven Endpoint Security - Red Team Malicious (moved?)", "description": "Endgame - Unruy Activity -System infection | (Moved) Endpoint security (MOVED) from Elastic\nElastic's Al-driven security analytics empowers you with comprehensive endpoint protection. Detect, investigate, and respond to threats faster with a single agent and unified console. Gain actionable insights for a proactive defense posture. All built on the Search\nAl platform.\n| Used maliciously against monitored non-criminal targets. |\n{ virus - https://universitycenter.uccs.edu/}\n#unruy #activity #monitored_target #red_team_malicious #trojan #worm #moved\n#ai #adversarial #custom_malware #ransom #crypt #guardrails #dns #cnc #evasive #domain_generation #remote_access #devices #remotewd #virus #custom_malware #rip #endgame \n\u2022 TrojanDropper\t\t\t\n\u2022 Win32:Evo-gen\t\u2022 Cassini\n\u2022 RansomX-gen\u2022 Zombie.A\n\u2022 win32:MalwareX-gen\t\u2022 Win32:Malware-gen \u2022 Nymeria\n\u2022 Forcud +", "modified": "2025-09-11T13:03:18.814000", "created": "2025-08-12T19:53:03.953000", "tags": [ "url http", "url https", "indicator role", "title added", "active related", "pulses url", "entries", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "spawns", "mitre att", "ck techniques", "evasion att", "href", "copy md5", "copy sha1", "copy sha256", "sha1", "sha256", "show technique", "ck matrix", "null", "refresh", "body", "span", "general", "local", "path", "iframe", "click", "date", "strings", "error", "tools", "look", "verify", "restart", "united", "unknown ns", "ip address", "creation date", "search", "present sep", "moved", "domain add", "encrypt", "accept", "please", "passive dns", "msie", "next associated", "html", "background", "unknown site", "div div", "trojan", "zeus", "process32nextw", "read c", "show", "shellexecuteexw", "windows nt", "wow64", "copy", "dock", "write", "malware", "unknown", "defense evasion", "t1480 execution", "file defense", "august", "hybrid", "port", "destination", "tlsv1", "as15169", "ogoogle trust", "cngts ca", "execution", "next", "persistence", "data upload", "extraction", "win32", "ransom", "trojandropper", "mtb nov", "forcud", "files show", "date hash", "avast avg" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 29, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4179, "domain": 774, "hostname": 1673, "FileHash-MD5": 169, "FileHash-SHA1": 110, "FileHash-SHA256": 2073, "email": 1, "SSLCertFingerprint": 13, "CVE": 1 }, "indicator_count": 8993, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "220 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://ssl944625.cloudflaressl.com", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://ssl944625.cloudflaressl.com", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776617150.0718174 }