{ "type": "URL", "indicator": "https://string.prototype.indexof.call/", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://string.prototype.indexof.call/", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3625430984, "indicator": "https://string.prototype.indexof.call/", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 10, "pulses": [ { "id": "6892e73b32af18aa302df0dc", "name": "Part 1.5", "description": "Dark web media \u2022 Political news \u2022 Malvertizing\nlocate \u2022\ntrack [stalk] \u2022 record calls \u2022 control media [youtube , etc] http://t.name?n[++i]=e:this.removeEventListener\t\t\nJeeng &\nPowebox [ accidentally left out in original post pulse]", "modified": "2025-09-05T04:03:06.929000", "created": "2025-08-06T05:25:15.369000", "tags": [ "chromeua", "optout", "object", "path", "value", "access type", "setval", "windir", "localappdata", "null", "win64", "error", "generator", "close", "roboto", "date", "format", "light", "span", "template", "void", "android", "body", "trident", "mexico", "sonic", "black", "critical", "desktop", "dark", "meta", "this", "june", "hybrid", "apache", "write", "crypto", "autodetect", "face", "courier", "gigi", "impact", "shadow", "click", "strings", "cray", "smwg", "eret", "footer", "infinity", "window", "canvas", "legend", "nuke", "lion", "4629", "ahav", "olsa", "false", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "spawns", "defense evasion", "t1480 execution", "file defense", "copy md5", "copy sha1", "copy sha256", "sha1", "sha256", "script", "mitre att", "pattern match", "show technique", "iframe", "refresh", "august", "general", "local", "tools", "demo", "look", "verify", "restart", "url http", "small", "pulses url", "tellyoun", "showing", "entries", "url https", "indicator role", "title added", "active related", "type indicator", "role title", "added active", "related pulses", "cc08", "f06a6b", "sfurl", "filehashsha256", "types", "indicators show", "search", "pulses", "filehashsha1", "adversaries", "found", "webp image", "ascii text", "riff", "size", "encrypt", "legacy", "filehashmd5", "united", "flag", "server", "markmonitor", "name server", "llc name", "overview dns", "requests domain", "country", "win32", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "file score", "medium risk", "yara", "detections", "malware", "copy", "show", "icmp traffic", "packing t1045", "t1045", "pdb path", "pe resource", "extraction", "data upload", "enter sc", "type", "extra data", "please", "failed", "review", "exclude data", "included review", "ic data", "suggeste", "stop", "type onow", "domain", "passive dns", "urls", "files related", "pulses none", "related tags", "none google", "safe browsing", "sc data", "extr amanuav", "review included", "manualy", "sugges excluded", "filehash", "md5 add", "pulse pulses", "url add", "http", "hostname", "files domain", "pulses otx", "virustotal", "hsmi192547107", "pulses hostname", "r dec", "customer dec", "iski dec", "decision dec", "va dec", "bitcoin", "bitcoin dec", "petra", "torstatus dec", "paul dec", "sodesc", "planet dec", "emilia", "heroin dec", "difference dec", "palantir dec", "loraxlive dec", "chaturbate dec", "sandra", "free dec", "marvel dec", "benjis dec", "fresh dec", "sodesc dec", "srdirport", "srhostname", "link dec", "types of", "italy", "china", "australia", "france", "turkey", "discovery", "information", "ck ids", "t1005", "local system", "t1007", "system service", "part", "track", "locate", "political", "civil society", "news", "created", "hours ago", "report spam", "t1555", "password", "t1560", "collected data", "t1573", "channel", "t1574", "execution flow", "scan", "iocs", "t1497", "u0lhmq", "mtawmq", "t1480", "guardrails", "t1486", "data encrypted", "learn more", "unsubscribe aug", "protocol", "t1074", "staged", "t1083", "t1102", "web service", "t1105", "tool transfer", "t1140", "data engineer", "candidate", "tlsv1", "odigicert inc", "stcalifornia", "lsan jose", "oadobe systems", "incorporated", "cndigicert sha2", "push", "next", "high", "write c", "ireland as16509", "delete", "dirty", "tags", "t1012", "flow endpoint", "security scan", "t1106", "copyright", "levelblue" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 608, "FileHash-SHA1": 433, "FileHash-SHA256": 3663, "URL": 17104, "domain": 1316, "email": 39, "hostname": 4208, "SSLCertFingerprint": 17 }, "indicator_count": 27388, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "226 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6892a73593f73dfc969779b0", "name": "Part I | Track | Locate | Political & Civil society \u2018news\u2019 campaigns", "description": "Part I | Track | Locate | Political & Civil society \u2018news\u2019 campaigns\n*[ddddd.msg]\n[http://tracking.eu1.glintinc.com]\n[stormer5v52vjsw66jmds7ndeecudq444woadhzr2plxlaayexnh6eqd]\n[stackstorm.ops.dev.az.glintinc.com]\n\u2022 http://stormer5v52vjsw66jmds7ndeecudq444woadhzr2plxlaayexnh6eqd.onion/peter-thiel-running-database-to-root-out-those-disloyal-to-the-leader/\\n \u2022\n[http://pixelrz.com/lists/keywords/tsara-brashears-assaulted-at-concentra/360]\n[http://pixelrz.com/lists/keywords/tsara-brashears-dead/360]", "modified": "2025-09-05T00:03:23.223000", "created": "2025-08-06T00:52:05.051000", "tags": [ "url http", "small", "indicator role", "title added", "active related", "pulses hostname", "tellyoun", "n aug", "entries", "data upload", "extraction", "windows error", "june", "fwd urgent", "justice czech", "copy sha256", "rejectedfailed", "timestamp input", "message status", "actions august", "file", "actions june", "actions may", "cta4 https", "context related", "associated urls", "campaigncodedsc", "language", "uid http", "community", "sha256", "size42b type", "submitted", "august", "april", "internal error", "previous1", "iframe", "community score", "scan analysis", "malicious", "intelligence", "learn", "falcon sandbox", "submissions", "status", "adversaries", "ck id", "name tactics", "suspicious", "informative", "defense evasion", "windows folder", "found", "dlls", "impact", "chromeua", "optout", "object", "path", "value", "access type", "setval", "windir", "localappdata", "null", "win64", "error", "generator", "close", "roboto", "date", "format", "light", "span", "template", "void", "android", "body", "trident", "mexico", "sonic", "black", "critical", "desktop", "dark", "meta", "this", "hybrid", "apache", "write", "crypto", "autodetect", "face", "courier", "gigi", "shadow", "click", "strings", "cray", "smwg", "eret", "footer", "infinity", "window", "canvas", "legend", "nuke", "lion", "4629", "ahav", "olsa", "false" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 9062, "domain": 707, "hostname": 2318, "FileHash-MD5": 86, "FileHash-SHA1": 26, "FileHash-SHA256": 2096, "email": 5, "FilePath": 2, "URI": 1 }, "indicator_count": 14303, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "226 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6891bf5f58c1ae303f6d313e", "name": "Jeeng | Powerbox | Tracking | Mirai \u2022 Palantir plugin", "description": "#ELF:Mirai-ALC\\ [Trj]\n* [https://d1-myadmin.dpdlocal.co.uk/login]\n\u2022 [cf20ed53-cb6d-4dfd-a4e8-794fbe163efc.pcap]\nAlfper:BrowserModifier:Win32/DeepSync.C\n#prometheus #trojan #malware #elf #mirai dpd #palantir # plugin #tracking #monitoring #call #tracker #spyware #worm #virus #election_ news", "modified": "2025-09-04T08:05:56.240000", "created": "2025-08-05T08:22:55.113000", "tags": [ "url https", "indicator role", "title added", "active related", "pulses url", "entries", "url http", "type indicator", "role title", "added active", "related pulses", "showing", "iocs", "learn more", "filehashsha256", "types", "indicators show", "search", "present jul", "present jun", "present may", "present aug", "present apr", "present mar", "present feb", "united", "unknown aaaa", "all ipv4", "pulse pulses", "passive dns", "urls", "files", "reverse dns", "location united", "america flag", "america asn", "open", "registrar", "limited ta", "com laude", "nomiq", "creation date", "ip address", "date", "domain", "hostname", "files ip", "address", "asn as21342", "scan", "ipv4", "pulses", "servers", "hostname add", "pulse submit", "url analysis", "verdict", "france unknown", "name servers", "present", "whois show", "record value", "domain name", "expiration date", "status", "domain add", "filehashmd5", "idhttp", "tidcustomhttp", "classes", "medium", "crlf line", "show", "registry", "service", "copy", "patch", "write", "next", "markus", "delphi", "win32", "persistence", "execution", "http", "files domain", "files related", "pulses none", "related tags", "none google", "refresh57959", "windows xp", "pack", "shows", "cc08", "f06a6b", "pulses hostname", "germany unknown", "aaaa", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "ssl certificate", "spawns", "development att", "sha1", "copy md5", "copy sha1", "copy sha256", "sha256", "ascii text", "pattern match", "mitre att", "show technique", "format", "august", "hybrid", "local", "path", "click", "strings", "filehashsha1", "palantir feb", "difference feb" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3809, "hostname": 1197, "domain": 456, "FileHash-MD5": 170, "FileHash-SHA256": 579, "FileHash-SHA1": 161, "CVE": 1, "email": 1, "SSLCertFingerprint": 6 }, "indicator_count": 6380, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "227 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "67a7f06a5d0f22ad92684646", "name": "WebForm.com.gov.pl/CEIDG/ScriptResource.axd", "description": "The following is the full text of the WebForm.com.gov.pl/CEIDG/ScriptResource.axd, following the following:.au, for the first time.", "modified": "2025-05-14T21:27:17.040000", "created": "2025-02-09T00:01:46.054000", "tags": [ "null", "nie mona", "array", "input", "nonmsdombrowser", "object", "html", "component", "body", "horizontal", "date", "calendar", "february", "april", "june", "august", "iframe", "form", "friday", "explorer", "target", "error", "legend", "this", "type", "regexp", "elem", "index", "function", "handle", "check", "safari", "expando", "android", "false", "hooks", "copy", "prop", "class", "mark", "window", "code", "capture", "accept", "seed", "override", "hook", "look", "loop", "install", "pass", "enough", "bind", "core", "local", "verify", "done", "find", "internal", "inject", "possible", "hold", "middle", "guard", "fall", "stop", "panic", "back", "restrict", "speed", "turn", "grab", "getclass", "jquery", "bubble", "anchor", "shift" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1143, "domain": 155, "hostname": 523, "FileHash-SHA256": 151 }, "indicator_count": 1972, "is_author": false, "is_subscribing": null, "subscriber_count": 122, "modified_text": "339 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "663d2869e0f3a42bbddc42ff", "name": "UPX executable packer.", "description": "A new rule has been introduced a \"suspicious\" ELF binary that is packed with the UPX executable packer.\nSuggested ATT&CK IDs: rule SUSP_ELF_LNX_UPX_Compressed_File { meta: description = \"Detects a suspicious ELF binary with UPX compression\" author = \"Florian Roth (Nextron Systems)\" reference = \"Internal Research\" date = \"2018-12-12\" score = 40 hash1 = \"038ff8b2fef16f8ee9d70e6c219c5f380afe1a21761791e8cbda21fa4d09fdb4\" id = \"078937de-59b3-538e-a5c3-57f4e6050212\" strings: $s1 = \"PROT_EXEC|PROT_WRITE failed.\" fullword ascii $s2 = \"$Id: UPX\" fullword ascii $s3 = \"$Info: This file is packed with the UPX executable packer\" ascii $fp1 = \"check your UCL installation !\"", "modified": "2024-10-14T00:01:17.069000", "created": "2024-05-09T19:47:53.786000", "tags": [ "cioch adrian", "centrum usug", "sieciowych", "elf binary", "upx compression", "roth", "nextron", "info", "javascript", "html", "office open", "xml document", "network capture", "win32 exe", "xml pakietu", "pdf zestawy", "przechwytywanie", "office", "filehashsha1", "url https", "cve cve20201070", "cve cve20203153", "cve cve20201048", "cve cve20211732", "cve20201048 apr", "filehashmd5", "cve cve20010901", "cve cve20021841", "cve20153202 apr", "cve cve20160728", "cve cve20161807", "cve cve20175123", "cve20185407 apr", "cve cve20054605", "cve cve20060745", "cve cve20070452", "cve cve20070453", "cve cve20070454", "cve cve20071355", "cve cve20071358", "cve cve20071871", "cve20149614 apr", "cve cve20151503", "cve cve20152080", "cve cve20157377", "cve cve20170131", "cve20200796 may", "cve cve20113403" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6861, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 5771, "domain": 3139, "URL": 14525, "FileHash-SHA1": 2610, "IPv4": 108, "CIDR": 40, "FileHash-SHA256": 10705, "FileHash-MD5": 3373, "YARA": 2, "CVE": 148, "Mutex": 7, "FilePath": 3, "SSLCertFingerprint": 3, "email": 23, "JA3": 1, "IPv6": 2 }, "indicator_count": 40460, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "552 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65709786808aed5d8ee43d19", "name": "auto_open_controller.js - all the things using this .js file ;-(", "description": "", "modified": "2023-12-06T15:47:18.949000", "created": "2023-12-06T15:47:18.949000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 380, "URL": 802, "domain": 245, "hostname": 231, "FileHash-MD5": 5, "FileHash-SHA1": 1 }, "indicator_count": 1664, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "657096b22a51f1cc56dcfb53", "name": "172.217.16.232 BT home router network attack 10th May 2022 - those HTTP headers and JS scripts are taking over the world", "description": "", "modified": "2023-12-06T15:43:46.083000", "created": "2023-12-06T15:43:46.083000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 802, "hostname": 392, "domain": 134, "FileHash-SHA256": 82, "FileHash-MD5": 1 }, "indicator_count": 1411, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "642eac06b2963a871b0fdd45", "name": "just a bunch of tv's - Oh maybe these tv channels are all neural \ud83e\udd37\u200d\u2640\ufe0f world tv stream infection", "description": "The Falcon Sandbox malware analysis service is available to download, download and use any of the Falcon MalQuery tools or information you may have seen on the website. \u00c2\u00a31.5m", "modified": "2023-05-06T10:00:48.707000", "created": "2023-04-06T11:24:54.313000", "tags": [ "sandbox", "malware", "analysis", "online", "submit", "vxstream", "sample", "download", "trojan", "apt", "ansi", "dropped file", "runtime data", "chromeua", "span", "optout", "pcap processing", "pattern match", "script", "click", "date", "middle", "null", "april", "twitter", "body", "error", "jackson", "desktop", "service", "bill", "heat", "webview", "cruise", "blank", "meta", "night", "false", "contact", "suspicious", "facebook", "close", "cannon", "mayberry", "santana", "comment", "flex", "karma", "nightmare", "find", "spacer", "kitty", "mike", "local", "already", "soldier", "wallpaper", "story", "generic", "tiny", "trident", "android", "hybrid", "general", "hosts", "favorite", "homepage", "music", "code", "push", "strings", "malicious", "qakbot", "25px", "60px", "24px", "100px", "1439px", "segoe ui", "roboto", "path", "chat", "form", "embed", "unknown", "live", "network", "unicode", "feed", "5000", "next", "fullscreen", "iframe", "latv", "latino voices", "localappdata", "latino", "noscript", "pragma", "this", "hybrid analysis", "programfiles", "input", "wilstaging02", "potential ip" ], "references": [ "https://hybrid-analysis.com/sample/843923233cd86185dc3983fbe0fe3be72c6aeef0372db6c076287befc9d3fc5b/642d9d1695c2babbb70478eb", "https://hybrid-analysis.com/sample/52cd1ef12d9ec251dee2996f76150757f7247903d1cf86322569ed90536f59b3/642d9d5f20d5a59b1c0443fd", "https://hybrid-analysis.com/sample/ead272d3ccb36a5a827f80418096bfc30d1251bb739b06ff1711844d99d1b214/642d9de1e48d649afd01ad36", "https://hybrid-analysis.com/sample/3243e4a1f5a075f4d57121d5738d321dcd7e4c79bd96828442e351f660b60dc3/642d9d9c7cb35d938c068be9", "https://hybrid-analysis.com/sample/ea23092a5495e8990d050e61214866717374d79a9403232e37e271e327fe3a58/642db9b4ddc1df124a09bec0" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "callmeDoris", "id": "205385", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1291, "email": 13, "domain": 591, "URL": 3931, "FileHash-SHA256": 431, "FileHash-MD5": 92, "FileHash-SHA1": 89 }, "indicator_count": 6438, "is_author": false, "is_subscribing": null, "subscriber_count": 93, "modified_text": "1079 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "63dbbf6ae4f5433c2bab52e9", "name": "172.217.16.232 BT home router network attack 10th May 2022 - those HTTP headers and JS scripts are taking over the world", "description": "A guide to some of the key methods used by the web browser, jQuery, to create web pages and add links to the search engine and other parts of its web address system, as well as the address bar.", "modified": "2023-03-04T13:00:43.098000", "created": "2023-02-02T13:49:30.620000", "tags": [ "null", "copyright", "jan sorgalla", "built", "bill scott", "http", "error", "function", "title", "method", "play", "fast", "click", "return", "href", "target", "span", "pass", "linear", "timebuff", "block", "trigger", "nivoslider", "display", "width", "show", "next", "arrow", "restart", "stop", "iframe", "alpha", "factory", "type", "handle", "sizzle", "match", "check", "make sure", "elem", "name", "regexp", "hooks", "false", "date", "class", "internal", "done", "bind", "test", "body", "copy", "hold", "mozilla", "logic", "flash", "jquery", "fall", "bubble", "prop", "meta", "middle", "mark", "thus", "form", "script script", "a li", "div div", "mua bn", "link", "a div", "trang ch", "gii thiu", "tin tc", "header http2", "gmt cache", "gmt server", "litespeed", "443 ma2592000", "172.217.16.232", "http://lhr48s28-in-f8.1e100.net" ], "references": [ "[object Object] is a string representation of an object instance. Take this example: When the alert runs, it returns [object Object] in the alert modal. It tries to return a string representation of what was passed into alert, but because the engine sees this as an object, and not a string, it tells us that its an instance of an Object instead.", "443 Header\tHTTP/2 200 x powered by: PHP/7.4.29 set cookie: PHPSESSID=9158e16820bdbb5be0d1faa520b7dc19 path=/ expires: Thu 19 Nov 1981 08:52:00 GMT cache control: no store no cache must revalidate pragma: no cache content type: text/html charset=UTF 8 date: Thu 02 Feb 2023 13:37:37 GMT server: LiteSpeed alt svc: quic= :443 ma=2592000 v= 35 39 43 44", "whitelists are really not the way forward unless you validate the integrity often Speedtest are also being screwed with ie allowing your neural controlled network out on a temp basis to prevent you from ousting the APT controlling your home broadband / wifi network", "xml version= 1.0 encoding= utf 8 DOCTYPE html PUBLIC //WAPFORUM//DTD XHTML Mobile 1.0//EN http://www.wapforum.org/DTD/xhtml mobile10.dtd html xmlns= http://www.w3.org/1999/xhtml head meta http equiv= Content Type content= text/html charset=utf 8 / title mua bn nh t cho thu nh t sang nhng sang nhng ca hng /title meta name= copyright content= 2010 2020 bds247.vn / meta name= google site verification content= suyiBYZARDnZ4zGeoAiF VajqMQ0pgLGnEm69aZ aIY / meta name= robots content= index follow / meta name= key", "https://m.bds247.vn//view/js/jquery6_1.js 443", "https://www.googletagmanager.com/gtag/js?id=G-56M7ZWVN9L", "https://m.bds247.vn/lib/nivo-slider/slider.js 443 Script", "https://m.bds247.vn/view/js/page.js 443 Script", "https://m.bds247.vn/lib/pikachoose/lib/jquery.jcarousel.min.js 443 Script", "https://m.bds247.vn/lib/pikachoose/lib/jquery.pikachoose.js", "This is the full text of the XHTML mobile10.dtd.xml, which is based on the code created by the developers of Google's search engine, iPlayer and other sites.", "https://m.bds247.vn//view/js/jquery6_1.js", "https://m.bds247.vn/lib/nivo-slider/slider.js", "https://m.bds247.vn/lib/pikachoose/lib/jquery.jcarousel.min.js" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "callmeDoris", "id": "205385", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 802, "hostname": 392, "FileHash-SHA256": 82, "domain": 134, "FileHash-MD5": 1 }, "indicator_count": 1411, "is_author": false, "is_subscribing": null, "subscriber_count": 93, "modified_text": "1142 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "63f619404ba8714b7e063140", "name": "auto_open_controller.js - all the things using this .js file ;-(", "description": "12a26eb45e5e3bd90c4578f8f07944baf981e6c083145990015ebc7474dee609", "modified": "2023-02-22T13:31:44.806000", "created": "2023-02-22T13:31:44.806000", "tags": [ "memoryfile scan", "null", "runtime data", "void", "unknown", "android", "magento", "desktop", "dark", "scroll", "addressbar", "trigger", "template", "fast", "burn", "homepage", "class", "critical", "iframe", "lick", "open", "trace", "sapphire", "screen", "small", "close", "click", "ransomware", "strings", "malicious", "contains", "xnnew weakmap", "fnnew weakmap", "auto_open_controller.js", "12a26eb45e5e3bd90c4578f8f07944baf981e6c083145990015ebc7474dee609" ], "references": [ "https://hybrid-analysis.com/sample/12a26eb45e5e3bd90c4578f8f07944baf981e6c083145990015ebc7474dee609/63f3dde5af1db0386635b153", "12a26eb45e5e3bd90c4578f8f07944baf981e6c083145990015ebc7474dee609" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "callmeDoris", "id": "205385", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 380, "URL": 802, "hostname": 231, "domain": 245, "FileHash-MD5": 5, "FileHash-SHA1": 1 }, "indicator_count": 1664, "is_author": false, "is_subscribing": null, "subscriber_count": 90, "modified_text": "1152 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://hybrid-analysis.com/sample/843923233cd86185dc3983fbe0fe3be72c6aeef0372db6c076287befc9d3fc5b/642d9d1695c2babbb70478eb", "https://m.bds247.vn/view/js/page.js 443 Script", "https://m.bds247.vn/lib/pikachoose/lib/jquery.pikachoose.js", "https://hybrid-analysis.com/sample/3243e4a1f5a075f4d57121d5738d321dcd7e4c79bd96828442e351f660b60dc3/642d9d9c7cb35d938c068be9", "This is the full text of the XHTML mobile10.dtd.xml, which is based on the code created by the developers of Google's search engine, iPlayer and other sites.", "https://hybrid-analysis.com/sample/12a26eb45e5e3bd90c4578f8f07944baf981e6c083145990015ebc7474dee609/63f3dde5af1db0386635b153", "https://hybrid-analysis.com/sample/ead272d3ccb36a5a827f80418096bfc30d1251bb739b06ff1711844d99d1b214/642d9de1e48d649afd01ad36", "xml version= 1.0 encoding= utf 8 DOCTYPE html PUBLIC //WAPFORUM//DTD XHTML Mobile 1.0//EN http://www.wapforum.org/DTD/xhtml mobile10.dtd html xmlns= http://www.w3.org/1999/xhtml head meta http equiv= Content Type content= text/html charset=utf 8 / title mua bn nh t cho thu nh t sang nhng sang nhng ca hng /title meta name= copyright content= 2010 2020 bds247.vn / meta name= google site verification content= suyiBYZARDnZ4zGeoAiF VajqMQ0pgLGnEm69aZ aIY / meta name= robots content= index follow / meta name= key", "12a26eb45e5e3bd90c4578f8f07944baf981e6c083145990015ebc7474dee609", "https://m.bds247.vn/lib/nivo-slider/slider.js", "443 Header\tHTTP/2 200 x powered by: PHP/7.4.29 set cookie: PHPSESSID=9158e16820bdbb5be0d1faa520b7dc19 path=/ expires: Thu 19 Nov 1981 08:52:00 GMT cache control: no store no cache must revalidate pragma: no cache content type: text/html charset=UTF 8 date: Thu 02 Feb 2023 13:37:37 GMT server: LiteSpeed alt svc: quic= :443 ma=2592000 v= 35 39 43 44", "https://m.bds247.vn/lib/pikachoose/lib/jquery.jcarousel.min.js 443 Script", "https://hybrid-analysis.com/sample/52cd1ef12d9ec251dee2996f76150757f7247903d1cf86322569ed90536f59b3/642d9d5f20d5a59b1c0443fd", "https://m.bds247.vn/lib/nivo-slider/slider.js 443 Script", "whitelists are really not the way forward unless you validate the integrity often Speedtest are also being screwed with ie allowing your neural controlled network out on a temp basis to prevent you from ousting the APT controlling your home broadband / wifi network", "https://www.googletagmanager.com/gtag/js?id=G-56M7ZWVN9L", "https://m.bds247.vn/lib/pikachoose/lib/jquery.jcarousel.min.js", "https://hybrid-analysis.com/sample/ea23092a5495e8990d050e61214866717374d79a9403232e37e271e327fe3a58/642db9b4ddc1df124a09bec0", "https://m.bds247.vn//view/js/jquery6_1.js", "https://m.bds247.vn//view/js/jquery6_1.js 443", "[object Object] is a string representation of an object instance. Take this example: When the alert runs, it returns [object Object] in the alert modal. It tries to return a string representation of what was passed into alert, but because the engine sees this as an object, and not a string, it tells us that its an instance of an Object instead." ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 70513 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/indexof.call", "whois": "http://whois.domaintools.com/indexof.call", "domain": "indexof.call", "hostname": "string.prototype.indexof.call" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 10, "pulses": [ { "id": "6892e73b32af18aa302df0dc", "name": "Part 1.5", "description": "Dark web media \u2022 Political news \u2022 Malvertizing\nlocate \u2022\ntrack [stalk] \u2022 record calls \u2022 control media [youtube , etc] http://t.name?n[++i]=e:this.removeEventListener\t\t\nJeeng &\nPowebox [ accidentally left out in original post pulse]", "modified": "2025-09-05T04:03:06.929000", "created": "2025-08-06T05:25:15.369000", "tags": [ "chromeua", "optout", "object", "path", "value", "access type", "setval", "windir", "localappdata", "null", "win64", "error", "generator", "close", "roboto", "date", "format", "light", "span", "template", "void", "android", "body", "trident", "mexico", "sonic", "black", "critical", "desktop", "dark", "meta", "this", "june", "hybrid", "apache", "write", "crypto", "autodetect", "face", "courier", "gigi", "impact", "shadow", "click", "strings", "cray", "smwg", "eret", "footer", "infinity", "window", "canvas", "legend", "nuke", "lion", "4629", "ahav", "olsa", "false", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "spawns", "defense evasion", "t1480 execution", "file defense", "copy md5", "copy sha1", "copy sha256", "sha1", "sha256", "script", "mitre att", "pattern match", "show technique", "iframe", "refresh", "august", "general", "local", "tools", "demo", "look", "verify", "restart", "url http", "small", "pulses url", "tellyoun", "showing", "entries", "url https", "indicator role", "title added", "active related", "type indicator", "role title", "added active", "related pulses", "cc08", "f06a6b", "sfurl", "filehashsha256", "types", "indicators show", "search", "pulses", "filehashsha1", "adversaries", "found", "webp image", "ascii text", "riff", "size", "encrypt", "legacy", "filehashmd5", "united", "flag", "server", "markmonitor", "name server", "llc name", "overview dns", "requests domain", "country", "win32", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "file score", "medium risk", "yara", "detections", "malware", "copy", "show", "icmp traffic", "packing t1045", "t1045", "pdb path", "pe resource", "extraction", "data upload", "enter sc", "type", "extra data", "please", "failed", "review", "exclude data", "included review", "ic data", "suggeste", "stop", "type onow", "domain", "passive dns", "urls", "files related", "pulses none", "related tags", "none google", "safe browsing", "sc data", "extr amanuav", "review included", "manualy", "sugges excluded", "filehash", "md5 add", "pulse pulses", "url add", "http", "hostname", "files domain", "pulses otx", "virustotal", "hsmi192547107", "pulses hostname", "r dec", "customer dec", "iski dec", "decision dec", "va dec", "bitcoin", "bitcoin dec", "petra", "torstatus dec", "paul dec", "sodesc", "planet dec", "emilia", "heroin dec", "difference dec", "palantir dec", "loraxlive dec", "chaturbate dec", "sandra", "free dec", "marvel dec", "benjis dec", "fresh dec", "sodesc dec", "srdirport", "srhostname", "link dec", "types of", "italy", "china", "australia", "france", "turkey", "discovery", "information", "ck ids", "t1005", "local system", "t1007", "system service", "part", "track", "locate", "political", "civil society", "news", "created", "hours ago", "report spam", "t1555", "password", "t1560", "collected data", "t1573", "channel", "t1574", "execution flow", "scan", "iocs", "t1497", "u0lhmq", "mtawmq", "t1480", "guardrails", "t1486", "data encrypted", "learn more", "unsubscribe aug", "protocol", "t1074", "staged", "t1083", "t1102", "web service", "t1105", "tool transfer", "t1140", "data engineer", "candidate", "tlsv1", "odigicert inc", "stcalifornia", "lsan jose", "oadobe systems", "incorporated", "cndigicert sha2", "push", "next", "high", "write c", "ireland as16509", "delete", "dirty", "tags", "t1012", "flow endpoint", "security scan", "t1106", "copyright", "levelblue" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 608, "FileHash-SHA1": 433, "FileHash-SHA256": 3663, "URL": 17104, "domain": 1316, "email": 39, "hostname": 4208, "SSLCertFingerprint": 17 }, "indicator_count": 27388, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "226 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6892a73593f73dfc969779b0", "name": "Part I | Track | Locate | Political & Civil society \u2018news\u2019 campaigns", "description": "Part I | Track | Locate | Political & Civil society \u2018news\u2019 campaigns\n*[ddddd.msg]\n[http://tracking.eu1.glintinc.com]\n[stormer5v52vjsw66jmds7ndeecudq444woadhzr2plxlaayexnh6eqd]\n[stackstorm.ops.dev.az.glintinc.com]\n\u2022 http://stormer5v52vjsw66jmds7ndeecudq444woadhzr2plxlaayexnh6eqd.onion/peter-thiel-running-database-to-root-out-those-disloyal-to-the-leader/\\n \u2022\n[http://pixelrz.com/lists/keywords/tsara-brashears-assaulted-at-concentra/360]\n[http://pixelrz.com/lists/keywords/tsara-brashears-dead/360]", "modified": "2025-09-05T00:03:23.223000", "created": "2025-08-06T00:52:05.051000", "tags": [ "url http", "small", "indicator role", "title added", "active related", "pulses hostname", "tellyoun", "n aug", "entries", "data upload", "extraction", "windows error", "june", "fwd urgent", "justice czech", "copy sha256", "rejectedfailed", "timestamp input", "message status", "actions august", "file", "actions june", "actions may", "cta4 https", "context related", "associated urls", "campaigncodedsc", "language", "uid http", "community", "sha256", "size42b type", "submitted", "august", "april", "internal error", "previous1", "iframe", "community score", "scan analysis", "malicious", "intelligence", "learn", "falcon sandbox", "submissions", "status", "adversaries", "ck id", "name tactics", "suspicious", "informative", "defense evasion", "windows folder", "found", "dlls", "impact", "chromeua", "optout", "object", "path", "value", "access type", "setval", "windir", "localappdata", "null", "win64", "error", "generator", "close", "roboto", "date", "format", "light", "span", "template", "void", "android", "body", "trident", "mexico", "sonic", "black", "critical", "desktop", "dark", "meta", "this", "hybrid", "apache", "write", "crypto", "autodetect", "face", "courier", "gigi", "shadow", "click", "strings", "cray", "smwg", "eret", "footer", "infinity", "window", "canvas", "legend", "nuke", "lion", "4629", "ahav", "olsa", "false" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1018", "name": "Remote System Discovery", "display_name": "T1018 - Remote System Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1486", "name": "Data Encrypted for Impact", "display_name": "T1486 - Data Encrypted for Impact" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 9062, "domain": 707, "hostname": 2318, "FileHash-MD5": 86, "FileHash-SHA1": 26, "FileHash-SHA256": 2096, "email": 5, "FilePath": 2, "URI": 1 }, "indicator_count": 14303, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "226 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6891bf5f58c1ae303f6d313e", "name": "Jeeng | Powerbox | Tracking | Mirai \u2022 Palantir plugin", "description": "#ELF:Mirai-ALC\\ [Trj]\n* [https://d1-myadmin.dpdlocal.co.uk/login]\n\u2022 [cf20ed53-cb6d-4dfd-a4e8-794fbe163efc.pcap]\nAlfper:BrowserModifier:Win32/DeepSync.C\n#prometheus #trojan #malware #elf #mirai dpd #palantir # plugin #tracking #monitoring #call #tracker #spyware #worm #virus #election_ news", "modified": "2025-09-04T08:05:56.240000", "created": "2025-08-05T08:22:55.113000", "tags": [ "url https", "indicator role", "title added", "active related", "pulses url", "entries", "url http", "type indicator", "role title", "added active", "related pulses", "showing", "iocs", "learn more", "filehashsha256", "types", "indicators show", "search", "present jul", "present jun", "present may", "present aug", "present apr", "present mar", "present feb", "united", "unknown aaaa", "all ipv4", "pulse pulses", "passive dns", "urls", "files", "reverse dns", "location united", "america flag", "america asn", "open", "registrar", "limited ta", "com laude", "nomiq", "creation date", "ip address", "date", "domain", "hostname", "files ip", "address", "asn as21342", "scan", "ipv4", "pulses", "servers", "hostname add", "pulse submit", "url analysis", "verdict", "france unknown", "name servers", "present", "whois show", "record value", "domain name", "expiration date", "status", "domain add", "filehashmd5", "idhttp", "tidcustomhttp", "classes", "medium", "crlf line", "show", "registry", "service", "copy", "patch", "write", "next", "markus", "delphi", "win32", "persistence", "execution", "http", "files domain", "files related", "pulses none", "related tags", "none google", "refresh57959", "windows xp", "pack", "shows", "cc08", "f06a6b", "pulses hostname", "germany unknown", "aaaa", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "ssl certificate", "spawns", "development att", "sha1", "copy md5", "copy sha1", "copy sha256", "sha256", "ascii text", "pattern match", "mitre att", "show technique", "format", "august", "hybrid", "local", "path", "click", "strings", "filehashsha1", "palantir feb", "difference feb" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1096", "name": "NTFS File Attributes", "display_name": "T1096 - NTFS File Attributes" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3809, "hostname": 1197, "domain": 456, "FileHash-MD5": 170, "FileHash-SHA256": 579, "FileHash-SHA1": 161, "CVE": 1, "email": 1, "SSLCertFingerprint": 6 }, "indicator_count": 6380, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "227 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "67a7f06a5d0f22ad92684646", "name": "WebForm.com.gov.pl/CEIDG/ScriptResource.axd", "description": "The following is the full text of the WebForm.com.gov.pl/CEIDG/ScriptResource.axd, following the following:.au, for the first time.", "modified": "2025-05-14T21:27:17.040000", "created": "2025-02-09T00:01:46.054000", "tags": [ "null", "nie mona", "array", "input", "nonmsdombrowser", "object", "html", "component", "body", "horizontal", "date", "calendar", "february", "april", "june", "august", "iframe", "form", "friday", "explorer", "target", "error", "legend", "this", "type", "regexp", "elem", "index", "function", "handle", "check", "safari", "expando", "android", "false", "hooks", "copy", "prop", "class", "mark", "window", "code", "capture", "accept", "seed", "override", "hook", "look", "loop", "install", "pass", "enough", "bind", "core", "local", "verify", "done", "find", "internal", "inject", "possible", "hold", "middle", "guard", "fall", "stop", "panic", "back", "restrict", "speed", "turn", "grab", "getclass", "jquery", "bubble", "anchor", "shift" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1143, "domain": 155, "hostname": 523, "FileHash-SHA256": 151 }, "indicator_count": 1972, "is_author": false, "is_subscribing": null, "subscriber_count": 122, "modified_text": "339 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "663d2869e0f3a42bbddc42ff", "name": "UPX executable packer.", "description": "A new rule has been introduced a \"suspicious\" ELF binary that is packed with the UPX executable packer.\nSuggested ATT&CK IDs: rule SUSP_ELF_LNX_UPX_Compressed_File { meta: description = \"Detects a suspicious ELF binary with UPX compression\" author = \"Florian Roth (Nextron Systems)\" reference = \"Internal Research\" date = \"2018-12-12\" score = 40 hash1 = \"038ff8b2fef16f8ee9d70e6c219c5f380afe1a21761791e8cbda21fa4d09fdb4\" id = \"078937de-59b3-538e-a5c3-57f4e6050212\" strings: $s1 = \"PROT_EXEC|PROT_WRITE failed.\" fullword ascii $s2 = \"$Id: UPX\" fullword ascii $s3 = \"$Info: This file is packed with the UPX executable packer\" ascii $fp1 = \"check your UCL installation !\"", "modified": "2024-10-14T00:01:17.069000", "created": "2024-05-09T19:47:53.786000", "tags": [ "cioch adrian", "centrum usug", "sieciowych", "elf binary", "upx compression", "roth", "nextron", "info", "javascript", "html", "office open", "xml document", "network capture", "win32 exe", "xml pakietu", "pdf zestawy", "przechwytywanie", "office", "filehashsha1", "url https", "cve cve20201070", "cve cve20203153", "cve cve20201048", "cve cve20211732", "cve20201048 apr", "filehashmd5", "cve cve20010901", "cve cve20021841", "cve20153202 apr", "cve cve20160728", "cve cve20161807", "cve cve20175123", "cve20185407 apr", "cve cve20054605", "cve cve20060745", "cve cve20070452", "cve cve20070453", "cve cve20070454", "cve cve20071355", "cve cve20071358", "cve cve20071871", "cve20149614 apr", "cve cve20151503", "cve cve20152080", "cve cve20157377", "cve cve20170131", "cve20200796 may", "cve cve20113403" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6861, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 5771, "domain": 3139, "URL": 14525, "FileHash-SHA1": 2610, "IPv4": 108, "CIDR": 40, "FileHash-SHA256": 10705, "FileHash-MD5": 3373, "YARA": 2, "CVE": 148, "Mutex": 7, "FilePath": 3, "SSLCertFingerprint": 3, "email": 23, "JA3": 1, "IPv6": 2 }, "indicator_count": 40460, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "552 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65709786808aed5d8ee43d19", "name": "auto_open_controller.js - all the things using this .js file ;-(", "description": "", "modified": "2023-12-06T15:47:18.949000", "created": "2023-12-06T15:47:18.949000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 380, "URL": 802, "domain": 245, "hostname": 231, "FileHash-MD5": 5, "FileHash-SHA1": 1 }, "indicator_count": 1664, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "657096b22a51f1cc56dcfb53", "name": "172.217.16.232 BT home router network attack 10th May 2022 - those HTTP headers and JS scripts are taking over the world", "description": "", "modified": "2023-12-06T15:43:46.083000", "created": "2023-12-06T15:43:46.083000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 802, "hostname": 392, "domain": 134, "FileHash-SHA256": 82, "FileHash-MD5": 1 }, "indicator_count": 1411, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "642eac06b2963a871b0fdd45", "name": "just a bunch of tv's - Oh maybe these tv channels are all neural \ud83e\udd37\u200d\u2640\ufe0f world tv stream infection", "description": "The Falcon Sandbox malware analysis service is available to download, download and use any of the Falcon MalQuery tools or information you may have seen on the website. \u00c2\u00a31.5m", "modified": "2023-05-06T10:00:48.707000", "created": "2023-04-06T11:24:54.313000", "tags": [ "sandbox", "malware", "analysis", "online", "submit", "vxstream", "sample", "download", "trojan", "apt", "ansi", "dropped file", "runtime data", "chromeua", "span", "optout", "pcap processing", "pattern match", "script", "click", "date", "middle", "null", "april", "twitter", "body", "error", "jackson", "desktop", "service", "bill", "heat", "webview", "cruise", "blank", "meta", "night", "false", "contact", "suspicious", "facebook", "close", "cannon", "mayberry", "santana", "comment", "flex", "karma", "nightmare", "find", "spacer", "kitty", "mike", "local", "already", "soldier", "wallpaper", "story", "generic", "tiny", "trident", "android", "hybrid", "general", "hosts", "favorite", "homepage", "music", "code", "push", "strings", "malicious", "qakbot", "25px", "60px", "24px", "100px", "1439px", "segoe ui", "roboto", "path", "chat", "form", "embed", "unknown", "live", "network", "unicode", "feed", "5000", "next", "fullscreen", "iframe", "latv", "latino voices", "localappdata", "latino", "noscript", "pragma", "this", "hybrid analysis", "programfiles", "input", "wilstaging02", "potential ip" ], "references": [ "https://hybrid-analysis.com/sample/843923233cd86185dc3983fbe0fe3be72c6aeef0372db6c076287befc9d3fc5b/642d9d1695c2babbb70478eb", "https://hybrid-analysis.com/sample/52cd1ef12d9ec251dee2996f76150757f7247903d1cf86322569ed90536f59b3/642d9d5f20d5a59b1c0443fd", "https://hybrid-analysis.com/sample/ead272d3ccb36a5a827f80418096bfc30d1251bb739b06ff1711844d99d1b214/642d9de1e48d649afd01ad36", "https://hybrid-analysis.com/sample/3243e4a1f5a075f4d57121d5738d321dcd7e4c79bd96828442e351f660b60dc3/642d9d9c7cb35d938c068be9", "https://hybrid-analysis.com/sample/ea23092a5495e8990d050e61214866717374d79a9403232e37e271e327fe3a58/642db9b4ddc1df124a09bec0" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "callmeDoris", "id": "205385", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1291, "email": 13, "domain": 591, "URL": 3931, "FileHash-SHA256": 431, "FileHash-MD5": 92, "FileHash-SHA1": 89 }, "indicator_count": 6438, "is_author": false, "is_subscribing": null, "subscriber_count": 93, "modified_text": "1079 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "63dbbf6ae4f5433c2bab52e9", "name": "172.217.16.232 BT home router network attack 10th May 2022 - those HTTP headers and JS scripts are taking over the world", "description": "A guide to some of the key methods used by the web browser, jQuery, to create web pages and add links to the search engine and other parts of its web address system, as well as the address bar.", "modified": "2023-03-04T13:00:43.098000", "created": "2023-02-02T13:49:30.620000", "tags": [ "null", "copyright", "jan sorgalla", "built", "bill scott", "http", "error", "function", "title", "method", "play", "fast", "click", "return", "href", "target", "span", "pass", "linear", "timebuff", "block", "trigger", "nivoslider", "display", "width", "show", "next", "arrow", "restart", "stop", "iframe", "alpha", "factory", "type", "handle", "sizzle", "match", "check", "make sure", "elem", "name", "regexp", "hooks", "false", "date", "class", "internal", "done", "bind", "test", "body", "copy", "hold", "mozilla", "logic", "flash", "jquery", "fall", "bubble", "prop", "meta", "middle", "mark", "thus", "form", "script script", "a li", "div div", "mua bn", "link", "a div", "trang ch", "gii thiu", "tin tc", "header http2", "gmt cache", "gmt server", "litespeed", "443 ma2592000", "172.217.16.232", "http://lhr48s28-in-f8.1e100.net" ], "references": [ "[object Object] is a string representation of an object instance. Take this example: When the alert runs, it returns [object Object] in the alert modal. It tries to return a string representation of what was passed into alert, but because the engine sees this as an object, and not a string, it tells us that its an instance of an Object instead.", "443 Header\tHTTP/2 200 x powered by: PHP/7.4.29 set cookie: PHPSESSID=9158e16820bdbb5be0d1faa520b7dc19 path=/ expires: Thu 19 Nov 1981 08:52:00 GMT cache control: no store no cache must revalidate pragma: no cache content type: text/html charset=UTF 8 date: Thu 02 Feb 2023 13:37:37 GMT server: LiteSpeed alt svc: quic= :443 ma=2592000 v= 35 39 43 44", "whitelists are really not the way forward unless you validate the integrity often Speedtest are also being screwed with ie allowing your neural controlled network out on a temp basis to prevent you from ousting the APT controlling your home broadband / wifi network", "xml version= 1.0 encoding= utf 8 DOCTYPE html PUBLIC //WAPFORUM//DTD XHTML Mobile 1.0//EN http://www.wapforum.org/DTD/xhtml mobile10.dtd html xmlns= http://www.w3.org/1999/xhtml head meta http equiv= Content Type content= text/html charset=utf 8 / title mua bn nh t cho thu nh t sang nhng sang nhng ca hng /title meta name= copyright content= 2010 2020 bds247.vn / meta name= google site verification content= suyiBYZARDnZ4zGeoAiF VajqMQ0pgLGnEm69aZ aIY / meta name= robots content= index follow / meta name= key", "https://m.bds247.vn//view/js/jquery6_1.js 443", "https://www.googletagmanager.com/gtag/js?id=G-56M7ZWVN9L", "https://m.bds247.vn/lib/nivo-slider/slider.js 443 Script", "https://m.bds247.vn/view/js/page.js 443 Script", "https://m.bds247.vn/lib/pikachoose/lib/jquery.jcarousel.min.js 443 Script", "https://m.bds247.vn/lib/pikachoose/lib/jquery.pikachoose.js", "This is the full text of the XHTML mobile10.dtd.xml, which is based on the code created by the developers of Google's search engine, iPlayer and other sites.", "https://m.bds247.vn//view/js/jquery6_1.js", "https://m.bds247.vn/lib/nivo-slider/slider.js", "https://m.bds247.vn/lib/pikachoose/lib/jquery.jcarousel.min.js" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "callmeDoris", "id": "205385", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 802, "hostname": 392, "FileHash-SHA256": 82, "domain": 134, "FileHash-MD5": 1 }, "indicator_count": 1411, "is_author": false, "is_subscribing": null, "subscriber_count": 93, "modified_text": "1142 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "63f619404ba8714b7e063140", "name": "auto_open_controller.js - all the things using this .js file ;-(", "description": "12a26eb45e5e3bd90c4578f8f07944baf981e6c083145990015ebc7474dee609", "modified": "2023-02-22T13:31:44.806000", "created": "2023-02-22T13:31:44.806000", "tags": [ "memoryfile scan", "null", "runtime data", "void", "unknown", "android", "magento", "desktop", "dark", "scroll", "addressbar", "trigger", "template", "fast", "burn", "homepage", "class", "critical", "iframe", "lick", "open", "trace", "sapphire", "screen", "small", "close", "click", "ransomware", "strings", "malicious", "contains", "xnnew weakmap", "fnnew weakmap", "auto_open_controller.js", "12a26eb45e5e3bd90c4578f8f07944baf981e6c083145990015ebc7474dee609" ], "references": [ "https://hybrid-analysis.com/sample/12a26eb45e5e3bd90c4578f8f07944baf981e6c083145990015ebc7474dee609/63f3dde5af1db0386635b153", "12a26eb45e5e3bd90c4578f8f07944baf981e6c083145990015ebc7474dee609" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1614", "name": "System Location Discovery", "display_name": "T1614 - System Location Discovery" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "callmeDoris", "id": "205385", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 380, "URL": 802, "hostname": 231, "domain": 245, "FileHash-MD5": 5, "FileHash-SHA1": 1 }, "indicator_count": 1664, "is_author": false, "is_subscribing": null, "subscriber_count": 90, "modified_text": "1152 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://string.prototype.indexof.call/", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://string.prototype.indexof.call/", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776631221.3438292 }