{ "type": "URL", "indicator": "https://t.co/1/i/adsct", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://t.co/1/i/adsct", "type": "url", "type_title": "URL", "validation": [ { "source": "alexa", "message": "Alexa rank: #286", "name": "Listed on Alexa" }, { "source": "akamai", "message": "Akamai rank: #331", "name": "Akamai Popular Domain" }, { "source": "whitelist", "message": "Whitelisted domain t.co", "name": "Whitelisted domain" }, { "source": "majestic", "message": "Whitelisted domain t.co", "name": "Whitelisted domain" } ], "base_indicator": { "id": 3875191878, "indicator": "https://t.co/1/i/adsct", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 14, "pulses": [ { "id": "6a191c2f71c868406024097f", "name": "\u0432\u0437\u043b\u043e\u043c\u0430\u043d\u043d\u044b\u0439", "description": "\u041a \u0447\u0451\u0440\u0442\u0443 \u044d\u0442\u0443 \u043f\u0440\u043e\u0432\u0438\u043d\u0446\u0438\u044e. \u0417\u0430\u0445\u043e\u0434\u0438\u0442\u0435 \u0432\u0441\u0435, \u0432\u043e\u0434\u0430 \u043e\u0442\u043b\u0438\u0447\u043d\u0430\u044f.", "modified": "2026-05-29T04:55:11.325000", "created": "2026-05-29T04:55:11.325000", "tags": [ "tuca", "sct1", "seg0", "gaz1", "p1780029305477", "sid1780029305", "euaaaaagac", "nsi1", "p1780029178835", "ccc https", "locale" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "Canada", "Poland" ], "malware_families": [], "attack_ids": [], "industries": [ "Government", "Education" ], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "UCP_GoA23", "id": "382539", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_382539/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 543, "FileHash-MD5": 3, "FileHash-SHA256": 3, "IPv4": 119, "domain": 44, "hostname": 86 }, "indicator_count": 798, "is_author": false, "is_subscribing": null, "subscriber_count": 18, "modified_text": "2 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a16afb92680fcea084bb7b0", "name": "credit: scoreblue ['Eternal Blue_Wana Cry MS'] clone - user notes: interesting name tagged", "description": "", "modified": "2026-05-27T08:54:31.968000", "created": "2026-05-27T08:47:53.724000", "tags": [ "sha256", "sha1", "pattern match", "ascii text", "document file", "v2 document", "crlf line", "size", "unicode", "beginstring", "null", "hybrid", "refresh", "body", "span", "local", "click", "strings", "error", "tools", "look", "verify", "restart", "contact", "external-resources", "dom-modification", "third-party-cookies", "iframes", "trackers", "text/html", "twitter", "final url", "ip address", "status code", "body length", "kb body", "headers", "deny", "express", "referrer", "impacting azure", "proofpoint", "sneaky server", "replacement", "unauthorized", "switch dns", "query", "vy binh", "hiddentear", "et tor", "known tor", "misc attack", "relayrouter", "exit", "node traffic", "date", "meta", "form", "submission", "expiresthu", "path", "secure", "self", "xcitium verdict", "cloud", "sophos", "history first", "analysis", "cp", "cyber", "threat", "redrum", "hit", "men", "triangulation", "historical ssl", "apt suspects", "critical cmd", "hide", "asyncrat", "jeremy", "government", "malicious", "yuming", "name servers", "united", "passive dns", "urls", "creation date", "search", "expiration date", "showing", "unknown", "next", "windows nt", "malware beacon", "memcommit", "generic http", "exe upload", "outbound", "etpro trojan", "show", "trojan", "copy", "write", "win32", "malware", "read c", "entries", "medium", "markus", "contentlength", "write c", "delete c", "create c", "yara detections", "scan endpoints", "all scoreblue", "filehash", "pulse pulses", "av detections", "ids detections", "alerts", "analysis date", "file score", "next pe", "as32934", "hitmen", "local government", "scene unit", "crime", "denver police", "address", "status", "aaaa", "apple", "less whois", "registrar", "wannacry", "http", "unique", "url https", "related nids", "code", "screenshot", "anity", "nsa", "shadow", "saudi telecom", "riyadh address", "saudi arabia", "abuse", "ripe", "company isp", "number", "label saudi", "telecom company", "jsc regional", "riyadh", "ripe ncc", "registry techc", "campus", "saudi", "ripe network", "domain", "internet se", "emails", "system", "server tsa", "b server", "certificate", "digicert inc", "moved", "record value" ], "references": [ "http://x.com/denverpolice/status/", "Redirects to >https://twitter.com/x/migrate?tok=eyJlIjoiL2RlbnZlcnBvbGljZS9zdGF0dXMvIiwidCI6MTcxNjcwMzc3M33oZya0EO4PtEbRwq4XZboX", "Redirects to https://twitter.com?mx=1", "IP address: 104.244.42.1 Hosting: Unknown Running on: Tsa B CMS: Express", "Crouching Yeti: Appendixes - according to source ArcSight Threat Intelligence", "https://otx.alienvault.com/indicator/file/00001aff2ea1acd6087f9fba8d8316d90d29e391d9969bc70cc607461467797e", "Alerts: nids_malware_alert network_icmp dumped_buffer network_cnc_http network_http network_http_post allocates_rwx", "Alerts: packer_entropy packer_upx antivm_memory_available pe_features", "Yara Detections: Yara Detections Nrv2x , UPX_OEP_place , UPX_Modified_Or_Inside , UPX20030XMarkusOberhumerLaszloMolnarJohnReiser , UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , Toxoplasmosis , UPX", "Packer UPX v0.89.6 - v1.02 / v1.05 -v1.24 -> Markus & Laszlo [overlay]", "Yara Detections: ConventionEngine_Term_Desktop , LZMA , mpress_2_xx_x86 , dbgdetect_procs", "pornhub.dev, http://matrix.pornhub.dev, https://twitter.com/PORNO_SEXYBABES, https://www.anon-v.com/porno/fenella/", "Hostname device-local-fb18804d-348e-49ea-8c17-cc8a29f18082.remotewd.com | 192.168.56.104: IPv4", "https://otx.alienvault.com/indicator/file/f7636eef1d9df0664cd0f205ad8864b659bf9898ce6231376778c4411986912e", "https://otx.alienvault.com/indicator/file/000054fa2b0d1004464350ee9acc40707fec51223dba36c702a3db4139af9717", "Domain: hicloudcam.com | https://otx.alienvault.com/indicator/hostname/alarmeu.sslproxy.gatewayvvlilly3lilly.alpha.hicloudcam.com", "originb0b.profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com | 108.160.165.139 Location: USA |ASN AS19679 dropbox inc. Nameservers ns-136.awsdns-17.com. ns-1518.awsdns-61.org. ,\u00a0 ns-1573.awsdns-04.co.uk. ,\u00a0 ns-809.awsdns-37.net. Less WHOIS Registrar: https://www.101domain.com/,\u00a0\u00a0 Creation Date: Oct 21, 2010 Related Pulses None Related Tags None Indicator Facts Running webserver External Resources Whois,\u00a0 UrlVoid,\u00a0 VirusTotal Analysis Related Pulses Comments (0) Whois Show 100 entr", "https://otx.alienvault.com/indicator/hostname/originb0b.profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com", "PATHETIC redirect: rainn.org | victims of violence & abuse disclose extremely sensitive details. Reported false information given to disorient victims.", "WannaCry | NSA -Anity Cert: https://otx.alienvault.com/indicator/url/https://www.antiy.com/response/Antiy_Wannacry_NSA.html", "WannaCry MS17-010 'Shadow' https://otx.alienvault.com/otxapi/indicators/url/screenshot/https://www.antiy.com/response/wannacry.html", "Command and Control IP: 5.41.21.250 | Location Saudi Arabia flag Jeddah, Saudi Arabia ASN AS39891 saudi telecom company jsc", "m.pornsexer.xxx.3.1.adiosfil.roksit.net", "uploads-cserver-alumni-profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win32/Vflooder.B Checkin", "display_name": "Win32/Vflooder.B Checkin", "target": null }, { "id": "Win.Malware.Vtflooder-6723768-0", "display_name": "Win.Malware.Vtflooder-6723768-0", "target": null }, { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "Win32/Vflooder.B vtapi DOS", "display_name": "Win32/Vflooder.B vtapi DOS", "target": null }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "Win.Trojan.Downloader-63174", "display_name": "Win.Trojan.Downloader-63174", "target": null }, { "id": "Clicker.BGOU", "display_name": "Clicker.BGOU", "target": null }, { "id": "Win.Trojan.Agent-752791", "display_name": "Win.Trojan.Agent-752791", "target": null }, { "id": "Win.Dropper.QQpass-9895638-0", "display_name": "Win.Dropper.QQpass-9895638-0", "target": null }, { "id": "Trojan:Win32/QQpass", "display_name": "Trojan:Win32/QQpass", "target": "/malware/Trojan:Win32/QQpass" }, { "id": "WannaCry", "display_name": "WannaCry", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1038", "name": "DLL Search Order Hijacking", "display_name": "T1038 - DLL Search Order Hijacking" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1470", "name": "Obtain Device Cloud Backups", "display_name": "T1470 - Obtain Device Cloud Backups" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" } ], "industries": [], "TLP": "green", "cloned_from": "66536c8eee8d42d670e27723", "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 350, "FileHash-SHA1": 348, "FileHash-SHA256": 2662, "URL": 7850, "domain": 2245, "hostname": 3611, "SSLCertFingerprint": 4, "email": 10, "CIDR": 4 }, "indicator_count": 17084, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "4 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a16ab45548ef01419902c8f", "name": "Credit: Scoreblue - \"iOS Attack - Crouching Yeti: http://x.[com]/denverpolice/status/| CREATED 2 YEARS AGO MODIFIED 2 YEARS AGO by scoreblue Public", "description": "", "modified": "2026-05-27T08:28:53.256000", "created": "2026-05-27T08:28:53.256000", "tags": [ "sha256", "sha1", "pattern match", "ascii text", "document file", "v2 document", "crlf line", "size", "unicode", "beginstring", "null", "hybrid", "refresh", "body", "span", "local", "click", "strings", "error", "tools", "look", "verify", "restart", "contact", "external-resources", "dom-modification", "third-party-cookies", "iframes", "trackers", "text/html", "twitter", "final url", "ip address", "status code", "body length", "kb body", "headers", "deny", "express", "referrer", "impacting azure", "proofpoint", "sneaky server", "replacement", "unauthorized", "switch dns", "query", "vy binh", "hiddentear", "et tor", "known tor", "misc attack", "relayrouter", "exit", "node traffic", "date", "meta", "form", "submission", "expiresthu", "path", "secure", "self", "xcitium verdict", "cloud", "sophos", "history first", "analysis", "cp", "cyber", "threat", "redrum", "hit", "men", "triangulation", "historical ssl", "apt suspects", "critical cmd", "hide", "asyncrat", "jeremy", "government", "malicious", "yuming", "name servers", "united", "passive dns", "urls", "creation date", "search", "expiration date", "showing", "unknown", "next", "windows nt", "malware beacon", "memcommit", "generic http", "exe upload", "outbound", "etpro trojan", "show", "trojan", "copy", "write", "win32", "malware", "read c", "entries", "medium", "markus", "contentlength", "write c", "delete c", "create c", "yara detections", "scan endpoints", "all scoreblue", "filehash", "pulse pulses", "av detections", "ids detections", "alerts", "analysis date", "file score", "next pe", "as32934", "hitmen", "local government", "scene unit", "crime", "denver police", "address", "status", "aaaa", "apple", "less whois", "registrar", "wannacry", "http", "unique", "url https", "related nids", "code", "screenshot", "anity", "nsa", "shadow", "saudi telecom", "riyadh address", "saudi arabia", "abuse", "ripe", "company isp", "number", "label saudi", "telecom company", "jsc regional", "riyadh", "ripe ncc", "registry techc", "campus", "saudi", "ripe network", "domain", "internet se", "emails", "system", "server tsa", "b server", "certificate", "digicert inc", "moved", "record value" ], "references": [ "http://x.com/denverpolice/status/", "Redirects to >https://twitter.com/x/migrate?tok=eyJlIjoiL2RlbnZlcnBvbGljZS9zdGF0dXMvIiwidCI6MTcxNjcwMzc3M33oZya0EO4PtEbRwq4XZboX", "Redirects to https://twitter.com?mx=1", "IP address: 104.244.42.1 Hosting: Unknown Running on: Tsa B CMS: Express", "Crouching Yeti: Appendixes - according to source ArcSight Threat Intelligence", "https://otx.alienvault.com/indicator/file/00001aff2ea1acd6087f9fba8d8316d90d29e391d9969bc70cc607461467797e", "Alerts: nids_malware_alert network_icmp dumped_buffer network_cnc_http network_http network_http_post allocates_rwx", "Alerts: packer_entropy packer_upx antivm_memory_available pe_features", "Yara Detections: Yara Detections Nrv2x , UPX_OEP_place , UPX_Modified_Or_Inside , UPX20030XMarkusOberhumerLaszloMolnarJohnReiser , UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , Toxoplasmosis , UPX", "Packer UPX v0.89.6 - v1.02 / v1.05 -v1.24 -> Markus & Laszlo [overlay]", "Yara Detections: ConventionEngine_Term_Desktop , LZMA , mpress_2_xx_x86 , dbgdetect_procs", "pornhub.dev, http://matrix.pornhub.dev, https://twitter.com/PORNO_SEXYBABES, https://www.anon-v.com/porno/fenella/", "Hostname device-local-fb18804d-348e-49ea-8c17-cc8a29f18082.remotewd.com | 192.168.56.104: IPv4", "https://otx.alienvault.com/indicator/file/f7636eef1d9df0664cd0f205ad8864b659bf9898ce6231376778c4411986912e", "https://otx.alienvault.com/indicator/file/000054fa2b0d1004464350ee9acc40707fec51223dba36c702a3db4139af9717", "Domain: hicloudcam.com | https://otx.alienvault.com/indicator/hostname/alarmeu.sslproxy.gatewayvvlilly3lilly.alpha.hicloudcam.com", "originb0b.profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com | 108.160.165.139 Location: USA |ASN AS19679 dropbox inc. Nameservers ns-136.awsdns-17.com. ns-1518.awsdns-61.org. ,\u00a0 ns-1573.awsdns-04.co.uk. ,\u00a0 ns-809.awsdns-37.net. Less WHOIS Registrar: https://www.101domain.com/,\u00a0\u00a0 Creation Date: Oct 21, 2010 Related Pulses None Related Tags None Indicator Facts Running webserver External Resources Whois,\u00a0 UrlVoid,\u00a0 VirusTotal Analysis Related Pulses Comments (0) Whois Show 100 entr", "https://otx.alienvault.com/indicator/hostname/originb0b.profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com", "PATHETIC redirect: rainn.org | victims of violence & abuse disclose extremely sensitive details. Reported false information given to disorient victims.", "WannaCry | NSA -Anity Cert: https://otx.alienvault.com/indicator/url/https://www.antiy.com/response/Antiy_Wannacry_NSA.html", "WannaCry MS17-010 'Shadow' https://otx.alienvault.com/otxapi/indicators/url/screenshot/https://www.antiy.com/response/wannacry.html", "Command and Control IP: 5.41.21.250 | Location Saudi Arabia flag Jeddah, Saudi Arabia ASN AS39891 saudi telecom company jsc", "m.pornsexer.xxx.3.1.adiosfil.roksit.net", "uploads-cserver-alumni-profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win32/Vflooder.B Checkin", "display_name": "Win32/Vflooder.B Checkin", "target": null }, { "id": "Win.Malware.Vtflooder-6723768-0", "display_name": "Win.Malware.Vtflooder-6723768-0", "target": null }, { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "Win32/Vflooder.B vtapi DOS", "display_name": "Win32/Vflooder.B vtapi DOS", "target": null }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "Win.Trojan.Downloader-63174", "display_name": "Win.Trojan.Downloader-63174", "target": null }, { "id": "Clicker.BGOU", "display_name": "Clicker.BGOU", "target": null }, { "id": "Win.Trojan.Agent-752791", "display_name": "Win.Trojan.Agent-752791", "target": null }, { "id": "Win.Dropper.QQpass-9895638-0", "display_name": "Win.Dropper.QQpass-9895638-0", "target": null }, { "id": "Trojan:Win32/QQpass", "display_name": "Trojan:Win32/QQpass", "target": "/malware/Trojan:Win32/QQpass" }, { "id": "WannaCry", "display_name": "WannaCry", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1038", "name": "DLL Search Order Hijacking", "display_name": "T1038 - DLL Search Order Hijacking" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1470", "name": "Obtain Device Cloud Backups", "display_name": "T1470 - Obtain Device Cloud Backups" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" } ], "industries": [], "TLP": "green", "cloned_from": "66536881127f5ee988306394", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 350, "FileHash-SHA1": 348, "FileHash-SHA256": 2659, "URL": 7850, "domain": 2245, "hostname": 3611, "SSLCertFingerprint": 4, "email": 10, "CIDR": 4 }, "indicator_count": 17081, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "4 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a16ab3f9578fcc7ffd52a3a", "name": "Credit: Scoreblue - \"iOS Attack - Crouching Yeti: http://x.[com]/denverpolice/status/| CREATED 2 YEARS AGO MODIFIED 2 YEARS AGO by scoreblue Public", "description": "", "modified": "2026-05-27T08:28:47.467000", "created": "2026-05-27T08:28:47.467000", "tags": [ "sha256", "sha1", "pattern match", "ascii text", "document file", "v2 document", "crlf line", "size", "unicode", "beginstring", "null", "hybrid", "refresh", "body", "span", "local", "click", "strings", "error", "tools", "look", "verify", "restart", "contact", "external-resources", "dom-modification", "third-party-cookies", "iframes", "trackers", "text/html", "twitter", "final url", "ip address", "status code", "body length", "kb body", "headers", "deny", "express", "referrer", "impacting azure", "proofpoint", "sneaky server", "replacement", "unauthorized", "switch dns", "query", "vy binh", "hiddentear", "et tor", "known tor", "misc attack", "relayrouter", "exit", "node traffic", "date", "meta", "form", "submission", "expiresthu", "path", "secure", "self", "xcitium verdict", "cloud", "sophos", "history first", "analysis", "cp", "cyber", "threat", "redrum", "hit", "men", "triangulation", "historical ssl", "apt suspects", "critical cmd", "hide", "asyncrat", "jeremy", "government", "malicious", "yuming", "name servers", "united", "passive dns", "urls", "creation date", "search", "expiration date", "showing", "unknown", "next", "windows nt", "malware beacon", "memcommit", "generic http", "exe upload", "outbound", "etpro trojan", "show", "trojan", "copy", "write", "win32", "malware", "read c", "entries", "medium", "markus", "contentlength", "write c", "delete c", "create c", "yara detections", "scan endpoints", "all scoreblue", "filehash", "pulse pulses", "av detections", "ids detections", "alerts", "analysis date", "file score", "next pe", "as32934", "hitmen", "local government", "scene unit", "crime", "denver police", "address", "status", "aaaa", "apple", "less whois", "registrar", "wannacry", "http", "unique", "url https", "related nids", "code", "screenshot", "anity", "nsa", "shadow", "saudi telecom", "riyadh address", "saudi arabia", "abuse", "ripe", "company isp", "number", "label saudi", "telecom company", "jsc regional", "riyadh", "ripe ncc", "registry techc", "campus", "saudi", "ripe network", "domain", "internet se", "emails", "system", "server tsa", "b server", "certificate", "digicert inc", "moved", "record value" ], "references": [ "http://x.com/denverpolice/status/", "Redirects to >https://twitter.com/x/migrate?tok=eyJlIjoiL2RlbnZlcnBvbGljZS9zdGF0dXMvIiwidCI6MTcxNjcwMzc3M33oZya0EO4PtEbRwq4XZboX", "Redirects to https://twitter.com?mx=1", "IP address: 104.244.42.1 Hosting: Unknown Running on: Tsa B CMS: Express", "Crouching Yeti: Appendixes - according to source ArcSight Threat Intelligence", "https://otx.alienvault.com/indicator/file/00001aff2ea1acd6087f9fba8d8316d90d29e391d9969bc70cc607461467797e", "Alerts: nids_malware_alert network_icmp dumped_buffer network_cnc_http network_http network_http_post allocates_rwx", "Alerts: packer_entropy packer_upx antivm_memory_available pe_features", "Yara Detections: Yara Detections Nrv2x , UPX_OEP_place , UPX_Modified_Or_Inside , UPX20030XMarkusOberhumerLaszloMolnarJohnReiser , UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , Toxoplasmosis , UPX", "Packer UPX v0.89.6 - v1.02 / v1.05 -v1.24 -> Markus & Laszlo [overlay]", "Yara Detections: ConventionEngine_Term_Desktop , LZMA , mpress_2_xx_x86 , dbgdetect_procs", "pornhub.dev, http://matrix.pornhub.dev, https://twitter.com/PORNO_SEXYBABES, https://www.anon-v.com/porno/fenella/", "Hostname device-local-fb18804d-348e-49ea-8c17-cc8a29f18082.remotewd.com | 192.168.56.104: IPv4", "https://otx.alienvault.com/indicator/file/f7636eef1d9df0664cd0f205ad8864b659bf9898ce6231376778c4411986912e", "https://otx.alienvault.com/indicator/file/000054fa2b0d1004464350ee9acc40707fec51223dba36c702a3db4139af9717", "Domain: hicloudcam.com | https://otx.alienvault.com/indicator/hostname/alarmeu.sslproxy.gatewayvvlilly3lilly.alpha.hicloudcam.com", "originb0b.profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com | 108.160.165.139 Location: USA |ASN AS19679 dropbox inc. Nameservers ns-136.awsdns-17.com. ns-1518.awsdns-61.org. ,\u00a0 ns-1573.awsdns-04.co.uk. ,\u00a0 ns-809.awsdns-37.net. Less WHOIS Registrar: https://www.101domain.com/,\u00a0\u00a0 Creation Date: Oct 21, 2010 Related Pulses None Related Tags None Indicator Facts Running webserver External Resources Whois,\u00a0 UrlVoid,\u00a0 VirusTotal Analysis Related Pulses Comments (0) Whois Show 100 entr", "https://otx.alienvault.com/indicator/hostname/originb0b.profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com", "PATHETIC redirect: rainn.org | victims of violence & abuse disclose extremely sensitive details. Reported false information given to disorient victims.", "WannaCry | NSA -Anity Cert: https://otx.alienvault.com/indicator/url/https://www.antiy.com/response/Antiy_Wannacry_NSA.html", "WannaCry MS17-010 'Shadow' https://otx.alienvault.com/otxapi/indicators/url/screenshot/https://www.antiy.com/response/wannacry.html", "Command and Control IP: 5.41.21.250 | Location Saudi Arabia flag Jeddah, Saudi Arabia ASN AS39891 saudi telecom company jsc", "m.pornsexer.xxx.3.1.adiosfil.roksit.net", "uploads-cserver-alumni-profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win32/Vflooder.B Checkin", "display_name": "Win32/Vflooder.B Checkin", "target": null }, { "id": "Win.Malware.Vtflooder-6723768-0", "display_name": "Win.Malware.Vtflooder-6723768-0", "target": null }, { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "Win32/Vflooder.B vtapi DOS", "display_name": "Win32/Vflooder.B vtapi DOS", "target": null }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "Win.Trojan.Downloader-63174", "display_name": "Win.Trojan.Downloader-63174", "target": null }, { "id": "Clicker.BGOU", "display_name": "Clicker.BGOU", "target": null }, { "id": "Win.Trojan.Agent-752791", "display_name": "Win.Trojan.Agent-752791", "target": null }, { "id": "Win.Dropper.QQpass-9895638-0", "display_name": "Win.Dropper.QQpass-9895638-0", "target": null }, { "id": "Trojan:Win32/QQpass", "display_name": "Trojan:Win32/QQpass", "target": "/malware/Trojan:Win32/QQpass" }, { "id": "WannaCry", "display_name": "WannaCry", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1038", "name": "DLL Search Order Hijacking", "display_name": "T1038 - DLL Search Order Hijacking" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1470", "name": "Obtain Device Cloud Backups", "display_name": "T1470 - Obtain Device Cloud Backups" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" } ], "industries": [], "TLP": "green", "cloned_from": "66536881127f5ee988306394", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 350, "FileHash-SHA1": 348, "FileHash-SHA256": 2659, "URL": 7850, "domain": 2245, "hostname": 3611, "SSLCertFingerprint": 4, "email": 10, "CIDR": 4 }, "indicator_count": 17081, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "4 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6608aaf7ca0e965e593ed1d4", "name": "MUI programu Microsoft Office Access (w j\u0119zyku angielskim) zosta\u0142o u\u017cyte do wys\u0142ania z\u0142o\u015bliwego oprogramowania na serwer w Czechach jest to pierwszy tego typu atak na komputer. e", "description": "A look back at some of the key words and phrases used to describe the situation in Italy, as \"probacja\" (or \"democrata), as they were translated into English.", "modified": "2025-10-17T11:03:07.034000", "created": "2024-03-31T00:14:47.183000", "tags": [ "sha256", "ssdeep", "reputacja", "tworzy pliki", "informacje", "bardzo duga", "tworzy", "adresy url", "tworzy katalog", "win64", "ameryki", "typ pliku", "serwer nazw", "san jose", "adres", "digital", "data wyganicia", "csc corporate", "domains", "ca data", "data utworzenia", "dnssec" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6432, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 3, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2140, "hostname": 5874, "FileHash-SHA256": 12539, "FileHash-MD5": 3686, "FileHash-SHA1": 2751, "IPv4": 503, "URL": 10770, "email": 26, "CVE": 88, "YARA": 6, "JA3": 2, "IPv6": 28, "SSLCertFingerprint": 5, "BitcoinAddress": 3, "CIDR": 1 }, "indicator_count": 38422, "is_author": false, "is_subscribing": null, "subscriber_count": 144, "modified_text": "226 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "689af6a1704fa2745bc8c2a3", "name": "Hijacked Twitter / X.com account. Phishing | Abnormal use", "description": "Hijacked phishing Twitter/ X.com.\nWin32/Unruy.C Activity\n#phishing #hijacked #intercoms #unruy #trojan #VTflood #malware #attack", "modified": "2025-09-11T08:02:36.759000", "created": "2025-08-12T08:09:05.642000", "tags": [ "log id", "gmtn", "secure", "tls web", "passive dns", "urls", "path", "self", "encrypt", "ca issuers", "false", "search", "read c", "united", "entries", "show", "showing", "msie", "windows nt", "wow64", "slcc2", "copy", "write", "suspicious", "malware", "unknown", "process32nextw", "shellexecuteexw", "medium process", "discovery t1057", "t1057", "discovery", "medium", "locally unique", "identifier", "veailmboprd", "next associated", "ipv4 add", "pulse pulses", "files", "asn as13335", "dns resolutions", "domains top", "smoke loader", "trojan", "body", "learn", "ck id", "name tactics", "informative", "adversaries", "command", "spawns", "ssl certificate", "execution att", "show process", "programfiles", "command decode", "flag", "suricata ipv4", "mitre att", "show technique", "ck matrix", "date", "comspec", "model", "twitter", "august", "hybrid", "general", "click", "strings" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 31, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1504, "FileHash-SHA256": 1232, "SSLCertFingerprint": 14, "domain": 245, "hostname": 526, "FileHash-MD5": 43, "FileHash-SHA1": 38 }, "indicator_count": 3602, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "262 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68451577ada8bb0aa0834edb", "name": "X - Business Social Media Account used to attack victim", "description": "Victims business social media accounts deleted. Used to commit malicious activity against businesses, espionage , financial abuse.", "modified": "2025-07-08T04:03:04.386000", "created": "2025-06-08T04:45:43.423000", "tags": [ "trojan", "ids detections", "yara detections", "alerts", "analysis date", "file score", "upxoepplace", "pulses none", "related tags", "none file", "markus", "april", "win32", "copy", "usvwu", "usvw", "high", "medium", "show", "uss c", "binary file", "yara", "write", "delphi", "enigma", "present mar", "aaaa", "united", "passive dns", "date", "present nov", "moved", "urls", "creation date", "entries", "body", "trojandropper", "susp", "msr jul", "next associated", "pulse pulses", "mtb jun", "backdoor", "content length", "html document", "ascii text", "search", "internalname", "entries pe", "showing", "filehash", "md5 add", "av detections", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "mitre att", "ck techniques", "copy md5", "copy sha1", "copy sha256", "sha1", "sha256", "pattern match", "size", "encrypt", "june", "hybrid", "local", "path", "click", "twitter", "strings", "url https", "url http", "report spam", "created", "hours ago", "bad actor", "ck ids", "t1057", "discovery", "t1071", "amer", "ipv4", "indicator role", "title added", "active related", "pulses", "china", "hong kong", "russia", "type indicator", "role title", "added active", "related pulses", "pulses url", "filehashsha256", "url add", "http", "ip address", "related nids", "files location", "flag united", "domain", "hostname", "next", "filehashmd5", "protocol", "t1105", "tool transfer", "t1480" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 637, "FileHash-SHA1": 639, "FileHash-SHA256": 5380, "domain": 676, "hostname": 1120, "URL": 1031, "SSLCertFingerprint": 4 }, "indicator_count": 9487, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "327 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6843fe89793d0ef8e2afc34d", "name": "Deleted SocialMedia", "description": "Bad Actor Deleted SocialMedia account found in breach forum.", "modified": "2025-07-07T08:03:42.325000", "created": "2025-06-07T08:55:37.612000", "tags": [ "body", "secure", "self", "path", "date sat", "gmt contenttype", "connection", "accept", "gmt pragma", "deny", "maxage34214400", "learn", "spawns", "command", "ck id", "name tactics", "suspicious", "informative", "adversaries", "ssl certificate", "found", "copy sha256", "copy md5", "copy sha1", "sha1", "sha256", "size", "type data", "ascii text", "pattern match", "mitre att", "show technique", "ck matrix", "file", "indicator", "show process", "encrypt", "june", "hybrid", "local" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1628, "domain": 58, "URL": 390, "hostname": 204, "FileHash-MD5": 84, "FileHash-SHA1": 88, "SSLCertFingerprint": 4 }, "indicator_count": 2456, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "328 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "681386d75c34469176686756", "name": "x.com/KulinskiArkadi", "description": "", "modified": "2025-05-31T14:01:10.044000", "created": "2025-05-01T14:36:07.422000", "tags": [ "script", "etag", "sharing", "cors", "mediatype", "mediasubtype", "contenttype", "header", "combination", "compression", "encrypt", "cookie", "critical", "twitter", "iframe", "insert", "info", "error", "suspicious", "find", "screen", "grok", "body" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 471, "CIDR": 34, "FileHash-MD5": 9, "FileHash-SHA1": 5, "FileHash-SHA256": 1177, "domain": 214, "hostname": 430, "email": 2 }, "indicator_count": 2342, "is_author": false, "is_subscribing": null, "subscriber_count": 123, "modified_text": "365 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6759e015bddb89de26c4219a", "name": "fonts.gstatic.com/s/opensans/v15/mem8YaGs126MiZpBA-UFVZ0b.woff2", "description": "The full text of the text above the line of this page, which has been published by BBC Radio 5 live, can be viewed by the BBC iPlayer, iplayer, app and website.", "modified": "2025-05-14T21:24:40.387000", "created": "2024-12-11T18:55:17.578000", "tags": [ "callnexthookex", "callwindowprocw", "createbitmap", "createfilea", "createwindowexw", "decodepointer", "defwindowprocw", "destroywindow", "enablewindow", "encodepointer", "cachebuster", "or requesturl", "url praca", "opswatreputacja", "ssdeep", "brak", "blob", "indie", "hetzner online", "gmbh", "helsinki", "niemcy", "finlandia", "globe telecoms", "ovh hosting", "zredagowano dla", "prywatnoci" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 3, "FileHash-SHA1": 3, "URL": 378, "domain": 43, "hostname": 151, "FileHash-MD5": 2, "IPv4": 36 }, "indicator_count": 616, "is_author": false, "is_subscribing": null, "subscriber_count": 123, "modified_text": "381 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66b910d6b8a1a2fade2e72f1", "name": "Twitter.com = X.com Migration to malware templates Brian Sabey photos| | Framing target| HoneyPots?", "description": "Again, multiple malicious X.com Twitter migration templates with photos of Brian Sabey and wife appear separately Sabey appear in Tsara Brashears search results with 'LDS Mafia' and Dia Sabey's 'Anti Trump' sentiment. Believed to be 'remotely' self hosted on a server purported to belong to Brashears. This has been done for a while to implicate target hosting and spreading well over 1 million illegal adult, murder,threat and darker sites,murls,domains. It's untrue and is considered framing since 2017, who reported it. \nRedirects to:\n\nhttps://twitter.com?mx=1\nTsara Brashears fake server is Brian Sabey, Red Team, potentially Law Enforcement, idk. \nIP address: 104.244.42.129\n\nHosting: Unknown\n\nRunning on: Tsa B (Tsara Brashears)\nCMS: Express\nPowered by: Express\n\n#VirTool:Win32/Obfuscator.ADB\nALF:E5.SpikeAex.DYNHASH\nTrojan:Win32/Upatre\nTrojan:Win32/Vflooder", "modified": "2024-10-11T00:04:00.735000", "created": "2024-08-11T19:28:22.948000", "tags": [ "ip address", "b cms", "express", "security risk", "found https", "server tsa", "b server", "digicert inc", "web application", "expiresthu", "path", "secure", "self", "body", "sha256 hash", "http response", "gmt perf", "accept expiry", "gmt pragma", "referrer", "misc attack", "et tor", "known tor", "relayrouter", "exit", "node traffic", "united", "flag", "contacted", "http traffic", "as20940", "name servers", "status", "search", "invalid url", "passive dns", "urls", "next", "as13414 twitter", "as15133 verizon", "nxdomain", "whitelisted", "a nxdomain", "aaaa", "trojan", "virtool", "twitter", "date hash", "avast avg", "related pulses", "file samples", "files matching", "show", "copyright", "levelblue", "showing", "scan endpoints", "all scoreblue", "server tsa b", "trojan features", "brian sabey", "cname", "as35994 akamai", "as4230 claro", "brazil", "date", "unknown", "ireland unknown", "registrar", "ionos se", "brain sabey" ], "references": [ "Researched Link: https://twitter.com/x/migrate?tok=7b2265223a222f5265786f725663302f7374617475732f31373335353637303533363938383236343333267665643d326168554b45776a7836506d37714f3248417858516d496b454864736445653851716f55426567514941784142267573673d414f76566177333047616a6b6e31444f6c50716444715861477457632532302532302f75726c3f657372633d7326713d267263743d6a2673613d552675726c3d68747470733a2f2f747769747465722e636f6d2f5265786f725663302f7374617475732f31373335353637303533363938383236343333267665643d326168554b45776a783", "https://twitter.com/RexorVc0/status/1735567053698826433&ved=2ahUKEwjx6Pm7qO2HAxXQmIkEHdsdEe8QqoUBegQIAxAB&usg=AOvVaw30Gajkn1DOlPqdDqXaGtWc /.git/HEAD", "https://twitter.com/404javascript.js", "https://twitter.com/RexorVc0/status/1735567053698826433&ved=2ahUKEwjx6Pm7qO2HAxXQmIkEHdsdEe8QqoUBegQIAxAB&usg=AOvVaw30Gajkn1DOlPqdDqXaGtWc /url?esrc=s&q=&rct=j&sa=U&url=https://twitter.com/RexorVc0/status/1735567053698826433&ved=2ahUKEwjx6Pm7qO2HAxXQmIkEHdsdEe8Qr4kDegQIAxAC&usg=AOvVaw3hTJ23b0U6ZvO_HwyLOEoQ", "https://unify.apideck.com/vault/callback", "https://twitter.com/RexorVc0/status/1735567053698826433&ved=2ahUKEwjx6Pm7qO2HAxXQmIkEHdsdEe8QqoUBegQIAxAB&usg=AOvVaw30Gajkn1DOlPqdDqXaGtWc%20%20/url?esrc=s&q=&rct=j&sa=U&url=https://twitter.com/RexorVc0/status/1735567053698826433&ved=2ahUKEwjx6Pm7qO2HAxXQmIkEHdsdEe8Qr4kDegQIAxAC&usg=AOvVaw3hTJ23b0U6ZvO_HwyLOEoQ", "Framing target as a self host of malicious, malware filled templates via twitter.com migrate to X.com", "Redirects to: https://twitter.com?mx=1 IP address: 104.244.42.129 Hosting: Unknown Running on: Tsa B CMS: Express Powered by: Express", "Block ID:\tEVA120 ?" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Belgium", "Ireland" ], "malware_families": [ { "id": "ALF:E5.SpikeAex.DYNHASH", "display_name": "ALF:E5.SpikeAex.DYNHASH", "target": null }, { "id": "Trojan:Win32/Upatre", "display_name": "Trojan:Win32/Upatre", "target": "/malware/Trojan:Win32/Upatre" }, { "id": "Trojan:Win32/Vflooder", "display_name": "Trojan:Win32/Vflooder", "target": "/malware/Trojan:Win32/Vflooder" }, { "id": "#VirTool:Win32/Obfuscator.ADB", "display_name": "#VirTool:Win32/Obfuscator.ADB", "target": "/malware/#VirTool:Win32/Obfuscator.ADB" } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1428", "name": "Exploit Enterprise Resources", "display_name": "T1428 - Exploit Enterprise Resources" }, { "id": "T1445", "name": "Abuse of iOS Enterprise App Signing Key", "display_name": "T1445 - Abuse of iOS Enterprise App Signing Key" }, { "id": "T1212", "name": "Exploitation for Credential Access", "display_name": "T1212 - Exploitation for Credential Access" }, { "id": "T1110.004", "name": "Credential Stuffing", "display_name": "T1110.004 - Credential Stuffing" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 451, "domain": 353, "FileHash-SHA256": 1714, "hostname": 418, "FileHash-MD5": 419, "FileHash-SHA1": 419, "email": 7 }, "indicator_count": 3781, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "597 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66c5e0783f84565b1fe842e1", "name": "Twitter\u00bbX.com migration to malware templates Attorney Brian Sabey Hall Render ", "description": "", "modified": "2024-10-11T00:04:00.735000", "created": "2024-08-21T12:41:28.437000", "tags": [ "ip address", "b cms", "express", "security risk", "found https", "server tsa", "b server", "digicert inc", "web application", "expiresthu", "path", "secure", "self", "body", "sha256 hash", "http response", "gmt perf", "accept expiry", "gmt pragma", "referrer", "misc attack", "et tor", "known tor", "relayrouter", "exit", "node traffic", "united", "flag", "contacted", "http traffic", "as20940", "name servers", "status", "search", "invalid url", "passive dns", "urls", "next", "as13414 twitter", "as15133 verizon", "nxdomain", "whitelisted", "a nxdomain", "aaaa", "trojan", "virtool", "twitter", "date hash", "avast avg", "related pulses", "file samples", "files matching", "show", "copyright", "levelblue", "showing", "scan endpoints", "all scoreblue", "server tsa b", "trojan features", "brian sabey", "cname", "as35994 akamai", "as4230 claro", "brazil", "date", "unknown", "ireland unknown", "registrar", "ionos se", "brain sabey" ], "references": [ "Researched Link: https://twitter.com/x/migrate?tok=7b2265223a222f5265786f725663302f7374617475732f31373335353637303533363938383236343333267665643d326168554b45776a7836506d37714f3248417858516d496b454864736445653851716f55426567514941784142267573673d414f76566177333047616a6b6e31444f6c50716444715861477457632532302532302f75726c3f657372633d7326713d267263743d6a2673613d552675726c3d68747470733a2f2f747769747465722e636f6d2f5265786f725663302f7374617475732f31373335353637303533363938383236343333267665643d326168554b45776a783", "https://twitter.com/RexorVc0/status/1735567053698826433&ved=2ahUKEwjx6Pm7qO2HAxXQmIkEHdsdEe8QqoUBegQIAxAB&usg=AOvVaw30Gajkn1DOlPqdDqXaGtWc /.git/HEAD", "https://twitter.com/404javascript.js", "https://twitter.com/RexorVc0/status/1735567053698826433&ved=2ahUKEwjx6Pm7qO2HAxXQmIkEHdsdEe8QqoUBegQIAxAB&usg=AOvVaw30Gajkn1DOlPqdDqXaGtWc /url?esrc=s&q=&rct=j&sa=U&url=https://twitter.com/RexorVc0/status/1735567053698826433&ved=2ahUKEwjx6Pm7qO2HAxXQmIkEHdsdEe8Qr4kDegQIAxAC&usg=AOvVaw3hTJ23b0U6ZvO_HwyLOEoQ", "https://unify.apideck.com/vault/callback", "https://twitter.com/RexorVc0/status/1735567053698826433&ved=2ahUKEwjx6Pm7qO2HAxXQmIkEHdsdEe8QqoUBegQIAxAB&usg=AOvVaw30Gajkn1DOlPqdDqXaGtWc%20%20/url?esrc=s&q=&rct=j&sa=U&url=https://twitter.com/RexorVc0/status/1735567053698826433&ved=2ahUKEwjx6Pm7qO2HAxXQmIkEHdsdEe8Qr4kDegQIAxAC&usg=AOvVaw3hTJ23b0U6ZvO_HwyLOEoQ", "Framing target as a self host of malicious, malware filled templates via twitter.com migrate to X.com", "Redirects to: https://twitter.com?mx=1 IP address: 104.244.42.129 Hosting: Unknown Running on: Tsa B CMS: Express Powered by: Express", "Block ID:\tEVA120 ?" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Belgium", "Ireland" ], "malware_families": [ { "id": "ALF:E5.SpikeAex.DYNHASH", "display_name": "ALF:E5.SpikeAex.DYNHASH", "target": null }, { "id": "Trojan:Win32/Upatre", "display_name": "Trojan:Win32/Upatre", "target": "/malware/Trojan:Win32/Upatre" }, { "id": "Trojan:Win32/Vflooder", "display_name": "Trojan:Win32/Vflooder", "target": "/malware/Trojan:Win32/Vflooder" }, { "id": "#VirTool:Win32/Obfuscator.ADB", "display_name": "#VirTool:Win32/Obfuscator.ADB", "target": "/malware/#VirTool:Win32/Obfuscator.ADB" } ], "attack_ids": [ { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1428", "name": "Exploit Enterprise Resources", "display_name": "T1428 - Exploit Enterprise Resources" }, { "id": "T1445", "name": "Abuse of iOS Enterprise App Signing Key", "display_name": "T1445 - Abuse of iOS Enterprise App Signing Key" }, { "id": "T1212", "name": "Exploitation for Credential Access", "display_name": "T1212 - Exploitation for Credential Access" }, { "id": "T1110.004", "name": "Credential Stuffing", "display_name": "T1110.004 - Credential Stuffing" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" } ], "industries": [], "TLP": "green", "cloned_from": "66b910d6b8a1a2fade2e72f1", "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 615, "domain": 368, "FileHash-SHA256": 1751, "hostname": 443, "FileHash-MD5": 419, "FileHash-SHA1": 419, "email": 7 }, "indicator_count": 4022, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "597 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66536881127f5ee988306394", "name": "iOS Attack - Crouching Yeti: http://x.com/denverpolice/status/|", "description": "Targeted triangulation. Apple iOS iPad. Attack chains of Operation Triangulation involves advanced tactics employed by those acting as secret middleman, deploying spoofed trusted websites, emails, alarming news stories, messages, Bluetooth hacking, if threat actor has full CnC of targets phone via injection (sometimes it's random) can power on B/T. In Spoofed sites, malicious redirects, iMessage 0day case. Zero-click iMessage exploit seen. Information is sent to attacker and stored. Data harvesting, financial & identity theft, service modification and DoS intended. Used by law enforcement, governments, attorney PI's, cyber security defense, red teams and/or malicious hackers.\n*Crouching Yeti threat description notes: Contextual Indicators: Domain is classified as Social Networking Contextual Indicators: The URL is known benign by Check Point's Threat Cloud Contextual Indicators: Https://x.com is popular among websites with good reputation Contextual Indicators: Domain Cisco Umbrella rank is 312.", "modified": "2024-06-25T16:05:26.604000", "created": "2024-05-26T16:51:13.962000", "tags": [ "sha256", "sha1", "pattern match", "ascii text", "document file", "v2 document", "crlf line", "size", "unicode", "beginstring", "null", "hybrid", "refresh", "body", "span", "local", "click", "strings", "error", "tools", "look", "verify", "restart", "contact", "external-resources", "dom-modification", "third-party-cookies", "iframes", "trackers", "text/html", "twitter", "final url", "ip address", "status code", "body length", "kb body", "headers", "deny", "express", "referrer", "impacting azure", "proofpoint", "sneaky server", "replacement", "unauthorized", "switch dns", "query", "vy binh", "hiddentear", "et tor", "known tor", "misc attack", "relayrouter", "exit", "node traffic", "date", "meta", "form", "submission", "expiresthu", "path", "secure", "self", "xcitium verdict", "cloud", "sophos", "history first", "analysis", "cp", "cyber", "threat", "redrum", "hit", "men", "triangulation", "historical ssl", "apt suspects", "critical cmd", "hide", "asyncrat", "jeremy", "government", "malicious", "yuming", "name servers", "united", "passive dns", "urls", "creation date", "search", "expiration date", "showing", "unknown", "next", "windows nt", "malware beacon", "memcommit", "generic http", "exe upload", "outbound", "etpro trojan", "show", "trojan", "copy", "write", "win32", "malware", "read c", "entries", "medium", "markus", "contentlength", "write c", "delete c", "create c", "yara detections", "scan endpoints", "all scoreblue", "filehash", "pulse pulses", "av detections", "ids detections", "alerts", "analysis date", "file score", "next pe", "as32934", "hitmen", "local government", "scene unit", "crime", "denver police", "address", "status", "aaaa", "apple", "less whois", "registrar", "wannacry", "http", "unique", "url https", "related nids", "code", "screenshot", "anity", "nsa", "shadow", "saudi telecom", "riyadh address", "saudi arabia", "abuse", "ripe", "company isp", "number", "label saudi", "telecom company", "jsc regional", "riyadh", "ripe ncc", "registry techc", "campus", "saudi", "ripe network", "domain", "internet se", "emails", "system", "server tsa", "b server", "certificate", "digicert inc", "moved", "record value" ], "references": [ "http://x.com/denverpolice/status/", "Redirects to >https://twitter.com/x/migrate?tok=eyJlIjoiL2RlbnZlcnBvbGljZS9zdGF0dXMvIiwidCI6MTcxNjcwMzc3M33oZya0EO4PtEbRwq4XZboX", "Redirects to https://twitter.com?mx=1", "IP address: 104.244.42.1 Hosting: Unknown Running on: Tsa B CMS: Express", "Crouching Yeti: Appendixes - according to source ArcSight Threat Intelligence", "https://otx.alienvault.com/indicator/file/00001aff2ea1acd6087f9fba8d8316d90d29e391d9969bc70cc607461467797e", "Alerts: nids_malware_alert network_icmp dumped_buffer network_cnc_http network_http network_http_post allocates_rwx", "Alerts: packer_entropy packer_upx antivm_memory_available pe_features", "Yara Detections: Yara Detections Nrv2x , UPX_OEP_place , UPX_Modified_Or_Inside , UPX20030XMarkusOberhumerLaszloMolnarJohnReiser , UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , Toxoplasmosis , UPX", "Packer UPX v0.89.6 - v1.02 / v1.05 -v1.24 -> Markus & Laszlo [overlay]", "Yara Detections: ConventionEngine_Term_Desktop , LZMA , mpress_2_xx_x86 , dbgdetect_procs", "pornhub.dev, http://matrix.pornhub.dev, https://twitter.com/PORNO_SEXYBABES, https://www.anon-v.com/porno/fenella/", "Hostname device-local-fb18804d-348e-49ea-8c17-cc8a29f18082.remotewd.com | 192.168.56.104: IPv4", "https://otx.alienvault.com/indicator/file/f7636eef1d9df0664cd0f205ad8864b659bf9898ce6231376778c4411986912e", "https://otx.alienvault.com/indicator/file/000054fa2b0d1004464350ee9acc40707fec51223dba36c702a3db4139af9717", "Domain: hicloudcam.com | https://otx.alienvault.com/indicator/hostname/alarmeu.sslproxy.gatewayvvlilly3lilly.alpha.hicloudcam.com", "originb0b.profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com | 108.160.165.139 Location: USA |ASN AS19679 dropbox inc. Nameservers ns-136.awsdns-17.com. ns-1518.awsdns-61.org. ,\u00a0 ns-1573.awsdns-04.co.uk. ,\u00a0 ns-809.awsdns-37.net. Less WHOIS Registrar: https://www.101domain.com/,\u00a0\u00a0 Creation Date: Oct 21, 2010 Related Pulses None Related Tags None Indicator Facts Running webserver External Resources Whois,\u00a0 UrlVoid,\u00a0 VirusTotal Analysis Related Pulses Comments (0) Whois Show 100 entr", "https://otx.alienvault.com/indicator/hostname/originb0b.profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com", "PATHETIC redirect: rainn.org | victims of violence & abuse disclose extremely sensitive details. Reported false information given to disorient victims.", "WannaCry | NSA -Anity Cert: https://otx.alienvault.com/indicator/url/https://www.antiy.com/response/Antiy_Wannacry_NSA.html", "WannaCry MS17-010 'Shadow' https://otx.alienvault.com/otxapi/indicators/url/screenshot/https://www.antiy.com/response/wannacry.html", "Command and Control IP: 5.41.21.250 | Location Saudi Arabia flag Jeddah, Saudi Arabia ASN AS39891 saudi telecom company jsc", "m.pornsexer.xxx.3.1.adiosfil.roksit.net", "uploads-cserver-alumni-profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win32/Vflooder.B Checkin", "display_name": "Win32/Vflooder.B Checkin", "target": null }, { "id": "Win.Malware.Vtflooder-6723768-0", "display_name": "Win.Malware.Vtflooder-6723768-0", "target": null }, { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "Win32/Vflooder.B vtapi DOS", "display_name": "Win32/Vflooder.B vtapi DOS", "target": null }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "Win.Trojan.Downloader-63174", "display_name": "Win.Trojan.Downloader-63174", "target": null }, { "id": "Clicker.BGOU", "display_name": "Clicker.BGOU", "target": null }, { "id": "Win.Trojan.Agent-752791", "display_name": "Win.Trojan.Agent-752791", "target": null }, { "id": "Win.Dropper.QQpass-9895638-0", "display_name": "Win.Dropper.QQpass-9895638-0", "target": null }, { "id": "Trojan:Win32/QQpass", "display_name": "Trojan:Win32/QQpass", "target": "/malware/Trojan:Win32/QQpass" }, { "id": "WannaCry", "display_name": "WannaCry", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1038", "name": "DLL Search Order Hijacking", "display_name": "T1038 - DLL Search Order Hijacking" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1470", "name": "Obtain Device Cloud Backups", "display_name": "T1470 - Obtain Device Cloud Backups" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 48, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 350, "FileHash-SHA1": 348, "FileHash-SHA256": 2659, "URL": 7850, "domain": 2245, "hostname": 3611, "SSLCertFingerprint": 4, "email": 10, "CIDR": 4 }, "indicator_count": 17081, "is_author": false, "is_subscribing": null, "subscriber_count": 233, "modified_text": "704 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66536c8eee8d42d670e27723", "name": "Eternal Blue _ WannaCry MS17-010 | Apple iOS iMessage injection infiltration", "description": "", "modified": "2024-06-25T16:05:26.604000", "created": "2024-05-26T17:08:30.022000", "tags": [ "sha256", "sha1", "pattern match", "ascii text", "document file", "v2 document", "crlf line", "size", "unicode", "beginstring", "null", "hybrid", "refresh", "body", "span", "local", "click", "strings", "error", "tools", "look", "verify", "restart", "contact", "external-resources", "dom-modification", "third-party-cookies", "iframes", "trackers", "text/html", "twitter", "final url", "ip address", "status code", "body length", "kb body", "headers", "deny", "express", "referrer", "impacting azure", "proofpoint", "sneaky server", "replacement", "unauthorized", "switch dns", "query", "vy binh", "hiddentear", "et tor", "known tor", "misc attack", "relayrouter", "exit", "node traffic", "date", "meta", "form", "submission", "expiresthu", "path", "secure", "self", "xcitium verdict", "cloud", "sophos", "history first", "analysis", "cp", "cyber", "threat", "redrum", "hit", "men", "triangulation", "historical ssl", "apt suspects", "critical cmd", "hide", "asyncrat", "jeremy", "government", "malicious", "yuming", "name servers", "united", "passive dns", "urls", "creation date", "search", "expiration date", "showing", "unknown", "next", "windows nt", "malware beacon", "memcommit", "generic http", "exe upload", "outbound", "etpro trojan", "show", "trojan", "copy", "write", "win32", "malware", "read c", "entries", "medium", "markus", "contentlength", "write c", "delete c", "create c", "yara detections", "scan endpoints", "all scoreblue", "filehash", "pulse pulses", "av detections", "ids detections", "alerts", "analysis date", "file score", "next pe", "as32934", "hitmen", "local government", "scene unit", "crime", "denver police", "address", "status", "aaaa", "apple", "less whois", "registrar", "wannacry", "http", "unique", "url https", "related nids", "code", "screenshot", "anity", "nsa", "shadow", "saudi telecom", "riyadh address", "saudi arabia", "abuse", "ripe", "company isp", "number", "label saudi", "telecom company", "jsc regional", "riyadh", "ripe ncc", "registry techc", "campus", "saudi", "ripe network", "domain", "internet se", "emails", "system", "server tsa", "b server", "certificate", "digicert inc", "moved", "record value" ], "references": [ "http://x.com/denverpolice/status/", "Redirects to >https://twitter.com/x/migrate?tok=eyJlIjoiL2RlbnZlcnBvbGljZS9zdGF0dXMvIiwidCI6MTcxNjcwMzc3M33oZya0EO4PtEbRwq4XZboX", "Redirects to https://twitter.com?mx=1", "IP address: 104.244.42.1 Hosting: Unknown Running on: Tsa B CMS: Express", "Crouching Yeti: Appendixes - according to source ArcSight Threat Intelligence", "https://otx.alienvault.com/indicator/file/00001aff2ea1acd6087f9fba8d8316d90d29e391d9969bc70cc607461467797e", "Alerts: nids_malware_alert network_icmp dumped_buffer network_cnc_http network_http network_http_post allocates_rwx", "Alerts: packer_entropy packer_upx antivm_memory_available pe_features", "Yara Detections: Yara Detections Nrv2x , UPX_OEP_place , UPX_Modified_Or_Inside , UPX20030XMarkusOberhumerLaszloMolnarJohnReiser , UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , Toxoplasmosis , UPX", "Packer UPX v0.89.6 - v1.02 / v1.05 -v1.24 -> Markus & Laszlo [overlay]", "Yara Detections: ConventionEngine_Term_Desktop , LZMA , mpress_2_xx_x86 , dbgdetect_procs", "pornhub.dev, http://matrix.pornhub.dev, https://twitter.com/PORNO_SEXYBABES, https://www.anon-v.com/porno/fenella/", "Hostname device-local-fb18804d-348e-49ea-8c17-cc8a29f18082.remotewd.com | 192.168.56.104: IPv4", "https://otx.alienvault.com/indicator/file/f7636eef1d9df0664cd0f205ad8864b659bf9898ce6231376778c4411986912e", "https://otx.alienvault.com/indicator/file/000054fa2b0d1004464350ee9acc40707fec51223dba36c702a3db4139af9717", "Domain: hicloudcam.com | https://otx.alienvault.com/indicator/hostname/alarmeu.sslproxy.gatewayvvlilly3lilly.alpha.hicloudcam.com", "originb0b.profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com | 108.160.165.139 Location: USA |ASN AS19679 dropbox inc. Nameservers ns-136.awsdns-17.com. ns-1518.awsdns-61.org. ,\u00a0 ns-1573.awsdns-04.co.uk. ,\u00a0 ns-809.awsdns-37.net. Less WHOIS Registrar: https://www.101domain.com/,\u00a0\u00a0 Creation Date: Oct 21, 2010 Related Pulses None Related Tags None Indicator Facts Running webserver External Resources Whois,\u00a0 UrlVoid,\u00a0 VirusTotal Analysis Related Pulses Comments (0) Whois Show 100 entr", "https://otx.alienvault.com/indicator/hostname/originb0b.profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com", "PATHETIC redirect: rainn.org | victims of violence & abuse disclose extremely sensitive details. Reported false information given to disorient victims.", "WannaCry | NSA -Anity Cert: https://otx.alienvault.com/indicator/url/https://www.antiy.com/response/Antiy_Wannacry_NSA.html", "WannaCry MS17-010 'Shadow' https://otx.alienvault.com/otxapi/indicators/url/screenshot/https://www.antiy.com/response/wannacry.html", "Command and Control IP: 5.41.21.250 | Location Saudi Arabia flag Jeddah, Saudi Arabia ASN AS39891 saudi telecom company jsc", "m.pornsexer.xxx.3.1.adiosfil.roksit.net", "uploads-cserver-alumni-profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win32/Vflooder.B Checkin", "display_name": "Win32/Vflooder.B Checkin", "target": null }, { "id": "Win.Malware.Vtflooder-6723768-0", "display_name": "Win.Malware.Vtflooder-6723768-0", "target": null }, { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "Win32/Vflooder.B vtapi DOS", "display_name": "Win32/Vflooder.B vtapi DOS", "target": null }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "Win.Trojan.Downloader-63174", "display_name": "Win.Trojan.Downloader-63174", "target": null }, { "id": "Clicker.BGOU", "display_name": "Clicker.BGOU", "target": null }, { "id": "Win.Trojan.Agent-752791", "display_name": "Win.Trojan.Agent-752791", "target": null }, { "id": "Win.Dropper.QQpass-9895638-0", "display_name": "Win.Dropper.QQpass-9895638-0", "target": null }, { "id": "Trojan:Win32/QQpass", "display_name": "Trojan:Win32/QQpass", "target": "/malware/Trojan:Win32/QQpass" }, { "id": "WannaCry", "display_name": "WannaCry", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1038", "name": "DLL Search Order Hijacking", "display_name": "T1038 - DLL Search Order Hijacking" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1470", "name": "Obtain Device Cloud Backups", "display_name": "T1470 - Obtain Device Cloud Backups" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" } ], "industries": [], "TLP": "green", "cloned_from": "66536881127f5ee988306394", "export_count": 55, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 350, "FileHash-SHA1": 348, "FileHash-SHA256": 2659, "URL": 7850, "domain": 2245, "hostname": 3611, "SSLCertFingerprint": 4, "email": 10, "CIDR": 4 }, "indicator_count": 17081, "is_author": false, "is_subscribing": null, "subscriber_count": 232, "modified_text": "704 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "http://x.com/denverpolice/status/", "Framing target as a self host of malicious, malware filled templates via twitter.com migrate to X.com", "Command and Control IP: 5.41.21.250 | Location Saudi Arabia flag Jeddah, Saudi Arabia ASN AS39891 saudi telecom company jsc", "uploads-cserver-alumni-profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com", "https://twitter.com/RexorVc0/status/1735567053698826433&ved=2ahUKEwjx6Pm7qO2HAxXQmIkEHdsdEe8QqoUBegQIAxAB&usg=AOvVaw30Gajkn1DOlPqdDqXaGtWc /url?esrc=s&q=&rct=j&sa=U&url=https://twitter.com/RexorVc0/status/1735567053698826433&ved=2ahUKEwjx6Pm7qO2HAxXQmIkEHdsdEe8Qr4kDegQIAxAC&usg=AOvVaw3hTJ23b0U6ZvO_HwyLOEoQ", "Redirects to: https://twitter.com?mx=1 IP address: 104.244.42.129 Hosting: Unknown Running on: Tsa B CMS: Express Powered by: Express", "https://otx.alienvault.com/indicator/file/000054fa2b0d1004464350ee9acc40707fec51223dba36c702a3db4139af9717", "Alerts: packer_entropy packer_upx antivm_memory_available pe_features", "https://twitter.com/RexorVc0/status/1735567053698826433&ved=2ahUKEwjx6Pm7qO2HAxXQmIkEHdsdEe8QqoUBegQIAxAB&usg=AOvVaw30Gajkn1DOlPqdDqXaGtWc /.git/HEAD", "PATHETIC redirect: rainn.org | victims of violence & abuse disclose extremely sensitive details. Reported false information given to disorient victims.", "m.pornsexer.xxx.3.1.adiosfil.roksit.net", "IP address: 104.244.42.1 Hosting: Unknown Running on: Tsa B CMS: Express", "Yara Detections: ConventionEngine_Term_Desktop , LZMA , mpress_2_xx_x86 , dbgdetect_procs", "Alerts: nids_malware_alert network_icmp dumped_buffer network_cnc_http network_http network_http_post allocates_rwx", "https://unify.apideck.com/vault/callback", "Block ID:\tEVA120 ?", "https://otx.alienvault.com/indicator/file/f7636eef1d9df0664cd0f205ad8864b659bf9898ce6231376778c4411986912e", "https://otx.alienvault.com/indicator/file/00001aff2ea1acd6087f9fba8d8316d90d29e391d9969bc70cc607461467797e", "Domain: hicloudcam.com | https://otx.alienvault.com/indicator/hostname/alarmeu.sslproxy.gatewayvvlilly3lilly.alpha.hicloudcam.com", "Researched Link: https://twitter.com/x/migrate?tok=7b2265223a222f5265786f725663302f7374617475732f31373335353637303533363938383236343333267665643d326168554b45776a7836506d37714f3248417858516d496b454864736445653851716f55426567514941784142267573673d414f76566177333047616a6b6e31444f6c50716444715861477457632532302532302f75726c3f657372633d7326713d267263743d6a2673613d552675726c3d68747470733a2f2f747769747465722e636f6d2f5265786f725663302f7374617475732f31373335353637303533363938383236343333267665643d326168554b45776a783", "Packer UPX v0.89.6 - v1.02 / v1.05 -v1.24 -> Markus & Laszlo [overlay]", "Hostname device-local-fb18804d-348e-49ea-8c17-cc8a29f18082.remotewd.com | 192.168.56.104: IPv4", "WannaCry | NSA -Anity Cert: https://otx.alienvault.com/indicator/url/https://www.antiy.com/response/Antiy_Wannacry_NSA.html", "WannaCry MS17-010 'Shadow' https://otx.alienvault.com/otxapi/indicators/url/screenshot/https://www.antiy.com/response/wannacry.html", "pornhub.dev, http://matrix.pornhub.dev, https://twitter.com/PORNO_SEXYBABES, https://www.anon-v.com/porno/fenella/", "Crouching Yeti: Appendixes - according to source ArcSight Threat Intelligence", "Redirects to >https://twitter.com/x/migrate?tok=eyJlIjoiL2RlbnZlcnBvbGljZS9zdGF0dXMvIiwidCI6MTcxNjcwMzc3M33oZya0EO4PtEbRwq4XZboX", "https://otx.alienvault.com/indicator/hostname/originb0b.profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com", "originb0b.profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com | 108.160.165.139 Location: USA |ASN AS19679 dropbox inc. Nameservers ns-136.awsdns-17.com. ns-1518.awsdns-61.org. ,\u00a0 ns-1573.awsdns-04.co.uk. ,\u00a0 ns-809.awsdns-37.net. Less WHOIS Registrar: https://www.101domain.com/,\u00a0\u00a0 Creation Date: Oct 21, 2010 Related Pulses None Related Tags None Indicator Facts Running webserver External Resources Whois,\u00a0 UrlVoid,\u00a0 VirusTotal Analysis Related Pulses Comments (0) Whois Show 100 entr", "Redirects to https://twitter.com?mx=1", "https://twitter.com/RexorVc0/status/1735567053698826433&ved=2ahUKEwjx6Pm7qO2HAxXQmIkEHdsdEe8QqoUBegQIAxAB&usg=AOvVaw30Gajkn1DOlPqdDqXaGtWc%20%20/url?esrc=s&q=&rct=j&sa=U&url=https://twitter.com/RexorVc0/status/1735567053698826433&ved=2ahUKEwjx6Pm7qO2HAxXQmIkEHdsdEe8Qr4kDegQIAxAC&usg=AOvVaw3hTJ23b0U6ZvO_HwyLOEoQ", "Yara Detections: Yara Detections Nrv2x , UPX_OEP_place , UPX_Modified_Or_Inside , UPX20030XMarkusOberhumerLaszloMolnarJohnReiser , UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , Toxoplasmosis , UPX", "https://twitter.com/404javascript.js" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Win.dropper.qqpass-9895638-0", "Wannacry", "Win32/vflooder.b vtapi dos", "Win32/vflooder.b checkin", "Trojan:win32/qqpass", "Trojan:win32/upatre", "Trojan:win32/vflooder", "Alf:e5.spikeaex.dynhash", "Win.malware.vtflooder-6723768-0", "#virtool:win32/obfuscator.adb", "Win32:trojan-gen", "Clicker.bgou", "Win.trojan.downloader-63174", "Win.trojan.agent-752791", "Win32:malware-gen" ], "industries": [ "Government", "Education" ], "unique_indicators": 69744 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/t.co", "whois": "http://whois.domaintools.com/t.co", "domain": "t.co", "hostname": "Unavailable" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 14, "pulses": [ { "id": "6a191c2f71c868406024097f", "name": "\u0432\u0437\u043b\u043e\u043c\u0430\u043d\u043d\u044b\u0439", "description": "\u041a \u0447\u0451\u0440\u0442\u0443 \u044d\u0442\u0443 \u043f\u0440\u043e\u0432\u0438\u043d\u0446\u0438\u044e. \u0417\u0430\u0445\u043e\u0434\u0438\u0442\u0435 \u0432\u0441\u0435, \u0432\u043e\u0434\u0430 \u043e\u0442\u043b\u0438\u0447\u043d\u0430\u044f.", "modified": "2026-05-29T04:55:11.325000", "created": "2026-05-29T04:55:11.325000", "tags": [ "tuca", "sct1", "seg0", "gaz1", "p1780029305477", "sid1780029305", "euaaaaagac", "nsi1", "p1780029178835", "ccc https", "locale" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "Canada", "Poland" ], "malware_families": [], "attack_ids": [], "industries": [ "Government", "Education" ], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "UCP_GoA23", "id": "382539", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_382539/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 543, "FileHash-MD5": 3, "FileHash-SHA256": 3, "IPv4": 119, "domain": 44, "hostname": 86 }, "indicator_count": 798, "is_author": false, "is_subscribing": null, "subscriber_count": 18, "modified_text": "2 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a16afb92680fcea084bb7b0", "name": "credit: scoreblue ['Eternal Blue_Wana Cry MS'] clone - user notes: interesting name tagged", "description": "", "modified": "2026-05-27T08:54:31.968000", "created": "2026-05-27T08:47:53.724000", "tags": [ "sha256", "sha1", "pattern match", "ascii text", "document file", "v2 document", "crlf line", "size", "unicode", "beginstring", "null", "hybrid", "refresh", "body", "span", "local", "click", "strings", "error", "tools", "look", "verify", "restart", "contact", "external-resources", "dom-modification", "third-party-cookies", "iframes", "trackers", "text/html", "twitter", "final url", "ip address", "status code", "body length", "kb body", "headers", "deny", "express", "referrer", "impacting azure", "proofpoint", "sneaky server", "replacement", "unauthorized", "switch dns", "query", "vy binh", "hiddentear", "et tor", "known tor", "misc attack", "relayrouter", "exit", "node traffic", "date", "meta", "form", "submission", "expiresthu", "path", "secure", "self", "xcitium verdict", "cloud", "sophos", "history first", "analysis", "cp", "cyber", "threat", "redrum", "hit", "men", "triangulation", "historical ssl", "apt suspects", "critical cmd", "hide", "asyncrat", "jeremy", "government", "malicious", "yuming", "name servers", "united", "passive dns", "urls", "creation date", "search", "expiration date", "showing", "unknown", "next", "windows nt", "malware beacon", "memcommit", "generic http", "exe upload", "outbound", "etpro trojan", "show", "trojan", "copy", "write", "win32", "malware", "read c", "entries", "medium", "markus", "contentlength", "write c", "delete c", "create c", "yara detections", "scan endpoints", "all scoreblue", "filehash", "pulse pulses", "av detections", "ids detections", "alerts", "analysis date", "file score", "next pe", "as32934", "hitmen", "local government", "scene unit", "crime", "denver police", "address", "status", "aaaa", "apple", "less whois", "registrar", "wannacry", "http", "unique", "url https", "related nids", "code", "screenshot", "anity", "nsa", "shadow", "saudi telecom", "riyadh address", "saudi arabia", "abuse", "ripe", "company isp", "number", "label saudi", "telecom company", "jsc regional", "riyadh", "ripe ncc", "registry techc", "campus", "saudi", "ripe network", "domain", "internet se", "emails", "system", "server tsa", "b server", "certificate", "digicert inc", "moved", "record value" ], "references": [ "http://x.com/denverpolice/status/", "Redirects to >https://twitter.com/x/migrate?tok=eyJlIjoiL2RlbnZlcnBvbGljZS9zdGF0dXMvIiwidCI6MTcxNjcwMzc3M33oZya0EO4PtEbRwq4XZboX", "Redirects to https://twitter.com?mx=1", "IP address: 104.244.42.1 Hosting: Unknown Running on: Tsa B CMS: Express", "Crouching Yeti: Appendixes - according to source ArcSight Threat Intelligence", "https://otx.alienvault.com/indicator/file/00001aff2ea1acd6087f9fba8d8316d90d29e391d9969bc70cc607461467797e", "Alerts: nids_malware_alert network_icmp dumped_buffer network_cnc_http network_http network_http_post allocates_rwx", "Alerts: packer_entropy packer_upx antivm_memory_available pe_features", "Yara Detections: Yara Detections Nrv2x , UPX_OEP_place , UPX_Modified_Or_Inside , UPX20030XMarkusOberhumerLaszloMolnarJohnReiser , UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , Toxoplasmosis , UPX", "Packer UPX v0.89.6 - v1.02 / v1.05 -v1.24 -> Markus & Laszlo [overlay]", "Yara Detections: ConventionEngine_Term_Desktop , LZMA , mpress_2_xx_x86 , dbgdetect_procs", "pornhub.dev, http://matrix.pornhub.dev, https://twitter.com/PORNO_SEXYBABES, https://www.anon-v.com/porno/fenella/", "Hostname device-local-fb18804d-348e-49ea-8c17-cc8a29f18082.remotewd.com | 192.168.56.104: IPv4", "https://otx.alienvault.com/indicator/file/f7636eef1d9df0664cd0f205ad8864b659bf9898ce6231376778c4411986912e", "https://otx.alienvault.com/indicator/file/000054fa2b0d1004464350ee9acc40707fec51223dba36c702a3db4139af9717", "Domain: hicloudcam.com | https://otx.alienvault.com/indicator/hostname/alarmeu.sslproxy.gatewayvvlilly3lilly.alpha.hicloudcam.com", "originb0b.profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com | 108.160.165.139 Location: USA |ASN AS19679 dropbox inc. Nameservers ns-136.awsdns-17.com. ns-1518.awsdns-61.org. ,\u00a0 ns-1573.awsdns-04.co.uk. ,\u00a0 ns-809.awsdns-37.net. Less WHOIS Registrar: https://www.101domain.com/,\u00a0\u00a0 Creation Date: Oct 21, 2010 Related Pulses None Related Tags None Indicator Facts Running webserver External Resources Whois,\u00a0 UrlVoid,\u00a0 VirusTotal Analysis Related Pulses Comments (0) Whois Show 100 entr", "https://otx.alienvault.com/indicator/hostname/originb0b.profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com", "PATHETIC redirect: rainn.org | victims of violence & abuse disclose extremely sensitive details. Reported false information given to disorient victims.", "WannaCry | NSA -Anity Cert: https://otx.alienvault.com/indicator/url/https://www.antiy.com/response/Antiy_Wannacry_NSA.html", "WannaCry MS17-010 'Shadow' https://otx.alienvault.com/otxapi/indicators/url/screenshot/https://www.antiy.com/response/wannacry.html", "Command and Control IP: 5.41.21.250 | Location Saudi Arabia flag Jeddah, Saudi Arabia ASN AS39891 saudi telecom company jsc", "m.pornsexer.xxx.3.1.adiosfil.roksit.net", "uploads-cserver-alumni-profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win32/Vflooder.B Checkin", "display_name": "Win32/Vflooder.B Checkin", "target": null }, { "id": "Win.Malware.Vtflooder-6723768-0", "display_name": "Win.Malware.Vtflooder-6723768-0", "target": null }, { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "Win32/Vflooder.B vtapi DOS", "display_name": "Win32/Vflooder.B vtapi DOS", "target": null }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "Win.Trojan.Downloader-63174", "display_name": "Win.Trojan.Downloader-63174", "target": null }, { "id": "Clicker.BGOU", "display_name": "Clicker.BGOU", "target": null }, { "id": "Win.Trojan.Agent-752791", "display_name": "Win.Trojan.Agent-752791", "target": null }, { "id": "Win.Dropper.QQpass-9895638-0", "display_name": "Win.Dropper.QQpass-9895638-0", "target": null }, { "id": "Trojan:Win32/QQpass", "display_name": "Trojan:Win32/QQpass", "target": "/malware/Trojan:Win32/QQpass" }, { "id": "WannaCry", "display_name": "WannaCry", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1038", "name": "DLL Search Order Hijacking", "display_name": "T1038 - DLL Search Order Hijacking" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1470", "name": "Obtain Device Cloud Backups", "display_name": "T1470 - Obtain Device Cloud Backups" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" } ], "industries": [], "TLP": "green", "cloned_from": "66536c8eee8d42d670e27723", "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 350, "FileHash-SHA1": 348, "FileHash-SHA256": 2662, "URL": 7850, "domain": 2245, "hostname": 3611, "SSLCertFingerprint": 4, "email": 10, "CIDR": 4 }, "indicator_count": 17084, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "4 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a16ab45548ef01419902c8f", "name": "Credit: Scoreblue - \"iOS Attack - Crouching Yeti: http://x.[com]/denverpolice/status/| CREATED 2 YEARS AGO MODIFIED 2 YEARS AGO by scoreblue Public", "description": "", "modified": "2026-05-27T08:28:53.256000", "created": "2026-05-27T08:28:53.256000", "tags": [ "sha256", "sha1", "pattern match", "ascii text", "document file", "v2 document", "crlf line", "size", "unicode", "beginstring", "null", "hybrid", "refresh", "body", "span", "local", "click", "strings", "error", "tools", "look", "verify", "restart", "contact", "external-resources", "dom-modification", "third-party-cookies", "iframes", "trackers", "text/html", "twitter", "final url", "ip address", "status code", "body length", "kb body", "headers", "deny", "express", "referrer", "impacting azure", "proofpoint", "sneaky server", "replacement", "unauthorized", "switch dns", "query", "vy binh", "hiddentear", "et tor", "known tor", "misc attack", "relayrouter", "exit", "node traffic", "date", "meta", "form", "submission", "expiresthu", "path", "secure", "self", "xcitium verdict", "cloud", "sophos", "history first", "analysis", "cp", "cyber", "threat", "redrum", "hit", "men", "triangulation", "historical ssl", "apt suspects", "critical cmd", "hide", "asyncrat", "jeremy", "government", "malicious", "yuming", "name servers", "united", "passive dns", "urls", "creation date", "search", "expiration date", "showing", "unknown", "next", "windows nt", "malware beacon", "memcommit", "generic http", "exe upload", "outbound", "etpro trojan", "show", "trojan", "copy", "write", "win32", "malware", "read c", "entries", "medium", "markus", "contentlength", "write c", "delete c", "create c", "yara detections", "scan endpoints", "all scoreblue", "filehash", "pulse pulses", "av detections", "ids detections", "alerts", "analysis date", "file score", "next pe", "as32934", "hitmen", "local government", "scene unit", "crime", "denver police", "address", "status", "aaaa", "apple", "less whois", "registrar", "wannacry", "http", "unique", "url https", "related nids", "code", "screenshot", "anity", "nsa", "shadow", "saudi telecom", "riyadh address", "saudi arabia", "abuse", "ripe", "company isp", "number", "label saudi", "telecom company", "jsc regional", "riyadh", "ripe ncc", "registry techc", "campus", "saudi", "ripe network", "domain", "internet se", "emails", "system", "server tsa", "b server", "certificate", "digicert inc", "moved", "record value" ], "references": [ "http://x.com/denverpolice/status/", "Redirects to >https://twitter.com/x/migrate?tok=eyJlIjoiL2RlbnZlcnBvbGljZS9zdGF0dXMvIiwidCI6MTcxNjcwMzc3M33oZya0EO4PtEbRwq4XZboX", "Redirects to https://twitter.com?mx=1", "IP address: 104.244.42.1 Hosting: Unknown Running on: Tsa B CMS: Express", "Crouching Yeti: Appendixes - according to source ArcSight Threat Intelligence", "https://otx.alienvault.com/indicator/file/00001aff2ea1acd6087f9fba8d8316d90d29e391d9969bc70cc607461467797e", "Alerts: nids_malware_alert network_icmp dumped_buffer network_cnc_http network_http network_http_post allocates_rwx", "Alerts: packer_entropy packer_upx antivm_memory_available pe_features", "Yara Detections: Yara Detections Nrv2x , UPX_OEP_place , UPX_Modified_Or_Inside , UPX20030XMarkusOberhumerLaszloMolnarJohnReiser , UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , Toxoplasmosis , UPX", "Packer UPX v0.89.6 - v1.02 / v1.05 -v1.24 -> Markus & Laszlo [overlay]", "Yara Detections: ConventionEngine_Term_Desktop , LZMA , mpress_2_xx_x86 , dbgdetect_procs", "pornhub.dev, http://matrix.pornhub.dev, https://twitter.com/PORNO_SEXYBABES, https://www.anon-v.com/porno/fenella/", "Hostname device-local-fb18804d-348e-49ea-8c17-cc8a29f18082.remotewd.com | 192.168.56.104: IPv4", "https://otx.alienvault.com/indicator/file/f7636eef1d9df0664cd0f205ad8864b659bf9898ce6231376778c4411986912e", "https://otx.alienvault.com/indicator/file/000054fa2b0d1004464350ee9acc40707fec51223dba36c702a3db4139af9717", "Domain: hicloudcam.com | https://otx.alienvault.com/indicator/hostname/alarmeu.sslproxy.gatewayvvlilly3lilly.alpha.hicloudcam.com", "originb0b.profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com | 108.160.165.139 Location: USA |ASN AS19679 dropbox inc. Nameservers ns-136.awsdns-17.com. ns-1518.awsdns-61.org. ,\u00a0 ns-1573.awsdns-04.co.uk. ,\u00a0 ns-809.awsdns-37.net. Less WHOIS Registrar: https://www.101domain.com/,\u00a0\u00a0 Creation Date: Oct 21, 2010 Related Pulses None Related Tags None Indicator Facts Running webserver External Resources Whois,\u00a0 UrlVoid,\u00a0 VirusTotal Analysis Related Pulses Comments (0) Whois Show 100 entr", "https://otx.alienvault.com/indicator/hostname/originb0b.profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com", "PATHETIC redirect: rainn.org | victims of violence & abuse disclose extremely sensitive details. Reported false information given to disorient victims.", "WannaCry | NSA -Anity Cert: https://otx.alienvault.com/indicator/url/https://www.antiy.com/response/Antiy_Wannacry_NSA.html", "WannaCry MS17-010 'Shadow' https://otx.alienvault.com/otxapi/indicators/url/screenshot/https://www.antiy.com/response/wannacry.html", "Command and Control IP: 5.41.21.250 | Location Saudi Arabia flag Jeddah, Saudi Arabia ASN AS39891 saudi telecom company jsc", "m.pornsexer.xxx.3.1.adiosfil.roksit.net", "uploads-cserver-alumni-profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win32/Vflooder.B Checkin", "display_name": "Win32/Vflooder.B Checkin", "target": null }, { "id": "Win.Malware.Vtflooder-6723768-0", "display_name": "Win.Malware.Vtflooder-6723768-0", "target": null }, { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "Win32/Vflooder.B vtapi DOS", "display_name": "Win32/Vflooder.B vtapi DOS", "target": null }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "Win.Trojan.Downloader-63174", "display_name": "Win.Trojan.Downloader-63174", "target": null }, { "id": "Clicker.BGOU", "display_name": "Clicker.BGOU", "target": null }, { "id": "Win.Trojan.Agent-752791", "display_name": "Win.Trojan.Agent-752791", "target": null }, { "id": "Win.Dropper.QQpass-9895638-0", "display_name": "Win.Dropper.QQpass-9895638-0", "target": null }, { "id": "Trojan:Win32/QQpass", "display_name": "Trojan:Win32/QQpass", "target": "/malware/Trojan:Win32/QQpass" }, { "id": "WannaCry", "display_name": "WannaCry", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1038", "name": "DLL Search Order Hijacking", "display_name": "T1038 - DLL Search Order Hijacking" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1470", "name": "Obtain Device Cloud Backups", "display_name": "T1470 - Obtain Device Cloud Backups" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" } ], "industries": [], "TLP": "green", "cloned_from": "66536881127f5ee988306394", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 350, "FileHash-SHA1": 348, "FileHash-SHA256": 2659, "URL": 7850, "domain": 2245, "hostname": 3611, "SSLCertFingerprint": 4, "email": 10, "CIDR": 4 }, "indicator_count": 17081, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "4 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a16ab3f9578fcc7ffd52a3a", "name": "Credit: Scoreblue - \"iOS Attack - Crouching Yeti: http://x.[com]/denverpolice/status/| CREATED 2 YEARS AGO MODIFIED 2 YEARS AGO by scoreblue Public", "description": "", "modified": "2026-05-27T08:28:47.467000", "created": "2026-05-27T08:28:47.467000", "tags": [ "sha256", "sha1", "pattern match", "ascii text", "document file", "v2 document", "crlf line", "size", "unicode", "beginstring", "null", "hybrid", "refresh", "body", "span", "local", "click", "strings", "error", "tools", "look", "verify", "restart", "contact", "external-resources", "dom-modification", "third-party-cookies", "iframes", "trackers", "text/html", "twitter", "final url", "ip address", "status code", "body length", "kb body", "headers", "deny", "express", "referrer", "impacting azure", "proofpoint", "sneaky server", "replacement", "unauthorized", "switch dns", "query", "vy binh", "hiddentear", "et tor", "known tor", "misc attack", "relayrouter", "exit", "node traffic", "date", "meta", "form", "submission", "expiresthu", "path", "secure", "self", "xcitium verdict", "cloud", "sophos", "history first", "analysis", "cp", "cyber", "threat", "redrum", "hit", "men", "triangulation", "historical ssl", "apt suspects", "critical cmd", "hide", "asyncrat", "jeremy", "government", "malicious", "yuming", "name servers", "united", "passive dns", "urls", "creation date", "search", "expiration date", "showing", "unknown", "next", "windows nt", "malware beacon", "memcommit", "generic http", "exe upload", "outbound", "etpro trojan", "show", "trojan", "copy", "write", "win32", "malware", "read c", "entries", "medium", "markus", "contentlength", "write c", "delete c", "create c", "yara detections", "scan endpoints", "all scoreblue", "filehash", "pulse pulses", "av detections", "ids detections", "alerts", "analysis date", "file score", "next pe", "as32934", "hitmen", "local government", "scene unit", "crime", "denver police", "address", "status", "aaaa", "apple", "less whois", "registrar", "wannacry", "http", "unique", "url https", "related nids", "code", "screenshot", "anity", "nsa", "shadow", "saudi telecom", "riyadh address", "saudi arabia", "abuse", "ripe", "company isp", "number", "label saudi", "telecom company", "jsc regional", "riyadh", "ripe ncc", "registry techc", "campus", "saudi", "ripe network", "domain", "internet se", "emails", "system", "server tsa", "b server", "certificate", "digicert inc", "moved", "record value" ], "references": [ "http://x.com/denverpolice/status/", "Redirects to >https://twitter.com/x/migrate?tok=eyJlIjoiL2RlbnZlcnBvbGljZS9zdGF0dXMvIiwidCI6MTcxNjcwMzc3M33oZya0EO4PtEbRwq4XZboX", "Redirects to https://twitter.com?mx=1", "IP address: 104.244.42.1 Hosting: Unknown Running on: Tsa B CMS: Express", "Crouching Yeti: Appendixes - according to source ArcSight Threat Intelligence", "https://otx.alienvault.com/indicator/file/00001aff2ea1acd6087f9fba8d8316d90d29e391d9969bc70cc607461467797e", "Alerts: nids_malware_alert network_icmp dumped_buffer network_cnc_http network_http network_http_post allocates_rwx", "Alerts: packer_entropy packer_upx antivm_memory_available pe_features", "Yara Detections: Yara Detections Nrv2x , UPX_OEP_place , UPX_Modified_Or_Inside , UPX20030XMarkusOberhumerLaszloMolnarJohnReiser , UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , Toxoplasmosis , UPX", "Packer UPX v0.89.6 - v1.02 / v1.05 -v1.24 -> Markus & Laszlo [overlay]", "Yara Detections: ConventionEngine_Term_Desktop , LZMA , mpress_2_xx_x86 , dbgdetect_procs", "pornhub.dev, http://matrix.pornhub.dev, https://twitter.com/PORNO_SEXYBABES, https://www.anon-v.com/porno/fenella/", "Hostname device-local-fb18804d-348e-49ea-8c17-cc8a29f18082.remotewd.com | 192.168.56.104: IPv4", "https://otx.alienvault.com/indicator/file/f7636eef1d9df0664cd0f205ad8864b659bf9898ce6231376778c4411986912e", "https://otx.alienvault.com/indicator/file/000054fa2b0d1004464350ee9acc40707fec51223dba36c702a3db4139af9717", "Domain: hicloudcam.com | https://otx.alienvault.com/indicator/hostname/alarmeu.sslproxy.gatewayvvlilly3lilly.alpha.hicloudcam.com", "originb0b.profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com | 108.160.165.139 Location: USA |ASN AS19679 dropbox inc. Nameservers ns-136.awsdns-17.com. ns-1518.awsdns-61.org. ,\u00a0 ns-1573.awsdns-04.co.uk. ,\u00a0 ns-809.awsdns-37.net. Less WHOIS Registrar: https://www.101domain.com/,\u00a0\u00a0 Creation Date: Oct 21, 2010 Related Pulses None Related Tags None Indicator Facts Running webserver External Resources Whois,\u00a0 UrlVoid,\u00a0 VirusTotal Analysis Related Pulses Comments (0) Whois Show 100 entr", "https://otx.alienvault.com/indicator/hostname/originb0b.profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com", "PATHETIC redirect: rainn.org | victims of violence & abuse disclose extremely sensitive details. Reported false information given to disorient victims.", "WannaCry | NSA -Anity Cert: https://otx.alienvault.com/indicator/url/https://www.antiy.com/response/Antiy_Wannacry_NSA.html", "WannaCry MS17-010 'Shadow' https://otx.alienvault.com/otxapi/indicators/url/screenshot/https://www.antiy.com/response/wannacry.html", "Command and Control IP: 5.41.21.250 | Location Saudi Arabia flag Jeddah, Saudi Arabia ASN AS39891 saudi telecom company jsc", "m.pornsexer.xxx.3.1.adiosfil.roksit.net", "uploads-cserver-alumni-profile-cassandra-5.redirectme.netoppofentryd.staging.0025-kr.ali.zomans.com" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win32/Vflooder.B Checkin", "display_name": "Win32/Vflooder.B Checkin", "target": null }, { "id": "Win.Malware.Vtflooder-6723768-0", "display_name": "Win.Malware.Vtflooder-6723768-0", "target": null }, { "id": "Win32:Trojan-gen", "display_name": "Win32:Trojan-gen", "target": null }, { "id": "Win32/Vflooder.B vtapi DOS", "display_name": "Win32/Vflooder.B vtapi DOS", "target": null }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "Win.Trojan.Downloader-63174", "display_name": "Win.Trojan.Downloader-63174", "target": null }, { "id": "Clicker.BGOU", "display_name": "Clicker.BGOU", "target": null }, { "id": "Win.Trojan.Agent-752791", "display_name": "Win.Trojan.Agent-752791", "target": null }, { "id": "Win.Dropper.QQpass-9895638-0", "display_name": "Win.Dropper.QQpass-9895638-0", "target": null }, { "id": "Trojan:Win32/QQpass", "display_name": "Trojan:Win32/QQpass", "target": "/malware/Trojan:Win32/QQpass" }, { "id": "WannaCry", "display_name": "WannaCry", "target": null } ], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1038", "name": "DLL Search Order Hijacking", "display_name": "T1038 - DLL Search Order Hijacking" }, { "id": "T1588", "name": "Obtain Capabilities", "display_name": "T1588 - Obtain Capabilities" }, { "id": "T1470", "name": "Obtain Device Cloud Backups", "display_name": "T1470 - Obtain Device Cloud Backups" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" } ], "industries": [], "TLP": "green", "cloned_from": "66536881127f5ee988306394", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 350, "FileHash-SHA1": 348, "FileHash-SHA256": 2659, "URL": 7850, "domain": 2245, "hostname": 3611, "SSLCertFingerprint": 4, "email": 10, "CIDR": 4 }, "indicator_count": 17081, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "4 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6608aaf7ca0e965e593ed1d4", "name": "MUI programu Microsoft Office Access (w j\u0119zyku angielskim) zosta\u0142o u\u017cyte do wys\u0142ania z\u0142o\u015bliwego oprogramowania na serwer w Czechach jest to pierwszy tego typu atak na komputer. e", "description": "A look back at some of the key words and phrases used to describe the situation in Italy, as \"probacja\" (or \"democrata), as they were translated into English.", "modified": "2025-10-17T11:03:07.034000", "created": "2024-03-31T00:14:47.183000", "tags": [ "sha256", "ssdeep", "reputacja", "tworzy pliki", "informacje", "bardzo duga", "tworzy", "adresy url", "tworzy katalog", "win64", "ameryki", "typ pliku", "serwer nazw", "san jose", "adres", "digital", "data wyganicia", "csc corporate", "domains", "ca data", "data utworzenia", "dnssec" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6432, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 3, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2140, "hostname": 5874, "FileHash-SHA256": 12539, "FileHash-MD5": 3686, "FileHash-SHA1": 2751, "IPv4": 503, "URL": 10770, "email": 26, "CVE": 88, "YARA": 6, "JA3": 2, "IPv6": 28, "SSLCertFingerprint": 5, "BitcoinAddress": 3, "CIDR": 1 }, "indicator_count": 38422, "is_author": false, "is_subscribing": null, "subscriber_count": 144, "modified_text": "226 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "689af6a1704fa2745bc8c2a3", "name": "Hijacked Twitter / X.com account. Phishing | Abnormal use", "description": "Hijacked phishing Twitter/ X.com.\nWin32/Unruy.C Activity\n#phishing #hijacked #intercoms #unruy #trojan #VTflood #malware #attack", "modified": "2025-09-11T08:02:36.759000", "created": "2025-08-12T08:09:05.642000", "tags": [ "log id", "gmtn", "secure", "tls web", "passive dns", "urls", "path", "self", "encrypt", "ca issuers", "false", "search", "read c", "united", "entries", "show", "showing", "msie", "windows nt", "wow64", "slcc2", "copy", "write", "suspicious", "malware", "unknown", "process32nextw", "shellexecuteexw", "medium process", "discovery t1057", "t1057", "discovery", "medium", "locally unique", "identifier", "veailmboprd", "next associated", "ipv4 add", "pulse pulses", "files", "asn as13335", "dns resolutions", "domains top", "smoke loader", "trojan", "body", "learn", "ck id", "name tactics", "informative", "adversaries", "command", "spawns", "ssl certificate", "execution att", "show process", "programfiles", "command decode", "flag", "suricata ipv4", "mitre att", "show technique", "ck matrix", "date", "comspec", "model", "twitter", "august", "hybrid", "general", "click", "strings" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 31, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1504, "FileHash-SHA256": 1232, "SSLCertFingerprint": 14, "domain": 245, "hostname": 526, "FileHash-MD5": 43, "FileHash-SHA1": 38 }, "indicator_count": 3602, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "262 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68451577ada8bb0aa0834edb", "name": "X - Business Social Media Account used to attack victim", "description": "Victims business social media accounts deleted. Used to commit malicious activity against businesses, espionage , financial abuse.", "modified": "2025-07-08T04:03:04.386000", "created": "2025-06-08T04:45:43.423000", "tags": [ "trojan", "ids detections", "yara detections", "alerts", "analysis date", "file score", "upxoepplace", "pulses none", "related tags", "none file", "markus", "april", "win32", "copy", "usvwu", "usvw", "high", "medium", "show", "uss c", "binary file", "yara", "write", "delphi", "enigma", "present mar", "aaaa", "united", "passive dns", "date", "present nov", "moved", "urls", "creation date", "entries", "body", "trojandropper", "susp", "msr jul", "next associated", "pulse pulses", "mtb jun", "backdoor", "content length", "html document", "ascii text", "search", "internalname", "entries pe", "showing", "filehash", "md5 add", "av detections", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "mitre att", "ck techniques", "copy md5", "copy sha1", "copy sha256", "sha1", "sha256", "pattern match", "size", "encrypt", "june", "hybrid", "local", "path", "click", "twitter", "strings", "url https", "url http", "report spam", "created", "hours ago", "bad actor", "ck ids", "t1057", "discovery", "t1071", "amer", "ipv4", "indicator role", "title added", "active related", "pulses", "china", "hong kong", "russia", "type indicator", "role title", "added active", "related pulses", "pulses url", "filehashsha256", "url add", "http", "ip address", "related nids", "files location", "flag united", "domain", "hostname", "next", "filehashmd5", "protocol", "t1105", "tool transfer", "t1480" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 637, "FileHash-SHA1": 639, "FileHash-SHA256": 5380, "domain": 676, "hostname": 1120, "URL": 1031, "SSLCertFingerprint": 4 }, "indicator_count": 9487, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "327 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6843fe89793d0ef8e2afc34d", "name": "Deleted SocialMedia", "description": "Bad Actor Deleted SocialMedia account found in breach forum.", "modified": "2025-07-07T08:03:42.325000", "created": "2025-06-07T08:55:37.612000", "tags": [ "body", "secure", "self", "path", "date sat", "gmt contenttype", "connection", "accept", "gmt pragma", "deny", "maxage34214400", "learn", "spawns", "command", "ck id", "name tactics", "suspicious", "informative", "adversaries", "ssl certificate", "found", "copy sha256", "copy md5", "copy sha1", "sha1", "sha256", "size", "type data", "ascii text", "pattern match", "mitre att", "show technique", "ck matrix", "file", "indicator", "show process", "encrypt", "june", "hybrid", "local" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1628, "domain": 58, "URL": 390, "hostname": 204, "FileHash-MD5": 84, "FileHash-SHA1": 88, "SSLCertFingerprint": 4 }, "indicator_count": 2456, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "328 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "681386d75c34469176686756", "name": "x.com/KulinskiArkadi", "description": "", "modified": "2025-05-31T14:01:10.044000", "created": "2025-05-01T14:36:07.422000", "tags": [ "script", "etag", "sharing", "cors", "mediatype", "mediasubtype", "contenttype", "header", "combination", "compression", "encrypt", "cookie", "critical", "twitter", "iframe", "insert", "info", "error", "suspicious", "find", "screen", "grok", "body" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 471, "CIDR": 34, "FileHash-MD5": 9, "FileHash-SHA1": 5, "FileHash-SHA256": 1177, "domain": 214, "hostname": 430, "email": 2 }, "indicator_count": 2342, "is_author": false, "is_subscribing": null, "subscriber_count": 123, "modified_text": "365 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6759e015bddb89de26c4219a", "name": "fonts.gstatic.com/s/opensans/v15/mem8YaGs126MiZpBA-UFVZ0b.woff2", "description": "The full text of the text above the line of this page, which has been published by BBC Radio 5 live, can be viewed by the BBC iPlayer, iplayer, app and website.", "modified": "2025-05-14T21:24:40.387000", "created": "2024-12-11T18:55:17.578000", "tags": [ "callnexthookex", "callwindowprocw", "createbitmap", "createfilea", "createwindowexw", "decodepointer", "defwindowprocw", "destroywindow", "enablewindow", "encodepointer", "cachebuster", "or requesturl", "url praca", "opswatreputacja", "ssdeep", "brak", "blob", "indie", "hetzner online", "gmbh", "helsinki", "niemcy", "finlandia", "globe telecoms", "ovh hosting", "zredagowano dla", "prywatnoci" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 3, "FileHash-SHA1": 3, "URL": 378, "domain": 43, "hostname": 151, "FileHash-MD5": 2, "IPv4": 36 }, "indicator_count": 616, "is_author": false, "is_subscribing": null, "subscriber_count": 123, "modified_text": "381 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://t.co/1/i/adsct", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://t.co/1/i/adsct", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780237650.2744088 }