{
"type": "URL",
"indicator": "https://thegcptest.com",
"general": {
"sections": [
"general",
"url_list",
"http_scans",
"screenshot"
],
"indicator": "https://thegcptest.com",
"type": "url",
"type_title": "URL",
"validation": [],
"base_indicator": {
"id": 3296792038,
"indicator": "https://thegcptest.com",
"type": "URL",
"title": "",
"description": "",
"content": "",
"access_type": "public",
"access_reason": ""
},
"pulse_info": {
"count": 18,
"pulses": [
{
"id": "69a9cd444aa144401d0c4988",
"name": "Pools Open",
"description": "",
"modified": "2026-04-15T19:21:28.851000",
"created": "2026-03-05T18:36:52.014000",
"tags": [
"Timothy Pool",
"Christopher Pool",
"Pool's Closed"
],
"references": [
"Pool Closed",
"Pool's Closed"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [],
"attack_ids": [
{
"id": "T1546",
"name": "Event Triggered Execution",
"display_name": "T1546 - Event Triggered Execution"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
}
],
"industries": [
"Media",
"ad fraud"
],
"TLP": "white",
"cloned_from": "5fa57698ac0f6638b7b9a8ba",
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 8098,
"URL": 23428,
"hostname": 9592,
"domain": 4727,
"SSLCertFingerprint": 22,
"FileHash-MD5": 696,
"FileHash-SHA1": 457,
"CIDR": 78,
"email": 3,
"CVE": 2
},
"indicator_count": 47103,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 50,
"modified_text": "4 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69a9cad6633206ba1204cf8f",
"name": "clone school board ",
"description": "",
"modified": "2026-03-06T11:26:19.137000",
"created": "2026-03-05T18:26:30.062000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": "6211397913dcdae410959042",
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 2975,
"URL": 9041,
"domain": 2214,
"FileHash-SHA256": 3044,
"FileHash-MD5": 280,
"FileHash-SHA1": 327,
"CIDR": 6,
"email": 64,
"CVE": 24,
"SSLCertFingerprint": 6
},
"indicator_count": 17981,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 48,
"modified_text": "44 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69a9cad78745fdea3001aec9",
"name": "clone school board ",
"description": "",
"modified": "2026-03-06T05:11:24.929000",
"created": "2026-03-05T18:26:31.303000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": "6211397913dcdae410959042",
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 2975,
"URL": 9041,
"domain": 2214,
"FileHash-SHA256": 3044,
"FileHash-MD5": 280,
"FileHash-SHA1": 327,
"CIDR": 6,
"email": 64,
"CVE": 24,
"SSLCertFingerprint": 6
},
"indicator_count": 17981,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 49,
"modified_text": "44 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6964c08bf79bcb252eaa9e15",
"name": "TrojanSpy - Spotify account under an attack which conceals artists releases / deletes followers",
"description": "Spotify Attacks: TrojanSpy - Streamer Spotify account under an attack which conceals artists releases / deletes followers. The attack is adversarial. I\u2019m unclear how widespread it is. . Further research required. OTX auto generated Pegasus. Released work that was once viewable is now concealed, followers deleted.\n#cloudfront #spyware #delete_service #cloudfront_attacks",
"modified": "2026-02-11T09:03:20.933000",
"created": "2026-01-12T09:36:11.701000",
"tags": [
"google",
"fastly",
"googlecl",
"january",
"http",
"domain",
"akamaias",
"cloudflar",
"page url",
"de summary",
"april",
"reverse dns",
"url https",
"general full",
"software",
"united",
"resource hash",
"protocol h3",
"security quic",
"protocol h2",
"security tls",
"main",
"present jan",
"title",
"gmt max",
"certificate",
"moved",
"lowfi",
"gmt content",
"meta",
"present dec",
"status",
"aaaa",
"passive dns",
"urls",
"search",
"expiration date",
"win32",
"files",
"verdict",
"files ip",
"address",
"mtb jan",
"trojandropper",
"backdoor",
"win32upatre jan",
"origin trial",
"gmt cache",
"443 ma2592000",
"possible",
"worm",
"trojan",
"ip address",
"record value",
"dark",
"found",
"ipv4 add",
"error",
"trojanspy",
"emails",
"servers",
"pegasus",
"america flag",
"america asn",
"tlsv1",
"read c",
"show",
"medium",
"lstockholm",
"ospotify ab",
"odigicert inc",
"execution",
"next",
"dock",
"write",
"persistence",
"dynamicloader",
"yara rule",
"ms windows",
"pe32",
"named pipe",
"smartassembly",
"delphi",
"malware",
"united states",
"pe file",
"filehash",
"md5 add",
"av detections",
"ids detections",
"yara detections",
"alerts",
"high",
"write c",
"tls sni",
"tls handshake",
"delete",
"as15169",
"stun binding",
"request",
"port",
"win64",
"themida",
"guard",
"risepro",
"sha256",
"sha1",
"pattern match",
"ascii text",
"size",
"mitre att",
"ck id",
"null",
"refresh",
"span",
"hybrid",
"general",
"local",
"path",
"click",
"strings",
"tools",
"look",
"verify",
"restart",
"learn",
"command",
"name tactics",
"suspicious",
"informative",
"spawns",
"ck techniques",
"evasion att",
"t1480 execution",
"directui",
"element",
"hwndhost",
"classinfobase",
"hwndelement",
"value",
"explorer",
"insert",
"movie",
"hacktool",
"showing",
"entries http",
"scans show",
"california",
"location united",
"next associated",
"pulse pulses",
"name servers",
"found request",
"unique",
"url add",
"related nids",
"files location",
"expiration",
"flag united",
"present nov",
"present sep",
"href",
"suricata stream",
"command decode",
"starfield",
"encrypt",
"iframe",
"date",
"title error",
"hostname",
"pulse submit",
"memcommit",
"checks",
"windows",
"capture",
"cloudfront",
"colorado",
"creation date",
"hostname add",
"eset",
"binary file",
"pdb path",
"internalname",
"nod32",
"amon"
],
"references": [
"open.spotify.com \u2022",
"https://open.spotify.com/intl-de/track/5KjB1j0u54VXg6M8SN8hH2",
"https://open.spotify.com/track/5KjB1j0u54VXg6M8SN8hH2",
"FileHash-SHA256 cb40cd426d6e55c2b175b5be3327bfdf8d5a0074bf48b823121bd4720ed2ad95",
"events.launchdarkly.com \u2022 clientstream.launchdarkly. \u2022 app.launchdarkly.com",
"https://target.tccwest.www.littleswimmers.fr/",
"www.onyx-ware.com \u2022 endgamesystems.com",
"cloudfront.net \u2022 d127qq8ld0aiq5.cloudfront.net"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Win.Packed.Stealerc-10017074-0",
"display_name": "Win.Packed.Stealerc-10017074-0",
"target": null
},
{
"id": "#Lowfi:Win32/AutoIt",
"display_name": "#Lowfi:Win32/AutoIt",
"target": "/malware/#Lowfi:Win32/AutoIt"
},
{
"id": "Win.Packed.Generic-9967832-0",
"display_name": "Win.Packed.Generic-9967832-0",
"target": null
},
{
"id": "TrojanSpy:MSIL/Yakbeex.A",
"display_name": "TrojanSpy:MSIL/Yakbeex.A",
"target": "/malware/TrojanSpy:MSIL/Yakbeex.A"
},
{
"id": "Pegasus",
"display_name": "Pegasus",
"target": null
},
{
"id": "Win32:HacktoolX-gen\\ [Trj]",
"display_name": "Win32:HacktoolX-gen\\ [Trj]",
"target": null
},
{
"id": "nUFS_unicode",
"display_name": "nUFS_unicode",
"target": null
},
{
"id": "HackTool:Win32/CobaltStrike.A",
"display_name": "HackTool:Win32/CobaltStrike.A",
"target": "/malware/HackTool:Win32/CobaltStrike.A"
},
{
"id": "Win.Dropper.PoisonIvy-9876745-0",
"display_name": "Win.Dropper.PoisonIvy-9876745-0",
"target": null
},
{
"id": "Trojan:Win32/Zombie.A",
"display_name": "Trojan:Win32/Zombie.A",
"target": "/malware/Trojan:Win32/Zombie.A"
},
{
"id": "Win.Trojan.Barys-10005825-0",
"display_name": "Win.Trojan.Barys-10005825-0",
"target": null
}
],
"attack_ids": [
{
"id": "T1102",
"name": "Web Service",
"display_name": "T1102 - Web Service"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "TA0003",
"name": "Persistence",
"display_name": "TA0003 - Persistence"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1587.001",
"name": "Malware",
"display_name": "T1587.001 - Malware"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1189",
"name": "Drive-by Compromise",
"display_name": "T1189 - Drive-by Compromise"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "TA0037",
"name": "Command and Control",
"display_name": "TA0037 - Command and Control"
}
],
"industries": [
"Entertainment",
"Technology"
],
"TLP": "white",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 1293,
"URL": 3389,
"FileHash-MD5": 635,
"FileHash-SHA1": 531,
"FileHash-SHA256": 2345,
"domain": 501,
"email": 12,
"SSLCertFingerprint": 16
},
"indicator_count": 8722,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 138,
"modified_text": "67 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69640c0afc9805a6fa2da07b",
"name": "MUSO.AI Malware \u2018Incredimail\u2019 Palantir in use[OTX auto populated title -Tsara Brashears]",
"description": "MUSO.Ai , Is have to do more research. Some searches on reports MUSO as an opt in resource for artist to view, sort, and manage legacy credits, MUSO also collects royalties. Research and investigation confirms no one on music team is associated with or l thinks they may have heard of MUSO. Is MUSO. AI Palantir customer or service ,spy app services by the folks at Palantir. . [otx auto pop praise: Tsara Brashears is the most popular songwriter in the world, but can you use the app to find out more about the artist and the musicians behind the tracks?] cute. \n#dembiak #palantir #muso #ai",
"modified": "2026-02-10T20:03:47.214000",
"created": "2026-01-11T20:46:02.176000",
"tags": [
"lark kdence",
"zack dare",
"zafira",
"jon bonus",
"andy flebbe",
"div div",
"present nov",
"a domains",
"united",
"script urls",
"div a",
"script domains",
"discover",
"moved",
"insert",
"x0 tw",
"urls",
"cloudfront x",
"title error",
"url analysis",
"reverse dns",
"servers",
"name servers",
"united states",
"all ipv4",
"aaaa",
"ip address",
"learn",
"command",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"spawns",
"evasion att",
"t1480 execution",
"ascii text",
"mitre att",
"pattern match",
"null",
"error",
"click",
"hybrid",
"general",
"local",
"path",
"starfield",
"strings",
"refresh",
"tools",
"meta",
"onload",
"span",
"data upload",
"extraction",
"type",
"extra",
"referen https",
"include review",
"exclude sugges",
"stop",
"aivoes typ",
"passive dns",
"date",
"united states",
"status",
"domain add",
"files",
"hostname",
"read c",
"medium",
"search",
"show",
"memcommit",
"high",
"checks",
"windows",
"delete",
"execution",
"dock",
"write",
"persistence",
"capture",
"next",
"amazon02",
"as autonomous",
"system",
"asn16509",
"domain",
"current dns",
"a record",
"as16509",
"december",
"ip information",
"ipasns ip",
"google",
"fastly",
"googlecl",
"akamaias",
"cloudflar",
"domain tree",
"links ip",
"address as",
"cisco",
"umbrella rank",
"general full",
"url https",
"software",
"resource hash",
"protocol h2",
"security tls",
"hostname add",
"challengescript",
"captchascript",
"name",
"value",
"source level",
"url text",
"automatic",
"webgl",
"please",
"extr data",
"data",
"size",
"title",
"yara detections",
"filehash",
"av detections",
"ids detections",
"alerts",
"analysis date",
"file score",
"low risk",
"entries",
"rgba",
"unicode",
"asnone",
"malware",
"port",
"destination",
"tlsv1",
"tls handshake",
"failure",
"roboto",
"msie",
"windows nt",
"wow64",
"slcc2",
"media center",
"expiration",
"url http",
"no expiration",
"present jan",
"unknown ns",
"certificate",
"body",
"present oct",
"present may",
"present dec",
"present sep",
"present feb",
"showing",
"next associated",
"all se",
"pulse pulses",
"http",
"files domain",
"files related",
"pulses none",
"debiak",
"tsara brashears",
"ai",
"palantir",
"muso ai",
"sort",
"artists",
"royalties",
"music",
"songwriter",
"collect",
"view",
"malicious app",
"false claims"
],
"references": [
"https://credits.muso.ai/profile/ad62a9c1-de4a-4b3a-91d4-8f1ca6b5ad7a",
"22.hio52.r.cloudfront.net",
"us-gov-west-1.gov.reveal-global.com",
"us-g0v-wact-1anvrav\u0645al=\u0635\u0639 \u0627\u062d\u0637\u0645\u0644\u0647",
"MD5 be5eae9bd85769bce02d6e52a4927bcd Pulses Integrations C EXIF Data: HTML:Title\tINetSim default HTML page",
"External Hosts Israel Unique Countries 2 Unique ASNs 2 IP",
"ASN 82.80.204.63 www5.incredimail.com \u2022 Israel",
"United States | ASNone 82.80.204.5 cen.incredibar.com \u2022 Israel",
"AS8551 bezeq international-Itd 3.163.24.31 www5l.incredimail.com \u2022 Israel",
"Antivirus Detections: Win.Malware.Incredimail-6804483-0 IDS Detections: Misspelled Mozilla User-Agent (Mozila)",
"IP\u2019s Contacted : 82.80.204.63 3.163.24.31 82.80.204.5",
"Domains Contacted: cen.incredibar.com www5l.incredimail.com www5.incredimail.com",
"medallion-compute.washington.palantircloud.com \u2022 graviera-compute.palantirfedstart.com",
"caerphilly-containers.palantirfedstart.com \u2022 equilibrium.palantirfoundry.com \u2022 palantirfoundry.com",
"upstreamx.palantirfoundry.com \u2022 https://usw-2-dev.palantirfoundry.com",
"https://upstreamx.palantirfoundry.com \u2022 edwards.palantirfoundry.com \u2022 stagwellmarketingcloud.palantirfoundry.com",
"https://paloma.palantirfoundry.com/workspace/data-health/redirect/ri.foundry.main.dataset.ce31c01d-0b84-4e29-906f-1b8057568d49/master",
"https://paloma.palantirfoundry.com/workspace/data-health/redirect/ri.foundry.main.dataset.878cb49b-395c-4c82-8db8-5e2bb0e628ce/master",
"https://paloma.palantirfoundry.com https://lucyw.palantirfoundry.com \u2022 http://edwards.palantirfoundry.com/",
"http://dasima-containers.palantirfoundry.com \u2022 http://usw-2-dev.palantirfoundry.com",
"https://kt-presales.palantirfoundry.co \u2022 https://glare.palantirfoundry.com",
"engage.palantirfoundry.com \u2022 http://engage.palantirfoundry.com",
"https://equilibrium.palantirfoundry.com \u2022\u2019https://engage.palantirfoundry.com",
"http://upstreamx.palantirfoundry.com/ \u2022 https://equilibrium.palantirfoundry.com/",
"https://glare.pali om. \u2022 http://engage.palantirfou?",
"What? patch.virtualworldweb.com \u2022 s.palantirfoundry.com \u2022 http://u tirfoundry.co",
"(patch.virtualworldweb.com) why does this sound so creepy? DIT , simulation, OWO ,sentient weird.",
"www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process\t\u2022",
"www.endgame \u2022 http://battlefront.com/matrixgames.html \u2022 prometheus.services.myscript.com - Wild!",
"campdeadwood2026.com",
"http://www.mobile-connection-alert.fyi/eb/bn/bn-9-nopop/9-nopop-1.html?var=&var2=&var3=$device=MOBILE&brand=Apple&model=iPhone&city=San%20Antonio&os=IOS&osversion=IOS%2011.4&country=US&countryname=United%20States&carrier=&referrerdomain=&language=en&connectiontype=CABLE&ip=76.185.246.58®ion=Texas&cep=W-gWTncHS9Jzl2WpUnQW3DI5dgjcKdwNWM11yWj-BtNBDFNTD52Baezh0F6DNui3qOYcu9zUPktlUvTulBlF6GONqMgW0w5NXdG42lOJGAp8P79kEUkAM3xGHBcIuf2PfSpz0mTGxnhbXyAteh4g-wCUR45SdW6fMtSANbFpDDpNDCq8LpN8mLeQJjdLUA_TGOXW9mubTgOyAGy",
"Pornhub to your phone. Dumping or by request?",
"https://soerkvingo.msnstyle.dk/vaginas-escort-girl-ukraina-pure-nudisme-dyresex-noveller-sukker-pris-porno-med-norsk-tale/",
"www.killer333.club So I\u2019m right."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Win.Malware.Incredimail-6804483-0",
"display_name": "Win.Malware.Incredimail-6804483-0",
"target": null
}
],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "TA0003",
"name": "Persistence",
"display_name": "TA0003 - Persistence"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1036.004",
"name": "Masquerade Task or Service",
"display_name": "T1036.004 - Masquerade Task or Service"
},
{
"id": "TA0028",
"name": "Persistence",
"display_name": "TA0028 - Persistence"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
},
{
"id": "T1017",
"name": "Application Deployment Software",
"display_name": "T1017 - Application Deployment Software"
},
{
"id": "T1587.001",
"name": "Malware",
"display_name": "T1587.001 - Malware"
},
{
"id": "T1608.001",
"name": "Upload Malware",
"display_name": "T1608.001 - Upload Malware"
},
{
"id": "T1598",
"name": "Phishing for Information",
"display_name": "T1598 - Phishing for Information"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 10686,
"hostname": 2427,
"domain": 1094,
"FileHash-MD5": 175,
"FileHash-SHA1": 65,
"FileHash-SHA256": 1118,
"email": 4,
"SSLCertFingerprint": 14
},
"indicator_count": 15583,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 144,
"modified_text": "68 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "5fa57698ac0f6638b7b9a8ba",
"name": "Pool's Closed",
"description": "Two paupers from the meadow spring forth an upheaval of nasty sites on the world wide web.",
"modified": "2025-12-27T05:02:34.910000",
"created": "2020-11-06T16:15:20.139000",
"tags": [
"Timothy Pool",
"Christopher Pool",
"Pool's Closed"
],
"references": [
"Pool Closed",
"Pool's Closed"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [],
"attack_ids": [
{
"id": "T1546",
"name": "Event Triggered Execution",
"display_name": "T1546 - Event Triggered Execution"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
}
],
"industries": [
"Media",
"ad fraud"
],
"TLP": "white",
"cloned_from": null,
"export_count": 61,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 4,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scnrscnr",
"id": "126475",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_126475/resized/80/avatar_67ca5b7bae.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 8098,
"URL": 23426,
"hostname": 9590,
"domain": 4727,
"SSLCertFingerprint": 22,
"FileHash-MD5": 696,
"FileHash-SHA1": 457,
"CIDR": 78,
"email": 3,
"CVE": 2
},
"indicator_count": 47099,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 133,
"modified_text": "113 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "67576b4cdaafecfac733fac4",
"name": "http://pit.waw.pl skrypt w pliku://C:/28f67ac2f4875f36aeb31e181e2d2d50f84b5c0791afa4b7bd6987cf00e95186.html.html http://ww53.cookiesinfo.com/",
"description": "MS Office Excel 2016\n0x2491:$h_raw1: /javascript\n0x289d:$h_raw1: /javascript\n0x2dd0:$h_raw1: /javascript\n0x182a6:$h_raw1: /javascript\n0x18dc0:$h_raw1: /javascript\n0x1a072:$h_raw1: /javascript\n0x1ad72:$h_raw1: /javascript\n0x222e6:$h_raw1: /javascript\n0x22870:$h_raw1: /javascript\n0x23lut:$h_raw1: /javascript\nskrypt w pliku://C:/28f67ac2f4875f36aeb31e181e2d2d50f84b5c0791afa4b7bd6987cf00e95186.html.html",
"modified": "2025-05-14T20:46:38.021000",
"created": "2024-12-09T22:12:28.252000",
"tags": [
"grudzie",
"typ zawartoci",
"linux x8664",
"khtml",
"gecko",
"metoda",
"adres url",
"poczenie",
"dugo treci",
"dostawa artnet",
"sha1",
"sha256",
"microsoft",
"microsoft store",
"office",
"robisz",
"zakupy w",
"dla firm",
"family",
"internetem",
"kliknij tutaj",
"microsoft i",
"bony",
"jaka",
"android",
"utc1 html",
"utc1",
"utc1 gif",
"plik",
"utc1 popieprzy",
"javascript",
"or requesturl",
"or filehash",
"maxradlinklen50",
"type3",
"june",
"copyright",
"t1027",
"warto",
"muid warto",
"mr warto",
"warto clid",
"anonchk warto"
],
"references": [
"http://office.microsoft.com/pl-pl/try/"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 12,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Arek-BTC",
"id": "212764",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 56,
"hostname": 96,
"URL": 348,
"FileHash-SHA256": 313,
"FileHash-MD5": 22,
"FileHash-SHA1": 12,
"IPv4": 11,
"YARA": 2
},
"indicator_count": 860,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 122,
"modified_text": "340 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6769beaee1a21227b5411707",
"name": "svchost.com",
"description": "if(3.0) =t+o, i, as a result of an error, if i=0, is any longer than a single word, then i(i) is a",
"modified": "2025-01-08T01:55:33.905000",
"created": "2024-12-23T19:49:02.840000",
"tags": [
"remoteurl",
"remoteip",
"65535",
"error",
"date",
"fingerprintjs",
"typeof e",
"promise",
"copyright",
"murmurhash3",
"karan lyons",
"msstream",
"click",
"whasz"
],
"references": [
"https://svchost.com/js/fingerprint/iife.min.js",
"http://ww16.test.windows.svchost.com/?sub1=20231019-1240-0363-984e-cb61eec5c9c7",
"http://svchost.com/?fp=-3",
"http://svchost.com/?fp=c9ef88c56cbdd266b94e81c85887b3b5",
"http://svchost.com/"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Arek-BTC",
"id": "212764",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 84,
"FileHash-SHA1": 80,
"FileHash-SHA256": 424,
"IPv4": 1,
"URL": 131,
"hostname": 45,
"domain": 16
},
"indicator_count": 781,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 122,
"modified_text": "466 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6722a579c257c8968664233a",
"name": "VirusTotal Graph - Hidden Hidden - 173[.]194[.]195[.]94 - 10.30.24",
"description": "VirusTotal Graph - Hidden Hidden - 173[.]194[.]195[.]94 - 10.30.24\nGraph Not Expanded, Not enriched on import to OTX",
"modified": "2024-11-29T21:03:08.719000",
"created": "2024-10-30T21:30:33.413000",
"tags": [
"entity",
"Certificates",
"Hidden",
"Malcerts"
],
"references": [
"https://www.virustotal.com/graph/embed/g33a1f2bab7074974aae7dcceef6a1db455f36c107676407d898b41474d9c2bdd?theme=dark",
"https://www.filescan.io/uploads/6722a6a96f9ec335191c8490/reports/b1fe9f64-f3e5-464b-8f04-6da3faa0397f/overview"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Canada"
],
"malware_families": [],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
}
],
"industries": [
"Technology",
"Education",
"Government",
"Healthcare"
],
"TLP": "white",
"cloned_from": null,
"export_count": 19,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 5,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Disable_Duck",
"id": "244325",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 15,
"FileHash-SHA1": 15,
"FileHash-SHA256": 119,
"URL": 82,
"domain": 13,
"hostname": 20
},
"indicator_count": 264,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 129,
"modified_text": "506 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6684ddb81f457884672174ce",
"name": "Suss & Suspicious dlls",
"description": "The full text of the dlls - 07.02.24 - has been published on the website of MSPs.bing.mm.net, with the title \"msedge\". (autopop)\nNoVirusThanks dll Tool:\n13 Suspicious - Threw these into VT -> Made a pretty Graph -> Added to VT Collection\n74 unsigned - didn't touch on these so much (cert probs)\nOG Log File:\n902414559e7f9184ed74685e6ad34ed59abe865bd75f6bc8233da00389d776b4\n07.02.24 - dos - DLLExplorer.log -> Tossed into AlienVault w. the VT Collection and some magic happened",
"modified": "2024-08-23T15:00:34.872000",
"created": "2024-07-03T05:12:24.970000",
"tags": [
"entity",
"please",
"javascript",
"suss",
"hidden",
"false file",
"description",
"hash",
"suspicious",
"duck duck",
"comodo security",
"solutions",
"inc hash",
"intel",
"compiler",
"loader"
],
"references": [
"https://www.virustotal.com/graph/embed/g993ffeadf3fd4998ab224cfe2c747905168b064bf4ca43c8aaebcbfa1218cd32?theme=dark",
"https://www.virustotal.com/gui/collection/2b4bc65a1e84ddb7b105db1d321d35473978d8a0f29fe78f54400f08a3d8caff/summary",
"https://www.virustotal.com/gui/collection/2b4bc65a1e84ddb7b105db1d321d35473978d8a0f29fe78f54400f08a3d8caff/iocs",
"https://www.virustotal.com/gui/collection/2b4bc65a1e84ddb7b105db1d321d35473978d8a0f29fe78f54400f08a3d8caff/graph",
"07.02.24 - dos - DLLExplorer.log"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"Canada"
],
"malware_families": [],
"attack_ids": [
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
}
],
"industries": [
"Technology",
"Education",
"Telecommunications"
],
"TLP": "white",
"cloned_from": null,
"export_count": 26,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Disable_Duck",
"id": "244325",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 3627,
"FileHash-SHA1": 937,
"FileHash-SHA256": 28560,
"hostname": 5477,
"domain": 8215,
"URL": 10147,
"email": 7,
"CIDR": 2
},
"indicator_count": 56972,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 132,
"modified_text": "604 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "655bb326c4023eb59c1f73b9",
"name": "WebToolbar",
"description": "\"Domain Seized - http://server3.elgenero.com/cgi-bin/xdown.cgi\"\nDomain stated ' SEIZED' by Department of Homeland Security is a 'HOAX' \nLink leads to a new domain with same behavior: http://server3.elgenero.com/iprc_seized_banner.png",
"modified": "2023-12-20T19:02:04.107000",
"created": "2023-11-20T19:27:34.827000",
"tags": [
"no data",
"tag count",
"threat report",
"ip summary",
"url summary",
"summary",
"sample",
"samples",
"detection list",
"blacklist",
"spammer",
"firehol",
"united",
"anonymizer",
"team proxy",
"cyber threat",
"team http",
"attacker",
"maltiverse http",
"phishing site",
"malware",
"team",
"phishing",
"malicious",
"facebook",
"service",
"bank",
"panama",
"suppobox",
"asyncrat",
"cobalt strike",
"cve201711882",
"cisco umbrella",
"heur",
"site",
"alexa top",
"million",
"safe site",
"alexa",
"malicious site",
"malware site",
"riskware",
"exploit",
"artemis",
"iframe",
"unsafe",
"agent",
"win64",
"zbot",
"fakealert",
"conduit",
"crack",
"back",
"download",
"acint",
"installpack",
"xtrat",
"nircmd",
"psexec",
"occamy",
"brontok",
"zpevdo",
"startpage",
"nanocore",
"keygen",
"fareit",
"secrisk",
"unruy",
"filetour",
"installcore",
"floxif",
"cleaner",
"patcher",
"opencandy",
"adload",
"presenoker",
"wacatac",
"swrort",
"fusioncore",
"pony",
"applicunwnt",
"union",
"webtoolbar",
"trojanspy",
"maltiverse",
"blacklist http",
"ssl certificate",
"execution",
"whois record",
"contacted",
"whois whois",
"historical ssl",
"communicating",
"referrer",
"pe resource",
"resolutions",
"hacktool",
"emotet",
"agent tesla",
"love",
"mirai",
"satacom",
"probe",
"critical",
"copy",
"dark power",
"core",
"chaos",
"ransomexx",
"quasar",
"malvertizing",
"spyware",
"cnc",
"trojan",
"phishing",
"botnetwork",
"fraud services",
"defacement",
"department of homeland security hoax banner",
"tulach",
"sabey",
"targeting",
"cyber threat",
"tsara brashears",
".gov",
"dhs",
"fbi",
"interpol",
"doj",
"nypd",
"dpd",
"irs",
"nsa",
"cia",
"soc",
"hacker"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "WebToolbar",
"display_name": "WebToolbar",
"target": null
},
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 37,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 573,
"FileHash-SHA1": 327,
"FileHash-SHA256": 1474,
"CVE": 20,
"domain": 546,
"hostname": 1215,
"URL": 3249
},
"indicator_count": 7404,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 219,
"modified_text": "851 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6570a161f0681f4ff3d67feb",
"name": "Pool's Closed (by @scnrscnr)",
"description": "",
"modified": "2023-12-06T16:29:21.844000",
"created": "2023-12-06T16:29:21.844000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 10,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 7844,
"FileHash-MD5": 562,
"FileHash-SHA1": 429,
"URL": 22749,
"hostname": 9461,
"domain": 4578,
"SSLCertFingerprint": 20,
"CIDR": 32,
"email": 3,
"CVE": 2
},
"indicator_count": 45680,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 111,
"modified_text": "865 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6570a145926a5676de0e2a1a",
"name": "Pool's Closed (by @scnrscnr)",
"description": "",
"modified": "2023-12-06T16:28:53.979000",
"created": "2023-12-06T16:28:53.979000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 9,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 7844,
"FileHash-MD5": 562,
"FileHash-SHA1": 429,
"URL": 22749,
"hostname": 9461,
"domain": 4578,
"SSLCertFingerprint": 20,
"CIDR": 32,
"email": 3,
"CVE": 2
},
"indicator_count": 45680,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 111,
"modified_text": "865 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65707e9819da1f2e8e26e78e",
"name": "recallsfschoolboard.org",
"description": "",
"modified": "2023-12-06T14:00:56.019000",
"created": "2023-12-06T14:00:56.019000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"CVE": 24,
"domain": 2214,
"URL": 9040,
"FileHash-MD5": 280,
"FileHash-SHA256": 3044,
"hostname": 2973,
"FileHash-SHA1": 327,
"SSLCertFingerprint": 6,
"CIDR": 6,
"email": 64
},
"indicator_count": 17978,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 110,
"modified_text": "865 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65707b9630308cb99a817277",
"name": "Pool's Closed",
"description": "",
"modified": "2023-12-06T13:48:06.514000",
"created": "2023-12-06T13:48:06.514000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 7844,
"FileHash-MD5": 562,
"FileHash-SHA1": 429,
"URL": 22749,
"hostname": 9461,
"domain": 4578,
"SSLCertFingerprint": 20,
"CIDR": 32,
"email": 3,
"CVE": 2
},
"indicator_count": 45680,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 111,
"modified_text": "865 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "64f37719db054ccde25aa9df",
"name": "Pool's Closed (by @scnrscnr)",
"description": "",
"modified": "2023-09-02T17:55:37.269000",
"created": "2023-09-02T17:55:37.269000",
"tags": [
"Timothy Pool",
"Christopher Pool",
"Pool's Closed"
],
"references": [
"Pool Closed",
"Pool's Closed"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [],
"attack_ids": [
{
"id": "T1546",
"name": "Event Triggered Execution",
"display_name": "T1546 - Event Triggered Execution"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
}
],
"industries": [
"Media",
"ad fraud"
],
"TLP": "white",
"cloned_from": "5fa57698ac0f6638b7b9a8ba",
"export_count": 16,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 7851,
"URL": 23098,
"hostname": 9521,
"domain": 4595,
"SSLCertFingerprint": 22,
"FileHash-MD5": 564,
"FileHash-SHA1": 432,
"CIDR": 32,
"email": 3,
"CVE": 2
},
"indicator_count": 46120,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 221,
"modified_text": "960 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "64f3771616d9a9891947e4df",
"name": "Pool's Closed (by @scnrscnr)",
"description": "",
"modified": "2023-09-02T17:55:34.095000",
"created": "2023-09-02T17:55:34.095000",
"tags": [
"Timothy Pool",
"Christopher Pool",
"Pool's Closed"
],
"references": [
"Pool Closed",
"Pool's Closed"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [],
"attack_ids": [
{
"id": "T1546",
"name": "Event Triggered Execution",
"display_name": "T1546 - Event Triggered Execution"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
}
],
"industries": [
"Media",
"ad fraud"
],
"TLP": "white",
"cloned_from": "5fa57698ac0f6638b7b9a8ba",
"export_count": 15,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 7851,
"URL": 23098,
"hostname": 9521,
"domain": 4595,
"SSLCertFingerprint": 22,
"FileHash-MD5": 564,
"FileHash-SHA1": 432,
"CIDR": 32,
"email": 3,
"CVE": 2
},
"indicator_count": 46120,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 220,
"modified_text": "960 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6211397913dcdae410959042",
"name": "recallsfschoolboard.org",
"description": "garry tan has no hand",
"modified": "2022-03-26T19:02:17.827000",
"created": "2022-02-19T18:39:53.002000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 7,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scnrscnr",
"id": "126475",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_126475/resized/80/avatar_67ca5b7bae.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 2973,
"URL": 9040,
"domain": 2214,
"FileHash-SHA256": 3044,
"FileHash-MD5": 280,
"FileHash-SHA1": 327,
"CIDR": 6,
"email": 64,
"CVE": 24,
"SSLCertFingerprint": 6
},
"indicator_count": 17978,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 93,
"modified_text": "1485 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
}
],
"references": [
"What? patch.virtualworldweb.com \u2022 s.palantirfoundry.com \u2022 http://u tirfoundry.co",
"http://www.mobile-connection-alert.fyi/eb/bn/bn-9-nopop/9-nopop-1.html?var=&var2=&var3=$device=MOBILE&brand=Apple&model=iPhone&city=San%20Antonio&os=IOS&osversion=IOS%2011.4&country=US&countryname=United%20States&carrier=&referrerdomain=&language=en&connectiontype=CABLE&ip=76.185.246.58®ion=Texas&cep=W-gWTncHS9Jzl2WpUnQW3DI5dgjcKdwNWM11yWj-BtNBDFNTD52Baezh0F6DNui3qOYcu9zUPktlUvTulBlF6GONqMgW0w5NXdG42lOJGAp8P79kEUkAM3xGHBcIuf2PfSpz0mTGxnhbXyAteh4g-wCUR45SdW6fMtSANbFpDDpNDCq8LpN8mLeQJjdLUA_TGOXW9mubTgOyAGy",
"www.endgame \u2022 http://battlefront.com/matrixgames.html \u2022 prometheus.services.myscript.com - Wild!",
"https://www.virustotal.com/gui/collection/2b4bc65a1e84ddb7b105db1d321d35473978d8a0f29fe78f54400f08a3d8caff/graph",
"https://paloma.palantirfoundry.com/workspace/data-health/redirect/ri.foundry.main.dataset.ce31c01d-0b84-4e29-906f-1b8057568d49/master",
"https://target.tccwest.www.littleswimmers.fr/",
"ASN 82.80.204.63 www5.incredimail.com \u2022 Israel",
"https://kt-presales.palantirfoundry.co \u2022 https://glare.palantirfoundry.com",
"http://dasima-containers.palantirfoundry.com \u2022 http://usw-2-dev.palantirfoundry.com",
"www.onyx-ware.com \u2022 endgamesystems.com",
"https://paloma.palantirfoundry.com/workspace/data-health/redirect/ri.foundry.main.dataset.878cb49b-395c-4c82-8db8-5e2bb0e628ce/master",
"events.launchdarkly.com \u2022 clientstream.launchdarkly. \u2022 app.launchdarkly.com",
"engage.palantirfoundry.com \u2022 http://engage.palantirfoundry.com",
"Antivirus Detections: Win.Malware.Incredimail-6804483-0 IDS Detections: Misspelled Mozilla User-Agent (Mozila)",
"upstreamx.palantirfoundry.com \u2022 https://usw-2-dev.palantirfoundry.com",
"http://office.microsoft.com/pl-pl/try/",
"IP\u2019s Contacted : 82.80.204.63 3.163.24.31 82.80.204.5",
"us-g0v-wact-1anvrav\u0645al=\u0635\u0639 \u0627\u062d\u0637\u0645\u0644\u0647",
"FileHash-SHA256 cb40cd426d6e55c2b175b5be3327bfdf8d5a0074bf48b823121bd4720ed2ad95",
"Pornhub to your phone. Dumping or by request?",
"Pool's Closed",
"http://upstreamx.palantirfoundry.com/ \u2022 https://equilibrium.palantirfoundry.com/",
"https://www.filescan.io/uploads/6722a6a96f9ec335191c8490/reports/b1fe9f64-f3e5-464b-8f04-6da3faa0397f/overview",
"MD5 be5eae9bd85769bce02d6e52a4927bcd Pulses Integrations C EXIF Data: HTML:Title\tINetSim default HTML page",
"https://credits.muso.ai/profile/ad62a9c1-de4a-4b3a-91d4-8f1ca6b5ad7a",
"open.spotify.com \u2022",
"(patch.virtualworldweb.com) why does this sound so creepy? DIT , simulation, OWO ,sentient weird.",
"http://svchost.com/?fp=-3",
"www.killer333.club So I\u2019m right.",
"https://www.virustotal.com/gui/collection/2b4bc65a1e84ddb7b105db1d321d35473978d8a0f29fe78f54400f08a3d8caff/summary",
"medallion-compute.washington.palantircloud.com \u2022 graviera-compute.palantirfedstart.com",
"www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process\t\u2022",
"https://glare.pali om. \u2022 http://engage.palantirfou?",
"https://svchost.com/js/fingerprint/iife.min.js",
"campdeadwood2026.com",
"AS8551 bezeq international-Itd 3.163.24.31 www5l.incredimail.com \u2022 Israel",
"https://www.virustotal.com/graph/embed/g993ffeadf3fd4998ab224cfe2c747905168b064bf4ca43c8aaebcbfa1218cd32?theme=dark",
"07.02.24 - dos - DLLExplorer.log",
"us-gov-west-1.gov.reveal-global.com",
"cloudfront.net \u2022 d127qq8ld0aiq5.cloudfront.net",
"https://upstreamx.palantirfoundry.com \u2022 edwards.palantirfoundry.com \u2022 stagwellmarketingcloud.palantirfoundry.com",
"Pool Closed",
"https://www.virustotal.com/gui/collection/2b4bc65a1e84ddb7b105db1d321d35473978d8a0f29fe78f54400f08a3d8caff/iocs",
"http://svchost.com/?fp=c9ef88c56cbdd266b94e81c85887b3b5",
"United States | ASNone 82.80.204.5 cen.incredibar.com \u2022 Israel",
"http://ww16.test.windows.svchost.com/?sub1=20231019-1240-0363-984e-cb61eec5c9c7",
"https://paloma.palantirfoundry.com https://lucyw.palantirfoundry.com \u2022 http://edwards.palantirfoundry.com/",
"https://equilibrium.palantirfoundry.com \u2022\u2019https://engage.palantirfoundry.com",
"Domains Contacted: cen.incredibar.com www5l.incredimail.com www5.incredimail.com",
"https://www.virustotal.com/graph/embed/g33a1f2bab7074974aae7dcceef6a1db455f36c107676407d898b41474d9c2bdd?theme=dark",
"caerphilly-containers.palantirfedstart.com \u2022 equilibrium.palantirfoundry.com \u2022 palantirfoundry.com",
"https://soerkvingo.msnstyle.dk/vaginas-escort-girl-ukraina-pure-nudisme-dyresex-noveller-sukker-pris-porno-med-norsk-tale/",
"22.hio52.r.cloudfront.net",
"External Hosts Israel Unique Countries 2 Unique ASNs 2 IP",
"https://open.spotify.com/track/5KjB1j0u54VXg6M8SN8hH2",
"http://svchost.com/",
"https://open.spotify.com/intl-de/track/5KjB1j0u54VXg6M8SN8hH2"
],
"related": {
"alienvault": {
"adversary": [],
"malware_families": [],
"industries": [],
"unique_indicators": 0
},
"other": {
"adversary": [],
"malware_families": [
"Win.packed.generic-9967832-0",
"#lowfi:win32/autoit",
"Win.trojan.barys-10005825-0",
"Webtoolbar",
"Pegasus",
"Win.packed.stealerc-10017074-0",
"Win32:hacktoolx-gen\\ [trj]",
"Trojan:win32/zombie.a",
"Win.malware.incredimail-6804483-0",
"Hacktool:win32/cobaltstrike.a",
"Win.dropper.poisonivy-9876745-0",
"Trojanspy:msil/yakbeex.a",
"Trojanspy",
"Nufs_unicode"
],
"industries": [
"Ad fraud",
"Media",
"Government",
"Education",
"Entertainment",
"Technology",
"Healthcare",
"Telecommunications"
],
"unique_indicators": 104564
}
}
},
"false_positive": [],
"alexa": "http://www.alexa.com/siteinfo/thegcptest.com",
"whois": "http://whois.domaintools.com/thegcptest.com",
"domain": "thegcptest.com",
"hostname": "Unavailable"
},
"geo": {},
"geo_ipapicom": {},
"pulse_count": 18,
"pulses": [
{
"id": "69a9cd444aa144401d0c4988",
"name": "Pools Open",
"description": "",
"modified": "2026-04-15T19:21:28.851000",
"created": "2026-03-05T18:36:52.014000",
"tags": [
"Timothy Pool",
"Christopher Pool",
"Pool's Closed"
],
"references": [
"Pool Closed",
"Pool's Closed"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [],
"attack_ids": [
{
"id": "T1546",
"name": "Event Triggered Execution",
"display_name": "T1546 - Event Triggered Execution"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
}
],
"industries": [
"Media",
"ad fraud"
],
"TLP": "white",
"cloned_from": "5fa57698ac0f6638b7b9a8ba",
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 8098,
"URL": 23428,
"hostname": 9592,
"domain": 4727,
"SSLCertFingerprint": 22,
"FileHash-MD5": 696,
"FileHash-SHA1": 457,
"CIDR": 78,
"email": 3,
"CVE": 2
},
"indicator_count": 47103,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 50,
"modified_text": "4 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69a9cad6633206ba1204cf8f",
"name": "clone school board ",
"description": "",
"modified": "2026-03-06T11:26:19.137000",
"created": "2026-03-05T18:26:30.062000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": "6211397913dcdae410959042",
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 2975,
"URL": 9041,
"domain": 2214,
"FileHash-SHA256": 3044,
"FileHash-MD5": 280,
"FileHash-SHA1": 327,
"CIDR": 6,
"email": 64,
"CVE": 24,
"SSLCertFingerprint": 6
},
"indicator_count": 17981,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 48,
"modified_text": "44 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69a9cad78745fdea3001aec9",
"name": "clone school board ",
"description": "",
"modified": "2026-03-06T05:11:24.929000",
"created": "2026-03-05T18:26:31.303000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": "6211397913dcdae410959042",
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "msudosos",
"id": "381696",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 2975,
"URL": 9041,
"domain": 2214,
"FileHash-SHA256": 3044,
"FileHash-MD5": 280,
"FileHash-SHA1": 327,
"CIDR": 6,
"email": 64,
"CVE": 24,
"SSLCertFingerprint": 6
},
"indicator_count": 17981,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 49,
"modified_text": "44 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6964c08bf79bcb252eaa9e15",
"name": "TrojanSpy - Spotify account under an attack which conceals artists releases / deletes followers",
"description": "Spotify Attacks: TrojanSpy - Streamer Spotify account under an attack which conceals artists releases / deletes followers. The attack is adversarial. I\u2019m unclear how widespread it is. . Further research required. OTX auto generated Pegasus. Released work that was once viewable is now concealed, followers deleted.\n#cloudfront #spyware #delete_service #cloudfront_attacks",
"modified": "2026-02-11T09:03:20.933000",
"created": "2026-01-12T09:36:11.701000",
"tags": [
"google",
"fastly",
"googlecl",
"january",
"http",
"domain",
"akamaias",
"cloudflar",
"page url",
"de summary",
"april",
"reverse dns",
"url https",
"general full",
"software",
"united",
"resource hash",
"protocol h3",
"security quic",
"protocol h2",
"security tls",
"main",
"present jan",
"title",
"gmt max",
"certificate",
"moved",
"lowfi",
"gmt content",
"meta",
"present dec",
"status",
"aaaa",
"passive dns",
"urls",
"search",
"expiration date",
"win32",
"files",
"verdict",
"files ip",
"address",
"mtb jan",
"trojandropper",
"backdoor",
"win32upatre jan",
"origin trial",
"gmt cache",
"443 ma2592000",
"possible",
"worm",
"trojan",
"ip address",
"record value",
"dark",
"found",
"ipv4 add",
"error",
"trojanspy",
"emails",
"servers",
"pegasus",
"america flag",
"america asn",
"tlsv1",
"read c",
"show",
"medium",
"lstockholm",
"ospotify ab",
"odigicert inc",
"execution",
"next",
"dock",
"write",
"persistence",
"dynamicloader",
"yara rule",
"ms windows",
"pe32",
"named pipe",
"smartassembly",
"delphi",
"malware",
"united states",
"pe file",
"filehash",
"md5 add",
"av detections",
"ids detections",
"yara detections",
"alerts",
"high",
"write c",
"tls sni",
"tls handshake",
"delete",
"as15169",
"stun binding",
"request",
"port",
"win64",
"themida",
"guard",
"risepro",
"sha256",
"sha1",
"pattern match",
"ascii text",
"size",
"mitre att",
"ck id",
"null",
"refresh",
"span",
"hybrid",
"general",
"local",
"path",
"click",
"strings",
"tools",
"look",
"verify",
"restart",
"learn",
"command",
"name tactics",
"suspicious",
"informative",
"spawns",
"ck techniques",
"evasion att",
"t1480 execution",
"directui",
"element",
"hwndhost",
"classinfobase",
"hwndelement",
"value",
"explorer",
"insert",
"movie",
"hacktool",
"showing",
"entries http",
"scans show",
"california",
"location united",
"next associated",
"pulse pulses",
"name servers",
"found request",
"unique",
"url add",
"related nids",
"files location",
"expiration",
"flag united",
"present nov",
"present sep",
"href",
"suricata stream",
"command decode",
"starfield",
"encrypt",
"iframe",
"date",
"title error",
"hostname",
"pulse submit",
"memcommit",
"checks",
"windows",
"capture",
"cloudfront",
"colorado",
"creation date",
"hostname add",
"eset",
"binary file",
"pdb path",
"internalname",
"nod32",
"amon"
],
"references": [
"open.spotify.com \u2022",
"https://open.spotify.com/intl-de/track/5KjB1j0u54VXg6M8SN8hH2",
"https://open.spotify.com/track/5KjB1j0u54VXg6M8SN8hH2",
"FileHash-SHA256 cb40cd426d6e55c2b175b5be3327bfdf8d5a0074bf48b823121bd4720ed2ad95",
"events.launchdarkly.com \u2022 clientstream.launchdarkly. \u2022 app.launchdarkly.com",
"https://target.tccwest.www.littleswimmers.fr/",
"www.onyx-ware.com \u2022 endgamesystems.com",
"cloudfront.net \u2022 d127qq8ld0aiq5.cloudfront.net"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "TrojanSpy",
"display_name": "TrojanSpy",
"target": null
},
{
"id": "Win.Packed.Stealerc-10017074-0",
"display_name": "Win.Packed.Stealerc-10017074-0",
"target": null
},
{
"id": "#Lowfi:Win32/AutoIt",
"display_name": "#Lowfi:Win32/AutoIt",
"target": "/malware/#Lowfi:Win32/AutoIt"
},
{
"id": "Win.Packed.Generic-9967832-0",
"display_name": "Win.Packed.Generic-9967832-0",
"target": null
},
{
"id": "TrojanSpy:MSIL/Yakbeex.A",
"display_name": "TrojanSpy:MSIL/Yakbeex.A",
"target": "/malware/TrojanSpy:MSIL/Yakbeex.A"
},
{
"id": "Pegasus",
"display_name": "Pegasus",
"target": null
},
{
"id": "Win32:HacktoolX-gen\\ [Trj]",
"display_name": "Win32:HacktoolX-gen\\ [Trj]",
"target": null
},
{
"id": "nUFS_unicode",
"display_name": "nUFS_unicode",
"target": null
},
{
"id": "HackTool:Win32/CobaltStrike.A",
"display_name": "HackTool:Win32/CobaltStrike.A",
"target": "/malware/HackTool:Win32/CobaltStrike.A"
},
{
"id": "Win.Dropper.PoisonIvy-9876745-0",
"display_name": "Win.Dropper.PoisonIvy-9876745-0",
"target": null
},
{
"id": "Trojan:Win32/Zombie.A",
"display_name": "Trojan:Win32/Zombie.A",
"target": "/malware/Trojan:Win32/Zombie.A"
},
{
"id": "Win.Trojan.Barys-10005825-0",
"display_name": "Win.Trojan.Barys-10005825-0",
"target": null
}
],
"attack_ids": [
{
"id": "T1102",
"name": "Web Service",
"display_name": "T1102 - Web Service"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "TA0003",
"name": "Persistence",
"display_name": "TA0003 - Persistence"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1587.001",
"name": "Malware",
"display_name": "T1587.001 - Malware"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1189",
"name": "Drive-by Compromise",
"display_name": "T1189 - Drive-by Compromise"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "TA0037",
"name": "Command and Control",
"display_name": "TA0037 - Command and Control"
}
],
"industries": [
"Entertainment",
"Technology"
],
"TLP": "white",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 1293,
"URL": 3389,
"FileHash-MD5": 635,
"FileHash-SHA1": 531,
"FileHash-SHA256": 2345,
"domain": 501,
"email": 12,
"SSLCertFingerprint": 16
},
"indicator_count": 8722,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 138,
"modified_text": "67 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "69640c0afc9805a6fa2da07b",
"name": "MUSO.AI Malware \u2018Incredimail\u2019 Palantir in use[OTX auto populated title -Tsara Brashears]",
"description": "MUSO.Ai , Is have to do more research. Some searches on reports MUSO as an opt in resource for artist to view, sort, and manage legacy credits, MUSO also collects royalties. Research and investigation confirms no one on music team is associated with or l thinks they may have heard of MUSO. Is MUSO. AI Palantir customer or service ,spy app services by the folks at Palantir. . [otx auto pop praise: Tsara Brashears is the most popular songwriter in the world, but can you use the app to find out more about the artist and the musicians behind the tracks?] cute. \n#dembiak #palantir #muso #ai",
"modified": "2026-02-10T20:03:47.214000",
"created": "2026-01-11T20:46:02.176000",
"tags": [
"lark kdence",
"zack dare",
"zafira",
"jon bonus",
"andy flebbe",
"div div",
"present nov",
"a domains",
"united",
"script urls",
"div a",
"script domains",
"discover",
"moved",
"insert",
"x0 tw",
"urls",
"cloudfront x",
"title error",
"url analysis",
"reverse dns",
"servers",
"name servers",
"united states",
"all ipv4",
"aaaa",
"ip address",
"learn",
"command",
"ck id",
"name tactics",
"suspicious",
"informative",
"adversaries",
"spawns",
"evasion att",
"t1480 execution",
"ascii text",
"mitre att",
"pattern match",
"null",
"error",
"click",
"hybrid",
"general",
"local",
"path",
"starfield",
"strings",
"refresh",
"tools",
"meta",
"onload",
"span",
"data upload",
"extraction",
"type",
"extra",
"referen https",
"include review",
"exclude sugges",
"stop",
"aivoes typ",
"passive dns",
"date",
"united states",
"status",
"domain add",
"files",
"hostname",
"read c",
"medium",
"search",
"show",
"memcommit",
"high",
"checks",
"windows",
"delete",
"execution",
"dock",
"write",
"persistence",
"capture",
"next",
"amazon02",
"as autonomous",
"system",
"asn16509",
"domain",
"current dns",
"a record",
"as16509",
"december",
"ip information",
"ipasns ip",
"google",
"fastly",
"googlecl",
"akamaias",
"cloudflar",
"domain tree",
"links ip",
"address as",
"cisco",
"umbrella rank",
"general full",
"url https",
"software",
"resource hash",
"protocol h2",
"security tls",
"hostname add",
"challengescript",
"captchascript",
"name",
"value",
"source level",
"url text",
"automatic",
"webgl",
"please",
"extr data",
"data",
"size",
"title",
"yara detections",
"filehash",
"av detections",
"ids detections",
"alerts",
"analysis date",
"file score",
"low risk",
"entries",
"rgba",
"unicode",
"asnone",
"malware",
"port",
"destination",
"tlsv1",
"tls handshake",
"failure",
"roboto",
"msie",
"windows nt",
"wow64",
"slcc2",
"media center",
"expiration",
"url http",
"no expiration",
"present jan",
"unknown ns",
"certificate",
"body",
"present oct",
"present may",
"present dec",
"present sep",
"present feb",
"showing",
"next associated",
"all se",
"pulse pulses",
"http",
"files domain",
"files related",
"pulses none",
"debiak",
"tsara brashears",
"ai",
"palantir",
"muso ai",
"sort",
"artists",
"royalties",
"music",
"songwriter",
"collect",
"view",
"malicious app",
"false claims"
],
"references": [
"https://credits.muso.ai/profile/ad62a9c1-de4a-4b3a-91d4-8f1ca6b5ad7a",
"22.hio52.r.cloudfront.net",
"us-gov-west-1.gov.reveal-global.com",
"us-g0v-wact-1anvrav\u0645al=\u0635\u0639 \u0627\u062d\u0637\u0645\u0644\u0647",
"MD5 be5eae9bd85769bce02d6e52a4927bcd Pulses Integrations C EXIF Data: HTML:Title\tINetSim default HTML page",
"External Hosts Israel Unique Countries 2 Unique ASNs 2 IP",
"ASN 82.80.204.63 www5.incredimail.com \u2022 Israel",
"United States | ASNone 82.80.204.5 cen.incredibar.com \u2022 Israel",
"AS8551 bezeq international-Itd 3.163.24.31 www5l.incredimail.com \u2022 Israel",
"Antivirus Detections: Win.Malware.Incredimail-6804483-0 IDS Detections: Misspelled Mozilla User-Agent (Mozila)",
"IP\u2019s Contacted : 82.80.204.63 3.163.24.31 82.80.204.5",
"Domains Contacted: cen.incredibar.com www5l.incredimail.com www5.incredimail.com",
"medallion-compute.washington.palantircloud.com \u2022 graviera-compute.palantirfedstart.com",
"caerphilly-containers.palantirfedstart.com \u2022 equilibrium.palantirfoundry.com \u2022 palantirfoundry.com",
"upstreamx.palantirfoundry.com \u2022 https://usw-2-dev.palantirfoundry.com",
"https://upstreamx.palantirfoundry.com \u2022 edwards.palantirfoundry.com \u2022 stagwellmarketingcloud.palantirfoundry.com",
"https://paloma.palantirfoundry.com/workspace/data-health/redirect/ri.foundry.main.dataset.ce31c01d-0b84-4e29-906f-1b8057568d49/master",
"https://paloma.palantirfoundry.com/workspace/data-health/redirect/ri.foundry.main.dataset.878cb49b-395c-4c82-8db8-5e2bb0e628ce/master",
"https://paloma.palantirfoundry.com https://lucyw.palantirfoundry.com \u2022 http://edwards.palantirfoundry.com/",
"http://dasima-containers.palantirfoundry.com \u2022 http://usw-2-dev.palantirfoundry.com",
"https://kt-presales.palantirfoundry.co \u2022 https://glare.palantirfoundry.com",
"engage.palantirfoundry.com \u2022 http://engage.palantirfoundry.com",
"https://equilibrium.palantirfoundry.com \u2022\u2019https://engage.palantirfoundry.com",
"http://upstreamx.palantirfoundry.com/ \u2022 https://equilibrium.palantirfoundry.com/",
"https://glare.pali om. \u2022 http://engage.palantirfou?",
"What? patch.virtualworldweb.com \u2022 s.palantirfoundry.com \u2022 http://u tirfoundry.co",
"(patch.virtualworldweb.com) why does this sound so creepy? DIT , simulation, OWO ,sentient weird.",
"www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process\t\u2022",
"www.endgame \u2022 http://battlefront.com/matrixgames.html \u2022 prometheus.services.myscript.com - Wild!",
"campdeadwood2026.com",
"http://www.mobile-connection-alert.fyi/eb/bn/bn-9-nopop/9-nopop-1.html?var=&var2=&var3=$device=MOBILE&brand=Apple&model=iPhone&city=San%20Antonio&os=IOS&osversion=IOS%2011.4&country=US&countryname=United%20States&carrier=&referrerdomain=&language=en&connectiontype=CABLE&ip=76.185.246.58®ion=Texas&cep=W-gWTncHS9Jzl2WpUnQW3DI5dgjcKdwNWM11yWj-BtNBDFNTD52Baezh0F6DNui3qOYcu9zUPktlUvTulBlF6GONqMgW0w5NXdG42lOJGAp8P79kEUkAM3xGHBcIuf2PfSpz0mTGxnhbXyAteh4g-wCUR45SdW6fMtSANbFpDDpNDCq8LpN8mLeQJjdLUA_TGOXW9mubTgOyAGy",
"Pornhub to your phone. Dumping or by request?",
"https://soerkvingo.msnstyle.dk/vaginas-escort-girl-ukraina-pure-nudisme-dyresex-noveller-sukker-pris-porno-med-norsk-tale/",
"www.killer333.club So I\u2019m right."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Win.Malware.Incredimail-6804483-0",
"display_name": "Win.Malware.Incredimail-6804483-0",
"target": null
}
],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1568.002",
"name": "Domain Generation Algorithms",
"display_name": "T1568.002 - Domain Generation Algorithms"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "TA0003",
"name": "Persistence",
"display_name": "TA0003 - Persistence"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1158",
"name": "Hidden Files and Directories",
"display_name": "T1158 - Hidden Files and Directories"
},
{
"id": "T1036.004",
"name": "Masquerade Task or Service",
"display_name": "T1036.004 - Masquerade Task or Service"
},
{
"id": "TA0028",
"name": "Persistence",
"display_name": "TA0028 - Persistence"
},
{
"id": "T1147",
"name": "Hidden Users",
"display_name": "T1147 - Hidden Users"
},
{
"id": "T1017",
"name": "Application Deployment Software",
"display_name": "T1017 - Application Deployment Software"
},
{
"id": "T1587.001",
"name": "Malware",
"display_name": "T1587.001 - Malware"
},
{
"id": "T1608.001",
"name": "Upload Malware",
"display_name": "T1608.001 - Upload Malware"
},
{
"id": "T1598",
"name": "Phishing for Information",
"display_name": "T1598 - Phishing for Information"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 10686,
"hostname": 2427,
"domain": 1094,
"FileHash-MD5": 175,
"FileHash-SHA1": 65,
"FileHash-SHA256": 1118,
"email": 4,
"SSLCertFingerprint": 14
},
"indicator_count": 15583,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 144,
"modified_text": "68 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "5fa57698ac0f6638b7b9a8ba",
"name": "Pool's Closed",
"description": "Two paupers from the meadow spring forth an upheaval of nasty sites on the world wide web.",
"modified": "2025-12-27T05:02:34.910000",
"created": "2020-11-06T16:15:20.139000",
"tags": [
"Timothy Pool",
"Christopher Pool",
"Pool's Closed"
],
"references": [
"Pool Closed",
"Pool's Closed"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [],
"attack_ids": [
{
"id": "T1546",
"name": "Event Triggered Execution",
"display_name": "T1546 - Event Triggered Execution"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
}
],
"industries": [
"Media",
"ad fraud"
],
"TLP": "white",
"cloned_from": null,
"export_count": 61,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 4,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scnrscnr",
"id": "126475",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_126475/resized/80/avatar_67ca5b7bae.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 8098,
"URL": 23426,
"hostname": 9590,
"domain": 4727,
"SSLCertFingerprint": 22,
"FileHash-MD5": 696,
"FileHash-SHA1": 457,
"CIDR": 78,
"email": 3,
"CVE": 2
},
"indicator_count": 47099,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 133,
"modified_text": "113 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "67576b4cdaafecfac733fac4",
"name": "http://pit.waw.pl skrypt w pliku://C:/28f67ac2f4875f36aeb31e181e2d2d50f84b5c0791afa4b7bd6987cf00e95186.html.html http://ww53.cookiesinfo.com/",
"description": "MS Office Excel 2016\n0x2491:$h_raw1: /javascript\n0x289d:$h_raw1: /javascript\n0x2dd0:$h_raw1: /javascript\n0x182a6:$h_raw1: /javascript\n0x18dc0:$h_raw1: /javascript\n0x1a072:$h_raw1: /javascript\n0x1ad72:$h_raw1: /javascript\n0x222e6:$h_raw1: /javascript\n0x22870:$h_raw1: /javascript\n0x23lut:$h_raw1: /javascript\nskrypt w pliku://C:/28f67ac2f4875f36aeb31e181e2d2d50f84b5c0791afa4b7bd6987cf00e95186.html.html",
"modified": "2025-05-14T20:46:38.021000",
"created": "2024-12-09T22:12:28.252000",
"tags": [
"grudzie",
"typ zawartoci",
"linux x8664",
"khtml",
"gecko",
"metoda",
"adres url",
"poczenie",
"dugo treci",
"dostawa artnet",
"sha1",
"sha256",
"microsoft",
"microsoft store",
"office",
"robisz",
"zakupy w",
"dla firm",
"family",
"internetem",
"kliknij tutaj",
"microsoft i",
"bony",
"jaka",
"android",
"utc1 html",
"utc1",
"utc1 gif",
"plik",
"utc1 popieprzy",
"javascript",
"or requesturl",
"or filehash",
"maxradlinklen50",
"type3",
"june",
"copyright",
"t1027",
"warto",
"muid warto",
"mr warto",
"warto clid",
"anonchk warto"
],
"references": [
"http://office.microsoft.com/pl-pl/try/"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 12,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Arek-BTC",
"id": "212764",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 56,
"hostname": 96,
"URL": 348,
"FileHash-SHA256": 313,
"FileHash-MD5": 22,
"FileHash-SHA1": 12,
"IPv4": 11,
"YARA": 2
},
"indicator_count": 860,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 122,
"modified_text": "340 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6769beaee1a21227b5411707",
"name": "svchost.com",
"description": "if(3.0) =t+o, i, as a result of an error, if i=0, is any longer than a single word, then i(i) is a",
"modified": "2025-01-08T01:55:33.905000",
"created": "2024-12-23T19:49:02.840000",
"tags": [
"remoteurl",
"remoteip",
"65535",
"error",
"date",
"fingerprintjs",
"typeof e",
"promise",
"copyright",
"murmurhash3",
"karan lyons",
"msstream",
"click",
"whasz"
],
"references": [
"https://svchost.com/js/fingerprint/iife.min.js",
"http://ww16.test.windows.svchost.com/?sub1=20231019-1240-0363-984e-cb61eec5c9c7",
"http://svchost.com/?fp=-3",
"http://svchost.com/?fp=c9ef88c56cbdd266b94e81c85887b3b5",
"http://svchost.com/"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 1,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Arek-BTC",
"id": "212764",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 84,
"FileHash-SHA1": 80,
"FileHash-SHA256": 424,
"IPv4": 1,
"URL": 131,
"hostname": 45,
"domain": 16
},
"indicator_count": 781,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 122,
"modified_text": "466 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6722a579c257c8968664233a",
"name": "VirusTotal Graph - Hidden Hidden - 173[.]194[.]195[.]94 - 10.30.24",
"description": "VirusTotal Graph - Hidden Hidden - 173[.]194[.]195[.]94 - 10.30.24\nGraph Not Expanded, Not enriched on import to OTX",
"modified": "2024-11-29T21:03:08.719000",
"created": "2024-10-30T21:30:33.413000",
"tags": [
"entity",
"Certificates",
"Hidden",
"Malcerts"
],
"references": [
"https://www.virustotal.com/graph/embed/g33a1f2bab7074974aae7dcceef6a1db455f36c107676407d898b41474d9c2bdd?theme=dark",
"https://www.filescan.io/uploads/6722a6a96f9ec335191c8490/reports/b1fe9f64-f3e5-464b-8f04-6da3faa0397f/overview"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Canada"
],
"malware_families": [],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
}
],
"industries": [
"Technology",
"Education",
"Government",
"Healthcare"
],
"TLP": "white",
"cloned_from": null,
"export_count": 19,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 5,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Disable_Duck",
"id": "244325",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 15,
"FileHash-SHA1": 15,
"FileHash-SHA256": 119,
"URL": 82,
"domain": 13,
"hostname": 20
},
"indicator_count": 264,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 129,
"modified_text": "506 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6684ddb81f457884672174ce",
"name": "Suss & Suspicious dlls",
"description": "The full text of the dlls - 07.02.24 - has been published on the website of MSPs.bing.mm.net, with the title \"msedge\". (autopop)\nNoVirusThanks dll Tool:\n13 Suspicious - Threw these into VT -> Made a pretty Graph -> Added to VT Collection\n74 unsigned - didn't touch on these so much (cert probs)\nOG Log File:\n902414559e7f9184ed74685e6ad34ed59abe865bd75f6bc8233da00389d776b4\n07.02.24 - dos - DLLExplorer.log -> Tossed into AlienVault w. the VT Collection and some magic happened",
"modified": "2024-08-23T15:00:34.872000",
"created": "2024-07-03T05:12:24.970000",
"tags": [
"entity",
"please",
"javascript",
"suss",
"hidden",
"false file",
"description",
"hash",
"suspicious",
"duck duck",
"comodo security",
"solutions",
"inc hash",
"intel",
"compiler",
"loader"
],
"references": [
"https://www.virustotal.com/graph/embed/g993ffeadf3fd4998ab224cfe2c747905168b064bf4ca43c8aaebcbfa1218cd32?theme=dark",
"https://www.virustotal.com/gui/collection/2b4bc65a1e84ddb7b105db1d321d35473978d8a0f29fe78f54400f08a3d8caff/summary",
"https://www.virustotal.com/gui/collection/2b4bc65a1e84ddb7b105db1d321d35473978d8a0f29fe78f54400f08a3d8caff/iocs",
"https://www.virustotal.com/gui/collection/2b4bc65a1e84ddb7b105db1d321d35473978d8a0f29fe78f54400f08a3d8caff/graph",
"07.02.24 - dos - DLLExplorer.log"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"Canada"
],
"malware_families": [],
"attack_ids": [
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
}
],
"industries": [
"Technology",
"Education",
"Telecommunications"
],
"TLP": "white",
"cloned_from": null,
"export_count": 26,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Disable_Duck",
"id": "244325",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 3627,
"FileHash-SHA1": 937,
"FileHash-SHA256": 28560,
"hostname": 5477,
"domain": 8215,
"URL": 10147,
"email": 7,
"CIDR": 2
},
"indicator_count": 56972,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 132,
"modified_text": "604 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
}
],
"error": null,
"vt": {
"error": "VirusTotal rate limit reached. Try again shortly.",
"indicator": "https://thegcptest.com",
"type": "URL"
},
"abuseipdb": null,
"urlhaus": {
"indicator": "https://thegcptest.com",
"type": "URL",
"found": false,
"verdict": "clean",
"error": null
},
"from_cache": true,
"_cached_at": 1776639526.1369534
}