{
  "type": "URL",
  "indicator": "https://translate.googleapis.com",
  "general": {
    "sections": [
      "general",
      "url_list",
      "http_scans",
      "screenshot"
    ],
    "indicator": "https://translate.googleapis.com",
    "type": "url",
    "type_title": "URL",
    "validation": [
      {
        "source": "akamai",
        "message": "Akamai rank: #5790",
        "name": "Akamai Popular Domain"
      },
      {
        "source": "whitelist",
        "message": "Whitelisted domain googleapis.com",
        "name": "Whitelisted domain"
      },
      {
        "source": "majestic",
        "message": "Whitelisted domain googleapis.com",
        "name": "Whitelisted domain"
      }
    ],
    "base_indicator": {
      "id": 2904826598,
      "indicator": "https://translate.googleapis.com",
      "type": "URL",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 8,
      "pulses": [
        {
          "id": "69db4f2dc509a1e8210f1b68",
          "name": "CAPE Sandbox",
          "description": "CivicPlus, LLC (ICONE-2) is a US-based company with a name that includes the word \"CIVICPLUS\", \"civicplus\", and \"icon Enterprises, Inc\".",
          "modified": "2026-04-12T08:36:17.724000",
          "created": "2026-04-12T07:52:13.594000",
          "tags": [
            "network admin",
            "civicplus",
            "net192",
            "net1920000",
            "houston",
            "suite e",
            "city",
            "server",
            "select contact",
            "domain holder",
            "date",
            "form",
            "submission",
            "ssdeep",
            "file type",
            "text text",
            "magic unicode",
            "utf8",
            "crlf line",
            "trid text",
            "magika txt",
            "file size",
            "chatgpt",
            "doctype html",
            "meta",
            "ai system",
            "research",
            "preview",
            "gmt server",
            "self",
            "dynamic",
            "html info",
            "title chatgpt",
            "meta tags",
            "thumbprint"
          ],
          "references": [
            "https://vtbehaviour.commondatastorage.googleapis.com/528831360d5c49743bf0dcf9cb0af1f76c694de9dfff79b32098d68c3c592f8a_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775980441&Signature=QefJtz2s096UJTV1NljpeJrvdFWJBbHJre5UDOJQeemvu9EGI8UaxLTPvZxejJToeSgqCCu4zCWniB2V9Xer1ozcM5Vy2xhgRO%2BaFeWFRkjfd5yRyZIGLi65ORYA2oyDhTBUZuQco3NNHZWaS0mWYOpAI662c%2BecYNp5SJTXMB4oKzu9bstiszUfM1HNlWjSpySaxCD4j34gZFgiv5xZGW34IcBSvzfQUWECgUu6jW5Pu4Rr%2FH5TJS%2"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CIDR": 2,
            "URL": 602,
            "domain": 166,
            "email": 37,
            "hostname": 837,
            "FileHash-MD5": 125,
            "FileHash-SHA1": 136,
            "FileHash-SHA256": 1230,
            "IPv4": 399
          },
          "indicator_count": 3534,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 49,
          "modified_text": "7 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "69c5c7194394ff775d44f7e0",
          "name": "WaypointsStickyChromeCache",
          "description": "A complete analysis of user-created Pulses (AVs) at the University of California, Los Angeles, has been published by the BBC's Newsnight website, along with a series of links.<pretext",
          "modified": "2026-03-27T00:12:08.015000",
          "created": "2026-03-26T23:54:01.493000",
          "tags": [
            "http",
            "urls",
            "unique",
            "pulse pulses",
            "location united",
            "flag united",
            "related",
            "pulses",
            "related tags",
            "x tec",
            "log id",
            "gmtn",
            "tls web",
            "self",
            "encrypt",
            "b2 f6",
            "b0n timestamp",
            "f9401a",
            "timestamp",
            "url add",
            "false"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 121,
            "hostname": 31,
            "domain": 5,
            "FileHash-MD5": 20,
            "FileHash-SHA1": 18,
            "FileHash-SHA256": 98,
            "SSLCertFingerprint": 2,
            "IPv4": 1,
            "CVE": 1
          },
          "indicator_count": 297,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 48,
          "modified_text": "23 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "68cb233ba91aa1eb958b3f31",
          "name": "Home - RMHS | APT 10 \u2022 Andromeda \u2022  OneLouder",
          "description": "I don\u2019t even know what to say. I\u2019ve received several complaints. This is 2nd time checking out technical issues that do exist. Operates as a Human Service entity for injured persons. OTX auto populated \u2018Golfing\u2019 as industry. \n\nDoes serve the severely disabled population. Does pay caregivers. Possibly a front page a FF link page, I have no idea",
          "modified": "2025-10-17T19:03:15.031000",
          "created": "2025-09-17T21:08:11.518000",
          "tags": [
            "script urls",
            "meta",
            "moved",
            "x tec",
            "passive dns",
            "encrypt",
            "america flag",
            "san francisco",
            "extraction",
            "data upload",
            "type indicatod",
            "united states",
            "a domains",
            "united",
            "gmt server",
            "jose",
            "university",
            "bill",
            "rmhs",
            "information",
            "board",
            "lorin",
            "joseph",
            "all veterans",
            "rocky mountain",
            "mission",
            "vice",
            "april",
            "school",
            "austin",
            "prior",
            "ipv4 add",
            "urls",
            "files",
            "location united",
            "wordpress",
            "rmhs meta",
            "tags viewport",
            "rmhs og",
            "rmhs article",
            "wpbakery page",
            "builder",
            "slider plugin",
            "google tag",
            "mountain human",
            "denver",
            "connecting",
            "denver start",
            "relevance home",
            "providers",
            "contact us",
            "rmhs main",
            "server",
            "redacted tech",
            "redacted admin",
            "registrar abuse",
            "algorithm",
            "key identifier",
            "x509v3 subject",
            "dnssec",
            "country",
            "ttl value",
            "graph summary",
            "resolved ips",
            "ip address",
            "port",
            "data",
            "screenshots no",
            "involved direct",
            "country name",
            "name response",
            "tcp connections",
            "learn",
            "ck id",
            "name tactics",
            "suspicious",
            "informative",
            "command",
            "adversaries",
            "found",
            "spawns",
            "t1590 gather",
            "path",
            "ascii text",
            "exif standard",
            "tiff image",
            "format",
            "stop",
            "false",
            "soldier",
            "model",
            "youth",
            "baby",
            "june",
            "general",
            "local",
            "click",
            "strings",
            "core",
            "warrior",
            "green",
            "emotion",
            "flash",
            "nina",
            "hunk",
            "fono",
            "daam",
            "mitre att",
            "ck techniques",
            "id name",
            "malicious",
            "windows nt",
            "win64",
            "khtml",
            "gecko",
            "brand",
            "microsoft edge",
            "show process",
            "self",
            "date",
            "comspec",
            "hybrid",
            "form",
            "log id",
            "gmtn",
            "tls web",
            "b2 f6",
            "b0n timestamp",
            "f9401a",
            "record value",
            "x wix",
            "certificate",
            "domain add",
            "pulse submit",
            "body",
            "domain related",
            "blackbox",
            "apple",
            "helix",
            "dvrdns",
            "tracking",
            "remote access",
            "ios",
            "spyware",
            "hoax",
            "dynamicloader",
            "ptls6",
            "medium",
            "flashpix",
            "high",
            "ygjpavclsline",
            "officespace",
            "chartshared",
            "powershell",
            "write",
            "malware",
            "ygjpaulscontext",
            "status",
            "japan unknown",
            "domain",
            "pulses",
            "search",
            "accept",
            "apt10",
            "trojanspy",
            "win32",
            "entries",
            "susp",
            "backdoor",
            "useragent",
            "showing",
            "virtool",
            "twitter",
            "mozilla",
            "trojandropper",
            "trojan",
            "title",
            "onelouder",
            "yara det",
            "maware samoe",
            "genaco x",
            "ids detec",
            "ids terse",
            "win3 data",
            "include review",
            "exclude sugges",
            "targeting",
            "show",
            "copy",
            "reads",
            "dynamic",
            "vendor finding",
            "notes clamav",
            "files matching",
            "number",
            "sample analysis",
            "hide samples",
            "date hash",
            "next yara"
          ],
          "references": [
            "rmhumanservices.org",
            "http://www.dvrdns.net/BlackBox/LVR_SD310HWG/SD310H/Player(3.7.2.0).exe.txt",
            "ntp17.dn.n-helix.com \u2022 ntp6.n-helix.com \u2022\tn-helix.com",
            "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
            "http://www.dvrdns.net/BlackBox/google/googleMapKey.txt",
            "http://www.dvrdns.net/BlackBox/AOKI/AMEXA07/AMEX-A07%20PCViewer(3.9.8.1).exe",
            "http://www.dvrdns.net/BlackBox/LVR_SD310HWG/SD310H%2520Player",
            "http://www.dvrdns.net/BlackBox/IROAD/IROAD_X9/version.txt",
            "http://www.dvrdns.net/BlackBox/IROAD/IROAD_T8S2/IROAD%20Viewer(4.1.6.1).exe",
            "http://www.dvrdns.net/BlackBox/IROAD/IROAD_T8S2/",
            "https://we4.ondemand.esker.com/ondemand/webaccess/logon.aspx?status=CookieNotFound",
            "https://www.mlkfoundation.net/ (Foundry DGA)",
            "remotewd.com x 34 devices",
            "South Africa based:  remote.advisoroffice.com",
            "acc.lehigtapp.com - malware",
            "http://watchhers.net/index.php (espionage entity /palantir relationship  - seen before with palantir and Pegasus sometimes simultaneously )",
            "Active - apple-dns.net \u2022 nr-data.net \u2022 tunes.apple.com \u2022  emails.redvue.com \u2022",
            "Active - pointing:  https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635",
            "http://help.cangene.com/tmp/javascript/tiny_mce/plugins/imagepaste/applet/cp.jar",
            "http://wpgchanfp01.cangene.com/tmp/javascript/tiny_mce/plugins/imagepaste/applet/cp.jar",
            "Excess porn -http://barbaramarx.com/__media__/js/netsoltrademark.php?d=www.pornxxxgals.info/feet-licking-porn/",
            "https://www.rmhumanservices.org/wp-content/themes/unicon/framework/js/isotope.pkgd.min.js malware hosting",
            "YARA Detections: NAME STRINGS CATEGORY APT10_Malware_Sample_Gen acc.lehigtapp.com FILE",
            "acc.lehigtapp.com - APT10_Malware_Sample_Gen acc.lehigtapp.com FILE",
            "http://www.dvrdns.net/BlackBox/LVR_SD310HWG/SD310H/Player(3.7.2.0).exe.txt \u2022 www.dvrdns.net",
            "IDS Detections: Koobface HTTP Request (2) W32/Bayrob Attempted Checkin 2",
            "IDS Terse HTTP 1.0 Request Possible Nivdort Probable OneLouder downloader (Zeus P2P)",
            "IDS: Win32/Nivdort Checkin Win32.Sality.bh Checkin 2 Andromeda Checkin Hostname",
            "1.organization.api.powerplatform.partner.microsoftonline.cn",
            "chinaeast2.admin.api.powerautomate.cn",
            "https://cisomag.com/mysterious-malware-infects-over-45000-android-phones/amp/",
            "https://hhahiag.r.af.d.sendibt2.com/tr/cl/k5n4lETrM7BShW8xAUoWzvHtXjUA9oY0eN0p94b4t6YmDCrHhUgR0CnWSrSU4oUFIIWHm33C5ltugoVezhyEVu8aXyY_lcNjanZPDFg-LOsishNuFrY6IJn0V0mjTudzlxtGsp9Cf04n9fUhwGutzxcgUbjXHhhy9RZdcxw9Z89-_v9NL4wQvbEhDhAlekBXUxvWjkXG_WyC8myfJAYzXL_43Cok-YEiyDHA7JvRwSX9aWdWtcE5N-kL3K-VM_-tvhSJcLt-mXjsbAN6DYkoz2r7j11242EYDQHdzTiC1Or0k6_Ptz-GvAw4cZyo3978asi27ijV89a5ngu_Ene6XOjg_UMpexvj9Zrihu4i9EPTSC-5-7qKwlTLKNHiwI6DvmurR5IoMJVMPa-xIDMUN2LCMTwUHMvfo0q2a0btH2Fx2A",
            "ssa-gov.authorizeddns",
            "hmmm\u2026http://palander.stjernstrom.se/",
            "https://jt667.keap-link003.com/v2/click/063b9634a5ebbdf34f43cbbbca6019ca/eJyNkEEPwUAQhf_LnEularE3EZGmOAhn2bRTlu2abIdEpP_dEHEicZ335nvz5g6M3njOStBwZKWGEEHAwpJFz9OzZ1O8xH6Spr1BBM760zycLwT6_m33oz-n6ThNBioCvhGKZ7OeTPNsNd8tslUuXjJBQv4BDVUyUqMPaLacZAto259krC3PrgJvQHO44LNTaaUXb4MT_4GZGh3HJzTUJbPH-BUbY22s61DACuW0AjuFMDB0D1w7wRoi9OX7KzneQFfGNdg-ANNtagU"
          ],
          "public": 1,
          "adversary": "APT 10",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "APT 10",
              "display_name": "APT 10",
              "target": null
            },
            {
              "id": "OneLouder",
              "display_name": "OneLouder",
              "target": null
            },
            {
              "id": "Andromeda",
              "display_name": "Andromeda",
              "target": null
            },
            {
              "id": "Sality",
              "display_name": "Sality",
              "target": null
            },
            {
              "id": "KoobFace",
              "display_name": "KoobFace",
              "target": null
            },
            {
              "id": "Bayrob",
              "display_name": "Bayrob",
              "target": null
            },
            {
              "id": "Nivdort Checkin",
              "display_name": "Nivdort Checkin",
              "target": null
            },
            {
              "id": "Win.Malware.Installcore-6950365-0",
              "display_name": "Win.Malware.Installcore-6950365-0",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1480",
              "name": "Execution Guardrails",
              "display_name": "T1480 - Execution Guardrails"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1568",
              "name": "Dynamic Resolution",
              "display_name": "T1568 - Dynamic Resolution"
            },
            {
              "id": "T1583",
              "name": "Acquire Infrastructure",
              "display_name": "T1583 - Acquire Infrastructure"
            },
            {
              "id": "T1590",
              "name": "Gather Victim Network Information",
              "display_name": "T1590 - Gather Victim Network Information"
            },
            {
              "id": "T1113",
              "name": "Screen Capture",
              "display_name": "T1113 - Screen Capture"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1132",
              "name": "Data Encoding",
              "display_name": "T1132 - Data Encoding"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1119",
              "name": "Automated Collection",
              "display_name": "T1119 - Automated Collection"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1574.006",
              "name": "Dynamic Linker Hijacking",
              "display_name": "T1574.006 - Dynamic Linker Hijacking"
            },
            {
              "id": "T1210",
              "name": "Exploitation of Remote Services",
              "display_name": "T1210 - Exploitation of Remote Services"
            },
            {
              "id": "T1449",
              "name": "Exploit SS7 to Redirect Phone Calls/SMS",
              "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
            },
            {
              "id": "TA0011",
              "name": "Command and Control",
              "display_name": "TA0011 - Command and Control"
            }
          ],
          "industries": [
            "Golfing",
            "Healthcare",
            "Government"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 9,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 690,
            "hostname": 1912,
            "URL": 5925,
            "FileHash-SHA1": 273,
            "email": 8,
            "FileHash-SHA256": 3618,
            "CIDR": 3,
            "FileHash-MD5": 254,
            "SSLCertFingerprint": 19,
            "CVE": 2
          },
          "indicator_count": 12704,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 141,
          "modified_text": "184 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "685afb805ba518e374abc735",
          "name": "Home - RMHS - Ransom",
          "description": "I can only  imagine what is going on. This is a real organization, with a building,  ever changing case workers who don\u2019t want to meet with clients in person . I have received several incoming concerns since 2021. It seems that a threat actor may be ringing along or certain people are being handled / investigated / silenced and closely monitored by a very large interconnected Cyber Intelligence entity  \u2022 Trojan:X97M/ShellHide.C |\n\u2022 Trojan:PDF/Phish.RR!MTB |\n\u2022 Win.Trojan.Agent-370485 |\nAntivirus Detections:\n\u2022 Win.Trojan.Agent-370485\nYara: VirusWin32Span |\nAlerts\nransomware_file_modifications\nstealth_file\nDomains Contacted: Unknown\n(efbkfqpcdh.com) [\t\t\t\t2025-07-24T16:00:00\t14\t\n\nURL\nhttp://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel] #phishing #malware #intel? #trojan #infectiin",
          "modified": "2025-07-24T19:04:24.993000",
          "created": "2025-06-24T19:24:48.632000",
          "tags": [
            "wordpress",
            "home",
            "rmhs og",
            "rmhs article",
            "wpbakery page",
            "builder",
            "slider plugin",
            "utc google",
            "tag manager",
            "g5cygkcj7g1",
            "dynamicloader",
            "ms windows",
            "intel",
            "users",
            "medium",
            "pe32",
            "search",
            "show",
            "windows",
            "videos",
            "music",
            "copy",
            "write",
            "next",
            "ford mustang",
            "converter pdf",
            "gt convertible",
            "trim",
            "models ford",
            "mustang coupe",
            "createdate",
            "producer solid",
            "filehash",
            "trojan",
            "format",
            "united",
            "moved",
            "passive dns",
            "ipv4 add",
            "pulse submit",
            "url analysis",
            "urls",
            "files",
            "location united",
            "america flag",
            "encrypt",
            "date",
            "sc onlogon",
            "write c",
            "port",
            "showing",
            "entries",
            "module load",
            "execution",
            "malware",
            "self",
            "reverse dns",
            "url https",
            "resource",
            "general full",
            "name value",
            "security tls",
            "hash",
            "san francisco",
            "june",
            "input",
            "form",
            "dom get",
            "search start",
            "get https",
            "post",
            "value",
            "variables",
            "msgoriginaltext",
            "msgoptions",
            "isns function",
            "setupns",
            "rsiw number",
            "rsih object",
            "learn",
            "ck id",
            "name tactics",
            "suspicious",
            "informative",
            "command",
            "adversaries",
            "found",
            "spawns",
            "ck techniques",
            "flag",
            "markmonitor",
            "name server",
            "server",
            "rocky mountain",
            "human",
            "domain address",
            "enom",
            "copy sha256",
            "path",
            "copy md5",
            "copy sha1",
            "sha256",
            "size",
            "sha1",
            "attrib",
            "rowcycur",
            "hz4urdyi",
            "stop",
            "false",
            "soldier",
            "model",
            "youth",
            "baby",
            "core",
            "warrior",
            "green",
            "emotion",
            "flash",
            "nina",
            "hunk",
            "fono",
            "daam",
            "destination",
            "tlsv1",
            "dyndns domain",
            "irfan skiljan",
            "yara detections",
            "pdf pdf",
            "producer pdftk",
            "title data",
            "pulse pulses",
            "av detections",
            "ids detections",
            "alerts",
            "analysis date",
            "pictures",
            "read",
            "delete",
            "thumbprint",
            "graph summary",
            "url http",
            "gna7hdu",
            "g4 rsa4096",
            "adobe systems",
            "services1",
            "adobe product",
            "creatortool",
            "ascii text",
            "description svg",
            "scalable vector",
            "graphics image"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1158",
              "name": "Hidden Files and Directories",
              "display_name": "T1158 - Hidden Files and Directories"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1480",
              "name": "Execution Guardrails",
              "display_name": "T1480 - Execution Guardrails"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1568",
              "name": "Dynamic Resolution",
              "display_name": "T1568 - Dynamic Resolution"
            },
            {
              "id": "T1583",
              "name": "Acquire Infrastructure",
              "display_name": "T1583 - Acquire Infrastructure"
            },
            {
              "id": "T1590",
              "name": "Gather Victim Network Information",
              "display_name": "T1590 - Gather Victim Network Information"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 34,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 56,
            "URL": 262,
            "hostname": 165,
            "FileHash-SHA256": 2141,
            "FileHash-MD5": 308,
            "FileHash-SHA1": 308,
            "SSLCertFingerprint": 3,
            "email": 1
          },
          "indicator_count": 3244,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 138,
          "modified_text": "269 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "6570972ccaeed5791f7bf452",
          "name": "https://itunes.apple.com/us/app/live-sport-tv-listing-guide/id1182257083?ls=1&mt=8 and https://play.google.com/store/apps/details?id=sport.mobile2ads.com",
          "description": "",
          "modified": "2023-12-06T15:45:48.530000",
          "created": "2023-12-06T15:45:48.530000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 3,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "StreamMiningEx",
            "id": "262917",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 406,
            "FileHash-MD5": 53,
            "FileHash-SHA1": 51,
            "hostname": 58,
            "domain": 49,
            "URL": 169,
            "email": 2
          },
          "indicator_count": 788,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 110,
          "modified_text": "865 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "6570972886cebe9b81c62534",
          "name": "oops wrong title this was the goo playstore version for 2m.ma sporttotal",
          "description": "",
          "modified": "2023-12-06T15:45:44.788000",
          "created": "2023-12-06T15:45:44.788000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 3,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "StreamMiningEx",
            "id": "262917",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 264,
            "hostname": 20,
            "URL": 55,
            "domain": 1
          },
          "indicator_count": 340,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 110,
          "modified_text": "865 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "63ee3cebfc1591ef9628202c",
          "name": "https://itunes.apple.com/us/app/live-sport-tv-listing-guide/id1182257083?ls=1&mt=8 and https://play.google.com/store/apps/details?id=sport.mobile2ads.com",
          "description": "A chronology of key events:-1.1-3.4-4.3-year-old, 1.2-2.5-magnitude, 2.6-million-second.",
          "modified": "2023-03-18T14:03:15.873000",
          "created": "2023-02-16T14:25:47.934000",
          "tags": [
            "tcpmiss",
            "cookie",
            "sandbox",
            "malware",
            "analysis",
            "online",
            "submit",
            "vxstream",
            "sample",
            "download",
            "trojan",
            "apt",
            "runtime data",
            "ansi",
            "localappdata",
            "hash seen",
            "size",
            "runtime process",
            "unicode",
            "sha256",
            "sha1",
            "temp",
            "entropy",
            "date",
            "hybrid",
            "close",
            "click",
            "ransomware",
            "february",
            "general",
            "strings",
            "format",
            "suspicious",
            "self",
            "script",
            "live sport tv listing guide",
            "gregor jutrisa",
            "sports",
            "entertainment",
            "ios apps",
            "app",
            "appstore",
            "app store",
            "iphone",
            "ipad",
            "ipod touch",
            "itouch",
            "itunes",
            "sport tv",
            "ziggo sport",
            "fox sports",
            "sky sport",
            "golf channel",
            "eurosport",
            "sport",
            "football",
            "baseball",
            "golf",
            "calendar"
          ],
          "references": [
            "https://itunes.apple.com/us/app/live-sport-tv-listing-guide/id1182257083?ls=1&mt=8",
            "Live Sport TV Listings Guide is a comprehensive sports TV listings guide for iPad, iPhone, iPad and Android devices, available on the Apple Store, Apple TV, Connected TV and app.",
            "Content Security policy for https://play.google.com/store/apps/details?id=sport.mobile2ads.com",
            "Content-Security-Policy\tscript-src 'report-sample' 'nonce-7kIhV_bemRSTmuEs7_xY3A' 'unsafe-inline' 'unsafe-eval';object-src 'none';base-uri 'self';report-uri /_/PlayStoreUi/cspreport;worker-src 'self', script-src 'unsafe-inline' 'unsafe-eval' 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com https://market.android.com https://clients2.google.com https://payments.sandbox.google.com https://pay",
            "https://hybrid-analysis.com/sample/1226ee40a542e22e99e73f8cb2cb310609eae8914923b7fe57f7a28c5aa48c16/63ee2b8543b88778ed20724d",
            "hybrid scan upload of above URL",
            "content-length\t0 x-true-cache-key\t/L/itunes.apple.com/us/app/live-sport-tv-listing-guide/id1182257083?ls=1&mt=8Browser vcd=2897 x-cache\tTCP_MISS from a23-47-195-69.deploy.akamaitechnologies.com (AkamaiGHost/10.3.4.1-33174363) (-) expires\tFri, 30 Apr 2021 04:29:13 GMT vary\tX-Apple-Store-Front, Cookie, X-Apple-Store-Front, Cookie x-responding-instance\tMZStore:3015901::: x-apple-lokamai-no-cache\ttrue pragma\tno-cache date\tFri, 30 Apr 2021 04:29:13 GMT",
            "x-apple-partner\torigin.0 access-control-allow-origin\t* x-cache-remote\tTCP_MISS from a23-47-58-148.deploy.akamaitechnologies.com (AkamaiGHost/10.4.0-33449709) (-) x-daiquiri-instance\tdaiquiri:18626002:mr47p00it-qujn07082301:7987:21RELEASE69 strict-transport-security\tmax-age=31536000; includeSubDomains apple-timing-app\t3 ms server\tdaiquiri/3.0.0 x-apple-jingle-correlation-key\tCIKYKHURNQMKOWELARQB6Y5KHI connection\tkeep-alive cache-control\tmax-age=0, no-cache, no-store"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 5,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "callmeDoris",
            "id": "205385",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 58,
            "URL": 169,
            "domain": 49,
            "FileHash-SHA256": 406,
            "email": 2,
            "FileHash-MD5": 53,
            "FileHash-SHA1": 51
          },
          "indicator_count": 788,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 91,
          "modified_text": "1128 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "63ee3335ae058966dd91ebf3",
          "name": "oops wrong title this was the goo playstore version for 2m.ma sporttotal",
          "description": "Just the Content-Security-Policy\tscript-src ?!?!",
          "modified": "2023-02-16T18:26:20.591000",
          "created": "2023-02-16T13:44:21.521000",
          "tags": [
            "self",
            "script",
            "live sport tv listing guide",
            "gregor jutrisa",
            "sports",
            "entertainment",
            "ios apps",
            "app",
            "appstore",
            "app store",
            "iphone",
            "ipad",
            "ipod touch",
            "itouch",
            "itunes",
            "sport tv",
            "ziggo sport",
            "fox sports",
            "sky sport",
            "golf channel",
            "eurosport",
            "sport",
            "football",
            "baseball",
            "golf",
            "calendar"
          ],
          "references": [
            "https://itunes.apple.com/us/app/live-sport-tv-listing-guide/id1182257083?ls=1&mt=8",
            "Live Sport TV Listings Guide is a comprehensive sports TV listings guide for iPad, iPhone, iPad and Android devices, available on the Apple Store, Apple TV, Connected TV and app.",
            "Content Security policy for itunes app store URL",
            "Content-Security-Policy\tscript-src 'report-sample' 'nonce-7kIhV_bemRSTmuEs7_xY3A' 'unsafe-inline' 'unsafe-eval';object-src 'none';base-uri 'self';report-uri /_/PlayStoreUi/cspreport;worker-src 'self', script-src 'unsafe-inline' 'unsafe-eval' 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com https://market.android.com https://clients2.google.com https://payments.sandbox.google.com https://pay"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 5,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "callmeDoris",
            "id": "205385",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 264,
            "URL": 55,
            "hostname": 20,
            "domain": 1
          },
          "indicator_count": 340,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 91,
          "modified_text": "1158 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "chinaeast2.admin.api.powerautomate.cn",
        "remotewd.com x 34 devices",
        "acc.lehigtapp.com - APT10_Malware_Sample_Gen acc.lehigtapp.com FILE",
        "http://www.dvrdns.net/BlackBox/AOKI/AMEXA07/AMEX-A07%20PCViewer(3.9.8.1).exe",
        "http://wpgchanfp01.cangene.com/tmp/javascript/tiny_mce/plugins/imagepaste/applet/cp.jar",
        "Excess porn -http://barbaramarx.com/__media__/js/netsoltrademark.php?d=www.pornxxxgals.info/feet-licking-porn/",
        "https://itunes.apple.com/us/app/live-sport-tv-listing-guide/id1182257083?ls=1&mt=8",
        "https://vtbehaviour.commondatastorage.googleapis.com/528831360d5c49743bf0dcf9cb0af1f76c694de9dfff79b32098d68c3c592f8a_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775980441&Signature=QefJtz2s096UJTV1NljpeJrvdFWJBbHJre5UDOJQeemvu9EGI8UaxLTPvZxejJToeSgqCCu4zCWniB2V9Xer1ozcM5Vy2xhgRO%2BaFeWFRkjfd5yRyZIGLi65ORYA2oyDhTBUZuQco3NNHZWaS0mWYOpAI662c%2BecYNp5SJTXMB4oKzu9bstiszUfM1HNlWjSpySaxCD4j34gZFgiv5xZGW34IcBSvzfQUWECgUu6jW5Pu4Rr%2FH5TJS%2",
        "IDS Detections: Koobface HTTP Request (2) W32/Bayrob Attempted Checkin 2",
        "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
        "http://www.dvrdns.net/BlackBox/IROAD/IROAD_X9/version.txt",
        "x-apple-partner\torigin.0 access-control-allow-origin\t* x-cache-remote\tTCP_MISS from a23-47-58-148.deploy.akamaitechnologies.com (AkamaiGHost/10.4.0-33449709) (-) x-daiquiri-instance\tdaiquiri:18626002:mr47p00it-qujn07082301:7987:21RELEASE69 strict-transport-security\tmax-age=31536000; includeSubDomains apple-timing-app\t3 ms server\tdaiquiri/3.0.0 x-apple-jingle-correlation-key\tCIKYKHURNQMKOWELARQB6Y5KHI connection\tkeep-alive cache-control\tmax-age=0, no-cache, no-store",
        "https://www.rmhumanservices.org/wp-content/themes/unicon/framework/js/isotope.pkgd.min.js malware hosting",
        "hybrid scan upload of above URL",
        "acc.lehigtapp.com - malware",
        "Active - pointing:  https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635",
        "Content-Security-Policy\tscript-src 'report-sample' 'nonce-7kIhV_bemRSTmuEs7_xY3A' 'unsafe-inline' 'unsafe-eval';object-src 'none';base-uri 'self';report-uri /_/PlayStoreUi/cspreport;worker-src 'self', script-src 'unsafe-inline' 'unsafe-eval' 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com https://market.android.com https://clients2.google.com https://payments.sandbox.google.com https://pay",
        "https://we4.ondemand.esker.com/ondemand/webaccess/logon.aspx?status=CookieNotFound",
        "ntp17.dn.n-helix.com \u2022 ntp6.n-helix.com \u2022\tn-helix.com",
        "Live Sport TV Listings Guide is a comprehensive sports TV listings guide for iPad, iPhone, iPad and Android devices, available on the Apple Store, Apple TV, Connected TV and app.",
        "https://cisomag.com/mysterious-malware-infects-over-45000-android-phones/amp/",
        "http://www.dvrdns.net/BlackBox/LVR_SD310HWG/SD310H/Player(3.7.2.0).exe.txt \u2022 www.dvrdns.net",
        "Content Security policy for itunes app store URL",
        "http://www.dvrdns.net/BlackBox/LVR_SD310HWG/SD310H%2520Player",
        "https://hhahiag.r.af.d.sendibt2.com/tr/cl/k5n4lETrM7BShW8xAUoWzvHtXjUA9oY0eN0p94b4t6YmDCrHhUgR0CnWSrSU4oUFIIWHm33C5ltugoVezhyEVu8aXyY_lcNjanZPDFg-LOsishNuFrY6IJn0V0mjTudzlxtGsp9Cf04n9fUhwGutzxcgUbjXHhhy9RZdcxw9Z89-_v9NL4wQvbEhDhAlekBXUxvWjkXG_WyC8myfJAYzXL_43Cok-YEiyDHA7JvRwSX9aWdWtcE5N-kL3K-VM_-tvhSJcLt-mXjsbAN6DYkoz2r7j11242EYDQHdzTiC1Or0k6_Ptz-GvAw4cZyo3978asi27ijV89a5ngu_Ene6XOjg_UMpexvj9Zrihu4i9EPTSC-5-7qKwlTLKNHiwI6DvmurR5IoMJVMPa-xIDMUN2LCMTwUHMvfo0q2a0btH2Fx2A",
        "http://watchhers.net/index.php (espionage entity /palantir relationship  - seen before with palantir and Pegasus sometimes simultaneously )",
        "ssa-gov.authorizeddns",
        "Active - apple-dns.net \u2022 nr-data.net \u2022 tunes.apple.com \u2022  emails.redvue.com \u2022",
        "Content Security policy for https://play.google.com/store/apps/details?id=sport.mobile2ads.com",
        "http://www.dvrdns.net/BlackBox/google/googleMapKey.txt",
        "http://www.dvrdns.net/BlackBox/IROAD/IROAD_T8S2/IROAD%20Viewer(4.1.6.1).exe",
        "http://help.cangene.com/tmp/javascript/tiny_mce/plugins/imagepaste/applet/cp.jar",
        "https://jt667.keap-link003.com/v2/click/063b9634a5ebbdf34f43cbbbca6019ca/eJyNkEEPwUAQhf_LnEularE3EZGmOAhn2bRTlu2abIdEpP_dEHEicZ335nvz5g6M3njOStBwZKWGEEHAwpJFz9OzZ1O8xH6Spr1BBM760zycLwT6_m33oz-n6ThNBioCvhGKZ7OeTPNsNd8tslUuXjJBQv4BDVUyUqMPaLacZAto259krC3PrgJvQHO44LNTaaUXb4MT_4GZGh3HJzTUJbPH-BUbY22s61DACuW0AjuFMDB0D1w7wRoi9OX7KzneQFfGNdg-ANNtagU",
        "content-length\t0 x-true-cache-key\t/L/itunes.apple.com/us/app/live-sport-tv-listing-guide/id1182257083?ls=1&mt=8Browser vcd=2897 x-cache\tTCP_MISS from a23-47-195-69.deploy.akamaitechnologies.com (AkamaiGHost/10.3.4.1-33174363) (-) expires\tFri, 30 Apr 2021 04:29:13 GMT vary\tX-Apple-Store-Front, Cookie, X-Apple-Store-Front, Cookie x-responding-instance\tMZStore:3015901::: x-apple-lokamai-no-cache\ttrue pragma\tno-cache date\tFri, 30 Apr 2021 04:29:13 GMT",
        "South Africa based:  remote.advisoroffice.com",
        "https://www.mlkfoundation.net/ (Foundry DGA)",
        "YARA Detections: NAME STRINGS CATEGORY APT10_Malware_Sample_Gen acc.lehigtapp.com FILE",
        "hmmm\u2026http://palander.stjernstrom.se/",
        "IDS Terse HTTP 1.0 Request Possible Nivdort Probable OneLouder downloader (Zeus P2P)",
        "rmhumanservices.org",
        "https://hybrid-analysis.com/sample/1226ee40a542e22e99e73f8cb2cb310609eae8914923b7fe57f7a28c5aa48c16/63ee2b8543b88778ed20724d",
        "http://www.dvrdns.net/BlackBox/IROAD/IROAD_T8S2/",
        "1.organization.api.powerplatform.partner.microsoftonline.cn",
        "IDS: Win32/Nivdort Checkin Win32.Sality.bh Checkin 2 Andromeda Checkin Hostname",
        "http://www.dvrdns.net/BlackBox/LVR_SD310HWG/SD310H/Player(3.7.2.0).exe.txt"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": [],
          "unique_indicators": 0
        },
        "other": {
          "adversary": [
            "APT 10"
          ],
          "malware_families": [
            "Sality",
            "Onelouder",
            "Win.malware.installcore-6950365-0",
            "Bayrob",
            "Koobface",
            "Andromeda",
            "Nivdort checkin",
            "Apt 10"
          ],
          "industries": [
            "Golfing",
            "Government",
            "Healthcare"
          ],
          "unique_indicators": 17876
        }
      }
    },
    "false_positive": [],
    "alexa": "http://www.alexa.com/siteinfo/googleapis.com",
    "whois": "http://whois.domaintools.com/googleapis.com",
    "domain": "googleapis.com",
    "hostname": "translate.googleapis.com"
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 8,
  "pulses": [
    {
      "id": "69db4f2dc509a1e8210f1b68",
      "name": "CAPE Sandbox",
      "description": "CivicPlus, LLC (ICONE-2) is a US-based company with a name that includes the word \"CIVICPLUS\", \"civicplus\", and \"icon Enterprises, Inc\".",
      "modified": "2026-04-12T08:36:17.724000",
      "created": "2026-04-12T07:52:13.594000",
      "tags": [
        "network admin",
        "civicplus",
        "net192",
        "net1920000",
        "houston",
        "suite e",
        "city",
        "server",
        "select contact",
        "domain holder",
        "date",
        "form",
        "submission",
        "ssdeep",
        "file type",
        "text text",
        "magic unicode",
        "utf8",
        "crlf line",
        "trid text",
        "magika txt",
        "file size",
        "chatgpt",
        "doctype html",
        "meta",
        "ai system",
        "research",
        "preview",
        "gmt server",
        "self",
        "dynamic",
        "html info",
        "title chatgpt",
        "meta tags",
        "thumbprint"
      ],
      "references": [
        "https://vtbehaviour.commondatastorage.googleapis.com/528831360d5c49743bf0dcf9cb0af1f76c694de9dfff79b32098d68c3c592f8a_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775980441&Signature=QefJtz2s096UJTV1NljpeJrvdFWJBbHJre5UDOJQeemvu9EGI8UaxLTPvZxejJToeSgqCCu4zCWniB2V9Xer1ozcM5Vy2xhgRO%2BaFeWFRkjfd5yRyZIGLi65ORYA2oyDhTBUZuQco3NNHZWaS0mWYOpAI662c%2BecYNp5SJTXMB4oKzu9bstiszUfM1HNlWjSpySaxCD4j34gZFgiv5xZGW34IcBSvzfQUWECgUu6jW5Pu4Rr%2FH5TJS%2"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "CIDR": 2,
        "URL": 602,
        "domain": 166,
        "email": 37,
        "hostname": 837,
        "FileHash-MD5": 125,
        "FileHash-SHA1": 136,
        "FileHash-SHA256": 1230,
        "IPv4": 399
      },
      "indicator_count": 3534,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 49,
      "modified_text": "7 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "69c5c7194394ff775d44f7e0",
      "name": "WaypointsStickyChromeCache",
      "description": "A complete analysis of user-created Pulses (AVs) at the University of California, Los Angeles, has been published by the BBC's Newsnight website, along with a series of links.<pretext",
      "modified": "2026-03-27T00:12:08.015000",
      "created": "2026-03-26T23:54:01.493000",
      "tags": [
        "http",
        "urls",
        "unique",
        "pulse pulses",
        "location united",
        "flag united",
        "related",
        "pulses",
        "related tags",
        "x tec",
        "log id",
        "gmtn",
        "tls web",
        "self",
        "encrypt",
        "b2 f6",
        "b0n timestamp",
        "f9401a",
        "timestamp",
        "url add",
        "false"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 121,
        "hostname": 31,
        "domain": 5,
        "FileHash-MD5": 20,
        "FileHash-SHA1": 18,
        "FileHash-SHA256": 98,
        "SSLCertFingerprint": 2,
        "IPv4": 1,
        "CVE": 1
      },
      "indicator_count": 297,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 48,
      "modified_text": "23 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "68cb233ba91aa1eb958b3f31",
      "name": "Home - RMHS | APT 10 \u2022 Andromeda \u2022  OneLouder",
      "description": "I don\u2019t even know what to say. I\u2019ve received several complaints. This is 2nd time checking out technical issues that do exist. Operates as a Human Service entity for injured persons. OTX auto populated \u2018Golfing\u2019 as industry. \n\nDoes serve the severely disabled population. Does pay caregivers. Possibly a front page a FF link page, I have no idea",
      "modified": "2025-10-17T19:03:15.031000",
      "created": "2025-09-17T21:08:11.518000",
      "tags": [
        "script urls",
        "meta",
        "moved",
        "x tec",
        "passive dns",
        "encrypt",
        "america flag",
        "san francisco",
        "extraction",
        "data upload",
        "type indicatod",
        "united states",
        "a domains",
        "united",
        "gmt server",
        "jose",
        "university",
        "bill",
        "rmhs",
        "information",
        "board",
        "lorin",
        "joseph",
        "all veterans",
        "rocky mountain",
        "mission",
        "vice",
        "april",
        "school",
        "austin",
        "prior",
        "ipv4 add",
        "urls",
        "files",
        "location united",
        "wordpress",
        "rmhs meta",
        "tags viewport",
        "rmhs og",
        "rmhs article",
        "wpbakery page",
        "builder",
        "slider plugin",
        "google tag",
        "mountain human",
        "denver",
        "connecting",
        "denver start",
        "relevance home",
        "providers",
        "contact us",
        "rmhs main",
        "server",
        "redacted tech",
        "redacted admin",
        "registrar abuse",
        "algorithm",
        "key identifier",
        "x509v3 subject",
        "dnssec",
        "country",
        "ttl value",
        "graph summary",
        "resolved ips",
        "ip address",
        "port",
        "data",
        "screenshots no",
        "involved direct",
        "country name",
        "name response",
        "tcp connections",
        "learn",
        "ck id",
        "name tactics",
        "suspicious",
        "informative",
        "command",
        "adversaries",
        "found",
        "spawns",
        "t1590 gather",
        "path",
        "ascii text",
        "exif standard",
        "tiff image",
        "format",
        "stop",
        "false",
        "soldier",
        "model",
        "youth",
        "baby",
        "june",
        "general",
        "local",
        "click",
        "strings",
        "core",
        "warrior",
        "green",
        "emotion",
        "flash",
        "nina",
        "hunk",
        "fono",
        "daam",
        "mitre att",
        "ck techniques",
        "id name",
        "malicious",
        "windows nt",
        "win64",
        "khtml",
        "gecko",
        "brand",
        "microsoft edge",
        "show process",
        "self",
        "date",
        "comspec",
        "hybrid",
        "form",
        "log id",
        "gmtn",
        "tls web",
        "b2 f6",
        "b0n timestamp",
        "f9401a",
        "record value",
        "x wix",
        "certificate",
        "domain add",
        "pulse submit",
        "body",
        "domain related",
        "blackbox",
        "apple",
        "helix",
        "dvrdns",
        "tracking",
        "remote access",
        "ios",
        "spyware",
        "hoax",
        "dynamicloader",
        "ptls6",
        "medium",
        "flashpix",
        "high",
        "ygjpavclsline",
        "officespace",
        "chartshared",
        "powershell",
        "write",
        "malware",
        "ygjpaulscontext",
        "status",
        "japan unknown",
        "domain",
        "pulses",
        "search",
        "accept",
        "apt10",
        "trojanspy",
        "win32",
        "entries",
        "susp",
        "backdoor",
        "useragent",
        "showing",
        "virtool",
        "twitter",
        "mozilla",
        "trojandropper",
        "trojan",
        "title",
        "onelouder",
        "yara det",
        "maware samoe",
        "genaco x",
        "ids detec",
        "ids terse",
        "win3 data",
        "include review",
        "exclude sugges",
        "targeting",
        "show",
        "copy",
        "reads",
        "dynamic",
        "vendor finding",
        "notes clamav",
        "files matching",
        "number",
        "sample analysis",
        "hide samples",
        "date hash",
        "next yara"
      ],
      "references": [
        "rmhumanservices.org",
        "http://www.dvrdns.net/BlackBox/LVR_SD310HWG/SD310H/Player(3.7.2.0).exe.txt",
        "ntp17.dn.n-helix.com \u2022 ntp6.n-helix.com \u2022\tn-helix.com",
        "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
        "http://www.dvrdns.net/BlackBox/google/googleMapKey.txt",
        "http://www.dvrdns.net/BlackBox/AOKI/AMEXA07/AMEX-A07%20PCViewer(3.9.8.1).exe",
        "http://www.dvrdns.net/BlackBox/LVR_SD310HWG/SD310H%2520Player",
        "http://www.dvrdns.net/BlackBox/IROAD/IROAD_X9/version.txt",
        "http://www.dvrdns.net/BlackBox/IROAD/IROAD_T8S2/IROAD%20Viewer(4.1.6.1).exe",
        "http://www.dvrdns.net/BlackBox/IROAD/IROAD_T8S2/",
        "https://we4.ondemand.esker.com/ondemand/webaccess/logon.aspx?status=CookieNotFound",
        "https://www.mlkfoundation.net/ (Foundry DGA)",
        "remotewd.com x 34 devices",
        "South Africa based:  remote.advisoroffice.com",
        "acc.lehigtapp.com - malware",
        "http://watchhers.net/index.php (espionage entity /palantir relationship  - seen before with palantir and Pegasus sometimes simultaneously )",
        "Active - apple-dns.net \u2022 nr-data.net \u2022 tunes.apple.com \u2022  emails.redvue.com \u2022",
        "Active - pointing:  https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635",
        "http://help.cangene.com/tmp/javascript/tiny_mce/plugins/imagepaste/applet/cp.jar",
        "http://wpgchanfp01.cangene.com/tmp/javascript/tiny_mce/plugins/imagepaste/applet/cp.jar",
        "Excess porn -http://barbaramarx.com/__media__/js/netsoltrademark.php?d=www.pornxxxgals.info/feet-licking-porn/",
        "https://www.rmhumanservices.org/wp-content/themes/unicon/framework/js/isotope.pkgd.min.js malware hosting",
        "YARA Detections: NAME STRINGS CATEGORY APT10_Malware_Sample_Gen acc.lehigtapp.com FILE",
        "acc.lehigtapp.com - APT10_Malware_Sample_Gen acc.lehigtapp.com FILE",
        "http://www.dvrdns.net/BlackBox/LVR_SD310HWG/SD310H/Player(3.7.2.0).exe.txt \u2022 www.dvrdns.net",
        "IDS Detections: Koobface HTTP Request (2) W32/Bayrob Attempted Checkin 2",
        "IDS Terse HTTP 1.0 Request Possible Nivdort Probable OneLouder downloader (Zeus P2P)",
        "IDS: Win32/Nivdort Checkin Win32.Sality.bh Checkin 2 Andromeda Checkin Hostname",
        "1.organization.api.powerplatform.partner.microsoftonline.cn",
        "chinaeast2.admin.api.powerautomate.cn",
        "https://cisomag.com/mysterious-malware-infects-over-45000-android-phones/amp/",
        "https://hhahiag.r.af.d.sendibt2.com/tr/cl/k5n4lETrM7BShW8xAUoWzvHtXjUA9oY0eN0p94b4t6YmDCrHhUgR0CnWSrSU4oUFIIWHm33C5ltugoVezhyEVu8aXyY_lcNjanZPDFg-LOsishNuFrY6IJn0V0mjTudzlxtGsp9Cf04n9fUhwGutzxcgUbjXHhhy9RZdcxw9Z89-_v9NL4wQvbEhDhAlekBXUxvWjkXG_WyC8myfJAYzXL_43Cok-YEiyDHA7JvRwSX9aWdWtcE5N-kL3K-VM_-tvhSJcLt-mXjsbAN6DYkoz2r7j11242EYDQHdzTiC1Or0k6_Ptz-GvAw4cZyo3978asi27ijV89a5ngu_Ene6XOjg_UMpexvj9Zrihu4i9EPTSC-5-7qKwlTLKNHiwI6DvmurR5IoMJVMPa-xIDMUN2LCMTwUHMvfo0q2a0btH2Fx2A",
        "ssa-gov.authorizeddns",
        "hmmm\u2026http://palander.stjernstrom.se/",
        "https://jt667.keap-link003.com/v2/click/063b9634a5ebbdf34f43cbbbca6019ca/eJyNkEEPwUAQhf_LnEularE3EZGmOAhn2bRTlu2abIdEpP_dEHEicZ335nvz5g6M3njOStBwZKWGEEHAwpJFz9OzZ1O8xH6Spr1BBM760zycLwT6_m33oz-n6ThNBioCvhGKZ7OeTPNsNd8tslUuXjJBQv4BDVUyUqMPaLacZAto259krC3PrgJvQHO44LNTaaUXb4MT_4GZGh3HJzTUJbPH-BUbY22s61DACuW0AjuFMDB0D1w7wRoi9OX7KzneQFfGNdg-ANNtagU"
      ],
      "public": 1,
      "adversary": "APT 10",
      "targeted_countries": [
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "APT 10",
          "display_name": "APT 10",
          "target": null
        },
        {
          "id": "OneLouder",
          "display_name": "OneLouder",
          "target": null
        },
        {
          "id": "Andromeda",
          "display_name": "Andromeda",
          "target": null
        },
        {
          "id": "Sality",
          "display_name": "Sality",
          "target": null
        },
        {
          "id": "KoobFace",
          "display_name": "KoobFace",
          "target": null
        },
        {
          "id": "Bayrob",
          "display_name": "Bayrob",
          "target": null
        },
        {
          "id": "Nivdort Checkin",
          "display_name": "Nivdort Checkin",
          "target": null
        },
        {
          "id": "Win.Malware.Installcore-6950365-0",
          "display_name": "Win.Malware.Installcore-6950365-0",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1480",
          "name": "Execution Guardrails",
          "display_name": "T1480 - Execution Guardrails"
        },
        {
          "id": "T1553",
          "name": "Subvert Trust Controls",
          "display_name": "T1553 - Subvert Trust Controls"
        },
        {
          "id": "T1568",
          "name": "Dynamic Resolution",
          "display_name": "T1568 - Dynamic Resolution"
        },
        {
          "id": "T1583",
          "name": "Acquire Infrastructure",
          "display_name": "T1583 - Acquire Infrastructure"
        },
        {
          "id": "T1590",
          "name": "Gather Victim Network Information",
          "display_name": "T1590 - Gather Victim Network Information"
        },
        {
          "id": "T1113",
          "name": "Screen Capture",
          "display_name": "T1113 - Screen Capture"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1132",
          "name": "Data Encoding",
          "display_name": "T1132 - Data Encoding"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1119",
          "name": "Automated Collection",
          "display_name": "T1119 - Automated Collection"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1574.006",
          "name": "Dynamic Linker Hijacking",
          "display_name": "T1574.006 - Dynamic Linker Hijacking"
        },
        {
          "id": "T1210",
          "name": "Exploitation of Remote Services",
          "display_name": "T1210 - Exploitation of Remote Services"
        },
        {
          "id": "T1449",
          "name": "Exploit SS7 to Redirect Phone Calls/SMS",
          "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
        },
        {
          "id": "TA0011",
          "name": "Command and Control",
          "display_name": "TA0011 - Command and Control"
        }
      ],
      "industries": [
        "Golfing",
        "Healthcare",
        "Government"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 9,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Q.Vashti",
        "id": "337942",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 690,
        "hostname": 1912,
        "URL": 5925,
        "FileHash-SHA1": 273,
        "email": 8,
        "FileHash-SHA256": 3618,
        "CIDR": 3,
        "FileHash-MD5": 254,
        "SSLCertFingerprint": 19,
        "CVE": 2
      },
      "indicator_count": 12704,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 141,
      "modified_text": "184 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "685afb805ba518e374abc735",
      "name": "Home - RMHS - Ransom",
      "description": "I can only  imagine what is going on. This is a real organization, with a building,  ever changing case workers who don\u2019t want to meet with clients in person . I have received several incoming concerns since 2021. It seems that a threat actor may be ringing along or certain people are being handled / investigated / silenced and closely monitored by a very large interconnected Cyber Intelligence entity  \u2022 Trojan:X97M/ShellHide.C |\n\u2022 Trojan:PDF/Phish.RR!MTB |\n\u2022 Win.Trojan.Agent-370485 |\nAntivirus Detections:\n\u2022 Win.Trojan.Agent-370485\nYara: VirusWin32Span |\nAlerts\nransomware_file_modifications\nstealth_file\nDomains Contacted: Unknown\n(efbkfqpcdh.com) [\t\t\t\t2025-07-24T16:00:00\t14\t\n\nURL\nhttp://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel] #phishing #malware #intel? #trojan #infectiin",
      "modified": "2025-07-24T19:04:24.993000",
      "created": "2025-06-24T19:24:48.632000",
      "tags": [
        "wordpress",
        "home",
        "rmhs og",
        "rmhs article",
        "wpbakery page",
        "builder",
        "slider plugin",
        "utc google",
        "tag manager",
        "g5cygkcj7g1",
        "dynamicloader",
        "ms windows",
        "intel",
        "users",
        "medium",
        "pe32",
        "search",
        "show",
        "windows",
        "videos",
        "music",
        "copy",
        "write",
        "next",
        "ford mustang",
        "converter pdf",
        "gt convertible",
        "trim",
        "models ford",
        "mustang coupe",
        "createdate",
        "producer solid",
        "filehash",
        "trojan",
        "format",
        "united",
        "moved",
        "passive dns",
        "ipv4 add",
        "pulse submit",
        "url analysis",
        "urls",
        "files",
        "location united",
        "america flag",
        "encrypt",
        "date",
        "sc onlogon",
        "write c",
        "port",
        "showing",
        "entries",
        "module load",
        "execution",
        "malware",
        "self",
        "reverse dns",
        "url https",
        "resource",
        "general full",
        "name value",
        "security tls",
        "hash",
        "san francisco",
        "june",
        "input",
        "form",
        "dom get",
        "search start",
        "get https",
        "post",
        "value",
        "variables",
        "msgoriginaltext",
        "msgoptions",
        "isns function",
        "setupns",
        "rsiw number",
        "rsih object",
        "learn",
        "ck id",
        "name tactics",
        "suspicious",
        "informative",
        "command",
        "adversaries",
        "found",
        "spawns",
        "ck techniques",
        "flag",
        "markmonitor",
        "name server",
        "server",
        "rocky mountain",
        "human",
        "domain address",
        "enom",
        "copy sha256",
        "path",
        "copy md5",
        "copy sha1",
        "sha256",
        "size",
        "sha1",
        "attrib",
        "rowcycur",
        "hz4urdyi",
        "stop",
        "false",
        "soldier",
        "model",
        "youth",
        "baby",
        "core",
        "warrior",
        "green",
        "emotion",
        "flash",
        "nina",
        "hunk",
        "fono",
        "daam",
        "destination",
        "tlsv1",
        "dyndns domain",
        "irfan skiljan",
        "yara detections",
        "pdf pdf",
        "producer pdftk",
        "title data",
        "pulse pulses",
        "av detections",
        "ids detections",
        "alerts",
        "analysis date",
        "pictures",
        "read",
        "delete",
        "thumbprint",
        "graph summary",
        "url http",
        "gna7hdu",
        "g4 rsa4096",
        "adobe systems",
        "services1",
        "adobe product",
        "creatortool",
        "ascii text",
        "description svg",
        "scalable vector",
        "graphics image"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1053",
          "name": "Scheduled Task/Job",
          "display_name": "T1053 - Scheduled Task/Job"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1060",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1060 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1158",
          "name": "Hidden Files and Directories",
          "display_name": "T1158 - Hidden Files and Directories"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1480",
          "name": "Execution Guardrails",
          "display_name": "T1480 - Execution Guardrails"
        },
        {
          "id": "T1553",
          "name": "Subvert Trust Controls",
          "display_name": "T1553 - Subvert Trust Controls"
        },
        {
          "id": "T1568",
          "name": "Dynamic Resolution",
          "display_name": "T1568 - Dynamic Resolution"
        },
        {
          "id": "T1583",
          "name": "Acquire Infrastructure",
          "display_name": "T1583 - Acquire Infrastructure"
        },
        {
          "id": "T1590",
          "name": "Gather Victim Network Information",
          "display_name": "T1590 - Gather Victim Network Information"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 34,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Q.Vashti",
        "id": "337942",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 56,
        "URL": 262,
        "hostname": 165,
        "FileHash-SHA256": 2141,
        "FileHash-MD5": 308,
        "FileHash-SHA1": 308,
        "SSLCertFingerprint": 3,
        "email": 1
      },
      "indicator_count": 3244,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 138,
      "modified_text": "269 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "6570972ccaeed5791f7bf452",
      "name": "https://itunes.apple.com/us/app/live-sport-tv-listing-guide/id1182257083?ls=1&mt=8 and https://play.google.com/store/apps/details?id=sport.mobile2ads.com",
      "description": "",
      "modified": "2023-12-06T15:45:48.530000",
      "created": "2023-12-06T15:45:48.530000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 3,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "StreamMiningEx",
        "id": "262917",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 406,
        "FileHash-MD5": 53,
        "FileHash-SHA1": 51,
        "hostname": 58,
        "domain": 49,
        "URL": 169,
        "email": 2
      },
      "indicator_count": 788,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 110,
      "modified_text": "865 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "6570972886cebe9b81c62534",
      "name": "oops wrong title this was the goo playstore version for 2m.ma sporttotal",
      "description": "",
      "modified": "2023-12-06T15:45:44.788000",
      "created": "2023-12-06T15:45:44.788000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 3,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "StreamMiningEx",
        "id": "262917",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 264,
        "hostname": 20,
        "URL": 55,
        "domain": 1
      },
      "indicator_count": 340,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 110,
      "modified_text": "865 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "63ee3cebfc1591ef9628202c",
      "name": "https://itunes.apple.com/us/app/live-sport-tv-listing-guide/id1182257083?ls=1&mt=8 and https://play.google.com/store/apps/details?id=sport.mobile2ads.com",
      "description": "A chronology of key events:-1.1-3.4-4.3-year-old, 1.2-2.5-magnitude, 2.6-million-second.",
      "modified": "2023-03-18T14:03:15.873000",
      "created": "2023-02-16T14:25:47.934000",
      "tags": [
        "tcpmiss",
        "cookie",
        "sandbox",
        "malware",
        "analysis",
        "online",
        "submit",
        "vxstream",
        "sample",
        "download",
        "trojan",
        "apt",
        "runtime data",
        "ansi",
        "localappdata",
        "hash seen",
        "size",
        "runtime process",
        "unicode",
        "sha256",
        "sha1",
        "temp",
        "entropy",
        "date",
        "hybrid",
        "close",
        "click",
        "ransomware",
        "february",
        "general",
        "strings",
        "format",
        "suspicious",
        "self",
        "script",
        "live sport tv listing guide",
        "gregor jutrisa",
        "sports",
        "entertainment",
        "ios apps",
        "app",
        "appstore",
        "app store",
        "iphone",
        "ipad",
        "ipod touch",
        "itouch",
        "itunes",
        "sport tv",
        "ziggo sport",
        "fox sports",
        "sky sport",
        "golf channel",
        "eurosport",
        "sport",
        "football",
        "baseball",
        "golf",
        "calendar"
      ],
      "references": [
        "https://itunes.apple.com/us/app/live-sport-tv-listing-guide/id1182257083?ls=1&mt=8",
        "Live Sport TV Listings Guide is a comprehensive sports TV listings guide for iPad, iPhone, iPad and Android devices, available on the Apple Store, Apple TV, Connected TV and app.",
        "Content Security policy for https://play.google.com/store/apps/details?id=sport.mobile2ads.com",
        "Content-Security-Policy\tscript-src 'report-sample' 'nonce-7kIhV_bemRSTmuEs7_xY3A' 'unsafe-inline' 'unsafe-eval';object-src 'none';base-uri 'self';report-uri /_/PlayStoreUi/cspreport;worker-src 'self', script-src 'unsafe-inline' 'unsafe-eval' 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com https://market.android.com https://clients2.google.com https://payments.sandbox.google.com https://pay",
        "https://hybrid-analysis.com/sample/1226ee40a542e22e99e73f8cb2cb310609eae8914923b7fe57f7a28c5aa48c16/63ee2b8543b88778ed20724d",
        "hybrid scan upload of above URL",
        "content-length\t0 x-true-cache-key\t/L/itunes.apple.com/us/app/live-sport-tv-listing-guide/id1182257083?ls=1&mt=8Browser vcd=2897 x-cache\tTCP_MISS from a23-47-195-69.deploy.akamaitechnologies.com (AkamaiGHost/10.3.4.1-33174363) (-) expires\tFri, 30 Apr 2021 04:29:13 GMT vary\tX-Apple-Store-Front, Cookie, X-Apple-Store-Front, Cookie x-responding-instance\tMZStore:3015901::: x-apple-lokamai-no-cache\ttrue pragma\tno-cache date\tFri, 30 Apr 2021 04:29:13 GMT",
        "x-apple-partner\torigin.0 access-control-allow-origin\t* x-cache-remote\tTCP_MISS from a23-47-58-148.deploy.akamaitechnologies.com (AkamaiGHost/10.4.0-33449709) (-) x-daiquiri-instance\tdaiquiri:18626002:mr47p00it-qujn07082301:7987:21RELEASE69 strict-transport-security\tmax-age=31536000; includeSubDomains apple-timing-app\t3 ms server\tdaiquiri/3.0.0 x-apple-jingle-correlation-key\tCIKYKHURNQMKOWELARQB6Y5KHI connection\tkeep-alive cache-control\tmax-age=0, no-cache, no-store"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 5,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "callmeDoris",
        "id": "205385",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "hostname": 58,
        "URL": 169,
        "domain": 49,
        "FileHash-SHA256": 406,
        "email": 2,
        "FileHash-MD5": 53,
        "FileHash-SHA1": 51
      },
      "indicator_count": 788,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 91,
      "modified_text": "1128 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "63ee3335ae058966dd91ebf3",
      "name": "oops wrong title this was the goo playstore version for 2m.ma sporttotal",
      "description": "Just the Content-Security-Policy\tscript-src ?!?!",
      "modified": "2023-02-16T18:26:20.591000",
      "created": "2023-02-16T13:44:21.521000",
      "tags": [
        "self",
        "script",
        "live sport tv listing guide",
        "gregor jutrisa",
        "sports",
        "entertainment",
        "ios apps",
        "app",
        "appstore",
        "app store",
        "iphone",
        "ipad",
        "ipod touch",
        "itouch",
        "itunes",
        "sport tv",
        "ziggo sport",
        "fox sports",
        "sky sport",
        "golf channel",
        "eurosport",
        "sport",
        "football",
        "baseball",
        "golf",
        "calendar"
      ],
      "references": [
        "https://itunes.apple.com/us/app/live-sport-tv-listing-guide/id1182257083?ls=1&mt=8",
        "Live Sport TV Listings Guide is a comprehensive sports TV listings guide for iPad, iPhone, iPad and Android devices, available on the Apple Store, Apple TV, Connected TV and app.",
        "Content Security policy for itunes app store URL",
        "Content-Security-Policy\tscript-src 'report-sample' 'nonce-7kIhV_bemRSTmuEs7_xY3A' 'unsafe-inline' 'unsafe-eval';object-src 'none';base-uri 'self';report-uri /_/PlayStoreUi/cspreport;worker-src 'self', script-src 'unsafe-inline' 'unsafe-eval' 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com https://market.android.com https://clients2.google.com https://payments.sandbox.google.com https://pay"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 5,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "callmeDoris",
        "id": "205385",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 264,
        "URL": 55,
        "hostname": 20,
        "domain": 1
      },
      "indicator_count": 340,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 91,
      "modified_text": "1158 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "https://translate.googleapis.com",
    "type": "URL"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "https://translate.googleapis.com",
    "type": "URL",
    "found": false,
    "verdict": "clean",
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1776639689.1828754
}