{
"type": "URL",
"indicator": "https://u.d.next",
"general": {
"sections": [
"general",
"url_list",
"http_scans",
"screenshot"
],
"indicator": "https://u.d.next",
"type": "url",
"type_title": "URL",
"validation": [],
"base_indicator": {
"id": 3390507630,
"indicator": "https://u.d.next",
"type": "URL",
"title": "",
"description": "",
"content": "",
"access_type": "public",
"access_reason": ""
},
"pulse_info": {
"count": 50,
"pulses": [
{
"id": "6963596c4cd594b77b4675ec",
"name": "Project Cicada-.Christopher \u201cBuzz\u201d Ahmann - PalantirFoundry | The State of Colorado | ",
"description": "",
"modified": "2026-02-10T06:05:39.764000",
"created": "2026-01-11T08:03:56.534000",
"tags": [
"colorado state",
"freeman mathis",
"history",
"cyber risk",
"aspen insureds",
"gaig insureds",
"landy insureds",
"nip group",
"purm insureds",
"overview core",
"united",
"ip address",
"present nov",
"present may",
"moved",
"encrypt",
"unknown",
"backdoor",
"passive dns",
"ransom",
"checkin",
"trojandropper",
"mtb nov",
"twitter",
"trojan",
"data upload",
"extraction",
"failed",
"united states",
"server response",
"google safe",
"results may",
"lowfi",
"virtool",
"mtb alf",
"mh alf",
"port",
"windows nt",
"destination",
"msie",
"khtml",
"gecko",
"unknown aaaa",
"a domains",
"meta",
"for privacy",
"cop supply",
"urls",
"as139646 hong",
"hostname",
"files",
"hong kong",
"domain add",
"ip related",
"hash avast",
"avg clamav",
"msdefender may",
"ddos",
"as13335",
"ipv4",
"certificate",
"hostname add",
"url analysis",
"files ip",
"name strings",
"category",
"united states",
"pulse indicator",
"address",
"error",
"null",
"object",
"string",
"number",
"google maps",
"promise",
"javascript api",
"dataset",
"bigint",
"dark",
"android",
"infinity",
"internal",
"roboto",
"trident",
"void",
"small",
"lightrail",
"false",
"span",
"close",
"light",
"hybrid",
"embed",
"iframe",
"keygen",
"this",
"february",
"bounce",
"drop",
"inside",
"outside",
"marker",
"present dec",
"pulses otx",
"aaaa",
"asnone country",
"record value",
"title",
"pulse pulses",
"pulses",
"showing",
"unknown cname",
"unknown soa",
"next associated",
"ipv4 add",
"cycbot",
"extract indic",
"sneaker bots",
"proxies data",
"script script",
"adult content",
"nextimage",
"porn site",
"div div",
"platform make",
"cloudfront x",
"hio52 p3",
"unknown ns",
"pulse submit",
"title error",
"reverse dns",
"status",
"servers",
"name servers",
"vashti hostname",
"scan endpoints",
"url http",
"http",
"files domain",
"files related",
"pulses none",
"dnssec",
"sec ch",
"ch ua",
"ua full",
"ua platform",
"ua bitness",
"ua arch",
"version sec",
"mobile sec",
"model sec",
"version list",
"domain",
"emails",
"cookie",
"url https",
"show",
"filehash",
"urls show",
"date checked",
"url hostname",
"results nov",
"win32",
"type",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"ssl certificate",
"defense evasion",
"spawns",
"flag",
"llc name",
"server",
"markmonitor",
"name server",
"windir",
"openurl c",
"prefetch2",
"show technique",
"mitre att",
"ck matrix",
"pattern match",
"ascii text",
"sha1",
"href",
"show process",
"file",
"general",
"local",
"path",
"germany unknown",
"date",
"registrar",
"ip whois",
"dynamicloader",
"high",
"medium",
"search",
"displayname",
"tofsee",
"win64",
"write",
"stream",
"malware",
"push",
"entries",
"tls handshake",
"failure",
"forbidden",
"tlsv1",
"april",
"next",
"write c",
"intel",
"ms windows",
"sha1 add",
"av detections",
"ids detections",
"yara detections",
"alerts",
"analysis date",
"file score",
"sha256 add",
"present jun",
"present mar",
"medelln",
"colombia asn",
"dns resolutions",
"address domain",
"related tags",
"none google",
"safe browsing",
"external",
"present sep",
"present aug",
"as54113",
"present jul",
"as8068",
"gmt content",
"total",
"read",
"delete",
"top source",
"quasi",
"murderers",
"christopher ahmann",
"buzz ahmann",
"wow64",
"slcc2",
"media center",
"labor",
"employment",
"cdle",
"dowc",
"colorado",
"workers",
"coloradoif",
"independent",
"state",
"company",
"entity type",
"authorized line",
"analysis",
"tor analysis",
"process details",
"network traffic",
"t1071",
"potential ip",
"click",
"found",
"t1480 execution",
"bad traffic",
"et info",
"ck techniques",
"evasion att",
"t1057",
"refresh",
"body",
"strings",
"tools",
"look",
"verify",
"restart",
"cname",
"form",
"pulse",
"script domains",
"script urls",
"administrator",
"services llc",
"dns admin",
"domain admin",
"global llc",
"domain manager",
"computer system",
"ltd domain",
"network",
"alibaba",
"facebook",
"phishme",
"sogou",
"present jan",
"present feb",
"present oct"
],
"references": [
"https://www.fmglaw.com/lawyers/christopher-ahmann - found in adult content pulse.",
"Sneaker Bots Proxies Servers Cook Groups Cop Supply",
"archive.cop.supply \u2022 dev.cop.supply \u2022 https://cop.supply/ \u2022 https://cop.supply/bot-lists/",
"https://cop.supply/supreme-bots/\u2022 https://cop.supply/useful-tools/",
"https://cop.supply/proxies-lists/ \u2022 https://cop.supply/shopify-bots/",
"dns.army \u2022 www.dcopr.dns.army \u2022 www.glsyaiwjj.dns.army \u2022 www.wgmvk.dns.army",
"https://maps.googleapis.com/maps/api/js?sensor=false",
"cell-0.af-south-1.prod.telemetry.console.api.aws",
"howtoworkacrickoutofyourneck2.pages.dev",
"firebase-auth-eich0v.pages.dev",
"http://ianswertomom.com/develop-wise-woman-within-yourself",
"http://ianswertomom.com/bible-verses-struggling-contentment-mom/ I",
"https://i-want-to-start-an-onlyfans.pages.dev/favicon.ico| I bet you do boo boo",
"makeapornsite.com \u2022 https://pornhighschool.com/ \u2022 https://ethnicerotic.com \u2022 https://twitter.com/Make",
"https://khmerpornvideo.signup0.y.id/",
"https://lordseriala.life/6337-zvezdnye-vojny-opornaja-komanda.html",
"https://clear.ml/infrastructure-control-plane",
"dev-app.project-cicada.com \u2022 http://dev-app.project-cicada.com \u2022 https://dev-app.project-cicada.com (2014 report predates 2016 reports)",
"https://amano.inboundtools.com/tpcontact URL https://armg.inboundtools.com/ URL https://gaiax.inboundtools.com/internship URL https://hmk.inboundtools.com/ URL https://hmk.inboundtools.com/form/assetview_siryo_sier",
"https://download.clear.ml/cpython_builds/releases/ \u2022 https://download.clear.",
"https://links.mail.samsara.com/s/c/P9R6gGlExR4nfCwqwJXUmr7NmKcMNde4ZBhCFprlVtsFNgh-4tuTWla0aXN9rIWCjrWtn0Vln7x-hexxVBlY3xxvnEevR8qJU5G5xV3__wo-X7kkpSOhJVfejac-Xk8qu6zs5Z-tILwWYRkNScZNGlAqfwQuJuRw5M-n_ZKI6tuY5XGCZAqWoQepi1NnJiW4wZJkzZlOwGtNkusbuKDcMsLVrrhji2eKh4kYgrJp_SeycJRhasLFCQ3c2bPu4sahEWpcHZrQBaxvdfQgTEno8kV-RJdTDO0zK5MyWDJLeds7mnaDrxlb0O2zmhebUdlHE0R0xHi25dympBUpMlLsQV8bx1WUTOfgK4k0ci9o_2Gbfe22-jLxsJN-msV6pxWYQMaxRNFd4iZRC9J9Z1SC5MBqbvNzqdt98kFdpibnv_QIHdhFyHOR_Ip_LX67Dncc8V8OvAi-H5phfeSyDzwdzf2FQIi82",
"https://voidpet.io/invite/scaredscared/1rpzxWXa61 \u2022 https://sex-doggy.net/tag/censored",
"Everyone has simply asked you alll to stop. Target never asked anyone for money.",
"Legal court documented agreement to allow and pay target to hire cyber investigators",
"Attacks are being carried out by The State of Colorado"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Japan",
"France",
"Ireland",
"Spain",
"Italy",
"Aruba",
"Australia",
"Denmark",
"United Kingdom of Great Britain and Northern Ireland",
"Germany",
"T\u00fcrkiye",
"Indonesia"
],
"malware_families": [
{
"id": "Win.Trojan.GravityRAT-6511862-0",
"display_name": "Win.Trojan.GravityRAT-6511862-0",
"target": null
},
{
"id": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat!rfn",
"display_name": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat!rfn",
"target": null
},
{
"id": "Unix.Trojan.Tsunami-6981155-0",
"display_name": "Unix.Trojan.Tsunami-6981155-0",
"target": null
},
{
"id": "TrojanDropper:Win32/Systex.A",
"display_name": "TrojanDropper:Win32/Systex.A",
"target": "/malware/TrojanDropper:Win32/Systex.A"
},
{
"id": "Win.Trojan.Tepfer-61",
"display_name": "Win.Trojan.Tepfer-61",
"target": null
},
{
"id": "TrojanDownloader:Win32/CutwailRansom:Win32/Crowti.A",
"display_name": "TrojanDownloader:Win32/CutwailRansom:Win32/Crowti.A",
"target": null
},
{
"id": "VirTool:Win32/VBInject.gen!MH",
"display_name": "VirTool:Win32/VBInject.gen!MH",
"target": "/malware/VirTool:Win32/VBInject.gen!MH"
},
{
"id": "ALF:NID:Susp_NSIS_Stub.A",
"display_name": "ALF:NID:Susp_NSIS_Stub.A",
"target": null
},
{
"id": "#LOWFI:HSTR:Criakl.B1",
"display_name": "#LOWFI:HSTR:Criakl.B1",
"target": null
},
{
"id": "Backdoor:Win32/Arwobot.B",
"display_name": "Backdoor:Win32/Arwobot.B",
"target": "/malware/Backdoor:Win32/Arwobot.B"
},
{
"id": "Win.Packed.Bandook-9882274-1",
"display_name": "Win.Packed.Bandook-9882274-1",
"target": null
},
{
"id": "TrojanDownloader:Win32/Cutwail",
"display_name": "TrojanDownloader:Win32/Cutwail",
"target": "/malware/TrojanDownloader:Win32/Cutwail"
},
{
"id": "Win.Downloader.Small-4507",
"display_name": "Win.Downloader.Small-4507",
"target": null
},
{
"id": "Trojan:Win32/Qbot.R!MTB",
"display_name": "Trojan:Win32/Qbot.R!MTB",
"target": "/malware/Trojan:Win32/Qbot.R!MTB"
},
{
"id": "Win.Malware.Mikey-9949492-0",
"display_name": "Win.Malware.Mikey-9949492-0",
"target": null
},
{
"id": "Ransom:Win32/Crowti.A",
"display_name": "Ransom:Win32/Crowti.A",
"target": "/malware/Ransom:Win32/Crowti.A"
},
{
"id": "Backdoor:Linux/DemonBot.Aa!MTB",
"display_name": "Backdoor:Linux/DemonBot.Aa!MTB",
"target": "/malware/Backdoor:Linux/DemonBot.Aa!MTB"
},
{
"id": "Unix.Trojan.Gafgyt-6981154-0",
"display_name": "Unix.Trojan.Gafgyt-6981154-0",
"target": null
},
{
"id": "DDOS:Linux/Gafgyt.YA!MTB",
"display_name": "DDOS:Linux/Gafgyt.YA!MTB",
"target": "/malware/DDOS:Linux/Gafgyt.YA!MTB"
},
{
"id": "CVE-2017-11882",
"display_name": "CVE-2017-11882",
"target": null
},
{
"id": "ALF:Exploit:O97M/CVE-2017-8977",
"display_name": "ALF:Exploit:O97M/CVE-2017-8977",
"target": null
},
{
"id": "Cycbot",
"display_name": "Cycbot",
"target": null
},
{
"id": "Win32:BotX-gen\\ [Trj]",
"display_name": "Win32:BotX-gen\\ [Trj]",
"target": null
},
{
"id": "NIDS",
"display_name": "NIDS",
"target": null
},
{
"id": "Mirai (ELF)",
"display_name": "Mirai (ELF)",
"target": null
},
{
"id": "Worm",
"display_name": "Worm",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1204.001",
"name": "Malicious Link",
"display_name": "T1204.001 - Malicious Link"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "TA0037",
"name": "Command and Control",
"display_name": "TA0037 - Command and Control"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1176",
"name": "Browser Extensions",
"display_name": "T1176 - Browser Extensions"
},
{
"id": "T1185",
"name": "Man in the Browser",
"display_name": "T1185 - Man in the Browser"
},
{
"id": "T1574.008",
"name": "Path Interception by Search Order Hijacking",
"display_name": "T1574.008 - Path Interception by Search Order Hijacking"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1593.002",
"name": "Search Engines",
"display_name": "T1593.002 - Search Engines"
}
],
"industries": [
"Insurance",
"Construction"
],
"TLP": "green",
"cloned_from": "693cdc5b8ebc10664439c2fb",
"export_count": 14,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 54118,
"domain": 11153,
"hostname": 18578,
"email": 21,
"FileHash-SHA256": 4905,
"FileHash-MD5": 548,
"FileHash-SHA1": 534,
"CVE": 7,
"SSLCertFingerprint": 20,
"CIDR": 1
},
"indicator_count": 89885,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 140,
"modified_text": "68 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "693cdc5b8ebc10664439c2fb",
"name": "Project Cicada-.Christopher \u201cBuzz\u201d Ahmann - Freeman Mathis & Gary for The State of Colorado",
"description": "State of Colorado attackers use DGA domains set up multiple Law Firms.. Christopher P. \u2019Buzz\u2019 Ahmann Is a legal consultant / attorney./ hacker \nWorks for the State of Colorado/ quasi. Is malicious and doesn\u2019t work alone. Continues to target \nState had relative contacted by a fake entity \u2018Goodness Health\u2019\nLeft vague VM for relative message \u201cWe work on the Medicare side of things.\u201d and? \nSocial engineering call , malicious domain. The State of Colorado has been on a relentless pursuit against target. Fully compromised targets relatives brand new phone. Hacked target since 10/2013.\nMultiple cyber and physical attacks carried out against target and family members.. There are attacks make to look like accidents or malfunctions. This harmful, silencing behavior is somehow illegal for anyone else.",
"modified": "2026-02-10T06:05:39.764000",
"created": "2025-12-13T03:24:11.414000",
"tags": [
"colorado state",
"freeman mathis",
"history",
"cyber risk",
"aspen insureds",
"gaig insureds",
"landy insureds",
"nip group",
"purm insureds",
"overview core",
"united",
"ip address",
"present nov",
"present may",
"moved",
"encrypt",
"unknown",
"backdoor",
"passive dns",
"ransom",
"checkin",
"trojandropper",
"mtb nov",
"twitter",
"trojan",
"data upload",
"extraction",
"failed",
"united states",
"server response",
"google safe",
"results may",
"lowfi",
"virtool",
"mtb alf",
"mh alf",
"port",
"windows nt",
"destination",
"msie",
"khtml",
"gecko",
"unknown aaaa",
"a domains",
"meta",
"for privacy",
"cop supply",
"urls",
"as139646 hong",
"hostname",
"files",
"hong kong",
"domain add",
"ip related",
"hash avast",
"avg clamav",
"msdefender may",
"ddos",
"as13335",
"ipv4",
"certificate",
"hostname add",
"url analysis",
"files ip",
"name strings",
"category",
"united states",
"pulse indicator",
"address",
"error",
"null",
"object",
"string",
"number",
"google maps",
"promise",
"javascript api",
"dataset",
"bigint",
"dark",
"android",
"infinity",
"internal",
"roboto",
"trident",
"void",
"small",
"lightrail",
"false",
"span",
"close",
"light",
"hybrid",
"embed",
"iframe",
"keygen",
"this",
"february",
"bounce",
"drop",
"inside",
"outside",
"marker",
"present dec",
"pulses otx",
"aaaa",
"asnone country",
"record value",
"title",
"pulse pulses",
"pulses",
"showing",
"unknown cname",
"unknown soa",
"next associated",
"ipv4 add",
"cycbot",
"extract indic",
"sneaker bots",
"proxies data",
"script script",
"adult content",
"nextimage",
"porn site",
"div div",
"platform make",
"cloudfront x",
"hio52 p3",
"unknown ns",
"pulse submit",
"title error",
"reverse dns",
"status",
"servers",
"name servers",
"vashti hostname",
"scan endpoints",
"url http",
"http",
"files domain",
"files related",
"pulses none",
"dnssec",
"sec ch",
"ch ua",
"ua full",
"ua platform",
"ua bitness",
"ua arch",
"version sec",
"mobile sec",
"model sec",
"version list",
"domain",
"emails",
"cookie",
"url https",
"show",
"filehash",
"urls show",
"date checked",
"url hostname",
"results nov",
"win32",
"type",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"ssl certificate",
"defense evasion",
"spawns",
"flag",
"llc name",
"server",
"markmonitor",
"name server",
"windir",
"openurl c",
"prefetch2",
"show technique",
"mitre att",
"ck matrix",
"pattern match",
"ascii text",
"sha1",
"href",
"show process",
"file",
"general",
"local",
"path",
"germany unknown",
"date",
"registrar",
"ip whois",
"dynamicloader",
"high",
"medium",
"search",
"displayname",
"tofsee",
"win64",
"write",
"stream",
"malware",
"push",
"entries",
"tls handshake",
"failure",
"forbidden",
"tlsv1",
"april",
"next",
"write c",
"intel",
"ms windows",
"sha1 add",
"av detections",
"ids detections",
"yara detections",
"alerts",
"analysis date",
"file score",
"sha256 add",
"present jun",
"present mar",
"medelln",
"colombia asn",
"dns resolutions",
"address domain",
"related tags",
"none google",
"safe browsing",
"external",
"present sep",
"present aug",
"as54113",
"present jul",
"as8068",
"gmt content",
"total",
"read",
"delete",
"top source",
"quasi",
"murderers",
"christopher ahmann",
"buzz ahmann",
"wow64",
"slcc2",
"media center",
"labor",
"employment",
"cdle",
"dowc",
"colorado",
"workers",
"coloradoif",
"independent",
"state",
"company",
"entity type",
"authorized line",
"analysis",
"tor analysis",
"process details",
"network traffic",
"t1071",
"potential ip",
"click",
"found",
"t1480 execution",
"bad traffic",
"et info",
"ck techniques",
"evasion att",
"t1057",
"refresh",
"body",
"strings",
"tools",
"look",
"verify",
"restart",
"cname",
"form",
"pulse",
"script domains",
"script urls",
"administrator",
"services llc",
"dns admin",
"domain admin",
"global llc",
"domain manager",
"computer system",
"ltd domain",
"network",
"alibaba",
"facebook",
"phishme",
"sogou",
"present jan",
"present feb",
"present oct"
],
"references": [
"https://www.fmglaw.com/lawyers/christopher-ahmann - found in adult content pulse.",
"Sneaker Bots Proxies Servers Cook Groups Cop Supply",
"archive.cop.supply \u2022 dev.cop.supply \u2022 https://cop.supply/ \u2022 https://cop.supply/bot-lists/",
"https://cop.supply/supreme-bots/\u2022 https://cop.supply/useful-tools/",
"https://cop.supply/proxies-lists/ \u2022 https://cop.supply/shopify-bots/",
"dns.army \u2022 www.dcopr.dns.army \u2022 www.glsyaiwjj.dns.army \u2022 www.wgmvk.dns.army",
"https://maps.googleapis.com/maps/api/js?sensor=false",
"cell-0.af-south-1.prod.telemetry.console.api.aws",
"howtoworkacrickoutofyourneck2.pages.dev",
"firebase-auth-eich0v.pages.dev",
"http://ianswertomom.com/develop-wise-woman-within-yourself",
"http://ianswertomom.com/bible-verses-struggling-contentment-mom/ I",
"https://i-want-to-start-an-onlyfans.pages.dev/favicon.ico| I bet you do boo boo",
"makeapornsite.com \u2022 https://pornhighschool.com/ \u2022 https://ethnicerotic.com \u2022 https://twitter.com/Make",
"https://khmerpornvideo.signup0.y.id/",
"https://lordseriala.life/6337-zvezdnye-vojny-opornaja-komanda.html",
"https://clear.ml/infrastructure-control-plane",
"dev-app.project-cicada.com \u2022 http://dev-app.project-cicada.com \u2022 https://dev-app.project-cicada.com (2014 report predates 2016 reports)",
"https://amano.inboundtools.com/tpcontact URL https://armg.inboundtools.com/ URL https://gaiax.inboundtools.com/internship URL https://hmk.inboundtools.com/ URL https://hmk.inboundtools.com/form/assetview_siryo_sier",
"https://download.clear.ml/cpython_builds/releases/ \u2022 https://download.clear.",
"https://links.mail.samsara.com/s/c/P9R6gGlExR4nfCwqwJXUmr7NmKcMNde4ZBhCFprlVtsFNgh-4tuTWla0aXN9rIWCjrWtn0Vln7x-hexxVBlY3xxvnEevR8qJU5G5xV3__wo-X7kkpSOhJVfejac-Xk8qu6zs5Z-tILwWYRkNScZNGlAqfwQuJuRw5M-n_ZKI6tuY5XGCZAqWoQepi1NnJiW4wZJkzZlOwGtNkusbuKDcMsLVrrhji2eKh4kYgrJp_SeycJRhasLFCQ3c2bPu4sahEWpcHZrQBaxvdfQgTEno8kV-RJdTDO0zK5MyWDJLeds7mnaDrxlb0O2zmhebUdlHE0R0xHi25dympBUpMlLsQV8bx1WUTOfgK4k0ci9o_2Gbfe22-jLxsJN-msV6pxWYQMaxRNFd4iZRC9J9Z1SC5MBqbvNzqdt98kFdpibnv_QIHdhFyHOR_Ip_LX67Dncc8V8OvAi-H5phfeSyDzwdzf2FQIi82",
"https://voidpet.io/invite/scaredscared/1rpzxWXa61 \u2022 https://sex-doggy.net/tag/censored",
"Everyone has simply asked you alll to stop. Target never asked anyone for money.",
"Legal court documented agreement to allow and pay target to hire cyber investigators",
"Attacks are being carried out by The State of Colorado"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Japan",
"France",
"Ireland",
"Spain",
"Italy",
"Aruba",
"Australia",
"Denmark",
"United Kingdom of Great Britain and Northern Ireland",
"Germany",
"T\u00fcrkiye",
"Indonesia"
],
"malware_families": [
{
"id": "Win.Trojan.GravityRAT-6511862-0",
"display_name": "Win.Trojan.GravityRAT-6511862-0",
"target": null
},
{
"id": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat!rfn",
"display_name": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat!rfn",
"target": null
},
{
"id": "Unix.Trojan.Tsunami-6981155-0",
"display_name": "Unix.Trojan.Tsunami-6981155-0",
"target": null
},
{
"id": "TrojanDropper:Win32/Systex.A",
"display_name": "TrojanDropper:Win32/Systex.A",
"target": "/malware/TrojanDropper:Win32/Systex.A"
},
{
"id": "Win.Trojan.Tepfer-61",
"display_name": "Win.Trojan.Tepfer-61",
"target": null
},
{
"id": "TrojanDownloader:Win32/CutwailRansom:Win32/Crowti.A",
"display_name": "TrojanDownloader:Win32/CutwailRansom:Win32/Crowti.A",
"target": null
},
{
"id": "VirTool:Win32/VBInject.gen!MH",
"display_name": "VirTool:Win32/VBInject.gen!MH",
"target": "/malware/VirTool:Win32/VBInject.gen!MH"
},
{
"id": "ALF:NID:Susp_NSIS_Stub.A",
"display_name": "ALF:NID:Susp_NSIS_Stub.A",
"target": null
},
{
"id": "#LOWFI:HSTR:Criakl.B1",
"display_name": "#LOWFI:HSTR:Criakl.B1",
"target": null
},
{
"id": "Backdoor:Win32/Arwobot.B",
"display_name": "Backdoor:Win32/Arwobot.B",
"target": "/malware/Backdoor:Win32/Arwobot.B"
},
{
"id": "Win.Packed.Bandook-9882274-1",
"display_name": "Win.Packed.Bandook-9882274-1",
"target": null
},
{
"id": "TrojanDownloader:Win32/Cutwail",
"display_name": "TrojanDownloader:Win32/Cutwail",
"target": "/malware/TrojanDownloader:Win32/Cutwail"
},
{
"id": "Win.Downloader.Small-4507",
"display_name": "Win.Downloader.Small-4507",
"target": null
},
{
"id": "Trojan:Win32/Qbot.R!MTB",
"display_name": "Trojan:Win32/Qbot.R!MTB",
"target": "/malware/Trojan:Win32/Qbot.R!MTB"
},
{
"id": "Win.Malware.Mikey-9949492-0",
"display_name": "Win.Malware.Mikey-9949492-0",
"target": null
},
{
"id": "Ransom:Win32/Crowti.A",
"display_name": "Ransom:Win32/Crowti.A",
"target": "/malware/Ransom:Win32/Crowti.A"
},
{
"id": "Backdoor:Linux/DemonBot.Aa!MTB",
"display_name": "Backdoor:Linux/DemonBot.Aa!MTB",
"target": "/malware/Backdoor:Linux/DemonBot.Aa!MTB"
},
{
"id": "Unix.Trojan.Gafgyt-6981154-0",
"display_name": "Unix.Trojan.Gafgyt-6981154-0",
"target": null
},
{
"id": "DDOS:Linux/Gafgyt.YA!MTB",
"display_name": "DDOS:Linux/Gafgyt.YA!MTB",
"target": "/malware/DDOS:Linux/Gafgyt.YA!MTB"
},
{
"id": "CVE-2017-11882",
"display_name": "CVE-2017-11882",
"target": null
},
{
"id": "ALF:Exploit:O97M/CVE-2017-8977",
"display_name": "ALF:Exploit:O97M/CVE-2017-8977",
"target": null
},
{
"id": "Cycbot",
"display_name": "Cycbot",
"target": null
},
{
"id": "Win32:BotX-gen\\ [Trj]",
"display_name": "Win32:BotX-gen\\ [Trj]",
"target": null
},
{
"id": "NIDS",
"display_name": "NIDS",
"target": null
},
{
"id": "Mirai (ELF)",
"display_name": "Mirai (ELF)",
"target": null
},
{
"id": "Worm",
"display_name": "Worm",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1204.001",
"name": "Malicious Link",
"display_name": "T1204.001 - Malicious Link"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1155",
"name": "AppleScript",
"display_name": "T1155 - AppleScript"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1210",
"name": "Exploitation of Remote Services",
"display_name": "T1210 - Exploitation of Remote Services"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "TA0037",
"name": "Command and Control",
"display_name": "TA0037 - Command and Control"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
},
{
"id": "T1176",
"name": "Browser Extensions",
"display_name": "T1176 - Browser Extensions"
},
{
"id": "T1185",
"name": "Man in the Browser",
"display_name": "T1185 - Man in the Browser"
},
{
"id": "T1574.008",
"name": "Path Interception by Search Order Hijacking",
"display_name": "T1574.008 - Path Interception by Search Order Hijacking"
},
{
"id": "T1410",
"name": "Network Traffic Capture or Redirection",
"display_name": "T1410 - Network Traffic Capture or Redirection"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
},
{
"id": "T1593.002",
"name": "Search Engines",
"display_name": "T1593.002 - Search Engines"
}
],
"industries": [
"Insurance",
"Construction"
],
"TLP": "green",
"cloned_from": null,
"export_count": 8,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 54118,
"domain": 11153,
"hostname": 18578,
"email": 21,
"FileHash-SHA256": 4905,
"FileHash-MD5": 548,
"FileHash-SHA1": 534,
"CVE": 7,
"SSLCertFingerprint": 20,
"CIDR": 1
},
"indicator_count": 89885,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 141,
"modified_text": "68 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68c954a80675ccc89b0e9b63",
"name": "Trump #45470 | Palantir container | virus:DOS/Hellspawn + ioS (compromised)",
"description": "Overt. Trump support campaign text message from #45470. Malicious. Received on a victims hyper compromised iPhone. Attempts to or did take CnC of device. Stutters device, changed App Store , has delete service, device sweep, shuts down service , halts all pages, denial of service, throttles service, steals\npasswords, bots , I don\u2019t know if device can be refurbished or research purposes - Palantir DC DGA domains - Trump. Multiple IoC\u2019s , malware with code overlap, it appears to be from a legitimate text for updates #. Visibly affected all aspects of device and software. Commands device shut down. \n[OTX populated: Failed to retrieve suggested indicator for beta-ui, according to the latest results from the Welsh Government's Office for National Statistics (ONS) and the National Data Centre (NDS))",
"modified": "2025-10-16T12:03:14.279000",
"created": "2025-09-16T12:14:32.327000",
"tags": [
"ttl value",
"extraction",
"data upload",
"failed",
"extra data",
"include review",
"exclude sugges",
"stop",
"line",
"path",
"polyline",
"getprocaddress",
"circle",
"span",
"ck id",
"mitre att",
"ck matrix",
"null",
"error",
"open",
"spinner",
"title",
"code",
"iframe",
"window",
"void",
"infinity",
"crypto",
"footer",
"generator",
"general",
"format",
"click",
"strings",
"meta",
"install",
"encoder",
"learn",
"command",
"name tactics",
"suspicious",
"informative",
"spawns",
"evasion att",
"t1480 execution",
"file defense",
"adversaries",
"calls",
"reads",
"defense evasion",
"model",
"server",
"registrar abuse",
"ascio",
"contact phone",
"admin city",
"admin country",
"admin postal",
"dnssec",
"http",
"ip address",
"passive dns",
"related nids",
"urls",
"files location",
"united",
"flag united",
"a domains",
"search",
"unknown aaaa",
"certificate",
"yara detections",
"av detections",
"ids detections",
"alerts",
"entries elf",
"filehash",
"name servers",
"servers",
"moved",
"script script",
"aaaa",
"unknown ns",
"domain add",
"formbook cnc",
"checkin",
"lowfi",
"mtb jun",
"github pages",
"twitter",
"accept",
"cryptobit",
"extra",
"referen data",
"trojanproxy",
"dynamicloader",
"high",
"write c",
"medium",
"intel",
"ms windows",
"entries",
"pe32",
"explorer",
"worm",
"write",
"next",
"trojan",
"hellspawn",
"md5 add",
"malware",
"data",
"included iocs",
"script urls",
"script domains",
"gmt content",
"cash amtincart",
"expirestue",
"domain related",
"sea x",
"accept encoding",
"request id",
"body doctype",
"apache",
"encrypt",
"skynet",
"third eye tv",
"calling",
"delete app",
"potus",
"mtb aug",
"backdoor",
"gmt cache",
"sameorigin",
"443 ma2592000",
"ipv4 add",
"utilads",
"trojandropper",
"mtb sep",
"win32upatre aug",
"yara rule",
"as15169",
"guard",
"smartassembly",
"associated urls",
"date checked",
"url hostname",
"server response",
"domain",
"url analysis",
"files",
"date",
"delete service",
"45470",
"text",
"hybrid",
"present sep",
"body",
"fastly error",
"please",
"xor xor",
"sha256 add",
"analysis date",
"file score",
"detections alf",
"june",
"delphi",
"attempts",
"yara",
"high security",
"file type",
"pe packer",
"ransom"
],
"references": [
"skynet-dev.tcxn.net tcxn.net Registrar Ascio Technologies, Inc - connection to cloud proxy",
"TrojanProxy:Win32/Malynfits CodeOverlap TrojanSpy:Win32/Nivdort CodeOverlap virus:Win32/Lywer CodeOverlap",
"https://cryptobit.live/build/assets/app-CkRYqsKL.js \u2022 cryptobit.live \u2022 t.page \u2022 cdn.wallets.cryptobit.live",
"Trump Support campaign \u2022_\u2022 lantana-mgmt.washington.palantircloud.com \u2022 containers-reishi.palantirfedstart.com",
"Virus:DOS/Hellspawn 192.168.122.49 10/16/25\t\u2022 IPv4 142.251.9.105",
"IDS Detections: Win32/Enosch.A gtalk connectivity check | W32/MoonLight.worm User-Agent (HellSpawn)",
"PWS:Win32/Ymacco.AA50 Win.Trojan.Generic-9959068-0\t SLF:MSIL/PSTAnomaly.A Win.Dropper.Shakblades-7614016-0\t#LowFI:VBExpensiveLoop Win.Packed.Barys-10031677-0\tTEL:Trojan:MSIL/AgentTesla.VPA!MTB Win.Trojan. Backdoor:MSIL/Remcos!MTB",
"hasownproperty.call \u2022 fireeye.grhd.",
"Apple Store verified drop down breach \u2018Apple took a screenshot of pages\u201d"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "TrojanSpy:Win32/Nivdort",
"display_name": "TrojanSpy:Win32/Nivdort",
"target": "/malware/TrojanSpy:Win32/Nivdort"
},
{
"id": "TrojanProxy:Win32/Malynfits",
"display_name": "TrojanProxy:Win32/Malynfits",
"target": "/malware/TrojanProxy:Win32/Malynfits"
},
{
"id": "Virus:Win32/Lywer",
"display_name": "Virus:Win32/Lywer",
"target": "/malware/Virus:Win32/Lywer"
},
{
"id": "Worm:Win32/Lightmoon.H",
"display_name": "Worm:Win32/Lightmoon.H",
"target": "/malware/Worm:Win32/Lightmoon.H"
},
{
"id": "Virus:DOS/Hellspawn",
"display_name": "Virus:DOS/Hellspawn",
"target": "/malware/Virus:DOS/Hellspawn"
},
{
"id": "Win.Trojan.Dialer-266",
"display_name": "Win.Trojan.Dialer-266",
"target": null
},
{
"id": "AgentTesla",
"display_name": "AgentTesla",
"target": null
},
{
"id": "Backdoor:MSIL/Remcos",
"display_name": "Backdoor:MSIL/Remcos",
"target": "/malware/Backdoor:MSIL/Remcos"
},
{
"id": "ALF:JASYP:Trojan:Win32/IRCbot!atmn",
"display_name": "ALF:JASYP:Trojan:Win32/IRCbot!atmn",
"target": null
},
{
"id": "Trojandropper:Win32/Muldrop.V!MTB",
"display_name": "Trojandropper:Win32/Muldrop.V!MTB",
"target": "/malware/Trojandropper:Win32/Muldrop.V!MTB"
},
{
"id": "#LowFI:VBExpensiveLoop",
"display_name": "#LowFI:VBExpensiveLoop",
"target": null
},
{
"id": "TEL:Trojan:MSIL/AgentTesla.VPA!MTB",
"display_name": "TEL:Trojan:MSIL/AgentTesla.VPA!MTB",
"target": null
},
{
"id": "PWS:Win32/VB.CU",
"display_name": "PWS:Win32/VB.CU",
"target": "/malware/PWS:Win32/VB.CU"
},
{
"id": "ALF:Ransom:Win32/Babax.SG!MTB",
"display_name": "ALF:Ransom:Win32/Babax.SG!MTB",
"target": null
}
],
"attack_ids": [
{
"id": "T1007",
"name": "System Service Discovery",
"display_name": "T1007 - System Service Discovery"
},
{
"id": "T1010",
"name": "Application Window Discovery",
"display_name": "T1010 - Application Window Discovery"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1033",
"name": "System Owner/User Discovery",
"display_name": "T1033 - System Owner/User Discovery"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1102",
"name": "Web Service",
"display_name": "T1102 - Web Service"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1489",
"name": "Service Stop",
"display_name": "T1489 - Service Stop"
},
{
"id": "T1546",
"name": "Event Triggered Execution",
"display_name": "T1546 - Event Triggered Execution"
},
{
"id": "T1555",
"name": "Credentials from Password Stores",
"display_name": "T1555 - Credentials from Password Stores"
},
{
"id": "T1564",
"name": "Hide Artifacts",
"display_name": "T1564 - Hide Artifacts"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1614",
"name": "System Location Discovery",
"display_name": "T1614 - System Location Discovery"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
},
{
"id": "T1090",
"name": "Proxy",
"display_name": "T1090 - Proxy"
},
{
"id": "T1547",
"name": "Boot or Logon Autostart Execution",
"display_name": "T1547 - Boot or Logon Autostart Execution"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 10,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 690,
"URL": 1479,
"domain": 476,
"FileHash-MD5": 526,
"FileHash-SHA1": 505,
"FileHash-SHA256": 1509,
"email": 6
},
"indicator_count": 5191,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 138,
"modified_text": "185 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6892e73b32af18aa302df0dc",
"name": "Part 1.5",
"description": "Dark web media \u2022 Political news \u2022 Malvertizing\nlocate \u2022\ntrack [stalk] \u2022 record calls \u2022 control media [youtube , etc] http://t.name?n[++i]=e:this.removeEventListener\t\t\nJeeng &\nPowebox [ accidentally left out in original post pulse]",
"modified": "2025-09-05T04:03:06.929000",
"created": "2025-08-06T05:25:15.369000",
"tags": [
"chromeua",
"optout",
"object",
"path",
"value",
"access type",
"setval",
"windir",
"localappdata",
"null",
"win64",
"error",
"generator",
"close",
"roboto",
"date",
"format",
"light",
"span",
"template",
"void",
"android",
"body",
"trident",
"mexico",
"sonic",
"black",
"critical",
"desktop",
"dark",
"meta",
"this",
"june",
"hybrid",
"apache",
"write",
"crypto",
"autodetect",
"face",
"courier",
"gigi",
"impact",
"shadow",
"click",
"strings",
"cray",
"smwg",
"eret",
"footer",
"infinity",
"window",
"canvas",
"legend",
"nuke",
"lion",
"4629",
"ahav",
"olsa",
"false",
"learn",
"command",
"ck id",
"name tactics",
"suspicious",
"informative",
"spawns",
"defense evasion",
"t1480 execution",
"file defense",
"copy md5",
"copy sha1",
"copy sha256",
"sha1",
"sha256",
"script",
"mitre att",
"pattern match",
"show technique",
"iframe",
"refresh",
"august",
"general",
"local",
"tools",
"demo",
"look",
"verify",
"restart",
"url http",
"small",
"pulses url",
"tellyoun",
"showing",
"entries",
"url https",
"indicator role",
"title added",
"active related",
"type indicator",
"role title",
"added active",
"related pulses",
"cc08",
"f06a6b",
"sfurl",
"filehashsha256",
"types",
"indicators show",
"search",
"pulses",
"filehashsha1",
"adversaries",
"found",
"webp image",
"ascii text",
"riff",
"size",
"encrypt",
"legacy",
"filehashmd5",
"united",
"flag",
"server",
"markmonitor",
"name server",
"llc name",
"overview dns",
"requests domain",
"country",
"win32",
"av detections",
"ids detections",
"yara detections",
"alerts",
"analysis date",
"file score",
"medium risk",
"yara",
"detections",
"malware",
"copy",
"show",
"icmp traffic",
"packing t1045",
"t1045",
"pdb path",
"pe resource",
"extraction",
"data upload",
"enter sc",
"type",
"extra data",
"please",
"failed",
"review",
"exclude data",
"included review",
"ic data",
"suggeste",
"stop",
"type onow",
"domain",
"passive dns",
"urls",
"files related",
"pulses none",
"related tags",
"none google",
"safe browsing",
"sc data",
"extr amanuav",
"review included",
"manualy",
"sugges excluded",
"filehash",
"md5 add",
"pulse pulses",
"url add",
"http",
"hostname",
"files domain",
"pulses otx",
"virustotal",
"hsmi192547107",
"pulses hostname",
"r dec",
"customer dec",
"iski dec",
"decision dec",
"va dec",
"bitcoin",
"bitcoin dec",
"petra",
"torstatus dec",
"paul dec",
"sodesc",
"planet dec",
"emilia",
"heroin dec",
"difference dec",
"palantir dec",
"loraxlive dec",
"chaturbate dec",
"sandra",
"free dec",
"marvel dec",
"benjis dec",
"fresh dec",
"sodesc dec",
"srdirport",
"srhostname",
"link dec",
"types of",
"italy",
"china",
"australia",
"france",
"turkey",
"discovery",
"information",
"ck ids",
"t1005",
"local system",
"t1007",
"system service",
"part",
"track",
"locate",
"political",
"civil society",
"news",
"created",
"hours ago",
"report spam",
"t1555",
"password",
"t1560",
"collected data",
"t1573",
"channel",
"t1574",
"execution flow",
"scan",
"iocs",
"t1497",
"u0lhmq",
"mtawmq",
"t1480",
"guardrails",
"t1486",
"data encrypted",
"learn more",
"unsubscribe aug",
"protocol",
"t1074",
"staged",
"t1083",
"t1102",
"web service",
"t1105",
"tool transfer",
"t1140",
"data engineer",
"candidate",
"tlsv1",
"odigicert inc",
"stcalifornia",
"lsan jose",
"oadobe systems",
"incorporated",
"cndigicert sha2",
"push",
"next",
"high",
"write c",
"ireland as16509",
"delete",
"dirty",
"tags",
"t1012",
"flow endpoint",
"security scan",
"t1106",
"copyright",
"levelblue"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1005",
"name": "Data from Local System",
"display_name": "T1005 - Data from Local System"
},
{
"id": "T1007",
"name": "System Service Discovery",
"display_name": "T1007 - System Service Discovery"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1033",
"name": "System Owner/User Discovery",
"display_name": "T1033 - System Owner/User Discovery"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1074",
"name": "Data Staged",
"display_name": "T1074 - Data Staged"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1102",
"name": "Web Service",
"display_name": "T1102 - Web Service"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1120",
"name": "Peripheral Device Discovery",
"display_name": "T1120 - Peripheral Device Discovery"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1486",
"name": "Data Encrypted for Impact",
"display_name": "T1486 - Data Encrypted for Impact"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1555",
"name": "Credentials from Password Stores",
"display_name": "T1555 - Credentials from Password Stores"
},
{
"id": "T1560",
"name": "Archive Collected Data",
"display_name": "T1560 - Archive Collected Data"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1041",
"name": "Exfiltration Over C2 Channel",
"display_name": "T1041 - Exfiltration Over C2 Channel"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1063",
"name": "Security Software Discovery",
"display_name": "T1063 - Security Software Discovery"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 18,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 608,
"FileHash-SHA1": 433,
"FileHash-SHA256": 3663,
"URL": 17104,
"domain": 1316,
"email": 39,
"hostname": 4208,
"SSLCertFingerprint": 17
},
"indicator_count": 27388,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "226 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6892a73593f73dfc969779b0",
"name": "Part I | Track | Locate | Political & Civil society \u2018news\u2019 campaigns",
"description": "Part I | Track | Locate | Political & Civil society \u2018news\u2019 campaigns\n*[ddddd.msg]\n[http://tracking.eu1.glintinc.com]\n[stormer5v52vjsw66jmds7ndeecudq444woadhzr2plxlaayexnh6eqd]\n[stackstorm.ops.dev.az.glintinc.com]\n\u2022 http://stormer5v52vjsw66jmds7ndeecudq444woadhzr2plxlaayexnh6eqd.onion/peter-thiel-running-database-to-root-out-those-disloyal-to-the-leader/\\n \u2022\n[http://pixelrz.com/lists/keywords/tsara-brashears-assaulted-at-concentra/360]\n[http://pixelrz.com/lists/keywords/tsara-brashears-dead/360]",
"modified": "2025-09-05T00:03:23.223000",
"created": "2025-08-06T00:52:05.051000",
"tags": [
"url http",
"small",
"indicator role",
"title added",
"active related",
"pulses hostname",
"tellyoun",
"n aug",
"entries",
"data upload",
"extraction",
"windows error",
"june",
"fwd urgent",
"justice czech",
"copy sha256",
"rejectedfailed",
"timestamp input",
"message status",
"actions august",
"file",
"actions june",
"actions may",
"cta4 https",
"context related",
"associated urls",
"campaigncodedsc",
"language",
"uid http",
"community",
"sha256",
"size42b type",
"submitted",
"august",
"april",
"internal error",
"previous1",
"iframe",
"community score",
"scan analysis",
"malicious",
"intelligence",
"learn",
"falcon sandbox",
"submissions",
"status",
"adversaries",
"ck id",
"name tactics",
"suspicious",
"informative",
"defense evasion",
"windows folder",
"found",
"dlls",
"impact",
"chromeua",
"optout",
"object",
"path",
"value",
"access type",
"setval",
"windir",
"localappdata",
"null",
"win64",
"error",
"generator",
"close",
"roboto",
"date",
"format",
"light",
"span",
"template",
"void",
"android",
"body",
"trident",
"mexico",
"sonic",
"black",
"critical",
"desktop",
"dark",
"meta",
"this",
"hybrid",
"apache",
"write",
"crypto",
"autodetect",
"face",
"courier",
"gigi",
"shadow",
"click",
"strings",
"cray",
"smwg",
"eret",
"footer",
"infinity",
"window",
"canvas",
"legend",
"nuke",
"lion",
"4629",
"ahav",
"olsa",
"false"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1005",
"name": "Data from Local System",
"display_name": "T1005 - Data from Local System"
},
{
"id": "T1007",
"name": "System Service Discovery",
"display_name": "T1007 - System Service Discovery"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1018",
"name": "Remote System Discovery",
"display_name": "T1018 - Remote System Discovery"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1033",
"name": "System Owner/User Discovery",
"display_name": "T1033 - System Owner/User Discovery"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1041",
"name": "Exfiltration Over C2 Channel",
"display_name": "T1041 - Exfiltration Over C2 Channel"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1074",
"name": "Data Staged",
"display_name": "T1074 - Data Staged"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1102",
"name": "Web Service",
"display_name": "T1102 - Web Service"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1120",
"name": "Peripheral Device Discovery",
"display_name": "T1120 - Peripheral Device Discovery"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1486",
"name": "Data Encrypted for Impact",
"display_name": "T1486 - Data Encrypted for Impact"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1555",
"name": "Credentials from Password Stores",
"display_name": "T1555 - Credentials from Password Stores"
},
{
"id": "T1560",
"name": "Archive Collected Data",
"display_name": "T1560 - Archive Collected Data"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 9,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 9062,
"domain": 707,
"hostname": 2318,
"FileHash-MD5": 86,
"FileHash-SHA1": 26,
"FileHash-SHA256": 2096,
"email": 5,
"FilePath": 2,
"URI": 1
},
"indicator_count": 14303,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "226 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "684c65464466dd19b089f325",
"name": "Zesp\u00f3\u0142 Profilaktyki i Rehabilitacji w Janowicach Wielkich - YouTube",
"description": "If d=void 0===c,w(\"trustedResourceUrl\",d: \"Trusted resourceUrl,\" thend=c.src,d, c.js, then d:",
"modified": "2025-06-13T17:56:28.689000",
"created": "2025-06-13T17:52:06.399000",
"tags": [
"rehabilitacji w",
"youtube tv",
"dami jelenia",
"tv dami",
"jelenia gra",
"zakupy wycz",
"jeli",
"nie korzystasz",
"filmy",
"aby tego",
"copyright",
"closure library",
"argument",
"ifunction",
"error",
"null",
"type",
"cast",
"webchannel",
"su2028u2029",
"chrome",
"xmlhttp",
"kkvoid",
"remotecontrol",
"android",
"unknown",
"screen",
"desktop",
"function",
"string",
"array",
"number",
"vfunction",
"f8192",
"n432",
"true",
"j2048",
"this",
"window",
"void",
"date",
"pokau017c",
"pytfunction",
"fe8function",
"qgzfunction",
"afunction",
"hb28",
"r150",
"promise",
"bigint",
"post",
"edge",
"swhealthlog",
"symbol",
"trident",
"infinity",
"embed",
"webkitkeyframes",
"zoomin",
"zoominx",
"zoomoutx",
"zoominy",
"zoomouty",
"2000px",
"90deg",
"20px",
"30deg",
"30px",
"10px",
"10deg",
"3deg",
"5deg",
"djmegamenu",
"use license",
"tabindex",
"menu",
"close",
"msie",
"beforechange",
"imagehassize",
"buildcontrols",
"magnific popup",
"dmitry semenov",
"http",
"beforeclose",
"afterclose",
"open",
"next",
"open source",
"bsd license",
"george mcginley",
"smith",
"djimageslider",
"subpackage",
"webkit",
"khtml",
"icab",
"countto",
"callback",
"handler",
"object",
"typeof",
"method",
"gnugplv2",
"website",
"set module",
"height script",
"regexp",
"screenheight",
"highcontrast2",
"highcontrast3",
"highcontrast",
"wide",
"night",
"body",
"normalbutton",
"cookie plugin",
"https",
"klaus hartl",
"mit license",
"register",
"nodecommonjs",
"factory",
"jquery",
"write",
"sticky bar",
"stickybar",
"count",
"offcanvas",
"html",
"noscroll",
"offcanvas var",
"toggle nav",
"click jquery",
"ajax",
"autocomplete",
"tomas kirda",
"typeof define",
"esc27",
"tab9",
"return13",
"left37",
"up38",
"twitter",
"custom version",
"joomla",
"rolemenu",
"boolean",
"get adobe",
"flash player",
"title",
"text",
"typeof data",
"typeof s",
"accept",
"width",
"foundation",
"backspace8",
"comma188",
"delete46",
"down40",
"end35",
"enter13",
"escape27",
"value",
"migrate",
"backcompat",
"quirks mode",
"typeof f",
"xtablet768",
"document",
"ui sortable",
"leftright",
"gnu general",
"public license",
"dddddd",
"ffffcc",
"eeeeee",
"verdana",
"geneva",
"arial",
"helvetica",
"f0f0f0",
"sans",
"charset",
"utf8",
"fontawesome",
"typeof b",
"pseudo",
"child",
"sufeffxa0",
"class",
"attr",
"general slider",
"slide",
"rgba",
"navigation",
"15deg",
"300px",
"20deg",
"transition",
"scale",
"baskerville",
"main image",
"bdbdbd",
"f3f3f3",
"remove",
"fontface",
"woff2",
"u0131",
"u01520153",
"u02bb02bc",
"u02c6",
"u02da",
"u02dc",
"u0304",
"dirrtl",
"msviewport",
"href",
"span",
"legend",
"halflings",
"fieldset",
"typeimage",
"f2f2f2",
"d9edf7",
"dff0d8",
"f2dede",
"thead",
"tbody",
"tahoma",
"00a0",
"video",
"script",
"2500",
"xnew ita",
"dnew jta",
"dataset",
"orfunction",
"prfunction",
"nsafunction",
"xsafunction",
"vrfunction",
"cakes",
"ovbfunction",
"pvbfunction",
"rvbfunction",
"qvbfunction",
"tvbfunction",
"uvbfunction",
"vvbclass",
"xvbclass",
"yvbclass",
"svbclass",
"lvafunction",
"ggfunction",
"mvafunction",
"ovafunction",
"pvafunction",
"uvafunction",
"tvafunction",
"qvafunction",
"vvafunction",
"nvaclass",
"dark",
"vector",
"yy49",
"raster",
"roboto",
"new tk",
"qael",
"przechyl",
"mars",
"mercury",
"venus",
"pluto",
"titan",
"weakset",
"wfclass",
"googlelayer",
"uint8array",
"weakmap",
"5001",
"mouseevent",
"webassembly",
"180180",
"9090",
"google maps",
"javascript api",
"internal",
"small",
"lightrail",
"false",
"february",
"light",
"hybrid",
"bounce",
"drop",
"inside",
"outside",
"marker",
"gc"
],
"references": [
"embed.html",
"ad_status.js.pobrane",
"f5Y41t9wqY4.html",
"cast_sender.js.pobrane",
"remote.js.pobrane",
"sw3VTUzeRvWIVwvWSyk6S5gHWPxOOwU1OxerozmN4Hw.js.pobrane",
"embed.js.pobrane",
"www-embed-player.js.pobrane",
"animate.ext.css",
"animate.min.css",
"jquery.djmegamenu.js.pobrane",
"jquery.djmobilemenu.js.pobrane",
"magnific.js.pobrane",
"jquery.easing.min.js.pobrane",
"slider.js.pobrane",
"jquery.countTo.js.pobrane",
"scripts.js.pobrane",
"magnific-init.js.pobrane",
"pagesettings.js.pobrane",
"jquery.cookie.js.pobrane",
"stickybar.js.pobrane",
"fontswitcher.js.pobrane",
"offcanvas.js.pobrane",
"jquery.autocomplete.min.js.pobrane",
"bootstrap.min.js.pobrane",
"jcemediabox.js.pobrane",
"jquery.ui.core.min.js.pobrane",
"jquery-migrate.min.js.pobrane",
"layout.min.js.pobrane",
"jquery.ui.sortable.min.js.pobrane",
"caption.js.pobrane",
"finder.css",
"jquery-noconflict.js.pobrane",
"djmegamenu.26.css",
"animations.css",
"djmobilemenu.css",
"jquery.min.js.pobrane",
"djimageslider.css",
"offcanvas.css",
"magnific.css",
"font_switcher.26.css",
"css",
"template_responsive.26.css",
"offcanvas.26.css",
"bootstrap_responsive.26.css",
"extended_layouts.26.css",
"style.css",
"content.css",
"template.26.css",
"bootstrap.26.css",
"jcemediabox.css",
"js",
"onion.js.pobrane",
"search_impl.js.pobrane",
"overlay.js.pobrane",
"map.js.pobrane",
"util.js.pobrane",
"search.js.pobrane",
"common.js.pobrane",
"geometry.js.pobrane",
"main.js.pobrane"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Gc",
"display_name": "Gc",
"target": null
}
],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 26,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Arek-BTC",
"id": "212764",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 2779,
"hostname": 661,
"domain": 684,
"email": 4,
"FileHash-MD5": 1,
"FileHash-SHA256": 689
},
"indicator_count": 4818,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 122,
"modified_text": "310 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "663d2869e0f3a42bbddc42ff",
"name": "UPX executable packer.",
"description": "A new rule has been introduced a \"suspicious\" ELF binary that is packed with the UPX executable packer.\nSuggested ATT&CK IDs: rule SUSP_ELF_LNX_UPX_Compressed_File { meta: description = \"Detects a suspicious ELF binary with UPX compression\" author = \"Florian Roth (Nextron Systems)\" reference = \"Internal Research\" date = \"2018-12-12\" score = 40 hash1 = \"038ff8b2fef16f8ee9d70e6c219c5f380afe1a21761791e8cbda21fa4d09fdb4\" id = \"078937de-59b3-538e-a5c3-57f4e6050212\" strings: $s1 = \"PROT_EXEC|PROT_WRITE failed.\" fullword ascii $s2 = \"$Id: UPX\" fullword ascii $s3 = \"$Info: This file is packed with the UPX executable packer\" ascii $fp1 = \"check your UCL installation !\"",
"modified": "2024-10-14T00:01:17.069000",
"created": "2024-05-09T19:47:53.786000",
"tags": [
"cioch adrian",
"centrum usug",
"sieciowych",
"elf binary",
"upx compression",
"roth",
"nextron",
"info",
"javascript",
"html",
"office open",
"xml document",
"network capture",
"win32 exe",
"xml pakietu",
"pdf zestawy",
"przechwytywanie",
"office",
"filehashsha1",
"url https",
"cve cve20201070",
"cve cve20203153",
"cve cve20201048",
"cve cve20211732",
"cve20201048 apr",
"filehashmd5",
"cve cve20010901",
"cve cve20021841",
"cve20153202 apr",
"cve cve20160728",
"cve cve20161807",
"cve cve20175123",
"cve20185407 apr",
"cve cve20054605",
"cve cve20060745",
"cve cve20070452",
"cve cve20070453",
"cve cve20070454",
"cve cve20071355",
"cve cve20071358",
"cve cve20071871",
"cve20149614 apr",
"cve cve20151503",
"cve cve20152080",
"cve cve20157377",
"cve cve20170131",
"cve20200796 may",
"cve cve20113403"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 6861,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Arek-BTC",
"id": "212764",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 5771,
"domain": 3139,
"URL": 14525,
"FileHash-SHA1": 2610,
"IPv4": 108,
"CIDR": 40,
"FileHash-SHA256": 10705,
"FileHash-MD5": 3373,
"YARA": 2,
"CVE": 148,
"Mutex": 7,
"FilePath": 3,
"SSLCertFingerprint": 3,
"email": 23,
"JA3": 1,
"IPv6": 2
},
"indicator_count": 40460,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 137,
"modified_text": "552 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65708ef0cdb40fa0e7d239ca",
"name": "either emotet or a part of it",
"description": "",
"modified": "2023-12-06T15:10:40.867000",
"created": "2023-12-06T15:10:40.867000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 342,
"hostname": 456,
"domain": 349,
"URL": 1730,
"FileHash-MD5": 1,
"FileHash-SHA1": 1
},
"indicator_count": 2879,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 109,
"modified_text": "865 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65708eedef45abdffcb1a9ae",
"name": "tracking more than space junk",
"description": "",
"modified": "2023-12-06T15:10:37.631000",
"created": "2023-12-06T15:10:37.631000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 371,
"domain": 139,
"URL": 1034,
"FileHash-SHA256": 113,
"FileHash-MD5": 1
},
"indicator_count": 1658,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 109,
"modified_text": "865 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65708ed8f7d4b5483117bb66",
"name": "abuse.ch",
"description": "",
"modified": "2023-12-06T15:10:16.397000",
"created": "2023-12-06T15:10:16.397000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 223,
"domain": 383,
"URL": 1639,
"hostname": 560,
"email": 1,
"FileHash-MD5": 2
},
"indicator_count": 2808,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 114,
"modified_text": "865 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65708e2d7cb4228401888b63",
"name": "possibly a central bank",
"description": "",
"modified": "2023-12-06T15:07:25.990000",
"created": "2023-12-06T15:07:25.990000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 622,
"domain": 2558,
"URL": 4203,
"hostname": 1221,
"CVE": 1
},
"indicator_count": 8605,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 109,
"modified_text": "865 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65708d657f0895a860febf8f",
"name": "SafeFrame Container",
"description": "",
"modified": "2023-12-06T15:04:05.932000",
"created": "2023-12-06T15:04:05.932000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 1416,
"domain": 2979,
"URL": 8250,
"hostname": 2262
},
"indicator_count": 14907,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 110,
"modified_text": "865 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65708cc78755574d9812e4c8",
"name": "one google maps api call and one generic key - causing a large chunk of cyber disruption and compromise",
"description": "",
"modified": "2023-12-06T15:01:27.166000",
"created": "2023-12-06T15:01:27.166000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 135,
"hostname": 149,
"URL": 352,
"domain": 53
},
"indicator_count": 689,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 109,
"modified_text": "865 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65708cac217e290594a79ecb",
"name": "188.166.154.118",
"description": "",
"modified": "2023-12-06T15:01:00.949000",
"created": "2023-12-06T15:01:00.949000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 162,
"hostname": 494,
"domain": 375,
"URL": 1404,
"FileHash-MD5": 4,
"FileHash-SHA1": 1
},
"indicator_count": 2440,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 109,
"modified_text": "865 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65708ca99b684204a04e0b36",
"name": "188.166.154.118",
"description": "",
"modified": "2023-12-06T15:00:57.293000",
"created": "2023-12-06T15:00:57.293000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 162,
"hostname": 494,
"domain": 375,
"URL": 1404,
"FileHash-MD5": 4,
"FileHash-SHA1": 1
},
"indicator_count": 2440,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 109,
"modified_text": "865 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65708ca60be7cea12070cd6e",
"name": "188.166.154.118",
"description": "",
"modified": "2023-12-06T15:00:54.743000",
"created": "2023-12-06T15:00:54.743000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 162,
"hostname": 494,
"domain": 375,
"URL": 1404,
"FileHash-MD5": 4,
"FileHash-SHA1": 1
},
"indicator_count": 2440,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 109,
"modified_text": "865 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65708c9ab9d83866b134caea",
"name": "TopInjurySettlements.com",
"description": "",
"modified": "2023-12-06T15:00:42.186000",
"created": "2023-12-06T15:00:42.186000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 300,
"hostname": 760,
"domain": 617,
"URL": 1744,
"FileHash-SHA1": 1,
"FileHash-MD5": 2
},
"indicator_count": 3424,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 109,
"modified_text": "865 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65708c57c7b19b62c501601a",
"name": "Hurricane Electric - csp.he.net :)",
"description": "",
"modified": "2023-12-06T14:59:35.479000",
"created": "2023-12-06T14:59:35.479000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 186,
"hostname": 490,
"URL": 1339,
"domain": 311
},
"indicator_count": 2326,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 109,
"modified_text": "865 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65708c0f5981b6d81d0fa423",
"name": "data102 and colohouse. Malware hosting",
"description": "",
"modified": "2023-12-06T14:58:23.206000",
"created": "2023-12-06T14:58:23.206000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 458,
"domain": 557,
"URL": 2599,
"hostname": 952
},
"indicator_count": 4566,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 109,
"modified_text": "865 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65708beba2ba8bcfb1d10237",
"name": "hostkey - Industroyer&ReduceRight",
"description": "",
"modified": "2023-12-06T14:57:47.430000",
"created": "2023-12-06T14:57:47.430000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 3,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 304,
"hostname": 563,
"domain": 407,
"URL": 1776,
"FileHash-SHA1": 2
},
"indicator_count": 3052,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 109,
"modified_text": "865 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65708b72abe90961af1737c9",
"name": "reCAPTCHA",
"description": "",
"modified": "2023-12-06T14:55:46.172000",
"created": "2023-12-06T14:55:46.172000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 362,
"domain": 330,
"URL": 1790,
"hostname": 586,
"email": 1
},
"indicator_count": 3069,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 109,
"modified_text": "865 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "657080d20f7e10c1e37fcf89",
"name": "TarrantCounty.com ~ 03.01.2022",
"description": "",
"modified": "2023-12-06T14:10:26.301000",
"created": "2023-12-06T14:10:26.301000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 1078,
"domain": 838,
"hostname": 1607,
"URL": 4134,
"email": 3,
"FileHash-SHA1": 2,
"CIDR": 4,
"FileHash-MD5": 15
},
"indicator_count": 7681,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 109,
"modified_text": "865 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "657080735501c11ddbb7a988",
"name": "Dominionvoting.com 03.03.22",
"description": "",
"modified": "2023-12-06T14:08:51.329000",
"created": "2023-12-06T14:08:51.329000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 663,
"hostname": 588,
"domain": 413,
"URL": 2183,
"FileHash-MD5": 7
},
"indicator_count": 3854,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 110,
"modified_text": "865 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6570805953274b32ec1f981b",
"name": "Votebuilder.com",
"description": "",
"modified": "2023-12-06T14:08:25.588000",
"created": "2023-12-06T14:08:25.588000",
"tags": [],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 2,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "api",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "StreamMiningEx",
"id": "262917",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 869,
"domain": 834,
"URL": 4755,
"hostname": 1559,
"CIDR": 2,
"FileHash-MD5": 10
},
"indicator_count": 8029,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 109,
"modified_text": "865 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "653f1d947db1f44d13bf9982",
"name": " Malicious Google - Sign in? https://accounts.google.com/speedbump",
"description": "",
"modified": "2023-11-22T03:03:38.455000",
"created": "2023-10-30T03:05:56.431000",
"tags": [
"detection list",
"ip address",
"blacklist",
"united",
"cisco umbrella",
"site",
"alexa top",
"safe site",
"malicious url",
"million",
"facebook",
"hsbc group",
"blacknet rat",
"stealer",
"fakedout threat",
"ip summary",
"url summary",
"summary",
"sample",
"samples",
"noname057",
"name verdict",
"falcon sandbox",
"date",
"markmonitor",
"name server",
"opera",
"edge",
"error",
"hidden",
"windir",
"silk",
"unknown",
"android",
"hybrid",
"general",
"click",
"strings",
"trident",
"class",
"critical",
"http response",
"final url",
"serving ip",
"address",
"status code",
"body length",
"kb body",
"sha256",
"script",
"self",
"pragma",
"html info",
"title sign",
"meta tags"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": "6535ef14a479ec0ed4c895b4",
"export_count": 10,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 208,
"FileHash-MD5": 1206,
"FileHash-SHA1": 609,
"FileHash-SHA256": 564,
"domain": 116,
"URL": 457
},
"indicator_count": 3160,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 220,
"modified_text": "879 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6535ef14a479ec0ed4c895b4",
"name": "Malicious Google - Sign in? https://accounts.google.com/speedbump/changepassword",
"description": "Is account part of Botnet. I witnessed; login needs to be reset, logged out [get this 'https://accounts.google.com/speedbump/changepassword' read browser bar when looks suspect, log in to a Google interface, titled Google Account, font is different. Says this device logged in for the first time 10/19/2023. Untrue. Implicated someone had password and Google critical security alert email.\nI haven't had enough time to research. Hostile bruteforce account login.? Complete CNC on Google email accounts.",
"modified": "2023-11-22T03:03:38.455000",
"created": "2023-10-23T03:57:08.696000",
"tags": [
"detection list",
"ip address",
"blacklist",
"united",
"cisco umbrella",
"site",
"alexa top",
"safe site",
"malicious url",
"million",
"facebook",
"hsbc group",
"blacknet rat",
"stealer",
"fakedout threat",
"ip summary",
"url summary",
"summary",
"sample",
"samples",
"noname057",
"name verdict",
"falcon sandbox",
"date",
"markmonitor",
"name server",
"opera",
"edge",
"error",
"hidden",
"windir",
"silk",
"unknown",
"android",
"hybrid",
"general",
"click",
"strings",
"trident",
"class",
"critical",
"http response",
"final url",
"serving ip",
"address",
"status code",
"body length",
"kb body",
"sha256",
"script",
"self",
"pragma",
"html info",
"title sign",
"meta tags"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 19,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 208,
"FileHash-MD5": 1206,
"FileHash-SHA1": 609,
"FileHash-SHA256": 564,
"domain": 116,
"URL": 457
},
"indicator_count": 3160,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 227,
"modified_text": "879 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6426dda295502d82e6e6ef7f",
"name": "v4 - Hybrid scan uploaded + all suggested ioc's - vendor.3a0e728a.js another gem in edge on twitter.com/i/flow/login source code",
"description": "WebpackChunk_Twitter-responsive_web is built on a single web address, which will allow users to upload images, tweets and videos to be stored in the same place as the hashtag.",
"modified": "2023-03-31T13:18:26.733000",
"created": "2023-03-31T13:18:26.733000",
"tags": [
"trojan",
"apt",
"ansi",
"memoryfile scan",
"error",
"runtime data",
"typeof e",
"regexp",
"array",
"object",
"typeof t",
"void",
"null",
"unknown",
"path",
"facebook",
"4096",
"suspicious",
"meta",
"lazy",
"entity",
"union",
"body",
"idkey",
"scroll",
"backspace",
"insert",
"roboto",
"target",
"stack",
"hybrid",
"model",
"click",
"stream",
"strings",
"qakbot",
"pattern match",
"ud801",
"ud804",
"ud805",
"ud806",
"ud81a",
"ud835",
"ud800",
"ud802",
"sha1",
"sha256",
"vendor.3a0e728a.js"
],
"references": [
"https://hybrid-analysis.com/sample/9bf30967dfbf84d91ff4a1ca66dcd6c3383e679917e8b7aa4f659ff9f4e848d7/6426cf48655f94b6b303704c"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1010",
"name": "Application Window Discovery",
"display_name": "T1010 - Application Window Discovery"
},
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1106",
"name": "Native API",
"display_name": "T1106 - Native API"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1115",
"name": "Clipboard Data",
"display_name": "T1115 - Clipboard Data"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1546",
"name": "Event Triggered Execution",
"display_name": "T1546 - Event Triggered Execution"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1614",
"name": "System Location Discovery",
"display_name": "T1614 - System Location Discovery"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 5,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "callmeDoris",
"id": "205385",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 1353,
"hostname": 222,
"domain": 221,
"FileHash-SHA256": 85,
"FileHash-MD5": 3,
"FileHash-SHA1": 1
},
"indicator_count": 1885,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 90,
"modified_text": "1115 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "63ed8628367c1a4f3f8e773a",
"name": "just a load of errors on edge watching twitch",
"description": "load of unknown user pics, but that could just be a twitch thing",
"modified": "2023-03-18T00:05:45.328000",
"created": "2023-02-16T01:26:00.959000",
"tags": [
"object",
"typeerror",
"typeof symbol",
"error",
"typeof t",
"array",
"string",
"typeof e",
"typeof n",
"referenceerror",
"date",
"body",
"null",
"local",
"generator",
"class",
"typeof tcfapi",
"tcfapi",
"daten",
"image",
"typeof comscore",
"true",
"regexp",
"config",
"nolbundle",
"novmsjs",
"nlssdk",
"retry request",
"nolsdkbundle",
"typeof o",
"bsdk check",
"optout",
"basever",
"lsid",
"qqfunction",
"nielsen log",
"info",
"stop",
"logger",
"android",
"donate",
"ukraine relief",
"requestbuilder",
"slotbuilder",
"uint8array",
"nthis",
"promise",
"symbol",
"fullscreen",
"adload",
"false",
"facebook",
"unknown",
"meta",
"direct",
"this",
"close",
"locale",
"model",
"survey",
"companion",
"scroll",
"backspace",
"insert",
"infinity",
"sandbox",
"malware",
"analysis",
"online",
"submit",
"vxstream",
"sample",
"download",
"trojan",
"apt",
"runtime data",
"ansi",
"path",
"hybrid analysis",
"api call",
"registry access",
"function",
"calls",
"window",
"hybrid",
"general",
"click",
"ransomware",
"february",
"strings",
"suspicious",
"irequestslot",
"islotbuilder",
"amazonerrorcode",
"errortype",
"adunit",
"conflict",
"please"
],
"references": [
"https://hybrid-analysis.com/sample/5da0de230eb98e5598b152944d0e7e6b355485484052df6c7f1c747e2c5564c0/63ed708125f47738b45a6520",
"webpack buildin global.js",
"SlotBuilder.ts",
"P34D56F9D-5684-4C83-8EE1-5EA7DE9CF45D.js",
"apstag.js",
"nlsSDK600.bundle.min.js",
"v6s.js",
"https://sb.scorecardresearch.com/p?c1=2&c2=6745306&ns_type=hidden&ns_st_sv=5.1.3.160420&ns_st_smv=5.1&ns_st_it=r&ns_st_id=1676508021004&ns_st_ec=3&ns_st_sp=1&ns_st_sc=1&ns_st_sq=1&ns_st_ppc=1&ns_st_apc=1&ns_st_spc=1&ns_st_cn=1&ns_st_ev=hb&ns_st_po=1560430&ns_st_cl=0&ns_st_hc=31&ns_st_mp=js_api&ns_st_mv=5.1.3.160420&ns_st_pn=1&ns_st_tp=0&ns_st_ci=47976339133&ns_st_pt=1560430&ns_st_dpt=360423&ns_st_ipt=60010&ns_st_et=1560430&ns_st_det=360423&ns_st_upc=1560430&ns_st_dupc=360423&ns_st_iupc=60010&ns_st_upa=15604",
"https://sb.scorecardresearch.com/p?ax_uuid=d247c6142f285bb0488533aa7f2d53c5&c1=9&c2=31864766&ns__t=1676508027511&ns_c=UTF-8&cv=3.1&c8=SecurityWeekly%20-%20Twitch&c7=https%3A%2F%2Fwww.twitch.tv%2Fsecurityweekly&c9=",
"https://hybrid-analysis.com/sample/b1442e85b03bdcaf66dc58c7abb98745dd2687d86350be9a298a1d9382ac849b/",
"beacon.js",
"https://static-cdn.jtvnw.net/jtv_user_pictures/6f4129f6-3750-4c02-b7c8-c88a05064129-profile_image-70x70.png"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "SlotBuilder",
"display_name": "SlotBuilder",
"target": null
},
{
"id": "RequestBuilder",
"display_name": "RequestBuilder",
"target": null
}
],
"attack_ids": [
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1547",
"name": "Boot or Logon Autostart Execution",
"display_name": "T1547 - Boot or Logon Autostart Execution"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 7,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "callmeDoris",
"id": "205385",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 1353,
"hostname": 363,
"domain": 201,
"FileHash-SHA256": 203,
"FileHash-MD5": 9,
"FileHash-SHA1": 3
},
"indicator_count": 2132,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 90,
"modified_text": "1128 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "63ed86228ecb2b03d35b046f",
"name": "just a load of errors on edge watching twitch",
"description": "load of unknown user pics, but that could just be a twitch thing",
"modified": "2023-03-18T00:05:45.328000",
"created": "2023-02-16T01:25:54.305000",
"tags": [
"object",
"typeerror",
"typeof symbol",
"error",
"typeof t",
"array",
"string",
"typeof e",
"typeof n",
"referenceerror",
"date",
"body",
"null",
"local",
"generator",
"class",
"typeof tcfapi",
"tcfapi",
"daten",
"image",
"typeof comscore",
"true",
"regexp",
"config",
"nolbundle",
"novmsjs",
"nlssdk",
"retry request",
"nolsdkbundle",
"typeof o",
"bsdk check",
"optout",
"basever",
"lsid",
"qqfunction",
"nielsen log",
"info",
"stop",
"logger",
"android",
"donate",
"ukraine relief",
"requestbuilder",
"slotbuilder",
"uint8array",
"nthis",
"promise",
"symbol",
"fullscreen",
"adload",
"false",
"facebook",
"unknown",
"meta",
"direct",
"this",
"close",
"locale",
"model",
"survey",
"companion",
"scroll",
"backspace",
"insert",
"infinity",
"sandbox",
"malware",
"analysis",
"online",
"submit",
"vxstream",
"sample",
"download",
"trojan",
"apt",
"runtime data",
"ansi",
"path",
"hybrid analysis",
"api call",
"registry access",
"function",
"calls",
"window",
"hybrid",
"general",
"click",
"ransomware",
"february",
"strings",
"suspicious",
"irequestslot",
"islotbuilder",
"amazonerrorcode",
"errortype",
"adunit",
"conflict",
"please"
],
"references": [
"https://hybrid-analysis.com/sample/5da0de230eb98e5598b152944d0e7e6b355485484052df6c7f1c747e2c5564c0/63ed708125f47738b45a6520",
"webpack buildin global.js",
"SlotBuilder.ts",
"P34D56F9D-5684-4C83-8EE1-5EA7DE9CF45D.js",
"apstag.js",
"nlsSDK600.bundle.min.js",
"v6s.js",
"https://sb.scorecardresearch.com/p?c1=2&c2=6745306&ns_type=hidden&ns_st_sv=5.1.3.160420&ns_st_smv=5.1&ns_st_it=r&ns_st_id=1676508021004&ns_st_ec=3&ns_st_sp=1&ns_st_sc=1&ns_st_sq=1&ns_st_ppc=1&ns_st_apc=1&ns_st_spc=1&ns_st_cn=1&ns_st_ev=hb&ns_st_po=1560430&ns_st_cl=0&ns_st_hc=31&ns_st_mp=js_api&ns_st_mv=5.1.3.160420&ns_st_pn=1&ns_st_tp=0&ns_st_ci=47976339133&ns_st_pt=1560430&ns_st_dpt=360423&ns_st_ipt=60010&ns_st_et=1560430&ns_st_det=360423&ns_st_upc=1560430&ns_st_dupc=360423&ns_st_iupc=60010&ns_st_upa=15604",
"https://sb.scorecardresearch.com/p?ax_uuid=d247c6142f285bb0488533aa7f2d53c5&c1=9&c2=31864766&ns__t=1676508027511&ns_c=UTF-8&cv=3.1&c8=SecurityWeekly%20-%20Twitch&c7=https%3A%2F%2Fwww.twitch.tv%2Fsecurityweekly&c9=",
"https://hybrid-analysis.com/sample/b1442e85b03bdcaf66dc58c7abb98745dd2687d86350be9a298a1d9382ac849b/",
"beacon.js",
"https://static-cdn.jtvnw.net/jtv_user_pictures/6f4129f6-3750-4c02-b7c8-c88a05064129-profile_image-70x70.png"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "SlotBuilder",
"display_name": "SlotBuilder",
"target": null
},
{
"id": "RequestBuilder",
"display_name": "RequestBuilder",
"target": null
}
],
"attack_ids": [
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1547",
"name": "Boot or Logon Autostart Execution",
"display_name": "T1547 - Boot or Logon Autostart Execution"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 7,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "callmeDoris",
"id": "205385",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 1353,
"hostname": 363,
"domain": 201,
"FileHash-SHA256": 203,
"FileHash-MD5": 9,
"FileHash-SHA1": 3
},
"indicator_count": 2132,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 90,
"modified_text": "1128 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "63af1572a13e2f65db3a88ac",
"name": "ttps://apis.google.com/_/scs/abc-static/_/js/k=gapi.lb.en.ydLROSGdlBE.O/m=gapi_iframes/rt=j/sv=1/d=1/ed=1/rs=AHpOoo_OUY4V-VcsLuRVnUuYVO758FydkA/cb=gapi.loaded_0?le=scs",
"description": "oh",
"modified": "2022-12-30T16:44:34.174000",
"created": "2022-12-30T16:44:34.174000",
"tags": [
"string",
"edge",
"error",
"date",
"weakmap",
"keme",
"iframe",
"typeerror",
"symbol",
"array int8array",
"trident",
"android",
"javascript",
"help center",
"please",
"service privacy",
"policy cookie",
"policy imprint",
"ads info",
"twitter"
],
"references": [
"https://twitter.com/i/flow/signup?input_flow_data=%7B%22requested_variant%22%3A%22eyJyZWRpcmVjdF91cmwiOiIvc2V0dGluZ3MvYWNjb3VudC9wZXJzb25hbGl6YXRpb24ifQ%3D%3D%22%7D",
"Here's a look at some of the best tweets from the past 12 months, as well as the top ones from Twitter and other social media sites, including Facebook, Twitter, Instagram and Instagram.",
"VirusTotal - Single Sign On.pdf",
"https://apis.google.com/_/scs/abc-static/_/js/k=gapi.lb.en.ydLROSGdlBE.O/m=gapi_iframes/rt=j/sv=1/d=1/ed=1/rs=AHpOoo_OUY4V-VcsLuRVnUuYVO758FydkA/cb=gapi.loaded_0?le=scs"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 10,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "callmeDoris",
"id": "205385",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 75,
"URL": 284,
"domain": 46,
"FileHash-SHA256": 20
},
"indicator_count": 425,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 90,
"modified_text": "1206 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "63af156f5c4390b95bc7f8e7",
"name": "ttps://apis.google.com/_/scs/abc-static/_/js/k=gapi.lb.en.ydLROSGdlBE.O/m=gapi_iframes/rt=j/sv=1/d=1/ed=1/rs=AHpOoo_OUY4V-VcsLuRVnUuYVO758FydkA/cb=gapi.loaded_0?le=scs",
"description": "oh",
"modified": "2022-12-30T16:44:31.609000",
"created": "2022-12-30T16:44:31.609000",
"tags": [
"string",
"edge",
"error",
"date",
"weakmap",
"keme",
"iframe",
"typeerror",
"symbol",
"array int8array",
"trident",
"android",
"javascript",
"help center",
"please",
"service privacy",
"policy cookie",
"policy imprint",
"ads info",
"twitter"
],
"references": [
"https://twitter.com/i/flow/signup?input_flow_data=%7B%22requested_variant%22%3A%22eyJyZWRpcmVjdF91cmwiOiIvc2V0dGluZ3MvYWNjb3VudC9wZXJzb25hbGl6YXRpb24ifQ%3D%3D%22%7D",
"Here's a look at some of the best tweets from the past 12 months, as well as the top ones from Twitter and other social media sites, including Facebook, Twitter, Instagram and Instagram.",
"VirusTotal - Single Sign On.pdf",
"https://apis.google.com/_/scs/abc-static/_/js/k=gapi.lb.en.ydLROSGdlBE.O/m=gapi_iframes/rt=j/sv=1/d=1/ed=1/rs=AHpOoo_OUY4V-VcsLuRVnUuYVO758FydkA/cb=gapi.loaded_0?le=scs"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 10,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "callmeDoris",
"id": "205385",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 75,
"URL": 284,
"domain": 46,
"FileHash-SHA256": 20
},
"indicator_count": 425,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 90,
"modified_text": "1206 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "634b4481d97a69446b750e82",
"name": "adsbygoogle.js hybrid-A ts 55/100 seems mych worse here",
"description": "",
"modified": "2022-10-15T23:52:08.907000",
"created": "2022-10-15T23:38:41.311000",
"tags": [
"sandbox",
"malware",
"analysis",
"online",
"submit",
"vxstream",
"sample",
"download",
"trojan",
"apt",
"ansi",
"memoryfile scan",
"error",
"null",
"string",
"runtime data",
"number",
"object",
"chrome",
"void",
"date",
"android",
"path",
"iframe",
"window",
"this",
"trident",
"meta",
"suspicious",
"infinity",
"hybrid",
"close",
"click",
"general",
"strings",
"malicious",
"august"
],
"references": [
"https://hybrid-analysis.com/sample/fbba6129666c709aae5bcc8f49cffc28ad0d0c6d5b22fb4ee69da66e5d5fd7d9/634753ff96b237006c46584e"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1012",
"name": "Query Registry",
"display_name": "T1012 - Query Registry"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 6,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "callmeDoris",
"id": "205385",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 62,
"URL": 835,
"domain": 65,
"FileHash-SHA256": 81,
"FileHash-MD5": 1,
"FileHash-SHA1": 1
},
"indicator_count": 1045,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 90,
"modified_text": "1281 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "62e1ca167a1591e7b4ca1129",
"name": "VirusTotal view-source on https://www.virustotal.com/en/file/undefined/analysis/",
"description": "someone really needs to figure out wtf this is all doing it has to be part of the net.sh",
"modified": "2022-07-28T02:05:04.183000",
"created": "2022-07-27T23:28:22.504000",
"tags": [
"array",
"object",
"typeof t",
"layer1",
"error",
"path",
"function",
"typeerror",
"date",
"svg export",
"span",
"null",
"unknown",
"click",
"february",
"april",
"june",
"august",
"this",
"void",
"bounce",
"string",
"regexp",
"number",
"sxa0",
"amptoken",
"optout",
"notfound",
"contenttype",
"form",
"copyright",
"element",
"polymer project",
"authors",
"bsd style",
"code",
"google",
"software",
"window",
"generator",
"comment",
"trident",
"typeof e",
"typeof symbol",
"typeof btoa",
"btoa",
"typeof reflect",
"boolean",
"customevent",
"plugin",
"build",
"home",
"intelligence",
"graph",
"report",
"urls",
"please",
"javascript",
"https://www.virustotal.com/en/file/undefined/analysis/",
"net.sh"
],
"references": [
"entity%3Aip%20whois%3Ainfo%40anodicnetwork.com.html",
"14.main.bundle.91f9f7ff635e0b797de3.js",
"5.main.bundle.e92e5e24e074f9c2a52b.js",
"0.main.bundle.a9d68f5204cd3ac257b6.js",
"webcomponent-polyfill.js",
"analytics.js",
"12.main.bundle.50be73a11d1d3745a5ee.js",
"\" Page not found Page not found