{ "type": "URL", "indicator": "https://ww12.egscorp.net/", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://ww12.egscorp.net/", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4047086527, "indicator": "https://ww12.egscorp.net/", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 2, "pulses": [ { "id": "67f6c635cb8c3c8b256b6dba", "name": "sdfzsdf.ele fac1ec40eea5a4fc05f17e019328e287", "description": "SHA1- 33008f85428a83996083c3da92a8f00595071403\nSHA256\ncdab1c3196887d4f749d82f014786a966c87f35a7189f0f3d078558b957847bf\nhttps://sandbox.ti.qianxin.com/sandbox/page/detail?type=file&id=7b6726e20c513baebf7fd387a3dd1b7d67a4c7c4\nhttps://ti.qianxin.com/v2/search?type=file&value=fac1ec40eea5a4fc05f17e019328e287\nhttps://www.virustotal.com/gui/file/cdab1c3196887d4f749d82f014786a966c87f35a7189f0f3d078558b957847bf/relations", "modified": "2025-09-01T08:05:17.675000", "created": "2025-04-09T19:10:45.337000", "tags": [ "sha1", "rozmiar", "typ pliku", "win32", "numer wersji", "wersja", "nieznany", "sha512", "crc32", "ssd gboki", "win64", "security", "license v2", "f6 d9", "windows nt", "detects", "gecko", "khtml", "msie", "wow64", "stealer", "error", "userprofile", "hunt", "keylogger", "encrypt", "antivm", "span", "main", "grabber", "hello", "android", "dcrat", "kill", "revengerat", "sandbox", "pass", "chat", "first", "asyncrat", "crypto", "injector", "dropper", "infostealer", "lockfile", "worldwind", "stealerium", "toxiceye", "avemaria", "fast", "persistence", "trojan", "restart", "snakekeylogger", "snake", "accept", "cookie", "code", "killproc", "lazarus", "dearcry", "njrat", "cyrus", "powershell", "info", "body", "floodfix", "downloader", "ransomware", "core", "loki", "fpspy", "klogexe", "firebird", "patch", "explorer", "avkiller", "masslogger", "baldr", "modi rat", "helpme", "osno", "import", "keylog", "screencapture", "ransom", "crypted", "silent", "xorddos", "stormkitty", "ordinal", "locker", "hyperbro", "lamepyre", "parallaxrat", "null", "shurk steal", "arkeistealer", "strongpity", "desktop", "myagent", "bypass", "fatduke", "miniduke", "polyglotduke", "guildma", "spyeye", "corebot", "killmbr", "ooops", "lcpdot", "torisma", "codec", "prometheus", "spook", "crypt", "logger", "zegost", "poshkeylogger", "systembc", "hdlocker", "cryptolocker", "fivehands", "kitty", "goldmax", "rents", "maurigo", "done", "hidewindow", "bokbot", "bladabindi", "darktrack", "darksky", "alien", "karkoff", "inject", "windigo", "rest", "softcnapp", "elysiumstealer", "leivion", "banload", "ultrareach", "ultrasurf", "buterat", "tools", "beasty", "shut", "gravityrat", "fatalrat", "discord", "deadwood", "turian", "markirat", "mark", "klingonrat", "path", "reverserat", "grab", "meta", "voidcrypt", "darkvnc", "ryzerlo", "hiddentear", "boxcaon", "stream", "crimsonrat", "delfi", "infinity", "stealthworker", "gasket", "spoolss", "lu0bot", "target", "attack", "cobaltstrike", "bits", "chaos", "bitcoin", "wiper", "delphi", "slackbot", "neshta", "belarus", "apanas", "runner", "darkcomet", "macoute", "iframe", "vanillarat", "sectoprat", "melt", "tomiris", "apostle", "blackbyte", "kutaki", "override", "windealer", "mkdir", "brbbot", "config", "babylon rat", "spynet", "bazarloader", "clipper", "banker", "gh0st", "piratestealer", "witch", "killme", "vulturi", "tofsee", "slow", "owowa", "flagpro", "write", "dazzlespy", "decryptor", "bandit stealer", "bandit", "darkeye", "recordbreaker", "truebot", "svchost", "clipbanker", "service", "koivm", "arrowrat", "ducktail", "confuser", "gobrat", "modiloader", "chilelocker", "noclose", "strelastealer", "comfoo", "babar", "blankgrabber", "solarmarker", "darkgate", "stub", "banned", "globeimposter", "rhysida", "janelarat", "kraken", "recon", "quiterat", "venomrat", "venom rat", "sapphirestealer", "ntospy", "raccoon", "shifu", "mediapi", "poolrat", "cicada3301", "remoteexec", "babylockerkz", "new service", "creation id", "nextron" ], "references": [ "Windows_Trojan_Tofsee.yar", "Suspicious New Service Creation (1).yml" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 353, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 28, "FileHash-SHA1": 27, "FileHash-SHA256": 1077, "domain": 282, "hostname": 316, "URL": 1092, "YARA": 535, "email": 4 }, "indicator_count": 3361, "is_author": false, "is_subscribing": null, "subscriber_count": 124, "modified_text": "230 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "67d460d4b6a8130a65ac334c", "name": "Government Spyware | Mirai & Berbew Trojans | Microsoft and Linux systems | Malware", "description": "Just a small sample of the servers used by law enforcement, governments, and intelligence agencies, invading the right to privacy of all citizens. In a typical situation, the router of the person being investigated is first infected with malware, then through the router itself and other IoT devices connected to the network, the open services are scanned. Afterwards, DDoS attacks and zero-day exploits are executed on the vulnerable services, and the intrusion is carried out without the person's knowledge. An attack that only law enforcement can execute. The right to privacy and intimacy must prevail. The use of a powerful firewall and an HIDS/HIPS system is recommended. Devices affected: All IoT, Samsung, HP, TP-Link, Asus, Lenovo, LG, etc..... [Systems affected]: All Windows and Linux versions. These attacks are made possible thanks to the collaboration of companies like Adobe, Microsoft, Samsung, HP, Asus, Intel, Acer, Apple, and a very long list.", "modified": "2025-04-13T16:01:30.107000", "created": "2025-03-14T17:01:08.144000", "tags": [ "Police", "Government", "CIA", "NSO", "CNI", "Intelligence Agencies", "Spyware", "Trojan", "Unix", "Mirai", "Berbew", "Powershell", "Javascript", "Man in the middle", "Man in the browser", "Router infection", "ISP infecion", "Samsung", "Lenovo", "LG", "Microsoft", "Pegasus", "Graphite", "Windows", "Linux" ], "references": [], "public": 1, "adversary": "Government", "targeted_countries": [ "United States of America", "Spain", "Russian Federation", "Argentina", "Brazil", "Chile", "Costa Rica", "Mexico", "Venezuela, Bolivarian Republic of", "Peru", "Panama" ], "malware_families": [ { "id": "Trojan:Unix/Rootkit", "display_name": "Trojan:Unix/Rootkit", "target": "/malware/Trojan:Unix/Rootkit" }, { "id": "Backdoor:Linux/Mirai", "display_name": "Backdoor:Linux/Mirai", "target": "/malware/Backdoor:Linux/Mirai" }, { "id": "Trojan:JS/Berbew", "display_name": "Trojan:JS/Berbew", "target": "/malware/Trojan:JS/Berbew" }, { "id": "Trojan:Win32/Berbew", "display_name": "Trojan:Win32/Berbew", "target": "/malware/Trojan:Win32/Berbew" }, { "id": "Backdoor:Linux/Homeunix", "display_name": "Backdoor:Linux/Homeunix", "target": "/malware/Backdoor:Linux/Homeunix" }, { "id": "Mirai (Windows)", "display_name": "Mirai (Windows)", "target": null }, { "id": "Pegasus - MOB-S0005", "display_name": "Pegasus - MOB-S0005", "target": null }, { "id": "#HackTool:PowerShell/Powersploit", "display_name": "#HackTool:PowerShell/Powersploit", "target": "/malware/#HackTool:PowerShell/Powersploit" }, { "id": "EVILNUM (Javascript)", "display_name": "EVILNUM (Javascript)", "target": null } ], "attack_ids": [ { "id": "T1021.006", "name": "Windows Remote Management", "display_name": "T1021.006 - Windows Remote Management" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" }, { "id": "T1596.001", "name": "DNS/Passive DNS", "display_name": "T1596.001 - DNS/Passive DNS" }, { "id": "T1184", "name": "SSH Hijacking", "display_name": "T1184 - SSH Hijacking" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1557.001", "name": "LLMNR/NBT-NS Poisoning and SMB Relay", "display_name": "T1557.001 - LLMNR/NBT-NS Poisoning and SMB Relay" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1037.003", "name": "Network Logon Script", "display_name": "T1037.003 - Network Logon Script" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1516", "name": "Input Injection", "display_name": "T1516 - Input Injection" }, { "id": "T1003.004", "name": "LSA Secrets", "display_name": "T1003.004 - LSA Secrets" }, { "id": "T1084", "name": "Windows Management Instrumentation Event Subscription", "display_name": "T1084 - Windows Management Instrumentation Event Subscription" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" }, { "id": "T1583.002", "name": "DNS Server", "display_name": "T1583.002 - DNS Server" }, { "id": "T1171", "name": "LLMNR/NBT-NS Poisoning and Relay", "display_name": "T1171 - LLMNR/NBT-NS Poisoning and Relay" }, { "id": "T1404", "name": "Exploit OS Vulnerability", "display_name": "T1404 - Exploit OS Vulnerability" }, { "id": "T1556.001", "name": "Domain Controller Authentication", "display_name": "T1556.001 - Domain Controller Authentication" }, { "id": "T1546.013", "name": "PowerShell Profile", "display_name": "T1546.013 - PowerShell Profile" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1003.002", "name": "Security Account Manager", "display_name": "T1003.002 - Security Account Manager" } ], "industries": [ "Civil", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 28, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "donotspyme", "id": "312388", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 479, "domain": 84, "hostname": 151, "FileHash-SHA256": 83 }, "indicator_count": 797, "is_author": false, "is_subscribing": null, "subscriber_count": 26, "modified_text": "370 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "Suspicious New Service Creation (1).yml", "Windows_Trojan_Tofsee.yar" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "Government" ], "malware_families": [ "Backdoor:linux/mirai", "Evilnum (javascript)", "Pegasus - mob-s0005", "#hacktool:powershell/powersploit", "Trojan:js/berbew", "Mirai (windows)", "Backdoor:linux/homeunix", "Trojan:win32/berbew", "Trojan:unix/rootkit" ], "industries": [ "Government", "Civil" ], "unique_indicators": 4118 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/egscorp.net", "whois": "http://whois.domaintools.com/egscorp.net", "domain": "egscorp.net", "hostname": "ww12.egscorp.net" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 2, "pulses": [ { "id": "67f6c635cb8c3c8b256b6dba", "name": "sdfzsdf.ele fac1ec40eea5a4fc05f17e019328e287", "description": "SHA1- 33008f85428a83996083c3da92a8f00595071403\nSHA256\ncdab1c3196887d4f749d82f014786a966c87f35a7189f0f3d078558b957847bf\nhttps://sandbox.ti.qianxin.com/sandbox/page/detail?type=file&id=7b6726e20c513baebf7fd387a3dd1b7d67a4c7c4\nhttps://ti.qianxin.com/v2/search?type=file&value=fac1ec40eea5a4fc05f17e019328e287\nhttps://www.virustotal.com/gui/file/cdab1c3196887d4f749d82f014786a966c87f35a7189f0f3d078558b957847bf/relations", "modified": "2025-09-01T08:05:17.675000", "created": "2025-04-09T19:10:45.337000", "tags": [ "sha1", "rozmiar", "typ pliku", "win32", "numer wersji", "wersja", "nieznany", "sha512", "crc32", "ssd gboki", "win64", "security", "license v2", "f6 d9", "windows nt", "detects", "gecko", "khtml", "msie", "wow64", "stealer", "error", "userprofile", "hunt", "keylogger", "encrypt", "antivm", "span", "main", "grabber", "hello", "android", "dcrat", "kill", "revengerat", "sandbox", "pass", "chat", "first", "asyncrat", "crypto", "injector", "dropper", "infostealer", "lockfile", "worldwind", "stealerium", "toxiceye", "avemaria", "fast", "persistence", "trojan", "restart", "snakekeylogger", "snake", "accept", "cookie", "code", "killproc", "lazarus", "dearcry", "njrat", "cyrus", "powershell", "info", "body", "floodfix", "downloader", "ransomware", "core", "loki", "fpspy", "klogexe", "firebird", "patch", "explorer", "avkiller", "masslogger", "baldr", "modi rat", "helpme", "osno", "import", "keylog", "screencapture", "ransom", "crypted", "silent", "xorddos", "stormkitty", "ordinal", "locker", "hyperbro", "lamepyre", "parallaxrat", "null", "shurk steal", "arkeistealer", "strongpity", "desktop", "myagent", "bypass", "fatduke", "miniduke", "polyglotduke", "guildma", "spyeye", "corebot", "killmbr", "ooops", "lcpdot", "torisma", "codec", "prometheus", "spook", "crypt", "logger", "zegost", "poshkeylogger", "systembc", "hdlocker", "cryptolocker", "fivehands", "kitty", "goldmax", "rents", "maurigo", "done", "hidewindow", "bokbot", "bladabindi", "darktrack", "darksky", "alien", "karkoff", "inject", "windigo", "rest", "softcnapp", "elysiumstealer", "leivion", "banload", "ultrareach", "ultrasurf", "buterat", "tools", "beasty", "shut", "gravityrat", "fatalrat", "discord", "deadwood", "turian", "markirat", "mark", "klingonrat", "path", "reverserat", "grab", "meta", "voidcrypt", "darkvnc", "ryzerlo", "hiddentear", "boxcaon", "stream", "crimsonrat", "delfi", "infinity", "stealthworker", "gasket", "spoolss", "lu0bot", "target", "attack", "cobaltstrike", "bits", "chaos", "bitcoin", "wiper", "delphi", "slackbot", "neshta", "belarus", "apanas", "runner", "darkcomet", "macoute", "iframe", "vanillarat", "sectoprat", "melt", "tomiris", "apostle", "blackbyte", "kutaki", "override", "windealer", "mkdir", "brbbot", "config", "babylon rat", "spynet", "bazarloader", "clipper", "banker", "gh0st", "piratestealer", "witch", "killme", "vulturi", "tofsee", "slow", "owowa", "flagpro", "write", "dazzlespy", "decryptor", "bandit stealer", "bandit", "darkeye", "recordbreaker", "truebot", "svchost", "clipbanker", "service", "koivm", "arrowrat", "ducktail", "confuser", "gobrat", "modiloader", "chilelocker", "noclose", "strelastealer", "comfoo", "babar", "blankgrabber", "solarmarker", "darkgate", "stub", "banned", "globeimposter", "rhysida", "janelarat", "kraken", "recon", "quiterat", "venomrat", "venom rat", "sapphirestealer", "ntospy", "raccoon", "shifu", "mediapi", "poolrat", "cicada3301", "remoteexec", "babylockerkz", "new service", "creation id", "nextron" ], "references": [ "Windows_Trojan_Tofsee.yar", "Suspicious New Service Creation (1).yml" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 353, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 28, "FileHash-SHA1": 27, "FileHash-SHA256": 1077, "domain": 282, "hostname": 316, "URL": 1092, "YARA": 535, "email": 4 }, "indicator_count": 3361, "is_author": false, "is_subscribing": null, "subscriber_count": 124, "modified_text": "230 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "67d460d4b6a8130a65ac334c", "name": "Government Spyware | Mirai & Berbew Trojans | Microsoft and Linux systems | Malware", "description": "Just a small sample of the servers used by law enforcement, governments, and intelligence agencies, invading the right to privacy of all citizens. In a typical situation, the router of the person being investigated is first infected with malware, then through the router itself and other IoT devices connected to the network, the open services are scanned. Afterwards, DDoS attacks and zero-day exploits are executed on the vulnerable services, and the intrusion is carried out without the person's knowledge. An attack that only law enforcement can execute. The right to privacy and intimacy must prevail. The use of a powerful firewall and an HIDS/HIPS system is recommended. Devices affected: All IoT, Samsung, HP, TP-Link, Asus, Lenovo, LG, etc..... [Systems affected]: All Windows and Linux versions. These attacks are made possible thanks to the collaboration of companies like Adobe, Microsoft, Samsung, HP, Asus, Intel, Acer, Apple, and a very long list.", "modified": "2025-04-13T16:01:30.107000", "created": "2025-03-14T17:01:08.144000", "tags": [ "Police", "Government", "CIA", "NSO", "CNI", "Intelligence Agencies", "Spyware", "Trojan", "Unix", "Mirai", "Berbew", "Powershell", "Javascript", "Man in the middle", "Man in the browser", "Router infection", "ISP infecion", "Samsung", "Lenovo", "LG", "Microsoft", "Pegasus", "Graphite", "Windows", "Linux" ], "references": [], "public": 1, "adversary": "Government", "targeted_countries": [ "United States of America", "Spain", "Russian Federation", "Argentina", "Brazil", "Chile", "Costa Rica", "Mexico", "Venezuela, Bolivarian Republic of", "Peru", "Panama" ], "malware_families": [ { "id": "Trojan:Unix/Rootkit", "display_name": "Trojan:Unix/Rootkit", "target": "/malware/Trojan:Unix/Rootkit" }, { "id": "Backdoor:Linux/Mirai", "display_name": "Backdoor:Linux/Mirai", "target": "/malware/Backdoor:Linux/Mirai" }, { "id": "Trojan:JS/Berbew", "display_name": "Trojan:JS/Berbew", "target": "/malware/Trojan:JS/Berbew" }, { "id": "Trojan:Win32/Berbew", "display_name": "Trojan:Win32/Berbew", "target": "/malware/Trojan:Win32/Berbew" }, { "id": "Backdoor:Linux/Homeunix", "display_name": "Backdoor:Linux/Homeunix", "target": "/malware/Backdoor:Linux/Homeunix" }, { "id": "Mirai (Windows)", "display_name": "Mirai (Windows)", "target": null }, { "id": "Pegasus - MOB-S0005", "display_name": "Pegasus - MOB-S0005", "target": null }, { "id": "#HackTool:PowerShell/Powersploit", "display_name": "#HackTool:PowerShell/Powersploit", "target": "/malware/#HackTool:PowerShell/Powersploit" }, { "id": "EVILNUM (Javascript)", "display_name": "EVILNUM (Javascript)", "target": null } ], "attack_ids": [ { "id": "T1021.006", "name": "Windows Remote Management", "display_name": "T1021.006 - Windows Remote Management" }, { "id": "T1021.001", "name": "Remote Desktop Protocol", "display_name": "T1021.001 - Remote Desktop Protocol" }, { "id": "T1596.001", "name": "DNS/Passive DNS", "display_name": "T1596.001 - DNS/Passive DNS" }, { "id": "T1184", "name": "SSH Hijacking", "display_name": "T1184 - SSH Hijacking" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1557.001", "name": "LLMNR/NBT-NS Poisoning and SMB Relay", "display_name": "T1557.001 - LLMNR/NBT-NS Poisoning and SMB Relay" }, { "id": "T1007", "name": "System Service Discovery", "display_name": "T1007 - System Service Discovery" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1037.003", "name": "Network Logon Script", "display_name": "T1037.003 - Network Logon Script" }, { "id": "T1011", "name": "Exfiltration Over Other Network Medium", "display_name": "T1011 - Exfiltration Over Other Network Medium" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1516", "name": "Input Injection", "display_name": "T1516 - Input Injection" }, { "id": "T1003.004", "name": "LSA Secrets", "display_name": "T1003.004 - LSA Secrets" }, { "id": "T1084", "name": "Windows Management Instrumentation Event Subscription", "display_name": "T1084 - Windows Management Instrumentation Event Subscription" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" }, { "id": "T1583.002", "name": "DNS Server", "display_name": "T1583.002 - DNS Server" }, { "id": "T1171", "name": "LLMNR/NBT-NS Poisoning and Relay", "display_name": "T1171 - LLMNR/NBT-NS Poisoning and Relay" }, { "id": "T1404", "name": "Exploit OS Vulnerability", "display_name": "T1404 - Exploit OS Vulnerability" }, { "id": "T1556.001", "name": "Domain Controller Authentication", "display_name": "T1556.001 - Domain Controller Authentication" }, { "id": "T1546.013", "name": "PowerShell Profile", "display_name": "T1546.013 - PowerShell Profile" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1003.002", "name": "Security Account Manager", "display_name": "T1003.002 - Security Account Manager" } ], "industries": [ "Civil", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 28, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "donotspyme", "id": "312388", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 479, "domain": 84, "hostname": 151, "FileHash-SHA256": 83 }, "indicator_count": 797, "is_author": false, "is_subscribing": null, "subscriber_count": 26, "modified_text": "370 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://ww12.egscorp.net/", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://ww12.egscorp.net/", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776598216.7299707 }