{ "type": "URL", "indicator": "https://www.cloudflare.com/abuse", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://www.cloudflare.com/abuse", "type": "url", "type_title": "URL", "validation": [ { "source": "alexa", "message": "Alexa rank: #465", "name": "Listed on Alexa" }, { "source": "akamai", "message": "Akamai rank: #268", "name": "Akamai Popular Domain" }, { "source": "whitelist", "message": "Whitelisted domain cloudflare.com", "name": "Whitelisted domain" }, { "source": "majestic", "message": "Whitelisted domain cloudflare.com", "name": "Whitelisted domain" } ], "base_indicator": { "id": 2722537936, "indicator": "https://www.cloudflare.com/abuse", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 14, "pulses": [ { "id": "69e2f8974b0c67b2d0177561", "name": "CAPE Sandbox", "description": "\"RTA-5042-1996-1400-1577-RTA\nMotherless.com is a moral free file host where anything legal is hosted forever.\" disgusting the 'place' who put me in this domain.", "modified": "2026-04-18T05:46:34.061000", "created": "2026-04-18T03:20:55.778000", "tags": [ "script", "meta", "location", "href", "doctype html", "ahead", "title", "motherless", "global", "googlebot", "elite", "tracker", "date", "performs dns", "https", "mitre attack", "network info", "processes extra", "t1055 process", "layer protocol", "overview", "overview zenbox", "verdict", "phishing", "next", "rta description", "googlebot index", "ip address", "z233", "drip:05d0af0f092f1b54641ee3d58af676f5 14e7d2e335765d99ad7ec6cd24" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/22e702fc31752b1ff0ca59efb58d943282dff34b9e8ce61867d8c831b0d8de35_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776480788&Signature=GKnoamXxZLyFfntMDXBWi2gnSzHRWJJRZPaofPOvzgQF6ygdQKEJpX4eJ2AASUeDQ3L4AO7Os%2FgNOl0CeG5%2FN9aVgljvd3WBiA8ZTwba5tFflRJKWcwOA5l4osDG6BDtNNiE8hqlOPhwMa4lIHfx8LNSu8B%2Fbm0n7Y28iDLdwSs9GCpFCVriebOwI1VNCU3BxzR0lKHa1DH6ijmLa6nxX4TOwNTZ47Os2KLel2k0E0K7sedhXKjWD1rz", "https://vtbehaviour.commondatastorage.googleapis.com/22e702fc31752b1ff0ca59efb58d943282dff34b9e8ce61867d8c831b0d8de35_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776480900&Signature=juTMRwWs%2FTJqrDMvBJfYmPzSfXx4a%2F31AjChMKGg%2FigOb2ayCytmhgn%2FfGStvobwbbyL9t1dHYxFX0QZz%2F4zM3vebhPQPBm0BElUabRpjfY6q01wMlTu3q5T5uw1sSchvwR7n0H4t%2FnoMPiFRXns84ZWvQeTTNJYKtg5P29B6CE%2BbXfGQ%2FTKhS9ZR8bI09EyLS2y3Ob3boKLMZ4MNvq6nLIHO2373XOpgfJhsBQej6xZ8%2BlIe0T4" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 86, "FileHash-MD5": 51, "FileHash-SHA1": 4, "FileHash-SHA256": 66, "URL": 362, "domain": 131, "hostname": 201, "CVE": 2, "email": 7, "IPv6": 3, "CIDR": 2 }, "indicator_count": 915, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69dff4fbb4f7d05b46e99978", "name": ".net, ripe", "description": "<< full list of names, addresses and details has been released by Rpe.net, the site where the name and address of a group of users is set to be posted on its website.>>", "modified": "2026-04-16T03:40:17.303000", "created": "2026-04-15T20:28:43.400000", "tags": [ "handle", "address range", "cidr", "network name", "allocation type", "assigned pa", "status", "whois server", "plaza", "street", "marbella", "bella vista", "panama city", "panama phone", "ripe", "filtered person", "alina gatsaniuk", "cloudflare", "entity cloud14" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 2, "CIDR": 2, "URL": 117, "hostname": 42, "FileHash-SHA256": 376, "domain": 8, "email": 8, "FileHash-MD5": 24, "FileHash-SHA1": 24 }, "indicator_count": 603, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "3 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69e01b6fb3a0564fe8a9a976", "name": "104.18.35.94 (104.16.0.0/14) AS 13335 ( Cloudflare, Inc. )", "description": "Communicating files and passive dns. Research.", "modified": "2026-04-16T00:00:50.998000", "created": "2026-04-15T23:12:47.466000", "tags": [ "cloudflare", "net104", "net1040000", "cloud14", "geofeed", "cloud14 address", "townsend street", "city", "san francisco", "stateprov", "handle", "address range", "cidr", "network name", "type", "status", "whois server", "entity cloud14", "postalcode" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 92, "CIDR": 1, "URL": 16, "hostname": 950, "FileHash-MD5": 26, "FileHash-SHA1": 17, "domain": 134, "email": 3 }, "indicator_count": 1239, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "3 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69aed0a541b6a7982b9ce13c", "name": "CVE-2020-0796", "description": "", "modified": "2026-04-08T13:18:54.656000", "created": "2026-03-09T13:52:37.838000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 5, "URL": 58, "hostname": 18, "FileHash-MD5": 400, "FileHash-SHA1": 400, "FileHash-SHA256": 400, "domain": 9, "email": 4 }, "indicator_count": 1294, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "11 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69ccfe49ec22d0810b88717f", "name": "VirusTotal Windows Sandbox", "description": "7f85522cb5f554c82df4a37937f2362c3e28af554ab8bfda7436ac968b1b806b, as part of a series of events\n#chaos. android.permission.READ_EXTERNAL_STORAGE\nandroid.permission.WRITE_EXTERNAL_STORAGE\nandroid.permission.REQUEST_INSTALL_PACKAGES\nandroid.permission.VIBRATE\nandroid.permission.RECEIVE_BOOT_COMPLETED\nAllows the app to view information about Wi-Fi networking, such as whether Wi-Fi is enabled and name of connected Wi-Fi devices.\nandroid.permission.ACCESS_WIFI_STATE\ncom.google.android.gms.permission.AD_ID\nandroid.permission.GET_TASKS\nandroid.permission.ACCESS_NETWORK_STATE\nandroid.permission.INTERNET\ncom.google.android.finsky.permission.BIND_GET_INSTALL_REFERRER_SERVICE", "modified": "2026-04-01T11:15:21.005000", "created": "2026-04-01T11:15:21.005000", "tags": [ "windows sandbox", "clear filters", "android", "zip archive", "android package", "java archive", "sweet home", "design", "handle", "cloudflare", "address range", "cidr", "network name", "type", "status", "whois server", "entity cloud14" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/2ebd49a3392a832d62495940ebbc87bc3306dca2582ef8cb646cedba86e1e5fe_VirusTotal%20R2DBox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775041335&Signature=GofM9lUksdYg01bEPyBQFuSnOQRBy2FkWGJd55DCU2ihR%2Bgx6OHQLWuDqaElq68i%2FoFD%2FOopPpyHBx4tpxhN6gFBSkhFUtda4GRJvzfbcVx%2BVkSzW9sgub4rG3P4Uw5MkwgccgOM96UulwyMNMDZtPtAWNK8488pmm4jx%2FzJamSg8oonpL4XX74h4ZkLWWfl%2BbmTkPWeZGwxeAS%2Be5Wm8FV%2Fdh4BYS6wEq5ZOw1Ew", "https://vtbehaviour.commondatastorage.googleapis.com/fc574f36fa5f3968313faede9b7ed8653edc2145e803a9e5e07c2a566dd8df49_VirusTotal%20R2DBox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775042164&Signature=W1y6KzU8OvbKX%2F6m%2FWDjI1wdTsuw8Wg1AwXkOiLE80MT3uiTHmCWD34whFZAwsMBVvPWEPaIgyd06W3y9Y17ySrRqonbmvRKgtuvEm0IDDI6%2FJdWpV9L82BAdFjjUKkX%2Fvqd%2BEqpObaECVfgHK2PoW448dKYY5NEBv8tq9mQkUDJbJh15dHxR%2F2z3eSiV6WlXoeBdUlnpP77kqNSzxDPDEYIdBVEaEnmL3wHsmaoBrbas" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 55, "FileHash-SHA1": 57, "FileHash-SHA256": 191, "IPv4": 11, "domain": 2, "hostname": 23, "CIDR": 1, "URL": 13 }, "indicator_count": 353, "is_author": false, "is_subscribing": null, "subscriber_count": 49, "modified_text": "18 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69ccfe1c5bda9758fa78277a", "name": "VirusTotal Windows Sandbox", "description": "7f85522cb5f554c82df4a37937f2362c3e28af554ab8bfda7436ac968b1b806b, as part of a series of events\n#chaos. android.permission.READ_EXTERNAL_STORAGE\nandroid.permission.WRITE_EXTERNAL_STORAGE\nandroid.permission.REQUEST_INSTALL_PACKAGES\nandroid.permission.VIBRATE\nandroid.permission.RECEIVE_BOOT_COMPLETED\nAllows the app to view information about Wi-Fi networking, such as whether Wi-Fi is enabled and name of connected Wi-Fi devices.\nandroid.permission.ACCESS_WIFI_STATE\ncom.google.android.gms.permission.AD_ID\nandroid.permission.GET_TASKS\nandroid.permission.ACCESS_NETWORK_STATE\nandroid.permission.INTERNET\ncom.google.android.finsky.permission.BIND_GET_INSTALL_REFERRER_SERVICE", "modified": "2026-04-01T11:14:36.817000", "created": "2026-04-01T11:14:36.817000", "tags": [ "windows sandbox", "clear filters", "android", "zip archive", "android package", "java archive", "sweet home", "design", "handle", "cloudflare", "address range", "cidr", "network name", "type", "status", "whois server", "entity cloud14" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/2ebd49a3392a832d62495940ebbc87bc3306dca2582ef8cb646cedba86e1e5fe_VirusTotal%20R2DBox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775041335&Signature=GofM9lUksdYg01bEPyBQFuSnOQRBy2FkWGJd55DCU2ihR%2Bgx6OHQLWuDqaElq68i%2FoFD%2FOopPpyHBx4tpxhN6gFBSkhFUtda4GRJvzfbcVx%2BVkSzW9sgub4rG3P4Uw5MkwgccgOM96UulwyMNMDZtPtAWNK8488pmm4jx%2FzJamSg8oonpL4XX74h4ZkLWWfl%2BbmTkPWeZGwxeAS%2Be5Wm8FV%2Fdh4BYS6wEq5ZOw1Ew", "https://vtbehaviour.commondatastorage.googleapis.com/fc574f36fa5f3968313faede9b7ed8653edc2145e803a9e5e07c2a566dd8df49_VirusTotal%20R2DBox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775042164&Signature=W1y6KzU8OvbKX%2F6m%2FWDjI1wdTsuw8Wg1AwXkOiLE80MT3uiTHmCWD34whFZAwsMBVvPWEPaIgyd06W3y9Y17ySrRqonbmvRKgtuvEm0IDDI6%2FJdWpV9L82BAdFjjUKkX%2Fvqd%2BEqpObaECVfgHK2PoW448dKYY5NEBv8tq9mQkUDJbJh15dHxR%2F2z3eSiV6WlXoeBdUlnpP77kqNSzxDPDEYIdBVEaEnmL3wHsmaoBrbas" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 55, "FileHash-SHA1": 57, "FileHash-SHA256": 191, "IPv4": 11, "domain": 2, "hostname": 23, "CIDR": 1, "URL": 13 }, "indicator_count": 353, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "18 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69ccfe1ce5811ee000871717", "name": "VirusTotal Windows Sandbox", "description": "7f85522cb5f554c82df4a37937f2362c3e28af554ab8bfda7436ac968b1b806b, as part of a series of events\n#chaos. android.permission.READ_EXTERNAL_STORAGE\nandroid.permission.WRITE_EXTERNAL_STORAGE\nandroid.permission.REQUEST_INSTALL_PACKAGES\nandroid.permission.VIBRATE\nandroid.permission.RECEIVE_BOOT_COMPLETED\nAllows the app to view information about Wi-Fi networking, such as whether Wi-Fi is enabled and name of connected Wi-Fi devices.\nandroid.permission.ACCESS_WIFI_STATE\ncom.google.android.gms.permission.AD_ID\nandroid.permission.GET_TASKS\nandroid.permission.ACCESS_NETWORK_STATE\nandroid.permission.INTERNET\ncom.google.android.finsky.permission.BIND_GET_INSTALL_REFERRER_SERVICE", "modified": "2026-04-01T11:14:36.015000", "created": "2026-04-01T11:14:36.015000", "tags": [ "windows sandbox", "clear filters", "android", "zip archive", "android package", "java archive", "sweet home", "design", "handle", "cloudflare", "address range", "cidr", "network name", "type", "status", "whois server", "entity cloud14" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/2ebd49a3392a832d62495940ebbc87bc3306dca2582ef8cb646cedba86e1e5fe_VirusTotal%20R2DBox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775041335&Signature=GofM9lUksdYg01bEPyBQFuSnOQRBy2FkWGJd55DCU2ihR%2Bgx6OHQLWuDqaElq68i%2FoFD%2FOopPpyHBx4tpxhN6gFBSkhFUtda4GRJvzfbcVx%2BVkSzW9sgub4rG3P4Uw5MkwgccgOM96UulwyMNMDZtPtAWNK8488pmm4jx%2FzJamSg8oonpL4XX74h4ZkLWWfl%2BbmTkPWeZGwxeAS%2Be5Wm8FV%2Fdh4BYS6wEq5ZOw1Ew", "https://vtbehaviour.commondatastorage.googleapis.com/fc574f36fa5f3968313faede9b7ed8653edc2145e803a9e5e07c2a566dd8df49_VirusTotal%20R2DBox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775042164&Signature=W1y6KzU8OvbKX%2F6m%2FWDjI1wdTsuw8Wg1AwXkOiLE80MT3uiTHmCWD34whFZAwsMBVvPWEPaIgyd06W3y9Y17ySrRqonbmvRKgtuvEm0IDDI6%2FJdWpV9L82BAdFjjUKkX%2Fvqd%2BEqpObaECVfgHK2PoW448dKYY5NEBv8tq9mQkUDJbJh15dHxR%2F2z3eSiV6WlXoeBdUlnpP77kqNSzxDPDEYIdBVEaEnmL3wHsmaoBrbas" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 55, "FileHash-SHA1": 57, "FileHash-SHA256": 191, "IPv4": 11, "domain": 2, "hostname": 23, "CIDR": 1, "URL": 13 }, "indicator_count": 353, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "18 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6996eacbe2d99caae4a5b2d7", "name": "172.69.58.33", "description": "potential rogue exploit kit", "modified": "2026-04-01T00:44:45.494000", "created": "2026-02-19T10:49:47.043000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 18, "FileHash-MD5": 31, "FileHash-SHA1": 29, "FileHash-SHA256": 171, "URL": 432, "domain": 629, "hostname": 461, "CIDR": 6, "email": 23 }, "indicator_count": 1800, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "18 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6998d15c75b59044877602c1", "name": "Corrupt.... Files", "description": "beaware", "modified": "2026-04-01T00:44:45.494000", "created": "2026-02-20T21:25:48.559000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 706, "FileHash-SHA1": 859, "FileHash-SHA256": 1480, "URL": 743, "domain": 1565, "email": 55, "hostname": 912, "CVE": 54, "CIDR": 27 }, "indicator_count": 6401, "is_author": false, "is_subscribing": null, "subscriber_count": 49, "modified_text": "18 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68245681009c35da8f04b45b", "name": "2606:4700:3036::ac43:a8cb (2606:4700:3000::/42)", "description": "Here is a full set of words and phrases used by the BBC to describe the various types of ransomware that can be used to target victims of the Windows operating system, as well as the UK.", "modified": "2025-06-13T07:02:14.919000", "created": "2025-05-14T08:38:25.425000", "tags": [ "assignment", "cloudflare", "admin", "cloudflarenet", "allocation", "cloud14", "townsend stnsan", "warp abuse", "service", "arin rdapwhois", "rdapwhois", "reporting", "copyright", "registry", "wallet", "azaz09", "firefox", "windows nt", "windows", "data", "value", "sandbox", "edge", "msie", "example", "terminal", "phantom", "anubis", "bitcoin", "crypto", "exodus", "android", "keeper", "steam", "webdav", "explorer", "finger", "malware", "schmidti", "dllimport", "emotet", "mozilla", "win64", "insta", "solo", "union", "discord", "liberty", "saturn", "terra", "temple", "harmony", "core", "easy", "ultimate", "cash", "therat", "python image", "load", "python core", "python script", "py2exe", "john", "open threat", "research", "files", "comment", "python dll", "sideloading id", "dll sideloading", "poudel date", "filespython3", "studio", "python dlls", "confuserex mod", "aspirecrypt", "detects", "reactor", "beds protector", "ps2exe", "bsjb", "boxedapp", "cyaxsharp", "cyaxpng", "smartassembly", "koivm", "confuserex", "obfuscator", "aspack", "titan", "enigma", "vmprotect", "strings", "rlpack", "antiem", "antisb", "themida", "loader", "sality", "dnguard" ], "references": [ "https://rdap.arin.net/registry/entity/CLOUD14", "https://rdap.arin.net/registry/entity/CLOUD146-ARIN", "https://rdap.arin.net/registry/entity/ABUSE2916-ARIN", "https://rdap.arin.net/registry/entity/ADMIN2521-ARIN", "https://rdap.arin.net/registry/entity/NOC11962-ARIN", "indicator_suspicious.yar", "Python Image Load By Non-Python Process.yml", "Potential Python DLL SideLoading.yml", "indicator_packed.yar" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "TheRat", "display_name": "TheRat", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 41, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CIDR": 2, "URL": 870, "email": 4, "hostname": 148, "FileHash-SHA256": 471, "domain": 47, "FileHash-MD5": 2, "FileHash-SHA1": 2, "YARA": 163, "CVE": 1 }, "indicator_count": 1710, "is_author": false, "is_subscribing": null, "subscriber_count": 124, "modified_text": "310 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6824158cb3baefe699954b1f", "name": "https://www.cloudflare.com/abuse 76fb2165980e78795e0410ba1f162608", "description": "Cloudflare provides security and reliability services to millions of websites, but how do we respond to reports of abuse on websites that use our services and how we deal with them? and what are we doing?", "modified": "2025-05-14T04:19:15.044000", "created": "2025-05-14T04:01:16.836000", "tags": [ "cloudflare", "copyright act" ], "references": [ "https://www.cloudflare.com/abuse" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1199", "name": "Trusted Relationship", "display_name": "T1199 - Trusted Relationship" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "URL": 30, "hostname": 12, "FileHash-SHA256": 20, "SSLCertFingerprint": 99, "domain": 1 }, "indicator_count": 163, "is_author": false, "is_subscribing": null, "subscriber_count": 122, "modified_text": "340 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "658dd276d03bca9b7a93b724", "name": "Makop | Lazarus | Spyware", "description": "Privilege abuse. Spyware and miscellaneous cyber attacks leveraged against various individuals using escalated privileges. Pegasus was found, not thoroughly explored.", "modified": "2024-01-27T18:02:23.517000", "created": "2023-12-28T19:54:30.287000", "tags": [ "no expiration", "domain", "hostname", "expiration", "iocs", "ipv4", "filehashmd5", "next", "scan endpoints", "all octoseek", "url http", "url https", "create new", "deptid24124", "deptid23922", "deptid23936", "sid339", "filehashsha256", "navmode3", "ommidsf3558", "usbuy no", "type33554433", "guid", "smauthreason0", "methodhead", "targetsmhttps", "exact", "a9 no", "langid1", "actmsgs1", "christmas", "pinlbtn", "pinl2", "uidtokenhttps", "pulse use", "pdf report", "pcap", "stix", "filehashsha1", "email", "contact", "contacted", "pegasus", "T1622 - Debugger Evasion", "wmi string", "windows nt", "request email", "apple", "search", "server", "resolutions", "san francisco", "route", "server ca", "sha2 secure", "show technique", "sign", "sprint personal", "status", "ssl certificate", "stateprovince", "text", "test", "subdomains", "surry hills", "teams api", "uknown", "threat analyzer", "threat", "target", "tsara brashears", "united", "urls", "win64", "windir", "urls http", "v3 serial", "validity", "referrer", "registrar abuse", "report", "report registrar abuse", "ransomware", "record value", "programfiles", "priority", "port scan", "pe32", "pegasus", "pe resource", "path", "paste", "passive dns", "password", "orgtechhandle", "orgtechphone", "orgtechref", "open", "orgabusehandle", "orgabuseref", "asn asn", "asn database", "bernhardplein", "big tech", "body xml", "body", "xml", "ck id", "cloudflare", "as8100", "akamai as36786", "as16625", "arin", "analyze", "api ip", "amazons3", "akamaias", "akamai", "aibv hostmaster", "access type", "abuse contact", "audiologist inc", "nothing number", "united", "brashears", "verdict", "net10464001", "new ioc", "next noc", "bv", "bv orgid cambridge", "cambridge", "certificate", "certificate city", "ck id", "city", "brute force", "communicating", "copy core", "copy", "core", "cus", "cndigicert", "date", "detections", "detection type", "dhs discover", "dns", "discover", "hallrender", "briansabey", "brian sabey", "hall render", "dhs", "domain name", "download", "download sample", "email", "europeberlin", "execution", "falcon", "falcon sandbox", "false", "feeds", "feeds ioc", "first", "form", "frankfurt", "full name", "gameskinny", "gecko", "germany", "getprocaddress", "hacktool", "historical ssl", "hostnames", "hybrid", "ibm", "ibm business", "installer", "installer internet", "ioc search", "iocs", "ip address", "ip geolocation", "stealer", "ipinfo", "issuer", "javascript", "jb", "jb country", "khtml", "lazarus", "little", "lolkek", "main", "makop", "markmonitor", "microsoft", "mitre att", "ms windows", "name name" ], "references": [ "uat.identityssl.newscdn.com.au", "gameskinny.com", "https://hybrid-analysis.com/sample/7ba985d328ac4d9be47826ae3f98b513ca00b1609d82fe1d4aa365e7cfb54f48", "https://hybrid-analysis.com/sample/55af17e7ea6e0884ed102bb2cb21844ab2bf3330dd46aace4c736be5c55b0257/658d97df7e57b7b66c00b342" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "BRASHEARS", "display_name": "BRASHEARS", "target": null }, { "id": "Makop Ransomware", "display_name": "Makop Ransomware", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Sabey", "display_name": "Sabey", "target": null }, { "id": "LolKek", "display_name": "LolKek", "target": null }, { "id": "Lazarus", "display_name": "Lazarus", "target": null }, { "id": "Little", "display_name": "Little", "target": null }, { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null } ], "attack_ids": [ { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1559", "name": "Inter-Process Communication", "display_name": "T1559 - Inter-Process Communication" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 32, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2108, "FileHash-SHA1": 1248, "domain": 668, "hostname": 1340, "URL": 2652, "FileHash-SHA256": 1070, "email": 25, "CIDR": 4 }, "indicator_count": 9115, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "812 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "658ef84e3324dfdb9d16bd73", "name": "Makop | Lazarus | Spyware (if it looks like a Pegasus...)", "description": "", "modified": "2024-01-27T18:02:23.517000", "created": "2023-12-29T16:48:15", "tags": [ "no expiration", "domain", "hostname", "expiration", "iocs", "ipv4", "filehashmd5", "next", "scan endpoints", "all octoseek", "url http", "url https", "create new", "deptid24124", "deptid23922", "deptid23936", "sid339", "filehashsha256", "navmode3", "ommidsf3558", "usbuy no", "type33554433", "guid", "smauthreason0", "methodhead", "targetsmhttps", "exact", "a9 no", "langid1", "actmsgs1", "christmas", "pinlbtn", "pinl2", "uidtokenhttps", "pulse use", "pdf report", "pcap", "stix", "filehashsha1", "email", "contact", "contacted", "pegasus", "T1622 - Debugger Evasion", "wmi string", "windows nt", "request email", "apple", "search", "server", "resolutions", "san francisco", "route", "server ca", "sha2 secure", "show technique", "sign", "sprint personal", "status", "ssl certificate", "stateprovince", "text", "test", "subdomains", "surry hills", "teams api", "uknown", "threat analyzer", "threat", "target", "tsara brashears", "united", "urls", "win64", "windir", "urls http", "v3 serial", "validity", "referrer", "registrar abuse", "report", "report registrar abuse", "ransomware", "record value", "programfiles", "priority", "port scan", "pe32", "pegasus", "pe resource", "path", "paste", "passive dns", "password", "orgtechhandle", "orgtechphone", "orgtechref", "open", "orgabusehandle", "orgabuseref", "asn asn", "asn database", "bernhardplein", "big tech", "body xml", "body", "xml", "ck id", "cloudflare", "as8100", "akamai as36786", "as16625", "arin", "analyze", "api ip", "amazons3", "akamaias", "akamai", "aibv hostmaster", "access type", "abuse contact", "audiologist inc", "nothing number", "united", "brashears", "verdict", "net10464001", "new ioc", "next noc", "bv", "bv orgid cambridge", "cambridge", "certificate", "certificate city", "ck id", "city", "brute force", "communicating", "copy core", "copy", "core", "cus", "cndigicert", "date", "detections", "detection type", "dhs discover", "dns", "discover", "hallrender", "briansabey", "brian sabey", "hall render", "dhs", "domain name", "download", "download sample", "email", "europeberlin", "execution", "falcon", "falcon sandbox", "false", "feeds", "feeds ioc", "first", "form", "frankfurt", "full name", "gameskinny", "gecko", "germany", "getprocaddress", "hacktool", "historical ssl", "hostnames", "hybrid", "ibm", "ibm business", "installer", "installer internet", "ioc search", "iocs", "ip address", "ip geolocation", "stealer", "ipinfo", "issuer", "javascript", "jb", "jb country", "khtml", "lazarus", "little", "lolkek", "main", "makop", "markmonitor", "microsoft", "mitre att", "ms windows", "name name" ], "references": [ "uat.identityssl.newscdn.com.au", "gameskinny.com", "https://hybrid-analysis.com/sample/7ba985d328ac4d9be47826ae3f98b513ca00b1609d82fe1d4aa365e7cfb54f48", "https://hybrid-analysis.com/sample/55af17e7ea6e0884ed102bb2cb21844ab2bf3330dd46aace4c736be5c55b0257/658d97df7e57b7b66c00b342" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "BRASHEARS", "display_name": "BRASHEARS", "target": null }, { "id": "Makop Ransomware", "display_name": "Makop Ransomware", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Sabey", "display_name": "Sabey", "target": null }, { "id": "LolKek", "display_name": "LolKek", "target": null }, { "id": "Lazarus", "display_name": "Lazarus", "target": null }, { "id": "Little", "display_name": "Little", "target": null }, { "id": "HallRender", "display_name": "HallRender", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null } ], "attack_ids": [ { "id": "T1001", "name": "Data Obfuscation", "display_name": "T1001 - Data Obfuscation" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1559", "name": "Inter-Process Communication", "display_name": "T1559 - Inter-Process Communication" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1074", "name": "Data Staged", "display_name": "T1074 - Data Staged" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" } ], "industries": [], "TLP": "white", "cloned_from": "658dd276d03bca9b7a93b724", "export_count": 30, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2108, "FileHash-SHA1": 1248, "domain": 668, "hostname": 1340, "URL": 2652, "FileHash-SHA256": 1070, "email": 25, "CIDR": 4 }, "indicator_count": 9115, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "812 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6228ee8d746a815a5fb01ed2", "name": "https://rdap.arin.net/registry/ip/104.16.0.0", "description": "", "modified": "2022-04-08T00:05:40.239000", "created": "2022-03-09T18:14:37.037000", "tags": [ "arin", "townsend street", "francisco nca", "cloudflare", "arin value", "cloudflare noc", "abuse2916 arin", "abuse", "abuse kind", "poc description", "date" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Kailula4", "id": "131997", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 244, "hostname": 68, "domain": 9, "FileHash-SHA256": 56 }, "indicator_count": 377, "is_author": false, "is_subscribing": null, "subscriber_count": 408, "modified_text": "1472 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://rdap.arin.net/registry/entity/ADMIN2521-ARIN", "https://rdap.arin.net/registry/entity/CLOUD14", "https://rdap.arin.net/registry/entity/ABUSE2916-ARIN", "https://rdap.arin.net/registry/entity/NOC11962-ARIN", "https://rdap.arin.net/registry/entity/CLOUD146-ARIN", "https://vtbehaviour.commondatastorage.googleapis.com/22e702fc31752b1ff0ca59efb58d943282dff34b9e8ce61867d8c831b0d8de35_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776480788&Signature=GKnoamXxZLyFfntMDXBWi2gnSzHRWJJRZPaofPOvzgQF6ygdQKEJpX4eJ2AASUeDQ3L4AO7Os%2FgNOl0CeG5%2FN9aVgljvd3WBiA8ZTwba5tFflRJKWcwOA5l4osDG6BDtNNiE8hqlOPhwMa4lIHfx8LNSu8B%2Fbm0n7Y28iDLdwSs9GCpFCVriebOwI1VNCU3BxzR0lKHa1DH6ijmLa6nxX4TOwNTZ47Os2KLel2k0E0K7sedhXKjWD1rz", "https://vtbehaviour.commondatastorage.googleapis.com/fc574f36fa5f3968313faede9b7ed8653edc2145e803a9e5e07c2a566dd8df49_VirusTotal%20R2DBox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775042164&Signature=W1y6KzU8OvbKX%2F6m%2FWDjI1wdTsuw8Wg1AwXkOiLE80MT3uiTHmCWD34whFZAwsMBVvPWEPaIgyd06W3y9Y17ySrRqonbmvRKgtuvEm0IDDI6%2FJdWpV9L82BAdFjjUKkX%2Fvqd%2BEqpObaECVfgHK2PoW448dKYY5NEBv8tq9mQkUDJbJh15dHxR%2F2z3eSiV6WlXoeBdUlnpP77kqNSzxDPDEYIdBVEaEnmL3wHsmaoBrbas", "Python Image Load By Non-Python Process.yml", "https://vtbehaviour.commondatastorage.googleapis.com/2ebd49a3392a832d62495940ebbc87bc3306dca2582ef8cb646cedba86e1e5fe_VirusTotal%20R2DBox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775041335&Signature=GofM9lUksdYg01bEPyBQFuSnOQRBy2FkWGJd55DCU2ihR%2Bgx6OHQLWuDqaElq68i%2FoFD%2FOopPpyHBx4tpxhN6gFBSkhFUtda4GRJvzfbcVx%2BVkSzW9sgub4rG3P4Uw5MkwgccgOM96UulwyMNMDZtPtAWNK8488pmm4jx%2FzJamSg8oonpL4XX74h4ZkLWWfl%2BbmTkPWeZGwxeAS%2Be5Wm8FV%2Fdh4BYS6wEq5ZOw1Ew", "uat.identityssl.newscdn.com.au", "gameskinny.com", "https://www.cloudflare.com/abuse", "indicator_packed.yar", "https://hybrid-analysis.com/sample/7ba985d328ac4d9be47826ae3f98b513ca00b1609d82fe1d4aa365e7cfb54f48", "Potential Python DLL SideLoading.yml", "indicator_suspicious.yar", "https://vtbehaviour.commondatastorage.googleapis.com/22e702fc31752b1ff0ca59efb58d943282dff34b9e8ce61867d8c831b0d8de35_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776480900&Signature=juTMRwWs%2FTJqrDMvBJfYmPzSfXx4a%2F31AjChMKGg%2FigOb2ayCytmhgn%2FfGStvobwbbyL9t1dHYxFX0QZz%2F4zM3vebhPQPBm0BElUabRpjfY6q01wMlTu3q5T5uw1sSchvwR7n0H4t%2FnoMPiFRXns84ZWvQeTTNJYKtg5P29B6CE%2BbXfGQ%2FTKhS9ZR8bI09EyLS2y3Ob3boKLMZ4MNvq6nLIHO2373XOpgfJhsBQej6xZ8%2BlIe0T4", "https://hybrid-analysis.com/sample/55af17e7ea6e0884ed102bb2cb21844ab2bf3330dd46aace4c736be5c55b0257/658d97df7e57b7b66c00b342" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Little", "Therat", "Sabey", "Hacktool", "Lazarus", "Hallrender", "Brashears", "Lolkek", "Ransomware", "Makop ransomware" ], "industries": [], "unique_indicators": 20573 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/cloudflare.com", "whois": "http://whois.domaintools.com/cloudflare.com", "domain": "cloudflare.com", "hostname": "www.cloudflare.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 14, "pulses": [ { "id": "69e2f8974b0c67b2d0177561", "name": "CAPE Sandbox", "description": "\"RTA-5042-1996-1400-1577-RTA\nMotherless.com is a moral free file host where anything legal is hosted forever.\" disgusting the 'place' who put me in this domain.", "modified": "2026-04-18T05:46:34.061000", "created": "2026-04-18T03:20:55.778000", "tags": [ "script", "meta", "location", "href", "doctype html", "ahead", "title", "motherless", "global", "googlebot", "elite", "tracker", "date", "performs dns", "https", "mitre attack", "network info", "processes extra", "t1055 process", "layer protocol", "overview", "overview zenbox", "verdict", "phishing", "next", "rta description", "googlebot index", "ip address", "z233", "drip:05d0af0f092f1b54641ee3d58af676f5 14e7d2e335765d99ad7ec6cd24" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/22e702fc31752b1ff0ca59efb58d943282dff34b9e8ce61867d8c831b0d8de35_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776480788&Signature=GKnoamXxZLyFfntMDXBWi2gnSzHRWJJRZPaofPOvzgQF6ygdQKEJpX4eJ2AASUeDQ3L4AO7Os%2FgNOl0CeG5%2FN9aVgljvd3WBiA8ZTwba5tFflRJKWcwOA5l4osDG6BDtNNiE8hqlOPhwMa4lIHfx8LNSu8B%2Fbm0n7Y28iDLdwSs9GCpFCVriebOwI1VNCU3BxzR0lKHa1DH6ijmLa6nxX4TOwNTZ47Os2KLel2k0E0K7sedhXKjWD1rz", "https://vtbehaviour.commondatastorage.googleapis.com/22e702fc31752b1ff0ca59efb58d943282dff34b9e8ce61867d8c831b0d8de35_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1776480900&Signature=juTMRwWs%2FTJqrDMvBJfYmPzSfXx4a%2F31AjChMKGg%2FigOb2ayCytmhgn%2FfGStvobwbbyL9t1dHYxFX0QZz%2F4zM3vebhPQPBm0BElUabRpjfY6q01wMlTu3q5T5uw1sSchvwR7n0H4t%2FnoMPiFRXns84ZWvQeTTNJYKtg5P29B6CE%2BbXfGQ%2FTKhS9ZR8bI09EyLS2y3Ob3boKLMZ4MNvq6nLIHO2373XOpgfJhsBQej6xZ8%2BlIe0T4" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 86, "FileHash-MD5": 51, "FileHash-SHA1": 4, "FileHash-SHA256": 66, "URL": 362, "domain": 131, "hostname": 201, "CVE": 2, "email": 7, "IPv6": 3, "CIDR": 2 }, "indicator_count": 915, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69dff4fbb4f7d05b46e99978", "name": ".net, ripe", "description": "<< full list of names, addresses and details has been released by Rpe.net, the site where the name and address of a group of users is set to be posted on its website.>>", "modified": "2026-04-16T03:40:17.303000", "created": "2026-04-15T20:28:43.400000", "tags": [ "handle", "address range", "cidr", "network name", "allocation type", "assigned pa", "status", "whois server", "plaza", "street", "marbella", "bella vista", "panama city", "panama phone", "ripe", "filtered person", "alina gatsaniuk", "cloudflare", "entity cloud14" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 2, "CIDR": 2, "URL": 117, "hostname": 42, "FileHash-SHA256": 376, "domain": 8, "email": 8, "FileHash-MD5": 24, "FileHash-SHA1": 24 }, "indicator_count": 603, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "3 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69e01b6fb3a0564fe8a9a976", "name": "104.18.35.94 (104.16.0.0/14) AS 13335 ( Cloudflare, Inc. )", "description": "Communicating files and passive dns. Research.", "modified": "2026-04-16T00:00:50.998000", "created": "2026-04-15T23:12:47.466000", "tags": [ "cloudflare", "net104", "net1040000", "cloud14", "geofeed", "cloud14 address", "townsend street", "city", "san francisco", "stateprov", "handle", "address range", "cidr", "network name", "type", "status", "whois server", "entity cloud14", "postalcode" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 92, "CIDR": 1, "URL": 16, "hostname": 950, "FileHash-MD5": 26, "FileHash-SHA1": 17, "domain": 134, "email": 3 }, "indicator_count": 1239, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "3 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69aed0a541b6a7982b9ce13c", "name": "CVE-2020-0796", "description": "", "modified": "2026-04-08T13:18:54.656000", "created": "2026-03-09T13:52:37.838000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 5, "URL": 58, "hostname": 18, "FileHash-MD5": 400, "FileHash-SHA1": 400, "FileHash-SHA256": 400, "domain": 9, "email": 4 }, "indicator_count": 1294, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "11 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69ccfe49ec22d0810b88717f", "name": "VirusTotal Windows Sandbox", "description": "7f85522cb5f554c82df4a37937f2362c3e28af554ab8bfda7436ac968b1b806b, as part of a series of events\n#chaos. android.permission.READ_EXTERNAL_STORAGE\nandroid.permission.WRITE_EXTERNAL_STORAGE\nandroid.permission.REQUEST_INSTALL_PACKAGES\nandroid.permission.VIBRATE\nandroid.permission.RECEIVE_BOOT_COMPLETED\nAllows the app to view information about Wi-Fi networking, such as whether Wi-Fi is enabled and name of connected Wi-Fi devices.\nandroid.permission.ACCESS_WIFI_STATE\ncom.google.android.gms.permission.AD_ID\nandroid.permission.GET_TASKS\nandroid.permission.ACCESS_NETWORK_STATE\nandroid.permission.INTERNET\ncom.google.android.finsky.permission.BIND_GET_INSTALL_REFERRER_SERVICE", "modified": "2026-04-01T11:15:21.005000", "created": "2026-04-01T11:15:21.005000", "tags": [ "windows sandbox", "clear filters", "android", "zip archive", "android package", "java archive", "sweet home", "design", "handle", "cloudflare", "address range", "cidr", "network name", "type", "status", "whois server", "entity cloud14" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/2ebd49a3392a832d62495940ebbc87bc3306dca2582ef8cb646cedba86e1e5fe_VirusTotal%20R2DBox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775041335&Signature=GofM9lUksdYg01bEPyBQFuSnOQRBy2FkWGJd55DCU2ihR%2Bgx6OHQLWuDqaElq68i%2FoFD%2FOopPpyHBx4tpxhN6gFBSkhFUtda4GRJvzfbcVx%2BVkSzW9sgub4rG3P4Uw5MkwgccgOM96UulwyMNMDZtPtAWNK8488pmm4jx%2FzJamSg8oonpL4XX74h4ZkLWWfl%2BbmTkPWeZGwxeAS%2Be5Wm8FV%2Fdh4BYS6wEq5ZOw1Ew", "https://vtbehaviour.commondatastorage.googleapis.com/fc574f36fa5f3968313faede9b7ed8653edc2145e803a9e5e07c2a566dd8df49_VirusTotal%20R2DBox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775042164&Signature=W1y6KzU8OvbKX%2F6m%2FWDjI1wdTsuw8Wg1AwXkOiLE80MT3uiTHmCWD34whFZAwsMBVvPWEPaIgyd06W3y9Y17ySrRqonbmvRKgtuvEm0IDDI6%2FJdWpV9L82BAdFjjUKkX%2Fvqd%2BEqpObaECVfgHK2PoW448dKYY5NEBv8tq9mQkUDJbJh15dHxR%2F2z3eSiV6WlXoeBdUlnpP77kqNSzxDPDEYIdBVEaEnmL3wHsmaoBrbas" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 55, "FileHash-SHA1": 57, "FileHash-SHA256": 191, "IPv4": 11, "domain": 2, "hostname": 23, "CIDR": 1, "URL": 13 }, "indicator_count": 353, "is_author": false, "is_subscribing": null, "subscriber_count": 49, "modified_text": "18 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69ccfe1c5bda9758fa78277a", "name": "VirusTotal Windows Sandbox", "description": "7f85522cb5f554c82df4a37937f2362c3e28af554ab8bfda7436ac968b1b806b, as part of a series of events\n#chaos. android.permission.READ_EXTERNAL_STORAGE\nandroid.permission.WRITE_EXTERNAL_STORAGE\nandroid.permission.REQUEST_INSTALL_PACKAGES\nandroid.permission.VIBRATE\nandroid.permission.RECEIVE_BOOT_COMPLETED\nAllows the app to view information about Wi-Fi networking, such as whether Wi-Fi is enabled and name of connected Wi-Fi devices.\nandroid.permission.ACCESS_WIFI_STATE\ncom.google.android.gms.permission.AD_ID\nandroid.permission.GET_TASKS\nandroid.permission.ACCESS_NETWORK_STATE\nandroid.permission.INTERNET\ncom.google.android.finsky.permission.BIND_GET_INSTALL_REFERRER_SERVICE", "modified": "2026-04-01T11:14:36.817000", "created": "2026-04-01T11:14:36.817000", "tags": [ "windows sandbox", "clear filters", "android", "zip archive", "android package", "java archive", "sweet home", "design", "handle", "cloudflare", "address range", "cidr", "network name", "type", "status", "whois server", "entity cloud14" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/2ebd49a3392a832d62495940ebbc87bc3306dca2582ef8cb646cedba86e1e5fe_VirusTotal%20R2DBox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775041335&Signature=GofM9lUksdYg01bEPyBQFuSnOQRBy2FkWGJd55DCU2ihR%2Bgx6OHQLWuDqaElq68i%2FoFD%2FOopPpyHBx4tpxhN6gFBSkhFUtda4GRJvzfbcVx%2BVkSzW9sgub4rG3P4Uw5MkwgccgOM96UulwyMNMDZtPtAWNK8488pmm4jx%2FzJamSg8oonpL4XX74h4ZkLWWfl%2BbmTkPWeZGwxeAS%2Be5Wm8FV%2Fdh4BYS6wEq5ZOw1Ew", "https://vtbehaviour.commondatastorage.googleapis.com/fc574f36fa5f3968313faede9b7ed8653edc2145e803a9e5e07c2a566dd8df49_VirusTotal%20R2DBox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775042164&Signature=W1y6KzU8OvbKX%2F6m%2FWDjI1wdTsuw8Wg1AwXkOiLE80MT3uiTHmCWD34whFZAwsMBVvPWEPaIgyd06W3y9Y17ySrRqonbmvRKgtuvEm0IDDI6%2FJdWpV9L82BAdFjjUKkX%2Fvqd%2BEqpObaECVfgHK2PoW448dKYY5NEBv8tq9mQkUDJbJh15dHxR%2F2z3eSiV6WlXoeBdUlnpP77kqNSzxDPDEYIdBVEaEnmL3wHsmaoBrbas" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 55, "FileHash-SHA1": 57, "FileHash-SHA256": 191, "IPv4": 11, "domain": 2, "hostname": 23, "CIDR": 1, "URL": 13 }, "indicator_count": 353, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "18 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69ccfe1ce5811ee000871717", "name": "VirusTotal Windows Sandbox", "description": "7f85522cb5f554c82df4a37937f2362c3e28af554ab8bfda7436ac968b1b806b, as part of a series of events\n#chaos. android.permission.READ_EXTERNAL_STORAGE\nandroid.permission.WRITE_EXTERNAL_STORAGE\nandroid.permission.REQUEST_INSTALL_PACKAGES\nandroid.permission.VIBRATE\nandroid.permission.RECEIVE_BOOT_COMPLETED\nAllows the app to view information about Wi-Fi networking, such as whether Wi-Fi is enabled and name of connected Wi-Fi devices.\nandroid.permission.ACCESS_WIFI_STATE\ncom.google.android.gms.permission.AD_ID\nandroid.permission.GET_TASKS\nandroid.permission.ACCESS_NETWORK_STATE\nandroid.permission.INTERNET\ncom.google.android.finsky.permission.BIND_GET_INSTALL_REFERRER_SERVICE", "modified": "2026-04-01T11:14:36.015000", "created": "2026-04-01T11:14:36.015000", "tags": [ "windows sandbox", "clear filters", "android", "zip archive", "android package", "java archive", "sweet home", "design", "handle", "cloudflare", "address range", "cidr", "network name", "type", "status", "whois server", "entity cloud14" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/2ebd49a3392a832d62495940ebbc87bc3306dca2582ef8cb646cedba86e1e5fe_VirusTotal%20R2DBox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775041335&Signature=GofM9lUksdYg01bEPyBQFuSnOQRBy2FkWGJd55DCU2ihR%2Bgx6OHQLWuDqaElq68i%2FoFD%2FOopPpyHBx4tpxhN6gFBSkhFUtda4GRJvzfbcVx%2BVkSzW9sgub4rG3P4Uw5MkwgccgOM96UulwyMNMDZtPtAWNK8488pmm4jx%2FzJamSg8oonpL4XX74h4ZkLWWfl%2BbmTkPWeZGwxeAS%2Be5Wm8FV%2Fdh4BYS6wEq5ZOw1Ew", "https://vtbehaviour.commondatastorage.googleapis.com/fc574f36fa5f3968313faede9b7ed8653edc2145e803a9e5e07c2a566dd8df49_VirusTotal%20R2DBox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775042164&Signature=W1y6KzU8OvbKX%2F6m%2FWDjI1wdTsuw8Wg1AwXkOiLE80MT3uiTHmCWD34whFZAwsMBVvPWEPaIgyd06W3y9Y17ySrRqonbmvRKgtuvEm0IDDI6%2FJdWpV9L82BAdFjjUKkX%2Fvqd%2BEqpObaECVfgHK2PoW448dKYY5NEBv8tq9mQkUDJbJh15dHxR%2F2z3eSiV6WlXoeBdUlnpP77kqNSzxDPDEYIdBVEaEnmL3wHsmaoBrbas" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 55, "FileHash-SHA1": 57, "FileHash-SHA256": 191, "IPv4": 11, "domain": 2, "hostname": 23, "CIDR": 1, "URL": 13 }, "indicator_count": 353, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "18 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6996eacbe2d99caae4a5b2d7", "name": "172.69.58.33", "description": "potential rogue exploit kit", "modified": "2026-04-01T00:44:45.494000", "created": "2026-02-19T10:49:47.043000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 18, "FileHash-MD5": 31, "FileHash-SHA1": 29, "FileHash-SHA256": 171, "URL": 432, "domain": 629, "hostname": 461, "CIDR": 6, "email": 23 }, "indicator_count": 1800, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "18 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6998d15c75b59044877602c1", "name": "Corrupt.... Files", "description": "beaware", "modified": "2026-04-01T00:44:45.494000", "created": "2026-02-20T21:25:48.559000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 706, "FileHash-SHA1": 859, "FileHash-SHA256": 1480, "URL": 743, "domain": 1565, "email": 55, "hostname": 912, "CVE": 54, "CIDR": 27 }, "indicator_count": 6401, "is_author": false, "is_subscribing": null, "subscriber_count": 49, "modified_text": "18 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68245681009c35da8f04b45b", "name": "2606:4700:3036::ac43:a8cb (2606:4700:3000::/42)", "description": "Here is a full set of words and phrases used by the BBC to describe the various types of ransomware that can be used to target victims of the Windows operating system, as well as the UK.", "modified": "2025-06-13T07:02:14.919000", "created": "2025-05-14T08:38:25.425000", "tags": [ "assignment", "cloudflare", "admin", "cloudflarenet", "allocation", "cloud14", "townsend stnsan", "warp abuse", "service", "arin rdapwhois", "rdapwhois", "reporting", "copyright", "registry", "wallet", "azaz09", "firefox", "windows nt", "windows", "data", "value", "sandbox", "edge", "msie", "example", "terminal", "phantom", "anubis", "bitcoin", "crypto", "exodus", "android", "keeper", "steam", "webdav", "explorer", "finger", "malware", "schmidti", "dllimport", "emotet", "mozilla", "win64", "insta", "solo", "union", "discord", "liberty", "saturn", "terra", "temple", "harmony", "core", "easy", "ultimate", "cash", "therat", "python image", "load", "python core", "python script", "py2exe", "john", "open threat", "research", "files", "comment", "python dll", "sideloading id", "dll sideloading", "poudel date", "filespython3", "studio", "python dlls", "confuserex mod", "aspirecrypt", "detects", "reactor", "beds protector", "ps2exe", "bsjb", "boxedapp", "cyaxsharp", "cyaxpng", "smartassembly", "koivm", "confuserex", "obfuscator", "aspack", "titan", "enigma", "vmprotect", "strings", "rlpack", "antiem", "antisb", "themida", "loader", "sality", "dnguard" ], "references": [ "https://rdap.arin.net/registry/entity/CLOUD14", "https://rdap.arin.net/registry/entity/CLOUD146-ARIN", "https://rdap.arin.net/registry/entity/ABUSE2916-ARIN", "https://rdap.arin.net/registry/entity/ADMIN2521-ARIN", "https://rdap.arin.net/registry/entity/NOC11962-ARIN", "indicator_suspicious.yar", "Python Image Load By Non-Python Process.yml", "Potential Python DLL SideLoading.yml", "indicator_packed.yar" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "TheRat", "display_name": "TheRat", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 41, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CIDR": 2, "URL": 870, "email": 4, "hostname": 148, "FileHash-SHA256": 471, "domain": 47, "FileHash-MD5": 2, "FileHash-SHA1": 2, "YARA": 163, "CVE": 1 }, "indicator_count": 1710, "is_author": false, "is_subscribing": null, "subscriber_count": 124, "modified_text": "310 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://www.cloudflare.com/abuse", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://www.cloudflare.com/abuse", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776612692.9272382 }