{ "type": "URL", "indicator": "https://www.teensnow.com", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://www.teensnow.com", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3741603483, "indicator": "https://www.teensnow.com", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 23, "pulses": [ { "id": "6879093e8658df9f35683846", "name": "Worm:Win32/Benjamin continues to impact network", "description": "Worm:Win32/Benjamin continues to impact network operations of a little known, limited national cybers space organization. P2P-Worm.\n*IDS Detections: \n\u2022 Win32.Worm.Benjamin.A CnC Checkin Alerts\n\u2022 nids_malware_alert\n\u2022 network_icmp\n\u2022 network_irc\n\u2022 persistence_autorun\n| Multiple network issues from outages, stolen password keychains, credentials dumping, impressive espionage attacks. Likely goes unnoticed to many. Widely regarded/reported as an outage that is really an unpatched, ongoing cyber attack.", "modified": "2025-08-16T14:00:26.166000", "created": "2025-07-17T14:31:26.824000", "tags": [ "include review", "data upload", "extraction", "read c", "search", "medium", "show", "msie", "windows nt", "wow64", "slcc2", "media center", "entries", "dock", "write", "execution", "capture", "next", "copy", "date", "aaaa", "present may", "present nov", "passive dns", "ip address", "domain", "status", "next associated", "delete", "iocs", "failed", "sc data", "type", "extr data", "included", "review iocs", "memcommit", "user execution", "module load", "t1129", "icmp traffic", "high", "collection", "cmd c", "t1055", "enter", "extract", "enter sc", "drop or", "browse t", "oprop", "extraction data", "enter source", "url or", "texorag", "browse", "urls", "dnssec", "hostname add", "pulse pulses", "files", "files ip", "domainadmin", "showing", "ttl value", "thumbprint", "onlv", "find", "extri data", "dran anu", "extr", "manually add", "review exclude", "sugges", "find s", "typ hos", "se data", "include data", "review locs", "exclude", "suggested es", "intel", "ms windows", "write c", "pe32", "pe32 executable", "copy c", "worm", "win32", "benjamin", "june", "delphi", "malware", "nids", "icmp delphi", "yara detections", "malware traffic", "checkin", "code", "name servers", "servers", "pulses", "expiration date", "united", "body", "cookie", "related tags", "file type", "pe packer", "pm size", "sha1 sha256", "imphash pehash", "virustotal api", "screenshots", "comments" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 50, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 536, "FileHash-SHA1": 465, "FileHash-SHA256": 1836, "domain": 766, "hostname": 960, "URL": 2879, "CVE": 1, "email": 4 }, "indicator_count": 7447, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "246 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6888a85aa32aab22f638d0e6", "name": "Autodesk issue in CrowdStrike prior to outage | [by scoreblue]", "description": "", "modified": "2025-07-29T10:54:18.501000", "created": "2025-07-29T10:54:18.501000", "tags": [ "healthy check", "ssl bypass", "domain tracker", "privacy badger", "startpage", "w11 pc", "pass", "iocs", "all scoreblue", "pdf report", "pcap", "stix", "avast avg", "no expiration", "status", "name servers", "moved", "h1 center", "next", "sec ch", "ch ua", "ua platform", "emails", "certificate", "passive dns", "urls", "encrypt", "body", "pe32 executable", "ms windows", "intel", "windows control", "panel item", "dos borland", "executable", "algorithm", "thumbprint", "serial number", "signing ca", "symantec time", "stamping", "g2 name", "g2 issuer", "class", "code", "kb pe", "csc corporate", "porkbun llc", "gandi sas", "request", "path", "get https", "get http", "response", "cachecontrol", "pragma", "connection", "gmt connection", "accept", "slug", "as29789", "united", "unknown", "ransom", "heur", "server", "registrar abuse", "san rafael", "autodesk", "contact phone", "registrar url", "process32nextw", "create c", "read c", "writeconsolew", "delete", "write", "show", "malware", "write c", "regsetvalueexa", "delete c", "search", "regdword", "whitelisted", "panda banker", "ursnif", "win32", "persistence", "execution", "banker", "local", "domain", "servers", "pulse pulses", "files", "ip address", "creation date", "united kingdom", "as9009 m247", "ipv4", "pulse submit", "url analysis", "twitter", "as16552 tiggee", "as397241", "as397240", "entries", "cname", "nxdomain", "a nxdomain", "worm", "file samples", "files matching", "alf features", "denver co", "wewatta", "scan endpoints", "related pulses", "date hash", "showing", "as62597 nsone", "date", "trojanspy", "cookie", "hostmaster", "expiration date", "msie", "windows nt", "wow64", "slcc2", "media center", "tls handshake", "et info", "getdc0x2a", "failure", "post http", "copy", "crash", "ascii text", "ascii", "jpeg image", "artemis", "trojan", "virustotal", "mike", "vipre", "panda", "win32mediadrug", "win324shared", "win32spigot", "hstr", "lowfi", "yara detections", "contacted", "report spam", "mozilla", "trojanclicker", "url http", "url https", "role title", "added active", "type indicator", "source domain", "akamai rank", "hostname", "ver2", "msclkidn", "vids0", "global outage", "cobalt strike", "fancy bear", "communications", "android device", "cnc beacon", "suspicious ua", "youtube", "sakula rat", "mivast", "sakula", "windows", "samuel tulach", "light dark", "samuel", "tulach", "hyperv", "detecting", "writing gui", "bootkits", "world", "information", "discovery", "t1027", "t1057", "t1071", "protocol", "t1105", "tool transfer", "t1129", "capture", "service", "t1119" ], "references": [ "autodesk.com [ Everything below was found in Autodesk [including crowdstrike & any.desk] Found in in Crowdsrike if labeled.", "66.254.114.234 | reflectededge.reflected.net | reflected.net | 192.0.2.0 | https://www.brazzers.com/ | brazzers.com | brazzersnetwork.com", "keezmovies.com | redtube.com | tube8.com | tube8.com | youporn.com| 0.brazzers.com | www.g-tunnel.comwww.brazzers.com |", "Win32:Mystic , Win.Trojan.Xblocker-236 \u00bbFileHash-SHA256 8c59adbccc1987d13fec983f1e2be046611511b65479d1719bda77c5c90bbe21", "IDS Detections: TLS Handshake Failure | Alerts: network_icmp , injection", "Win32:BankerX-gen\\ [Trj] \u00bb FileHash-SHA256 2e5118d15a18ae852bf94d91707ff634d9d8354fef492f5c4e1c46b9cf96184c", "IDS Detections: Zeus Panda Banker / Ursnif Malicious SSL Certificate Detected TLS Handshake Failure", "Alerts: network_icmp antisandbox_idletime modifies_certificates modifies_proxy_wpad disables_proxy", "RedTube.com Detections: ALF:AGGR:OpcCl:95!ml , ALF:JASYP:Backdoor:Win32/Cycbot!atmn , Win.Downloader.117423-1 ,", "RedTube.com Detections: Win.Trojan.Crypt-321 , Win.Trojan.FakeAV-4166 , Win.Trojan.Fakeav-10977 , Win.Trojan.Fakeav-3386", "Crowdstrike: wildcard.352-445-1166.device.sim.to.img.sedoparking.com", "Crowdstrike: maxfehlinger.de http://auth.cranberry.testing.maxfehlinger.de | http://latex.cranberry.testing.maxfehlinger.de |", "Crowdstrike: https://traefik.cranberry.testing.maxfehlinger.de | http://traefik.cranberry.testing.maxfehlinger.de |", "Crowdstrike: http://watchtower.cranberry.testing.maxfehlinger.de| https://auth.cranberry.testing.maxfehlinger.de |", "Crowdstrike: auth.cranberry.testing.maxfehlinger.de | latex.cranberry.testing.maxfehlinger.de | traefik.cranberry.testing.maxfehlinger.de |", "Crowdstrike: watchtower.cranberry.testing.maxfehlinger.de | https://latex.cranberry.testing.maxfehlinger.de |", "Crowdstrike: https://www.anyxxxtube.net/search-porn/tsara-brashears/\tphishing\t| https://www.anyxxxtube.net/sitemap.xml", "Crowdstrike: https://www.pornhub.com/gifs/search?search=tsara+lynn+brash |", "Crowdstrike: autodesk.com | 0ds.autodesk.com | aknanalytics.autodesk.com | anubis.autodesk.com | autobetaint.autodesk.com", "Crowdstrike: autodeskarchitecture.autodesk.com | beacon-dev3.autodesk.com | boxtooffice365.autodesk.com | brahma-studio.autodesk.com", "Crowdstrike: cdc-stg-emea.autodesk.com | cloudcost.autodesk.com | cloudpc-stg.autodesk.com | d-s.autodesk.com |", "Crowdstrike: daiwahouse-learning.autodesk.com| datagovernance-dev.autodesk.com | enterprise-api-np.autodesk.com", "Crowdstrike: symcd.com [Certificate Subjectaltname \u00bb\u00bb anydesk.com \u00bb\u00bb http://gn.symcb.com/gn.crt Ocsp\thttp://gn.symcd.com] ANYDESK.COM-unsigned", "Crowdstrike: https://bat.bing.com/action/0?ti=12001672&tm=al001&Ver=2&mid=12436868-a484-4998-931c-980262982f67&sid=b92cd8f0483e11efa3c96fe28be413cb&vid=b92cdd10483e11efb1024309353d849f&vids=1&msclkid=N&pi=-740138922&lg=en-US&sw=800&sh=600&sc=24&tl=CrowdStrike%3A%20Stop%20breaches.%20Drive%20business.&p=https%3A%2F%2Fwww.crowdstrike.com%2Fen-us%2F&r=<=1022&pt=1721661968606", "Crowdstrike: \tbat.bing.com, https://tulach.cc, https://otx.alienvault.com/indicator/url/http://www.hallrender.com/attorney/brian-sabey", "Crowdstrike: https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian | https://www.pornhub.com/video/search?search=tsara+brashears | www.youtube.com/watch?v=GyuMozsVyYs | www.pornhub.com | www.youtube.com", "Crowdstrike: https://hr.employmenthero.com/rs/387-SZZ-170/images/youtube-icon-emp-hero-violet.png", "Crowdstrike + Autodesk.com: hallrender.com/attorney/brian-sabey www.hallrender.com/attorney/brian-sabey hallrender.com www.hallrender.com https://hallrender.com milehighmedia.com https://www.milehighmedia.com/ https://www.milehighmedia.com/legal/2257", "Crowdstrike + Autodesk.com: brassiere.world mail.brassiere.world webdisk.brassiere.world webmail.brassiere.world", "Crowdstrike + Autodesk.com: 128 + symcd.com some w/issues | 658 autodesk.com pulse some w/issues | removed any.desk & boot", "The more I say...Any.Desk + boot.net.anydesk.com was in OG Private CrowdsStrike pulse", "Above links in search results direct out with and arrow pointing out.", "https://otx.alienvault.com/browse/global/pulses?q=tag:%22esta%20caliente%22&include_inactive=0&sort=-modified&page=1&limit=10&indicatorsSearch=esta%20caliente", "Above link opened 'esta caliente'= 'it's hot'| I did NOT do that | All connected links gone. This has become common.", "I didn't add pertinent findings back to Pulse. Pulse comp,eyes says ago . Couldn't submit. It's was actually a tiny pulse of autodesk.com with crowdstrike relationship references,", "boot.net.anydesk.com removed from my Pulse below", "https://otx.alienvault.com/pulse/66d4c125ad61ee5577639a2d" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Netherlands" ], "malware_families": [ { "id": "Win32:Mystic", "display_name": "Win32:Mystic", "target": null }, { "id": "Win.Trojan.Xblocker-236", "display_name": "Win.Trojan.Xblocker-236", "target": null }, { "id": "Ransom:Win32/Genasom", "display_name": "Ransom:Win32/Genasom", "target": "/malware/Ransom:Win32/Genasom" }, { "id": "Worm:Win32/Autorun", "display_name": "Worm:Win32/Autorun", "target": "/malware/Worm:Win32/Autorun" }, { "id": "ALF:JASYP:Backdoor:Win32/Cycbot", "display_name": "ALF:JASYP:Backdoor:Win32/Cycbot", "target": null }, { "id": "#LowFiEnableDTContinueAfterUnpacking", "display_name": "#LowFiEnableDTContinueAfterUnpacking", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "TrojanSpy:Win32/Usteal", "display_name": "TrojanSpy:Win32/Usteal", "target": "/malware/TrojanSpy:Win32/Usteal" }, { "id": "Win.Trojan.PoetRat-7669676-0", "display_name": "Win.Trojan.PoetRat-7669676-0", "target": null }, { "id": "Mivast", "display_name": "Mivast", "target": null }, { "id": "Sakula", "display_name": "Sakula", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1081", "name": "Credentials in Files", "display_name": "T1081 - Credentials in Files" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1498", "name": "Network Denial of Service", "display_name": "T1498 - Network Denial of Service" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [], "TLP": "white", "cloned_from": "66d89c45ddc0c7db084b75b7", "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1417, "FileHash-SHA1": 1165, "FileHash-SHA256": 6536, "URL": 6112, "domain": 1340, "hostname": 2654, "email": 15, "SSLCertFingerprint": 9 }, "indicator_count": 19248, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "264 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "684c792c7a89d98470ecef31", "name": "aws.dev - Emotet - Hub for malicious activity", "description": "\u2022 Domain Name: aws.dev |\n\u2022 (DGA) https://www.google.com/search?client=ms-google-coop&q=%22deploy-delete-app-eu-west-1-0.deploy-delete-test-eu-west-1-oigwi9v.us-east-1.forgeapps.ec2.aws.dev%22&cx=003414466004237966221:dgg7iftvryo | \n\u2022 34.226.76.55 |\n\u2022\u2019domains.amazon | \n\u2022 devilspen.com |\n\u2022 aisux.aws.dev |\t\t\n\u2022 alex.aws.dev |\t\n\u2022 askjarvis.aws.dev |\n\u2022 atrium.aws.dev |\n\u2022 automated-runbooks.aws.dev |\nFalse 404 codes and Error pages - very active malicious behavior", "modified": "2025-07-13T18:02:18.648000", "created": "2025-06-13T19:17:00.818000", "tags": [ "united", "creation date", "search", "entries", "passive dns", "urls", "showing", "pulse pulses", "files", "domain", "dnssec", "expiration date", "unknown cname", "hostname add", "date", "redacted for", "email", "code", "organization", "privacy billing", "privacy tech", "postal code", "privacy admin", "com laude", "ltd dba", "nomiq", "limited dba", "admin city", "country", "stateprovince", "city", "mtb oct", "win32", "next associated", "mtb mar", "ipv4 add", "trojan", "apanas", "ransom", "body" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 32, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1111, "hostname": 1014, "URL": 2554, "FileHash-SHA256": 1461, "FileHash-MD5": 64, "email": 6, "FileHash-SHA1": 63 }, "indicator_count": 6273, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "280 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66f351ce26a103377d8eb5fa", "name": "Sex Tokens | Injection \u00bb Porn dumping - Cyber Folks .PL | Spectrum", "description": "Porn dumping into targeted devices after great effort. \nHall Render has always been a Malware Hosting website.\nDrive by compromise, \nPorn Storm compilation.\n\nhttps://api.dotz.com.br/accounts/api/default/externallogin/login", "modified": "2024-10-24T22:01:13.406000", "created": "2024-09-24T23:57:02.111000", "tags": [ "url https", "search", "type indicator", "role title", "added active", "related pulses", "url http", "porn type", "showing", "entries", "tsara type", "pulses url", "adware backdoor", "email document", "exploit domain", "owner exploit", "kit exploit", "source file", "hacking tools", "hunting macro", "malware hosting", "memory scanning", "wild fantasy", "world", "download", "xxx video", "xxx sex", "desi", "tamil", "videos xxx", "hd posts", "photos pics", "https", "indicator role", "title added", "active related", "unknown", "united", "for privacy", "nxdomain", "meta", "internet gmbh", "creation date", "date", "audio", "clear hindi", "bhabi sex", "bedroom indian", "fakaid", "ww3008", "fingering her", "young boy", "sexy", "next", "witch", "filehashmd5", "ipv4", "months ago", "information", "scan endpoints", "all scoreblue", "report spam", "created", "modified", "zbot", "keyword", "latina", "teen sex", "jeffrey reimer", "reimer dpt", "jeff reimer sex", "reimer type", "hostname", "domain", "copyright", "remote", "t1003", "os credential", "dumping", "t1012", "t1036", "t1071", "protocol", "t1082", "as8075", "aaaa", "as30148 sucuri", "certificate", "record value", "body", "status", "passive dns", "urls", "hallrender", "brian sabey", "sabey xxx", "drive by compromise", "cobalt strike", "overview ip", "address", "related nids", "files location", "china flag", "china domain", "files related", "pulses none", "files domain", "analyzer paste", "iocs", "hostnames", "urls https", "china unknown", "as4837 china", "redacted for", "a domains", "cname", "jeffrey reimer pt", "sucuri website", "span td", "time", "firewall", "win64", "back", "xtra", "name servers", "files", "tls web", "log id", "gmtn", "false", "ocsp", "ca issuers", "phucket news", "hacking", "registrar abuse", "gateway protocol abuse", "swipper relationship" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1428", "name": "Exploit Enterprise Resources", "display_name": "T1428 - Exploit Enterprise Resources" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 29, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1599, "hostname": 2988, "URL": 8561, "FileHash-SHA256": 1207, "email": 41, "FileHash-MD5": 126, "FileHash-SHA1": 36, "CVE": 1, "SSLCertFingerprint": 2 }, "indicator_count": 14561, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "542 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66d89c45ddc0c7db084b75b7", "name": "Autodesk weakens CS | Unauthorized AlienVault API | Stolen pulsed", "description": "Critical issues within AlienVault , VT & my devices. Plugins auto installed after I opened message from AV user. Sudden redirects to 0/ http/s. Heavy modifications, removal of IoC's on AV & VT & Virus Total. Autodesk.com was under CrowdStrike until last night. Links where vulnerabilities were originating from completely disappeared from graph I kindly kept private. Continuous mods for months to Crowdstrike and other pulses. [https://otx.alienvault.com/api appears in search] A page opens with Tag: \"esta caliente\" | All linked pulses Gone. Only person who frequently contacted me appears where they didn't before & These dishonest billion $ companies cover up though they are at fault for allowing ALL threat actor to be protected with non adversarial businesses. Besides other compromises, surprisingly Brashears porn found in Crowdstrike/Autodesk others. Disappointing.", "modified": "2024-10-04T17:02:07.067000", "created": "2024-09-04T17:43:33.123000", "tags": [ "healthy check", "ssl bypass", "domain tracker", "privacy badger", "startpage", "w11 pc", "pass", "iocs", "all scoreblue", "pdf report", "pcap", "stix", "avast avg", "no expiration", "status", "name servers", "moved", "h1 center", "next", "sec ch", "ch ua", "ua platform", "emails", "certificate", "passive dns", "urls", "encrypt", "body", "pe32 executable", "ms windows", "intel", "windows control", "panel item", "dos borland", "executable", "algorithm", "thumbprint", "serial number", "signing ca", "symantec time", "stamping", "g2 name", "g2 issuer", "class", "code", "kb pe", "csc corporate", "porkbun llc", "gandi sas", "request", "path", "get https", "get http", "response", "cachecontrol", "pragma", "connection", "gmt connection", "accept", "slug", "as29789", "united", "unknown", "ransom", "heur", "server", "registrar abuse", "san rafael", "autodesk", "contact phone", "registrar url", "process32nextw", "create c", "read c", "writeconsolew", "delete", "write", "show", "malware", "write c", "regsetvalueexa", "delete c", "search", "regdword", "whitelisted", "panda banker", "ursnif", "win32", "persistence", "execution", "banker", "local", "domain", "servers", "pulse pulses", "files", "ip address", "creation date", "united kingdom", "as9009 m247", "ipv4", "pulse submit", "url analysis", "twitter", "as16552 tiggee", "as397241", "as397240", "entries", "cname", "nxdomain", "a nxdomain", "worm", "file samples", "files matching", "alf features", "denver co", "wewatta", "scan endpoints", "related pulses", "date hash", "showing", "as62597 nsone", "date", "trojanspy", "cookie", "hostmaster", "expiration date", "msie", "windows nt", "wow64", "slcc2", "media center", "tls handshake", "et info", "getdc0x2a", "failure", "post http", "copy", "crash", "ascii text", "ascii", "jpeg image", "artemis", "trojan", "virustotal", "mike", "vipre", "panda", "win32mediadrug", "win324shared", "win32spigot", "hstr", "lowfi", "yara detections", "contacted", "report spam", "mozilla", "trojanclicker", "url http", "url https", "role title", "added active", "type indicator", "source domain", "akamai rank", "hostname", "ver2", "msclkidn", "vids0", "global outage", "cobalt strike", "fancy bear", "communications", "android device", "cnc beacon", "suspicious ua", "youtube", "sakula rat", "mivast", "sakula", "windows", "samuel tulach", "light dark", "samuel", "tulach", "hyperv", "detecting", "writing gui", "bootkits", "world", "information", "discovery", "t1027", "t1057", "t1071", "protocol", "t1105", "tool transfer", "t1129", "capture", "service", "t1119" ], "references": [ "autodesk.com [ Everything below was found in Autodesk [including crowdstrike & any.desk] Found in in Crowdsrike if labeled.", "66.254.114.234 | reflectededge.reflected.net | reflected.net | 192.0.2.0 | https://www.brazzers.com/ | brazzers.com | brazzersnetwork.com", "keezmovies.com | redtube.com | tube8.com | tube8.com | youporn.com| 0.brazzers.com | www.g-tunnel.comwww.brazzers.com |", "Win32:Mystic , Win.Trojan.Xblocker-236 \u00bbFileHash-SHA256 8c59adbccc1987d13fec983f1e2be046611511b65479d1719bda77c5c90bbe21", "IDS Detections: TLS Handshake Failure | Alerts: network_icmp , injection", "Win32:BankerX-gen\\ [Trj] \u00bb FileHash-SHA256 2e5118d15a18ae852bf94d91707ff634d9d8354fef492f5c4e1c46b9cf96184c", "IDS Detections: Zeus Panda Banker / Ursnif Malicious SSL Certificate Detected TLS Handshake Failure", "Alerts: network_icmp antisandbox_idletime modifies_certificates modifies_proxy_wpad disables_proxy", "RedTube.com Detections: ALF:AGGR:OpcCl:95!ml , ALF:JASYP:Backdoor:Win32/Cycbot!atmn , Win.Downloader.117423-1 ,", "RedTube.com Detections: Win.Trojan.Crypt-321 , Win.Trojan.FakeAV-4166 , Win.Trojan.Fakeav-10977 , Win.Trojan.Fakeav-3386", "Crowdstrike: wildcard.352-445-1166.device.sim.to.img.sedoparking.com", "Crowdstrike: maxfehlinger.de http://auth.cranberry.testing.maxfehlinger.de | http://latex.cranberry.testing.maxfehlinger.de |", "Crowdstrike: https://traefik.cranberry.testing.maxfehlinger.de | http://traefik.cranberry.testing.maxfehlinger.de |", "Crowdstrike: http://watchtower.cranberry.testing.maxfehlinger.de| https://auth.cranberry.testing.maxfehlinger.de |", "Crowdstrike: auth.cranberry.testing.maxfehlinger.de | latex.cranberry.testing.maxfehlinger.de | traefik.cranberry.testing.maxfehlinger.de |", "Crowdstrike: watchtower.cranberry.testing.maxfehlinger.de | https://latex.cranberry.testing.maxfehlinger.de |", "Crowdstrike: https://www.anyxxxtube.net/search-porn/tsara-brashears/\tphishing\t| https://www.anyxxxtube.net/sitemap.xml", "Crowdstrike: https://www.pornhub.com/gifs/search?search=tsara+lynn+brash |", "Crowdstrike: autodesk.com | 0ds.autodesk.com | aknanalytics.autodesk.com | anubis.autodesk.com | autobetaint.autodesk.com", "Crowdstrike: autodeskarchitecture.autodesk.com | beacon-dev3.autodesk.com | boxtooffice365.autodesk.com | brahma-studio.autodesk.com", "Crowdstrike: cdc-stg-emea.autodesk.com | cloudcost.autodesk.com | cloudpc-stg.autodesk.com | d-s.autodesk.com |", "Crowdstrike: daiwahouse-learning.autodesk.com| datagovernance-dev.autodesk.com | enterprise-api-np.autodesk.com", "Crowdstrike: symcd.com [Certificate Subjectaltname \u00bb\u00bb anydesk.com \u00bb\u00bb http://gn.symcb.com/gn.crt Ocsp\thttp://gn.symcd.com] ANYDESK.COM-unsigned", "Crowdstrike: https://bat.bing.com/action/0?ti=12001672&tm=al001&Ver=2&mid=12436868-a484-4998-931c-980262982f67&sid=b92cd8f0483e11efa3c96fe28be413cb&vid=b92cdd10483e11efb1024309353d849f&vids=1&msclkid=N&pi=-740138922&lg=en-US&sw=800&sh=600&sc=24&tl=CrowdStrike%3A%20Stop%20breaches.%20Drive%20business.&p=https%3A%2F%2Fwww.crowdstrike.com%2Fen-us%2F&r=<=1022&pt=1721661968606", "Crowdstrike: \tbat.bing.com, https://tulach.cc, https://otx.alienvault.com/indicator/url/http://www.hallrender.com/attorney/brian-sabey", "Crowdstrike: https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian | https://www.pornhub.com/video/search?search=tsara+brashears | www.youtube.com/watch?v=GyuMozsVyYs | www.pornhub.com | www.youtube.com", "Crowdstrike: https://hr.employmenthero.com/rs/387-SZZ-170/images/youtube-icon-emp-hero-violet.png", "Crowdstrike + Autodesk.com: hallrender.com/attorney/brian-sabey www.hallrender.com/attorney/brian-sabey hallrender.com www.hallrender.com https://hallrender.com milehighmedia.com https://www.milehighmedia.com/ https://www.milehighmedia.com/legal/2257", "Crowdstrike + Autodesk.com: brassiere.world mail.brassiere.world webdisk.brassiere.world webmail.brassiere.world", "Crowdstrike + Autodesk.com: 128 + symcd.com some w/issues | 658 autodesk.com pulse some w/issues | removed any.desk & boot", "The more I say...Any.Desk + boot.net.anydesk.com was in OG Private CrowdsStrike pulse", "Above links in search results direct out with and arrow pointing out.", "https://otx.alienvault.com/browse/global/pulses?q=tag:%22esta%20caliente%22&include_inactive=0&sort=-modified&page=1&limit=10&indicatorsSearch=esta%20caliente", "Above link opened 'esta caliente'= 'it's hot'| I did NOT do that | All connected links gone. This has become common.", "I didn't add pertinent findings back to Pulse. Pulse comp,eyes says ago . Couldn't submit. It's was actually a tiny pulse of autodesk.com with crowdstrike relationship references,", "boot.net.anydesk.com removed from my Pulse below", "https://otx.alienvault.com/pulse/66d4c125ad61ee5577639a2d" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Netherlands" ], "malware_families": [ { "id": "Win32:Mystic", "display_name": "Win32:Mystic", "target": null }, { "id": "Win.Trojan.Xblocker-236", "display_name": "Win.Trojan.Xblocker-236", "target": null }, { "id": "Ransom:Win32/Genasom", "display_name": "Ransom:Win32/Genasom", "target": "/malware/Ransom:Win32/Genasom" }, { "id": "Worm:Win32/Autorun", "display_name": "Worm:Win32/Autorun", "target": "/malware/Worm:Win32/Autorun" }, { "id": "ALF:JASYP:Backdoor:Win32/Cycbot", "display_name": "ALF:JASYP:Backdoor:Win32/Cycbot", "target": null }, { "id": "#LowFiEnableDTContinueAfterUnpacking", "display_name": "#LowFiEnableDTContinueAfterUnpacking", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "TrojanSpy:Win32/Usteal", "display_name": "TrojanSpy:Win32/Usteal", "target": "/malware/TrojanSpy:Win32/Usteal" }, { "id": "Win.Trojan.PoetRat-7669676-0", "display_name": "Win.Trojan.PoetRat-7669676-0", "target": null }, { "id": "Mivast", "display_name": "Mivast", "target": null }, { "id": "Sakula", "display_name": "Sakula", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1081", "name": "Credentials in Files", "display_name": "T1081 - Credentials in Files" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1498", "name": "Network Denial of Service", "display_name": "T1498 - Network Denial of Service" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 38, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1417, "FileHash-SHA1": 1165, "FileHash-SHA256": 6536, "URL": 6112, "domain": 1340, "hostname": 2654, "email": 15, "SSLCertFingerprint": 9 }, "indicator_count": 19248, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "562 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "655dafbe9ac9ac786fde45ad", "name": "http://malwaredomainlist.com/ \u2022 CNC \u2022 Spyware \u2022 Tracking", "description": "Network capture, dga domain, ecc domain, data collection, voicemail access, mail spammer, registrar abuse\n\n[Auto populated. I can't cannot confirm or deny the accuracy of the following information: A summary of key facts and information about a malicious web domain, hosted by the US government, has been released by Google.com and its parent company, Alphabet, for use on its website.]", "modified": "2023-12-22T06:03:01.993000", "created": "2023-11-22T07:37:34.595000", "tags": [ "united", "as22612", "as2637", "creation date", "search", "moved", "expiration date", "date", "showing", "as397240", "next", "entries", "scan endpoints", "all octoseek", "dns replication", "win32 exe", "network capture", "android", "android adaway", "html", "files", "detections type", "name", "office open", "xml document", "namecheap", "namecheap inc", "whois lookups", "win32 dll", "text", "wextract", "text htaccess", "powershell", "detection list", "blacklist", "first", "ssl certificate", "whois record", "contacted", "december", "whois whois", "threat roundup", "historical ssl", "problems", "referrer", "pe resource", "startpage", "cyber threat", "redline stealer", "mail spammer", "hostname", "phishing site", "malicious site", "installcore", "http spammer", "malware site", "malware", "generic malware", "heur", "generic", "alexa top", "million", "site", "cisco umbrella", "alexa", "ip address", "algorithm", "data", "v3 serial", "number", "cat cnzerossl", "ecc domain", "secure site", "ca ozerossl", "validity", "subject public", "server", "email", "code", "registrar abuse", "country", "privacy service", "withheld", "privacy", "domain name", "pattern match", "ascii text", "appdata", "file", "windows nt", "svg scalable", "vector graphics", "indicator", "gif image", "accept", "hybrid", "general", "local", "pixel", "click", "twitter", "strings", "class", "generator", "critical", "command_and_control", "spyware", "tracking", "voicemail access", "dga", "apple" ], "references": [ "https://www.hybrid-analysis.com/sample/c0c84df54b890bb408fc2289f1e75a29991127bbe207aa30042616b5ea150342/655d9af5679c7afcc409895e", "\u2193Interesting\u2193", "IPv4 198.54.117.211 command_and_control", "IPv4 198.54.117.210 command_and_control", "IPv4 198.54.117.212 command_and_control", "IPv4 198.54.117.215 command_and_control", "IPv4 198.54.117.217 command_and_control", "IPv4 198.54.117.218 command_and_control", "apple-securityiphone-icloud.com", "tx-p2p-pull.video-voip.com.dorm.com", "http://updates.voicemailaccess.net/b0f6a00b15311023", "tvapp-server.de", "zeustracker.abuse.ch", "ransomwaretracker.abuse.ch", "http://t.trkitok.com/track/rep?oid=2001&st=1&id=DP2441--w1VJE427J8SGGRTP02MD7UEG___93737493-c08b-4dc7-ad30-b17a2c09e771___$mid", "louisianarooflawyers.com [phishing]", "hasownproperty.call" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "BlackNET", "display_name": "BlackNET", "target": null }, { "id": "InstallCore", "display_name": "InstallCore", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 51, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 105, "FileHash-SHA1": 100, "FileHash-SHA256": 3072, "domain": 1188, "email": 5, "URL": 7940, "hostname": 1925, "CVE": 1 }, "indicator_count": 14336, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "849 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a6b7ff4216fe9cd82625", "name": "DGA Domain", "description": "", "modified": "2023-12-06T16:52:05.939000", "created": "2023-12-06T16:52:05.939000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1181, "CVE": 1, "FileHash-SHA256": 1556, "URL": 2748, "domain": 419, "FileHash-MD5": 646, "FileHash-SHA1": 348, "email": 3, "CIDR": 1 }, "indicator_count": 6903, "is_author": false, "is_subscribing": null, "subscriber_count": 111, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a53f5c404226f3d77347", "name": "DGA Domain", "description": "", "modified": "2023-12-06T16:45:51.053000", "created": "2023-12-06T16:45:51.053000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 347, "FileHash-SHA256": 225, "domain": 242, "URL": 1522, "email": 1, "CIDR": 1, "FileHash-MD5": 2 }, "indicator_count": 2340, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a53b9421d107b6ade1c1", "name": "DGA Domain", "description": "", "modified": "2023-12-06T16:45:47.109000", "created": "2023-12-06T16:45:47.109000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 347, "FileHash-SHA256": 225, "domain": 242, "URL": 1522, "email": 1, "CIDR": 1, "FileHash-MD5": 2 }, "indicator_count": 2340, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a0421567e0f495b14cd0", "name": "DGA Domain", "description": "", "modified": "2023-12-06T16:24:34.371000", "created": "2023-12-06T16:24:34.371000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 347, "FileHash-SHA256": 225, "domain": 242, "URL": 1522, "email": 1, "CIDR": 1, "FileHash-MD5": 2 }, "indicator_count": 2340, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a03f87b83a2b197bf33b", "name": "DGA Domain", "description": "", "modified": "2023-12-06T16:24:31.813000", "created": "2023-12-06T16:24:31.813000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 347, "FileHash-SHA256": 225, "domain": 242, "URL": 1522, "email": 1, "CIDR": 1, "FileHash-MD5": 2 }, "indicator_count": 2340, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a032d1f648020fa5206b", "name": "DGA Domain", "description": "", "modified": "2023-12-06T16:24:18.733000", "created": "2023-12-06T16:24:18.733000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 347, "FileHash-SHA256": 225, "domain": 242, "URL": 1522, "email": 1, "CIDR": 1, "FileHash-MD5": 2 }, "indicator_count": 2340, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a02fad7881a4d09c1ad7", "name": "DGA Domain", "description": "", "modified": "2023-12-06T16:24:15.255000", "created": "2023-12-06T16:24:15.255000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 347, "FileHash-SHA256": 225, "domain": 242, "URL": 1522, "email": 1, "CIDR": 1, "FileHash-MD5": 2 }, "indicator_count": 2340, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a029f7654ae30157d89f", "name": "DGA Domain", "description": "", "modified": "2023-12-06T16:24:07.472000", "created": "2023-12-06T16:24:07.472000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1181, "CVE": 1, "FileHash-SHA256": 1556, "URL": 2748, "domain": 419, "FileHash-MD5": 646, "FileHash-SHA1": 348, "email": 3, "CIDR": 1 }, "indicator_count": 6903, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "653f123278ba7a9e62fdc4cb", "name": "DGA Domain", "description": "", "modified": "2023-10-30T02:17:22.194000", "created": "2023-10-30T02:17:22.194000", "tags": [ "domain related", "united", "as32244 liquid", "creation date", "search", "for privacy", "entries", "unknown", "moved", "frame", "passive dns", "date", "body", "footer", "apache", "abuse", "status hostname", "query type", "address first", "seen last", "seen asn", "country unknown" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "65134ae8fc70cf6ef83d7d74", "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 950, "email": 7, "CIDR": 2, "FileHash-MD5": 650, "FileHash-SHA256": 2081, "URL": 3334, "hostname": 1804, "CVE": 1, "FileHash-SHA1": 353 }, "indicator_count": 9182, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "902 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65134ae8fc70cf6ef83d7d74", "name": "DGA Domain", "description": "", "modified": "2023-09-26T21:19:36.331000", "created": "2023-09-26T21:19:36.331000", "tags": [ "domain related", "united", "as32244 liquid", "creation date", "search", "for privacy", "entries", "unknown", "moved", "frame", "passive dns", "date", "body", "footer", "apache", "abuse", "status hostname", "query type", "address first", "seen last", "seen asn", "country unknown" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "64df7031dfbe14bb4c3d7de0", "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 950, "email": 7, "CIDR": 2, "FileHash-MD5": 650, "FileHash-SHA256": 2081, "URL": 3334, "hostname": 1804, "CVE": 1, "FileHash-SHA1": 353 }, "indicator_count": 9182, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "936 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6507d5dc417a578a2e864610", "name": "DGA Domain", "description": "", "modified": "2023-09-18T04:45:16.384000", "created": "2023-09-18T04:45:16.384000", "tags": [ "domain related", "united", "as32244 liquid", "creation date", "search", "for privacy", "entries", "unknown", "moved", "frame", "passive dns", "date", "body", "footer", "apache", "abuse", "status hostname", "query type", "address first", "seen last", "seen asn", "country unknown" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "64df7038cc4e3463eb78ff27", "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 242, "email": 1, "CIDR": 1, "FileHash-MD5": 2, "FileHash-SHA256": 225, "URL": 1522, "hostname": 347 }, "indicator_count": 2340, "is_author": false, "is_subscribing": null, "subscriber_count": 218, "modified_text": "944 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6507d5d4f466641281acd78e", "name": "DGA Domain", "description": "", "modified": "2023-09-18T04:45:08.298000", "created": "2023-09-18T04:45:08.298000", "tags": [ "domain related", "united", "as32244 liquid", "creation date", "search", "for privacy", "entries", "unknown", "moved", "frame", "passive dns", "date", "body", "footer", "apache", "abuse", "status hostname", "query type", "address first", "seen last", "seen asn", "country unknown" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "64df7038cc4e3463eb78ff27", "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 242, "email": 1, "CIDR": 1, "FileHash-MD5": 2, "FileHash-SHA256": 225, "URL": 1522, "hostname": 347 }, "indicator_count": 2340, "is_author": false, "is_subscribing": null, "subscriber_count": 218, "modified_text": "944 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "64df7031dfbe14bb4c3d7de0", "name": "DGA Domain", "description": "nsis\ncontains-pe\ndownloads-pdf\nupx\nDGA domain. Host at least 2 malicious files.\nA domain generation algorithm (DGA) is a program that generates a large list of domain names. DGAs provide malware with new domains in order to evade security countermeasures. DGA can provide hundreds of new, random domains. This enables hackers to keep their servers up and running without being blocklisted or taken down by the victim. Malware switch between domains faster than security software can take them down.\nUsed by Adversarial businesses, authentication and especially law firms to silence victims of crime.", "modified": "2023-09-17T18:04:52.183000", "created": "2023-08-18T13:20:49.696000", "tags": [ "domain related", "united", "as32244 liquid", "creation date", "search", "for privacy", "entries", "unknown", "moved", "frame", "passive dns", "date", "body", "footer", "apache", "abuse", "status hostname", "query type", "address first", "seen last", "seen asn", "country unknown" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 950, "email": 7, "CIDR": 2, "FileHash-MD5": 650, "FileHash-SHA256": 2081, "URL": 3334, "hostname": 1804, "CVE": 1, "FileHash-SHA1": 353 }, "indicator_count": 9182, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "945 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "64df703a4f3fa01a8973efba", "name": "DGA Domain", "description": "nsis\ncontains-pe\ndownloads-pdf\nupx\nDGA domain. Host at least 2 malicious files.\nA domain generation algorithm (DGA) is a program that generates a large list of domain names. DGAs provide malware with new domains in order to evade security countermeasures. DGA can provide hundreds of new, random domains. This enables hackers to keep their servers up and running without being blocklisted or taken down by the victim. Malware switch between domains faster than security software can take them down.\nUsed by Adversarial businesses, authentication and especially law firms to silence victims of crime.", "modified": "2023-09-17T12:01:26.028000", "created": "2023-08-18T13:20:58.051000", "tags": [ "domain related", "united", "as32244 liquid", "creation date", "search", "for privacy", "entries", "unknown", "moved", "frame", "passive dns", "date", "body", "footer", "apache", "abuse", "status hostname", "query type", "address first", "seen last", "seen asn", "country unknown" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 25, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 242, "email": 1, "CIDR": 1, "FileHash-MD5": 2, "FileHash-SHA256": 225, "URL": 1522, "hostname": 347 }, "indicator_count": 2340, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "945 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "64df70390b3584b7291eea68", "name": "DGA Domain", "description": "nsis\ncontains-pe\ndownloads-pdf\nupx\nDGA domain. Host at least 2 malicious files.\nA domain generation algorithm (DGA) is a program that generates a large list of domain names. DGAs provide malware with new domains in order to evade security countermeasures. DGA can provide hundreds of new, random domains. This enables hackers to keep their servers up and running without being blocklisted or taken down by the victim. Malware switch between domains faster than security software can take them down.\nUsed by Adversarial businesses, authentication and especially law firms to silence victims of crime.", "modified": "2023-09-17T12:01:26.028000", "created": "2023-08-18T13:20:57.788000", "tags": [ "domain related", "united", "as32244 liquid", "creation date", "search", "for privacy", "entries", "unknown", "moved", "frame", "passive dns", "date", "body", "footer", "apache", "abuse", "status hostname", "query type", "address first", "seen last", "seen asn", "country unknown" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 242, "email": 1, "CIDR": 1, "FileHash-MD5": 2, "FileHash-SHA256": 225, "URL": 1522, "hostname": 347 }, "indicator_count": 2340, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "945 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "64df7038cc4e3463eb78ff27", "name": "DGA Domain", "description": "nsis\ncontains-pe\ndownloads-pdf\nupx\nDGA domain. Host at least 2 malicious files.\nA domain generation algorithm (DGA) is a program that generates a large list of domain names. DGAs provide malware with new domains in order to evade security countermeasures. DGA can provide hundreds of new, random domains. This enables hackers to keep their servers up and running without being blocklisted or taken down by the victim. Malware switch between domains faster than security software can take them down.\nUsed by Adversarial businesses, authentication and especially law firms to silence victims of crime.", "modified": "2023-09-17T12:01:26.028000", "created": "2023-08-18T13:20:56.820000", "tags": [ "domain related", "united", "as32244 liquid", "creation date", "search", "for privacy", "entries", "unknown", "moved", "frame", "passive dns", "date", "body", "footer", "apache", "abuse", "status hostname", "query type", "address first", "seen last", "seen asn", "country unknown" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 242, "email": 1, "CIDR": 1, "FileHash-MD5": 2, "FileHash-SHA256": 225, "URL": 1522, "hostname": 347 }, "indicator_count": 2340, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "945 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "64df70342977f4a2d34df76f", "name": "DGA Domain", "description": "nsis\ncontains-pe\ndownloads-pdf\nupx\nDGA domain. Host at least 2 malicious files.\nA domain generation algorithm (DGA) is a program that generates a large list of domain names. DGAs provide malware with new domains in order to evade security countermeasures. DGA can provide hundreds of new, random domains. This enables hackers to keep their servers up and running without being blocklisted or taken down by the victim. Malware switch between domains faster than security software can take them down.\nUsed by Adversarial businesses, authentication and especially law firms to silence victims of crime.", "modified": "2023-09-17T12:01:26.028000", "created": "2023-08-18T13:20:52.030000", "tags": [ "domain related", "united", "as32244 liquid", "creation date", "search", "for privacy", "entries", "unknown", "moved", "frame", "passive dns", "date", "body", "footer", "apache", "abuse", "status hostname", "query type", "address first", "seen last", "seen asn", "country unknown" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 242, "email": 1, "CIDR": 1, "FileHash-MD5": 2, "FileHash-SHA256": 225, "URL": 1522, "hostname": 347 }, "indicator_count": 2340, "is_author": false, "is_subscribing": null, "subscriber_count": 219, "modified_text": "945 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "Crowdstrike: \tbat.bing.com, https://tulach.cc, https://otx.alienvault.com/indicator/url/http://www.hallrender.com/attorney/brian-sabey", "IPv4 198.54.117.211 command_and_control", "Alerts: network_icmp antisandbox_idletime modifies_certificates modifies_proxy_wpad disables_proxy", "keezmovies.com | redtube.com | tube8.com | tube8.com | youporn.com| 0.brazzers.com | www.g-tunnel.comwww.brazzers.com |", "IPv4 198.54.117.212 command_and_control", "IPv4 198.54.117.217 command_and_control", "Crowdstrike: watchtower.cranberry.testing.maxfehlinger.de | https://latex.cranberry.testing.maxfehlinger.de |", "RedTube.com Detections: Win.Trojan.Crypt-321 , Win.Trojan.FakeAV-4166 , Win.Trojan.Fakeav-10977 , Win.Trojan.Fakeav-3386", "https://otx.alienvault.com/browse/global/pulses?q=tag:%22esta%20caliente%22&include_inactive=0&sort=-modified&page=1&limit=10&indicatorsSearch=esta%20caliente", "zeustracker.abuse.ch", "http://t.trkitok.com/track/rep?oid=2001&st=1&id=DP2441--w1VJE427J8SGGRTP02MD7UEG___93737493-c08b-4dc7-ad30-b17a2c09e771___$mid", "Crowdstrike: wildcard.352-445-1166.device.sim.to.img.sedoparking.com", "boot.net.anydesk.com removed from my Pulse below", "apple-securityiphone-icloud.com", "Win32:BankerX-gen\\ [Trj] \u00bb FileHash-SHA256 2e5118d15a18ae852bf94d91707ff634d9d8354fef492f5c4e1c46b9cf96184c", "autodesk.com [ Everything below was found in Autodesk [including crowdstrike & any.desk] Found in in Crowdsrike if labeled.", "Crowdstrike + Autodesk.com: brassiere.world mail.brassiere.world webdisk.brassiere.world webmail.brassiere.world", "Above link opened 'esta caliente'= 'it's hot'| I did NOT do that | All connected links gone. This has become common.", "Crowdstrike: auth.cranberry.testing.maxfehlinger.de | latex.cranberry.testing.maxfehlinger.de | traefik.cranberry.testing.maxfehlinger.de |", "Crowdstrike: autodesk.com | 0ds.autodesk.com | aknanalytics.autodesk.com | anubis.autodesk.com | autobetaint.autodesk.com", "tx-p2p-pull.video-voip.com.dorm.com", "66.254.114.234 | reflectededge.reflected.net | reflected.net | 192.0.2.0 | https://www.brazzers.com/ | brazzers.com | brazzersnetwork.com", "ransomwaretracker.abuse.ch", "Crowdstrike: https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian | https://www.pornhub.com/video/search?search=tsara+brashears | www.youtube.com/watch?v=GyuMozsVyYs | www.pornhub.com | www.youtube.com", "Crowdstrike + Autodesk.com: 128 + symcd.com some w/issues | 658 autodesk.com pulse some w/issues | removed any.desk & boot", "Crowdstrike: http://watchtower.cranberry.testing.maxfehlinger.de| https://auth.cranberry.testing.maxfehlinger.de |", "Crowdstrike: https://www.pornhub.com/gifs/search?search=tsara+lynn+brash |", "Crowdstrike: autodeskarchitecture.autodesk.com | beacon-dev3.autodesk.com | boxtooffice365.autodesk.com | brahma-studio.autodesk.com", "The more I say...Any.Desk + boot.net.anydesk.com was in OG Private CrowdsStrike pulse", "https://www.hybrid-analysis.com/sample/c0c84df54b890bb408fc2289f1e75a29991127bbe207aa30042616b5ea150342/655d9af5679c7afcc409895e", "\u2193Interesting\u2193", "louisianarooflawyers.com [phishing]", "Crowdstrike: daiwahouse-learning.autodesk.com| datagovernance-dev.autodesk.com | enterprise-api-np.autodesk.com", "IPv4 198.54.117.218 command_and_control", "Crowdstrike: symcd.com [Certificate Subjectaltname \u00bb\u00bb anydesk.com \u00bb\u00bb http://gn.symcb.com/gn.crt Ocsp\thttp://gn.symcd.com] ANYDESK.COM-unsigned", "IDS Detections: Zeus Panda Banker / Ursnif Malicious SSL Certificate Detected TLS Handshake Failure", "Crowdstrike: https://bat.bing.com/action/0?ti=12001672&tm=al001&Ver=2&mid=12436868-a484-4998-931c-980262982f67&sid=b92cd8f0483e11efa3c96fe28be413cb&vid=b92cdd10483e11efb1024309353d849f&vids=1&msclkid=N&pi=-740138922&lg=en-US&sw=800&sh=600&sc=24&tl=CrowdStrike%3A%20Stop%20breaches.%20Drive%20business.&p=https%3A%2F%2Fwww.crowdstrike.com%2Fen-us%2F&r=<=1022&pt=1721661968606", "Crowdstrike: cdc-stg-emea.autodesk.com | cloudcost.autodesk.com | cloudpc-stg.autodesk.com | d-s.autodesk.com |", "IPv4 198.54.117.210 command_and_control", "Crowdstrike: https://www.anyxxxtube.net/search-porn/tsara-brashears/\tphishing\t| https://www.anyxxxtube.net/sitemap.xml", "I didn't add pertinent findings back to Pulse. Pulse comp,eyes says ago . Couldn't submit. It's was actually a tiny pulse of autodesk.com with crowdstrike relationship references,", "Crowdstrike: maxfehlinger.de http://auth.cranberry.testing.maxfehlinger.de | http://latex.cranberry.testing.maxfehlinger.de |", "Crowdstrike: https://hr.employmenthero.com/rs/387-SZZ-170/images/youtube-icon-emp-hero-violet.png", "Crowdstrike + Autodesk.com: hallrender.com/attorney/brian-sabey www.hallrender.com/attorney/brian-sabey hallrender.com www.hallrender.com https://hallrender.com milehighmedia.com https://www.milehighmedia.com/ https://www.milehighmedia.com/legal/2257", "Crowdstrike: https://traefik.cranberry.testing.maxfehlinger.de | http://traefik.cranberry.testing.maxfehlinger.de |", "https://otx.alienvault.com/pulse/66d4c125ad61ee5577639a2d", "IDS Detections: TLS Handshake Failure | Alerts: network_icmp , injection", "hasownproperty.call", "http://updates.voicemailaccess.net/b0f6a00b15311023", "Win32:Mystic , Win.Trojan.Xblocker-236 \u00bbFileHash-SHA256 8c59adbccc1987d13fec983f1e2be046611511b65479d1719bda77c5c90bbe21", "IPv4 198.54.117.215 command_and_control", "tvapp-server.de", "RedTube.com Detections: ALF:AGGR:OpcCl:95!ml , ALF:JASYP:Backdoor:Win32/Cycbot!atmn , Win.Downloader.117423-1 ,", "Above links in search results direct out with and arrow pointing out." ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Mivast", "Worm:win32/autorun", "Sakula", "Ransom:win32/genasom", "Win.trojan.xblocker-236", "Trojanspy", "Generic", "#lowfienabledtcontinueafterunpacking", "Blacknet", "Win32:mystic", "Win.trojan.poetrat-7669676-0", "Installcore", "Alf:jasyp:backdoor:win32/cycbot", "Trojanspy:win32/usteal" ], "industries": [], "unique_indicators": 63299 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/teensnow.com", "whois": "http://whois.domaintools.com/teensnow.com", "domain": "teensnow.com", "hostname": "www.teensnow.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 23, "pulses": [ { "id": "6879093e8658df9f35683846", "name": "Worm:Win32/Benjamin continues to impact network", "description": "Worm:Win32/Benjamin continues to impact network operations of a little known, limited national cybers space organization. P2P-Worm.\n*IDS Detections: \n\u2022 Win32.Worm.Benjamin.A CnC Checkin Alerts\n\u2022 nids_malware_alert\n\u2022 network_icmp\n\u2022 network_irc\n\u2022 persistence_autorun\n| Multiple network issues from outages, stolen password keychains, credentials dumping, impressive espionage attacks. Likely goes unnoticed to many. Widely regarded/reported as an outage that is really an unpatched, ongoing cyber attack.", "modified": "2025-08-16T14:00:26.166000", "created": "2025-07-17T14:31:26.824000", "tags": [ "include review", "data upload", "extraction", "read c", "search", "medium", "show", "msie", "windows nt", "wow64", "slcc2", "media center", "entries", "dock", "write", "execution", "capture", "next", "copy", "date", "aaaa", "present may", "present nov", "passive dns", "ip address", "domain", "status", "next associated", "delete", "iocs", "failed", "sc data", "type", "extr data", "included", "review iocs", "memcommit", "user execution", "module load", "t1129", "icmp traffic", "high", "collection", "cmd c", "t1055", "enter", "extract", "enter sc", "drop or", "browse t", "oprop", "extraction data", "enter source", "url or", "texorag", "browse", "urls", "dnssec", "hostname add", "pulse pulses", "files", "files ip", "domainadmin", "showing", "ttl value", "thumbprint", "onlv", "find", "extri data", "dran anu", "extr", "manually add", "review exclude", "sugges", "find s", "typ hos", "se data", "include data", "review locs", "exclude", "suggested es", "intel", "ms windows", "write c", "pe32", "pe32 executable", "copy c", "worm", "win32", "benjamin", "june", "delphi", "malware", "nids", "icmp delphi", "yara detections", "malware traffic", "checkin", "code", "name servers", "servers", "pulses", "expiration date", "united", "body", "cookie", "related tags", "file type", "pe packer", "pm size", "sha1 sha256", "imphash pehash", "virustotal api", "screenshots", "comments" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 50, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 536, "FileHash-SHA1": 465, "FileHash-SHA256": 1836, "domain": 766, "hostname": 960, "URL": 2879, "CVE": 1, "email": 4 }, "indicator_count": 7447, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "246 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6888a85aa32aab22f638d0e6", "name": "Autodesk issue in CrowdStrike prior to outage | [by scoreblue]", "description": "", "modified": "2025-07-29T10:54:18.501000", "created": "2025-07-29T10:54:18.501000", "tags": [ "healthy check", "ssl bypass", "domain tracker", "privacy badger", "startpage", "w11 pc", "pass", "iocs", "all scoreblue", "pdf report", "pcap", "stix", "avast avg", "no expiration", "status", "name servers", "moved", "h1 center", "next", "sec ch", "ch ua", "ua platform", "emails", "certificate", "passive dns", "urls", "encrypt", "body", "pe32 executable", "ms windows", "intel", "windows control", "panel item", "dos borland", "executable", "algorithm", "thumbprint", "serial number", "signing ca", "symantec time", "stamping", "g2 name", "g2 issuer", "class", "code", "kb pe", "csc corporate", "porkbun llc", "gandi sas", "request", "path", "get https", "get http", "response", "cachecontrol", "pragma", "connection", "gmt connection", "accept", "slug", "as29789", "united", "unknown", "ransom", "heur", "server", "registrar abuse", "san rafael", "autodesk", "contact phone", "registrar url", "process32nextw", "create c", "read c", "writeconsolew", "delete", "write", "show", "malware", "write c", "regsetvalueexa", "delete c", "search", "regdword", "whitelisted", "panda banker", "ursnif", "win32", "persistence", "execution", "banker", "local", "domain", "servers", "pulse pulses", "files", "ip address", "creation date", "united kingdom", "as9009 m247", "ipv4", "pulse submit", "url analysis", "twitter", "as16552 tiggee", "as397241", "as397240", "entries", "cname", "nxdomain", "a nxdomain", "worm", "file samples", "files matching", "alf features", "denver co", "wewatta", "scan endpoints", "related pulses", "date hash", "showing", "as62597 nsone", "date", "trojanspy", "cookie", "hostmaster", "expiration date", "msie", "windows nt", "wow64", "slcc2", "media center", "tls handshake", "et info", "getdc0x2a", "failure", "post http", "copy", "crash", "ascii text", "ascii", "jpeg image", "artemis", "trojan", "virustotal", "mike", "vipre", "panda", "win32mediadrug", "win324shared", "win32spigot", "hstr", "lowfi", "yara detections", "contacted", "report spam", "mozilla", "trojanclicker", "url http", "url https", "role title", "added active", "type indicator", "source domain", "akamai rank", "hostname", "ver2", "msclkidn", "vids0", "global outage", "cobalt strike", "fancy bear", "communications", "android device", "cnc beacon", "suspicious ua", "youtube", "sakula rat", "mivast", "sakula", "windows", "samuel tulach", "light dark", "samuel", "tulach", "hyperv", "detecting", "writing gui", "bootkits", "world", "information", "discovery", "t1027", "t1057", "t1071", "protocol", "t1105", "tool transfer", "t1129", "capture", "service", "t1119" ], "references": [ "autodesk.com [ Everything below was found in Autodesk [including crowdstrike & any.desk] Found in in Crowdsrike if labeled.", "66.254.114.234 | reflectededge.reflected.net | reflected.net | 192.0.2.0 | https://www.brazzers.com/ | brazzers.com | brazzersnetwork.com", "keezmovies.com | redtube.com | tube8.com | tube8.com | youporn.com| 0.brazzers.com | www.g-tunnel.comwww.brazzers.com |", "Win32:Mystic , Win.Trojan.Xblocker-236 \u00bbFileHash-SHA256 8c59adbccc1987d13fec983f1e2be046611511b65479d1719bda77c5c90bbe21", "IDS Detections: TLS Handshake Failure | Alerts: network_icmp , injection", "Win32:BankerX-gen\\ [Trj] \u00bb FileHash-SHA256 2e5118d15a18ae852bf94d91707ff634d9d8354fef492f5c4e1c46b9cf96184c", "IDS Detections: Zeus Panda Banker / Ursnif Malicious SSL Certificate Detected TLS Handshake Failure", "Alerts: network_icmp antisandbox_idletime modifies_certificates modifies_proxy_wpad disables_proxy", "RedTube.com Detections: ALF:AGGR:OpcCl:95!ml , ALF:JASYP:Backdoor:Win32/Cycbot!atmn , Win.Downloader.117423-1 ,", "RedTube.com Detections: Win.Trojan.Crypt-321 , Win.Trojan.FakeAV-4166 , Win.Trojan.Fakeav-10977 , Win.Trojan.Fakeav-3386", "Crowdstrike: wildcard.352-445-1166.device.sim.to.img.sedoparking.com", "Crowdstrike: maxfehlinger.de http://auth.cranberry.testing.maxfehlinger.de | http://latex.cranberry.testing.maxfehlinger.de |", "Crowdstrike: https://traefik.cranberry.testing.maxfehlinger.de | http://traefik.cranberry.testing.maxfehlinger.de |", "Crowdstrike: http://watchtower.cranberry.testing.maxfehlinger.de| https://auth.cranberry.testing.maxfehlinger.de |", "Crowdstrike: auth.cranberry.testing.maxfehlinger.de | latex.cranberry.testing.maxfehlinger.de | traefik.cranberry.testing.maxfehlinger.de |", "Crowdstrike: watchtower.cranberry.testing.maxfehlinger.de | https://latex.cranberry.testing.maxfehlinger.de |", "Crowdstrike: https://www.anyxxxtube.net/search-porn/tsara-brashears/\tphishing\t| https://www.anyxxxtube.net/sitemap.xml", "Crowdstrike: https://www.pornhub.com/gifs/search?search=tsara+lynn+brash |", "Crowdstrike: autodesk.com | 0ds.autodesk.com | aknanalytics.autodesk.com | anubis.autodesk.com | autobetaint.autodesk.com", "Crowdstrike: autodeskarchitecture.autodesk.com | beacon-dev3.autodesk.com | boxtooffice365.autodesk.com | brahma-studio.autodesk.com", "Crowdstrike: cdc-stg-emea.autodesk.com | cloudcost.autodesk.com | cloudpc-stg.autodesk.com | d-s.autodesk.com |", "Crowdstrike: daiwahouse-learning.autodesk.com| datagovernance-dev.autodesk.com | enterprise-api-np.autodesk.com", "Crowdstrike: symcd.com [Certificate Subjectaltname \u00bb\u00bb anydesk.com \u00bb\u00bb http://gn.symcb.com/gn.crt Ocsp\thttp://gn.symcd.com] ANYDESK.COM-unsigned", "Crowdstrike: https://bat.bing.com/action/0?ti=12001672&tm=al001&Ver=2&mid=12436868-a484-4998-931c-980262982f67&sid=b92cd8f0483e11efa3c96fe28be413cb&vid=b92cdd10483e11efb1024309353d849f&vids=1&msclkid=N&pi=-740138922&lg=en-US&sw=800&sh=600&sc=24&tl=CrowdStrike%3A%20Stop%20breaches.%20Drive%20business.&p=https%3A%2F%2Fwww.crowdstrike.com%2Fen-us%2F&r=<=1022&pt=1721661968606", "Crowdstrike: \tbat.bing.com, https://tulach.cc, https://otx.alienvault.com/indicator/url/http://www.hallrender.com/attorney/brian-sabey", "Crowdstrike: https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian | https://www.pornhub.com/video/search?search=tsara+brashears | www.youtube.com/watch?v=GyuMozsVyYs | www.pornhub.com | www.youtube.com", "Crowdstrike: https://hr.employmenthero.com/rs/387-SZZ-170/images/youtube-icon-emp-hero-violet.png", "Crowdstrike + Autodesk.com: hallrender.com/attorney/brian-sabey www.hallrender.com/attorney/brian-sabey hallrender.com www.hallrender.com https://hallrender.com milehighmedia.com https://www.milehighmedia.com/ https://www.milehighmedia.com/legal/2257", "Crowdstrike + Autodesk.com: brassiere.world mail.brassiere.world webdisk.brassiere.world webmail.brassiere.world", "Crowdstrike + Autodesk.com: 128 + symcd.com some w/issues | 658 autodesk.com pulse some w/issues | removed any.desk & boot", "The more I say...Any.Desk + boot.net.anydesk.com was in OG Private CrowdsStrike pulse", "Above links in search results direct out with and arrow pointing out.", "https://otx.alienvault.com/browse/global/pulses?q=tag:%22esta%20caliente%22&include_inactive=0&sort=-modified&page=1&limit=10&indicatorsSearch=esta%20caliente", "Above link opened 'esta caliente'= 'it's hot'| I did NOT do that | All connected links gone. This has become common.", "I didn't add pertinent findings back to Pulse. Pulse comp,eyes says ago . Couldn't submit. It's was actually a tiny pulse of autodesk.com with crowdstrike relationship references,", "boot.net.anydesk.com removed from my Pulse below", "https://otx.alienvault.com/pulse/66d4c125ad61ee5577639a2d" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Netherlands" ], "malware_families": [ { "id": "Win32:Mystic", "display_name": "Win32:Mystic", "target": null }, { "id": "Win.Trojan.Xblocker-236", "display_name": "Win.Trojan.Xblocker-236", "target": null }, { "id": "Ransom:Win32/Genasom", "display_name": "Ransom:Win32/Genasom", "target": "/malware/Ransom:Win32/Genasom" }, { "id": "Worm:Win32/Autorun", "display_name": "Worm:Win32/Autorun", "target": "/malware/Worm:Win32/Autorun" }, { "id": "ALF:JASYP:Backdoor:Win32/Cycbot", "display_name": "ALF:JASYP:Backdoor:Win32/Cycbot", "target": null }, { "id": "#LowFiEnableDTContinueAfterUnpacking", "display_name": "#LowFiEnableDTContinueAfterUnpacking", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "TrojanSpy:Win32/Usteal", "display_name": "TrojanSpy:Win32/Usteal", "target": "/malware/TrojanSpy:Win32/Usteal" }, { "id": "Win.Trojan.PoetRat-7669676-0", "display_name": "Win.Trojan.PoetRat-7669676-0", "target": null }, { "id": "Mivast", "display_name": "Mivast", "target": null }, { "id": "Sakula", "display_name": "Sakula", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1081", "name": "Credentials in Files", "display_name": "T1081 - Credentials in Files" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1498", "name": "Network Denial of Service", "display_name": "T1498 - Network Denial of Service" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [], "TLP": "white", "cloned_from": "66d89c45ddc0c7db084b75b7", "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1417, "FileHash-SHA1": 1165, "FileHash-SHA256": 6536, "URL": 6112, "domain": 1340, "hostname": 2654, "email": 15, "SSLCertFingerprint": 9 }, "indicator_count": 19248, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "264 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "684c792c7a89d98470ecef31", "name": "aws.dev - Emotet - Hub for malicious activity", "description": "\u2022 Domain Name: aws.dev |\n\u2022 (DGA) https://www.google.com/search?client=ms-google-coop&q=%22deploy-delete-app-eu-west-1-0.deploy-delete-test-eu-west-1-oigwi9v.us-east-1.forgeapps.ec2.aws.dev%22&cx=003414466004237966221:dgg7iftvryo | \n\u2022 34.226.76.55 |\n\u2022\u2019domains.amazon | \n\u2022 devilspen.com |\n\u2022 aisux.aws.dev |\t\t\n\u2022 alex.aws.dev |\t\n\u2022 askjarvis.aws.dev |\n\u2022 atrium.aws.dev |\n\u2022 automated-runbooks.aws.dev |\nFalse 404 codes and Error pages - very active malicious behavior", "modified": "2025-07-13T18:02:18.648000", "created": "2025-06-13T19:17:00.818000", "tags": [ "united", "creation date", "search", "entries", "passive dns", "urls", "showing", "pulse pulses", "files", "domain", "dnssec", "expiration date", "unknown cname", "hostname add", "date", "redacted for", "email", "code", "organization", "privacy billing", "privacy tech", "postal code", "privacy admin", "com laude", "ltd dba", "nomiq", "limited dba", "admin city", "country", "stateprovince", "city", "mtb oct", "win32", "next associated", "mtb mar", "ipv4 add", "trojan", "apanas", "ransom", "body" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 32, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1111, "hostname": 1014, "URL": 2554, "FileHash-SHA256": 1461, "FileHash-MD5": 64, "email": 6, "FileHash-SHA1": 63 }, "indicator_count": 6273, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "280 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66f351ce26a103377d8eb5fa", "name": "Sex Tokens | Injection \u00bb Porn dumping - Cyber Folks .PL | Spectrum", "description": "Porn dumping into targeted devices after great effort. \nHall Render has always been a Malware Hosting website.\nDrive by compromise, \nPorn Storm compilation.\n\nhttps://api.dotz.com.br/accounts/api/default/externallogin/login", "modified": "2024-10-24T22:01:13.406000", "created": "2024-09-24T23:57:02.111000", "tags": [ "url https", "search", "type indicator", "role title", "added active", "related pulses", "url http", "porn type", "showing", "entries", "tsara type", "pulses url", "adware backdoor", "email document", "exploit domain", "owner exploit", "kit exploit", "source file", "hacking tools", "hunting macro", "malware hosting", "memory scanning", "wild fantasy", "world", "download", "xxx video", "xxx sex", "desi", "tamil", "videos xxx", "hd posts", "photos pics", "https", "indicator role", "title added", "active related", "unknown", "united", "for privacy", "nxdomain", "meta", "internet gmbh", "creation date", "date", "audio", "clear hindi", "bhabi sex", "bedroom indian", "fakaid", "ww3008", "fingering her", "young boy", "sexy", "next", "witch", "filehashmd5", "ipv4", "months ago", "information", "scan endpoints", "all scoreblue", "report spam", "created", "modified", "zbot", "keyword", "latina", "teen sex", "jeffrey reimer", "reimer dpt", "jeff reimer sex", "reimer type", "hostname", "domain", "copyright", "remote", "t1003", "os credential", "dumping", "t1012", "t1036", "t1071", "protocol", "t1082", "as8075", "aaaa", "as30148 sucuri", "certificate", "record value", "body", "status", "passive dns", "urls", "hallrender", "brian sabey", "sabey xxx", "drive by compromise", "cobalt strike", "overview ip", "address", "related nids", "files location", "china flag", "china domain", "files related", "pulses none", "files domain", "analyzer paste", "iocs", "hostnames", "urls https", "china unknown", "as4837 china", "redacted for", "a domains", "cname", "jeffrey reimer pt", "sucuri website", "span td", "time", "firewall", "win64", "back", "xtra", "name servers", "files", "tls web", "log id", "gmtn", "false", "ocsp", "ca issuers", "phucket news", "hacking", "registrar abuse", "gateway protocol abuse", "swipper relationship" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1023", "name": "Shortcut Modification", "display_name": "T1023 - Shortcut Modification" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1133", "name": "External Remote Services", "display_name": "T1133 - External Remote Services" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1428", "name": "Exploit Enterprise Resources", "display_name": "T1428 - Exploit Enterprise Resources" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 29, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1599, "hostname": 2988, "URL": 8561, "FileHash-SHA256": 1207, "email": 41, "FileHash-MD5": 126, "FileHash-SHA1": 36, "CVE": 1, "SSLCertFingerprint": 2 }, "indicator_count": 14561, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "542 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66d89c45ddc0c7db084b75b7", "name": "Autodesk weakens CS | Unauthorized AlienVault API | Stolen pulsed", "description": "Critical issues within AlienVault , VT & my devices. Plugins auto installed after I opened message from AV user. Sudden redirects to 0/ http/s. Heavy modifications, removal of IoC's on AV & VT & Virus Total. Autodesk.com was under CrowdStrike until last night. Links where vulnerabilities were originating from completely disappeared from graph I kindly kept private. Continuous mods for months to Crowdstrike and other pulses. [https://otx.alienvault.com/api appears in search] A page opens with Tag: \"esta caliente\" | All linked pulses Gone. Only person who frequently contacted me appears where they didn't before & These dishonest billion $ companies cover up though they are at fault for allowing ALL threat actor to be protected with non adversarial businesses. Besides other compromises, surprisingly Brashears porn found in Crowdstrike/Autodesk others. Disappointing.", "modified": "2024-10-04T17:02:07.067000", "created": "2024-09-04T17:43:33.123000", "tags": [ "healthy check", "ssl bypass", "domain tracker", "privacy badger", "startpage", "w11 pc", "pass", "iocs", "all scoreblue", "pdf report", "pcap", "stix", "avast avg", "no expiration", "status", "name servers", "moved", "h1 center", "next", "sec ch", "ch ua", "ua platform", "emails", "certificate", "passive dns", "urls", "encrypt", "body", "pe32 executable", "ms windows", "intel", "windows control", "panel item", "dos borland", "executable", "algorithm", "thumbprint", "serial number", "signing ca", "symantec time", "stamping", "g2 name", "g2 issuer", "class", "code", "kb pe", "csc corporate", "porkbun llc", "gandi sas", "request", "path", "get https", "get http", "response", "cachecontrol", "pragma", "connection", "gmt connection", "accept", "slug", "as29789", "united", "unknown", "ransom", "heur", "server", "registrar abuse", "san rafael", "autodesk", "contact phone", "registrar url", "process32nextw", "create c", "read c", "writeconsolew", "delete", "write", "show", "malware", "write c", "regsetvalueexa", "delete c", "search", "regdword", "whitelisted", "panda banker", "ursnif", "win32", "persistence", "execution", "banker", "local", "domain", "servers", "pulse pulses", "files", "ip address", "creation date", "united kingdom", "as9009 m247", "ipv4", "pulse submit", "url analysis", "twitter", "as16552 tiggee", "as397241", "as397240", "entries", "cname", "nxdomain", "a nxdomain", "worm", "file samples", "files matching", "alf features", "denver co", "wewatta", "scan endpoints", "related pulses", "date hash", "showing", "as62597 nsone", "date", "trojanspy", "cookie", "hostmaster", "expiration date", "msie", "windows nt", "wow64", "slcc2", "media center", "tls handshake", "et info", "getdc0x2a", "failure", "post http", "copy", "crash", "ascii text", "ascii", "jpeg image", "artemis", "trojan", "virustotal", "mike", "vipre", "panda", "win32mediadrug", "win324shared", "win32spigot", "hstr", "lowfi", "yara detections", "contacted", "report spam", "mozilla", "trojanclicker", "url http", "url https", "role title", "added active", "type indicator", "source domain", "akamai rank", "hostname", "ver2", "msclkidn", "vids0", "global outage", "cobalt strike", "fancy bear", "communications", "android device", "cnc beacon", "suspicious ua", "youtube", "sakula rat", "mivast", "sakula", "windows", "samuel tulach", "light dark", "samuel", "tulach", "hyperv", "detecting", "writing gui", "bootkits", "world", "information", "discovery", "t1027", "t1057", "t1071", "protocol", "t1105", "tool transfer", "t1129", "capture", "service", "t1119" ], "references": [ "autodesk.com [ Everything below was found in Autodesk [including crowdstrike & any.desk] Found in in Crowdsrike if labeled.", "66.254.114.234 | reflectededge.reflected.net | reflected.net | 192.0.2.0 | https://www.brazzers.com/ | brazzers.com | brazzersnetwork.com", "keezmovies.com | redtube.com | tube8.com | tube8.com | youporn.com| 0.brazzers.com | www.g-tunnel.comwww.brazzers.com |", "Win32:Mystic , Win.Trojan.Xblocker-236 \u00bbFileHash-SHA256 8c59adbccc1987d13fec983f1e2be046611511b65479d1719bda77c5c90bbe21", "IDS Detections: TLS Handshake Failure | Alerts: network_icmp , injection", "Win32:BankerX-gen\\ [Trj] \u00bb FileHash-SHA256 2e5118d15a18ae852bf94d91707ff634d9d8354fef492f5c4e1c46b9cf96184c", "IDS Detections: Zeus Panda Banker / Ursnif Malicious SSL Certificate Detected TLS Handshake Failure", "Alerts: network_icmp antisandbox_idletime modifies_certificates modifies_proxy_wpad disables_proxy", "RedTube.com Detections: ALF:AGGR:OpcCl:95!ml , ALF:JASYP:Backdoor:Win32/Cycbot!atmn , Win.Downloader.117423-1 ,", "RedTube.com Detections: Win.Trojan.Crypt-321 , Win.Trojan.FakeAV-4166 , Win.Trojan.Fakeav-10977 , Win.Trojan.Fakeav-3386", "Crowdstrike: wildcard.352-445-1166.device.sim.to.img.sedoparking.com", "Crowdstrike: maxfehlinger.de http://auth.cranberry.testing.maxfehlinger.de | http://latex.cranberry.testing.maxfehlinger.de |", "Crowdstrike: https://traefik.cranberry.testing.maxfehlinger.de | http://traefik.cranberry.testing.maxfehlinger.de |", "Crowdstrike: http://watchtower.cranberry.testing.maxfehlinger.de| https://auth.cranberry.testing.maxfehlinger.de |", "Crowdstrike: auth.cranberry.testing.maxfehlinger.de | latex.cranberry.testing.maxfehlinger.de | traefik.cranberry.testing.maxfehlinger.de |", "Crowdstrike: watchtower.cranberry.testing.maxfehlinger.de | https://latex.cranberry.testing.maxfehlinger.de |", "Crowdstrike: https://www.anyxxxtube.net/search-porn/tsara-brashears/\tphishing\t| https://www.anyxxxtube.net/sitemap.xml", "Crowdstrike: https://www.pornhub.com/gifs/search?search=tsara+lynn+brash |", "Crowdstrike: autodesk.com | 0ds.autodesk.com | aknanalytics.autodesk.com | anubis.autodesk.com | autobetaint.autodesk.com", "Crowdstrike: autodeskarchitecture.autodesk.com | beacon-dev3.autodesk.com | boxtooffice365.autodesk.com | brahma-studio.autodesk.com", "Crowdstrike: cdc-stg-emea.autodesk.com | cloudcost.autodesk.com | cloudpc-stg.autodesk.com | d-s.autodesk.com |", "Crowdstrike: daiwahouse-learning.autodesk.com| datagovernance-dev.autodesk.com | enterprise-api-np.autodesk.com", "Crowdstrike: symcd.com [Certificate Subjectaltname \u00bb\u00bb anydesk.com \u00bb\u00bb http://gn.symcb.com/gn.crt Ocsp\thttp://gn.symcd.com] ANYDESK.COM-unsigned", "Crowdstrike: https://bat.bing.com/action/0?ti=12001672&tm=al001&Ver=2&mid=12436868-a484-4998-931c-980262982f67&sid=b92cd8f0483e11efa3c96fe28be413cb&vid=b92cdd10483e11efb1024309353d849f&vids=1&msclkid=N&pi=-740138922&lg=en-US&sw=800&sh=600&sc=24&tl=CrowdStrike%3A%20Stop%20breaches.%20Drive%20business.&p=https%3A%2F%2Fwww.crowdstrike.com%2Fen-us%2F&r=<=1022&pt=1721661968606", "Crowdstrike: \tbat.bing.com, https://tulach.cc, https://otx.alienvault.com/indicator/url/http://www.hallrender.com/attorney/brian-sabey", "Crowdstrike: https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian | https://www.pornhub.com/video/search?search=tsara+brashears | www.youtube.com/watch?v=GyuMozsVyYs | www.pornhub.com | www.youtube.com", "Crowdstrike: https://hr.employmenthero.com/rs/387-SZZ-170/images/youtube-icon-emp-hero-violet.png", "Crowdstrike + Autodesk.com: hallrender.com/attorney/brian-sabey www.hallrender.com/attorney/brian-sabey hallrender.com www.hallrender.com https://hallrender.com milehighmedia.com https://www.milehighmedia.com/ https://www.milehighmedia.com/legal/2257", "Crowdstrike + Autodesk.com: brassiere.world mail.brassiere.world webdisk.brassiere.world webmail.brassiere.world", "Crowdstrike + Autodesk.com: 128 + symcd.com some w/issues | 658 autodesk.com pulse some w/issues | removed any.desk & boot", "The more I say...Any.Desk + boot.net.anydesk.com was in OG Private CrowdsStrike pulse", "Above links in search results direct out with and arrow pointing out.", "https://otx.alienvault.com/browse/global/pulses?q=tag:%22esta%20caliente%22&include_inactive=0&sort=-modified&page=1&limit=10&indicatorsSearch=esta%20caliente", "Above link opened 'esta caliente'= 'it's hot'| I did NOT do that | All connected links gone. This has become common.", "I didn't add pertinent findings back to Pulse. Pulse comp,eyes says ago . Couldn't submit. It's was actually a tiny pulse of autodesk.com with crowdstrike relationship references,", "boot.net.anydesk.com removed from my Pulse below", "https://otx.alienvault.com/pulse/66d4c125ad61ee5577639a2d" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Netherlands" ], "malware_families": [ { "id": "Win32:Mystic", "display_name": "Win32:Mystic", "target": null }, { "id": "Win.Trojan.Xblocker-236", "display_name": "Win.Trojan.Xblocker-236", "target": null }, { "id": "Ransom:Win32/Genasom", "display_name": "Ransom:Win32/Genasom", "target": "/malware/Ransom:Win32/Genasom" }, { "id": "Worm:Win32/Autorun", "display_name": "Worm:Win32/Autorun", "target": "/malware/Worm:Win32/Autorun" }, { "id": "ALF:JASYP:Backdoor:Win32/Cycbot", "display_name": "ALF:JASYP:Backdoor:Win32/Cycbot", "target": null }, { "id": "#LowFiEnableDTContinueAfterUnpacking", "display_name": "#LowFiEnableDTContinueAfterUnpacking", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "TrojanSpy:Win32/Usteal", "display_name": "TrojanSpy:Win32/Usteal", "target": "/malware/TrojanSpy:Win32/Usteal" }, { "id": "Win.Trojan.PoetRat-7669676-0", "display_name": "Win.Trojan.PoetRat-7669676-0", "target": null }, { "id": "Mivast", "display_name": "Mivast", "target": null }, { "id": "Sakula", "display_name": "Sakula", "target": null } ], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1081", "name": "Credentials in Files", "display_name": "T1081 - Credentials in Files" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1021", "name": "Remote Services", "display_name": "T1021 - Remote Services" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1498", "name": "Network Denial of Service", "display_name": "T1498 - Network Denial of Service" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 38, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1417, "FileHash-SHA1": 1165, "FileHash-SHA256": 6536, "URL": 6112, "domain": 1340, "hostname": 2654, "email": 15, "SSLCertFingerprint": 9 }, "indicator_count": 19248, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "562 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "655dafbe9ac9ac786fde45ad", "name": "http://malwaredomainlist.com/ \u2022 CNC \u2022 Spyware \u2022 Tracking", "description": "Network capture, dga domain, ecc domain, data collection, voicemail access, mail spammer, registrar abuse\n\n[Auto populated. I can't cannot confirm or deny the accuracy of the following information: A summary of key facts and information about a malicious web domain, hosted by the US government, has been released by Google.com and its parent company, Alphabet, for use on its website.]", "modified": "2023-12-22T06:03:01.993000", "created": "2023-11-22T07:37:34.595000", "tags": [ "united", "as22612", "as2637", "creation date", "search", "moved", "expiration date", "date", "showing", "as397240", "next", "entries", "scan endpoints", "all octoseek", "dns replication", "win32 exe", "network capture", "android", "android adaway", "html", "files", "detections type", "name", "office open", "xml document", "namecheap", "namecheap inc", "whois lookups", "win32 dll", "text", "wextract", "text htaccess", "powershell", "detection list", "blacklist", "first", "ssl certificate", "whois record", "contacted", "december", "whois whois", "threat roundup", "historical ssl", "problems", "referrer", "pe resource", "startpage", "cyber threat", "redline stealer", "mail spammer", "hostname", "phishing site", "malicious site", "installcore", "http spammer", "malware site", "malware", "generic malware", "heur", "generic", "alexa top", "million", "site", "cisco umbrella", "alexa", "ip address", "algorithm", "data", "v3 serial", "number", "cat cnzerossl", "ecc domain", "secure site", "ca ozerossl", "validity", "subject public", "server", "email", "code", "registrar abuse", "country", "privacy service", "withheld", "privacy", "domain name", "pattern match", "ascii text", "appdata", "file", "windows nt", "svg scalable", "vector graphics", "indicator", "gif image", "accept", "hybrid", "general", "local", "pixel", "click", "twitter", "strings", "class", "generator", "critical", "command_and_control", "spyware", "tracking", "voicemail access", "dga", "apple" ], "references": [ "https://www.hybrid-analysis.com/sample/c0c84df54b890bb408fc2289f1e75a29991127bbe207aa30042616b5ea150342/655d9af5679c7afcc409895e", "\u2193Interesting\u2193", "IPv4 198.54.117.211 command_and_control", "IPv4 198.54.117.210 command_and_control", "IPv4 198.54.117.212 command_and_control", "IPv4 198.54.117.215 command_and_control", "IPv4 198.54.117.217 command_and_control", "IPv4 198.54.117.218 command_and_control", "apple-securityiphone-icloud.com", "tx-p2p-pull.video-voip.com.dorm.com", "http://updates.voicemailaccess.net/b0f6a00b15311023", "tvapp-server.de", "zeustracker.abuse.ch", "ransomwaretracker.abuse.ch", "http://t.trkitok.com/track/rep?oid=2001&st=1&id=DP2441--w1VJE427J8SGGRTP02MD7UEG___93737493-c08b-4dc7-ad30-b17a2c09e771___$mid", "louisianarooflawyers.com [phishing]", "hasownproperty.call" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "BlackNET", "display_name": "BlackNET", "target": null }, { "id": "InstallCore", "display_name": "InstallCore", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 51, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 105, "FileHash-SHA1": 100, "FileHash-SHA256": 3072, "domain": 1188, "email": 5, "URL": 7940, "hostname": 1925, "CVE": 1 }, "indicator_count": 14336, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "849 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a6b7ff4216fe9cd82625", "name": "DGA Domain", "description": "", "modified": "2023-12-06T16:52:05.939000", "created": "2023-12-06T16:52:05.939000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1181, "CVE": 1, "FileHash-SHA256": 1556, "URL": 2748, "domain": 419, "FileHash-MD5": 646, "FileHash-SHA1": 348, "email": 3, "CIDR": 1 }, "indicator_count": 6903, "is_author": false, "is_subscribing": null, "subscriber_count": 111, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a53f5c404226f3d77347", "name": "DGA Domain", "description": "", "modified": "2023-12-06T16:45:51.053000", "created": "2023-12-06T16:45:51.053000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 347, "FileHash-SHA256": 225, "domain": 242, "URL": 1522, "email": 1, "CIDR": 1, "FileHash-MD5": 2 }, "indicator_count": 2340, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a53b9421d107b6ade1c1", "name": "DGA Domain", "description": "", "modified": "2023-12-06T16:45:47.109000", "created": "2023-12-06T16:45:47.109000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 347, "FileHash-SHA256": 225, "domain": 242, "URL": 1522, "email": 1, "CIDR": 1, "FileHash-MD5": 2 }, "indicator_count": 2340, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a0421567e0f495b14cd0", "name": "DGA Domain", "description": "", "modified": "2023-12-06T16:24:34.371000", "created": "2023-12-06T16:24:34.371000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 347, "FileHash-SHA256": 225, "domain": 242, "URL": 1522, "email": 1, "CIDR": 1, "FileHash-MD5": 2 }, "indicator_count": 2340, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://www.teensnow.com", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://www.teensnow.com", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776642000.001385 }