{ "type": "Domain", "indicator": "openlibrary.org", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/openlibrary.org", "alexa": "http://www.alexa.com/siteinfo/openlibrary.org", "indicator": "openlibrary.org", "type": "domain", "type_title": "Domain", "validation": [ { "source": "majestic", "message": "Whitelisted domain openlibrary.org", "name": "Whitelisted domain" } ], "base_indicator": { "id": 2659127992, "indicator": "openlibrary.org", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 9, "pulses": [ { "id": "6a0fa31ce70576377500359f", "name": "VirusTotal report\n for script.js", "description": "1045615ac32ca94a152a05d1816dc3e7fd7390744d16c8a34e5f563bbb2076f8 Toddcombos mail pass[.txt] and write changes [.com]", "modified": "2026-05-22T01:36:54.439000", "created": "2026-05-22T00:28:12.117000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 19, "FileHash-SHA1": 41, "FileHash-SHA256": 11, "IPv4": 51, "URL": 75, "domain": 6, "hostname": 61, "CVE": 1 }, "indicator_count": 265, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "9 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a0fa31b7da23cd14a8abe3b", "name": "VirusTotal report\n for script.js", "description": "1045615ac32ca94a152a05d1816dc3e7fd7390744d16c8a34e5f563bbb2076f8 Toddcombos mail pass[.txt] and write changes [.com]", "modified": "2026-05-22T00:51:40.201000", "created": "2026-05-22T00:28:11.566000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 34, "FileHash-SHA1": 87, "FileHash-SHA256": 36, "IPv4": 95, "URL": 290, "domain": 152, "hostname": 374, "CIDR": 1, "email": 4, "IPv6": 16 }, "indicator_count": 1089, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "9 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a0f9a099247c8bf12f41f37", "name": "Dr Watson User Agent - the wizard8 peering #stalkerware", "description": "Microsoft has created its own \"cloud\" for the internet, which can be accessed from the firm's servers in Redmond, Washington, and is being used to connect to the rest of the world", "modified": "2026-05-22T00:22:04.450000", "created": "2026-05-21T23:49:29.146000", "tags": [ "assigned pa", "date", "peering", "dns address", "microsoft way", "redmond", "divya quamara", "algorithm", "ocsp", "key identifier", "x509v3 subject", "v3 serial", "number", "cus omicrosoft", "tls g2", "rsa ca", "validity", "handle", "address range", "cidr", "network name", "allocation type", "status", "whois server", "ripe", "filtered person" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CIDR": 1, "URL": 283, "FileHash-SHA1": 16, "FileHash-SHA256": 34, "IPv4": 171, "hostname": 171, "email": 4, "domain": 134, "URI": 2, "IPv6": 21, "Mutex": 2, "FileHash-MD5": 17 }, "indicator_count": 856, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "9 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69c5422054edcb22f072e562", "name": "VirusTotal report\n for document.html", "description": "A full report of the 2015-16 edition of Firefox, published on 26 March, is published online by the Mozilla Foundation and is available to download at any time on the web or on desktop.", "modified": "2026-04-25T14:03:52.240000", "created": "2026-03-26T14:26:40.544000", "tags": [ "https", "mitre attack", "network info", "processes extra", "performs dns", "t1055 process", "layer protocol", "overview", "overview zenbox", "verdict", "next" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/e51c228a26775c378579778f9719c10daf06bd5f80086ca37ee8076c201dfbd1_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1774535157&Signature=FcGC7sWUVaOwcfXDiUYxSh1bbA5ygqMSjFVQFfBHehFc31tg99PjHjuAXS4iWqrv6bv%2BRUfe48IF7e5Sc06tkVRz3Mx%2B7ZE05Ujlm%2Bc%2FIgS5nk5TZWJ5Mg5zzNL1vUKcohtMdg4z7t7%2Biexq%2BwlaxRXlwJhEdBZiryXKKNDvxpXJVQEQgGFN%2FJeRXgFIpXMjM%2BCHlnOgFpZ0WgxiF2oyPIMa4mZWJeawvfMqDtv%2FiaQO%2BYSjLn" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 25, "URL": 35, "domain": 18, "hostname": 18 }, "indicator_count": 98, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "36 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69c5422bd6b0041449dac5ed", "name": "VirusTotal report\n for document.html", "description": "A full report of the 2015-16 edition of Firefox, published on 26 March, is published online by the Mozilla Foundation and is available to download at any time on the web or on desktop.", "modified": "2026-04-25T14:03:52.240000", "created": "2026-03-26T14:26:51.308000", "tags": [ "https", "mitre attack", "network info", "processes extra", "performs dns", "t1055 process", "layer protocol", "overview", "overview zenbox", "verdict", "next" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/e51c228a26775c378579778f9719c10daf06bd5f80086ca37ee8076c201dfbd1_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1774535157&Signature=FcGC7sWUVaOwcfXDiUYxSh1bbA5ygqMSjFVQFfBHehFc31tg99PjHjuAXS4iWqrv6bv%2BRUfe48IF7e5Sc06tkVRz3Mx%2B7ZE05Ujlm%2Bc%2FIgS5nk5TZWJ5Mg5zzNL1vUKcohtMdg4z7t7%2Biexq%2BwlaxRXlwJhEdBZiryXKKNDvxpXJVQEQgGFN%2FJeRXgFIpXMjM%2BCHlnOgFpZ0WgxiF2oyPIMa4mZWJeawvfMqDtv%2FiaQO%2BYSjLn" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 25, "URL": 35, "domain": 18, "hostname": 18 }, "indicator_count": 98, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "36 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69c5422de705001184788201", "name": "VirusTotal report\n for document.html", "description": "A full report of the 2015-16 edition of Firefox, published on 26 March, is published online by the Mozilla Foundation and is available to download at any time on the web or on desktop.", "modified": "2026-04-25T14:03:52.240000", "created": "2026-03-26T14:26:53.491000", "tags": [ "https", "mitre attack", "network info", "processes extra", "performs dns", "t1055 process", "layer protocol", "overview", "overview zenbox", "verdict", "next" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/e51c228a26775c378579778f9719c10daf06bd5f80086ca37ee8076c201dfbd1_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1774535157&Signature=FcGC7sWUVaOwcfXDiUYxSh1bbA5ygqMSjFVQFfBHehFc31tg99PjHjuAXS4iWqrv6bv%2BRUfe48IF7e5Sc06tkVRz3Mx%2B7ZE05Ujlm%2Bc%2FIgS5nk5TZWJ5Mg5zzNL1vUKcohtMdg4z7t7%2Biexq%2BwlaxRXlwJhEdBZiryXKKNDvxpXJVQEQgGFN%2FJeRXgFIpXMjM%2BCHlnOgFpZ0WgxiF2oyPIMa4mZWJeawvfMqDtv%2FiaQO%2BYSjLn" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 25, "URL": 35, "domain": 18, "hostname": 18 }, "indicator_count": 98, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "36 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69c5422ece04f4276f8e68c6", "name": "VirusTotal report\n for document.html", "description": "A full report of the 2015-16 edition of Firefox, published on 26 March, is published online by the Mozilla Foundation and is available to download at any time on the web or on desktop.", "modified": "2026-04-25T14:03:52.240000", "created": "2026-03-26T14:26:54.781000", "tags": [ "https", "mitre attack", "network info", "processes extra", "performs dns", "t1055 process", "layer protocol", "overview", "overview zenbox", "verdict", "next" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/e51c228a26775c378579778f9719c10daf06bd5f80086ca37ee8076c201dfbd1_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1774535157&Signature=FcGC7sWUVaOwcfXDiUYxSh1bbA5ygqMSjFVQFfBHehFc31tg99PjHjuAXS4iWqrv6bv%2BRUfe48IF7e5Sc06tkVRz3Mx%2B7ZE05Ujlm%2Bc%2FIgS5nk5TZWJ5Mg5zzNL1vUKcohtMdg4z7t7%2Biexq%2BwlaxRXlwJhEdBZiryXKKNDvxpXJVQEQgGFN%2FJeRXgFIpXMjM%2BCHlnOgFpZ0WgxiF2oyPIMa4mZWJeawvfMqDtv%2FiaQO%2BYSjLn" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 25, "URL": 35, "domain": 18, "hostname": 18 }, "indicator_count": 98, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "36 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "699c3b796fcaed878ca94c5c", "name": "https://m.vzw.com/wIvzrd8", "description": "the wizard", "modified": "2026-04-18T05:30:18.690000", "created": "2026-02-23T11:35:21.673000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1818, "hostname": 575, "URL": 200, "FileHash-SHA1": 450, "CIDR": 11, "domain": 887, "email": 7, "FileHash-MD5": 402, "CVE": 21 }, "indicator_count": 4371, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "43 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "689ae28d66814f3c2cbf1791", "name": "Botnet Sinkhole | Potential WannaCry DNS Lookup", "description": "*iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com Botnet Sinkhole | Potential WannaCry DNSLookup. Targeting , Project Content Reputation. Backdoor:Win32/Fynloski \u2022\nWas [Win.Trojan.DarkKomet-1] now- [Worm:Win32/Mofksys.R!MTB] \u2022\nPotential WannaCry DNS lookup\nIllegal Content 20 + teen p0r\u0146 content sites for reputation abuse and or framing.\n| highjacked? URL\nhttps://archive.org/web/petabox.php |\n| cdn1.onlyteenporn.com |\n| http://onlyteenporn.com/go.php.php?link=top |\n| http://onlyteenporn.com/go.php?link= |\n\n#botnet #sinkhole #worm #trojan #injection #socialengineering #wannacry #dns #teen_porn #content_reputation #dumpsite #petabox #webarchive #photography", "modified": "2025-09-11T05:01:39.966000", "created": "2025-08-12T06:43:25.992000", "tags": [ "show process", "united", "command decode", "mitre att", "suricata ipv4", "ck id", "show technique", "ck matrix", "programfiles", "sha1", "date", "comspec", "class", "august", "hybrid", "general", "path", "model", "click", "strings", "meta", "body", "present jun", "present aug", "present may", "present apr", "present feb", "creation date", "worm", "search", "present jul", "error", "msil", "passive dns", "urls", "url add", "pulse pulses", "http", "hostname", "files domain", "files related", "pulses none", "related tags", "unknown ns", "ip address", "name servers", "status", "showing", "found title", "open ports", "backdoor", "hacktool", "entries", "next associated", "ipv4", "trojan", "domain", "authority", "record value", "script script", "cname", "script urls", "learn", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "ssl certificate", "execution att", "present mar", "mtb sep", "ransom", "win32", "gmt contenttype", "ipv4 add", "files", "location united", "development att", "extra data", "extraction", "please", "sc data", "type", "failed", "extr data", "ox sunnort", "include review", "exclude data", "sugges", "process32nextw", "observed dns", "query", "read c", "medium", "dns lookup", "msdos", "wannacry dns", "lookup", "wannacry", "delphi", "malware", "copy", "service", "explorer", "write", "darkcomet", "ping", "tools", "capture", "next" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1054", "name": "Indicator Blocking", "display_name": "T1054 - Indicator Blocking" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 33, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 145, "FileHash-SHA1": 138, "FileHash-SHA256": 398, "SSLCertFingerprint": 12, "URL": 876, "domain": 136, "hostname": 216, "email": 3, "CVE": 1 }, "indicator_count": 1925, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "262 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/e51c228a26775c378579778f9719c10daf06bd5f80086ca37ee8076c201dfbd1_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1774535157&Signature=FcGC7sWUVaOwcfXDiUYxSh1bbA5ygqMSjFVQFfBHehFc31tg99PjHjuAXS4iWqrv6bv%2BRUfe48IF7e5Sc06tkVRz3Mx%2B7ZE05Ujlm%2Bc%2FIgS5nk5TZWJ5Mg5zzNL1vUKcohtMdg4z7t7%2Biexq%2BwlaxRXlwJhEdBZiryXKKNDvxpXJVQEQgGFN%2FJeRXgFIpXMjM%2BCHlnOgFpZ0WgxiF2oyPIMa4mZWJeawvfMqDtv%2FiaQO%2BYSjLn" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [], "malware_families": [], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 9, "pulses": [ { "id": "6a0fa31ce70576377500359f", "name": "VirusTotal report\n for script.js", "description": "1045615ac32ca94a152a05d1816dc3e7fd7390744d16c8a34e5f563bbb2076f8 Toddcombos mail pass[.txt] and write changes [.com]", "modified": "2026-05-22T01:36:54.439000", "created": "2026-05-22T00:28:12.117000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 19, "FileHash-SHA1": 41, "FileHash-SHA256": 11, "IPv4": 51, "URL": 75, "domain": 6, "hostname": 61, "CVE": 1 }, "indicator_count": 265, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "9 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a0fa31b7da23cd14a8abe3b", "name": "VirusTotal report\n for script.js", "description": "1045615ac32ca94a152a05d1816dc3e7fd7390744d16c8a34e5f563bbb2076f8 Toddcombos mail pass[.txt] and write changes [.com]", "modified": "2026-05-22T00:51:40.201000", "created": "2026-05-22T00:28:11.566000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 34, "FileHash-SHA1": 87, "FileHash-SHA256": 36, "IPv4": 95, "URL": 290, "domain": 152, "hostname": 374, "CIDR": 1, "email": 4, "IPv6": 16 }, "indicator_count": 1089, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "9 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a0f9a099247c8bf12f41f37", "name": "Dr Watson User Agent - the wizard8 peering #stalkerware", "description": "Microsoft has created its own \"cloud\" for the internet, which can be accessed from the firm's servers in Redmond, Washington, and is being used to connect to the rest of the world", "modified": "2026-05-22T00:22:04.450000", "created": "2026-05-21T23:49:29.146000", "tags": [ "assigned pa", "date", "peering", "dns address", "microsoft way", "redmond", "divya quamara", "algorithm", "ocsp", "key identifier", "x509v3 subject", "v3 serial", "number", "cus omicrosoft", "tls g2", "rsa ca", "validity", "handle", "address range", "cidr", "network name", "allocation type", "status", "whois server", "ripe", "filtered person" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CIDR": 1, "URL": 283, "FileHash-SHA1": 16, "FileHash-SHA256": 34, "IPv4": 171, "hostname": 171, "email": 4, "domain": 134, "URI": 2, "IPv6": 21, "Mutex": 2, "FileHash-MD5": 17 }, "indicator_count": 856, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "9 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69c5422054edcb22f072e562", "name": "VirusTotal report\n for document.html", "description": "A full report of the 2015-16 edition of Firefox, published on 26 March, is published online by the Mozilla Foundation and is available to download at any time on the web or on desktop.", "modified": "2026-04-25T14:03:52.240000", "created": "2026-03-26T14:26:40.544000", "tags": [ "https", "mitre attack", "network info", "processes extra", "performs dns", "t1055 process", "layer protocol", "overview", "overview zenbox", "verdict", "next" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/e51c228a26775c378579778f9719c10daf06bd5f80086ca37ee8076c201dfbd1_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1774535157&Signature=FcGC7sWUVaOwcfXDiUYxSh1bbA5ygqMSjFVQFfBHehFc31tg99PjHjuAXS4iWqrv6bv%2BRUfe48IF7e5Sc06tkVRz3Mx%2B7ZE05Ujlm%2Bc%2FIgS5nk5TZWJ5Mg5zzNL1vUKcohtMdg4z7t7%2Biexq%2BwlaxRXlwJhEdBZiryXKKNDvxpXJVQEQgGFN%2FJeRXgFIpXMjM%2BCHlnOgFpZ0WgxiF2oyPIMa4mZWJeawvfMqDtv%2FiaQO%2BYSjLn" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 25, "URL": 35, "domain": 18, "hostname": 18 }, "indicator_count": 98, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "36 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69c5422bd6b0041449dac5ed", "name": "VirusTotal report\n for document.html", "description": "A full report of the 2015-16 edition of Firefox, published on 26 March, is published online by the Mozilla Foundation and is available to download at any time on the web or on desktop.", "modified": "2026-04-25T14:03:52.240000", "created": "2026-03-26T14:26:51.308000", "tags": [ "https", "mitre attack", "network info", "processes extra", "performs dns", "t1055 process", "layer protocol", "overview", "overview zenbox", "verdict", "next" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/e51c228a26775c378579778f9719c10daf06bd5f80086ca37ee8076c201dfbd1_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1774535157&Signature=FcGC7sWUVaOwcfXDiUYxSh1bbA5ygqMSjFVQFfBHehFc31tg99PjHjuAXS4iWqrv6bv%2BRUfe48IF7e5Sc06tkVRz3Mx%2B7ZE05Ujlm%2Bc%2FIgS5nk5TZWJ5Mg5zzNL1vUKcohtMdg4z7t7%2Biexq%2BwlaxRXlwJhEdBZiryXKKNDvxpXJVQEQgGFN%2FJeRXgFIpXMjM%2BCHlnOgFpZ0WgxiF2oyPIMa4mZWJeawvfMqDtv%2FiaQO%2BYSjLn" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 25, "URL": 35, "domain": 18, "hostname": 18 }, "indicator_count": 98, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "36 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69c5422de705001184788201", "name": "VirusTotal report\n for document.html", "description": "A full report of the 2015-16 edition of Firefox, published on 26 March, is published online by the Mozilla Foundation and is available to download at any time on the web or on desktop.", "modified": "2026-04-25T14:03:52.240000", "created": "2026-03-26T14:26:53.491000", "tags": [ "https", "mitre attack", "network info", "processes extra", "performs dns", "t1055 process", "layer protocol", "overview", "overview zenbox", "verdict", "next" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/e51c228a26775c378579778f9719c10daf06bd5f80086ca37ee8076c201dfbd1_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1774535157&Signature=FcGC7sWUVaOwcfXDiUYxSh1bbA5ygqMSjFVQFfBHehFc31tg99PjHjuAXS4iWqrv6bv%2BRUfe48IF7e5Sc06tkVRz3Mx%2B7ZE05Ujlm%2Bc%2FIgS5nk5TZWJ5Mg5zzNL1vUKcohtMdg4z7t7%2Biexq%2BwlaxRXlwJhEdBZiryXKKNDvxpXJVQEQgGFN%2FJeRXgFIpXMjM%2BCHlnOgFpZ0WgxiF2oyPIMa4mZWJeawvfMqDtv%2FiaQO%2BYSjLn" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 25, "URL": 35, "domain": 18, "hostname": 18 }, "indicator_count": 98, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "36 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69c5422ece04f4276f8e68c6", "name": "VirusTotal report\n for document.html", "description": "A full report of the 2015-16 edition of Firefox, published on 26 March, is published online by the Mozilla Foundation and is available to download at any time on the web or on desktop.", "modified": "2026-04-25T14:03:52.240000", "created": "2026-03-26T14:26:54.781000", "tags": [ "https", "mitre attack", "network info", "processes extra", "performs dns", "t1055 process", "layer protocol", "overview", "overview zenbox", "verdict", "next" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/e51c228a26775c378579778f9719c10daf06bd5f80086ca37ee8076c201dfbd1_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1774535157&Signature=FcGC7sWUVaOwcfXDiUYxSh1bbA5ygqMSjFVQFfBHehFc31tg99PjHjuAXS4iWqrv6bv%2BRUfe48IF7e5Sc06tkVRz3Mx%2B7ZE05Ujlm%2Bc%2FIgS5nk5TZWJ5Mg5zzNL1vUKcohtMdg4z7t7%2Biexq%2BwlaxRXlwJhEdBZiryXKKNDvxpXJVQEQgGFN%2FJeRXgFIpXMjM%2BCHlnOgFpZ0WgxiF2oyPIMa4mZWJeawvfMqDtv%2FiaQO%2BYSjLn" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 25, "URL": 35, "domain": 18, "hostname": 18 }, "indicator_count": 98, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "36 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "699c3b796fcaed878ca94c5c", "name": "https://m.vzw.com/wIvzrd8", "description": "the wizard", "modified": "2026-04-18T05:30:18.690000", "created": "2026-02-23T11:35:21.673000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1818, "hostname": 575, "URL": 200, "FileHash-SHA1": 450, "CIDR": 11, "domain": 887, "email": 7, "FileHash-MD5": 402, "CVE": 21 }, "indicator_count": 4371, "is_author": false, "is_subscribing": null, "subscriber_count": 66, "modified_text": "43 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "689ae28d66814f3c2cbf1791", "name": "Botnet Sinkhole | Potential WannaCry DNS Lookup", "description": "*iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com Botnet Sinkhole | Potential WannaCry DNSLookup. Targeting , Project Content Reputation. Backdoor:Win32/Fynloski \u2022\nWas [Win.Trojan.DarkKomet-1] now- [Worm:Win32/Mofksys.R!MTB] \u2022\nPotential WannaCry DNS lookup\nIllegal Content 20 + teen p0r\u0146 content sites for reputation abuse and or framing.\n| highjacked? URL\nhttps://archive.org/web/petabox.php |\n| cdn1.onlyteenporn.com |\n| http://onlyteenporn.com/go.php.php?link=top |\n| http://onlyteenporn.com/go.php?link= |\n\n#botnet #sinkhole #worm #trojan #injection #socialengineering #wannacry #dns #teen_porn #content_reputation #dumpsite #petabox #webarchive #photography", "modified": "2025-09-11T05:01:39.966000", "created": "2025-08-12T06:43:25.992000", "tags": [ "show process", "united", "command decode", "mitre att", "suricata ipv4", "ck id", "show technique", "ck matrix", "programfiles", "sha1", "date", "comspec", "class", "august", "hybrid", "general", "path", "model", "click", "strings", "meta", "body", "present jun", "present aug", "present may", "present apr", "present feb", "creation date", "worm", "search", "present jul", "error", "msil", "passive dns", "urls", "url add", "pulse pulses", "http", "hostname", "files domain", "files related", "pulses none", "related tags", "unknown ns", "ip address", "name servers", "status", "showing", "found title", "open ports", "backdoor", "hacktool", "entries", "next associated", "ipv4", "trojan", "domain", "authority", "record value", "script script", "cname", "script urls", "learn", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "ssl certificate", "execution att", "present mar", "mtb sep", "ransom", "win32", "gmt contenttype", "ipv4 add", "files", "location united", "development att", "extra data", "extraction", "please", "sc data", "type", "failed", "extr data", "ox sunnort", "include review", "exclude data", "sugges", "process32nextw", "observed dns", "query", "read c", "medium", "dns lookup", "msdos", "wannacry dns", "lookup", "wannacry", "delphi", "malware", "copy", "service", "explorer", "write", "darkcomet", "ping", "tools", "capture", "next" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1054", "name": "Indicator Blocking", "display_name": "T1054 - Indicator Blocking" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1089", "name": "Disabling Security Tools", "display_name": "T1089 - Disabling Security Tools" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 33, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 145, "FileHash-SHA1": 138, "FileHash-SHA256": 398, "SSLCertFingerprint": 12, "URL": 876, "domain": 136, "hostname": 216, "email": 3, "CVE": 1 }, "indicator_count": 1925, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "262 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "openlibrary.org", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "openlibrary.org", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780258604.9945645 }