{ "type": "Domain", "indicator": "pupypiv.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/pupypiv.com", "alexa": "http://www.alexa.com/siteinfo/pupypiv.com", "indicator": "pupypiv.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 144246828, "indicator": "pupypiv.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 41, "pulses": [ { "id": "63456c2a30b92337ea1670e0", "name": "IOC Records Provided by @NextRayAI", "description": "This IOC report provided and daily updated by NextRay AI Detection & Response Inc.", "modified": "2026-05-31T01:02:14", "created": "2022-10-11T13:14:18.676000", "tags": [ "Nextray", "cyber security", "ioc", "phishing", "malicious" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Turkey", "Ukraine", "Romania", "Czechia", "United Kingdom of Great Britain and Northern Ireland", "Norway", "Lithuania", "Estonia", "Latvia", "Poland", "Germany", "Canada", "France", "Denmark" ], "malware_families": [], "attack_ids": [], "industries": [ "Defense", "Industrial", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 1330, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "NextRay-AI", "id": "210822", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_210822/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 498917, "IPv4": 64343, "IPv6": 459, "hostname": 59385, "URL": 166783, "CIDR": 5266, "FileHash-MD5": 29699, "FileHash-SHA256": 50449, "CVE": 348, "email": 914, "Mutex": 49, "FileHash-SHA1": 3453, "FilePath": 34 }, "indicator_count": 880099, "is_author": false, "is_subscribing": null, "subscriber_count": 300, "modified_text": "22 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68705b9e13e074fa3c778902", "name": "check", "description": "", "modified": "2026-01-23T01:10:39.457000", "created": "2025-07-11T00:32:30.277000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 421, "FileHash-MD5": 25, "FileHash-SHA1": 22, "FileHash-SHA256": 133, "domain": 270, "hostname": 35 }, "indicator_count": 906, "is_author": false, "is_subscribing": null, "subscriber_count": 182, "modified_text": "128 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "688d5bab9ce44c4321064457", "name": "xloader", "description": "", "modified": "2026-01-12T23:06:55.682000", "created": "2025-08-02T00:28:27.331000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 388, "FileHash-MD5": 83, "FileHash-SHA1": 45, "FileHash-SHA256": 308, "domain": 392, "hostname": 107 }, "indicator_count": 1323, "is_author": false, "is_subscribing": null, "subscriber_count": 182, "modified_text": "139 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "688c8526be7a4df33863b5c5", "name": "VirusTotal - Shiz.ivr", "description": "*Win.Trojan.Shiz.ivr\n*PWS:Win32/Simda.D\n*virtool #injection#infostealer #network #cnc #block_not #virustotal_google #cnc #checking #procmem_yara\n#injection_inter_process\n#injection_create_remote_thread\n#antidebug_windows\n#multiple_useragents\n#network_fake_useragent\n#persistence_autorun\n#cape_detected_threat\n#antiav_detectfile\n#modify_proxy\n#deletes_self\n#infostealer_cookies\n#injection_createremotethread\n#suricata_alert\n~ vashti", "modified": "2025-08-31T08:01:04.297000", "created": "2025-08-01T09:13:10.510000", "tags": [ "dynamicloader", "unknown", "msie", "windows nt", "slcc2", "media center", "suspicious", "search", "high", "show", "copy", "possible", "write", "internal", "malware", "push", "local", "next", "contacted", "domains", "pulses", "related tags", "file type", "date april", "pm size", "sha1 sha256", "imphash pehash", "virustotal api", "bq jul", "united", "trojan", "backdoor", "virtool", "cnc beacon", "entries", "path max", "passive dns", "next associated", "cookie", "twitter", "body", "date", "medium", "simda", "global" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 10303, "hostname": 1413, "FileHash-SHA256": 1868, "domain": 1877, "FileHash-MD5": 357, "FileHash-SHA1": 348, "SSLCertFingerprint": 2 }, "indicator_count": 16168, "is_author": false, "is_subscribing": null, "subscriber_count": 149, "modified_text": "273 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "5daf09a6d16f1e2c5c594c22", "name": "Simda - Malware Domain Feed V2", "description": "Command and Control domains for malware known as Simda. These domains are extracted from malware sandbox reports using a Machine Learning model trained on a corpus of good and bad domains.", "modified": "2025-07-15T21:13:57.066000", "created": "2019-10-22T13:52:38.770000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 33, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "otxrobottwo", "id": "78495", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_78495/resized/80/avatar_ba5a8acdbd.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 209, "hostname": 5 }, "indicator_count": 214, "is_author": false, "is_subscribing": null, "subscriber_count": 1085, "modified_text": "320 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6786a59af06fee17c8decf9d", "name": "netcfg", "description": "000ceafd276003f46d06828bb0459b3ccdc2b44013a313b69d6270a224199034", "modified": "2025-05-31T02:36:52.299000", "created": "2025-01-14T17:57:46.687000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 222, "domain": 216, "hostname": 4, "FileHash-SHA256": 1 }, "indicator_count": 443, "is_author": false, "is_subscribing": null, "subscriber_count": 182, "modified_text": "365 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67fb185eb96e9791cf24ced4", "name": "Shiz/Packy", "description": "", "modified": "2025-05-13T01:03:15.390000", "created": "2025-04-13T01:50:22.707000", "tags": [], "references": [ "https://www.virustotal.com/graph/gf9fb2090ae8e450dadda45c0596ab774ed1984e89aab4679bc3fc02096e22fa3" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 26, "URL": 191, "domain": 344, "hostname": 2 }, "indicator_count": 563, "is_author": false, "is_subscribing": null, "subscriber_count": 182, "modified_text": "383 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "678349edca4868e4cf8b298b", "name": "tfdbpg", "description": "0000121f09166c3e1e001b833301977f3f9461f756b46818e1acf377edb2454f", "modified": "2025-01-12T04:49:49.365000", "created": "2025-01-12T04:49:49.365000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 237, "domain": 228, "hostname": 8, "FileHash-SHA256": 1 }, "indicator_count": 474, "is_author": false, "is_subscribing": null, "subscriber_count": 182, "modified_text": "504 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65d34c8a64436a7aee2e25a1", "name": "Locky: File Deletion targeting incriminating archived files.", "description": "redhatdelete.com : Adversaries are deleting files in bulk from Virustotal, otx AlienVault, WebArchive, Perma.cc Urlscan.io, Archive.Today, Archive.ph, iCloud, apple data, photo deletion.\nVarious ransomware used. iOS service modified, cloud encrypted by adversary. Indicator point to a target with a zombie device. An iPhone and potentially other devices were targeted in a specific attack. | Locky Ransomware is a piece of malware that encrypts important files on your device, rendering them inaccessible and unusable.", "modified": "2024-03-20T12:00:39.809000", "created": "2024-02-19T12:41:46.707000", "tags": [ "it consultant", "uk collection", "dns intel", "ips collection", "suspicous ip", "whois file", "cname", "record type", "ttl value", "algorithm", "v3 serial", "number", "cus cnr3", "olet", "subject public", "key info", "key algorithm", "key identifier", "whois lookup", "region create", "domain", "name server", "registrant name", "technical city", "region update", "united", "command decode", "mitre att", "suricata ipv4", "windows nt", "win64", "khtml", "gecko", "ck id", "cookie", "meta", "february", "hybrid", "general", "click", "strings", "contact", "threat analyzer", "threat", "paste", "iocs", "urls http", "dns replication", "code", "namecheap", "registrar abuse", "namecheap inc", "privacy service", "withheld", "privacy", "dnssec", "email", "first", "bodis", "unknown", "creation date", "search", "emails", "as397240", "date", "next", "all octoseek", "threat roundup", "january", "june", "historical ssl", "referrer", "contacted", "group", "execution", "phishing", "malware", "core", "malicious", "dark power", "play ransomware", "pe32", "intel", "ms windows", "win32 dynamic", "link library", "win16 ne", "icons library", "os2 executable", "pe32 linker", "gnu linker", "compiler", "info header", "name md5", "overlay", "passive dns", "entries", "ipv4", "pulse pulses", "urls", "files", "trojan", "location united", "query", "activity dns", "observed dns", "msie", "high", "copy", "write", "win32", "hashes", "host interaction", "sabey type", "hallrender", "brian sabey", "memory pattern", "http requests", "http method", "get response", "dns resolutions", "ip traffic", "domains", "mutex", "samplepath", "created", "shell commands", "r processes", "tree", "analyze", "hostnames", "url https", "samples", "hostname", "pattern urls", "memory", "pattern", "pattern domains", "roundup", "formbook", "mirai", "ben c", "injection", "server", "scan endpoints", "show", "august", "bq feb", "chrome", "precondition", "virtool", "downloadmr", "body", "status", "servers", "record value", "name servers", "showing", "mailrubar", "trojanclicker", "slcc2", "media center", "delete c", "malware beacon", "suspicious", "class", "internal", "local", "encrypt", "as15169 google", "gmt cache", "twitter", "rostpay", "date hash", "avast avg", "mtb may", "susp", "cryp", "win32upatre may", "mtb showing", "lowfi", "aaaa", "win32pcmega jan", "urlshortner dec", "urlshortner sep", "as133618", "nxdomain", "as133775 xiamen", "germany unknown", "webtoolbar", "nanocore rat", "gamehack", "cobalt strike", "whois record", "ssl certificate", "tsara brashears", "resolutions", "critical risk", "apple phone", "unlocker", "shell code", "installer", "ursnif", "hacktool", "emotet", "tracker", "chaos", "ransomexx", "xor ddos", "xorddos", "mitre attack", "parent domain", "urls url", "siblings", "metro", "communicating", "collection", "dropped", "skynet", "youth", "com laude", "ltd dba", "utc submissions", "submitters", "cloudflarenet", "akamaias", "digitaloceanasn", "csc corporate", "pt mora", "univjos", "etisalat misr", "acurix networks", "pty ltd", "beijing baidu", "highly targeted", "http", "network hijacks", "redline stealer", "whois sslcert", "contacted urls", "whois whois", "september", "hidden cobra", "threats", "kimsuky", "service", "read c", "create c", "write c", "regsetvalueexa", "mozilla", "capture", "asnone", "domain http", "request", "malware dns", "lookup wannacry", "default", "ransom", "push", "playgame", "command", "email document", "exploit domain", "owner exploit", "kit exploit", "source file", "hacking tools", "hunting macro", "malware hosting", "memory scanning", "yara detections", "debug", "icmp traffic", "pdb path", "pe section", "low software", "packing t1045", "ransomware", "egregor", "find", "false", "psexec", "powershell", "qakbot", "qbot", "icedid" ], "references": [ "redhatdelete.com", "Mutexes Opened {0C8E6D89-EA51-848A-7775-6C2CC072CA88}", "explorer.exe \u2022 Explorer.EXE \u2022\tupnaneat-xex.exe \u2022 akgibik.exe \u2022 wmiadap.exe \u2022 wmiprvse.exe \u2022 winlogon.exe \u2022 tmpo3rfa1vg.exe", "https://otx.alienvault.com/indicator/file/f58f360a1f6b5e3e28fa64dd88ec2c9893f2f1d290f4a8cf67ac49952e32cc60", "Trojan-Ransom.Win32.Blocker.jgb Checkin", "https://otx.alienvault.com/indicator/file/000ad3f22cedbd36e425ca046b2aa0c228754b6fd94d30105ad9343ad9742695" ], "public": 1, "adversary": "", "targeted_countries": [ "Australia", "United States of America" ], "malware_families": [ { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Trojan-Ransom.Win32.Blocker.jgb Checkin", "display_name": "Trojan-Ransom.Win32.Blocker.jgb Checkin", "target": null }, { "id": "Rostpay", "display_name": "Rostpay", "target": null }, { "id": "VirTool", "display_name": "VirTool", "target": null }, { "id": "Mitre Attack", "display_name": "Mitre Attack", "target": null }, { "id": "Chaos (ELF)", "display_name": "Chaos (ELF)", "target": null }, { "id": "TrojanDropper:Win32/GameHack", "display_name": "TrojanDropper:Win32/GameHack", "target": "/malware/TrojanDropper:Win32/GameHack" }, { "id": "Win.Ransomware.Locky-7766366-0", "display_name": "Win.Ransomware.Locky-7766366-0", "target": null }, { "id": "Ransom:Win32/WannaCrypt.A!rsm", "display_name": "Ransom:Win32/WannaCrypt.A!rsm", "target": "/malware/Ransom:Win32/WannaCrypt.A!rsm" }, { "id": "ALF:E5.SpikeAex.rhh_pid", "display_name": "ALF:E5.SpikeAex.rhh_pid", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "TA0034", "name": "Impact", "display_name": "TA0034 - Impact" }, { "id": "TA0040", "name": "Impact", "display_name": "TA0040 - Impact" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1107", "name": "File Deletion", "display_name": "T1107 - File Deletion" }, { "id": "T1563", "name": "Remote Service Session Hijacking", "display_name": "T1563 - Remote Service Session Hijacking" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 65, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1848, "FileHash-SHA1": 1783, "FileHash-SHA256": 7170, "domain": 1649, "hostname": 1191, "email": 9, "URL": 729, "CVE": 2, "SSLCertFingerprint": 2, "CIDR": 1 }, "indicator_count": 14384, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "802 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65d34c91868744aa1449fef2", "name": "Locky: File Deletion targeting incriminating archived files.", "description": "redhatdelete.com : Adversaries are deleting files in bulk from Virustotal, otx AlienVault, WebArchive, Perma.cc Urlscan.io, Archive.Today, Archive.ph, iCloud, apple data, photo deletion.\nVarious ransomware used. iOS service modified, cloud encrypted by adversary. Indicator point to a target with a zombie device. An iPhone and potentially other devices were targeted in a specific attack. | Locky Ransomware is a piece of malware that encrypts important files on your device, rendering them inaccessible and unusable.", "modified": "2024-03-20T12:00:39.809000", "created": "2024-02-19T12:41:52.846000", "tags": [ "it consultant", "uk collection", "dns intel", "ips collection", "suspicous ip", "whois file", "cname", "record type", "ttl value", "algorithm", "v3 serial", "number", "cus cnr3", "olet", "subject public", "key info", "key algorithm", "key identifier", "whois lookup", "region create", "domain", "name server", "registrant name", "technical city", "region update", "united", "command decode", "mitre att", "suricata ipv4", "windows nt", "win64", "khtml", "gecko", "ck id", "cookie", "meta", "february", "hybrid", "general", "click", "strings", "contact", "threat analyzer", "threat", "paste", "iocs", "urls http", "dns replication", "code", "namecheap", "registrar abuse", "namecheap inc", "privacy service", "withheld", "privacy", "dnssec", "email", "first", "bodis", "unknown", "creation date", "search", "emails", "as397240", "date", "next", "all octoseek", "threat roundup", "january", "june", "historical ssl", "referrer", "contacted", "group", "execution", "phishing", "malware", "core", "malicious", "dark power", "play ransomware", "pe32", "intel", "ms windows", "win32 dynamic", "link library", "win16 ne", "icons library", "os2 executable", "pe32 linker", "gnu linker", "compiler", "info header", "name md5", "overlay", "passive dns", "entries", "ipv4", "pulse pulses", "urls", "files", "trojan", "location united", "query", "activity dns", "observed dns", "msie", "high", "copy", "write", "win32", "hashes", "host interaction", "sabey type", "hallrender", "brian sabey", "memory pattern", "http requests", "http method", "get response", "dns resolutions", "ip traffic", "domains", "mutex", "samplepath", "created", "shell commands", "r processes", "tree", "analyze", "hostnames", "url https", "samples", "hostname", "pattern urls", "memory", "pattern", "pattern domains", "roundup", "formbook", "mirai", "ben c", "injection", "server", "scan endpoints", "show", "august", "bq feb", "chrome", "precondition", "virtool", "downloadmr", "body", "status", "servers", "record value", "name servers", "showing", "mailrubar", "trojanclicker", "slcc2", "media center", "delete c", "malware beacon", "suspicious", "class", "internal", "local", "encrypt", "as15169 google", "gmt cache", "twitter", "rostpay", "date hash", "avast avg", "mtb may", "susp", "cryp", "win32upatre may", "mtb showing", "lowfi", "aaaa", "win32pcmega jan", "urlshortner dec", "urlshortner sep", "as133618", "nxdomain", "as133775 xiamen", "germany unknown", "webtoolbar", "nanocore rat", "gamehack", "cobalt strike", "whois record", "ssl certificate", "tsara brashears", "resolutions", "critical risk", "apple phone", "unlocker", "shell code", "installer", "ursnif", "hacktool", "emotet", "tracker", "chaos", "ransomexx", "xor ddos", "xorddos", "mitre attack", "parent domain", "urls url", "siblings", "metro", "communicating", "collection", "dropped", "skynet", "youth", "com laude", "ltd dba", "utc submissions", "submitters", "cloudflarenet", "akamaias", "digitaloceanasn", "csc corporate", "pt mora", "univjos", "etisalat misr", "acurix networks", "pty ltd", "beijing baidu", "highly targeted", "http", "network hijacks", "redline stealer", "whois sslcert", "contacted urls", "whois whois", "september", "hidden cobra", "threats", "kimsuky", "service", "read c", "create c", "write c", "regsetvalueexa", "mozilla", "capture", "asnone", "domain http", "request", "malware dns", "lookup wannacry", "default", "ransom", "push", "playgame", "command", "email document", "exploit domain", "owner exploit", "kit exploit", "source file", "hacking tools", "hunting macro", "malware hosting", "memory scanning", "yara detections", "debug", "icmp traffic", "pdb path", "pe section", "low software", "packing t1045", "ransomware", "egregor", "find", "false", "psexec", "powershell", "qakbot", "qbot", "icedid" ], "references": [ "redhatdelete.com", "Mutexes Opened {0C8E6D89-EA51-848A-7775-6C2CC072CA88}", "explorer.exe \u2022 Explorer.EXE \u2022\tupnaneat-xex.exe \u2022 akgibik.exe \u2022 wmiadap.exe \u2022 wmiprvse.exe \u2022 winlogon.exe \u2022 tmpo3rfa1vg.exe", "https://otx.alienvault.com/indicator/file/f58f360a1f6b5e3e28fa64dd88ec2c9893f2f1d290f4a8cf67ac49952e32cc60", "Trojan-Ransom.Win32.Blocker.jgb Checkin", "https://otx.alienvault.com/indicator/file/000ad3f22cedbd36e425ca046b2aa0c228754b6fd94d30105ad9343ad9742695" ], "public": 1, "adversary": "", "targeted_countries": [ "Australia", "United States of America" ], "malware_families": [ { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Trojan-Ransom.Win32.Blocker.jgb Checkin", "display_name": "Trojan-Ransom.Win32.Blocker.jgb Checkin", "target": null }, { "id": "Rostpay", "display_name": "Rostpay", "target": null }, { "id": "VirTool", "display_name": "VirTool", "target": null }, { "id": "Mitre Attack", "display_name": "Mitre Attack", "target": null }, { "id": "Chaos (ELF)", "display_name": "Chaos (ELF)", "target": null }, { "id": "TrojanDropper:Win32/GameHack", "display_name": "TrojanDropper:Win32/GameHack", "target": "/malware/TrojanDropper:Win32/GameHack" }, { "id": "Win.Ransomware.Locky-7766366-0", "display_name": "Win.Ransomware.Locky-7766366-0", "target": null }, { "id": "Ransom:Win32/WannaCrypt.A!rsm", "display_name": "Ransom:Win32/WannaCrypt.A!rsm", "target": "/malware/Ransom:Win32/WannaCrypt.A!rsm" }, { "id": "ALF:E5.SpikeAex.rhh_pid", "display_name": "ALF:E5.SpikeAex.rhh_pid", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "TA0034", "name": "Impact", "display_name": "TA0034 - Impact" }, { "id": "TA0040", "name": "Impact", "display_name": "TA0040 - Impact" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1107", "name": "File Deletion", "display_name": "T1107 - File Deletion" }, { "id": "T1563", "name": "Remote Service Session Hijacking", "display_name": "T1563 - Remote Service Session Hijacking" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 57, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1848, "FileHash-SHA1": 1783, "FileHash-SHA256": 7170, "domain": 1649, "hostname": 1191, "email": 9, "URL": 729, "CVE": 2, "SSLCertFingerprint": 2, "CIDR": 1 }, "indicator_count": 14384, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "802 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65d3acf32e1088e76165a307", "name": "Locky: File Deletion targeting incriminating archived files.", "description": "", "modified": "2024-03-20T12:00:39.809000", "created": "2024-02-19T19:33:07.504000", "tags": [ "it consultant", "uk collection", "dns intel", "ips collection", "suspicous ip", "whois file", "cname", "record type", "ttl value", "algorithm", "v3 serial", "number", "cus cnr3", "olet", "subject public", "key info", "key algorithm", "key identifier", "whois lookup", "region create", "domain", "name server", "registrant name", "technical city", "region update", "united", "command decode", "mitre att", "suricata ipv4", "windows nt", "win64", "khtml", "gecko", "ck id", "cookie", "meta", "february", "hybrid", "general", "click", "strings", "contact", "threat analyzer", "threat", "paste", "iocs", "urls http", "dns replication", "code", "namecheap", "registrar abuse", "namecheap inc", "privacy service", "withheld", "privacy", "dnssec", "email", "first", "bodis", "unknown", "creation date", "search", "emails", "as397240", "date", "next", "all octoseek", "threat roundup", "january", "june", "historical ssl", "referrer", "contacted", "group", "execution", "phishing", "malware", "core", "malicious", "dark power", "play ransomware", "pe32", "intel", "ms windows", "win32 dynamic", "link library", "win16 ne", "icons library", "os2 executable", "pe32 linker", "gnu linker", "compiler", "info header", "name md5", "overlay", "passive dns", "entries", "ipv4", "pulse pulses", "urls", "files", "trojan", "location united", "query", "activity dns", "observed dns", "msie", "high", "copy", "write", "win32", "hashes", "host interaction", "sabey type", "hallrender", "brian sabey", "memory pattern", "http requests", "http method", "get response", "dns resolutions", "ip traffic", "domains", "mutex", "samplepath", "created", "shell commands", "r processes", "tree", "analyze", "hostnames", "url https", "samples", "hostname", "pattern urls", "memory", "pattern", "pattern domains", "roundup", "formbook", "mirai", "ben c", "injection", "server", "scan endpoints", "show", "august", "bq feb", "chrome", "precondition", "virtool", "downloadmr", "body", "status", "servers", "record value", "name servers", "showing", "mailrubar", "trojanclicker", "slcc2", "media center", "delete c", "malware beacon", "suspicious", "class", "internal", "local", "encrypt", "as15169 google", "gmt cache", "twitter", "rostpay", "date hash", "avast avg", "mtb may", "susp", "cryp", "win32upatre may", "mtb showing", "lowfi", "aaaa", "win32pcmega jan", "urlshortner dec", "urlshortner sep", "as133618", "nxdomain", "as133775 xiamen", "germany unknown", "webtoolbar", "nanocore rat", "gamehack", "cobalt strike", "whois record", "ssl certificate", "tsara brashears", "resolutions", "critical risk", "apple phone", "unlocker", "shell code", "installer", "ursnif", "hacktool", "emotet", "tracker", "chaos", "ransomexx", "xor ddos", "xorddos", "mitre attack", "parent domain", "urls url", "siblings", "metro", "communicating", "collection", "dropped", "skynet", "youth", "com laude", "ltd dba", "utc submissions", "submitters", "cloudflarenet", "akamaias", "digitaloceanasn", "csc corporate", "pt mora", "univjos", "etisalat misr", "acurix networks", "pty ltd", "beijing baidu", "highly targeted", "http", "network hijacks", "redline stealer", "whois sslcert", "contacted urls", "whois whois", "september", "hidden cobra", "threats", "kimsuky", "service", "read c", "create c", "write c", "regsetvalueexa", "mozilla", "capture", "asnone", "domain http", "request", "malware dns", "lookup wannacry", "default", "ransom", "push", "playgame", "command", "email document", "exploit domain", "owner exploit", "kit exploit", "source file", "hacking tools", "hunting macro", "malware hosting", "memory scanning", "yara detections", "debug", "icmp traffic", "pdb path", "pe section", "low software", "packing t1045", "ransomware", "egregor", "find", "false", "psexec", "powershell", "qakbot", "qbot", "icedid" ], "references": [ "redhatdelete.com", "Mutexes Opened {0C8E6D89-EA51-848A-7775-6C2CC072CA88}", "explorer.exe \u2022 Explorer.EXE \u2022\tupnaneat-xex.exe \u2022 akgibik.exe \u2022 wmiadap.exe \u2022 wmiprvse.exe \u2022 winlogon.exe \u2022 tmpo3rfa1vg.exe", "https://otx.alienvault.com/indicator/file/f58f360a1f6b5e3e28fa64dd88ec2c9893f2f1d290f4a8cf67ac49952e32cc60", "Trojan-Ransom.Win32.Blocker.jgb Checkin", "https://otx.alienvault.com/indicator/file/000ad3f22cedbd36e425ca046b2aa0c228754b6fd94d30105ad9343ad9742695" ], "public": 1, "adversary": "", "targeted_countries": [ "Australia", "United States of America" ], "malware_families": [ { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Trojan-Ransom.Win32.Blocker.jgb Checkin", "display_name": "Trojan-Ransom.Win32.Blocker.jgb Checkin", "target": null }, { "id": "Rostpay", "display_name": "Rostpay", "target": null }, { "id": "VirTool", "display_name": "VirTool", "target": null }, { "id": "Mitre Attack", "display_name": "Mitre Attack", "target": null }, { "id": "Chaos (ELF)", "display_name": "Chaos (ELF)", "target": null }, { "id": "TrojanDropper:Win32/GameHack", "display_name": "TrojanDropper:Win32/GameHack", "target": "/malware/TrojanDropper:Win32/GameHack" }, { "id": "Win.Ransomware.Locky-7766366-0", "display_name": "Win.Ransomware.Locky-7766366-0", "target": null }, { "id": "Ransom:Win32/WannaCrypt.A!rsm", "display_name": "Ransom:Win32/WannaCrypt.A!rsm", "target": "/malware/Ransom:Win32/WannaCrypt.A!rsm" }, { "id": "ALF:E5.SpikeAex.rhh_pid", "display_name": "ALF:E5.SpikeAex.rhh_pid", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "TA0034", "name": "Impact", "display_name": "TA0034 - Impact" }, { "id": "TA0040", "name": "Impact", "display_name": "TA0040 - Impact" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1107", "name": "File Deletion", "display_name": "T1107 - File Deletion" }, { "id": "T1563", "name": "Remote Service Session Hijacking", "display_name": "T1563 - Remote Service Session Hijacking" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" } ], "industries": [], "TLP": "green", "cloned_from": "65d34c91868744aa1449fef2", "export_count": 64, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1848, "FileHash-SHA1": 1783, "FileHash-SHA256": 7170, "domain": 1649, "hostname": 1191, "email": 9, "URL": 729, "CVE": 2, "SSLCertFingerprint": 2, "CIDR": 1 }, "indicator_count": 14384, "is_author": false, "is_subscribing": null, "subscriber_count": 234, "modified_text": "802 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65d3c31230455f6d8da3a9f0", "name": "Locky: File Deletion targeting incriminating archived files II", "description": "", "modified": "2024-03-20T12:00:39.809000", "created": "2024-02-19T21:07:30.887000", "tags": [ "it consultant", "uk collection", "dns intel", "ips collection", "suspicous ip", "whois file", "cname", "record type", "ttl value", "algorithm", "v3 serial", "number", "cus cnr3", "olet", "subject public", "key info", "key algorithm", "key identifier", "whois lookup", "region create", "domain", "name server", "registrant name", "technical city", "region update", "united", "command decode", "mitre att", "suricata ipv4", "windows nt", "win64", "khtml", "gecko", "ck id", "cookie", "meta", "february", "hybrid", "general", "click", "strings", "contact", "threat analyzer", "threat", "paste", "iocs", "urls http", "dns replication", "code", "namecheap", "registrar abuse", "namecheap inc", "privacy service", "withheld", "privacy", "dnssec", "email", "first", "bodis", "unknown", "creation date", "search", "emails", "as397240", "date", "next", "all octoseek", "threat roundup", "january", "june", "historical ssl", "referrer", "contacted", "group", "execution", "phishing", "malware", "core", "malicious", "dark power", "play ransomware", "pe32", "intel", "ms windows", "win32 dynamic", "link library", "win16 ne", "icons library", "os2 executable", "pe32 linker", "gnu linker", "compiler", "info header", "name md5", "overlay", "passive dns", "entries", "ipv4", "pulse pulses", "urls", "files", "trojan", "location united", "query", "activity dns", "observed dns", "msie", "high", "copy", "write", "win32", "hashes", "host interaction", "sabey type", "hallrender", "brian sabey", "memory pattern", "http requests", "http method", "get response", "dns resolutions", "ip traffic", "domains", "mutex", "samplepath", "created", "shell commands", "r processes", "tree", "analyze", "hostnames", "url https", "samples", "hostname", "pattern urls", "memory", "pattern", "pattern domains", "roundup", "formbook", "mirai", "ben c", "injection", "server", "scan endpoints", "show", "august", "bq feb", "chrome", "precondition", "virtool", "downloadmr", "body", "status", "servers", "record value", "name servers", "showing", "mailrubar", "trojanclicker", "slcc2", "media center", "delete c", "malware beacon", "suspicious", "class", "internal", "local", "encrypt", "as15169 google", "gmt cache", "twitter", "rostpay", "date hash", "avast avg", "mtb may", "susp", "cryp", "win32upatre may", "mtb showing", "lowfi", "aaaa", "win32pcmega jan", "urlshortner dec", "urlshortner sep", "as133618", "nxdomain", "as133775 xiamen", "germany unknown", "webtoolbar", "nanocore rat", "gamehack", "cobalt strike", "whois record", "ssl certificate", "tsara brashears", "resolutions", "critical risk", "apple phone", "unlocker", "shell code", "installer", "ursnif", "hacktool", "emotet", "tracker", "chaos", "ransomexx", "xor ddos", "xorddos", "mitre attack", "parent domain", "urls url", "siblings", "metro", "communicating", "collection", "dropped", "skynet", "youth", "com laude", "ltd dba", "utc submissions", "submitters", "cloudflarenet", "akamaias", "digitaloceanasn", "csc corporate", "pt mora", "univjos", "etisalat misr", "acurix networks", "pty ltd", "beijing baidu", "highly targeted", "http", "network hijacks", "redline stealer", "whois sslcert", "contacted urls", "whois whois", "september", "hidden cobra", "threats", "kimsuky", "service", "read c", "create c", "write c", "regsetvalueexa", "mozilla", "capture", "asnone", "domain http", "request", "malware dns", "lookup wannacry", "default", "ransom", "push", "playgame", "command", "email document", "exploit domain", "owner exploit", "kit exploit", "source file", "hacking tools", "hunting macro", "malware hosting", "memory scanning", "yara detections", "debug", "icmp traffic", "pdb path", "pe section", "low software", "packing t1045", "ransomware", "egregor", "find", "false", "psexec", "powershell", "qakbot", "qbot", "icedid" ], "references": [ "redhatdelete.com", "Mutexes Opened {0C8E6D89-EA51-848A-7775-6C2CC072CA88}", "explorer.exe \u2022 Explorer.EXE \u2022\tupnaneat-xex.exe \u2022 akgibik.exe \u2022 wmiadap.exe \u2022 wmiprvse.exe \u2022 winlogon.exe \u2022 tmpo3rfa1vg.exe", "https://otx.alienvault.com/indicator/file/f58f360a1f6b5e3e28fa64dd88ec2c9893f2f1d290f4a8cf67ac49952e32cc60", "Trojan-Ransom.Win32.Blocker.jgb Checkin", "https://otx.alienvault.com/indicator/file/000ad3f22cedbd36e425ca046b2aa0c228754b6fd94d30105ad9343ad9742695" ], "public": 1, "adversary": "", "targeted_countries": [ "Australia", "United States of America" ], "malware_families": [ { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Trojan-Ransom.Win32.Blocker.jgb Checkin", "display_name": "Trojan-Ransom.Win32.Blocker.jgb Checkin", "target": null }, { "id": "Rostpay", "display_name": "Rostpay", "target": null }, { "id": "VirTool", "display_name": "VirTool", "target": null }, { "id": "Mitre Attack", "display_name": "Mitre Attack", "target": null }, { "id": "Chaos (ELF)", "display_name": "Chaos (ELF)", "target": null }, { "id": "TrojanDropper:Win32/GameHack", "display_name": "TrojanDropper:Win32/GameHack", "target": "/malware/TrojanDropper:Win32/GameHack" }, { "id": "Win.Ransomware.Locky-7766366-0", "display_name": "Win.Ransomware.Locky-7766366-0", "target": null }, { "id": "Ransom:Win32/WannaCrypt.A!rsm", "display_name": "Ransom:Win32/WannaCrypt.A!rsm", "target": "/malware/Ransom:Win32/WannaCrypt.A!rsm" }, { "id": "ALF:E5.SpikeAex.rhh_pid", "display_name": "ALF:E5.SpikeAex.rhh_pid", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "TA0034", "name": "Impact", "display_name": "TA0034 - Impact" }, { "id": "TA0040", "name": "Impact", "display_name": "TA0040 - Impact" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1107", "name": "File Deletion", "display_name": "T1107 - File Deletion" }, { "id": "T1563", "name": "Remote Service Session Hijacking", "display_name": "T1563 - Remote Service Session Hijacking" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" } ], "industries": [], "TLP": "green", "cloned_from": "65d34c8a64436a7aee2e25a1", "export_count": 73, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Enqrypted", "id": "272105", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_272105/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1848, "FileHash-SHA1": 1783, "FileHash-SHA256": 7170, "domain": 1649, "hostname": 1191, "email": 9, "URL": 729, "CVE": 2, "SSLCertFingerprint": 2, "CIDR": 1 }, "indicator_count": 14384, "is_author": false, "is_subscribing": null, "subscriber_count": 62, "modified_text": "802 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65f5828f8217ecbe6ce3a89b", "name": "IOCs Industriales", "description": "", "modified": "2024-03-16T11:29:19.302000", "created": "2024-03-16T11:29:19.302000", "tags": [ "Nextray", "cyber security", "ioc", "phishing", "malicious" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Turkey", "Ukraine", "Romania", "Czechia", "United Kingdom of Great Britain and Northern Ireland", "Norway", "Lithuania", "Estonia", "Latvia", "Poland", "Germany", "Canada", "France", "Denmark" ], "malware_families": [], "attack_ids": [], "industries": [ "Defense", "Industrial", "Government" ], "TLP": "white", "cloned_from": "63456c2a30b92337ea1670e0", "export_count": 81, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dtatov00", "id": "256758", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 493080, "IPv4": 3458, "IPv6": 519, "hostname": 41105, "URL": 155223, "CIDR": 5266 }, "indicator_count": 698651, "is_author": false, "is_subscribing": null, "subscriber_count": 57, "modified_text": "806 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65f5827a4e23b095e5af5f44", "name": "IOCs Industriales", "description": "", "modified": "2024-03-16T11:28:58.984000", "created": "2024-03-16T11:28:58.984000", "tags": [ "Nextray", "cyber security", "ioc", "phishing", "malicious" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Turkey", "Ukraine", "Romania", "Czechia", "United Kingdom of Great Britain and Northern Ireland", "Norway", "Lithuania", "Estonia", "Latvia", "Poland", "Germany", "Canada", "France", "Denmark" ], "malware_families": [], "attack_ids": [], "industries": [ "Defense", "Industrial", "Government" ], "TLP": "white", "cloned_from": "63456c2a30b92337ea1670e0", "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dtatov00", "id": "256758", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 493080, "IPv4": 3458, "IPv6": 519, "hostname": 41105, "URL": 155223, "CIDR": 5266 }, "indicator_count": 698651, "is_author": false, "is_subscribing": null, "subscriber_count": 50, "modified_text": "806 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65f582700d35b0e7c8dd9df8", "name": "IOCs Industriales", "description": "", "modified": "2024-03-16T11:28:48.062000", "created": "2024-03-16T11:28:48.062000", "tags": [ "Nextray", "cyber security", "ioc", "phishing", "malicious" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Turkey", "Ukraine", "Romania", "Czechia", "United Kingdom of Great Britain and Northern Ireland", "Norway", "Lithuania", "Estonia", "Latvia", "Poland", "Germany", "Canada", "France", "Denmark" ], "malware_families": [], "attack_ids": [], "industries": [ "Defense", "Industrial", "Government" ], "TLP": "white", "cloned_from": "63456c2a30b92337ea1670e0", "export_count": 28, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dtatov00", "id": "256758", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 493080, "IPv4": 3458, "IPv6": 519, "hostname": 41105, "URL": 155223, "CIDR": 5266 }, "indicator_count": 698651, "is_author": false, "is_subscribing": null, "subscriber_count": 50, "modified_text": "806 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65f5823b9d7bc6b422256296", "name": "IOCs Industriales", "description": "", "modified": "2024-03-16T11:27:55.808000", "created": "2024-03-16T11:27:55.808000", "tags": [ "Nextray", "cyber security", "ioc", "phishing", "malicious" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Turkey", "Ukraine", "Romania", "Czechia", "United Kingdom of Great Britain and Northern Ireland", "Norway", "Lithuania", "Estonia", "Latvia", "Poland", "Germany", "Canada", "France", "Denmark" ], "malware_families": [], "attack_ids": [], "industries": [ "Defense", "Industrial", "Government" ], "TLP": "white", "cloned_from": "63456c2a30b92337ea1670e0", "export_count": 28, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dtatov00", "id": "256758", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 493080, "IPv4": 3458, "IPv6": 519, "hostname": 41105, "URL": 155223, "CIDR": 5266 }, "indicator_count": 698651, "is_author": false, "is_subscribing": null, "subscriber_count": 45, "modified_text": "806 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "659560d63178b32f07838efb", "name": "Covert | Big O Tires active cyber threat | Dark Power | Emotet|", "description": "Active, ongoing cyber threat, multiple malicious activities including, network rat, ransomware encryption, social engineering, spammers, infostealer, botnet activity.\nConsumers may also be contacted by mail or phone or find account seized. I haven't benn able to properly access the magnitude of the issue, there has been at least a handful of customers in good standing , with higher limits on paid of cards that ended up being stolen or according to Big O Representatives 'closed' for unfounded reasons; failure to confirm citizenship, identity, unknown patriot act offences, failure to comply Big O Tires via mail.", "modified": "2024-02-02T12:04:41.638000", "created": "2024-01-03T13:27:50.685000", "tags": [ "ioc search", "new ioc", "teams api", "contact", "threat analyzer", "threat", "paste", "iocs", "hostnames", "urls https", "http response", "final url", "ip address", "status code", "body length", "kb body", "sha256", "unsafeeval", "path", "expiressat", "auto", "wheels online", "o tires", "shop tires", "html info", "title shop", "tires", "meta tags", "big o", "tires language", "name verdict", "falcon sandbox", "samples", "localappdata", "json data", "temp", "getprocaddress", "ascii text", "windir", "file", "indicator", "mitre att", "ck id", "factory", "hybrid", "model", "comspec", "ssl certificate", "whois record", "execution", "contacted", "historical ssl", "whois whois", "simda http", "collections", "historical", "dropped", "backdoor", "unknown", "united", "asnone", "show", "entries", "search", "intel", "ms windows", "pe32", "windows nt", "copy", "write", "logic", "download", "malware", "suspicious", "next", "destination", "port", "components", "globalnpf", "china as23724", "music", "data c", "mexico", "as15169 google", "passive dns", "scan endpoints", "all octoseek", "ipv4", "pulse pulses", "urls", "files", "win32", "united kingdom", "explorer", "xserver", "mtb aug", "location united", "america asn", "open", "trojan", "worm", "dataadobereader", "as397240", "msie", "etpro trojan", "virgin islands", "script urls", "creation date", "record value", "date", "a domains", "all search", "otx octoseek", "url http", "http", "related nids", "pulse http", "url https", "files location", "as20940", "aaaa", "as2914 ntt", "canada unknown", "japan unknown", "as16625 akamai", "domain", "hostname", "gmt content", "gmt report", "0 report", "sea alt", "body", "encrypt", "social engineering", "revenge rat", "rat", "identity theft", "credit card", "referrer", "communicating", "bundled", "family", "roots", "lolkek", "tzw variants", "quasar rat", "dark power", "swisyn", "wiper", "ransomware", "cobalt strike", "attack", "core", "emotet", "exploit", "hacktool", "mail spammer", "as63949 linode", "mtb dec", "checkin m1", "trojanspy", "artro", "remote", "infostealer" ], "references": [ "https://hybrid-analysis.com/sample/3fb8f0af07a9e94045be0f592c675e4f6146c95523f1774bc03f8eb5cf8c7d4e/65951c3d58467c9eb00f69dc" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Ukraine", "Georgia", "India", "Hong Kong", "Canada", "China", "Indonesia", "South Africa", "Germany", "Slovenia", "Mexico", "Netherlands", "Japan", "Spain", "Argentina", "France", "Chile", "Italy", "Aruba", "Switzerland", "United Kingdom of Great Britain and Northern Ireland", "Denmark", "Poland", "Colombia", "Taiwan", "Bulgaria", "Austria", "Russian Federation", "Australia", "Philippines", "Norway", "Sweden" ], "malware_families": [ { "id": "Trojan:Win32/Comspec", "display_name": "Trojan:Win32/Comspec", "target": "/malware/Trojan:Win32/Comspec" }, { "id": "#Lowfi:SCPT:KiraAsciiObfuscator", "display_name": "#Lowfi:SCPT:KiraAsciiObfuscator", "target": null }, { "id": "Backdoor:Win32/Simda", "display_name": "Backdoor:Win32/Simda", "target": "/malware/Backdoor:Win32/Simda" }, { "id": "Crypt3.BLXP", "display_name": "Crypt3.BLXP", "target": null }, { "id": "PWS:Win32/VB.CU", "display_name": "PWS:Win32/VB.CU", "target": "/malware/PWS:Win32/VB.CU" }, { "id": "Trojan:MSIL/ClipBanker.GB!MTB", "display_name": "Trojan:MSIL/ClipBanker.GB!MTB", "target": "/malware/Trojan:MSIL/ClipBanker.GB!MTB" }, { "id": "Virus:Win32/Floxif.H", "display_name": "Virus:Win32/Floxif.H", "target": "/malware/Virus:Win32/Floxif.H" }, { "id": "Win.Packed.Zusy-7170176-0", "display_name": "Win.Packed.Zusy-7170176-0", "target": null }, { "id": "Win.Trojan.Zbot-9880005-0", "display_name": "Win.Trojan.Zbot-9880005-0", "target": null }, { "id": "'Win32:Trojan-gen", "display_name": "'Win32:Trojan-gen", "target": null }, { "id": "TEL:TrojanDownloader:O97M/MsiexecAbuse", "display_name": "TEL:TrojanDownloader:O97M/MsiexecAbuse", "target": null }, { "id": "Worm:Win32/Mofksys.B", "display_name": "Worm:Win32/Mofksys.B", "target": "/malware/Worm:Win32/Mofksys.B" }, { "id": "Worm:Win32/Mofksys.RND!MTB", "display_name": "Worm:Win32/Mofksys.RND!MTB", "target": "/malware/Worm:Win32/Mofksys.RND!MTB" }, { "id": "Worm:LOGO/Logic", "display_name": "Worm:LOGO/Logic", "target": "/malware/Worm:LOGO/Logic" }, { "id": "ETPro Trojan", "display_name": "ETPro Trojan", "target": null }, { "id": "LolKek", "display_name": "LolKek", "target": null }, { "id": "Ransomware", "display_name": "Ransomware", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null }, { "id": "Emotet", "display_name": "Emotet", "target": null }, { "id": "TrojanSpy:Win32/Swisyn", "display_name": "TrojanSpy:Win32/Swisyn", "target": "/malware/TrojanSpy:Win32/Swisyn" }, { "id": "Dark Power", "display_name": "Dark Power", "target": null }, { "id": "Cobalt Strike", "display_name": "Cobalt Strike", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "Artro", "display_name": "Artro", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1546.015", "name": "Component Object Model Hijacking", "display_name": "T1546.015 - Component Object Model Hijacking" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" } ], "industries": [ "Telecommunications" ], "TLP": "green", "cloned_from": null, "export_count": 29, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 560, "FileHash-SHA1": 350, "FileHash-SHA256": 4371, "URL": 8165, "domain": 2548, "hostname": 2813, "CVE": 4, "email": 3 }, "indicator_count": 18814, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "849 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64e7995af8d4a3461031898b", "name": "IOC Records \u2192Provided by @NextRayAI", "description": "", "modified": "2023-10-02T00:00:29.692000", "created": "2023-08-24T17:54:34.404000", "tags": [ "Nextray", "cyber security", "ioc", "phishing", "malicious" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Turkey", "Ukraine", "Romania", "Czechia", "United Kingdom of Great Britain and Northern Ireland", "Norway", "Lithuania", "Estonia", "Latvia", "Poland", "Germany", "Canada", "France", "Denmark" ], "malware_families": [], "attack_ids": [], "industries": [ "Defense", "Industrial", "Government" ], "TLP": "white", "cloned_from": "63456c2a30b92337ea1670e0", "export_count": 28, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 493080, "IPv4": 3458, "IPv6": 519, "hostname": 41105, "URL": 155223, "CIDR": 5266 }, "indicator_count": 698651, "is_author": false, "is_subscribing": null, "subscriber_count": 233, "modified_text": "972 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6507dcf477ef9466c2de35e3", "name": "HIVE (Pulse created by RVS_i_am)", "description": "For more information, please see:\n\nContact info: wnd5xkus@duck.com / kcqhf2ok@duck.com (Email & Phone has 'not been very effective' means of communication)\nTwitter: @NorrisN60014\nDiscord: inawj_2\nMastadon: Disable_Duck@nerdculture.de\n\nOther:\nAlienVault: DISABLE_DUCK\nFileScan: DISABLE_DUCK\nMetadefender: red_snow_ak3jzram", "modified": "2023-09-18T05:15:32.926000", "created": "2023-09-18T05:15:32.926000", "tags": [ "Nextray", "cyber security", "ioc", "phishing", "malicious" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Turkey", "Ukraine", "Romania", "Czechia", "United Kingdom of Great Britain and Northern Ireland", "Norway", "Lithuania", "Estonia", "Latvia", "Poland", "Germany", "Canada", "France", "Denmark" ], "malware_families": [], "attack_ids": [], "industries": [ "Defense", "Industrial", "Government" ], "TLP": "white", "cloned_from": "64fa30d707f35d3c9d8bd1cd", "export_count": 43, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 493080, "IPv4": 3458, "IPv6": 519, "hostname": 41105, "URL": 155223, "CIDR": 5266 }, "indicator_count": 698651, "is_author": false, "is_subscribing": null, "subscriber_count": 234, "modified_text": "986 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6507dcf100d8bde09b555013", "name": "HIVE (Pulse created by RVS_i_am)", "description": "", "modified": "2023-09-18T05:15:29.671000", "created": "2023-09-18T05:15:29.671000", "tags": [ "Nextray", "cyber security", "ioc", "phishing", "malicious" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Turkey", "Ukraine", "Romania", "Czechia", "United Kingdom of Great Britain and Northern Ireland", "Norway", "Lithuania", "Estonia", "Latvia", "Poland", "Germany", "Canada", "France", "Denmark" ], "malware_families": [], "attack_ids": [], "industries": [ "Defense", "Industrial", "Government" ], "TLP": "white", "cloned_from": "64fa30d707f35d3c9d8bd1cd", "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 493080, "IPv4": 3458, "IPv6": 519, "hostname": 41105, "URL": 155223, "CIDR": 5266 }, "indicator_count": 698651, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "986 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64fa30d7bc2e4d93884b2a4c", "name": "HIVE", "description": "", "modified": "2023-09-07T20:21:43.678000", "created": "2023-09-07T20:21:43.678000", "tags": [ "Nextray", "cyber security", "ioc", "phishing", "malicious" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Turkey", "Ukraine", "Romania", "Czechia", "United Kingdom of Great Britain and Northern Ireland", "Norway", "Lithuania", "Estonia", "Latvia", "Poland", "Germany", "Canada", "France", "Denmark" ], "malware_families": [], "attack_ids": [], "industries": [ "Defense", "Industrial", "Government" ], "TLP": "white", "cloned_from": "63456c2a30b92337ea1670e0", "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "RVS_i_am", "id": "251642", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 493080, "IPv4": 3458, "IPv6": 519, "hostname": 41105, "URL": 155223, "CIDR": 5266 }, "indicator_count": 698651, "is_author": false, "is_subscribing": null, "subscriber_count": 49, "modified_text": "997 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64fa30d707f35d3c9d8bd1cd", "name": "HIVE", "description": "", "modified": "2023-09-07T20:21:43.271000", "created": "2023-09-07T20:21:43.271000", "tags": [ "Nextray", "cyber security", "ioc", "phishing", "malicious" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Turkey", "Ukraine", "Romania", "Czechia", "United Kingdom of Great Britain and Northern Ireland", "Norway", "Lithuania", "Estonia", "Latvia", "Poland", "Germany", "Canada", "France", "Denmark" ], "malware_families": [], "attack_ids": [], "industries": [ "Defense", "Industrial", "Government" ], "TLP": "white", "cloned_from": "63456c2a30b92337ea1670e0", "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "RVS_i_am", "id": "251642", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 493080, "IPv4": 3458, "IPv6": 519, "hostname": 41105, "URL": 155223, "CIDR": 5266 }, "indicator_count": 698651, "is_author": false, "is_subscribing": null, "subscriber_count": 47, "modified_text": "997 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64fa30cce362cbd8ba18c887", "name": "HIVE", "description": "", "modified": "2023-09-07T20:21:32.701000", "created": "2023-09-07T20:21:32.701000", "tags": [ "Nextray", "cyber security", "ioc", "phishing", "malicious" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Turkey", "Ukraine", "Romania", "Czechia", "United Kingdom of Great Britain and Northern Ireland", "Norway", "Lithuania", "Estonia", "Latvia", "Poland", "Germany", "Canada", "France", "Denmark" ], "malware_families": [], "attack_ids": [], "industries": [ "Defense", "Industrial", "Government" ], "TLP": "white", "cloned_from": "63456c2a30b92337ea1670e0", "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "RVS_i_am", "id": "251642", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 493080, "IPv4": 3458, "IPv6": 519, "hostname": 41105, "URL": 155223, "CIDR": 5266 }, "indicator_count": 698651, "is_author": false, "is_subscribing": null, "subscriber_count": 45, "modified_text": "997 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64fa30c8b0f038985fbce564", "name": "HIVE", "description": "", "modified": "2023-09-07T20:21:28.946000", "created": "2023-09-07T20:21:28.946000", "tags": [ "Nextray", "cyber security", "ioc", "phishing", "malicious" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Turkey", "Ukraine", "Romania", "Czechia", "United Kingdom of Great Britain and Northern Ireland", "Norway", "Lithuania", "Estonia", "Latvia", "Poland", "Germany", "Canada", "France", "Denmark" ], "malware_families": [], "attack_ids": [], "industries": [ "Defense", "Industrial", "Government" ], "TLP": "white", "cloned_from": "63456c2a30b92337ea1670e0", "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "RVS_i_am", "id": "251642", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 493080, "IPv4": 3458, "IPv6": 519, "hostname": 41105, "URL": 155223, "CIDR": 5266 }, "indicator_count": 698651, "is_author": false, "is_subscribing": null, "subscriber_count": 45, "modified_text": "997 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64fa30b1c5599ae3fd943671", "name": "HIVE", "description": "", "modified": "2023-09-07T20:21:05.125000", "created": "2023-09-07T20:21:05.125000", "tags": [ "Nextray", "cyber security", "ioc", "phishing", "malicious" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Turkey", "Ukraine", "Romania", "Czechia", "United Kingdom of Great Britain and Northern Ireland", "Norway", "Lithuania", "Estonia", "Latvia", "Poland", "Germany", "Canada", "France", "Denmark" ], "malware_families": [], "attack_ids": [], "industries": [ "Defense", "Industrial", "Government" ], "TLP": "white", "cloned_from": "63456c2a30b92337ea1670e0", "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "RVS_i_am", "id": "251642", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 493080, "IPv4": 3458, "IPv6": 519, "hostname": 41105, "URL": 155223, "CIDR": 5266 }, "indicator_count": 698651, "is_author": false, "is_subscribing": null, "subscriber_count": 46, "modified_text": "997 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64fa30a3429961426a8c9f3f", "name": "HIVE", "description": "", "modified": "2023-09-07T20:20:51.389000", "created": "2023-09-07T20:20:51.389000", "tags": [ "Nextray", "cyber security", "ioc", "phishing", "malicious" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Turkey", "Ukraine", "Romania", "Czechia", "United Kingdom of Great Britain and Northern Ireland", "Norway", "Lithuania", "Estonia", "Latvia", "Poland", "Germany", "Canada", "France", "Denmark" ], "malware_families": [], "attack_ids": [], "industries": [ "Defense", "Industrial", "Government" ], "TLP": "white", "cloned_from": "63456c2a30b92337ea1670e0", "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "RVS_i_am", "id": "251642", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 493080, "IPv4": 3458, "IPv6": 519, "hostname": 41105, "URL": 155223, "CIDR": 5266 }, "indicator_count": 698651, "is_author": false, "is_subscribing": null, "subscriber_count": 45, "modified_text": "997 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64fa309b486cb2d0cacbc33e", "name": "HIVE", "description": "", "modified": "2023-09-07T20:20:43.518000", "created": "2023-09-07T20:20:43.518000", "tags": [ "Nextray", "cyber security", "ioc", "phishing", "malicious" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Turkey", "Ukraine", "Romania", "Czechia", "United Kingdom of Great Britain and Northern Ireland", "Norway", "Lithuania", "Estonia", "Latvia", "Poland", "Germany", "Canada", "France", "Denmark" ], "malware_families": [], "attack_ids": [], "industries": [ "Defense", "Industrial", "Government" ], "TLP": "white", "cloned_from": "63456c2a30b92337ea1670e0", "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "RVS_i_am", "id": "251642", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 493080, "IPv4": 3458, "IPv6": 519, "hostname": 41105, "URL": 155223, "CIDR": 5266 }, "indicator_count": 698651, "is_author": false, "is_subscribing": null, "subscriber_count": 47, "modified_text": "997 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64fa309b8869335d1a9e6293", "name": "HIVE", "description": "", "modified": "2023-09-07T20:20:43.122000", "created": "2023-09-07T20:20:43.122000", "tags": [ "Nextray", "cyber security", "ioc", "phishing", "malicious" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Turkey", "Ukraine", "Romania", "Czechia", "United Kingdom of Great Britain and Northern Ireland", "Norway", "Lithuania", "Estonia", "Latvia", "Poland", "Germany", "Canada", "France", "Denmark" ], "malware_families": [], "attack_ids": [], "industries": [ "Defense", "Industrial", "Government" ], "TLP": "white", "cloned_from": "63456c2a30b92337ea1670e0", "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "RVS_i_am", "id": "251642", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 493080, "IPv4": 3458, "IPv6": 519, "hostname": 41105, "URL": 155223, "CIDR": 5266 }, "indicator_count": 698651, "is_author": false, "is_subscribing": null, "subscriber_count": 44, "modified_text": "997 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64fa3090d3eb1de3bad58767", "name": "HIVE", "description": "", "modified": "2023-09-07T20:20:32.583000", "created": "2023-09-07T20:20:32.583000", "tags": [ "Nextray", "cyber security", "ioc", "phishing", "malicious" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Turkey", "Ukraine", "Romania", "Czechia", "United Kingdom of Great Britain and Northern Ireland", "Norway", "Lithuania", "Estonia", "Latvia", "Poland", "Germany", "Canada", "France", "Denmark" ], "malware_families": [], "attack_ids": [], "industries": [ "Defense", "Industrial", "Government" ], "TLP": "white", "cloned_from": "63456c2a30b92337ea1670e0", "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "RVS_i_am", "id": "251642", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 493080, "IPv4": 3458, "IPv6": 519, "hostname": 41105, "URL": 155223, "CIDR": 5266 }, "indicator_count": 698651, "is_author": false, "is_subscribing": null, "subscriber_count": 46, "modified_text": "997 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64fa308c07f35d3c9d8bd1cc", "name": "HIVE", "description": "", "modified": "2023-09-07T20:20:28.541000", "created": "2023-09-07T20:20:28.541000", "tags": [ "Nextray", "cyber security", "ioc", "phishing", "malicious" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Turkey", "Ukraine", "Romania", "Czechia", "United Kingdom of Great Britain and Northern Ireland", "Norway", "Lithuania", "Estonia", "Latvia", "Poland", "Germany", "Canada", "France", "Denmark" ], "malware_families": [], "attack_ids": [], "industries": [ "Defense", "Industrial", "Government" ], "TLP": "white", "cloned_from": "63456c2a30b92337ea1670e0", "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "RVS_i_am", "id": "251642", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 493080, "IPv4": 3458, "IPv6": 519, "hostname": 41105, "URL": 155223, "CIDR": 5266 }, "indicator_count": 698651, "is_author": false, "is_subscribing": null, "subscriber_count": 45, "modified_text": "997 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64e799845f4ca1eaee3b9957", "name": "IOC Records \u2192Provided by @NextRayAI", "description": "", "modified": "2023-08-24T17:55:16.165000", "created": "2023-08-24T17:55:16.165000", "tags": [ "Nextray", "cyber security", "ioc", "phishing", "malicious" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Turkey", "Ukraine", "Romania", "Czechia", "United Kingdom of Great Britain and Northern Ireland", "Norway", "Lithuania", "Estonia", "Latvia", "Poland", "Germany", "Canada", "France", "Denmark" ], "malware_families": [], "attack_ids": [], "industries": [ "Defense", "Industrial", "Government" ], "TLP": "white", "cloned_from": "63456c2a30b92337ea1670e0", "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 493080, "IPv4": 3458, "IPv6": 519, "hostname": 41105, "URL": 155223, "CIDR": 5266 }, "indicator_count": 698651, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "1011 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64e79960d336b6a4b53c561e", "name": "IOC Records \u2192Provided by @NextRayAI", "description": "", "modified": "2023-08-24T17:54:40.425000", "created": "2023-08-24T17:54:40.425000", "tags": [ "Nextray", "cyber security", "ioc", "phishing", "malicious" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Turkey", "Ukraine", "Romania", "Czechia", "United Kingdom of Great Britain and Northern Ireland", "Norway", "Lithuania", "Estonia", "Latvia", "Poland", "Germany", "Canada", "France", "Denmark" ], "malware_families": [], "attack_ids": [], "industries": [ "Defense", "Industrial", "Government" ], "TLP": "white", "cloned_from": "63456c2a30b92337ea1670e0", "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 493080, "IPv4": 3458, "IPv6": 519, "hostname": 41105, "URL": 155223, "CIDR": 5266 }, "indicator_count": 698651, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "1011 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64e7995f5e8231aa87cdddc5", "name": "IOC Records \u2192Provided by @NextRayAI", "description": "", "modified": "2023-08-24T17:54:39.765000", "created": "2023-08-24T17:54:39.765000", "tags": [ "Nextray", "cyber security", "ioc", "phishing", "malicious" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Turkey", "Ukraine", "Romania", "Czechia", "United Kingdom of Great Britain and Northern Ireland", "Norway", "Lithuania", "Estonia", "Latvia", "Poland", "Germany", "Canada", "France", "Denmark" ], "malware_families": [], "attack_ids": [], "industries": [ "Defense", "Industrial", "Government" ], "TLP": "white", "cloned_from": "63456c2a30b92337ea1670e0", "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 493080, "IPv4": 3458, "IPv6": 519, "hostname": 41105, "URL": 155223, "CIDR": 5266 }, "indicator_count": 698651, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "1011 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64e7995ece1da1e24e444a27", "name": "IOC Records \u2192Provided by @NextRayAI", "description": "", "modified": "2023-08-24T17:54:38.909000", "created": "2023-08-24T17:54:38.909000", "tags": [ "Nextray", "cyber security", "ioc", "phishing", "malicious" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Turkey", "Ukraine", "Romania", "Czechia", "United Kingdom of Great Britain and Northern Ireland", "Norway", "Lithuania", "Estonia", "Latvia", "Poland", "Germany", "Canada", "France", "Denmark" ], "malware_families": [], "attack_ids": [], "industries": [ "Defense", "Industrial", "Government" ], "TLP": "white", "cloned_from": "63456c2a30b92337ea1670e0", "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 493080, "IPv4": 3458, "IPv6": 519, "hostname": 41105, "URL": 155223, "CIDR": 5266 }, "indicator_count": 698651, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "1011 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64e799540d4697a46f8f230c", "name": "IOC Records \u2192Provided by @NextRayAI", "description": "", "modified": "2023-08-24T17:54:28.757000", "created": "2023-08-24T17:54:28.757000", "tags": [ "Nextray", "cyber security", "ioc", "phishing", "malicious" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Turkey", "Ukraine", "Romania", "Czechia", "United Kingdom of Great Britain and Northern Ireland", "Norway", "Lithuania", "Estonia", "Latvia", "Poland", "Germany", "Canada", "France", "Denmark" ], "malware_families": [], "attack_ids": [], "industries": [ "Defense", "Industrial", "Government" ], "TLP": "white", "cloned_from": "63456c2a30b92337ea1670e0", "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 493080, "IPv4": 3458, "IPv6": 519, "hostname": 41105, "URL": 155223, "CIDR": 5266 }, "indicator_count": 698651, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "1011 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64e799240e77a37a1a1fd255", "name": "IOC Records \u2192 Provided by @NextRayAI", "description": "", "modified": "2023-08-24T17:53:40.054000", "created": "2023-08-24T17:53:40.054000", "tags": [ "Nextray", "cyber security", "ioc", "phishing", "malicious" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Turkey", "Ukraine", "Romania", "Czechia", "United Kingdom of Great Britain and Northern Ireland", "Norway", "Lithuania", "Estonia", "Latvia", "Poland", "Germany", "Canada", "France", "Denmark" ], "malware_families": [], "attack_ids": [], "industries": [ "Defense", "Industrial", "Government" ], "TLP": "white", "cloned_from": "63456c2a30b92337ea1670e0", "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 493080, "IPv4": 3458, "IPv6": 519, "hostname": 41105, "URL": 155223, "CIDR": 5266 }, "indicator_count": 698651, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "1011 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64e79923528ad3eb11ea884c", "name": "IOC Records \u2192 Provided by @NextRayAI", "description": "", "modified": "2023-08-24T17:53:39.444000", "created": "2023-08-24T17:53:39.444000", "tags": [ "Nextray", "cyber security", "ioc", "phishing", "malicious" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Turkey", "Ukraine", "Romania", "Czechia", "United Kingdom of Great Britain and Northern Ireland", "Norway", "Lithuania", "Estonia", "Latvia", "Poland", "Germany", "Canada", "France", "Denmark" ], "malware_families": [], "attack_ids": [], "industries": [ "Defense", "Industrial", "Government" ], "TLP": "white", "cloned_from": "63456c2a30b92337ea1670e0", "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 493080, "IPv4": 3458, "IPv6": 519, "hostname": 41105, "URL": 155223, "CIDR": 5266 }, "indicator_count": 698651, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "1011 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64e7992247e0b22db4bd642a", "name": "IOC Records \u2192 Provided by @NextRayAI", "description": "", "modified": "2023-08-24T17:53:38.528000", "created": "2023-08-24T17:53:38.528000", "tags": [ "Nextray", "cyber security", "ioc", "phishing", "malicious" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Turkey", "Ukraine", "Romania", "Czechia", "United Kingdom of Great Britain and Northern Ireland", "Norway", "Lithuania", "Estonia", "Latvia", "Poland", "Germany", "Canada", "France", "Denmark" ], "malware_families": [], "attack_ids": [], "industries": [ "Defense", "Industrial", "Government" ], "TLP": "white", "cloned_from": "63456c2a30b92337ea1670e0", "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 493080, "IPv4": 3458, "IPv6": 519, "hostname": 41105, "URL": 155223, "CIDR": 5266 }, "indicator_count": 698651, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "1011 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64e7991e0e88ef39bef95a12", "name": "IOC Records \u2192 Provided by @NextRayAI", "description": "", "modified": "2023-08-24T17:53:34.071000", "created": "2023-08-24T17:53:34.071000", "tags": [ "Nextray", "cyber security", "ioc", "phishing", "malicious" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Turkey", "Ukraine", "Romania", "Czechia", "United Kingdom of Great Britain and Northern Ireland", "Norway", "Lithuania", "Estonia", "Latvia", "Poland", "Germany", "Canada", "France", "Denmark" ], "malware_families": [], "attack_ids": [], "industries": [ "Defense", "Industrial", "Government" ], "TLP": "white", "cloned_from": "63456c2a30b92337ea1670e0", "export_count": 25, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 493080, "IPv4": 3458, "IPv6": 519, "hostname": 41105, "URL": 155223, "CIDR": 5266 }, "indicator_count": 698651, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "1011 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64e79918d81a265ff4d3d514", "name": "IOC Records \u2192 Provided by @NextRayAI", "description": "", "modified": "2023-08-24T17:53:28.601000", "created": "2023-08-24T17:53:28.601000", "tags": [ "Nextray", "cyber security", "ioc", "phishing", "malicious" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Turkey", "Ukraine", "Romania", "Czechia", "United Kingdom of Great Britain and Northern Ireland", "Norway", "Lithuania", "Estonia", "Latvia", "Poland", "Germany", "Canada", "France", "Denmark" ], "malware_families": [], "attack_ids": [], "industries": [ "Defense", "Industrial", "Government" ], "TLP": "white", "cloned_from": "63456c2a30b92337ea1670e0", "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 493080, "IPv4": 3458, "IPv6": 519, "hostname": 41105, "URL": 155223, "CIDR": 5266 }, "indicator_count": 698651, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "1011 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64e7990cbf87cda6c38013cf", "name": "IOC Records \u2192 Provided by @NextRayAI", "description": "", "modified": "2023-08-24T17:53:16.082000", "created": "2023-08-24T17:53:16.082000", "tags": [ "Nextray", "cyber security", "ioc", "phishing", "malicious" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Turkey", "Ukraine", "Romania", "Czechia", "United Kingdom of Great Britain and Northern Ireland", "Norway", "Lithuania", "Estonia", "Latvia", "Poland", "Germany", "Canada", "France", "Denmark" ], "malware_families": [], "attack_ids": [], "industries": [ "Defense", "Industrial", "Government" ], "TLP": "white", "cloned_from": "63456c2a30b92337ea1670e0", "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 493080, "IPv4": 3458, "IPv6": 519, "hostname": 41105, "URL": 155223, "CIDR": 5266 }, "indicator_count": 698651, "is_author": false, "is_subscribing": null, "subscriber_count": 231, "modified_text": "1011 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "redhatdelete.com", "https://hybrid-analysis.com/sample/3fb8f0af07a9e94045be0f592c675e4f6146c95523f1774bc03f8eb5cf8c7d4e/65951c3d58467c9eb00f69dc", "Trojan-Ransom.Win32.Blocker.jgb Checkin", "https://otx.alienvault.com/indicator/file/f58f360a1f6b5e3e28fa64dd88ec2c9893f2f1d290f4a8cf67ac49952e32cc60", "https://otx.alienvault.com/indicator/file/000ad3f22cedbd36e425ca046b2aa0c228754b6fd94d30105ad9343ad9742695", "https://www.virustotal.com/graph/gf9fb2090ae8e450dadda45c0596ab774ed1984e89aab4679bc3fc02096e22fa3", "Mutexes Opened {0C8E6D89-EA51-848A-7775-6C2CC072CA88}", "explorer.exe \u2022 Explorer.EXE \u2022\tupnaneat-xex.exe \u2022 akgibik.exe \u2022 wmiadap.exe \u2022 wmiprvse.exe \u2022 winlogon.exe \u2022 tmpo3rfa1vg.exe" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [], "malware_families": [ "Win.packed.zusy-7170176-0", "Virtool", "Hacktool", "Artro", "Tel:trojandownloader:o97m/msiexecabuse", "Trojan-ransom.win32.blocker.jgb checkin", "Trojanspy", "Worm:logo/logic", "Pws:win32/vb.cu", "'win32:trojan-gen", "Crypt3.blxp", "Worm:win32/mofksys.rnd!mtb", "Dark power", "Lolkek", "Trojan:win32/comspec", "Mirai", "Emotet", "Win.trojan.zbot-9880005-0", "Ransom:win32/wannacrypt.a!rsm", "Trojanspy:win32/swisyn", "Mitre attack", "Etpro trojan", "Cobalt strike", "Trojan:msil/clipbanker.gb!mtb", "Quasar rat", "#lowfi:scpt:kiraasciiobfuscator", "Virus:win32/floxif.h", "Win.ransomware.locky-7766366-0", "Trojandropper:win32/gamehack", "Rostpay", "Chaos (elf)", "Backdoor:win32/simda", "Worm:win32/mofksys.b", "Ransomware", "Alf:e5.spikeaex.rhh_pid" ], "industries": [ "Government", "Defense", "Industrial", "Telecommunications" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 41, "pulses": [ { "id": "63456c2a30b92337ea1670e0", "name": "IOC Records Provided by @NextRayAI", "description": "This IOC report provided and daily updated by NextRay AI Detection & Response Inc.", "modified": "2026-05-31T01:02:14", "created": "2022-10-11T13:14:18.676000", "tags": [ "Nextray", "cyber security", "ioc", "phishing", "malicious" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Turkey", "Ukraine", "Romania", "Czechia", "United Kingdom of Great Britain and Northern Ireland", "Norway", "Lithuania", "Estonia", "Latvia", "Poland", "Germany", "Canada", "France", "Denmark" ], "malware_families": [], "attack_ids": [], "industries": [ "Defense", "Industrial", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 1330, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "NextRay-AI", "id": "210822", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_210822/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 498917, "IPv4": 64343, "IPv6": 459, "hostname": 59385, "URL": 166783, "CIDR": 5266, "FileHash-MD5": 29699, "FileHash-SHA256": 50449, "CVE": 348, "email": 914, "Mutex": 49, "FileHash-SHA1": 3453, "FilePath": 34 }, "indicator_count": 880099, "is_author": false, "is_subscribing": null, "subscriber_count": 300, "modified_text": "22 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "68705b9e13e074fa3c778902", "name": "check", "description": "", "modified": "2026-01-23T01:10:39.457000", "created": "2025-07-11T00:32:30.277000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 421, "FileHash-MD5": 25, "FileHash-SHA1": 22, "FileHash-SHA256": 133, "domain": 270, "hostname": 35 }, "indicator_count": 906, "is_author": false, "is_subscribing": null, "subscriber_count": 182, "modified_text": "128 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "688d5bab9ce44c4321064457", "name": "xloader", "description": "", "modified": "2026-01-12T23:06:55.682000", "created": "2025-08-02T00:28:27.331000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 388, "FileHash-MD5": 83, "FileHash-SHA1": 45, "FileHash-SHA256": 308, "domain": 392, "hostname": 107 }, "indicator_count": 1323, "is_author": false, "is_subscribing": null, "subscriber_count": 182, "modified_text": "139 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "688c8526be7a4df33863b5c5", "name": "VirusTotal - Shiz.ivr", "description": "*Win.Trojan.Shiz.ivr\n*PWS:Win32/Simda.D\n*virtool #injection#infostealer #network #cnc #block_not #virustotal_google #cnc #checking #procmem_yara\n#injection_inter_process\n#injection_create_remote_thread\n#antidebug_windows\n#multiple_useragents\n#network_fake_useragent\n#persistence_autorun\n#cape_detected_threat\n#antiav_detectfile\n#modify_proxy\n#deletes_self\n#infostealer_cookies\n#injection_createremotethread\n#suricata_alert\n~ vashti", "modified": "2025-08-31T08:01:04.297000", "created": "2025-08-01T09:13:10.510000", "tags": [ "dynamicloader", "unknown", "msie", "windows nt", "slcc2", "media center", "suspicious", "search", "high", "show", "copy", "possible", "write", "internal", "malware", "push", "local", "next", "contacted", "domains", "pulses", "related tags", "file type", "date april", "pm size", "sha1 sha256", "imphash pehash", "virustotal api", "bq jul", "united", "trojan", "backdoor", "virtool", "cnc beacon", "entries", "path max", "passive dns", "next associated", "cookie", "twitter", "body", "date", "medium", "simda", "global" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 10303, "hostname": 1413, "FileHash-SHA256": 1868, "domain": 1877, "FileHash-MD5": 357, "FileHash-SHA1": 348, "SSLCertFingerprint": 2 }, "indicator_count": 16168, "is_author": false, "is_subscribing": null, "subscriber_count": 149, "modified_text": "273 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "5daf09a6d16f1e2c5c594c22", "name": "Simda - Malware Domain Feed V2", "description": "Command and Control domains for malware known as Simda. These domains are extracted from malware sandbox reports using a Machine Learning model trained on a corpus of good and bad domains.", "modified": "2025-07-15T21:13:57.066000", "created": "2019-10-22T13:52:38.770000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 33, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "otxrobottwo", "id": "78495", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_78495/resized/80/avatar_ba5a8acdbd.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 209, "hostname": 5 }, "indicator_count": 214, "is_author": false, "is_subscribing": null, "subscriber_count": 1085, "modified_text": "320 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6786a59af06fee17c8decf9d", "name": "netcfg", "description": "000ceafd276003f46d06828bb0459b3ccdc2b44013a313b69d6270a224199034", "modified": "2025-05-31T02:36:52.299000", "created": "2025-01-14T17:57:46.687000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 222, "domain": 216, "hostname": 4, "FileHash-SHA256": 1 }, "indicator_count": 443, "is_author": false, "is_subscribing": null, "subscriber_count": 182, "modified_text": "365 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67fb185eb96e9791cf24ced4", "name": "Shiz/Packy", "description": "", "modified": "2025-05-13T01:03:15.390000", "created": "2025-04-13T01:50:22.707000", "tags": [], "references": [ "https://www.virustotal.com/graph/gf9fb2090ae8e450dadda45c0596ab774ed1984e89aab4679bc3fc02096e22fa3" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 26, "URL": 191, "domain": 344, "hostname": 2 }, "indicator_count": 563, "is_author": false, "is_subscribing": null, "subscriber_count": 182, "modified_text": "383 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "678349edca4868e4cf8b298b", "name": "tfdbpg", "description": "0000121f09166c3e1e001b833301977f3f9461f756b46818e1acf377edb2454f", "modified": "2025-01-12T04:49:49.365000", "created": "2025-01-12T04:49:49.365000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 237, "domain": 228, "hostname": 8, "FileHash-SHA256": 1 }, "indicator_count": 474, "is_author": false, "is_subscribing": null, "subscriber_count": 182, "modified_text": "504 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65d34c8a64436a7aee2e25a1", "name": "Locky: File Deletion targeting incriminating archived files.", "description": "redhatdelete.com : Adversaries are deleting files in bulk from Virustotal, otx AlienVault, WebArchive, Perma.cc Urlscan.io, Archive.Today, Archive.ph, iCloud, apple data, photo deletion.\nVarious ransomware used. iOS service modified, cloud encrypted by adversary. Indicator point to a target with a zombie device. An iPhone and potentially other devices were targeted in a specific attack. | Locky Ransomware is a piece of malware that encrypts important files on your device, rendering them inaccessible and unusable.", "modified": "2024-03-20T12:00:39.809000", "created": "2024-02-19T12:41:46.707000", "tags": [ "it consultant", "uk collection", "dns intel", "ips collection", "suspicous ip", "whois file", "cname", "record type", "ttl value", "algorithm", "v3 serial", "number", "cus cnr3", "olet", "subject public", "key info", "key algorithm", "key identifier", "whois lookup", "region create", "domain", "name server", "registrant name", "technical city", "region update", "united", "command decode", "mitre att", "suricata ipv4", "windows nt", "win64", "khtml", "gecko", "ck id", "cookie", "meta", "february", "hybrid", "general", "click", "strings", "contact", "threat analyzer", "threat", "paste", "iocs", "urls http", "dns replication", "code", "namecheap", "registrar abuse", "namecheap inc", "privacy service", "withheld", "privacy", "dnssec", "email", "first", "bodis", "unknown", "creation date", "search", "emails", "as397240", "date", "next", "all octoseek", "threat roundup", "january", "june", "historical ssl", "referrer", "contacted", "group", "execution", "phishing", "malware", "core", "malicious", "dark power", "play ransomware", "pe32", "intel", "ms windows", "win32 dynamic", "link library", "win16 ne", "icons library", "os2 executable", "pe32 linker", "gnu linker", "compiler", "info header", "name md5", "overlay", "passive dns", "entries", "ipv4", "pulse pulses", "urls", "files", "trojan", "location united", "query", "activity dns", "observed dns", "msie", "high", "copy", "write", "win32", "hashes", "host interaction", "sabey type", "hallrender", "brian sabey", "memory pattern", "http requests", "http method", "get response", "dns resolutions", "ip traffic", "domains", "mutex", "samplepath", "created", "shell commands", "r processes", "tree", "analyze", "hostnames", "url https", "samples", "hostname", "pattern urls", "memory", "pattern", "pattern domains", "roundup", "formbook", "mirai", "ben c", "injection", "server", "scan endpoints", "show", "august", "bq feb", "chrome", "precondition", "virtool", "downloadmr", "body", "status", "servers", "record value", "name servers", "showing", "mailrubar", "trojanclicker", "slcc2", "media center", "delete c", "malware beacon", "suspicious", "class", "internal", "local", "encrypt", "as15169 google", "gmt cache", "twitter", "rostpay", "date hash", "avast avg", "mtb may", "susp", "cryp", "win32upatre may", "mtb showing", "lowfi", "aaaa", "win32pcmega jan", "urlshortner dec", "urlshortner sep", "as133618", "nxdomain", "as133775 xiamen", "germany unknown", "webtoolbar", "nanocore rat", "gamehack", "cobalt strike", "whois record", "ssl certificate", "tsara brashears", "resolutions", "critical risk", "apple phone", "unlocker", "shell code", "installer", "ursnif", "hacktool", "emotet", "tracker", "chaos", "ransomexx", "xor ddos", "xorddos", "mitre attack", "parent domain", "urls url", "siblings", "metro", "communicating", "collection", "dropped", "skynet", "youth", "com laude", "ltd dba", "utc submissions", "submitters", "cloudflarenet", "akamaias", "digitaloceanasn", "csc corporate", "pt mora", "univjos", "etisalat misr", "acurix networks", "pty ltd", "beijing baidu", "highly targeted", "http", "network hijacks", "redline stealer", "whois sslcert", "contacted urls", "whois whois", "september", "hidden cobra", "threats", "kimsuky", "service", "read c", "create c", "write c", "regsetvalueexa", "mozilla", "capture", "asnone", "domain http", "request", "malware dns", "lookup wannacry", "default", "ransom", "push", "playgame", "command", "email document", "exploit domain", "owner exploit", "kit exploit", "source file", "hacking tools", "hunting macro", "malware hosting", "memory scanning", "yara detections", "debug", "icmp traffic", "pdb path", "pe section", "low software", "packing t1045", "ransomware", "egregor", "find", "false", "psexec", "powershell", "qakbot", "qbot", "icedid" ], "references": [ "redhatdelete.com", "Mutexes Opened {0C8E6D89-EA51-848A-7775-6C2CC072CA88}", "explorer.exe \u2022 Explorer.EXE \u2022\tupnaneat-xex.exe \u2022 akgibik.exe \u2022 wmiadap.exe \u2022 wmiprvse.exe \u2022 winlogon.exe \u2022 tmpo3rfa1vg.exe", "https://otx.alienvault.com/indicator/file/f58f360a1f6b5e3e28fa64dd88ec2c9893f2f1d290f4a8cf67ac49952e32cc60", "Trojan-Ransom.Win32.Blocker.jgb Checkin", "https://otx.alienvault.com/indicator/file/000ad3f22cedbd36e425ca046b2aa0c228754b6fd94d30105ad9343ad9742695" ], "public": 1, "adversary": "", "targeted_countries": [ "Australia", "United States of America" ], "malware_families": [ { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Trojan-Ransom.Win32.Blocker.jgb Checkin", "display_name": "Trojan-Ransom.Win32.Blocker.jgb Checkin", "target": null }, { "id": "Rostpay", "display_name": "Rostpay", "target": null }, { "id": "VirTool", "display_name": "VirTool", "target": null }, { "id": "Mitre Attack", "display_name": "Mitre Attack", "target": null }, { "id": "Chaos (ELF)", "display_name": "Chaos (ELF)", "target": null }, { "id": "TrojanDropper:Win32/GameHack", "display_name": "TrojanDropper:Win32/GameHack", "target": "/malware/TrojanDropper:Win32/GameHack" }, { "id": "Win.Ransomware.Locky-7766366-0", "display_name": "Win.Ransomware.Locky-7766366-0", "target": null }, { "id": "Ransom:Win32/WannaCrypt.A!rsm", "display_name": "Ransom:Win32/WannaCrypt.A!rsm", "target": "/malware/Ransom:Win32/WannaCrypt.A!rsm" }, { "id": "ALF:E5.SpikeAex.rhh_pid", "display_name": "ALF:E5.SpikeAex.rhh_pid", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "TA0034", "name": "Impact", "display_name": "TA0034 - Impact" }, { "id": "TA0040", "name": "Impact", "display_name": "TA0040 - Impact" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1107", "name": "File Deletion", "display_name": "T1107 - File Deletion" }, { "id": "T1563", "name": "Remote Service Session Hijacking", "display_name": "T1563 - Remote Service Session Hijacking" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 65, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1848, "FileHash-SHA1": 1783, "FileHash-SHA256": 7170, "domain": 1649, "hostname": 1191, "email": 9, "URL": 729, "CVE": 2, "SSLCertFingerprint": 2, "CIDR": 1 }, "indicator_count": 14384, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "802 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65d34c91868744aa1449fef2", "name": "Locky: File Deletion targeting incriminating archived files.", "description": "redhatdelete.com : Adversaries are deleting files in bulk from Virustotal, otx AlienVault, WebArchive, Perma.cc Urlscan.io, Archive.Today, Archive.ph, iCloud, apple data, photo deletion.\nVarious ransomware used. iOS service modified, cloud encrypted by adversary. Indicator point to a target with a zombie device. An iPhone and potentially other devices were targeted in a specific attack. | Locky Ransomware is a piece of malware that encrypts important files on your device, rendering them inaccessible and unusable.", "modified": "2024-03-20T12:00:39.809000", "created": "2024-02-19T12:41:52.846000", "tags": [ "it consultant", "uk collection", "dns intel", "ips collection", "suspicous ip", "whois file", "cname", "record type", "ttl value", "algorithm", "v3 serial", "number", "cus cnr3", "olet", "subject public", "key info", "key algorithm", "key identifier", "whois lookup", "region create", "domain", "name server", "registrant name", "technical city", "region update", "united", "command decode", "mitre att", "suricata ipv4", "windows nt", "win64", "khtml", "gecko", "ck id", "cookie", "meta", "february", "hybrid", "general", "click", "strings", "contact", "threat analyzer", "threat", "paste", "iocs", "urls http", "dns replication", "code", "namecheap", "registrar abuse", "namecheap inc", "privacy service", "withheld", "privacy", "dnssec", "email", "first", "bodis", "unknown", "creation date", "search", "emails", "as397240", "date", "next", "all octoseek", "threat roundup", "january", "june", "historical ssl", "referrer", "contacted", "group", "execution", "phishing", "malware", "core", "malicious", "dark power", "play ransomware", "pe32", "intel", "ms windows", "win32 dynamic", "link library", "win16 ne", "icons library", "os2 executable", "pe32 linker", "gnu linker", "compiler", "info header", "name md5", "overlay", "passive dns", "entries", "ipv4", "pulse pulses", "urls", "files", "trojan", "location united", "query", "activity dns", "observed dns", "msie", "high", "copy", "write", "win32", "hashes", "host interaction", "sabey type", "hallrender", "brian sabey", "memory pattern", "http requests", "http method", "get response", "dns resolutions", "ip traffic", "domains", "mutex", "samplepath", "created", "shell commands", "r processes", "tree", "analyze", "hostnames", "url https", "samples", "hostname", "pattern urls", "memory", "pattern", "pattern domains", "roundup", "formbook", "mirai", "ben c", "injection", "server", "scan endpoints", "show", "august", "bq feb", "chrome", "precondition", "virtool", "downloadmr", "body", "status", "servers", "record value", "name servers", "showing", "mailrubar", "trojanclicker", "slcc2", "media center", "delete c", "malware beacon", "suspicious", "class", "internal", "local", "encrypt", "as15169 google", "gmt cache", "twitter", "rostpay", "date hash", "avast avg", "mtb may", "susp", "cryp", "win32upatre may", "mtb showing", "lowfi", "aaaa", "win32pcmega jan", "urlshortner dec", "urlshortner sep", "as133618", "nxdomain", "as133775 xiamen", "germany unknown", "webtoolbar", "nanocore rat", "gamehack", "cobalt strike", "whois record", "ssl certificate", "tsara brashears", "resolutions", "critical risk", "apple phone", "unlocker", "shell code", "installer", "ursnif", "hacktool", "emotet", "tracker", "chaos", "ransomexx", "xor ddos", "xorddos", "mitre attack", "parent domain", "urls url", "siblings", "metro", "communicating", "collection", "dropped", "skynet", "youth", "com laude", "ltd dba", "utc submissions", "submitters", "cloudflarenet", "akamaias", "digitaloceanasn", "csc corporate", "pt mora", "univjos", "etisalat misr", "acurix networks", "pty ltd", "beijing baidu", "highly targeted", "http", "network hijacks", "redline stealer", "whois sslcert", "contacted urls", "whois whois", "september", "hidden cobra", "threats", "kimsuky", "service", "read c", "create c", "write c", "regsetvalueexa", "mozilla", "capture", "asnone", "domain http", "request", "malware dns", "lookup wannacry", "default", "ransom", "push", "playgame", "command", "email document", "exploit domain", "owner exploit", "kit exploit", "source file", "hacking tools", "hunting macro", "malware hosting", "memory scanning", "yara detections", "debug", "icmp traffic", "pdb path", "pe section", "low software", "packing t1045", "ransomware", "egregor", "find", "false", "psexec", "powershell", "qakbot", "qbot", "icedid" ], "references": [ "redhatdelete.com", "Mutexes Opened {0C8E6D89-EA51-848A-7775-6C2CC072CA88}", "explorer.exe \u2022 Explorer.EXE \u2022\tupnaneat-xex.exe \u2022 akgibik.exe \u2022 wmiadap.exe \u2022 wmiprvse.exe \u2022 winlogon.exe \u2022 tmpo3rfa1vg.exe", "https://otx.alienvault.com/indicator/file/f58f360a1f6b5e3e28fa64dd88ec2c9893f2f1d290f4a8cf67ac49952e32cc60", "Trojan-Ransom.Win32.Blocker.jgb Checkin", "https://otx.alienvault.com/indicator/file/000ad3f22cedbd36e425ca046b2aa0c228754b6fd94d30105ad9343ad9742695" ], "public": 1, "adversary": "", "targeted_countries": [ "Australia", "United States of America" ], "malware_families": [ { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Trojan-Ransom.Win32.Blocker.jgb Checkin", "display_name": "Trojan-Ransom.Win32.Blocker.jgb Checkin", "target": null }, { "id": "Rostpay", "display_name": "Rostpay", "target": null }, { "id": "VirTool", "display_name": "VirTool", "target": null }, { "id": "Mitre Attack", "display_name": "Mitre Attack", "target": null }, { "id": "Chaos (ELF)", "display_name": "Chaos (ELF)", "target": null }, { "id": "TrojanDropper:Win32/GameHack", "display_name": "TrojanDropper:Win32/GameHack", "target": "/malware/TrojanDropper:Win32/GameHack" }, { "id": "Win.Ransomware.Locky-7766366-0", "display_name": "Win.Ransomware.Locky-7766366-0", "target": null }, { "id": "Ransom:Win32/WannaCrypt.A!rsm", "display_name": "Ransom:Win32/WannaCrypt.A!rsm", "target": "/malware/Ransom:Win32/WannaCrypt.A!rsm" }, { "id": "ALF:E5.SpikeAex.rhh_pid", "display_name": "ALF:E5.SpikeAex.rhh_pid", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "TA0034", "name": "Impact", "display_name": "TA0034 - Impact" }, { "id": "TA0040", "name": "Impact", "display_name": "TA0040 - Impact" }, { "id": "T1063", "name": "Security Software Discovery", "display_name": "T1063 - Security Software Discovery" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1107", "name": "File Deletion", "display_name": "T1107 - File Deletion" }, { "id": "T1563", "name": "Remote Service Session Hijacking", "display_name": "T1563 - Remote Service Session Hijacking" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 57, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1848, "FileHash-SHA1": 1783, "FileHash-SHA256": 7170, "domain": 1649, "hostname": 1191, "email": 9, "URL": 729, "CVE": 2, "SSLCertFingerprint": 2, "CIDR": 1 }, "indicator_count": 14384, "is_author": false, "is_subscribing": null, "subscriber_count": 228, "modified_text": "802 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "pupypiv.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "pupypiv.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780269995.6940355 }