{
  "type": "Domain",
  "indicator": "skylineceiling.ph",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/skylineceiling.ph",
    "alexa": "http://www.alexa.com/siteinfo/skylineceiling.ph",
    "indicator": "skylineceiling.ph",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 4139651264,
      "indicator": "skylineceiling.ph",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 4,
      "pulses": [
        {
          "id": "69c4281f5f232316375b225e",
          "name": "CoolWebSearch \u2022 Engine \u2022 Browser Hijack | Ransomware | Checkin | Tracking | Installer #pegasus_related",
          "description": "",
          "modified": "2026-03-25T18:23:27.601000",
          "created": "2026-03-25T18:23:27.601000",
          "tags": [
            "lowfi",
            "ransom",
            "trojan",
            "mtb oct",
            "win32",
            "kingwe",
            "files",
            "files ip",
            "all ipv4",
            "america flag",
            "United States",
            "win32mydoom",
            "otx logo",
            "urls",
            "reverse dns",
            "cnc style",
            "cnc checkin",
            "style",
            "install cnc",
            "initial install",
            "activity",
            "win32mydoom sep",
            "worm",
            "win32mydoom oct",
            "win32getnow oct",
            "unknown ns",
            "search",
            "browser",
            "hijackers",
            "file format",
            "malwarerid",
            "majauskas",
            "google",
            "report",
            "once",
            "malicious",
            "malware",
            "overview ip",
            "address",
            "asn as46475",
            "nameservers",
            "related tags",
            "spf record",
            "tags",
            "domain",
            "name",
            "query time",
            "cyprus update",
            "united states",
            "browser hijacker",
            "install",
            "handle",
            "entity",
            "key identifier",
            "x509v3 subject",
            "host name",
            "data",
            "v3 serial",
            "number",
            "cus olet",
            "encrypt cnr12",
            "ttl value",
            "thumbprint",
            "enabled",
            "malvertising",
            "encoded_htm!",
            "new_domain",
            "suspicious_redirect",
            "proximity",
            "tracking_infrastructure",
            "passive dns",
            "http",
            "ip address",
            "related nids",
            "files location",
            "checkin worm",
            "mydoom checkin",
            "useragent",
            "checkin cnc",
            "acti cnc",
            "beac track",
            "failed\u0661\u0668",
            "data upload",
            "extraction",
            "winsoft",
            "checkin",
            "learn",
            "ck id",
            "name tactics",
            "suspicious",
            "informative",
            "command",
            "adversaries",
            "javascript",
            "defense evasion",
            "spawns",
            "over",
            "mitre att",
            "show technique",
            "ck matrix",
            "ascii text",
            "body",
            "title",
            "encrypt",
            "refresh",
            "hybrid",
            "general",
            "local",
            "path",
            "click",
            "strings",
            "dynamicloader",
            "medium",
            "high",
            "et exploit",
            "write c",
            "default",
            "probe ms17010",
            "write",
            "copy",
            "pegasus related"
          ],
          "references": [
            "coolwebsearch.info | browser hijacker, malware , malicious",
            "Winsoft.E Checkin 3 Trojan.Generic.KDV.91800 Checkin PUP Win32/GetNow.B",
            "Checkin Worm.Mydoom Checkin User-Agent (explwer) Win32/Fosniw MacTryCnt CnC Style",
            "Checkin Win32/Fosniw CnC Checkin Style 2 Win32/Adware.iBryte.BO",
            "CnC Activity W32/SpeedingUpMyPC.Rootkit Install",
            "CnC Beacon Win32/InstallCore Initial Install Activity 2",
            "track.aptitudemedia.co/redirect?target=BASE64aHR0cDovL3RyYWNrLmNxcXNmLmNvbS9hZmZfYz9vZmZlcl9pZD0zNDI3JmFmZl9pZD0yNDM4NyZzb3VyY2U9OTI0MzhmOTktOGM5Yi00ODBjLWJjN2ItZGRiYzc2NDRhMjI3JmFmZl9zdWI9d001T0gxUUtVNzk5MUJUS0hDUklMSjhL"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Win.Malware.Generickdz-9918324-0",
              "display_name": "Win.Malware.Generickdz-9918324-0",
              "target": null
            },
            {
              "id": "Trojan:Win32/Mydoom",
              "display_name": "Trojan:Win32/Mydoom",
              "target": "/malware/Trojan:Win32/Mydoom"
            },
            {
              "id": "ALF:HeraklezEval:PUA:Win32/InstallCore.R",
              "display_name": "ALF:HeraklezEval:PUA:Win32/InstallCore.R",
              "target": null
            },
            {
              "id": "Win.Trojan.Generic-9909777-0",
              "display_name": "Win.Trojan.Generic-9909777-0",
              "target": null
            },
            {
              "id": "Win.Malware.Installcore-9794583-0",
              "display_name": "Win.Malware.Installcore-9794583-0",
              "target": null
            },
            {
              "id": "Ransom:Win32/WannaCrypt.H",
              "display_name": "Ransom:Win32/WannaCrypt.H",
              "target": "/malware/Ransom:Win32/WannaCrypt.H"
            },
            {
              "id": "Win.Dropper.DarkKomet-9370806-0",
              "display_name": "Win.Dropper.DarkKomet-9370806-0",
              "target": null
            },
            {
              "id": "Win.Malware.Generic-9963787-0",
              "display_name": "Win.Malware.Generic-9963787-0",
              "target": null
            },
            {
              "id": "Win.Trojan.Generic-9909777-0 #LowFi:HSTR:OptimumInstaller",
              "display_name": "Win.Trojan.Generic-9909777-0 #LowFi:HSTR:OptimumInstaller",
              "target": null
            },
            {
              "id": "Win.Malware.Mydoom-6804696-0\tWorm:Win32/Mydoom Win.Malware.Mydoom-6804696-0\tWorm:Win32/Mydoom Sep 18, 2023\t0d35f0736ce0f4d24c31ec3e940ffb1378d3151d7038a859819d2640cab30da1\t\t\t\t#LowFi:HSTR:OptimumInstal",
              "display_name": "Win.Malware.Mydoom-6804696-0\tWorm:Win32/Mydoom Win.Malware.Mydoom-6804696-0\tWorm:Win32/Mydoom Sep 18, 2023\t0d35f0736ce0f4d24c31ec3e940ffb1378d3151d7038a859819d2640cab30da1\t\t\t\t#LowFi:HSTR:OptimumInstal",
              "target": null
            },
            {
              "id": "Tags",
              "display_name": "Tags",
              "target": null
            },
            {
              "id": "Winsoft",
              "display_name": "Winsoft",
              "target": null
            },
            {
              "id": "Checkin",
              "display_name": "Checkin",
              "target": null
            },
            {
              "id": "CoolWebService",
              "display_name": "CoolWebService",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1048",
              "name": "Exfiltration Over Alternative Protocol",
              "display_name": "T1048 - Exfiltration Over Alternative Protocol"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1069",
              "name": "Permission Groups Discovery",
              "display_name": "T1069 - Permission Groups Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1189",
              "name": "Drive-by Compromise",
              "display_name": "T1189 - Drive-by Compromise"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1480",
              "name": "Execution Guardrails",
              "display_name": "T1480 - Execution Guardrails"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1568",
              "name": "Dynamic Resolution",
              "display_name": "T1568 - Dynamic Resolution"
            },
            {
              "id": "T1583",
              "name": "Acquire Infrastructure",
              "display_name": "T1583 - Acquire Infrastructure"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1583.001",
              "name": "Domains",
              "display_name": "T1583.001 - Domains"
            },
            {
              "id": "T1566.002",
              "name": "Spearphishing Link",
              "display_name": "T1566.002 - Spearphishing Link"
            },
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1553.002",
              "name": "Code Signing",
              "display_name": "T1553.002 - Code Signing"
            },
            {
              "id": "T1069.002",
              "name": "Domain Groups",
              "display_name": "T1069.002 - Domain Groups"
            },
            {
              "id": "T1568.002",
              "name": "Domain Generation Algorithms",
              "display_name": "T1568.002 - Domain Generation Algorithms"
            },
            {
              "id": "T1048.003",
              "name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol",
              "display_name": "T1048.003 - Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol"
            },
            {
              "id": "T1113",
              "name": "Screen Capture",
              "display_name": "T1113 - Screen Capture"
            },
            {
              "id": "T1583.005",
              "name": "Botnet",
              "display_name": "T1583.005 - Botnet"
            },
            {
              "id": "T1045",
              "name": "Software Packing",
              "display_name": "T1045 - Software Packing"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1449",
              "name": "Exploit SS7 to Redirect Phone Calls/SMS",
              "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
            },
            {
              "id": "T1185",
              "name": "Man in the Browser",
              "display_name": "T1185 - Man in the Browser"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "69c425ecfef08de19b962774",
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "IPv4": 1541,
            "URL": 2403,
            "domain": 328,
            "hostname": 593,
            "FileHash-MD5": 142,
            "FileHash-SHA1": 176,
            "FileHash-SHA256": 574,
            "email": 3,
            "SSLCertFingerprint": 10
          },
          "indicator_count": 5770,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 141,
          "modified_text": "24 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69c425ecfef08de19b962774",
          "name": "CoolWebSearch \u2022 Engine - Browser Hijack | Affects DropBox + other services | Checkin | Tracking | Installer #pegasus_related",
          "description": "",
          "modified": "2026-03-25T18:14:04.398000",
          "created": "2026-03-25T18:14:04.398000",
          "tags": [
            "lowfi",
            "ransom",
            "trojan",
            "mtb oct",
            "win32",
            "kingwe",
            "files",
            "files ip",
            "all ipv4",
            "america flag",
            "United States",
            "win32mydoom",
            "otx logo",
            "urls",
            "reverse dns",
            "cnc style",
            "cnc checkin",
            "style",
            "install cnc",
            "initial install",
            "activity",
            "win32mydoom sep",
            "worm",
            "win32mydoom oct",
            "win32getnow oct",
            "unknown ns",
            "search",
            "browser",
            "hijackers",
            "file format",
            "malwarerid",
            "majauskas",
            "google",
            "report",
            "once",
            "malicious",
            "malware",
            "overview ip",
            "address",
            "asn as46475",
            "nameservers",
            "related tags",
            "spf record",
            "tags",
            "domain",
            "name",
            "query time",
            "cyprus update",
            "united states",
            "browser hijacker",
            "install",
            "handle",
            "entity",
            "key identifier",
            "x509v3 subject",
            "host name",
            "data",
            "v3 serial",
            "number",
            "cus olet",
            "encrypt cnr12",
            "ttl value",
            "thumbprint",
            "enabled",
            "malvertising",
            "encoded_htm!",
            "new_domain",
            "suspicious_redirect",
            "proximity",
            "tracking_infrastructure",
            "passive dns",
            "http",
            "ip address",
            "related nids",
            "files location",
            "checkin worm",
            "mydoom checkin",
            "useragent",
            "checkin cnc",
            "acti cnc",
            "beac track",
            "failed\u0661\u0668",
            "data upload",
            "extraction",
            "winsoft",
            "checkin",
            "learn",
            "ck id",
            "name tactics",
            "suspicious",
            "informative",
            "command",
            "adversaries",
            "javascript",
            "defense evasion",
            "spawns",
            "over",
            "mitre att",
            "show technique",
            "ck matrix",
            "ascii text",
            "body",
            "title",
            "encrypt",
            "refresh",
            "hybrid",
            "general",
            "local",
            "path",
            "click",
            "strings",
            "dynamicloader",
            "medium",
            "high",
            "et exploit",
            "write c",
            "default",
            "probe ms17010",
            "write",
            "copy",
            "pegasus related"
          ],
          "references": [
            "coolwebsearch.info | browser hijacker, malware , malicious",
            "Winsoft.E Checkin 3 Trojan.Generic.KDV.91800 Checkin PUP Win32/GetNow.B",
            "Checkin Worm.Mydoom Checkin User-Agent (explwer) Win32/Fosniw MacTryCnt CnC Style",
            "Checkin Win32/Fosniw CnC Checkin Style 2 Win32/Adware.iBryte.BO",
            "CnC Activity W32/SpeedingUpMyPC.Rootkit Install",
            "CnC Beacon Win32/InstallCore Initial Install Activity 2",
            "track.aptitudemedia.co/redirect?target=BASE64aHR0cDovL3RyYWNrLmNxcXNmLmNvbS9hZmZfYz9vZmZlcl9pZD0zNDI3JmFmZl9pZD0yNDM4NyZzb3VyY2U9OTI0MzhmOTktOGM5Yi00ODBjLWJjN2ItZGRiYzc2NDRhMjI3JmFmZl9zdWI9d001T0gxUUtVNzk5MUJUS0hDUklMSjhL"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Win.Malware.Generickdz-9918324-0",
              "display_name": "Win.Malware.Generickdz-9918324-0",
              "target": null
            },
            {
              "id": "Trojan:Win32/Mydoom",
              "display_name": "Trojan:Win32/Mydoom",
              "target": "/malware/Trojan:Win32/Mydoom"
            },
            {
              "id": "ALF:HeraklezEval:PUA:Win32/InstallCore.R",
              "display_name": "ALF:HeraklezEval:PUA:Win32/InstallCore.R",
              "target": null
            },
            {
              "id": "Win.Trojan.Generic-9909777-0",
              "display_name": "Win.Trojan.Generic-9909777-0",
              "target": null
            },
            {
              "id": "Win.Malware.Installcore-9794583-0",
              "display_name": "Win.Malware.Installcore-9794583-0",
              "target": null
            },
            {
              "id": "Ransom:Win32/WannaCrypt.H",
              "display_name": "Ransom:Win32/WannaCrypt.H",
              "target": "/malware/Ransom:Win32/WannaCrypt.H"
            },
            {
              "id": "Win.Dropper.DarkKomet-9370806-0",
              "display_name": "Win.Dropper.DarkKomet-9370806-0",
              "target": null
            },
            {
              "id": "Win.Malware.Generic-9963787-0",
              "display_name": "Win.Malware.Generic-9963787-0",
              "target": null
            },
            {
              "id": "Win.Trojan.Generic-9909777-0 #LowFi:HSTR:OptimumInstaller",
              "display_name": "Win.Trojan.Generic-9909777-0 #LowFi:HSTR:OptimumInstaller",
              "target": null
            },
            {
              "id": "Win.Malware.Mydoom-6804696-0\tWorm:Win32/Mydoom Win.Malware.Mydoom-6804696-0\tWorm:Win32/Mydoom Sep 18, 2023\t0d35f0736ce0f4d24c31ec3e940ffb1378d3151d7038a859819d2640cab30da1\t\t\t\t#LowFi:HSTR:OptimumInstal",
              "display_name": "Win.Malware.Mydoom-6804696-0\tWorm:Win32/Mydoom Win.Malware.Mydoom-6804696-0\tWorm:Win32/Mydoom Sep 18, 2023\t0d35f0736ce0f4d24c31ec3e940ffb1378d3151d7038a859819d2640cab30da1\t\t\t\t#LowFi:HSTR:OptimumInstal",
              "target": null
            },
            {
              "id": "Tags",
              "display_name": "Tags",
              "target": null
            },
            {
              "id": "Winsoft",
              "display_name": "Winsoft",
              "target": null
            },
            {
              "id": "Checkin",
              "display_name": "Checkin",
              "target": null
            },
            {
              "id": "CoolWebService",
              "display_name": "CoolWebService",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1048",
              "name": "Exfiltration Over Alternative Protocol",
              "display_name": "T1048 - Exfiltration Over Alternative Protocol"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1069",
              "name": "Permission Groups Discovery",
              "display_name": "T1069 - Permission Groups Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1189",
              "name": "Drive-by Compromise",
              "display_name": "T1189 - Drive-by Compromise"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1480",
              "name": "Execution Guardrails",
              "display_name": "T1480 - Execution Guardrails"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1568",
              "name": "Dynamic Resolution",
              "display_name": "T1568 - Dynamic Resolution"
            },
            {
              "id": "T1583",
              "name": "Acquire Infrastructure",
              "display_name": "T1583 - Acquire Infrastructure"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1583.001",
              "name": "Domains",
              "display_name": "T1583.001 - Domains"
            },
            {
              "id": "T1566.002",
              "name": "Spearphishing Link",
              "display_name": "T1566.002 - Spearphishing Link"
            },
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1553.002",
              "name": "Code Signing",
              "display_name": "T1553.002 - Code Signing"
            },
            {
              "id": "T1069.002",
              "name": "Domain Groups",
              "display_name": "T1069.002 - Domain Groups"
            },
            {
              "id": "T1568.002",
              "name": "Domain Generation Algorithms",
              "display_name": "T1568.002 - Domain Generation Algorithms"
            },
            {
              "id": "T1048.003",
              "name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol",
              "display_name": "T1048.003 - Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol"
            },
            {
              "id": "T1113",
              "name": "Screen Capture",
              "display_name": "T1113 - Screen Capture"
            },
            {
              "id": "T1583.005",
              "name": "Botnet",
              "display_name": "T1583.005 - Botnet"
            },
            {
              "id": "T1045",
              "name": "Software Packing",
              "display_name": "T1045 - Software Packing"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1449",
              "name": "Exploit SS7 to Redirect Phone Calls/SMS",
              "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
            },
            {
              "id": "T1185",
              "name": "Man in the Browser",
              "display_name": "T1185 - Man in the Browser"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "69c41ac489f8cd00a59ef43e",
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "IPv4": 1541,
            "URL": 2403,
            "domain": 328,
            "hostname": 593,
            "FileHash-MD5": 142,
            "FileHash-SHA1": 176,
            "FileHash-SHA256": 574,
            "email": 3,
            "SSLCertFingerprint": 10
          },
          "indicator_count": 5770,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 138,
          "modified_text": "24 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69c41ac489f8cd00a59ef43e",
          "name": "CoolWebService -Browser Hijack | Affects DropBox and other services | Checkin",
          "description": "CoolWebService -Browser Hijack | Affects DropBox and other services | Checkin | Tracking \n| Search Engine Installer \n#pegasus_related",
          "modified": "2026-03-25T17:26:28.750000",
          "created": "2026-03-25T17:26:28.750000",
          "tags": [
            "lowfi",
            "ransom",
            "trojan",
            "mtb oct",
            "win32",
            "kingwe",
            "files",
            "files ip",
            "all ipv4",
            "america flag",
            "United States",
            "win32mydoom",
            "otx logo",
            "urls",
            "reverse dns",
            "cnc style",
            "cnc checkin",
            "style",
            "install cnc",
            "initial install",
            "activity",
            "win32mydoom sep",
            "worm",
            "win32mydoom oct",
            "win32getnow oct",
            "unknown ns",
            "search",
            "browser",
            "hijackers",
            "file format",
            "malwarerid",
            "majauskas",
            "google",
            "report",
            "once",
            "malicious",
            "malware",
            "overview ip",
            "address",
            "asn as46475",
            "nameservers",
            "related tags",
            "spf record",
            "tags",
            "domain",
            "name",
            "query time",
            "cyprus update",
            "united states",
            "browser hijacker",
            "install",
            "handle",
            "entity",
            "key identifier",
            "x509v3 subject",
            "host name",
            "data",
            "v3 serial",
            "number",
            "cus olet",
            "encrypt cnr12",
            "ttl value",
            "thumbprint",
            "enabled",
            "malvertising",
            "encoded_htm!",
            "new_domain",
            "suspicious_redirect",
            "proximity",
            "tracking_infrastructure",
            "passive dns",
            "http",
            "ip address",
            "related nids",
            "files location",
            "checkin worm",
            "mydoom checkin",
            "useragent",
            "checkin cnc",
            "acti cnc",
            "beac track",
            "failed\u0661\u0668",
            "data upload",
            "extraction",
            "winsoft",
            "checkin",
            "learn",
            "ck id",
            "name tactics",
            "suspicious",
            "informative",
            "command",
            "adversaries",
            "javascript",
            "defense evasion",
            "spawns",
            "over",
            "mitre att",
            "show technique",
            "ck matrix",
            "ascii text",
            "body",
            "title",
            "encrypt",
            "refresh",
            "hybrid",
            "general",
            "local",
            "path",
            "click",
            "strings",
            "dynamicloader",
            "medium",
            "high",
            "et exploit",
            "write c",
            "default",
            "probe ms17010",
            "write",
            "copy",
            "pegasus related"
          ],
          "references": [
            "coolwebsearch.info | browser hijacker, malware , malicious",
            "Winsoft.E Checkin 3 Trojan.Generic.KDV.91800 Checkin PUP Win32/GetNow.B",
            "Checkin Worm.Mydoom Checkin User-Agent (explwer) Win32/Fosniw MacTryCnt CnC Style",
            "Checkin Win32/Fosniw CnC Checkin Style 2 Win32/Adware.iBryte.BO",
            "CnC Activity W32/SpeedingUpMyPC.Rootkit Install",
            "CnC Beacon Win32/InstallCore Initial Install Activity 2",
            "track.aptitudemedia.co/redirect?target=BASE64aHR0cDovL3RyYWNrLmNxcXNmLmNvbS9hZmZfYz9vZmZlcl9pZD0zNDI3JmFmZl9pZD0yNDM4NyZzb3VyY2U9OTI0MzhmOTktOGM5Yi00ODBjLWJjN2ItZGRiYzc2NDRhMjI3JmFmZl9zdWI9d001T0gxUUtVNzk5MUJUS0hDUklMSjhL"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Win.Malware.Generickdz-9918324-0",
              "display_name": "Win.Malware.Generickdz-9918324-0",
              "target": null
            },
            {
              "id": "Trojan:Win32/Mydoom",
              "display_name": "Trojan:Win32/Mydoom",
              "target": "/malware/Trojan:Win32/Mydoom"
            },
            {
              "id": "ALF:HeraklezEval:PUA:Win32/InstallCore.R",
              "display_name": "ALF:HeraklezEval:PUA:Win32/InstallCore.R",
              "target": null
            },
            {
              "id": "Win.Trojan.Generic-9909777-0",
              "display_name": "Win.Trojan.Generic-9909777-0",
              "target": null
            },
            {
              "id": "Win.Malware.Installcore-9794583-0",
              "display_name": "Win.Malware.Installcore-9794583-0",
              "target": null
            },
            {
              "id": "Ransom:Win32/WannaCrypt.H",
              "display_name": "Ransom:Win32/WannaCrypt.H",
              "target": "/malware/Ransom:Win32/WannaCrypt.H"
            },
            {
              "id": "Win.Dropper.DarkKomet-9370806-0",
              "display_name": "Win.Dropper.DarkKomet-9370806-0",
              "target": null
            },
            {
              "id": "Win.Malware.Generic-9963787-0",
              "display_name": "Win.Malware.Generic-9963787-0",
              "target": null
            },
            {
              "id": "Win.Trojan.Generic-9909777-0 #LowFi:HSTR:OptimumInstaller",
              "display_name": "Win.Trojan.Generic-9909777-0 #LowFi:HSTR:OptimumInstaller",
              "target": null
            },
            {
              "id": "Win.Malware.Mydoom-6804696-0\tWorm:Win32/Mydoom Win.Malware.Mydoom-6804696-0\tWorm:Win32/Mydoom Sep 18, 2023\t0d35f0736ce0f4d24c31ec3e940ffb1378d3151d7038a859819d2640cab30da1\t\t\t\t#LowFi:HSTR:OptimumInstal",
              "display_name": "Win.Malware.Mydoom-6804696-0\tWorm:Win32/Mydoom Win.Malware.Mydoom-6804696-0\tWorm:Win32/Mydoom Sep 18, 2023\t0d35f0736ce0f4d24c31ec3e940ffb1378d3151d7038a859819d2640cab30da1\t\t\t\t#LowFi:HSTR:OptimumInstal",
              "target": null
            },
            {
              "id": "Tags",
              "display_name": "Tags",
              "target": null
            },
            {
              "id": "Winsoft",
              "display_name": "Winsoft",
              "target": null
            },
            {
              "id": "Checkin",
              "display_name": "Checkin",
              "target": null
            },
            {
              "id": "CoolWebService",
              "display_name": "CoolWebService",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1048",
              "name": "Exfiltration Over Alternative Protocol",
              "display_name": "T1048 - Exfiltration Over Alternative Protocol"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1069",
              "name": "Permission Groups Discovery",
              "display_name": "T1069 - Permission Groups Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1189",
              "name": "Drive-by Compromise",
              "display_name": "T1189 - Drive-by Compromise"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1480",
              "name": "Execution Guardrails",
              "display_name": "T1480 - Execution Guardrails"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1568",
              "name": "Dynamic Resolution",
              "display_name": "T1568 - Dynamic Resolution"
            },
            {
              "id": "T1583",
              "name": "Acquire Infrastructure",
              "display_name": "T1583 - Acquire Infrastructure"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1583.001",
              "name": "Domains",
              "display_name": "T1583.001 - Domains"
            },
            {
              "id": "T1566.002",
              "name": "Spearphishing Link",
              "display_name": "T1566.002 - Spearphishing Link"
            },
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1553.002",
              "name": "Code Signing",
              "display_name": "T1553.002 - Code Signing"
            },
            {
              "id": "T1069.002",
              "name": "Domain Groups",
              "display_name": "T1069.002 - Domain Groups"
            },
            {
              "id": "T1568.002",
              "name": "Domain Generation Algorithms",
              "display_name": "T1568.002 - Domain Generation Algorithms"
            },
            {
              "id": "T1048.003",
              "name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol",
              "display_name": "T1048.003 - Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol"
            },
            {
              "id": "T1113",
              "name": "Screen Capture",
              "display_name": "T1113 - Screen Capture"
            },
            {
              "id": "T1583.005",
              "name": "Botnet",
              "display_name": "T1583.005 - Botnet"
            },
            {
              "id": "T1045",
              "name": "Software Packing",
              "display_name": "T1045 - Software Packing"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1449",
              "name": "Exploit SS7 to Redirect Phone Calls/SMS",
              "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
            },
            {
              "id": "T1185",
              "name": "Man in the Browser",
              "display_name": "T1185 - Man in the Browser"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "IPv4": 1541,
            "URL": 2403,
            "domain": 328,
            "hostname": 593,
            "FileHash-MD5": 142,
            "FileHash-SHA1": 176,
            "FileHash-SHA256": 574,
            "email": 3,
            "SSLCertFingerprint": 10
          },
          "indicator_count": 5770,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 138,
          "modified_text": "25 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68ec0870475174302c733fa2",
          "name": "Cyber Crime - Emotet | Tofsee CnC | Targeting \u2022  Streaming \u2022 Stealing",
          "description": "I\u2019ve heard of mortis.com from a target. It was heavily suggested on targets YouTube homepage. I hadn\u2019t had thought to research link until Friday.\n\n Doing my due diligence I\u2019ve been viewing potential issues targets family member/s may be and his having with technology.\n\nSmart TV is completely hacked. playlist tampering , heavy downloading daily  when TV is on , off or unplugged. \n I watched this TV monitored data volume , noted    continued suggestions for Mortis.com , \ntouted  . Obviously, a threat. YouTuber warns not go in and no one can get in which is insanely stupid.  OTX issues,. Several pulse attempts later ,  constant refreshing and deleting of IoC this is all what remains. Streaming services, webcams and multiple labeled rooms. I have no idea the point of  death threats especially since God can mow anyone down. Who promised you another breath? Target seems to be  the only person targeted. Multiple Foundry , PayPal  Palantir\nLinks , Boeing, JetBlue Twitter , Apple loading issues.",
          "modified": "2025-11-11T04:02:27.091000",
          "created": "2025-10-12T19:58:40.472000",
          "tags": [
            "url https",
            "indicator role",
            "active related",
            "united",
            "ip address",
            "unknown ns",
            "x82xd4",
            "x86xd3",
            "xa1xf1",
            "xe8xc2x14",
            "win32tofsee",
            "trojan",
            "win32tofsee att",
            "ck ids",
            "t1096",
            "ntfs file",
            "service",
            "united kingdom",
            "germany",
            "netherlands",
            "mortis.com",
            "dead",
            "death",
            "foundry",
            "paypal",
            "home visitor",
            "psalms 37",
            "trojan",
            "emotet",
            "boeing",
            "apple",
            "streaming",
            "kryptik",
            "myundeadneighbor",
            "windstream communications llc",
            "command",
            "tofsee",
            "kx81xdbx0f",
            "wx99xcdx11",
            "stream",
            "write",
            "malware",
            "tsara brashears",
            "regsetvalueexa",
            "malware",
            "win32",
            "persistence",
            "execution",
            "push",
            "shellexecuteexw",
            "windows",
            "botnet",
            "backdoor",
            "writeconsolew",
            "displayname",
            "sddl",
            "hash",
            "ip address",
            "ssl certificate",
            "spawns",
            "initial access",
            "adversaries",
            "name tactics",
            "t1031",
            "registry",
            "dock",
            "suspicious",
            "learn",
            "phishing att",
            "infection",
            "commandand_and_control",
            "informative",
            "jetblue",
            "porn",
            "keylogger",
            "remote keylogger",
            "parklogic",
            "parking crew",
            "park pages",
            "cyber crime",
            "data brokers",
            "info stealers",
            "password",
            "masquerading",
            "discord",
            "sophisticated",
            "dga domains",
            "pit",
            "rotor",
            "hello",
            "targeting",
            "games"
          ],
          "references": [
            "mortis.com",
            "I unintentionally made the first pulse Public.",
            "Stalker/Lurker?http://myundeadneighbor.com | Parking Crews | Parklogic",
            "assassinationmarkets.com",
            "https://id.security.trackid",
            "https://id.security.trackid.piwikb7c1867dd7ba9c57.2ce7e2c4000f72e3204af57fac31aafd.mailingmarketing.net/",
            "https://id.login.update.ssl.encryption-6159368de39251d7a-login.id.security.trackid.piwikb7c1867dd7ba9c57.e988d676bdb63f3b4dbcdc53578a9b26.mailingmarketing.net/",
            "Hmm, cyber criminals use parking pages for malvertizing malicious content & intent  , reputation content, etc",
            "https://www.gov.pl/attachment/65dfce94-31f9-4523-8d3b-89df3d4c5f75"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Trojan:Win32/Emotet.PC!MTB",
              "display_name": "Trojan:Win32/Emotet.PC!MTB",
              "target": "/malware/Trojan:Win32/Emotet.PC!MTB"
            },
            {
              "id": "Trojan:Win32/Emotet.KDS!MTB",
              "display_name": "Trojan:Win32/Emotet.KDS!MTB",
              "target": "/malware/Trojan:Win32/Emotet.KDS!MTB"
            },
            {
              "id": "Backdoor:Win32/Tofsee.T",
              "display_name": "Backdoor:Win32/Tofsee.T",
              "target": "/malware/Backdoor:Win32/Tofsee.T"
            },
            {
              "id": "Win.Malware.Tofsee-6880878-0",
              "display_name": "Win.Malware.Tofsee-6880878-0",
              "target": null
            },
            {
              "id": "Tofsee",
              "display_name": "Tofsee",
              "target": null
            },
            {
              "id": "Win32:Kryptik-PLL",
              "display_name": "Win32:Kryptik-PLL",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1031",
              "name": "Modify Existing Service",
              "display_name": "T1031 - Modify Existing Service"
            },
            {
              "id": "T1045",
              "name": "Software Packing",
              "display_name": "T1045 - Software Packing"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1069",
              "name": "Permission Groups Discovery",
              "display_name": "T1069 - Permission Groups Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1096",
              "name": "NTFS File Attributes",
              "display_name": "T1096 - NTFS File Attributes"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1112",
              "name": "Modify Registry",
              "display_name": "T1112 - Modify Registry"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1143",
              "name": "Hidden Window",
              "display_name": "T1143 - Hidden Window"
            },
            {
              "id": "T1480",
              "name": "Execution Guardrails",
              "display_name": "T1480 - Execution Guardrails"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1583",
              "name": "Acquire Infrastructure",
              "display_name": "T1583 - Acquire Infrastructure"
            },
            {
              "id": "TA0011",
              "name": "Command and Control",
              "display_name": "TA0011 - Command and Control"
            },
            {
              "id": "T1210",
              "name": "Exploitation of Remote Services",
              "display_name": "T1210 - Exploitation of Remote Services"
            },
            {
              "id": "T1068",
              "name": "Exploitation for Privilege Escalation",
              "display_name": "T1068 - Exploitation for Privilege Escalation"
            },
            {
              "id": "T1583.005",
              "name": "Botnet",
              "display_name": "T1583.005 - Botnet"
            },
            {
              "id": "T1056.001",
              "name": "Keylogging",
              "display_name": "T1056.001 - Keylogging"
            },
            {
              "id": "T1003.008",
              "name": "/etc/passwd and /etc/shadow",
              "display_name": "T1003.008 - /etc/passwd and /etc/shadow"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 11,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 2407,
            "domain": 2321,
            "hostname": 983,
            "FileHash-SHA256": 3035,
            "FileHash-MD5": 228,
            "FileHash-SHA1": 231,
            "email": 1,
            "FilePath": 3
          },
          "indicator_count": 9209,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 140,
          "modified_text": "159 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://id.security.trackid",
        "track.aptitudemedia.co/redirect?target=BASE64aHR0cDovL3RyYWNrLmNxcXNmLmNvbS9hZmZfYz9vZmZlcl9pZD0zNDI3JmFmZl9pZD0yNDM4NyZzb3VyY2U9OTI0MzhmOTktOGM5Yi00ODBjLWJjN2ItZGRiYzc2NDRhMjI3JmFmZl9zdWI9d001T0gxUUtVNzk5MUJUS0hDUklMSjhL",
        "coolwebsearch.info | browser hijacker, malware , malicious",
        "Checkin Worm.Mydoom Checkin User-Agent (explwer) Win32/Fosniw MacTryCnt CnC Style",
        "CnC Activity W32/SpeedingUpMyPC.Rootkit Install",
        "CnC Beacon Win32/InstallCore Initial Install Activity 2",
        "I unintentionally made the first pulse Public.",
        "https://id.login.update.ssl.encryption-6159368de39251d7a-login.id.security.trackid.piwikb7c1867dd7ba9c57.e988d676bdb63f3b4dbcdc53578a9b26.mailingmarketing.net/",
        "https://www.gov.pl/attachment/65dfce94-31f9-4523-8d3b-89df3d4c5f75",
        "assassinationmarkets.com",
        "mortis.com",
        "Winsoft.E Checkin 3 Trojan.Generic.KDV.91800 Checkin PUP Win32/GetNow.B",
        "https://id.security.trackid.piwikb7c1867dd7ba9c57.2ce7e2c4000f72e3204af57fac31aafd.mailingmarketing.net/",
        "Stalker/Lurker?http://myundeadneighbor.com | Parking Crews | Parklogic",
        "Hmm, cyber criminals use parking pages for malvertizing malicious content & intent  , reputation content, etc",
        "Checkin Win32/Fosniw CnC Checkin Style 2 Win32/Adware.iBryte.BO"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": []
        },
        "other": {
          "adversary": [],
          "malware_families": [
            "Win.trojan.generic-9909777-0",
            "Checkin",
            "Tags",
            "Win.dropper.darkkomet-9370806-0",
            "Win.trojan.generic-9909777-0 #lowfi:hstr:optimuminstaller",
            "Win.malware.installcore-9794583-0",
            "Win.malware.mydoom-6804696-0\tworm:win32/mydoom win.malware.mydoom-6804696-0\tworm:win32/mydoom sep 18, 2023\t0d35f0736ce0f4d24c31ec3e940ffb1378d3151d7038a859819d2640cab30da1\t\t\t\t#lowfi:hstr:optimuminstal",
            "Ransom:win32/wannacrypt.h",
            "Win.malware.generickdz-9918324-0",
            "Coolwebservice",
            "Winsoft",
            "Win.malware.generic-9963787-0",
            "Win.malware.tofsee-6880878-0",
            "Trojan:win32/mydoom",
            "Win32:kryptik-pll",
            "Trojan:win32/emotet.kds!mtb",
            "Trojan:win32/emotet.pc!mtb",
            "Backdoor:win32/tofsee.t",
            "Alf:heraklezeval:pua:win32/installcore.r",
            "Tofsee"
          ],
          "industries": []
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 4,
  "pulses": [
    {
      "id": "69c4281f5f232316375b225e",
      "name": "CoolWebSearch \u2022 Engine \u2022 Browser Hijack | Ransomware | Checkin | Tracking | Installer #pegasus_related",
      "description": "",
      "modified": "2026-03-25T18:23:27.601000",
      "created": "2026-03-25T18:23:27.601000",
      "tags": [
        "lowfi",
        "ransom",
        "trojan",
        "mtb oct",
        "win32",
        "kingwe",
        "files",
        "files ip",
        "all ipv4",
        "america flag",
        "United States",
        "win32mydoom",
        "otx logo",
        "urls",
        "reverse dns",
        "cnc style",
        "cnc checkin",
        "style",
        "install cnc",
        "initial install",
        "activity",
        "win32mydoom sep",
        "worm",
        "win32mydoom oct",
        "win32getnow oct",
        "unknown ns",
        "search",
        "browser",
        "hijackers",
        "file format",
        "malwarerid",
        "majauskas",
        "google",
        "report",
        "once",
        "malicious",
        "malware",
        "overview ip",
        "address",
        "asn as46475",
        "nameservers",
        "related tags",
        "spf record",
        "tags",
        "domain",
        "name",
        "query time",
        "cyprus update",
        "united states",
        "browser hijacker",
        "install",
        "handle",
        "entity",
        "key identifier",
        "x509v3 subject",
        "host name",
        "data",
        "v3 serial",
        "number",
        "cus olet",
        "encrypt cnr12",
        "ttl value",
        "thumbprint",
        "enabled",
        "malvertising",
        "encoded_htm!",
        "new_domain",
        "suspicious_redirect",
        "proximity",
        "tracking_infrastructure",
        "passive dns",
        "http",
        "ip address",
        "related nids",
        "files location",
        "checkin worm",
        "mydoom checkin",
        "useragent",
        "checkin cnc",
        "acti cnc",
        "beac track",
        "failed\u0661\u0668",
        "data upload",
        "extraction",
        "winsoft",
        "checkin",
        "learn",
        "ck id",
        "name tactics",
        "suspicious",
        "informative",
        "command",
        "adversaries",
        "javascript",
        "defense evasion",
        "spawns",
        "over",
        "mitre att",
        "show technique",
        "ck matrix",
        "ascii text",
        "body",
        "title",
        "encrypt",
        "refresh",
        "hybrid",
        "general",
        "local",
        "path",
        "click",
        "strings",
        "dynamicloader",
        "medium",
        "high",
        "et exploit",
        "write c",
        "default",
        "probe ms17010",
        "write",
        "copy",
        "pegasus related"
      ],
      "references": [
        "coolwebsearch.info | browser hijacker, malware , malicious",
        "Winsoft.E Checkin 3 Trojan.Generic.KDV.91800 Checkin PUP Win32/GetNow.B",
        "Checkin Worm.Mydoom Checkin User-Agent (explwer) Win32/Fosniw MacTryCnt CnC Style",
        "Checkin Win32/Fosniw CnC Checkin Style 2 Win32/Adware.iBryte.BO",
        "CnC Activity W32/SpeedingUpMyPC.Rootkit Install",
        "CnC Beacon Win32/InstallCore Initial Install Activity 2",
        "track.aptitudemedia.co/redirect?target=BASE64aHR0cDovL3RyYWNrLmNxcXNmLmNvbS9hZmZfYz9vZmZlcl9pZD0zNDI3JmFmZl9pZD0yNDM4NyZzb3VyY2U9OTI0MzhmOTktOGM5Yi00ODBjLWJjN2ItZGRiYzc2NDRhMjI3JmFmZl9zdWI9d001T0gxUUtVNzk5MUJUS0hDUklMSjhL"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Win.Malware.Generickdz-9918324-0",
          "display_name": "Win.Malware.Generickdz-9918324-0",
          "target": null
        },
        {
          "id": "Trojan:Win32/Mydoom",
          "display_name": "Trojan:Win32/Mydoom",
          "target": "/malware/Trojan:Win32/Mydoom"
        },
        {
          "id": "ALF:HeraklezEval:PUA:Win32/InstallCore.R",
          "display_name": "ALF:HeraklezEval:PUA:Win32/InstallCore.R",
          "target": null
        },
        {
          "id": "Win.Trojan.Generic-9909777-0",
          "display_name": "Win.Trojan.Generic-9909777-0",
          "target": null
        },
        {
          "id": "Win.Malware.Installcore-9794583-0",
          "display_name": "Win.Malware.Installcore-9794583-0",
          "target": null
        },
        {
          "id": "Ransom:Win32/WannaCrypt.H",
          "display_name": "Ransom:Win32/WannaCrypt.H",
          "target": "/malware/Ransom:Win32/WannaCrypt.H"
        },
        {
          "id": "Win.Dropper.DarkKomet-9370806-0",
          "display_name": "Win.Dropper.DarkKomet-9370806-0",
          "target": null
        },
        {
          "id": "Win.Malware.Generic-9963787-0",
          "display_name": "Win.Malware.Generic-9963787-0",
          "target": null
        },
        {
          "id": "Win.Trojan.Generic-9909777-0 #LowFi:HSTR:OptimumInstaller",
          "display_name": "Win.Trojan.Generic-9909777-0 #LowFi:HSTR:OptimumInstaller",
          "target": null
        },
        {
          "id": "Win.Malware.Mydoom-6804696-0\tWorm:Win32/Mydoom Win.Malware.Mydoom-6804696-0\tWorm:Win32/Mydoom Sep 18, 2023\t0d35f0736ce0f4d24c31ec3e940ffb1378d3151d7038a859819d2640cab30da1\t\t\t\t#LowFi:HSTR:OptimumInstal",
          "display_name": "Win.Malware.Mydoom-6804696-0\tWorm:Win32/Mydoom Win.Malware.Mydoom-6804696-0\tWorm:Win32/Mydoom Sep 18, 2023\t0d35f0736ce0f4d24c31ec3e940ffb1378d3151d7038a859819d2640cab30da1\t\t\t\t#LowFi:HSTR:OptimumInstal",
          "target": null
        },
        {
          "id": "Tags",
          "display_name": "Tags",
          "target": null
        },
        {
          "id": "Winsoft",
          "display_name": "Winsoft",
          "target": null
        },
        {
          "id": "Checkin",
          "display_name": "Checkin",
          "target": null
        },
        {
          "id": "CoolWebService",
          "display_name": "CoolWebService",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1048",
          "name": "Exfiltration Over Alternative Protocol",
          "display_name": "T1048 - Exfiltration Over Alternative Protocol"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1069",
          "name": "Permission Groups Discovery",
          "display_name": "T1069 - Permission Groups Discovery"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1189",
          "name": "Drive-by Compromise",
          "display_name": "T1189 - Drive-by Compromise"
        },
        {
          "id": "T1204",
          "name": "User Execution",
          "display_name": "T1204 - User Execution"
        },
        {
          "id": "T1480",
          "name": "Execution Guardrails",
          "display_name": "T1480 - Execution Guardrails"
        },
        {
          "id": "T1553",
          "name": "Subvert Trust Controls",
          "display_name": "T1553 - Subvert Trust Controls"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1568",
          "name": "Dynamic Resolution",
          "display_name": "T1568 - Dynamic Resolution"
        },
        {
          "id": "T1583",
          "name": "Acquire Infrastructure",
          "display_name": "T1583 - Acquire Infrastructure"
        },
        {
          "id": "T1071.004",
          "name": "DNS",
          "display_name": "T1071.004 - DNS"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        },
        {
          "id": "T1583.001",
          "name": "Domains",
          "display_name": "T1583.001 - Domains"
        },
        {
          "id": "T1566.002",
          "name": "Spearphishing Link",
          "display_name": "T1566.002 - Spearphishing Link"
        },
        {
          "id": "T1059.007",
          "name": "JavaScript",
          "display_name": "T1059.007 - JavaScript"
        },
        {
          "id": "T1553.002",
          "name": "Code Signing",
          "display_name": "T1553.002 - Code Signing"
        },
        {
          "id": "T1069.002",
          "name": "Domain Groups",
          "display_name": "T1069.002 - Domain Groups"
        },
        {
          "id": "T1568.002",
          "name": "Domain Generation Algorithms",
          "display_name": "T1568.002 - Domain Generation Algorithms"
        },
        {
          "id": "T1048.003",
          "name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol",
          "display_name": "T1048.003 - Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol"
        },
        {
          "id": "T1113",
          "name": "Screen Capture",
          "display_name": "T1113 - Screen Capture"
        },
        {
          "id": "T1583.005",
          "name": "Botnet",
          "display_name": "T1583.005 - Botnet"
        },
        {
          "id": "T1045",
          "name": "Software Packing",
          "display_name": "T1045 - Software Packing"
        },
        {
          "id": "T1060",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1060 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1449",
          "name": "Exploit SS7 to Redirect Phone Calls/SMS",
          "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
        },
        {
          "id": "T1185",
          "name": "Man in the Browser",
          "display_name": "T1185 - Man in the Browser"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": "69c425ecfef08de19b962774",
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Q.Vashti",
        "id": "337942",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "IPv4": 1541,
        "URL": 2403,
        "domain": 328,
        "hostname": 593,
        "FileHash-MD5": 142,
        "FileHash-SHA1": 176,
        "FileHash-SHA256": 574,
        "email": 3,
        "SSLCertFingerprint": 10
      },
      "indicator_count": 5770,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 141,
      "modified_text": "24 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69c425ecfef08de19b962774",
      "name": "CoolWebSearc \u2022 Engine -Browser Hijack | Affects DropBox + other services | Checkin | Tracking | Installer #pegasus_related",
      "description": "",
      "modified": "2026-03-25T18:14:04.398000",
      "created": "2026-03-25T18:14:04.398000",
      "tags": [
        "lowfi",
        "ransom",
        "trojan",
        "mtb oct",
        "win32",
        "kingwe",
        "files",
        "files ip",
        "all ipv4",
        "america flag",
        "United States",
        "win32mydoom",
        "otx logo",
        "urls",
        "reverse dns",
        "cnc style",
        "cnc checkin",
        "style",
        "install cnc",
        "initial install",
        "activity",
        "win32mydoom sep",
        "worm",
        "win32mydoom oct",
        "win32getnow oct",
        "unknown ns",
        "search",
        "browser",
        "hijackers",
        "file format",
        "malwarerid",
        "majauskas",
        "google",
        "report",
        "once",
        "malicious",
        "malware",
        "overview ip",
        "address",
        "asn as46475",
        "nameservers",
        "related tags",
        "spf record",
        "tags",
        "domain",
        "name",
        "query time",
        "cyprus update",
        "united states",
        "browser hijacker",
        "install",
        "handle",
        "entity",
        "key identifier",
        "x509v3 subject",
        "host name",
        "data",
        "v3 serial",
        "number",
        "cus olet",
        "encrypt cnr12",
        "ttl value",
        "thumbprint",
        "enabled",
        "malvertising",
        "encoded_htm!",
        "new_domain",
        "suspicious_redirect",
        "proximity",
        "tracking_infrastructure",
        "passive dns",
        "http",
        "ip address",
        "related nids",
        "files location",
        "checkin worm",
        "mydoom checkin",
        "useragent",
        "checkin cnc",
        "acti cnc",
        "beac track",
        "failed\u0661\u0668",
        "data upload",
        "extraction",
        "winsoft",
        "checkin",
        "learn",
        "ck id",
        "name tactics",
        "suspicious",
        "informative",
        "command",
        "adversaries",
        "javascript",
        "defense evasion",
        "spawns",
        "over",
        "mitre att",
        "show technique",
        "ck matrix",
        "ascii text",
        "body",
        "title",
        "encrypt",
        "refresh",
        "hybrid",
        "general",
        "local",
        "path",
        "click",
        "strings",
        "dynamicloader",
        "medium",
        "high",
        "et exploit",
        "write c",
        "default",
        "probe ms17010",
        "write",
        "copy",
        "pegasus related"
      ],
      "references": [
        "coolwebsearch.info | browser hijacker, malware , malicious",
        "Winsoft.E Checkin 3 Trojan.Generic.KDV.91800 Checkin PUP Win32/GetNow.B",
        "Checkin Worm.Mydoom Checkin User-Agent (explwer) Win32/Fosniw MacTryCnt CnC Style",
        "Checkin Win32/Fosniw CnC Checkin Style 2 Win32/Adware.iBryte.BO",
        "CnC Activity W32/SpeedingUpMyPC.Rootkit Install",
        "CnC Beacon Win32/InstallCore Initial Install Activity 2",
        "track.aptitudemedia.co/redirect?target=BASE64aHR0cDovL3RyYWNrLmNxcXNmLmNvbS9hZmZfYz9vZmZlcl9pZD0zNDI3JmFmZl9pZD0yNDM4NyZzb3VyY2U9OTI0MzhmOTktOGM5Yi00ODBjLWJjN2ItZGRiYzc2NDRhMjI3JmFmZl9zdWI9d001T0gxUUtVNzk5MUJUS0hDUklMSjhL"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Win.Malware.Generickdz-9918324-0",
          "display_name": "Win.Malware.Generickdz-9918324-0",
          "target": null
        },
        {
          "id": "Trojan:Win32/Mydoom",
          "display_name": "Trojan:Win32/Mydoom",
          "target": "/malware/Trojan:Win32/Mydoom"
        },
        {
          "id": "ALF:HeraklezEval:PUA:Win32/InstallCore.R",
          "display_name": "ALF:HeraklezEval:PUA:Win32/InstallCore.R",
          "target": null
        },
        {
          "id": "Win.Trojan.Generic-9909777-0",
          "display_name": "Win.Trojan.Generic-9909777-0",
          "target": null
        },
        {
          "id": "Win.Malware.Installcore-9794583-0",
          "display_name": "Win.Malware.Installcore-9794583-0",
          "target": null
        },
        {
          "id": "Ransom:Win32/WannaCrypt.H",
          "display_name": "Ransom:Win32/WannaCrypt.H",
          "target": "/malware/Ransom:Win32/WannaCrypt.H"
        },
        {
          "id": "Win.Dropper.DarkKomet-9370806-0",
          "display_name": "Win.Dropper.DarkKomet-9370806-0",
          "target": null
        },
        {
          "id": "Win.Malware.Generic-9963787-0",
          "display_name": "Win.Malware.Generic-9963787-0",
          "target": null
        },
        {
          "id": "Win.Trojan.Generic-9909777-0 #LowFi:HSTR:OptimumInstaller",
          "display_name": "Win.Trojan.Generic-9909777-0 #LowFi:HSTR:OptimumInstaller",
          "target": null
        },
        {
          "id": "Win.Malware.Mydoom-6804696-0\tWorm:Win32/Mydoom Win.Malware.Mydoom-6804696-0\tWorm:Win32/Mydoom Sep 18, 2023\t0d35f0736ce0f4d24c31ec3e940ffb1378d3151d7038a859819d2640cab30da1\t\t\t\t#LowFi:HSTR:OptimumInstal",
          "display_name": "Win.Malware.Mydoom-6804696-0\tWorm:Win32/Mydoom Win.Malware.Mydoom-6804696-0\tWorm:Win32/Mydoom Sep 18, 2023\t0d35f0736ce0f4d24c31ec3e940ffb1378d3151d7038a859819d2640cab30da1\t\t\t\t#LowFi:HSTR:OptimumInstal",
          "target": null
        },
        {
          "id": "Tags",
          "display_name": "Tags",
          "target": null
        },
        {
          "id": "Winsoft",
          "display_name": "Winsoft",
          "target": null
        },
        {
          "id": "Checkin",
          "display_name": "Checkin",
          "target": null
        },
        {
          "id": "CoolWebService",
          "display_name": "CoolWebService",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1048",
          "name": "Exfiltration Over Alternative Protocol",
          "display_name": "T1048 - Exfiltration Over Alternative Protocol"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1069",
          "name": "Permission Groups Discovery",
          "display_name": "T1069 - Permission Groups Discovery"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1189",
          "name": "Drive-by Compromise",
          "display_name": "T1189 - Drive-by Compromise"
        },
        {
          "id": "T1204",
          "name": "User Execution",
          "display_name": "T1204 - User Execution"
        },
        {
          "id": "T1480",
          "name": "Execution Guardrails",
          "display_name": "T1480 - Execution Guardrails"
        },
        {
          "id": "T1553",
          "name": "Subvert Trust Controls",
          "display_name": "T1553 - Subvert Trust Controls"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1568",
          "name": "Dynamic Resolution",
          "display_name": "T1568 - Dynamic Resolution"
        },
        {
          "id": "T1583",
          "name": "Acquire Infrastructure",
          "display_name": "T1583 - Acquire Infrastructure"
        },
        {
          "id": "T1071.004",
          "name": "DNS",
          "display_name": "T1071.004 - DNS"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        },
        {
          "id": "T1583.001",
          "name": "Domains",
          "display_name": "T1583.001 - Domains"
        },
        {
          "id": "T1566.002",
          "name": "Spearphishing Link",
          "display_name": "T1566.002 - Spearphishing Link"
        },
        {
          "id": "T1059.007",
          "name": "JavaScript",
          "display_name": "T1059.007 - JavaScript"
        },
        {
          "id": "T1553.002",
          "name": "Code Signing",
          "display_name": "T1553.002 - Code Signing"
        },
        {
          "id": "T1069.002",
          "name": "Domain Groups",
          "display_name": "T1069.002 - Domain Groups"
        },
        {
          "id": "T1568.002",
          "name": "Domain Generation Algorithms",
          "display_name": "T1568.002 - Domain Generation Algorithms"
        },
        {
          "id": "T1048.003",
          "name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol",
          "display_name": "T1048.003 - Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol"
        },
        {
          "id": "T1113",
          "name": "Screen Capture",
          "display_name": "T1113 - Screen Capture"
        },
        {
          "id": "T1583.005",
          "name": "Botnet",
          "display_name": "T1583.005 - Botnet"
        },
        {
          "id": "T1045",
          "name": "Software Packing",
          "display_name": "T1045 - Software Packing"
        },
        {
          "id": "T1060",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1060 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1449",
          "name": "Exploit SS7 to Redirect Phone Calls/SMS",
          "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
        },
        {
          "id": "T1185",
          "name": "Man in the Browser",
          "display_name": "T1185 - Man in the Browser"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": "69c41ac489f8cd00a59ef43e",
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Q.Vashti",
        "id": "337942",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "IPv4": 1541,
        "URL": 2403,
        "domain": 328,
        "hostname": 593,
        "FileHash-MD5": 142,
        "FileHash-SHA1": 176,
        "FileHash-SHA256": 574,
        "email": 3,
        "SSLCertFingerprint": 10
      },
      "indicator_count": 5770,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 138,
      "modified_text": "24 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69c41ac489f8cd00a59ef43e",
      "name": "CoolWebService -Browser Hijack | Affects DropBox and other services | Checkin",
      "description": "CoolWebService -Browser Hijack | Affects DropBox and other services | Checkin | Tracking \n| Search Engine Installer \n#pegasus_related",
      "modified": "2026-03-25T17:26:28.750000",
      "created": "2026-03-25T17:26:28.750000",
      "tags": [
        "lowfi",
        "ransom",
        "trojan",
        "mtb oct",
        "win32",
        "kingwe",
        "files",
        "files ip",
        "all ipv4",
        "america flag",
        "United States",
        "win32mydoom",
        "otx logo",
        "urls",
        "reverse dns",
        "cnc style",
        "cnc checkin",
        "style",
        "install cnc",
        "initial install",
        "activity",
        "win32mydoom sep",
        "worm",
        "win32mydoom oct",
        "win32getnow oct",
        "unknown ns",
        "search",
        "browser",
        "hijackers",
        "file format",
        "malwarerid",
        "majauskas",
        "google",
        "report",
        "once",
        "malicious",
        "malware",
        "overview ip",
        "address",
        "asn as46475",
        "nameservers",
        "related tags",
        "spf record",
        "tags",
        "domain",
        "name",
        "query time",
        "cyprus update",
        "united states",
        "browser hijacker",
        "install",
        "handle",
        "entity",
        "key identifier",
        "x509v3 subject",
        "host name",
        "data",
        "v3 serial",
        "number",
        "cus olet",
        "encrypt cnr12",
        "ttl value",
        "thumbprint",
        "enabled",
        "malvertising",
        "encoded_htm!",
        "new_domain",
        "suspicious_redirect",
        "proximity",
        "tracking_infrastructure",
        "passive dns",
        "http",
        "ip address",
        "related nids",
        "files location",
        "checkin worm",
        "mydoom checkin",
        "useragent",
        "checkin cnc",
        "acti cnc",
        "beac track",
        "failed\u0661\u0668",
        "data upload",
        "extraction",
        "winsoft",
        "checkin",
        "learn",
        "ck id",
        "name tactics",
        "suspicious",
        "informative",
        "command",
        "adversaries",
        "javascript",
        "defense evasion",
        "spawns",
        "over",
        "mitre att",
        "show technique",
        "ck matrix",
        "ascii text",
        "body",
        "title",
        "encrypt",
        "refresh",
        "hybrid",
        "general",
        "local",
        "path",
        "click",
        "strings",
        "dynamicloader",
        "medium",
        "high",
        "et exploit",
        "write c",
        "default",
        "probe ms17010",
        "write",
        "copy",
        "pegasus related"
      ],
      "references": [
        "coolwebsearch.info | browser hijacker, malware , malicious",
        "Winsoft.E Checkin 3 Trojan.Generic.KDV.91800 Checkin PUP Win32/GetNow.B",
        "Checkin Worm.Mydoom Checkin User-Agent (explwer) Win32/Fosniw MacTryCnt CnC Style",
        "Checkin Win32/Fosniw CnC Checkin Style 2 Win32/Adware.iBryte.BO",
        "CnC Activity W32/SpeedingUpMyPC.Rootkit Install",
        "CnC Beacon Win32/InstallCore Initial Install Activity 2",
        "track.aptitudemedia.co/redirect?target=BASE64aHR0cDovL3RyYWNrLmNxcXNmLmNvbS9hZmZfYz9vZmZlcl9pZD0zNDI3JmFmZl9pZD0yNDM4NyZzb3VyY2U9OTI0MzhmOTktOGM5Yi00ODBjLWJjN2ItZGRiYzc2NDRhMjI3JmFmZl9zdWI9d001T0gxUUtVNzk5MUJUS0hDUklMSjhL"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Win.Malware.Generickdz-9918324-0",
          "display_name": "Win.Malware.Generickdz-9918324-0",
          "target": null
        },
        {
          "id": "Trojan:Win32/Mydoom",
          "display_name": "Trojan:Win32/Mydoom",
          "target": "/malware/Trojan:Win32/Mydoom"
        },
        {
          "id": "ALF:HeraklezEval:PUA:Win32/InstallCore.R",
          "display_name": "ALF:HeraklezEval:PUA:Win32/InstallCore.R",
          "target": null
        },
        {
          "id": "Win.Trojan.Generic-9909777-0",
          "display_name": "Win.Trojan.Generic-9909777-0",
          "target": null
        },
        {
          "id": "Win.Malware.Installcore-9794583-0",
          "display_name": "Win.Malware.Installcore-9794583-0",
          "target": null
        },
        {
          "id": "Ransom:Win32/WannaCrypt.H",
          "display_name": "Ransom:Win32/WannaCrypt.H",
          "target": "/malware/Ransom:Win32/WannaCrypt.H"
        },
        {
          "id": "Win.Dropper.DarkKomet-9370806-0",
          "display_name": "Win.Dropper.DarkKomet-9370806-0",
          "target": null
        },
        {
          "id": "Win.Malware.Generic-9963787-0",
          "display_name": "Win.Malware.Generic-9963787-0",
          "target": null
        },
        {
          "id": "Win.Trojan.Generic-9909777-0 #LowFi:HSTR:OptimumInstaller",
          "display_name": "Win.Trojan.Generic-9909777-0 #LowFi:HSTR:OptimumInstaller",
          "target": null
        },
        {
          "id": "Win.Malware.Mydoom-6804696-0\tWorm:Win32/Mydoom Win.Malware.Mydoom-6804696-0\tWorm:Win32/Mydoom Sep 18, 2023\t0d35f0736ce0f4d24c31ec3e940ffb1378d3151d7038a859819d2640cab30da1\t\t\t\t#LowFi:HSTR:OptimumInstal",
          "display_name": "Win.Malware.Mydoom-6804696-0\tWorm:Win32/Mydoom Win.Malware.Mydoom-6804696-0\tWorm:Win32/Mydoom Sep 18, 2023\t0d35f0736ce0f4d24c31ec3e940ffb1378d3151d7038a859819d2640cab30da1\t\t\t\t#LowFi:HSTR:OptimumInstal",
          "target": null
        },
        {
          "id": "Tags",
          "display_name": "Tags",
          "target": null
        },
        {
          "id": "Winsoft",
          "display_name": "Winsoft",
          "target": null
        },
        {
          "id": "Checkin",
          "display_name": "Checkin",
          "target": null
        },
        {
          "id": "CoolWebService",
          "display_name": "CoolWebService",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1048",
          "name": "Exfiltration Over Alternative Protocol",
          "display_name": "T1048 - Exfiltration Over Alternative Protocol"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1069",
          "name": "Permission Groups Discovery",
          "display_name": "T1069 - Permission Groups Discovery"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1189",
          "name": "Drive-by Compromise",
          "display_name": "T1189 - Drive-by Compromise"
        },
        {
          "id": "T1204",
          "name": "User Execution",
          "display_name": "T1204 - User Execution"
        },
        {
          "id": "T1480",
          "name": "Execution Guardrails",
          "display_name": "T1480 - Execution Guardrails"
        },
        {
          "id": "T1553",
          "name": "Subvert Trust Controls",
          "display_name": "T1553 - Subvert Trust Controls"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1568",
          "name": "Dynamic Resolution",
          "display_name": "T1568 - Dynamic Resolution"
        },
        {
          "id": "T1583",
          "name": "Acquire Infrastructure",
          "display_name": "T1583 - Acquire Infrastructure"
        },
        {
          "id": "T1071.004",
          "name": "DNS",
          "display_name": "T1071.004 - DNS"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        },
        {
          "id": "T1583.001",
          "name": "Domains",
          "display_name": "T1583.001 - Domains"
        },
        {
          "id": "T1566.002",
          "name": "Spearphishing Link",
          "display_name": "T1566.002 - Spearphishing Link"
        },
        {
          "id": "T1059.007",
          "name": "JavaScript",
          "display_name": "T1059.007 - JavaScript"
        },
        {
          "id": "T1553.002",
          "name": "Code Signing",
          "display_name": "T1553.002 - Code Signing"
        },
        {
          "id": "T1069.002",
          "name": "Domain Groups",
          "display_name": "T1069.002 - Domain Groups"
        },
        {
          "id": "T1568.002",
          "name": "Domain Generation Algorithms",
          "display_name": "T1568.002 - Domain Generation Algorithms"
        },
        {
          "id": "T1048.003",
          "name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol",
          "display_name": "T1048.003 - Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol"
        },
        {
          "id": "T1113",
          "name": "Screen Capture",
          "display_name": "T1113 - Screen Capture"
        },
        {
          "id": "T1583.005",
          "name": "Botnet",
          "display_name": "T1583.005 - Botnet"
        },
        {
          "id": "T1045",
          "name": "Software Packing",
          "display_name": "T1045 - Software Packing"
        },
        {
          "id": "T1060",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1060 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1449",
          "name": "Exploit SS7 to Redirect Phone Calls/SMS",
          "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
        },
        {
          "id": "T1185",
          "name": "Man in the Browser",
          "display_name": "T1185 - Man in the Browser"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Q.Vashti",
        "id": "337942",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "IPv4": 1541,
        "URL": 2403,
        "domain": 328,
        "hostname": 593,
        "FileHash-MD5": 142,
        "FileHash-SHA1": 176,
        "FileHash-SHA256": 574,
        "email": 3,
        "SSLCertFingerprint": 10
      },
      "indicator_count": 5770,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 138,
      "modified_text": "25 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "68ec0870475174302c733fa2",
      "name": "Cyber Crime - Emotet | Tofsee CnC | Targeting \u2022  Streaming \u2022 Stealing",
      "description": "I\u2019ve heard of mortis.com from a target. It was heavily suggested on targets YouTube homepage. I hadn\u2019t had thought to research link until Friday.\n\n Doing my due diligence I\u2019ve been viewing potential issues targets family member/s may be and his having with technology.\n\nSmart TV is completely hacked. playlist tampering , heavy downloading daily  when TV is on , off or unplugged. \n I watched this TV monitored data volume , noted    continued suggestions for Mortis.com , \ntouted  . Obviously, a threat. YouTuber warns not go in and no one can get in which is insanely stupid.  OTX issues,. Several pulse attempts later ,  constant refreshing and deleting of IoC this is all what remains. Streaming services, webcams and multiple labeled rooms. I have no idea the point of  death threats especially since God can mow anyone down. Who promised you another breath? Target seems to be  the only person targeted. Multiple Foundry , PayPal  Palantir\nLinks , Boeing, JetBlue Twitter , Apple loading issues.",
      "modified": "2025-11-11T04:02:27.091000",
      "created": "2025-10-12T19:58:40.472000",
      "tags": [
        "url https",
        "indicator role",
        "active related",
        "united",
        "ip address",
        "unknown ns",
        "x82xd4",
        "x86xd3",
        "xa1xf1",
        "xe8xc2x14",
        "win32tofsee",
        "trojan",
        "win32tofsee att",
        "ck ids",
        "t1096",
        "ntfs file",
        "service",
        "united kingdom",
        "germany",
        "netherlands",
        "mortis.com",
        "dead",
        "death",
        "foundry",
        "paypal",
        "home visitor",
        "psalms 37",
        "trojan",
        "emotet",
        "boeing",
        "apple",
        "streaming",
        "kryptik",
        "myundeadneighbor",
        "windstream communications llc",
        "command",
        "tofsee",
        "kx81xdbx0f",
        "wx99xcdx11",
        "stream",
        "write",
        "malware",
        "tsara brashears",
        "regsetvalueexa",
        "malware",
        "win32",
        "persistence",
        "execution",
        "push",
        "shellexecuteexw",
        "windows",
        "botnet",
        "backdoor",
        "writeconsolew",
        "displayname",
        "sddl",
        "hash",
        "ip address",
        "ssl certificate",
        "spawns",
        "initial access",
        "adversaries",
        "name tactics",
        "t1031",
        "registry",
        "dock",
        "suspicious",
        "learn",
        "phishing att",
        "infection",
        "commandand_and_control",
        "informative",
        "jetblue",
        "porn",
        "keylogger",
        "remote keylogger",
        "parklogic",
        "parking crew",
        "park pages",
        "cyber crime",
        "data brokers",
        "info stealers",
        "password",
        "masquerading",
        "discord",
        "sophisticated",
        "dga domains",
        "pit",
        "rotor",
        "hello",
        "targeting",
        "games"
      ],
      "references": [
        "mortis.com",
        "I unintentionally made the first pulse Public.",
        "Stalker/Lurker?http://myundeadneighbor.com | Parking Crews | Parklogic",
        "assassinationmarkets.com",
        "https://id.security.trackid",
        "https://id.security.trackid.piwikb7c1867dd7ba9c57.2ce7e2c4000f72e3204af57fac31aafd.mailingmarketing.net/",
        "https://id.login.update.ssl.encryption-6159368de39251d7a-login.id.security.trackid.piwikb7c1867dd7ba9c57.e988d676bdb63f3b4dbcdc53578a9b26.mailingmarketing.net/",
        "Hmm, cyber criminals use parking pages for malvertizing malicious content & intent  , reputation content, etc",
        "https://www.gov.pl/attachment/65dfce94-31f9-4523-8d3b-89df3d4c5f75"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "Trojan:Win32/Emotet.PC!MTB",
          "display_name": "Trojan:Win32/Emotet.PC!MTB",
          "target": "/malware/Trojan:Win32/Emotet.PC!MTB"
        },
        {
          "id": "Trojan:Win32/Emotet.KDS!MTB",
          "display_name": "Trojan:Win32/Emotet.KDS!MTB",
          "target": "/malware/Trojan:Win32/Emotet.KDS!MTB"
        },
        {
          "id": "Backdoor:Win32/Tofsee.T",
          "display_name": "Backdoor:Win32/Tofsee.T",
          "target": "/malware/Backdoor:Win32/Tofsee.T"
        },
        {
          "id": "Win.Malware.Tofsee-6880878-0",
          "display_name": "Win.Malware.Tofsee-6880878-0",
          "target": null
        },
        {
          "id": "Tofsee",
          "display_name": "Tofsee",
          "target": null
        },
        {
          "id": "Win32:Kryptik-PLL",
          "display_name": "Win32:Kryptik-PLL",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1031",
          "name": "Modify Existing Service",
          "display_name": "T1031 - Modify Existing Service"
        },
        {
          "id": "T1045",
          "name": "Software Packing",
          "display_name": "T1045 - Software Packing"
        },
        {
          "id": "T1053",
          "name": "Scheduled Task/Job",
          "display_name": "T1053 - Scheduled Task/Job"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1060",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1060 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1069",
          "name": "Permission Groups Discovery",
          "display_name": "T1069 - Permission Groups Discovery"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1096",
          "name": "NTFS File Attributes",
          "display_name": "T1096 - NTFS File Attributes"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1112",
          "name": "Modify Registry",
          "display_name": "T1112 - Modify Registry"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1143",
          "name": "Hidden Window",
          "display_name": "T1143 - Hidden Window"
        },
        {
          "id": "T1480",
          "name": "Execution Guardrails",
          "display_name": "T1480 - Execution Guardrails"
        },
        {
          "id": "T1553",
          "name": "Subvert Trust Controls",
          "display_name": "T1553 - Subvert Trust Controls"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1583",
          "name": "Acquire Infrastructure",
          "display_name": "T1583 - Acquire Infrastructure"
        },
        {
          "id": "TA0011",
          "name": "Command and Control",
          "display_name": "TA0011 - Command and Control"
        },
        {
          "id": "T1210",
          "name": "Exploitation of Remote Services",
          "display_name": "T1210 - Exploitation of Remote Services"
        },
        {
          "id": "T1068",
          "name": "Exploitation for Privilege Escalation",
          "display_name": "T1068 - Exploitation for Privilege Escalation"
        },
        {
          "id": "T1583.005",
          "name": "Botnet",
          "display_name": "T1583.005 - Botnet"
        },
        {
          "id": "T1056.001",
          "name": "Keylogging",
          "display_name": "T1056.001 - Keylogging"
        },
        {
          "id": "T1003.008",
          "name": "/etc/passwd and /etc/shadow",
          "display_name": "T1003.008 - /etc/passwd and /etc/shadow"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 11,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Q.Vashti",
        "id": "337942",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 2407,
        "domain": 2321,
        "hostname": 983,
        "FileHash-SHA256": 3035,
        "FileHash-MD5": 228,
        "FileHash-SHA1": 231,
        "email": 1,
        "FilePath": 3
      },
      "indicator_count": 9209,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 140,
      "modified_text": "159 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "skylineceiling.ph",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "skylineceiling.ph",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1776619772.191784
}