{
  "type": "Domain",
  "indicator": "srcaccess.net",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/srcaccess.net",
    "alexa": "http://www.alexa.com/siteinfo/srcaccess.net",
    "indicator": "srcaccess.net",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 3782398148,
      "indicator": "srcaccess.net",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 11,
      "pulses": [
        {
          "id": "69f30ef4033560d49d39ac55",
          "name": "VirusTotal report\n                    for executable.exe",
          "description": "[security firm has developed a tool that can automatically identify a Wi-Fi password and make it easy to access it via the net. and use it to create a secure log-in system.] <remote, .net, failed cryptographic validation chains cause this.",
          "modified": "2026-05-30T09:04:01.553000",
          "created": "2026-04-30T08:12:36.771000",
          "tags": [
            "wifi password",
            "joe security",
            "nextron",
            "new run",
            "key pointing",
            "run key",
            "roth",
            "markus neis",
            "sander wiebing",
            "poudel",
            "public",
            "appdata"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1005",
              "name": "Data from Local System",
              "display_name": "T1005 - Data from Local System"
            },
            {
              "id": "T1010",
              "name": "Application Window Discovery",
              "display_name": "T1010 - Application Window Discovery"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1218",
              "name": "Signed Binary Proxy Execution",
              "display_name": "T1218 - Signed Binary Proxy Execution"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1552",
              "name": "Unsecured Credentials",
              "display_name": "T1552 - Unsecured Credentials"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 1069,
            "FileHash-SHA1": 868,
            "FileHash-SHA256": 2783,
            "URL": 764,
            "hostname": 756,
            "domain": 293,
            "email": 44,
            "CVE": 44
          },
          "indicator_count": 6621,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 67,
          "modified_text": "1 day ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69efc567ae24b8285a71099d",
          "name": "Enemy of the State: Order in the Court \u2022 Part 4 - World Media",
          "description": "Critical, out of control targeting. Suspected Pegasus related campaign seen in State of Colorado court and Hospital systems+++. The answer is NO. The crime victim / survivor was never going to be given a chance to bring forward a case of any type of. Silenced. Not allowed to pursue justice. Car accident. No. Robbed. No Assault. No. Either the State is heavily involved or systems are manipulated by adversaries.\n\nCVE found more than a year ago, Original OTX researchers Pulses not found.\nCVE Overview:\nIn affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance.",
          "modified": "2026-05-27T18:05:26.880000",
          "created": "2026-04-27T20:21:59.824000",
          "tags": [
            "wifi id",
            "april",
            "extraction",
            "enter sc",
            "type ol",
            "data upload",
            "extra",
            "referen",
            "wifi data",
            "wifi",
            "ntgraph xe",
            "dynamicloader",
            "high",
            "port",
            "a8 f0",
            "c0 a0",
            "c4 d8",
            "a4 c4",
            "cache",
            "yara rule",
            "write",
            "music",
            "explorer",
            "guard",
            "tracker",
            "media",
            "default",
            "file",
            "id login",
            "mwdb",
            "bazaar",
            "sha3384",
            "ssdeep",
            "xport",
            "accept",
            "agent",
            "shutdown",
            "pe file",
            "network info",
            "sample",
            "aslr",
            "program",
            "mitre attack",
            "processes extra",
            "overview zenbox",
            "verdict",
            "iocs",
            "extra data",
            "included iocs",
            "indicator",
            "review iocs",
            "find",
            "dr wifi",
            "include review",
            "exclude sugges",
            "find s",
            "failed",
            "typ url",
            "registrant name",
            "all domain",
            "passive dns",
            "urls",
            "files",
            "access",
            "all ipv4",
            "america flag",
            "des moines",
            "level",
            "zeppelin",
            "domain add",
            "united states",
            "active",
            "msie",
            "windows nt",
            "united",
            "search",
            "medium",
            "as16509",
            "unknown",
            "upatre",
            "malware",
            "next",
            "ip address",
            "pty ltd",
            "url analysis",
            "trojan",
            "write c",
            "suspicious",
            "tt tr",
            "ultradns client",
            "service",
            "name servers",
            "emails",
            "world media",
            "contacted",
            "post",
            "u001b4nu0017",
            "powershell",
            "sc data",
            "type",
            "enter",
            "data",
            "cre pul",
            "enric",
            "extraction data",
            "denver courts",
            "hacking",
            "mitm_attacks",
            "injustice",
            "tracking",
            "ai",
            "ee fc",
            "ff d5",
            "domain",
            "australia",
            "files ip",
            "script script",
            "set cookie",
            "cookie",
            "related pulses",
            "learn",
            "ck id",
            "name tactics",
            "informative",
            "adversaries",
            "command",
            "defense evasion",
            "spawns",
            "javascript",
            "ascii text",
            "pattern match",
            "mitre att",
            "null",
            "refresh",
            "span",
            "hybrid",
            "general",
            "local",
            "path",
            "click",
            "strings",
            "error",
            "tools",
            "title",
            "look",
            "verify",
            "restart",
            "australia asn",
            "as9714 vocus",
            "body",
            "certificate",
            "present may",
            "japan unknown",
            "a domains",
            "value",
            "content type",
            "location japan",
            "shibuya",
            "japan asn",
            "as2497 internet",
            "dns resolutions",
            "domains top",
            "united states",
            "ipv4",
            "targeting",
            "tsara brashears",
            "state colorado",
            "critical",
            "pornhub",
            "tulach",
            "sabey",
            "poleass",
            "foundrypalantir",
            "pegasus",
            "state",
            "quasi",
            "shhh",
            "denver",
            "dougco",
            "jeffrey reimer",
            "reimer gropes",
            "christopher ahmann",
            "workers compensation",
            "commerce industry",
            "aig",
            "industry commerce",
            "confluence"
          ],
          "references": [
            "[DR] Wifi ID Login v1.3 [03 April 2014].exe",
            "7d10881f146e0d4659948a3555b1eee33950647a3c830978d26f2c8e88d2a90a",
            "bell.ca",
            "indonesiawifi.net \u2022 http://welcome.indonesiawifi.net/wifi.id/speedy/?switch_url=http",
            "https://welcome.indonesiawifi.net/wifi.id/flexizone",
            "SLF:MSIL/PSTAnomaly.A  SHA1 826d75e406808e3f002cb2b6da09003f78d612a1 [winPEAS.exe] SQLite.Interop.pdb",
            "A target pursued post criminal assault on Pinnacol Assuranve insured premises",
            "https://tms.lingyiitech.com/ELSServer_LYZZ/ \u2022 https://oa.lingyiitech.com/login.jsp",
            "IDS Detections: Backdoor.Win32.Pushdo.s Checkin Observed DNS Query to .biz TLD",
            "IDS Detections: HTTP Request to a *.tw domain 403 Forbiddenau ...",
            "Yara Detections: PWSWin32Kegotip ,  VirusWin32Gogo ,  VirusWin32Hala ,  VirusWin32Wholdor",
            "Alerts: behavior_upatre multiple_useragents persistence_autorun network_icmp dead_connect",
            "Alerts:static_pe_anomaly suricata_alert antisandbox_sleep  dynamic_function_loading",
            "Alerts: http_request network_cnc_http network_http packer_entropy injection_rwx",
            "Alerts: antidebug_setunhandledexceptionfilter antivm_network_adapters",
            "IP\u2019s Contacted: 143.204.237.45  58.138.175.188  65.38.128.10  147.21.128.26  78.41.204.31  132.148.77.44",
            "IP\u2019s Contacted: 185.104.29.148  92.122.107.204  139.76.134.15  184.150.211.195",
            "Domains Contacted: 0handicap.at accountingtechs.biz 4dbenelux.be accountant.com knology.net",
            "Domains Contacted: badactor.us revasal.com yahoo.se excite.fr primus.com.au",
            "Backdoor.Win32.Pushdo.s Checkin",
            "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian \u2018nonsense Denver County Courts)",
            "Name Servers PDNS1.ULTRADNS.NET Org",
            "World Media Group, LLC Address 90 lrojanbownloader.vns. Washington Valley Rd., #",
            "https://otx.alienvault.com/indicator/cve/CVE-2022-26134",
            "Phishing: http://gravityboard.com/?ptrxcz_quy147AEHKNQUXadgkorvy158BFILO",
            "Created Pulses: NSO Group [Unnamed group] Unnamed group pi, pdfkit.net State of Colorado",
            "CVE-2022-26134\t Base Severity: Critical | Targeted | NSO Pegasus Relationships suspected",
            "https://www.mirvish.com/shows/come-from-away&geo=ca&merchantid=407759&useragent=Mozilla/5.0 (Linux; Android 13; Pixel 4a (5G) Build/TQ2A.230505.002; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/112.0.5615.136 Mobile Safari/537.36 GoogleApp/14.16.27.29.arm64 AppEngine-Google; (+ No Expiration",
            "Apple Cons: https://stetsed.xyz/apple \u2022 https://www.collierhonorflight.org/apple-touch-icon.png",
            "nr-data.net \u2022 https://www.sandoll.co.kr/AppleSDGothicNeo \u2022 aka.ms",
            "CVE-2022-26134 \u2022 CVSS V3 Severity ATTACK COMPLEXITY: LOW ATTACK VECTOR: NETWORK AVAILABILITY",
            "IMPACT: HIGH BASE SCORE: 9.8 BASE SEVERITY: CRITICAL CONFIDENTIALITY IMPACT: HIGH INTEGRITY IMPACT: HIGH",
            "CVE-2022-26134 \u2022  PRIVILEGES REQUIRED: NONE"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "SLF:MSIL/PSTAnomaly.A",
              "display_name": "SLF:MSIL/PSTAnomaly.A",
              "target": "/malware/SLF:MSIL/PSTAnomaly.A"
            },
            {
              "id": "Win.Trojan.Pushdo-20",
              "display_name": "Win.Trojan.Pushdo-20",
              "target": null
            },
            {
              "id": "TrojanDownloader:Win32/Cutwail.BS",
              "display_name": "TrojanDownloader:Win32/Cutwail.BS",
              "target": "/malware/TrojanDownloader:Win32/Cutwail.BS"
            },
            {
              "id": "TrojanDownloader:Win32/Cutwail.BV",
              "display_name": "TrojanDownloader:Win32/Cutwail.BV",
              "target": "/malware/TrojanDownloader:Win32/Cutwail.BV"
            },
            {
              "id": "World Media",
              "display_name": "World Media",
              "target": null
            },
            {
              "id": "CVE-2022-26134",
              "display_name": "CVE-2022-26134",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1045",
              "name": "Software Packing",
              "display_name": "T1045 - Software Packing"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1069",
              "name": "Permission Groups Discovery",
              "display_name": "T1069 - Permission Groups Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1480",
              "name": "Execution Guardrails",
              "display_name": "T1480 - Execution Guardrails"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1560",
              "name": "Archive Collected Data",
              "display_name": "T1560 - Archive Collected Data"
            },
            {
              "id": "T1553.002",
              "name": "Code Signing",
              "display_name": "T1553.002 - Code Signing"
            },
            {
              "id": "T1069.002",
              "name": "Domain Groups",
              "display_name": "T1069.002 - Domain Groups"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            }
          ],
          "industries": [
            "Government",
            "Legal",
            "Judicial",
            "Technology",
            "Telecommunications"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 1037,
            "hostname": 865,
            "domain": 685,
            "URL": 2224,
            "FileHash-MD5": 131,
            "FileHash-SHA1": 94,
            "CVE": 1,
            "email": 8,
            "SSLCertFingerprint": 6
          },
          "indicator_count": 5051,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 143,
          "modified_text": "3 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69efc7a6778f84c179d27073",
          "name": "Credit Q.Vashti - Cloned Pulse [\"Enemy of the State: Order in the Court\"]",
          "description": "",
          "modified": "2026-05-27T18:05:26.880000",
          "created": "2026-04-27T20:31:34.221000",
          "tags": [
            "wifi id",
            "april",
            "extraction",
            "enter sc",
            "type ol",
            "data upload",
            "extra",
            "referen",
            "wifi data",
            "wifi",
            "ntgraph xe",
            "dynamicloader",
            "high",
            "port",
            "a8 f0",
            "c0 a0",
            "c4 d8",
            "a4 c4",
            "cache",
            "yara rule",
            "write",
            "music",
            "explorer",
            "guard",
            "tracker",
            "media",
            "default",
            "file",
            "id login",
            "mwdb",
            "bazaar",
            "sha3384",
            "ssdeep",
            "xport",
            "accept",
            "agent",
            "shutdown",
            "pe file",
            "network info",
            "sample",
            "aslr",
            "program",
            "mitre attack",
            "processes extra",
            "overview zenbox",
            "verdict",
            "iocs",
            "extra data",
            "included iocs",
            "indicator",
            "review iocs",
            "find",
            "dr wifi",
            "include review",
            "exclude sugges",
            "find s",
            "failed",
            "typ url",
            "registrant name",
            "all domain",
            "passive dns",
            "urls",
            "files",
            "access",
            "all ipv4",
            "america flag",
            "des moines",
            "level",
            "zeppelin",
            "domain add",
            "united states",
            "active",
            "msie",
            "windows nt",
            "united",
            "search",
            "medium",
            "as16509",
            "unknown",
            "upatre",
            "malware",
            "next",
            "ip address",
            "pty ltd",
            "url analysis",
            "trojan",
            "write c",
            "suspicious",
            "tt tr",
            "ultradns client",
            "service",
            "name servers",
            "emails",
            "world media",
            "contacted",
            "post",
            "u001b4nu0017",
            "powershell",
            "sc data",
            "type",
            "enter",
            "data",
            "cre pul",
            "enric",
            "extraction data",
            "denver courts",
            "hacking",
            "mitm_attacks",
            "injustice",
            "tracking",
            "ai",
            "ee fc",
            "ff d5",
            "domain",
            "australia",
            "files ip",
            "script script",
            "set cookie",
            "cookie",
            "related pulses",
            "learn",
            "ck id",
            "name tactics",
            "informative",
            "adversaries",
            "command",
            "defense evasion",
            "spawns",
            "javascript",
            "ascii text",
            "pattern match",
            "mitre att",
            "null",
            "refresh",
            "span",
            "hybrid",
            "general",
            "local",
            "path",
            "click",
            "strings",
            "error",
            "tools",
            "title",
            "look",
            "verify",
            "restart",
            "australia asn",
            "as9714 vocus",
            "body",
            "certificate",
            "present may",
            "japan unknown",
            "a domains",
            "value",
            "content type",
            "location japan",
            "shibuya",
            "japan asn",
            "as2497 internet",
            "dns resolutions",
            "domains top",
            "united states",
            "ipv4",
            "targeting",
            "tsara brashears",
            "state colorado",
            "critical",
            "pornhub",
            "tulach",
            "sabey",
            "poleass",
            "foundrypalantir",
            "pegasus",
            "state",
            "quasi",
            "shhh",
            "denver",
            "dougco",
            "jeffrey reimer",
            "reimer gropes",
            "christopher ahmann",
            "workers compensation",
            "commerce industry",
            "aig",
            "industry commerce",
            "confluence"
          ],
          "references": [
            "[DR] Wifi ID Login v1.3 [03 April 2014].exe",
            "7d10881f146e0d4659948a3555b1eee33950647a3c830978d26f2c8e88d2a90a",
            "bell.ca",
            "indonesiawifi.net \u2022 http://welcome.indonesiawifi.net/wifi.id/speedy/?switch_url=http",
            "https://welcome.indonesiawifi.net/wifi.id/flexizone",
            "SLF:MSIL/PSTAnomaly.A  SHA1 826d75e406808e3f002cb2b6da09003f78d612a1 [winPEAS.exe] SQLite.Interop.pdb",
            "A target pursued post criminal assault on Pinnacol Assuranve insured premises",
            "https://tms.lingyiitech.com/ELSServer_LYZZ/ \u2022 https://oa.lingyiitech.com/login.jsp",
            "IDS Detections: Backdoor.Win32.Pushdo.s Checkin Observed DNS Query to .biz TLD",
            "IDS Detections: HTTP Request to a *.tw domain 403 Forbiddenau ...",
            "Yara Detections: PWSWin32Kegotip ,  VirusWin32Gogo ,  VirusWin32Hala ,  VirusWin32Wholdor",
            "Alerts: behavior_upatre multiple_useragents persistence_autorun network_icmp dead_connect",
            "Alerts:static_pe_anomaly suricata_alert antisandbox_sleep  dynamic_function_loading",
            "Alerts: http_request network_cnc_http network_http packer_entropy injection_rwx",
            "Alerts: antidebug_setunhandledexceptionfilter antivm_network_adapters",
            "IP\u2019s Contacted: 143.204.237.45  58.138.175.188  65.38.128.10  147.21.128.26  78.41.204.31  132.148.77.44",
            "IP\u2019s Contacted: 185.104.29.148  92.122.107.204  139.76.134.15  184.150.211.195",
            "Domains Contacted: 0handicap.at accountingtechs.biz 4dbenelux.be accountant.com knology.net",
            "Domains Contacted: badactor.us revasal.com yahoo.se excite.fr primus.com.au",
            "Backdoor.Win32.Pushdo.s Checkin",
            "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian \u2018nonsense Denver County Courts)",
            "Name Servers PDNS1.ULTRADNS.NET Org",
            "World Media Group, LLC Address 90 lrojanbownloader.vns. Washington Valley Rd., #",
            "https://otx.alienvault.com/indicator/cve/CVE-2022-26134",
            "Phishing: http://gravityboard.com/?ptrxcz_quy147AEHKNQUXadgkorvy158BFILO",
            "Created Pulses: NSO Group [Unnamed group] Unnamed group pi, pdfkit.net State of Colorado",
            "CVE-2022-26134\t Base Severity: Critical | Targeted | NSO Pegasus Relationships suspected",
            "https://www.mirvish.com/shows/come-from-away&geo=ca&merchantid=407759&useragent=Mozilla/5.0 (Linux; Android 13; Pixel 4a (5G) Build/TQ2A.230505.002; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/112.0.5615.136 Mobile Safari/537.36 GoogleApp/14.16.27.29.arm64 AppEngine-Google; (+ No Expiration",
            "Apple Cons: https://stetsed.xyz/apple \u2022 https://www.collierhonorflight.org/apple-touch-icon.png",
            "nr-data.net \u2022 https://www.sandoll.co.kr/AppleSDGothicNeo \u2022 aka.ms",
            "CVE-2022-26134 \u2022 CVSS V3 Severity ATTACK COMPLEXITY: LOW ATTACK VECTOR: NETWORK AVAILABILITY",
            "IMPACT: HIGH BASE SCORE: 9.8 BASE SEVERITY: CRITICAL CONFIDENTIALITY IMPACT: HIGH INTEGRITY IMPACT: HIGH",
            "CVE-2022-26134 \u2022  PRIVILEGES REQUIRED: NONE"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "SLF:MSIL/PSTAnomaly.A",
              "display_name": "SLF:MSIL/PSTAnomaly.A",
              "target": "/malware/SLF:MSIL/PSTAnomaly.A"
            },
            {
              "id": "Win.Trojan.Pushdo-20",
              "display_name": "Win.Trojan.Pushdo-20",
              "target": null
            },
            {
              "id": "TrojanDownloader:Win32/Cutwail.BS",
              "display_name": "TrojanDownloader:Win32/Cutwail.BS",
              "target": "/malware/TrojanDownloader:Win32/Cutwail.BS"
            },
            {
              "id": "TrojanDownloader:Win32/Cutwail.BV",
              "display_name": "TrojanDownloader:Win32/Cutwail.BV",
              "target": "/malware/TrojanDownloader:Win32/Cutwail.BV"
            },
            {
              "id": "World Media",
              "display_name": "World Media",
              "target": null
            },
            {
              "id": "CVE-2022-26134",
              "display_name": "CVE-2022-26134",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1045",
              "name": "Software Packing",
              "display_name": "T1045 - Software Packing"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1069",
              "name": "Permission Groups Discovery",
              "display_name": "T1069 - Permission Groups Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1480",
              "name": "Execution Guardrails",
              "display_name": "T1480 - Execution Guardrails"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1560",
              "name": "Archive Collected Data",
              "display_name": "T1560 - Archive Collected Data"
            },
            {
              "id": "T1553.002",
              "name": "Code Signing",
              "display_name": "T1553.002 - Code Signing"
            },
            {
              "id": "T1069.002",
              "name": "Domain Groups",
              "display_name": "T1069.002 - Domain Groups"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            }
          ],
          "industries": [
            "Government",
            "Legal",
            "Judicial",
            "Technology",
            "Telecommunications"
          ],
          "TLP": "white",
          "cloned_from": "69efc567ae24b8285a71099d",
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 1039,
            "hostname": 868,
            "domain": 687,
            "URL": 2226,
            "FileHash-MD5": 133,
            "FileHash-SHA1": 96,
            "CVE": 1,
            "email": 8,
            "SSLCertFingerprint": 6
          },
          "indicator_count": 5064,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 67,
          "modified_text": "3 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "691e2279ac1ef8b9dbfbc2b3",
          "name": "Mirai \u2022 Neurotox Institute",
          "description": "Found in peripheral. Lazarus. Related tomOperation Endgame. Strangely related to the entertainment industry. \nRelated to treatments facilities where a target I\u2019ve been researching received \u2018care\u2019. Also links to Major Entertainment conglomerate : not surprisingly Hall Render and Foundry.\nPage was stated to expire 11/21 | expired after I was able to capture a live screenshot (not updated for years) \n\n[The Neurotoxin Institute (NTI) is a multidisciplinary organization created to serve as a comprehensive independent source of information related to the basic science and the clinical applications of neurotoxins. The Institute fosters the learning and teaching of both theory and practical techniques, and encourages further research in support of these goals.\nExperimental Biology (EB)\nwww.aapmr.org]",
          "modified": "2025-12-19T19:00:18.927000",
          "created": "2025-11-19T20:03:05.195000",
          "tags": [
            "united",
            "link",
            "virtool",
            "meta",
            "atom",
            "pragma",
            "dynamicloader",
            "msie",
            "windows nt",
            "tls handshake",
            "failure",
            "tlsv1",
            "forbidden",
            "ogoogle trust",
            "encrypt",
            "possible",
            "write",
            "malware",
            "consumed",
            "netherlands",
            "united kingdom",
            "read c",
            "sality",
            "delphi",
            "win32",
            "strings",
            "xserver",
            "post http",
            "post method",
            "cryptexportkey",
            "ocloudflare",
            "cryptgenkey",
            "calgrc4",
            "persistence",
            "execution",
            "div div",
            "script script",
            "span a",
            "a li",
            "unknown ns",
            "span",
            "april",
            "passive dns",
            "hosting",
            "reverse dns",
            "hostname add",
            "files ip",
            "asn as32475",
            "address domain",
            "mirai",
            "united states",
            "facebook",
            "twitter",
            "youtube",
            "ck ids",
            "mh may",
            "t1204 technique",
            "user execution",
            "suggested",
            "port",
            "destination",
            "telnet login",
            "high",
            "tcp syn",
            "infectednight",
            "resolverror",
            "suspicious path",
            "ids detections",
            "yara detections",
            "sinkhole cookie",
            "file score",
            "detections sf",
            "value snkz",
            "forbidden tls",
            "et trojan",
            "value",
            "et info",
            "et",
            "present oct",
            "domain",
            "title",
            "present sep",
            "moved",
            "server",
            "next associated",
            "ipv4 add",
            "urls",
            "files",
            "trojan",
            "cookie",
            "predict70 sep",
            "next http",
            "scans record",
            "forbidden date",
            "gmt content",
            "type",
            "unix",
            "namecheap url",
            "forward elf",
            "md5 add",
            "less see",
            "contacted",
            "pulse pulses",
            "av detections",
            "analysis date",
            "virus",
            "ee fc",
            "unknown",
            "yara rule",
            "ff d5",
            "search",
            "show",
            "suspicious",
            "fbq object",
            "ide value",
            "source level",
            "url text",
            "line",
            "allow attribute",
            "mootools",
            "class function",
            "chain",
            "options",
            "elements",
            "garbage",
            "drag",
            "xhr function",
            "ajax",
            "itemid14",
            "kb image",
            "kb script",
            "b image",
            "b stylesheet",
            "b script",
            "kb stylesheet",
            "stylesheet",
            "redirect chain",
            "path size",
            "type mimetype",
            "resource",
            "general full",
            "montreal",
            "canada",
            "asn16276",
            "debian",
            "url http",
            "hash",
            "main",
            "cookie object",
            "dns any",
            "date",
            "entries",
            "url https",
            "Foundry",
            "Lazarus",
            "Endgame",
            "Neurotoxin Institute",
            "Hall Render",
            "Brian Sabey",
            "UC Health",
            "Britney Spears Official"
          ],
          "references": [
            "https://www.neurotoxininstitute.com/",
            "Backdoor.Win32.Pushdo.s Checkin",
            "IDS Detections: Backdoor.Win32.Pushdo.s Checkin Possible Compromised Host AnubisNetworks",
            "IDS Detections: Sinkhole Cookie Value Snkz 403 Forbidden TLS Handshake Failure",
            "IDS Detections: ET TROJAN Possible Compromised Host AnubisNetworks Sinkhole",
            "IDS Detections: Cookie Value btst ET INFO Namecheap URL Forward",
            "IDS Detections : SUSPICIOUS Path to BusyBox root login TELNET login failed",
            "http://appelfarm.org",
            "IDS Signatures : root login 175.203.174.23 \u2022 192.168.122.52",
            "IDS Signatures :TELNET login failed\t77.66.206.206 \u2022 192.168.122.52",
            "IDS Signatures :  SUSPICIOUS Path to BusyBox\t192.168.122.52\t\u2022 77.66.206.206",
            "Interesting Strings : 13.79.87.163",
            "https://urlscan.io/screenshots/32b0614f-1148-49ea-aed4-4f23afd33e56.png",
            "https://otx.alienvault.com/pulse/68d0f099f60e98e6c4ffc1e5",
            "https://otx.alienvault.com/pulse/68b5e672f492fdc96cf997aa",
            "https://otx.alienvault.com/pulse/68d12dd7e357755235f007e8",
            "https://britneyspears.com/",
            "hallrender.com \u2022  https://hallrender.com/resources/blog/ \u2022 https://urlmail.hallrender.com \u2022 https://urlwww.hallrender.com",
            "https://citrix.hallrender.com/vpn/install/ \u2022  https://citrix.hallrender.com/vpn/install/mac.htm \u2022 https://www.hallrender.com/attorney/brian-sabey/Accept",
            "http://hallrender.com/attorney/brian-sabey \u2022 http://hallrender.com/attorney/brian-sabey/",
            "http://elite.hallrender.com/TE_3E_PROD/web/ui/dashboard/ActionList_CCC",
            "https://elite.hallrender.com \u2022  https://hallrender.com/attorney/gregg-m-wallander/",
            "brian-sabey-anyxxxtube.net \u2022 hallrender.com",
            "dev.hallrender.com \u2022 elite.hallrender.com \u2022 image.marketing.hallrender.com",
            "Now https://urlscan.io/liveshot/?width=1600&height=1200&url=http%3A%2F%2Fwww.neurotoxininstitute.com%2Findex.php%3Foption%5C%3Dcom_content%26view%5C%3Darticle%26id%5C%3D70%26Itemid%5C%3D14",
            "feastfoundry.com\t\u2022 https://www.feastfoundry.com/ \u2022 https://www.feastfoundry.com/mini-apple-pies/"
          ],
          "public": 1,
          "adversary": "Lazarus",
          "targeted_countries": [
            "United States of America",
            "Japan",
            "France",
            "Germany",
            "Canada",
            "Netherlands",
            "United Kingdom of Great Britain and Northern Ireland",
            "New Zealand",
            "Italy",
            "Aruba",
            "Poland",
            "Singapore",
            "T\u00fcrkiye",
            "Indonesia",
            "Spain",
            "Hong Kong"
          ],
          "malware_families": [
            {
              "id": "TrojanDownloader:Win32/Cutwail",
              "display_name": "TrojanDownloader:Win32/Cutwail",
              "target": "/malware/TrojanDownloader:Win32/Cutwail"
            },
            {
              "id": "Netherlands",
              "display_name": "Netherlands",
              "target": null
            },
            {
              "id": "Sality",
              "display_name": "Sality",
              "target": null
            },
            {
              "id": "Virus:Win32/Krepper.30760",
              "display_name": "Virus:Win32/Krepper.30760",
              "target": "/malware/Virus:Win32/Krepper.30760"
            },
            {
              "id": "Mirai",
              "display_name": "Mirai",
              "target": null
            },
            {
              "id": "ALF:HeraklezEval:Backdoor:Linux/Mirai.A!rf",
              "display_name": "ALF:HeraklezEval:Backdoor:Linux/Mirai.A!rf",
              "target": null
            },
            {
              "id": "Suggested",
              "display_name": "Suggested",
              "target": null
            },
            {
              "id": "VirTool:Win32/VBInject.gen!MH",
              "display_name": "VirTool:Win32/VBInject.gen!MH",
              "target": "/malware/VirTool:Win32/VBInject.gen!MH"
            },
            {
              "id": "ET",
              "display_name": "ET",
              "target": null
            },
            {
              "id": "Softcnapp",
              "display_name": "Softcnapp",
              "target": null
            },
            {
              "id": "ALF:RPF:PEATTR_SIGATTR:PREDICT:70",
              "display_name": "ALF:RPF:PEATTR_SIGATTR:PREDICT:70",
              "target": null
            },
            {
              "id": "Win32:Zbot-RUV",
              "display_name": "Win32:Zbot-RUV",
              "target": null
            },
            {
              "id": "Win32:Evo-gen",
              "display_name": "Win32:Evo-gen",
              "target": null
            },
            {
              "id": "Win32:Kryptik",
              "display_name": "Win32:Kryptik",
              "target": null
            },
            {
              "id": "Trojan:Win32/Bulta",
              "display_name": "Trojan:Win32/Bulta",
              "target": "/malware/Trojan:Win32/Bulta"
            }
          ],
          "attack_ids": [
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1040",
              "name": "Network Sniffing",
              "display_name": "T1040 - Network Sniffing"
            },
            {
              "id": "T1045",
              "name": "Software Packing",
              "display_name": "T1045 - Software Packing"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1112",
              "name": "Modify Registry",
              "display_name": "T1112 - Modify Registry"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 10,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 511,
            "hostname": 198,
            "domain": 471,
            "FileHash-SHA256": 1442,
            "FileHash-MD5": 183,
            "FileHash-SHA1": 79,
            "email": 5,
            "SSLCertFingerprint": 63
          },
          "indicator_count": 2952,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 148,
          "modified_text": "162 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "66f100d791f9f9f6ab7b4f24",
          "name": "Cerber \u00bb Charter Communications \u00bb Spectrum Denver",
          "description": "[107.14.73.70] IP address range owned by Charter Communications Inc and located in Denver, Co United States.\n\nTargets & family neighborhood ISP's attacked again.  Internet and targets devices attacked , Internet had to be reset twice by tech teams. Our team was able to track comprises directed towards target and families devices, which they are destroying. Stolen passwords, leaks, forced content, dumping. Both Spectrum &  Quantum fiber positive for malicious activity within targeted devices. Fake iOS update pushed to a device. It comes with an agreement from Apple Singapore, LTD. \n\nMalware Families ,\nBackdoor:Win32/Tofse , \nCerber Ransomware ,\nET.  \nETPRO ,\nInject3.QGY ,\nKelihos ,\nNIDS ,\nNOD32 ,\nSf:ShellCode-AU\\ [Trj] , \nTrojan:Win32/Glupteba ,\nTrojanDownloader:Win32/Cutwail ,\nVirTool:Win32/Obfuscator",
          "modified": "2024-10-23T05:03:21.045000",
          "created": "2024-09-23T05:47:03.625000",
          "tags": [
            "isp charter",
            "usage type",
            "fixed line",
            "isp hostname",
            "domain name",
            "country united",
            "america city",
            "denver",
            "colorado",
            "ip address",
            "whois",
            "check",
            "information isp",
            "inc usage",
            "type fixed",
            "line isp",
            "hostname",
            "plesk forum",
            "centos web",
            "panel forum",
            "whois lookup",
            "netrange",
            "nethandle",
            "net107",
            "net1070000",
            "cc3517",
            "inc orgid",
            "dr city",
            "stateprov",
            "postalcode",
            "status",
            "as7843 charter",
            "united",
            "name servers",
            "passive dns",
            "urls",
            "domain",
            "search",
            "emails",
            "unknown",
            "scan endpoints",
            "all scoreblue",
            "ipv4",
            "files",
            "reverse dns",
            "location united",
            "win32",
            "abuseipdb",
            "read",
            "write",
            "read c",
            "server header",
            "show",
            "suspicious",
            "kelihos",
            "trojan",
            "artemis",
            "virustotal",
            "download",
            "drweb",
            "vipre",
            "panda",
            "malware",
            "specified",
            "next",
            "et trojan",
            "et info",
            "medium",
            "http",
            "ids detections",
            "yara detections",
            "e98c1cec8156",
            "as11426 charter",
            "as20001 charter",
            "as11427 charter",
            "as11351 charter",
            "as16787 charter",
            "as33363 charter",
            "as20115 charter",
            "as10796 charter",
            "as12271 charter",
            "body",
            "servers",
            "all search",
            "entries",
            "intel",
            "ms windows",
            "windows nt",
            "destination",
            "port",
            "asnone",
            "heurunsec",
            "etpro trojan",
            "nxdomain",
            "a nxdomain",
            "aaaa",
            "asnone united",
            "aaaa nxdomain",
            "backdoor",
            "pulse submit",
            "url analysis",
            "location oxford",
            "as3456 charter",
            "moved",
            "showing",
            "body doctype",
            "html public",
            "ietfdtd html",
            "as6976 verizon",
            "as701 verizon",
            "file samples",
            "files matching",
            "date hash",
            "copyright",
            "levelblue",
            "related pulses",
            "pulse pulses",
            "kryptikpii",
            "msr apr",
            "date",
            "creation date",
            "analyzer paste",
            "iocs",
            "samples",
            "secure server",
            "cname",
            "as5742",
            "body head",
            "object moved",
            "content length",
            "content type",
            "cookie",
            "as15133 verizon",
            "lowfi",
            "gmt server",
            "ecacc",
            "record value",
            "oxford",
            "michigan",
            "ns nxdomain",
            "soa nxdomain",
            "url http",
            "mitre att",
            "evasion ta0005",
            "creates",
            "discovery t1082",
            "reads software",
            "file",
            "t1083 reads",
            "jujubox",
            "zenbox",
            "get http",
            "request",
            "host",
            "win64",
            "khtml",
            "gecko",
            "response",
            "cus cndigicert",
            "tls rsa",
            "user",
            "javascript c",
            "doscom c",
            "text c",
            "files c",
            "storage",
            "file system",
            "filesadobe c",
            "appdata",
            "appdatalocal",
            "hostnames",
            "ta0002 command",
            "t1059 very",
            "t1064",
            "javascript",
            "modules t1129",
            "ta0003 create",
            "modify system",
            "process t1543",
            "windows service",
            "cisco umbrella",
            "blacklist",
            "safe site",
            "filerepmalware",
            "microsoft",
            "phishing bank",
            "sgeneric",
            "malware site",
            "unsafe",
            "number",
            "cus cngts",
            "ogoogle trust",
            "subject",
            "algorithm",
            "cus ouserver",
            "ouserver ca",
            "record type",
            "ttl value",
            "msms86718722",
            "query",
            "open",
            "capa",
            "create process",
            "windows create",
            "delete file",
            "write file",
            "windows check",
            "os version",
            "enumerate",
            "hashes",
            "signals mutexes",
            "mutexes",
            "open threat",
            "location los",
            "emails info",
            "expiration date",
            "write c",
            "process32nextw",
            "regsetvalueexa",
            "regdword",
            "module load",
            "t1129",
            "as51167 contabo",
            "germany unknown",
            "as40021 contabo",
            "encrypt",
            "hosting",
            "netherlands asn",
            "as204601 zomro",
            "pulses",
            "tags",
            "related tags",
            "indicator facts",
            "historical otx",
            "files ip",
            "asnone germany",
            "as174 cogent",
            "czechia unknown",
            "whitelisted",
            "certificate",
            "bittorrent dht",
            "post http",
            "et p2p",
            "cryptexportkey",
            "invalid pointer",
            "delete c",
            "post utcore",
            "benchhttp",
            "mozilla",
            "maldoc",
            "service",
            "tools",
            "nids",
            "et",
            "x95xd3xa4",
            "regbinary",
            "hx88x89",
            "kx82xd3x11",
            "xb9x8b",
            "x8dxb7xb7",
            "hx88x9ax1e",
            "mx81xd1r",
            "x92xac",
            "stream",
            "persistence",
            "execution",
            "dynamicloader",
            "contacted",
            "domains",
            "yara rule",
            "high",
            "dynamic",
            "pcap",
            "pushdo",
            "msie",
            "activity beacon",
            "malware beacon",
            "default",
            "redacted for",
            "for privacy",
            "as3379 kaiser",
            "server",
            "gmt content",
            "type",
            "x frame",
            "entries http",
            "scans show",
            "domain related",
            "no data",
            "tag count",
            "fakedout threat",
            "analyzer threat",
            "url summary",
            "ip summary",
            "summary",
            "sample",
            "detection list",
            "components",
            "zune",
            "etpro",
            "nod32",
            "avast avg",
            "next http",
            "example domain",
            "title meta",
            "invalid url",
            "akamai",
            "urls http",
            "as20940",
            "as16625 akamai",
            "netherlands",
            "germany",
            "france",
            "virtool",
            "rock",
            "address",
            "apache",
            "accept",
            "as8075",
            "pulse http",
            "related nids",
            "files location",
            "moldova related",
            "pulses none",
            "as31898 oracle",
            "title",
            "kryptiklfq",
            "win32dh",
            "vitro",
            "shutdown",
            "erase",
            "find",
            "close",
            "as53418",
            "hat server",
            "as797 att",
            "script urls",
            "a domains",
            "as10753 level",
            "script script",
            "meta",
            "path",
            "null",
            "stop",
            "as54113",
            "chrome",
            "as7018 att",
            "as28521",
            "mexico unknown",
            "fastly error",
            "please",
            "sea p",
            "object",
            "set cookie",
            "pragma",
            "as19536 directv",
            "united kingdom",
            "as60664 xion",
            "trojan features",
            "moldova unknown",
            "susp",
            "breaking news",
            "business",
            "finance",
            "entertainment",
            "sports",
            "games",
            "trending videos",
            "weather",
            "home",
            "as396982 google",
            "url https",
            "type indicator",
            "role title",
            "added active",
            "cyberfolks",
            ".pl",
            "level 3"
          ],
          "references": [
            "ISP: Charter Communications Inc Usage Type\tFixed Line ISP",
            "dnvrco-pub-iedge-vip.email.rr.com \tspectrum.com Denver, Colorado USA",
            "dnscache2b.cdptpa dnvrco-oms2ims-mta-svip-01.email dnvrco-queue04-ac.email dnvrco-ring-a62.email dnvrco-smss-f01-ac.email dnvrco-west-dhcpw-02.",
            "Reverse DNS dnvrco-pub-iedge-vip.email.rr.com",
            "Crypt3.COYL FileHash - SHA256 cb536e2e5eb3b23a74702f80832ab964e7dfe07763300437b5ba581f464a108e",
            "IDS Detections: Suspicious double Server Header Possible Kelihos",
            "IDS Detections: Possible Kelihos Infection Executable Download With Malformed Header",
            "telemetry-incoming.r53-2.services.mozilla.com",
            "https://otx.alienvault.com/indicator/url/http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel",
            "http://www.door.net/ARISBE/arisbe.htm",
            "talk.plesk.com | 4evermusic.pl |  nist.gov | alaska.gov.inbound10.mxlogic.net | publicfiles.fcc.gov",
            "https://cdns.directv.com/resources/js/dtv/framework/plugins/jquery.placeholder.min.js | peri.com.pl"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America",
            "Germany",
            "Hungary",
            "Ukraine",
            "Spain",
            "Brazil",
            "Russian Federation",
            "Moldova, Republic of",
            "Japan",
            "Ireland",
            "Luxembourg",
            "Canada"
          ],
          "malware_families": [
            {
              "id": "TrojanDownloader:Win32/Cutwail",
              "display_name": "TrojanDownloader:Win32/Cutwail",
              "target": "/malware/TrojanDownloader:Win32/Cutwail"
            },
            {
              "id": "Backdoor:Win32/Tofsee",
              "display_name": "Backdoor:Win32/Tofsee",
              "target": "/malware/Backdoor:Win32/Tofsee"
            },
            {
              "id": "Cerber Ransomware",
              "display_name": "Cerber Ransomware",
              "target": null
            },
            {
              "id": "NIDS",
              "display_name": "NIDS",
              "target": null
            },
            {
              "id": "ET",
              "display_name": "ET",
              "target": null
            },
            {
              "id": "Inject3.QGY",
              "display_name": "Inject3.QGY",
              "target": null
            },
            {
              "id": "Kelihos",
              "display_name": "Kelihos",
              "target": null
            },
            {
              "id": "ETPRO",
              "display_name": "ETPRO",
              "target": null
            },
            {
              "id": "NOD32",
              "display_name": "NOD32",
              "target": null
            },
            {
              "id": "VirTool:Win32/Obfuscator",
              "display_name": "VirTool:Win32/Obfuscator",
              "target": "/malware/VirTool:Win32/Obfuscator"
            },
            {
              "id": "Sf:ShellCode-AU\\ [Trj]",
              "display_name": "Sf:ShellCode-AU\\ [Trj]",
              "target": null
            },
            {
              "id": "Trojan:Win32/Glupteba",
              "display_name": "Trojan:Win32/Glupteba",
              "target": "/malware/Trojan:Win32/Glupteba"
            }
          ],
          "attack_ids": [
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1119",
              "name": "Automated Collection",
              "display_name": "T1119 - Automated Collection"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1064",
              "name": "Scripting",
              "display_name": "T1064 - Scripting"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1543",
              "name": "Create or Modify System Process",
              "display_name": "T1543 - Create or Modify System Process"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1023",
              "name": "Shortcut Modification",
              "display_name": "T1023 - Shortcut Modification"
            },
            {
              "id": "T1040",
              "name": "Network Sniffing",
              "display_name": "T1040 - Network Sniffing"
            },
            {
              "id": "T1045",
              "name": "Software Packing",
              "display_name": "T1045 - Software Packing"
            },
            {
              "id": "T1047",
              "name": "Windows Management Instrumentation",
              "display_name": "T1047 - Windows Management Instrumentation"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1031",
              "name": "Modify Existing Service",
              "display_name": "T1031 - Modify Existing Service"
            },
            {
              "id": "T1089",
              "name": "Disabling Security Tools",
              "display_name": "T1089 - Disabling Security Tools"
            },
            {
              "id": "T1096",
              "name": "NTFS File Attributes",
              "display_name": "T1096 - NTFS File Attributes"
            },
            {
              "id": "T1112",
              "name": "Modify Registry",
              "display_name": "T1112 - Modify Registry"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 37,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "scoreblue",
            "id": "254100",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 2060,
            "hostname": 3067,
            "CIDR": 4,
            "URL": 1300,
            "email": 29,
            "FileHash-MD5": 3181,
            "FileHash-SHA1": 1994,
            "FileHash-SHA256": 3228,
            "CVE": 2,
            "SSLCertFingerprint": 1
          },
          "indicator_count": 14866,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 233,
          "modified_text": "585 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "65536bc6301b7cdf7d04e095",
          "name": "TrojanDownloader:Win32/Cutwail.BS/Win.Trojan.Pushdo-20",
          "description": "backdoor,trojan downloaders, networm, phishing, tracking, spyware, device commands...",
          "modified": "2023-12-14T12:03:15.957000",
          "created": "2023-11-14T12:44:54.422000",
          "tags": [
            "passive dns",
            "urls",
            "t1604023287",
            "scan endpoints",
            "all search",
            "otx octoseek",
            "url http",
            "pulse pulses",
            "http",
            "ip address",
            "ssl certificate",
            "whois record",
            "resolutions",
            "referrer",
            "historical ssl",
            "communicating",
            "threat roundup",
            "whois whois",
            "apple",
            "stopransomware",
            "core",
            "discord",
            "metro",
            "blister",
            "cobalt strike",
            "hacktool",
            "june",
            "name verdict",
            "pattern match",
            "et tor",
            "known tor",
            "misc attack",
            "link",
            "woff2",
            "relayrouter",
            "exit",
            "node traffic",
            "ascii text",
            "date",
            "click",
            "unknown",
            "meta",
            "hybrid",
            "general",
            "local",
            "strings",
            "class",
            "generator",
            "critical",
            "error",
            "execution",
            "malware",
            "network",
            "roblox",
            "united",
            "as13335",
            "a domains",
            "status",
            "aaaa",
            "search",
            "script urls",
            "creation date",
            "showing",
            "pixel",
            "win32",
            "download",
            "t1507537243"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Roblox",
              "display_name": "Roblox",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 29,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "OctoSeek",
            "id": "243548",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 11333,
            "FileHash-MD5": 81,
            "FileHash-SHA1": 74,
            "FileHash-SHA256": 3269,
            "domain": 2748,
            "hostname": 3475,
            "email": 2,
            "CVE": 2
          },
          "indicator_count": 20984,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 224,
          "modified_text": "898 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "65536bdc3676a40633a619be",
          "name": "TrojanDownloader:Win32/Cutwail.BS/Win.Trojan.Pushdo-20",
          "description": "backdoor,trojan downloaders, networm, phishing, tracking, spyware, device commands...",
          "modified": "2023-12-14T12:03:15.957000",
          "created": "2023-11-14T12:45:16.667000",
          "tags": [
            "passive dns",
            "urls",
            "t1604023287",
            "scan endpoints",
            "all search",
            "otx octoseek",
            "url http",
            "pulse pulses",
            "http",
            "ip address",
            "ssl certificate",
            "whois record",
            "resolutions",
            "referrer",
            "historical ssl",
            "communicating",
            "threat roundup",
            "whois whois",
            "apple",
            "stopransomware",
            "core",
            "discord",
            "metro",
            "blister",
            "cobalt strike",
            "hacktool",
            "june",
            "name verdict",
            "pattern match",
            "et tor",
            "known tor",
            "misc attack",
            "link",
            "woff2",
            "relayrouter",
            "exit",
            "node traffic",
            "ascii text",
            "date",
            "click",
            "unknown",
            "meta",
            "hybrid",
            "general",
            "local",
            "strings",
            "class",
            "generator",
            "critical",
            "error",
            "execution",
            "malware",
            "network",
            "roblox",
            "united",
            "as13335",
            "a domains",
            "status",
            "aaaa",
            "search",
            "script urls",
            "creation date",
            "showing",
            "pixel",
            "win32",
            "download",
            "t1507537243"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Roblox",
              "display_name": "Roblox",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 35,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "OctoSeek",
            "id": "243548",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 11333,
            "FileHash-MD5": 81,
            "FileHash-SHA1": 74,
            "FileHash-SHA256": 3269,
            "domain": 2748,
            "hostname": 3475,
            "email": 2,
            "CVE": 2
          },
          "indicator_count": 20984,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 224,
          "modified_text": "898 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "65568d67bd96e06ab44b9b95",
          "name": "TrojanDownloader:Win32/Cutwail.BS/Win.Trojan.Pushdo-20",
          "description": "",
          "modified": "2023-12-14T12:03:15.957000",
          "created": "2023-11-16T21:45:11.721000",
          "tags": [
            "passive dns",
            "urls",
            "t1604023287",
            "scan endpoints",
            "all search",
            "otx octoseek",
            "url http",
            "pulse pulses",
            "http",
            "ip address",
            "ssl certificate",
            "whois record",
            "resolutions",
            "referrer",
            "historical ssl",
            "communicating",
            "threat roundup",
            "whois whois",
            "apple",
            "stopransomware",
            "core",
            "discord",
            "metro",
            "blister",
            "cobalt strike",
            "hacktool",
            "june",
            "name verdict",
            "pattern match",
            "et tor",
            "known tor",
            "misc attack",
            "link",
            "woff2",
            "relayrouter",
            "exit",
            "node traffic",
            "ascii text",
            "date",
            "click",
            "unknown",
            "meta",
            "hybrid",
            "general",
            "local",
            "strings",
            "class",
            "generator",
            "critical",
            "error",
            "execution",
            "malware",
            "network",
            "roblox",
            "united",
            "as13335",
            "a domains",
            "status",
            "aaaa",
            "search",
            "script urls",
            "creation date",
            "showing",
            "pixel",
            "win32",
            "download",
            "t1507537243"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Roblox",
              "display_name": "Roblox",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": "65536bdc3676a40633a619be",
          "export_count": 25,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "scoreblue",
            "id": "254100",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 11333,
            "FileHash-MD5": 81,
            "FileHash-SHA1": 74,
            "FileHash-SHA256": 3269,
            "domain": 2748,
            "hostname": 3475,
            "email": 2,
            "CVE": 2
          },
          "indicator_count": 20984,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 228,
          "modified_text": "898 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6552d60aae6e1b3c22455088",
          "name": "Hive 0065",
          "description": "Hive 0065\nURL: https://applemusic-spotlight.myunidays.com/US/en-US?\n\nHive 0065\nHostname: applemusic-spotlight.myunidays.com",
          "modified": "2023-12-13T16:00:45.799000",
          "created": "2023-11-14T02:06:02.329000",
          "tags": [
            "united",
            "as8075",
            "creation date",
            "unknown",
            "search",
            "entries",
            "asnone country",
            "scan endpoints",
            "all search",
            "otx octoseek",
            "related domains",
            "show",
            "domain related",
            "xbox",
            "whois record",
            "contacted",
            "whois whois",
            "ssl certificate",
            "communicating",
            "referrer",
            "execution",
            "historical ssl",
            "bundled",
            "family",
            "lolkek",
            "formbook",
            "skynet",
            "lockbit",
            "ursnif",
            "attack",
            "core"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 29,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "OctoSeek",
            "id": "243548",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 4276,
            "email": 3,
            "hostname": 2288,
            "FileHash-MD5": 51,
            "FileHash-SHA1": 49,
            "FileHash-SHA256": 2756,
            "URL": 8696,
            "CVE": 1
          },
          "indicator_count": 18120,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 226,
          "modified_text": "899 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6552d6f5f56d2e9cd9e18a30",
          "name": "Lolkek \u2022 FormBook \u2022 Lokbit \u2022 Skynet",
          "description": "Hive 0065\nURL: https://applemusic-spotlight.myunidays.com/US/en-US?\n\nHive 0065\nHostname: applemusic-spotlight.myunidays.com",
          "modified": "2023-12-13T16:00:45.799000",
          "created": "2023-11-14T02:09:57.370000",
          "tags": [
            "united",
            "as8075",
            "creation date",
            "unknown",
            "search",
            "entries",
            "asnone country",
            "scan endpoints",
            "all search",
            "otx octoseek",
            "related domains",
            "show",
            "domain related",
            "xbox",
            "whois record",
            "contacted",
            "whois whois",
            "ssl certificate",
            "communicating",
            "referrer",
            "execution",
            "historical ssl",
            "bundled",
            "family",
            "lolkek",
            "formbook",
            "skynet",
            "lockbit",
            "ursnif",
            "attack",
            "core"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 29,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "OctoSeek",
            "id": "243548",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 4276,
            "email": 3,
            "hostname": 2288,
            "FileHash-MD5": 51,
            "FileHash-SHA1": 49,
            "FileHash-SHA256": 2756,
            "URL": 8696,
            "CVE": 1
          },
          "indicator_count": 18120,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 225,
          "modified_text": "899 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "65568b00198f82af2e88d463",
          "name": "Lolkek \u2022 FormBook \u2022 Lokbit \u2022 Skynet",
          "description": "",
          "modified": "2023-12-13T16:00:45.799000",
          "created": "2023-11-16T21:34:56.016000",
          "tags": [
            "united",
            "as8075",
            "creation date",
            "unknown",
            "search",
            "entries",
            "asnone country",
            "scan endpoints",
            "all search",
            "otx octoseek",
            "related domains",
            "show",
            "domain related",
            "xbox",
            "whois record",
            "contacted",
            "whois whois",
            "ssl certificate",
            "communicating",
            "referrer",
            "execution",
            "historical ssl",
            "bundled",
            "family",
            "lolkek",
            "formbook",
            "skynet",
            "lockbit",
            "ursnif",
            "attack",
            "core"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": "6552d6f5f56d2e9cd9e18a30",
          "export_count": 21,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "scoreblue",
            "id": "254100",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 4276,
            "email": 3,
            "hostname": 2288,
            "FileHash-MD5": 51,
            "FileHash-SHA1": 49,
            "FileHash-SHA256": 2756,
            "URL": 8696,
            "CVE": 1
          },
          "indicator_count": 18120,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 231,
          "modified_text": "899 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "hallrender.com \u2022  https://hallrender.com/resources/blog/ \u2022 https://urlmail.hallrender.com \u2022 https://urlwww.hallrender.com",
        "https://britneyspears.com/",
        "Now https://urlscan.io/liveshot/?width=1600&height=1200&url=http%3A%2F%2Fwww.neurotoxininstitute.com%2Findex.php%3Foption%5C%3Dcom_content%26view%5C%3Darticle%26id%5C%3D70%26Itemid%5C%3D14",
        "7d10881f146e0d4659948a3555b1eee33950647a3c830978d26f2c8e88d2a90a",
        "Alerts: http_request network_cnc_http network_http packer_entropy injection_rwx",
        "Domains Contacted: 0handicap.at accountingtechs.biz 4dbenelux.be accountant.com knology.net",
        "Alerts: behavior_upatre multiple_useragents persistence_autorun network_icmp dead_connect",
        "Created Pulses: NSO Group [Unnamed group] Unnamed group pi, pdfkit.net State of Colorado",
        "dev.hallrender.com \u2022 elite.hallrender.com \u2022 image.marketing.hallrender.com",
        "Alerts:static_pe_anomaly suricata_alert antisandbox_sleep  dynamic_function_loading",
        "World Media Group, LLC Address 90 lrojanbownloader.vns. Washington Valley Rd., #",
        "dnscache2b.cdptpa dnvrco-oms2ims-mta-svip-01.email dnvrco-queue04-ac.email dnvrco-ring-a62.email dnvrco-smss-f01-ac.email dnvrco-west-dhcpw-02.",
        "Name Servers PDNS1.ULTRADNS.NET Org",
        "https://urlscan.io/screenshots/32b0614f-1148-49ea-aed4-4f23afd33e56.png",
        "IDS Detections: HTTP Request to a *.tw domain 403 Forbiddenau ...",
        "https://www.mirvish.com/shows/come-from-away&geo=ca&merchantid=407759&useragent=Mozilla/5.0 (Linux; Android 13; Pixel 4a (5G) Build/TQ2A.230505.002; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/112.0.5615.136 Mobile Safari/537.36 GoogleApp/14.16.27.29.arm64 AppEngine-Google; (+ No Expiration",
        "Domains Contacted: badactor.us revasal.com yahoo.se excite.fr primus.com.au",
        "https://tms.lingyiitech.com/ELSServer_LYZZ/ \u2022 https://oa.lingyiitech.com/login.jsp",
        "CVE-2022-26134 \u2022  PRIVILEGES REQUIRED: NONE",
        "IDS Detections: Sinkhole Cookie Value Snkz 403 Forbidden TLS Handshake Failure",
        "https://otx.alienvault.com/pulse/68b5e672f492fdc96cf997aa",
        "https://citrix.hallrender.com/vpn/install/ \u2022  https://citrix.hallrender.com/vpn/install/mac.htm \u2022 https://www.hallrender.com/attorney/brian-sabey/Accept",
        "https://otx.alienvault.com/pulse/68d0f099f60e98e6c4ffc1e5",
        "IMPACT: HIGH BASE SCORE: 9.8 BASE SEVERITY: CRITICAL CONFIDENTIALITY IMPACT: HIGH INTEGRITY IMPACT: HIGH",
        "CVE-2022-26134 \u2022 CVSS V3 Severity ATTACK COMPLEXITY: LOW ATTACK VECTOR: NETWORK AVAILABILITY",
        "https://otx.alienvault.com/pulse/68d12dd7e357755235f007e8",
        "Backdoor.Win32.Pushdo.s Checkin",
        "IDS Detections: Backdoor.Win32.Pushdo.s Checkin Observed DNS Query to .biz TLD",
        "nr-data.net \u2022 https://www.sandoll.co.kr/AppleSDGothicNeo \u2022 aka.ms",
        "http://appelfarm.org",
        "https://www.neurotoxininstitute.com/",
        "dnvrco-pub-iedge-vip.email.rr.com \tspectrum.com Denver, Colorado USA",
        "IDS Detections: Possible Kelihos Infection Executable Download With Malformed Header",
        "indonesiawifi.net \u2022 http://welcome.indonesiawifi.net/wifi.id/speedy/?switch_url=http",
        "Reverse DNS dnvrco-pub-iedge-vip.email.rr.com",
        "IP\u2019s Contacted: 143.204.237.45  58.138.175.188  65.38.128.10  147.21.128.26  78.41.204.31  132.148.77.44",
        "[DR] Wifi ID Login v1.3 [03 April 2014].exe",
        "CVE-2022-26134\t Base Severity: Critical | Targeted | NSO Pegasus Relationships suspected",
        "IDS Detections: Cookie Value btst ET INFO Namecheap URL Forward",
        "http://elite.hallrender.com/TE_3E_PROD/web/ui/dashboard/ActionList_CCC",
        "Interesting Strings : 13.79.87.163",
        "IDS Detections: Suspicious double Server Header Possible Kelihos",
        "feastfoundry.com\t\u2022 https://www.feastfoundry.com/ \u2022 https://www.feastfoundry.com/mini-apple-pies/",
        "http://www.door.net/ARISBE/arisbe.htm",
        "https://elite.hallrender.com \u2022  https://hallrender.com/attorney/gregg-m-wallander/",
        "Yara Detections: PWSWin32Kegotip ,  VirusWin32Gogo ,  VirusWin32Hala ,  VirusWin32Wholdor",
        "IDS Detections: ET TROJAN Possible Compromised Host AnubisNetworks Sinkhole",
        "https://welcome.indonesiawifi.net/wifi.id/flexizone",
        "IDS Signatures : root login 175.203.174.23 \u2022 192.168.122.52",
        "telemetry-incoming.r53-2.services.mozilla.com",
        "https://otx.alienvault.com/indicator/url/http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel",
        "Phishing: http://gravityboard.com/?ptrxcz_quy147AEHKNQUXadgkorvy158BFILO",
        "Apple Cons: https://stetsed.xyz/apple \u2022 https://www.collierhonorflight.org/apple-touch-icon.png",
        "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian \u2018nonsense Denver County Courts)",
        "http://hallrender.com/attorney/brian-sabey \u2022 http://hallrender.com/attorney/brian-sabey/",
        "brian-sabey-anyxxxtube.net \u2022 hallrender.com",
        "SLF:MSIL/PSTAnomaly.A  SHA1 826d75e406808e3f002cb2b6da09003f78d612a1 [winPEAS.exe] SQLite.Interop.pdb",
        "Crypt3.COYL FileHash - SHA256 cb536e2e5eb3b23a74702f80832ab964e7dfe07763300437b5ba581f464a108e",
        "IDS Detections: Backdoor.Win32.Pushdo.s Checkin Possible Compromised Host AnubisNetworks",
        "A target pursued post criminal assault on Pinnacol Assuranve insured premises",
        "ISP: Charter Communications Inc Usage Type\tFixed Line ISP",
        "IDS Signatures :  SUSPICIOUS Path to BusyBox\t192.168.122.52\t\u2022 77.66.206.206",
        "https://cdns.directv.com/resources/js/dtv/framework/plugins/jquery.placeholder.min.js | peri.com.pl",
        "IDS Detections : SUSPICIOUS Path to BusyBox root login TELNET login failed",
        "Alerts: antidebug_setunhandledexceptionfilter antivm_network_adapters",
        "IDS Signatures :TELNET login failed\t77.66.206.206 \u2022 192.168.122.52",
        "IP\u2019s Contacted: 185.104.29.148  92.122.107.204  139.76.134.15  184.150.211.195",
        "bell.ca",
        "talk.plesk.com | 4evermusic.pl |  nist.gov | alaska.gov.inbound10.mxlogic.net | publicfiles.fcc.gov",
        "https://otx.alienvault.com/indicator/cve/CVE-2022-26134"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": []
        },
        "other": {
          "adversary": [
            "Lazarus"
          ],
          "malware_families": [
            "Backdoor:win32/tofsee",
            "Trojandownloader:win32/cutwail",
            "Virtool:win32/vbinject.gen!mh",
            "Alf:rpf:peattr_sigattr:predict:70",
            "Trojan:win32/glupteba",
            "Nod32",
            "Cve-2022-26134",
            "Win.trojan.pushdo-20",
            "Win32:zbot-ruv",
            "Mirai",
            "Slf:msil/pstanomaly.a",
            "Win32:kryptik",
            "Cerber ransomware",
            "Trojan:win32/bulta",
            "Virtool:win32/obfuscator",
            "Kelihos",
            "Roblox",
            "Inject3.qgy",
            "Win32:evo-gen",
            "Sality",
            "Trojandownloader:win32/cutwail.bs",
            "World media",
            "Alf:heraklezeval:backdoor:linux/mirai.a!rf",
            "Trojandownloader:win32/cutwail.bv",
            "Suggested",
            "Softcnapp",
            "Virus:win32/krepper.30760",
            "Sf:shellcode-au\\ [trj]",
            "Netherlands",
            "Nids",
            "Et",
            "Etpro"
          ],
          "industries": [
            "Government",
            "Legal",
            "Telecommunications",
            "Technology",
            "Judicial"
          ]
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 11,
  "pulses": [
    {
      "id": "69f30ef4033560d49d39ac55",
      "name": "VirusTotal report\n                    for executable.exe",
      "description": "[security firm has developed a tool that can automatically identify a Wi-Fi password and make it easy to access it via the net. and use it to create a secure log-in system.] <remote, .net, failed cryptographic validation chains cause this.",
      "modified": "2026-05-30T09:04:01.553000",
      "created": "2026-04-30T08:12:36.771000",
      "tags": [
        "wifi password",
        "joe security",
        "nextron",
        "new run",
        "key pointing",
        "run key",
        "roth",
        "markus neis",
        "sander wiebing",
        "poudel",
        "public",
        "appdata"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1003",
          "name": "OS Credential Dumping",
          "display_name": "T1003 - OS Credential Dumping"
        },
        {
          "id": "T1005",
          "name": "Data from Local System",
          "display_name": "T1005 - Data from Local System"
        },
        {
          "id": "T1010",
          "name": "Application Window Discovery",
          "display_name": "T1010 - Application Window Discovery"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1053",
          "name": "Scheduled Task/Job",
          "display_name": "T1053 - Scheduled Task/Job"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1095",
          "name": "Non-Application Layer Protocol",
          "display_name": "T1095 - Non-Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1218",
          "name": "Signed Binary Proxy Execution",
          "display_name": "T1218 - Signed Binary Proxy Execution"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1552",
          "name": "Unsecured Credentials",
          "display_name": "T1552 - Unsecured Credentials"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 1069,
        "FileHash-SHA1": 868,
        "FileHash-SHA256": 2783,
        "URL": 764,
        "hostname": 756,
        "domain": 293,
        "email": 44,
        "CVE": 44
      },
      "indicator_count": 6621,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 67,
      "modified_text": "1 day ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69efc567ae24b8285a71099d",
      "name": "Enemy of the State: Order in the Court \u2022 Part 4 - World Media",
      "description": "Critical, out of control targeting. Suspected Pegasus related campaign seen in State of Colorado court and Hospital systems+++. The answer is NO. The crime victim / survivor was never going to be given a chance to bring forward a case of any type of. Silenced. Not allowed to pursue justice. Car accident. No. Robbed. No Assault. No. Either the State is heavily involved or systems are manipulated by adversaries.\n\nCVE found more than a year ago, Original OTX researchers Pulses not found.\nCVE Overview:\nIn affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance.",
      "modified": "2026-05-27T18:05:26.880000",
      "created": "2026-04-27T20:21:59.824000",
      "tags": [
        "wifi id",
        "april",
        "extraction",
        "enter sc",
        "type ol",
        "data upload",
        "extra",
        "referen",
        "wifi data",
        "wifi",
        "ntgraph xe",
        "dynamicloader",
        "high",
        "port",
        "a8 f0",
        "c0 a0",
        "c4 d8",
        "a4 c4",
        "cache",
        "yara rule",
        "write",
        "music",
        "explorer",
        "guard",
        "tracker",
        "media",
        "default",
        "file",
        "id login",
        "mwdb",
        "bazaar",
        "sha3384",
        "ssdeep",
        "xport",
        "accept",
        "agent",
        "shutdown",
        "pe file",
        "network info",
        "sample",
        "aslr",
        "program",
        "mitre attack",
        "processes extra",
        "overview zenbox",
        "verdict",
        "iocs",
        "extra data",
        "included iocs",
        "indicator",
        "review iocs",
        "find",
        "dr wifi",
        "include review",
        "exclude sugges",
        "find s",
        "failed",
        "typ url",
        "registrant name",
        "all domain",
        "passive dns",
        "urls",
        "files",
        "access",
        "all ipv4",
        "america flag",
        "des moines",
        "level",
        "zeppelin",
        "domain add",
        "united states",
        "active",
        "msie",
        "windows nt",
        "united",
        "search",
        "medium",
        "as16509",
        "unknown",
        "upatre",
        "malware",
        "next",
        "ip address",
        "pty ltd",
        "url analysis",
        "trojan",
        "write c",
        "suspicious",
        "tt tr",
        "ultradns client",
        "service",
        "name servers",
        "emails",
        "world media",
        "contacted",
        "post",
        "u001b4nu0017",
        "powershell",
        "sc data",
        "type",
        "enter",
        "data",
        "cre pul",
        "enric",
        "extraction data",
        "denver courts",
        "hacking",
        "mitm_attacks",
        "injustice",
        "tracking",
        "ai",
        "ee fc",
        "ff d5",
        "domain",
        "australia",
        "files ip",
        "script script",
        "set cookie",
        "cookie",
        "related pulses",
        "learn",
        "ck id",
        "name tactics",
        "informative",
        "adversaries",
        "command",
        "defense evasion",
        "spawns",
        "javascript",
        "ascii text",
        "pattern match",
        "mitre att",
        "null",
        "refresh",
        "span",
        "hybrid",
        "general",
        "local",
        "path",
        "click",
        "strings",
        "error",
        "tools",
        "title",
        "look",
        "verify",
        "restart",
        "australia asn",
        "as9714 vocus",
        "body",
        "certificate",
        "present may",
        "japan unknown",
        "a domains",
        "value",
        "content type",
        "location japan",
        "shibuya",
        "japan asn",
        "as2497 internet",
        "dns resolutions",
        "domains top",
        "united states",
        "ipv4",
        "targeting",
        "tsara brashears",
        "state colorado",
        "critical",
        "pornhub",
        "tulach",
        "sabey",
        "poleass",
        "foundrypalantir",
        "pegasus",
        "state",
        "quasi",
        "shhh",
        "denver",
        "dougco",
        "jeffrey reimer",
        "reimer gropes",
        "christopher ahmann",
        "workers compensation",
        "commerce industry",
        "aig",
        "industry commerce",
        "confluence"
      ],
      "references": [
        "[DR] Wifi ID Login v1.3 [03 April 2014].exe",
        "7d10881f146e0d4659948a3555b1eee33950647a3c830978d26f2c8e88d2a90a",
        "bell.ca",
        "indonesiawifi.net \u2022 http://welcome.indonesiawifi.net/wifi.id/speedy/?switch_url=http",
        "https://welcome.indonesiawifi.net/wifi.id/flexizone",
        "SLF:MSIL/PSTAnomaly.A  SHA1 826d75e406808e3f002cb2b6da09003f78d612a1 [winPEAS.exe] SQLite.Interop.pdb",
        "A target pursued post criminal assault on Pinnacol Assuranve insured premises",
        "https://tms.lingyiitech.com/ELSServer_LYZZ/ \u2022 https://oa.lingyiitech.com/login.jsp",
        "IDS Detections: Backdoor.Win32.Pushdo.s Checkin Observed DNS Query to .biz TLD",
        "IDS Detections: HTTP Request to a *.tw domain 403 Forbiddenau ...",
        "Yara Detections: PWSWin32Kegotip ,  VirusWin32Gogo ,  VirusWin32Hala ,  VirusWin32Wholdor",
        "Alerts: behavior_upatre multiple_useragents persistence_autorun network_icmp dead_connect",
        "Alerts:static_pe_anomaly suricata_alert antisandbox_sleep  dynamic_function_loading",
        "Alerts: http_request network_cnc_http network_http packer_entropy injection_rwx",
        "Alerts: antidebug_setunhandledexceptionfilter antivm_network_adapters",
        "IP\u2019s Contacted: 143.204.237.45  58.138.175.188  65.38.128.10  147.21.128.26  78.41.204.31  132.148.77.44",
        "IP\u2019s Contacted: 185.104.29.148  92.122.107.204  139.76.134.15  184.150.211.195",
        "Domains Contacted: 0handicap.at accountingtechs.biz 4dbenelux.be accountant.com knology.net",
        "Domains Contacted: badactor.us revasal.com yahoo.se excite.fr primus.com.au",
        "Backdoor.Win32.Pushdo.s Checkin",
        "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian \u2018nonsense Denver County Courts)",
        "Name Servers PDNS1.ULTRADNS.NET Org",
        "World Media Group, LLC Address 90 lrojanbownloader.vns. Washington Valley Rd., #",
        "https://otx.alienvault.com/indicator/cve/CVE-2022-26134",
        "Phishing: http://gravityboard.com/?ptrxcz_quy147AEHKNQUXadgkorvy158BFILO",
        "Created Pulses: NSO Group [Unnamed group] Unnamed group pi, pdfkit.net State of Colorado",
        "CVE-2022-26134\t Base Severity: Critical | Targeted | NSO Pegasus Relationships suspected",
        "https://www.mirvish.com/shows/come-from-away&geo=ca&merchantid=407759&useragent=Mozilla/5.0 (Linux; Android 13; Pixel 4a (5G) Build/TQ2A.230505.002; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/112.0.5615.136 Mobile Safari/537.36 GoogleApp/14.16.27.29.arm64 AppEngine-Google; (+ No Expiration",
        "Apple Cons: https://stetsed.xyz/apple \u2022 https://www.collierhonorflight.org/apple-touch-icon.png",
        "nr-data.net \u2022 https://www.sandoll.co.kr/AppleSDGothicNeo \u2022 aka.ms",
        "CVE-2022-26134 \u2022 CVSS V3 Severity ATTACK COMPLEXITY: LOW ATTACK VECTOR: NETWORK AVAILABILITY",
        "IMPACT: HIGH BASE SCORE: 9.8 BASE SEVERITY: CRITICAL CONFIDENTIALITY IMPACT: HIGH INTEGRITY IMPACT: HIGH",
        "CVE-2022-26134 \u2022  PRIVILEGES REQUIRED: NONE"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "SLF:MSIL/PSTAnomaly.A",
          "display_name": "SLF:MSIL/PSTAnomaly.A",
          "target": "/malware/SLF:MSIL/PSTAnomaly.A"
        },
        {
          "id": "Win.Trojan.Pushdo-20",
          "display_name": "Win.Trojan.Pushdo-20",
          "target": null
        },
        {
          "id": "TrojanDownloader:Win32/Cutwail.BS",
          "display_name": "TrojanDownloader:Win32/Cutwail.BS",
          "target": "/malware/TrojanDownloader:Win32/Cutwail.BS"
        },
        {
          "id": "TrojanDownloader:Win32/Cutwail.BV",
          "display_name": "TrojanDownloader:Win32/Cutwail.BV",
          "target": "/malware/TrojanDownloader:Win32/Cutwail.BV"
        },
        {
          "id": "World Media",
          "display_name": "World Media",
          "target": null
        },
        {
          "id": "CVE-2022-26134",
          "display_name": "CVE-2022-26134",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1045",
          "name": "Software Packing",
          "display_name": "T1045 - Software Packing"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        },
        {
          "id": "T1060",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1060 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1059.001",
          "name": "PowerShell",
          "display_name": "T1059.001 - PowerShell"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1069",
          "name": "Permission Groups Discovery",
          "display_name": "T1069 - Permission Groups Discovery"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1480",
          "name": "Execution Guardrails",
          "display_name": "T1480 - Execution Guardrails"
        },
        {
          "id": "T1553",
          "name": "Subvert Trust Controls",
          "display_name": "T1553 - Subvert Trust Controls"
        },
        {
          "id": "T1560",
          "name": "Archive Collected Data",
          "display_name": "T1560 - Archive Collected Data"
        },
        {
          "id": "T1553.002",
          "name": "Code Signing",
          "display_name": "T1553.002 - Code Signing"
        },
        {
          "id": "T1069.002",
          "name": "Domain Groups",
          "display_name": "T1069.002 - Domain Groups"
        },
        {
          "id": "T1071.004",
          "name": "DNS",
          "display_name": "T1071.004 - DNS"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        }
      ],
      "industries": [
        "Government",
        "Legal",
        "Judicial",
        "Technology",
        "Telecommunications"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Q.Vashti",
        "id": "337942",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 1037,
        "hostname": 865,
        "domain": 685,
        "URL": 2224,
        "FileHash-MD5": 131,
        "FileHash-SHA1": 94,
        "CVE": 1,
        "email": 8,
        "SSLCertFingerprint": 6
      },
      "indicator_count": 5051,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 143,
      "modified_text": "3 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69efc7a6778f84c179d27073",
      "name": "Credit Q.Vashti - Cloned Pulse [\"Enemy of the State: Order in the Court\"]",
      "description": "",
      "modified": "2026-05-27T18:05:26.880000",
      "created": "2026-04-27T20:31:34.221000",
      "tags": [
        "wifi id",
        "april",
        "extraction",
        "enter sc",
        "type ol",
        "data upload",
        "extra",
        "referen",
        "wifi data",
        "wifi",
        "ntgraph xe",
        "dynamicloader",
        "high",
        "port",
        "a8 f0",
        "c0 a0",
        "c4 d8",
        "a4 c4",
        "cache",
        "yara rule",
        "write",
        "music",
        "explorer",
        "guard",
        "tracker",
        "media",
        "default",
        "file",
        "id login",
        "mwdb",
        "bazaar",
        "sha3384",
        "ssdeep",
        "xport",
        "accept",
        "agent",
        "shutdown",
        "pe file",
        "network info",
        "sample",
        "aslr",
        "program",
        "mitre attack",
        "processes extra",
        "overview zenbox",
        "verdict",
        "iocs",
        "extra data",
        "included iocs",
        "indicator",
        "review iocs",
        "find",
        "dr wifi",
        "include review",
        "exclude sugges",
        "find s",
        "failed",
        "typ url",
        "registrant name",
        "all domain",
        "passive dns",
        "urls",
        "files",
        "access",
        "all ipv4",
        "america flag",
        "des moines",
        "level",
        "zeppelin",
        "domain add",
        "united states",
        "active",
        "msie",
        "windows nt",
        "united",
        "search",
        "medium",
        "as16509",
        "unknown",
        "upatre",
        "malware",
        "next",
        "ip address",
        "pty ltd",
        "url analysis",
        "trojan",
        "write c",
        "suspicious",
        "tt tr",
        "ultradns client",
        "service",
        "name servers",
        "emails",
        "world media",
        "contacted",
        "post",
        "u001b4nu0017",
        "powershell",
        "sc data",
        "type",
        "enter",
        "data",
        "cre pul",
        "enric",
        "extraction data",
        "denver courts",
        "hacking",
        "mitm_attacks",
        "injustice",
        "tracking",
        "ai",
        "ee fc",
        "ff d5",
        "domain",
        "australia",
        "files ip",
        "script script",
        "set cookie",
        "cookie",
        "related pulses",
        "learn",
        "ck id",
        "name tactics",
        "informative",
        "adversaries",
        "command",
        "defense evasion",
        "spawns",
        "javascript",
        "ascii text",
        "pattern match",
        "mitre att",
        "null",
        "refresh",
        "span",
        "hybrid",
        "general",
        "local",
        "path",
        "click",
        "strings",
        "error",
        "tools",
        "title",
        "look",
        "verify",
        "restart",
        "australia asn",
        "as9714 vocus",
        "body",
        "certificate",
        "present may",
        "japan unknown",
        "a domains",
        "value",
        "content type",
        "location japan",
        "shibuya",
        "japan asn",
        "as2497 internet",
        "dns resolutions",
        "domains top",
        "united states",
        "ipv4",
        "targeting",
        "tsara brashears",
        "state colorado",
        "critical",
        "pornhub",
        "tulach",
        "sabey",
        "poleass",
        "foundrypalantir",
        "pegasus",
        "state",
        "quasi",
        "shhh",
        "denver",
        "dougco",
        "jeffrey reimer",
        "reimer gropes",
        "christopher ahmann",
        "workers compensation",
        "commerce industry",
        "aig",
        "industry commerce",
        "confluence"
      ],
      "references": [
        "[DR] Wifi ID Login v1.3 [03 April 2014].exe",
        "7d10881f146e0d4659948a3555b1eee33950647a3c830978d26f2c8e88d2a90a",
        "bell.ca",
        "indonesiawifi.net \u2022 http://welcome.indonesiawifi.net/wifi.id/speedy/?switch_url=http",
        "https://welcome.indonesiawifi.net/wifi.id/flexizone",
        "SLF:MSIL/PSTAnomaly.A  SHA1 826d75e406808e3f002cb2b6da09003f78d612a1 [winPEAS.exe] SQLite.Interop.pdb",
        "A target pursued post criminal assault on Pinnacol Assuranve insured premises",
        "https://tms.lingyiitech.com/ELSServer_LYZZ/ \u2022 https://oa.lingyiitech.com/login.jsp",
        "IDS Detections: Backdoor.Win32.Pushdo.s Checkin Observed DNS Query to .biz TLD",
        "IDS Detections: HTTP Request to a *.tw domain 403 Forbiddenau ...",
        "Yara Detections: PWSWin32Kegotip ,  VirusWin32Gogo ,  VirusWin32Hala ,  VirusWin32Wholdor",
        "Alerts: behavior_upatre multiple_useragents persistence_autorun network_icmp dead_connect",
        "Alerts:static_pe_anomaly suricata_alert antisandbox_sleep  dynamic_function_loading",
        "Alerts: http_request network_cnc_http network_http packer_entropy injection_rwx",
        "Alerts: antidebug_setunhandledexceptionfilter antivm_network_adapters",
        "IP\u2019s Contacted: 143.204.237.45  58.138.175.188  65.38.128.10  147.21.128.26  78.41.204.31  132.148.77.44",
        "IP\u2019s Contacted: 185.104.29.148  92.122.107.204  139.76.134.15  184.150.211.195",
        "Domains Contacted: 0handicap.at accountingtechs.biz 4dbenelux.be accountant.com knology.net",
        "Domains Contacted: badactor.us revasal.com yahoo.se excite.fr primus.com.au",
        "Backdoor.Win32.Pushdo.s Checkin",
        "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian \u2018nonsense Denver County Courts)",
        "Name Servers PDNS1.ULTRADNS.NET Org",
        "World Media Group, LLC Address 90 lrojanbownloader.vns. Washington Valley Rd., #",
        "https://otx.alienvault.com/indicator/cve/CVE-2022-26134",
        "Phishing: http://gravityboard.com/?ptrxcz_quy147AEHKNQUXadgkorvy158BFILO",
        "Created Pulses: NSO Group [Unnamed group] Unnamed group pi, pdfkit.net State of Colorado",
        "CVE-2022-26134\t Base Severity: Critical | Targeted | NSO Pegasus Relationships suspected",
        "https://www.mirvish.com/shows/come-from-away&geo=ca&merchantid=407759&useragent=Mozilla/5.0 (Linux; Android 13; Pixel 4a (5G) Build/TQ2A.230505.002; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/112.0.5615.136 Mobile Safari/537.36 GoogleApp/14.16.27.29.arm64 AppEngine-Google; (+ No Expiration",
        "Apple Cons: https://stetsed.xyz/apple \u2022 https://www.collierhonorflight.org/apple-touch-icon.png",
        "nr-data.net \u2022 https://www.sandoll.co.kr/AppleSDGothicNeo \u2022 aka.ms",
        "CVE-2022-26134 \u2022 CVSS V3 Severity ATTACK COMPLEXITY: LOW ATTACK VECTOR: NETWORK AVAILABILITY",
        "IMPACT: HIGH BASE SCORE: 9.8 BASE SEVERITY: CRITICAL CONFIDENTIALITY IMPACT: HIGH INTEGRITY IMPACT: HIGH",
        "CVE-2022-26134 \u2022  PRIVILEGES REQUIRED: NONE"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "SLF:MSIL/PSTAnomaly.A",
          "display_name": "SLF:MSIL/PSTAnomaly.A",
          "target": "/malware/SLF:MSIL/PSTAnomaly.A"
        },
        {
          "id": "Win.Trojan.Pushdo-20",
          "display_name": "Win.Trojan.Pushdo-20",
          "target": null
        },
        {
          "id": "TrojanDownloader:Win32/Cutwail.BS",
          "display_name": "TrojanDownloader:Win32/Cutwail.BS",
          "target": "/malware/TrojanDownloader:Win32/Cutwail.BS"
        },
        {
          "id": "TrojanDownloader:Win32/Cutwail.BV",
          "display_name": "TrojanDownloader:Win32/Cutwail.BV",
          "target": "/malware/TrojanDownloader:Win32/Cutwail.BV"
        },
        {
          "id": "World Media",
          "display_name": "World Media",
          "target": null
        },
        {
          "id": "CVE-2022-26134",
          "display_name": "CVE-2022-26134",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1045",
          "name": "Software Packing",
          "display_name": "T1045 - Software Packing"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        },
        {
          "id": "T1060",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1060 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1059.001",
          "name": "PowerShell",
          "display_name": "T1059.001 - PowerShell"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1069",
          "name": "Permission Groups Discovery",
          "display_name": "T1069 - Permission Groups Discovery"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1480",
          "name": "Execution Guardrails",
          "display_name": "T1480 - Execution Guardrails"
        },
        {
          "id": "T1553",
          "name": "Subvert Trust Controls",
          "display_name": "T1553 - Subvert Trust Controls"
        },
        {
          "id": "T1560",
          "name": "Archive Collected Data",
          "display_name": "T1560 - Archive Collected Data"
        },
        {
          "id": "T1553.002",
          "name": "Code Signing",
          "display_name": "T1553.002 - Code Signing"
        },
        {
          "id": "T1069.002",
          "name": "Domain Groups",
          "display_name": "T1069.002 - Domain Groups"
        },
        {
          "id": "T1071.004",
          "name": "DNS",
          "display_name": "T1071.004 - DNS"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        }
      ],
      "industries": [
        "Government",
        "Legal",
        "Judicial",
        "Technology",
        "Telecommunications"
      ],
      "TLP": "white",
      "cloned_from": "69efc567ae24b8285a71099d",
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 1039,
        "hostname": 868,
        "domain": 687,
        "URL": 2226,
        "FileHash-MD5": 133,
        "FileHash-SHA1": 96,
        "CVE": 1,
        "email": 8,
        "SSLCertFingerprint": 6
      },
      "indicator_count": 5064,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 67,
      "modified_text": "3 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "691e2279ac1ef8b9dbfbc2b3",
      "name": "Mirai \u2022 Neurotox Institute",
      "description": "Found in peripheral. Lazarus. Related tomOperation Endgame. Strangely related to the entertainment industry. \nRelated to treatments facilities where a target I\u2019ve been researching received \u2018care\u2019. Also links to Major Entertainment conglomerate : not surprisingly Hall Render and Foundry.\nPage was stated to expire 11/21 | expired after I was able to capture a live screenshot (not updated for years) \n\n[The Neurotoxin Institute (NTI) is a multidisciplinary organization created to serve as a comprehensive independent source of information related to the basic science and the clinical applications of neurotoxins. The Institute fosters the learning and teaching of both theory and practical techniques, and encourages further research in support of these goals.\nExperimental Biology (EB)\nwww.aapmr.org]",
      "modified": "2025-12-19T19:00:18.927000",
      "created": "2025-11-19T20:03:05.195000",
      "tags": [
        "united",
        "link",
        "virtool",
        "meta",
        "atom",
        "pragma",
        "dynamicloader",
        "msie",
        "windows nt",
        "tls handshake",
        "failure",
        "tlsv1",
        "forbidden",
        "ogoogle trust",
        "encrypt",
        "possible",
        "write",
        "malware",
        "consumed",
        "netherlands",
        "united kingdom",
        "read c",
        "sality",
        "delphi",
        "win32",
        "strings",
        "xserver",
        "post http",
        "post method",
        "cryptexportkey",
        "ocloudflare",
        "cryptgenkey",
        "calgrc4",
        "persistence",
        "execution",
        "div div",
        "script script",
        "span a",
        "a li",
        "unknown ns",
        "span",
        "april",
        "passive dns",
        "hosting",
        "reverse dns",
        "hostname add",
        "files ip",
        "asn as32475",
        "address domain",
        "mirai",
        "united states",
        "facebook",
        "twitter",
        "youtube",
        "ck ids",
        "mh may",
        "t1204 technique",
        "user execution",
        "suggested",
        "port",
        "destination",
        "telnet login",
        "high",
        "tcp syn",
        "infectednight",
        "resolverror",
        "suspicious path",
        "ids detections",
        "yara detections",
        "sinkhole cookie",
        "file score",
        "detections sf",
        "value snkz",
        "forbidden tls",
        "et trojan",
        "value",
        "et info",
        "et",
        "present oct",
        "domain",
        "title",
        "present sep",
        "moved",
        "server",
        "next associated",
        "ipv4 add",
        "urls",
        "files",
        "trojan",
        "cookie",
        "predict70 sep",
        "next http",
        "scans record",
        "forbidden date",
        "gmt content",
        "type",
        "unix",
        "namecheap url",
        "forward elf",
        "md5 add",
        "less see",
        "contacted",
        "pulse pulses",
        "av detections",
        "analysis date",
        "virus",
        "ee fc",
        "unknown",
        "yara rule",
        "ff d5",
        "search",
        "show",
        "suspicious",
        "fbq object",
        "ide value",
        "source level",
        "url text",
        "line",
        "allow attribute",
        "mootools",
        "class function",
        "chain",
        "options",
        "elements",
        "garbage",
        "drag",
        "xhr function",
        "ajax",
        "itemid14",
        "kb image",
        "kb script",
        "b image",
        "b stylesheet",
        "b script",
        "kb stylesheet",
        "stylesheet",
        "redirect chain",
        "path size",
        "type mimetype",
        "resource",
        "general full",
        "montreal",
        "canada",
        "asn16276",
        "debian",
        "url http",
        "hash",
        "main",
        "cookie object",
        "dns any",
        "date",
        "entries",
        "url https",
        "Foundry",
        "Lazarus",
        "Endgame",
        "Neurotoxin Institute",
        "Hall Render",
        "Brian Sabey",
        "UC Health",
        "Britney Spears Official"
      ],
      "references": [
        "https://www.neurotoxininstitute.com/",
        "Backdoor.Win32.Pushdo.s Checkin",
        "IDS Detections: Backdoor.Win32.Pushdo.s Checkin Possible Compromised Host AnubisNetworks",
        "IDS Detections: Sinkhole Cookie Value Snkz 403 Forbidden TLS Handshake Failure",
        "IDS Detections: ET TROJAN Possible Compromised Host AnubisNetworks Sinkhole",
        "IDS Detections: Cookie Value btst ET INFO Namecheap URL Forward",
        "IDS Detections : SUSPICIOUS Path to BusyBox root login TELNET login failed",
        "http://appelfarm.org",
        "IDS Signatures : root login 175.203.174.23 \u2022 192.168.122.52",
        "IDS Signatures :TELNET login failed\t77.66.206.206 \u2022 192.168.122.52",
        "IDS Signatures :  SUSPICIOUS Path to BusyBox\t192.168.122.52\t\u2022 77.66.206.206",
        "Interesting Strings : 13.79.87.163",
        "https://urlscan.io/screenshots/32b0614f-1148-49ea-aed4-4f23afd33e56.png",
        "https://otx.alienvault.com/pulse/68d0f099f60e98e6c4ffc1e5",
        "https://otx.alienvault.com/pulse/68b5e672f492fdc96cf997aa",
        "https://otx.alienvault.com/pulse/68d12dd7e357755235f007e8",
        "https://britneyspears.com/",
        "hallrender.com \u2022  https://hallrender.com/resources/blog/ \u2022 https://urlmail.hallrender.com \u2022 https://urlwww.hallrender.com",
        "https://citrix.hallrender.com/vpn/install/ \u2022  https://citrix.hallrender.com/vpn/install/mac.htm \u2022 https://www.hallrender.com/attorney/brian-sabey/Accept",
        "http://hallrender.com/attorney/brian-sabey \u2022 http://hallrender.com/attorney/brian-sabey/",
        "http://elite.hallrender.com/TE_3E_PROD/web/ui/dashboard/ActionList_CCC",
        "https://elite.hallrender.com \u2022  https://hallrender.com/attorney/gregg-m-wallander/",
        "brian-sabey-anyxxxtube.net \u2022 hallrender.com",
        "dev.hallrender.com \u2022 elite.hallrender.com \u2022 image.marketing.hallrender.com",
        "Now https://urlscan.io/liveshot/?width=1600&height=1200&url=http%3A%2F%2Fwww.neurotoxininstitute.com%2Findex.php%3Foption%5C%3Dcom_content%26view%5C%3Darticle%26id%5C%3D70%26Itemid%5C%3D14",
        "feastfoundry.com\t\u2022 https://www.feastfoundry.com/ \u2022 https://www.feastfoundry.com/mini-apple-pies/"
      ],
      "public": 1,
      "adversary": "Lazarus",
      "targeted_countries": [
        "United States of America",
        "Japan",
        "France",
        "Germany",
        "Canada",
        "Netherlands",
        "United Kingdom of Great Britain and Northern Ireland",
        "New Zealand",
        "Italy",
        "Aruba",
        "Poland",
        "Singapore",
        "T\u00fcrkiye",
        "Indonesia",
        "Spain",
        "Hong Kong"
      ],
      "malware_families": [
        {
          "id": "TrojanDownloader:Win32/Cutwail",
          "display_name": "TrojanDownloader:Win32/Cutwail",
          "target": "/malware/TrojanDownloader:Win32/Cutwail"
        },
        {
          "id": "Netherlands",
          "display_name": "Netherlands",
          "target": null
        },
        {
          "id": "Sality",
          "display_name": "Sality",
          "target": null
        },
        {
          "id": "Virus:Win32/Krepper.30760",
          "display_name": "Virus:Win32/Krepper.30760",
          "target": "/malware/Virus:Win32/Krepper.30760"
        },
        {
          "id": "Mirai",
          "display_name": "Mirai",
          "target": null
        },
        {
          "id": "ALF:HeraklezEval:Backdoor:Linux/Mirai.A!rf",
          "display_name": "ALF:HeraklezEval:Backdoor:Linux/Mirai.A!rf",
          "target": null
        },
        {
          "id": "Suggested",
          "display_name": "Suggested",
          "target": null
        },
        {
          "id": "VirTool:Win32/VBInject.gen!MH",
          "display_name": "VirTool:Win32/VBInject.gen!MH",
          "target": "/malware/VirTool:Win32/VBInject.gen!MH"
        },
        {
          "id": "ET",
          "display_name": "ET",
          "target": null
        },
        {
          "id": "Softcnapp",
          "display_name": "Softcnapp",
          "target": null
        },
        {
          "id": "ALF:RPF:PEATTR_SIGATTR:PREDICT:70",
          "display_name": "ALF:RPF:PEATTR_SIGATTR:PREDICT:70",
          "target": null
        },
        {
          "id": "Win32:Zbot-RUV",
          "display_name": "Win32:Zbot-RUV",
          "target": null
        },
        {
          "id": "Win32:Evo-gen",
          "display_name": "Win32:Evo-gen",
          "target": null
        },
        {
          "id": "Win32:Kryptik",
          "display_name": "Win32:Kryptik",
          "target": null
        },
        {
          "id": "Trojan:Win32/Bulta",
          "display_name": "Trojan:Win32/Bulta",
          "target": "/malware/Trojan:Win32/Bulta"
        }
      ],
      "attack_ids": [
        {
          "id": "T1204",
          "name": "User Execution",
          "display_name": "T1204 - User Execution"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1060",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1060 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1553",
          "name": "Subvert Trust Controls",
          "display_name": "T1553 - Subvert Trust Controls"
        },
        {
          "id": "T1040",
          "name": "Network Sniffing",
          "display_name": "T1040 - Network Sniffing"
        },
        {
          "id": "T1045",
          "name": "Software Packing",
          "display_name": "T1045 - Software Packing"
        },
        {
          "id": "T1053",
          "name": "Scheduled Task/Job",
          "display_name": "T1053 - Scheduled Task/Job"
        },
        {
          "id": "T1112",
          "name": "Modify Registry",
          "display_name": "T1112 - Modify Registry"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 10,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Q.Vashti",
        "id": "337942",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 511,
        "hostname": 198,
        "domain": 471,
        "FileHash-SHA256": 1442,
        "FileHash-MD5": 183,
        "FileHash-SHA1": 79,
        "email": 5,
        "SSLCertFingerprint": 63
      },
      "indicator_count": 2952,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 148,
      "modified_text": "162 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "66f100d791f9f9f6ab7b4f24",
      "name": "Cerber \u00bb Charter Communications \u00bb Spectrum Denver",
      "description": "[107.14.73.70] IP address range owned by Charter Communications Inc and located in Denver, Co United States.\n\nTargets & family neighborhood ISP's attacked again.  Internet and targets devices attacked , Internet had to be reset twice by tech teams. Our team was able to track comprises directed towards target and families devices, which they are destroying. Stolen passwords, leaks, forced content, dumping. Both Spectrum &  Quantum fiber positive for malicious activity within targeted devices. Fake iOS update pushed to a device. It comes with an agreement from Apple Singapore, LTD. \n\nMalware Families ,\nBackdoor:Win32/Tofse , \nCerber Ransomware ,\nET.  \nETPRO ,\nInject3.QGY ,\nKelihos ,\nNIDS ,\nNOD32 ,\nSf:ShellCode-AU\\ [Trj] , \nTrojan:Win32/Glupteba ,\nTrojanDownloader:Win32/Cutwail ,\nVirTool:Win32/Obfuscator",
      "modified": "2024-10-23T05:03:21.045000",
      "created": "2024-09-23T05:47:03.625000",
      "tags": [
        "isp charter",
        "usage type",
        "fixed line",
        "isp hostname",
        "domain name",
        "country united",
        "america city",
        "denver",
        "colorado",
        "ip address",
        "whois",
        "check",
        "information isp",
        "inc usage",
        "type fixed",
        "line isp",
        "hostname",
        "plesk forum",
        "centos web",
        "panel forum",
        "whois lookup",
        "netrange",
        "nethandle",
        "net107",
        "net1070000",
        "cc3517",
        "inc orgid",
        "dr city",
        "stateprov",
        "postalcode",
        "status",
        "as7843 charter",
        "united",
        "name servers",
        "passive dns",
        "urls",
        "domain",
        "search",
        "emails",
        "unknown",
        "scan endpoints",
        "all scoreblue",
        "ipv4",
        "files",
        "reverse dns",
        "location united",
        "win32",
        "abuseipdb",
        "read",
        "write",
        "read c",
        "server header",
        "show",
        "suspicious",
        "kelihos",
        "trojan",
        "artemis",
        "virustotal",
        "download",
        "drweb",
        "vipre",
        "panda",
        "malware",
        "specified",
        "next",
        "et trojan",
        "et info",
        "medium",
        "http",
        "ids detections",
        "yara detections",
        "e98c1cec8156",
        "as11426 charter",
        "as20001 charter",
        "as11427 charter",
        "as11351 charter",
        "as16787 charter",
        "as33363 charter",
        "as20115 charter",
        "as10796 charter",
        "as12271 charter",
        "body",
        "servers",
        "all search",
        "entries",
        "intel",
        "ms windows",
        "windows nt",
        "destination",
        "port",
        "asnone",
        "heurunsec",
        "etpro trojan",
        "nxdomain",
        "a nxdomain",
        "aaaa",
        "asnone united",
        "aaaa nxdomain",
        "backdoor",
        "pulse submit",
        "url analysis",
        "location oxford",
        "as3456 charter",
        "moved",
        "showing",
        "body doctype",
        "html public",
        "ietfdtd html",
        "as6976 verizon",
        "as701 verizon",
        "file samples",
        "files matching",
        "date hash",
        "copyright",
        "levelblue",
        "related pulses",
        "pulse pulses",
        "kryptikpii",
        "msr apr",
        "date",
        "creation date",
        "analyzer paste",
        "iocs",
        "samples",
        "secure server",
        "cname",
        "as5742",
        "body head",
        "object moved",
        "content length",
        "content type",
        "cookie",
        "as15133 verizon",
        "lowfi",
        "gmt server",
        "ecacc",
        "record value",
        "oxford",
        "michigan",
        "ns nxdomain",
        "soa nxdomain",
        "url http",
        "mitre att",
        "evasion ta0005",
        "creates",
        "discovery t1082",
        "reads software",
        "file",
        "t1083 reads",
        "jujubox",
        "zenbox",
        "get http",
        "request",
        "host",
        "win64",
        "khtml",
        "gecko",
        "response",
        "cus cndigicert",
        "tls rsa",
        "user",
        "javascript c",
        "doscom c",
        "text c",
        "files c",
        "storage",
        "file system",
        "filesadobe c",
        "appdata",
        "appdatalocal",
        "hostnames",
        "ta0002 command",
        "t1059 very",
        "t1064",
        "javascript",
        "modules t1129",
        "ta0003 create",
        "modify system",
        "process t1543",
        "windows service",
        "cisco umbrella",
        "blacklist",
        "safe site",
        "filerepmalware",
        "microsoft",
        "phishing bank",
        "sgeneric",
        "malware site",
        "unsafe",
        "number",
        "cus cngts",
        "ogoogle trust",
        "subject",
        "algorithm",
        "cus ouserver",
        "ouserver ca",
        "record type",
        "ttl value",
        "msms86718722",
        "query",
        "open",
        "capa",
        "create process",
        "windows create",
        "delete file",
        "write file",
        "windows check",
        "os version",
        "enumerate",
        "hashes",
        "signals mutexes",
        "mutexes",
        "open threat",
        "location los",
        "emails info",
        "expiration date",
        "write c",
        "process32nextw",
        "regsetvalueexa",
        "regdword",
        "module load",
        "t1129",
        "as51167 contabo",
        "germany unknown",
        "as40021 contabo",
        "encrypt",
        "hosting",
        "netherlands asn",
        "as204601 zomro",
        "pulses",
        "tags",
        "related tags",
        "indicator facts",
        "historical otx",
        "files ip",
        "asnone germany",
        "as174 cogent",
        "czechia unknown",
        "whitelisted",
        "certificate",
        "bittorrent dht",
        "post http",
        "et p2p",
        "cryptexportkey",
        "invalid pointer",
        "delete c",
        "post utcore",
        "benchhttp",
        "mozilla",
        "maldoc",
        "service",
        "tools",
        "nids",
        "et",
        "x95xd3xa4",
        "regbinary",
        "hx88x89",
        "kx82xd3x11",
        "xb9x8b",
        "x8dxb7xb7",
        "hx88x9ax1e",
        "mx81xd1r",
        "x92xac",
        "stream",
        "persistence",
        "execution",
        "dynamicloader",
        "contacted",
        "domains",
        "yara rule",
        "high",
        "dynamic",
        "pcap",
        "pushdo",
        "msie",
        "activity beacon",
        "malware beacon",
        "default",
        "redacted for",
        "for privacy",
        "as3379 kaiser",
        "server",
        "gmt content",
        "type",
        "x frame",
        "entries http",
        "scans show",
        "domain related",
        "no data",
        "tag count",
        "fakedout threat",
        "analyzer threat",
        "url summary",
        "ip summary",
        "summary",
        "sample",
        "detection list",
        "components",
        "zune",
        "etpro",
        "nod32",
        "avast avg",
        "next http",
        "example domain",
        "title meta",
        "invalid url",
        "akamai",
        "urls http",
        "as20940",
        "as16625 akamai",
        "netherlands",
        "germany",
        "france",
        "virtool",
        "rock",
        "address",
        "apache",
        "accept",
        "as8075",
        "pulse http",
        "related nids",
        "files location",
        "moldova related",
        "pulses none",
        "as31898 oracle",
        "title",
        "kryptiklfq",
        "win32dh",
        "vitro",
        "shutdown",
        "erase",
        "find",
        "close",
        "as53418",
        "hat server",
        "as797 att",
        "script urls",
        "a domains",
        "as10753 level",
        "script script",
        "meta",
        "path",
        "null",
        "stop",
        "as54113",
        "chrome",
        "as7018 att",
        "as28521",
        "mexico unknown",
        "fastly error",
        "please",
        "sea p",
        "object",
        "set cookie",
        "pragma",
        "as19536 directv",
        "united kingdom",
        "as60664 xion",
        "trojan features",
        "moldova unknown",
        "susp",
        "breaking news",
        "business",
        "finance",
        "entertainment",
        "sports",
        "games",
        "trending videos",
        "weather",
        "home",
        "as396982 google",
        "url https",
        "type indicator",
        "role title",
        "added active",
        "cyberfolks",
        ".pl",
        "level 3"
      ],
      "references": [
        "ISP: Charter Communications Inc Usage Type\tFixed Line ISP",
        "dnvrco-pub-iedge-vip.email.rr.com \tspectrum.com Denver, Colorado USA",
        "dnscache2b.cdptpa dnvrco-oms2ims-mta-svip-01.email dnvrco-queue04-ac.email dnvrco-ring-a62.email dnvrco-smss-f01-ac.email dnvrco-west-dhcpw-02.",
        "Reverse DNS dnvrco-pub-iedge-vip.email.rr.com",
        "Crypt3.COYL FileHash - SHA256 cb536e2e5eb3b23a74702f80832ab964e7dfe07763300437b5ba581f464a108e",
        "IDS Detections: Suspicious double Server Header Possible Kelihos",
        "IDS Detections: Possible Kelihos Infection Executable Download With Malformed Header",
        "telemetry-incoming.r53-2.services.mozilla.com",
        "https://otx.alienvault.com/indicator/url/http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel",
        "http://www.door.net/ARISBE/arisbe.htm",
        "talk.plesk.com | 4evermusic.pl |  nist.gov | alaska.gov.inbound10.mxlogic.net | publicfiles.fcc.gov",
        "https://cdns.directv.com/resources/js/dtv/framework/plugins/jquery.placeholder.min.js | peri.com.pl"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America",
        "Germany",
        "Hungary",
        "Ukraine",
        "Spain",
        "Brazil",
        "Russian Federation",
        "Moldova, Republic of",
        "Japan",
        "Ireland",
        "Luxembourg",
        "Canada"
      ],
      "malware_families": [
        {
          "id": "TrojanDownloader:Win32/Cutwail",
          "display_name": "TrojanDownloader:Win32/Cutwail",
          "target": "/malware/TrojanDownloader:Win32/Cutwail"
        },
        {
          "id": "Backdoor:Win32/Tofsee",
          "display_name": "Backdoor:Win32/Tofsee",
          "target": "/malware/Backdoor:Win32/Tofsee"
        },
        {
          "id": "Cerber Ransomware",
          "display_name": "Cerber Ransomware",
          "target": null
        },
        {
          "id": "NIDS",
          "display_name": "NIDS",
          "target": null
        },
        {
          "id": "ET",
          "display_name": "ET",
          "target": null
        },
        {
          "id": "Inject3.QGY",
          "display_name": "Inject3.QGY",
          "target": null
        },
        {
          "id": "Kelihos",
          "display_name": "Kelihos",
          "target": null
        },
        {
          "id": "ETPRO",
          "display_name": "ETPRO",
          "target": null
        },
        {
          "id": "NOD32",
          "display_name": "NOD32",
          "target": null
        },
        {
          "id": "VirTool:Win32/Obfuscator",
          "display_name": "VirTool:Win32/Obfuscator",
          "target": "/malware/VirTool:Win32/Obfuscator"
        },
        {
          "id": "Sf:ShellCode-AU\\ [Trj]",
          "display_name": "Sf:ShellCode-AU\\ [Trj]",
          "target": null
        },
        {
          "id": "Trojan:Win32/Glupteba",
          "display_name": "Trojan:Win32/Glupteba",
          "target": "/malware/Trojan:Win32/Glupteba"
        }
      ],
      "attack_ids": [
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1060",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1060 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1119",
          "name": "Automated Collection",
          "display_name": "T1119 - Automated Collection"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1064",
          "name": "Scripting",
          "display_name": "T1064 - Scripting"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1543",
          "name": "Create or Modify System Process",
          "display_name": "T1543 - Create or Modify System Process"
        },
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1023",
          "name": "Shortcut Modification",
          "display_name": "T1023 - Shortcut Modification"
        },
        {
          "id": "T1040",
          "name": "Network Sniffing",
          "display_name": "T1040 - Network Sniffing"
        },
        {
          "id": "T1045",
          "name": "Software Packing",
          "display_name": "T1045 - Software Packing"
        },
        {
          "id": "T1047",
          "name": "Windows Management Instrumentation",
          "display_name": "T1047 - Windows Management Instrumentation"
        },
        {
          "id": "T1053",
          "name": "Scheduled Task/Job",
          "display_name": "T1053 - Scheduled Task/Job"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1204",
          "name": "User Execution",
          "display_name": "T1204 - User Execution"
        },
        {
          "id": "T1106",
          "name": "Native API",
          "display_name": "T1106 - Native API"
        },
        {
          "id": "T1031",
          "name": "Modify Existing Service",
          "display_name": "T1031 - Modify Existing Service"
        },
        {
          "id": "T1089",
          "name": "Disabling Security Tools",
          "display_name": "T1089 - Disabling Security Tools"
        },
        {
          "id": "T1096",
          "name": "NTFS File Attributes",
          "display_name": "T1096 - NTFS File Attributes"
        },
        {
          "id": "T1112",
          "name": "Modify Registry",
          "display_name": "T1112 - Modify Registry"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 37,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "scoreblue",
        "id": "254100",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 2060,
        "hostname": 3067,
        "CIDR": 4,
        "URL": 1300,
        "email": 29,
        "FileHash-MD5": 3181,
        "FileHash-SHA1": 1994,
        "FileHash-SHA256": 3228,
        "CVE": 2,
        "SSLCertFingerprint": 1
      },
      "indicator_count": 14866,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 233,
      "modified_text": "585 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "65536bc6301b7cdf7d04e095",
      "name": "TrojanDownloader:Win32/Cutwail.BS/Win.Trojan.Pushdo-20",
      "description": "backdoor,trojan downloaders, networm, phishing, tracking, spyware, device commands...",
      "modified": "2023-12-14T12:03:15.957000",
      "created": "2023-11-14T12:44:54.422000",
      "tags": [
        "passive dns",
        "urls",
        "t1604023287",
        "scan endpoints",
        "all search",
        "otx octoseek",
        "url http",
        "pulse pulses",
        "http",
        "ip address",
        "ssl certificate",
        "whois record",
        "resolutions",
        "referrer",
        "historical ssl",
        "communicating",
        "threat roundup",
        "whois whois",
        "apple",
        "stopransomware",
        "core",
        "discord",
        "metro",
        "blister",
        "cobalt strike",
        "hacktool",
        "june",
        "name verdict",
        "pattern match",
        "et tor",
        "known tor",
        "misc attack",
        "link",
        "woff2",
        "relayrouter",
        "exit",
        "node traffic",
        "ascii text",
        "date",
        "click",
        "unknown",
        "meta",
        "hybrid",
        "general",
        "local",
        "strings",
        "class",
        "generator",
        "critical",
        "error",
        "execution",
        "malware",
        "network",
        "roblox",
        "united",
        "as13335",
        "a domains",
        "status",
        "aaaa",
        "search",
        "script urls",
        "creation date",
        "showing",
        "pixel",
        "win32",
        "download",
        "t1507537243"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Roblox",
          "display_name": "Roblox",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 29,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "OctoSeek",
        "id": "243548",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 11333,
        "FileHash-MD5": 81,
        "FileHash-SHA1": 74,
        "FileHash-SHA256": 3269,
        "domain": 2748,
        "hostname": 3475,
        "email": 2,
        "CVE": 2
      },
      "indicator_count": 20984,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 224,
      "modified_text": "898 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "65536bdc3676a40633a619be",
      "name": "TrojanDownloader:Win32/Cutwail.BS/Win.Trojan.Pushdo-20",
      "description": "backdoor,trojan downloaders, networm, phishing, tracking, spyware, device commands...",
      "modified": "2023-12-14T12:03:15.957000",
      "created": "2023-11-14T12:45:16.667000",
      "tags": [
        "passive dns",
        "urls",
        "t1604023287",
        "scan endpoints",
        "all search",
        "otx octoseek",
        "url http",
        "pulse pulses",
        "http",
        "ip address",
        "ssl certificate",
        "whois record",
        "resolutions",
        "referrer",
        "historical ssl",
        "communicating",
        "threat roundup",
        "whois whois",
        "apple",
        "stopransomware",
        "core",
        "discord",
        "metro",
        "blister",
        "cobalt strike",
        "hacktool",
        "june",
        "name verdict",
        "pattern match",
        "et tor",
        "known tor",
        "misc attack",
        "link",
        "woff2",
        "relayrouter",
        "exit",
        "node traffic",
        "ascii text",
        "date",
        "click",
        "unknown",
        "meta",
        "hybrid",
        "general",
        "local",
        "strings",
        "class",
        "generator",
        "critical",
        "error",
        "execution",
        "malware",
        "network",
        "roblox",
        "united",
        "as13335",
        "a domains",
        "status",
        "aaaa",
        "search",
        "script urls",
        "creation date",
        "showing",
        "pixel",
        "win32",
        "download",
        "t1507537243"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Roblox",
          "display_name": "Roblox",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 35,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "OctoSeek",
        "id": "243548",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 11333,
        "FileHash-MD5": 81,
        "FileHash-SHA1": 74,
        "FileHash-SHA256": 3269,
        "domain": 2748,
        "hostname": 3475,
        "email": 2,
        "CVE": 2
      },
      "indicator_count": 20984,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 224,
      "modified_text": "898 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "65568d67bd96e06ab44b9b95",
      "name": "TrojanDownloader:Win32/Cutwail.BS/Win.Trojan.Pushdo-20",
      "description": "",
      "modified": "2023-12-14T12:03:15.957000",
      "created": "2023-11-16T21:45:11.721000",
      "tags": [
        "passive dns",
        "urls",
        "t1604023287",
        "scan endpoints",
        "all search",
        "otx octoseek",
        "url http",
        "pulse pulses",
        "http",
        "ip address",
        "ssl certificate",
        "whois record",
        "resolutions",
        "referrer",
        "historical ssl",
        "communicating",
        "threat roundup",
        "whois whois",
        "apple",
        "stopransomware",
        "core",
        "discord",
        "metro",
        "blister",
        "cobalt strike",
        "hacktool",
        "june",
        "name verdict",
        "pattern match",
        "et tor",
        "known tor",
        "misc attack",
        "link",
        "woff2",
        "relayrouter",
        "exit",
        "node traffic",
        "ascii text",
        "date",
        "click",
        "unknown",
        "meta",
        "hybrid",
        "general",
        "local",
        "strings",
        "class",
        "generator",
        "critical",
        "error",
        "execution",
        "malware",
        "network",
        "roblox",
        "united",
        "as13335",
        "a domains",
        "status",
        "aaaa",
        "search",
        "script urls",
        "creation date",
        "showing",
        "pixel",
        "win32",
        "download",
        "t1507537243"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Roblox",
          "display_name": "Roblox",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": "65536bdc3676a40633a619be",
      "export_count": 25,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "scoreblue",
        "id": "254100",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 11333,
        "FileHash-MD5": 81,
        "FileHash-SHA1": 74,
        "FileHash-SHA256": 3269,
        "domain": 2748,
        "hostname": 3475,
        "email": 2,
        "CVE": 2
      },
      "indicator_count": 20984,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 228,
      "modified_text": "898 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6552d60aae6e1b3c22455088",
      "name": "Hive 0065",
      "description": "Hive 0065\nURL: https://applemusic-spotlight.myunidays.com/US/en-US?\n\nHive 0065\nHostname: applemusic-spotlight.myunidays.com",
      "modified": "2023-12-13T16:00:45.799000",
      "created": "2023-11-14T02:06:02.329000",
      "tags": [
        "united",
        "as8075",
        "creation date",
        "unknown",
        "search",
        "entries",
        "asnone country",
        "scan endpoints",
        "all search",
        "otx octoseek",
        "related domains",
        "show",
        "domain related",
        "xbox",
        "whois record",
        "contacted",
        "whois whois",
        "ssl certificate",
        "communicating",
        "referrer",
        "execution",
        "historical ssl",
        "bundled",
        "family",
        "lolkek",
        "formbook",
        "skynet",
        "lockbit",
        "ursnif",
        "attack",
        "core"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 29,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "OctoSeek",
        "id": "243548",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 4276,
        "email": 3,
        "hostname": 2288,
        "FileHash-MD5": 51,
        "FileHash-SHA1": 49,
        "FileHash-SHA256": 2756,
        "URL": 8696,
        "CVE": 1
      },
      "indicator_count": 18120,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 226,
      "modified_text": "899 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6552d6f5f56d2e9cd9e18a30",
      "name": "Lolkek \u2022 FormBook \u2022 Lokbit \u2022 Skynet",
      "description": "Hive 0065\nURL: https://applemusic-spotlight.myunidays.com/US/en-US?\n\nHive 0065\nHostname: applemusic-spotlight.myunidays.com",
      "modified": "2023-12-13T16:00:45.799000",
      "created": "2023-11-14T02:09:57.370000",
      "tags": [
        "united",
        "as8075",
        "creation date",
        "unknown",
        "search",
        "entries",
        "asnone country",
        "scan endpoints",
        "all search",
        "otx octoseek",
        "related domains",
        "show",
        "domain related",
        "xbox",
        "whois record",
        "contacted",
        "whois whois",
        "ssl certificate",
        "communicating",
        "referrer",
        "execution",
        "historical ssl",
        "bundled",
        "family",
        "lolkek",
        "formbook",
        "skynet",
        "lockbit",
        "ursnif",
        "attack",
        "core"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 29,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "OctoSeek",
        "id": "243548",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 4276,
        "email": 3,
        "hostname": 2288,
        "FileHash-MD5": 51,
        "FileHash-SHA1": 49,
        "FileHash-SHA256": 2756,
        "URL": 8696,
        "CVE": 1
      },
      "indicator_count": 18120,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 225,
      "modified_text": "899 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "srcaccess.net",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "srcaccess.net",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780224452.0124676
}