{ "type": "Domain", "indicator": "umpdev.com.au", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/umpdev.com.au", "alexa": "http://www.alexa.com/siteinfo/umpdev.com.au", "indicator": "umpdev.com.au", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4148153078, "indicator": "umpdev.com.au", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 4, "pulses": [ { "id": "69ded8198b25581a09b90824", "name": "BearShare \u2022 Solarwinds? \u2022 SearchSuite \u2022 Healthcare Administration", "description": "", "modified": "2026-04-15T00:13:13.981000", "created": "2026-04-15T00:13:13.981000", "tags": [ "Win32/SearchSuite", "pe32", "intel", "ms windows", "ms visual", "win32 dynamic", "link library", "win16 ne", "pe32 installer", "install system", "compiler", "NSIS", "code signing", "serial number", "db d2", "de d3", "f3 e1", "issuer thawte", "primary root", "ca valid", "valid", "valid usage", "client auth", "algorithm", "rticon english", "type type", "chi2", "ico rtgroupicon", "english us", "capa", "c2 antianalysis", "executable", "sample appears", "installer", "installers well", "results may", "be misleading", "or incomplete", "analyze created", "techniques", "info modify", "files", "modify registry", "directory permi", "techniques none", "info", "scripting inte", "shared modules", "Bear Share", "urls", "ip address", "asn as8075", "united", "flag united", "name servers", "name domain", "org apple", "infinite loop", "city cupertino", "country us", "dnssec", "urlmailto", "urlhttps", "search", "urlhttp", "moved", "title", "encrypt", "certificate", "segoe ui", "otx logo", "url analysis", "tokyo", "msie", "chrome", "gmt content", "all ipv4", "zeppelin", "trojandropper", "cookie", "backdoor", "hash avast", "avg clamav", "msdefender feb", "k oct", "k may", "mtb feb", "mtb jan", "k aug", "windows nt", "dynamicloader", "unknown", "medium", "default", "as16509", "show", "powershell", "write", "xserver", "bearshar data", "passive dns", "pulse submit", "port", "destination", "high", "displayname", "windows", "win64", "tofsee", "stream", "malware", "push", "next", "asnone", "germany as8560", "russia as198610", "strings", "is__elf", "systembc_linux_variant", "khtml", "gecko", "acceptencoding", "get na", "macintosh", "intel mac", "accept", "france as16276", "yara detections", "contacted", "all filehash", "sha256", "pulse pulses", "av detections", "ids detections", "alerts", "analysis date", "tls sni", "less see", "all ip", "Apple", "xordata", "United States" ], "references": [ "b9e4e47c3f96846c30581c08acf5bc56.virus", "BearShare Install File Version 12.0.0.135802", "Musiclab, LLC", "msoid.applemanic.com \u2022 msoid.giftcardapple.shop \u2022 msoid.appleportconsulting.com", "gateway.fe.apple-dns.net \u2022 apple-dns.net", "africa.konnect.com", "http://scratch-mit-edu.027.cloudns.asia/users/alessandrito123", "euw-serp-dev-testing19.duck.ai", "account-apple.com", "Win.Trojan.Tofsee-7102058-0 , Backdoor:Win32/Tofsee.T", "IDS Detections Win32/Tofsee.AX google.com connectivity check Observed Telegram Domain (t .me in TLS SNI)", "Yara Detections: Tofsee", "Alerts: behavior_tofsee creates_largekey injection_write_exe_process network_bind", "Alerts: persistence_autorun persistence_autorun_tasks procmem_yara static_pe_anomaly", "Alerts: suricata_alert antivm_generic_services physical_drive_access deletes_executed_files", "Alerts: deletes_self injection_runpe persistence_ads suspicious_command_tools", "Alerts: anomalous_deletefile antisandbox_sleep dead_connect dynamic_function_loading", "IP\u2019s Contacted: 47.43.26.4 195.35.13.119 149.154.167.99 185.138.56.214 142.250.147.26 81.88.48.101", "IP\u2019s Contacted: 104.21.72.117 172.66.156.195 157.240.200.174 141.193.213.20", "Domains Contacted: microsoft.com microsoft-com.mail.protection.outlook.com vanaheim.cn yahoo.com mta6.am0.yahoodns.net 13.205.167.198.dnsbl.sorbs.net 13.205.167.198.bl.spamcop.net 13.205.167.198.zen.spamhaus.org 13.205.167.198.sbl-xbl.spamhaus.org 13.205.167.198.cbl.abuseat.org", "https://perigon-one.au.itglue.com/password_shared_links/52f082d3-d889-4db5-ae03-c7bfcbe5aa21", "https://identity.prd-cdc.jemena.com.au/pages/jemena-reset-password", "https://in2it.itglue.com/password_shared_links/9b0e2a1d-b554-4f0c-a333-390e41defe8e", "https://oauth2.admin.p4d-1.p4d.aks.lightops.cloud.slb-ds.com/lightops-auth/callback&response_type=code&scope=openid+email+profile&state=uJZE80MW6TdJQjbI0RWXhnF3SpYZXckLkfafnEHgr_I:", "https://oauth2.admin.p4d-1.p4d.aks.lightops.cloud.slb-ds.com/lightops-auth/callback", "ids-apple.com \u2022 itunes.org", "xn--cloud-4sa.com", "http://cab.applemarketingtools.com", "http://console.applemarketingtools.com/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Spain", "France", "United Kingdom of Great Britain and Northern Ireland", "Netherlands", "Japan", "Switzerland", "Madagascar", "Finland", "Germany", "Russian Federation" ], "malware_families": [ { "id": "Win32/SearchSuite", "display_name": "Win32/SearchSuite", "target": null }, { "id": "Win32.Application.BearShare.A", "display_name": "Win32.Application.BearShare.A", "target": null }, { "id": "Exploit:Win32/CVE-2017-0147", "display_name": "Exploit:Win32/CVE-2017-0147", "target": "/malware/Exploit:Win32/CVE-2017-0147" }, { "id": "CVE-2023-22518", "display_name": "CVE-2023-22518", "target": null }, { "id": "Win.Packed.Bandook-9882274-1", "display_name": "Win.Packed.Bandook-9882274-1", "target": null }, { "id": "Win.Trojan.Tofsee-7102058-0", "display_name": "Win.Trojan.Tofsee-7102058-0", "target": null }, { "id": "Backdoor:Win32/Tofsee.T", "display_name": "Backdoor:Win32/Tofsee.T", "target": "/malware/Backdoor:Win32/Tofsee.T" }, { "id": "TrojanDownloader:Win32/Cutwail", "display_name": "TrojanDownloader:Win32/Cutwail", "target": "/malware/TrojanDownloader:Win32/Cutwail" } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [ "Government", "Healthcare", "Technology" ], "TLP": "green", "cloned_from": "69dab27a0493e0e80a0f35cd", "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 138, "FileHash-SHA1": 119, "FileHash-SHA256": 3553, "IPv4": 633, "CVE": 2, "URL": 6134, "domain": 2439, "hostname": 2271, "email": 9, "SSLCertFingerprint": 2 }, "indicator_count": 15300, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "4 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69db05f833d3d6d2231fb201", "name": "CREDIT: Q.Vashti's research: SearchSuite \u2022 Healthcare Administration CREATED 6 HOURS AGO by Q.Vashti", "description": "", "modified": "2026-04-12T02:39:52.993000", "created": "2026-04-12T02:39:52.993000", "tags": [ "Win32/SearchSuite", "pe32", "intel", "ms windows", "ms visual", "win32 dynamic", "link library", "win16 ne", "pe32 installer", "install system", "compiler", "NSIS", "code signing", "serial number", "db d2", "de d3", "f3 e1", "issuer thawte", "primary root", "ca valid", "valid", "valid usage", "client auth", "algorithm", "rticon english", "type type", "chi2", "ico rtgroupicon", "english us", "capa", "c2 antianalysis", "executable", "sample appears", "installer", "installers well", "results may", "be misleading", "or incomplete", "analyze created", "techniques", "info modify", "files", "modify registry", "directory permi", "techniques none", "info", "scripting inte", "shared modules", "Bear Share", "urls", "ip address", "asn as8075", "united", "flag united", "name servers", "name domain", "org apple", "infinite loop", "city cupertino", "country us", "dnssec", "urlmailto", "urlhttps", "search", "urlhttp", "moved", "title", "encrypt", "certificate", "segoe ui", "otx logo", "url analysis", "tokyo", "msie", "chrome", "gmt content", "all ipv4", "zeppelin", "trojandropper", "cookie", "backdoor", "hash avast", "avg clamav", "msdefender feb", "k oct", "k may", "mtb feb", "mtb jan", "k aug", "windows nt", "dynamicloader", "unknown", "medium", "default", "as16509", "show", "powershell", "write", "xserver", "bearshar data", "passive dns", "pulse submit", "port", "destination", "high", "displayname", "windows", "win64", "tofsee", "stream", "malware", "push", "next", "asnone", "germany as8560", "russia as198610", "strings", "is__elf", "systembc_linux_variant", "khtml", "gecko", "acceptencoding", "get na", "macintosh", "intel mac", "accept", "france as16276", "yara detections", "contacted", "all filehash", "sha256", "pulse pulses", "av detections", "ids detections", "alerts", "analysis date", "tls sni", "less see", "all ip", "Apple", "xordata", "United States" ], "references": [ "b9e4e47c3f96846c30581c08acf5bc56.virus", "BearShare Install File Version 12.0.0.135802", "Musiclab, LLC", "msoid.applemanic.com \u2022 msoid.giftcardapple.shop \u2022 msoid.appleportconsulting.com", "gateway.fe.apple-dns.net \u2022 apple-dns.net", "africa.konnect.com", "http://scratch-mit-edu.027.cloudns.asia/users/alessandrito123", "euw-serp-dev-testing19.duck.ai", "account-apple.com", "Win.Trojan.Tofsee-7102058-0 , Backdoor:Win32/Tofsee.T", "IDS Detections Win32/Tofsee.AX google.com connectivity check Observed Telegram Domain (t .me in TLS SNI)", "Yara Detections: Tofsee", "Alerts: behavior_tofsee creates_largekey injection_write_exe_process network_bind", "Alerts: persistence_autorun persistence_autorun_tasks procmem_yara static_pe_anomaly", "Alerts: suricata_alert antivm_generic_services physical_drive_access deletes_executed_files", "Alerts: deletes_self injection_runpe persistence_ads suspicious_command_tools", "Alerts: anomalous_deletefile antisandbox_sleep dead_connect dynamic_function_loading", "IP\u2019s Contacted: 47.43.26.4 195.35.13.119 149.154.167.99 185.138.56.214 142.250.147.26 81.88.48.101", "IP\u2019s Contacted: 104.21.72.117 172.66.156.195 157.240.200.174 141.193.213.20", "Domains Contacted: microsoft.com microsoft-com.mail.protection.outlook.com vanaheim.cn yahoo.com mta6.am0.yahoodns.net 13.205.167.198.dnsbl.sorbs.net 13.205.167.198.bl.spamcop.net 13.205.167.198.zen.spamhaus.org 13.205.167.198.sbl-xbl.spamhaus.org 13.205.167.198.cbl.abuseat.org", "https://perigon-one.au.itglue.com/password_shared_links/52f082d3-d889-4db5-ae03-c7bfcbe5aa21", "https://identity.prd-cdc.jemena.com.au/pages/jemena-reset-password", "https://in2it.itglue.com/password_shared_links/9b0e2a1d-b554-4f0c-a333-390e41defe8e", "https://oauth2.admin.p4d-1.p4d.aks.lightops.cloud.slb-ds.com/lightops-auth/callback&response_type=code&scope=openid+email+profile&state=uJZE80MW6TdJQjbI0RWXhnF3SpYZXckLkfafnEHgr_I:", "https://oauth2.admin.p4d-1.p4d.aks.lightops.cloud.slb-ds.com/lightops-auth/callback", "ids-apple.com \u2022 itunes.org", "xn--cloud-4sa.com", "http://cab.applemarketingtools.com", "http://console.applemarketingtools.com/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Spain", "France", "United Kingdom of Great Britain and Northern Ireland", "Netherlands", "Japan", "Switzerland", "Madagascar", "Finland", "Germany", "Russian Federation" ], "malware_families": [ { "id": "Win32/SearchSuite", "display_name": "Win32/SearchSuite", "target": null }, { "id": "Win32.Application.BearShare.A", "display_name": "Win32.Application.BearShare.A", "target": null }, { "id": "Exploit:Win32/CVE-2017-0147", "display_name": "Exploit:Win32/CVE-2017-0147", "target": "/malware/Exploit:Win32/CVE-2017-0147" }, { "id": "CVE-2023-22518", "display_name": "CVE-2023-22518", "target": null }, { "id": "Win.Packed.Bandook-9882274-1", "display_name": "Win.Packed.Bandook-9882274-1", "target": null }, { "id": "Win.Trojan.Tofsee-7102058-0", "display_name": "Win.Trojan.Tofsee-7102058-0", "target": null }, { "id": "Backdoor:Win32/Tofsee.T", "display_name": "Backdoor:Win32/Tofsee.T", "target": "/malware/Backdoor:Win32/Tofsee.T" }, { "id": "TrojanDownloader:Win32/Cutwail", "display_name": "TrojanDownloader:Win32/Cutwail", "target": "/malware/TrojanDownloader:Win32/Cutwail" } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [ "Government", "Healthcare", "Technology" ], "TLP": "green", "cloned_from": "69dab27a0493e0e80a0f35cd", "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 138, "FileHash-SHA1": 119, "FileHash-SHA256": 3553, "IPv4": 633, "CVE": 2, "URL": 6134, "domain": 2439, "hostname": 2271, "email": 9, "SSLCertFingerprint": 2 }, "indicator_count": 15300, "is_author": false, "is_subscribing": null, "subscriber_count": 49, "modified_text": "7 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69dab27a0493e0e80a0f35cd", "name": "SearchSuite \u2022 Healthcare Administration", "description": "Embedded in communication between a healthcare system and a client. \n\nThis is just one of countless internal issues causing a gap in communication, malicious adware, spyware, system sweeps, injection, system modification, downloads , call failures.", "modified": "2026-04-11T20:43:38.695000", "created": "2026-04-11T20:43:38.695000", "tags": [ "Win32/SearchSuite", "pe32", "intel", "ms windows", "ms visual", "win32 dynamic", "link library", "win16 ne", "pe32 installer", "install system", "compiler", "NSIS", "code signing", "serial number", "db d2", "de d3", "f3 e1", "issuer thawte", "primary root", "ca valid", "valid", "valid usage", "client auth", "algorithm", "rticon english", "type type", "chi2", "ico rtgroupicon", "english us", "capa", "c2 antianalysis", "executable", "sample appears", "installer", "installers well", "results may", "be misleading", "or incomplete", "analyze created", "techniques", "info modify", "files", "modify registry", "directory permi", "techniques none", "info", "scripting inte", "shared modules", "Bear Share", "urls", "ip address", "asn as8075", "united", "flag united", "name servers", "name domain", "org apple", "infinite loop", "city cupertino", "country us", "dnssec", "urlmailto", "urlhttps", "search", "urlhttp", "moved", "title", "encrypt", "certificate", "segoe ui", "otx logo", "url analysis", "tokyo", "msie", "chrome", "gmt content", "all ipv4", "zeppelin", "trojandropper", "cookie", "backdoor", "hash avast", "avg clamav", "msdefender feb", "k oct", "k may", "mtb feb", "mtb jan", "k aug", "windows nt", "dynamicloader", "unknown", "medium", "default", "as16509", "show", "powershell", "write", "xserver", "bearshar data", "passive dns", "pulse submit", "port", "destination", "high", "displayname", "windows", "win64", "tofsee", "stream", "malware", "push", "next", "asnone", "germany as8560", "russia as198610", "strings", "is__elf", "systembc_linux_variant", "khtml", "gecko", "acceptencoding", "get na", "macintosh", "intel mac", "accept", "france as16276", "yara detections", "contacted", "all filehash", "sha256", "pulse pulses", "av detections", "ids detections", "alerts", "analysis date", "tls sni", "less see", "all ip", "Apple", "xordata", "United States" ], "references": [ "b9e4e47c3f96846c30581c08acf5bc56.virus", "BearShare Install File Version 12.0.0.135802", "Musiclab, LLC", "msoid.applemanic.com \u2022 msoid.giftcardapple.shop \u2022 msoid.appleportconsulting.com", "gateway.fe.apple-dns.net \u2022 apple-dns.net", "africa.konnect.com", "http://scratch-mit-edu.027.cloudns.asia/users/alessandrito123", "euw-serp-dev-testing19.duck.ai", "account-apple.com", "Win.Trojan.Tofsee-7102058-0 , Backdoor:Win32/Tofsee.T", "IDS Detections Win32/Tofsee.AX google.com connectivity check Observed Telegram Domain (t .me in TLS SNI)", "Yara Detections: Tofsee", "Alerts: behavior_tofsee creates_largekey injection_write_exe_process network_bind", "Alerts: persistence_autorun persistence_autorun_tasks procmem_yara static_pe_anomaly", "Alerts: suricata_alert antivm_generic_services physical_drive_access deletes_executed_files", "Alerts: deletes_self injection_runpe persistence_ads suspicious_command_tools", "Alerts: anomalous_deletefile antisandbox_sleep dead_connect dynamic_function_loading", "IP\u2019s Contacted: 47.43.26.4 195.35.13.119 149.154.167.99 185.138.56.214 142.250.147.26 81.88.48.101", "IP\u2019s Contacted: 104.21.72.117 172.66.156.195 157.240.200.174 141.193.213.20", "Domains Contacted: microsoft.com microsoft-com.mail.protection.outlook.com vanaheim.cn yahoo.com mta6.am0.yahoodns.net 13.205.167.198.dnsbl.sorbs.net 13.205.167.198.bl.spamcop.net 13.205.167.198.zen.spamhaus.org 13.205.167.198.sbl-xbl.spamhaus.org 13.205.167.198.cbl.abuseat.org", "https://perigon-one.au.itglue.com/password_shared_links/52f082d3-d889-4db5-ae03-c7bfcbe5aa21", "https://identity.prd-cdc.jemena.com.au/pages/jemena-reset-password", "https://in2it.itglue.com/password_shared_links/9b0e2a1d-b554-4f0c-a333-390e41defe8e", "https://oauth2.admin.p4d-1.p4d.aks.lightops.cloud.slb-ds.com/lightops-auth/callback&response_type=code&scope=openid+email+profile&state=uJZE80MW6TdJQjbI0RWXhnF3SpYZXckLkfafnEHgr_I:", "https://oauth2.admin.p4d-1.p4d.aks.lightops.cloud.slb-ds.com/lightops-auth/callback", "ids-apple.com \u2022 itunes.org", "xn--cloud-4sa.com", "http://cab.applemarketingtools.com", "http://console.applemarketingtools.com/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Spain", "France", "United Kingdom of Great Britain and Northern Ireland", "Netherlands", "Japan", "Switzerland", "Madagascar", "Finland", "Germany", "Russian Federation" ], "malware_families": [ { "id": "Win32/SearchSuite", "display_name": "Win32/SearchSuite", "target": null }, { "id": "Win32.Application.BearShare.A", "display_name": "Win32.Application.BearShare.A", "target": null }, { "id": "Exploit:Win32/CVE-2017-0147", "display_name": "Exploit:Win32/CVE-2017-0147", "target": "/malware/Exploit:Win32/CVE-2017-0147" }, { "id": "CVE-2023-22518", "display_name": "CVE-2023-22518", "target": null }, { "id": "Win.Packed.Bandook-9882274-1", "display_name": "Win.Packed.Bandook-9882274-1", "target": null }, { "id": "Win.Trojan.Tofsee-7102058-0", "display_name": "Win.Trojan.Tofsee-7102058-0", "target": null }, { "id": "Backdoor:Win32/Tofsee.T", "display_name": "Backdoor:Win32/Tofsee.T", "target": "/malware/Backdoor:Win32/Tofsee.T" }, { "id": "TrojanDownloader:Win32/Cutwail", "display_name": "TrojanDownloader:Win32/Cutwail", "target": "/malware/TrojanDownloader:Win32/Cutwail" } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [ "Government", "Healthcare", "Technology" ], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 138, "FileHash-SHA1": 119, "FileHash-SHA256": 3553, "IPv4": 633, "CVE": 2, "URL": 6134, "domain": 2439, "hostname": 2271, "email": 9, "SSLCertFingerprint": 2 }, "indicator_count": 15300, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "8 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "691439014fa9d79406a83e8e", "name": "Mirai Botnet \u2022 Michael Crincoli - | Patient Fusion", "description": "I researched this doctor because of patient documentation of unethical practices , injury , blood toxicity and other very strange circumstances experienced by a monitored target. \nMD is based in Arizona, comes to Denver for certain cases. There weren\u2019t any follow ups or return calls after serious side affects that needed aggressive intervention.", "modified": "2025-12-12T05:04:18.490000", "created": "2025-11-12T07:36:33.673000", "tags": [ "practice fusion", "patient fusion", "ave suite", "denver", "help log", "physical", "medicine", "book", "friday", "united", "present aug", "present nov", "present oct", "present sep", "present jul", "present jun", "ip address", "url analysis", "msie", "chrome", "formbook cnc", "checkin", "win64", "next associated", "smokeloader", "twitter", "cookie", "ipv4", "hosting", "suite", "verdict", "present may", "domain add", "files show", "avast avg", "post", "http traffic", "high", "south korea", "taiwan as3462", "python", "agent", "malware", "russia asnone", "czechia as51420", "italy as47217", "belgium as5432", "serbia as15958", "germany as34011", "contacted", "file score", "detections elf", "eseries device", "rce attempt", "outbound python", "user agent", "p2p_cnc", "network_http_post", "network_http", "network_cnc_http", "dead_host", "network_icmp", "osquery_detection", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "spawns", "defense evasion", "t1480 execution", "signing defense", "tcp syn", "resolverror", "yara detections", "expl", "ddos", "icmp traffic", "copy", "mirai", "writes_to_stdout", "nolookup_communication", "tcp_syn_scan", "network_icmp", "host", "network_irc", "crincoli", "md", "mirai botnet", "brian sabey", "hall render", "michael crincoli", "palantir", "foundry" ], "references": [ "https://www.patientfusion.com/doctor/michael-crincoli-59108", "demos.palantirfoundry.com", "http://southwestphysiatry.com/", "IDS Detections: Linksys E-Series Device RCE Attempt Outbound", "IDS Detections: Python Requests Suspicious User Agent", "IDS Detections: HTTP traffic on port 443 (POST)", "IDS Detections : Mirai Variant Spreading", "Yara Detections : Mirai_Botnet_Malware , Mirai_2 , is__elf , Linux_Mirai", "Yara: Descriptive: Mirai_Botnet_Malware /dev/misc/watchdog \u2022 Mirai_2 /dev/watchdog", "Yara Descriptive: \u2022 is__elf \u007fELF \u2022 Linux_Mirai /dev/watchdog", "http://www.hallrender.com/attorney/brian-sabey/anyxxxtube.net/search-porn/tsara-brashears", "http://www.hallrender.com/attorney/brian-sabey-anyxxxtube.net/search-porn/tsara-brashears", "click.marketing.hallrender.com \u2022 hallrender.com \u2022 autodiscover.hallrender.com", "https://click.marketing.hallrender.com/?qs=9f3b0a760973d5628ba046a192f7fe432889bb96dc51578763a9cf11358dcde635e137184c12a031617f00faa9d172d8", "hallrender.com \u2022 wwdancehall.com \u2022 hallplan.vm05.iveins.de\t \u2022 iveins.de \u2022 http://hallplan.vm05.iveins.de", "prosperhall.edsby.com \u2022 http://urlmail.hallrender.com \u2022 http://urlwww.hallrender.com \u2022 http://webdocs.hallrender.com", "http://elite.hallrender.com/TE_3E_PROD/web/ui/dashboard/ActionList_CCC", "https://hallrender.com/attorney/brian-sabey/Accept \u2022 https://hallrender.com/wp-content/uploads/vcards/", "http://hallrender.com/attorney/bsabey \u2022 http://hallrender.com/attorney/gregg-m-wallander", "http://hallrender.com/attorney/gregg-m-wallander/\u2022 http://hallrender.com/resources/ \u2022 http://hallrender.com/resources/blog/ \u2022 http://officemarketing.hallrender.com/ \u2022 http://urlmail.hallrender.com \u2022 http://urlwww.hallrender.com \u2022 http://webdocs.hallrender.com/", "The Hall Render Brian Sabey malicious media campaign was so unexpected.", "MD refused to disclose medication cocktail he was injecting into patient. Patient suffered long term harm." ], "public": 1, "adversary": "", "targeted_countries": [ "Italy", "Netherlands", "Russian Federation", "Belgium", "Germany", "Serbia", "United States of America" ], "malware_families": [ { "id": "Unix.Trojan.Gafgyt-6748839-0", "display_name": "Unix.Trojan.Gafgyt-6748839-0", "target": null }, { "id": "ELF:Hajime-R\\ [Trj]", "display_name": "ELF:Hajime-R\\ [Trj]", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Mirai Variant Spreading", "display_name": "Mirai Variant Spreading", "target": null }, { "id": "DDoS:Linux/Gafgyt", "display_name": "DDoS:Linux/Gafgyt", "target": "/malware/DDoS:Linux/Gafgyt" } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1564.005", "name": "Hidden File System", "display_name": "T1564.005 - Hidden File System" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5572, "domain": 788, "hostname": 1607, "email": 6, "FileHash-SHA256": 505, "FileHash-MD5": 132, "FileHash-SHA1": 128, "CVE": 2 }, "indicator_count": 8740, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "128 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "IP\u2019s Contacted: 47.43.26.4 195.35.13.119 149.154.167.99 185.138.56.214 142.250.147.26 81.88.48.101", "hallrender.com \u2022 wwdancehall.com \u2022 hallplan.vm05.iveins.de\t \u2022 iveins.de \u2022 http://hallplan.vm05.iveins.de", "gateway.fe.apple-dns.net \u2022 apple-dns.net", "http://www.hallrender.com/attorney/brian-sabey/anyxxxtube.net/search-porn/tsara-brashears", "xn--cloud-4sa.com", "http://southwestphysiatry.com/", "Domains Contacted: microsoft.com microsoft-com.mail.protection.outlook.com vanaheim.cn yahoo.com mta6.am0.yahoodns.net 13.205.167.198.dnsbl.sorbs.net 13.205.167.198.bl.spamcop.net 13.205.167.198.zen.spamhaus.org 13.205.167.198.sbl-xbl.spamhaus.org 13.205.167.198.cbl.abuseat.org", "https://in2it.itglue.com/password_shared_links/9b0e2a1d-b554-4f0c-a333-390e41defe8e", "click.marketing.hallrender.com \u2022 hallrender.com \u2022 autodiscover.hallrender.com", "Yara Detections : Mirai_Botnet_Malware , Mirai_2 , is__elf , Linux_Mirai", "Alerts: deletes_self injection_runpe persistence_ads suspicious_command_tools", "https://www.patientfusion.com/doctor/michael-crincoli-59108", "MD refused to disclose medication cocktail he was injecting into patient. Patient suffered long term harm.", "Alerts: anomalous_deletefile antisandbox_sleep dead_connect dynamic_function_loading", "Yara Descriptive: \u2022 is__elf \u007fELF \u2022 Linux_Mirai /dev/watchdog", "IDS Detections: Python Requests Suspicious User Agent", "Alerts: behavior_tofsee creates_largekey injection_write_exe_process network_bind", "https://perigon-one.au.itglue.com/password_shared_links/52f082d3-d889-4db5-ae03-c7bfcbe5aa21", "ids-apple.com \u2022 itunes.org", "prosperhall.edsby.com \u2022 http://urlmail.hallrender.com \u2022 http://urlwww.hallrender.com \u2022 http://webdocs.hallrender.com", "http://cab.applemarketingtools.com", "Yara Detections: Tofsee", "demos.palantirfoundry.com", "Musiclab, LLC", "http://hallrender.com/attorney/gregg-m-wallander/\u2022 http://hallrender.com/resources/ \u2022 http://hallrender.com/resources/blog/ \u2022 http://officemarketing.hallrender.com/ \u2022 http://urlmail.hallrender.com \u2022 http://urlwww.hallrender.com \u2022 http://webdocs.hallrender.com/", "IP\u2019s Contacted: 104.21.72.117 172.66.156.195 157.240.200.174 141.193.213.20", "http://elite.hallrender.com/TE_3E_PROD/web/ui/dashboard/ActionList_CCC", "https://oauth2.admin.p4d-1.p4d.aks.lightops.cloud.slb-ds.com/lightops-auth/callback&response_type=code&scope=openid+email+profile&state=uJZE80MW6TdJQjbI0RWXhnF3SpYZXckLkfafnEHgr_I:", "msoid.applemanic.com \u2022 msoid.giftcardapple.shop \u2022 msoid.appleportconsulting.com", "IDS Detections Win32/Tofsee.AX google.com connectivity check Observed Telegram Domain (t .me in TLS SNI)", "https://oauth2.admin.p4d-1.p4d.aks.lightops.cloud.slb-ds.com/lightops-auth/callback", "Yara: Descriptive: Mirai_Botnet_Malware /dev/misc/watchdog \u2022 Mirai_2 /dev/watchdog", "BearShare Install File Version 12.0.0.135802", "IDS Detections : Mirai Variant Spreading", "IDS Detections: HTTP traffic on port 443 (POST)", "Alerts: suricata_alert antivm_generic_services physical_drive_access deletes_executed_files", "b9e4e47c3f96846c30581c08acf5bc56.virus", "http://scratch-mit-edu.027.cloudns.asia/users/alessandrito123", "https://identity.prd-cdc.jemena.com.au/pages/jemena-reset-password", "http://www.hallrender.com/attorney/brian-sabey-anyxxxtube.net/search-porn/tsara-brashears", "https://click.marketing.hallrender.com/?qs=9f3b0a760973d5628ba046a192f7fe432889bb96dc51578763a9cf11358dcde635e137184c12a031617f00faa9d172d8", "The Hall Render Brian Sabey malicious media campaign was so unexpected.", "https://hallrender.com/attorney/brian-sabey/Accept \u2022 https://hallrender.com/wp-content/uploads/vcards/", "account-apple.com", "euw-serp-dev-testing19.duck.ai", "Alerts: persistence_autorun persistence_autorun_tasks procmem_yara static_pe_anomaly", "http://hallrender.com/attorney/bsabey \u2022 http://hallrender.com/attorney/gregg-m-wallander", "http://console.applemarketingtools.com/", "IDS Detections: Linksys E-Series Device RCE Attempt Outbound", "africa.konnect.com", "Win.Trojan.Tofsee-7102058-0 , Backdoor:Win32/Tofsee.T" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [], "malware_families": [ "Trojandownloader:win32/cutwail", "Win32.application.bearshare.a", "Backdoor:win32/tofsee.t", "Ddos:linux/gafgyt", "Mirai variant spreading", "Exploit:win32/cve-2017-0147", "Cve-2023-22518", "Elf:hajime-r\\ [trj]", "Win.packed.bandook-9882274-1", "Mirai", "Unix.trojan.gafgyt-6748839-0", "Win32/searchsuite", "Win.trojan.tofsee-7102058-0" ], "industries": [ "Technology", "Healthcare", "Government" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 4, "pulses": [ { "id": "69ded8198b25581a09b90824", "name": "BearShare \u2022 Solarwinds? \u2022 SearchSuite \u2022 Healthcare Administration", "description": "", "modified": "2026-04-15T00:13:13.981000", "created": "2026-04-15T00:13:13.981000", "tags": [ "Win32/SearchSuite", "pe32", "intel", "ms windows", "ms visual", "win32 dynamic", "link library", "win16 ne", "pe32 installer", "install system", "compiler", "NSIS", "code signing", "serial number", "db d2", "de d3", "f3 e1", "issuer thawte", "primary root", "ca valid", "valid", "valid usage", "client auth", "algorithm", "rticon english", "type type", "chi2", "ico rtgroupicon", "english us", "capa", "c2 antianalysis", "executable", "sample appears", "installer", "installers well", "results may", "be misleading", "or incomplete", "analyze created", "techniques", "info modify", "files", "modify registry", "directory permi", "techniques none", "info", "scripting inte", "shared modules", "Bear Share", "urls", "ip address", "asn as8075", "united", "flag united", "name servers", "name domain", "org apple", "infinite loop", "city cupertino", "country us", "dnssec", "urlmailto", "urlhttps", "search", "urlhttp", "moved", "title", "encrypt", "certificate", "segoe ui", "otx logo", "url analysis", "tokyo", "msie", "chrome", "gmt content", "all ipv4", "zeppelin", "trojandropper", "cookie", "backdoor", "hash avast", "avg clamav", "msdefender feb", "k oct", "k may", "mtb feb", "mtb jan", "k aug", "windows nt", "dynamicloader", "unknown", "medium", "default", "as16509", "show", "powershell", "write", "xserver", "bearshar data", "passive dns", "pulse submit", "port", "destination", "high", "displayname", "windows", "win64", "tofsee", "stream", "malware", "push", "next", "asnone", "germany as8560", "russia as198610", "strings", "is__elf", "systembc_linux_variant", "khtml", "gecko", "acceptencoding", "get na", "macintosh", "intel mac", "accept", "france as16276", "yara detections", "contacted", "all filehash", "sha256", "pulse pulses", "av detections", "ids detections", "alerts", "analysis date", "tls sni", "less see", "all ip", "Apple", "xordata", "United States" ], "references": [ "b9e4e47c3f96846c30581c08acf5bc56.virus", "BearShare Install File Version 12.0.0.135802", "Musiclab, LLC", "msoid.applemanic.com \u2022 msoid.giftcardapple.shop \u2022 msoid.appleportconsulting.com", "gateway.fe.apple-dns.net \u2022 apple-dns.net", "africa.konnect.com", "http://scratch-mit-edu.027.cloudns.asia/users/alessandrito123", "euw-serp-dev-testing19.duck.ai", "account-apple.com", "Win.Trojan.Tofsee-7102058-0 , Backdoor:Win32/Tofsee.T", "IDS Detections Win32/Tofsee.AX google.com connectivity check Observed Telegram Domain (t .me in TLS SNI)", "Yara Detections: Tofsee", "Alerts: behavior_tofsee creates_largekey injection_write_exe_process network_bind", "Alerts: persistence_autorun persistence_autorun_tasks procmem_yara static_pe_anomaly", "Alerts: suricata_alert antivm_generic_services physical_drive_access deletes_executed_files", "Alerts: deletes_self injection_runpe persistence_ads suspicious_command_tools", "Alerts: anomalous_deletefile antisandbox_sleep dead_connect dynamic_function_loading", "IP\u2019s Contacted: 47.43.26.4 195.35.13.119 149.154.167.99 185.138.56.214 142.250.147.26 81.88.48.101", "IP\u2019s Contacted: 104.21.72.117 172.66.156.195 157.240.200.174 141.193.213.20", "Domains Contacted: microsoft.com microsoft-com.mail.protection.outlook.com vanaheim.cn yahoo.com mta6.am0.yahoodns.net 13.205.167.198.dnsbl.sorbs.net 13.205.167.198.bl.spamcop.net 13.205.167.198.zen.spamhaus.org 13.205.167.198.sbl-xbl.spamhaus.org 13.205.167.198.cbl.abuseat.org", "https://perigon-one.au.itglue.com/password_shared_links/52f082d3-d889-4db5-ae03-c7bfcbe5aa21", "https://identity.prd-cdc.jemena.com.au/pages/jemena-reset-password", "https://in2it.itglue.com/password_shared_links/9b0e2a1d-b554-4f0c-a333-390e41defe8e", "https://oauth2.admin.p4d-1.p4d.aks.lightops.cloud.slb-ds.com/lightops-auth/callback&response_type=code&scope=openid+email+profile&state=uJZE80MW6TdJQjbI0RWXhnF3SpYZXckLkfafnEHgr_I:", "https://oauth2.admin.p4d-1.p4d.aks.lightops.cloud.slb-ds.com/lightops-auth/callback", "ids-apple.com \u2022 itunes.org", "xn--cloud-4sa.com", "http://cab.applemarketingtools.com", "http://console.applemarketingtools.com/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Spain", "France", "United Kingdom of Great Britain and Northern Ireland", "Netherlands", "Japan", "Switzerland", "Madagascar", "Finland", "Germany", "Russian Federation" ], "malware_families": [ { "id": "Win32/SearchSuite", "display_name": "Win32/SearchSuite", "target": null }, { "id": "Win32.Application.BearShare.A", "display_name": "Win32.Application.BearShare.A", "target": null }, { "id": "Exploit:Win32/CVE-2017-0147", "display_name": "Exploit:Win32/CVE-2017-0147", "target": "/malware/Exploit:Win32/CVE-2017-0147" }, { "id": "CVE-2023-22518", "display_name": "CVE-2023-22518", "target": null }, { "id": "Win.Packed.Bandook-9882274-1", "display_name": "Win.Packed.Bandook-9882274-1", "target": null }, { "id": "Win.Trojan.Tofsee-7102058-0", "display_name": "Win.Trojan.Tofsee-7102058-0", "target": null }, { "id": "Backdoor:Win32/Tofsee.T", "display_name": "Backdoor:Win32/Tofsee.T", "target": "/malware/Backdoor:Win32/Tofsee.T" }, { "id": "TrojanDownloader:Win32/Cutwail", "display_name": "TrojanDownloader:Win32/Cutwail", "target": "/malware/TrojanDownloader:Win32/Cutwail" } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [ "Government", "Healthcare", "Technology" ], "TLP": "green", "cloned_from": "69dab27a0493e0e80a0f35cd", "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 138, "FileHash-SHA1": 119, "FileHash-SHA256": 3553, "IPv4": 633, "CVE": 2, "URL": 6134, "domain": 2439, "hostname": 2271, "email": 9, "SSLCertFingerprint": 2 }, "indicator_count": 15300, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "4 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69db05f833d3d6d2231fb201", "name": "CREDIT: Q.Vashti's research: SearchSuite \u2022 Healthcare Administration CREATED 6 HOURS AGO by Q.Vashti", "description": "", "modified": "2026-04-12T02:39:52.993000", "created": "2026-04-12T02:39:52.993000", "tags": [ "Win32/SearchSuite", "pe32", "intel", "ms windows", "ms visual", "win32 dynamic", "link library", "win16 ne", "pe32 installer", "install system", "compiler", "NSIS", "code signing", "serial number", "db d2", "de d3", "f3 e1", "issuer thawte", "primary root", "ca valid", "valid", "valid usage", "client auth", "algorithm", "rticon english", "type type", "chi2", "ico rtgroupicon", "english us", "capa", "c2 antianalysis", "executable", "sample appears", "installer", "installers well", "results may", "be misleading", "or incomplete", "analyze created", "techniques", "info modify", "files", "modify registry", "directory permi", "techniques none", "info", "scripting inte", "shared modules", "Bear Share", "urls", "ip address", "asn as8075", "united", "flag united", "name servers", "name domain", "org apple", "infinite loop", "city cupertino", "country us", "dnssec", "urlmailto", "urlhttps", "search", "urlhttp", "moved", "title", "encrypt", "certificate", "segoe ui", "otx logo", "url analysis", "tokyo", "msie", "chrome", "gmt content", "all ipv4", "zeppelin", "trojandropper", "cookie", "backdoor", "hash avast", "avg clamav", "msdefender feb", "k oct", "k may", "mtb feb", "mtb jan", "k aug", "windows nt", "dynamicloader", "unknown", "medium", "default", "as16509", "show", "powershell", "write", "xserver", "bearshar data", "passive dns", "pulse submit", "port", "destination", "high", "displayname", "windows", "win64", "tofsee", "stream", "malware", "push", "next", "asnone", "germany as8560", "russia as198610", "strings", "is__elf", "systembc_linux_variant", "khtml", "gecko", "acceptencoding", "get na", "macintosh", "intel mac", "accept", "france as16276", "yara detections", "contacted", "all filehash", "sha256", "pulse pulses", "av detections", "ids detections", "alerts", "analysis date", "tls sni", "less see", "all ip", "Apple", "xordata", "United States" ], "references": [ "b9e4e47c3f96846c30581c08acf5bc56.virus", "BearShare Install File Version 12.0.0.135802", "Musiclab, LLC", "msoid.applemanic.com \u2022 msoid.giftcardapple.shop \u2022 msoid.appleportconsulting.com", "gateway.fe.apple-dns.net \u2022 apple-dns.net", "africa.konnect.com", "http://scratch-mit-edu.027.cloudns.asia/users/alessandrito123", "euw-serp-dev-testing19.duck.ai", "account-apple.com", "Win.Trojan.Tofsee-7102058-0 , Backdoor:Win32/Tofsee.T", "IDS Detections Win32/Tofsee.AX google.com connectivity check Observed Telegram Domain (t .me in TLS SNI)", "Yara Detections: Tofsee", "Alerts: behavior_tofsee creates_largekey injection_write_exe_process network_bind", "Alerts: persistence_autorun persistence_autorun_tasks procmem_yara static_pe_anomaly", "Alerts: suricata_alert antivm_generic_services physical_drive_access deletes_executed_files", "Alerts: deletes_self injection_runpe persistence_ads suspicious_command_tools", "Alerts: anomalous_deletefile antisandbox_sleep dead_connect dynamic_function_loading", "IP\u2019s Contacted: 47.43.26.4 195.35.13.119 149.154.167.99 185.138.56.214 142.250.147.26 81.88.48.101", "IP\u2019s Contacted: 104.21.72.117 172.66.156.195 157.240.200.174 141.193.213.20", "Domains Contacted: microsoft.com microsoft-com.mail.protection.outlook.com vanaheim.cn yahoo.com mta6.am0.yahoodns.net 13.205.167.198.dnsbl.sorbs.net 13.205.167.198.bl.spamcop.net 13.205.167.198.zen.spamhaus.org 13.205.167.198.sbl-xbl.spamhaus.org 13.205.167.198.cbl.abuseat.org", "https://perigon-one.au.itglue.com/password_shared_links/52f082d3-d889-4db5-ae03-c7bfcbe5aa21", "https://identity.prd-cdc.jemena.com.au/pages/jemena-reset-password", "https://in2it.itglue.com/password_shared_links/9b0e2a1d-b554-4f0c-a333-390e41defe8e", "https://oauth2.admin.p4d-1.p4d.aks.lightops.cloud.slb-ds.com/lightops-auth/callback&response_type=code&scope=openid+email+profile&state=uJZE80MW6TdJQjbI0RWXhnF3SpYZXckLkfafnEHgr_I:", "https://oauth2.admin.p4d-1.p4d.aks.lightops.cloud.slb-ds.com/lightops-auth/callback", "ids-apple.com \u2022 itunes.org", "xn--cloud-4sa.com", "http://cab.applemarketingtools.com", "http://console.applemarketingtools.com/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Spain", "France", "United Kingdom of Great Britain and Northern Ireland", "Netherlands", "Japan", "Switzerland", "Madagascar", "Finland", "Germany", "Russian Federation" ], "malware_families": [ { "id": "Win32/SearchSuite", "display_name": "Win32/SearchSuite", "target": null }, { "id": "Win32.Application.BearShare.A", "display_name": "Win32.Application.BearShare.A", "target": null }, { "id": "Exploit:Win32/CVE-2017-0147", "display_name": "Exploit:Win32/CVE-2017-0147", "target": "/malware/Exploit:Win32/CVE-2017-0147" }, { "id": "CVE-2023-22518", "display_name": "CVE-2023-22518", "target": null }, { "id": "Win.Packed.Bandook-9882274-1", "display_name": "Win.Packed.Bandook-9882274-1", "target": null }, { "id": "Win.Trojan.Tofsee-7102058-0", "display_name": "Win.Trojan.Tofsee-7102058-0", "target": null }, { "id": "Backdoor:Win32/Tofsee.T", "display_name": "Backdoor:Win32/Tofsee.T", "target": "/malware/Backdoor:Win32/Tofsee.T" }, { "id": "TrojanDownloader:Win32/Cutwail", "display_name": "TrojanDownloader:Win32/Cutwail", "target": "/malware/TrojanDownloader:Win32/Cutwail" } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [ "Government", "Healthcare", "Technology" ], "TLP": "green", "cloned_from": "69dab27a0493e0e80a0f35cd", "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 138, "FileHash-SHA1": 119, "FileHash-SHA256": 3553, "IPv4": 633, "CVE": 2, "URL": 6134, "domain": 2439, "hostname": 2271, "email": 9, "SSLCertFingerprint": 2 }, "indicator_count": 15300, "is_author": false, "is_subscribing": null, "subscriber_count": 49, "modified_text": "7 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69dab27a0493e0e80a0f35cd", "name": "SearchSuite \u2022 Healthcare Administration", "description": "Embedded in communication between a healthcare system and a client. \n\nThis is just one of countless internal issues causing a gap in communication, malicious adware, spyware, system sweeps, injection, system modification, downloads , call failures.", "modified": "2026-04-11T20:43:38.695000", "created": "2026-04-11T20:43:38.695000", "tags": [ "Win32/SearchSuite", "pe32", "intel", "ms windows", "ms visual", "win32 dynamic", "link library", "win16 ne", "pe32 installer", "install system", "compiler", "NSIS", "code signing", "serial number", "db d2", "de d3", "f3 e1", "issuer thawte", "primary root", "ca valid", "valid", "valid usage", "client auth", "algorithm", "rticon english", "type type", "chi2", "ico rtgroupicon", "english us", "capa", "c2 antianalysis", "executable", "sample appears", "installer", "installers well", "results may", "be misleading", "or incomplete", "analyze created", "techniques", "info modify", "files", "modify registry", "directory permi", "techniques none", "info", "scripting inte", "shared modules", "Bear Share", "urls", "ip address", "asn as8075", "united", "flag united", "name servers", "name domain", "org apple", "infinite loop", "city cupertino", "country us", "dnssec", "urlmailto", "urlhttps", "search", "urlhttp", "moved", "title", "encrypt", "certificate", "segoe ui", "otx logo", "url analysis", "tokyo", "msie", "chrome", "gmt content", "all ipv4", "zeppelin", "trojandropper", "cookie", "backdoor", "hash avast", "avg clamav", "msdefender feb", "k oct", "k may", "mtb feb", "mtb jan", "k aug", "windows nt", "dynamicloader", "unknown", "medium", "default", "as16509", "show", "powershell", "write", "xserver", "bearshar data", "passive dns", "pulse submit", "port", "destination", "high", "displayname", "windows", "win64", "tofsee", "stream", "malware", "push", "next", "asnone", "germany as8560", "russia as198610", "strings", "is__elf", "systembc_linux_variant", "khtml", "gecko", "acceptencoding", "get na", "macintosh", "intel mac", "accept", "france as16276", "yara detections", "contacted", "all filehash", "sha256", "pulse pulses", "av detections", "ids detections", "alerts", "analysis date", "tls sni", "less see", "all ip", "Apple", "xordata", "United States" ], "references": [ "b9e4e47c3f96846c30581c08acf5bc56.virus", "BearShare Install File Version 12.0.0.135802", "Musiclab, LLC", "msoid.applemanic.com \u2022 msoid.giftcardapple.shop \u2022 msoid.appleportconsulting.com", "gateway.fe.apple-dns.net \u2022 apple-dns.net", "africa.konnect.com", "http://scratch-mit-edu.027.cloudns.asia/users/alessandrito123", "euw-serp-dev-testing19.duck.ai", "account-apple.com", "Win.Trojan.Tofsee-7102058-0 , Backdoor:Win32/Tofsee.T", "IDS Detections Win32/Tofsee.AX google.com connectivity check Observed Telegram Domain (t .me in TLS SNI)", "Yara Detections: Tofsee", "Alerts: behavior_tofsee creates_largekey injection_write_exe_process network_bind", "Alerts: persistence_autorun persistence_autorun_tasks procmem_yara static_pe_anomaly", "Alerts: suricata_alert antivm_generic_services physical_drive_access deletes_executed_files", "Alerts: deletes_self injection_runpe persistence_ads suspicious_command_tools", "Alerts: anomalous_deletefile antisandbox_sleep dead_connect dynamic_function_loading", "IP\u2019s Contacted: 47.43.26.4 195.35.13.119 149.154.167.99 185.138.56.214 142.250.147.26 81.88.48.101", "IP\u2019s Contacted: 104.21.72.117 172.66.156.195 157.240.200.174 141.193.213.20", "Domains Contacted: microsoft.com microsoft-com.mail.protection.outlook.com vanaheim.cn yahoo.com mta6.am0.yahoodns.net 13.205.167.198.dnsbl.sorbs.net 13.205.167.198.bl.spamcop.net 13.205.167.198.zen.spamhaus.org 13.205.167.198.sbl-xbl.spamhaus.org 13.205.167.198.cbl.abuseat.org", "https://perigon-one.au.itglue.com/password_shared_links/52f082d3-d889-4db5-ae03-c7bfcbe5aa21", "https://identity.prd-cdc.jemena.com.au/pages/jemena-reset-password", "https://in2it.itglue.com/password_shared_links/9b0e2a1d-b554-4f0c-a333-390e41defe8e", "https://oauth2.admin.p4d-1.p4d.aks.lightops.cloud.slb-ds.com/lightops-auth/callback&response_type=code&scope=openid+email+profile&state=uJZE80MW6TdJQjbI0RWXhnF3SpYZXckLkfafnEHgr_I:", "https://oauth2.admin.p4d-1.p4d.aks.lightops.cloud.slb-ds.com/lightops-auth/callback", "ids-apple.com \u2022 itunes.org", "xn--cloud-4sa.com", "http://cab.applemarketingtools.com", "http://console.applemarketingtools.com/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Spain", "France", "United Kingdom of Great Britain and Northern Ireland", "Netherlands", "Japan", "Switzerland", "Madagascar", "Finland", "Germany", "Russian Federation" ], "malware_families": [ { "id": "Win32/SearchSuite", "display_name": "Win32/SearchSuite", "target": null }, { "id": "Win32.Application.BearShare.A", "display_name": "Win32.Application.BearShare.A", "target": null }, { "id": "Exploit:Win32/CVE-2017-0147", "display_name": "Exploit:Win32/CVE-2017-0147", "target": "/malware/Exploit:Win32/CVE-2017-0147" }, { "id": "CVE-2023-22518", "display_name": "CVE-2023-22518", "target": null }, { "id": "Win.Packed.Bandook-9882274-1", "display_name": "Win.Packed.Bandook-9882274-1", "target": null }, { "id": "Win.Trojan.Tofsee-7102058-0", "display_name": "Win.Trojan.Tofsee-7102058-0", "target": null }, { "id": "Backdoor:Win32/Tofsee.T", "display_name": "Backdoor:Win32/Tofsee.T", "target": "/malware/Backdoor:Win32/Tofsee.T" }, { "id": "TrojanDownloader:Win32/Cutwail", "display_name": "TrojanDownloader:Win32/Cutwail", "target": "/malware/TrojanDownloader:Win32/Cutwail" } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1222", "name": "File and Directory Permissions Modification", "display_name": "T1222 - File and Directory Permissions Modification" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [ "Government", "Healthcare", "Technology" ], "TLP": "green", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 138, "FileHash-SHA1": 119, "FileHash-SHA256": 3553, "IPv4": 633, "CVE": 2, "URL": 6134, "domain": 2439, "hostname": 2271, "email": 9, "SSLCertFingerprint": 2 }, "indicator_count": 15300, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "8 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "691439014fa9d79406a83e8e", "name": "Mirai Botnet \u2022 Michael Crincoli - | Patient Fusion", "description": "I researched this doctor because of patient documentation of unethical practices , injury , blood toxicity and other very strange circumstances experienced by a monitored target. \nMD is based in Arizona, comes to Denver for certain cases. There weren\u2019t any follow ups or return calls after serious side affects that needed aggressive intervention.", "modified": "2025-12-12T05:04:18.490000", "created": "2025-11-12T07:36:33.673000", "tags": [ "practice fusion", "patient fusion", "ave suite", "denver", "help log", "physical", "medicine", "book", "friday", "united", "present aug", "present nov", "present oct", "present sep", "present jul", "present jun", "ip address", "url analysis", "msie", "chrome", "formbook cnc", "checkin", "win64", "next associated", "smokeloader", "twitter", "cookie", "ipv4", "hosting", "suite", "verdict", "present may", "domain add", "files show", "avast avg", "post", "http traffic", "high", "south korea", "taiwan as3462", "python", "agent", "malware", "russia asnone", "czechia as51420", "italy as47217", "belgium as5432", "serbia as15958", "germany as34011", "contacted", "file score", "detections elf", "eseries device", "rce attempt", "outbound python", "user agent", "p2p_cnc", "network_http_post", "network_http", "network_cnc_http", "dead_host", "network_icmp", "osquery_detection", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "spawns", "defense evasion", "t1480 execution", "signing defense", "tcp syn", "resolverror", "yara detections", "expl", "ddos", "icmp traffic", "copy", "mirai", "writes_to_stdout", "nolookup_communication", "tcp_syn_scan", "network_icmp", "host", "network_irc", "crincoli", "md", "mirai botnet", "brian sabey", "hall render", "michael crincoli", "palantir", "foundry" ], "references": [ "https://www.patientfusion.com/doctor/michael-crincoli-59108", "demos.palantirfoundry.com", "http://southwestphysiatry.com/", "IDS Detections: Linksys E-Series Device RCE Attempt Outbound", "IDS Detections: Python Requests Suspicious User Agent", "IDS Detections: HTTP traffic on port 443 (POST)", "IDS Detections : Mirai Variant Spreading", "Yara Detections : Mirai_Botnet_Malware , Mirai_2 , is__elf , Linux_Mirai", "Yara: Descriptive: Mirai_Botnet_Malware /dev/misc/watchdog \u2022 Mirai_2 /dev/watchdog", "Yara Descriptive: \u2022 is__elf \u007fELF \u2022 Linux_Mirai /dev/watchdog", "http://www.hallrender.com/attorney/brian-sabey/anyxxxtube.net/search-porn/tsara-brashears", "http://www.hallrender.com/attorney/brian-sabey-anyxxxtube.net/search-porn/tsara-brashears", "click.marketing.hallrender.com \u2022 hallrender.com \u2022 autodiscover.hallrender.com", "https://click.marketing.hallrender.com/?qs=9f3b0a760973d5628ba046a192f7fe432889bb96dc51578763a9cf11358dcde635e137184c12a031617f00faa9d172d8", "hallrender.com \u2022 wwdancehall.com \u2022 hallplan.vm05.iveins.de\t \u2022 iveins.de \u2022 http://hallplan.vm05.iveins.de", "prosperhall.edsby.com \u2022 http://urlmail.hallrender.com \u2022 http://urlwww.hallrender.com \u2022 http://webdocs.hallrender.com", "http://elite.hallrender.com/TE_3E_PROD/web/ui/dashboard/ActionList_CCC", "https://hallrender.com/attorney/brian-sabey/Accept \u2022 https://hallrender.com/wp-content/uploads/vcards/", "http://hallrender.com/attorney/bsabey \u2022 http://hallrender.com/attorney/gregg-m-wallander", "http://hallrender.com/attorney/gregg-m-wallander/\u2022 http://hallrender.com/resources/ \u2022 http://hallrender.com/resources/blog/ \u2022 http://officemarketing.hallrender.com/ \u2022 http://urlmail.hallrender.com \u2022 http://urlwww.hallrender.com \u2022 http://webdocs.hallrender.com/", "The Hall Render Brian Sabey malicious media campaign was so unexpected.", "MD refused to disclose medication cocktail he was injecting into patient. Patient suffered long term harm." ], "public": 1, "adversary": "", "targeted_countries": [ "Italy", "Netherlands", "Russian Federation", "Belgium", "Germany", "Serbia", "United States of America" ], "malware_families": [ { "id": "Unix.Trojan.Gafgyt-6748839-0", "display_name": "Unix.Trojan.Gafgyt-6748839-0", "target": null }, { "id": "ELF:Hajime-R\\ [Trj]", "display_name": "ELF:Hajime-R\\ [Trj]", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null }, { "id": "Mirai Variant Spreading", "display_name": "Mirai Variant Spreading", "target": null }, { "id": "DDoS:Linux/Gafgyt", "display_name": "DDoS:Linux/Gafgyt", "target": "/malware/DDoS:Linux/Gafgyt" } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1564.005", "name": "Hidden File System", "display_name": "T1564.005 - Hidden File System" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5572, "domain": 788, "hostname": 1607, "email": 6, "FileHash-SHA256": 505, "FileHash-MD5": 132, "FileHash-SHA1": 128, "CVE": 2 }, "indicator_count": 8740, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "128 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "umpdev.com.au", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "umpdev.com.au", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1776642444.283859 }