{
  "type": "Domain",
  "indicator": "aws.dev",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/aws.dev",
    "alexa": "http://www.alexa.com/siteinfo/aws.dev",
    "indicator": "aws.dev",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 3217463124,
      "indicator": "aws.dev",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 13,
      "pulses": [
        {
          "id": "69fd98fba834ab33f7cfe50f",
          "name": "Telus Communications (Canadian ISP) clone Disable_Duck - relevant Ip shadows",
          "description": "",
          "modified": "2026-05-08T08:04:11.769000",
          "created": "2026-05-08T08:04:11.769000",
          "tags": [
            "Telus"
          ],
          "references": [
            "https://www.virustotal.com/gui/collection/9220d9375ebb4289fdbc4a7aac232b75a5c1b01e5e27edd965982bc6fe28f0e2/graph",
            "https://www.virustotal.com/gui/collection/9220d9375ebb4289fdbc4a7aac232b75a5c1b01e5e27edd965982bc6fe28f0e2/iocs",
            "https://tria.ge/240428-tjsmrsbf4t",
            "https://www.virustotal.com/graph/embed/ga06a03c71a1848adb8e47517af7d1803f6bc8aa5dd4a480f921a7e9528da34df?theme=dark",
            "https://intelx.io/?s=telus.com",
            "https://lab.dynamite.ai/pcaps/319ab9c1-044c-4791-98b8-a134918cae63",
            "https://lab.dynamite.ai/pcaps/8c720f26-cf1b-4aed-bad5-da87f7f17977",
            "https://lab.dynamite.ai/pcaps/5beb5211-b3ce-4c11-8fa7-44eee039113a",
            "https://www.virustotal.com/graph/embed/ga408d14b97e346d788613eab3a11c80af28a15dda5334f9a93221e82d25545bb?theme=dark",
            "https://urlhaus.abuse.ch/feeds/asn/852/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Canada",
            "United States of America"
          ],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            }
          ],
          "industries": [
            "Government",
            "Technology",
            "Telecommunications",
            "Education"
          ],
          "TLP": "green",
          "cloned_from": "662e72197adff2cced4acab5",
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 283,
            "FileHash-SHA1": 283,
            "FileHash-SHA256": 366,
            "URL": 726,
            "domain": 564,
            "hostname": 523
          },
          "indicator_count": 2745,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 66,
          "modified_text": "24 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69c5b5cccffe6a5e0b756741",
          "name": "Unknown - Tracking",
          "description": "<HOSTNAME:MarkMonitor.comInc, a US-based company, has been added to Pulse.net, according to a report published by the Internet Service Authority (ICann).<pretext",
          "modified": "2026-04-25T23:14:19.460000",
          "created": "2026-03-26T22:40:12.417000",
          "tags": [
            "status",
            "creation date",
            "servers",
            "name servers",
            "pulse submit",
            "url analysis",
            "passive dns",
            "urls",
            "files",
            "ip address",
            "date",
            "whois show",
            "search",
            "record value",
            "emails",
            "name legal",
            "department name",
            "address po",
            "city seattle",
            "country us",
            "united",
            "unknown",
            "hostname",
            "location united",
            "algorithm",
            "key identifier",
            "x509v3 subject",
            "v3 serial",
            "number",
            "cus oamazon",
            "cnamazon rsa",
            "m01 validity",
            "subject public",
            "key info",
            "domain name",
            "domain",
            "expiry date",
            "update date",
            "thumbprint"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 23,
            "email": 10,
            "domain": 188,
            "hostname": 284,
            "URL": 399,
            "FileHash-SHA256": 440,
            "FileHash-SHA1": 55,
            "CVE": 2
          },
          "indicator_count": 1401,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 68,
          "modified_text": "36 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "693cdc5b8ebc10664439c2fb",
          "name": "Project Cicada-.Christopher \u201cBuzz\u201d Ahmann - Freeman Mathis & Gary for The State of Colorado",
          "description": "State of Colorado attackers use  DGA domains set up multiple Law Firms.. Christopher P.  \u2019Buzz\u2019  Ahmann  Is a legal consultant / attorney./ hacker \nWorks for the State of Colorado/ quasi. Is malicious and doesn\u2019t work alone. Continues to target \nState had relative contacted by a fake entity \u2018Goodness Health\u2019\nLeft vague VM for relative message \u201cWe work on the Medicare side of things.\u201d and? \nSocial engineering call , malicious domain. The State of Colorado has been on a relentless pursuit against target. Fully compromised targets relatives brand new phone. Hacked target since 10/2013.\nMultiple cyber and physical attacks carried out  against target and family members.. There are attacks make  to look like accidents or malfunctions. This harmful, silencing behavior is somehow illegal for anyone else.",
          "modified": "2026-02-10T06:05:39.764000",
          "created": "2025-12-13T03:24:11.414000",
          "tags": [
            "colorado state",
            "freeman mathis",
            "history",
            "cyber risk",
            "aspen insureds",
            "gaig insureds",
            "landy insureds",
            "nip group",
            "purm insureds",
            "overview core",
            "united",
            "ip address",
            "present nov",
            "present may",
            "moved",
            "encrypt",
            "unknown",
            "backdoor",
            "passive dns",
            "ransom",
            "checkin",
            "trojandropper",
            "mtb nov",
            "twitter",
            "trojan",
            "data upload",
            "extraction",
            "failed",
            "united states",
            "server response",
            "google safe",
            "results may",
            "lowfi",
            "virtool",
            "mtb alf",
            "mh alf",
            "port",
            "windows nt",
            "destination",
            "msie",
            "khtml",
            "gecko",
            "unknown aaaa",
            "a domains",
            "meta",
            "for privacy",
            "cop supply",
            "urls",
            "as139646 hong",
            "hostname",
            "files",
            "hong kong",
            "domain add",
            "ip related",
            "hash avast",
            "avg clamav",
            "msdefender may",
            "ddos",
            "as13335",
            "ipv4",
            "certificate",
            "hostname add",
            "url analysis",
            "files ip",
            "name strings",
            "category",
            "united states",
            "pulse indicator",
            "address",
            "error",
            "null",
            "object",
            "string",
            "number",
            "google maps",
            "promise",
            "javascript api",
            "dataset",
            "bigint",
            "dark",
            "android",
            "infinity",
            "internal",
            "roboto",
            "trident",
            "void",
            "small",
            "lightrail",
            "false",
            "span",
            "close",
            "light",
            "hybrid",
            "embed",
            "iframe",
            "keygen",
            "this",
            "february",
            "bounce",
            "drop",
            "inside",
            "outside",
            "marker",
            "present dec",
            "pulses otx",
            "aaaa",
            "asnone country",
            "record value",
            "title",
            "pulse pulses",
            "pulses",
            "showing",
            "unknown cname",
            "unknown soa",
            "next associated",
            "ipv4 add",
            "cycbot",
            "extract indic",
            "sneaker bots",
            "proxies data",
            "script script",
            "adult content",
            "nextimage",
            "porn site",
            "div div",
            "platform make",
            "cloudfront x",
            "hio52 p3",
            "unknown ns",
            "pulse submit",
            "title error",
            "reverse dns",
            "status",
            "servers",
            "name servers",
            "vashti hostname",
            "scan endpoints",
            "url http",
            "http",
            "files domain",
            "files related",
            "pulses none",
            "dnssec",
            "sec ch",
            "ch ua",
            "ua full",
            "ua platform",
            "ua bitness",
            "ua arch",
            "version sec",
            "mobile sec",
            "model sec",
            "version list",
            "domain",
            "emails",
            "cookie",
            "url https",
            "show",
            "filehash",
            "urls show",
            "date checked",
            "url hostname",
            "results nov",
            "win32",
            "type",
            "learn",
            "ck id",
            "name tactics",
            "suspicious",
            "informative",
            "command",
            "adversaries",
            "ssl certificate",
            "defense evasion",
            "spawns",
            "flag",
            "llc name",
            "server",
            "markmonitor",
            "name server",
            "windir",
            "openurl c",
            "prefetch2",
            "show technique",
            "mitre att",
            "ck matrix",
            "pattern match",
            "ascii text",
            "sha1",
            "href",
            "show process",
            "file",
            "general",
            "local",
            "path",
            "germany unknown",
            "date",
            "registrar",
            "ip whois",
            "dynamicloader",
            "high",
            "medium",
            "search",
            "displayname",
            "tofsee",
            "win64",
            "write",
            "stream",
            "malware",
            "push",
            "entries",
            "tls handshake",
            "failure",
            "forbidden",
            "tlsv1",
            "april",
            "next",
            "write c",
            "intel",
            "ms windows",
            "sha1 add",
            "av detections",
            "ids detections",
            "yara detections",
            "alerts",
            "analysis date",
            "file score",
            "sha256 add",
            "present jun",
            "present mar",
            "medelln",
            "colombia asn",
            "dns resolutions",
            "address domain",
            "related tags",
            "none google",
            "safe browsing",
            "external",
            "present sep",
            "present aug",
            "as54113",
            "present jul",
            "as8068",
            "gmt content",
            "total",
            "read",
            "delete",
            "top source",
            "quasi",
            "murderers",
            "christopher ahmann",
            "buzz ahmann",
            "wow64",
            "slcc2",
            "media center",
            "labor",
            "employment",
            "cdle",
            "dowc",
            "colorado",
            "workers",
            "coloradoif",
            "independent",
            "state",
            "company",
            "entity type",
            "authorized line",
            "analysis",
            "tor analysis",
            "process details",
            "network traffic",
            "t1071",
            "potential ip",
            "click",
            "found",
            "t1480 execution",
            "bad traffic",
            "et info",
            "ck techniques",
            "evasion att",
            "t1057",
            "refresh",
            "body",
            "strings",
            "tools",
            "look",
            "verify",
            "restart",
            "cname",
            "form",
            "pulse",
            "script domains",
            "script urls",
            "administrator",
            "services llc",
            "dns admin",
            "domain admin",
            "global llc",
            "domain manager",
            "computer system",
            "ltd domain",
            "network",
            "alibaba",
            "facebook",
            "phishme",
            "sogou",
            "present jan",
            "present feb",
            "present oct"
          ],
          "references": [
            "https://www.fmglaw.com/lawyers/christopher-ahmann - found in adult content pulse.",
            "Sneaker Bots Proxies Servers Cook Groups Cop Supply",
            "archive.cop.supply \u2022 dev.cop.supply \u2022 https://cop.supply/ \u2022 https://cop.supply/bot-lists/",
            "https://cop.supply/supreme-bots/\u2022 https://cop.supply/useful-tools/",
            "https://cop.supply/proxies-lists/ \u2022 https://cop.supply/shopify-bots/",
            "dns.army \u2022 www.dcopr.dns.army  \u2022 www.glsyaiwjj.dns.army \u2022  www.wgmvk.dns.army",
            "https://maps.googleapis.com/maps/api/js?sensor=false",
            "cell-0.af-south-1.prod.telemetry.console.api.aws",
            "howtoworkacrickoutofyourneck2.pages.dev",
            "firebase-auth-eich0v.pages.dev",
            "http://ianswertomom.com/develop-wise-woman-within-yourself",
            "http://ianswertomom.com/bible-verses-struggling-contentment-mom/  I",
            "https://i-want-to-start-an-onlyfans.pages.dev/favicon.ico| I bet you do boo boo",
            "makeapornsite.com \u2022 https://pornhighschool.com/ \u2022 https://ethnicerotic.com \u2022 https://twitter.com/Make",
            "https://khmerpornvideo.signup0.y.id/",
            "https://lordseriala.life/6337-zvezdnye-vojny-opornaja-komanda.html",
            "https://clear.ml/infrastructure-control-plane",
            "dev-app.project-cicada.com \u2022 http://dev-app.project-cicada.com \u2022 https://dev-app.project-cicada.com (2014 report predates 2016 reports)",
            "https://amano.inboundtools.com/tpcontact  URL https://armg.inboundtools.com/  URL https://gaiax.inboundtools.com/internship  URL https://hmk.inboundtools.com/  URL https://hmk.inboundtools.com/form/assetview_siryo_sier",
            "https://download.clear.ml/cpython_builds/releases/ \u2022 https://download.clear.",
            "https://links.mail.samsara.com/s/c/P9R6gGlExR4nfCwqwJXUmr7NmKcMNde4ZBhCFprlVtsFNgh-4tuTWla0aXN9rIWCjrWtn0Vln7x-hexxVBlY3xxvnEevR8qJU5G5xV3__wo-X7kkpSOhJVfejac-Xk8qu6zs5Z-tILwWYRkNScZNGlAqfwQuJuRw5M-n_ZKI6tuY5XGCZAqWoQepi1NnJiW4wZJkzZlOwGtNkusbuKDcMsLVrrhji2eKh4kYgrJp_SeycJRhasLFCQ3c2bPu4sahEWpcHZrQBaxvdfQgTEno8kV-RJdTDO0zK5MyWDJLeds7mnaDrxlb0O2zmhebUdlHE0R0xHi25dympBUpMlLsQV8bx1WUTOfgK4k0ci9o_2Gbfe22-jLxsJN-msV6pxWYQMaxRNFd4iZRC9J9Z1SC5MBqbvNzqdt98kFdpibnv_QIHdhFyHOR_Ip_LX67Dncc8V8OvAi-H5phfeSyDzwdzf2FQIi82",
            "https://voidpet.io/invite/scaredscared/1rpzxWXa61 \u2022 https://sex-doggy.net/tag/censored",
            "Everyone has simply asked you alll to stop. Target never asked anyone for money.",
            "Legal court documented  agreement to allow and pay target to hire cyber investigators",
            "Attacks are being carried out by The State of Colorado"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America",
            "Japan",
            "France",
            "Ireland",
            "Spain",
            "Italy",
            "Aruba",
            "Australia",
            "Denmark",
            "United Kingdom of Great Britain and Northern Ireland",
            "Germany",
            "T\u00fcrkiye",
            "Indonesia"
          ],
          "malware_families": [
            {
              "id": "Win.Trojan.GravityRAT-6511862-0",
              "display_name": "Win.Trojan.GravityRAT-6511862-0",
              "target": null
            },
            {
              "id": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat!rfn",
              "display_name": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat!rfn",
              "target": null
            },
            {
              "id": "Unix.Trojan.Tsunami-6981155-0",
              "display_name": "Unix.Trojan.Tsunami-6981155-0",
              "target": null
            },
            {
              "id": "TrojanDropper:Win32/Systex.A",
              "display_name": "TrojanDropper:Win32/Systex.A",
              "target": "/malware/TrojanDropper:Win32/Systex.A"
            },
            {
              "id": "Win.Trojan.Tepfer-61",
              "display_name": "Win.Trojan.Tepfer-61",
              "target": null
            },
            {
              "id": "TrojanDownloader:Win32/CutwailRansom:Win32/Crowti.A",
              "display_name": "TrojanDownloader:Win32/CutwailRansom:Win32/Crowti.A",
              "target": null
            },
            {
              "id": "VirTool:Win32/VBInject.gen!MH",
              "display_name": "VirTool:Win32/VBInject.gen!MH",
              "target": "/malware/VirTool:Win32/VBInject.gen!MH"
            },
            {
              "id": "ALF:NID:Susp_NSIS_Stub.A",
              "display_name": "ALF:NID:Susp_NSIS_Stub.A",
              "target": null
            },
            {
              "id": "#LOWFI:HSTR:Criakl.B1",
              "display_name": "#LOWFI:HSTR:Criakl.B1",
              "target": null
            },
            {
              "id": "Backdoor:Win32/Arwobot.B",
              "display_name": "Backdoor:Win32/Arwobot.B",
              "target": "/malware/Backdoor:Win32/Arwobot.B"
            },
            {
              "id": "Win.Packed.Bandook-9882274-1",
              "display_name": "Win.Packed.Bandook-9882274-1",
              "target": null
            },
            {
              "id": "TrojanDownloader:Win32/Cutwail",
              "display_name": "TrojanDownloader:Win32/Cutwail",
              "target": "/malware/TrojanDownloader:Win32/Cutwail"
            },
            {
              "id": "Win.Downloader.Small-4507",
              "display_name": "Win.Downloader.Small-4507",
              "target": null
            },
            {
              "id": "Trojan:Win32/Qbot.R!MTB",
              "display_name": "Trojan:Win32/Qbot.R!MTB",
              "target": "/malware/Trojan:Win32/Qbot.R!MTB"
            },
            {
              "id": "Win.Malware.Mikey-9949492-0",
              "display_name": "Win.Malware.Mikey-9949492-0",
              "target": null
            },
            {
              "id": "Ransom:Win32/Crowti.A",
              "display_name": "Ransom:Win32/Crowti.A",
              "target": "/malware/Ransom:Win32/Crowti.A"
            },
            {
              "id": "Backdoor:Linux/DemonBot.Aa!MTB",
              "display_name": "Backdoor:Linux/DemonBot.Aa!MTB",
              "target": "/malware/Backdoor:Linux/DemonBot.Aa!MTB"
            },
            {
              "id": "Unix.Trojan.Gafgyt-6981154-0",
              "display_name": "Unix.Trojan.Gafgyt-6981154-0",
              "target": null
            },
            {
              "id": "DDOS:Linux/Gafgyt.YA!MTB",
              "display_name": "DDOS:Linux/Gafgyt.YA!MTB",
              "target": "/malware/DDOS:Linux/Gafgyt.YA!MTB"
            },
            {
              "id": "CVE-2017-11882",
              "display_name": "CVE-2017-11882",
              "target": null
            },
            {
              "id": "ALF:Exploit:O97M/CVE-2017-8977",
              "display_name": "ALF:Exploit:O97M/CVE-2017-8977",
              "target": null
            },
            {
              "id": "Cycbot",
              "display_name": "Cycbot",
              "target": null
            },
            {
              "id": "Win32:BotX-gen\\ [Trj]",
              "display_name": "Win32:BotX-gen\\ [Trj]",
              "target": null
            },
            {
              "id": "NIDS",
              "display_name": "NIDS",
              "target": null
            },
            {
              "id": "Mirai (ELF)",
              "display_name": "Mirai (ELF)",
              "target": null
            },
            {
              "id": "Worm",
              "display_name": "Worm",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1069",
              "name": "Permission Groups Discovery",
              "display_name": "T1069 - Permission Groups Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1480",
              "name": "Execution Guardrails",
              "display_name": "T1480 - Execution Guardrails"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1568",
              "name": "Dynamic Resolution",
              "display_name": "T1568 - Dynamic Resolution"
            },
            {
              "id": "T1583",
              "name": "Acquire Infrastructure",
              "display_name": "T1583 - Acquire Infrastructure"
            },
            {
              "id": "T1590",
              "name": "Gather Victim Network Information",
              "display_name": "T1590 - Gather Victim Network Information"
            },
            {
              "id": "T1204.001",
              "name": "Malicious Link",
              "display_name": "T1204.001 - Malicious Link"
            },
            {
              "id": "T1457",
              "name": "Malicious Media Content",
              "display_name": "T1457 - Malicious Media Content"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1155",
              "name": "AppleScript",
              "display_name": "T1155 - AppleScript"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1045",
              "name": "Software Packing",
              "display_name": "T1045 - Software Packing"
            },
            {
              "id": "T1063",
              "name": "Security Software Discovery",
              "display_name": "T1063 - Security Software Discovery"
            },
            {
              "id": "T1113",
              "name": "Screen Capture",
              "display_name": "T1113 - Screen Capture"
            },
            {
              "id": "T1068",
              "name": "Exploitation for Privilege Escalation",
              "display_name": "T1068 - Exploitation for Privilege Escalation"
            },
            {
              "id": "T1210",
              "name": "Exploitation of Remote Services",
              "display_name": "T1210 - Exploitation of Remote Services"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "TA0037",
              "name": "Command and Control",
              "display_name": "TA0037 - Command and Control"
            },
            {
              "id": "T1031",
              "name": "Modify Existing Service",
              "display_name": "T1031 - Modify Existing Service"
            },
            {
              "id": "T1583.005",
              "name": "Botnet",
              "display_name": "T1583.005 - Botnet"
            },
            {
              "id": "T1176",
              "name": "Browser Extensions",
              "display_name": "T1176 - Browser Extensions"
            },
            {
              "id": "T1185",
              "name": "Man in the Browser",
              "display_name": "T1185 - Man in the Browser"
            },
            {
              "id": "T1574.008",
              "name": "Path Interception by Search Order Hijacking",
              "display_name": "T1574.008 - Path Interception by Search Order Hijacking"
            },
            {
              "id": "T1410",
              "name": "Network Traffic Capture or Redirection",
              "display_name": "T1410 - Network Traffic Capture or Redirection"
            },
            {
              "id": "T1449",
              "name": "Exploit SS7 to Redirect Phone Calls/SMS",
              "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
            },
            {
              "id": "T1593.002",
              "name": "Search Engines",
              "display_name": "T1593.002 - Search Engines"
            }
          ],
          "industries": [
            "Insurance",
            "Construction"
          ],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 8,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 54118,
            "domain": 11153,
            "hostname": 18578,
            "email": 21,
            "FileHash-SHA256": 4905,
            "FileHash-MD5": 548,
            "FileHash-SHA1": 534,
            "CVE": 7,
            "SSLCertFingerprint": 20,
            "CIDR": 1
          },
          "indicator_count": 89885,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 146,
          "modified_text": "111 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6963596c4cd594b77b4675ec",
          "name": "Project Cicada-.Christopher \u201cBuzz\u201d Ahmann - PalantirFoundry | The State of Colorado | ",
          "description": "",
          "modified": "2026-02-10T06:05:39.764000",
          "created": "2026-01-11T08:03:56.534000",
          "tags": [
            "colorado state",
            "freeman mathis",
            "history",
            "cyber risk",
            "aspen insureds",
            "gaig insureds",
            "landy insureds",
            "nip group",
            "purm insureds",
            "overview core",
            "united",
            "ip address",
            "present nov",
            "present may",
            "moved",
            "encrypt",
            "unknown",
            "backdoor",
            "passive dns",
            "ransom",
            "checkin",
            "trojandropper",
            "mtb nov",
            "twitter",
            "trojan",
            "data upload",
            "extraction",
            "failed",
            "united states",
            "server response",
            "google safe",
            "results may",
            "lowfi",
            "virtool",
            "mtb alf",
            "mh alf",
            "port",
            "windows nt",
            "destination",
            "msie",
            "khtml",
            "gecko",
            "unknown aaaa",
            "a domains",
            "meta",
            "for privacy",
            "cop supply",
            "urls",
            "as139646 hong",
            "hostname",
            "files",
            "hong kong",
            "domain add",
            "ip related",
            "hash avast",
            "avg clamav",
            "msdefender may",
            "ddos",
            "as13335",
            "ipv4",
            "certificate",
            "hostname add",
            "url analysis",
            "files ip",
            "name strings",
            "category",
            "united states",
            "pulse indicator",
            "address",
            "error",
            "null",
            "object",
            "string",
            "number",
            "google maps",
            "promise",
            "javascript api",
            "dataset",
            "bigint",
            "dark",
            "android",
            "infinity",
            "internal",
            "roboto",
            "trident",
            "void",
            "small",
            "lightrail",
            "false",
            "span",
            "close",
            "light",
            "hybrid",
            "embed",
            "iframe",
            "keygen",
            "this",
            "february",
            "bounce",
            "drop",
            "inside",
            "outside",
            "marker",
            "present dec",
            "pulses otx",
            "aaaa",
            "asnone country",
            "record value",
            "title",
            "pulse pulses",
            "pulses",
            "showing",
            "unknown cname",
            "unknown soa",
            "next associated",
            "ipv4 add",
            "cycbot",
            "extract indic",
            "sneaker bots",
            "proxies data",
            "script script",
            "adult content",
            "nextimage",
            "porn site",
            "div div",
            "platform make",
            "cloudfront x",
            "hio52 p3",
            "unknown ns",
            "pulse submit",
            "title error",
            "reverse dns",
            "status",
            "servers",
            "name servers",
            "vashti hostname",
            "scan endpoints",
            "url http",
            "http",
            "files domain",
            "files related",
            "pulses none",
            "dnssec",
            "sec ch",
            "ch ua",
            "ua full",
            "ua platform",
            "ua bitness",
            "ua arch",
            "version sec",
            "mobile sec",
            "model sec",
            "version list",
            "domain",
            "emails",
            "cookie",
            "url https",
            "show",
            "filehash",
            "urls show",
            "date checked",
            "url hostname",
            "results nov",
            "win32",
            "type",
            "learn",
            "ck id",
            "name tactics",
            "suspicious",
            "informative",
            "command",
            "adversaries",
            "ssl certificate",
            "defense evasion",
            "spawns",
            "flag",
            "llc name",
            "server",
            "markmonitor",
            "name server",
            "windir",
            "openurl c",
            "prefetch2",
            "show technique",
            "mitre att",
            "ck matrix",
            "pattern match",
            "ascii text",
            "sha1",
            "href",
            "show process",
            "file",
            "general",
            "local",
            "path",
            "germany unknown",
            "date",
            "registrar",
            "ip whois",
            "dynamicloader",
            "high",
            "medium",
            "search",
            "displayname",
            "tofsee",
            "win64",
            "write",
            "stream",
            "malware",
            "push",
            "entries",
            "tls handshake",
            "failure",
            "forbidden",
            "tlsv1",
            "april",
            "next",
            "write c",
            "intel",
            "ms windows",
            "sha1 add",
            "av detections",
            "ids detections",
            "yara detections",
            "alerts",
            "analysis date",
            "file score",
            "sha256 add",
            "present jun",
            "present mar",
            "medelln",
            "colombia asn",
            "dns resolutions",
            "address domain",
            "related tags",
            "none google",
            "safe browsing",
            "external",
            "present sep",
            "present aug",
            "as54113",
            "present jul",
            "as8068",
            "gmt content",
            "total",
            "read",
            "delete",
            "top source",
            "quasi",
            "murderers",
            "christopher ahmann",
            "buzz ahmann",
            "wow64",
            "slcc2",
            "media center",
            "labor",
            "employment",
            "cdle",
            "dowc",
            "colorado",
            "workers",
            "coloradoif",
            "independent",
            "state",
            "company",
            "entity type",
            "authorized line",
            "analysis",
            "tor analysis",
            "process details",
            "network traffic",
            "t1071",
            "potential ip",
            "click",
            "found",
            "t1480 execution",
            "bad traffic",
            "et info",
            "ck techniques",
            "evasion att",
            "t1057",
            "refresh",
            "body",
            "strings",
            "tools",
            "look",
            "verify",
            "restart",
            "cname",
            "form",
            "pulse",
            "script domains",
            "script urls",
            "administrator",
            "services llc",
            "dns admin",
            "domain admin",
            "global llc",
            "domain manager",
            "computer system",
            "ltd domain",
            "network",
            "alibaba",
            "facebook",
            "phishme",
            "sogou",
            "present jan",
            "present feb",
            "present oct"
          ],
          "references": [
            "https://www.fmglaw.com/lawyers/christopher-ahmann - found in adult content pulse.",
            "Sneaker Bots Proxies Servers Cook Groups Cop Supply",
            "archive.cop.supply \u2022 dev.cop.supply \u2022 https://cop.supply/ \u2022 https://cop.supply/bot-lists/",
            "https://cop.supply/supreme-bots/\u2022 https://cop.supply/useful-tools/",
            "https://cop.supply/proxies-lists/ \u2022 https://cop.supply/shopify-bots/",
            "dns.army \u2022 www.dcopr.dns.army  \u2022 www.glsyaiwjj.dns.army \u2022  www.wgmvk.dns.army",
            "https://maps.googleapis.com/maps/api/js?sensor=false",
            "cell-0.af-south-1.prod.telemetry.console.api.aws",
            "howtoworkacrickoutofyourneck2.pages.dev",
            "firebase-auth-eich0v.pages.dev",
            "http://ianswertomom.com/develop-wise-woman-within-yourself",
            "http://ianswertomom.com/bible-verses-struggling-contentment-mom/  I",
            "https://i-want-to-start-an-onlyfans.pages.dev/favicon.ico| I bet you do boo boo",
            "makeapornsite.com \u2022 https://pornhighschool.com/ \u2022 https://ethnicerotic.com \u2022 https://twitter.com/Make",
            "https://khmerpornvideo.signup0.y.id/",
            "https://lordseriala.life/6337-zvezdnye-vojny-opornaja-komanda.html",
            "https://clear.ml/infrastructure-control-plane",
            "dev-app.project-cicada.com \u2022 http://dev-app.project-cicada.com \u2022 https://dev-app.project-cicada.com (2014 report predates 2016 reports)",
            "https://amano.inboundtools.com/tpcontact  URL https://armg.inboundtools.com/  URL https://gaiax.inboundtools.com/internship  URL https://hmk.inboundtools.com/  URL https://hmk.inboundtools.com/form/assetview_siryo_sier",
            "https://download.clear.ml/cpython_builds/releases/ \u2022 https://download.clear.",
            "https://links.mail.samsara.com/s/c/P9R6gGlExR4nfCwqwJXUmr7NmKcMNde4ZBhCFprlVtsFNgh-4tuTWla0aXN9rIWCjrWtn0Vln7x-hexxVBlY3xxvnEevR8qJU5G5xV3__wo-X7kkpSOhJVfejac-Xk8qu6zs5Z-tILwWYRkNScZNGlAqfwQuJuRw5M-n_ZKI6tuY5XGCZAqWoQepi1NnJiW4wZJkzZlOwGtNkusbuKDcMsLVrrhji2eKh4kYgrJp_SeycJRhasLFCQ3c2bPu4sahEWpcHZrQBaxvdfQgTEno8kV-RJdTDO0zK5MyWDJLeds7mnaDrxlb0O2zmhebUdlHE0R0xHi25dympBUpMlLsQV8bx1WUTOfgK4k0ci9o_2Gbfe22-jLxsJN-msV6pxWYQMaxRNFd4iZRC9J9Z1SC5MBqbvNzqdt98kFdpibnv_QIHdhFyHOR_Ip_LX67Dncc8V8OvAi-H5phfeSyDzwdzf2FQIi82",
            "https://voidpet.io/invite/scaredscared/1rpzxWXa61 \u2022 https://sex-doggy.net/tag/censored",
            "Everyone has simply asked you alll to stop. Target never asked anyone for money.",
            "Legal court documented  agreement to allow and pay target to hire cyber investigators",
            "Attacks are being carried out by The State of Colorado"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America",
            "Japan",
            "France",
            "Ireland",
            "Spain",
            "Italy",
            "Aruba",
            "Australia",
            "Denmark",
            "United Kingdom of Great Britain and Northern Ireland",
            "Germany",
            "T\u00fcrkiye",
            "Indonesia"
          ],
          "malware_families": [
            {
              "id": "Win.Trojan.GravityRAT-6511862-0",
              "display_name": "Win.Trojan.GravityRAT-6511862-0",
              "target": null
            },
            {
              "id": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat!rfn",
              "display_name": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat!rfn",
              "target": null
            },
            {
              "id": "Unix.Trojan.Tsunami-6981155-0",
              "display_name": "Unix.Trojan.Tsunami-6981155-0",
              "target": null
            },
            {
              "id": "TrojanDropper:Win32/Systex.A",
              "display_name": "TrojanDropper:Win32/Systex.A",
              "target": "/malware/TrojanDropper:Win32/Systex.A"
            },
            {
              "id": "Win.Trojan.Tepfer-61",
              "display_name": "Win.Trojan.Tepfer-61",
              "target": null
            },
            {
              "id": "TrojanDownloader:Win32/CutwailRansom:Win32/Crowti.A",
              "display_name": "TrojanDownloader:Win32/CutwailRansom:Win32/Crowti.A",
              "target": null
            },
            {
              "id": "VirTool:Win32/VBInject.gen!MH",
              "display_name": "VirTool:Win32/VBInject.gen!MH",
              "target": "/malware/VirTool:Win32/VBInject.gen!MH"
            },
            {
              "id": "ALF:NID:Susp_NSIS_Stub.A",
              "display_name": "ALF:NID:Susp_NSIS_Stub.A",
              "target": null
            },
            {
              "id": "#LOWFI:HSTR:Criakl.B1",
              "display_name": "#LOWFI:HSTR:Criakl.B1",
              "target": null
            },
            {
              "id": "Backdoor:Win32/Arwobot.B",
              "display_name": "Backdoor:Win32/Arwobot.B",
              "target": "/malware/Backdoor:Win32/Arwobot.B"
            },
            {
              "id": "Win.Packed.Bandook-9882274-1",
              "display_name": "Win.Packed.Bandook-9882274-1",
              "target": null
            },
            {
              "id": "TrojanDownloader:Win32/Cutwail",
              "display_name": "TrojanDownloader:Win32/Cutwail",
              "target": "/malware/TrojanDownloader:Win32/Cutwail"
            },
            {
              "id": "Win.Downloader.Small-4507",
              "display_name": "Win.Downloader.Small-4507",
              "target": null
            },
            {
              "id": "Trojan:Win32/Qbot.R!MTB",
              "display_name": "Trojan:Win32/Qbot.R!MTB",
              "target": "/malware/Trojan:Win32/Qbot.R!MTB"
            },
            {
              "id": "Win.Malware.Mikey-9949492-0",
              "display_name": "Win.Malware.Mikey-9949492-0",
              "target": null
            },
            {
              "id": "Ransom:Win32/Crowti.A",
              "display_name": "Ransom:Win32/Crowti.A",
              "target": "/malware/Ransom:Win32/Crowti.A"
            },
            {
              "id": "Backdoor:Linux/DemonBot.Aa!MTB",
              "display_name": "Backdoor:Linux/DemonBot.Aa!MTB",
              "target": "/malware/Backdoor:Linux/DemonBot.Aa!MTB"
            },
            {
              "id": "Unix.Trojan.Gafgyt-6981154-0",
              "display_name": "Unix.Trojan.Gafgyt-6981154-0",
              "target": null
            },
            {
              "id": "DDOS:Linux/Gafgyt.YA!MTB",
              "display_name": "DDOS:Linux/Gafgyt.YA!MTB",
              "target": "/malware/DDOS:Linux/Gafgyt.YA!MTB"
            },
            {
              "id": "CVE-2017-11882",
              "display_name": "CVE-2017-11882",
              "target": null
            },
            {
              "id": "ALF:Exploit:O97M/CVE-2017-8977",
              "display_name": "ALF:Exploit:O97M/CVE-2017-8977",
              "target": null
            },
            {
              "id": "Cycbot",
              "display_name": "Cycbot",
              "target": null
            },
            {
              "id": "Win32:BotX-gen\\ [Trj]",
              "display_name": "Win32:BotX-gen\\ [Trj]",
              "target": null
            },
            {
              "id": "NIDS",
              "display_name": "NIDS",
              "target": null
            },
            {
              "id": "Mirai (ELF)",
              "display_name": "Mirai (ELF)",
              "target": null
            },
            {
              "id": "Worm",
              "display_name": "Worm",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1069",
              "name": "Permission Groups Discovery",
              "display_name": "T1069 - Permission Groups Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1480",
              "name": "Execution Guardrails",
              "display_name": "T1480 - Execution Guardrails"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1568",
              "name": "Dynamic Resolution",
              "display_name": "T1568 - Dynamic Resolution"
            },
            {
              "id": "T1583",
              "name": "Acquire Infrastructure",
              "display_name": "T1583 - Acquire Infrastructure"
            },
            {
              "id": "T1590",
              "name": "Gather Victim Network Information",
              "display_name": "T1590 - Gather Victim Network Information"
            },
            {
              "id": "T1204.001",
              "name": "Malicious Link",
              "display_name": "T1204.001 - Malicious Link"
            },
            {
              "id": "T1457",
              "name": "Malicious Media Content",
              "display_name": "T1457 - Malicious Media Content"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1155",
              "name": "AppleScript",
              "display_name": "T1155 - AppleScript"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1045",
              "name": "Software Packing",
              "display_name": "T1045 - Software Packing"
            },
            {
              "id": "T1063",
              "name": "Security Software Discovery",
              "display_name": "T1063 - Security Software Discovery"
            },
            {
              "id": "T1113",
              "name": "Screen Capture",
              "display_name": "T1113 - Screen Capture"
            },
            {
              "id": "T1068",
              "name": "Exploitation for Privilege Escalation",
              "display_name": "T1068 - Exploitation for Privilege Escalation"
            },
            {
              "id": "T1210",
              "name": "Exploitation of Remote Services",
              "display_name": "T1210 - Exploitation of Remote Services"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "TA0037",
              "name": "Command and Control",
              "display_name": "TA0037 - Command and Control"
            },
            {
              "id": "T1031",
              "name": "Modify Existing Service",
              "display_name": "T1031 - Modify Existing Service"
            },
            {
              "id": "T1583.005",
              "name": "Botnet",
              "display_name": "T1583.005 - Botnet"
            },
            {
              "id": "T1176",
              "name": "Browser Extensions",
              "display_name": "T1176 - Browser Extensions"
            },
            {
              "id": "T1185",
              "name": "Man in the Browser",
              "display_name": "T1185 - Man in the Browser"
            },
            {
              "id": "T1574.008",
              "name": "Path Interception by Search Order Hijacking",
              "display_name": "T1574.008 - Path Interception by Search Order Hijacking"
            },
            {
              "id": "T1410",
              "name": "Network Traffic Capture or Redirection",
              "display_name": "T1410 - Network Traffic Capture or Redirection"
            },
            {
              "id": "T1449",
              "name": "Exploit SS7 to Redirect Phone Calls/SMS",
              "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
            },
            {
              "id": "T1593.002",
              "name": "Search Engines",
              "display_name": "T1593.002 - Search Engines"
            }
          ],
          "industries": [
            "Insurance",
            "Construction"
          ],
          "TLP": "green",
          "cloned_from": "693cdc5b8ebc10664439c2fb",
          "export_count": 14,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 54118,
            "domain": 11153,
            "hostname": 18578,
            "email": 21,
            "FileHash-SHA256": 4905,
            "FileHash-MD5": 548,
            "FileHash-SHA1": 534,
            "CVE": 7,
            "SSLCertFingerprint": 20,
            "CIDR": 1
          },
          "indicator_count": 89885,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 145,
          "modified_text": "111 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "692f23547b713b128b9c8156",
          "name": "Indicator Deletion Attack | Chris P. Ahmann Esq  still utilizes parking crews to execute cyber attacks",
          "description": "Unable to open malware indicators at this time. These attackers use Parking Crews for their exploits, leasing parked  domains for the amount of time needed to execute an attack. The attack last predate me ever using Level Blue. I have to review  indicators reports more closely but, I do see a the multitude of attacks against target TLB and an intersection of attacks concerning Disable_Duck (Alberta) Chris Ahmann , Colorado government indicated. \n\n[OTX auto populated - Adversaries may use techniques to evade detection in their malware or tools, as well as using techniques such as code signing, encryption, and other techniques for avoiding detection and monitoring of their activities.]",
          "modified": "2026-01-01T17:01:48.163000",
          "created": "2025-12-02T17:35:15.203000",
          "tags": [
            "data upload",
            "extraction",
            "failed",
            "learn",
            "ck id",
            "name tactics",
            "suspicious",
            "informative",
            "adversaries",
            "command",
            "defense evasion",
            "spawns",
            "development att",
            "united",
            "flag",
            "poland poland",
            "windir",
            "openurl c",
            "prefetch2",
            "analysis",
            "tor analysis",
            "dns requests",
            "domain address",
            "mitre att",
            "ck matrix",
            "pattern match",
            "ascii text",
            "show process",
            "network traffic",
            "t1057",
            "general",
            "local",
            "path",
            "encrypt",
            "hosts ip",
            "details",
            "ssl certificate",
            "sha256",
            "sha1",
            "size",
            "unicode text",
            "crlf",
            "utf8",
            "lf line",
            "server",
            "command decode",
            "markmonitor",
            "amazon",
            "ltd dba",
            "com laude",
            "organization",
            "click",
            "show technique",
            "brand",
            "microsoft edge",
            "windows nt",
            "win64",
            "khtml",
            "gecko",
            "submitted",
            "prefetch1",
            "name server",
            "misc attack",
            "et tor",
            "known tor",
            "relayrouter",
            "contacted hosts",
            "google",
            "pornhub",
            "ip address",
            "t1480 execution",
            "file defense",
            "passive dns",
            "related nids",
            "urls",
            "files location",
            "flag united"
          ],
          "references": [
            "deploy-delete-app-us-east-2-1.deploy-delete-test-us-east-2-1mtsufd.us-east-2.gamma.forgeapps.ec2.aws.dev",
            "Amazon.com \u2022 Google.com \u2022YouTube.com, Apple.com ,  etc Exploited",
            "cloudendpointsapis.com \u2022 https://www.vgt.pl/style/style.css \u2022 ceidg.gov.pl",
            "pl.wikipedia.org \u2022  fontawesome.io \u2022  opensource.org \u2022 videojet.com",
            "https://discoverreceiver.gurus.vmicrosoft.com/ \u2022 account.live.com \u2022 acctcdn.msauth.net",
            "https://www.milehighmedia.com/legal/2257",
            "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
            "https://twitter.com/PORNO_SEXYBABES",
            "http://www.anyxxxtube.net/search-porn/tsara-brashears",
            "https://wallpapers-nature.com/tsara-brashears/urlscan-io",
            "http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex",
            "http://www.anyxxxtube.net/search-porn/tsara-brashears/",
            "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net \u2022 wallpapers-nature.com",
            "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian \u2022",
            "https://wallpapers-nature.com/ tsara-brashears/urlscan-io",
            "https://wallpapers-nature.com/%20tsara-brashears/urlscan-io",
            "http://aplikacja.ceidg.gov.pl/CEIDG/CEIDG.Public.UI/EntryChangeHistory.Id=7a025cc6",
            "(Delete app that removed YoiTube views) www.youtube.com/watch?v=GyuMozsVyYs",
            "http://watchhers.net/index.php",
            "everesttech.net \u2022 aws.amazon.com \u2022  cm.everesttech.net \u2022 dpm.demdex.net \u2022 s3.amazonaws.com"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "CVE-2023-22518",
              "display_name": "CVE-2023-22518",
              "target": null
            },
            {
              "id": "Other Malware",
              "display_name": "Other Malware",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1069",
              "name": "Permission Groups Discovery",
              "display_name": "T1069 - Permission Groups Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1480",
              "name": "Execution Guardrails",
              "display_name": "T1480 - Execution Guardrails"
            },
            {
              "id": "T1539",
              "name": "Steal Web Session Cookie",
              "display_name": "T1539 - Steal Web Session Cookie"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1568",
              "name": "Dynamic Resolution",
              "display_name": "T1568 - Dynamic Resolution"
            },
            {
              "id": "T1583",
              "name": "Acquire Infrastructure",
              "display_name": "T1583 - Acquire Infrastructure"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 1358,
            "FileHash-MD5": 100,
            "FileHash-SHA1": 102,
            "FileHash-SHA256": 1682,
            "URL": 2497,
            "CVE": 2,
            "domain": 400,
            "SSLCertFingerprint": 6,
            "email": 3
          },
          "indicator_count": 6150,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 142,
          "modified_text": "150 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "68396d9ae8b96e90ff1848d5",
          "name": "AcK-U // unenriched - 05.30.25",
          "description": "Just a quick check",
          "modified": "2025-07-23T20:11:01.749000",
          "created": "2025-05-30T08:34:34.215000",
          "tags": [
            "amazon02",
            "cloudflarenet",
            "amazonaes",
            "fastly",
            "github",
            "google",
            "facebook",
            "namecheapnet",
            "service",
            "cdck",
            "level3",
            "cloud",
            "com laude",
            "ltd dba",
            "namecheap inc",
            "gandi sas",
            "gmbh",
            "cloudflare",
            "namecheap",
            "registrarsafe",
            "ascio",
            "tucows",
            "spaceship",
            "please",
            "javascript",
            "iocs",
            "threat",
            "malware unread",
            "collection",
            "crowdsourced",
            "acku new",
            "share",
            "updated",
            "first ioc",
            "seen",
            "premium",
            "entity"
          ],
          "references": [
            "https://www.virustotal.com/gui/collection/e03439bc07bcb1908764755571e127ec051193d4cc24cf842ec3179557f533cb/iocs",
            "https://www.virustotal.com/graph/embed/g36d8fc13d786418ab1d0a75cc331f0eb5bca28d4a4fe4666a84f23e25fb6600b?theme=dark",
            "https://www.virustotal.com/gui/collection/e03439bc07bcb1908764755571e127ec051193d4cc24cf842ec3179557f533cb/summary",
            "https://report.netcraft.com/submission/iduhE4oNTsMOSAeOeBjzZdIfCLtefF3P - 07.23.25 - see notes on references*"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "United States of America",
            "Canada"
          ],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 15,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 1,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Disable_Duck",
            "id": "244325",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CIDR": 91,
            "domain": 204,
            "hostname": 192,
            "URL": 731,
            "FileHash-SHA256": 27,
            "email": 1
          },
          "indicator_count": 1246,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 131,
          "modified_text": "312 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "684c8fcde05dacb07f1a202e",
          "name": "Payment - Ref Id- H3426584.doc (aws.dev) Emotet",
          "description": "",
          "modified": "2025-07-13T20:04:30.723000",
          "created": "2025-06-13T20:53:33.231000",
          "tags": [
            "learn more",
            "added active",
            "related pulses",
            "emotet",
            "malware",
            "get http",
            "dns resolutions",
            "resolved ips",
            "post http",
            "ua71173394",
            "ip address",
            "status code",
            "body length",
            "kb body",
            "media sharing",
            "known infection source",
            "spyware",
            "real estate",
            "compromised websites",
            "malware sites",
            "huge domains",
            "parking crew",
            "business",
            "malware service",
            "mas",
            "aws",
            "dev",
            "false",
            "error",
            "url https",
            "url http",
            "indicator role",
            "title added",
            "active related",
            "pulses",
            "showing",
            "entries",
            "sha256",
            "ttl value",
            "first",
            "privacy admin",
            "domain status",
            "redacted for",
            "server",
            "admin city",
            "country",
            "organization",
            "postal code",
            "stateprovince",
            "date",
            "key identifier",
            "x509v3 subject",
            "data",
            "v3 serial",
            "number",
            "algorithm",
            "cus olet",
            "encrypt cnr11",
            "validity",
            "subject public",
            "dirtsearch",
            "dns"
          ],
          "references": [
            "Payment - Ref Id- H3426584.doc FileHash SHA256 ed2914efddb8e8f4c89abf95faa32572d35b3cfdfb202266993f6e7624a2048c",
            "The sandbox Zenbox flags this file as: EVADER",
            "The sandbox Dr.Web vxCube flags this file as: MALWARE EXPLOIT",
            "IDS: Matches rule SURICATA STREAM Packet with invalid ack",
            "IDS: Matches rule SURICATA STREAM SHUTDOWN RST invalid ack",
            "YARA: Office_Document_with_VBA_Project from ruleset Office_Document_with_VBA_Project by InQuest Labs",
            "YARA: Microsoft_Office_Documents_Excessive_Variables from ruleset Microsoft_Office_Documents_Excessive_Variables by InQuest Labs",
            "Dr. Web known infection source",
            "Emotet download site = dirt search.org / aws.dev and other related DGA\u2019s (active)",
            "Xcitium Verdict Cloud government & legal -  https://www.dirtsearch.org/data/TSARA/BRASHEARS/",
            "DirtSearch.org | BitDefender business | Forcepoint ThreatSeeker reference materials | Xcitium Verdict Cloud government & legal",
            "Verdict: Defense Law Firm | malicious tools / agitators"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "Doc.Downloader.Emotet-7196349-0",
              "display_name": "Doc.Downloader.Emotet-7196349-0",
              "target": null
            },
            {
              "id": "vb:Trojan.Agent.EEZZ",
              "display_name": "vb:Trojan.Agent.EEZZ",
              "target": null
            },
            {
              "id": "trojan.w97m/emotetdldr",
              "display_name": "trojan.w97m/emotetdldr",
              "target": null
            },
            {
              "id": "Troj/DocDl-SOK",
              "display_name": "Troj/DocDl-SOK",
              "target": null
            },
            {
              "id": "Static AI - Malicious OLE",
              "display_name": "Static AI - Malicious OLE",
              "target": null
            },
            {
              "id": "Trojan.W97M.POWLOAD.SMRV08",
              "display_name": "Trojan.W97M.POWLOAD.SMRV08",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1588.001",
              "name": "Malware",
              "display_name": "T1588.001 - Malware"
            },
            {
              "id": "T1447",
              "name": "Delete Device Data",
              "display_name": "T1447 - Delete Device Data"
            },
            {
              "id": "T1578.003",
              "name": "Delete Cloud Instance",
              "display_name": "T1578.003 - Delete Cloud Instance"
            },
            {
              "id": "T1583.001",
              "name": "Domains",
              "display_name": "T1583.001 - Domains"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1036.004",
              "name": "Masquerade Task or Service",
              "display_name": "T1036.004 - Masquerade Task or Service"
            },
            {
              "id": "T1114.001",
              "name": "Local Email Collection",
              "display_name": "T1114.001 - Local Email Collection"
            },
            {
              "id": "T1110.002",
              "name": "Password Cracking",
              "display_name": "T1110.002 - Password Cracking"
            },
            {
              "id": "T1512",
              "name": "Capture Camera",
              "display_name": "T1512 - Capture Camera"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1204.002",
              "name": "Malicious File",
              "display_name": "T1204.002 - Malicious File"
            },
            {
              "id": "T1457",
              "name": "Malicious Media Content",
              "display_name": "T1457 - Malicious Media Content"
            },
            {
              "id": "T1204.001",
              "name": "Malicious Link",
              "display_name": "T1204.001 - Malicious Link"
            },
            {
              "id": "T1204.003",
              "name": "Malicious Image",
              "display_name": "T1204.003 - Malicious Image"
            },
            {
              "id": "T1071.004",
              "name": "DNS",
              "display_name": "T1071.004 - DNS"
            },
            {
              "id": "T1185",
              "name": "Man in the Browser",
              "display_name": "T1185 - Man in the Browser"
            },
            {
              "id": "T1523",
              "name": "Evade Analysis Environment",
              "display_name": "T1523 - Evade Analysis Environment"
            },
            {
              "id": "T1610",
              "name": "Deploy Container",
              "display_name": "T1610 - Deploy Container"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 29,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 37,
            "FileHash-SHA1": 44,
            "FileHash-SHA256": 117,
            "URL": 47,
            "domain": 41,
            "hostname": 43
          },
          "indicator_count": 329,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 144,
          "modified_text": "322 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "684c792c7a89d98470ecef31",
          "name": "aws.dev - Emotet - Hub for  malicious activity",
          "description": "\u2022 Domain Name: aws.dev |\n\u2022 (DGA) https://www.google.com/search?client=ms-google-coop&q=%22deploy-delete-app-eu-west-1-0.deploy-delete-test-eu-west-1-oigwi9v.us-east-1.forgeapps.ec2.aws.dev%22&cx=003414466004237966221:dgg7iftvryo | \n\u2022 34.226.76.55 |\n\u2022\u2019domains.amazon | \n\u2022 devilspen.com |\n\u2022 aisux.aws.dev |\t\t\n\u2022 alex.aws.dev  |\t\n\u2022 askjarvis.aws.dev |\n\u2022 atrium.aws.dev |\n\u2022 automated-runbooks.aws.dev |\nFalse 404 codes and Error pages - very active malicious behavior",
          "modified": "2025-07-13T18:02:18.648000",
          "created": "2025-06-13T19:17:00.818000",
          "tags": [
            "united",
            "creation date",
            "search",
            "entries",
            "passive dns",
            "urls",
            "showing",
            "pulse pulses",
            "files",
            "domain",
            "dnssec",
            "expiration date",
            "unknown cname",
            "hostname add",
            "date",
            "redacted for",
            "email",
            "code",
            "organization",
            "privacy billing",
            "privacy tech",
            "postal code",
            "privacy admin",
            "com laude",
            "ltd dba",
            "nomiq",
            "limited dba",
            "admin city",
            "country",
            "stateprovince",
            "city",
            "mtb oct",
            "win32",
            "next associated",
            "mtb mar",
            "ipv4 add",
            "trojan",
            "apanas",
            "ransom",
            "body"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 32,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 1111,
            "hostname": 1014,
            "URL": 2554,
            "FileHash-SHA256": 1461,
            "FileHash-MD5": 64,
            "email": 6,
            "FileHash-SHA1": 63
          },
          "indicator_count": 6273,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 144,
          "modified_text": "322 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "66cec16f4b510d325dc923a1",
          "name": "192.70.175.110 - ELF:Hajime-Q _ Mirai Botnet Malware",
          "description": "Private IP 192.70.175.110 | Reverse DNS\ndns1.state.co.us showed Mirai Bonet Malware. Under same IP address is an 'alleged' unknown REGRU-RU Passive DNS ns1.ns2.www.madunixxx.ru with a password compromise \u00bb PSW.Generic12.WIO.  \nIt's unclear if a Frank Muccio Admin of Security Operations doesn't appear to work on premise in Colorado, There is a Frank Di Muccio SGT involved with RallyPoint, , described as a social group for military personal. Rally Point was seen in very early graphs featuring alleged Rallypoint Pornhub Devs, tied to Brian Sabey. I wasn't able to personally verify this employee in Colorado Possibly contracted OIT by state . The link was recently whitelisted.",
          "modified": "2024-09-27T03:03:09.340000",
          "created": "2024-08-28T06:19:27.154000",
          "tags": [
            "as36081 state",
            "location united",
            "america asn",
            "dns resolutions",
            "domains top",
            "level",
            "unique tlds",
            "mirai",
            "united states",
            "united",
            "ave suite",
            "purpose p5",
            "country united",
            "code us",
            "name security",
            "nexus category",
            "phone number",
            "postal code",
            "network",
            "number",
            "country us",
            "continent na",
            "algorithm",
            "data",
            "v3 serial",
            "cus oapple",
            "public ev",
            "server ecc",
            "g1 validity",
            "organization",
            "subject public",
            "rauschenberg",
            "apple computer",
            "applec1z",
            "mitre att",
            "evasion ta0005",
            "hashes",
            "msie",
            "windows nt",
            "wow64",
            "slcc2",
            "media center",
            "response",
            "request",
            "accept",
            "location https",
            "taiwan as3462",
            "south korea",
            "as4766 korea",
            "high",
            "japan as17676",
            "china as45090",
            "http",
            "search",
            "contacted",
            "malware",
            "copy",
            "as41231",
            "united kingdom",
            "status",
            "aaaa",
            "ddos",
            "whitelisted",
            "certificate",
            "moved",
            "trojan",
            "virtool",
            "encrypt",
            "software",
            "initial",
            "passive dns",
            "scan endpoints",
            "all scoreblue",
            "body",
            "a domains",
            "linux ubuntu",
            "creation date",
            "enterprise open",
            "ubuntu",
            "linux",
            "social",
            "window",
            "code",
            "ipv4",
            "urls",
            "files",
            "reverse dns",
            "trojan features",
            "file samples",
            "files matching",
            "date hash",
            "domain",
            "address",
            "name servers",
            "servers",
            "intel",
            "icmp traffic",
            "dead_host",
            "network_icmp",
            "osquery_detection",
            "nolookup_communication",
            "pulse pulses",
            "unknown",
            "as20940",
            "as15169 google",
            "dns show",
            "status hostname",
            "query type",
            "address first",
            "seen last",
            "seen asn",
            "country unknown",
            "province co",
            "error",
            "tr tr",
            "pulse submit",
            "url analysis",
            "hostname",
            "files ip",
            "asnone united",
            "ireland unknown",
            "brazil unknown",
            "next",
            "showing",
            "gmt content",
            "apache cache",
            "pragma",
            "record value",
            "trojanproxy",
            "win32",
            "title",
            "server",
            "alf features",
            "related pulses",
            "show",
            "ip address",
            "asn as16509",
            "china unknown",
            "hichina",
            "hong kong",
            "as133775 xiamen",
            "web server",
            "authentication",
            "tls web",
            "full name",
            "ca issuers",
            "as44273 host",
            "a nxdomain",
            "avast avg",
            "russia unknown",
            "germany unknown",
            "turkey unknown",
            "japan unknown",
            "as16276",
            "france unknown",
            "service",
            "ck ids",
            "t1082",
            "t1129",
            "modules",
            "t1045",
            "packing",
            "t1060",
            "run keys",
            "startup"
          ],
          "references": [
            "IP Private: 192.70.174.110 | Unix.Trojan.Mirai-6976991-0",
            "Unix.Trojan.Mirai-6976991-0  FileHash-SHA256 760a17dea7794ebbfb5c54e7e74d0b53fd9e079e43be0b9b6e3df7eb14a47be9 ELF:Mirai-AHC\\ [Trj]",
            "192.70.175.110 | Mirai | Reverse DNS | State.CO.US | United States of America ASN AS36081 State of Colorado General Government Computer | ns1.ns2.www.madunixxx.ru",
            "Yara: Mirai_Botnet_Malware",
            "ELF:Mirai-AHC\\ [Trj] FileHash-SHA256 a282f250e59f8754335993293bfbfcc154cdb67ff0e234162f40a6cce5c4290c",
            "ELF:Mirai-AHC\\ [Trj] 1.101.117.25 Location: Korea, Republic Korea, Republic of ASN AS4766 Korea Telecom",
            "Admin Email: frank.muccio@state.co.us Admin Id: FRANMUC15 Admin of Security Operations Admin: Nexus Category: C21",
            "FRANMUC15 Phone Number: +1.3037646860 601 E 18th Ave Suite 250 80203 ,CO",
            "Not Resolving | www._courts.state.co.us | https://otx.alienvault.com/indicator/hostname/www._courts.state.co.us",
            "54.239.28.85 | Exploited CVE-2002-0013 Antivirus Detections: Trojan:Win32/FlyStudio Win.Malware.Snojan Win.Trojan.Tofsee [fld8.com unk/0auth]",
            "PSW.Generic12.WIO | [ns1.ns2.www.madunixxx.ru] FileHash-SHA256 84989bfe79becdea44a2290df3f52bfc2363b6c603aa2b7742dcdde5c7cba12a",
            "PSW.Generic12.WIO \u00bb FileHash-SHA256 84989bfe79becdea44a2290df3f52bfc2363b6c603aa2b7742dcdde5c7cba12a | ns1.ns2.www.madunixxx.ru",
            "192.70.175.110 [2016-07-10 10] 197.45.77.34 MADUNIXXX.RU 197.45.85.125 Registrar:REGRU-RU Status\u00bbREGISTERED, DELEGATED, VERIFIED Passive",
            "madunixxx.ru | 192.70.175.110 | AS36081 State of Colorado General Government Computer Name Servers: ns1.madunixxx.ru  Created: Jun 19, 2016",
            "privaterelay.appleid.com | http://certs.apple.com/apevsecc1g1.der | certs.apple.com | http://crl.apple.com/apevsecc1g1.crl | ocsp.apple.com",
            "images.apple.com | crl.apple.com | https://assets.ubuntu.com/v1/17b68252 |  ads-apple.com.cn | networking.apple | ads-apple.apple.com.cn |",
            "ip-geolocation.apple.com | http://ocsp.apple.com/ocsp03-apevsecc1g101 | docs-staging.swift.org | drauschenberg@apple.com | apple-noc@apple.com",
            "Yara Detections Mirai_Botnet_Malware",
            "Detections Executable and linking format (ELF) file download Over HTTP",
            "Yara Detections: UPXProtectorv10x2 , UPX , ELFHighEntropy , elf_empty_sections Alerts: dead_host | ELF:Mirai-AII\\ [Trj]",
            "Detections Executable and linking format (ELF) file download Over HTTP",
            "Frank Muccio - Serco Conroe, Texas, United States \u00b7 Serco 28+ Years of Information Technology (IT) experience. 20+ Years of leadership and\u2026 \u00b7 Experience: Serco \u00b7 Education: University of Maryland University College"
          ],
          "public": 1,
          "adversary": "Frank Di MuccioSGT",
          "targeted_countries": [
            "United States of America"
          ],
          "malware_families": [
            {
              "id": "Mirai",
              "display_name": "Mirai",
              "target": null
            },
            {
              "id": "DDoS:Linux/Lightaidra",
              "display_name": "DDoS:Linux/Lightaidra",
              "target": "/malware/DDoS:Linux/Lightaidra"
            },
            {
              "id": "Trojan:Win32/Skeeyah",
              "display_name": "Trojan:Win32/Skeeyah",
              "target": "/malware/Trojan:Win32/Skeeyah"
            },
            {
              "id": "ALF:Trojan:Win32/FlyStudio.PA!MTB",
              "display_name": "ALF:Trojan:Win32/FlyStudio.PA!MTB",
              "target": null
            },
            {
              "id": "Win.Trojan.Tofsee-6840338-0",
              "display_name": "Win.Trojan.Tofsee-6840338-0",
              "target": null
            },
            {
              "id": "Win.Malware.Snojan-6775202-0",
              "display_name": "Win.Malware.Snojan-6775202-0",
              "target": null
            },
            {
              "id": "#LowFiEnableDTContinueAfterUnpacking",
              "display_name": "#LowFiEnableDTContinueAfterUnpacking",
              "target": null
            },
            {
              "id": "PSW.Generic12.WIO",
              "display_name": "PSW.Generic12.WIO",
              "target": null
            },
            {
              "id": "ELF:Hajime-Q",
              "display_name": "ELF:Hajime-Q",
              "target": null
            },
            {
              "id": "Botnet",
              "display_name": "Botnet",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1045",
              "name": "Software Packing",
              "display_name": "T1045 - Software Packing"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1410",
              "name": "Network Traffic Capture or Redirection",
              "display_name": "T1410 - Network Traffic Capture or Redirection"
            },
            {
              "id": "T1449",
              "name": "Exploit SS7 to Redirect Phone Calls/SMS",
              "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
            },
            {
              "id": "T1498",
              "name": "Network Denial of Service",
              "display_name": "T1498 - Network Denial of Service"
            },
            {
              "id": "T1499",
              "name": "Endpoint Denial of Service",
              "display_name": "T1499 - Endpoint Denial of Service"
            },
            {
              "id": "T1110.002",
              "name": "Password Cracking",
              "display_name": "T1110.002 - Password Cracking"
            },
            {
              "id": "T1003.008",
              "name": "/etc/passwd and /etc/shadow",
              "display_name": "T1003.008 - /etc/passwd and /etc/shadow"
            },
            {
              "id": "T1601",
              "name": "Modify System Image",
              "display_name": "T1601 - Modify System Image"
            },
            {
              "id": "T1155",
              "name": "AppleScript",
              "display_name": "T1155 - AppleScript"
            },
            {
              "id": "T1078.001",
              "name": "Default Accounts",
              "display_name": "T1078.001 - Default Accounts"
            },
            {
              "id": "TA0005",
              "name": "Defense Evasion",
              "display_name": "TA0005 - Defense Evasion"
            },
            {
              "id": "T1147",
              "name": "Hidden Users",
              "display_name": "T1147 - Hidden Users"
            },
            {
              "id": "T1583.005",
              "name": "Botnet",
              "display_name": "T1583.005 - Botnet"
            },
            {
              "id": "T1583.002",
              "name": "DNS Server",
              "display_name": "T1583.002 - DNS Server"
            }
          ],
          "industries": [
            "Telecommunications",
            "Government",
            "Civilian Society"
          ],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 17,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "scoreblue",
            "id": "254100",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 1108,
            "hostname": 627,
            "domain": 628,
            "URL": 534,
            "FileHash-MD5": 377,
            "FileHash-SHA1": 373,
            "email": 12,
            "CIDR": 2,
            "SSLCertFingerprint": 2
          },
          "indicator_count": 3663,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 231,
          "modified_text": "612 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "66b0fa3624bf0384e427f2e7",
          "name": "Tracking Domains 4.2 - 08.19.24",
          "description": "Tracking Domains detected by Privacy Badger Ext. on Microsoft Edge Browser (W11 Device) using Telus ISP (ASN852)\n*Not-Enriched (08.05.24): ~50,000 suggests IOCs by AlienVault\nFrom VT: 2 IPs hosted by 45090 (Shenzhen Tencent Computer Systems Company Limited) & 4611 (CNNIC member) seem to be the problem here 118[.]89.204.198, 118[.]89.0.0/16 & 202[.]123.107.15, 202[.]123.107.0/24 (Respectively)",
          "modified": "2024-09-04T15:01:01.432000",
          "created": "2024-08-05T16:13:42.563000",
          "tags": [],
          "references": [
            "https://www.virustotal.com/gui/collection/21cbd369ea901f41d51b666439aa41070c76eafb66dbbc6e56c86e0923b1569f/iocs",
            "https://www.virustotal.com/gui/collection/21cbd369ea901f41d51b666439aa41070c76eafb66dbbc6e56c86e0923b1569f/summary",
            "https://www.virustotal.com/gui/collection/21cbd369ea901f41d51b666439aa41070c76eafb66dbbc6e56c86e0923b1569f/graph",
            "https://www.virustotal.com/graph/embed/ge839428bb3e24a98aae8cbcc242ae4d8febdc0c46e49411ebb09d155e22b4bbc?theme=dark",
            "https://viz.greynoise.io/query/AS4611",
            "https://urlscan.io/asn/AS4611",
            "https://urlscan.io/search/#asn:%22AS4611%22",
            "https://urlscan.io/asn/AS45090",
            "https://urlscan.io/search/#asn%3A%22AS45090%22",
            "https://viz.greynoise.io/query/AS45090",
            "https://urlscan.io/result/aeb42615-79b7-465d-924e-c9bdde3eefd1/#transactions",
            "https://urlscan.io/result/d4bf08e4-88dc-4bf8-be34-6b352576882e/#behaviour",
            "Filescan[.]io report: bc47c757-0a4d-4659-98d4-5d0c86406462 (08.23.24)",
            "https://krebsonsecurity.com/2024/07/dont-let-your-domain-name-be"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Canada",
            "United States of America"
          ],
          "malware_families": [],
          "attack_ids": [],
          "industries": [
            "Technology"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 17,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Disable_Duck",
            "id": "244325",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 6180,
            "FileHash-MD5": 1,
            "domain": 24921,
            "URL": 10854
          },
          "indicator_count": 41956,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 140,
          "modified_text": "634 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "662e72197adff2cced4acab5",
          "name": "Telus Communications (Canadian ISP)",
          "description": "IOCs associated with and/or collected from Telus Communications ISP\nAlso, please refer to other collections (Relevant Pulses in Group Pulse)",
          "modified": "2024-09-03T00:02:13.980000",
          "created": "2024-04-28T15:58:17.777000",
          "tags": [
            "Telus"
          ],
          "references": [
            "https://www.virustotal.com/gui/collection/9220d9375ebb4289fdbc4a7aac232b75a5c1b01e5e27edd965982bc6fe28f0e2/graph",
            "https://www.virustotal.com/gui/collection/9220d9375ebb4289fdbc4a7aac232b75a5c1b01e5e27edd965982bc6fe28f0e2/iocs",
            "https://tria.ge/240428-tjsmrsbf4t",
            "https://www.virustotal.com/graph/embed/ga06a03c71a1848adb8e47517af7d1803f6bc8aa5dd4a480f921a7e9528da34df?theme=dark",
            "https://intelx.io/?s=telus.com",
            "https://lab.dynamite.ai/pcaps/319ab9c1-044c-4791-98b8-a134918cae63",
            "https://lab.dynamite.ai/pcaps/8c720f26-cf1b-4aed-bad5-da87f7f17977",
            "https://lab.dynamite.ai/pcaps/5beb5211-b3ce-4c11-8fa7-44eee039113a",
            "https://www.virustotal.com/graph/embed/ga408d14b97e346d788613eab3a11c80af28a15dda5334f9a93221e82d25545bb?theme=dark",
            "https://urlhaus.abuse.ch/feeds/asn/852/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Canada",
            "United States of America"
          ],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            }
          ],
          "industries": [
            "Government",
            "Technology",
            "Telecommunications",
            "Education"
          ],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 27,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 3,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Disable_Duck",
            "id": "244325",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 283,
            "FileHash-SHA1": 283,
            "FileHash-SHA256": 366,
            "URL": 726,
            "domain": 564,
            "hostname": 523
          },
          "indicator_count": 2745,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 132,
          "modified_text": "636 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "66269b1f33258a8e26033b17",
          "name": "Tracking Domains - Part 4.1",
          "description": "More Tracking Domains",
          "modified": "2024-08-30T13:02:28.335000",
          "created": "2024-04-22T17:15:11.398000",
          "tags": [
            "Tracking Domains"
          ],
          "references": [
            "https://www.virustotal.com/gui/collection/ee0928d5289165511398be0144460ff4c8663292be0a99a05ac955de2728a078/iocs",
            "https://www.virustotal.com/graph/embed/g0844b0f8d48c4bfab3ae40a376456055e267e54952fe40e0a79f63cc17550863?theme=dark",
            "https://viz.greynoise.io/analysis/02a64dd4-d7e0-451c-8384-13cf23298551"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Canada",
            "United States of America"
          ],
          "malware_families": [],
          "attack_ids": [],
          "industries": [
            "Technology",
            "Telecommunications"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 16,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Disable_Duck",
            "id": "244325",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 94496,
            "FileHash-MD5": 63,
            "domain": 112327,
            "URL": 166918,
            "FileHash-SHA1": 33,
            "FileHash-SHA256": 103,
            "CIDR": 216
          },
          "indicator_count": 374156,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 142,
          "modified_text": "640 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "66269b204ecfba63974dc1d8",
          "name": "Tracking Domains - Part 4",
          "description": "More Tracking Domains",
          "modified": "2024-05-22T17:04:45.215000",
          "created": "2024-04-22T17:15:12.353000",
          "tags": [
            "Tracking Domains"
          ],
          "references": [
            "https://www.virustotal.com/gui/collection/ee0928d5289165511398be0144460ff4c8663292be0a99a05ac955de2728a078/iocs",
            "https://www.virustotal.com/graph/embed/g0844b0f8d48c4bfab3ae40a376456055e267e54952fe40e0a79f63cc17550863?theme=dark"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "Canada",
            "United States of America"
          ],
          "malware_families": [],
          "attack_ids": [],
          "industries": [
            "Technology",
            "Telecommunications"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 16,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Disable_Duck",
            "id": "244325",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 792,
            "FileHash-MD5": 1,
            "domain": 5803,
            "URL": 2
          },
          "indicator_count": 6598,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 136,
          "modified_text": "739 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://urlscan.io/result/d4bf08e4-88dc-4bf8-be34-6b352576882e/#behaviour",
        "deploy-delete-app-us-east-2-1.deploy-delete-test-us-east-2-1mtsufd.us-east-2.gamma.forgeapps.ec2.aws.dev",
        "The sandbox Zenbox flags this file as: EVADER",
        "https://clear.ml/infrastructure-control-plane",
        "Yara: Mirai_Botnet_Malware",
        "https://discoverreceiver.gurus.vmicrosoft.com/ \u2022 account.live.com \u2022 acctcdn.msauth.net",
        "https://download.clear.ml/cpython_builds/releases/ \u2022 https://download.clear.",
        "Verdict: Defense Law Firm | malicious tools / agitators",
        "http://www.anyxxxtube.net/search-porn/tsara-brashears",
        "http://aplikacja.ceidg.gov.pl/CEIDG/CEIDG.Public.UI/EntryChangeHistory.Id=7a025cc6",
        "dev-app.project-cicada.com \u2022 http://dev-app.project-cicada.com \u2022 https://dev-app.project-cicada.com (2014 report predates 2016 reports)",
        "IDS: Matches rule SURICATA STREAM SHUTDOWN RST invalid ack",
        "https://lab.dynamite.ai/pcaps/319ab9c1-044c-4791-98b8-a134918cae63",
        "https://wallpapers-nature.com/%20tsara-brashears/urlscan-io",
        "IDS: Matches rule SURICATA STREAM Packet with invalid ack",
        "https://urlscan.io/search/#asn%3A%22AS45090%22",
        "Everyone has simply asked you alll to stop. Target never asked anyone for money.",
        "https://www.milehighmedia.com/legal/2257",
        "https://www.virustotal.com/gui/collection/21cbd369ea901f41d51b666439aa41070c76eafb66dbbc6e56c86e0923b1569f/iocs",
        "https://amano.inboundtools.com/tpcontact  URL https://armg.inboundtools.com/  URL https://gaiax.inboundtools.com/internship  URL https://hmk.inboundtools.com/  URL https://hmk.inboundtools.com/form/assetview_siryo_sier",
        "https://www.virustotal.com/graph/embed/g0844b0f8d48c4bfab3ae40a376456055e267e54952fe40e0a79f63cc17550863?theme=dark",
        "https://www.virustotal.com/gui/collection/ee0928d5289165511398be0144460ff4c8663292be0a99a05ac955de2728a078/iocs",
        "https://krebsonsecurity.com/2024/07/dont-let-your-domain-name-be",
        "https://www.virustotal.com/gui/collection/9220d9375ebb4289fdbc4a7aac232b75a5c1b01e5e27edd965982bc6fe28f0e2/iocs",
        "Yara Detections Mirai_Botnet_Malware",
        "https://lab.dynamite.ai/pcaps/5beb5211-b3ce-4c11-8fa7-44eee039113a",
        "Emotet download site = dirt search.org / aws.dev and other related DGA\u2019s (active)",
        "FRANMUC15 Phone Number: +1.3037646860 601 E 18th Ave Suite 250 80203 ,CO",
        "Payment - Ref Id- H3426584.doc FileHash SHA256 ed2914efddb8e8f4c89abf95faa32572d35b3cfdfb202266993f6e7624a2048c",
        "images.apple.com | crl.apple.com | https://assets.ubuntu.com/v1/17b68252 |  ads-apple.com.cn | networking.apple | ads-apple.apple.com.cn |",
        "howtoworkacrickoutofyourneck2.pages.dev",
        "Unix.Trojan.Mirai-6976991-0  FileHash-SHA256 760a17dea7794ebbfb5c54e7e74d0b53fd9e079e43be0b9b6e3df7eb14a47be9 ELF:Mirai-AHC\\ [Trj]",
        "https://cop.supply/proxies-lists/ \u2022 https://cop.supply/shopify-bots/",
        "madunixxx.ru | 192.70.175.110 | AS36081 State of Colorado General Government Computer Name Servers: ns1.madunixxx.ru  Created: Jun 19, 2016",
        "https://wallpapers-nature.com/tsara-brashears/urlscan-io",
        "firebase-auth-eich0v.pages.dev",
        "192.70.175.110 [2016-07-10 10] 197.45.77.34 MADUNIXXX.RU 197.45.85.125 Registrar:REGRU-RU Status\u00bbREGISTERED, DELEGATED, VERIFIED Passive",
        "Yara Detections: UPXProtectorv10x2 , UPX , ELFHighEntropy , elf_empty_sections Alerts: dead_host | ELF:Mirai-AII\\ [Trj]",
        "PSW.Generic12.WIO | [ns1.ns2.www.madunixxx.ru] FileHash-SHA256 84989bfe79becdea44a2290df3f52bfc2363b6c603aa2b7742dcdde5c7cba12a",
        "https://urlhaus.abuse.ch/feeds/asn/852/",
        "Not Resolving | www._courts.state.co.us | https://otx.alienvault.com/indicator/hostname/www._courts.state.co.us",
        "https://urlscan.io/result/aeb42615-79b7-465d-924e-c9bdde3eefd1/#transactions",
        "Filescan[.]io report: bc47c757-0a4d-4659-98d4-5d0c86406462 (08.23.24)",
        "https://twitter.com/PORNO_SEXYBABES",
        "https://khmerpornvideo.signup0.y.id/",
        "https://links.mail.samsara.com/s/c/P9R6gGlExR4nfCwqwJXUmr7NmKcMNde4ZBhCFprlVtsFNgh-4tuTWla0aXN9rIWCjrWtn0Vln7x-hexxVBlY3xxvnEevR8qJU5G5xV3__wo-X7kkpSOhJVfejac-Xk8qu6zs5Z-tILwWYRkNScZNGlAqfwQuJuRw5M-n_ZKI6tuY5XGCZAqWoQepi1NnJiW4wZJkzZlOwGtNkusbuKDcMsLVrrhji2eKh4kYgrJp_SeycJRhasLFCQ3c2bPu4sahEWpcHZrQBaxvdfQgTEno8kV-RJdTDO0zK5MyWDJLeds7mnaDrxlb0O2zmhebUdlHE0R0xHi25dympBUpMlLsQV8bx1WUTOfgK4k0ci9o_2Gbfe22-jLxsJN-msV6pxWYQMaxRNFd4iZRC9J9Z1SC5MBqbvNzqdt98kFdpibnv_QIHdhFyHOR_Ip_LX67Dncc8V8OvAi-H5phfeSyDzwdzf2FQIi82",
        "ip-geolocation.apple.com | http://ocsp.apple.com/ocsp03-apevsecc1g101 | docs-staging.swift.org | drauschenberg@apple.com | apple-noc@apple.com",
        "Attacks are being carried out by The State of Colorado",
        "https://viz.greynoise.io/query/AS45090",
        "https://wallpapers-nature.com/ tsara-brashears/urlscan-io",
        "makeapornsite.com \u2022 https://pornhighschool.com/ \u2022 https://ethnicerotic.com \u2022 https://twitter.com/Make",
        "privaterelay.appleid.com | http://certs.apple.com/apevsecc1g1.der | certs.apple.com | http://crl.apple.com/apevsecc1g1.crl | ocsp.apple.com",
        "http://watchhers.net/index.php",
        "https://i-want-to-start-an-onlyfans.pages.dev/favicon.ico| I bet you do boo boo",
        "https://viz.greynoise.io/analysis/02a64dd4-d7e0-451c-8384-13cf23298551",
        "https://intelx.io/?s=telus.com",
        "https://www.virustotal.com/graph/embed/ga06a03c71a1848adb8e47517af7d1803f6bc8aa5dd4a480f921a7e9528da34df?theme=dark",
        "https://www.virustotal.com/graph/embed/ga408d14b97e346d788613eab3a11c80af28a15dda5334f9a93221e82d25545bb?theme=dark",
        "(Delete app that removed YoiTube views) www.youtube.com/watch?v=GyuMozsVyYs",
        "https://www.virustotal.com/gui/collection/21cbd369ea901f41d51b666439aa41070c76eafb66dbbc6e56c86e0923b1569f/graph",
        "https://cop.supply/supreme-bots/\u2022 https://cop.supply/useful-tools/",
        "Sneaker Bots Proxies Servers Cook Groups Cop Supply",
        "https://www.virustotal.com/gui/collection/e03439bc07bcb1908764755571e127ec051193d4cc24cf842ec3179557f533cb/summary",
        "cloudendpointsapis.com \u2022 https://www.vgt.pl/style/style.css \u2022 ceidg.gov.pl",
        "ELF:Mirai-AHC\\ [Trj] FileHash-SHA256 a282f250e59f8754335993293bfbfcc154cdb67ff0e234162f40a6cce5c4290c",
        "http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex",
        "Admin Email: frank.muccio@state.co.us Admin Id: FRANMUC15 Admin of Security Operations Admin: Nexus Category: C21",
        "dns.army \u2022 www.dcopr.dns.army  \u2022 www.glsyaiwjj.dns.army \u2022  www.wgmvk.dns.army",
        "http://ianswertomom.com/develop-wise-woman-within-yourself",
        "https://urlscan.io/asn/AS45090",
        "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net \u2022 wallpapers-nature.com",
        "https://www.virustotal.com/graph/embed/g36d8fc13d786418ab1d0a75cc331f0eb5bca28d4a4fe4666a84f23e25fb6600b?theme=dark",
        "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian \u2022",
        "https://lab.dynamite.ai/pcaps/8c720f26-cf1b-4aed-bad5-da87f7f17977",
        "https://urlscan.io/asn/AS4611",
        "https://report.netcraft.com/submission/iduhE4oNTsMOSAeOeBjzZdIfCLtefF3P - 07.23.25 - see notes on references*",
        "https://maps.googleapis.com/maps/api/js?sensor=false",
        "https://viz.greynoise.io/query/AS4611",
        "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
        "archive.cop.supply \u2022 dev.cop.supply \u2022 https://cop.supply/ \u2022 https://cop.supply/bot-lists/",
        "PSW.Generic12.WIO \u00bb FileHash-SHA256 84989bfe79becdea44a2290df3f52bfc2363b6c603aa2b7742dcdde5c7cba12a | ns1.ns2.www.madunixxx.ru",
        "https://voidpet.io/invite/scaredscared/1rpzxWXa61 \u2022 https://sex-doggy.net/tag/censored",
        "Amazon.com \u2022 Google.com \u2022YouTube.com, Apple.com ,  etc Exploited",
        "https://urlscan.io/search/#asn:%22AS4611%22",
        "pl.wikipedia.org \u2022  fontawesome.io \u2022  opensource.org \u2022 videojet.com",
        "54.239.28.85 | Exploited CVE-2002-0013 Antivirus Detections: Trojan:Win32/FlyStudio Win.Malware.Snojan Win.Trojan.Tofsee [fld8.com unk/0auth]",
        "YARA: Microsoft_Office_Documents_Excessive_Variables from ruleset Microsoft_Office_Documents_Excessive_Variables by InQuest Labs",
        "Legal court documented  agreement to allow and pay target to hire cyber investigators",
        "IP Private: 192.70.174.110 | Unix.Trojan.Mirai-6976991-0",
        "http://www.anyxxxtube.net/search-porn/tsara-brashears/",
        "Xcitium Verdict Cloud government & legal -  https://www.dirtsearch.org/data/TSARA/BRASHEARS/",
        "https://lordseriala.life/6337-zvezdnye-vojny-opornaja-komanda.html",
        "https://www.virustotal.com/gui/collection/e03439bc07bcb1908764755571e127ec051193d4cc24cf842ec3179557f533cb/iocs",
        "The sandbox Dr.Web vxCube flags this file as: MALWARE EXPLOIT",
        "ELF:Mirai-AHC\\ [Trj] 1.101.117.25 Location: Korea, Republic Korea, Republic of ASN AS4766 Korea Telecom",
        "192.70.175.110 | Mirai | Reverse DNS | State.CO.US | United States of America ASN AS36081 State of Colorado General Government Computer | ns1.ns2.www.madunixxx.ru",
        "http://ianswertomom.com/bible-verses-struggling-contentment-mom/  I",
        "everesttech.net \u2022 aws.amazon.com \u2022  cm.everesttech.net \u2022 dpm.demdex.net \u2022 s3.amazonaws.com",
        "https://www.virustotal.com/graph/embed/ge839428bb3e24a98aae8cbcc242ae4d8febdc0c46e49411ebb09d155e22b4bbc?theme=dark",
        "DirtSearch.org | BitDefender business | Forcepoint ThreatSeeker reference materials | Xcitium Verdict Cloud government & legal",
        "Detections Executable and linking format (ELF) file download Over HTTP",
        "cell-0.af-south-1.prod.telemetry.console.api.aws",
        "https://www.virustotal.com/gui/collection/21cbd369ea901f41d51b666439aa41070c76eafb66dbbc6e56c86e0923b1569f/summary",
        "Dr. Web known infection source",
        "https://tria.ge/240428-tjsmrsbf4t",
        "https://www.virustotal.com/gui/collection/9220d9375ebb4289fdbc4a7aac232b75a5c1b01e5e27edd965982bc6fe28f0e2/graph",
        "Frank Muccio - Serco Conroe, Texas, United States \u00b7 Serco 28+ Years of Information Technology (IT) experience. 20+ Years of leadership and\u2026 \u00b7 Experience: Serco \u00b7 Education: University of Maryland University College",
        "YARA: Office_Document_with_VBA_Project from ruleset Office_Document_with_VBA_Project by InQuest Labs",
        "https://www.fmglaw.com/lawyers/christopher-ahmann - found in adult content pulse."
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": []
        },
        "other": {
          "adversary": [
            "Frank Di MuccioSGT"
          ],
          "malware_families": [
            "Alf:nid:susp_nsis_stub.a",
            "Psw.generic12.wio",
            "Ddos:linux/gafgyt.ya!mtb",
            "Cve-2023-22518",
            "Trojandownloader:win32/cutwail",
            "Win.packed.bandook-9882274-1",
            "Botnet",
            "Ransom:win32/crowti.a",
            "Vb:trojan.agent.eezz",
            "Cve-2017-11882",
            "Other malware",
            "Win.malware.mikey-9949492-0",
            "Win.malware.snojan-6775202-0",
            "Unix.trojan.tsunami-6981155-0",
            "Trojandownloader:win32/cutwailransom:win32/crowti.a",
            "Win32:botx-gen\\ [trj]",
            "Cycbot",
            "#lowfienabledtcontinueafterunpacking",
            "Alf:trojan:win32/flystudio.pa!mtb",
            "Trojan:win32/qbot.r!mtb",
            "Trojan.w97m/emotetdldr",
            "Trojandropper:win32/systex.a",
            "Trojan.w97m.powload.smrv08",
            "Doc.downloader.emotet-7196349-0",
            "Alf:heraklezeval:trojan:msil/gravityrat!rfn",
            "Alf:exploit:o97m/cve-2017-8977",
            "Win.downloader.small-4507",
            "Mirai",
            "Elf:hajime-q",
            "Unix.trojan.gafgyt-6981154-0",
            "Nids",
            "Win.trojan.gravityrat-6511862-0",
            "Worm",
            "Static ai - malicious ole",
            "Trojan:win32/skeeyah",
            "Win.trojan.tofsee-6840338-0",
            "#lowfi:hstr:criakl.b1",
            "Virtool:win32/vbinject.gen!mh",
            "Backdoor:win32/arwobot.b",
            "Win.trojan.tepfer-61",
            "Backdoor:linux/demonbot.aa!mtb",
            "Troj/docdl-sok",
            "Ddos:linux/lightaidra",
            "Mirai (elf)"
          ],
          "industries": [
            "Education",
            "Civilian society",
            "Technology",
            "Construction",
            "Insurance",
            "Telecommunications",
            "Government"
          ]
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 13,
  "pulses": [
    {
      "id": "69fd98fba834ab33f7cfe50f",
      "name": "Telus Communications (Canadian ISP) clone Disable_Duck - relevant Ip shadows",
      "description": "",
      "modified": "2026-05-08T08:04:11.769000",
      "created": "2026-05-08T08:04:11.769000",
      "tags": [
        "Telus"
      ],
      "references": [
        "https://www.virustotal.com/gui/collection/9220d9375ebb4289fdbc4a7aac232b75a5c1b01e5e27edd965982bc6fe28f0e2/graph",
        "https://www.virustotal.com/gui/collection/9220d9375ebb4289fdbc4a7aac232b75a5c1b01e5e27edd965982bc6fe28f0e2/iocs",
        "https://tria.ge/240428-tjsmrsbf4t",
        "https://www.virustotal.com/graph/embed/ga06a03c71a1848adb8e47517af7d1803f6bc8aa5dd4a480f921a7e9528da34df?theme=dark",
        "https://intelx.io/?s=telus.com",
        "https://lab.dynamite.ai/pcaps/319ab9c1-044c-4791-98b8-a134918cae63",
        "https://lab.dynamite.ai/pcaps/8c720f26-cf1b-4aed-bad5-da87f7f17977",
        "https://lab.dynamite.ai/pcaps/5beb5211-b3ce-4c11-8fa7-44eee039113a",
        "https://www.virustotal.com/graph/embed/ga408d14b97e346d788613eab3a11c80af28a15dda5334f9a93221e82d25545bb?theme=dark",
        "https://urlhaus.abuse.ch/feeds/asn/852/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "Canada",
        "United States of America"
      ],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1106",
          "name": "Native API",
          "display_name": "T1106 - Native API"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        }
      ],
      "industries": [
        "Government",
        "Technology",
        "Telecommunications",
        "Education"
      ],
      "TLP": "green",
      "cloned_from": "662e72197adff2cced4acab5",
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 283,
        "FileHash-SHA1": 283,
        "FileHash-SHA256": 366,
        "URL": 726,
        "domain": 564,
        "hostname": 523
      },
      "indicator_count": 2745,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 66,
      "modified_text": "24 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69c5b5cccffe6a5e0b756741",
      "name": "Unknown - Tracking",
      "description": "<HOSTNAME:MarkMonitor.comInc, a US-based company, has been added to Pulse.net, according to a report published by the Internet Service Authority (ICann).<pretext",
      "modified": "2026-04-25T23:14:19.460000",
      "created": "2026-03-26T22:40:12.417000",
      "tags": [
        "status",
        "creation date",
        "servers",
        "name servers",
        "pulse submit",
        "url analysis",
        "passive dns",
        "urls",
        "files",
        "ip address",
        "date",
        "whois show",
        "search",
        "record value",
        "emails",
        "name legal",
        "department name",
        "address po",
        "city seattle",
        "country us",
        "united",
        "unknown",
        "hostname",
        "location united",
        "algorithm",
        "key identifier",
        "x509v3 subject",
        "v3 serial",
        "number",
        "cus oamazon",
        "cnamazon rsa",
        "m01 validity",
        "subject public",
        "key info",
        "domain name",
        "domain",
        "expiry date",
        "update date",
        "thumbprint"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 23,
        "email": 10,
        "domain": 188,
        "hostname": 284,
        "URL": 399,
        "FileHash-SHA256": 440,
        "FileHash-SHA1": 55,
        "CVE": 2
      },
      "indicator_count": 1401,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 68,
      "modified_text": "36 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "693cdc5b8ebc10664439c2fb",
      "name": "Project Cicada-.Christopher \u201cBuzz\u201d Ahmann - Freeman Mathis & Gary for The State of Colorado",
      "description": "State of Colorado attackers use  DGA domains set up multiple Law Firms.. Christopher P.  \u2019Buzz\u2019  Ahmann  Is a legal consultant / attorney./ hacker \nWorks for the State of Colorado/ quasi. Is malicious and doesn\u2019t work alone. Continues to target \nState had relative contacted by a fake entity \u2018Goodness Health\u2019\nLeft vague VM for relative message \u201cWe work on the Medicare side of things.\u201d and? \nSocial engineering call , malicious domain. The State of Colorado has been on a relentless pursuit against target. Fully compromised targets relatives brand new phone. Hacked target since 10/2013.\nMultiple cyber and physical attacks carried out  against target and family members.. There are attacks make  to look like accidents or malfunctions. This harmful, silencing behavior is somehow illegal for anyone else.",
      "modified": "2026-02-10T06:05:39.764000",
      "created": "2025-12-13T03:24:11.414000",
      "tags": [
        "colorado state",
        "freeman mathis",
        "history",
        "cyber risk",
        "aspen insureds",
        "gaig insureds",
        "landy insureds",
        "nip group",
        "purm insureds",
        "overview core",
        "united",
        "ip address",
        "present nov",
        "present may",
        "moved",
        "encrypt",
        "unknown",
        "backdoor",
        "passive dns",
        "ransom",
        "checkin",
        "trojandropper",
        "mtb nov",
        "twitter",
        "trojan",
        "data upload",
        "extraction",
        "failed",
        "united states",
        "server response",
        "google safe",
        "results may",
        "lowfi",
        "virtool",
        "mtb alf",
        "mh alf",
        "port",
        "windows nt",
        "destination",
        "msie",
        "khtml",
        "gecko",
        "unknown aaaa",
        "a domains",
        "meta",
        "for privacy",
        "cop supply",
        "urls",
        "as139646 hong",
        "hostname",
        "files",
        "hong kong",
        "domain add",
        "ip related",
        "hash avast",
        "avg clamav",
        "msdefender may",
        "ddos",
        "as13335",
        "ipv4",
        "certificate",
        "hostname add",
        "url analysis",
        "files ip",
        "name strings",
        "category",
        "united states",
        "pulse indicator",
        "address",
        "error",
        "null",
        "object",
        "string",
        "number",
        "google maps",
        "promise",
        "javascript api",
        "dataset",
        "bigint",
        "dark",
        "android",
        "infinity",
        "internal",
        "roboto",
        "trident",
        "void",
        "small",
        "lightrail",
        "false",
        "span",
        "close",
        "light",
        "hybrid",
        "embed",
        "iframe",
        "keygen",
        "this",
        "february",
        "bounce",
        "drop",
        "inside",
        "outside",
        "marker",
        "present dec",
        "pulses otx",
        "aaaa",
        "asnone country",
        "record value",
        "title",
        "pulse pulses",
        "pulses",
        "showing",
        "unknown cname",
        "unknown soa",
        "next associated",
        "ipv4 add",
        "cycbot",
        "extract indic",
        "sneaker bots",
        "proxies data",
        "script script",
        "adult content",
        "nextimage",
        "porn site",
        "div div",
        "platform make",
        "cloudfront x",
        "hio52 p3",
        "unknown ns",
        "pulse submit",
        "title error",
        "reverse dns",
        "status",
        "servers",
        "name servers",
        "vashti hostname",
        "scan endpoints",
        "url http",
        "http",
        "files domain",
        "files related",
        "pulses none",
        "dnssec",
        "sec ch",
        "ch ua",
        "ua full",
        "ua platform",
        "ua bitness",
        "ua arch",
        "version sec",
        "mobile sec",
        "model sec",
        "version list",
        "domain",
        "emails",
        "cookie",
        "url https",
        "show",
        "filehash",
        "urls show",
        "date checked",
        "url hostname",
        "results nov",
        "win32",
        "type",
        "learn",
        "ck id",
        "name tactics",
        "suspicious",
        "informative",
        "command",
        "adversaries",
        "ssl certificate",
        "defense evasion",
        "spawns",
        "flag",
        "llc name",
        "server",
        "markmonitor",
        "name server",
        "windir",
        "openurl c",
        "prefetch2",
        "show technique",
        "mitre att",
        "ck matrix",
        "pattern match",
        "ascii text",
        "sha1",
        "href",
        "show process",
        "file",
        "general",
        "local",
        "path",
        "germany unknown",
        "date",
        "registrar",
        "ip whois",
        "dynamicloader",
        "high",
        "medium",
        "search",
        "displayname",
        "tofsee",
        "win64",
        "write",
        "stream",
        "malware",
        "push",
        "entries",
        "tls handshake",
        "failure",
        "forbidden",
        "tlsv1",
        "april",
        "next",
        "write c",
        "intel",
        "ms windows",
        "sha1 add",
        "av detections",
        "ids detections",
        "yara detections",
        "alerts",
        "analysis date",
        "file score",
        "sha256 add",
        "present jun",
        "present mar",
        "medelln",
        "colombia asn",
        "dns resolutions",
        "address domain",
        "related tags",
        "none google",
        "safe browsing",
        "external",
        "present sep",
        "present aug",
        "as54113",
        "present jul",
        "as8068",
        "gmt content",
        "total",
        "read",
        "delete",
        "top source",
        "quasi",
        "murderers",
        "christopher ahmann",
        "buzz ahmann",
        "wow64",
        "slcc2",
        "media center",
        "labor",
        "employment",
        "cdle",
        "dowc",
        "colorado",
        "workers",
        "coloradoif",
        "independent",
        "state",
        "company",
        "entity type",
        "authorized line",
        "analysis",
        "tor analysis",
        "process details",
        "network traffic",
        "t1071",
        "potential ip",
        "click",
        "found",
        "t1480 execution",
        "bad traffic",
        "et info",
        "ck techniques",
        "evasion att",
        "t1057",
        "refresh",
        "body",
        "strings",
        "tools",
        "look",
        "verify",
        "restart",
        "cname",
        "form",
        "pulse",
        "script domains",
        "script urls",
        "administrator",
        "services llc",
        "dns admin",
        "domain admin",
        "global llc",
        "domain manager",
        "computer system",
        "ltd domain",
        "network",
        "alibaba",
        "facebook",
        "phishme",
        "sogou",
        "present jan",
        "present feb",
        "present oct"
      ],
      "references": [
        "https://www.fmglaw.com/lawyers/christopher-ahmann - found in adult content pulse.",
        "Sneaker Bots Proxies Servers Cook Groups Cop Supply",
        "archive.cop.supply \u2022 dev.cop.supply \u2022 https://cop.supply/ \u2022 https://cop.supply/bot-lists/",
        "https://cop.supply/supreme-bots/\u2022 https://cop.supply/useful-tools/",
        "https://cop.supply/proxies-lists/ \u2022 https://cop.supply/shopify-bots/",
        "dns.army \u2022 www.dcopr.dns.army  \u2022 www.glsyaiwjj.dns.army \u2022  www.wgmvk.dns.army",
        "https://maps.googleapis.com/maps/api/js?sensor=false",
        "cell-0.af-south-1.prod.telemetry.console.api.aws",
        "howtoworkacrickoutofyourneck2.pages.dev",
        "firebase-auth-eich0v.pages.dev",
        "http://ianswertomom.com/develop-wise-woman-within-yourself",
        "http://ianswertomom.com/bible-verses-struggling-contentment-mom/  I",
        "https://i-want-to-start-an-onlyfans.pages.dev/favicon.ico| I bet you do boo boo",
        "makeapornsite.com \u2022 https://pornhighschool.com/ \u2022 https://ethnicerotic.com \u2022 https://twitter.com/Make",
        "https://khmerpornvideo.signup0.y.id/",
        "https://lordseriala.life/6337-zvezdnye-vojny-opornaja-komanda.html",
        "https://clear.ml/infrastructure-control-plane",
        "dev-app.project-cicada.com \u2022 http://dev-app.project-cicada.com \u2022 https://dev-app.project-cicada.com (2014 report predates 2016 reports)",
        "https://amano.inboundtools.com/tpcontact  URL https://armg.inboundtools.com/  URL https://gaiax.inboundtools.com/internship  URL https://hmk.inboundtools.com/  URL https://hmk.inboundtools.com/form/assetview_siryo_sier",
        "https://download.clear.ml/cpython_builds/releases/ \u2022 https://download.clear.",
        "https://links.mail.samsara.com/s/c/P9R6gGlExR4nfCwqwJXUmr7NmKcMNde4ZBhCFprlVtsFNgh-4tuTWla0aXN9rIWCjrWtn0Vln7x-hexxVBlY3xxvnEevR8qJU5G5xV3__wo-X7kkpSOhJVfejac-Xk8qu6zs5Z-tILwWYRkNScZNGlAqfwQuJuRw5M-n_ZKI6tuY5XGCZAqWoQepi1NnJiW4wZJkzZlOwGtNkusbuKDcMsLVrrhji2eKh4kYgrJp_SeycJRhasLFCQ3c2bPu4sahEWpcHZrQBaxvdfQgTEno8kV-RJdTDO0zK5MyWDJLeds7mnaDrxlb0O2zmhebUdlHE0R0xHi25dympBUpMlLsQV8bx1WUTOfgK4k0ci9o_2Gbfe22-jLxsJN-msV6pxWYQMaxRNFd4iZRC9J9Z1SC5MBqbvNzqdt98kFdpibnv_QIHdhFyHOR_Ip_LX67Dncc8V8OvAi-H5phfeSyDzwdzf2FQIi82",
        "https://voidpet.io/invite/scaredscared/1rpzxWXa61 \u2022 https://sex-doggy.net/tag/censored",
        "Everyone has simply asked you alll to stop. Target never asked anyone for money.",
        "Legal court documented  agreement to allow and pay target to hire cyber investigators",
        "Attacks are being carried out by The State of Colorado"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America",
        "Japan",
        "France",
        "Ireland",
        "Spain",
        "Italy",
        "Aruba",
        "Australia",
        "Denmark",
        "United Kingdom of Great Britain and Northern Ireland",
        "Germany",
        "T\u00fcrkiye",
        "Indonesia"
      ],
      "malware_families": [
        {
          "id": "Win.Trojan.GravityRAT-6511862-0",
          "display_name": "Win.Trojan.GravityRAT-6511862-0",
          "target": null
        },
        {
          "id": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat!rfn",
          "display_name": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat!rfn",
          "target": null
        },
        {
          "id": "Unix.Trojan.Tsunami-6981155-0",
          "display_name": "Unix.Trojan.Tsunami-6981155-0",
          "target": null
        },
        {
          "id": "TrojanDropper:Win32/Systex.A",
          "display_name": "TrojanDropper:Win32/Systex.A",
          "target": "/malware/TrojanDropper:Win32/Systex.A"
        },
        {
          "id": "Win.Trojan.Tepfer-61",
          "display_name": "Win.Trojan.Tepfer-61",
          "target": null
        },
        {
          "id": "TrojanDownloader:Win32/CutwailRansom:Win32/Crowti.A",
          "display_name": "TrojanDownloader:Win32/CutwailRansom:Win32/Crowti.A",
          "target": null
        },
        {
          "id": "VirTool:Win32/VBInject.gen!MH",
          "display_name": "VirTool:Win32/VBInject.gen!MH",
          "target": "/malware/VirTool:Win32/VBInject.gen!MH"
        },
        {
          "id": "ALF:NID:Susp_NSIS_Stub.A",
          "display_name": "ALF:NID:Susp_NSIS_Stub.A",
          "target": null
        },
        {
          "id": "#LOWFI:HSTR:Criakl.B1",
          "display_name": "#LOWFI:HSTR:Criakl.B1",
          "target": null
        },
        {
          "id": "Backdoor:Win32/Arwobot.B",
          "display_name": "Backdoor:Win32/Arwobot.B",
          "target": "/malware/Backdoor:Win32/Arwobot.B"
        },
        {
          "id": "Win.Packed.Bandook-9882274-1",
          "display_name": "Win.Packed.Bandook-9882274-1",
          "target": null
        },
        {
          "id": "TrojanDownloader:Win32/Cutwail",
          "display_name": "TrojanDownloader:Win32/Cutwail",
          "target": "/malware/TrojanDownloader:Win32/Cutwail"
        },
        {
          "id": "Win.Downloader.Small-4507",
          "display_name": "Win.Downloader.Small-4507",
          "target": null
        },
        {
          "id": "Trojan:Win32/Qbot.R!MTB",
          "display_name": "Trojan:Win32/Qbot.R!MTB",
          "target": "/malware/Trojan:Win32/Qbot.R!MTB"
        },
        {
          "id": "Win.Malware.Mikey-9949492-0",
          "display_name": "Win.Malware.Mikey-9949492-0",
          "target": null
        },
        {
          "id": "Ransom:Win32/Crowti.A",
          "display_name": "Ransom:Win32/Crowti.A",
          "target": "/malware/Ransom:Win32/Crowti.A"
        },
        {
          "id": "Backdoor:Linux/DemonBot.Aa!MTB",
          "display_name": "Backdoor:Linux/DemonBot.Aa!MTB",
          "target": "/malware/Backdoor:Linux/DemonBot.Aa!MTB"
        },
        {
          "id": "Unix.Trojan.Gafgyt-6981154-0",
          "display_name": "Unix.Trojan.Gafgyt-6981154-0",
          "target": null
        },
        {
          "id": "DDOS:Linux/Gafgyt.YA!MTB",
          "display_name": "DDOS:Linux/Gafgyt.YA!MTB",
          "target": "/malware/DDOS:Linux/Gafgyt.YA!MTB"
        },
        {
          "id": "CVE-2017-11882",
          "display_name": "CVE-2017-11882",
          "target": null
        },
        {
          "id": "ALF:Exploit:O97M/CVE-2017-8977",
          "display_name": "ALF:Exploit:O97M/CVE-2017-8977",
          "target": null
        },
        {
          "id": "Cycbot",
          "display_name": "Cycbot",
          "target": null
        },
        {
          "id": "Win32:BotX-gen\\ [Trj]",
          "display_name": "Win32:BotX-gen\\ [Trj]",
          "target": null
        },
        {
          "id": "NIDS",
          "display_name": "NIDS",
          "target": null
        },
        {
          "id": "Mirai (ELF)",
          "display_name": "Mirai (ELF)",
          "target": null
        },
        {
          "id": "Worm",
          "display_name": "Worm",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1069",
          "name": "Permission Groups Discovery",
          "display_name": "T1069 - Permission Groups Discovery"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1480",
          "name": "Execution Guardrails",
          "display_name": "T1480 - Execution Guardrails"
        },
        {
          "id": "T1553",
          "name": "Subvert Trust Controls",
          "display_name": "T1553 - Subvert Trust Controls"
        },
        {
          "id": "T1568",
          "name": "Dynamic Resolution",
          "display_name": "T1568 - Dynamic Resolution"
        },
        {
          "id": "T1583",
          "name": "Acquire Infrastructure",
          "display_name": "T1583 - Acquire Infrastructure"
        },
        {
          "id": "T1590",
          "name": "Gather Victim Network Information",
          "display_name": "T1590 - Gather Victim Network Information"
        },
        {
          "id": "T1204.001",
          "name": "Malicious Link",
          "display_name": "T1204.001 - Malicious Link"
        },
        {
          "id": "T1457",
          "name": "Malicious Media Content",
          "display_name": "T1457 - Malicious Media Content"
        },
        {
          "id": "T1071.004",
          "name": "DNS",
          "display_name": "T1071.004 - DNS"
        },
        {
          "id": "T1155",
          "name": "AppleScript",
          "display_name": "T1155 - AppleScript"
        },
        {
          "id": "T1060",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1060 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1045",
          "name": "Software Packing",
          "display_name": "T1045 - Software Packing"
        },
        {
          "id": "T1063",
          "name": "Security Software Discovery",
          "display_name": "T1063 - Security Software Discovery"
        },
        {
          "id": "T1113",
          "name": "Screen Capture",
          "display_name": "T1113 - Screen Capture"
        },
        {
          "id": "T1068",
          "name": "Exploitation for Privilege Escalation",
          "display_name": "T1068 - Exploitation for Privilege Escalation"
        },
        {
          "id": "T1210",
          "name": "Exploitation of Remote Services",
          "display_name": "T1210 - Exploitation of Remote Services"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "TA0037",
          "name": "Command and Control",
          "display_name": "TA0037 - Command and Control"
        },
        {
          "id": "T1031",
          "name": "Modify Existing Service",
          "display_name": "T1031 - Modify Existing Service"
        },
        {
          "id": "T1583.005",
          "name": "Botnet",
          "display_name": "T1583.005 - Botnet"
        },
        {
          "id": "T1176",
          "name": "Browser Extensions",
          "display_name": "T1176 - Browser Extensions"
        },
        {
          "id": "T1185",
          "name": "Man in the Browser",
          "display_name": "T1185 - Man in the Browser"
        },
        {
          "id": "T1574.008",
          "name": "Path Interception by Search Order Hijacking",
          "display_name": "T1574.008 - Path Interception by Search Order Hijacking"
        },
        {
          "id": "T1410",
          "name": "Network Traffic Capture or Redirection",
          "display_name": "T1410 - Network Traffic Capture or Redirection"
        },
        {
          "id": "T1449",
          "name": "Exploit SS7 to Redirect Phone Calls/SMS",
          "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
        },
        {
          "id": "T1593.002",
          "name": "Search Engines",
          "display_name": "T1593.002 - Search Engines"
        }
      ],
      "industries": [
        "Insurance",
        "Construction"
      ],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 8,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Q.Vashti",
        "id": "337942",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 54118,
        "domain": 11153,
        "hostname": 18578,
        "email": 21,
        "FileHash-SHA256": 4905,
        "FileHash-MD5": 548,
        "FileHash-SHA1": 534,
        "CVE": 7,
        "SSLCertFingerprint": 20,
        "CIDR": 1
      },
      "indicator_count": 89885,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 146,
      "modified_text": "111 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6963596c4cd594b77b4675ec",
      "name": "Project Cicada-.Christopher \u201cBuzz\u201d Ahmann - PalantirFoundry | The State of Colorado | ",
      "description": "",
      "modified": "2026-02-10T06:05:39.764000",
      "created": "2026-01-11T08:03:56.534000",
      "tags": [
        "colorado state",
        "freeman mathis",
        "history",
        "cyber risk",
        "aspen insureds",
        "gaig insureds",
        "landy insureds",
        "nip group",
        "purm insureds",
        "overview core",
        "united",
        "ip address",
        "present nov",
        "present may",
        "moved",
        "encrypt",
        "unknown",
        "backdoor",
        "passive dns",
        "ransom",
        "checkin",
        "trojandropper",
        "mtb nov",
        "twitter",
        "trojan",
        "data upload",
        "extraction",
        "failed",
        "united states",
        "server response",
        "google safe",
        "results may",
        "lowfi",
        "virtool",
        "mtb alf",
        "mh alf",
        "port",
        "windows nt",
        "destination",
        "msie",
        "khtml",
        "gecko",
        "unknown aaaa",
        "a domains",
        "meta",
        "for privacy",
        "cop supply",
        "urls",
        "as139646 hong",
        "hostname",
        "files",
        "hong kong",
        "domain add",
        "ip related",
        "hash avast",
        "avg clamav",
        "msdefender may",
        "ddos",
        "as13335",
        "ipv4",
        "certificate",
        "hostname add",
        "url analysis",
        "files ip",
        "name strings",
        "category",
        "united states",
        "pulse indicator",
        "address",
        "error",
        "null",
        "object",
        "string",
        "number",
        "google maps",
        "promise",
        "javascript api",
        "dataset",
        "bigint",
        "dark",
        "android",
        "infinity",
        "internal",
        "roboto",
        "trident",
        "void",
        "small",
        "lightrail",
        "false",
        "span",
        "close",
        "light",
        "hybrid",
        "embed",
        "iframe",
        "keygen",
        "this",
        "february",
        "bounce",
        "drop",
        "inside",
        "outside",
        "marker",
        "present dec",
        "pulses otx",
        "aaaa",
        "asnone country",
        "record value",
        "title",
        "pulse pulses",
        "pulses",
        "showing",
        "unknown cname",
        "unknown soa",
        "next associated",
        "ipv4 add",
        "cycbot",
        "extract indic",
        "sneaker bots",
        "proxies data",
        "script script",
        "adult content",
        "nextimage",
        "porn site",
        "div div",
        "platform make",
        "cloudfront x",
        "hio52 p3",
        "unknown ns",
        "pulse submit",
        "title error",
        "reverse dns",
        "status",
        "servers",
        "name servers",
        "vashti hostname",
        "scan endpoints",
        "url http",
        "http",
        "files domain",
        "files related",
        "pulses none",
        "dnssec",
        "sec ch",
        "ch ua",
        "ua full",
        "ua platform",
        "ua bitness",
        "ua arch",
        "version sec",
        "mobile sec",
        "model sec",
        "version list",
        "domain",
        "emails",
        "cookie",
        "url https",
        "show",
        "filehash",
        "urls show",
        "date checked",
        "url hostname",
        "results nov",
        "win32",
        "type",
        "learn",
        "ck id",
        "name tactics",
        "suspicious",
        "informative",
        "command",
        "adversaries",
        "ssl certificate",
        "defense evasion",
        "spawns",
        "flag",
        "llc name",
        "server",
        "markmonitor",
        "name server",
        "windir",
        "openurl c",
        "prefetch2",
        "show technique",
        "mitre att",
        "ck matrix",
        "pattern match",
        "ascii text",
        "sha1",
        "href",
        "show process",
        "file",
        "general",
        "local",
        "path",
        "germany unknown",
        "date",
        "registrar",
        "ip whois",
        "dynamicloader",
        "high",
        "medium",
        "search",
        "displayname",
        "tofsee",
        "win64",
        "write",
        "stream",
        "malware",
        "push",
        "entries",
        "tls handshake",
        "failure",
        "forbidden",
        "tlsv1",
        "april",
        "next",
        "write c",
        "intel",
        "ms windows",
        "sha1 add",
        "av detections",
        "ids detections",
        "yara detections",
        "alerts",
        "analysis date",
        "file score",
        "sha256 add",
        "present jun",
        "present mar",
        "medelln",
        "colombia asn",
        "dns resolutions",
        "address domain",
        "related tags",
        "none google",
        "safe browsing",
        "external",
        "present sep",
        "present aug",
        "as54113",
        "present jul",
        "as8068",
        "gmt content",
        "total",
        "read",
        "delete",
        "top source",
        "quasi",
        "murderers",
        "christopher ahmann",
        "buzz ahmann",
        "wow64",
        "slcc2",
        "media center",
        "labor",
        "employment",
        "cdle",
        "dowc",
        "colorado",
        "workers",
        "coloradoif",
        "independent",
        "state",
        "company",
        "entity type",
        "authorized line",
        "analysis",
        "tor analysis",
        "process details",
        "network traffic",
        "t1071",
        "potential ip",
        "click",
        "found",
        "t1480 execution",
        "bad traffic",
        "et info",
        "ck techniques",
        "evasion att",
        "t1057",
        "refresh",
        "body",
        "strings",
        "tools",
        "look",
        "verify",
        "restart",
        "cname",
        "form",
        "pulse",
        "script domains",
        "script urls",
        "administrator",
        "services llc",
        "dns admin",
        "domain admin",
        "global llc",
        "domain manager",
        "computer system",
        "ltd domain",
        "network",
        "alibaba",
        "facebook",
        "phishme",
        "sogou",
        "present jan",
        "present feb",
        "present oct"
      ],
      "references": [
        "https://www.fmglaw.com/lawyers/christopher-ahmann - found in adult content pulse.",
        "Sneaker Bots Proxies Servers Cook Groups Cop Supply",
        "archive.cop.supply \u2022 dev.cop.supply \u2022 https://cop.supply/ \u2022 https://cop.supply/bot-lists/",
        "https://cop.supply/supreme-bots/\u2022 https://cop.supply/useful-tools/",
        "https://cop.supply/proxies-lists/ \u2022 https://cop.supply/shopify-bots/",
        "dns.army \u2022 www.dcopr.dns.army  \u2022 www.glsyaiwjj.dns.army \u2022  www.wgmvk.dns.army",
        "https://maps.googleapis.com/maps/api/js?sensor=false",
        "cell-0.af-south-1.prod.telemetry.console.api.aws",
        "howtoworkacrickoutofyourneck2.pages.dev",
        "firebase-auth-eich0v.pages.dev",
        "http://ianswertomom.com/develop-wise-woman-within-yourself",
        "http://ianswertomom.com/bible-verses-struggling-contentment-mom/  I",
        "https://i-want-to-start-an-onlyfans.pages.dev/favicon.ico| I bet you do boo boo",
        "makeapornsite.com \u2022 https://pornhighschool.com/ \u2022 https://ethnicerotic.com \u2022 https://twitter.com/Make",
        "https://khmerpornvideo.signup0.y.id/",
        "https://lordseriala.life/6337-zvezdnye-vojny-opornaja-komanda.html",
        "https://clear.ml/infrastructure-control-plane",
        "dev-app.project-cicada.com \u2022 http://dev-app.project-cicada.com \u2022 https://dev-app.project-cicada.com (2014 report predates 2016 reports)",
        "https://amano.inboundtools.com/tpcontact  URL https://armg.inboundtools.com/  URL https://gaiax.inboundtools.com/internship  URL https://hmk.inboundtools.com/  URL https://hmk.inboundtools.com/form/assetview_siryo_sier",
        "https://download.clear.ml/cpython_builds/releases/ \u2022 https://download.clear.",
        "https://links.mail.samsara.com/s/c/P9R6gGlExR4nfCwqwJXUmr7NmKcMNde4ZBhCFprlVtsFNgh-4tuTWla0aXN9rIWCjrWtn0Vln7x-hexxVBlY3xxvnEevR8qJU5G5xV3__wo-X7kkpSOhJVfejac-Xk8qu6zs5Z-tILwWYRkNScZNGlAqfwQuJuRw5M-n_ZKI6tuY5XGCZAqWoQepi1NnJiW4wZJkzZlOwGtNkusbuKDcMsLVrrhji2eKh4kYgrJp_SeycJRhasLFCQ3c2bPu4sahEWpcHZrQBaxvdfQgTEno8kV-RJdTDO0zK5MyWDJLeds7mnaDrxlb0O2zmhebUdlHE0R0xHi25dympBUpMlLsQV8bx1WUTOfgK4k0ci9o_2Gbfe22-jLxsJN-msV6pxWYQMaxRNFd4iZRC9J9Z1SC5MBqbvNzqdt98kFdpibnv_QIHdhFyHOR_Ip_LX67Dncc8V8OvAi-H5phfeSyDzwdzf2FQIi82",
        "https://voidpet.io/invite/scaredscared/1rpzxWXa61 \u2022 https://sex-doggy.net/tag/censored",
        "Everyone has simply asked you alll to stop. Target never asked anyone for money.",
        "Legal court documented  agreement to allow and pay target to hire cyber investigators",
        "Attacks are being carried out by The State of Colorado"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America",
        "Japan",
        "France",
        "Ireland",
        "Spain",
        "Italy",
        "Aruba",
        "Australia",
        "Denmark",
        "United Kingdom of Great Britain and Northern Ireland",
        "Germany",
        "T\u00fcrkiye",
        "Indonesia"
      ],
      "malware_families": [
        {
          "id": "Win.Trojan.GravityRAT-6511862-0",
          "display_name": "Win.Trojan.GravityRAT-6511862-0",
          "target": null
        },
        {
          "id": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat!rfn",
          "display_name": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat!rfn",
          "target": null
        },
        {
          "id": "Unix.Trojan.Tsunami-6981155-0",
          "display_name": "Unix.Trojan.Tsunami-6981155-0",
          "target": null
        },
        {
          "id": "TrojanDropper:Win32/Systex.A",
          "display_name": "TrojanDropper:Win32/Systex.A",
          "target": "/malware/TrojanDropper:Win32/Systex.A"
        },
        {
          "id": "Win.Trojan.Tepfer-61",
          "display_name": "Win.Trojan.Tepfer-61",
          "target": null
        },
        {
          "id": "TrojanDownloader:Win32/CutwailRansom:Win32/Crowti.A",
          "display_name": "TrojanDownloader:Win32/CutwailRansom:Win32/Crowti.A",
          "target": null
        },
        {
          "id": "VirTool:Win32/VBInject.gen!MH",
          "display_name": "VirTool:Win32/VBInject.gen!MH",
          "target": "/malware/VirTool:Win32/VBInject.gen!MH"
        },
        {
          "id": "ALF:NID:Susp_NSIS_Stub.A",
          "display_name": "ALF:NID:Susp_NSIS_Stub.A",
          "target": null
        },
        {
          "id": "#LOWFI:HSTR:Criakl.B1",
          "display_name": "#LOWFI:HSTR:Criakl.B1",
          "target": null
        },
        {
          "id": "Backdoor:Win32/Arwobot.B",
          "display_name": "Backdoor:Win32/Arwobot.B",
          "target": "/malware/Backdoor:Win32/Arwobot.B"
        },
        {
          "id": "Win.Packed.Bandook-9882274-1",
          "display_name": "Win.Packed.Bandook-9882274-1",
          "target": null
        },
        {
          "id": "TrojanDownloader:Win32/Cutwail",
          "display_name": "TrojanDownloader:Win32/Cutwail",
          "target": "/malware/TrojanDownloader:Win32/Cutwail"
        },
        {
          "id": "Win.Downloader.Small-4507",
          "display_name": "Win.Downloader.Small-4507",
          "target": null
        },
        {
          "id": "Trojan:Win32/Qbot.R!MTB",
          "display_name": "Trojan:Win32/Qbot.R!MTB",
          "target": "/malware/Trojan:Win32/Qbot.R!MTB"
        },
        {
          "id": "Win.Malware.Mikey-9949492-0",
          "display_name": "Win.Malware.Mikey-9949492-0",
          "target": null
        },
        {
          "id": "Ransom:Win32/Crowti.A",
          "display_name": "Ransom:Win32/Crowti.A",
          "target": "/malware/Ransom:Win32/Crowti.A"
        },
        {
          "id": "Backdoor:Linux/DemonBot.Aa!MTB",
          "display_name": "Backdoor:Linux/DemonBot.Aa!MTB",
          "target": "/malware/Backdoor:Linux/DemonBot.Aa!MTB"
        },
        {
          "id": "Unix.Trojan.Gafgyt-6981154-0",
          "display_name": "Unix.Trojan.Gafgyt-6981154-0",
          "target": null
        },
        {
          "id": "DDOS:Linux/Gafgyt.YA!MTB",
          "display_name": "DDOS:Linux/Gafgyt.YA!MTB",
          "target": "/malware/DDOS:Linux/Gafgyt.YA!MTB"
        },
        {
          "id": "CVE-2017-11882",
          "display_name": "CVE-2017-11882",
          "target": null
        },
        {
          "id": "ALF:Exploit:O97M/CVE-2017-8977",
          "display_name": "ALF:Exploit:O97M/CVE-2017-8977",
          "target": null
        },
        {
          "id": "Cycbot",
          "display_name": "Cycbot",
          "target": null
        },
        {
          "id": "Win32:BotX-gen\\ [Trj]",
          "display_name": "Win32:BotX-gen\\ [Trj]",
          "target": null
        },
        {
          "id": "NIDS",
          "display_name": "NIDS",
          "target": null
        },
        {
          "id": "Mirai (ELF)",
          "display_name": "Mirai (ELF)",
          "target": null
        },
        {
          "id": "Worm",
          "display_name": "Worm",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1069",
          "name": "Permission Groups Discovery",
          "display_name": "T1069 - Permission Groups Discovery"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1480",
          "name": "Execution Guardrails",
          "display_name": "T1480 - Execution Guardrails"
        },
        {
          "id": "T1553",
          "name": "Subvert Trust Controls",
          "display_name": "T1553 - Subvert Trust Controls"
        },
        {
          "id": "T1568",
          "name": "Dynamic Resolution",
          "display_name": "T1568 - Dynamic Resolution"
        },
        {
          "id": "T1583",
          "name": "Acquire Infrastructure",
          "display_name": "T1583 - Acquire Infrastructure"
        },
        {
          "id": "T1590",
          "name": "Gather Victim Network Information",
          "display_name": "T1590 - Gather Victim Network Information"
        },
        {
          "id": "T1204.001",
          "name": "Malicious Link",
          "display_name": "T1204.001 - Malicious Link"
        },
        {
          "id": "T1457",
          "name": "Malicious Media Content",
          "display_name": "T1457 - Malicious Media Content"
        },
        {
          "id": "T1071.004",
          "name": "DNS",
          "display_name": "T1071.004 - DNS"
        },
        {
          "id": "T1155",
          "name": "AppleScript",
          "display_name": "T1155 - AppleScript"
        },
        {
          "id": "T1060",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1060 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1045",
          "name": "Software Packing",
          "display_name": "T1045 - Software Packing"
        },
        {
          "id": "T1063",
          "name": "Security Software Discovery",
          "display_name": "T1063 - Security Software Discovery"
        },
        {
          "id": "T1113",
          "name": "Screen Capture",
          "display_name": "T1113 - Screen Capture"
        },
        {
          "id": "T1068",
          "name": "Exploitation for Privilege Escalation",
          "display_name": "T1068 - Exploitation for Privilege Escalation"
        },
        {
          "id": "T1210",
          "name": "Exploitation of Remote Services",
          "display_name": "T1210 - Exploitation of Remote Services"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "TA0037",
          "name": "Command and Control",
          "display_name": "TA0037 - Command and Control"
        },
        {
          "id": "T1031",
          "name": "Modify Existing Service",
          "display_name": "T1031 - Modify Existing Service"
        },
        {
          "id": "T1583.005",
          "name": "Botnet",
          "display_name": "T1583.005 - Botnet"
        },
        {
          "id": "T1176",
          "name": "Browser Extensions",
          "display_name": "T1176 - Browser Extensions"
        },
        {
          "id": "T1185",
          "name": "Man in the Browser",
          "display_name": "T1185 - Man in the Browser"
        },
        {
          "id": "T1574.008",
          "name": "Path Interception by Search Order Hijacking",
          "display_name": "T1574.008 - Path Interception by Search Order Hijacking"
        },
        {
          "id": "T1410",
          "name": "Network Traffic Capture or Redirection",
          "display_name": "T1410 - Network Traffic Capture or Redirection"
        },
        {
          "id": "T1449",
          "name": "Exploit SS7 to Redirect Phone Calls/SMS",
          "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
        },
        {
          "id": "T1593.002",
          "name": "Search Engines",
          "display_name": "T1593.002 - Search Engines"
        }
      ],
      "industries": [
        "Insurance",
        "Construction"
      ],
      "TLP": "green",
      "cloned_from": "693cdc5b8ebc10664439c2fb",
      "export_count": 14,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Q.Vashti",
        "id": "337942",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 54118,
        "domain": 11153,
        "hostname": 18578,
        "email": 21,
        "FileHash-SHA256": 4905,
        "FileHash-MD5": 548,
        "FileHash-SHA1": 534,
        "CVE": 7,
        "SSLCertFingerprint": 20,
        "CIDR": 1
      },
      "indicator_count": 89885,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 145,
      "modified_text": "111 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "692f23547b713b128b9c8156",
      "name": "Indicator Deletion Attack | Chris P. Ahmann Esq  still utilizes parking crews to execute cyber attacks",
      "description": "Unable to open malware indicators at this time. These attackers use Parking Crews for their exploits, leasing parked  domains for the amount of time needed to execute an attack. The attack last predate me ever using Level Blue. I have to review  indicators reports more closely but, I do see a the multitude of attacks against target TLB and an intersection of attacks concerning Disable_Duck (Alberta) Chris Ahmann , Colorado government indicated. \n\n[OTX auto populated - Adversaries may use techniques to evade detection in their malware or tools, as well as using techniques such as code signing, encryption, and other techniques for avoiding detection and monitoring of their activities.]",
      "modified": "2026-01-01T17:01:48.163000",
      "created": "2025-12-02T17:35:15.203000",
      "tags": [
        "data upload",
        "extraction",
        "failed",
        "learn",
        "ck id",
        "name tactics",
        "suspicious",
        "informative",
        "adversaries",
        "command",
        "defense evasion",
        "spawns",
        "development att",
        "united",
        "flag",
        "poland poland",
        "windir",
        "openurl c",
        "prefetch2",
        "analysis",
        "tor analysis",
        "dns requests",
        "domain address",
        "mitre att",
        "ck matrix",
        "pattern match",
        "ascii text",
        "show process",
        "network traffic",
        "t1057",
        "general",
        "local",
        "path",
        "encrypt",
        "hosts ip",
        "details",
        "ssl certificate",
        "sha256",
        "sha1",
        "size",
        "unicode text",
        "crlf",
        "utf8",
        "lf line",
        "server",
        "command decode",
        "markmonitor",
        "amazon",
        "ltd dba",
        "com laude",
        "organization",
        "click",
        "show technique",
        "brand",
        "microsoft edge",
        "windows nt",
        "win64",
        "khtml",
        "gecko",
        "submitted",
        "prefetch1",
        "name server",
        "misc attack",
        "et tor",
        "known tor",
        "relayrouter",
        "contacted hosts",
        "google",
        "pornhub",
        "ip address",
        "t1480 execution",
        "file defense",
        "passive dns",
        "related nids",
        "urls",
        "files location",
        "flag united"
      ],
      "references": [
        "deploy-delete-app-us-east-2-1.deploy-delete-test-us-east-2-1mtsufd.us-east-2.gamma.forgeapps.ec2.aws.dev",
        "Amazon.com \u2022 Google.com \u2022YouTube.com, Apple.com ,  etc Exploited",
        "cloudendpointsapis.com \u2022 https://www.vgt.pl/style/style.css \u2022 ceidg.gov.pl",
        "pl.wikipedia.org \u2022  fontawesome.io \u2022  opensource.org \u2022 videojet.com",
        "https://discoverreceiver.gurus.vmicrosoft.com/ \u2022 account.live.com \u2022 acctcdn.msauth.net",
        "https://www.milehighmedia.com/legal/2257",
        "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian",
        "https://twitter.com/PORNO_SEXYBABES",
        "http://www.anyxxxtube.net/search-porn/tsara-brashears",
        "https://wallpapers-nature.com/tsara-brashears/urlscan-io",
        "http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex",
        "http://www.anyxxxtube.net/search-porn/tsara-brashears/",
        "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net \u2022 wallpapers-nature.com",
        "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian \u2022",
        "https://wallpapers-nature.com/ tsara-brashears/urlscan-io",
        "https://wallpapers-nature.com/%20tsara-brashears/urlscan-io",
        "http://aplikacja.ceidg.gov.pl/CEIDG/CEIDG.Public.UI/EntryChangeHistory.Id=7a025cc6",
        "(Delete app that removed YoiTube views) www.youtube.com/watch?v=GyuMozsVyYs",
        "http://watchhers.net/index.php",
        "everesttech.net \u2022 aws.amazon.com \u2022  cm.everesttech.net \u2022 dpm.demdex.net \u2022 s3.amazonaws.com"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "CVE-2023-22518",
          "display_name": "CVE-2023-22518",
          "target": null
        },
        {
          "id": "Other Malware",
          "display_name": "Other Malware",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1069",
          "name": "Permission Groups Discovery",
          "display_name": "T1069 - Permission Groups Discovery"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1480",
          "name": "Execution Guardrails",
          "display_name": "T1480 - Execution Guardrails"
        },
        {
          "id": "T1539",
          "name": "Steal Web Session Cookie",
          "display_name": "T1539 - Steal Web Session Cookie"
        },
        {
          "id": "T1553",
          "name": "Subvert Trust Controls",
          "display_name": "T1553 - Subvert Trust Controls"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        },
        {
          "id": "T1568",
          "name": "Dynamic Resolution",
          "display_name": "T1568 - Dynamic Resolution"
        },
        {
          "id": "T1583",
          "name": "Acquire Infrastructure",
          "display_name": "T1583 - Acquire Infrastructure"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 2,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Q.Vashti",
        "id": "337942",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "hostname": 1358,
        "FileHash-MD5": 100,
        "FileHash-SHA1": 102,
        "FileHash-SHA256": 1682,
        "URL": 2497,
        "CVE": 2,
        "domain": 400,
        "SSLCertFingerprint": 6,
        "email": 3
      },
      "indicator_count": 6150,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 142,
      "modified_text": "150 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "68396d9ae8b96e90ff1848d5",
      "name": "AcK-U // unenriched - 05.30.25",
      "description": "Just a quick check",
      "modified": "2025-07-23T20:11:01.749000",
      "created": "2025-05-30T08:34:34.215000",
      "tags": [
        "amazon02",
        "cloudflarenet",
        "amazonaes",
        "fastly",
        "github",
        "google",
        "facebook",
        "namecheapnet",
        "service",
        "cdck",
        "level3",
        "cloud",
        "com laude",
        "ltd dba",
        "namecheap inc",
        "gandi sas",
        "gmbh",
        "cloudflare",
        "namecheap",
        "registrarsafe",
        "ascio",
        "tucows",
        "spaceship",
        "please",
        "javascript",
        "iocs",
        "threat",
        "malware unread",
        "collection",
        "crowdsourced",
        "acku new",
        "share",
        "updated",
        "first ioc",
        "seen",
        "premium",
        "entity"
      ],
      "references": [
        "https://www.virustotal.com/gui/collection/e03439bc07bcb1908764755571e127ec051193d4cc24cf842ec3179557f533cb/iocs",
        "https://www.virustotal.com/graph/embed/g36d8fc13d786418ab1d0a75cc331f0eb5bca28d4a4fe4666a84f23e25fb6600b?theme=dark",
        "https://www.virustotal.com/gui/collection/e03439bc07bcb1908764755571e127ec051193d4cc24cf842ec3179557f533cb/summary",
        "https://report.netcraft.com/submission/iduhE4oNTsMOSAeOeBjzZdIfCLtefF3P - 07.23.25 - see notes on references*"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "United States of America",
        "Canada"
      ],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 15,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 1,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Disable_Duck",
        "id": "244325",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "CIDR": 91,
        "domain": 204,
        "hostname": 192,
        "URL": 731,
        "FileHash-SHA256": 27,
        "email": 1
      },
      "indicator_count": 1246,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 131,
      "modified_text": "312 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "684c8fcde05dacb07f1a202e",
      "name": "Payment - Ref Id- H3426584.doc (aws.dev) Emotet",
      "description": "",
      "modified": "2025-07-13T20:04:30.723000",
      "created": "2025-06-13T20:53:33.231000",
      "tags": [
        "learn more",
        "added active",
        "related pulses",
        "emotet",
        "malware",
        "get http",
        "dns resolutions",
        "resolved ips",
        "post http",
        "ua71173394",
        "ip address",
        "status code",
        "body length",
        "kb body",
        "media sharing",
        "known infection source",
        "spyware",
        "real estate",
        "compromised websites",
        "malware sites",
        "huge domains",
        "parking crew",
        "business",
        "malware service",
        "mas",
        "aws",
        "dev",
        "false",
        "error",
        "url https",
        "url http",
        "indicator role",
        "title added",
        "active related",
        "pulses",
        "showing",
        "entries",
        "sha256",
        "ttl value",
        "first",
        "privacy admin",
        "domain status",
        "redacted for",
        "server",
        "admin city",
        "country",
        "organization",
        "postal code",
        "stateprovince",
        "date",
        "key identifier",
        "x509v3 subject",
        "data",
        "v3 serial",
        "number",
        "algorithm",
        "cus olet",
        "encrypt cnr11",
        "validity",
        "subject public",
        "dirtsearch",
        "dns"
      ],
      "references": [
        "Payment - Ref Id- H3426584.doc FileHash SHA256 ed2914efddb8e8f4c89abf95faa32572d35b3cfdfb202266993f6e7624a2048c",
        "The sandbox Zenbox flags this file as: EVADER",
        "The sandbox Dr.Web vxCube flags this file as: MALWARE EXPLOIT",
        "IDS: Matches rule SURICATA STREAM Packet with invalid ack",
        "IDS: Matches rule SURICATA STREAM SHUTDOWN RST invalid ack",
        "YARA: Office_Document_with_VBA_Project from ruleset Office_Document_with_VBA_Project by InQuest Labs",
        "YARA: Microsoft_Office_Documents_Excessive_Variables from ruleset Microsoft_Office_Documents_Excessive_Variables by InQuest Labs",
        "Dr. Web known infection source",
        "Emotet download site = dirt search.org / aws.dev and other related DGA\u2019s (active)",
        "Xcitium Verdict Cloud government & legal -  https://www.dirtsearch.org/data/TSARA/BRASHEARS/",
        "DirtSearch.org | BitDefender business | Forcepoint ThreatSeeker reference materials | Xcitium Verdict Cloud government & legal",
        "Verdict: Defense Law Firm | malicious tools / agitators"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "Doc.Downloader.Emotet-7196349-0",
          "display_name": "Doc.Downloader.Emotet-7196349-0",
          "target": null
        },
        {
          "id": "vb:Trojan.Agent.EEZZ",
          "display_name": "vb:Trojan.Agent.EEZZ",
          "target": null
        },
        {
          "id": "trojan.w97m/emotetdldr",
          "display_name": "trojan.w97m/emotetdldr",
          "target": null
        },
        {
          "id": "Troj/DocDl-SOK",
          "display_name": "Troj/DocDl-SOK",
          "target": null
        },
        {
          "id": "Static AI - Malicious OLE",
          "display_name": "Static AI - Malicious OLE",
          "target": null
        },
        {
          "id": "Trojan.W97M.POWLOAD.SMRV08",
          "display_name": "Trojan.W97M.POWLOAD.SMRV08",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1588.001",
          "name": "Malware",
          "display_name": "T1588.001 - Malware"
        },
        {
          "id": "T1447",
          "name": "Delete Device Data",
          "display_name": "T1447 - Delete Device Data"
        },
        {
          "id": "T1578.003",
          "name": "Delete Cloud Instance",
          "display_name": "T1578.003 - Delete Cloud Instance"
        },
        {
          "id": "T1583.001",
          "name": "Domains",
          "display_name": "T1583.001 - Domains"
        },
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        },
        {
          "id": "T1036.004",
          "name": "Masquerade Task or Service",
          "display_name": "T1036.004 - Masquerade Task or Service"
        },
        {
          "id": "T1114.001",
          "name": "Local Email Collection",
          "display_name": "T1114.001 - Local Email Collection"
        },
        {
          "id": "T1110.002",
          "name": "Password Cracking",
          "display_name": "T1110.002 - Password Cracking"
        },
        {
          "id": "T1512",
          "name": "Capture Camera",
          "display_name": "T1512 - Capture Camera"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1204.002",
          "name": "Malicious File",
          "display_name": "T1204.002 - Malicious File"
        },
        {
          "id": "T1457",
          "name": "Malicious Media Content",
          "display_name": "T1457 - Malicious Media Content"
        },
        {
          "id": "T1204.001",
          "name": "Malicious Link",
          "display_name": "T1204.001 - Malicious Link"
        },
        {
          "id": "T1204.003",
          "name": "Malicious Image",
          "display_name": "T1204.003 - Malicious Image"
        },
        {
          "id": "T1071.004",
          "name": "DNS",
          "display_name": "T1071.004 - DNS"
        },
        {
          "id": "T1185",
          "name": "Man in the Browser",
          "display_name": "T1185 - Man in the Browser"
        },
        {
          "id": "T1523",
          "name": "Evade Analysis Environment",
          "display_name": "T1523 - Evade Analysis Environment"
        },
        {
          "id": "T1610",
          "name": "Deploy Container",
          "display_name": "T1610 - Deploy Container"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 29,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Q.Vashti",
        "id": "337942",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 37,
        "FileHash-SHA1": 44,
        "FileHash-SHA256": 117,
        "URL": 47,
        "domain": 41,
        "hostname": 43
      },
      "indicator_count": 329,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 144,
      "modified_text": "322 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "684c792c7a89d98470ecef31",
      "name": "aws.dev - Emotet - Hub for  malicious activity",
      "description": "\u2022 Domain Name: aws.dev |\n\u2022 (DGA) https://www.google.com/search?client=ms-google-coop&q=%22deploy-delete-app-eu-west-1-0.deploy-delete-test-eu-west-1-oigwi9v.us-east-1.forgeapps.ec2.aws.dev%22&cx=003414466004237966221:dgg7iftvryo | \n\u2022 34.226.76.55 |\n\u2022\u2019domains.amazon | \n\u2022 devilspen.com |\n\u2022 aisux.aws.dev |\t\t\n\u2022 alex.aws.dev  |\t\n\u2022 askjarvis.aws.dev |\n\u2022 atrium.aws.dev |\n\u2022 automated-runbooks.aws.dev |\nFalse 404 codes and Error pages - very active malicious behavior",
      "modified": "2025-07-13T18:02:18.648000",
      "created": "2025-06-13T19:17:00.818000",
      "tags": [
        "united",
        "creation date",
        "search",
        "entries",
        "passive dns",
        "urls",
        "showing",
        "pulse pulses",
        "files",
        "domain",
        "dnssec",
        "expiration date",
        "unknown cname",
        "hostname add",
        "date",
        "redacted for",
        "email",
        "code",
        "organization",
        "privacy billing",
        "privacy tech",
        "postal code",
        "privacy admin",
        "com laude",
        "ltd dba",
        "nomiq",
        "limited dba",
        "admin city",
        "country",
        "stateprovince",
        "city",
        "mtb oct",
        "win32",
        "next associated",
        "mtb mar",
        "ipv4 add",
        "trojan",
        "apanas",
        "ransom",
        "body"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 32,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Q.Vashti",
        "id": "337942",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 1111,
        "hostname": 1014,
        "URL": 2554,
        "FileHash-SHA256": 1461,
        "FileHash-MD5": 64,
        "email": 6,
        "FileHash-SHA1": 63
      },
      "indicator_count": 6273,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 144,
      "modified_text": "322 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "66cec16f4b510d325dc923a1",
      "name": "192.70.175.110 - ELF:Hajime-Q _ Mirai Botnet Malware",
      "description": "Private IP 192.70.175.110 | Reverse DNS\ndns1.state.co.us showed Mirai Bonet Malware. Under same IP address is an 'alleged' unknown REGRU-RU Passive DNS ns1.ns2.www.madunixxx.ru with a password compromise \u00bb PSW.Generic12.WIO.  \nIt's unclear if a Frank Muccio Admin of Security Operations doesn't appear to work on premise in Colorado, There is a Frank Di Muccio SGT involved with RallyPoint, , described as a social group for military personal. Rally Point was seen in very early graphs featuring alleged Rallypoint Pornhub Devs, tied to Brian Sabey. I wasn't able to personally verify this employee in Colorado Possibly contracted OIT by state . The link was recently whitelisted.",
      "modified": "2024-09-27T03:03:09.340000",
      "created": "2024-08-28T06:19:27.154000",
      "tags": [
        "as36081 state",
        "location united",
        "america asn",
        "dns resolutions",
        "domains top",
        "level",
        "unique tlds",
        "mirai",
        "united states",
        "united",
        "ave suite",
        "purpose p5",
        "country united",
        "code us",
        "name security",
        "nexus category",
        "phone number",
        "postal code",
        "network",
        "number",
        "country us",
        "continent na",
        "algorithm",
        "data",
        "v3 serial",
        "cus oapple",
        "public ev",
        "server ecc",
        "g1 validity",
        "organization",
        "subject public",
        "rauschenberg",
        "apple computer",
        "applec1z",
        "mitre att",
        "evasion ta0005",
        "hashes",
        "msie",
        "windows nt",
        "wow64",
        "slcc2",
        "media center",
        "response",
        "request",
        "accept",
        "location https",
        "taiwan as3462",
        "south korea",
        "as4766 korea",
        "high",
        "japan as17676",
        "china as45090",
        "http",
        "search",
        "contacted",
        "malware",
        "copy",
        "as41231",
        "united kingdom",
        "status",
        "aaaa",
        "ddos",
        "whitelisted",
        "certificate",
        "moved",
        "trojan",
        "virtool",
        "encrypt",
        "software",
        "initial",
        "passive dns",
        "scan endpoints",
        "all scoreblue",
        "body",
        "a domains",
        "linux ubuntu",
        "creation date",
        "enterprise open",
        "ubuntu",
        "linux",
        "social",
        "window",
        "code",
        "ipv4",
        "urls",
        "files",
        "reverse dns",
        "trojan features",
        "file samples",
        "files matching",
        "date hash",
        "domain",
        "address",
        "name servers",
        "servers",
        "intel",
        "icmp traffic",
        "dead_host",
        "network_icmp",
        "osquery_detection",
        "nolookup_communication",
        "pulse pulses",
        "unknown",
        "as20940",
        "as15169 google",
        "dns show",
        "status hostname",
        "query type",
        "address first",
        "seen last",
        "seen asn",
        "country unknown",
        "province co",
        "error",
        "tr tr",
        "pulse submit",
        "url analysis",
        "hostname",
        "files ip",
        "asnone united",
        "ireland unknown",
        "brazil unknown",
        "next",
        "showing",
        "gmt content",
        "apache cache",
        "pragma",
        "record value",
        "trojanproxy",
        "win32",
        "title",
        "server",
        "alf features",
        "related pulses",
        "show",
        "ip address",
        "asn as16509",
        "china unknown",
        "hichina",
        "hong kong",
        "as133775 xiamen",
        "web server",
        "authentication",
        "tls web",
        "full name",
        "ca issuers",
        "as44273 host",
        "a nxdomain",
        "avast avg",
        "russia unknown",
        "germany unknown",
        "turkey unknown",
        "japan unknown",
        "as16276",
        "france unknown",
        "service",
        "ck ids",
        "t1082",
        "t1129",
        "modules",
        "t1045",
        "packing",
        "t1060",
        "run keys",
        "startup"
      ],
      "references": [
        "IP Private: 192.70.174.110 | Unix.Trojan.Mirai-6976991-0",
        "Unix.Trojan.Mirai-6976991-0  FileHash-SHA256 760a17dea7794ebbfb5c54e7e74d0b53fd9e079e43be0b9b6e3df7eb14a47be9 ELF:Mirai-AHC\\ [Trj]",
        "192.70.175.110 | Mirai | Reverse DNS | State.CO.US | United States of America ASN AS36081 State of Colorado General Government Computer | ns1.ns2.www.madunixxx.ru",
        "Yara: Mirai_Botnet_Malware",
        "ELF:Mirai-AHC\\ [Trj] FileHash-SHA256 a282f250e59f8754335993293bfbfcc154cdb67ff0e234162f40a6cce5c4290c",
        "ELF:Mirai-AHC\\ [Trj] 1.101.117.25 Location: Korea, Republic Korea, Republic of ASN AS4766 Korea Telecom",
        "Admin Email: frank.muccio@state.co.us Admin Id: FRANMUC15 Admin of Security Operations Admin: Nexus Category: C21",
        "FRANMUC15 Phone Number: +1.3037646860 601 E 18th Ave Suite 250 80203 ,CO",
        "Not Resolving | www._courts.state.co.us | https://otx.alienvault.com/indicator/hostname/www._courts.state.co.us",
        "54.239.28.85 | Exploited CVE-2002-0013 Antivirus Detections: Trojan:Win32/FlyStudio Win.Malware.Snojan Win.Trojan.Tofsee [fld8.com unk/0auth]",
        "PSW.Generic12.WIO | [ns1.ns2.www.madunixxx.ru] FileHash-SHA256 84989bfe79becdea44a2290df3f52bfc2363b6c603aa2b7742dcdde5c7cba12a",
        "PSW.Generic12.WIO \u00bb FileHash-SHA256 84989bfe79becdea44a2290df3f52bfc2363b6c603aa2b7742dcdde5c7cba12a | ns1.ns2.www.madunixxx.ru",
        "192.70.175.110 [2016-07-10 10] 197.45.77.34 MADUNIXXX.RU 197.45.85.125 Registrar:REGRU-RU Status\u00bbREGISTERED, DELEGATED, VERIFIED Passive",
        "madunixxx.ru | 192.70.175.110 | AS36081 State of Colorado General Government Computer Name Servers: ns1.madunixxx.ru  Created: Jun 19, 2016",
        "privaterelay.appleid.com | http://certs.apple.com/apevsecc1g1.der | certs.apple.com | http://crl.apple.com/apevsecc1g1.crl | ocsp.apple.com",
        "images.apple.com | crl.apple.com | https://assets.ubuntu.com/v1/17b68252 |  ads-apple.com.cn | networking.apple | ads-apple.apple.com.cn |",
        "ip-geolocation.apple.com | http://ocsp.apple.com/ocsp03-apevsecc1g101 | docs-staging.swift.org | drauschenberg@apple.com | apple-noc@apple.com",
        "Yara Detections Mirai_Botnet_Malware",
        "Detections Executable and linking format (ELF) file download Over HTTP",
        "Yara Detections: UPXProtectorv10x2 , UPX , ELFHighEntropy , elf_empty_sections Alerts: dead_host | ELF:Mirai-AII\\ [Trj]",
        "Detections Executable and linking format (ELF) file download Over HTTP",
        "Frank Muccio - Serco Conroe, Texas, United States \u00b7 Serco 28+ Years of Information Technology (IT) experience. 20+ Years of leadership and\u2026 \u00b7 Experience: Serco \u00b7 Education: University of Maryland University College"
      ],
      "public": 1,
      "adversary": "Frank Di MuccioSGT",
      "targeted_countries": [
        "United States of America"
      ],
      "malware_families": [
        {
          "id": "Mirai",
          "display_name": "Mirai",
          "target": null
        },
        {
          "id": "DDoS:Linux/Lightaidra",
          "display_name": "DDoS:Linux/Lightaidra",
          "target": "/malware/DDoS:Linux/Lightaidra"
        },
        {
          "id": "Trojan:Win32/Skeeyah",
          "display_name": "Trojan:Win32/Skeeyah",
          "target": "/malware/Trojan:Win32/Skeeyah"
        },
        {
          "id": "ALF:Trojan:Win32/FlyStudio.PA!MTB",
          "display_name": "ALF:Trojan:Win32/FlyStudio.PA!MTB",
          "target": null
        },
        {
          "id": "Win.Trojan.Tofsee-6840338-0",
          "display_name": "Win.Trojan.Tofsee-6840338-0",
          "target": null
        },
        {
          "id": "Win.Malware.Snojan-6775202-0",
          "display_name": "Win.Malware.Snojan-6775202-0",
          "target": null
        },
        {
          "id": "#LowFiEnableDTContinueAfterUnpacking",
          "display_name": "#LowFiEnableDTContinueAfterUnpacking",
          "target": null
        },
        {
          "id": "PSW.Generic12.WIO",
          "display_name": "PSW.Generic12.WIO",
          "target": null
        },
        {
          "id": "ELF:Hajime-Q",
          "display_name": "ELF:Hajime-Q",
          "target": null
        },
        {
          "id": "Botnet",
          "display_name": "Botnet",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1045",
          "name": "Software Packing",
          "display_name": "T1045 - Software Packing"
        },
        {
          "id": "T1060",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1060 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1410",
          "name": "Network Traffic Capture or Redirection",
          "display_name": "T1410 - Network Traffic Capture or Redirection"
        },
        {
          "id": "T1449",
          "name": "Exploit SS7 to Redirect Phone Calls/SMS",
          "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
        },
        {
          "id": "T1498",
          "name": "Network Denial of Service",
          "display_name": "T1498 - Network Denial of Service"
        },
        {
          "id": "T1499",
          "name": "Endpoint Denial of Service",
          "display_name": "T1499 - Endpoint Denial of Service"
        },
        {
          "id": "T1110.002",
          "name": "Password Cracking",
          "display_name": "T1110.002 - Password Cracking"
        },
        {
          "id": "T1003.008",
          "name": "/etc/passwd and /etc/shadow",
          "display_name": "T1003.008 - /etc/passwd and /etc/shadow"
        },
        {
          "id": "T1601",
          "name": "Modify System Image",
          "display_name": "T1601 - Modify System Image"
        },
        {
          "id": "T1155",
          "name": "AppleScript",
          "display_name": "T1155 - AppleScript"
        },
        {
          "id": "T1078.001",
          "name": "Default Accounts",
          "display_name": "T1078.001 - Default Accounts"
        },
        {
          "id": "TA0005",
          "name": "Defense Evasion",
          "display_name": "TA0005 - Defense Evasion"
        },
        {
          "id": "T1147",
          "name": "Hidden Users",
          "display_name": "T1147 - Hidden Users"
        },
        {
          "id": "T1583.005",
          "name": "Botnet",
          "display_name": "T1583.005 - Botnet"
        },
        {
          "id": "T1583.002",
          "name": "DNS Server",
          "display_name": "T1583.002 - DNS Server"
        }
      ],
      "industries": [
        "Telecommunications",
        "Government",
        "Civilian Society"
      ],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 17,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "scoreblue",
        "id": "254100",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 1108,
        "hostname": 627,
        "domain": 628,
        "URL": 534,
        "FileHash-MD5": 377,
        "FileHash-SHA1": 373,
        "email": 12,
        "CIDR": 2,
        "SSLCertFingerprint": 2
      },
      "indicator_count": 3663,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 231,
      "modified_text": "612 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "66b0fa3624bf0384e427f2e7",
      "name": "Tracking Domains 4.2 - 08.19.24",
      "description": "Tracking Domains detected by Privacy Badger Ext. on Microsoft Edge Browser (W11 Device) using Telus ISP (ASN852)\n*Not-Enriched (08.05.24): ~50,000 suggests IOCs by AlienVault\nFrom VT: 2 IPs hosted by 45090 (Shenzhen Tencent Computer Systems Company Limited) & 4611 (CNNIC member) seem to be the problem here 118[.]89.204.198, 118[.]89.0.0/16 & 202[.]123.107.15, 202[.]123.107.0/24 (Respectively)",
      "modified": "2024-09-04T15:01:01.432000",
      "created": "2024-08-05T16:13:42.563000",
      "tags": [],
      "references": [
        "https://www.virustotal.com/gui/collection/21cbd369ea901f41d51b666439aa41070c76eafb66dbbc6e56c86e0923b1569f/iocs",
        "https://www.virustotal.com/gui/collection/21cbd369ea901f41d51b666439aa41070c76eafb66dbbc6e56c86e0923b1569f/summary",
        "https://www.virustotal.com/gui/collection/21cbd369ea901f41d51b666439aa41070c76eafb66dbbc6e56c86e0923b1569f/graph",
        "https://www.virustotal.com/graph/embed/ge839428bb3e24a98aae8cbcc242ae4d8febdc0c46e49411ebb09d155e22b4bbc?theme=dark",
        "https://viz.greynoise.io/query/AS4611",
        "https://urlscan.io/asn/AS4611",
        "https://urlscan.io/search/#asn:%22AS4611%22",
        "https://urlscan.io/asn/AS45090",
        "https://urlscan.io/search/#asn%3A%22AS45090%22",
        "https://viz.greynoise.io/query/AS45090",
        "https://urlscan.io/result/aeb42615-79b7-465d-924e-c9bdde3eefd1/#transactions",
        "https://urlscan.io/result/d4bf08e4-88dc-4bf8-be34-6b352576882e/#behaviour",
        "Filescan[.]io report: bc47c757-0a4d-4659-98d4-5d0c86406462 (08.23.24)",
        "https://krebsonsecurity.com/2024/07/dont-let-your-domain-name-be"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "Canada",
        "United States of America"
      ],
      "malware_families": [],
      "attack_ids": [],
      "industries": [
        "Technology"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 17,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Disable_Duck",
        "id": "244325",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "hostname": 6180,
        "FileHash-MD5": 1,
        "domain": 24921,
        "URL": 10854
      },
      "indicator_count": 41956,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 140,
      "modified_text": "634 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "aws.dev",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "aws.dev",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780325275.1187966
}