{ "type": "Domain", "indicator": "coinbase.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/coinbase.com", "alexa": "http://www.alexa.com/siteinfo/coinbase.com", "indicator": "coinbase.com", "type": "domain", "type_title": "Domain", "validation": [ { "source": "akamai", "message": "Akamai rank: #3347", "name": "Akamai Popular Domain" }, { "source": "majestic", "message": "Whitelisted domain coinbase.com", "name": "Whitelisted domain" }, { "source": "mining", "message": "Whitelisted mining domain coinbase.com", "name": "Whitelisted mining domain" }, { "source": "whitelist", "message": "Whitelisted domain coinbase.com", "name": "Whitelisted domain" } ], "base_indicator": { "id": 2117132831, "indicator": "coinbase.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 15, "pulses": [ { "id": "695089cbedad5c86f39b1363", "name": "Tracking Domains 03.03.26 (Updated Test)", "description": "Privacy Badger - Update on 01.09.26\nTracking domains on a hybrid (mobile laptop) clone of an AHS/Covenant Health, UAlberta (University of Alberta), and Government of Alberta Laptop.\nHealthcare: No Cybersecurity, EDU: No Cybersecurity / Remote only, GoA = Informed & don't quite know what to do or to whom this should be brought up with.", "modified": "2026-04-05T06:35:43.679000", "created": "2025-12-28T01:37:15.993000", "tags": [ "privacy badger", "sites general", "settings widget", "domains manage", "data privacy", "badger", "hide" ], "references": [ "https://hybrid-analysis.com/sample/6a8efb46a1811fab955b629b37b5c483a812cc66519436acd726ff2a854f7a86", "https://yaraify.abuse.ch/scan/results/32bfc760-1757-11f1-b47f-42010aa4000b", "https://polyswarm.network/scan/results/file/6a8efb46a1811fab955b629b37b5c483a812cc66519436acd726ff2a854f7a86", "https://app.threat.zone/submission/c8b0b1e4-0c9b-4210-b5ce-1dc2303445df/overview", "https://www.virustotal.com/gui/collection/18b52f4087178dedfee577ab7e53c5a86e84c2a7f901fa796240247f4be76f32/iocs", "https://www.virustotal.com/gui/collection/18b52f4087178dedfee577ab7e53c5a86e84c2a7f901fa796240247f4be76f32/summary", "https://www.virustotal.com/graph/embed/g6d4bce6162064ac09cd20411c1947e69d7d5a1d475f0447da023ac933d338fce?theme=dark", "https://viz.greynoise.io/ip/analysis/6356f330-63a7-4ce3-91fa-7ab355a1dc1a" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada", "United States of America", "Netherlands" ], "malware_families": [], "attack_ids": [], "industries": [ "Education", "Healthcare", "Government", "Technology", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 50404, "hostname": 10879, "URL": 715, "FileHash-MD5": 1 }, "indicator_count": 61999, "is_author": false, "is_subscribing": null, "subscriber_count": 130, "modified_text": "14 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69cf461ebc1a9bcfbffa2aad", "name": "VirusTotal Droidy Android Sandbox", "description": "Here is the full list of results from the second day of the 2016 Android World Championship, held at 22:00 BST on Tuesday, 1 July.. . and \u00c2\u00a31.\n\ni cant add this one - legacy - http://100tosdefotos.com/", "modified": "2026-04-03T05:08:23.191000", "created": "2026-04-03T04:46:22.211000", "tags": [ "process", "current object", "android sandbox", "europemadrid", "windows sandbox", "clear filters", "has permission", "file type", "apks", "accesses", "sim provider", "name", "may check", "mitre attack", "network info", "malicious", "persistence", "cloud", "chrome cache", "png image", "cache entry", "rgba", "entry", "web open", "font format", "version", "truetype", "next", "detail info", "text", "classname", "window", "static", "behaviour", "filename", "offset", "class", "button", "mozilla", "shell", "nsis", "find", "back", "state", "connecting", "connected", "suspended", "disconnected", "unknown", "shell folders", "default", "inprocserver32", "new roman", "registry keys", "nothing", "shell dlg", "roman baltic186", "roman cyr204", "roman tur162", "xffxfea xffxfea", "xffu xffu", "xffxfcs xffxfcs", "x8af x8af", "xb6p xb6p", "xb6y xb6y", "x88g x88g", "xb6xf2 xb6xf2", "xfft", "xc1xe7 xc1xe7", "axec", "programfiles", "allusersprofile", "windir", "protocol level", "application", "previous", "next connection", "address", "full path", "behavior", "bits", "dump", "path", "calls clear", "eandroidruntime", "pufwifi", "flag", "networkinfo", "action", "extras", "start", "componentname", "write", "calls process", "cname", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "address virtual", "path c", "sha256", "accept", "shutdown", "error", "sandbox", "stack", "win32 exe", "pe32", "intel", "ms windows", "win16 ne", "os2 executable", "generic windos", "executable", "dos executable", "generic", "processes extra", "performs dns", "t1055 process", "overview", "overview zenbox", "verdict", "guest system", "ultimate file", "android", "zip archive", "xapk android", "android package", "java archive", "sweet home", "design", "html document", "unicode text", "utf8 text", "crlf", "lf line", "language", "date mon", "gmt contenttype", "connection", "link", "json", "xlitespeedcache", "reportto", "server", "contentencoding", "cfray", "king88", "ch cng", "c thit", "c bit", "iu hp", "trang ch", "king88 com", "ci ng", "cp s", "c vit", "object", "string", "number", "null", "function", "g5wmgjr5qk4", "cssselector", "regexp", "date", "void", "trident", "mini", "meta", "please", "javascript", "members", "staff", "inspection", "abip", "local broadcast", "newsletter fcc", "resource center", "marshfield high", "school", "localism join", "facebook", "contact", "summer", "grave", "email", "photo", "strong", "peter deftos", "sign", "learn", "memorial", "leave", "problem", "done", "already", "close", "verify", "twitter", "details", "full", "persist", "editorimpl" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/a0fb314babd51dbc460ab126b615da4c6f9481f5d1225d0ac189da9d99923bb3_VirusTotal%20Droidy.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775189779&Signature=KfMCCyf96T3bMlo9SpmV1KGK0zKBbkhhSc6Ig5Hvwfx%2FTKTqEVBDXB28XNeWzWbCRTwCNnYlHV3Ed%2BMjcd%2B1aCTDYi5GH9Qw3msxqk5iKwRhzDIhfpM98SwOLC%2B7xZUAC60ecDmVDsjA9OOwOkJe87q3Rrx2lrU9%2BjuSJ1EdwI16qoJyd29sLcX7STTqAMHuzCjIixIOre64HAjpH4lt%2F8tSgE1A5Rs2V7PRHSX6ibKLD", "https://vtbehaviour.commondatastorage.googleapis.com/a0fb314babd51dbc460ab126b615da4c6f9481f5d1225d0ac189da9d99923bb3_VirusTotal%20R2DBox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775189811&Signature=O96heM5BVAaltXSZInHXgIgK35KjLrLg%2FfKtFXVS%2BoRHTlfpZtn4LpFvolATpK7dED66Ms7SXpn8nX0i7j1IpuDOXOXSm112TOKIKVVPZJH5ppCD6uFYvhkfNcQGa%2FXK%2BDixyM%2BuqwGoJSFD6QzP8J2Iz1GyU4RYYWuB2C7ZD7LOWKlvxF%2F9LTAX8jFDLgFVsE3Og3cU8y3jK%2BenDPthRM6YFu3qewxpti7KVNwKeMJ", "https://vtbehaviour.commondatastorage.googleapis.com/a0fb314babd51dbc460ab126b615da4c6f9481f5d1225d0ac189da9d99923bb3_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775189872&Signature=P%2Fa2KXhuVwj4RO8cyfIpkYofLKzsLiKRPHuVAi7hjApskLh84OqCfKuK51z7bTKZd8lCCiQ7XuIaxWQDR7qzDFvuCWutobNhKDdHSDLrTMtqqX3o5RmBpSzMUw3jQJcbxsYWqaOMHy8ZeWEVRuB9orvLwMZbJMMIJM8GhUVHZ6%2BwciVIoj0lYTCb%2FEEkQWTV4g3hs9l8KRzbEfvJGja6ANuv1OtdFLk8pejrraAJMB7ThsjINOXbJb", "https://vtbehaviour.commondatastorage.googleapis.com/5dae281deccea2c5229861b4f2ff8c386da1726a836839961311896a6c9f5a69_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775189913&Signature=KduKv0QQf8IKhUUAV%2F0zpzpUmIU%2BEctpJKxUJlyu0Myu11iCQCXfXPprtMBAv5ifc4GLTHDiIuEAJwg%2B%2BHGWjun5ZKLKzoz8Ot2udHqFxvy6ZToPEC4Iui9vdRDHqosVaT77R1Tm1TGuyKVmwYTcow4klVAcpzEWanzWx1jHS42ARepJVrS3AFXHMaaBdTgr23jXcbmly1t3b8lwVilcsk2itdoprPpClQTzwYr1y7YV1%2FbYTDGocHnDwCYy", "https://vtbehaviour.commondatastorage.googleapis.com/37efacb8411234dd9882d8d3a8709f492eb2ed252132da099a11be07c0b4ccb0_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775189954&Signature=2gy%2BsyEM78P6orDGWKQU%2FFPSIdVK9X7o8Nkcwb%2BY4r%2FCb%2Bo9JmA9T%2Bfonw9IqbojQSIK%2BNShZUJJ9GV4wWT5l1QfkYfZP0MJ91%2BkDw39PLOc4VVgmBApIQJRTIlgSlI020YfOeIPoIYH8yuCF2dJ32zKg87g0dDFkg4zbExGDJB3%2BGDxX5MJ6hHuzVrwxm7E1L%2F%2FffKQ%2B9rXqoT0hRHEdPSaXSydmnqfMfnjCv", "https://vtbehaviour.commondatastorage.googleapis.com/970fdc4da66bc8fff977698c150fc6ebdf9488356ed41ded52d2659830ec5353_VirusTotal%20Droidy.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775189984&Signature=f%2FZZkKTu5zUihkCuCj%2F0pEGmBjWWBiZRDmREgGkkkKvTyR7M5iC0oLGYfaL6WibiUB6pQirxgBtEcS2JtupD291Or3j7%2BKoyngW7R9uf%2FjjWQwfC5YHKjNutT6K5TYuEmzySVs9onhIBSjj4U%2Bi2q%2FMJmQFiDtFZHfcyy00LYqbAbBwEAUnVJZUdH6FvNBu4ArU26VDLDwv1nMSgEjxUWBCwiP4HXlwL5%2BxU6y0eTc2", "https://vtbehaviour.commondatastorage.googleapis.com/37efacb8411234dd9882d8d3a8709f492eb2ed252132da099a11be07c0b4ccb0_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775190004&Signature=Nzt9YHY3Ji2VsLO1kvr7%2FyWWwOgo%2BCIoXyjtyshhzTGRxGzhcNdyKU9byPqyv%2F5YAzj%2BmNnDego3ImYeToBCbgyY%2BJJMmUKX6ZrUT1a2O4gv9eMyysIFgYhJ7ZpzyGIvHR5VSJlzPX0AWS81Ml7syDCjTGHikZ9G%2B%2B0cfDA0dhp%2FR7zhAp7yxB2jsDhz1kDY3nncYpjeVtj2o02Nt4JxPa5ML%2FvKBF%2FBHtOtBCqh%2", "https://vtbehaviour.commondatastorage.googleapis.com/1256f3aa5f091ac40a573113fcc1a4d0e320af5ee363b0eca79618602cb7dc66_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775190083&Signature=a1bnyt5OUcTN8ONeNVqbY%2Fe%2FDVJ2N3olQ9r59dijMLLegF84xQDghj0r6VPdFB8fc%2B3QTcJqhpm6vag1pK9us%2F3UqDJ3Yubf%2FukjL4GMKXDdMSggljB7d%2FpkTraQysnttspVal56LzXitjgIEGYZTidKcIv5LM6YH4zCAXn%2BVueaBNIgpcDS0RuX8fVAQYOeftW9AiEz2TZzx1BT6KUgoj0Tzetn4k541357bb58K1w9n9QV1", "https://vtbehaviour.commondatastorage.googleapis.com/1256f3aa5f091ac40a573113fcc1a4d0e320af5ee363b0eca79618602cb7dc66_Dr.Web%20vxCube.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775190146&Signature=3XpRLUQ3g712Vw0Gv1aflVxZs7RKpzIhEK8giO9ydwOrOGjLnAK89Y%2BmEf4g2U2YbO04EE%2BcdR5xPgcch1%2B1Gf4thYCgBcbKEEIfNK5UrJwBpAkYRm3D9xsnD%2FVxZt26yLC6aQy87D%2FKNC9aLvViRHGxuFgOp4zkcU%2BRD6mmpIB8SpX5%2BDpocWc4s9R%2BywRPXZ2U2E49g81i%2B5io3Ycqe8ikdjbPlZo9R0KEFLaDQtH", "https://vtbehaviour.commondatastorage.googleapis.com/37efacb8411234dd9882d8d3a8709f492eb2ed252132da099a11be07c0b4ccb0_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775190199&Signature=RiO2p%2BBvc38TqeTuiMJNxoT6Jr3JfHvTQFQIk94ZaRY%2FPP5yEPSH45GncMCh4GqP1%2F%2BNLR2IVm5Z2svEWojLwxq%2Fl0eIAWy1chUQmg2GcEg5YoaEEnXpWjb1er08EIYwV0ZC8parFwVrr194MKeUmZYo5NLYk4%2BCim9ipnxYse12eROsMSXZtyS4daGivzQzihRqTUU9iEn%2FxAKEOI%2F3V8JRrqNy3nDqmo1mdoVr", "https://vtbehaviour.commondatastorage.googleapis.com/bc20f137a2281fae2ee13f698e613e72c37f6b4eb6784653f284f11f4d83ba77_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775190236&Signature=Fg7jPZWmHQO%2BH8GRQx%2FxSMq5Na7Oo9cN0HR99DHFY8svYTkPoerGELKx7Sf906aTDq2Rer45ajXeYPzzHTiab9NKqWR1JGHbaq0WapVqsRzvXz2QLuBhHoz50tIoVKnx8ZrN9HqHBQweg8nfN%2FWEoaHVlSgav3jhoNTnZAC%2Fa%2BsTLexjXFBIP2v4jpISAl82ESU%2FGZH64BtZpgIJz7RZXdDqZ3LF7JTgwG2JX94%2BOOSn3G14", "https://vtbehaviour.commondatastorage.googleapis.com/5dae281deccea2c5229861b4f2ff8c386da1726a836839961311896a6c9f5a69_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775190298&Signature=eEF6m7QHRnKk%2FYB374HxqU2TE0p8gXC9CWwIHPT7M6fEZKjeFUEmUEbqdupsD2hQQbkW%2Fmijo2rSEQ30q3EAyR9aQO3m6L91A6osc3kDipeyZqFrIqoj6wIe8MJGuRf4OC9cVAWipGYXPG5bqc3v6RUHir9MeLOggoGjalexCwBgs3SsGyhqU1uWZdJ%2Fs4nUbHyIJGc3FB9OrnhDRuGPdkfPSOA09hfujcul91zQNws4dznvmM", "https://vtbehaviour.commondatastorage.googleapis.com/a0fb314babd51dbc460ab126b615da4c6f9481f5d1225d0ac189da9d99923bb3_VirusTotal%20Droidy.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775190345&Signature=33%2BM36uNOvEfi8bNtJvnbxcTgcnoIlIO2vBglXpCJFNwC8HAewGOF91Q26TOAsw4sbmtTxQ2F5Q2jv2V3ULV8MAxxgYVptJ69SusRt7qZeBDUpMY%2BOdTYqjkdBuYUqYiCvM756aQheS1KvDepeD64x8e%2FivWkpm%2BZ9yDaKUc7w2143zYkc8kpyBSsO8rJI9vyoHYvbr4sfZOowoUWK7yMjQD9SN5bL%2FFABbMrPEOMyobApm", "https://vtbehaviour.commondatastorage.googleapis.com/06b6d62477011fa63fdb44046351fbe574391916a4f3ea0486b3e3498145a7d7_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775190407&Signature=Y3EAa%2Fwo4ligJHfBUxkzWLjU9FPLyNmsxeNdcPCIPQBYTTGUIaFddrFIYHFhawxMDvixd7uA0qGc0zVDWgbStf2qhTOU1D0aF%2F%2BSLSXEY3VB8oWRXZCEI12zrSd5P4lHInxRS3CJKbNnJP4GvYx20ctpNSo4u%2FvVMLM%2B92TiYCunAVTquDVrFNNim6LJTEz2ucjhcgF2gKn%2FF0f9ALEheC1lk4omwpcYEPQLNX0wNsxNC%2BWQ", "https://vtbehaviour.commondatastorage.googleapis.com/bb46c18b5b2c98937c8fdfb7acd3e0fa4d0534cfc44d4b41ccd6db9198266fbf_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775190605&Signature=Rcvj5v%2By7yAX52ap8q3zDGTMjVRQm1LkjuWyhDQUaO6QXR1Ld%2F1dD2QjluOGOuXNiW%2FMNP%2Bqj%2Bx6KtYCvttE847keFo1Em2Bm%2F8bv4vK%2FJL0nGIiz%2FatgO7O78LZZ1wkYwcfG5JZAj8VdjDlHQbuOIUz8Nahqt2JUyQ84z3OeH5d3%2BjV8NKW5SjGWQw4mcmjPQXUznoCsysLbjCd5sgZTpyLUdeFJcNKQPiNBURsJeiyCI5llz0j", "https://www.googletagmanager.com/gtag/js?id=GT-NNS2QH6C", "https://www.googletagmanager.com/ns.html?id=GTM-PHWTRTJ", "https://www.virustotal.com/gui/url/f6db0235760bd467ca822ad515a8410121fde4713501b3e718b8fb127dfa259c?nocache=1", "https://www.massbroadcasters.org/eeo-organizations/marshfield-high-school", "https://www.findagrave.com/memorial/139047900/peter-deftos", "https://vtbehaviour.commondatastorage.googleapis.com/a041cbdeb64c802bde90e06f25213524b2eac500d6000da7e4caeb96e5de1991_VirusTotal%20Droidy.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775191439&Signature=evxsL1kaOuLe5KziYCSqZ56H%2FqXRQgEN0tkJo0j5G7JQ3mmO0Kav5K9LCz%2FUEzi%2BdtB%2B3%2B7VM6r9pC%2BMh7nHxT%2Bs8UAYuVXPE%2FUbBdHWMjvZQuqrZ0hHqIR2xHVB132HiYQWLo%2FgS1QATOfAcHci3X4FqmqvUp7A%2FmNsE1aVFbLc971RHQOuTapOGhiDZlVUyA9KvpMDKw0DzdeHFSlayBSrDDsWL7xW06XOf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1406", "name": "Obfuscated Files or Information", "display_name": "T1406 - Obfuscated Files or Information" }, { "id": "T1409", "name": "Access Stored Application Data", "display_name": "T1409 - Access Stored Application Data" }, { "id": "T1412", "name": "Capture SMS Messages", "display_name": "T1412 - Capture SMS Messages" }, { "id": "T1413", "name": "Access Sensitive Data in Device Logs", "display_name": "T1413 - Access Sensitive Data in Device Logs" }, { "id": "T1414", "name": "Capture Clipboard Data", "display_name": "T1414 - Capture Clipboard Data" }, { "id": "T1418", "name": "Application Discovery", "display_name": "T1418 - Application Discovery" }, { "id": "T1421", "name": "System Network Connections Discovery", "display_name": "T1421 - System Network Connections Discovery" }, { "id": "T1422", "name": "System Network Configuration Discovery", "display_name": "T1422 - System Network Configuration Discovery" }, { "id": "T1424", "name": "Process Discovery", "display_name": "T1424 - Process Discovery" }, { "id": "T1426", "name": "System Information Discovery", "display_name": "T1426 - System Information Discovery" }, { "id": "T1429", "name": "Capture Audio", "display_name": "T1429 - Capture Audio" }, { "id": "T1430", "name": "Location Tracking", "display_name": "T1430 - Location Tracking" }, { "id": "T1432", "name": "Access Contact List", "display_name": "T1432 - Access Contact List" }, { "id": "T1439", "name": "Eavesdrop on Insecure Network Communication", "display_name": "T1439 - Eavesdrop on Insecure Network Communication" }, { "id": "T1447", "name": "Delete Device Data", "display_name": "T1447 - Delete Device Data" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1507", "name": "Network Information Discovery", "display_name": "T1507 - Network Information Discovery" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1523", "name": "Evade Analysis Environment", "display_name": "T1523 - Evade Analysis Environment" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 70, "FileHash-SHA1": 40, "FileHash-SHA256": 549, "URL": 344, "domain": 292, "hostname": 443, "IPv4": 127 }, "indicator_count": 1865, "is_author": false, "is_subscribing": null, "subscriber_count": 49, "modified_text": "16 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69cf461ceb2e58f5e3c0a44d", "name": "VirusTotal Droidy Android Sandbox", "description": "Here is the full list of results from the second day of the 2016 Android World Championship, held at 22:00 BST on Tuesday, 1 July.. . and \u00c2\u00a31.\n\ni cant add this one - legacy - http://100tosdefotos.com/", "modified": "2026-04-03T04:48:04.475000", "created": "2026-04-03T04:46:20.102000", "tags": [ "process", "current object", "android sandbox", "europemadrid", "windows sandbox", "clear filters", "has permission", "file type", "apks", "accesses", "sim provider", "name", "may check", "mitre attack", "network info", "malicious", "persistence", "cloud", "chrome cache", "png image", "cache entry", "rgba", "entry", "web open", "font format", "version", "truetype", "next", "detail info", "text", "classname", "window", "static", "behaviour", "filename", "offset", "class", "button", "mozilla", "shell", "nsis", "find", "back", "state", "connecting", "connected", "suspended", "disconnected", "unknown", "shell folders", "default", "inprocserver32", "new roman", "registry keys", "nothing", "shell dlg", "roman baltic186", "roman cyr204", "roman tur162", "xffxfea xffxfea", "xffu xffu", "xffxfcs xffxfcs", "x8af x8af", "xb6p xb6p", "xb6y xb6y", "x88g x88g", "xb6xf2 xb6xf2", "xfft", "xc1xe7 xc1xe7", "axec", "programfiles", "allusersprofile", "windir", "protocol level", "application", "previous", "next connection", "address", "full path", "behavior", "bits", "dump", "path", "calls clear", "eandroidruntime", "pufwifi", "flag", "networkinfo", "action", "extras", "start", "componentname", "write", "calls process", "cname", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "address virtual", "path c", "sha256", "accept", "shutdown", "error", "sandbox", "stack", "win32 exe", "pe32", "intel", "ms windows", "win16 ne", "os2 executable", "generic windos", "executable", "dos executable", "generic", "processes extra", "performs dns", "t1055 process", "overview", "overview zenbox", "verdict", "guest system", "ultimate file", "android", "zip archive", "xapk android", "android package", "java archive", "sweet home", "design", "html document", "unicode text", "utf8 text", "crlf", "lf line", "language", "date mon", "gmt contenttype", "connection", "link", "json", "xlitespeedcache", "reportto", "server", "contentencoding", "cfray", "king88", "ch cng", "c thit", "c bit", "iu hp", "trang ch", "king88 com", "ci ng", "cp s", "c vit", "object", "string", "number", "null", "function", "g5wmgjr5qk4", "cssselector", "regexp", "date", "void", "trident", "mini", "meta", "please", "javascript", "members", "staff", "inspection", "abip", "local broadcast", "newsletter fcc", "resource center", "marshfield high", "school", "localism join", "facebook", "contact", "summer", "grave", "email", "photo", "strong", "peter deftos", "sign", "learn", "memorial", "leave", "problem", "done", "already", "close", "verify", "twitter", "details", "full", "persist", "editorimpl" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/a0fb314babd51dbc460ab126b615da4c6f9481f5d1225d0ac189da9d99923bb3_VirusTotal%20Droidy.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775189779&Signature=KfMCCyf96T3bMlo9SpmV1KGK0zKBbkhhSc6Ig5Hvwfx%2FTKTqEVBDXB28XNeWzWbCRTwCNnYlHV3Ed%2BMjcd%2B1aCTDYi5GH9Qw3msxqk5iKwRhzDIhfpM98SwOLC%2B7xZUAC60ecDmVDsjA9OOwOkJe87q3Rrx2lrU9%2BjuSJ1EdwI16qoJyd29sLcX7STTqAMHuzCjIixIOre64HAjpH4lt%2F8tSgE1A5Rs2V7PRHSX6ibKLD", "https://vtbehaviour.commondatastorage.googleapis.com/a0fb314babd51dbc460ab126b615da4c6f9481f5d1225d0ac189da9d99923bb3_VirusTotal%20R2DBox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775189811&Signature=O96heM5BVAaltXSZInHXgIgK35KjLrLg%2FfKtFXVS%2BoRHTlfpZtn4LpFvolATpK7dED66Ms7SXpn8nX0i7j1IpuDOXOXSm112TOKIKVVPZJH5ppCD6uFYvhkfNcQGa%2FXK%2BDixyM%2BuqwGoJSFD6QzP8J2Iz1GyU4RYYWuB2C7ZD7LOWKlvxF%2F9LTAX8jFDLgFVsE3Og3cU8y3jK%2BenDPthRM6YFu3qewxpti7KVNwKeMJ", "https://vtbehaviour.commondatastorage.googleapis.com/a0fb314babd51dbc460ab126b615da4c6f9481f5d1225d0ac189da9d99923bb3_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775189872&Signature=P%2Fa2KXhuVwj4RO8cyfIpkYofLKzsLiKRPHuVAi7hjApskLh84OqCfKuK51z7bTKZd8lCCiQ7XuIaxWQDR7qzDFvuCWutobNhKDdHSDLrTMtqqX3o5RmBpSzMUw3jQJcbxsYWqaOMHy8ZeWEVRuB9orvLwMZbJMMIJM8GhUVHZ6%2BwciVIoj0lYTCb%2FEEkQWTV4g3hs9l8KRzbEfvJGja6ANuv1OtdFLk8pejrraAJMB7ThsjINOXbJb", "https://vtbehaviour.commondatastorage.googleapis.com/5dae281deccea2c5229861b4f2ff8c386da1726a836839961311896a6c9f5a69_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775189913&Signature=KduKv0QQf8IKhUUAV%2F0zpzpUmIU%2BEctpJKxUJlyu0Myu11iCQCXfXPprtMBAv5ifc4GLTHDiIuEAJwg%2B%2BHGWjun5ZKLKzoz8Ot2udHqFxvy6ZToPEC4Iui9vdRDHqosVaT77R1Tm1TGuyKVmwYTcow4klVAcpzEWanzWx1jHS42ARepJVrS3AFXHMaaBdTgr23jXcbmly1t3b8lwVilcsk2itdoprPpClQTzwYr1y7YV1%2FbYTDGocHnDwCYy", "https://vtbehaviour.commondatastorage.googleapis.com/37efacb8411234dd9882d8d3a8709f492eb2ed252132da099a11be07c0b4ccb0_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775189954&Signature=2gy%2BsyEM78P6orDGWKQU%2FFPSIdVK9X7o8Nkcwb%2BY4r%2FCb%2Bo9JmA9T%2Bfonw9IqbojQSIK%2BNShZUJJ9GV4wWT5l1QfkYfZP0MJ91%2BkDw39PLOc4VVgmBApIQJRTIlgSlI020YfOeIPoIYH8yuCF2dJ32zKg87g0dDFkg4zbExGDJB3%2BGDxX5MJ6hHuzVrwxm7E1L%2F%2FffKQ%2B9rXqoT0hRHEdPSaXSydmnqfMfnjCv", "https://vtbehaviour.commondatastorage.googleapis.com/970fdc4da66bc8fff977698c150fc6ebdf9488356ed41ded52d2659830ec5353_VirusTotal%20Droidy.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775189984&Signature=f%2FZZkKTu5zUihkCuCj%2F0pEGmBjWWBiZRDmREgGkkkKvTyR7M5iC0oLGYfaL6WibiUB6pQirxgBtEcS2JtupD291Or3j7%2BKoyngW7R9uf%2FjjWQwfC5YHKjNutT6K5TYuEmzySVs9onhIBSjj4U%2Bi2q%2FMJmQFiDtFZHfcyy00LYqbAbBwEAUnVJZUdH6FvNBu4ArU26VDLDwv1nMSgEjxUWBCwiP4HXlwL5%2BxU6y0eTc2", "https://vtbehaviour.commondatastorage.googleapis.com/37efacb8411234dd9882d8d3a8709f492eb2ed252132da099a11be07c0b4ccb0_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775190004&Signature=Nzt9YHY3Ji2VsLO1kvr7%2FyWWwOgo%2BCIoXyjtyshhzTGRxGzhcNdyKU9byPqyv%2F5YAzj%2BmNnDego3ImYeToBCbgyY%2BJJMmUKX6ZrUT1a2O4gv9eMyysIFgYhJ7ZpzyGIvHR5VSJlzPX0AWS81Ml7syDCjTGHikZ9G%2B%2B0cfDA0dhp%2FR7zhAp7yxB2jsDhz1kDY3nncYpjeVtj2o02Nt4JxPa5ML%2FvKBF%2FBHtOtBCqh%2", "https://vtbehaviour.commondatastorage.googleapis.com/1256f3aa5f091ac40a573113fcc1a4d0e320af5ee363b0eca79618602cb7dc66_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775190083&Signature=a1bnyt5OUcTN8ONeNVqbY%2Fe%2FDVJ2N3olQ9r59dijMLLegF84xQDghj0r6VPdFB8fc%2B3QTcJqhpm6vag1pK9us%2F3UqDJ3Yubf%2FukjL4GMKXDdMSggljB7d%2FpkTraQysnttspVal56LzXitjgIEGYZTidKcIv5LM6YH4zCAXn%2BVueaBNIgpcDS0RuX8fVAQYOeftW9AiEz2TZzx1BT6KUgoj0Tzetn4k541357bb58K1w9n9QV1", "https://vtbehaviour.commondatastorage.googleapis.com/1256f3aa5f091ac40a573113fcc1a4d0e320af5ee363b0eca79618602cb7dc66_Dr.Web%20vxCube.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775190146&Signature=3XpRLUQ3g712Vw0Gv1aflVxZs7RKpzIhEK8giO9ydwOrOGjLnAK89Y%2BmEf4g2U2YbO04EE%2BcdR5xPgcch1%2B1Gf4thYCgBcbKEEIfNK5UrJwBpAkYRm3D9xsnD%2FVxZt26yLC6aQy87D%2FKNC9aLvViRHGxuFgOp4zkcU%2BRD6mmpIB8SpX5%2BDpocWc4s9R%2BywRPXZ2U2E49g81i%2B5io3Ycqe8ikdjbPlZo9R0KEFLaDQtH", "https://vtbehaviour.commondatastorage.googleapis.com/37efacb8411234dd9882d8d3a8709f492eb2ed252132da099a11be07c0b4ccb0_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775190199&Signature=RiO2p%2BBvc38TqeTuiMJNxoT6Jr3JfHvTQFQIk94ZaRY%2FPP5yEPSH45GncMCh4GqP1%2F%2BNLR2IVm5Z2svEWojLwxq%2Fl0eIAWy1chUQmg2GcEg5YoaEEnXpWjb1er08EIYwV0ZC8parFwVrr194MKeUmZYo5NLYk4%2BCim9ipnxYse12eROsMSXZtyS4daGivzQzihRqTUU9iEn%2FxAKEOI%2F3V8JRrqNy3nDqmo1mdoVr", "https://vtbehaviour.commondatastorage.googleapis.com/bc20f137a2281fae2ee13f698e613e72c37f6b4eb6784653f284f11f4d83ba77_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775190236&Signature=Fg7jPZWmHQO%2BH8GRQx%2FxSMq5Na7Oo9cN0HR99DHFY8svYTkPoerGELKx7Sf906aTDq2Rer45ajXeYPzzHTiab9NKqWR1JGHbaq0WapVqsRzvXz2QLuBhHoz50tIoVKnx8ZrN9HqHBQweg8nfN%2FWEoaHVlSgav3jhoNTnZAC%2Fa%2BsTLexjXFBIP2v4jpISAl82ESU%2FGZH64BtZpgIJz7RZXdDqZ3LF7JTgwG2JX94%2BOOSn3G14", "https://vtbehaviour.commondatastorage.googleapis.com/5dae281deccea2c5229861b4f2ff8c386da1726a836839961311896a6c9f5a69_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775190298&Signature=eEF6m7QHRnKk%2FYB374HxqU2TE0p8gXC9CWwIHPT7M6fEZKjeFUEmUEbqdupsD2hQQbkW%2Fmijo2rSEQ30q3EAyR9aQO3m6L91A6osc3kDipeyZqFrIqoj6wIe8MJGuRf4OC9cVAWipGYXPG5bqc3v6RUHir9MeLOggoGjalexCwBgs3SsGyhqU1uWZdJ%2Fs4nUbHyIJGc3FB9OrnhDRuGPdkfPSOA09hfujcul91zQNws4dznvmM", "https://vtbehaviour.commondatastorage.googleapis.com/a0fb314babd51dbc460ab126b615da4c6f9481f5d1225d0ac189da9d99923bb3_VirusTotal%20Droidy.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775190345&Signature=33%2BM36uNOvEfi8bNtJvnbxcTgcnoIlIO2vBglXpCJFNwC8HAewGOF91Q26TOAsw4sbmtTxQ2F5Q2jv2V3ULV8MAxxgYVptJ69SusRt7qZeBDUpMY%2BOdTYqjkdBuYUqYiCvM756aQheS1KvDepeD64x8e%2FivWkpm%2BZ9yDaKUc7w2143zYkc8kpyBSsO8rJI9vyoHYvbr4sfZOowoUWK7yMjQD9SN5bL%2FFABbMrPEOMyobApm", "https://vtbehaviour.commondatastorage.googleapis.com/06b6d62477011fa63fdb44046351fbe574391916a4f3ea0486b3e3498145a7d7_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775190407&Signature=Y3EAa%2Fwo4ligJHfBUxkzWLjU9FPLyNmsxeNdcPCIPQBYTTGUIaFddrFIYHFhawxMDvixd7uA0qGc0zVDWgbStf2qhTOU1D0aF%2F%2BSLSXEY3VB8oWRXZCEI12zrSd5P4lHInxRS3CJKbNnJP4GvYx20ctpNSo4u%2FvVMLM%2B92TiYCunAVTquDVrFNNim6LJTEz2ucjhcgF2gKn%2FF0f9ALEheC1lk4omwpcYEPQLNX0wNsxNC%2BWQ", "https://vtbehaviour.commondatastorage.googleapis.com/bb46c18b5b2c98937c8fdfb7acd3e0fa4d0534cfc44d4b41ccd6db9198266fbf_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775190605&Signature=Rcvj5v%2By7yAX52ap8q3zDGTMjVRQm1LkjuWyhDQUaO6QXR1Ld%2F1dD2QjluOGOuXNiW%2FMNP%2Bqj%2Bx6KtYCvttE847keFo1Em2Bm%2F8bv4vK%2FJL0nGIiz%2FatgO7O78LZZ1wkYwcfG5JZAj8VdjDlHQbuOIUz8Nahqt2JUyQ84z3OeH5d3%2BjV8NKW5SjGWQw4mcmjPQXUznoCsysLbjCd5sgZTpyLUdeFJcNKQPiNBURsJeiyCI5llz0j", "https://www.googletagmanager.com/gtag/js?id=GT-NNS2QH6C", "https://www.googletagmanager.com/ns.html?id=GTM-PHWTRTJ", "https://www.virustotal.com/gui/url/f6db0235760bd467ca822ad515a8410121fde4713501b3e718b8fb127dfa259c?nocache=1", "https://www.massbroadcasters.org/eeo-organizations/marshfield-high-school", "https://www.findagrave.com/memorial/139047900/peter-deftos", "https://vtbehaviour.commondatastorage.googleapis.com/a041cbdeb64c802bde90e06f25213524b2eac500d6000da7e4caeb96e5de1991_VirusTotal%20Droidy.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775191439&Signature=evxsL1kaOuLe5KziYCSqZ56H%2FqXRQgEN0tkJo0j5G7JQ3mmO0Kav5K9LCz%2FUEzi%2BdtB%2B3%2B7VM6r9pC%2BMh7nHxT%2Bs8UAYuVXPE%2FUbBdHWMjvZQuqrZ0hHqIR2xHVB132HiYQWLo%2FgS1QATOfAcHci3X4FqmqvUp7A%2FmNsE1aVFbLc971RHQOuTapOGhiDZlVUyA9KvpMDKw0DzdeHFSlayBSrDDsWL7xW06XOf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1406", "name": "Obfuscated Files or Information", "display_name": "T1406 - Obfuscated Files or Information" }, { "id": "T1409", "name": "Access Stored Application Data", "display_name": "T1409 - Access Stored Application Data" }, { "id": "T1412", "name": "Capture SMS Messages", "display_name": "T1412 - Capture SMS Messages" }, { "id": "T1413", "name": "Access Sensitive Data in Device Logs", "display_name": "T1413 - Access Sensitive Data in Device Logs" }, { "id": "T1414", "name": "Capture Clipboard Data", "display_name": "T1414 - Capture Clipboard Data" }, { "id": "T1418", "name": "Application Discovery", "display_name": "T1418 - Application Discovery" }, { "id": "T1421", "name": "System Network Connections Discovery", "display_name": "T1421 - System Network Connections Discovery" }, { "id": "T1422", "name": "System Network Configuration Discovery", "display_name": "T1422 - System Network Configuration Discovery" }, { "id": "T1424", "name": "Process Discovery", "display_name": "T1424 - Process Discovery" }, { "id": "T1426", "name": "System Information Discovery", "display_name": "T1426 - System Information Discovery" }, { "id": "T1429", "name": "Capture Audio", "display_name": "T1429 - Capture Audio" }, { "id": "T1430", "name": "Location Tracking", "display_name": "T1430 - Location Tracking" }, { "id": "T1432", "name": "Access Contact List", "display_name": "T1432 - Access Contact List" }, { "id": "T1439", "name": "Eavesdrop on Insecure Network Communication", "display_name": "T1439 - Eavesdrop on Insecure Network Communication" }, { "id": "T1447", "name": "Delete Device Data", "display_name": "T1447 - Delete Device Data" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1507", "name": "Network Information Discovery", "display_name": "T1507 - Network Information Discovery" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1523", "name": "Evade Analysis Environment", "display_name": "T1523 - Evade Analysis Environment" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 70, "FileHash-SHA1": 40, "FileHash-SHA256": 549, "URL": 344, "domain": 293, "hostname": 443, "IPv4": 127 }, "indicator_count": 1866, "is_author": false, "is_subscribing": null, "subscriber_count": 49, "modified_text": "16 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6910cafb096eae0dcb39a800", "name": "Lawyers & Lazarus | Apple Spy : Treece Alfrey Musat P.C., Chris P. Ahmann Colorado State \u2022 Tam Legal Special Cousel for egregious", "description": "Chronicles of how quasi government , a State owned criminal defense attorney , protects sexual assaulter Jeffrey Reimer DPT. victim Palantir harassed, withheld healthcare , diagnoses, justice, monetary award for injured, stole insurance policies, hacked Denver artists, sold music her to artists whom profited, hacked Denver music studios, hired stalkers, human, controlled phone , car and everything in targets life including , doctors, attorneys, hospitals. It\u2019s always been clear to coming us that Anonymous and Lazarus are the police, judge , lawyer, ransom racist.\nThis group alone has cost the US billions! Responsible for 2014 Sony hack , FMOE.\nDirect Link. by phone , email in person contact , forced settlement hearing,. Adversarial Christopher P. Ahmann , relationship w / Lazarus group, hitmen , cyber crime and other crimes against persons.\n #rip #christopher_ahmann #palantir #lazarus #target_tsara_brashears", "modified": "2025-12-09T17:03:48.645000", "created": "2025-11-09T17:10:19.498000", "tags": [ "url http", "apple", "california", "apple public", "server rsa", "organization", "stateprovince", "ocsp", "nids united", "files", "united", "unknown ns", "ip address", "domain", "urls files", "passive dns", "found title", "sf hello", "myriad set", "pro myriad", "set lucida", "grande arial", "sf mono", "ipv4", "location united", "america flag", "america asn", "verdict", "files ip", "address", "as42 woodynet", "domain add", "ipv4 add", "reverse dns", "trojan", "name servers", "emails", "for privacy", "ltd dba", "com laude", "servers", "expiration date", "urls", "meta", "a domains", "country code", "store home", "title", "accept", "espaol", "english", "evil corp", "see all", "cyber hack", "republic", "canada", "season", "joe tidy", "sarah rainsford", "podcast", "bank", "ukraine", "dead", "indonesia", "police", "premium", "napoleon", "revolution", "michelangelo", "mozart", "global", "solid", "lazarus", "jabber zeus", "harrods", "ta markmonitor", "markmonitor", "search", "present aug", "unknown aaaa", "unknown soa", "win32", "invalid url", "trojanspy", "mtb apr", "backdoor", "next associated", "win64", "trojandropper", "twitter", "virtool", "ransom", "worm", "dynamicloader", "tlsv1", "high", "globalc", "medium", "windows", "cmd c", "delete c", "stream", "write", "next", "process32nextw", "http host", "dns query", "likely gandcrab", "et trojan", "windows nt", "wow64", "malware", "ms windows", "as16509", "as54113", "yara rule", "pe32 executable", "as15169", "powershell", "unknown", "response ip", "address google", "safe browsing", "hostname add", "port", "destination", "pe32", "intel", "error", "show", "delphi", "dcom", "form", "canvas", "united kingdom", "content type", "security", "moved", "great britain", "unknown a", "body doctype", "html public", "ietfdtd html", "showing", "packing t1045", "bytes", "read", "default", "christoper p ahmann", "target", "victims", "tsara brashears", "url https", "type indicator", "role title", "added active", "related pulses", "p1377925676", "gaz1", "sid1696503456", "present nov", "present oct", "date", "tcpmemhit", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "adversaries", "spawns", "defense evasion", "t1480 execution", "sha256", "sha1", "mitre att", "pattern match", "show technique", "ck matrix", "null", "refresh", "span", "hybrid", "general", "local", "path", "click", "strings", "tools", "look", "verify", "restart", "palantir", "foundry", "hitmen", "quasi", "government contracts", "jeffrey reimer", "hallrender", "workers compensation", "record value", "certificate" ], "references": [ "apple-dns.net , http://www.pestcontrol-appleton.com/ multiple Apple IoC", "https://podcasts.apple.com/us/podcast/the-lazarus-heist/id1561990291", "https://tamlegal.com/attorneys/christopher-p-ahmann/", "bpc-old.palantirfoundry.com", "OTX auto populated targeted groups.", "You have no idea where artists get their music or how the 5 main songwriters harvest songs from independent artists", "Target had endured hired hitman , physical attacks, vehicle attacks, gunpoint", "Assaulter Jeffrey Scott Reimer DPT isn\u2019t worth his monthly salary let alone all of this support", "Using Palantir Foundry tools have created a new false background for Brashears. Should be illegal.", "They blatantly steal from citizens , blame foreign entities.", "This is truly \u2019waste, fraud and abuse\u2019 usually a phrase used by insurance agents." ], "public": 1, "adversary": "Lazarus", "targeted_countries": [ "Bangladesh", "Japan", "United States of America" ], "malware_families": [ { "id": "ALF:SpikeAexR.PEVPSZL", "display_name": "ALF:SpikeAexR.PEVPSZL", "target": null }, { "id": "Ransom:MSIL/GandCrab", "display_name": "Ransom:MSIL/GandCrab", "target": "/malware/Ransom:MSIL/GandCrab" }, { "id": "Zeus", "display_name": "Zeus", "target": null }, { "id": "Ransom:Win32/Gandcrab.H!MTB", "display_name": "Ransom:Win32/Gandcrab.H!MTB", "target": "/malware/Ransom:Win32/Gandcrab.H!MTB" }, { "id": "Other Malware", "display_name": "Other Malware", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" } ], "industries": [ "Banks", "Crypto", "Entertainment", "Bank" ], "TLP": "white", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4572, "FileHash-MD5": 196, "domain": 1523, "hostname": 1393, "FileHash-SHA256": 2400, "FileHash-SHA1": 175, "email": 18, "SSLCertFingerprint": 8 }, "indicator_count": 10285, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "130 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69138a8144a8bf8040a92711", "name": "Lawyers & Lazarus | Apple Spy : Treece Alfrey Musat P.C., Chris P. Ahmann Colorado State \u2022 Tam Legal Special Counsel for egregious criminal acts \u2022 Christopher P. Ahmann attorney at Large", "description": "", "modified": "2025-12-09T17:03:48.645000", "created": "2025-11-11T19:12:01.843000", "tags": [ "url http", "apple", "california", "apple public", "server rsa", "organization", "stateprovince", "ocsp", "nids united", "files", "united", "unknown ns", "ip address", "domain", "urls files", "passive dns", "found title", "sf hello", "myriad set", "pro myriad", "set lucida", "grande arial", "sf mono", "ipv4", "location united", "america flag", "america asn", "verdict", "files ip", "address", "as42 woodynet", "domain add", "ipv4 add", "reverse dns", "trojan", "name servers", "emails", "for privacy", "ltd dba", "com laude", "servers", "expiration date", "urls", "meta", "a domains", "country code", "store home", "title", "accept", "espaol", "english", "evil corp", "see all", "cyber hack", "republic", "canada", "season", "joe tidy", "sarah rainsford", "podcast", "bank", "ukraine", "dead", "indonesia", "police", "premium", "napoleon", "revolution", "michelangelo", "mozart", "global", "solid", "lazarus", "jabber zeus", "harrods", "ta markmonitor", "markmonitor", "search", "present aug", "unknown aaaa", "unknown soa", "win32", "invalid url", "trojanspy", "mtb apr", "backdoor", "next associated", "win64", "trojandropper", "twitter", "virtool", "ransom", "worm", "dynamicloader", "tlsv1", "high", "globalc", "medium", "windows", "cmd c", "delete c", "stream", "write", "next", "process32nextw", "http host", "dns query", "likely gandcrab", "et trojan", "windows nt", "wow64", "malware", "ms windows", "as16509", "as54113", "yara rule", "pe32 executable", "as15169", "powershell", "unknown", "response ip", "address google", "safe browsing", "hostname add", "port", "destination", "pe32", "intel", "error", "show", "delphi", "dcom", "form", "canvas", "united kingdom", "content type", "security", "moved", "great britain", "unknown a", "body doctype", "html public", "ietfdtd html", "showing", "packing t1045", "bytes", "read", "default", "christoper p ahmann", "target", "victims", "tsara brashears", "url https", "type indicator", "role title", "added active", "related pulses", "p1377925676", "gaz1", "sid1696503456", "present nov", "present oct", "date", "tcpmemhit", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "adversaries", "spawns", "defense evasion", "t1480 execution", "sha256", "sha1", "mitre att", "pattern match", "show technique", "ck matrix", "null", "refresh", "span", "hybrid", "general", "local", "path", "click", "strings", "tools", "look", "verify", "restart", "palantir", "foundry", "hitmen", "quasi", "government contracts", "jeffrey reimer", "hallrender", "workers compensation", "record value", "certificate" ], "references": [ "apple-dns.net , http://www.pestcontrol-appleton.com/ multiple Apple IoC", "https://podcasts.apple.com/us/podcast/the-lazarus-heist/id1561990291", "https://tamlegal.com/attorneys/christopher-p-ahmann/", "bpc-old.palantirfoundry.com", "OTX auto populated targeted groups.", "You have no idea where artists get their music or how the 5 main songwriters harvest songs from independent artists", "Target had endured hired hitman , physical attacks, vehicle attacks, gunpoint", "Assaulter Jeffrey Scott Reimer DPT isn\u2019t worth his monthly salary let alone all of this support", "Using Palantir Foundry tools have created a new false background for Brashears. Should be illegal.", "They blatantly steal from citizens , blame foreign entities.", "This is truly \u2019waste, fraud and abuse\u2019 usually a phrase used by insurance agents." ], "public": 1, "adversary": "Lazarus", "targeted_countries": [ "Bangladesh", "Japan", "United States of America" ], "malware_families": [ { "id": "ALF:SpikeAexR.PEVPSZL", "display_name": "ALF:SpikeAexR.PEVPSZL", "target": null }, { "id": "Ransom:MSIL/GandCrab", "display_name": "Ransom:MSIL/GandCrab", "target": "/malware/Ransom:MSIL/GandCrab" }, { "id": "Zeus", "display_name": "Zeus", "target": null }, { "id": "Ransom:Win32/Gandcrab.H!MTB", "display_name": "Ransom:Win32/Gandcrab.H!MTB", "target": "/malware/Ransom:Win32/Gandcrab.H!MTB" }, { "id": "Other Malware", "display_name": "Other Malware", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" } ], "industries": [ "Banks", "Crypto", "Entertainment", "Bank" ], "TLP": "white", "cloned_from": "6910cafb096eae0dcb39a800", "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4572, "FileHash-MD5": 196, "domain": 1523, "hostname": 1393, "FileHash-SHA256": 2400, "FileHash-SHA1": 175, "email": 18, "SSLCertFingerprint": 8 }, "indicator_count": 10285, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "130 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67f6c635cb8c3c8b256b6dba", "name": "sdfzsdf.ele fac1ec40eea5a4fc05f17e019328e287", "description": "SHA1- 33008f85428a83996083c3da92a8f00595071403\nSHA256\ncdab1c3196887d4f749d82f014786a966c87f35a7189f0f3d078558b957847bf\nhttps://sandbox.ti.qianxin.com/sandbox/page/detail?type=file&id=7b6726e20c513baebf7fd387a3dd1b7d67a4c7c4\nhttps://ti.qianxin.com/v2/search?type=file&value=fac1ec40eea5a4fc05f17e019328e287\nhttps://www.virustotal.com/gui/file/cdab1c3196887d4f749d82f014786a966c87f35a7189f0f3d078558b957847bf/relations", "modified": "2025-09-01T08:05:17.675000", "created": "2025-04-09T19:10:45.337000", "tags": [ "sha1", "rozmiar", "typ pliku", "win32", "numer wersji", "wersja", "nieznany", "sha512", "crc32", "ssd gboki", "win64", "security", "license v2", "f6 d9", "windows nt", "detects", "gecko", "khtml", "msie", "wow64", "stealer", "error", "userprofile", "hunt", "keylogger", "encrypt", "antivm", "span", "main", "grabber", "hello", "android", "dcrat", "kill", "revengerat", "sandbox", "pass", "chat", "first", "asyncrat", "crypto", "injector", "dropper", "infostealer", "lockfile", "worldwind", "stealerium", "toxiceye", "avemaria", "fast", "persistence", "trojan", "restart", "snakekeylogger", "snake", "accept", "cookie", "code", "killproc", "lazarus", "dearcry", "njrat", "cyrus", "powershell", "info", "body", "floodfix", "downloader", "ransomware", "core", "loki", "fpspy", "klogexe", "firebird", "patch", "explorer", "avkiller", "masslogger", "baldr", "modi rat", "helpme", "osno", "import", "keylog", "screencapture", "ransom", "crypted", "silent", "xorddos", "stormkitty", "ordinal", "locker", "hyperbro", "lamepyre", "parallaxrat", "null", "shurk steal", "arkeistealer", "strongpity", "desktop", "myagent", "bypass", "fatduke", "miniduke", "polyglotduke", "guildma", "spyeye", "corebot", "killmbr", "ooops", "lcpdot", "torisma", "codec", "prometheus", "spook", "crypt", "logger", "zegost", "poshkeylogger", "systembc", "hdlocker", "cryptolocker", "fivehands", "kitty", "goldmax", "rents", "maurigo", "done", "hidewindow", "bokbot", "bladabindi", "darktrack", "darksky", "alien", "karkoff", "inject", "windigo", "rest", "softcnapp", "elysiumstealer", "leivion", "banload", "ultrareach", "ultrasurf", "buterat", "tools", "beasty", "shut", "gravityrat", "fatalrat", "discord", "deadwood", "turian", "markirat", "mark", "klingonrat", "path", "reverserat", "grab", "meta", "voidcrypt", "darkvnc", "ryzerlo", "hiddentear", "boxcaon", "stream", "crimsonrat", "delfi", "infinity", "stealthworker", "gasket", "spoolss", "lu0bot", "target", "attack", "cobaltstrike", "bits", "chaos", "bitcoin", "wiper", "delphi", "slackbot", "neshta", "belarus", "apanas", "runner", "darkcomet", "macoute", "iframe", "vanillarat", "sectoprat", "melt", "tomiris", "apostle", "blackbyte", "kutaki", "override", "windealer", "mkdir", "brbbot", "config", "babylon rat", "spynet", "bazarloader", "clipper", "banker", "gh0st", "piratestealer", "witch", "killme", "vulturi", "tofsee", "slow", "owowa", "flagpro", "write", "dazzlespy", "decryptor", "bandit stealer", "bandit", "darkeye", "recordbreaker", "truebot", "svchost", "clipbanker", "service", "koivm", "arrowrat", "ducktail", "confuser", "gobrat", "modiloader", "chilelocker", "noclose", "strelastealer", "comfoo", "babar", "blankgrabber", "solarmarker", "darkgate", "stub", "banned", "globeimposter", "rhysida", "janelarat", "kraken", "recon", "quiterat", "venomrat", "venom rat", "sapphirestealer", "ntospy", "raccoon", "shifu", "mediapi", "poolrat", "cicada3301", "remoteexec", "babylockerkz", "new service", "creation id", "nextron" ], "references": [ "Windows_Trojan_Tofsee.yar", "Suspicious New Service Creation (1).yml" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 353, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 28, "FileHash-SHA1": 27, "FileHash-SHA256": 1077, "domain": 282, "hostname": 316, "URL": 1092, "YARA": 535, "email": 4 }, "indicator_count": 3361, "is_author": false, "is_subscribing": null, "subscriber_count": 124, "modified_text": "230 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66246ff49ed29ea9bb2bf122", "name": "S\u0105d Rejonowy w Jeleniej Gorze POLAND", "description": "Przechowywania lub dost\u0119pu do plik\u00f3w cookies w Twojej przegl\u0105darce\nhttps://www.virustotal.com/gui/domain/jelenia-gora.sr.gov.pl/relations", "modified": "2025-05-14T21:18:36.989000", "created": "2024-04-21T01:46:28.554000", "tags": [ "jeleniej grze", "aktualnoci", "informacje", "jednostka", "rejonowy", "konkurs", "najczciej", "sd rejonowy", "przejd", "czytaj", "click", "sdzia jarosaw", "wydziau", "sdzia grzegorz", "katarzyna", "rudnicka dane", "kontaktowe sd", "jelenia gra", "mickiewicza", "zawarto", "html", "nazwa meta", "robotw", "telefon", "brak", "skala", "ua zgodna", "head body", "zasb", "cname", "kod odpowiedzi", "kodowanie treci", "wygasa", "gmt serwer", "pragma", "kontrola pamici", "podrcznej", "data", "gmt kontrola", "dostpuzezwl na", "czytaj wicej", "sd okrgowy", "jednostki", "okrgowy", "ogoszenia", "sha256", "vhash", "ssdeep", "https odcisk", "palca jarma", "https dane", "v3 numer", "odcisk palca", "tworzy katalog", "tworzy pliki", "typ pliku", "json", "ascii", "windows", "sqlite", "foxpro fpt", "links typ", "mapa", "152 x", "sqlite w", "sha1", "sha512", "file size", "b file", "testing", "komornik sdowy", "sdzie rejonowym", "tomasz rodacki", "obwieszczenie", "komornicze", "tumacza migam", "tumacz czynny", "zamknite", "wiadczenia", "schedule", "error", "javascript", "bakers hall", "ixaction", "script", "ixchatlauncher", "compatibility", "com dla", "t1055 pewno", "unikanie obrony", "t1036 maskarada", "t1082 pewno", "informacje o", "nazwa pliku", "dokument pdf", "rozmiar pliku", "zapowied", "type", "iii dbt", "utf8", "dziennik" ], "references": [ "S?d Rejonowy w Jeleniej G\u00f3rze.htm", "II Wydzia? Karny - S?d Rejonowy w Jeleniej G\u00f3rze 1.htm", "http://www.jelenia-gora.so.gov.pl/", "https://www.jelenia-gora.so.gov.pl/", "http://www.jelenia-gora.sr.gov.pl/ogloszenia-komornicze", "https://tlumacz.migam.org/sad_rejonowy_jelenia_gora", "https://www.jelenia-gora.sr.gov.pl/spacer", "https://waf.intelix.pl/957476/Chat/Script/Compatibility" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "", "display_name": "", "target": null }, { "id": "serwer", "display_name": "serwer", "target": null } ], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "email": 71, "domain": 7651, "hostname": 7680, "IPv4": 331, "FileHash-SHA256": 16168, "URL": 10399, "FileHash-MD5": 3639, "FileHash-SHA1": 3468, "CIDR": 4, "CVE": 89, "YARA": 521, "SSLCertFingerprint": 25, "JA3": 1, "IPv6": 5813 }, "indicator_count": 55860, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "339 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "674afb83c67ff4443e9f953a", "name": "PolymodXT.exe", "description": "", "modified": "2025-05-14T21:18:19.590000", "created": "2024-11-30T11:48:19.052000", "tags": [ "file", "flagi", "process sha256", "process disc", "pathway z", "identyfikator", "zawiera moliwo", "klucz", "zawiera", "wybierz", "nie mona", "przechowywanie", "haso", "obiekt", "cig uid", "zilla", "enumerate", "defender", "pragma", "security", "license v2", "ff ff", "fc e8", "f8 ff", "fc ff", "c9 c3", "e4 f8", "cc cc", "fc eb", "confuserex mod", "aspirecrypt", "detects", "reactor", "beds protector", "ps2exe", "bsjb", "boxedapp", "cyaxsharp", "cyaxpng", "smartassembly", "koivm", "confuserex", "obfuscator", "aspack", "titan", "enigma", "vmprotect", "strings", "rlpack", "antiem", "antisb", "themida", "loader", "sality", "dnguard", "windows nt", "gecko", "khtml", "msie", "wow64", "stealer", "win64", "error", "userprofile", "keylogger", "encrypt", "antivm", "span", "main", "grabber", "hello", "android", "dcrat", "win32", "kill", "revengerat", "sandbox", "pass", "chat", "first", "asyncrat", "crypto", "injector", "dropper", "infostealer", "lockfile", "worldwind", "stealerium", "toxiceye", "avemaria", "fast", "persistence", "trojan", "restart", "snakekeylogger", "snake", "accept", "cookie", "code", "killproc", "lazarus", "dearcry", "njrat", "cyrus", "powershell", "info", "body", "floodfix", "downloader", "ransomware", "core", "loki", "fpspy", "klogexe", "firebird", "patch", "explorer", "avkiller", "masslogger", "baldr", "modi rat", "helpme", "osno", "import", "keylog", "screencapture", "ransom", "crypted", "silent", "xorddos", "stormkitty", "ordinal", "locker", "hyperbro", "lamepyre", "parallaxrat", "null", "shurk steal", "arkeistealer", "strongpity", "desktop", "myagent", "bypass", "fatduke", "miniduke", "polyglotduke", "guildma", "spyeye", "corebot", "killmbr", "ooops", "lcpdot", "torisma", "codec", "prometheus", "spook", "crypt", "logger", "zegost", "poshkeylogger", "systembc", "hdlocker", "cryptolocker", "fivehands", "kitty", "goldmax", "rents", "maurigo", "done", "hidewindow", "bokbot", "bladabindi", "darktrack", "darksky", "alien", "karkoff", "inject", "windigo", "rest", "softcnapp", "elysiumstealer", "leivion", "banload", "ultrareach", "ultrasurf", "buterat", "tools", "beasty", "shut", "gravityrat", "fatalrat", "discord", "deadwood", "turian", "markirat", "mark", "klingonrat", "path", "reverserat", "grab", "meta", "voidcrypt", "darkvnc", "ryzerlo", "hiddentear", "boxcaon", "stream", "crimsonrat", "delfi", "infinity", "stealthworker", "gasket", "spoolss", "lu0bot", "target", "attack", "cobaltstrike", "bits", "chaos", "bitcoin", "wiper", "delphi", "slackbot", "neshta", "belarus", "apanas", "runner", "darkcomet", "macoute", "iframe", "vanillarat", "sectoprat", "melt", "tomiris", "apostle", "blackbyte", "kutaki", "override", "windealer", "mkdir", "brbbot", "config", "babylon rat", "spynet", "bazarloader", "clipper", "banker", "gh0st", "piratestealer", "witch", "killme", "vulturi", "tofsee", "slow", "owowa", "flagpro", "write", "dazzlespy", "decryptor", "bandit stealer", "bandit", "darkeye", "recordbreaker", "truebot", "svchost", "clipbanker", "service", "arrowrat", "ducktail", "confuser", "gobrat", "modiloader", "chilelocker", "noclose", "strelastealer", "comfoo", "babar", "blankgrabber", "solarmarker", "darkgate", "stub", "banned", "globeimposter", "rhysida", "janelarat", "kraken", "recon", "quiterat", "venomrat", "venom rat", "sapphirestealer", "ntospy", "raccoon", "shifu", "mediapi", "poolrat", "cicada3301", "remoteexec" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 528, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 414, "FileHash-SHA1": 410, "FileHash-SHA256": 1940, "URL": 171, "hostname": 56, "domain": 134, "YARA": 759, "email": 4 }, "indicator_count": 3888, "is_author": false, "is_subscribing": null, "subscriber_count": 122, "modified_text": "339 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67cb982432751ed32fd0404b", "name": "Svchost id: 16c37b52-b141-42a5-a3ea-bbe098444397", "description": "The following rules for the Windows.Trojan.Tofsee malware have been revealed by the BBC's Panorama programme and are subject to a review by BBC Newsnight and BBC Radio 5 live.", "modified": "2025-05-14T21:10:44.900000", "created": "2025-03-08T01:06:44.421000", "tags": [ "vhash", "authentihash", "ssdeep", "rticon serbian", "arabic libya", "ico rtgroupicon", "serbian arabic", "libya", "windows nt", "detects", "gecko", "khtml", "msie", "wow64", "stealer", "win64", "error", "userprofile", "hunt", "keylogger", "encrypt", "antivm", "span", "main", "grabber", "hello", "android", "dcrat", "win32", "kill", "revengerat", "sandbox", "pass", "chat", "first", "asyncrat", "crypto", "injector", "dropper", "infostealer", "lockfile", "worldwind", "stealerium", "toxiceye", "avemaria", "fast", "persistence", "trojan", "restart", "snakekeylogger", "snake", "accept", "cookie", "code", "killproc", "lazarus", "dearcry", "njrat", "cyrus", "powershell", "info", "body", "floodfix", "downloader", "ransomware", "core", "loki", "fpspy", "klogexe", "firebird", "patch", "explorer", "avkiller", "masslogger", "baldr", "modi rat", "helpme", "osno", "import", "keylog", "screencapture", "ransom", "crypted", "silent", "xorddos", "stormkitty", "ordinal", "locker", "hyperbro", "lamepyre", "parallaxrat", "null", "shurk steal", "arkeistealer", "strongpity", "desktop", "myagent", "bypass", "fatduke", "miniduke", "polyglotduke", "guildma", "spyeye", "corebot", "killmbr", "ooops", "lcpdot", "torisma", "codec", "prometheus", "spook", "crypt", "logger", "zegost", "poshkeylogger", "systembc", "hdlocker", "cryptolocker", "fivehands", "kitty", "goldmax", "rents", "maurigo", "done", "hidewindow", "bokbot", "bladabindi", "darktrack", "darksky", "alien", "karkoff", "inject", "windigo", "rest", "softcnapp", "elysiumstealer", "leivion", "banload", "ultrareach", "ultrasurf", "buterat", "tools", "beasty", "shut", "gravityrat", "fatalrat", "discord", "deadwood", "turian", "markirat", "mark", "klingonrat", "path", "reverserat", "grab", "meta", "voidcrypt", "darkvnc", "ryzerlo", "hiddentear", "boxcaon", "stream", "crimsonrat", "delfi", "infinity", "stealthworker", "gasket", "spoolss", "lu0bot", "target", "attack", "cobaltstrike", "bits", "chaos", "bitcoin", "wiper", "delphi", "slackbot", "neshta", "belarus", "apanas", "runner", "darkcomet", "macoute", "iframe", "vanillarat", "sectoprat", "melt", "tomiris", "apostle", "blackbyte", "kutaki", "override", "windealer", "mkdir", "brbbot", "config", "babylon rat", "spynet", "bazarloader", "clipper", "banker", "gh0st", "piratestealer", "witch", "killme", "vulturi", "tofsee", "slow", "owowa", "flagpro", "write", "dazzlespy", "decryptor", "bandit stealer", "bandit", "darkeye", "recordbreaker", "truebot", "svchost", "clipbanker", "service", "koivm", "arrowrat", "ducktail", "confuser", "gobrat", "modiloader", "chilelocker", "noclose", "strelastealer", "comfoo", "babar", "blankgrabber", "solarmarker", "darkgate", "stub", "banned", "globeimposter", "rhysida", "janelarat", "kraken", "recon", "quiterat", "venomrat", "venom rat", "sapphirestealer", "ntospy", "raccoon", "shifu", "mediapi", "poolrat", "cicada3301", "remoteexec", "security", "license v2", "f6 d9", "sha256", "imphasz", "externalnet", "homenet", "unreachable", "imageendswith", "example", "imagestartswith", "files", "sandbox author", "securityuserid", "windows upgrade", "k netsvcs", "defender", "update", "code integrity", "checks id", "detects code", "thomas patzke", "filessophos", "outbound smtp", "connections id", "smtp", "david burkett", "signalblur", "commandline", "svchost parent", "process id", "roth", "nextron", "service binary", "system", "automatic", "manual", "filter fp", "avast software", "new service", "creation id" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1048", "name": "Exfiltration Over Alternative Protocol", "display_name": "T1048 - Exfiltration Over Alternative Protocol" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 168, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 39, "FileHash-SHA1": 28, "FileHash-SHA256": 1065, "URL": 984, "YARA": 535, "domain": 262, "email": 4, "hostname": 316 }, "indicator_count": 3233, "is_author": false, "is_subscribing": null, "subscriber_count": 124, "modified_text": "339 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66be22943d7192063b953f75", "name": "Unsupported Browser - WordPress.com Brian Sabey Pornography Injection via thebrotherssabey[.]com for Jeffrey Scott Reimer DPT - Lazarus Group related", "description": "Brian Sabey Pornography via thebrotherssabey WordPress. Mark Brian Sabey, M. Brian Sabey, Brian Sabey, The Brothers Sabey is the the said name of relentless cyber attacker. Lazarus Group related. Tsara Brashears has been a victim of his abuse for a decade. He and whoever he works for have been responsible for relentless cyber warfare of a critical nature, in person stalking, violence, countless property damage, theft, cameras installation, hitmen attacks and an assault within 6 week span. Brian Sabey Social engineered target by email, phone, check scam, cyber attacks on music studios, and business, lawsuit representing Jeffrey Reimer and more likely Eva Lisa Reimer. An alleged judge dismissed his case. Reimer & Sabey settled for a pittance as Brashears needed spine surgery, This is crazy.", "modified": "2024-10-14T18:03:35.631000", "created": "2024-08-15T15:45:24.143000", "tags": [ "browser", "helaas", "bekijk", "url https", "all scoreblue", "report spam", "output", "tsara brashears", "minutes ago", "amber a", "continue", "view", "unsupported", "browser", "javascript", "next", "download", "videos maps", "images news", "please", "google search", "watch", "tsara", "any", "quality", "any source", "videos", "dynamicloader", "yara rule", "ids detections", "yara detections", "contacted", "high", "pyinstaller", "dynamic", "medium", "data", "powershell", "tofsee", "windows", "sha256", "less see", "stream", "copy", "grum", "m417", "lazarus", "elisa", "brian sabey", "thebrotherssabey", "e lisa", "installs", "windows startup", "google", "yandex", "microsoft", "baidu", "baidu spider", "yandex spider", "apple", "android", "meta", "facebook", "cybercrime", "cyber warfare", "hitmen", "malware", "malvertising", "pornography", "pornhub" ], "references": [ "https://thebrotherssabey.wordpress.com/wp-admin/customize.php?url=https://thebrotherssabey.wordpress.com/", "Injected: https://www.google.com/search?q=tsara+brashears&prmd=vni&source=lnms&tbm=vid&sa=X&ved=2ahUKEwimqvSyxKrpAhUHTt8KHReZC7wQ_AUoAXoECAsQAQ&biw=375&bih=544&dpr=3/Malicious-Google-Search-Results-False", "Antivirus Detections: Win.Packer.pkr_ce1a-9980177-0", "IDS Detections: Win32/Tofsee.AX google.com connectivity check", "Alerts: procmem_yara injection_inter_process creates_largekey network_bind persistence_autorun injection_process_hollowing", "Alerts: persistence_autorun_tasks spawns_dev_util cape_detected_threat deletes_executed_files suricata_alert", "Alerts: antivm_generic_disk antivm_generic_services suspicious_command_tools anomalous_deletefile", "Alerts: deletes_self injection_runpe persistence_ads antisandbox_sleep dead_connect", "Brian Sabey Jeffrey Scott Reimer DPT Eva Lisa Reimer RN & Quasi Government Insurance companies unwilling to pay for critical assault injuries SCI", "http://schemas.microsoft.com/SMI/2016/WindowsSettings" ], "public": 1, "adversary": "Lazarus Group Brian Sabey", "targeted_countries": [ "United States of America", "Finland", "France", "Croatia", "United Kingdom of Great Britain and Northern Ireland", "Spain" ], "malware_families": [ { "id": "Win.Packer.pkr_ce1a-9980177-0", "display_name": "Win.Packer.pkr_ce1a-9980177-0", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1055.003", "name": "Thread Execution Hijacking", "display_name": "T1055.003 - Thread Execution Hijacking" }, { "id": "T1122", "name": "Component Object Model Hijacking", "display_name": "T1122 - Component Object Model Hijacking" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1428", "name": "Exploit Enterprise Resources", "display_name": "T1428 - Exploit Enterprise Resources" }, { "id": "T1445", "name": "Abuse of iOS Enterprise App Signing Key", "display_name": "T1445 - Abuse of iOS Enterprise App Signing Key" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 289, "hostname": 70, "FileHash-MD5": 125, "FileHash-SHA1": 124, "FileHash-SHA256": 242, "domain": 59, "FilePath": 1 }, "indicator_count": 910, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "551 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66be27ab9c5385b10cbd25cd", "name": "Google Search injection| Tofsee | Brian Sabey Campaign - Lazarus related | thebrotherssabey.com -Source of entire cyber attack against Sex Assault victim ", "description": "", "modified": "2024-09-14T18:25:01.247000", "created": "2024-08-15T16:07:07.541000", "tags": [ "browser", "helaas", "bekijk", "url https", "all scoreblue", "report spam", "output", "tsara brashears", "minutes ago", "amber a", "continue", "view", "unsupported", "browser", "javascript", "next", "download", "videos maps", "images news", "please", "google search", "watch", "tsara", "any", "quality", "any source", "videos", "dynamicloader", "yara rule", "ids detections", "yara detections", "contacted", "high", "pyinstaller", "dynamic", "medium", "data", "powershell", "tofsee", "windows", "sha256", "less see", "stream", "copy", "grum", "m417", "lazarus", "elisa", "brian sabey", "thebrotherssabey", "e lisa", "installs", "windows startup", "google", "yandex", "microsoft", "baidu", "baidu spider", "yandex spider", "apple", "android", "meta", "facebook", "cybercrime", "cyber warfare", "hitmen", "malware", "malvertising", "pornography", "pornhub" ], "references": [ "https://thebrotherssabey.wordpress.com/wp-admin/customize.php?url=https://thebrotherssabey.wordpress.com/", "Injected: https://www.google.com/search?q=tsara+brashears&prmd=vni&source=lnms&tbm=vid&sa=X&ved=2ahUKEwimqvSyxKrpAhUHTt8KHReZC7wQ_AUoAXoECAsQAQ&biw=375&bih=544&dpr=3/Malicious-Google-Search-Results-False", "Antivirus Detections: Win.Packer.pkr_ce1a-9980177-0", "IDS Detections: Win32/Tofsee.AX google.com connectivity check", "Alerts: procmem_yara injection_inter_process creates_largekey network_bind persistence_autorun injection_process_hollowing", "Alerts: persistence_autorun_tasks spawns_dev_util cape_detected_threat deletes_executed_files suricata_alert", "Alerts: antivm_generic_disk antivm_generic_services suspicious_command_tools anomalous_deletefile", "Alerts: deletes_self injection_runpe persistence_ads antisandbox_sleep dead_connect", "Brian Sabey Jeffrey Scott Reimer DPT Eva Lisa Reimer RN & Quasi Government Insurance companies unwilling to pay for critical assault injuries SCI", "http://schemas.microsoft.com/SMI/2016/WindowsSettings" ], "public": 1, "adversary": "Lazarus Group Brian Sabey", "targeted_countries": [ "United States of America", "Finland", "France", "Croatia", "United Kingdom of Great Britain and Northern Ireland", "Spain" ], "malware_families": [ { "id": "Win.Packer.pkr_ce1a-9980177-0", "display_name": "Win.Packer.pkr_ce1a-9980177-0", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1055.003", "name": "Thread Execution Hijacking", "display_name": "T1055.003 - Thread Execution Hijacking" }, { "id": "T1122", "name": "Component Object Model Hijacking", "display_name": "T1122 - Component Object Model Hijacking" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1428", "name": "Exploit Enterprise Resources", "display_name": "T1428 - Exploit Enterprise Resources" }, { "id": "T1445", "name": "Abuse of iOS Enterprise App Signing Key", "display_name": "T1445 - Abuse of iOS Enterprise App Signing Key" } ], "industries": [], "TLP": "green", "cloned_from": "66be22943d7192063b953f75", "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 74, "hostname": 49, "FileHash-MD5": 125, "FileHash-SHA1": 124, "FileHash-SHA256": 178, "domain": 31, "FilePath": 1 }, "indicator_count": 582, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "581 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65c7b86fa120d19bbc88f367", "name": "Hijacker", "description": "Hackers hired to humiliate, threaten,steal data, evidence, recordings , spy and intimidate.", "modified": "2024-03-11T17:01:59.026000", "created": "2024-02-10T17:54:55.243000", "tags": [ "ssl certificate", "whois record", "contacted", "tsara brashears", "referrer", "communicating", "resolutions", "historical ssl", "high level", "hackers", "hacktool", "download", "malware", "crypto", "hijacker", "monitoring", "installer", "tofsee", "domains domains", "domains files", "files files", "script", "kgs0", "kls0", "relic", "iframe", "pe32 executable", "ms windows", "intel", "win16 ne", "os2 executable", "generic windos", "executable", "dos executable", "generic", "rticon neutral", "info compiler", "products id", "header intel", "name md5", "contained", "type", "language", "ico rtgroupicon", "neutral", "first", "utc submissions", "submitters", "company limited", "computer", "amazonaes", "china telecom", "group", "csc corporate", "domains", "malware spreading evader", "cnc", "malvertizing", "milehighmedia", "trojandropper", "moved", "passive dns", "urls", "as14576", "backdoor", "scan endpoints", "all octoseek", "ipv4", "pulse pulses", "trojan", "encrypt", "body", "date", "date hash", "avast avg", "mtb may", "kratona", "threat", "paste", "iocs", "analyze", "hostnames", "urls https", "script urls", "united", "meta", "unknown", "emails", "name servers", "search", "as62597 nsone", "a domains", "as397241", "media", "next", "december", "unlocker", "threat round", "apple ios", "apple phone", "project", "blister", "agent tesla", "open", "execution", "videos", "strong", "porn videos", "watch", "daddy", "free", "top rated", "most viewed", "cancel anytime", "views", "play", "black", "enjoy", "czech", "hunk", "virtool", "cryp", "creation date", "otx telemetry", "expiration date", "servers", "status", "win32", "showing", "domain", "nxdomain", "as8075", "shell code", "threat", "cyber espionage", "cyber stalking", "danger", "critical", "attack", "treats", "as15169 google", "aaaa", "record value", "error", "entries", "hostname", "url http", "http", "files domain", "files related", "shinjiru msc", "sdn bhd", "dnssec", "protect", "as54455 madeit", "phishing", "backdoor", "contextualizing", "elevated exposure", "malvertizing", "ransom", "msil", "hackers for hire", "hashes", "http method", "get http", "http requests", "get dns", "ip traffic", "memory pattern", "pattern ips", "@emreimer", "iextract2", "cp cyber", "denver", "security", "siem compliance", "skip", "cybersecurity", "larimer st", "suite", "resources cyber", "risk assessment", "bill", "mind", "delaware", "pa", "arizona", "colorado", "stalkers", "deuteronomy 28:7", "hitmen" ], "references": [ "honey.exe", "0001c8afa9ca148752e1439140fadb6571b27f455ad1474d85625bcddfb63550", "CS Sigma Rules: Suspicious Remote Thread Created by Perez Diego (@darkquassar), oscd.community", "CS Sigma Rules: Python Initiated Connection by frack113", "CS Sigma Rules: Use Remove-Item to Delete File by frack113", "CS Sigma Rules: Suspicious Userinit Child Process by Florian Roth (rule), Samir Bousseaden (idea)", "Relationship: http://www.cpmfun.com/go.php?i=Zml0sXNlQhR0gRzjdXpLNlz4&p=71408&s=1&m=1&ua=mozilla/5.0+(linux;+android+4.4.2;+ast21+build/kvt49l)+", "api.login.live.com", "http://appleid.icloud.com-website33.org/", "https://www.milehighmedia.com/legal/2257 [phishing \u2022 Brazzers porn]", "FileHash-SHA256 c030b0a1be8745d192f45.159.189.105743b3c4f4094f33507a5904c184c8db0bde1a91efccb5 [tracking]", "http://45.159.189.105/bot/regex [Tracking Tsara Brashears involves in person following and or harassment as well]", "message.htm.com", "http://pornhub.com/gay/video/search", "CnC IP's: 206.189.61.126 \u2022 217.74.65.23 \u2022 46.8.8.100 \u2022 64.190.63.111", "stop following, stalking, hacking, talking, modifying, hijacking, threatening, contacting, sending people to harass target, threats", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "W32.Sality.PE", "display_name": "W32.Sality.PE", "target": null }, { "id": "HackTool", "display_name": "HackTool", "target": null }, { "id": "Relic", "display_name": "Relic", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null }, { "id": "Virus.Win32.Virut.q", "display_name": "Virus.Win32.Virut.q", "target": null }, { "id": "VirTool", "display_name": "VirTool", "target": null }, { "id": "TrojanDropper:Win32", "display_name": "TrojanDropper:Win32", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "TA0001", "name": "Initial Access", "display_name": "TA0001 - Initial Access" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "TA0002", "name": "Execution", "display_name": "TA0002 - Execution" }, { "id": "TA0004", "name": "Privilege Escalation", "display_name": "TA0004 - Privilege Escalation" }, { "id": "TA0005", "name": "Defense Evasion", "display_name": "TA0005 - Defense Evasion" }, { "id": "TA0006", "name": "Credential Access", "display_name": "TA0006 - Credential Access" }, { "id": "TA0007", "name": "Discovery", "display_name": "TA0007 - Discovery" }, { "id": "TA0008", "name": "Lateral Movement", "display_name": "TA0008 - Lateral Movement" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0010", "name": "Exfiltration", "display_name": "TA0010 - Exfiltration" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "TA0034", "name": "Impact", "display_name": "TA0034 - Impact" }, { "id": "TA0040", "name": "Impact", "display_name": "TA0040 - Impact" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1122", "name": "Component Object Model Hijacking", "display_name": "T1122 - Component Object Model Hijacking" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 54, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6303, "FileHash-MD5": 215, "FileHash-SHA1": 192, "FileHash-SHA256": 2663, "domain": 2673, "hostname": 2686, "CVE": 2, "email": 16 }, "indicator_count": 14750, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "768 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "63b6134c3bd27b32ac51d147", "name": "Twitter Feed - silentpush_labs - 04-01-2023", "description": "", "modified": "2023-01-05T00:01:16.454000", "created": "2023-01-05T00:01:16.454000", "tags": [ "phishing" ], "references": [ "https://twitter.com/silentpush_labs/status/1610712796777283584" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 2 }, "indicator_count": 2, "is_author": false, "is_subscribing": null, "subscriber_count": 1600, "modified_text": "1200 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6231ba5a96572fb746c07098", "name": "apps.apple.com:us:app:coinbase-bitcoin-wallet:id886427730? utm_campaign=campaign_2737332&utm_medium=email&utm_source=Iterable%22,.pdf", "description": "", "modified": "2022-04-15T00:03:47.669000", "created": "2022-03-16T10:22:18.503000", "tags": [], "references": [ "apps.apple.com:us:app:coinbase-bitcoin-wallet:id886427730? utm_campaign=campaign_2737332&utm_medium=email&utm_source=Iterable%22,.pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Kailula4", "id": "131997", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 26, "FileHash-SHA256": 392, "URL": 344, "hostname": 150, "email": 2, "FileHash-MD5": 65, "FileHash-SHA1": 1 }, "indicator_count": 980, "is_author": false, "is_subscribing": null, "subscriber_count": 406, "modified_text": "1465 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6230e4b93ec6538564d13b89", "name": "apps.apple.com:us:app:coinbase-bitcoin-wallet:id886427730? utm_campaign=campaign_2595260&utm_medium=email&utm_source=Iterable%22", "description": "", "modified": "2022-04-14T00:01:40.805000", "created": "2022-03-15T19:10:49.675000", "tags": [], "references": [ "apps.apple.com:us:app:coinbase-bitcoin-wallet:id886427730? utm_campaign=campaign_2595260&utm_medium=email&utm_source=Iterable%22,.pdf" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Kailula4", "id": "131997", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 365, "domain": 27, "FileHash-SHA256": 391, "hostname": 174, "email": 2, "CIDR": 5, "FileHash-MD5": 65, "FileHash-SHA1": 1 }, "indicator_count": 1030, "is_author": false, "is_subscribing": null, "subscriber_count": 406, "modified_text": "1466 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://podcasts.apple.com/us/podcast/the-lazarus-heist/id1561990291", "https://vtbehaviour.commondatastorage.googleapis.com/5dae281deccea2c5229861b4f2ff8c386da1726a836839961311896a6c9f5a69_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775190298&Signature=eEF6m7QHRnKk%2FYB374HxqU2TE0p8gXC9CWwIHPT7M6fEZKjeFUEmUEbqdupsD2hQQbkW%2Fmijo2rSEQ30q3EAyR9aQO3m6L91A6osc3kDipeyZqFrIqoj6wIe8MJGuRf4OC9cVAWipGYXPG5bqc3v6RUHir9MeLOggoGjalexCwBgs3SsGyhqU1uWZdJ%2Fs4nUbHyIJGc3FB9OrnhDRuGPdkfPSOA09hfujcul91zQNws4dznvmM", "http://pornhub.com/gay/video/search", "https://www.virustotal.com/gui/collection/18b52f4087178dedfee577ab7e53c5a86e84c2a7f901fa796240247f4be76f32/iocs", "https://yaraify.abuse.ch/scan/results/32bfc760-1757-11f1-b47f-42010aa4000b", "CS Sigma Rules: Use Remove-Item to Delete File by frack113", "https://viz.greynoise.io/ip/analysis/6356f330-63a7-4ce3-91fa-7ab355a1dc1a", "https://vtbehaviour.commondatastorage.googleapis.com/37efacb8411234dd9882d8d3a8709f492eb2ed252132da099a11be07c0b4ccb0_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775190199&Signature=RiO2p%2BBvc38TqeTuiMJNxoT6Jr3JfHvTQFQIk94ZaRY%2FPP5yEPSH45GncMCh4GqP1%2F%2BNLR2IVm5Z2svEWojLwxq%2Fl0eIAWy1chUQmg2GcEg5YoaEEnXpWjb1er08EIYwV0ZC8parFwVrr194MKeUmZYo5NLYk4%2BCim9ipnxYse12eROsMSXZtyS4daGivzQzihRqTUU9iEn%2FxAKEOI%2F3V8JRrqNy3nDqmo1mdoVr", "honey.exe", "https://vtbehaviour.commondatastorage.googleapis.com/a0fb314babd51dbc460ab126b615da4c6f9481f5d1225d0ac189da9d99923bb3_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775189872&Signature=P%2Fa2KXhuVwj4RO8cyfIpkYofLKzsLiKRPHuVAi7hjApskLh84OqCfKuK51z7bTKZd8lCCiQ7XuIaxWQDR7qzDFvuCWutobNhKDdHSDLrTMtqqX3o5RmBpSzMUw3jQJcbxsYWqaOMHy8ZeWEVRuB9orvLwMZbJMMIJM8GhUVHZ6%2BwciVIoj0lYTCb%2FEEkQWTV4g3hs9l8KRzbEfvJGja6ANuv1OtdFLk8pejrraAJMB7ThsjINOXbJb", "https://vtbehaviour.commondatastorage.googleapis.com/a0fb314babd51dbc460ab126b615da4c6f9481f5d1225d0ac189da9d99923bb3_VirusTotal%20R2DBox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775189811&Signature=O96heM5BVAaltXSZInHXgIgK35KjLrLg%2FfKtFXVS%2BoRHTlfpZtn4LpFvolATpK7dED66Ms7SXpn8nX0i7j1IpuDOXOXSm112TOKIKVVPZJH5ppCD6uFYvhkfNcQGa%2FXK%2BDixyM%2BuqwGoJSFD6QzP8J2Iz1GyU4RYYWuB2C7ZD7LOWKlvxF%2F9LTAX8jFDLgFVsE3Og3cU8y3jK%2BenDPthRM6YFu3qewxpti7KVNwKeMJ", "apps.apple.com:us:app:coinbase-bitcoin-wallet:id886427730? utm_campaign=campaign_2595260&utm_medium=email&utm_source=Iterable%22,.pdf", "S?d Rejonowy w Jeleniej G\u00f3rze.htm", "http://schemas.microsoft.com/SMI/2016/WindowsSettings", "https://www.massbroadcasters.org/eeo-organizations/marshfield-high-school", "https://www.milehighmedia.com/legal/2257 [phishing \u2022 Brazzers porn]", "Assaulter Jeffrey Scott Reimer DPT isn\u2019t worth his monthly salary let alone all of this support", "https://www.jelenia-gora.sr.gov.pl/spacer", "https://vtbehaviour.commondatastorage.googleapis.com/06b6d62477011fa63fdb44046351fbe574391916a4f3ea0486b3e3498145a7d7_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775190407&Signature=Y3EAa%2Fwo4ligJHfBUxkzWLjU9FPLyNmsxeNdcPCIPQBYTTGUIaFddrFIYHFhawxMDvixd7uA0qGc0zVDWgbStf2qhTOU1D0aF%2F%2BSLSXEY3VB8oWRXZCEI12zrSd5P4lHInxRS3CJKbNnJP4GvYx20ctpNSo4u%2FvVMLM%2B92TiYCunAVTquDVrFNNim6LJTEz2ucjhcgF2gKn%2FF0f9ALEheC1lk4omwpcYEPQLNX0wNsxNC%2BWQ", "https://vtbehaviour.commondatastorage.googleapis.com/a0fb314babd51dbc460ab126b615da4c6f9481f5d1225d0ac189da9d99923bb3_VirusTotal%20Droidy.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775189779&Signature=KfMCCyf96T3bMlo9SpmV1KGK0zKBbkhhSc6Ig5Hvwfx%2FTKTqEVBDXB28XNeWzWbCRTwCNnYlHV3Ed%2BMjcd%2B1aCTDYi5GH9Qw3msxqk5iKwRhzDIhfpM98SwOLC%2B7xZUAC60ecDmVDsjA9OOwOkJe87q3Rrx2lrU9%2BjuSJ1EdwI16qoJyd29sLcX7STTqAMHuzCjIixIOre64HAjpH4lt%2F8tSgE1A5Rs2V7PRHSX6ibKLD", "https://www.googletagmanager.com/ns.html?id=GTM-PHWTRTJ", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "https://tlumacz.migam.org/sad_rejonowy_jelenia_gora", "http://www.jelenia-gora.so.gov.pl/", "IDS Detections: Win32/Tofsee.AX google.com connectivity check", "They blatantly steal from citizens , blame foreign entities.", "Windows_Trojan_Tofsee.yar", "CS Sigma Rules: Suspicious Userinit Child Process by Florian Roth (rule), Samir Bousseaden (idea)", "FileHash-SHA256 c030b0a1be8745d192f45.159.189.105743b3c4f4094f33507a5904c184c8db0bde1a91efccb5 [tracking]", "Antivirus Detections: Win.Packer.pkr_ce1a-9980177-0", "message.htm.com", "Relationship: http://www.cpmfun.com/go.php?i=Zml0sXNlQhR0gRzjdXpLNlz4&p=71408&s=1&m=1&ua=mozilla/5.0+(linux;+android+4.4.2;+ast21+build/kvt49l)+", "apps.apple.com:us:app:coinbase-bitcoin-wallet:id886427730? utm_campaign=campaign_2737332&utm_medium=email&utm_source=Iterable%22,.pdf", "Brian Sabey Jeffrey Scott Reimer DPT Eva Lisa Reimer RN & Quasi Government Insurance companies unwilling to pay for critical assault injuries SCI", "https://vtbehaviour.commondatastorage.googleapis.com/a0fb314babd51dbc460ab126b615da4c6f9481f5d1225d0ac189da9d99923bb3_VirusTotal%20Droidy.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775190345&Signature=33%2BM36uNOvEfi8bNtJvnbxcTgcnoIlIO2vBglXpCJFNwC8HAewGOF91Q26TOAsw4sbmtTxQ2F5Q2jv2V3ULV8MAxxgYVptJ69SusRt7qZeBDUpMY%2BOdTYqjkdBuYUqYiCvM756aQheS1KvDepeD64x8e%2FivWkpm%2BZ9yDaKUc7w2143zYkc8kpyBSsO8rJI9vyoHYvbr4sfZOowoUWK7yMjQD9SN5bL%2FFABbMrPEOMyobApm", "bpc-old.palantirfoundry.com", "http://45.159.189.105/bot/regex [Tracking Tsara Brashears involves in person following and or harassment as well]", "https://app.threat.zone/submission/c8b0b1e4-0c9b-4210-b5ce-1dc2303445df/overview", "https://www.jelenia-gora.so.gov.pl/", "https://vtbehaviour.commondatastorage.googleapis.com/1256f3aa5f091ac40a573113fcc1a4d0e320af5ee363b0eca79618602cb7dc66_Dr.Web%20vxCube.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775190146&Signature=3XpRLUQ3g712Vw0Gv1aflVxZs7RKpzIhEK8giO9ydwOrOGjLnAK89Y%2BmEf4g2U2YbO04EE%2BcdR5xPgcch1%2B1Gf4thYCgBcbKEEIfNK5UrJwBpAkYRm3D9xsnD%2FVxZt26yLC6aQy87D%2FKNC9aLvViRHGxuFgOp4zkcU%2BRD6mmpIB8SpX5%2BDpocWc4s9R%2BywRPXZ2U2E49g81i%2B5io3Ycqe8ikdjbPlZo9R0KEFLaDQtH", "https://vtbehaviour.commondatastorage.googleapis.com/37efacb8411234dd9882d8d3a8709f492eb2ed252132da099a11be07c0b4ccb0_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775189954&Signature=2gy%2BsyEM78P6orDGWKQU%2FFPSIdVK9X7o8Nkcwb%2BY4r%2FCb%2Bo9JmA9T%2Bfonw9IqbojQSIK%2BNShZUJJ9GV4wWT5l1QfkYfZP0MJ91%2BkDw39PLOc4VVgmBApIQJRTIlgSlI020YfOeIPoIYH8yuCF2dJ32zKg87g0dDFkg4zbExGDJB3%2BGDxX5MJ6hHuzVrwxm7E1L%2F%2FffKQ%2B9rXqoT0hRHEdPSaXSydmnqfMfnjCv", "https://thebrotherssabey.wordpress.com/wp-admin/customize.php?url=https://thebrotherssabey.wordpress.com/", "https://vtbehaviour.commondatastorage.googleapis.com/5dae281deccea2c5229861b4f2ff8c386da1726a836839961311896a6c9f5a69_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775189913&Signature=KduKv0QQf8IKhUUAV%2F0zpzpUmIU%2BEctpJKxUJlyu0Myu11iCQCXfXPprtMBAv5ifc4GLTHDiIuEAJwg%2B%2BHGWjun5ZKLKzoz8Ot2udHqFxvy6ZToPEC4Iui9vdRDHqosVaT77R1Tm1TGuyKVmwYTcow4klVAcpzEWanzWx1jHS42ARepJVrS3AFXHMaaBdTgr23jXcbmly1t3b8lwVilcsk2itdoprPpClQTzwYr1y7YV1%2FbYTDGocHnDwCYy", "https://waf.intelix.pl/957476/Chat/Script/Compatibility", "Alerts: persistence_autorun_tasks spawns_dev_util cape_detected_threat deletes_executed_files suricata_alert", "https://tamlegal.com/attorneys/christopher-p-ahmann/", "https://www.virustotal.com/graph/embed/g6d4bce6162064ac09cd20411c1947e69d7d5a1d475f0447da023ac933d338fce?theme=dark", "https://vtbehaviour.commondatastorage.googleapis.com/970fdc4da66bc8fff977698c150fc6ebdf9488356ed41ded52d2659830ec5353_VirusTotal%20Droidy.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775189984&Signature=f%2FZZkKTu5zUihkCuCj%2F0pEGmBjWWBiZRDmREgGkkkKvTyR7M5iC0oLGYfaL6WibiUB6pQirxgBtEcS2JtupD291Or3j7%2BKoyngW7R9uf%2FjjWQwfC5YHKjNutT6K5TYuEmzySVs9onhIBSjj4U%2Bi2q%2FMJmQFiDtFZHfcyy00LYqbAbBwEAUnVJZUdH6FvNBu4ArU26VDLDwv1nMSgEjxUWBCwiP4HXlwL5%2BxU6y0eTc2", "This is truly \u2019waste, fraud and abuse\u2019 usually a phrase used by insurance agents.", "https://twitter.com/silentpush_labs/status/1610712796777283584", "https://vtbehaviour.commondatastorage.googleapis.com/bb46c18b5b2c98937c8fdfb7acd3e0fa4d0534cfc44d4b41ccd6db9198266fbf_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775190605&Signature=Rcvj5v%2By7yAX52ap8q3zDGTMjVRQm1LkjuWyhDQUaO6QXR1Ld%2F1dD2QjluOGOuXNiW%2FMNP%2Bqj%2Bx6KtYCvttE847keFo1Em2Bm%2F8bv4vK%2FJL0nGIiz%2FatgO7O78LZZ1wkYwcfG5JZAj8VdjDlHQbuOIUz8Nahqt2JUyQ84z3OeH5d3%2BjV8NKW5SjGWQw4mcmjPQXUznoCsysLbjCd5sgZTpyLUdeFJcNKQPiNBURsJeiyCI5llz0j", "api.login.live.com", "https://hybrid-analysis.com/sample/6a8efb46a1811fab955b629b37b5c483a812cc66519436acd726ff2a854f7a86", "Target had endured hired hitman , physical attacks, vehicle attacks, gunpoint", "CnC IP's: 206.189.61.126 \u2022 217.74.65.23 \u2022 46.8.8.100 \u2022 64.190.63.111", "OTX auto populated targeted groups.", "II Wydzia? Karny - S?d Rejonowy w Jeleniej G\u00f3rze 1.htm", "You have no idea where artists get their music or how the 5 main songwriters harvest songs from independent artists", "https://www.googletagmanager.com/gtag/js?id=GT-NNS2QH6C", "https://www.virustotal.com/gui/url/f6db0235760bd467ca822ad515a8410121fde4713501b3e718b8fb127dfa259c?nocache=1", "https://www.findagrave.com/memorial/139047900/peter-deftos", "Using Palantir Foundry tools have created a new false background for Brashears. Should be illegal.", "CS Sigma Rules: Python Initiated Connection by frack113", "apple-dns.net , http://www.pestcontrol-appleton.com/ multiple Apple IoC", "Suspicious New Service Creation (1).yml", "CS Sigma Rules: Suspicious Remote Thread Created by Perez Diego (@darkquassar), oscd.community", "https://vtbehaviour.commondatastorage.googleapis.com/a041cbdeb64c802bde90e06f25213524b2eac500d6000da7e4caeb96e5de1991_VirusTotal%20Droidy.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775191439&Signature=evxsL1kaOuLe5KziYCSqZ56H%2FqXRQgEN0tkJo0j5G7JQ3mmO0Kav5K9LCz%2FUEzi%2BdtB%2B3%2B7VM6r9pC%2BMh7nHxT%2Bs8UAYuVXPE%2FUbBdHWMjvZQuqrZ0hHqIR2xHVB132HiYQWLo%2FgS1QATOfAcHci3X4FqmqvUp7A%2FmNsE1aVFbLc971RHQOuTapOGhiDZlVUyA9KvpMDKw0DzdeHFSlayBSrDDsWL7xW06XOf", "Alerts: procmem_yara injection_inter_process creates_largekey network_bind persistence_autorun injection_process_hollowing", "https://polyswarm.network/scan/results/file/6a8efb46a1811fab955b629b37b5c483a812cc66519436acd726ff2a854f7a86", "stop following, stalking, hacking, talking, modifying, hijacking, threatening, contacting, sending people to harass target, threats", "Alerts: antivm_generic_disk antivm_generic_services suspicious_command_tools anomalous_deletefile", "https://vtbehaviour.commondatastorage.googleapis.com/bc20f137a2281fae2ee13f698e613e72c37f6b4eb6784653f284f11f4d83ba77_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775190236&Signature=Fg7jPZWmHQO%2BH8GRQx%2FxSMq5Na7Oo9cN0HR99DHFY8svYTkPoerGELKx7Sf906aTDq2Rer45ajXeYPzzHTiab9NKqWR1JGHbaq0WapVqsRzvXz2QLuBhHoz50tIoVKnx8ZrN9HqHBQweg8nfN%2FWEoaHVlSgav3jhoNTnZAC%2Fa%2BsTLexjXFBIP2v4jpISAl82ESU%2FGZH64BtZpgIJz7RZXdDqZ3LF7JTgwG2JX94%2BOOSn3G14", "0001c8afa9ca148752e1439140fadb6571b27f455ad1474d85625bcddfb63550", "https://vtbehaviour.commondatastorage.googleapis.com/37efacb8411234dd9882d8d3a8709f492eb2ed252132da099a11be07c0b4ccb0_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775190004&Signature=Nzt9YHY3Ji2VsLO1kvr7%2FyWWwOgo%2BCIoXyjtyshhzTGRxGzhcNdyKU9byPqyv%2F5YAzj%2BmNnDego3ImYeToBCbgyY%2BJJMmUKX6ZrUT1a2O4gv9eMyysIFgYhJ7ZpzyGIvHR5VSJlzPX0AWS81Ml7syDCjTGHikZ9G%2B%2B0cfDA0dhp%2FR7zhAp7yxB2jsDhz1kDY3nncYpjeVtj2o02Nt4JxPa5ML%2FvKBF%2FBHtOtBCqh%2", "Injected: https://www.google.com/search?q=tsara+brashears&prmd=vni&source=lnms&tbm=vid&sa=X&ved=2ahUKEwimqvSyxKrpAhUHTt8KHReZC7wQ_AUoAXoECAsQAQ&biw=375&bih=544&dpr=3/Malicious-Google-Search-Results-False", "http://www.jelenia-gora.sr.gov.pl/ogloszenia-komornicze", "https://vtbehaviour.commondatastorage.googleapis.com/1256f3aa5f091ac40a573113fcc1a4d0e320af5ee363b0eca79618602cb7dc66_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775190083&Signature=a1bnyt5OUcTN8ONeNVqbY%2Fe%2FDVJ2N3olQ9r59dijMLLegF84xQDghj0r6VPdFB8fc%2B3QTcJqhpm6vag1pK9us%2F3UqDJ3Yubf%2FukjL4GMKXDdMSggljB7d%2FpkTraQysnttspVal56LzXitjgIEGYZTidKcIv5LM6YH4zCAXn%2BVueaBNIgpcDS0RuX8fVAQYOeftW9AiEz2TZzx1BT6KUgoj0Tzetn4k541357bb58K1w9n9QV1", "https://www.virustotal.com/gui/collection/18b52f4087178dedfee577ab7e53c5a86e84c2a7f901fa796240247f4be76f32/summary", "http://appleid.icloud.com-website33.org/", "Alerts: deletes_self injection_runpe persistence_ads antisandbox_sleep dead_connect", "https://www.anyxxxtube.net/search-porn/tsara-brashears/" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [ "Lazarus Group Brian Sabey", "Lazarus" ], "malware_families": [ "", "W32.sality.pe", "Relic", "Serwer", "Hacktool", "Alf:spikeaexr.pevpszl", "Ransom:win32/gandcrab.h!mtb", "Trojandropper:win32", "Ransom:msil/gandcrab", "Trojanspy", "Tofsee", "Other malware", "Win.packer.pkr_ce1a-9980177-0", "Virus.win32.virut.q", "Zeus", "Virtool" ], "industries": [ "Technology", "Telecommunications", "Bank", "Government", "Banks", "Entertainment", "Healthcare", "Education", "Crypto" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 15, "pulses": [ { "id": "695089cbedad5c86f39b1363", "name": "Tracking Domains 03.03.26 (Updated Test)", "description": "Privacy Badger - Update on 01.09.26\nTracking domains on a hybrid (mobile laptop) clone of an AHS/Covenant Health, UAlberta (University of Alberta), and Government of Alberta Laptop.\nHealthcare: No Cybersecurity, EDU: No Cybersecurity / Remote only, GoA = Informed & don't quite know what to do or to whom this should be brought up with.", "modified": "2026-04-05T06:35:43.679000", "created": "2025-12-28T01:37:15.993000", "tags": [ "privacy badger", "sites general", "settings widget", "domains manage", "data privacy", "badger", "hide" ], "references": [ "https://hybrid-analysis.com/sample/6a8efb46a1811fab955b629b37b5c483a812cc66519436acd726ff2a854f7a86", "https://yaraify.abuse.ch/scan/results/32bfc760-1757-11f1-b47f-42010aa4000b", "https://polyswarm.network/scan/results/file/6a8efb46a1811fab955b629b37b5c483a812cc66519436acd726ff2a854f7a86", "https://app.threat.zone/submission/c8b0b1e4-0c9b-4210-b5ce-1dc2303445df/overview", "https://www.virustotal.com/gui/collection/18b52f4087178dedfee577ab7e53c5a86e84c2a7f901fa796240247f4be76f32/iocs", "https://www.virustotal.com/gui/collection/18b52f4087178dedfee577ab7e53c5a86e84c2a7f901fa796240247f4be76f32/summary", "https://www.virustotal.com/graph/embed/g6d4bce6162064ac09cd20411c1947e69d7d5a1d475f0447da023ac933d338fce?theme=dark", "https://viz.greynoise.io/ip/analysis/6356f330-63a7-4ce3-91fa-7ab355a1dc1a" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada", "United States of America", "Netherlands" ], "malware_families": [], "attack_ids": [], "industries": [ "Education", "Healthcare", "Government", "Technology", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 50404, "hostname": 10879, "URL": 715, "FileHash-MD5": 1 }, "indicator_count": 61999, "is_author": false, "is_subscribing": null, "subscriber_count": 130, "modified_text": "14 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69cf461ebc1a9bcfbffa2aad", "name": "VirusTotal Droidy Android Sandbox", "description": "Here is the full list of results from the second day of the 2016 Android World Championship, held at 22:00 BST on Tuesday, 1 July.. . and \u00c2\u00a31.\n\ni cant add this one - legacy - http://100tosdefotos.com/", "modified": "2026-04-03T05:08:23.191000", "created": "2026-04-03T04:46:22.211000", "tags": [ "process", "current object", "android sandbox", "europemadrid", "windows sandbox", "clear filters", "has permission", "file type", "apks", "accesses", "sim provider", "name", "may check", "mitre attack", "network info", "malicious", "persistence", "cloud", "chrome cache", "png image", "cache entry", "rgba", "entry", "web open", "font format", "version", "truetype", "next", "detail info", "text", "classname", "window", "static", "behaviour", "filename", "offset", "class", "button", "mozilla", "shell", "nsis", "find", "back", "state", "connecting", "connected", "suspended", "disconnected", "unknown", "shell folders", "default", "inprocserver32", "new roman", "registry keys", "nothing", "shell dlg", "roman baltic186", "roman cyr204", "roman tur162", "xffxfea xffxfea", "xffu xffu", "xffxfcs xffxfcs", "x8af x8af", "xb6p xb6p", "xb6y xb6y", "x88g x88g", "xb6xf2 xb6xf2", "xfft", "xc1xe7 xc1xe7", "axec", "programfiles", "allusersprofile", "windir", "protocol level", "application", "previous", "next connection", "address", "full path", "behavior", "bits", "dump", "path", "calls clear", "eandroidruntime", "pufwifi", "flag", "networkinfo", "action", "extras", "start", "componentname", "write", "calls process", "cname", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "address virtual", "path c", "sha256", "accept", "shutdown", "error", "sandbox", "stack", "win32 exe", "pe32", "intel", "ms windows", "win16 ne", "os2 executable", "generic windos", "executable", "dos executable", "generic", "processes extra", "performs dns", "t1055 process", "overview", "overview zenbox", "verdict", "guest system", "ultimate file", "android", "zip archive", "xapk android", "android package", "java archive", "sweet home", "design", "html document", "unicode text", "utf8 text", "crlf", "lf line", "language", "date mon", "gmt contenttype", "connection", "link", "json", "xlitespeedcache", "reportto", "server", "contentencoding", "cfray", "king88", "ch cng", "c thit", "c bit", "iu hp", "trang ch", "king88 com", "ci ng", "cp s", "c vit", "object", "string", "number", "null", "function", "g5wmgjr5qk4", "cssselector", "regexp", "date", "void", "trident", "mini", "meta", "please", "javascript", "members", "staff", "inspection", "abip", "local broadcast", "newsletter fcc", "resource center", "marshfield high", "school", "localism join", "facebook", "contact", "summer", "grave", "email", "photo", "strong", "peter deftos", "sign", "learn", "memorial", "leave", "problem", "done", "already", "close", "verify", "twitter", "details", "full", "persist", "editorimpl" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/a0fb314babd51dbc460ab126b615da4c6f9481f5d1225d0ac189da9d99923bb3_VirusTotal%20Droidy.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775189779&Signature=KfMCCyf96T3bMlo9SpmV1KGK0zKBbkhhSc6Ig5Hvwfx%2FTKTqEVBDXB28XNeWzWbCRTwCNnYlHV3Ed%2BMjcd%2B1aCTDYi5GH9Qw3msxqk5iKwRhzDIhfpM98SwOLC%2B7xZUAC60ecDmVDsjA9OOwOkJe87q3Rrx2lrU9%2BjuSJ1EdwI16qoJyd29sLcX7STTqAMHuzCjIixIOre64HAjpH4lt%2F8tSgE1A5Rs2V7PRHSX6ibKLD", "https://vtbehaviour.commondatastorage.googleapis.com/a0fb314babd51dbc460ab126b615da4c6f9481f5d1225d0ac189da9d99923bb3_VirusTotal%20R2DBox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775189811&Signature=O96heM5BVAaltXSZInHXgIgK35KjLrLg%2FfKtFXVS%2BoRHTlfpZtn4LpFvolATpK7dED66Ms7SXpn8nX0i7j1IpuDOXOXSm112TOKIKVVPZJH5ppCD6uFYvhkfNcQGa%2FXK%2BDixyM%2BuqwGoJSFD6QzP8J2Iz1GyU4RYYWuB2C7ZD7LOWKlvxF%2F9LTAX8jFDLgFVsE3Og3cU8y3jK%2BenDPthRM6YFu3qewxpti7KVNwKeMJ", "https://vtbehaviour.commondatastorage.googleapis.com/a0fb314babd51dbc460ab126b615da4c6f9481f5d1225d0ac189da9d99923bb3_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775189872&Signature=P%2Fa2KXhuVwj4RO8cyfIpkYofLKzsLiKRPHuVAi7hjApskLh84OqCfKuK51z7bTKZd8lCCiQ7XuIaxWQDR7qzDFvuCWutobNhKDdHSDLrTMtqqX3o5RmBpSzMUw3jQJcbxsYWqaOMHy8ZeWEVRuB9orvLwMZbJMMIJM8GhUVHZ6%2BwciVIoj0lYTCb%2FEEkQWTV4g3hs9l8KRzbEfvJGja6ANuv1OtdFLk8pejrraAJMB7ThsjINOXbJb", "https://vtbehaviour.commondatastorage.googleapis.com/5dae281deccea2c5229861b4f2ff8c386da1726a836839961311896a6c9f5a69_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775189913&Signature=KduKv0QQf8IKhUUAV%2F0zpzpUmIU%2BEctpJKxUJlyu0Myu11iCQCXfXPprtMBAv5ifc4GLTHDiIuEAJwg%2B%2BHGWjun5ZKLKzoz8Ot2udHqFxvy6ZToPEC4Iui9vdRDHqosVaT77R1Tm1TGuyKVmwYTcow4klVAcpzEWanzWx1jHS42ARepJVrS3AFXHMaaBdTgr23jXcbmly1t3b8lwVilcsk2itdoprPpClQTzwYr1y7YV1%2FbYTDGocHnDwCYy", "https://vtbehaviour.commondatastorage.googleapis.com/37efacb8411234dd9882d8d3a8709f492eb2ed252132da099a11be07c0b4ccb0_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775189954&Signature=2gy%2BsyEM78P6orDGWKQU%2FFPSIdVK9X7o8Nkcwb%2BY4r%2FCb%2Bo9JmA9T%2Bfonw9IqbojQSIK%2BNShZUJJ9GV4wWT5l1QfkYfZP0MJ91%2BkDw39PLOc4VVgmBApIQJRTIlgSlI020YfOeIPoIYH8yuCF2dJ32zKg87g0dDFkg4zbExGDJB3%2BGDxX5MJ6hHuzVrwxm7E1L%2F%2FffKQ%2B9rXqoT0hRHEdPSaXSydmnqfMfnjCv", "https://vtbehaviour.commondatastorage.googleapis.com/970fdc4da66bc8fff977698c150fc6ebdf9488356ed41ded52d2659830ec5353_VirusTotal%20Droidy.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775189984&Signature=f%2FZZkKTu5zUihkCuCj%2F0pEGmBjWWBiZRDmREgGkkkKvTyR7M5iC0oLGYfaL6WibiUB6pQirxgBtEcS2JtupD291Or3j7%2BKoyngW7R9uf%2FjjWQwfC5YHKjNutT6K5TYuEmzySVs9onhIBSjj4U%2Bi2q%2FMJmQFiDtFZHfcyy00LYqbAbBwEAUnVJZUdH6FvNBu4ArU26VDLDwv1nMSgEjxUWBCwiP4HXlwL5%2BxU6y0eTc2", "https://vtbehaviour.commondatastorage.googleapis.com/37efacb8411234dd9882d8d3a8709f492eb2ed252132da099a11be07c0b4ccb0_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775190004&Signature=Nzt9YHY3Ji2VsLO1kvr7%2FyWWwOgo%2BCIoXyjtyshhzTGRxGzhcNdyKU9byPqyv%2F5YAzj%2BmNnDego3ImYeToBCbgyY%2BJJMmUKX6ZrUT1a2O4gv9eMyysIFgYhJ7ZpzyGIvHR5VSJlzPX0AWS81Ml7syDCjTGHikZ9G%2B%2B0cfDA0dhp%2FR7zhAp7yxB2jsDhz1kDY3nncYpjeVtj2o02Nt4JxPa5ML%2FvKBF%2FBHtOtBCqh%2", "https://vtbehaviour.commondatastorage.googleapis.com/1256f3aa5f091ac40a573113fcc1a4d0e320af5ee363b0eca79618602cb7dc66_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775190083&Signature=a1bnyt5OUcTN8ONeNVqbY%2Fe%2FDVJ2N3olQ9r59dijMLLegF84xQDghj0r6VPdFB8fc%2B3QTcJqhpm6vag1pK9us%2F3UqDJ3Yubf%2FukjL4GMKXDdMSggljB7d%2FpkTraQysnttspVal56LzXitjgIEGYZTidKcIv5LM6YH4zCAXn%2BVueaBNIgpcDS0RuX8fVAQYOeftW9AiEz2TZzx1BT6KUgoj0Tzetn4k541357bb58K1w9n9QV1", "https://vtbehaviour.commondatastorage.googleapis.com/1256f3aa5f091ac40a573113fcc1a4d0e320af5ee363b0eca79618602cb7dc66_Dr.Web%20vxCube.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775190146&Signature=3XpRLUQ3g712Vw0Gv1aflVxZs7RKpzIhEK8giO9ydwOrOGjLnAK89Y%2BmEf4g2U2YbO04EE%2BcdR5xPgcch1%2B1Gf4thYCgBcbKEEIfNK5UrJwBpAkYRm3D9xsnD%2FVxZt26yLC6aQy87D%2FKNC9aLvViRHGxuFgOp4zkcU%2BRD6mmpIB8SpX5%2BDpocWc4s9R%2BywRPXZ2U2E49g81i%2B5io3Ycqe8ikdjbPlZo9R0KEFLaDQtH", "https://vtbehaviour.commondatastorage.googleapis.com/37efacb8411234dd9882d8d3a8709f492eb2ed252132da099a11be07c0b4ccb0_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775190199&Signature=RiO2p%2BBvc38TqeTuiMJNxoT6Jr3JfHvTQFQIk94ZaRY%2FPP5yEPSH45GncMCh4GqP1%2F%2BNLR2IVm5Z2svEWojLwxq%2Fl0eIAWy1chUQmg2GcEg5YoaEEnXpWjb1er08EIYwV0ZC8parFwVrr194MKeUmZYo5NLYk4%2BCim9ipnxYse12eROsMSXZtyS4daGivzQzihRqTUU9iEn%2FxAKEOI%2F3V8JRrqNy3nDqmo1mdoVr", "https://vtbehaviour.commondatastorage.googleapis.com/bc20f137a2281fae2ee13f698e613e72c37f6b4eb6784653f284f11f4d83ba77_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775190236&Signature=Fg7jPZWmHQO%2BH8GRQx%2FxSMq5Na7Oo9cN0HR99DHFY8svYTkPoerGELKx7Sf906aTDq2Rer45ajXeYPzzHTiab9NKqWR1JGHbaq0WapVqsRzvXz2QLuBhHoz50tIoVKnx8ZrN9HqHBQweg8nfN%2FWEoaHVlSgav3jhoNTnZAC%2Fa%2BsTLexjXFBIP2v4jpISAl82ESU%2FGZH64BtZpgIJz7RZXdDqZ3LF7JTgwG2JX94%2BOOSn3G14", "https://vtbehaviour.commondatastorage.googleapis.com/5dae281deccea2c5229861b4f2ff8c386da1726a836839961311896a6c9f5a69_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775190298&Signature=eEF6m7QHRnKk%2FYB374HxqU2TE0p8gXC9CWwIHPT7M6fEZKjeFUEmUEbqdupsD2hQQbkW%2Fmijo2rSEQ30q3EAyR9aQO3m6L91A6osc3kDipeyZqFrIqoj6wIe8MJGuRf4OC9cVAWipGYXPG5bqc3v6RUHir9MeLOggoGjalexCwBgs3SsGyhqU1uWZdJ%2Fs4nUbHyIJGc3FB9OrnhDRuGPdkfPSOA09hfujcul91zQNws4dznvmM", "https://vtbehaviour.commondatastorage.googleapis.com/a0fb314babd51dbc460ab126b615da4c6f9481f5d1225d0ac189da9d99923bb3_VirusTotal%20Droidy.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775190345&Signature=33%2BM36uNOvEfi8bNtJvnbxcTgcnoIlIO2vBglXpCJFNwC8HAewGOF91Q26TOAsw4sbmtTxQ2F5Q2jv2V3ULV8MAxxgYVptJ69SusRt7qZeBDUpMY%2BOdTYqjkdBuYUqYiCvM756aQheS1KvDepeD64x8e%2FivWkpm%2BZ9yDaKUc7w2143zYkc8kpyBSsO8rJI9vyoHYvbr4sfZOowoUWK7yMjQD9SN5bL%2FFABbMrPEOMyobApm", "https://vtbehaviour.commondatastorage.googleapis.com/06b6d62477011fa63fdb44046351fbe574391916a4f3ea0486b3e3498145a7d7_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775190407&Signature=Y3EAa%2Fwo4ligJHfBUxkzWLjU9FPLyNmsxeNdcPCIPQBYTTGUIaFddrFIYHFhawxMDvixd7uA0qGc0zVDWgbStf2qhTOU1D0aF%2F%2BSLSXEY3VB8oWRXZCEI12zrSd5P4lHInxRS3CJKbNnJP4GvYx20ctpNSo4u%2FvVMLM%2B92TiYCunAVTquDVrFNNim6LJTEz2ucjhcgF2gKn%2FF0f9ALEheC1lk4omwpcYEPQLNX0wNsxNC%2BWQ", "https://vtbehaviour.commondatastorage.googleapis.com/bb46c18b5b2c98937c8fdfb7acd3e0fa4d0534cfc44d4b41ccd6db9198266fbf_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775190605&Signature=Rcvj5v%2By7yAX52ap8q3zDGTMjVRQm1LkjuWyhDQUaO6QXR1Ld%2F1dD2QjluOGOuXNiW%2FMNP%2Bqj%2Bx6KtYCvttE847keFo1Em2Bm%2F8bv4vK%2FJL0nGIiz%2FatgO7O78LZZ1wkYwcfG5JZAj8VdjDlHQbuOIUz8Nahqt2JUyQ84z3OeH5d3%2BjV8NKW5SjGWQw4mcmjPQXUznoCsysLbjCd5sgZTpyLUdeFJcNKQPiNBURsJeiyCI5llz0j", "https://www.googletagmanager.com/gtag/js?id=GT-NNS2QH6C", "https://www.googletagmanager.com/ns.html?id=GTM-PHWTRTJ", "https://www.virustotal.com/gui/url/f6db0235760bd467ca822ad515a8410121fde4713501b3e718b8fb127dfa259c?nocache=1", "https://www.massbroadcasters.org/eeo-organizations/marshfield-high-school", "https://www.findagrave.com/memorial/139047900/peter-deftos", "https://vtbehaviour.commondatastorage.googleapis.com/a041cbdeb64c802bde90e06f25213524b2eac500d6000da7e4caeb96e5de1991_VirusTotal%20Droidy.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775191439&Signature=evxsL1kaOuLe5KziYCSqZ56H%2FqXRQgEN0tkJo0j5G7JQ3mmO0Kav5K9LCz%2FUEzi%2BdtB%2B3%2B7VM6r9pC%2BMh7nHxT%2Bs8UAYuVXPE%2FUbBdHWMjvZQuqrZ0hHqIR2xHVB132HiYQWLo%2FgS1QATOfAcHci3X4FqmqvUp7A%2FmNsE1aVFbLc971RHQOuTapOGhiDZlVUyA9KvpMDKw0DzdeHFSlayBSrDDsWL7xW06XOf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1406", "name": "Obfuscated Files or Information", "display_name": "T1406 - Obfuscated Files or Information" }, { "id": "T1409", "name": "Access Stored Application Data", "display_name": "T1409 - Access Stored Application Data" }, { "id": "T1412", "name": "Capture SMS Messages", "display_name": "T1412 - Capture SMS Messages" }, { "id": "T1413", "name": "Access Sensitive Data in Device Logs", "display_name": "T1413 - Access Sensitive Data in Device Logs" }, { "id": "T1414", "name": "Capture Clipboard Data", "display_name": "T1414 - Capture Clipboard Data" }, { "id": "T1418", "name": "Application Discovery", "display_name": "T1418 - Application Discovery" }, { "id": "T1421", "name": "System Network Connections Discovery", "display_name": "T1421 - System Network Connections Discovery" }, { "id": "T1422", "name": "System Network Configuration Discovery", "display_name": "T1422 - System Network Configuration Discovery" }, { "id": "T1424", "name": "Process Discovery", "display_name": "T1424 - Process Discovery" }, { "id": "T1426", "name": "System Information Discovery", "display_name": "T1426 - System Information Discovery" }, { "id": "T1429", "name": "Capture Audio", "display_name": "T1429 - Capture Audio" }, { "id": "T1430", "name": "Location Tracking", "display_name": "T1430 - Location Tracking" }, { "id": "T1432", "name": "Access Contact List", "display_name": "T1432 - Access Contact List" }, { "id": "T1439", "name": "Eavesdrop on Insecure Network Communication", "display_name": "T1439 - Eavesdrop on Insecure Network Communication" }, { "id": "T1447", "name": "Delete Device Data", "display_name": "T1447 - Delete Device Data" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1507", "name": "Network Information Discovery", "display_name": "T1507 - Network Information Discovery" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1523", "name": "Evade Analysis Environment", "display_name": "T1523 - Evade Analysis Environment" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 70, "FileHash-SHA1": 40, "FileHash-SHA256": 549, "URL": 344, "domain": 292, "hostname": 443, "IPv4": 127 }, "indicator_count": 1865, "is_author": false, "is_subscribing": null, "subscriber_count": 49, "modified_text": "16 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69cf461ceb2e58f5e3c0a44d", "name": "VirusTotal Droidy Android Sandbox", "description": "Here is the full list of results from the second day of the 2016 Android World Championship, held at 22:00 BST on Tuesday, 1 July.. . and \u00c2\u00a31.\n\ni cant add this one - legacy - http://100tosdefotos.com/", "modified": "2026-04-03T04:48:04.475000", "created": "2026-04-03T04:46:20.102000", "tags": [ "process", "current object", "android sandbox", "europemadrid", "windows sandbox", "clear filters", "has permission", "file type", "apks", "accesses", "sim provider", "name", "may check", "mitre attack", "network info", "malicious", "persistence", "cloud", "chrome cache", "png image", "cache entry", "rgba", "entry", "web open", "font format", "version", "truetype", "next", "detail info", "text", "classname", "window", "static", "behaviour", "filename", "offset", "class", "button", "mozilla", "shell", "nsis", "find", "back", "state", "connecting", "connected", "suspended", "disconnected", "unknown", "shell folders", "default", "inprocserver32", "new roman", "registry keys", "nothing", "shell dlg", "roman baltic186", "roman cyr204", "roman tur162", "xffxfea xffxfea", "xffu xffu", "xffxfcs xffxfcs", "x8af x8af", "xb6p xb6p", "xb6y xb6y", "x88g x88g", "xb6xf2 xb6xf2", "xfft", "xc1xe7 xc1xe7", "axec", "programfiles", "allusersprofile", "windir", "protocol level", "application", "previous", "next connection", "address", "full path", "behavior", "bits", "dump", "path", "calls clear", "eandroidruntime", "pufwifi", "flag", "networkinfo", "action", "extras", "start", "componentname", "write", "calls process", "cname", "file size", "mwdb", "bazaar", "sha3384", "ssdeep", "address virtual", "path c", "sha256", "accept", "shutdown", "error", "sandbox", "stack", "win32 exe", "pe32", "intel", "ms windows", "win16 ne", "os2 executable", "generic windos", "executable", "dos executable", "generic", "processes extra", "performs dns", "t1055 process", "overview", "overview zenbox", "verdict", "guest system", "ultimate file", "android", "zip archive", "xapk android", "android package", "java archive", "sweet home", "design", "html document", "unicode text", "utf8 text", "crlf", "lf line", "language", "date mon", "gmt contenttype", "connection", "link", "json", "xlitespeedcache", "reportto", "server", "contentencoding", "cfray", "king88", "ch cng", "c thit", "c bit", "iu hp", "trang ch", "king88 com", "ci ng", "cp s", "c vit", "object", "string", "number", "null", "function", "g5wmgjr5qk4", "cssselector", "regexp", "date", "void", "trident", "mini", "meta", "please", "javascript", "members", "staff", "inspection", "abip", "local broadcast", "newsletter fcc", "resource center", "marshfield high", "school", "localism join", "facebook", "contact", "summer", "grave", "email", "photo", "strong", "peter deftos", "sign", "learn", "memorial", "leave", "problem", "done", "already", "close", "verify", "twitter", "details", "full", "persist", "editorimpl" ], "references": [ "https://vtbehaviour.commondatastorage.googleapis.com/a0fb314babd51dbc460ab126b615da4c6f9481f5d1225d0ac189da9d99923bb3_VirusTotal%20Droidy.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775189779&Signature=KfMCCyf96T3bMlo9SpmV1KGK0zKBbkhhSc6Ig5Hvwfx%2FTKTqEVBDXB28XNeWzWbCRTwCNnYlHV3Ed%2BMjcd%2B1aCTDYi5GH9Qw3msxqk5iKwRhzDIhfpM98SwOLC%2B7xZUAC60ecDmVDsjA9OOwOkJe87q3Rrx2lrU9%2BjuSJ1EdwI16qoJyd29sLcX7STTqAMHuzCjIixIOre64HAjpH4lt%2F8tSgE1A5Rs2V7PRHSX6ibKLD", "https://vtbehaviour.commondatastorage.googleapis.com/a0fb314babd51dbc460ab126b615da4c6f9481f5d1225d0ac189da9d99923bb3_VirusTotal%20R2DBox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775189811&Signature=O96heM5BVAaltXSZInHXgIgK35KjLrLg%2FfKtFXVS%2BoRHTlfpZtn4LpFvolATpK7dED66Ms7SXpn8nX0i7j1IpuDOXOXSm112TOKIKVVPZJH5ppCD6uFYvhkfNcQGa%2FXK%2BDixyM%2BuqwGoJSFD6QzP8J2Iz1GyU4RYYWuB2C7ZD7LOWKlvxF%2F9LTAX8jFDLgFVsE3Og3cU8y3jK%2BenDPthRM6YFu3qewxpti7KVNwKeMJ", "https://vtbehaviour.commondatastorage.googleapis.com/a0fb314babd51dbc460ab126b615da4c6f9481f5d1225d0ac189da9d99923bb3_Zenbox%20android.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775189872&Signature=P%2Fa2KXhuVwj4RO8cyfIpkYofLKzsLiKRPHuVAi7hjApskLh84OqCfKuK51z7bTKZd8lCCiQ7XuIaxWQDR7qzDFvuCWutobNhKDdHSDLrTMtqqX3o5RmBpSzMUw3jQJcbxsYWqaOMHy8ZeWEVRuB9orvLwMZbJMMIJM8GhUVHZ6%2BwciVIoj0lYTCb%2FEEkQWTV4g3hs9l8KRzbEfvJGja6ANuv1OtdFLk8pejrraAJMB7ThsjINOXbJb", "https://vtbehaviour.commondatastorage.googleapis.com/5dae281deccea2c5229861b4f2ff8c386da1726a836839961311896a6c9f5a69_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775189913&Signature=KduKv0QQf8IKhUUAV%2F0zpzpUmIU%2BEctpJKxUJlyu0Myu11iCQCXfXPprtMBAv5ifc4GLTHDiIuEAJwg%2B%2BHGWjun5ZKLKzoz8Ot2udHqFxvy6ZToPEC4Iui9vdRDHqosVaT77R1Tm1TGuyKVmwYTcow4klVAcpzEWanzWx1jHS42ARepJVrS3AFXHMaaBdTgr23jXcbmly1t3b8lwVilcsk2itdoprPpClQTzwYr1y7YV1%2FbYTDGocHnDwCYy", "https://vtbehaviour.commondatastorage.googleapis.com/37efacb8411234dd9882d8d3a8709f492eb2ed252132da099a11be07c0b4ccb0_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775189954&Signature=2gy%2BsyEM78P6orDGWKQU%2FFPSIdVK9X7o8Nkcwb%2BY4r%2FCb%2Bo9JmA9T%2Bfonw9IqbojQSIK%2BNShZUJJ9GV4wWT5l1QfkYfZP0MJ91%2BkDw39PLOc4VVgmBApIQJRTIlgSlI020YfOeIPoIYH8yuCF2dJ32zKg87g0dDFkg4zbExGDJB3%2BGDxX5MJ6hHuzVrwxm7E1L%2F%2FffKQ%2B9rXqoT0hRHEdPSaXSydmnqfMfnjCv", "https://vtbehaviour.commondatastorage.googleapis.com/970fdc4da66bc8fff977698c150fc6ebdf9488356ed41ded52d2659830ec5353_VirusTotal%20Droidy.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775189984&Signature=f%2FZZkKTu5zUihkCuCj%2F0pEGmBjWWBiZRDmREgGkkkKvTyR7M5iC0oLGYfaL6WibiUB6pQirxgBtEcS2JtupD291Or3j7%2BKoyngW7R9uf%2FjjWQwfC5YHKjNutT6K5TYuEmzySVs9onhIBSjj4U%2Bi2q%2FMJmQFiDtFZHfcyy00LYqbAbBwEAUnVJZUdH6FvNBu4ArU26VDLDwv1nMSgEjxUWBCwiP4HXlwL5%2BxU6y0eTc2", "https://vtbehaviour.commondatastorage.googleapis.com/37efacb8411234dd9882d8d3a8709f492eb2ed252132da099a11be07c0b4ccb0_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775190004&Signature=Nzt9YHY3Ji2VsLO1kvr7%2FyWWwOgo%2BCIoXyjtyshhzTGRxGzhcNdyKU9byPqyv%2F5YAzj%2BmNnDego3ImYeToBCbgyY%2BJJMmUKX6ZrUT1a2O4gv9eMyysIFgYhJ7ZpzyGIvHR5VSJlzPX0AWS81Ml7syDCjTGHikZ9G%2B%2B0cfDA0dhp%2FR7zhAp7yxB2jsDhz1kDY3nncYpjeVtj2o02Nt4JxPa5ML%2FvKBF%2FBHtOtBCqh%2", "https://vtbehaviour.commondatastorage.googleapis.com/1256f3aa5f091ac40a573113fcc1a4d0e320af5ee363b0eca79618602cb7dc66_Yomi%20Hunter.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775190083&Signature=a1bnyt5OUcTN8ONeNVqbY%2Fe%2FDVJ2N3olQ9r59dijMLLegF84xQDghj0r6VPdFB8fc%2B3QTcJqhpm6vag1pK9us%2F3UqDJ3Yubf%2FukjL4GMKXDdMSggljB7d%2FpkTraQysnttspVal56LzXitjgIEGYZTidKcIv5LM6YH4zCAXn%2BVueaBNIgpcDS0RuX8fVAQYOeftW9AiEz2TZzx1BT6KUgoj0Tzetn4k541357bb58K1w9n9QV1", "https://vtbehaviour.commondatastorage.googleapis.com/1256f3aa5f091ac40a573113fcc1a4d0e320af5ee363b0eca79618602cb7dc66_Dr.Web%20vxCube.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775190146&Signature=3XpRLUQ3g712Vw0Gv1aflVxZs7RKpzIhEK8giO9ydwOrOGjLnAK89Y%2BmEf4g2U2YbO04EE%2BcdR5xPgcch1%2B1Gf4thYCgBcbKEEIfNK5UrJwBpAkYRm3D9xsnD%2FVxZt26yLC6aQy87D%2FKNC9aLvViRHGxuFgOp4zkcU%2BRD6mmpIB8SpX5%2BDpocWc4s9R%2BywRPXZ2U2E49g81i%2B5io3Ycqe8ikdjbPlZo9R0KEFLaDQtH", "https://vtbehaviour.commondatastorage.googleapis.com/37efacb8411234dd9882d8d3a8709f492eb2ed252132da099a11be07c0b4ccb0_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775190199&Signature=RiO2p%2BBvc38TqeTuiMJNxoT6Jr3JfHvTQFQIk94ZaRY%2FPP5yEPSH45GncMCh4GqP1%2F%2BNLR2IVm5Z2svEWojLwxq%2Fl0eIAWy1chUQmg2GcEg5YoaEEnXpWjb1er08EIYwV0ZC8parFwVrr194MKeUmZYo5NLYk4%2BCim9ipnxYse12eROsMSXZtyS4daGivzQzihRqTUU9iEn%2FxAKEOI%2F3V8JRrqNy3nDqmo1mdoVr", "https://vtbehaviour.commondatastorage.googleapis.com/bc20f137a2281fae2ee13f698e613e72c37f6b4eb6784653f284f11f4d83ba77_Tencent%20HABO.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775190236&Signature=Fg7jPZWmHQO%2BH8GRQx%2FxSMq5Na7Oo9cN0HR99DHFY8svYTkPoerGELKx7Sf906aTDq2Rer45ajXeYPzzHTiab9NKqWR1JGHbaq0WapVqsRzvXz2QLuBhHoz50tIoVKnx8ZrN9HqHBQweg8nfN%2FWEoaHVlSgav3jhoNTnZAC%2Fa%2BsTLexjXFBIP2v4jpISAl82ESU%2FGZH64BtZpgIJz7RZXdDqZ3LF7JTgwG2JX94%2BOOSn3G14", "https://vtbehaviour.commondatastorage.googleapis.com/5dae281deccea2c5229861b4f2ff8c386da1726a836839961311896a6c9f5a69_VirusTotal%20Jujubox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775190298&Signature=eEF6m7QHRnKk%2FYB374HxqU2TE0p8gXC9CWwIHPT7M6fEZKjeFUEmUEbqdupsD2hQQbkW%2Fmijo2rSEQ30q3EAyR9aQO3m6L91A6osc3kDipeyZqFrIqoj6wIe8MJGuRf4OC9cVAWipGYXPG5bqc3v6RUHir9MeLOggoGjalexCwBgs3SsGyhqU1uWZdJ%2Fs4nUbHyIJGc3FB9OrnhDRuGPdkfPSOA09hfujcul91zQNws4dznvmM", "https://vtbehaviour.commondatastorage.googleapis.com/a0fb314babd51dbc460ab126b615da4c6f9481f5d1225d0ac189da9d99923bb3_VirusTotal%20Droidy.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775190345&Signature=33%2BM36uNOvEfi8bNtJvnbxcTgcnoIlIO2vBglXpCJFNwC8HAewGOF91Q26TOAsw4sbmtTxQ2F5Q2jv2V3ULV8MAxxgYVptJ69SusRt7qZeBDUpMY%2BOdTYqjkdBuYUqYiCvM756aQheS1KvDepeD64x8e%2FivWkpm%2BZ9yDaKUc7w2143zYkc8kpyBSsO8rJI9vyoHYvbr4sfZOowoUWK7yMjQD9SN5bL%2FFABbMrPEOMyobApm", "https://vtbehaviour.commondatastorage.googleapis.com/06b6d62477011fa63fdb44046351fbe574391916a4f3ea0486b3e3498145a7d7_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775190407&Signature=Y3EAa%2Fwo4ligJHfBUxkzWLjU9FPLyNmsxeNdcPCIPQBYTTGUIaFddrFIYHFhawxMDvixd7uA0qGc0zVDWgbStf2qhTOU1D0aF%2F%2BSLSXEY3VB8oWRXZCEI12zrSd5P4lHInxRS3CJKbNnJP4GvYx20ctpNSo4u%2FvVMLM%2B92TiYCunAVTquDVrFNNim6LJTEz2ucjhcgF2gKn%2FF0f9ALEheC1lk4omwpcYEPQLNX0wNsxNC%2BWQ", "https://vtbehaviour.commondatastorage.googleapis.com/bb46c18b5b2c98937c8fdfb7acd3e0fa4d0534cfc44d4b41ccd6db9198266fbf_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775190605&Signature=Rcvj5v%2By7yAX52ap8q3zDGTMjVRQm1LkjuWyhDQUaO6QXR1Ld%2F1dD2QjluOGOuXNiW%2FMNP%2Bqj%2Bx6KtYCvttE847keFo1Em2Bm%2F8bv4vK%2FJL0nGIiz%2FatgO7O78LZZ1wkYwcfG5JZAj8VdjDlHQbuOIUz8Nahqt2JUyQ84z3OeH5d3%2BjV8NKW5SjGWQw4mcmjPQXUznoCsysLbjCd5sgZTpyLUdeFJcNKQPiNBURsJeiyCI5llz0j", "https://www.googletagmanager.com/gtag/js?id=GT-NNS2QH6C", "https://www.googletagmanager.com/ns.html?id=GTM-PHWTRTJ", "https://www.virustotal.com/gui/url/f6db0235760bd467ca822ad515a8410121fde4713501b3e718b8fb127dfa259c?nocache=1", "https://www.massbroadcasters.org/eeo-organizations/marshfield-high-school", "https://www.findagrave.com/memorial/139047900/peter-deftos", "https://vtbehaviour.commondatastorage.googleapis.com/a041cbdeb64c802bde90e06f25213524b2eac500d6000da7e4caeb96e5de1991_VirusTotal%20Droidy.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1775191439&Signature=evxsL1kaOuLe5KziYCSqZ56H%2FqXRQgEN0tkJo0j5G7JQ3mmO0Kav5K9LCz%2FUEzi%2BdtB%2B3%2B7VM6r9pC%2BMh7nHxT%2Bs8UAYuVXPE%2FUbBdHWMjvZQuqrZ0hHqIR2xHVB132HiYQWLo%2FgS1QATOfAcHci3X4FqmqvUp7A%2FmNsE1aVFbLc971RHQOuTapOGhiDZlVUyA9KvpMDKw0DzdeHFSlayBSrDDsWL7xW06XOf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1406", "name": "Obfuscated Files or Information", "display_name": "T1406 - Obfuscated Files or Information" }, { "id": "T1409", "name": "Access Stored Application Data", "display_name": "T1409 - Access Stored Application Data" }, { "id": "T1412", "name": "Capture SMS Messages", "display_name": "T1412 - Capture SMS Messages" }, { "id": "T1413", "name": "Access Sensitive Data in Device Logs", "display_name": "T1413 - Access Sensitive Data in Device Logs" }, { "id": "T1414", "name": "Capture Clipboard Data", "display_name": "T1414 - Capture Clipboard Data" }, { "id": "T1418", "name": "Application Discovery", "display_name": "T1418 - Application Discovery" }, { "id": "T1421", "name": "System Network Connections Discovery", "display_name": "T1421 - System Network Connections Discovery" }, { "id": "T1422", "name": "System Network Configuration Discovery", "display_name": "T1422 - System Network Configuration Discovery" }, { "id": "T1424", "name": "Process Discovery", "display_name": "T1424 - Process Discovery" }, { "id": "T1426", "name": "System Information Discovery", "display_name": "T1426 - System Information Discovery" }, { "id": "T1429", "name": "Capture Audio", "display_name": "T1429 - Capture Audio" }, { "id": "T1430", "name": "Location Tracking", "display_name": "T1430 - Location Tracking" }, { "id": "T1432", "name": "Access Contact List", "display_name": "T1432 - Access Contact List" }, { "id": "T1439", "name": "Eavesdrop on Insecure Network Communication", "display_name": "T1439 - Eavesdrop on Insecure Network Communication" }, { "id": "T1447", "name": "Delete Device Data", "display_name": "T1447 - Delete Device Data" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1507", "name": "Network Information Discovery", "display_name": "T1507 - Network Information Discovery" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1523", "name": "Evade Analysis Environment", "display_name": "T1523 - Evade Analysis Environment" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 70, "FileHash-SHA1": 40, "FileHash-SHA256": 549, "URL": 344, "domain": 293, "hostname": 443, "IPv4": 127 }, "indicator_count": 1866, "is_author": false, "is_subscribing": null, "subscriber_count": 49, "modified_text": "16 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6910cafb096eae0dcb39a800", "name": "Lawyers & Lazarus | Apple Spy : Treece Alfrey Musat P.C., Chris P. Ahmann Colorado State \u2022 Tam Legal Special Cousel for egregious", "description": "Chronicles of how quasi government , a State owned criminal defense attorney , protects sexual assaulter Jeffrey Reimer DPT. victim Palantir harassed, withheld healthcare , diagnoses, justice, monetary award for injured, stole insurance policies, hacked Denver artists, sold music her to artists whom profited, hacked Denver music studios, hired stalkers, human, controlled phone , car and everything in targets life including , doctors, attorneys, hospitals. It\u2019s always been clear to coming us that Anonymous and Lazarus are the police, judge , lawyer, ransom racist.\nThis group alone has cost the US billions! Responsible for 2014 Sony hack , FMOE.\nDirect Link. by phone , email in person contact , forced settlement hearing,. Adversarial Christopher P. Ahmann , relationship w / Lazarus group, hitmen , cyber crime and other crimes against persons.\n #rip #christopher_ahmann #palantir #lazarus #target_tsara_brashears", "modified": "2025-12-09T17:03:48.645000", "created": "2025-11-09T17:10:19.498000", "tags": [ "url http", "apple", "california", "apple public", "server rsa", "organization", "stateprovince", "ocsp", "nids united", "files", "united", "unknown ns", "ip address", "domain", "urls files", "passive dns", "found title", "sf hello", "myriad set", "pro myriad", "set lucida", "grande arial", "sf mono", "ipv4", "location united", "america flag", "america asn", "verdict", "files ip", "address", "as42 woodynet", "domain add", "ipv4 add", "reverse dns", "trojan", "name servers", "emails", "for privacy", "ltd dba", "com laude", "servers", "expiration date", "urls", "meta", "a domains", "country code", "store home", "title", "accept", "espaol", "english", "evil corp", "see all", "cyber hack", "republic", "canada", "season", "joe tidy", "sarah rainsford", "podcast", "bank", "ukraine", "dead", "indonesia", "police", "premium", "napoleon", "revolution", "michelangelo", "mozart", "global", "solid", "lazarus", "jabber zeus", "harrods", "ta markmonitor", "markmonitor", "search", "present aug", "unknown aaaa", "unknown soa", "win32", "invalid url", "trojanspy", "mtb apr", "backdoor", "next associated", "win64", "trojandropper", "twitter", "virtool", "ransom", "worm", "dynamicloader", "tlsv1", "high", "globalc", "medium", "windows", "cmd c", "delete c", "stream", "write", "next", "process32nextw", "http host", "dns query", "likely gandcrab", "et trojan", "windows nt", "wow64", "malware", "ms windows", "as16509", "as54113", "yara rule", "pe32 executable", "as15169", "powershell", "unknown", "response ip", "address google", "safe browsing", "hostname add", "port", "destination", "pe32", "intel", "error", "show", "delphi", "dcom", "form", "canvas", "united kingdom", "content type", "security", "moved", "great britain", "unknown a", "body doctype", "html public", "ietfdtd html", "showing", "packing t1045", "bytes", "read", "default", "christoper p ahmann", "target", "victims", "tsara brashears", "url https", "type indicator", "role title", "added active", "related pulses", "p1377925676", "gaz1", "sid1696503456", "present nov", "present oct", "date", "tcpmemhit", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "adversaries", "spawns", "defense evasion", "t1480 execution", "sha256", "sha1", "mitre att", "pattern match", "show technique", "ck matrix", "null", "refresh", "span", "hybrid", "general", "local", "path", "click", "strings", "tools", "look", "verify", "restart", "palantir", "foundry", "hitmen", "quasi", "government contracts", "jeffrey reimer", "hallrender", "workers compensation", "record value", "certificate" ], "references": [ "apple-dns.net , http://www.pestcontrol-appleton.com/ multiple Apple IoC", "https://podcasts.apple.com/us/podcast/the-lazarus-heist/id1561990291", "https://tamlegal.com/attorneys/christopher-p-ahmann/", "bpc-old.palantirfoundry.com", "OTX auto populated targeted groups.", "You have no idea where artists get their music or how the 5 main songwriters harvest songs from independent artists", "Target had endured hired hitman , physical attacks, vehicle attacks, gunpoint", "Assaulter Jeffrey Scott Reimer DPT isn\u2019t worth his monthly salary let alone all of this support", "Using Palantir Foundry tools have created a new false background for Brashears. Should be illegal.", "They blatantly steal from citizens , blame foreign entities.", "This is truly \u2019waste, fraud and abuse\u2019 usually a phrase used by insurance agents." ], "public": 1, "adversary": "Lazarus", "targeted_countries": [ "Bangladesh", "Japan", "United States of America" ], "malware_families": [ { "id": "ALF:SpikeAexR.PEVPSZL", "display_name": "ALF:SpikeAexR.PEVPSZL", "target": null }, { "id": "Ransom:MSIL/GandCrab", "display_name": "Ransom:MSIL/GandCrab", "target": "/malware/Ransom:MSIL/GandCrab" }, { "id": "Zeus", "display_name": "Zeus", "target": null }, { "id": "Ransom:Win32/Gandcrab.H!MTB", "display_name": "Ransom:Win32/Gandcrab.H!MTB", "target": "/malware/Ransom:Win32/Gandcrab.H!MTB" }, { "id": "Other Malware", "display_name": "Other Malware", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" } ], "industries": [ "Banks", "Crypto", "Entertainment", "Bank" ], "TLP": "white", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4572, "FileHash-MD5": 196, "domain": 1523, "hostname": 1393, "FileHash-SHA256": 2400, "FileHash-SHA1": 175, "email": 18, "SSLCertFingerprint": 8 }, "indicator_count": 10285, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "130 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69138a8144a8bf8040a92711", "name": "Lawyers & Lazarus | Apple Spy : Treece Alfrey Musat P.C., Chris P. Ahmann Colorado State \u2022 Tam Legal Special Counsel for egregious criminal acts \u2022 Christopher P. Ahmann attorney at Large", "description": "", "modified": "2025-12-09T17:03:48.645000", "created": "2025-11-11T19:12:01.843000", "tags": [ "url http", "apple", "california", "apple public", "server rsa", "organization", "stateprovince", "ocsp", "nids united", "files", "united", "unknown ns", "ip address", "domain", "urls files", "passive dns", "found title", "sf hello", "myriad set", "pro myriad", "set lucida", "grande arial", "sf mono", "ipv4", "location united", "america flag", "america asn", "verdict", "files ip", "address", "as42 woodynet", "domain add", "ipv4 add", "reverse dns", "trojan", "name servers", "emails", "for privacy", "ltd dba", "com laude", "servers", "expiration date", "urls", "meta", "a domains", "country code", "store home", "title", "accept", "espaol", "english", "evil corp", "see all", "cyber hack", "republic", "canada", "season", "joe tidy", "sarah rainsford", "podcast", "bank", "ukraine", "dead", "indonesia", "police", "premium", "napoleon", "revolution", "michelangelo", "mozart", "global", "solid", "lazarus", "jabber zeus", "harrods", "ta markmonitor", "markmonitor", "search", "present aug", "unknown aaaa", "unknown soa", "win32", "invalid url", "trojanspy", "mtb apr", "backdoor", "next associated", "win64", "trojandropper", "twitter", "virtool", "ransom", "worm", "dynamicloader", "tlsv1", "high", "globalc", "medium", "windows", "cmd c", "delete c", "stream", "write", "next", "process32nextw", "http host", "dns query", "likely gandcrab", "et trojan", "windows nt", "wow64", "malware", "ms windows", "as16509", "as54113", "yara rule", "pe32 executable", "as15169", "powershell", "unknown", "response ip", "address google", "safe browsing", "hostname add", "port", "destination", "pe32", "intel", "error", "show", "delphi", "dcom", "form", "canvas", "united kingdom", "content type", "security", "moved", "great britain", "unknown a", "body doctype", "html public", "ietfdtd html", "showing", "packing t1045", "bytes", "read", "default", "christoper p ahmann", "target", "victims", "tsara brashears", "url https", "type indicator", "role title", "added active", "related pulses", "p1377925676", "gaz1", "sid1696503456", "present nov", "present oct", "date", "tcpmemhit", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "adversaries", "spawns", "defense evasion", "t1480 execution", "sha256", "sha1", "mitre att", "pattern match", "show technique", "ck matrix", "null", "refresh", "span", "hybrid", "general", "local", "path", "click", "strings", "tools", "look", "verify", "restart", "palantir", "foundry", "hitmen", "quasi", "government contracts", "jeffrey reimer", "hallrender", "workers compensation", "record value", "certificate" ], "references": [ "apple-dns.net , http://www.pestcontrol-appleton.com/ multiple Apple IoC", "https://podcasts.apple.com/us/podcast/the-lazarus-heist/id1561990291", "https://tamlegal.com/attorneys/christopher-p-ahmann/", "bpc-old.palantirfoundry.com", "OTX auto populated targeted groups.", "You have no idea where artists get their music or how the 5 main songwriters harvest songs from independent artists", "Target had endured hired hitman , physical attacks, vehicle attacks, gunpoint", "Assaulter Jeffrey Scott Reimer DPT isn\u2019t worth his monthly salary let alone all of this support", "Using Palantir Foundry tools have created a new false background for Brashears. Should be illegal.", "They blatantly steal from citizens , blame foreign entities.", "This is truly \u2019waste, fraud and abuse\u2019 usually a phrase used by insurance agents." ], "public": 1, "adversary": "Lazarus", "targeted_countries": [ "Bangladesh", "Japan", "United States of America" ], "malware_families": [ { "id": "ALF:SpikeAexR.PEVPSZL", "display_name": "ALF:SpikeAexR.PEVPSZL", "target": null }, { "id": "Ransom:MSIL/GandCrab", "display_name": "Ransom:MSIL/GandCrab", "target": "/malware/Ransom:MSIL/GandCrab" }, { "id": "Zeus", "display_name": "Zeus", "target": null }, { "id": "Ransom:Win32/Gandcrab.H!MTB", "display_name": "Ransom:Win32/Gandcrab.H!MTB", "target": "/malware/Ransom:Win32/Gandcrab.H!MTB" }, { "id": "Other Malware", "display_name": "Other Malware", "target": null } ], "attack_ids": [ { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" } ], "industries": [ "Banks", "Crypto", "Entertainment", "Bank" ], "TLP": "white", "cloned_from": "6910cafb096eae0dcb39a800", "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4572, "FileHash-MD5": 196, "domain": 1523, "hostname": 1393, "FileHash-SHA256": 2400, "FileHash-SHA1": 175, "email": 18, "SSLCertFingerprint": 8 }, "indicator_count": 10285, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "130 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67f6c635cb8c3c8b256b6dba", "name": "sdfzsdf.ele fac1ec40eea5a4fc05f17e019328e287", "description": "SHA1- 33008f85428a83996083c3da92a8f00595071403\nSHA256\ncdab1c3196887d4f749d82f014786a966c87f35a7189f0f3d078558b957847bf\nhttps://sandbox.ti.qianxin.com/sandbox/page/detail?type=file&id=7b6726e20c513baebf7fd387a3dd1b7d67a4c7c4\nhttps://ti.qianxin.com/v2/search?type=file&value=fac1ec40eea5a4fc05f17e019328e287\nhttps://www.virustotal.com/gui/file/cdab1c3196887d4f749d82f014786a966c87f35a7189f0f3d078558b957847bf/relations", "modified": "2025-09-01T08:05:17.675000", "created": "2025-04-09T19:10:45.337000", "tags": [ "sha1", "rozmiar", "typ pliku", "win32", "numer wersji", "wersja", "nieznany", "sha512", "crc32", "ssd gboki", "win64", "security", "license v2", "f6 d9", "windows nt", "detects", "gecko", "khtml", "msie", "wow64", "stealer", "error", "userprofile", "hunt", "keylogger", "encrypt", "antivm", "span", "main", "grabber", "hello", "android", "dcrat", "kill", "revengerat", "sandbox", "pass", "chat", "first", "asyncrat", "crypto", "injector", "dropper", "infostealer", "lockfile", "worldwind", "stealerium", "toxiceye", "avemaria", "fast", "persistence", "trojan", "restart", "snakekeylogger", "snake", "accept", "cookie", "code", "killproc", "lazarus", "dearcry", "njrat", "cyrus", "powershell", "info", "body", "floodfix", "downloader", "ransomware", "core", "loki", "fpspy", "klogexe", "firebird", "patch", "explorer", "avkiller", "masslogger", "baldr", "modi rat", "helpme", "osno", "import", "keylog", "screencapture", "ransom", "crypted", "silent", "xorddos", "stormkitty", "ordinal", "locker", "hyperbro", "lamepyre", "parallaxrat", "null", "shurk steal", "arkeistealer", "strongpity", "desktop", "myagent", "bypass", "fatduke", "miniduke", "polyglotduke", "guildma", "spyeye", "corebot", "killmbr", "ooops", "lcpdot", "torisma", "codec", "prometheus", "spook", "crypt", "logger", "zegost", "poshkeylogger", "systembc", "hdlocker", "cryptolocker", "fivehands", "kitty", "goldmax", "rents", "maurigo", "done", "hidewindow", "bokbot", "bladabindi", "darktrack", "darksky", "alien", "karkoff", "inject", "windigo", "rest", "softcnapp", "elysiumstealer", "leivion", "banload", "ultrareach", "ultrasurf", "buterat", "tools", "beasty", "shut", "gravityrat", "fatalrat", "discord", "deadwood", "turian", "markirat", "mark", "klingonrat", "path", "reverserat", "grab", "meta", "voidcrypt", "darkvnc", "ryzerlo", "hiddentear", "boxcaon", "stream", "crimsonrat", "delfi", "infinity", "stealthworker", "gasket", "spoolss", "lu0bot", "target", "attack", "cobaltstrike", "bits", "chaos", "bitcoin", "wiper", "delphi", "slackbot", "neshta", "belarus", "apanas", "runner", "darkcomet", "macoute", "iframe", "vanillarat", "sectoprat", "melt", "tomiris", "apostle", "blackbyte", "kutaki", "override", "windealer", "mkdir", "brbbot", "config", "babylon rat", "spynet", "bazarloader", "clipper", "banker", "gh0st", "piratestealer", "witch", "killme", "vulturi", "tofsee", "slow", "owowa", "flagpro", "write", "dazzlespy", "decryptor", "bandit stealer", "bandit", "darkeye", "recordbreaker", "truebot", "svchost", "clipbanker", "service", "koivm", "arrowrat", "ducktail", "confuser", "gobrat", "modiloader", "chilelocker", "noclose", "strelastealer", "comfoo", "babar", "blankgrabber", "solarmarker", "darkgate", "stub", "banned", "globeimposter", "rhysida", "janelarat", "kraken", "recon", "quiterat", "venomrat", "venom rat", "sapphirestealer", "ntospy", "raccoon", "shifu", "mediapi", "poolrat", "cicada3301", "remoteexec", "babylockerkz", "new service", "creation id", "nextron" ], "references": [ "Windows_Trojan_Tofsee.yar", "Suspicious New Service Creation (1).yml" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 353, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 28, "FileHash-SHA1": 27, "FileHash-SHA256": 1077, "domain": 282, "hostname": 316, "URL": 1092, "YARA": 535, "email": 4 }, "indicator_count": 3361, "is_author": false, "is_subscribing": null, "subscriber_count": 124, "modified_text": "230 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66246ff49ed29ea9bb2bf122", "name": "S\u0105d Rejonowy w Jeleniej Gorze POLAND", "description": "Przechowywania lub dost\u0119pu do plik\u00f3w cookies w Twojej przegl\u0105darce\nhttps://www.virustotal.com/gui/domain/jelenia-gora.sr.gov.pl/relations", "modified": "2025-05-14T21:18:36.989000", "created": "2024-04-21T01:46:28.554000", "tags": [ "jeleniej grze", "aktualnoci", "informacje", "jednostka", "rejonowy", "konkurs", "najczciej", "sd rejonowy", "przejd", "czytaj", "click", "sdzia jarosaw", "wydziau", "sdzia grzegorz", "katarzyna", "rudnicka dane", "kontaktowe sd", "jelenia gra", "mickiewicza", "zawarto", "html", "nazwa meta", "robotw", "telefon", "brak", "skala", "ua zgodna", "head body", "zasb", "cname", "kod odpowiedzi", "kodowanie treci", "wygasa", "gmt serwer", "pragma", "kontrola pamici", "podrcznej", "data", "gmt kontrola", "dostpuzezwl na", "czytaj wicej", "sd okrgowy", "jednostki", "okrgowy", "ogoszenia", "sha256", "vhash", "ssdeep", "https odcisk", "palca jarma", "https dane", "v3 numer", "odcisk palca", "tworzy katalog", "tworzy pliki", "typ pliku", "json", "ascii", "windows", "sqlite", "foxpro fpt", "links typ", "mapa", "152 x", "sqlite w", "sha1", "sha512", "file size", "b file", "testing", "komornik sdowy", "sdzie rejonowym", "tomasz rodacki", "obwieszczenie", "komornicze", "tumacza migam", "tumacz czynny", "zamknite", "wiadczenia", "schedule", "error", "javascript", "bakers hall", "ixaction", "script", "ixchatlauncher", "compatibility", "com dla", "t1055 pewno", "unikanie obrony", "t1036 maskarada", "t1082 pewno", "informacje o", "nazwa pliku", "dokument pdf", "rozmiar pliku", "zapowied", "type", "iii dbt", "utf8", "dziennik" ], "references": [ "S?d Rejonowy w Jeleniej G\u00f3rze.htm", "II Wydzia? Karny - S?d Rejonowy w Jeleniej G\u00f3rze 1.htm", "http://www.jelenia-gora.so.gov.pl/", "https://www.jelenia-gora.so.gov.pl/", "http://www.jelenia-gora.sr.gov.pl/ogloszenia-komornicze", "https://tlumacz.migam.org/sad_rejonowy_jelenia_gora", "https://www.jelenia-gora.sr.gov.pl/spacer", "https://waf.intelix.pl/957476/Chat/Script/Compatibility" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "", "display_name": "", "target": null }, { "id": "serwer", "display_name": "serwer", "target": null } ], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "email": 71, "domain": 7651, "hostname": 7680, "IPv4": 331, "FileHash-SHA256": 16168, "URL": 10399, "FileHash-MD5": 3639, "FileHash-SHA1": 3468, "CIDR": 4, "CVE": 89, "YARA": 521, "SSLCertFingerprint": 25, "JA3": 1, "IPv6": 5813 }, "indicator_count": 55860, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "339 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "674afb83c67ff4443e9f953a", "name": "PolymodXT.exe", "description": "", "modified": "2025-05-14T21:18:19.590000", "created": "2024-11-30T11:48:19.052000", "tags": [ "file", "flagi", "process sha256", "process disc", "pathway z", "identyfikator", "zawiera moliwo", "klucz", "zawiera", "wybierz", "nie mona", "przechowywanie", "haso", "obiekt", "cig uid", "zilla", "enumerate", "defender", "pragma", "security", "license v2", "ff ff", "fc e8", "f8 ff", "fc ff", "c9 c3", "e4 f8", "cc cc", "fc eb", "confuserex mod", "aspirecrypt", "detects", "reactor", "beds protector", "ps2exe", "bsjb", "boxedapp", "cyaxsharp", "cyaxpng", "smartassembly", "koivm", "confuserex", "obfuscator", "aspack", "titan", "enigma", "vmprotect", "strings", "rlpack", "antiem", "antisb", "themida", "loader", "sality", "dnguard", "windows nt", "gecko", "khtml", "msie", "wow64", "stealer", "win64", "error", "userprofile", "keylogger", "encrypt", "antivm", "span", "main", "grabber", "hello", "android", "dcrat", "win32", "kill", "revengerat", "sandbox", "pass", "chat", "first", "asyncrat", "crypto", "injector", "dropper", "infostealer", "lockfile", "worldwind", "stealerium", "toxiceye", "avemaria", "fast", "persistence", "trojan", "restart", "snakekeylogger", "snake", "accept", "cookie", "code", "killproc", "lazarus", "dearcry", "njrat", "cyrus", "powershell", "info", "body", "floodfix", "downloader", "ransomware", "core", "loki", "fpspy", "klogexe", "firebird", "patch", "explorer", "avkiller", "masslogger", "baldr", "modi rat", "helpme", "osno", "import", "keylog", "screencapture", "ransom", "crypted", "silent", "xorddos", "stormkitty", "ordinal", "locker", "hyperbro", "lamepyre", "parallaxrat", "null", "shurk steal", "arkeistealer", "strongpity", "desktop", "myagent", "bypass", "fatduke", "miniduke", "polyglotduke", "guildma", "spyeye", "corebot", "killmbr", "ooops", "lcpdot", "torisma", "codec", "prometheus", "spook", "crypt", "logger", "zegost", "poshkeylogger", "systembc", "hdlocker", "cryptolocker", "fivehands", "kitty", "goldmax", "rents", "maurigo", "done", "hidewindow", "bokbot", "bladabindi", "darktrack", "darksky", "alien", "karkoff", "inject", "windigo", "rest", "softcnapp", "elysiumstealer", "leivion", "banload", "ultrareach", "ultrasurf", "buterat", "tools", "beasty", "shut", "gravityrat", "fatalrat", "discord", "deadwood", "turian", "markirat", "mark", "klingonrat", "path", "reverserat", "grab", "meta", "voidcrypt", "darkvnc", "ryzerlo", "hiddentear", "boxcaon", "stream", "crimsonrat", "delfi", "infinity", "stealthworker", "gasket", "spoolss", "lu0bot", "target", "attack", "cobaltstrike", "bits", "chaos", "bitcoin", "wiper", "delphi", "slackbot", "neshta", "belarus", "apanas", "runner", "darkcomet", "macoute", "iframe", "vanillarat", "sectoprat", "melt", "tomiris", "apostle", "blackbyte", "kutaki", "override", "windealer", "mkdir", "brbbot", "config", "babylon rat", "spynet", "bazarloader", "clipper", "banker", "gh0st", "piratestealer", "witch", "killme", "vulturi", "tofsee", "slow", "owowa", "flagpro", "write", "dazzlespy", "decryptor", "bandit stealer", "bandit", "darkeye", "recordbreaker", "truebot", "svchost", "clipbanker", "service", "arrowrat", "ducktail", "confuser", "gobrat", "modiloader", "chilelocker", "noclose", "strelastealer", "comfoo", "babar", "blankgrabber", "solarmarker", "darkgate", "stub", "banned", "globeimposter", "rhysida", "janelarat", "kraken", "recon", "quiterat", "venomrat", "venom rat", "sapphirestealer", "ntospy", "raccoon", "shifu", "mediapi", "poolrat", "cicada3301", "remoteexec" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 528, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 414, "FileHash-SHA1": 410, "FileHash-SHA256": 1940, "URL": 171, "hostname": 56, "domain": 134, "YARA": 759, "email": 4 }, "indicator_count": 3888, "is_author": false, "is_subscribing": null, "subscriber_count": 122, "modified_text": "339 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67cb982432751ed32fd0404b", "name": "Svchost id: 16c37b52-b141-42a5-a3ea-bbe098444397", "description": "The following rules for the Windows.Trojan.Tofsee malware have been revealed by the BBC's Panorama programme and are subject to a review by BBC Newsnight and BBC Radio 5 live.", "modified": "2025-05-14T21:10:44.900000", "created": "2025-03-08T01:06:44.421000", "tags": [ "vhash", "authentihash", "ssdeep", "rticon serbian", "arabic libya", "ico rtgroupicon", "serbian arabic", "libya", "windows nt", "detects", "gecko", "khtml", "msie", "wow64", "stealer", "win64", "error", "userprofile", "hunt", "keylogger", "encrypt", "antivm", "span", "main", "grabber", "hello", "android", "dcrat", "win32", "kill", "revengerat", "sandbox", "pass", "chat", "first", "asyncrat", "crypto", "injector", "dropper", "infostealer", "lockfile", "worldwind", "stealerium", "toxiceye", "avemaria", "fast", "persistence", "trojan", "restart", "snakekeylogger", "snake", "accept", "cookie", "code", "killproc", "lazarus", "dearcry", "njrat", "cyrus", "powershell", "info", "body", "floodfix", "downloader", "ransomware", "core", "loki", "fpspy", "klogexe", "firebird", "patch", "explorer", "avkiller", "masslogger", "baldr", "modi rat", "helpme", "osno", "import", "keylog", "screencapture", "ransom", "crypted", "silent", "xorddos", "stormkitty", "ordinal", "locker", "hyperbro", "lamepyre", "parallaxrat", "null", "shurk steal", "arkeistealer", "strongpity", "desktop", "myagent", "bypass", "fatduke", "miniduke", "polyglotduke", "guildma", "spyeye", "corebot", "killmbr", "ooops", "lcpdot", "torisma", "codec", "prometheus", "spook", "crypt", "logger", "zegost", "poshkeylogger", "systembc", "hdlocker", "cryptolocker", "fivehands", "kitty", "goldmax", "rents", "maurigo", "done", "hidewindow", "bokbot", "bladabindi", "darktrack", "darksky", "alien", "karkoff", "inject", "windigo", "rest", "softcnapp", "elysiumstealer", "leivion", "banload", "ultrareach", "ultrasurf", "buterat", "tools", "beasty", "shut", "gravityrat", "fatalrat", "discord", "deadwood", "turian", "markirat", "mark", "klingonrat", "path", "reverserat", "grab", "meta", "voidcrypt", "darkvnc", "ryzerlo", "hiddentear", "boxcaon", "stream", "crimsonrat", "delfi", "infinity", "stealthworker", "gasket", "spoolss", "lu0bot", "target", "attack", "cobaltstrike", "bits", "chaos", "bitcoin", "wiper", "delphi", "slackbot", "neshta", "belarus", "apanas", "runner", "darkcomet", "macoute", "iframe", "vanillarat", "sectoprat", "melt", "tomiris", "apostle", "blackbyte", "kutaki", "override", "windealer", "mkdir", "brbbot", "config", "babylon rat", "spynet", "bazarloader", "clipper", "banker", "gh0st", "piratestealer", "witch", "killme", "vulturi", "tofsee", "slow", "owowa", "flagpro", "write", "dazzlespy", "decryptor", "bandit stealer", "bandit", "darkeye", "recordbreaker", "truebot", "svchost", "clipbanker", "service", "koivm", "arrowrat", "ducktail", "confuser", "gobrat", "modiloader", "chilelocker", "noclose", "strelastealer", "comfoo", "babar", "blankgrabber", "solarmarker", "darkgate", "stub", "banned", "globeimposter", "rhysida", "janelarat", "kraken", "recon", "quiterat", "venomrat", "venom rat", "sapphirestealer", "ntospy", "raccoon", "shifu", "mediapi", "poolrat", "cicada3301", "remoteexec", "security", "license v2", "f6 d9", "sha256", "imphasz", "externalnet", "homenet", "unreachable", "imageendswith", "example", "imagestartswith", "files", "sandbox author", "securityuserid", "windows upgrade", "k netsvcs", "defender", "update", "code integrity", "checks id", "detects code", "thomas patzke", "filessophos", "outbound smtp", "connections id", "smtp", "david burkett", "signalblur", "commandline", "svchost parent", "process id", "roth", "nextron", "service binary", "system", "automatic", "manual", "filter fp", "avast software", "new service", "creation id" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1048", "name": "Exfiltration Over Alternative Protocol", "display_name": "T1048 - Exfiltration Over Alternative Protocol" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 168, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Arek-BTC", "id": "212764", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 39, "FileHash-SHA1": 28, "FileHash-SHA256": 1065, "URL": 984, "YARA": 535, "domain": 262, "email": 4, "hostname": 316 }, "indicator_count": 3233, "is_author": false, "is_subscribing": null, "subscriber_count": 124, "modified_text": "339 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "66be22943d7192063b953f75", "name": "Unsupported Browser - WordPress.com Brian Sabey Pornography Injection via thebrotherssabey[.]com for Jeffrey Scott Reimer DPT - Lazarus Group related", "description": "Brian Sabey Pornography via thebrotherssabey WordPress. Mark Brian Sabey, M. Brian Sabey, Brian Sabey, The Brothers Sabey is the the said name of relentless cyber attacker. Lazarus Group related. Tsara Brashears has been a victim of his abuse for a decade. He and whoever he works for have been responsible for relentless cyber warfare of a critical nature, in person stalking, violence, countless property damage, theft, cameras installation, hitmen attacks and an assault within 6 week span. Brian Sabey Social engineered target by email, phone, check scam, cyber attacks on music studios, and business, lawsuit representing Jeffrey Reimer and more likely Eva Lisa Reimer. An alleged judge dismissed his case. Reimer & Sabey settled for a pittance as Brashears needed spine surgery, This is crazy.", "modified": "2024-10-14T18:03:35.631000", "created": "2024-08-15T15:45:24.143000", "tags": [ "browser", "helaas", "bekijk", "url https", "all scoreblue", "report spam", "output", "tsara brashears", "minutes ago", "amber a", "continue", "view", "unsupported", "browser", "javascript", "next", "download", "videos maps", "images news", "please", "google search", "watch", "tsara", "any", "quality", "any source", "videos", "dynamicloader", "yara rule", "ids detections", "yara detections", "contacted", "high", "pyinstaller", "dynamic", "medium", "data", "powershell", "tofsee", "windows", "sha256", "less see", "stream", "copy", "grum", "m417", "lazarus", "elisa", "brian sabey", "thebrotherssabey", "e lisa", "installs", "windows startup", "google", "yandex", "microsoft", "baidu", "baidu spider", "yandex spider", "apple", "android", "meta", "facebook", "cybercrime", "cyber warfare", "hitmen", "malware", "malvertising", "pornography", "pornhub" ], "references": [ "https://thebrotherssabey.wordpress.com/wp-admin/customize.php?url=https://thebrotherssabey.wordpress.com/", "Injected: https://www.google.com/search?q=tsara+brashears&prmd=vni&source=lnms&tbm=vid&sa=X&ved=2ahUKEwimqvSyxKrpAhUHTt8KHReZC7wQ_AUoAXoECAsQAQ&biw=375&bih=544&dpr=3/Malicious-Google-Search-Results-False", "Antivirus Detections: Win.Packer.pkr_ce1a-9980177-0", "IDS Detections: Win32/Tofsee.AX google.com connectivity check", "Alerts: procmem_yara injection_inter_process creates_largekey network_bind persistence_autorun injection_process_hollowing", "Alerts: persistence_autorun_tasks spawns_dev_util cape_detected_threat deletes_executed_files suricata_alert", "Alerts: antivm_generic_disk antivm_generic_services suspicious_command_tools anomalous_deletefile", "Alerts: deletes_self injection_runpe persistence_ads antisandbox_sleep dead_connect", "Brian Sabey Jeffrey Scott Reimer DPT Eva Lisa Reimer RN & Quasi Government Insurance companies unwilling to pay for critical assault injuries SCI", "http://schemas.microsoft.com/SMI/2016/WindowsSettings" ], "public": 1, "adversary": "Lazarus Group Brian Sabey", "targeted_countries": [ "United States of America", "Finland", "France", "Croatia", "United Kingdom of Great Britain and Northern Ireland", "Spain" ], "malware_families": [ { "id": "Win.Packer.pkr_ce1a-9980177-0", "display_name": "Win.Packer.pkr_ce1a-9980177-0", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" }, { "id": "T1055.003", "name": "Thread Execution Hijacking", "display_name": "T1055.003 - Thread Execution Hijacking" }, { "id": "T1122", "name": "Component Object Model Hijacking", "display_name": "T1122 - Component Object Model Hijacking" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1428", "name": "Exploit Enterprise Resources", "display_name": "T1428 - Exploit Enterprise Resources" }, { "id": "T1445", "name": "Abuse of iOS Enterprise App Signing Key", "display_name": "T1445 - Abuse of iOS Enterprise App Signing Key" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 289, "hostname": 70, "FileHash-MD5": 125, "FileHash-SHA1": 124, "FileHash-SHA256": 242, "domain": 59, "FilePath": 1 }, "indicator_count": 910, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "551 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "coinbase.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "coinbase.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1776611781.6624444 }