{
  "type": "Domain",
  "indicator": "foundry.com",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/foundry.com",
    "alexa": "http://www.alexa.com/siteinfo/foundry.com",
    "indicator": "foundry.com",
    "type": "domain",
    "type_title": "Domain",
    "validation": [
      {
        "source": "majestic",
        "message": "Whitelisted domain foundry.com",
        "name": "Whitelisted domain"
      }
    ],
    "base_indicator": {
      "id": 4086503801,
      "indicator": "foundry.com",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 5,
      "pulses": [
        {
          "id": "69f3dd264e217e3724abedd7",
          "name": "CAPE Sandbox - powershell unsigned trust bypass affects arpa and msedge update",
          "description": "File is not signed-Microsoft Corporation. All rights reserved.\nProduct\nMicrosoft\u00ae Windows\u00ae Operating System\nDescription\nWindows PowerShell\nOriginal Name\nPowerShell.EXE\nInternal Name\nPOWERSHELL\nFile Version\n10.0.19041.546 (WinBuild.160101.0800)\nrefer to belasco chain or broken seal\nclient does not have windows included is others windows [exe] that appear to have a false flag origin with US wordpress roots.",
          "modified": "2026-05-01T07:12:00.987000",
          "created": "2026-04-30T22:52:22.813000",
          "tags": [
            "31community",
            "35business",
            "cid1",
            "youtube https",
            "cohasset",
            "meta tags",
            "home category0",
            "home themecolor",
            "script tags"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1010",
              "name": "Application Window Discovery",
              "display_name": "T1010 - Application Window Discovery"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1070",
              "name": "Indicator Removal on Host",
              "display_name": "T1070 - Indicator Removal on Host"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            },
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            },
            {
              "id": "T1014",
              "name": "Rootkit",
              "display_name": "T1014 - Rootkit"
            },
            {
              "id": "T1047",
              "name": "Windows Management Instrumentation",
              "display_name": "T1047 - Windows Management Instrumentation"
            },
            {
              "id": "T1203",
              "name": "Exploitation for Client Execution",
              "display_name": "T1203 - Exploitation for Client Execution"
            },
            {
              "id": "T1485",
              "name": "Data Destruction",
              "display_name": "T1485 - Data Destruction"
            },
            {
              "id": "T1496",
              "name": "Resource Hijacking",
              "display_name": "T1496 - Resource Hijacking"
            },
            {
              "id": "T1542",
              "name": "Pre-OS Boot",
              "display_name": "T1542 - Pre-OS Boot"
            },
            {
              "id": "T1564",
              "name": "Hide Artifacts",
              "display_name": "T1564 - Hide Artifacts"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 1,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "IPv4": 104,
            "FileHash-MD5": 237,
            "FileHash-SHA1": 226,
            "FileHash-SHA256": 940,
            "URL": 213,
            "hostname": 197,
            "domain": 139
          },
          "indicator_count": 2056,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 65,
          "modified_text": "28 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69f3dd29978345cc0033cdec",
          "name": "CAPE Sandbox - powershell unsigned trust bypass affects arpa and msedge update",
          "description": "File is not signed-Microsoft Corporation. All rights reserved.\nProduct\nMicrosoft\u00ae Windows\u00ae Operating System\nDescription\nWindows PowerShell\nOriginal Name\nPowerShell.EXE\nInternal Name\nPOWERSHELL\nFile Version\n10.0.19041.546 (WinBuild.160101.0800)\nrefer to belasco chain or broken seal\nclient does not have windows",
          "modified": "2026-05-01T02:00:55.943000",
          "created": "2026-04-30T22:52:25.691000",
          "tags": [
            "31community",
            "35business",
            "cid1",
            "youtube https",
            "cohasset",
            "meta tags",
            "home category0",
            "home themecolor",
            "script tags"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1010",
              "name": "Application Window Discovery",
              "display_name": "T1010 - Application Window Discovery"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1070",
              "name": "Indicator Removal on Host",
              "display_name": "T1070 - Indicator Removal on Host"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            },
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            },
            {
              "id": "T1014",
              "name": "Rootkit",
              "display_name": "T1014 - Rootkit"
            },
            {
              "id": "T1047",
              "name": "Windows Management Instrumentation",
              "display_name": "T1047 - Windows Management Instrumentation"
            },
            {
              "id": "T1203",
              "name": "Exploitation for Client Execution",
              "display_name": "T1203 - Exploitation for Client Execution"
            },
            {
              "id": "T1485",
              "name": "Data Destruction",
              "display_name": "T1485 - Data Destruction"
            },
            {
              "id": "T1496",
              "name": "Resource Hijacking",
              "display_name": "T1496 - Resource Hijacking"
            },
            {
              "id": "T1542",
              "name": "Pre-OS Boot",
              "display_name": "T1542 - Pre-OS Boot"
            },
            {
              "id": "T1564",
              "name": "Hide Artifacts",
              "display_name": "T1564 - Hide Artifacts"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "IPv4": 189,
            "FileHash-MD5": 718,
            "FileHash-SHA1": 428,
            "FileHash-SHA256": 1579,
            "URL": 720,
            "hostname": 612,
            "domain": 210,
            "email": 4
          },
          "indicator_count": 4460,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 65,
          "modified_text": "28 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69f30ef4033560d49d39ac55",
          "name": "VirusTotal report\n                    for executable.exe",
          "description": "[security firm has developed a tool that can automatically identify a Wi-Fi password and make it easy to access it via the net. and use it to create a secure log-in system.] <remote, .net, failed cryptographic validation chains cause this.",
          "modified": "2026-05-01T00:23:53.383000",
          "created": "2026-04-30T08:12:36.771000",
          "tags": [
            "wifi password",
            "joe security",
            "nextron",
            "new run",
            "key pointing",
            "run key",
            "roth",
            "markus neis",
            "sander wiebing",
            "poudel",
            "public",
            "appdata"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1003",
              "name": "OS Credential Dumping",
              "display_name": "T1003 - OS Credential Dumping"
            },
            {
              "id": "T1005",
              "name": "Data from Local System",
              "display_name": "T1005 - Data from Local System"
            },
            {
              "id": "T1010",
              "name": "Application Window Discovery",
              "display_name": "T1010 - Application Window Discovery"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1095",
              "name": "Non-Application Layer Protocol",
              "display_name": "T1095 - Non-Application Layer Protocol"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1218",
              "name": "Signed Binary Proxy Execution",
              "display_name": "T1218 - Signed Binary Proxy Execution"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1552",
              "name": "Unsecured Credentials",
              "display_name": "T1552 - Unsecured Credentials"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "msudosos",
            "id": "381696",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 1069,
            "FileHash-SHA1": 868,
            "FileHash-SHA256": 2783,
            "IPv4": 588,
            "URL": 764,
            "hostname": 756,
            "domain": 293,
            "IPv6": 58,
            "email": 44,
            "CVE": 44
          },
          "indicator_count": 7267,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 66,
          "modified_text": "28 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "6872f4c510c590b7cdc5ff6a",
          "name": "Crowdsourced Collection of PayPal Mafia Monster - Foundry\u2019s Palantair",
          "description": "Americans are investing in what Edward Snowden foretold of\u2026 your future from beginning to end will  predict how you will be treated. Preemptively policing people even if you have to make up a past.. |\n\nThe New York Times\nMay 30, 2025 \u2014 The Trump administration has expanded Palantir's work with the government, spreading the company's technology \u2014 which could easily merge data on ...\nFormer Palantir workers condemn company's work with ...\n\nNPR\nMay 5, 2025 \u2014 Thirteen former employees of influential data-mining firm Palantir are condemning the company's work with the Trump administration.\nWyden AOC Palantir Letter 061725\n\nSenate Finance (.gov)\nJun 17, 2025 \u2014 The Trump Administration has spent taxpayer dollars on Palantir software at numerous other government agencies and paid it billions of dollars ...\n#foundry #rip #palantir #jeffreyreimerdpt #lawenforcement #twitter #tsarabrashearsblessed #apple #privacynow #fightforprivacy #sabey #hallrender",
          "modified": "2025-08-11T23:02:24.583000",
          "created": "2025-07-12T23:50:29.847000",
          "tags": [
            "url https",
            "url http",
            "type indicator",
            "role title",
            "added active",
            "related pulses",
            "entries",
            "indicator role",
            "title added",
            "active related",
            "pulses",
            "enter source",
            "urior exirag",
            "diri type",
            "data upload",
            "extraction",
            "failed",
            "included iocs",
            "review iocs",
            "find sugge",
            "extr extract",
            "in data",
            "extract",
            "type",
            "u extractio",
            "extra",
            "review ic",
            "ipv4",
            "pulses hostname",
            "accountunlock",
            "united",
            "ireland",
            "canada",
            "brazil",
            "sweden",
            "australia",
            "search",
            "scan",
            "iocs",
            "learn more",
            "filehashsha1",
            "filehashmd5",
            "types of",
            "extra data",
            "included review",
            "china",
            "colombia",
            "filepath https",
            "enter sc",
            "extr data",
            "include review",
            "exclude sugges",
            "filehashsha256",
            "hostname",
            "dicators japan",
            "url tor",
            "extrac data",
            "ic excluded",
            "suggeste",
            "stop",
            "type no",
            "no entrie",
            "included",
            "review locc",
            "excluded data",
            "sc data",
            "extri data",
            "includec review",
            "exclude data",
            "suggested",
            "se extra",
            "suggest",
            "manaiv add",
            "indicator",
            "review lace",
            "extri",
            "find s",
            "typ no",
            "no entdi",
            "ous u",
            "dron aew",
            "avtrat",
            "extre data",
            "manually",
            "add indicator",
            "pulses url",
            "url url",
            "typ host",
            "host url",
            "include",
            "z6911541",
            "extraction fail",
            "enter souf",
            "s type",
            "ur extraction",
            "extraction data",
            "jul all",
            "pulse data",
            "report external",
            "review",
            "extre please",
            "se extraction",
            "report spam",
            "all t8",
            "firmip",
            "bofa",
            "wikileaks",
            "tmobile",
            "dish",
            "capture",
            "cookie",
            "enter s",
            "please sub",
            "include outroov",
            "excludel sugges",
            "extra please",
            "high priority",
            "alerts ids",
            "priority alerts",
            "cnc beacon",
            "winver",
            "digitalmistica",
            "november",
            "pulse",
            "palantir",
            "foundry twitter",
            "arkei stealer",
            "config",
            "install",
            "downloader",
            "cidr",
            "domain",
            "indicators hong",
            "kong",
            "ukraine",
            "status no",
            "object",
            "unruy",
            "http",
            "remote",
            "keylogger",
            "foundry created",
            "days ago",
            "white keylogger",
            "apple",
            "foundry tech",
            "mafia",
            "t1045",
            "packing",
            "t1060",
            "run keys",
            "startup",
            "folder",
            "t1457",
            "showing",
            "types",
            "indicators show",
            "dicator role",
            "tsara brashears",
            "tsara",
            "porn",
            "porn videos",
            "pornhub https",
            "searchtsar",
            "watch tsara",
            "most relevant",
            "open threat",
            "green",
            "love",
            "daily",
            "videos",
            "free porn",
            "hybrid analysis",
            "falcon sandbox",
            "top tsara",
            "brashears porn",
            "stream",
            "spice",
            "download",
            "hybrid",
            "njrat",
            "threat network",
            "https",
            "created",
            "years ago",
            "modified",
            "months ago",
            "tinynote",
            "douglas county",
            "co sheriff",
            "office",
            "pegasus attacks",
            "sa victim",
            "octoseek public",
            "white",
            "excludedocs",
            "sugges",
            "stop data",
            "tsara lynn",
            "brashears les",
            "lynn brashears",
            "translate",
            "pornhub page",
            "emotet",
            "se review",
            "typ url",
            "dom hos",
            "hostname data",
            "harmful",
            "octoseekpulse",
            "attacks sa",
            "bandit stealer",
            "flubot",
            "agent tesla",
            "qbot",
            "qakbot",
            "ursnif",
            "azorult",
            "djvu",
            "hacktool",
            "maze",
            "dark",
            "linux",
            "android10",
            "khtml",
            "costcpc",
            "userosandroid",
            "bannerid2738231",
            "india",
            "enter so",
            "please subr",
            "suggest data",
            "netherlands",
            "russia",
            "america malware",
            "families",
            "sc type",
            "please",
            "show",
            "url data",
            "fanec",
            "include failed",
            "review exclude",
            "extre",
            "includea",
            "exclude toosrou",
            "sugges data",
            "typ data",
            "information",
            "cobalt strike",
            "ransomexx",
            "quackbot",
            "comspec",
            "span",
            "idn1",
            "sendimage0",
            "refts0",
            "include data",
            "uny inuuue",
            "fileh fileh",
            "exclude suggest",
            "uniy",
            "type fileh",
            "extr please",
            "ineluderc\u0660",
            "review data",
            "excludedlocs"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1043",
              "name": "Commonly Used Port",
              "display_name": "T1043 - Commonly Used Port"
            },
            {
              "id": "T1051",
              "name": "Shared Webroot",
              "display_name": "T1051 - Shared Webroot"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1060",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1060 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1068",
              "name": "Exploitation for Privilege Escalation",
              "display_name": "T1068 - Exploitation for Privilege Escalation"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1080",
              "name": "Taint Shared Content",
              "display_name": "T1080 - Taint Shared Content"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1085",
              "name": "Rundll32",
              "display_name": "T1085 - Rundll32"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1114",
              "name": "Email Collection",
              "display_name": "T1114 - Email Collection"
            },
            {
              "id": "T1119",
              "name": "Automated Collection",
              "display_name": "T1119 - Automated Collection"
            },
            {
              "id": "T1123",
              "name": "Audio Capture",
              "display_name": "T1123 - Audio Capture"
            },
            {
              "id": "T1125",
              "name": "Video Capture",
              "display_name": "T1125 - Video Capture"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1143",
              "name": "Hidden Window",
              "display_name": "T1143 - Hidden Window"
            },
            {
              "id": "T1155",
              "name": "AppleScript",
              "display_name": "T1155 - AppleScript"
            },
            {
              "id": "T1179",
              "name": "Hooking",
              "display_name": "T1179 - Hooking"
            },
            {
              "id": "T1190",
              "name": "Exploit Public-Facing Application",
              "display_name": "T1190 - Exploit Public-Facing Application"
            },
            {
              "id": "T1210",
              "name": "Exploitation of Remote Services",
              "display_name": "T1210 - Exploitation of Remote Services"
            },
            {
              "id": "T1449",
              "name": "Exploit SS7 to Redirect Phone Calls/SMS",
              "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
            },
            {
              "id": "T1457",
              "name": "Malicious Media Content",
              "display_name": "T1457 - Malicious Media Content"
            },
            {
              "id": "T1472",
              "name": "Generate Fraudulent Advertising Revenue",
              "display_name": "T1472 - Generate Fraudulent Advertising Revenue"
            },
            {
              "id": "T1506",
              "name": "Web Session Cookie",
              "display_name": "T1506 - Web Session Cookie"
            },
            {
              "id": "T1512",
              "name": "Capture Camera",
              "display_name": "T1512 - Capture Camera"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1583",
              "name": "Acquire Infrastructure",
              "display_name": "T1583 - Acquire Infrastructure"
            },
            {
              "id": "T1586",
              "name": "Compromise Accounts",
              "display_name": "T1586 - Compromise Accounts"
            },
            {
              "id": "T1598",
              "name": "Phishing for Information",
              "display_name": "T1598 - Phishing for Information"
            },
            {
              "id": "T1045",
              "name": "Software Packing",
              "display_name": "T1045 - Software Packing"
            },
            {
              "id": "T1110",
              "name": "Brute Force",
              "display_name": "T1110 - Brute Force"
            },
            {
              "id": "T1133",
              "name": "External Remote Services",
              "display_name": "T1133 - External Remote Services"
            },
            {
              "id": "T1005",
              "name": "Data from Local System",
              "display_name": "T1005 - Data from Local System"
            },
            {
              "id": "T1035",
              "name": "Service Execution",
              "display_name": "T1035 - Service Execution"
            },
            {
              "id": "T1065",
              "name": "Uncommonly Used Port",
              "display_name": "T1065 - Uncommonly Used Port"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1041",
              "name": "Exfiltration Over C2 Channel",
              "display_name": "T1041 - Exfiltration Over C2 Channel"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1546",
              "name": "Event Triggered Execution",
              "display_name": "T1546 - Event Triggered Execution"
            },
            {
              "id": "T1588",
              "name": "Obtain Capabilities",
              "display_name": "T1588 - Obtain Capabilities"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 58,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 12679,
            "domain": 1134,
            "hostname": 3543,
            "FileHash-MD5": 251,
            "email": 7,
            "FileHash-SHA256": 1927,
            "FileHash-SHA1": 232,
            "CVE": 1,
            "CIDR": 1,
            "URI": 1
          },
          "indicator_count": 19776,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 144,
          "modified_text": "290 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "686e17b1ac7253ec7e12f1e8",
          "name": "FT Adviser | Foundry - platform.twitter.com + Apple + T-Mobile",
          "description": "FT Adviser | Foundry - platform.twitter.com + Apple + T-Mobile | ImFurther investigation of familiar IoC\u2019s  in Tethering T-mobile to iOS research. \n\nPalantir is the the Cyber Defense Firm that provides the weapons, man force, military, false arrest records ,reputation damage, the man who drove her off the road, constant stalking and the marketing of her music in other media.\n Realize this hot stock you\u2019re investing is a domestic and international terrorist organization.  There are several\nPeople here being 24/7/365 monitored.\nThey have fulfillment centers from Amazon and can provide food to medicine, they have the entire military, all\ngovernment contracts and their own physicians. \n\n#malware #foundry #rip #palantir # twitter #paypalmafia  #quasi #government # workerscompensation #law_enforcement # #jeffreyreimer #sabey #tsarabrashearslivesinourhearts",
          "modified": "2025-08-08T06:00:40.325000",
          "created": "2025-07-09T07:18:09.062000",
          "tags": [
            "present jun",
            "united",
            "status",
            "present may",
            "present sep",
            "search",
            "date",
            "entries",
            "trojan",
            "name servers",
            "ransom",
            "twitter",
            "redacted for",
            "showing",
            "passive dns",
            "urls",
            "softlayer",
            "internet",
            "encrypt",
            "record value",
            "body",
            "service",
            "russia",
            "spain",
            "germany",
            "netherlands",
            "aaaa",
            "france",
            "virtool",
            "creation date",
            "expiration date",
            "servers",
            "hostname add",
            "pulse pulses",
            "files",
            "present aug",
            "ip address",
            "applenoc",
            "unknown ns",
            "next associated",
            "urls show",
            "date checked",
            "url hostname",
            "server response",
            "unknown aaaa",
            "secure server",
            "msie",
            "chrome",
            "moved",
            "title",
            "gmt content",
            "type",
            "pulse submit",
            "http",
            "hostname",
            "files domain",
            "files related",
            "pulses otx",
            "pulses",
            "related tags",
            "google safe",
            "indicator role",
            "title added",
            "active related",
            "url https",
            "dynamicloader",
            "write c",
            "windows nt",
            "wow64",
            "slcc2",
            "media center",
            "html",
            "as15169",
            "write",
            "xport",
            "copy",
            "guard",
            "malware",
            "suspicious",
            "next",
            "extraction",
            "data upload",
            "failed",
            "extri data",
            "include review",
            "exclude",
            "sugges",
            "stop x",
            "s data",
            "extr data",
            "extraction data",
            "enter soudcetdi",
            "ad tevdag",
            "cadad ad",
            "draie",
            "extri include",
            "review",
            "done",
            "levelblue",
            "exclude sugges",
            "uny inuuue",
            "find s",
            "typ hos",
            "script urls",
            "canada unknown",
            "script domains",
            "a domains"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 12,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Q.Vashti",
            "id": "337942",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 181,
            "FileHash-SHA1": 154,
            "FileHash-SHA256": 1857,
            "domain": 1424,
            "email": 13,
            "hostname": 1304,
            "URL": 4168,
            "CVE": 1,
            "SSLCertFingerprint": 4
          },
          "indicator_count": 9106,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 143,
          "modified_text": "294 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": []
        },
        "other": {
          "adversary": [],
          "malware_families": [],
          "industries": []
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 5,
  "pulses": [
    {
      "id": "69f3dd264e217e3724abedd7",
      "name": "CAPE Sandbox - powershell unsigned trust bypass affects arpa and msedge update",
      "description": "File is not signed-Microsoft Corporation. All rights reserved.\nProduct\nMicrosoft\u00ae Windows\u00ae Operating System\nDescription\nWindows PowerShell\nOriginal Name\nPowerShell.EXE\nInternal Name\nPOWERSHELL\nFile Version\n10.0.19041.546 (WinBuild.160101.0800)\nrefer to belasco chain or broken seal\nclient does not have windows included is others windows [exe] that appear to have a false flag origin with US wordpress roots.",
      "modified": "2026-05-01T07:12:00.987000",
      "created": "2026-04-30T22:52:22.813000",
      "tags": [
        "31community",
        "35business",
        "cid1",
        "youtube https",
        "cohasset",
        "meta tags",
        "home category0",
        "home themecolor",
        "script tags"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1010",
          "name": "Application Window Discovery",
          "display_name": "T1010 - Application Window Discovery"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1070",
          "name": "Indicator Removal on Host",
          "display_name": "T1070 - Indicator Removal on Host"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1095",
          "name": "Non-Application Layer Protocol",
          "display_name": "T1095 - Non-Application Layer Protocol"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1574",
          "name": "Hijack Execution Flow",
          "display_name": "T1574 - Hijack Execution Flow"
        },
        {
          "id": "T1003",
          "name": "OS Credential Dumping",
          "display_name": "T1003 - OS Credential Dumping"
        },
        {
          "id": "T1012",
          "name": "Query Registry",
          "display_name": "T1012 - Query Registry"
        },
        {
          "id": "T1014",
          "name": "Rootkit",
          "display_name": "T1014 - Rootkit"
        },
        {
          "id": "T1047",
          "name": "Windows Management Instrumentation",
          "display_name": "T1047 - Windows Management Instrumentation"
        },
        {
          "id": "T1203",
          "name": "Exploitation for Client Execution",
          "display_name": "T1203 - Exploitation for Client Execution"
        },
        {
          "id": "T1485",
          "name": "Data Destruction",
          "display_name": "T1485 - Data Destruction"
        },
        {
          "id": "T1496",
          "name": "Resource Hijacking",
          "display_name": "T1496 - Resource Hijacking"
        },
        {
          "id": "T1542",
          "name": "Pre-OS Boot",
          "display_name": "T1542 - Pre-OS Boot"
        },
        {
          "id": "T1564",
          "name": "Hide Artifacts",
          "display_name": "T1564 - Hide Artifacts"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 1,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "IPv4": 104,
        "FileHash-MD5": 237,
        "FileHash-SHA1": 226,
        "FileHash-SHA256": 940,
        "URL": 213,
        "hostname": 197,
        "domain": 139
      },
      "indicator_count": 2056,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 65,
      "modified_text": "28 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69f3dd29978345cc0033cdec",
      "name": "CAPE Sandbox - powershell unsigned trust bypass affects arpa and msedge update",
      "description": "File is not signed-Microsoft Corporation. All rights reserved.\nProduct\nMicrosoft\u00ae Windows\u00ae Operating System\nDescription\nWindows PowerShell\nOriginal Name\nPowerShell.EXE\nInternal Name\nPOWERSHELL\nFile Version\n10.0.19041.546 (WinBuild.160101.0800)\nrefer to belasco chain or broken seal\nclient does not have windows",
      "modified": "2026-05-01T02:00:55.943000",
      "created": "2026-04-30T22:52:25.691000",
      "tags": [
        "31community",
        "35business",
        "cid1",
        "youtube https",
        "cohasset",
        "meta tags",
        "home category0",
        "home themecolor",
        "script tags"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1010",
          "name": "Application Window Discovery",
          "display_name": "T1010 - Application Window Discovery"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1070",
          "name": "Indicator Removal on Host",
          "display_name": "T1070 - Indicator Removal on Host"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1095",
          "name": "Non-Application Layer Protocol",
          "display_name": "T1095 - Non-Application Layer Protocol"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        },
        {
          "id": "T1573",
          "name": "Encrypted Channel",
          "display_name": "T1573 - Encrypted Channel"
        },
        {
          "id": "T1574",
          "name": "Hijack Execution Flow",
          "display_name": "T1574 - Hijack Execution Flow"
        },
        {
          "id": "T1003",
          "name": "OS Credential Dumping",
          "display_name": "T1003 - OS Credential Dumping"
        },
        {
          "id": "T1012",
          "name": "Query Registry",
          "display_name": "T1012 - Query Registry"
        },
        {
          "id": "T1014",
          "name": "Rootkit",
          "display_name": "T1014 - Rootkit"
        },
        {
          "id": "T1047",
          "name": "Windows Management Instrumentation",
          "display_name": "T1047 - Windows Management Instrumentation"
        },
        {
          "id": "T1203",
          "name": "Exploitation for Client Execution",
          "display_name": "T1203 - Exploitation for Client Execution"
        },
        {
          "id": "T1485",
          "name": "Data Destruction",
          "display_name": "T1485 - Data Destruction"
        },
        {
          "id": "T1496",
          "name": "Resource Hijacking",
          "display_name": "T1496 - Resource Hijacking"
        },
        {
          "id": "T1542",
          "name": "Pre-OS Boot",
          "display_name": "T1542 - Pre-OS Boot"
        },
        {
          "id": "T1564",
          "name": "Hide Artifacts",
          "display_name": "T1564 - Hide Artifacts"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "IPv4": 189,
        "FileHash-MD5": 718,
        "FileHash-SHA1": 428,
        "FileHash-SHA256": 1579,
        "URL": 720,
        "hostname": 612,
        "domain": 210,
        "email": 4
      },
      "indicator_count": 4460,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 65,
      "modified_text": "28 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69f30ef4033560d49d39ac55",
      "name": "VirusTotal report\n                    for executable.exe",
      "description": "[security firm has developed a tool that can automatically identify a Wi-Fi password and make it easy to access it via the net. and use it to create a secure log-in system.] <remote, .net, failed cryptographic validation chains cause this.",
      "modified": "2026-05-01T00:23:53.383000",
      "created": "2026-04-30T08:12:36.771000",
      "tags": [
        "wifi password",
        "joe security",
        "nextron",
        "new run",
        "key pointing",
        "run key",
        "roth",
        "markus neis",
        "sander wiebing",
        "poudel",
        "public",
        "appdata"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1003",
          "name": "OS Credential Dumping",
          "display_name": "T1003 - OS Credential Dumping"
        },
        {
          "id": "T1005",
          "name": "Data from Local System",
          "display_name": "T1005 - Data from Local System"
        },
        {
          "id": "T1010",
          "name": "Application Window Discovery",
          "display_name": "T1010 - Application Window Discovery"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1053",
          "name": "Scheduled Task/Job",
          "display_name": "T1053 - Scheduled Task/Job"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1095",
          "name": "Non-Application Layer Protocol",
          "display_name": "T1095 - Non-Application Layer Protocol"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1218",
          "name": "Signed Binary Proxy Execution",
          "display_name": "T1218 - Signed Binary Proxy Execution"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1552",
          "name": "Unsecured Credentials",
          "display_name": "T1552 - Unsecured Credentials"
        },
        {
          "id": "T1562",
          "name": "Impair Defenses",
          "display_name": "T1562 - Impair Defenses"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "msudosos",
        "id": "381696",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 1069,
        "FileHash-SHA1": 868,
        "FileHash-SHA256": 2783,
        "IPv4": 588,
        "URL": 764,
        "hostname": 756,
        "domain": 293,
        "IPv6": 58,
        "email": 44,
        "CVE": 44
      },
      "indicator_count": 7267,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 66,
      "modified_text": "28 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "6872f4c510c590b7cdc5ff6a",
      "name": "Crowdsourced Collection of PayPal Mafia Monster - Foundry\u2019s Palantair",
      "description": "Americans are investing in what Edward Snowden foretold of\u2026 your future from beginning to end will  predict how you will be treated. Preemptively policing people even if you have to make up a past.. |\n\nThe New York Times\nMay 30, 2025 \u2014 The Trump administration has expanded Palantir's work with the government, spreading the company's technology \u2014 which could easily merge data on ...\nFormer Palantir workers condemn company's work with ...\n\nNPR\nMay 5, 2025 \u2014 Thirteen former employees of influential data-mining firm Palantir are condemning the company's work with the Trump administration.\nWyden AOC Palantir Letter 061725\n\nSenate Finance (.gov)\nJun 17, 2025 \u2014 The Trump Administration has spent taxpayer dollars on Palantir software at numerous other government agencies and paid it billions of dollars ...\n#foundry #rip #palantir #jeffreyreimerdpt #lawenforcement #twitter #tsarabrashearsblessed #apple #privacynow #fightforprivacy #sabey #hallrender",
      "modified": "2025-08-11T23:02:24.583000",
      "created": "2025-07-12T23:50:29.847000",
      "tags": [
        "url https",
        "url http",
        "type indicator",
        "role title",
        "added active",
        "related pulses",
        "entries",
        "indicator role",
        "title added",
        "active related",
        "pulses",
        "enter source",
        "urior exirag",
        "diri type",
        "data upload",
        "extraction",
        "failed",
        "included iocs",
        "review iocs",
        "find sugge",
        "extr extract",
        "in data",
        "extract",
        "type",
        "u extractio",
        "extra",
        "review ic",
        "ipv4",
        "pulses hostname",
        "accountunlock",
        "united",
        "ireland",
        "canada",
        "brazil",
        "sweden",
        "australia",
        "search",
        "scan",
        "iocs",
        "learn more",
        "filehashsha1",
        "filehashmd5",
        "types of",
        "extra data",
        "included review",
        "china",
        "colombia",
        "filepath https",
        "enter sc",
        "extr data",
        "include review",
        "exclude sugges",
        "filehashsha256",
        "hostname",
        "dicators japan",
        "url tor",
        "extrac data",
        "ic excluded",
        "suggeste",
        "stop",
        "type no",
        "no entrie",
        "included",
        "review locc",
        "excluded data",
        "sc data",
        "extri data",
        "includec review",
        "exclude data",
        "suggested",
        "se extra",
        "suggest",
        "manaiv add",
        "indicator",
        "review lace",
        "extri",
        "find s",
        "typ no",
        "no entdi",
        "ous u",
        "dron aew",
        "avtrat",
        "extre data",
        "manually",
        "add indicator",
        "pulses url",
        "url url",
        "typ host",
        "host url",
        "include",
        "z6911541",
        "extraction fail",
        "enter souf",
        "s type",
        "ur extraction",
        "extraction data",
        "jul all",
        "pulse data",
        "report external",
        "review",
        "extre please",
        "se extraction",
        "report spam",
        "all t8",
        "firmip",
        "bofa",
        "wikileaks",
        "tmobile",
        "dish",
        "capture",
        "cookie",
        "enter s",
        "please sub",
        "include outroov",
        "excludel sugges",
        "extra please",
        "high priority",
        "alerts ids",
        "priority alerts",
        "cnc beacon",
        "winver",
        "digitalmistica",
        "november",
        "pulse",
        "palantir",
        "foundry twitter",
        "arkei stealer",
        "config",
        "install",
        "downloader",
        "cidr",
        "domain",
        "indicators hong",
        "kong",
        "ukraine",
        "status no",
        "object",
        "unruy",
        "http",
        "remote",
        "keylogger",
        "foundry created",
        "days ago",
        "white keylogger",
        "apple",
        "foundry tech",
        "mafia",
        "t1045",
        "packing",
        "t1060",
        "run keys",
        "startup",
        "folder",
        "t1457",
        "showing",
        "types",
        "indicators show",
        "dicator role",
        "tsara brashears",
        "tsara",
        "porn",
        "porn videos",
        "pornhub https",
        "searchtsar",
        "watch tsara",
        "most relevant",
        "open threat",
        "green",
        "love",
        "daily",
        "videos",
        "free porn",
        "hybrid analysis",
        "falcon sandbox",
        "top tsara",
        "brashears porn",
        "stream",
        "spice",
        "download",
        "hybrid",
        "njrat",
        "threat network",
        "https",
        "created",
        "years ago",
        "modified",
        "months ago",
        "tinynote",
        "douglas county",
        "co sheriff",
        "office",
        "pegasus attacks",
        "sa victim",
        "octoseek public",
        "white",
        "excludedocs",
        "sugges",
        "stop data",
        "tsara lynn",
        "brashears les",
        "lynn brashears",
        "translate",
        "pornhub page",
        "emotet",
        "se review",
        "typ url",
        "dom hos",
        "hostname data",
        "harmful",
        "octoseekpulse",
        "attacks sa",
        "bandit stealer",
        "flubot",
        "agent tesla",
        "qbot",
        "qakbot",
        "ursnif",
        "azorult",
        "djvu",
        "hacktool",
        "maze",
        "dark",
        "linux",
        "android10",
        "khtml",
        "costcpc",
        "userosandroid",
        "bannerid2738231",
        "india",
        "enter so",
        "please subr",
        "suggest data",
        "netherlands",
        "russia",
        "america malware",
        "families",
        "sc type",
        "please",
        "show",
        "url data",
        "fanec",
        "include failed",
        "review exclude",
        "extre",
        "includea",
        "exclude toosrou",
        "sugges data",
        "typ data",
        "information",
        "cobalt strike",
        "ransomexx",
        "quackbot",
        "comspec",
        "span",
        "idn1",
        "sendimage0",
        "refts0",
        "include data",
        "uny inuuue",
        "fileh fileh",
        "exclude suggest",
        "uniy",
        "type fileh",
        "extr please",
        "ineluderc\u0660",
        "review data",
        "excludedlocs"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1043",
          "name": "Commonly Used Port",
          "display_name": "T1043 - Commonly Used Port"
        },
        {
          "id": "T1051",
          "name": "Shared Webroot",
          "display_name": "T1051 - Shared Webroot"
        },
        {
          "id": "T1053",
          "name": "Scheduled Task/Job",
          "display_name": "T1053 - Scheduled Task/Job"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1056",
          "name": "Input Capture",
          "display_name": "T1056 - Input Capture"
        },
        {
          "id": "T1060",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1060 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1068",
          "name": "Exploitation for Privilege Escalation",
          "display_name": "T1068 - Exploitation for Privilege Escalation"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1080",
          "name": "Taint Shared Content",
          "display_name": "T1080 - Taint Shared Content"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1085",
          "name": "Rundll32",
          "display_name": "T1085 - Rundll32"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1114",
          "name": "Email Collection",
          "display_name": "T1114 - Email Collection"
        },
        {
          "id": "T1119",
          "name": "Automated Collection",
          "display_name": "T1119 - Automated Collection"
        },
        {
          "id": "T1123",
          "name": "Audio Capture",
          "display_name": "T1123 - Audio Capture"
        },
        {
          "id": "T1125",
          "name": "Video Capture",
          "display_name": "T1125 - Video Capture"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1143",
          "name": "Hidden Window",
          "display_name": "T1143 - Hidden Window"
        },
        {
          "id": "T1155",
          "name": "AppleScript",
          "display_name": "T1155 - AppleScript"
        },
        {
          "id": "T1179",
          "name": "Hooking",
          "display_name": "T1179 - Hooking"
        },
        {
          "id": "T1190",
          "name": "Exploit Public-Facing Application",
          "display_name": "T1190 - Exploit Public-Facing Application"
        },
        {
          "id": "T1210",
          "name": "Exploitation of Remote Services",
          "display_name": "T1210 - Exploitation of Remote Services"
        },
        {
          "id": "T1449",
          "name": "Exploit SS7 to Redirect Phone Calls/SMS",
          "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
        },
        {
          "id": "T1457",
          "name": "Malicious Media Content",
          "display_name": "T1457 - Malicious Media Content"
        },
        {
          "id": "T1472",
          "name": "Generate Fraudulent Advertising Revenue",
          "display_name": "T1472 - Generate Fraudulent Advertising Revenue"
        },
        {
          "id": "T1506",
          "name": "Web Session Cookie",
          "display_name": "T1506 - Web Session Cookie"
        },
        {
          "id": "T1512",
          "name": "Capture Camera",
          "display_name": "T1512 - Capture Camera"
        },
        {
          "id": "T1566",
          "name": "Phishing",
          "display_name": "T1566 - Phishing"
        },
        {
          "id": "T1583",
          "name": "Acquire Infrastructure",
          "display_name": "T1583 - Acquire Infrastructure"
        },
        {
          "id": "T1586",
          "name": "Compromise Accounts",
          "display_name": "T1586 - Compromise Accounts"
        },
        {
          "id": "T1598",
          "name": "Phishing for Information",
          "display_name": "T1598 - Phishing for Information"
        },
        {
          "id": "T1045",
          "name": "Software Packing",
          "display_name": "T1045 - Software Packing"
        },
        {
          "id": "T1110",
          "name": "Brute Force",
          "display_name": "T1110 - Brute Force"
        },
        {
          "id": "T1133",
          "name": "External Remote Services",
          "display_name": "T1133 - External Remote Services"
        },
        {
          "id": "T1005",
          "name": "Data from Local System",
          "display_name": "T1005 - Data from Local System"
        },
        {
          "id": "T1035",
          "name": "Service Execution",
          "display_name": "T1035 - Service Execution"
        },
        {
          "id": "T1065",
          "name": "Uncommonly Used Port",
          "display_name": "T1065 - Uncommonly Used Port"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1041",
          "name": "Exfiltration Over C2 Channel",
          "display_name": "T1041 - Exfiltration Over C2 Channel"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1106",
          "name": "Native API",
          "display_name": "T1106 - Native API"
        },
        {
          "id": "T1546",
          "name": "Event Triggered Execution",
          "display_name": "T1546 - Event Triggered Execution"
        },
        {
          "id": "T1588",
          "name": "Obtain Capabilities",
          "display_name": "T1588 - Obtain Capabilities"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 58,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Q.Vashti",
        "id": "337942",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 12679,
        "domain": 1134,
        "hostname": 3543,
        "FileHash-MD5": 251,
        "email": 7,
        "FileHash-SHA256": 1927,
        "FileHash-SHA1": 232,
        "CVE": 1,
        "CIDR": 1,
        "URI": 1
      },
      "indicator_count": 19776,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 144,
      "modified_text": "290 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "686e17b1ac7253ec7e12f1e8",
      "name": "FT Adviser | Foundry - platform.twitter.com + Apple + T-Mobile",
      "description": "FT Adviser | Foundry - platform.twitter.com + Apple + T-Mobile | ImFurther investigation of familiar IoC\u2019s  in Tethering T-mobile to iOS research. \n\nPalantir is the the Cyber Defense Firm that provides the weapons, man force, military, false arrest records ,reputation damage, the man who drove her off the road, constant stalking and the marketing of her music in other media.\n Realize this hot stock you\u2019re investing is a domestic and international terrorist organization.  There are several\nPeople here being 24/7/365 monitored.\nThey have fulfillment centers from Amazon and can provide food to medicine, they have the entire military, all\ngovernment contracts and their own physicians. \n\n#malware #foundry #rip #palantir # twitter #paypalmafia  #quasi #government # workerscompensation #law_enforcement # #jeffreyreimer #sabey #tsarabrashearslivesinourhearts",
      "modified": "2025-08-08T06:00:40.325000",
      "created": "2025-07-09T07:18:09.062000",
      "tags": [
        "present jun",
        "united",
        "status",
        "present may",
        "present sep",
        "search",
        "date",
        "entries",
        "trojan",
        "name servers",
        "ransom",
        "twitter",
        "redacted for",
        "showing",
        "passive dns",
        "urls",
        "softlayer",
        "internet",
        "encrypt",
        "record value",
        "body",
        "service",
        "russia",
        "spain",
        "germany",
        "netherlands",
        "aaaa",
        "france",
        "virtool",
        "creation date",
        "expiration date",
        "servers",
        "hostname add",
        "pulse pulses",
        "files",
        "present aug",
        "ip address",
        "applenoc",
        "unknown ns",
        "next associated",
        "urls show",
        "date checked",
        "url hostname",
        "server response",
        "unknown aaaa",
        "secure server",
        "msie",
        "chrome",
        "moved",
        "title",
        "gmt content",
        "type",
        "pulse submit",
        "http",
        "hostname",
        "files domain",
        "files related",
        "pulses otx",
        "pulses",
        "related tags",
        "google safe",
        "indicator role",
        "title added",
        "active related",
        "url https",
        "dynamicloader",
        "write c",
        "windows nt",
        "wow64",
        "slcc2",
        "media center",
        "html",
        "as15169",
        "write",
        "xport",
        "copy",
        "guard",
        "malware",
        "suspicious",
        "next",
        "extraction",
        "data upload",
        "failed",
        "extri data",
        "include review",
        "exclude",
        "sugges",
        "stop x",
        "s data",
        "extr data",
        "extraction data",
        "enter soudcetdi",
        "ad tevdag",
        "cadad ad",
        "draie",
        "extri include",
        "review",
        "done",
        "levelblue",
        "exclude sugges",
        "uny inuuue",
        "find s",
        "typ hos",
        "script urls",
        "canada unknown",
        "script domains",
        "a domains"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 12,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Q.Vashti",
        "id": "337942",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 181,
        "FileHash-SHA1": 154,
        "FileHash-SHA256": 1857,
        "domain": 1424,
        "email": 13,
        "hostname": 1304,
        "URL": 4168,
        "CVE": 1,
        "SSLCertFingerprint": 4
      },
      "indicator_count": 9106,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 143,
      "modified_text": "294 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "foundry.com",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "foundry.com",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780092896.5743322
}