{ "type": "Domain", "indicator": "funfetty.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/funfetty.com", "alexa": "http://www.alexa.com/siteinfo/funfetty.com", "indicator": "funfetty.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4152424702, "indicator": "funfetty.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 5, "pulses": [ { "id": "695ea667a062ed6688b104ab", "name": "Frost Security | Attorneys | Government | Crazy | Stop Tampering ", "description": "", "modified": "2026-01-07T18:31:03.104000", "created": "2026-01-07T18:31:03.104000", "tags": [ "active", "type win32", "exe size", "first seen", "malicious avg", "win32", "gdata", "dynamicloader", "fe ff", "high", "write c", "data", "x00bx00", "uswv", "write", "redline", "stream", "guard", "malware", "push", "local", "crazyfrost", "adversarial", "hacker", "extraction", "enter sc", "data upload", "extre data", "included iocs", "url http", "url https", "include review", "exclude sugges", "frost security", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "contacted hosts", "ip address", "process details", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "spawns", "defense evasion", "t1480 execution", "signing defense", "united", "flag", "contacted", "http traffic", "file defense", "mitre att", "ck techniques", "evasion att", "belize", "div div", "passive dns", "link", "ipv4 add", "url analysis", "urls", "files", "meta", "ddos", "indicators show", "search", "type indicator", "role title", "added active", "related pulses", "hostname", "types", "hosanna", "x show", "ck ids", "t1060", "run keys", "startup", "folder", "t1036", "capture", "cookie", "palantir", "indicator role", "active related", "description", "trump supporter", "types of", "germany", "china", "netherlands", "https", "notice", "billions", "stop", "boobs130432 no", "expiration", "location poland", "asn as29522", "learn more", "domain", "foundry", "hallrender", "brian sabey", "tam legal", "christopher p ahmann", "palantir", "quasi government", "pentagon" ], "references": [ "http://www.crazyfrost.com/wp-content/uploads/2011/01/%D0%BA%D0%BE%D0%BB%D0%BB%D0%B0%D0%B68.jpg\t URL", "http://frostsecurity.net/frost/driver/ \u2022 http://frostsecurity.net/frost/frostupdater/", "https://tamlegal.com/attorneys/christopher-p-ahmann/", "https://www.hallrender.com/attorney/brian-sabey/Accept", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "http://mypornvid.com/videos/27/x510fb2/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears/caillou-finger-family", "http://vtwctr.org/explore/tsara-brashears-defeats-jeffrey-reimer/ phishing", "http://alohatube.xyz/search/tsara-brashears No Expiration\t278\t URL http://alohatube.xyz/search/tsara-brashears/ No Expiration\t62\t URL http://amp.mypornvid.fun/videos/2/SLFGMWoQaCU/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears No Expiration\t49\t URL http://anybunny.tv/search/tsara-brashears-submission-on-august-27-via-manual.html&us No Expiration\t27\t URL http://browntubeporn.com/tsara-brashears.html No Expiration\t40\t URL http://flexporn.net/tsara-brashears.html", "http://wapwon.live/category/tsara-brashears-assaulted-by-jeffrey-reimerAccept-Languauge phishing", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing", "http://advocate-smyslova.ru/tsara-brashears/", "http://pixelrz.com/lists/keywords/tsara-brashears-jeffrey-reimer-porn/;0.48692189815948833", "http://orangeporntube.net/tsara-brashears.html", "http://onlyindianporn2.com/videos/tsara-brashears/", "http://videolal.com/tsara-brashears-dead.html", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead/", "http://www.music-forum.org/www-cixiu888-com-tsara-brashears.html", "http://wapwon.live/category/tsara-brashears-assaulted-by-jeffrey-reimerAccept-Language", "http://www.bukaporn.net/trend/tsara-brashears/ No Expiration\t41\t URL http://www.gdsl-pallemoebler.info/seach/tsara-brashears/", "http://www.sexpornimages.com/tsara/tsara-lynn-brashears-porn/7x56y.html No Expiration\t41\t URL http://www.sweetheartvideo.com/tsara-brashears No Expiration\t81\t URL http://www.tryporn.net/seach/tsara-brashears/ No Expiration\t41\t URL http://www.tryporno.net/movies/tsara-brashears/ No Expiration\t42\t URL https://alohatube.xyz/search/tsara-brashears No Expiration\t211\t URL https://alohatube.xyz/search/tsara-brashears+ No Expiration\t51\t URL https://browntubeporn.com/tsara-brashearsAccept-Language No Expiratio", "http://www.sexpornimages.com/tsara/tsara-lynn-brashears-porn/7x56y.html", "https://browntubeporn.com/tsara-brashearsAccept-Language", "http://www.tryporn.net/seach/tsara-brashears/", "https://alohatube.xyz/search/tsara-brashearsL", "http://onlyindianporn2.com/videos/tsara-brashears/", "http://orangeporntube.net/tsara-brashears.html", "https://www.dirtsearch.org/data/TSARA/BRASHEARS/", "https://youjizz.sex/tsara-brashears.html", "https://www.feestzalenvanvlaanderen.be/seach/tsara-brashears/", "https://www.xvxx.me/search/tsara-brashears/", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "https://www.sweetheartvideo.com/tsara-brashear", "https://wallpapers-nature.com/tsara-brashears/urlscan-io", "http://www.gdsl-pallemoebler.info/seach/tsara-brashears/", "http://www.bukaporn.net/trend/tsara-brashears/", "tsara-brashears-deadspin-twitter-suspended-account-help.ht", "https://mom2fuck.mobi/tsara-brashears.html", "http://vtwctr.org/explore/tsara- brashears-defeats-jeffrey-reimer/", "http://www.anyxxxtube.net/search-porn/tsara-brashears", "www.palantir.com \u2022 palantir.io \u2022 http://datafoundry.com/", "http://watchhers.net/index.php \u2022 foundry2sdbl.dvr.dn2.n-helix.com", "https://steam.exacg.cc/ \u2022 http://tesgm.ru/_ld/5/584_steam_apidll_Th.rar", "Targeting Tsara Brasheras and associated", "Targeting Candace Owens" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Ms Defender\tALF:HeraklezEval:Trojan:Win32/ClipBanker", "display_name": "Ms Defender\tALF:HeraklezEval:Trojan:Win32/ClipBanker", "target": null }, { "id": "Other Malware", "display_name": "Other Malware", "target": null } ], "attack_ids": [ { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1116", "name": "Code Signing", "display_name": "T1116 - Code Signing" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1051", "name": "Shared Webroot", "display_name": "T1051 - Shared Webroot" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1080", "name": "Taint Shared Content", "display_name": "T1080 - Taint Shared Content" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1085", "name": "Rundll32", "display_name": "T1085 - Rundll32" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1123", "name": "Audio Capture", "display_name": "T1123 - Audio Capture" }, { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1506", "name": "Web Session Cookie", "display_name": "T1506 - Web Session Cookie" }, { "id": "T1512", "name": "Capture Camera", "display_name": "T1512 - Capture Camera" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1586", "name": "Compromise Accounts", "display_name": "T1586 - Compromise Accounts" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" } ], "industries": [ "Government", "Defense", "Healthcare" ], "TLP": "green", "cloned_from": "692897a64c0e255409b5a67e", "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3709, "hostname": 1109, "FileHash-SHA256": 2872, "FileHash-MD5": 214, "FileHash-SHA1": 203, "domain": 557 }, "indicator_count": 8664, "is_author": false, "is_subscribing": null, "subscriber_count": 144, "modified_text": "145 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "695ea6590a50f71a156c9a7f", "name": "Frost Security | Attorneys | Government | Crazy | Stop Tampering ", "description": "", "modified": "2026-01-07T18:30:49.442000", "created": "2026-01-07T18:30:49.442000", "tags": [ "active", "type win32", "exe size", "first seen", "malicious avg", "win32", "gdata", "dynamicloader", "fe ff", "high", "write c", "data", "x00bx00", "uswv", "write", "redline", "stream", "guard", "malware", "push", "local", "crazyfrost", "adversarial", "hacker", "extraction", "enter sc", "data upload", "extre data", "included iocs", "url http", "url https", "include review", "exclude sugges", "frost security", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "contacted hosts", "ip address", "process details", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "spawns", "defense evasion", "t1480 execution", "signing defense", "united", "flag", "contacted", "http traffic", "file defense", "mitre att", "ck techniques", "evasion att", "belize", "div div", "passive dns", "link", "ipv4 add", "url analysis", "urls", "files", "meta", "ddos", "indicators show", "search", "type indicator", "role title", "added active", "related pulses", "hostname", "types", "hosanna", "x show", "ck ids", "t1060", "run keys", "startup", "folder", "t1036", "capture", "cookie", "palantir", "indicator role", "active related", "description", "trump supporter", "types of", "germany", "china", "netherlands", "https", "notice", "billions", "stop", "boobs130432 no", "expiration", "location poland", "asn as29522", "learn more", "domain", "foundry", "hallrender", "brian sabey", "tam legal", "christopher p ahmann", "palantir", "quasi government", "pentagon" ], "references": [ "http://www.crazyfrost.com/wp-content/uploads/2011/01/%D0%BA%D0%BE%D0%BB%D0%BB%D0%B0%D0%B68.jpg\t URL", "http://frostsecurity.net/frost/driver/ \u2022 http://frostsecurity.net/frost/frostupdater/", "https://tamlegal.com/attorneys/christopher-p-ahmann/", "https://www.hallrender.com/attorney/brian-sabey/Accept", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "http://mypornvid.com/videos/27/x510fb2/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears/caillou-finger-family", "http://vtwctr.org/explore/tsara-brashears-defeats-jeffrey-reimer/ phishing", "http://alohatube.xyz/search/tsara-brashears No Expiration\t278\t URL http://alohatube.xyz/search/tsara-brashears/ No Expiration\t62\t URL http://amp.mypornvid.fun/videos/2/SLFGMWoQaCU/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears No Expiration\t49\t URL http://anybunny.tv/search/tsara-brashears-submission-on-august-27-via-manual.html&us No Expiration\t27\t URL http://browntubeporn.com/tsara-brashears.html No Expiration\t40\t URL http://flexporn.net/tsara-brashears.html", "http://wapwon.live/category/tsara-brashears-assaulted-by-jeffrey-reimerAccept-Languauge phishing", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing", "http://advocate-smyslova.ru/tsara-brashears/", "http://pixelrz.com/lists/keywords/tsara-brashears-jeffrey-reimer-porn/;0.48692189815948833", "http://orangeporntube.net/tsara-brashears.html", "http://onlyindianporn2.com/videos/tsara-brashears/", "http://videolal.com/tsara-brashears-dead.html", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead/", "http://www.music-forum.org/www-cixiu888-com-tsara-brashears.html", "http://wapwon.live/category/tsara-brashears-assaulted-by-jeffrey-reimerAccept-Language", "http://www.bukaporn.net/trend/tsara-brashears/ No Expiration\t41\t URL http://www.gdsl-pallemoebler.info/seach/tsara-brashears/", "http://www.sexpornimages.com/tsara/tsara-lynn-brashears-porn/7x56y.html No Expiration\t41\t URL http://www.sweetheartvideo.com/tsara-brashears No Expiration\t81\t URL http://www.tryporn.net/seach/tsara-brashears/ No Expiration\t41\t URL http://www.tryporno.net/movies/tsara-brashears/ No Expiration\t42\t URL https://alohatube.xyz/search/tsara-brashears No Expiration\t211\t URL https://alohatube.xyz/search/tsara-brashears+ No Expiration\t51\t URL https://browntubeporn.com/tsara-brashearsAccept-Language No Expiratio", "http://www.sexpornimages.com/tsara/tsara-lynn-brashears-porn/7x56y.html", "https://browntubeporn.com/tsara-brashearsAccept-Language", "http://www.tryporn.net/seach/tsara-brashears/", "https://alohatube.xyz/search/tsara-brashearsL", "http://onlyindianporn2.com/videos/tsara-brashears/", "http://orangeporntube.net/tsara-brashears.html", "https://www.dirtsearch.org/data/TSARA/BRASHEARS/", "https://youjizz.sex/tsara-brashears.html", "https://www.feestzalenvanvlaanderen.be/seach/tsara-brashears/", "https://www.xvxx.me/search/tsara-brashears/", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "https://www.sweetheartvideo.com/tsara-brashear", "https://wallpapers-nature.com/tsara-brashears/urlscan-io", "http://www.gdsl-pallemoebler.info/seach/tsara-brashears/", "http://www.bukaporn.net/trend/tsara-brashears/", "tsara-brashears-deadspin-twitter-suspended-account-help.ht", "https://mom2fuck.mobi/tsara-brashears.html", "http://vtwctr.org/explore/tsara- brashears-defeats-jeffrey-reimer/", "http://www.anyxxxtube.net/search-porn/tsara-brashears", "www.palantir.com \u2022 palantir.io \u2022 http://datafoundry.com/", "http://watchhers.net/index.php \u2022 foundry2sdbl.dvr.dn2.n-helix.com", "https://steam.exacg.cc/ \u2022 http://tesgm.ru/_ld/5/584_steam_apidll_Th.rar", "Targeting Tsara Brasheras and associated", "Targeting Candace Owens" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Ms Defender\tALF:HeraklezEval:Trojan:Win32/ClipBanker", "display_name": "Ms Defender\tALF:HeraklezEval:Trojan:Win32/ClipBanker", "target": null }, { "id": "Other Malware", "display_name": "Other Malware", "target": null } ], "attack_ids": [ { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1116", "name": "Code Signing", "display_name": "T1116 - Code Signing" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1051", "name": "Shared Webroot", "display_name": "T1051 - Shared Webroot" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1080", "name": "Taint Shared Content", "display_name": "T1080 - Taint Shared Content" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1085", "name": "Rundll32", "display_name": "T1085 - Rundll32" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1123", "name": "Audio Capture", "display_name": "T1123 - Audio Capture" }, { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1506", "name": "Web Session Cookie", "display_name": "T1506 - Web Session Cookie" }, { "id": "T1512", "name": "Capture Camera", "display_name": "T1512 - Capture Camera" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1586", "name": "Compromise Accounts", "display_name": "T1586 - Compromise Accounts" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" } ], "industries": [ "Government", "Defense", "Healthcare" ], "TLP": "green", "cloned_from": "692897a64c0e255409b5a67e", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3709, "hostname": 1109, "FileHash-SHA256": 2872, "FileHash-MD5": 214, "FileHash-SHA1": 203, "domain": 557 }, "indicator_count": 8664, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "145 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6928f8d9e4222a6a219d785e", "name": "ClipBanker Spy & Information stealer | Crazy Frost | MaaS | Chrome & Cloudflare attacks", "description": "It appears that entity CrazyFrost provides MasS among other things that include major smear campaigns.| Likely quasi government , and Law Firm contractors.. Domestic terrorizing isn\u2019t a stretch.\nClipBanker: A form of banking trojan information stealer and spy that specifically monitors and steals information, likely by modifying the clipboard contents to redirect financial transactions (e.g., changing a copied bank account number to the attacker's).\n\n[OTX populated - HOSTNAME: CloudFlare.com.., a company owned by the US government, has been added to Pulse, an anti-virus database. (Pulses) created by users.]", "modified": "2025-12-28T00:04:06.179000", "created": "2025-11-28T01:20:25.401000", "tags": [ "dynamicloader", "json", "ascii text", "high", "data", "x90uxa4xf8", "cape", "stream", "guard", "write", "trojan", "redline", "malware", "push", "local", "injection_inter_process", "recon_fingerprint", "persistence_ads", "process_creation_suspicious_location", "infostealer_browser", "infostealer_cookies", "stealth_file", "cape_detected_threat", "antivm_generic_bios", "cape_extracted_content", "united", "mtb jul", "a domains", "aaaa", "443 ma86400", "servers", "win32upatre jul", "virtool", "b778b1", "div div", "d9e4f4", "edf2f8", "present mar", "fastest privacy", "first dns", "win32", "trojandropper", "passive dns", "mtb nov", "ipv4 add", "asn as13335", "dns resolutions", "domain", "data upload", "extraction", "yara", "troja yara", "trojar data", "virto", "worn data", "included iocs", "manually add", "resolved ips", "ta0002", "evasion ta0005", "tr shared", "modules", "files", "infor", "t1027", "process t1057", "community score", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "ssl certificate", "defense evasion", "spawns", "flag", "name server", "date", "cloudflare", "data protected", "misc activity", "et info", "dns requests", "domain address", "gmt flag", "techtarget", "server", "et policy", "prefetch2", "t1179 hooking", "access windows", "installs", "mitre att", "ck techniques", "click", "windir", "country", "contacted hosts", "ip address", "process details", "contacted", "http traffic", "suricata alerts", "event category", "found" ], "references": [ "Malware : ClipBanker Entity: Crazy Frost", "www.crazyfrost.com FileDescription :JF_CF_MiniZM FileVersion: 1.1.0.0 InternalName: jf_cf_frostovip.exe LegalCopyright Copyright \u00a9 CrazyFrost", "IDS Detections: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)", "Services : GoogleChromeElevationService = Delete", "Yara: RansomWin32SintaCry CodeOverlap TrojanClickerWin32Zeriest CodeOverlap", "Yara: TrojanDownloaderMSILBalamid CodeOverlap TrojanDropperWin32Popsenong CodeOverlap", "Yara: TrojanPythonKaazar CodeOverlap TrojanSpyWin32Chekafev CodeOverlap", "Yara: TrojanWin32Kredbegg CodeOverlap TrojanWin32Motve CodeOverlap TrojanWin32Pitroj", "Yara : VirToolMSILLuxod CodeOverlap WormMSILVonriamt CodeOverlap TrojanWin32Depriz CodeOverlap", "Yara: WormWin32Rombrast CodeOverlap Jorgen,Ibsen PECompact_2xx VZX Jeremy,Collake", "Sigma: Matches rule Suspicious desktop.ini Action by Maxime Thiebaut (@0xThiebaut), Tim Shelton (HAWK.IO)", "CS IDS: Matches rule (http_inspect) invalid status line", "CS IDS: Matches rule INDICATOR-COMPROMISE png file attachment without matching file magic Unique rule identifier: This rule belongs to a private collection.", "jf_cf_frostovip.exe FILEHASH SHA256 4b9d6c5de40bfc4da8cb8b3ab9408dc574346b97268983f10bef8810e3f6bed8", "https://www.anyxxxtube.net/search-porn/tsara-brashears/\t\thttps://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian\t URL\thttp://www.anyxxxtube.net/search-porn/tsara-brashears \u2022 http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex\t\u2022 http://www.anyxxxtube", "https://www.anyxxxtube.net/search-porn/tsara-brashears/\t URL\thttps://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian \u2022 http://www.anyxxxtube.net/search-porn/tsara-brashears \u2022 http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex", "http://www.anyxxxtube/" ], "public": 1, "adversary": "Crazy Frost", "targeted_countries": [], "malware_families": [ { "id": "ALF:HeraklezEval:Trojan:Win32/ClipBanker", "display_name": "ALF:HeraklezEval:Trojan:Win32/ClipBanker", "target": null }, { "id": "Trojan.Disfa/downloader10", "display_name": "Trojan.Disfa/downloader10", "target": null }, { "id": "Other Malware", "display_name": "Other Malware", "target": null }, { "id": "Trojan:Win32/Zusy", "display_name": "Trojan:Win32/Zusy", "target": "/malware/Trojan:Win32/Zusy" }, { "id": "Rozena", "display_name": "Rozena", "target": null } ], "attack_ids": [ { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1035", "name": "Service Execution", "display_name": "T1035 - Service Execution" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1498", "name": "Network Denial of Service", "display_name": "T1498 - Network Denial of Service" }, { "id": "T1464", "name": "Jamming or Denial of Service", "display_name": "T1464 - Jamming or Denial of Service" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 295, "FileHash-SHA1": 217, "FileHash-SHA256": 1887, "URL": 3263, "domain": 597, "hostname": 1085, "email": 2, "CVE": 1 }, "indicator_count": 7347, "is_author": false, "is_subscribing": null, "subscriber_count": 145, "modified_text": "155 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "692897a64c0e255409b5a67e", "name": "Frost Security | Attorneys | Government | Crazy", "description": "Dangerous. Being abused by the usual quasi government suspects. Affecting many targets including Candace Owens. Who can you turn to when your own government is 100% corrupt. \n\nCall me crazy. Idk. DJT was likely shot with a High Velocity Paint Ball. Why isn\u2019t anyone interviewing the families of the 3 \u2018allegedly\u2019 successfully assassinated. \n\nIs Charlie Kirk Dead or in hiding, an alien that doesn\u2019t bleed? \n\nLook it up. High Velocity Paint Ball is a very intensely underrated, nharsky spoken about sport enjoyed by gun enthusiast , snipers , military, civilians. Something weird is going on and it\u2019s actually obvious because they just want results.\n There\u2019s more disturbing things to come. I think more people are being taken out this way than we know.\nBy now I\u2019m under too much surveillance to just leave out casually. \nTerrifying for sure. I know Hos of the Bible is bigger.", "modified": "2025-12-27T17:01:06.155000", "created": "2025-11-27T18:25:42.570000", "tags": [ "active", "type win32", "exe size", "first seen", "malicious avg", "win32", "gdata", "dynamicloader", "fe ff", "high", "write c", "data", "x00bx00", "uswv", "write", "redline", "stream", "guard", "malware", "push", "local", "crazyfrost", "adversarial", "hacker", "extraction", "enter sc", "data upload", "extre data", "included iocs", "url http", "url https", "include review", "exclude sugges", "frost security", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "contacted hosts", "ip address", "process details", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "spawns", "defense evasion", "t1480 execution", "signing defense", "united", "flag", "contacted", "http traffic", "file defense", "mitre att", "ck techniques", "evasion att", "belize", "div div", "passive dns", "link", "ipv4 add", "url analysis", "urls", "files", "meta", "ddos", "indicators show", "search", "type indicator", "role title", "added active", "related pulses", "hostname", "types", "hosanna", "x show", "ck ids", "t1060", "run keys", "startup", "folder", "t1036", "capture", "cookie", "palantir", "indicator role", "active related", "description", "trump supporter", "types of", "germany", "china", "netherlands", "https", "notice", "billions", "stop", "boobs130432 no", "expiration", "location poland", "asn as29522", "learn more", "domain", "foundry", "hallrender", "brian sabey", "tam legal", "christopher p ahmann", "palantir", "quasi government", "pentagon" ], "references": [ "http://www.crazyfrost.com/wp-content/uploads/2011/01/%D0%BA%D0%BE%D0%BB%D0%BB%D0%B0%D0%B68.jpg\t URL", "http://frostsecurity.net/frost/driver/ \u2022 http://frostsecurity.net/frost/frostupdater/", "https://tamlegal.com/attorneys/christopher-p-ahmann/", "https://www.hallrender.com/attorney/brian-sabey/Accept", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "http://mypornvid.com/videos/27/x510fb2/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears/caillou-finger-family", "http://vtwctr.org/explore/tsara-brashears-defeats-jeffrey-reimer/ phishing", "http://alohatube.xyz/search/tsara-brashears No Expiration\t278\t URL http://alohatube.xyz/search/tsara-brashears/ No Expiration\t62\t URL http://amp.mypornvid.fun/videos/2/SLFGMWoQaCU/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears No Expiration\t49\t URL http://anybunny.tv/search/tsara-brashears-submission-on-august-27-via-manual.html&us No Expiration\t27\t URL http://browntubeporn.com/tsara-brashears.html No Expiration\t40\t URL http://flexporn.net/tsara-brashears.html", "http://wapwon.live/category/tsara-brashears-assaulted-by-jeffrey-reimerAccept-Languauge phishing", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing", "http://advocate-smyslova.ru/tsara-brashears/", "http://pixelrz.com/lists/keywords/tsara-brashears-jeffrey-reimer-porn/;0.48692189815948833", "http://orangeporntube.net/tsara-brashears.html", "http://onlyindianporn2.com/videos/tsara-brashears/", "http://videolal.com/tsara-brashears-dead.html", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead/", "http://www.music-forum.org/www-cixiu888-com-tsara-brashears.html", "http://wapwon.live/category/tsara-brashears-assaulted-by-jeffrey-reimerAccept-Language", "http://www.bukaporn.net/trend/tsara-brashears/ No Expiration\t41\t URL http://www.gdsl-pallemoebler.info/seach/tsara-brashears/", "http://www.sexpornimages.com/tsara/tsara-lynn-brashears-porn/7x56y.html No Expiration\t41\t URL http://www.sweetheartvideo.com/tsara-brashears No Expiration\t81\t URL http://www.tryporn.net/seach/tsara-brashears/ No Expiration\t41\t URL http://www.tryporno.net/movies/tsara-brashears/ No Expiration\t42\t URL https://alohatube.xyz/search/tsara-brashears No Expiration\t211\t URL https://alohatube.xyz/search/tsara-brashears+ No Expiration\t51\t URL https://browntubeporn.com/tsara-brashearsAccept-Language No Expiratio", "http://www.sexpornimages.com/tsara/tsara-lynn-brashears-porn/7x56y.html", "https://browntubeporn.com/tsara-brashearsAccept-Language", "http://www.tryporn.net/seach/tsara-brashears/", "https://alohatube.xyz/search/tsara-brashearsL", "http://onlyindianporn2.com/videos/tsara-brashears/", "http://orangeporntube.net/tsara-brashears.html", "https://www.dirtsearch.org/data/TSARA/BRASHEARS/", "https://youjizz.sex/tsara-brashears.html", "https://www.feestzalenvanvlaanderen.be/seach/tsara-brashears/", "https://www.xvxx.me/search/tsara-brashears/", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "https://www.sweetheartvideo.com/tsara-brashear", "https://wallpapers-nature.com/tsara-brashears/urlscan-io", "http://www.gdsl-pallemoebler.info/seach/tsara-brashears/", "http://www.bukaporn.net/trend/tsara-brashears/", "tsara-brashears-deadspin-twitter-suspended-account-help.ht", "https://mom2fuck.mobi/tsara-brashears.html", "http://vtwctr.org/explore/tsara- brashears-defeats-jeffrey-reimer/", "http://www.anyxxxtube.net/search-porn/tsara-brashears", "www.palantir.com \u2022 palantir.io \u2022 http://datafoundry.com/", "http://watchhers.net/index.php \u2022 foundry2sdbl.dvr.dn2.n-helix.com", "https://steam.exacg.cc/ \u2022 http://tesgm.ru/_ld/5/584_steam_apidll_Th.rar", "Targeting Tsara Brasheras and associated", "Targeting Candace Owens" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Ms Defender\tALF:HeraklezEval:Trojan:Win32/ClipBanker", "display_name": "Ms Defender\tALF:HeraklezEval:Trojan:Win32/ClipBanker", "target": null }, { "id": "Other Malware", "display_name": "Other Malware", "target": null } ], "attack_ids": [ { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1116", "name": "Code Signing", "display_name": "T1116 - Code Signing" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1051", "name": "Shared Webroot", "display_name": "T1051 - Shared Webroot" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1080", "name": "Taint Shared Content", "display_name": "T1080 - Taint Shared Content" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1085", "name": "Rundll32", "display_name": "T1085 - Rundll32" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1123", "name": "Audio Capture", "display_name": "T1123 - Audio Capture" }, { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1506", "name": "Web Session Cookie", "display_name": "T1506 - Web Session Cookie" }, { "id": "T1512", "name": "Capture Camera", "display_name": "T1512 - Capture Camera" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1586", "name": "Compromise Accounts", "display_name": "T1586 - Compromise Accounts" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" } ], "industries": [ "Government", "Defense", "Healthcare" ], "TLP": "green", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3709, "hostname": 1109, "FileHash-SHA256": 2872, "FileHash-MD5": 214, "FileHash-SHA1": 203, "domain": 557 }, "indicator_count": 8664, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "156 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6920c43c3772bb24f26f70cc", "name": "Xred_Malware \u2022 Dark Comet \u2022 Darkgate \u2022 Elex \u2022 Glassworm | AutoRun", "description": "Attack originates from government contractors/ quasi governmental entities. Criminal Defense and Government contracted Law firms commonly abuse these tactics. Targeting. Found in data of a target. Focused on (1) FILE HASH and (1) IP address .[referenced] *XRed _Mal\n* EXE Infection | OTX auto populated - Adversaries may be able to gain access to victim systems using a variety of techniques to evade detection and conceal their actions. and their intentions, as well as using other techniques, to avoid detection.", "modified": "2025-12-21T18:01:07.268000", "created": "2025-11-21T19:57:48.145000", "tags": [ "dynamicloader", "write c", "write", "high", "yara rule", "myapp", "delphi", "worm", "win32", "error", "code", "malware", "defender", "medium", "binary file", "heavensgate", "bochs", "dynamic", "td td", "td tr", "united", "a td", "a domains", "dynamic dns", "static dns", "dd wrt", "twitter", "trojan", "trojandropper", "null", "enough", "simple", "click", "easy", "premium", "associated urls", "server response", "google safe", "results nov", "avast avg", "11.21.2025", "11.20.2025", "borland delphi", "pe32", "intel", "ms windows", "inno setup", "win32 exe", "pecompact", "delphi generic", "pe32 compiler", "dark comet", "dark gate", "glassworm", "md5 code", "data", "porkbun llc", "windows match", "getprocaddress", "peb idrdata", "match peb", "t1547", "t1059 t1112", "shared modules", "t1129", "boot", "logon autostart", "execu", "t1134 boot", "encoding", "capture e1113", "file attributes", "analysis ob0001", "b0001 software", "virtual machine", "detection b0009", "analysis ob0002", "ob0003 screen", "windows get", "check", "encode", "check internet", "wininet set", "clear file", "enumerate gui", "get hostname", "get keyboard", "set registry", "find", "capture", "url http", "consolefoundry", "console foundry", "foundry", "malware catalog tree", "autorun keys", "modification", "alexander karp", "peter theil", "christoper ahmann", "christopher pool", "mercedes", "apple", "palantir", "adversarial", "adversaries", "hostile", "quasi", "empty hash", "denver", "mal_xred_backdoor", "backdoor", "xred", "brian sabey", "first-send-petikvx", "stop", "glassworm", "elex", "darkgate", "dark-comet", "search", "entries", "show", "yara detections", "icmp traffic", "rtf file", "top source", "top destination", "format", "host", "copy", "next", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "found", "access att", "font", "copy md5", "copy sha1", "copy sha256", "sha1", "ascii text", "pattern match", "sha256", "mitre att", "title", "meta", "hybrid", "local", "path", "strings", "body", "contact", "trace", "form", "bitcoin", "core", "jeffrey reimer", "exe infection", "cve", "porn" ], "references": [ "FILEHASH-SHA256 d0ce79b3e0f4798423871dd66c14172b1a0eac34131c1b92d210a7b5c31a8aa0", "Name 2025-11-19_b627882129bf281be5a3df318fff678b_dark-comet_darkgate_elex_glassworm_stop", "Antivirus Detection: Worm:Win32/AutoRun!atmn [Win.Trojan.Emotet relationship]", "IDS Detections: W32.Bloat-A Checkin DYNAMIC_DNS Query to Abused Domain *.mooo.com", "IDS Detections: Suspicious Dynamic DNS Update Request Suspicious User-Agent (MyApp)", "Yara : Zeppelin_30 , compromised_site_redirector_fromcharcode ,", "Yara : BobSoft Mini Delphi -> BoB / BobSoft , Delphi", "Alerts : suspicious_iocontrol_codes process_creation_suspicious_location network_dyndns", "Alerts: multiple_useragents persistence_autorun binary_yara procmem_yara suricata_alert", "Alerts: antivm_bochs_keys antivm_generic_disk enumerates_physical_drives antisandbox_sleep", "Alerts: physical_drive_access mouse_movement_detect dynamic_function_loading", "Alerts: http_request resumethread_remote_process antianalysis_tls_section network_httpn", "Alerts: packer_unknown", "Malicious IP Contacted: 69.42.215.252", "Abused Domains Contacted: xred.mooo.com freedns.afraid.org", "IP 69.42.215.252: http://nginx.com/ \u2022nginx.com\t\u2022 http://nginx.org/ \u2022 nginx.org \u2022 afraid.org \u2022 afraid.org", "IP 69.42.215.252: nginx.com\u2022 vb.cu \u2022 vb.il \u2022 yourdomain.com \u2022 yourdomain.com", "IP 69.42.215.252: theirname.yourdomain.com \u2022 www.freebsd.org freebsd.org \u2022 your.domain.com", "Windows Match api: GetProcAddress fs access *access PEB Idr_data Match PEB access fs access", "consolefoundry.date \u2022 http://consolefoundry.date \u2022 http://consolefoundry", "Matches rule Wow6432Node CurrentVersion Autorun Keys Modification - Credits (split) below", "by Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", "http://freedns.afraid.org/images/apple.gif", "https://www.nextron-systems.com/notes-on-virustotal-matches/", "https://www.mumuplayer.com/redirect/customerservice/_wig", "https://www.mumuplayer.com/redirect/customerservice/fB)y", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ \u2022 http://www.anyxxxtube/", "http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex\t| Truth", "https://www.semena.cz/exoticke-okrasne/78-plumerie-havajska-kvetina-semena-3-ks.html", "http://www.anyxxxtube.net/search-porn/tsara-brashears", "http://consolefoundry.date/one/gate.php", "https://hybrid-analysis.com/sample/ba5890ad431b894b0dfd6c9d3f3d6cbd7fedae1bd5a51483f54b22ba0209e3b8/6920be8a548209db740dd354" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Trojan.Emotet-9850453", "display_name": "Win.Trojan.Emotet-9850453", "target": null }, { "id": "Win.Trojan.BlackNetRAT-7838854-0", "display_name": "Win.Trojan.BlackNetRAT-7838854-0", "target": null }, { "id": "Win.Dropper.Nanocore-10021490-0", "display_name": "Win.Dropper.Nanocore-10021490-0", "target": null }, { "id": "Worm:Win32/AutoRun!atmn", "display_name": "Worm:Win32/AutoRun!atmn", "target": "/malware/Worm:Win32/AutoRun!atmn" }, { "id": "Win.Packed.Remcos-10024510-0", "display_name": "Win.Packed.Remcos-10024510-0", "target": null }, { "id": "Code Overlap", "display_name": "Code Overlap", "target": null }, { "id": "Other Malware", "display_name": "Other Malware", "target": null }, { "id": "PSW:Win32/VB.CU", "display_name": "PSW:Win32/VB.CU", "target": "/malware/PSW:Win32/VB.CU" } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1541", "name": "Foreground Persistence", "display_name": "T1541 - Foreground Persistence" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "TA0037", "name": "Command and Control", "display_name": "TA0037 - Command and Control" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1592", "name": "Gather Victim Host Information", "display_name": "T1592 - Gather Victim Host Information" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1470", "name": "Obtain Device Cloud Backups", "display_name": "T1470 - Obtain Device Cloud Backups" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 460, "FileHash-SHA1": 437, "FileHash-SHA256": 4483, "SSLCertFingerprint": 2, "URL": 6487, "hostname": 1772, "domain": 652, "CVE": 3, "email": 5 }, "indicator_count": 14301, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "162 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://www.nextron-systems.com/notes-on-virustotal-matches/", "http://wapwon.live/category/tsara-brashears-assaulted-by-jeffrey-reimerAccept-Languauge phishing", "Alerts: http_request resumethread_remote_process antianalysis_tls_section network_httpn", "Targeting Tsara Brasheras and associated", "Malicious IP Contacted: 69.42.215.252", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead/", "https://mom2fuck.mobi/tsara-brashears.html", "IP 69.42.215.252: http://nginx.com/ \u2022nginx.com\t\u2022 http://nginx.org/ \u2022 nginx.org \u2022 afraid.org \u2022 afraid.org", "https://browntubeporn.com/tsara-brashearsAccept-Language", "http://orangeporntube.net/tsara-brashears.html", "IDS Detections: W32.Bloat-A Checkin DYNAMIC_DNS Query to Abused Domain *.mooo.com", "Alerts : suspicious_iocontrol_codes process_creation_suspicious_location network_dyndns", "by Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", "Sigma: Matches rule Suspicious desktop.ini Action by Maxime Thiebaut (@0xThiebaut), Tim Shelton (HAWK.IO)", "Yara : Zeppelin_30 , compromised_site_redirector_fromcharcode ,", "http://onlyindianporn2.com/videos/tsara-brashears/", "https://alohatube.xyz/search/tsara-brashearsL", "http://consolefoundry.date/one/gate.php", "https://www.mumuplayer.com/redirect/customerservice/fB)y", "http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex\t| Truth", "tsara-brashears-deadspin-twitter-suspended-account-help.ht", "Targeting Candace Owens", "http://advocate-smyslova.ru/tsara-brashears/", "https://www.dirtsearch.org/data/TSARA/BRASHEARS/", "Abused Domains Contacted: xred.mooo.com freedns.afraid.org", "Alerts: multiple_useragents persistence_autorun binary_yara procmem_yara suricata_alert", "https://www.mumuplayer.com/redirect/customerservice/_wig", "http://www.anyxxxtube.net/search-porn/tsara-brashears", "IDS Detections: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)", "Name 2025-11-19_b627882129bf281be5a3df318fff678b_dark-comet_darkgate_elex_glassworm_stop", "https://tamlegal.com/attorneys/christopher-p-ahmann/", "Yara : BobSoft Mini Delphi -> BoB / BobSoft , Delphi", "http://wapwon.live/category/tsara-brashears-assaulted-by-jeffrey-reimerAccept-Language", "CS IDS: Matches rule (http_inspect) invalid status line", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ \u2022 http://www.anyxxxtube/", "Services : GoogleChromeElevationService = Delete", "www.palantir.com \u2022 palantir.io \u2022 http://datafoundry.com/", "http://www.crazyfrost.com/wp-content/uploads/2011/01/%D0%BA%D0%BE%D0%BB%D0%BB%D0%B0%D0%B68.jpg\t URL", "http://www.sexpornimages.com/tsara/tsara-lynn-brashears-porn/7x56y.html No Expiration\t41\t URL http://www.sweetheartvideo.com/tsara-brashears No Expiration\t81\t URL http://www.tryporn.net/seach/tsara-brashears/ No Expiration\t41\t URL http://www.tryporno.net/movies/tsara-brashears/ No Expiration\t42\t URL https://alohatube.xyz/search/tsara-brashears No Expiration\t211\t URL https://alohatube.xyz/search/tsara-brashears+ No Expiration\t51\t URL https://browntubeporn.com/tsara-brashearsAccept-Language No Expiratio", "http://mypornvid.com/videos/27/x510fb2/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears/caillou-finger-family", "http://www.bukaporn.net/trend/tsara-brashears/ No Expiration\t41\t URL http://www.gdsl-pallemoebler.info/seach/tsara-brashears/", "Windows Match api: GetProcAddress fs access *access PEB Idr_data Match PEB access fs access", "https://www.anyxxxtube.net/search-porn/tsara-brashears/\t\thttps://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian\t URL\thttp://www.anyxxxtube.net/search-porn/tsara-brashears \u2022 http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex\t\u2022 http://www.anyxxxtube", "http://www.sexpornimages.com/tsara/tsara-lynn-brashears-porn/7x56y.html", "jf_cf_frostovip.exe FILEHASH SHA256 4b9d6c5de40bfc4da8cb8b3ab9408dc574346b97268983f10bef8810e3f6bed8", "http://watchhers.net/index.php \u2022 foundry2sdbl.dvr.dn2.n-helix.com", "Yara: WormWin32Rombrast CodeOverlap Jorgen,Ibsen PECompact_2xx VZX Jeremy,Collake", "http://frostsecurity.net/frost/driver/ \u2022 http://frostsecurity.net/frost/frostupdater/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://www.hallrender.com/attorney/brian-sabey/Accept", "Alerts: antivm_bochs_keys antivm_generic_disk enumerates_physical_drives antisandbox_sleep", "https://steam.exacg.cc/ \u2022 http://tesgm.ru/_ld/5/584_steam_apidll_Th.rar", "https://wallpapers-nature.com/tsara-brashears/urlscan-io", "https://hybrid-analysis.com/sample/ba5890ad431b894b0dfd6c9d3f3d6cbd7fedae1bd5a51483f54b22ba0209e3b8/6920be8a548209db740dd354", "http://www.music-forum.org/www-cixiu888-com-tsara-brashears.html", "https://youjizz.sex/tsara-brashears.html", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "http://alohatube.xyz/search/tsara-brashears No Expiration\t278\t URL http://alohatube.xyz/search/tsara-brashears/ No Expiration\t62\t URL http://amp.mypornvid.fun/videos/2/SLFGMWoQaCU/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears No Expiration\t49\t URL http://anybunny.tv/search/tsara-brashears-submission-on-august-27-via-manual.html&us No Expiration\t27\t URL http://browntubeporn.com/tsara-brashears.html No Expiration\t40\t URL http://flexporn.net/tsara-brashears.html", "Malware : ClipBanker Entity: Crazy Frost", "https://www.sweetheartvideo.com/tsara-brashear", "Yara : VirToolMSILLuxod CodeOverlap WormMSILVonriamt CodeOverlap TrojanWin32Depriz CodeOverlap", "http://freedns.afraid.org/images/apple.gif", "Yara: RansomWin32SintaCry CodeOverlap TrojanClickerWin32Zeriest CodeOverlap", "https://www.feestzalenvanvlaanderen.be/seach/tsara-brashears/", "Yara: TrojanPythonKaazar CodeOverlap TrojanSpyWin32Chekafev CodeOverlap", "www.crazyfrost.com FileDescription :JF_CF_MiniZM FileVersion: 1.1.0.0 InternalName: jf_cf_frostovip.exe LegalCopyright Copyright \u00a9 CrazyFrost", "https://www.xvxx.me/search/tsara-brashears/", "consolefoundry.date \u2022 http://consolefoundry.date \u2022 http://consolefoundry", "CS IDS: Matches rule INDICATOR-COMPROMISE png file attachment without matching file magic Unique rule identifier: This rule belongs to a private collection.", "http://vtwctr.org/explore/tsara-brashears-defeats-jeffrey-reimer/ phishing", "http://videolal.com/tsara-brashears-dead.html", "IP 69.42.215.252: nginx.com\u2022 vb.cu \u2022 vb.il \u2022 yourdomain.com \u2022 yourdomain.com", "http://pixelrz.com/lists/keywords/tsara-brashears-jeffrey-reimer-porn/;0.48692189815948833", "IDS Detections: Suspicious Dynamic DNS Update Request Suspicious User-Agent (MyApp)", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing", "Alerts: packer_unknown", "FILEHASH-SHA256 d0ce79b3e0f4798423871dd66c14172b1a0eac34131c1b92d210a7b5c31a8aa0", "IP 69.42.215.252: theirname.yourdomain.com \u2022 www.freebsd.org freebsd.org \u2022 your.domain.com", "Alerts: physical_drive_access mouse_movement_detect dynamic_function_loading", "http://www.anyxxxtube/", "http://vtwctr.org/explore/tsara- brashears-defeats-jeffrey-reimer/", "Matches rule Wow6432Node CurrentVersion Autorun Keys Modification - Credits (split) below", "Yara: TrojanDownloaderMSILBalamid CodeOverlap TrojanDropperWin32Popsenong CodeOverlap", "Antivirus Detection: Worm:Win32/AutoRun!atmn [Win.Trojan.Emotet relationship]", "http://www.bukaporn.net/trend/tsara-brashears/", "http://www.gdsl-pallemoebler.info/seach/tsara-brashears/", "https://www.anyxxxtube.net/search-porn/tsara-brashears/\t URL\thttps://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian \u2022 http://www.anyxxxtube.net/search-porn/tsara-brashears \u2022 http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex", "http://www.tryporn.net/seach/tsara-brashears/", "Yara: TrojanWin32Kredbegg CodeOverlap TrojanWin32Motve CodeOverlap TrojanWin32Pitroj", "https://www.semena.cz/exoticke-okrasne/78-plumerie-havajska-kvetina-semena-3-ks.html" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [ "Crazy Frost" ], "malware_families": [ "Win.packed.remcos-10024510-0", "Alf:heraklezeval:trojan:win32/clipbanker", "Trojan.disfa/downloader10", "Code overlap", "Win.trojan.blacknetrat-7838854-0", "Ms defender\talf:heraklezeval:trojan:win32/clipbanker", "Rozena", "Other malware", "Trojan:win32/zusy", "Psw:win32/vb.cu", "Win.dropper.nanocore-10021490-0", "Win.trojan.emotet-9850453", "Worm:win32/autorun!atmn" ], "industries": [ "Government", "Defense", "Healthcare" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 5, "pulses": [ { "id": "695ea667a062ed6688b104ab", "name": "Frost Security | Attorneys | Government | Crazy | Stop Tampering ", "description": "", "modified": "2026-01-07T18:31:03.104000", "created": "2026-01-07T18:31:03.104000", "tags": [ "active", "type win32", "exe size", "first seen", "malicious avg", "win32", "gdata", "dynamicloader", "fe ff", "high", "write c", "data", "x00bx00", "uswv", "write", "redline", "stream", "guard", "malware", "push", "local", "crazyfrost", "adversarial", "hacker", "extraction", "enter sc", "data upload", "extre data", "included iocs", "url http", "url https", "include review", "exclude sugges", "frost security", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "contacted hosts", "ip address", "process details", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "spawns", "defense evasion", "t1480 execution", "signing defense", "united", "flag", "contacted", "http traffic", "file defense", "mitre att", "ck techniques", "evasion att", "belize", "div div", "passive dns", "link", "ipv4 add", "url analysis", "urls", "files", "meta", "ddos", "indicators show", "search", "type indicator", "role title", "added active", "related pulses", "hostname", "types", "hosanna", "x show", "ck ids", "t1060", "run keys", "startup", "folder", "t1036", "capture", "cookie", "palantir", "indicator role", "active related", "description", "trump supporter", "types of", "germany", "china", "netherlands", "https", "notice", "billions", "stop", "boobs130432 no", "expiration", "location poland", "asn as29522", "learn more", "domain", "foundry", "hallrender", "brian sabey", "tam legal", "christopher p ahmann", "palantir", "quasi government", "pentagon" ], "references": [ "http://www.crazyfrost.com/wp-content/uploads/2011/01/%D0%BA%D0%BE%D0%BB%D0%BB%D0%B0%D0%B68.jpg\t URL", "http://frostsecurity.net/frost/driver/ \u2022 http://frostsecurity.net/frost/frostupdater/", "https://tamlegal.com/attorneys/christopher-p-ahmann/", "https://www.hallrender.com/attorney/brian-sabey/Accept", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "http://mypornvid.com/videos/27/x510fb2/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears/caillou-finger-family", "http://vtwctr.org/explore/tsara-brashears-defeats-jeffrey-reimer/ phishing", "http://alohatube.xyz/search/tsara-brashears No Expiration\t278\t URL http://alohatube.xyz/search/tsara-brashears/ No Expiration\t62\t URL http://amp.mypornvid.fun/videos/2/SLFGMWoQaCU/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears No Expiration\t49\t URL http://anybunny.tv/search/tsara-brashears-submission-on-august-27-via-manual.html&us No Expiration\t27\t URL http://browntubeporn.com/tsara-brashears.html No Expiration\t40\t URL http://flexporn.net/tsara-brashears.html", "http://wapwon.live/category/tsara-brashears-assaulted-by-jeffrey-reimerAccept-Languauge phishing", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing", "http://advocate-smyslova.ru/tsara-brashears/", "http://pixelrz.com/lists/keywords/tsara-brashears-jeffrey-reimer-porn/;0.48692189815948833", "http://orangeporntube.net/tsara-brashears.html", "http://onlyindianporn2.com/videos/tsara-brashears/", "http://videolal.com/tsara-brashears-dead.html", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead/", "http://www.music-forum.org/www-cixiu888-com-tsara-brashears.html", "http://wapwon.live/category/tsara-brashears-assaulted-by-jeffrey-reimerAccept-Language", "http://www.bukaporn.net/trend/tsara-brashears/ No Expiration\t41\t URL http://www.gdsl-pallemoebler.info/seach/tsara-brashears/", "http://www.sexpornimages.com/tsara/tsara-lynn-brashears-porn/7x56y.html No Expiration\t41\t URL http://www.sweetheartvideo.com/tsara-brashears No Expiration\t81\t URL http://www.tryporn.net/seach/tsara-brashears/ No Expiration\t41\t URL http://www.tryporno.net/movies/tsara-brashears/ No Expiration\t42\t URL https://alohatube.xyz/search/tsara-brashears No Expiration\t211\t URL https://alohatube.xyz/search/tsara-brashears+ No Expiration\t51\t URL https://browntubeporn.com/tsara-brashearsAccept-Language No Expiratio", "http://www.sexpornimages.com/tsara/tsara-lynn-brashears-porn/7x56y.html", "https://browntubeporn.com/tsara-brashearsAccept-Language", "http://www.tryporn.net/seach/tsara-brashears/", "https://alohatube.xyz/search/tsara-brashearsL", "http://onlyindianporn2.com/videos/tsara-brashears/", "http://orangeporntube.net/tsara-brashears.html", "https://www.dirtsearch.org/data/TSARA/BRASHEARS/", "https://youjizz.sex/tsara-brashears.html", "https://www.feestzalenvanvlaanderen.be/seach/tsara-brashears/", "https://www.xvxx.me/search/tsara-brashears/", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "https://www.sweetheartvideo.com/tsara-brashear", "https://wallpapers-nature.com/tsara-brashears/urlscan-io", "http://www.gdsl-pallemoebler.info/seach/tsara-brashears/", "http://www.bukaporn.net/trend/tsara-brashears/", "tsara-brashears-deadspin-twitter-suspended-account-help.ht", "https://mom2fuck.mobi/tsara-brashears.html", "http://vtwctr.org/explore/tsara- brashears-defeats-jeffrey-reimer/", "http://www.anyxxxtube.net/search-porn/tsara-brashears", "www.palantir.com \u2022 palantir.io \u2022 http://datafoundry.com/", "http://watchhers.net/index.php \u2022 foundry2sdbl.dvr.dn2.n-helix.com", "https://steam.exacg.cc/ \u2022 http://tesgm.ru/_ld/5/584_steam_apidll_Th.rar", "Targeting Tsara Brasheras and associated", "Targeting Candace Owens" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Ms Defender\tALF:HeraklezEval:Trojan:Win32/ClipBanker", "display_name": "Ms Defender\tALF:HeraklezEval:Trojan:Win32/ClipBanker", "target": null }, { "id": "Other Malware", "display_name": "Other Malware", "target": null } ], "attack_ids": [ { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1116", "name": "Code Signing", "display_name": "T1116 - Code Signing" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1051", "name": "Shared Webroot", "display_name": "T1051 - Shared Webroot" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1080", "name": "Taint Shared Content", "display_name": "T1080 - Taint Shared Content" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1085", "name": "Rundll32", "display_name": "T1085 - Rundll32" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1123", "name": "Audio Capture", "display_name": "T1123 - Audio Capture" }, { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1506", "name": "Web Session Cookie", "display_name": "T1506 - Web Session Cookie" }, { "id": "T1512", "name": "Capture Camera", "display_name": "T1512 - Capture Camera" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1586", "name": "Compromise Accounts", "display_name": "T1586 - Compromise Accounts" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" } ], "industries": [ "Government", "Defense", "Healthcare" ], "TLP": "green", "cloned_from": "692897a64c0e255409b5a67e", "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3709, "hostname": 1109, "FileHash-SHA256": 2872, "FileHash-MD5": 214, "FileHash-SHA1": 203, "domain": 557 }, "indicator_count": 8664, "is_author": false, "is_subscribing": null, "subscriber_count": 144, "modified_text": "145 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "695ea6590a50f71a156c9a7f", "name": "Frost Security | Attorneys | Government | Crazy | Stop Tampering ", "description": "", "modified": "2026-01-07T18:30:49.442000", "created": "2026-01-07T18:30:49.442000", "tags": [ "active", "type win32", "exe size", "first seen", "malicious avg", "win32", "gdata", "dynamicloader", "fe ff", "high", "write c", "data", "x00bx00", "uswv", "write", "redline", "stream", "guard", "malware", "push", "local", "crazyfrost", "adversarial", "hacker", "extraction", "enter sc", "data upload", "extre data", "included iocs", "url http", "url https", "include review", "exclude sugges", "frost security", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "contacted hosts", "ip address", "process details", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "spawns", "defense evasion", "t1480 execution", "signing defense", "united", "flag", "contacted", "http traffic", "file defense", "mitre att", "ck techniques", "evasion att", "belize", "div div", "passive dns", "link", "ipv4 add", "url analysis", "urls", "files", "meta", "ddos", "indicators show", "search", "type indicator", "role title", "added active", "related pulses", "hostname", "types", "hosanna", "x show", "ck ids", "t1060", "run keys", "startup", "folder", "t1036", "capture", "cookie", "palantir", "indicator role", "active related", "description", "trump supporter", "types of", "germany", "china", "netherlands", "https", "notice", "billions", "stop", "boobs130432 no", "expiration", "location poland", "asn as29522", "learn more", "domain", "foundry", "hallrender", "brian sabey", "tam legal", "christopher p ahmann", "palantir", "quasi government", "pentagon" ], "references": [ "http://www.crazyfrost.com/wp-content/uploads/2011/01/%D0%BA%D0%BE%D0%BB%D0%BB%D0%B0%D0%B68.jpg\t URL", "http://frostsecurity.net/frost/driver/ \u2022 http://frostsecurity.net/frost/frostupdater/", "https://tamlegal.com/attorneys/christopher-p-ahmann/", "https://www.hallrender.com/attorney/brian-sabey/Accept", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "http://mypornvid.com/videos/27/x510fb2/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears/caillou-finger-family", "http://vtwctr.org/explore/tsara-brashears-defeats-jeffrey-reimer/ phishing", "http://alohatube.xyz/search/tsara-brashears No Expiration\t278\t URL http://alohatube.xyz/search/tsara-brashears/ No Expiration\t62\t URL http://amp.mypornvid.fun/videos/2/SLFGMWoQaCU/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears No Expiration\t49\t URL http://anybunny.tv/search/tsara-brashears-submission-on-august-27-via-manual.html&us No Expiration\t27\t URL http://browntubeporn.com/tsara-brashears.html No Expiration\t40\t URL http://flexporn.net/tsara-brashears.html", "http://wapwon.live/category/tsara-brashears-assaulted-by-jeffrey-reimerAccept-Languauge phishing", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing", "http://advocate-smyslova.ru/tsara-brashears/", "http://pixelrz.com/lists/keywords/tsara-brashears-jeffrey-reimer-porn/;0.48692189815948833", "http://orangeporntube.net/tsara-brashears.html", "http://onlyindianporn2.com/videos/tsara-brashears/", "http://videolal.com/tsara-brashears-dead.html", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead/", "http://www.music-forum.org/www-cixiu888-com-tsara-brashears.html", "http://wapwon.live/category/tsara-brashears-assaulted-by-jeffrey-reimerAccept-Language", "http://www.bukaporn.net/trend/tsara-brashears/ No Expiration\t41\t URL http://www.gdsl-pallemoebler.info/seach/tsara-brashears/", "http://www.sexpornimages.com/tsara/tsara-lynn-brashears-porn/7x56y.html No Expiration\t41\t URL http://www.sweetheartvideo.com/tsara-brashears No Expiration\t81\t URL http://www.tryporn.net/seach/tsara-brashears/ No Expiration\t41\t URL http://www.tryporno.net/movies/tsara-brashears/ No Expiration\t42\t URL https://alohatube.xyz/search/tsara-brashears No Expiration\t211\t URL https://alohatube.xyz/search/tsara-brashears+ No Expiration\t51\t URL https://browntubeporn.com/tsara-brashearsAccept-Language No Expiratio", "http://www.sexpornimages.com/tsara/tsara-lynn-brashears-porn/7x56y.html", "https://browntubeporn.com/tsara-brashearsAccept-Language", "http://www.tryporn.net/seach/tsara-brashears/", "https://alohatube.xyz/search/tsara-brashearsL", "http://onlyindianporn2.com/videos/tsara-brashears/", "http://orangeporntube.net/tsara-brashears.html", "https://www.dirtsearch.org/data/TSARA/BRASHEARS/", "https://youjizz.sex/tsara-brashears.html", "https://www.feestzalenvanvlaanderen.be/seach/tsara-brashears/", "https://www.xvxx.me/search/tsara-brashears/", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "https://www.sweetheartvideo.com/tsara-brashear", "https://wallpapers-nature.com/tsara-brashears/urlscan-io", "http://www.gdsl-pallemoebler.info/seach/tsara-brashears/", "http://www.bukaporn.net/trend/tsara-brashears/", "tsara-brashears-deadspin-twitter-suspended-account-help.ht", "https://mom2fuck.mobi/tsara-brashears.html", "http://vtwctr.org/explore/tsara- brashears-defeats-jeffrey-reimer/", "http://www.anyxxxtube.net/search-porn/tsara-brashears", "www.palantir.com \u2022 palantir.io \u2022 http://datafoundry.com/", "http://watchhers.net/index.php \u2022 foundry2sdbl.dvr.dn2.n-helix.com", "https://steam.exacg.cc/ \u2022 http://tesgm.ru/_ld/5/584_steam_apidll_Th.rar", "Targeting Tsara Brasheras and associated", "Targeting Candace Owens" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Ms Defender\tALF:HeraklezEval:Trojan:Win32/ClipBanker", "display_name": "Ms Defender\tALF:HeraklezEval:Trojan:Win32/ClipBanker", "target": null }, { "id": "Other Malware", "display_name": "Other Malware", "target": null } ], "attack_ids": [ { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1116", "name": "Code Signing", "display_name": "T1116 - Code Signing" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1051", "name": "Shared Webroot", "display_name": "T1051 - Shared Webroot" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1080", "name": "Taint Shared Content", "display_name": "T1080 - Taint Shared Content" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1085", "name": "Rundll32", "display_name": "T1085 - Rundll32" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1123", "name": "Audio Capture", "display_name": "T1123 - Audio Capture" }, { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1506", "name": "Web Session Cookie", "display_name": "T1506 - Web Session Cookie" }, { "id": "T1512", "name": "Capture Camera", "display_name": "T1512 - Capture Camera" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1586", "name": "Compromise Accounts", "display_name": "T1586 - Compromise Accounts" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" } ], "industries": [ "Government", "Defense", "Healthcare" ], "TLP": "green", "cloned_from": "692897a64c0e255409b5a67e", "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3709, "hostname": 1109, "FileHash-SHA256": 2872, "FileHash-MD5": 214, "FileHash-SHA1": 203, "domain": 557 }, "indicator_count": 8664, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "145 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6928f8d9e4222a6a219d785e", "name": "ClipBanker Spy & Information stealer | Crazy Frost | MaaS | Chrome & Cloudflare attacks", "description": "It appears that entity CrazyFrost provides MasS among other things that include major smear campaigns.| Likely quasi government , and Law Firm contractors.. Domestic terrorizing isn\u2019t a stretch.\nClipBanker: A form of banking trojan information stealer and spy that specifically monitors and steals information, likely by modifying the clipboard contents to redirect financial transactions (e.g., changing a copied bank account number to the attacker's).\n\n[OTX populated - HOSTNAME: CloudFlare.com.., a company owned by the US government, has been added to Pulse, an anti-virus database. (Pulses) created by users.]", "modified": "2025-12-28T00:04:06.179000", "created": "2025-11-28T01:20:25.401000", "tags": [ "dynamicloader", "json", "ascii text", "high", "data", "x90uxa4xf8", "cape", "stream", "guard", "write", "trojan", "redline", "malware", "push", "local", "injection_inter_process", "recon_fingerprint", "persistence_ads", "process_creation_suspicious_location", "infostealer_browser", "infostealer_cookies", "stealth_file", "cape_detected_threat", "antivm_generic_bios", "cape_extracted_content", "united", "mtb jul", "a domains", "aaaa", "443 ma86400", "servers", "win32upatre jul", "virtool", "b778b1", "div div", "d9e4f4", "edf2f8", "present mar", "fastest privacy", "first dns", "win32", "trojandropper", "passive dns", "mtb nov", "ipv4 add", "asn as13335", "dns resolutions", "domain", "data upload", "extraction", "yara", "troja yara", "trojar data", "virto", "worn data", "included iocs", "manually add", "resolved ips", "ta0002", "evasion ta0005", "tr shared", "modules", "files", "infor", "t1027", "process t1057", "community score", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "ssl certificate", "defense evasion", "spawns", "flag", "name server", "date", "cloudflare", "data protected", "misc activity", "et info", "dns requests", "domain address", "gmt flag", "techtarget", "server", "et policy", "prefetch2", "t1179 hooking", "access windows", "installs", "mitre att", "ck techniques", "click", "windir", "country", "contacted hosts", "ip address", "process details", "contacted", "http traffic", "suricata alerts", "event category", "found" ], "references": [ "Malware : ClipBanker Entity: Crazy Frost", "www.crazyfrost.com FileDescription :JF_CF_MiniZM FileVersion: 1.1.0.0 InternalName: jf_cf_frostovip.exe LegalCopyright Copyright \u00a9 CrazyFrost", "IDS Detections: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)", "Services : GoogleChromeElevationService = Delete", "Yara: RansomWin32SintaCry CodeOverlap TrojanClickerWin32Zeriest CodeOverlap", "Yara: TrojanDownloaderMSILBalamid CodeOverlap TrojanDropperWin32Popsenong CodeOverlap", "Yara: TrojanPythonKaazar CodeOverlap TrojanSpyWin32Chekafev CodeOverlap", "Yara: TrojanWin32Kredbegg CodeOverlap TrojanWin32Motve CodeOverlap TrojanWin32Pitroj", "Yara : VirToolMSILLuxod CodeOverlap WormMSILVonriamt CodeOverlap TrojanWin32Depriz CodeOverlap", "Yara: WormWin32Rombrast CodeOverlap Jorgen,Ibsen PECompact_2xx VZX Jeremy,Collake", "Sigma: Matches rule Suspicious desktop.ini Action by Maxime Thiebaut (@0xThiebaut), Tim Shelton (HAWK.IO)", "CS IDS: Matches rule (http_inspect) invalid status line", "CS IDS: Matches rule INDICATOR-COMPROMISE png file attachment without matching file magic Unique rule identifier: This rule belongs to a private collection.", "jf_cf_frostovip.exe FILEHASH SHA256 4b9d6c5de40bfc4da8cb8b3ab9408dc574346b97268983f10bef8810e3f6bed8", "https://www.anyxxxtube.net/search-porn/tsara-brashears/\t\thttps://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian\t URL\thttp://www.anyxxxtube.net/search-porn/tsara-brashears \u2022 http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex\t\u2022 http://www.anyxxxtube", "https://www.anyxxxtube.net/search-porn/tsara-brashears/\t URL\thttps://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian \u2022 http://www.anyxxxtube.net/search-porn/tsara-brashears \u2022 http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex", "http://www.anyxxxtube/" ], "public": 1, "adversary": "Crazy Frost", "targeted_countries": [], "malware_families": [ { "id": "ALF:HeraklezEval:Trojan:Win32/ClipBanker", "display_name": "ALF:HeraklezEval:Trojan:Win32/ClipBanker", "target": null }, { "id": "Trojan.Disfa/downloader10", "display_name": "Trojan.Disfa/downloader10", "target": null }, { "id": "Other Malware", "display_name": "Other Malware", "target": null }, { "id": "Trojan:Win32/Zusy", "display_name": "Trojan:Win32/Zusy", "target": "/malware/Trojan:Win32/Zusy" }, { "id": "Rozena", "display_name": "Rozena", "target": null } ], "attack_ids": [ { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1035", "name": "Service Execution", "display_name": "T1035 - Service Execution" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "T1498", "name": "Network Denial of Service", "display_name": "T1498 - Network Denial of Service" }, { "id": "T1464", "name": "Jamming or Denial of Service", "display_name": "T1464 - Jamming or Denial of Service" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 295, "FileHash-SHA1": 217, "FileHash-SHA256": 1887, "URL": 3263, "domain": 597, "hostname": 1085, "email": 2, "CVE": 1 }, "indicator_count": 7347, "is_author": false, "is_subscribing": null, "subscriber_count": 145, "modified_text": "155 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "692897a64c0e255409b5a67e", "name": "Frost Security | Attorneys | Government | Crazy", "description": "Dangerous. Being abused by the usual quasi government suspects. Affecting many targets including Candace Owens. Who can you turn to when your own government is 100% corrupt. \n\nCall me crazy. Idk. DJT was likely shot with a High Velocity Paint Ball. Why isn\u2019t anyone interviewing the families of the 3 \u2018allegedly\u2019 successfully assassinated. \n\nIs Charlie Kirk Dead or in hiding, an alien that doesn\u2019t bleed? \n\nLook it up. High Velocity Paint Ball is a very intensely underrated, nharsky spoken about sport enjoyed by gun enthusiast , snipers , military, civilians. Something weird is going on and it\u2019s actually obvious because they just want results.\n There\u2019s more disturbing things to come. I think more people are being taken out this way than we know.\nBy now I\u2019m under too much surveillance to just leave out casually. \nTerrifying for sure. I know Hos of the Bible is bigger.", "modified": "2025-12-27T17:01:06.155000", "created": "2025-11-27T18:25:42.570000", "tags": [ "active", "type win32", "exe size", "first seen", "malicious avg", "win32", "gdata", "dynamicloader", "fe ff", "high", "write c", "data", "x00bx00", "uswv", "write", "redline", "stream", "guard", "malware", "push", "local", "crazyfrost", "adversarial", "hacker", "extraction", "enter sc", "data upload", "extre data", "included iocs", "url http", "url https", "include review", "exclude sugges", "frost security", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "contacted hosts", "ip address", "process details", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "spawns", "defense evasion", "t1480 execution", "signing defense", "united", "flag", "contacted", "http traffic", "file defense", "mitre att", "ck techniques", "evasion att", "belize", "div div", "passive dns", "link", "ipv4 add", "url analysis", "urls", "files", "meta", "ddos", "indicators show", "search", "type indicator", "role title", "added active", "related pulses", "hostname", "types", "hosanna", "x show", "ck ids", "t1060", "run keys", "startup", "folder", "t1036", "capture", "cookie", "palantir", "indicator role", "active related", "description", "trump supporter", "types of", "germany", "china", "netherlands", "https", "notice", "billions", "stop", "boobs130432 no", "expiration", "location poland", "asn as29522", "learn more", "domain", "foundry", "hallrender", "brian sabey", "tam legal", "christopher p ahmann", "palantir", "quasi government", "pentagon" ], "references": [ "http://www.crazyfrost.com/wp-content/uploads/2011/01/%D0%BA%D0%BE%D0%BB%D0%BB%D0%B0%D0%B68.jpg\t URL", "http://frostsecurity.net/frost/driver/ \u2022 http://frostsecurity.net/frost/frostupdater/", "https://tamlegal.com/attorneys/christopher-p-ahmann/", "https://www.hallrender.com/attorney/brian-sabey/Accept", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "http://mypornvid.com/videos/27/x510fb2/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears/caillou-finger-family", "http://vtwctr.org/explore/tsara-brashears-defeats-jeffrey-reimer/ phishing", "http://alohatube.xyz/search/tsara-brashears No Expiration\t278\t URL http://alohatube.xyz/search/tsara-brashears/ No Expiration\t62\t URL http://amp.mypornvid.fun/videos/2/SLFGMWoQaCU/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears No Expiration\t49\t URL http://anybunny.tv/search/tsara-brashears-submission-on-august-27-via-manual.html&us No Expiration\t27\t URL http://browntubeporn.com/tsara-brashears.html No Expiration\t40\t URL http://flexporn.net/tsara-brashears.html", "http://wapwon.live/category/tsara-brashears-assaulted-by-jeffrey-reimerAccept-Languauge phishing", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing", "http://advocate-smyslova.ru/tsara-brashears/", "http://pixelrz.com/lists/keywords/tsara-brashears-jeffrey-reimer-porn/;0.48692189815948833", "http://orangeporntube.net/tsara-brashears.html", "http://onlyindianporn2.com/videos/tsara-brashears/", "http://videolal.com/tsara-brashears-dead.html", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead/", "http://www.music-forum.org/www-cixiu888-com-tsara-brashears.html", "http://wapwon.live/category/tsara-brashears-assaulted-by-jeffrey-reimerAccept-Language", "http://www.bukaporn.net/trend/tsara-brashears/ No Expiration\t41\t URL http://www.gdsl-pallemoebler.info/seach/tsara-brashears/", "http://www.sexpornimages.com/tsara/tsara-lynn-brashears-porn/7x56y.html No Expiration\t41\t URL http://www.sweetheartvideo.com/tsara-brashears No Expiration\t81\t URL http://www.tryporn.net/seach/tsara-brashears/ No Expiration\t41\t URL http://www.tryporno.net/movies/tsara-brashears/ No Expiration\t42\t URL https://alohatube.xyz/search/tsara-brashears No Expiration\t211\t URL https://alohatube.xyz/search/tsara-brashears+ No Expiration\t51\t URL https://browntubeporn.com/tsara-brashearsAccept-Language No Expiratio", "http://www.sexpornimages.com/tsara/tsara-lynn-brashears-porn/7x56y.html", "https://browntubeporn.com/tsara-brashearsAccept-Language", "http://www.tryporn.net/seach/tsara-brashears/", "https://alohatube.xyz/search/tsara-brashearsL", "http://onlyindianporn2.com/videos/tsara-brashears/", "http://orangeporntube.net/tsara-brashears.html", "https://www.dirtsearch.org/data/TSARA/BRASHEARS/", "https://youjizz.sex/tsara-brashears.html", "https://www.feestzalenvanvlaanderen.be/seach/tsara-brashears/", "https://www.xvxx.me/search/tsara-brashears/", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net", "https://www.sweetheartvideo.com/tsara-brashear", "https://wallpapers-nature.com/tsara-brashears/urlscan-io", "http://www.gdsl-pallemoebler.info/seach/tsara-brashears/", "http://www.bukaporn.net/trend/tsara-brashears/", "tsara-brashears-deadspin-twitter-suspended-account-help.ht", "https://mom2fuck.mobi/tsara-brashears.html", "http://vtwctr.org/explore/tsara- brashears-defeats-jeffrey-reimer/", "http://www.anyxxxtube.net/search-porn/tsara-brashears", "www.palantir.com \u2022 palantir.io \u2022 http://datafoundry.com/", "http://watchhers.net/index.php \u2022 foundry2sdbl.dvr.dn2.n-helix.com", "https://steam.exacg.cc/ \u2022 http://tesgm.ru/_ld/5/584_steam_apidll_Th.rar", "Targeting Tsara Brasheras and associated", "Targeting Candace Owens" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Ms Defender\tALF:HeraklezEval:Trojan:Win32/ClipBanker", "display_name": "Ms Defender\tALF:HeraklezEval:Trojan:Win32/ClipBanker", "target": null }, { "id": "Other Malware", "display_name": "Other Malware", "target": null } ], "attack_ids": [ { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1116", "name": "Code Signing", "display_name": "T1116 - Code Signing" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1051", "name": "Shared Webroot", "display_name": "T1051 - Shared Webroot" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1080", "name": "Taint Shared Content", "display_name": "T1080 - Taint Shared Content" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1085", "name": "Rundll32", "display_name": "T1085 - Rundll32" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1123", "name": "Audio Capture", "display_name": "T1123 - Audio Capture" }, { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1506", "name": "Web Session Cookie", "display_name": "T1506 - Web Session Cookie" }, { "id": "T1512", "name": "Capture Camera", "display_name": "T1512 - Capture Camera" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1586", "name": "Compromise Accounts", "display_name": "T1586 - Compromise Accounts" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" } ], "industries": [ "Government", "Defense", "Healthcare" ], "TLP": "green", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3709, "hostname": 1109, "FileHash-SHA256": 2872, "FileHash-MD5": 214, "FileHash-SHA1": 203, "domain": 557 }, "indicator_count": 8664, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "156 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6920c43c3772bb24f26f70cc", "name": "Xred_Malware \u2022 Dark Comet \u2022 Darkgate \u2022 Elex \u2022 Glassworm | AutoRun", "description": "Attack originates from government contractors/ quasi governmental entities. Criminal Defense and Government contracted Law firms commonly abuse these tactics. Targeting. Found in data of a target. Focused on (1) FILE HASH and (1) IP address .[referenced] *XRed _Mal\n* EXE Infection | OTX auto populated - Adversaries may be able to gain access to victim systems using a variety of techniques to evade detection and conceal their actions. and their intentions, as well as using other techniques, to avoid detection.", "modified": "2025-12-21T18:01:07.268000", "created": "2025-11-21T19:57:48.145000", "tags": [ "dynamicloader", "write c", "write", "high", "yara rule", "myapp", "delphi", "worm", "win32", "error", "code", "malware", "defender", "medium", "binary file", "heavensgate", "bochs", "dynamic", "td td", "td tr", "united", "a td", "a domains", "dynamic dns", "static dns", "dd wrt", "twitter", "trojan", "trojandropper", "null", "enough", "simple", "click", "easy", "premium", "associated urls", "server response", "google safe", "results nov", "avast avg", "11.21.2025", "11.20.2025", "borland delphi", "pe32", "intel", "ms windows", "inno setup", "win32 exe", "pecompact", "delphi generic", "pe32 compiler", "dark comet", "dark gate", "glassworm", "md5 code", "data", "porkbun llc", "windows match", "getprocaddress", "peb idrdata", "match peb", "t1547", "t1059 t1112", "shared modules", "t1129", "boot", "logon autostart", "execu", "t1134 boot", "encoding", "capture e1113", "file attributes", "analysis ob0001", "b0001 software", "virtual machine", "detection b0009", "analysis ob0002", "ob0003 screen", "windows get", "check", "encode", "check internet", "wininet set", "clear file", "enumerate gui", "get hostname", "get keyboard", "set registry", "find", "capture", "url http", "consolefoundry", "console foundry", "foundry", "malware catalog tree", "autorun keys", "modification", "alexander karp", "peter theil", "christoper ahmann", "christopher pool", "mercedes", "apple", "palantir", "adversarial", "adversaries", "hostile", "quasi", "empty hash", "denver", "mal_xred_backdoor", "backdoor", "xred", "brian sabey", "first-send-petikvx", "stop", "glassworm", "elex", "darkgate", "dark-comet", "search", "entries", "show", "yara detections", "icmp traffic", "rtf file", "top source", "top destination", "format", "host", "copy", "next", "learn", "ck id", "name tactics", "suspicious", "informative", "command", "adversaries", "spawns", "found", "access att", "font", "copy md5", "copy sha1", "copy sha256", "sha1", "ascii text", "pattern match", "sha256", "mitre att", "title", "meta", "hybrid", "local", "path", "strings", "body", "contact", "trace", "form", "bitcoin", "core", "jeffrey reimer", "exe infection", "cve", "porn" ], "references": [ "FILEHASH-SHA256 d0ce79b3e0f4798423871dd66c14172b1a0eac34131c1b92d210a7b5c31a8aa0", "Name 2025-11-19_b627882129bf281be5a3df318fff678b_dark-comet_darkgate_elex_glassworm_stop", "Antivirus Detection: Worm:Win32/AutoRun!atmn [Win.Trojan.Emotet relationship]", "IDS Detections: W32.Bloat-A Checkin DYNAMIC_DNS Query to Abused Domain *.mooo.com", "IDS Detections: Suspicious Dynamic DNS Update Request Suspicious User-Agent (MyApp)", "Yara : Zeppelin_30 , compromised_site_redirector_fromcharcode ,", "Yara : BobSoft Mini Delphi -> BoB / BobSoft , Delphi", "Alerts : suspicious_iocontrol_codes process_creation_suspicious_location network_dyndns", "Alerts: multiple_useragents persistence_autorun binary_yara procmem_yara suricata_alert", "Alerts: antivm_bochs_keys antivm_generic_disk enumerates_physical_drives antisandbox_sleep", "Alerts: physical_drive_access mouse_movement_detect dynamic_function_loading", "Alerts: http_request resumethread_remote_process antianalysis_tls_section network_httpn", "Alerts: packer_unknown", "Malicious IP Contacted: 69.42.215.252", "Abused Domains Contacted: xred.mooo.com freedns.afraid.org", "IP 69.42.215.252: http://nginx.com/ \u2022nginx.com\t\u2022 http://nginx.org/ \u2022 nginx.org \u2022 afraid.org \u2022 afraid.org", "IP 69.42.215.252: nginx.com\u2022 vb.cu \u2022 vb.il \u2022 yourdomain.com \u2022 yourdomain.com", "IP 69.42.215.252: theirname.yourdomain.com \u2022 www.freebsd.org freebsd.org \u2022 your.domain.com", "Windows Match api: GetProcAddress fs access *access PEB Idr_data Match PEB access fs access", "consolefoundry.date \u2022 http://consolefoundry.date \u2022 http://consolefoundry", "Matches rule Wow6432Node CurrentVersion Autorun Keys Modification - Credits (split) below", "by Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)", "http://freedns.afraid.org/images/apple.gif", "https://www.nextron-systems.com/notes-on-virustotal-matches/", "https://www.mumuplayer.com/redirect/customerservice/_wig", "https://www.mumuplayer.com/redirect/customerservice/fB)y", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ \u2022 http://www.anyxxxtube/", "http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex\t| Truth", "https://www.semena.cz/exoticke-okrasne/78-plumerie-havajska-kvetina-semena-3-ks.html", "http://www.anyxxxtube.net/search-porn/tsara-brashears", "http://consolefoundry.date/one/gate.php", "https://hybrid-analysis.com/sample/ba5890ad431b894b0dfd6c9d3f3d6cbd7fedae1bd5a51483f54b22ba0209e3b8/6920be8a548209db740dd354" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Trojan.Emotet-9850453", "display_name": "Win.Trojan.Emotet-9850453", "target": null }, { "id": "Win.Trojan.BlackNetRAT-7838854-0", "display_name": "Win.Trojan.BlackNetRAT-7838854-0", "target": null }, { "id": "Win.Dropper.Nanocore-10021490-0", "display_name": "Win.Dropper.Nanocore-10021490-0", "target": null }, { "id": "Worm:Win32/AutoRun!atmn", "display_name": "Worm:Win32/AutoRun!atmn", "target": "/malware/Worm:Win32/AutoRun!atmn" }, { "id": "Win.Packed.Remcos-10024510-0", "display_name": "Win.Packed.Remcos-10024510-0", "target": null }, { "id": "Code Overlap", "display_name": "Code Overlap", "target": null }, { "id": "Other Malware", "display_name": "Other Malware", "target": null }, { "id": "PSW:Win32/VB.CU", "display_name": "PSW:Win32/VB.CU", "target": "/malware/PSW:Win32/VB.CU" } ], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1541", "name": "Foreground Persistence", "display_name": "T1541 - Foreground Persistence" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "TA0037", "name": "Command and Control", "display_name": "TA0037 - Command and Control" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1049", "name": "System Network Connections Discovery", "display_name": "T1049 - System Network Connections Discovery" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1592", "name": "Gather Victim Host Information", "display_name": "T1592 - Gather Victim Host Information" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1470", "name": "Obtain Device Cloud Backups", "display_name": "T1470 - Obtain Device Cloud Backups" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 460, "FileHash-SHA1": 437, "FileHash-SHA256": 4483, "SSLCertFingerprint": 2, "URL": 6487, "hostname": 1772, "domain": 652, "CVE": 3, "email": 5 }, "indicator_count": 14301, "is_author": false, "is_subscribing": null, "subscriber_count": 142, "modified_text": "162 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "funfetty.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "funfetty.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780350043.6721165 }