{
"type": "URL",
"indicator": "https://almavision.almavision.com/",
"general": {
"sections": [
"general",
"url_list",
"http_scans",
"screenshot"
],
"indicator": "https://almavision.almavision.com/",
"type": "url",
"type_title": "URL",
"validation": [],
"base_indicator": {
"id": 3840113676,
"indicator": "https://almavision.almavision.com/",
"type": "URL",
"title": "",
"description": "",
"content": "",
"access_type": "public",
"access_reason": ""
},
"pulse_info": {
"count": 8,
"pulses": [
{
"id": "68e2bb5d9ee8577ab5519f2c",
"name": "Meritshealth with DoD links? ",
"description": "",
"modified": "2026-01-13T00:05:56.401000",
"created": "2025-10-05T18:39:25.286000",
"tags": [
"gtmk5nxqc6",
"utc amazon",
"utc na",
"acceptencoding",
"gmt contenttype",
"connection",
"true pragma",
"gmt setcookie",
"httponly",
"gmt vary",
"nc000000 up",
"html document",
"unicode text",
"utf8 text",
"oc0006 http",
"http traffic",
"https http",
"mitre att",
"control ta0011",
"protocol t1071",
"match info",
"t1573 severity",
"info",
"number",
"ja3s",
"algorithm",
"azure rsa",
"tls issuing",
"cus subject",
"stwa lredmond",
"cnmicrosoft ecc",
"update secure",
"server ca",
"omicrosoft cus",
"get http",
"dns resolutions",
"registrar",
"markmonitor inc",
"country",
"resolver domain",
"type name",
"html",
"apnic",
"apnic whois",
"please",
"rirs",
"cidr",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"development att",
"name tactics",
"binary file",
"ck matrix",
"wheelchair",
"iamrobert",
"pattern match",
"ascii text",
"href",
"united",
"general",
"local",
"path",
"encrypt",
"click",
"passive dns",
"urls",
"files",
"reverse dns",
"netherlands",
"present aug",
"a domains",
"moved",
"first pqc",
"ip address",
"unknown ns",
"unknown aaaa",
"title",
"body",
"meta",
"window",
"accept",
"body doctype",
"welcome",
"ok server",
"gmt content",
"present jul",
"present sep",
"aaaa",
"hostname",
"error",
"defense evasion",
"windows nt",
"response",
"vary",
"strings",
"core",
"t1027.013 encrypted/encoded",
"michelin lazy k",
"prefetch8",
"flag",
"date",
"starfield",
"hybrid",
"mobility cr",
"extraction",
"data upload",
"include",
"o url",
"url url",
"included i0",
"review ioc",
"excluded ic",
"suggested",
"find sugi",
"failed",
"cre pul",
"enter",
"enter sc",
"type",
"enric",
"extra",
"type opaste",
"data u",
"included",
"copy md5",
"copy sha1",
"copy sha256",
"null",
"refresh",
"tools",
"look",
"verify",
"restart",
"t1480 execution",
"expiration",
"url https",
"no expiration",
"iocs",
"ipv4",
"text drag",
"drop or",
"browse to",
"select file",
"redacted for",
"server",
"privacy tech",
"privacy admin",
"postal code",
"stateprovince",
"organization",
"email",
"code",
"quantum rooms",
"sam somalia",
"emp",
"porn",
"media defense",
"gov porn",
"suck my nips",
"reimer suspect",
"jeffrey reimer",
"dod",
"department of defense",
"show",
"date checked",
"url hostname",
"server response",
"google safe",
"results may",
"entries http",
"scans record",
"value status",
"sabey type",
"merits fake",
"y.a.s.",
"pornography",
"ramsom"
],
"references": [
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"https://meumundogay-com.sexogratis.page/locker",
"https://es.pornhat.com/models/the-sex-creator/",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"Can the DoD no questions asked target a SA victim",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"There is fear in silence or speaking out",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"If someone is believed to be a threat they have right to due process.",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"iamrobert.com Y.A.S.",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"Target agreed and complied with all lie detector measures.",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"I am very upset. Whoever is doing this is sick."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "TA0042",
"name": "Resource Development",
"display_name": "TA0042 - Resource Development"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1528",
"name": "Steal Application Access Token",
"display_name": "T1528 - Steal Application Access Token"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1562.004",
"name": "Disable or Modify System Firewall",
"display_name": "T1562.004 - Disable or Modify System Firewall"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1562.008",
"name": "Disable Cloud Logs",
"display_name": "T1562.008 - Disable Cloud Logs"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1056.003",
"name": "Web Portal Capture",
"display_name": "T1056.003 - Web Portal Capture"
},
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1180",
"name": "Screensaver",
"display_name": "T1180 - Screensaver"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "68e2b14d83bb63502feac65e",
"export_count": 17,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1365,
"URL": 11172,
"hostname": 2780,
"FileHash-MD5": 381,
"FileHash-SHA256": 4420,
"FileHash-SHA1": 338,
"CIDR": 4,
"SSLCertFingerprint": 24,
"CVE": 1,
"email": 1
},
"indicator_count": 20486,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "97 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68e2b14d83bb63502feac65e",
"name": "Did the \u2018real\u2019 DoD kill Targets wheelchair as promised? It\u2019s alive again.",
"description": "I\u2019d never think the DoD would be found when researching a wheelchair company NO ONE has ever heard of in this region. \n\nA wheelchair was ordered for target early spring, it was received in early summer. \n\nSettings became a crazy mess. Suspicion was immediate as a toothless tech tried to identify if dealing w/target by birth year , quizzing, fear tactics (doomsday wheelchair) , familiar Then warns about EMP attacks against wheelchair? His son is a hacker (gamer) + software engineer. He left not knowing if target status after quizzing tech knowledge? I intentionally verbalized the truth , target was a very early adopter of Ruby & Ruby on Rails & everything tech, he dropped his tools & left breaking the arm of wheelchair. New tech needed. Later denies ever being a mobility technician. They killed a new wheelchair. Why?. You\u2019re allowed to donate your equipment Vets & uninsured NEED mobility equipment. Stop the craziness. Is it possible gamer hackers are riding the DoD w/o their knowledge?",
"modified": "2026-01-07T00:00:30.717000",
"created": "2025-10-05T17:56:29.109000",
"tags": [
"gtmk5nxqc6",
"utc amazon",
"utc na",
"acceptencoding",
"gmt contenttype",
"connection",
"true pragma",
"gmt setcookie",
"httponly",
"gmt vary",
"nc000000 up",
"html document",
"unicode text",
"utf8 text",
"oc0006 http",
"http traffic",
"https http",
"mitre att",
"control ta0011",
"protocol t1071",
"match info",
"t1573 severity",
"info",
"number",
"ja3s",
"algorithm",
"azure rsa",
"tls issuing",
"cus subject",
"stwa lredmond",
"cnmicrosoft ecc",
"update secure",
"server ca",
"omicrosoft cus",
"get http",
"dns resolutions",
"registrar",
"markmonitor inc",
"country",
"resolver domain",
"type name",
"html",
"apnic",
"apnic whois",
"please",
"rirs",
"cidr",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"development att",
"name tactics",
"binary file",
"ck matrix",
"wheelchair",
"iamrobert",
"pattern match",
"ascii text",
"href",
"united",
"general",
"local",
"path",
"encrypt",
"click",
"passive dns",
"urls",
"files",
"reverse dns",
"netherlands",
"present aug",
"a domains",
"moved",
"first pqc",
"ip address",
"unknown ns",
"unknown aaaa",
"title",
"body",
"meta",
"window",
"accept",
"body doctype",
"welcome",
"ok server",
"gmt content",
"present jul",
"present sep",
"aaaa",
"hostname",
"error",
"defense evasion",
"windows nt",
"response",
"vary",
"strings",
"core",
"t1027.013 encrypted/encoded",
"michelin lazy k",
"prefetch8",
"flag",
"date",
"starfield",
"hybrid",
"mobility cr",
"extraction",
"data upload",
"include",
"o url",
"url url",
"included i0",
"review ioc",
"excluded ic",
"suggested",
"find sugi",
"failed",
"cre pul",
"enter",
"enter sc",
"type",
"enric",
"extra",
"type opaste",
"data u",
"included",
"copy md5",
"copy sha1",
"copy sha256",
"null",
"refresh",
"tools",
"look",
"verify",
"restart",
"t1480 execution",
"expiration",
"url https",
"no expiration",
"iocs",
"ipv4",
"text drag",
"drop or",
"browse to",
"select file",
"redacted for",
"server",
"privacy tech",
"privacy admin",
"postal code",
"stateprovince",
"organization",
"email",
"code",
"quantum rooms",
"sam somalia",
"emp",
"porn",
"media defense",
"gov porn",
"suck my nips",
"reimer suspect",
"jeffrey reimer",
"dod",
"department of defense",
"show",
"date checked",
"url hostname",
"server response",
"google safe",
"results may",
"entries http",
"scans record",
"value status",
"sabey type",
"merits fake",
"y.a.s.",
"pornography",
"ramsom"
],
"references": [
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"https://meumundogay-com.sexogratis.page/locker",
"https://es.pornhat.com/models/the-sex-creator/",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"Can the DoD no questions asked target a SA victim",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"There is fear in silence or speaking out",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"If someone is believed to be a threat they have right to due process.",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"iamrobert.com Y.A.S.",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"Target agreed and complied with all lie detector measures.",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"I am very upset. Whoever is doing this is sick."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "TA0042",
"name": "Resource Development",
"display_name": "TA0042 - Resource Development"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1528",
"name": "Steal Application Access Token",
"display_name": "T1528 - Steal Application Access Token"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1562.004",
"name": "Disable or Modify System Firewall",
"display_name": "T1562.004 - Disable or Modify System Firewall"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1562.008",
"name": "Disable Cloud Logs",
"display_name": "T1562.008 - Disable Cloud Logs"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1056.003",
"name": "Web Portal Capture",
"display_name": "T1056.003 - Web Portal Capture"
},
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1180",
"name": "Screensaver",
"display_name": "T1180 - Screensaver"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1328,
"URL": 9931,
"hostname": 2621,
"FileHash-MD5": 381,
"FileHash-SHA256": 4360,
"FileHash-SHA1": 338,
"CIDR": 4,
"SSLCertFingerprint": 24,
"CVE": 1,
"email": 1
},
"indicator_count": 18989,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "103 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6952fbca42c1b0da7431e6a7",
"name": "Pegasus / Pegacloud - Infiltration (10-2013 or 2014 to Current/ Ongoing) ",
"description": "",
"modified": "2025-12-29T22:08:10.280000",
"created": "2025-12-29T22:08:10.280000",
"tags": [
"backdoor",
"cyprus",
"trojan",
"mtb sep",
"passive dns",
"ddos",
"mtb oct",
"mtb aug",
"ipv4 add",
"smokeloader",
"trojandropper",
"extraction",
"se extraction",
"failed",
"data upload",
"enter s",
"enter sc",
"data u",
"extrac please",
"prop",
"extre data",
"type",
"extr data",
"include review",
"exclude",
"find s",
"typ data",
"source tir",
"extri",
"exclude sugges",
"se type",
"extra",
"include data",
"exclude review",
"show",
"showinil tvnes",
"dom dom",
"sc cat959",
"drop",
"pulse pulses",
"worm",
"files show",
"date hash",
"avast avg",
"win32",
"susp",
"cyprus showing",
"entries",
"next associated",
"urls show",
"date checked",
"url hostname",
"server response",
"ip address",
"google safe",
"server",
"registrar abuse",
"iana id",
"contact phone",
"dnssec",
"domain status",
"registrar url",
"registrar whois",
"date",
"registrar",
"se cre",
"pul use",
"url list",
"status http",
"linkid182227",
"linkid151642",
"first",
"domain list",
"ii llc",
"sc data",
"ukl extract",
"hiloti style",
"msle",
"win3 data",
"onio",
"observea",
"data data",
"stop data",
"monitored target",
"tsara",
"pegasus",
"social engineering"
],
"references": [
"http://fakejuko.site40/",
"pegacloud.net",
"IDS: Hiloti Style GET to PHP with invalid terse MSIE headers",
"IDS: Win32/Ibashade CnC Beacon",
"IDS: Win32.Scar.hhrw POST",
"IDS: Trojan.Win32.Cosmu.cdqg Checkin",
"IDS: OnionDuke CnC Beacon 1",
"IDS: Observed Suspicious UA (Mozilla/5.0)",
"IDS: Data POST to an image file (jpg)",
"cwt-cwtcxp1-dt1.pegacloud.net\t\u2022 fortrea-prod1.pegacloud.net \u2022 ssl-ssldmp-dt1-sftp.pegacloud.net \u2022 13.40.20.221 \u2022 44.215.155.206 \u2022 44.226.180.214"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Win32:WormX-gen [Wrm]",
"display_name": "Win32:WormX-gen [Wrm]",
"target": null
},
{
"id": "Worm:Win32:Drolnux",
"display_name": "Worm:Win32:Drolnux",
"target": null
},
{
"id": "Pegasus - MOB-S0005",
"display_name": "Pegasus - MOB-S0005",
"target": null
}
],
"attack_ids": [],
"industries": [
"Technology",
"Telecommunications",
"Government"
],
"TLP": "white",
"cloned_from": "6877422df67773a07ef450c2",
"export_count": 6,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 1630,
"URL": 4078,
"FileHash-MD5": 245,
"FileHash-SHA1": 246,
"FileHash-SHA256": 2561,
"CVE": 2,
"domain": 1307,
"email": 1
},
"indicator_count": 10070,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 140,
"modified_text": "112 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6928f8d9e4222a6a219d785e",
"name": "ClipBanker Spy & Information stealer | Crazy Frost | MaaS | Chrome & Cloudflare attacks",
"description": "It appears that entity CrazyFrost provides MasS among other things that include major smear campaigns.| Likely quasi government , and Law Firm contractors.. Domestic terrorizing isn\u2019t a stretch.\nClipBanker: A form of banking trojan information stealer and spy that specifically monitors and steals information, likely by modifying the clipboard contents to redirect financial transactions (e.g., changing a copied bank account number to the attacker's).\n\n[OTX populated - HOSTNAME: CloudFlare.com.., a company owned by the US government, has been added to Pulse, an anti-virus database. (Pulses) created by users.]",
"modified": "2025-12-28T00:04:06.179000",
"created": "2025-11-28T01:20:25.401000",
"tags": [
"dynamicloader",
"json",
"ascii text",
"high",
"data",
"x90uxa4xf8",
"cape",
"stream",
"guard",
"write",
"trojan",
"redline",
"malware",
"push",
"local",
"injection_inter_process",
"recon_fingerprint",
"persistence_ads",
"process_creation_suspicious_location",
"infostealer_browser",
"infostealer_cookies",
"stealth_file",
"cape_detected_threat",
"antivm_generic_bios",
"cape_extracted_content",
"united",
"mtb jul",
"a domains",
"aaaa",
"443 ma86400",
"servers",
"win32upatre jul",
"virtool",
"b778b1",
"div div",
"d9e4f4",
"edf2f8",
"present mar",
"fastest privacy",
"first dns",
"win32",
"trojandropper",
"passive dns",
"mtb nov",
"ipv4 add",
"asn as13335",
"dns resolutions",
"domain",
"data upload",
"extraction",
"yara",
"troja yara",
"trojar data",
"virto",
"worn data",
"included iocs",
"manually add",
"resolved ips",
"ta0002",
"evasion ta0005",
"tr shared",
"modules",
"files",
"infor",
"t1027",
"process t1057",
"community score",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"ssl certificate",
"defense evasion",
"spawns",
"flag",
"name server",
"date",
"cloudflare",
"data protected",
"misc activity",
"et info",
"dns requests",
"domain address",
"gmt flag",
"techtarget",
"server",
"et policy",
"prefetch2",
"t1179 hooking",
"access windows",
"installs",
"mitre att",
"ck techniques",
"click",
"windir",
"country",
"contacted hosts",
"ip address",
"process details",
"contacted",
"http traffic",
"suricata alerts",
"event category",
"found"
],
"references": [
"Malware : ClipBanker Entity: Crazy Frost",
"www.crazyfrost.com FileDescription :JF_CF_MiniZM FileVersion: 1.1.0.0 InternalName: jf_cf_frostovip.exe LegalCopyright Copyright \u00a9 CrazyFrost",
"IDS Detections: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)",
"Services : GoogleChromeElevationService = Delete",
"Yara: RansomWin32SintaCry CodeOverlap TrojanClickerWin32Zeriest CodeOverlap",
"Yara: TrojanDownloaderMSILBalamid CodeOverlap TrojanDropperWin32Popsenong CodeOverlap",
"Yara: TrojanPythonKaazar CodeOverlap TrojanSpyWin32Chekafev CodeOverlap",
"Yara: TrojanWin32Kredbegg CodeOverlap TrojanWin32Motve CodeOverlap TrojanWin32Pitroj",
"Yara : VirToolMSILLuxod CodeOverlap WormMSILVonriamt CodeOverlap TrojanWin32Depriz CodeOverlap",
"Yara: WormWin32Rombrast CodeOverlap Jorgen,Ibsen PECompact_2xx VZX Jeremy,Collake",
"Sigma: Matches rule Suspicious desktop.ini Action by Maxime Thiebaut (@0xThiebaut), Tim Shelton (HAWK.IO)",
"CS IDS: Matches rule (http_inspect) invalid status line",
"CS IDS: Matches rule INDICATOR-COMPROMISE png file attachment without matching file magic Unique rule identifier: This rule belongs to a private collection.",
"jf_cf_frostovip.exe FILEHASH SHA256 4b9d6c5de40bfc4da8cb8b3ab9408dc574346b97268983f10bef8810e3f6bed8",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/\t\thttps://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian\t URL\thttp://www.anyxxxtube.net/search-porn/tsara-brashears \u2022 http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex\t\u2022 http://www.anyxxxtube",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/\t URL\thttps://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian \u2022 http://www.anyxxxtube.net/search-porn/tsara-brashears \u2022 http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex",
"http://www.anyxxxtube/"
],
"public": 1,
"adversary": "Crazy Frost",
"targeted_countries": [],
"malware_families": [
{
"id": "ALF:HeraklezEval:Trojan:Win32/ClipBanker",
"display_name": "ALF:HeraklezEval:Trojan:Win32/ClipBanker",
"target": null
},
{
"id": "Trojan.Disfa/downloader10",
"display_name": "Trojan.Disfa/downloader10",
"target": null
},
{
"id": "Other Malware",
"display_name": "Other Malware",
"target": null
},
{
"id": "Trojan:Win32/Zusy",
"display_name": "Trojan:Win32/Zusy",
"target": "/malware/Trojan:Win32/Zusy"
},
{
"id": "Rozena",
"display_name": "Rozena",
"target": null
}
],
"attack_ids": [
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1035",
"name": "Service Execution",
"display_name": "T1035 - Service Execution"
},
{
"id": "T1043",
"name": "Commonly Used Port",
"display_name": "T1043 - Commonly Used Port"
},
{
"id": "T1179",
"name": "Hooking",
"display_name": "T1179 - Hooking"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1498",
"name": "Network Denial of Service",
"display_name": "T1498 - Network Denial of Service"
},
{
"id": "T1464",
"name": "Jamming or Denial of Service",
"display_name": "T1464 - Jamming or Denial of Service"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 295,
"FileHash-SHA1": 217,
"FileHash-SHA256": 1887,
"URL": 3263,
"domain": 597,
"hostname": 1085,
"email": 2,
"CVE": 1
},
"indicator_count": 7347,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 141,
"modified_text": "113 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6877422df67773a07ef450c2",
"name": "Pegasus / Pegacloud - Infiltration",
"description": "Pegasus IoC\u2019s found in the periphery of research. Appears target contacted a \u2018fake host\u2019 after finding name in multiple highly malicious domains. May have appeared between 12/2013 - 11-2014. Target was contacted by telephone and asked \u2018 have you checked Googled yourself\u2019, to which target answered \u2018Not really\u2019. Target was told \u2018you really should Google yourself\u2019. Target, upset about content clicked and began a takedown effort with host.\n\nThis seems to be at the start of many malicious campaigns. Requires further investigation.",
"modified": "2025-08-15T05:01:22.570000",
"created": "2025-07-16T06:09:49.704000",
"tags": [
"backdoor",
"cyprus",
"trojan",
"mtb sep",
"passive dns",
"ddos",
"mtb oct",
"mtb aug",
"ipv4 add",
"smokeloader",
"trojandropper",
"extraction",
"se extraction",
"failed",
"data upload",
"enter s",
"enter sc",
"data u",
"extrac please",
"prop",
"extre data",
"type",
"extr data",
"include review",
"exclude",
"find s",
"typ data",
"source tir",
"extri",
"exclude sugges",
"se type",
"extra",
"include data",
"exclude review",
"show",
"showinil tvnes",
"dom dom",
"sc cat959",
"drop",
"pulse pulses",
"worm",
"files show",
"date hash",
"avast avg",
"win32",
"susp",
"cyprus showing",
"entries",
"next associated",
"urls show",
"date checked",
"url hostname",
"server response",
"ip address",
"google safe",
"server",
"registrar abuse",
"iana id",
"contact phone",
"dnssec",
"domain status",
"registrar url",
"registrar whois",
"date",
"registrar",
"se cre",
"pul use",
"url list",
"status http",
"linkid182227",
"linkid151642",
"first",
"domain list",
"ii llc",
"sc data",
"ukl extract",
"hiloti style",
"msle",
"win3 data",
"onio",
"observea",
"data data",
"stop data",
"monitored target",
"tsara",
"pegasus",
"social engineering"
],
"references": [
"http://fakejuko.site40/",
"pegacloud.net",
"IDS: Hiloti Style GET to PHP with invalid terse MSIE headers",
"IDS: Win32/Ibashade CnC Beacon",
"IDS: Win32.Scar.hhrw POST",
"IDS: Trojan.Win32.Cosmu.cdqg Checkin",
"IDS: OnionDuke CnC Beacon 1",
"IDS: Observed Suspicious UA (Mozilla/5.0)",
"IDS: Data POST to an image file (jpg)",
"cwt-cwtcxp1-dt1.pegacloud.net\t\u2022 fortrea-prod1.pegacloud.net \u2022 ssl-ssldmp-dt1-sftp.pegacloud.net \u2022 13.40.20.221 \u2022 44.215.155.206 \u2022 44.226.180.214"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Win32:WormX-gen [Wrm]",
"display_name": "Win32:WormX-gen [Wrm]",
"target": null
},
{
"id": "Worm:Win32:Drolnux",
"display_name": "Worm:Win32:Drolnux",
"target": null
},
{
"id": "Pegasus - MOB-S0005",
"display_name": "Pegasus - MOB-S0005",
"target": null
}
],
"attack_ids": [],
"industries": [
"Technology",
"Telecommunications",
"Government"
],
"TLP": "white",
"cloned_from": null,
"export_count": 20,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 1630,
"URL": 4078,
"FileHash-MD5": 245,
"FileHash-SHA1": 246,
"FileHash-SHA256": 2561,
"CVE": 2,
"domain": 1307,
"email": 1
},
"indicator_count": 10070,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 141,
"modified_text": "248 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65cd05cd3c9d0cc0b9ed215f",
"name": "Emotet - https://www.gambinospizza.com | Brian Sabey \u2022 HallRender",
"description": "\u2022Emotet botnets were observed dropping Trickbot to deliver ransomware payloads against some victims and Qakbot Trojans to steal banking credentials and data from other targets.\n\n\u2022Scammer 'Attorney' Brian Sabey | HallRender associated ; utilizes every form of social engineering to gain full access to phone numbers, email, banking, network, relatives, contacts, PHI, PII, modifies services.\n.",
"modified": "2024-04-15T08:03:32.381000",
"created": "2024-02-14T18:26:21.427000",
"tags": [
"united",
"unknown",
"status",
"sec ch",
"as44273 host",
"search",
"aaaa",
"showing",
"ch ua",
"record value",
"ssl certificate",
"threat roundup",
"contacted",
"communicating",
"historical ssl",
"referrer",
"resolutions",
"http",
"execution",
"gopher",
"pattern match",
"breakpoint",
"command decode",
"desktop",
"base",
"gambino",
"pizza",
"suricata ipv4",
"mitre att",
"date",
"meta",
"footer",
"february",
"general",
"model",
"comspec",
"click",
"strings",
"main",
"brian sabey",
"hallrender",
"trojan",
"worm",
"frankfurt",
"germany",
"asn15169",
"google",
"asn16509",
"amazon02",
"asn396982",
"kansas city",
"franchise url",
"gmbh version",
"status page",
"service privacy",
"legal",
"impressum",
"reverse dns",
"general full",
"url https",
"resource",
"hash",
"protocol h2",
"asn13335",
"cloudflarenet",
"software",
"domains",
"hashes",
"learn",
"issues tab",
"value",
"variables",
"typeof function",
"topropertykey",
"bricksintersect",
"bricksfunction",
"domainpath name",
"request chain",
"chain",
"nl page",
"url history",
"javascript",
"page url",
"redirected",
"poweshell",
"bruschettab",
"mobsterstageda",
"calzonec",
"threat analyzer",
"threat",
"paste",
"iocs",
"hostnames",
"beefpizzac",
"superitaliansub",
"cname",
"msie",
"chrome",
"asnone united",
"as6336 turn",
"nxdomain",
"whitelisted",
"creation date",
"turn",
"body",
"algorithm",
"v3 serial",
"number",
"key algorithm",
"key identifier",
"subject key",
"identifier",
"x509v3 key",
"usage",
"x509v3 extended",
"info",
"first",
"server",
"registrar abuse",
"iana id",
"registrar url",
"registrar whois",
"contact email",
"registry domain",
"contact phone",
"dnssec",
"code",
"type name",
"win32 exe",
"recreation",
"whois record",
"infected",
"page dow",
"poser",
"scammer",
"security",
"malvertizing",
"betting",
"illegal activity",
"linux",
"teen porn",
"child exploitation",
"script urls",
"a domains",
"as10796 charter",
"find your",
"next franchise",
"x content",
"backend",
"as13768 aptum",
"moved",
"passive dns",
"urls",
"as2635",
"as14061",
"scan endpoints",
"all octoseek",
"url http",
"pulse pulses",
"ip address",
"related nids",
"files location",
"date hash",
"avast avg",
"nastya",
"entries",
"emotet",
"windows nt",
"show",
"etpro trojan",
"channel",
"artemis",
"medium",
"delete",
"copy",
"virustotal",
"trojan",
"write",
"trojanproxy",
"vipre",
"panda",
"malware",
"malware infection",
"dga",
"algorithm generated domains",
"command and control",
"pe32 executable",
"tag",
"tagging",
"porn tagging",
"as3356 level",
"tahoma arial",
"servers",
"as1136 kpn",
"next",
"et",
"remote",
"confirm http",
"sectrack",
"openssl",
"fulldisc",
"secunia",
"confirm https",
"openssl tls",
"multiple",
"remote",
"misc https",
"impact",
"heartbleed",
"external source",
"name hyperlink",
"hp hpsbmu02998",
"hp hpsbmu03019",
"hp hpsbmu03030",
"hp hpsbmu03018",
"title",
"lowfi",
"title error",
"body doctype",
"html public",
"w3cdtd html",
"html head",
"mozilla",
"720.282.2025",
"masquerading",
"ninite feb",
"mtb feb",
"telper",
"trojandropper",
"ninite",
"create c",
"read c",
"default",
"create",
"unicode",
"dock",
"xport"
],
"references": [
"www.gambinospizza.com",
"0qMrDxlbqY9THmtdz56XQ2fTe-p9H49lftTmBXmn1WY9Z16q1vJdZdjO5Wnq_Pn3gEAAP__hu8yPQ",
"https://apps.apple.com/us/app/gambinos-pizza/id1500338496 \u2022 apps.apple.com",
"https://play.google.com/store/apps/details?id=com.e9117073d4e0.www",
"targeting.unrulymedia.com \u2022 http://theteenhealthdoc.com",
"https://www.hallrender.com/attorney/brian-sabey/ \u2022 www.hallrender.com \u2022 https://www.hallrender.com/wp-json/oembed/1.0/embed?url=https://www.hallrender.com/attorney/brian-sabey/&",
"https://www.hallrender.com/wp-content/uploads/2016/02/Denver-150x150.jpg \u2022 https://www.hallrender.com/xmlrpc.php?rsd",
"https://teenlist.toplistcreator.eu/in.php?nr=15170//www.toplistcreator.eu//www.toplistcreator.eu//www.toplistcreator.eu//www.toplistcreator.eu//www.toplistcreator.eu//www.toplistcreator.eu//www.toplistcreator.eu//www.toplistcreator.eu//www.toplistcreator.eu",
"http://fboomporn.com/teens/51826-gloryholeswallow-flora-floras-1st-gloryhole-visit-fullhd-1080p.html \u2022 teenystar18.toplistcreator.eu",
"theteenhealthdoc.com \u2022 http://jailbait.toplistcreator.eu/link.php?link=teenystar18.toplistcreator.eu&nr=522 \u2022 franchisefifteen.com",
"https://fboomporn.com/engine/opensearch.php \u2022 http://porn.hub-accessories.site/ \u2022 https://pic.porn.hub-accessories.site",
"http://porn.toplistcreator.eu/in.php",
"ETPRO TROJAN Trojan/Win32.Zbot Covert Channel 2 port 53\t192.168.56.103\t85.17.142.7\t 2807561\tETPRO TROJAN Trojan/Win32.Zbot Covert Channel 2 port 53\t192.168.56.103\t85.17.142.7\t\t\t\t 2807561\tETPRO TROJAN Trojan/Win32.Zbot Covert Channel 2 port 53\t192.168.56.103\t95.169.186.\t\t 2807561\tETPRO TROJAN Trojan/Win32.Zbot Covert Channel 2 port 53\t192.168.56.103\t95.169.186.63",
"Trojan/Win32.Zbot Covert Channel 2 port 53\t192.168.56.10",
"https://tag.1rx.io/rmp/215626/0/mvo?z=1r&hbv=8.16,2.1\ttag.1rx.io \u2022 192.208.222.110",
"http://email.acm.mg.hydrantid.com/c/eJxUyTGygyAQBuDTQMksPyhYULzGe-C6LzCKOoYmt88kXdrvWxPlEJ3TkmygcbQBHrokFk-R4WwexpBl-J8Ce8uygBdeJqtrAsGTdWQB8jA0yQDEL0qMrD",
"CVE-2014-0160 \u2022 CVE-2017-11882",
"a17-250-248-150.www.bing.com \u2022 appledirectory.www.bing.com",
"animate-citadel-t3gbc9x3gzd7invrzh8w00zm.herokudns.com"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Trojan:Win32/Comspec",
"display_name": "Trojan:Win32/Comspec",
"target": "/malware/Trojan:Win32/Comspec"
},
{
"id": "XLS:Nastya\\ [Trj]",
"display_name": "XLS:Nastya\\ [Trj]",
"target": null
},
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
},
{
"id": "Crypt4.YGM",
"display_name": "Crypt4.YGM",
"target": null
},
{
"id": "ZBot",
"display_name": "ZBot",
"target": null
},
{
"id": "ET",
"display_name": "ET",
"target": null
},
{
"id": "Heartbleed Bug",
"display_name": "Heartbleed Bug",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 59,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 118,
"FileHash-SHA1": 106,
"domain": 3271,
"hostname": 2451,
"URL": 8652,
"email": 8,
"FileHash-SHA256": 3153,
"CVE": 4
},
"indicator_count": 17763,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 223,
"modified_text": "735 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65e576d419524d75af35a36e",
"name": "FormBook",
"description": "FormBook is an infostealer malware (malicious spyware). malicious code uses various hooks to gain access to keystrokes, screenshots, and other functions. The malware can also receive commands from its operator to steal information from browsers or download and execute other malware. As a MaaS offering, FormBook malware may be deployed by various threat actors. It's currently being use by a ,legal teams masquerading as government (might be \nlegitimate attorneys) law firm modifying and deleting front facing threats on various platforms. One firm has very poor reviews Corrupt. Others initiate malicious prosecution law suits. Social; engineering , intertwining malicious behavior.in every aspect of targets life from business banking, ancestry to aggressive match making attempts.",
"modified": "2024-04-03T05:03:03.527000",
"created": "2024-03-04T07:23:00.177000",
"tags": [
"resolutions",
"referrer",
"siblings",
"asn owner",
"historical ssl",
"contacted",
"high level",
"hackers",
"formbook",
"name verdict",
"falcon sandbox",
"report",
"united",
"registrar",
"creation date",
"search",
"emails",
"name",
"name servers",
"showing",
"unknown",
"scan endpoints",
"date",
"next",
"root ca",
"pattern match",
"authority",
"beginstring",
"class",
"mitre att",
"global root",
"ck id",
"show technique",
"ck matrix",
"null",
"accept",
"refresh",
"span",
"error",
"tools",
"body",
"look",
"verify",
"restart",
"hybrid",
"local",
"click",
"strings",
"files files",
"ssl certificate",
"tsara brashears",
"highly targeted",
"ransomware",
"dark power",
"play ransomware",
"malware",
"core",
"installer",
"awful",
"snatch",
"metro",
"service",
"critical",
"copy",
"execution",
"location united",
"asn as15169",
"less whois",
"as15169 google",
"status",
"entries",
"record value",
"servers",
"trojan",
"win32",
"aaaa",
"worm",
"passive dns",
"gmt cache",
"sameorigin",
"all scoreblue",
"ipv4",
"lowfi",
"domain related",
"urls",
"domain",
"nxdomain",
"hostname",
"users",
"yara detections",
"alerts",
"high",
"filehash",
"pulse pulses",
"av detections",
"ids detections",
"musicmaid",
"reader",
"office standard",
"high process",
"injection t1055",
"t1055",
"x00x00",
"icmp traffic",
"injection",
"hijacker",
"password",
"stealer",
"corruption",
"targeting",
"172.31.13.249"
],
"references": [
"gstatic.com",
"Unsupported/Fake Windows NT Version 5.0",
"Login privileges",
"172.31.13.249"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "FormBook",
"display_name": "FormBook",
"target": null
},
{
"id": "Worm:Win32/Mofksys.RND!MTB",
"display_name": "Worm:Win32/Mofksys.RND!MTB",
"target": "/malware/Worm:Win32/Mofksys.RND!MTB"
},
{
"id": "Trojan:Win32/Dorv.B!rfn",
"display_name": "Trojan:Win32/Dorv.B!rfn",
"target": "/malware/Trojan:Win32/Dorv.B!rfn"
},
{
"id": "Trojan:Win32/Zombie.A",
"display_name": "Trojan:Win32/Zombie.A",
"target": "/malware/Trojan:Win32/Zombie.A"
},
{
"id": "Trojan:Win32/QQpass",
"display_name": "Trojan:Win32/QQpass",
"target": "/malware/Trojan:Win32/QQpass"
},
{
"id": "Trojan:Win32/Antavmu.D",
"display_name": "Trojan:Win32/Antavmu.D",
"target": "/malware/Trojan:Win32/Antavmu.D"
},
{
"id": "PWS:MSIL/Dcstl.GD!MTB",
"display_name": "PWS:MSIL/Dcstl.GD!MTB",
"target": "/malware/PWS:MSIL/Dcstl.GD!MTB"
},
{
"id": "#Lowfi:HSTR:MSIL/PossibleDownloader.S01",
"display_name": "#Lowfi:HSTR:MSIL/PossibleDownloader.S01",
"target": null
},
{
"id": "Win32:MalwareX-gen\\ [Trj]",
"display_name": "Win32:MalwareX-gen\\ [Trj]",
"target": null
}
],
"attack_ids": [
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1100",
"name": "Web Shell",
"display_name": "T1100 - Web Shell"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1560",
"name": "Archive Collected Data",
"display_name": "T1560 - Archive Collected Data"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1110.002",
"name": "Password Cracking",
"display_name": "T1110.002 - Password Cracking"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1070.004",
"name": "File Deletion",
"display_name": "T1070.004 - File Deletion"
},
{
"id": "T1107",
"name": "File Deletion",
"display_name": "T1107 - File Deletion"
},
{
"id": "T1447",
"name": "Delete Device Data",
"display_name": "T1447 - Delete Device Data"
},
{
"id": "T1114.002",
"name": "Remote Email Collection",
"display_name": "T1114.002 - Remote Email Collection"
},
{
"id": "T1002",
"name": "Data Compressed",
"display_name": "T1002 - Data Compressed"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 45,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 3117,
"FileHash-MD5": 280,
"FileHash-SHA1": 286,
"FileHash-SHA256": 3773,
"domain": 1264,
"hostname": 1595,
"email": 6,
"CVE": 5
},
"indicator_count": 10326,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 229,
"modified_text": "747 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65e57f32581a900dfb272d05",
"name": "FormBook | 172.31.13.249",
"description": "",
"modified": "2024-04-03T05:03:03.527000",
"created": "2024-03-04T07:58:42.074000",
"tags": [
"resolutions",
"referrer",
"siblings",
"asn owner",
"historical ssl",
"contacted",
"high level",
"hackers",
"formbook",
"name verdict",
"falcon sandbox",
"report",
"united",
"registrar",
"creation date",
"search",
"emails",
"name",
"name servers",
"showing",
"unknown",
"scan endpoints",
"date",
"next",
"root ca",
"pattern match",
"authority",
"beginstring",
"class",
"mitre att",
"global root",
"ck id",
"show technique",
"ck matrix",
"null",
"accept",
"refresh",
"span",
"error",
"tools",
"body",
"look",
"verify",
"restart",
"hybrid",
"local",
"click",
"strings",
"files files",
"ssl certificate",
"tsara brashears",
"highly targeted",
"ransomware",
"dark power",
"play ransomware",
"malware",
"core",
"installer",
"awful",
"snatch",
"metro",
"service",
"critical",
"copy",
"execution",
"location united",
"asn as15169",
"less whois",
"as15169 google",
"status",
"entries",
"record value",
"servers",
"trojan",
"win32",
"aaaa",
"worm",
"passive dns",
"gmt cache",
"sameorigin",
"all scoreblue",
"ipv4",
"lowfi",
"domain related",
"urls",
"domain",
"nxdomain",
"hostname",
"users",
"yara detections",
"alerts",
"high",
"filehash",
"pulse pulses",
"av detections",
"ids detections",
"musicmaid",
"reader",
"office standard",
"high process",
"injection t1055",
"t1055",
"x00x00",
"icmp traffic",
"injection",
"hijacker",
"password",
"stealer",
"corruption",
"targeting",
"172.31.13.249"
],
"references": [
"gstatic.com",
"Unsupported/Fake Windows NT Version 5.0",
"Login privileges",
"172.31.13.249"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "FormBook",
"display_name": "FormBook",
"target": null
},
{
"id": "Worm:Win32/Mofksys.RND!MTB",
"display_name": "Worm:Win32/Mofksys.RND!MTB",
"target": "/malware/Worm:Win32/Mofksys.RND!MTB"
},
{
"id": "Trojan:Win32/Dorv.B!rfn",
"display_name": "Trojan:Win32/Dorv.B!rfn",
"target": "/malware/Trojan:Win32/Dorv.B!rfn"
},
{
"id": "Trojan:Win32/Zombie.A",
"display_name": "Trojan:Win32/Zombie.A",
"target": "/malware/Trojan:Win32/Zombie.A"
},
{
"id": "Trojan:Win32/QQpass",
"display_name": "Trojan:Win32/QQpass",
"target": "/malware/Trojan:Win32/QQpass"
},
{
"id": "Trojan:Win32/Antavmu.D",
"display_name": "Trojan:Win32/Antavmu.D",
"target": "/malware/Trojan:Win32/Antavmu.D"
},
{
"id": "PWS:MSIL/Dcstl.GD!MTB",
"display_name": "PWS:MSIL/Dcstl.GD!MTB",
"target": "/malware/PWS:MSIL/Dcstl.GD!MTB"
},
{
"id": "#Lowfi:HSTR:MSIL/PossibleDownloader.S01",
"display_name": "#Lowfi:HSTR:MSIL/PossibleDownloader.S01",
"target": null
},
{
"id": "Win32:MalwareX-gen\\ [Trj]",
"display_name": "Win32:MalwareX-gen\\ [Trj]",
"target": null
}
],
"attack_ids": [
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1100",
"name": "Web Shell",
"display_name": "T1100 - Web Shell"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1560",
"name": "Archive Collected Data",
"display_name": "T1560 - Archive Collected Data"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1110.002",
"name": "Password Cracking",
"display_name": "T1110.002 - Password Cracking"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1070.004",
"name": "File Deletion",
"display_name": "T1070.004 - File Deletion"
},
{
"id": "T1107",
"name": "File Deletion",
"display_name": "T1107 - File Deletion"
},
{
"id": "T1447",
"name": "Delete Device Data",
"display_name": "T1447 - Delete Device Data"
},
{
"id": "T1114.002",
"name": "Remote Email Collection",
"display_name": "T1114.002 - Remote Email Collection"
},
{
"id": "T1002",
"name": "Data Compressed",
"display_name": "T1002 - Data Compressed"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "65e576d419524d75af35a36e",
"export_count": 45,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 3117,
"FileHash-MD5": 280,
"FileHash-SHA1": 286,
"FileHash-SHA256": 3773,
"domain": 1264,
"hostname": 1595,
"email": 6,
"CVE": 5
},
"indicator_count": 10326,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 223,
"modified_text": "747 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
}
],
"references": [
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"IDS: Data POST to an image file (jpg)",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"theteenhealthdoc.com \u2022 http://jailbait.toplistcreator.eu/link.php?link=teenystar18.toplistcreator.eu&nr=522 \u2022 franchisefifteen.com",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"Yara: TrojanDownloaderMSILBalamid CodeOverlap TrojanDropperWin32Popsenong CodeOverlap",
"CVE-2014-0160 \u2022 CVE-2017-11882",
"IDS: Hiloti Style GET to PHP with invalid terse MSIE headers",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"IDS: OnionDuke CnC Beacon 1",
"Malware : ClipBanker Entity: Crazy Frost",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"If someone is believed to be a threat they have right to due process.",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"www.gambinospizza.com",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"jf_cf_frostovip.exe FILEHASH SHA256 4b9d6c5de40bfc4da8cb8b3ab9408dc574346b97268983f10bef8810e3f6bed8",
"IDS: Observed Suspicious UA (Mozilla/5.0)",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"172.31.13.249",
"https://www.hallrender.com/attorney/brian-sabey/ \u2022 www.hallrender.com \u2022 https://www.hallrender.com/wp-json/oembed/1.0/embed?url=https://www.hallrender.com/attorney/brian-sabey/&",
"IDS: Win32/Ibashade CnC Beacon",
"There is fear in silence or speaking out",
"http://fboomporn.com/teens/51826-gloryholeswallow-flora-floras-1st-gloryhole-visit-fullhd-1080p.html \u2022 teenystar18.toplistcreator.eu",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"https://teenlist.toplistcreator.eu/in.php?nr=15170//www.toplistcreator.eu//www.toplistcreator.eu//www.toplistcreator.eu//www.toplistcreator.eu//www.toplistcreator.eu//www.toplistcreator.eu//www.toplistcreator.eu//www.toplistcreator.eu//www.toplistcreator.eu",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"Yara: WormWin32Rombrast CodeOverlap Jorgen,Ibsen PECompact_2xx VZX Jeremy,Collake",
"Target agreed and complied with all lie detector measures.",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"Yara: TrojanPythonKaazar CodeOverlap TrojanSpyWin32Chekafev CodeOverlap",
"a17-250-248-150.www.bing.com \u2022 appledirectory.www.bing.com",
"gstatic.com",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"pegacloud.net",
"https://apps.apple.com/us/app/gambinos-pizza/id1500338496 \u2022 apps.apple.com",
"www.crazyfrost.com FileDescription :JF_CF_MiniZM FileVersion: 1.1.0.0 InternalName: jf_cf_frostovip.exe LegalCopyright Copyright \u00a9 CrazyFrost",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/\t URL\thttps://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian \u2022 http://www.anyxxxtube.net/search-porn/tsara-brashears \u2022 http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"Login privileges",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"Unsupported/Fake Windows NT Version 5.0",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/\t\thttps://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian\t URL\thttp://www.anyxxxtube.net/search-porn/tsara-brashears \u2022 http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex\t\u2022 http://www.anyxxxtube",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"https://es.pornhat.com/models/the-sex-creator/",
"https://fboomporn.com/engine/opensearch.php \u2022 http://porn.hub-accessories.site/ \u2022 https://pic.porn.hub-accessories.site",
"https://www.hallrender.com/wp-content/uploads/2016/02/Denver-150x150.jpg \u2022 https://www.hallrender.com/xmlrpc.php?rsd",
"http://www.anyxxxtube/",
"Services : GoogleChromeElevationService = Delete",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"Can the DoD no questions asked target a SA victim",
"Yara: TrojanWin32Kredbegg CodeOverlap TrojanWin32Motve CodeOverlap TrojanWin32Pitroj",
"IDS Detections: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"iamrobert.com Y.A.S.",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"IDS: Win32.Scar.hhrw POST",
"CS IDS: Matches rule (http_inspect) invalid status line",
"Sigma: Matches rule Suspicious desktop.ini Action by Maxime Thiebaut (@0xThiebaut), Tim Shelton (HAWK.IO)",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"IDS: Trojan.Win32.Cosmu.cdqg Checkin",
"http://email.acm.mg.hydrantid.com/c/eJxUyTGygyAQBuDTQMksPyhYULzGe-C6LzCKOoYmt88kXdrvWxPlEJ3TkmygcbQBHrokFk-R4WwexpBl-J8Ce8uygBdeJqtrAsGTdWQB8jA0yQDEL0qMrD",
"http://fakejuko.site40/",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"https://tag.1rx.io/rmp/215626/0/mvo?z=1r&hbv=8.16,2.1\ttag.1rx.io \u2022 192.208.222.110",
"targeting.unrulymedia.com \u2022 http://theteenhealthdoc.com",
"animate-citadel-t3gbc9x3gzd7invrzh8w00zm.herokudns.com",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"CS IDS: Matches rule INDICATOR-COMPROMISE png file attachment without matching file magic Unique rule identifier: This rule belongs to a private collection.",
"cwt-cwtcxp1-dt1.pegacloud.net\t\u2022 fortrea-prod1.pegacloud.net \u2022 ssl-ssldmp-dt1-sftp.pegacloud.net \u2022 13.40.20.221 \u2022 44.215.155.206 \u2022 44.226.180.214",
"https://play.google.com/store/apps/details?id=com.e9117073d4e0.www",
"http://porn.toplistcreator.eu/in.php",
"I am very upset. Whoever is doing this is sick.",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"0qMrDxlbqY9THmtdz56XQ2fTe-p9H49lftTmBXmn1WY9Z16q1vJdZdjO5Wnq_Pn3gEAAP__hu8yPQ",
"Yara: RansomWin32SintaCry CodeOverlap TrojanClickerWin32Zeriest CodeOverlap",
"https://meumundogay-com.sexogratis.page/locker",
"Trojan/Win32.Zbot Covert Channel 2 port 53\t192.168.56.10",
"ETPRO TROJAN Trojan/Win32.Zbot Covert Channel 2 port 53\t192.168.56.103\t85.17.142.7\t 2807561\tETPRO TROJAN Trojan/Win32.Zbot Covert Channel 2 port 53\t192.168.56.103\t85.17.142.7\t\t\t\t 2807561\tETPRO TROJAN Trojan/Win32.Zbot Covert Channel 2 port 53\t192.168.56.103\t95.169.186.\t\t 2807561\tETPRO TROJAN Trojan/Win32.Zbot Covert Channel 2 port 53\t192.168.56.103\t95.169.186.63",
"Yara : VirToolMSILLuxod CodeOverlap WormMSILVonriamt CodeOverlap TrojanWin32Depriz CodeOverlap"
],
"related": {
"alienvault": {
"adversary": [],
"malware_families": [],
"industries": [],
"unique_indicators": 0
},
"other": {
"adversary": [
"Crazy Frost"
],
"malware_families": [
"Trojan.disfa/downloader10",
"Malware",
"Trojan:win32/dorv.b!rfn",
"Worm:win32/mofksys.rnd!mtb",
"Apnic",
"Formbook",
"Xls:nastya\\ [trj]",
"Trojan:win32/qqpass",
"Trojan:win32/comspec",
"Trojan:win32/zusy",
"Crypt4.ygm",
"Et",
"Win32:wormx-gen [wrm]",
"Zbot",
"Alf:heraklezeval:trojan:win32/clipbanker",
"#lowfi:hstr:msil/possibledownloader.s01",
"Rozena",
"Worm:win32:drolnux",
"Win32:malwarex-gen\\ [trj]",
"Heartbleed bug",
"Other malware",
"Trojan:win32/antavmu.d",
"Emotet",
"Pegasus - mob-s0005",
"Pws:msil/dcstl.gd!mtb",
"Trojan:win32/zombie.a"
],
"industries": [
"Technology",
"Government",
"Telecommunications"
],
"unique_indicators": 63067
}
}
},
"false_positive": [],
"alexa": "http://www.alexa.com/siteinfo/almavision.com",
"whois": "http://whois.domaintools.com/almavision.com",
"domain": "almavision.com",
"hostname": "almavision.almavision.com"
},
"geo": {},
"geo_ipapicom": {},
"pulse_count": 8,
"pulses": [
{
"id": "68e2bb5d9ee8577ab5519f2c",
"name": "Meritshealth with DoD links? ",
"description": "",
"modified": "2026-01-13T00:05:56.401000",
"created": "2025-10-05T18:39:25.286000",
"tags": [
"gtmk5nxqc6",
"utc amazon",
"utc na",
"acceptencoding",
"gmt contenttype",
"connection",
"true pragma",
"gmt setcookie",
"httponly",
"gmt vary",
"nc000000 up",
"html document",
"unicode text",
"utf8 text",
"oc0006 http",
"http traffic",
"https http",
"mitre att",
"control ta0011",
"protocol t1071",
"match info",
"t1573 severity",
"info",
"number",
"ja3s",
"algorithm",
"azure rsa",
"tls issuing",
"cus subject",
"stwa lredmond",
"cnmicrosoft ecc",
"update secure",
"server ca",
"omicrosoft cus",
"get http",
"dns resolutions",
"registrar",
"markmonitor inc",
"country",
"resolver domain",
"type name",
"html",
"apnic",
"apnic whois",
"please",
"rirs",
"cidr",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"development att",
"name tactics",
"binary file",
"ck matrix",
"wheelchair",
"iamrobert",
"pattern match",
"ascii text",
"href",
"united",
"general",
"local",
"path",
"encrypt",
"click",
"passive dns",
"urls",
"files",
"reverse dns",
"netherlands",
"present aug",
"a domains",
"moved",
"first pqc",
"ip address",
"unknown ns",
"unknown aaaa",
"title",
"body",
"meta",
"window",
"accept",
"body doctype",
"welcome",
"ok server",
"gmt content",
"present jul",
"present sep",
"aaaa",
"hostname",
"error",
"defense evasion",
"windows nt",
"response",
"vary",
"strings",
"core",
"t1027.013 encrypted/encoded",
"michelin lazy k",
"prefetch8",
"flag",
"date",
"starfield",
"hybrid",
"mobility cr",
"extraction",
"data upload",
"include",
"o url",
"url url",
"included i0",
"review ioc",
"excluded ic",
"suggested",
"find sugi",
"failed",
"cre pul",
"enter",
"enter sc",
"type",
"enric",
"extra",
"type opaste",
"data u",
"included",
"copy md5",
"copy sha1",
"copy sha256",
"null",
"refresh",
"tools",
"look",
"verify",
"restart",
"t1480 execution",
"expiration",
"url https",
"no expiration",
"iocs",
"ipv4",
"text drag",
"drop or",
"browse to",
"select file",
"redacted for",
"server",
"privacy tech",
"privacy admin",
"postal code",
"stateprovince",
"organization",
"email",
"code",
"quantum rooms",
"sam somalia",
"emp",
"porn",
"media defense",
"gov porn",
"suck my nips",
"reimer suspect",
"jeffrey reimer",
"dod",
"department of defense",
"show",
"date checked",
"url hostname",
"server response",
"google safe",
"results may",
"entries http",
"scans record",
"value status",
"sabey type",
"merits fake",
"y.a.s.",
"pornography",
"ramsom"
],
"references": [
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"https://meumundogay-com.sexogratis.page/locker",
"https://es.pornhat.com/models/the-sex-creator/",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"Can the DoD no questions asked target a SA victim",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"There is fear in silence or speaking out",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"If someone is believed to be a threat they have right to due process.",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"iamrobert.com Y.A.S.",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"Target agreed and complied with all lie detector measures.",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"I am very upset. Whoever is doing this is sick."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "TA0042",
"name": "Resource Development",
"display_name": "TA0042 - Resource Development"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1528",
"name": "Steal Application Access Token",
"display_name": "T1528 - Steal Application Access Token"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1562.004",
"name": "Disable or Modify System Firewall",
"display_name": "T1562.004 - Disable or Modify System Firewall"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1562.008",
"name": "Disable Cloud Logs",
"display_name": "T1562.008 - Disable Cloud Logs"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1056.003",
"name": "Web Portal Capture",
"display_name": "T1056.003 - Web Portal Capture"
},
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1180",
"name": "Screensaver",
"display_name": "T1180 - Screensaver"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "68e2b14d83bb63502feac65e",
"export_count": 17,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1365,
"URL": 11172,
"hostname": 2780,
"FileHash-MD5": 381,
"FileHash-SHA256": 4420,
"FileHash-SHA1": 338,
"CIDR": 4,
"SSLCertFingerprint": 24,
"CVE": 1,
"email": 1
},
"indicator_count": 20486,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "97 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68e2b14d83bb63502feac65e",
"name": "Did the \u2018real\u2019 DoD kill Targets wheelchair as promised? It\u2019s alive again.",
"description": "I\u2019d never think the DoD would be found when researching a wheelchair company NO ONE has ever heard of in this region. \n\nA wheelchair was ordered for target early spring, it was received in early summer. \n\nSettings became a crazy mess. Suspicion was immediate as a toothless tech tried to identify if dealing w/target by birth year , quizzing, fear tactics (doomsday wheelchair) , familiar Then warns about EMP attacks against wheelchair? His son is a hacker (gamer) + software engineer. He left not knowing if target status after quizzing tech knowledge? I intentionally verbalized the truth , target was a very early adopter of Ruby & Ruby on Rails & everything tech, he dropped his tools & left breaking the arm of wheelchair. New tech needed. Later denies ever being a mobility technician. They killed a new wheelchair. Why?. You\u2019re allowed to donate your equipment Vets & uninsured NEED mobility equipment. Stop the craziness. Is it possible gamer hackers are riding the DoD w/o their knowledge?",
"modified": "2026-01-07T00:00:30.717000",
"created": "2025-10-05T17:56:29.109000",
"tags": [
"gtmk5nxqc6",
"utc amazon",
"utc na",
"acceptencoding",
"gmt contenttype",
"connection",
"true pragma",
"gmt setcookie",
"httponly",
"gmt vary",
"nc000000 up",
"html document",
"unicode text",
"utf8 text",
"oc0006 http",
"http traffic",
"https http",
"mitre att",
"control ta0011",
"protocol t1071",
"match info",
"t1573 severity",
"info",
"number",
"ja3s",
"algorithm",
"azure rsa",
"tls issuing",
"cus subject",
"stwa lredmond",
"cnmicrosoft ecc",
"update secure",
"server ca",
"omicrosoft cus",
"get http",
"dns resolutions",
"registrar",
"markmonitor inc",
"country",
"resolver domain",
"type name",
"html",
"apnic",
"apnic whois",
"please",
"rirs",
"cidr",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"development att",
"name tactics",
"binary file",
"ck matrix",
"wheelchair",
"iamrobert",
"pattern match",
"ascii text",
"href",
"united",
"general",
"local",
"path",
"encrypt",
"click",
"passive dns",
"urls",
"files",
"reverse dns",
"netherlands",
"present aug",
"a domains",
"moved",
"first pqc",
"ip address",
"unknown ns",
"unknown aaaa",
"title",
"body",
"meta",
"window",
"accept",
"body doctype",
"welcome",
"ok server",
"gmt content",
"present jul",
"present sep",
"aaaa",
"hostname",
"error",
"defense evasion",
"windows nt",
"response",
"vary",
"strings",
"core",
"t1027.013 encrypted/encoded",
"michelin lazy k",
"prefetch8",
"flag",
"date",
"starfield",
"hybrid",
"mobility cr",
"extraction",
"data upload",
"include",
"o url",
"url url",
"included i0",
"review ioc",
"excluded ic",
"suggested",
"find sugi",
"failed",
"cre pul",
"enter",
"enter sc",
"type",
"enric",
"extra",
"type opaste",
"data u",
"included",
"copy md5",
"copy sha1",
"copy sha256",
"null",
"refresh",
"tools",
"look",
"verify",
"restart",
"t1480 execution",
"expiration",
"url https",
"no expiration",
"iocs",
"ipv4",
"text drag",
"drop or",
"browse to",
"select file",
"redacted for",
"server",
"privacy tech",
"privacy admin",
"postal code",
"stateprovince",
"organization",
"email",
"code",
"quantum rooms",
"sam somalia",
"emp",
"porn",
"media defense",
"gov porn",
"suck my nips",
"reimer suspect",
"jeffrey reimer",
"dod",
"department of defense",
"show",
"date checked",
"url hostname",
"server response",
"google safe",
"results may",
"entries http",
"scans record",
"value status",
"sabey type",
"merits fake",
"y.a.s.",
"pornography",
"ramsom"
],
"references": [
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"https://meumundogay-com.sexogratis.page/locker",
"https://es.pornhat.com/models/the-sex-creator/",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"Can the DoD no questions asked target a SA victim",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"There is fear in silence or speaking out",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"If someone is believed to be a threat they have right to due process.",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"iamrobert.com Y.A.S.",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"Target agreed and complied with all lie detector measures.",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"I am very upset. Whoever is doing this is sick."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "TA0042",
"name": "Resource Development",
"display_name": "TA0042 - Resource Development"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1528",
"name": "Steal Application Access Token",
"display_name": "T1528 - Steal Application Access Token"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1562.004",
"name": "Disable or Modify System Firewall",
"display_name": "T1562.004 - Disable or Modify System Firewall"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1562.008",
"name": "Disable Cloud Logs",
"display_name": "T1562.008 - Disable Cloud Logs"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1056.003",
"name": "Web Portal Capture",
"display_name": "T1056.003 - Web Portal Capture"
},
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1180",
"name": "Screensaver",
"display_name": "T1180 - Screensaver"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1328,
"URL": 9931,
"hostname": 2621,
"FileHash-MD5": 381,
"FileHash-SHA256": 4360,
"FileHash-SHA1": 338,
"CIDR": 4,
"SSLCertFingerprint": 24,
"CVE": 1,
"email": 1
},
"indicator_count": 18989,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 139,
"modified_text": "103 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6952fbca42c1b0da7431e6a7",
"name": "Pegasus / Pegacloud - Infiltration (10-2013 or 2014 to Current/ Ongoing) ",
"description": "",
"modified": "2025-12-29T22:08:10.280000",
"created": "2025-12-29T22:08:10.280000",
"tags": [
"backdoor",
"cyprus",
"trojan",
"mtb sep",
"passive dns",
"ddos",
"mtb oct",
"mtb aug",
"ipv4 add",
"smokeloader",
"trojandropper",
"extraction",
"se extraction",
"failed",
"data upload",
"enter s",
"enter sc",
"data u",
"extrac please",
"prop",
"extre data",
"type",
"extr data",
"include review",
"exclude",
"find s",
"typ data",
"source tir",
"extri",
"exclude sugges",
"se type",
"extra",
"include data",
"exclude review",
"show",
"showinil tvnes",
"dom dom",
"sc cat959",
"drop",
"pulse pulses",
"worm",
"files show",
"date hash",
"avast avg",
"win32",
"susp",
"cyprus showing",
"entries",
"next associated",
"urls show",
"date checked",
"url hostname",
"server response",
"ip address",
"google safe",
"server",
"registrar abuse",
"iana id",
"contact phone",
"dnssec",
"domain status",
"registrar url",
"registrar whois",
"date",
"registrar",
"se cre",
"pul use",
"url list",
"status http",
"linkid182227",
"linkid151642",
"first",
"domain list",
"ii llc",
"sc data",
"ukl extract",
"hiloti style",
"msle",
"win3 data",
"onio",
"observea",
"data data",
"stop data",
"monitored target",
"tsara",
"pegasus",
"social engineering"
],
"references": [
"http://fakejuko.site40/",
"pegacloud.net",
"IDS: Hiloti Style GET to PHP with invalid terse MSIE headers",
"IDS: Win32/Ibashade CnC Beacon",
"IDS: Win32.Scar.hhrw POST",
"IDS: Trojan.Win32.Cosmu.cdqg Checkin",
"IDS: OnionDuke CnC Beacon 1",
"IDS: Observed Suspicious UA (Mozilla/5.0)",
"IDS: Data POST to an image file (jpg)",
"cwt-cwtcxp1-dt1.pegacloud.net\t\u2022 fortrea-prod1.pegacloud.net \u2022 ssl-ssldmp-dt1-sftp.pegacloud.net \u2022 13.40.20.221 \u2022 44.215.155.206 \u2022 44.226.180.214"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Win32:WormX-gen [Wrm]",
"display_name": "Win32:WormX-gen [Wrm]",
"target": null
},
{
"id": "Worm:Win32:Drolnux",
"display_name": "Worm:Win32:Drolnux",
"target": null
},
{
"id": "Pegasus - MOB-S0005",
"display_name": "Pegasus - MOB-S0005",
"target": null
}
],
"attack_ids": [],
"industries": [
"Technology",
"Telecommunications",
"Government"
],
"TLP": "white",
"cloned_from": "6877422df67773a07ef450c2",
"export_count": 6,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 1630,
"URL": 4078,
"FileHash-MD5": 245,
"FileHash-SHA1": 246,
"FileHash-SHA256": 2561,
"CVE": 2,
"domain": 1307,
"email": 1
},
"indicator_count": 10070,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 140,
"modified_text": "112 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6928f8d9e4222a6a219d785e",
"name": "ClipBanker Spy & Information stealer | Crazy Frost | MaaS | Chrome & Cloudflare attacks",
"description": "It appears that entity CrazyFrost provides MasS among other things that include major smear campaigns.| Likely quasi government , and Law Firm contractors.. Domestic terrorizing isn\u2019t a stretch.\nClipBanker: A form of banking trojan information stealer and spy that specifically monitors and steals information, likely by modifying the clipboard contents to redirect financial transactions (e.g., changing a copied bank account number to the attacker's).\n\n[OTX populated - HOSTNAME: CloudFlare.com.., a company owned by the US government, has been added to Pulse, an anti-virus database. (Pulses) created by users.]",
"modified": "2025-12-28T00:04:06.179000",
"created": "2025-11-28T01:20:25.401000",
"tags": [
"dynamicloader",
"json",
"ascii text",
"high",
"data",
"x90uxa4xf8",
"cape",
"stream",
"guard",
"write",
"trojan",
"redline",
"malware",
"push",
"local",
"injection_inter_process",
"recon_fingerprint",
"persistence_ads",
"process_creation_suspicious_location",
"infostealer_browser",
"infostealer_cookies",
"stealth_file",
"cape_detected_threat",
"antivm_generic_bios",
"cape_extracted_content",
"united",
"mtb jul",
"a domains",
"aaaa",
"443 ma86400",
"servers",
"win32upatre jul",
"virtool",
"b778b1",
"div div",
"d9e4f4",
"edf2f8",
"present mar",
"fastest privacy",
"first dns",
"win32",
"trojandropper",
"passive dns",
"mtb nov",
"ipv4 add",
"asn as13335",
"dns resolutions",
"domain",
"data upload",
"extraction",
"yara",
"troja yara",
"trojar data",
"virto",
"worn data",
"included iocs",
"manually add",
"resolved ips",
"ta0002",
"evasion ta0005",
"tr shared",
"modules",
"files",
"infor",
"t1027",
"process t1057",
"community score",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"ssl certificate",
"defense evasion",
"spawns",
"flag",
"name server",
"date",
"cloudflare",
"data protected",
"misc activity",
"et info",
"dns requests",
"domain address",
"gmt flag",
"techtarget",
"server",
"et policy",
"prefetch2",
"t1179 hooking",
"access windows",
"installs",
"mitre att",
"ck techniques",
"click",
"windir",
"country",
"contacted hosts",
"ip address",
"process details",
"contacted",
"http traffic",
"suricata alerts",
"event category",
"found"
],
"references": [
"Malware : ClipBanker Entity: Crazy Frost",
"www.crazyfrost.com FileDescription :JF_CF_MiniZM FileVersion: 1.1.0.0 InternalName: jf_cf_frostovip.exe LegalCopyright Copyright \u00a9 CrazyFrost",
"IDS Detections: Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)",
"Services : GoogleChromeElevationService = Delete",
"Yara: RansomWin32SintaCry CodeOverlap TrojanClickerWin32Zeriest CodeOverlap",
"Yara: TrojanDownloaderMSILBalamid CodeOverlap TrojanDropperWin32Popsenong CodeOverlap",
"Yara: TrojanPythonKaazar CodeOverlap TrojanSpyWin32Chekafev CodeOverlap",
"Yara: TrojanWin32Kredbegg CodeOverlap TrojanWin32Motve CodeOverlap TrojanWin32Pitroj",
"Yara : VirToolMSILLuxod CodeOverlap WormMSILVonriamt CodeOverlap TrojanWin32Depriz CodeOverlap",
"Yara: WormWin32Rombrast CodeOverlap Jorgen,Ibsen PECompact_2xx VZX Jeremy,Collake",
"Sigma: Matches rule Suspicious desktop.ini Action by Maxime Thiebaut (@0xThiebaut), Tim Shelton (HAWK.IO)",
"CS IDS: Matches rule (http_inspect) invalid status line",
"CS IDS: Matches rule INDICATOR-COMPROMISE png file attachment without matching file magic Unique rule identifier: This rule belongs to a private collection.",
"jf_cf_frostovip.exe FILEHASH SHA256 4b9d6c5de40bfc4da8cb8b3ab9408dc574346b97268983f10bef8810e3f6bed8",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/\t\thttps://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian\t URL\thttp://www.anyxxxtube.net/search-porn/tsara-brashears \u2022 http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex\t\u2022 http://www.anyxxxtube",
"https://www.anyxxxtube.net/search-porn/tsara-brashears/\t URL\thttps://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian \u2022 http://www.anyxxxtube.net/search-porn/tsara-brashears \u2022 http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex",
"http://www.anyxxxtube/"
],
"public": 1,
"adversary": "Crazy Frost",
"targeted_countries": [],
"malware_families": [
{
"id": "ALF:HeraklezEval:Trojan:Win32/ClipBanker",
"display_name": "ALF:HeraklezEval:Trojan:Win32/ClipBanker",
"target": null
},
{
"id": "Trojan.Disfa/downloader10",
"display_name": "Trojan.Disfa/downloader10",
"target": null
},
{
"id": "Other Malware",
"display_name": "Other Malware",
"target": null
},
{
"id": "Trojan:Win32/Zusy",
"display_name": "Trojan:Win32/Zusy",
"target": "/malware/Trojan:Win32/Zusy"
},
{
"id": "Rozena",
"display_name": "Rozena",
"target": null
}
],
"attack_ids": [
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1035",
"name": "Service Execution",
"display_name": "T1035 - Service Execution"
},
{
"id": "T1043",
"name": "Commonly Used Port",
"display_name": "T1043 - Commonly Used Port"
},
{
"id": "T1179",
"name": "Hooking",
"display_name": "T1179 - Hooking"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1498",
"name": "Network Denial of Service",
"display_name": "T1498 - Network Denial of Service"
},
{
"id": "T1464",
"name": "Jamming or Denial of Service",
"display_name": "T1464 - Jamming or Denial of Service"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 295,
"FileHash-SHA1": 217,
"FileHash-SHA256": 1887,
"URL": 3263,
"domain": 597,
"hostname": 1085,
"email": 2,
"CVE": 1
},
"indicator_count": 7347,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 141,
"modified_text": "113 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6877422df67773a07ef450c2",
"name": "Pegasus / Pegacloud - Infiltration",
"description": "Pegasus IoC\u2019s found in the periphery of research. Appears target contacted a \u2018fake host\u2019 after finding name in multiple highly malicious domains. May have appeared between 12/2013 - 11-2014. Target was contacted by telephone and asked \u2018 have you checked Googled yourself\u2019, to which target answered \u2018Not really\u2019. Target was told \u2018you really should Google yourself\u2019. Target, upset about content clicked and began a takedown effort with host.\n\nThis seems to be at the start of many malicious campaigns. Requires further investigation.",
"modified": "2025-08-15T05:01:22.570000",
"created": "2025-07-16T06:09:49.704000",
"tags": [
"backdoor",
"cyprus",
"trojan",
"mtb sep",
"passive dns",
"ddos",
"mtb oct",
"mtb aug",
"ipv4 add",
"smokeloader",
"trojandropper",
"extraction",
"se extraction",
"failed",
"data upload",
"enter s",
"enter sc",
"data u",
"extrac please",
"prop",
"extre data",
"type",
"extr data",
"include review",
"exclude",
"find s",
"typ data",
"source tir",
"extri",
"exclude sugges",
"se type",
"extra",
"include data",
"exclude review",
"show",
"showinil tvnes",
"dom dom",
"sc cat959",
"drop",
"pulse pulses",
"worm",
"files show",
"date hash",
"avast avg",
"win32",
"susp",
"cyprus showing",
"entries",
"next associated",
"urls show",
"date checked",
"url hostname",
"server response",
"ip address",
"google safe",
"server",
"registrar abuse",
"iana id",
"contact phone",
"dnssec",
"domain status",
"registrar url",
"registrar whois",
"date",
"registrar",
"se cre",
"pul use",
"url list",
"status http",
"linkid182227",
"linkid151642",
"first",
"domain list",
"ii llc",
"sc data",
"ukl extract",
"hiloti style",
"msle",
"win3 data",
"onio",
"observea",
"data data",
"stop data",
"monitored target",
"tsara",
"pegasus",
"social engineering"
],
"references": [
"http://fakejuko.site40/",
"pegacloud.net",
"IDS: Hiloti Style GET to PHP with invalid terse MSIE headers",
"IDS: Win32/Ibashade CnC Beacon",
"IDS: Win32.Scar.hhrw POST",
"IDS: Trojan.Win32.Cosmu.cdqg Checkin",
"IDS: OnionDuke CnC Beacon 1",
"IDS: Observed Suspicious UA (Mozilla/5.0)",
"IDS: Data POST to an image file (jpg)",
"cwt-cwtcxp1-dt1.pegacloud.net\t\u2022 fortrea-prod1.pegacloud.net \u2022 ssl-ssldmp-dt1-sftp.pegacloud.net \u2022 13.40.20.221 \u2022 44.215.155.206 \u2022 44.226.180.214"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [
{
"id": "Win32:WormX-gen [Wrm]",
"display_name": "Win32:WormX-gen [Wrm]",
"target": null
},
{
"id": "Worm:Win32:Drolnux",
"display_name": "Worm:Win32:Drolnux",
"target": null
},
{
"id": "Pegasus - MOB-S0005",
"display_name": "Pegasus - MOB-S0005",
"target": null
}
],
"attack_ids": [],
"industries": [
"Technology",
"Telecommunications",
"Government"
],
"TLP": "white",
"cloned_from": null,
"export_count": 20,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"hostname": 1630,
"URL": 4078,
"FileHash-MD5": 245,
"FileHash-SHA1": 246,
"FileHash-SHA256": 2561,
"CVE": 2,
"domain": 1307,
"email": 1
},
"indicator_count": 10070,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 141,
"modified_text": "248 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65cd05cd3c9d0cc0b9ed215f",
"name": "Emotet - https://www.gambinospizza.com | Brian Sabey \u2022 HallRender",
"description": "\u2022Emotet botnets were observed dropping Trickbot to deliver ransomware payloads against some victims and Qakbot Trojans to steal banking credentials and data from other targets.\n\n\u2022Scammer 'Attorney' Brian Sabey | HallRender associated ; utilizes every form of social engineering to gain full access to phone numbers, email, banking, network, relatives, contacts, PHI, PII, modifies services.\n.",
"modified": "2024-04-15T08:03:32.381000",
"created": "2024-02-14T18:26:21.427000",
"tags": [
"united",
"unknown",
"status",
"sec ch",
"as44273 host",
"search",
"aaaa",
"showing",
"ch ua",
"record value",
"ssl certificate",
"threat roundup",
"contacted",
"communicating",
"historical ssl",
"referrer",
"resolutions",
"http",
"execution",
"gopher",
"pattern match",
"breakpoint",
"command decode",
"desktop",
"base",
"gambino",
"pizza",
"suricata ipv4",
"mitre att",
"date",
"meta",
"footer",
"february",
"general",
"model",
"comspec",
"click",
"strings",
"main",
"brian sabey",
"hallrender",
"trojan",
"worm",
"frankfurt",
"germany",
"asn15169",
"google",
"asn16509",
"amazon02",
"asn396982",
"kansas city",
"franchise url",
"gmbh version",
"status page",
"service privacy",
"legal",
"impressum",
"reverse dns",
"general full",
"url https",
"resource",
"hash",
"protocol h2",
"asn13335",
"cloudflarenet",
"software",
"domains",
"hashes",
"learn",
"issues tab",
"value",
"variables",
"typeof function",
"topropertykey",
"bricksintersect",
"bricksfunction",
"domainpath name",
"request chain",
"chain",
"nl page",
"url history",
"javascript",
"page url",
"redirected",
"poweshell",
"bruschettab",
"mobsterstageda",
"calzonec",
"threat analyzer",
"threat",
"paste",
"iocs",
"hostnames",
"beefpizzac",
"superitaliansub",
"cname",
"msie",
"chrome",
"asnone united",
"as6336 turn",
"nxdomain",
"whitelisted",
"creation date",
"turn",
"body",
"algorithm",
"v3 serial",
"number",
"key algorithm",
"key identifier",
"subject key",
"identifier",
"x509v3 key",
"usage",
"x509v3 extended",
"info",
"first",
"server",
"registrar abuse",
"iana id",
"registrar url",
"registrar whois",
"contact email",
"registry domain",
"contact phone",
"dnssec",
"code",
"type name",
"win32 exe",
"recreation",
"whois record",
"infected",
"page dow",
"poser",
"scammer",
"security",
"malvertizing",
"betting",
"illegal activity",
"linux",
"teen porn",
"child exploitation",
"script urls",
"a domains",
"as10796 charter",
"find your",
"next franchise",
"x content",
"backend",
"as13768 aptum",
"moved",
"passive dns",
"urls",
"as2635",
"as14061",
"scan endpoints",
"all octoseek",
"url http",
"pulse pulses",
"ip address",
"related nids",
"files location",
"date hash",
"avast avg",
"nastya",
"entries",
"emotet",
"windows nt",
"show",
"etpro trojan",
"channel",
"artemis",
"medium",
"delete",
"copy",
"virustotal",
"trojan",
"write",
"trojanproxy",
"vipre",
"panda",
"malware",
"malware infection",
"dga",
"algorithm generated domains",
"command and control",
"pe32 executable",
"tag",
"tagging",
"porn tagging",
"as3356 level",
"tahoma arial",
"servers",
"as1136 kpn",
"next",
"et",
"remote",
"confirm http",
"sectrack",
"openssl",
"fulldisc",
"secunia",
"confirm https",
"openssl tls",
"multiple",
"remote",
"misc https",
"impact",
"heartbleed",
"external source",
"name hyperlink",
"hp hpsbmu02998",
"hp hpsbmu03019",
"hp hpsbmu03030",
"hp hpsbmu03018",
"title",
"lowfi",
"title error",
"body doctype",
"html public",
"w3cdtd html",
"html head",
"mozilla",
"720.282.2025",
"masquerading",
"ninite feb",
"mtb feb",
"telper",
"trojandropper",
"ninite",
"create c",
"read c",
"default",
"create",
"unicode",
"dock",
"xport"
],
"references": [
"www.gambinospizza.com",
"0qMrDxlbqY9THmtdz56XQ2fTe-p9H49lftTmBXmn1WY9Z16q1vJdZdjO5Wnq_Pn3gEAAP__hu8yPQ",
"https://apps.apple.com/us/app/gambinos-pizza/id1500338496 \u2022 apps.apple.com",
"https://play.google.com/store/apps/details?id=com.e9117073d4e0.www",
"targeting.unrulymedia.com \u2022 http://theteenhealthdoc.com",
"https://www.hallrender.com/attorney/brian-sabey/ \u2022 www.hallrender.com \u2022 https://www.hallrender.com/wp-json/oembed/1.0/embed?url=https://www.hallrender.com/attorney/brian-sabey/&",
"https://www.hallrender.com/wp-content/uploads/2016/02/Denver-150x150.jpg \u2022 https://www.hallrender.com/xmlrpc.php?rsd",
"https://teenlist.toplistcreator.eu/in.php?nr=15170//www.toplistcreator.eu//www.toplistcreator.eu//www.toplistcreator.eu//www.toplistcreator.eu//www.toplistcreator.eu//www.toplistcreator.eu//www.toplistcreator.eu//www.toplistcreator.eu//www.toplistcreator.eu",
"http://fboomporn.com/teens/51826-gloryholeswallow-flora-floras-1st-gloryhole-visit-fullhd-1080p.html \u2022 teenystar18.toplistcreator.eu",
"theteenhealthdoc.com \u2022 http://jailbait.toplistcreator.eu/link.php?link=teenystar18.toplistcreator.eu&nr=522 \u2022 franchisefifteen.com",
"https://fboomporn.com/engine/opensearch.php \u2022 http://porn.hub-accessories.site/ \u2022 https://pic.porn.hub-accessories.site",
"http://porn.toplistcreator.eu/in.php",
"ETPRO TROJAN Trojan/Win32.Zbot Covert Channel 2 port 53\t192.168.56.103\t85.17.142.7\t 2807561\tETPRO TROJAN Trojan/Win32.Zbot Covert Channel 2 port 53\t192.168.56.103\t85.17.142.7\t\t\t\t 2807561\tETPRO TROJAN Trojan/Win32.Zbot Covert Channel 2 port 53\t192.168.56.103\t95.169.186.\t\t 2807561\tETPRO TROJAN Trojan/Win32.Zbot Covert Channel 2 port 53\t192.168.56.103\t95.169.186.63",
"Trojan/Win32.Zbot Covert Channel 2 port 53\t192.168.56.10",
"https://tag.1rx.io/rmp/215626/0/mvo?z=1r&hbv=8.16,2.1\ttag.1rx.io \u2022 192.208.222.110",
"http://email.acm.mg.hydrantid.com/c/eJxUyTGygyAQBuDTQMksPyhYULzGe-C6LzCKOoYmt88kXdrvWxPlEJ3TkmygcbQBHrokFk-R4WwexpBl-J8Ce8uygBdeJqtrAsGTdWQB8jA0yQDEL0qMrD",
"CVE-2014-0160 \u2022 CVE-2017-11882",
"a17-250-248-150.www.bing.com \u2022 appledirectory.www.bing.com",
"animate-citadel-t3gbc9x3gzd7invrzh8w00zm.herokudns.com"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Trojan:Win32/Comspec",
"display_name": "Trojan:Win32/Comspec",
"target": "/malware/Trojan:Win32/Comspec"
},
{
"id": "XLS:Nastya\\ [Trj]",
"display_name": "XLS:Nastya\\ [Trj]",
"target": null
},
{
"id": "Emotet",
"display_name": "Emotet",
"target": null
},
{
"id": "Crypt4.YGM",
"display_name": "Crypt4.YGM",
"target": null
},
{
"id": "ZBot",
"display_name": "ZBot",
"target": null
},
{
"id": "ET",
"display_name": "ET",
"target": null
},
{
"id": "Heartbleed Bug",
"display_name": "Heartbleed Bug",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1059.007",
"name": "JavaScript",
"display_name": "T1059.007 - JavaScript"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1045",
"name": "Software Packing",
"display_name": "T1045 - Software Packing"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1119",
"name": "Automated Collection",
"display_name": "T1119 - Automated Collection"
},
{
"id": "T1143",
"name": "Hidden Window",
"display_name": "T1143 - Hidden Window"
},
{
"id": "T1583.005",
"name": "Botnet",
"display_name": "T1583.005 - Botnet"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 59,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 118,
"FileHash-SHA1": 106,
"domain": 3271,
"hostname": 2451,
"URL": 8652,
"email": 8,
"FileHash-SHA256": 3153,
"CVE": 4
},
"indicator_count": 17763,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 223,
"modified_text": "735 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65e576d419524d75af35a36e",
"name": "FormBook",
"description": "FormBook is an infostealer malware (malicious spyware). malicious code uses various hooks to gain access to keystrokes, screenshots, and other functions. The malware can also receive commands from its operator to steal information from browsers or download and execute other malware. As a MaaS offering, FormBook malware may be deployed by various threat actors. It's currently being use by a ,legal teams masquerading as government (might be \nlegitimate attorneys) law firm modifying and deleting front facing threats on various platforms. One firm has very poor reviews Corrupt. Others initiate malicious prosecution law suits. Social; engineering , intertwining malicious behavior.in every aspect of targets life from business banking, ancestry to aggressive match making attempts.",
"modified": "2024-04-03T05:03:03.527000",
"created": "2024-03-04T07:23:00.177000",
"tags": [
"resolutions",
"referrer",
"siblings",
"asn owner",
"historical ssl",
"contacted",
"high level",
"hackers",
"formbook",
"name verdict",
"falcon sandbox",
"report",
"united",
"registrar",
"creation date",
"search",
"emails",
"name",
"name servers",
"showing",
"unknown",
"scan endpoints",
"date",
"next",
"root ca",
"pattern match",
"authority",
"beginstring",
"class",
"mitre att",
"global root",
"ck id",
"show technique",
"ck matrix",
"null",
"accept",
"refresh",
"span",
"error",
"tools",
"body",
"look",
"verify",
"restart",
"hybrid",
"local",
"click",
"strings",
"files files",
"ssl certificate",
"tsara brashears",
"highly targeted",
"ransomware",
"dark power",
"play ransomware",
"malware",
"core",
"installer",
"awful",
"snatch",
"metro",
"service",
"critical",
"copy",
"execution",
"location united",
"asn as15169",
"less whois",
"as15169 google",
"status",
"entries",
"record value",
"servers",
"trojan",
"win32",
"aaaa",
"worm",
"passive dns",
"gmt cache",
"sameorigin",
"all scoreblue",
"ipv4",
"lowfi",
"domain related",
"urls",
"domain",
"nxdomain",
"hostname",
"users",
"yara detections",
"alerts",
"high",
"filehash",
"pulse pulses",
"av detections",
"ids detections",
"musicmaid",
"reader",
"office standard",
"high process",
"injection t1055",
"t1055",
"x00x00",
"icmp traffic",
"injection",
"hijacker",
"password",
"stealer",
"corruption",
"targeting",
"172.31.13.249"
],
"references": [
"gstatic.com",
"Unsupported/Fake Windows NT Version 5.0",
"Login privileges",
"172.31.13.249"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "FormBook",
"display_name": "FormBook",
"target": null
},
{
"id": "Worm:Win32/Mofksys.RND!MTB",
"display_name": "Worm:Win32/Mofksys.RND!MTB",
"target": "/malware/Worm:Win32/Mofksys.RND!MTB"
},
{
"id": "Trojan:Win32/Dorv.B!rfn",
"display_name": "Trojan:Win32/Dorv.B!rfn",
"target": "/malware/Trojan:Win32/Dorv.B!rfn"
},
{
"id": "Trojan:Win32/Zombie.A",
"display_name": "Trojan:Win32/Zombie.A",
"target": "/malware/Trojan:Win32/Zombie.A"
},
{
"id": "Trojan:Win32/QQpass",
"display_name": "Trojan:Win32/QQpass",
"target": "/malware/Trojan:Win32/QQpass"
},
{
"id": "Trojan:Win32/Antavmu.D",
"display_name": "Trojan:Win32/Antavmu.D",
"target": "/malware/Trojan:Win32/Antavmu.D"
},
{
"id": "PWS:MSIL/Dcstl.GD!MTB",
"display_name": "PWS:MSIL/Dcstl.GD!MTB",
"target": "/malware/PWS:MSIL/Dcstl.GD!MTB"
},
{
"id": "#Lowfi:HSTR:MSIL/PossibleDownloader.S01",
"display_name": "#Lowfi:HSTR:MSIL/PossibleDownloader.S01",
"target": null
},
{
"id": "Win32:MalwareX-gen\\ [Trj]",
"display_name": "Win32:MalwareX-gen\\ [Trj]",
"target": null
}
],
"attack_ids": [
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1100",
"name": "Web Shell",
"display_name": "T1100 - Web Shell"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1560",
"name": "Archive Collected Data",
"display_name": "T1560 - Archive Collected Data"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1110.002",
"name": "Password Cracking",
"display_name": "T1110.002 - Password Cracking"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1070.004",
"name": "File Deletion",
"display_name": "T1070.004 - File Deletion"
},
{
"id": "T1107",
"name": "File Deletion",
"display_name": "T1107 - File Deletion"
},
{
"id": "T1447",
"name": "Delete Device Data",
"display_name": "T1447 - Delete Device Data"
},
{
"id": "T1114.002",
"name": "Remote Email Collection",
"display_name": "T1114.002 - Remote Email Collection"
},
{
"id": "T1002",
"name": "Data Compressed",
"display_name": "T1002 - Data Compressed"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 45,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 3117,
"FileHash-MD5": 280,
"FileHash-SHA1": 286,
"FileHash-SHA256": 3773,
"domain": 1264,
"hostname": 1595,
"email": 6,
"CVE": 5
},
"indicator_count": 10326,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 229,
"modified_text": "747 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "65e57f32581a900dfb272d05",
"name": "FormBook | 172.31.13.249",
"description": "",
"modified": "2024-04-03T05:03:03.527000",
"created": "2024-03-04T07:58:42.074000",
"tags": [
"resolutions",
"referrer",
"siblings",
"asn owner",
"historical ssl",
"contacted",
"high level",
"hackers",
"formbook",
"name verdict",
"falcon sandbox",
"report",
"united",
"registrar",
"creation date",
"search",
"emails",
"name",
"name servers",
"showing",
"unknown",
"scan endpoints",
"date",
"next",
"root ca",
"pattern match",
"authority",
"beginstring",
"class",
"mitre att",
"global root",
"ck id",
"show technique",
"ck matrix",
"null",
"accept",
"refresh",
"span",
"error",
"tools",
"body",
"look",
"verify",
"restart",
"hybrid",
"local",
"click",
"strings",
"files files",
"ssl certificate",
"tsara brashears",
"highly targeted",
"ransomware",
"dark power",
"play ransomware",
"malware",
"core",
"installer",
"awful",
"snatch",
"metro",
"service",
"critical",
"copy",
"execution",
"location united",
"asn as15169",
"less whois",
"as15169 google",
"status",
"entries",
"record value",
"servers",
"trojan",
"win32",
"aaaa",
"worm",
"passive dns",
"gmt cache",
"sameorigin",
"all scoreblue",
"ipv4",
"lowfi",
"domain related",
"urls",
"domain",
"nxdomain",
"hostname",
"users",
"yara detections",
"alerts",
"high",
"filehash",
"pulse pulses",
"av detections",
"ids detections",
"musicmaid",
"reader",
"office standard",
"high process",
"injection t1055",
"t1055",
"x00x00",
"icmp traffic",
"injection",
"hijacker",
"password",
"stealer",
"corruption",
"targeting",
"172.31.13.249"
],
"references": [
"gstatic.com",
"Unsupported/Fake Windows NT Version 5.0",
"Login privileges",
"172.31.13.249"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "FormBook",
"display_name": "FormBook",
"target": null
},
{
"id": "Worm:Win32/Mofksys.RND!MTB",
"display_name": "Worm:Win32/Mofksys.RND!MTB",
"target": "/malware/Worm:Win32/Mofksys.RND!MTB"
},
{
"id": "Trojan:Win32/Dorv.B!rfn",
"display_name": "Trojan:Win32/Dorv.B!rfn",
"target": "/malware/Trojan:Win32/Dorv.B!rfn"
},
{
"id": "Trojan:Win32/Zombie.A",
"display_name": "Trojan:Win32/Zombie.A",
"target": "/malware/Trojan:Win32/Zombie.A"
},
{
"id": "Trojan:Win32/QQpass",
"display_name": "Trojan:Win32/QQpass",
"target": "/malware/Trojan:Win32/QQpass"
},
{
"id": "Trojan:Win32/Antavmu.D",
"display_name": "Trojan:Win32/Antavmu.D",
"target": "/malware/Trojan:Win32/Antavmu.D"
},
{
"id": "PWS:MSIL/Dcstl.GD!MTB",
"display_name": "PWS:MSIL/Dcstl.GD!MTB",
"target": "/malware/PWS:MSIL/Dcstl.GD!MTB"
},
{
"id": "#Lowfi:HSTR:MSIL/PossibleDownloader.S01",
"display_name": "#Lowfi:HSTR:MSIL/PossibleDownloader.S01",
"target": null
},
{
"id": "Win32:MalwareX-gen\\ [Trj]",
"display_name": "Win32:MalwareX-gen\\ [Trj]",
"target": null
}
],
"attack_ids": [
{
"id": "T1059",
"name": "Command and Scripting Interpreter",
"display_name": "T1059 - Command and Scripting Interpreter"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1100",
"name": "Web Shell",
"display_name": "T1100 - Web Shell"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1114",
"name": "Email Collection",
"display_name": "T1114 - Email Collection"
},
{
"id": "T1560",
"name": "Archive Collected Data",
"display_name": "T1560 - Archive Collected Data"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1053",
"name": "Scheduled Task/Job",
"display_name": "T1053 - Scheduled Task/Job"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1110.002",
"name": "Password Cracking",
"display_name": "T1110.002 - Password Cracking"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "TA0011",
"name": "Command and Control",
"display_name": "TA0011 - Command and Control"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1070.004",
"name": "File Deletion",
"display_name": "T1070.004 - File Deletion"
},
{
"id": "T1107",
"name": "File Deletion",
"display_name": "T1107 - File Deletion"
},
{
"id": "T1447",
"name": "Delete Device Data",
"display_name": "T1447 - Delete Device Data"
},
{
"id": "T1114.002",
"name": "Remote Email Collection",
"display_name": "T1114.002 - Remote Email Collection"
},
{
"id": "T1002",
"name": "Data Compressed",
"display_name": "T1002 - Data Compressed"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "65e576d419524d75af35a36e",
"export_count": 45,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "OctoSeek",
"id": "243548",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 3117,
"FileHash-MD5": 280,
"FileHash-SHA1": 286,
"FileHash-SHA256": 3773,
"domain": 1264,
"hostname": 1595,
"email": 6,
"CVE": 5
},
"indicator_count": 10326,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 223,
"modified_text": "747 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
}
],
"error": null,
"vt": {
"error": "VirusTotal rate limit reached. Try again shortly.",
"indicator": "https://almavision.almavision.com/",
"type": "URL"
},
"abuseipdb": null,
"urlhaus": {
"indicator": "https://almavision.almavision.com/",
"type": "URL",
"found": false,
"verdict": "clean",
"error": null
},
"from_cache": true,
"_cached_at": 1776726401.9805598
}