{ "type": "URL", "indicator": "https://bighand.hallrender.com/", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://bighand.hallrender.com/", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4151792256, "indicator": "https://bighand.hallrender.com/", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 4, "pulses": [ { "id": "69bea5d2987c3d14aeb2b0c9", "name": "Delete service Deleted over 1200 Brian Sabeys Porn Revenge Campaign \u2022 LevelBlue? Dopple AI | Poem Hunter: Poems ", "description": "", "modified": "2026-03-21T14:06:10.007000", "created": "2026-03-21T14:06:10.007000", "tags": [ "active related", "search filter", "time tsara", "x show", "cidr", "email", "learn more", "information", "t1027", "t1036", "t1057", "discovery", "t1059", "t1071", "title added", "poem", "the day", "wild eyesand", "unknown power", "shakespeare", "repeats", "ere man", "dowell oreilly", "read poem", "snit", "website", "loading", "rl https", "y0 nov", "vj96", "uyebaaeabaaaaac", "jid442122029", "active", "url http", "url https", "types", "indicators show", "type indicator", "added active", "tbmvid", "sourcelnms", "zx1724209326040", "read c", "module load", "showing", "delphi", "delete", "rgba", "unicode", "malware", "write", "win32", "execution", "next", "extraction", "data upload", "extre", "include data", "sc type", "url tot", "role title", "tsara brashears", "live sex", "porn video", "levelblue", "porn", "pornhub", "porn videos", "watch tsara", "most relevant", "q estimation", "green", "tsara", "online chat", "spicychat ai", "visa", "sex chat", "miss stella", "january", "philadelphia", "dopple ai", "b1 dec", "videos", "red porn", "free porn", "sunny leone", "hardcore porn", "jeffrey reimer", "puts", "love", "super", "download", "top tsara", "google search", "la iniciacin", "xxx hd", "bdsm scene", "nsfw experience", "ck ids", "open threat", "filepath https", "foundry", "palantir", "brian sabey", "yas", "tiny penis", "slander", "indicator role", "pulses url", "search" ], "references": [ "OTX must have an issue. A delete app seen before has deleted a majority of malicious IoCs. Im", "I don\u2019t appreciate OTX populated Malware suggestion \u2018SNIT\u2019 \u2018 Dopple AI\u2019 NOT malware", "OTX description for SNIT- I love to compose letters of resignation; now and then I send one in", "and leave in a lemon- hued Huff da Country or a Snit with four on the MALWARE fOORILIES", "OTX description for Dopple AI - There\u2019s someone for everyone out there in the BDSM scene, you can enjoy the", "free NSFW experience offered by Dopple AI.MALWARE", "Makes zero sense. Malicious. I don\u2019t get it. I have a Malware gift for you too!", "Y.A.S:1Byte/TinyRod SeeDescription @ Y.A.S. OFFICIAL MUSIC VIDEO" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Snit", "display_name": "Snit", "target": null }, { "id": "Dopple AI", "display_name": "Dopple AI", "target": null }, { "id": "Y.A.S:1Byte/TinyRod", "display_name": "Y.A.S:1Byte/TinyRod", "target": "/malware/Y.A.S:1Byte/TinyRod" } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1495", "name": "Firmware Corruption", "display_name": "T1495 - Firmware Corruption" } ], "industries": [], "TLP": "green", "cloned_from": "691ead29f61101bfa3700998", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2497, "hostname": 742, "FileHash-SHA256": 523, "domain": 223, "FileHash-MD5": 85, "FileHash-SHA1": 56, "email": 4 }, "indicator_count": 4130, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "71 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "697488f095f69d392afd00fb", "name": "Fidelity Investments \u2022\u2019 EternalRocks | Financial Crimes", "description": "Fidelity Life and Guarantee defaults to Fidelity Investments. Long standing issue. Possible phishing email interception. Multiple accounts stolen at the time a man who presents himself as M. Brian Sabey Esq. Elder/Estate attorney unable to\nsettle life claim more action was requested. Attorney repeatedly redirected to an investment team. We decided to use targets phone to\ntest results , payout is overdue. Illegal tactics were used to defraud victim/s.. Fraud operators ask for SSN and later state they cannot help. L of Fraud phone , \u2018team\u2019 cannot complete internal phone transfers.,can conference you in to other people who act confused , disheveled who also\nask for SSN. \n\nSince victims experiences less\nthan covert interactions, I\u2019m unclear as to why there is a strong FBI, CIA , Palantir Foundry presence. It\u2019s rattling . \nReiterating : Entity steals financial products, health , life insurance policies, investment accounts, credit card frauds , bank accounts,intellectual property anything of value.", "modified": "2026-02-23T07:04:04.285000", "created": "2026-01-24T08:55:12.845000", "tags": [ "learn", "command", "ck id", "name tactics", "suspicious", "informative", "spawns", "ck techniques", "evasion att", "t1480 execution", "href", "ascii text", "pattern match", "mitre att", "null", "refresh", "span", "hybrid", "general", "local", "path", "form", "click", "strings", "error", "tools", "look", "verify", "restart", "active related", "url https", "related pulses", "url http", "united", "czechia", "hong kong", "ipv4", "indicators hong", "kong", "south korea", "netherlands", "germany", "ireland", "denmark", "sweden", "active", "government", "finance", "security", "type indicator", "yara detections", "av detections", "ids detections", "alerts", "analysis date", "mcsf", "microsoft", "yara", "insurance", "fidelity investments", "description", "fidelity international", "ms windows", "pe32", "writeconsolew", "read c", "pe32 executable", "t1045", "susp", "write", "win64", "malware", "modified", "ck ids", "t1040", "sniffing", "packing", "t1112", "packing t1045", "icmp traffic", "memcommit", "pe section", "low software", "pe resource", "win32", "trojan", "april", "sara ligorria", "tramp advert", "black paper", "createdate", "subject laser", "title laser", "format", "types of", "japan", "regsetvalueexa", "regdword", "regbinary", "module download", "tls handshake", "high", "defense evasion", "discovery att", "adversaries", "title", "role", "flag", "name server", "server", "domain address", "markmonitor", "clicktale ltd", "enom", "whoisguard", "medium", "unicode", "rgba", "delete", "crlf line", "next", "dock", "execution", "date", "users", "tls sni", "total", "cnc domain", "search", "oamazon", "cnamazon rsa", "push", "failure yara", "contacted", "hours ago", "created", "cia", "fbi", "telegram", "tulach", "sabey", "state", "gov", "ahmann", "financial fraud", "t-mobile", "walmartmobile", "life insurance", "fidelity life", "guarantee", "team", "role title", "added active", "scan", "iocs", "learn more", "filehashsha1", "filehashmd5", "kw3recepten", "domainname0", "searchbox0", "kw1brinta", "kw2muesli", "indicator role", "title added", "pulses url", "cve cve20170147", "apple", "apple id" ], "references": [ "https://www.fidelity.com/branches/investor-center-denver-west-s-teller-colorado-80226", "https://www.fidelity.com/ www.fidelity.com https://www.fidelity.com/ \u2022 www.fidelity.com", "http://neurosky.jp/ \u2022 https://tulach.cc/ \u2022 blackrock.com \u2022 vanguard-account.com", "https://bhive.nectar.social/rKvoMY", "MC nosnoop.exe: a44812b44591121f3e711223db099043d4d72288e4f436dba2fb935b6d888d40.exe", "ETERNALROCKS Detections: Win32:EternalRocks-B\\ [Trj] , Win.Trojan.EternalRocks1-6319293-0 ,", "TrojanDownloader:Win32/Eterock.A IDS Detections Possible ETERNALROCKS .Net161", "Module Download TLS Handshake Failure Yara Detections SUSP_NET_NAME_ConfuserEx , EternalRocks_svchost , EternalRocks_UpdateInstaller , ProtectSharewareV11eCompservCMS Alerts dead_host network_icmp nolookup_communication modifies_proxy_wpad network_http protection_rx antivm_network_adapters pe_unknown_resource_name raises_exception IP\u2019s Contacted 152.199.4.184 208.111.179.129 3.131.2.", "EternalRocks_svchost , EternalRocks_UpdateInstaller , ProtectSharewareV11eCompservCMS", "Alerts dead_host network_icmp nolookup_communication modifies_proxy_wpad", "Alerts: networki_http protectionk_rx antivm_network_adapters pe_unknown_resource_name", "Alerts: raises_exception IP\u2019s Contacted: 152.199.4.184 208.111.179.129 3.131.2.", "Domains Contacted api.nuget.org", "MC nosnoop.exe: a44812b44591121f3e711223db099043d4d72288e4f436dba2fb935b6d888d40.exe", "https://cdn-cms-s-8-4.f-static.net/files/icons/socialNetworksBrands/telegram", "https://cdn-cms-s-8-4.f-static.net/files/icons/socialNetworksBrands/telegram-icon.png", "https://cdn-cms-s.f-static.net/files/icons/socialNetworksBrands/telegram-icon.png?v=r82934", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.fidelity.com/ https://www.fidelity.com/", "cia.gov FileHash-SHA256 3b55307785bdd903bc9183642bdfd8b5a8ee15b90a05b25acbcd477432d26d99", "cia.gov FileHash-SHA256 f0a2d463a40c5b02e4bf61fdd76892b8ed5a1dd7d4a305849e4ff8fba00735bf", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex", "http://www.anyxxxtube.net/search-porn/tsara-brashears/ hallrender.com/attorney/brian-sabey hallrender.com/attorney/b-sabey Christopher Ahmann https://hallrender.com/attorney/brian-sabey/anyxxxtube.net/search-porn/tsara-brashears https://www.anyxxxtube.net/search-porn/a-m-c-ate-xxx-videos/ pornokind.vgt.pl https://www.anyxxxtube.net/search-porn/ https://hallrender.com/attorney/brian-sabey/anyxxxtube.net/search-porn/tsara-brashears fidelity-account.com MC nosnoop.exe: a44812b44591121f3e711223db099043d4d72288e", "http://www.anyxxxtube.net/search-porn/tsara-brashears/", "hallrender.com/attorney/brian-sabey hallrender.com/attorney/b-sabey Christopher Ahmann", "https://www.anyxxxtube.net/search-porn/a-m-c-ate-xxx-videos/ pornokind.vgt.pl. vgt.pl", "https://www.anyxxxtube.net/search-porn/", "https://hallrender.com/attorney/brian-sabey/anyxxxtube.net/search-porn/tsara-brashears", "fidelity-account.com e http://fidelity-account.com/fidelity/code.html", "MC nosnoop.exe: a44812b44591121f3e711223db099043d4d72288e4f436dba2fb935b6d888d40.ex", "http://shared-work.com/fidelity2/login.html \u2022 https://fidelity-account.com/fidelity/otp.html", "https://booking.nmc.ae/en-ae/doctor/physician/abu-dhabi/sreehari-karunakaran-pillai :", "https://www.fidelity-account.com/ https://www.fidelity-account.com/ \u2022 http://fidelity-account.com/cgi-sys https://fidelity-account.com/fidelity/login.html \u2022 https://www.fidelity.com/ https://www.fidelity.com/branches/investor-center-denver-west-s-teller-colorado-80226 https://www.fidelity.com/ \u2022 www.fidelity.com https://bhive.nectar.social/rKvoMY https://booking.nmc.ae/en-ae/doctor/physician/abu-dhabi/sreehari-karunakaran-pillai :", "http://www.fidelity-account.com/ https://fidelity-account.com/fidelity/code.html \u2022", "\"CIA\" most commonly refers to the Central Intelligence Agency, a premier U.S. government agency responsible for gathering and analyzing foreign intelligence.", "https://booking.nmc.ae/en-ae/doctor/physician/abu-dhabi/sreehari-karunakaran-pillai:", "https://bhive.nectar.social/rKvoMY", "apple.com \u2022 appleid.apple.com-elasticbeanstalk.ttfcuupdateaccount-loginpage.works.co", "http://appleid.app", "https://bounceme.netakamaipofcassandrvodd-krdddddddddddgaliapplepaysupplieseway.devrvodio-kr.zomato.tw\t d" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Win64:Trojan-gen", "display_name": "Win64:Trojan-gen", "target": null }, { "id": "Trojan:MSIL/Ursu.KP", "display_name": "Trojan:MSIL/Ursu.KP", "target": "/malware/Trojan:MSIL/Ursu.KP" }, { "id": "ALF:HeraklezEval:Trojan:Win32/Eqtonex.F", "display_name": "ALF:HeraklezEval:Trojan:Win32/Eqtonex.F", "target": null }, { "id": "Trojan:PDF/Phish.RR!MTB", "display_name": "Trojan:PDF/Phish.RR!MTB", "target": "/malware/Trojan:PDF/Phish.RR!MTB" }, { "id": "Win32:TrojanX-gen\\ [Trj]", "display_name": "Win32:TrojanX-gen\\ [Trj]", "target": null }, { "id": ": ALF:Trojan:MSIL/Azorult.AC!", "display_name": ": ALF:Trojan:MSIL/Azorult.AC!", "target": null }, { "id": "ALF:Trojan:Win32/CryptWrapper.RT!MTB", "display_name": "ALF:Trojan:Win32/CryptWrapper.RT!MTB", "target": null }, { "id": "Trojan:Win32/Conbea!rfn", "display_name": "Trojan:Win32/Conbea!rfn", "target": "/malware/Trojan:Win32/Conbea!rfn" }, { "id": "Trojan:Win32/Ausiv!rfn", "display_name": "Trojan:Win32/Ausiv!rfn", "target": "/malware/Trojan:Win32/Ausiv!rfn" }, { "id": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat", "display_name": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat", "target": null }, { "id": "Trojan:BAT/Musecador", "display_name": "Trojan:BAT/Musecador", "target": "/malware/Trojan:BAT/Musecador" }, { "id": "TrojanDropper:Win32/Qhost", "display_name": "TrojanDropper:Win32/Qhost", "target": "/malware/TrojanDropper:Win32/Qhost" }, { "id": "Trojan:Win32/Miner.KA!MTB", "display_name": "Trojan:Win32/Miner.KA!MTB", "target": "/malware/Trojan:Win32/Miner.KA!MTB" }, { "id": "DNSTrojan", "display_name": "DNSTrojan", "target": null }, { "id": "EternalRocks", "display_name": "EternalRocks", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null } ], "attack_ids": [ { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" } ], "industries": [ "Government", "Finance", "Insurance" ], "TLP": "green", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 2793, "URL": 6639, "FileHash-SHA256": 2462, "domain": 1070, "FileHash-MD5": 307, "FileHash-SHA1": 186, "SSLCertFingerprint": 1, "email": 1, "CVE": 3 }, "indicator_count": 13462, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "98 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6907cc66855b7dfe1306b0d8", "name": "Inject : Defense Counsel attaches to Apple Notebooks - Targeting", "description": "TAM Legal attacking Tsara Brashears and associated. Christopher P. Ahmann Esq Is the Special Counsel assigned to pester , smear, tamper with, terrorize, arrange murders, dispatch stalkers, deny care, swatting , botnets, attach to devices , deflect award for life ending injuries to you and your Mafia, choose malicious media companies (Hall Render) to smear Jeffrey Scott Reimers assault victim. This is silencing. Not everyone has someone to speak. Back off. You\u2019re sick. Enjoying that money, while Tsara slept on air mattress during a couch tour. Demyelinating, from denied disclosed of cord compression; like George Floyd. You should turn yourself in, write a HUGA check , shut down this criminal operation , find Jesus , self exit to a place out away from you targets , go to your bunker forever. You are a God Forsaken terrorist hitman! You\u2019re all SO sick!\nEnd Game Now.", "modified": "2026-01-01T07:03:18.851000", "created": "2025-11-02T21:25:58.814000", "tags": [ "present nov", "unknown aaaa", "ip address", "win32", "america asn", "twitter", "united states", "america", "ipv4", "united", "a domains", "443 ma86400", "super", "read c", "memcommit", "msie", "windows nt", "wow64", "slcc2", "media center", "tlsv1", "regsetvalueexa", "hack", "write", "february", "local", "unknown", "persistence", "execution", "xport", "kb body", "present aug", "present sep", "present oct", "for privacy", "false", "expirestue", "path", "p2404", "accept", "p11762282638", "host", "gmt range", "gmt ifnonematch", "p11762466264", "p11762417453", "nothing", "shutdown", "process32nextw", "langturkish", "sublangdefault", "regdword", "rtrcdata", "microsoft excel", "delphi", "worm", "malware", "error", "next", "format", "suspicious", "less see", "contacted", "all ip", "domains", "all related", "pulses otx", "related tags", "file type", "pexe", "christopher ahmann", "tam legal", "treece", "hacking", "highjacking", "modified", "quasi government", "ai google", "inject", "adversaries", "government", "insurance", "apple" ], "references": [ "External Apple Connection: Notepad.pw", "Sex Tools: m.pornsexer.xxx.3.1.adiosfil.roksit.net |", "www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process\t h", "takedown-communication-api.prod-c15a-awsuse.ppops.net", "L\u00b0\u00b0k @ You, okay Chris\u2026abgubdf.apple.cloudns.biz \u2022 cloudns.biz \u2022 https://abgubdf.apple.cloudns", "http://www.mof.gov.cn.lxcvc.com/ \u2022 https://r//www.csrc.gov.cn.lxcvc.com/", "http://www.mohurd.gov.cn.lxcvc.com/", "config.uca.cloud.unity3d.com", "0.0.iphone.8dyf8rf5k3.fr.mobiletrend.rtl2.adsenseformobileapps.com", "http://mp7tf.best-cell-phone-plans-for-seniors.cfd/", "sipphone.com", "uk5seki2ygz3kyfgliqe37477miq6jsf.nlsexolehxry4opotgpq" ], "public": 1, "adversary": "TAM Legal Christopher P. Ahmann Chief Terrorist", "targeted_countries": [], "malware_families": [ { "id": "Win.Malware.004bf-6866449-0", "display_name": "Win.Malware.004bf-6866449-0", "target": null }, { "id": "Custom Malware", "display_name": "Custom Malware", "target": null }, { "id": "Worn:Win32/AutoRun.XXY!bit", "display_name": "Worn:Win32/AutoRun.XXY!bit", "target": "/malware/Worn:Win32/AutoRun.XXY!bit" } ], "attack_ids": [ { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1055.001", "name": "Dynamic-link Library Injection", "display_name": "T1055.001 - Dynamic-link Library Injection" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1184", "name": "SSH Hijacking", "display_name": "T1184 - SSH Hijacking" }, { "id": "T1122", "name": "Component Object Model Hijacking", "display_name": "T1122 - Component Object Model Hijacking" } ], "industries": [ "Legal", "Government", "Healthcare", "Technology", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 2615, "URL": 7521, "hostname": 1775, "domain": 689, "FileHash-MD5": 448, "FileHash-SHA1": 295, "SSLCertFingerprint": 12, "email": 1 }, "indicator_count": 13356, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "151 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "691ead29f61101bfa3700998", "name": "Dopple AI | Poem Hunter: Poems - Poets - Poetry", "description": "Online terms that sexulize SA victim : Tsara brashears slander red porn videos ,\nHardcore porn, is pornography that features detailed depictions of sexual organs or sexual acts such as vaginal, anal or oral intercourse, fingering, brashears , Red Porn Videos , Tsara brashears slandered red porn\nyoujizz sex\n, Tsara brashears submission on august 27 via manual free , College fuck fest Super japanese hd compilation , \none kinky student fucks tsara brashears porn xxx porn , the best internet porn site\n, tsara brashears slandered, porn video uploaded to hardcore ,\nxxxxxxxxxx sex videos\nsearch , xxxxxxxxxx hd porn. tsara brashears\u09ac\u09b2\u09a6\u09b6\u09b0 \u09a8\u09a4\u09a8 \u09ad\u09acfrench retro gangbang in the hotel room, You will Tsara brashears porn ,\nChunky babe loves to be on top Hot Milf , xxx Movies, updates hourly.\n tsara brashears slandered,\nfrench retro gangbang in the hotel room , free porn videos. You will Tsara brashears porn jeffrey reimer puts his love on top tsara brashears brother", "modified": "2025-12-20T03:00:41.407000", "created": "2025-11-20T05:54:49.968000", "tags": [ "active related", "search filter", "time tsara", "x show", "cidr", "email", "learn more", "information", "t1027", "t1036", "t1057", "discovery", "t1059", "t1071", "title added", "poem", "the day", "wild eyesand", "unknown power", "shakespeare", "repeats", "ere man", "dowell oreilly", "read poem", "snit", "website", "loading", "rl https", "y0 nov", "vj96", "uyebaaeabaaaaac", "jid442122029", "active", "url http", "url https", "types", "indicators show", "type indicator", "added active", "tbmvid", "sourcelnms", "zx1724209326040", "read c", "module load", "showing", "delphi", "delete", "rgba", "unicode", "malware", "write", "win32", "execution", "next", "extraction", "data upload", "extre", "include data", "sc type", "url tot", "role title", "tsara brashears", "live sex", "porn video", "levelblue", "porn", "pornhub", "porn videos", "watch tsara", "most relevant", "q estimation", "green", "tsara", "online chat", "spicychat ai", "visa", "sex chat", "miss stella", "january", "philadelphia", "dopple ai", "b1 dec", "videos", "red porn", "free porn", "sunny leone", "hardcore porn", "jeffrey reimer", "puts", "love", "super", "download", "top tsara", "google search", "la iniciacin", "xxx hd", "bdsm scene", "nsfw experience", "ck ids", "open threat", "filepath https", "foundry", "palantir", "brian sabey", "yas", "tiny penis", "slander", "indicator role", "pulses url", "search" ], "references": [ "OTX must have an issue. A delete app seen before has deleted a majority of malicious IoCs. Im", "I don\u2019t appreciate OTX populated Malware suggestion \u2018SNIT\u2019 \u2018 Dopple AI\u2019 NOT malware", "OTX description for SNIT- I love to compose letters of resignation; now and then I send one in", "and leave in a lemon- hued Huff da Country or a Snit with four on the MALWARE fOORILIES", "OTX description for Dopple AI - There\u2019s someone for everyone out there in the BDSM scene, you can enjoy the", "free NSFW experience offered by Dopple AI.MALWARE", "Makes zero sense. Malicious. I don\u2019t get it. I have a Malware gift for you too!", "Y.A.S:1Byte/TinyRod SeeDescription @ Y.A.S. OFFICIAL MUSIC VIDEO" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Snit", "display_name": "Snit", "target": null }, { "id": "Dopple AI", "display_name": "Dopple AI", "target": null }, { "id": "Y.A.S:1Byte/TinyRod", "display_name": "Y.A.S:1Byte/TinyRod", "target": "/malware/Y.A.S:1Byte/TinyRod" } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1495", "name": "Firmware Corruption", "display_name": "T1495 - Firmware Corruption" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2497, "hostname": 742, "FileHash-SHA256": 523, "domain": 223, "FileHash-MD5": 85, "FileHash-SHA1": 56, "email": 4 }, "indicator_count": 4130, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "163 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://www.fidelity-account.com/ https://www.fidelity-account.com/ \u2022 http://fidelity-account.com/cgi-sys https://fidelity-account.com/fidelity/login.html \u2022 https://www.fidelity.com/ https://www.fidelity.com/branches/investor-center-denver-west-s-teller-colorado-80226 https://www.fidelity.com/ \u2022 www.fidelity.com https://bhive.nectar.social/rKvoMY https://booking.nmc.ae/en-ae/doctor/physician/abu-dhabi/sreehari-karunakaran-pillai :", "sipphone.com", "apple.com \u2022 appleid.apple.com-elasticbeanstalk.ttfcuupdateaccount-loginpage.works.co", "ETERNALROCKS Detections: Win32:EternalRocks-B\\ [Trj] , Win.Trojan.EternalRocks1-6319293-0 ,", "free NSFW experience offered by Dopple AI.MALWARE", "OTX description for SNIT- I love to compose letters of resignation; now and then I send one in", "https://www.anyxxxtube.net/search-porn/", "takedown-communication-api.prod-c15a-awsuse.ppops.net", "config.uca.cloud.unity3d.com", "Alerts: raises_exception IP\u2019s Contacted: 152.199.4.184 208.111.179.129 3.131.2.", "MC nosnoop.exe: a44812b44591121f3e711223db099043d4d72288e4f436dba2fb935b6d888d40.exe", "https://www.fidelity.com/branches/investor-center-denver-west-s-teller-colorado-80226", "https://bounceme.netakamaipofcassandrvodd-krdddddddddddgaliapplepaysupplieseway.devrvodio-kr.zomato.tw\t d", "Alerts dead_host network_icmp nolookup_communication modifies_proxy_wpad", "http://shared-work.com/fidelity2/login.html \u2022 https://fidelity-account.com/fidelity/otp.html", "http://neurosky.jp/ \u2022 https://tulach.cc/ \u2022 blackrock.com \u2022 vanguard-account.com", "External Apple Connection: Notepad.pw", "TrojanDownloader:Win32/Eterock.A IDS Detections Possible ETERNALROCKS .Net161", "uk5seki2ygz3kyfgliqe37477miq6jsf.nlsexolehxry4opotgpq", "https://booking.nmc.ae/en-ae/doctor/physician/abu-dhabi/sreehari-karunakaran-pillai :", "https://cdn-cms-s-8-4.f-static.net/files/icons/socialNetworksBrands/telegram", "Module Download TLS Handshake Failure Yara Detections SUSP_NET_NAME_ConfuserEx , EternalRocks_svchost , EternalRocks_UpdateInstaller , ProtectSharewareV11eCompservCMS Alerts dead_host network_icmp nolookup_communication modifies_proxy_wpad network_http protection_rx antivm_network_adapters pe_unknown_resource_name raises_exception IP\u2019s Contacted 152.199.4.184 208.111.179.129 3.131.2.", "and leave in a lemon- hued Huff da Country or a Snit with four on the MALWARE fOORILIES", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "Sex Tools: m.pornsexer.xxx.3.1.adiosfil.roksit.net |", "http://www.anyxxxtube.net/search-porn/tsara-brashears/", "L\u00b0\u00b0k @ You, okay Chris\u2026abgubdf.apple.cloudns.biz \u2022 cloudns.biz \u2022 https://abgubdf.apple.cloudns", "http://www.mohurd.gov.cn.lxcvc.com/", "cia.gov FileHash-SHA256 3b55307785bdd903bc9183642bdfd8b5a8ee15b90a05b25acbcd477432d26d99", "www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process\t h", "hallrender.com/attorney/brian-sabey hallrender.com/attorney/b-sabey Christopher Ahmann", "http://appleid.app", "https://hallrender.com/attorney/brian-sabey/anyxxxtube.net/search-porn/tsara-brashears", "OTX must have an issue. A delete app seen before has deleted a majority of malicious IoCs. Im", "http://www.mof.gov.cn.lxcvc.com/ \u2022 https://r//www.csrc.gov.cn.lxcvc.com/", "fidelity-account.com e http://fidelity-account.com/fidelity/code.html", "cia.gov FileHash-SHA256 f0a2d463a40c5b02e4bf61fdd76892b8ed5a1dd7d4a305849e4ff8fba00735bf", "https://www.anyxxxtube.net/search-porn/a-m-c-ate-xxx-videos/ pornokind.vgt.pl. vgt.pl", "I don\u2019t appreciate OTX populated Malware suggestion \u2018SNIT\u2019 \u2018 Dopple AI\u2019 NOT malware", "Alerts: networki_http protectionk_rx antivm_network_adapters pe_unknown_resource_name", "\"CIA\" most commonly refers to the Central Intelligence Agency, a premier U.S. government agency responsible for gathering and analyzing foreign intelligence.", "http://www.anyxxxtube.net/search-porn/tsara-brashears/ hallrender.com/attorney/brian-sabey hallrender.com/attorney/b-sabey Christopher Ahmann https://hallrender.com/attorney/brian-sabey/anyxxxtube.net/search-porn/tsara-brashears https://www.anyxxxtube.net/search-porn/a-m-c-ate-xxx-videos/ pornokind.vgt.pl https://www.anyxxxtube.net/search-porn/ https://hallrender.com/attorney/brian-sabey/anyxxxtube.net/search-porn/tsara-brashears fidelity-account.com MC nosnoop.exe: a44812b44591121f3e711223db099043d4d72288e", "OTX description for Dopple AI - There\u2019s someone for everyone out there in the BDSM scene, you can enjoy the", "Makes zero sense. Malicious. I don\u2019t get it. I have a Malware gift for you too!", "Domains Contacted api.nuget.org", "https://booking.nmc.ae/en-ae/doctor/physician/abu-dhabi/sreehari-karunakaran-pillai:", "Y.A.S:1Byte/TinyRod SeeDescription @ Y.A.S. OFFICIAL MUSIC VIDEO", "https://cdn-cms-s.f-static.net/files/icons/socialNetworksBrands/telegram-icon.png?v=r82934", "http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex", "https://www.fidelity.com/ www.fidelity.com https://www.fidelity.com/ \u2022 www.fidelity.com", "0.0.iphone.8dyf8rf5k3.fr.mobiletrend.rtl2.adsenseformobileapps.com", "https://www.fidelity.com/ https://www.fidelity.com/", "https://bhive.nectar.social/rKvoMY", "MC nosnoop.exe: a44812b44591121f3e711223db099043d4d72288e4f436dba2fb935b6d888d40.ex", "EternalRocks_svchost , EternalRocks_UpdateInstaller , ProtectSharewareV11eCompservCMS", "https://cdn-cms-s-8-4.f-static.net/files/icons/socialNetworksBrands/telegram-icon.png", "http://www.fidelity-account.com/ https://fidelity-account.com/fidelity/code.html \u2022", "http://mp7tf.best-cell-phone-plans-for-seniors.cfd/" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "TAM Legal Christopher P. Ahmann Chief Terrorist" ], "malware_families": [ "Trojan:win32/miner.ka!mtb", "Snit", "Dopple ai", "Trojan:win32/ausiv!rfn", "Trojandropper:win32/qhost", "Win32:trojanx-gen\\ [trj]", "Dnstrojan", "Trojan:bat/musecador", "Trojan:msil/ursu.kp", "Win.malware.004bf-6866449-0", ": alf:trojan:msil/azorult.ac!", "Trojan:pdf/phish.rr!mtb", "Custom malware", "Y.a.s:1byte/tinyrod", "Worn:win32/autorun.xxy!bit", "Eternalrocks", "Trojan:win32/conbea!rfn", "Win64:trojan-gen", "Tofsee", "Alf:heraklezeval:trojan:win32/eqtonex.f", "Alf:trojan:win32/cryptwrapper.rt!mtb", "Alf:heraklezeval:trojan:msil/gravityrat" ], "industries": [ "Insurance", "Technology", "Finance", "Government", "Telecommunications", "Legal", "Healthcare" ], "unique_indicators": 23139 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/hallrender.com", "whois": "http://whois.domaintools.com/hallrender.com", "domain": "hallrender.com", "hostname": "bighand.hallrender.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 4, "pulses": [ { "id": "69bea5d2987c3d14aeb2b0c9", "name": "Delete service Deleted over 1200 Brian Sabeys Porn Revenge Campaign \u2022 LevelBlue? Dopple AI | Poem Hunter: Poems ", "description": "", "modified": "2026-03-21T14:06:10.007000", "created": "2026-03-21T14:06:10.007000", "tags": [ "active related", "search filter", "time tsara", "x show", "cidr", "email", "learn more", "information", "t1027", "t1036", "t1057", "discovery", "t1059", "t1071", "title added", "poem", "the day", "wild eyesand", "unknown power", "shakespeare", "repeats", "ere man", "dowell oreilly", "read poem", "snit", "website", "loading", "rl https", "y0 nov", "vj96", "uyebaaeabaaaaac", "jid442122029", "active", "url http", "url https", "types", "indicators show", "type indicator", "added active", "tbmvid", "sourcelnms", "zx1724209326040", "read c", "module load", "showing", "delphi", "delete", "rgba", "unicode", "malware", "write", "win32", "execution", "next", "extraction", "data upload", "extre", "include data", "sc type", "url tot", "role title", "tsara brashears", "live sex", "porn video", "levelblue", "porn", "pornhub", "porn videos", "watch tsara", "most relevant", "q estimation", "green", "tsara", "online chat", "spicychat ai", "visa", "sex chat", "miss stella", "january", "philadelphia", "dopple ai", "b1 dec", "videos", "red porn", "free porn", "sunny leone", "hardcore porn", "jeffrey reimer", "puts", "love", "super", "download", "top tsara", "google search", "la iniciacin", "xxx hd", "bdsm scene", "nsfw experience", "ck ids", "open threat", "filepath https", "foundry", "palantir", "brian sabey", "yas", "tiny penis", "slander", "indicator role", "pulses url", "search" ], "references": [ "OTX must have an issue. A delete app seen before has deleted a majority of malicious IoCs. Im", "I don\u2019t appreciate OTX populated Malware suggestion \u2018SNIT\u2019 \u2018 Dopple AI\u2019 NOT malware", "OTX description for SNIT- I love to compose letters of resignation; now and then I send one in", "and leave in a lemon- hued Huff da Country or a Snit with four on the MALWARE fOORILIES", "OTX description for Dopple AI - There\u2019s someone for everyone out there in the BDSM scene, you can enjoy the", "free NSFW experience offered by Dopple AI.MALWARE", "Makes zero sense. Malicious. I don\u2019t get it. I have a Malware gift for you too!", "Y.A.S:1Byte/TinyRod SeeDescription @ Y.A.S. OFFICIAL MUSIC VIDEO" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Snit", "display_name": "Snit", "target": null }, { "id": "Dopple AI", "display_name": "Dopple AI", "target": null }, { "id": "Y.A.S:1Byte/TinyRod", "display_name": "Y.A.S:1Byte/TinyRod", "target": "/malware/Y.A.S:1Byte/TinyRod" } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1495", "name": "Firmware Corruption", "display_name": "T1495 - Firmware Corruption" } ], "industries": [], "TLP": "green", "cloned_from": "691ead29f61101bfa3700998", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2497, "hostname": 742, "FileHash-SHA256": 523, "domain": 223, "FileHash-MD5": 85, "FileHash-SHA1": 56, "email": 4 }, "indicator_count": 4130, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "71 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "697488f095f69d392afd00fb", "name": "Fidelity Investments \u2022\u2019 EternalRocks | Financial Crimes", "description": "Fidelity Life and Guarantee defaults to Fidelity Investments. Long standing issue. Possible phishing email interception. Multiple accounts stolen at the time a man who presents himself as M. Brian Sabey Esq. Elder/Estate attorney unable to\nsettle life claim more action was requested. Attorney repeatedly redirected to an investment team. We decided to use targets phone to\ntest results , payout is overdue. Illegal tactics were used to defraud victim/s.. Fraud operators ask for SSN and later state they cannot help. L of Fraud phone , \u2018team\u2019 cannot complete internal phone transfers.,can conference you in to other people who act confused , disheveled who also\nask for SSN. \n\nSince victims experiences less\nthan covert interactions, I\u2019m unclear as to why there is a strong FBI, CIA , Palantir Foundry presence. It\u2019s rattling . \nReiterating : Entity steals financial products, health , life insurance policies, investment accounts, credit card frauds , bank accounts,intellectual property anything of value.", "modified": "2026-02-23T07:04:04.285000", "created": "2026-01-24T08:55:12.845000", "tags": [ "learn", "command", "ck id", "name tactics", "suspicious", "informative", "spawns", "ck techniques", "evasion att", "t1480 execution", "href", "ascii text", "pattern match", "mitre att", "null", "refresh", "span", "hybrid", "general", "local", "path", "form", "click", "strings", "error", "tools", "look", "verify", "restart", "active related", "url https", "related pulses", "url http", "united", "czechia", "hong kong", "ipv4", "indicators hong", "kong", "south korea", "netherlands", "germany", "ireland", "denmark", "sweden", "active", "government", "finance", "security", "type indicator", "yara detections", "av detections", "ids detections", "alerts", "analysis date", "mcsf", "microsoft", "yara", "insurance", "fidelity investments", "description", "fidelity international", "ms windows", "pe32", "writeconsolew", "read c", "pe32 executable", "t1045", "susp", "write", "win64", "malware", "modified", "ck ids", "t1040", "sniffing", "packing", "t1112", "packing t1045", "icmp traffic", "memcommit", "pe section", "low software", "pe resource", "win32", "trojan", "april", "sara ligorria", "tramp advert", "black paper", "createdate", "subject laser", "title laser", "format", "types of", "japan", "regsetvalueexa", "regdword", "regbinary", "module download", "tls handshake", "high", "defense evasion", "discovery att", "adversaries", "title", "role", "flag", "name server", "server", "domain address", "markmonitor", "clicktale ltd", "enom", "whoisguard", "medium", "unicode", "rgba", "delete", "crlf line", "next", "dock", "execution", "date", "users", "tls sni", "total", "cnc domain", "search", "oamazon", "cnamazon rsa", "push", "failure yara", "contacted", "hours ago", "created", "cia", "fbi", "telegram", "tulach", "sabey", "state", "gov", "ahmann", "financial fraud", "t-mobile", "walmartmobile", "life insurance", "fidelity life", "guarantee", "team", "role title", "added active", "scan", "iocs", "learn more", "filehashsha1", "filehashmd5", "kw3recepten", "domainname0", "searchbox0", "kw1brinta", "kw2muesli", "indicator role", "title added", "pulses url", "cve cve20170147", "apple", "apple id" ], "references": [ "https://www.fidelity.com/branches/investor-center-denver-west-s-teller-colorado-80226", "https://www.fidelity.com/ www.fidelity.com https://www.fidelity.com/ \u2022 www.fidelity.com", "http://neurosky.jp/ \u2022 https://tulach.cc/ \u2022 blackrock.com \u2022 vanguard-account.com", "https://bhive.nectar.social/rKvoMY", "MC nosnoop.exe: a44812b44591121f3e711223db099043d4d72288e4f436dba2fb935b6d888d40.exe", "ETERNALROCKS Detections: Win32:EternalRocks-B\\ [Trj] , Win.Trojan.EternalRocks1-6319293-0 ,", "TrojanDownloader:Win32/Eterock.A IDS Detections Possible ETERNALROCKS .Net161", "Module Download TLS Handshake Failure Yara Detections SUSP_NET_NAME_ConfuserEx , EternalRocks_svchost , EternalRocks_UpdateInstaller , ProtectSharewareV11eCompservCMS Alerts dead_host network_icmp nolookup_communication modifies_proxy_wpad network_http protection_rx antivm_network_adapters pe_unknown_resource_name raises_exception IP\u2019s Contacted 152.199.4.184 208.111.179.129 3.131.2.", "EternalRocks_svchost , EternalRocks_UpdateInstaller , ProtectSharewareV11eCompservCMS", "Alerts dead_host network_icmp nolookup_communication modifies_proxy_wpad", "Alerts: networki_http protectionk_rx antivm_network_adapters pe_unknown_resource_name", "Alerts: raises_exception IP\u2019s Contacted: 152.199.4.184 208.111.179.129 3.131.2.", "Domains Contacted api.nuget.org", "MC nosnoop.exe: a44812b44591121f3e711223db099043d4d72288e4f436dba2fb935b6d888d40.exe", "https://cdn-cms-s-8-4.f-static.net/files/icons/socialNetworksBrands/telegram", "https://cdn-cms-s-8-4.f-static.net/files/icons/socialNetworksBrands/telegram-icon.png", "https://cdn-cms-s.f-static.net/files/icons/socialNetworksBrands/telegram-icon.png?v=r82934", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.fidelity.com/ https://www.fidelity.com/", "cia.gov FileHash-SHA256 3b55307785bdd903bc9183642bdfd8b5a8ee15b90a05b25acbcd477432d26d99", "cia.gov FileHash-SHA256 f0a2d463a40c5b02e4bf61fdd76892b8ed5a1dd7d4a305849e4ff8fba00735bf", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "http://www.anyxxxtube.net/search-porn/tsara-brashears-denies-jeffrey-scott-reimer-sex", "http://www.anyxxxtube.net/search-porn/tsara-brashears/ hallrender.com/attorney/brian-sabey hallrender.com/attorney/b-sabey Christopher Ahmann https://hallrender.com/attorney/brian-sabey/anyxxxtube.net/search-porn/tsara-brashears https://www.anyxxxtube.net/search-porn/a-m-c-ate-xxx-videos/ pornokind.vgt.pl https://www.anyxxxtube.net/search-porn/ https://hallrender.com/attorney/brian-sabey/anyxxxtube.net/search-porn/tsara-brashears fidelity-account.com MC nosnoop.exe: a44812b44591121f3e711223db099043d4d72288e", "http://www.anyxxxtube.net/search-porn/tsara-brashears/", "hallrender.com/attorney/brian-sabey hallrender.com/attorney/b-sabey Christopher Ahmann", "https://www.anyxxxtube.net/search-porn/a-m-c-ate-xxx-videos/ pornokind.vgt.pl. vgt.pl", "https://www.anyxxxtube.net/search-porn/", "https://hallrender.com/attorney/brian-sabey/anyxxxtube.net/search-porn/tsara-brashears", "fidelity-account.com e http://fidelity-account.com/fidelity/code.html", "MC nosnoop.exe: a44812b44591121f3e711223db099043d4d72288e4f436dba2fb935b6d888d40.ex", "http://shared-work.com/fidelity2/login.html \u2022 https://fidelity-account.com/fidelity/otp.html", "https://booking.nmc.ae/en-ae/doctor/physician/abu-dhabi/sreehari-karunakaran-pillai :", "https://www.fidelity-account.com/ https://www.fidelity-account.com/ \u2022 http://fidelity-account.com/cgi-sys https://fidelity-account.com/fidelity/login.html \u2022 https://www.fidelity.com/ https://www.fidelity.com/branches/investor-center-denver-west-s-teller-colorado-80226 https://www.fidelity.com/ \u2022 www.fidelity.com https://bhive.nectar.social/rKvoMY https://booking.nmc.ae/en-ae/doctor/physician/abu-dhabi/sreehari-karunakaran-pillai :", "http://www.fidelity-account.com/ https://fidelity-account.com/fidelity/code.html \u2022", "\"CIA\" most commonly refers to the Central Intelligence Agency, a premier U.S. government agency responsible for gathering and analyzing foreign intelligence.", "https://booking.nmc.ae/en-ae/doctor/physician/abu-dhabi/sreehari-karunakaran-pillai:", "https://bhive.nectar.social/rKvoMY", "apple.com \u2022 appleid.apple.com-elasticbeanstalk.ttfcuupdateaccount-loginpage.works.co", "http://appleid.app", "https://bounceme.netakamaipofcassandrvodd-krdddddddddddgaliapplepaysupplieseway.devrvodio-kr.zomato.tw\t d" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Win64:Trojan-gen", "display_name": "Win64:Trojan-gen", "target": null }, { "id": "Trojan:MSIL/Ursu.KP", "display_name": "Trojan:MSIL/Ursu.KP", "target": "/malware/Trojan:MSIL/Ursu.KP" }, { "id": "ALF:HeraklezEval:Trojan:Win32/Eqtonex.F", "display_name": "ALF:HeraklezEval:Trojan:Win32/Eqtonex.F", "target": null }, { "id": "Trojan:PDF/Phish.RR!MTB", "display_name": "Trojan:PDF/Phish.RR!MTB", "target": "/malware/Trojan:PDF/Phish.RR!MTB" }, { "id": "Win32:TrojanX-gen\\ [Trj]", "display_name": "Win32:TrojanX-gen\\ [Trj]", "target": null }, { "id": ": ALF:Trojan:MSIL/Azorult.AC!", "display_name": ": ALF:Trojan:MSIL/Azorult.AC!", "target": null }, { "id": "ALF:Trojan:Win32/CryptWrapper.RT!MTB", "display_name": "ALF:Trojan:Win32/CryptWrapper.RT!MTB", "target": null }, { "id": "Trojan:Win32/Conbea!rfn", "display_name": "Trojan:Win32/Conbea!rfn", "target": "/malware/Trojan:Win32/Conbea!rfn" }, { "id": "Trojan:Win32/Ausiv!rfn", "display_name": "Trojan:Win32/Ausiv!rfn", "target": "/malware/Trojan:Win32/Ausiv!rfn" }, { "id": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat", "display_name": "ALF:HeraklezEval:Trojan:MSIL/Gravityrat", "target": null }, { "id": "Trojan:BAT/Musecador", "display_name": "Trojan:BAT/Musecador", "target": "/malware/Trojan:BAT/Musecador" }, { "id": "TrojanDropper:Win32/Qhost", "display_name": "TrojanDropper:Win32/Qhost", "target": "/malware/TrojanDropper:Win32/Qhost" }, { "id": "Trojan:Win32/Miner.KA!MTB", "display_name": "Trojan:Win32/Miner.KA!MTB", "target": "/malware/Trojan:Win32/Miner.KA!MTB" }, { "id": "DNSTrojan", "display_name": "DNSTrojan", "target": null }, { "id": "EternalRocks", "display_name": "EternalRocks", "target": null }, { "id": "Tofsee", "display_name": "Tofsee", "target": null } ], "attack_ids": [ { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1069.002", "name": "Domain Groups", "display_name": "T1069.002 - Domain Groups" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1071.002", "name": "File Transfer Protocols", "display_name": "T1071.002 - File Transfer Protocols" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1583.005", "name": "Botnet", "display_name": "T1583.005 - Botnet" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" } ], "industries": [ "Government", "Finance", "Insurance" ], "TLP": "green", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 2793, "URL": 6639, "FileHash-SHA256": 2462, "domain": 1070, "FileHash-MD5": 307, "FileHash-SHA1": 186, "SSLCertFingerprint": 1, "email": 1, "CVE": 3 }, "indicator_count": 13462, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "98 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6907cc66855b7dfe1306b0d8", "name": "Inject : Defense Counsel attaches to Apple Notebooks - Targeting", "description": "TAM Legal attacking Tsara Brashears and associated. Christopher P. Ahmann Esq Is the Special Counsel assigned to pester , smear, tamper with, terrorize, arrange murders, dispatch stalkers, deny care, swatting , botnets, attach to devices , deflect award for life ending injuries to you and your Mafia, choose malicious media companies (Hall Render) to smear Jeffrey Scott Reimers assault victim. This is silencing. Not everyone has someone to speak. Back off. You\u2019re sick. Enjoying that money, while Tsara slept on air mattress during a couch tour. Demyelinating, from denied disclosed of cord compression; like George Floyd. You should turn yourself in, write a HUGA check , shut down this criminal operation , find Jesus , self exit to a place out away from you targets , go to your bunker forever. You are a God Forsaken terrorist hitman! You\u2019re all SO sick!\nEnd Game Now.", "modified": "2026-01-01T07:03:18.851000", "created": "2025-11-02T21:25:58.814000", "tags": [ "present nov", "unknown aaaa", "ip address", "win32", "america asn", "twitter", "united states", "america", "ipv4", "united", "a domains", "443 ma86400", "super", "read c", "memcommit", "msie", "windows nt", "wow64", "slcc2", "media center", "tlsv1", "regsetvalueexa", "hack", "write", "february", "local", "unknown", "persistence", "execution", "xport", "kb body", "present aug", "present sep", "present oct", "for privacy", "false", "expirestue", "path", "p2404", "accept", "p11762282638", "host", "gmt range", "gmt ifnonematch", "p11762466264", "p11762417453", "nothing", "shutdown", "process32nextw", "langturkish", "sublangdefault", "regdword", "rtrcdata", "microsoft excel", "delphi", "worm", "malware", "error", "next", "format", "suspicious", "less see", "contacted", "all ip", "domains", "all related", "pulses otx", "related tags", "file type", "pexe", "christopher ahmann", "tam legal", "treece", "hacking", "highjacking", "modified", "quasi government", "ai google", "inject", "adversaries", "government", "insurance", "apple" ], "references": [ "External Apple Connection: Notepad.pw", "Sex Tools: m.pornsexer.xxx.3.1.adiosfil.roksit.net |", "www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process\t h", "takedown-communication-api.prod-c15a-awsuse.ppops.net", "L\u00b0\u00b0k @ You, okay Chris\u2026abgubdf.apple.cloudns.biz \u2022 cloudns.biz \u2022 https://abgubdf.apple.cloudns", "http://www.mof.gov.cn.lxcvc.com/ \u2022 https://r//www.csrc.gov.cn.lxcvc.com/", "http://www.mohurd.gov.cn.lxcvc.com/", "config.uca.cloud.unity3d.com", "0.0.iphone.8dyf8rf5k3.fr.mobiletrend.rtl2.adsenseformobileapps.com", "http://mp7tf.best-cell-phone-plans-for-seniors.cfd/", "sipphone.com", "uk5seki2ygz3kyfgliqe37477miq6jsf.nlsexolehxry4opotgpq" ], "public": 1, "adversary": "TAM Legal Christopher P. Ahmann Chief Terrorist", "targeted_countries": [], "malware_families": [ { "id": "Win.Malware.004bf-6866449-0", "display_name": "Win.Malware.004bf-6866449-0", "target": null }, { "id": "Custom Malware", "display_name": "Custom Malware", "target": null }, { "id": "Worn:Win32/AutoRun.XXY!bit", "display_name": "Worn:Win32/AutoRun.XXY!bit", "target": "/malware/Worn:Win32/AutoRun.XXY!bit" } ], "attack_ids": [ { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1094", "name": "Custom Command and Control Protocol", "display_name": "T1094 - Custom Command and Control Protocol" }, { "id": "TA0003", "name": "Persistence", "display_name": "TA0003 - Persistence" }, { "id": "T1055.001", "name": "Dynamic-link Library Injection", "display_name": "T1055.001 - Dynamic-link Library Injection" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1415", "name": "URL Scheme Hijacking", "display_name": "T1415 - URL Scheme Hijacking" }, { "id": "T1184", "name": "SSH Hijacking", "display_name": "T1184 - SSH Hijacking" }, { "id": "T1122", "name": "Component Object Model Hijacking", "display_name": "T1122 - Component Object Model Hijacking" } ], "industries": [ "Legal", "Government", "Healthcare", "Technology", "Telecommunications" ], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 2615, "URL": 7521, "hostname": 1775, "domain": 689, "FileHash-MD5": 448, "FileHash-SHA1": 295, "SSLCertFingerprint": 12, "email": 1 }, "indicator_count": 13356, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "151 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "691ead29f61101bfa3700998", "name": "Dopple AI | Poem Hunter: Poems - Poets - Poetry", "description": "Online terms that sexulize SA victim : Tsara brashears slander red porn videos ,\nHardcore porn, is pornography that features detailed depictions of sexual organs or sexual acts such as vaginal, anal or oral intercourse, fingering, brashears , Red Porn Videos , Tsara brashears slandered red porn\nyoujizz sex\n, Tsara brashears submission on august 27 via manual free , College fuck fest Super japanese hd compilation , \none kinky student fucks tsara brashears porn xxx porn , the best internet porn site\n, tsara brashears slandered, porn video uploaded to hardcore ,\nxxxxxxxxxx sex videos\nsearch , xxxxxxxxxx hd porn. tsara brashears\u09ac\u09b2\u09a6\u09b6\u09b0 \u09a8\u09a4\u09a8 \u09ad\u09acfrench retro gangbang in the hotel room, You will Tsara brashears porn ,\nChunky babe loves to be on top Hot Milf , xxx Movies, updates hourly.\n tsara brashears slandered,\nfrench retro gangbang in the hotel room , free porn videos. You will Tsara brashears porn jeffrey reimer puts his love on top tsara brashears brother", "modified": "2025-12-20T03:00:41.407000", "created": "2025-11-20T05:54:49.968000", "tags": [ "active related", "search filter", "time tsara", "x show", "cidr", "email", "learn more", "information", "t1027", "t1036", "t1057", "discovery", "t1059", "t1071", "title added", "poem", "the day", "wild eyesand", "unknown power", "shakespeare", "repeats", "ere man", "dowell oreilly", "read poem", "snit", "website", "loading", "rl https", "y0 nov", "vj96", "uyebaaeabaaaaac", "jid442122029", "active", "url http", "url https", "types", "indicators show", "type indicator", "added active", "tbmvid", "sourcelnms", "zx1724209326040", "read c", "module load", "showing", "delphi", "delete", "rgba", "unicode", "malware", "write", "win32", "execution", "next", "extraction", "data upload", "extre", "include data", "sc type", "url tot", "role title", "tsara brashears", "live sex", "porn video", "levelblue", "porn", "pornhub", "porn videos", "watch tsara", "most relevant", "q estimation", "green", "tsara", "online chat", "spicychat ai", "visa", "sex chat", "miss stella", "january", "philadelphia", "dopple ai", "b1 dec", "videos", "red porn", "free porn", "sunny leone", "hardcore porn", "jeffrey reimer", "puts", "love", "super", "download", "top tsara", "google search", "la iniciacin", "xxx hd", "bdsm scene", "nsfw experience", "ck ids", "open threat", "filepath https", "foundry", "palantir", "brian sabey", "yas", "tiny penis", "slander", "indicator role", "pulses url", "search" ], "references": [ "OTX must have an issue. A delete app seen before has deleted a majority of malicious IoCs. Im", "I don\u2019t appreciate OTX populated Malware suggestion \u2018SNIT\u2019 \u2018 Dopple AI\u2019 NOT malware", "OTX description for SNIT- I love to compose letters of resignation; now and then I send one in", "and leave in a lemon- hued Huff da Country or a Snit with four on the MALWARE fOORILIES", "OTX description for Dopple AI - There\u2019s someone for everyone out there in the BDSM scene, you can enjoy the", "free NSFW experience offered by Dopple AI.MALWARE", "Makes zero sense. Malicious. I don\u2019t get it. I have a Malware gift for you too!", "Y.A.S:1Byte/TinyRod SeeDescription @ Y.A.S. OFFICIAL MUSIC VIDEO" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Snit", "display_name": "Snit", "target": null }, { "id": "Dopple AI", "display_name": "Dopple AI", "target": null }, { "id": "Y.A.S:1Byte/TinyRod", "display_name": "Y.A.S:1Byte/TinyRod", "target": "/malware/Y.A.S:1Byte/TinyRod" } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1495", "name": "Firmware Corruption", "display_name": "T1495 - Firmware Corruption" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2497, "hostname": 742, "FileHash-SHA256": 523, "domain": 223, "FileHash-MD5": 85, "FileHash-SHA1": 56, "email": 4 }, "indicator_count": 4130, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "163 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://bighand.hallrender.com/", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://bighand.hallrender.com/", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780308612.4763227 }