{
"type": "URL",
"indicator": "https://blog.amblyopiadoctor.com",
"general": {
"sections": [
"general",
"url_list",
"http_scans",
"screenshot"
],
"indicator": "https://blog.amblyopiadoctor.com",
"type": "url",
"type_title": "URL",
"validation": [],
"base_indicator": {
"id": 3876620896,
"indicator": "https://blog.amblyopiadoctor.com",
"type": "URL",
"title": "",
"description": "",
"content": "",
"access_type": "public",
"access_reason": ""
},
"pulse_info": {
"count": 8,
"pulses": [
{
"id": "68e2bb5d9ee8577ab5519f2c",
"name": "Meritshealth with DoD links? ",
"description": "",
"modified": "2026-01-13T00:05:56.401000",
"created": "2025-10-05T18:39:25.286000",
"tags": [
"gtmk5nxqc6",
"utc amazon",
"utc na",
"acceptencoding",
"gmt contenttype",
"connection",
"true pragma",
"gmt setcookie",
"httponly",
"gmt vary",
"nc000000 up",
"html document",
"unicode text",
"utf8 text",
"oc0006 http",
"http traffic",
"https http",
"mitre att",
"control ta0011",
"protocol t1071",
"match info",
"t1573 severity",
"info",
"number",
"ja3s",
"algorithm",
"azure rsa",
"tls issuing",
"cus subject",
"stwa lredmond",
"cnmicrosoft ecc",
"update secure",
"server ca",
"omicrosoft cus",
"get http",
"dns resolutions",
"registrar",
"markmonitor inc",
"country",
"resolver domain",
"type name",
"html",
"apnic",
"apnic whois",
"please",
"rirs",
"cidr",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"development att",
"name tactics",
"binary file",
"ck matrix",
"wheelchair",
"iamrobert",
"pattern match",
"ascii text",
"href",
"united",
"general",
"local",
"path",
"encrypt",
"click",
"passive dns",
"urls",
"files",
"reverse dns",
"netherlands",
"present aug",
"a domains",
"moved",
"first pqc",
"ip address",
"unknown ns",
"unknown aaaa",
"title",
"body",
"meta",
"window",
"accept",
"body doctype",
"welcome",
"ok server",
"gmt content",
"present jul",
"present sep",
"aaaa",
"hostname",
"error",
"defense evasion",
"windows nt",
"response",
"vary",
"strings",
"core",
"t1027.013 encrypted/encoded",
"michelin lazy k",
"prefetch8",
"flag",
"date",
"starfield",
"hybrid",
"mobility cr",
"extraction",
"data upload",
"include",
"o url",
"url url",
"included i0",
"review ioc",
"excluded ic",
"suggested",
"find sugi",
"failed",
"cre pul",
"enter",
"enter sc",
"type",
"enric",
"extra",
"type opaste",
"data u",
"included",
"copy md5",
"copy sha1",
"copy sha256",
"null",
"refresh",
"tools",
"look",
"verify",
"restart",
"t1480 execution",
"expiration",
"url https",
"no expiration",
"iocs",
"ipv4",
"text drag",
"drop or",
"browse to",
"select file",
"redacted for",
"server",
"privacy tech",
"privacy admin",
"postal code",
"stateprovince",
"organization",
"email",
"code",
"quantum rooms",
"sam somalia",
"emp",
"porn",
"media defense",
"gov porn",
"suck my nips",
"reimer suspect",
"jeffrey reimer",
"dod",
"department of defense",
"show",
"date checked",
"url hostname",
"server response",
"google safe",
"results may",
"entries http",
"scans record",
"value status",
"sabey type",
"merits fake",
"y.a.s.",
"pornography",
"ramsom"
],
"references": [
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"https://meumundogay-com.sexogratis.page/locker",
"https://es.pornhat.com/models/the-sex-creator/",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"Can the DoD no questions asked target a SA victim",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"There is fear in silence or speaking out",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"If someone is believed to be a threat they have right to due process.",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"iamrobert.com Y.A.S.",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"Target agreed and complied with all lie detector measures.",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"I am very upset. Whoever is doing this is sick."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "TA0042",
"name": "Resource Development",
"display_name": "TA0042 - Resource Development"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1528",
"name": "Steal Application Access Token",
"display_name": "T1528 - Steal Application Access Token"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1562.004",
"name": "Disable or Modify System Firewall",
"display_name": "T1562.004 - Disable or Modify System Firewall"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1562.008",
"name": "Disable Cloud Logs",
"display_name": "T1562.008 - Disable Cloud Logs"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1056.003",
"name": "Web Portal Capture",
"display_name": "T1056.003 - Web Portal Capture"
},
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1180",
"name": "Screensaver",
"display_name": "T1180 - Screensaver"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "68e2b14d83bb63502feac65e",
"export_count": 17,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1365,
"URL": 11172,
"hostname": 2780,
"FileHash-MD5": 381,
"FileHash-SHA256": 4420,
"FileHash-SHA1": 338,
"CIDR": 4,
"SSLCertFingerprint": 24,
"CVE": 1,
"email": 1
},
"indicator_count": 20486,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 143,
"modified_text": "138 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68e2b14d83bb63502feac65e",
"name": "Did the \u2018real\u2019 DoD kill Targets wheelchair as promised? It\u2019s alive again.",
"description": "I\u2019d never think the DoD would be found when researching a wheelchair company NO ONE has ever heard of in this region. \n\nA wheelchair was ordered for target early spring, it was received in early summer. \n\nSettings became a crazy mess. Suspicion was immediate as a toothless tech tried to identify if dealing w/target by birth year , quizzing, fear tactics (doomsday wheelchair) , familiar Then warns about EMP attacks against wheelchair? His son is a hacker (gamer) + software engineer. He left not knowing if target status after quizzing tech knowledge? I intentionally verbalized the truth , target was a very early adopter of Ruby & Ruby on Rails & everything tech, he dropped his tools & left breaking the arm of wheelchair. New tech needed. Later denies ever being a mobility technician. They killed a new wheelchair. Why?. You\u2019re allowed to donate your equipment Vets & uninsured NEED mobility equipment. Stop the craziness. Is it possible gamer hackers are riding the DoD w/o their knowledge?",
"modified": "2026-01-07T00:00:30.717000",
"created": "2025-10-05T17:56:29.109000",
"tags": [
"gtmk5nxqc6",
"utc amazon",
"utc na",
"acceptencoding",
"gmt contenttype",
"connection",
"true pragma",
"gmt setcookie",
"httponly",
"gmt vary",
"nc000000 up",
"html document",
"unicode text",
"utf8 text",
"oc0006 http",
"http traffic",
"https http",
"mitre att",
"control ta0011",
"protocol t1071",
"match info",
"t1573 severity",
"info",
"number",
"ja3s",
"algorithm",
"azure rsa",
"tls issuing",
"cus subject",
"stwa lredmond",
"cnmicrosoft ecc",
"update secure",
"server ca",
"omicrosoft cus",
"get http",
"dns resolutions",
"registrar",
"markmonitor inc",
"country",
"resolver domain",
"type name",
"html",
"apnic",
"apnic whois",
"please",
"rirs",
"cidr",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"development att",
"name tactics",
"binary file",
"ck matrix",
"wheelchair",
"iamrobert",
"pattern match",
"ascii text",
"href",
"united",
"general",
"local",
"path",
"encrypt",
"click",
"passive dns",
"urls",
"files",
"reverse dns",
"netherlands",
"present aug",
"a domains",
"moved",
"first pqc",
"ip address",
"unknown ns",
"unknown aaaa",
"title",
"body",
"meta",
"window",
"accept",
"body doctype",
"welcome",
"ok server",
"gmt content",
"present jul",
"present sep",
"aaaa",
"hostname",
"error",
"defense evasion",
"windows nt",
"response",
"vary",
"strings",
"core",
"t1027.013 encrypted/encoded",
"michelin lazy k",
"prefetch8",
"flag",
"date",
"starfield",
"hybrid",
"mobility cr",
"extraction",
"data upload",
"include",
"o url",
"url url",
"included i0",
"review ioc",
"excluded ic",
"suggested",
"find sugi",
"failed",
"cre pul",
"enter",
"enter sc",
"type",
"enric",
"extra",
"type opaste",
"data u",
"included",
"copy md5",
"copy sha1",
"copy sha256",
"null",
"refresh",
"tools",
"look",
"verify",
"restart",
"t1480 execution",
"expiration",
"url https",
"no expiration",
"iocs",
"ipv4",
"text drag",
"drop or",
"browse to",
"select file",
"redacted for",
"server",
"privacy tech",
"privacy admin",
"postal code",
"stateprovince",
"organization",
"email",
"code",
"quantum rooms",
"sam somalia",
"emp",
"porn",
"media defense",
"gov porn",
"suck my nips",
"reimer suspect",
"jeffrey reimer",
"dod",
"department of defense",
"show",
"date checked",
"url hostname",
"server response",
"google safe",
"results may",
"entries http",
"scans record",
"value status",
"sabey type",
"merits fake",
"y.a.s.",
"pornography",
"ramsom"
],
"references": [
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"https://meumundogay-com.sexogratis.page/locker",
"https://es.pornhat.com/models/the-sex-creator/",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"Can the DoD no questions asked target a SA victim",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"There is fear in silence or speaking out",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"If someone is believed to be a threat they have right to due process.",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"iamrobert.com Y.A.S.",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"Target agreed and complied with all lie detector measures.",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"I am very upset. Whoever is doing this is sick."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "TA0042",
"name": "Resource Development",
"display_name": "TA0042 - Resource Development"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1528",
"name": "Steal Application Access Token",
"display_name": "T1528 - Steal Application Access Token"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1562.004",
"name": "Disable or Modify System Firewall",
"display_name": "T1562.004 - Disable or Modify System Firewall"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1562.008",
"name": "Disable Cloud Logs",
"display_name": "T1562.008 - Disable Cloud Logs"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1056.003",
"name": "Web Portal Capture",
"display_name": "T1056.003 - Web Portal Capture"
},
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1180",
"name": "Screensaver",
"display_name": "T1180 - Screensaver"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1328,
"URL": 9931,
"hostname": 2621,
"FileHash-MD5": 381,
"FileHash-SHA256": 4360,
"FileHash-SHA1": 338,
"CIDR": 4,
"SSLCertFingerprint": 24,
"CVE": 1,
"email": 1
},
"indicator_count": 18989,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 143,
"modified_text": "144 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "687605f986433ebf2673f0b8",
"name": "Win.Malware.Downloadguide-6803841-0 | Patient Monitoring",
"description": "Part of an elaborate, unrelenting espionage campaign , multiple compromises, targeting.\n> alf:PUA:Win32/DownloadGuide \nLink below found in previous Pulse -[http://s0.patient.media/res/f91b97f6b547405cb4370cbb003dfea2-jquery-1.11.1.min.js.gzip]\n\u2022 Win.Malware.Downloadguide-6803841-0\nYara:\nresearch_pe_signed_outside_timestamp\n\u2022\nkernel32_dll_xor_exe_key_51_key_byte_encoded \u2022\nxor_0x33_kernel32_dll \u2022 \nConcerning: {Domain\tAddress\tRegistrar\tCountry\ns0.patient.media\n-\tGoDaddy.com, LLC\nOrganization: Egton Medical Information Systems Limited\nName Server: ns34.domaincontrol.com\nCreation Date: 2015-01-12T16:20:56}\n\n{https://www.anyxxxtube.net/search-porn/tsara-brashears/}\n{https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net}\n{wallpapers-nature.com}\n{https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian}",
"modified": "2025-08-14T07:05:00.239000",
"created": "2025-07-15T07:40:41.180000",
"tags": [
"url http",
"url https",
"indicator role",
"title added",
"active related",
"pulses hostname",
"entries",
"gmt etag",
"server",
"ecacc",
"serving ip",
"address",
"dom dom",
"data upload",
"extraction",
"pdf report",
"enter",
"failed",
"extraction data",
"enter sc",
"type",
"extra data",
"extri please",
"review data",
"excluded tous",
"tui sugges",
"find",
"show",
"at filer",
"iocs",
"levelbluelabs",
"please",
"included iocs",
"excluded io",
"find suggested",
"types",
"domain data",
"search",
"o please",
"manually add",
"c data",
"o suggesteo",
"include data",
"review uus",
"u exclude",
"find s",
"indicaok data",
"dom doman",
"filehash",
"md5 add",
"pulse pulses",
"av detections",
"ids detections",
"yara detections",
"alerts",
"analysis date",
"file score",
"copy",
"push",
"copy md5",
"copy sha1",
"copy sha256",
"sha1",
"sha256",
"pattern match",
"ascii text",
"size",
"mitre att",
"utf8",
"null",
"refresh",
"body",
"span",
"hybrid",
"general",
"local",
"path",
"click",
"date",
"strings",
"error",
"tools",
"look",
"verify",
"restart",
"learn",
"command",
"ck id",
"name tactics",
"suspicious",
"informative",
"spawns",
"evasion att",
"t1480 execution",
"discovery att"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 17,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 3597,
"FileHash-MD5": 343,
"domain": 547,
"hostname": 1222,
"FileHash-SHA1": 343,
"FileHash-SHA256": 4464,
"CVE": 1,
"email": 1
},
"indicator_count": 10518,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 143,
"modified_text": "290 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6875e98438889e51b3fdd18f",
"name": "Critical \u2022 Schedule system process - Mirai | Foundry Overwatch",
"description": "",
"modified": "2025-08-14T05:04:16.839000",
"created": "2025-07-15T05:39:16.652000",
"tags": [
"win32 exe",
"country",
"include review",
"exclude",
"defense evasion",
"access ta0006",
"command",
"control ta0011",
"impact ta0040",
"impact ob0008",
"file system",
"system oc0008",
"match unknown",
"adversaries",
"match info",
"info",
"execution flow",
"t1574 dll",
"tries",
"registry",
"modify system",
"process t1543",
"unknown",
"window",
"ob0009 install",
"ob0012 install",
"insecure",
"b0047 modify",
"registry e1112",
"hidden files",
"registry run",
"keys",
"startup folder",
"f0012 file",
"critical",
"united",
"as15169",
"delete c",
"as16509",
"show",
"search",
"intel",
"ms windows",
"entries",
"medium",
"worm",
"copy",
"write",
"explorer",
"malware",
"next",
"present jul",
"status",
"date",
"ip address",
"domain",
"servers",
"showing",
"unknown ns",
"related pulses",
"pulses",
"tags",
"related tags",
"more file",
"type",
"date april",
"am size",
"sha1 sha256",
"as14618",
"united kingdom",
"as54113",
"as15133 verizon",
"top source",
"top destination",
"status domain",
"ip whitelisted",
"whitelisted",
"tcp include",
"source source",
"oamazon",
"cnamazon rsa",
"odigicert inc",
"sweden as20940",
"as20940",
"entries tls",
"ip destination",
"encrypt",
"aaaa",
"found",
"certificate",
"next associated",
"urls show",
"date checked",
"error",
"windows",
"high",
"yara detections",
"installs",
"checks",
"filehash",
"sha256 add",
"themida",
"data upload",
"extraction",
"md5 add",
"av detections",
"ids detections",
"alerts",
"analysis date",
"file score",
"win32",
"ddos",
"passive dns",
"activity",
"checkin",
"win64",
"mtb jan",
"lowfi",
"trojan",
"ransom",
"trojandropper",
"yara",
"nsis",
"nss bv",
"su data",
"windo alerts",
"andariel",
"malware traffic",
"nids",
"icmp traffic",
"dns query",
"id deadhost",
"connects",
"andariel high",
"richhash",
"external",
"virustotal api",
"screenshots",
"failed",
"auurtonany data",
"themida andarie",
"present may",
"japan unknown",
"unknown cname",
"domain add",
"urls",
"files",
"http headers",
"msie",
"windows nt",
"tcp syn",
"resolverror",
"externalport",
"internalport",
"wget command",
"devices home",
"execution",
"foundry",
"home networks",
"mirai",
"x.com",
"porn",
"monitored target",
"d link",
"targets"
],
"references": [
"TJprojMain.exe {79c7303a1a49b85569245a8ca1c1a26be720387845af9391fa1e4677308bd6b6}",
"Crowdsourced Signa: Schedule system process by Joe Security",
"Sigma \u2022 Suspicious Process Masquerading As SvcHost.EXE by Swachchhanda Shrawan Poudel",
"Sigma \u2022 System File Execution Location Anomaly by Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali (Nextron Systems)",
"Yara \u2022 NSIS from ruleset NSIS by kevoreilly",
"Yara \u2022 rule SUSP_Imphash_Mar23_2 from ruleset gen_imphash_detection by Arnim Rupp (https://github.com/ruppde)",
"Yara \u2022 Windows_Generic_Threat_7526f106 from ruleset Windows_Generic_Threat by Elastic Security",
"Alerts: persistence_autorun \u2022 persistence_autorun_tasks stealth_hiddenreg \u2022 suspicious_command",
"IDS : Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI",
"Mirai - ]1.0.0.0 - Unix.Trojan.Mirai-6981169-0",
"*Themida_2xx. Oreans,Technologies",
"*Andariel Backdoor Activity (Checkin)",
"Alert: dead_host nids_malware_alert network_icmp nolookup_communication",
"IDS: WGET Command Specifying Output in HTTP Headers",
"IDS: D-Link Devices Home Network Administration Protocol Command Execution",
"foundry2-lbl.dvr.dn2.n-helix.com \u2022 http://foundry2sdbl.dvr.dn2.n-helix.com \u2022 https://foundry2sdbl",
"https://xn--72c9abh1f8ad1lzc.com/video_tag/pornthai/ \u2022 https://ro.theskinnyfoodco.com/en-fr/blogs/recipes/pornstar-martini-recipe \u2022 m.pornsexer.xxx.3.1.adiosfil.roksit.net",
"x.com \u2022 nr-data.net \u2022 apple.k8s.joewa.com",
"http://apple.cc.lvlid.com/ \u2022 http://apple.cc.lvlid.com/ios/ \u2022 http://www.apple.cc.lvlid.com/ios",
"Devices remotely connected, tracked , monitored"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Worm:Win32/Mofksys.RND!MTB",
"display_name": "Worm:Win32/Mofksys.RND!MTB",
"target": "/malware/Worm:Win32/Mofksys.RND!MTB"
},
{
"id": "Unix.Trojan.Mirai-6981169-0",
"display_name": "Unix.Trojan.Mirai-6981169-0",
"target": null
},
{
"id": "Win.Malware.Ursu-9856871-0",
"display_name": "Win.Malware.Ursu-9856871-0",
"target": null
},
{
"id": "ELF:DDoS-Y\\ [Trj]",
"display_name": "ELF:DDoS-Y\\ [Trj]",
"target": null
}
],
"attack_ids": [
{
"id": "T1010",
"name": "Application Window Discovery",
"display_name": "T1010 - Application Window Discovery"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1134",
"name": "Access Token Manipulation",
"display_name": "T1134 - Access Token Manipulation"
},
{
"id": "T1485",
"name": "Data Destruction",
"display_name": "T1485 - Data Destruction"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1543",
"name": "Create or Modify System Process",
"display_name": "T1543 - Create or Modify System Process"
},
{
"id": "T1547",
"name": "Boot or Logon Autostart Execution",
"display_name": "T1547 - Boot or Logon Autostart Execution"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1564",
"name": "Hide Artifacts",
"display_name": "T1564 - Hide Artifacts"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
}
],
"industries": [
"Healthcare",
"Technology"
],
"TLP": "white",
"cloned_from": null,
"export_count": 23,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 448,
"FileHash-SHA1": 435,
"FileHash-SHA256": 5851,
"hostname": 2580,
"domain": 1176,
"URL": 7133,
"SSLCertFingerprint": 30,
"email": 3,
"CVE": 3
},
"indicator_count": 17659,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 144,
"modified_text": "290 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "66d0a996b288ca46ab7e63ae",
"name": "CEIDG (www.pitprojekt.pl , pitprojekt.pl) jak otworzy\u0107 firm\u0119, jak rozpocz\u0105\u0107 biznes, dzia\u0142alno\u015b\u0107 gospodarcza zak\u0142adanie, jak rozpocz\u0105\u0107 dzia\u0142alno\u015b\u0107 gospodarcz\u0105",
"description": "Zawarte zasoby wed\u0142ug j\u0119zyka \u00c2\u00a31.1bn, a total of 7.4bn euros ($9.6bn; \u00a36.3bn)",
"modified": "2024-12-05T21:16:06.820000",
"created": "2024-08-29T17:02:13.392000",
"tags": [
"admin",
"asset",
"dufur",
"jnswj",
"3px center",
"saxla",
"zjloj",
"whasz htm",
"oszczdno",
"png ikona",
"rt angielski",
"angielski usa",
"wersja rt",
"narzuta chi2",
"plik",
"whasz",
"bogaty hash",
"sha256",
"ssdeep",
"schema",
"strings",
"guid",
"blob",
"sha256 file",
"type type",
"vhash",
"imphash",
"bvgquf",
"cblrxf",
"coqbmf",
"efq78c",
"gkrikb",
"hdvrde",
"hlo3ef",
"izt63",
"jnoxi",
"kg2exe",
"pejzasz",
"rticon english",
"english us",
"chi2",
"png rticon",
"ico rtgroupicon",
"code signing",
"algorithm",
"serial number",
"sectigo public",
"thumbprint",
"rsa time",
"valid from",
"name sectigo",
"valid",
"valid usage",
"ascii text",
"neutral",
"data rtcursor",
"data rtdialog",
"default",
"rticon maori",
"ceidg",
"informacja o",
"usugi",
"z wniosek",
"sprawd",
"zarejestruj spk",
"centralna",
"ewidencja",
"strona gwna",
"formularze i",
"sha1",
"pehash",
"richhash",
"authentihash",
"skrt",
"system",
"podaj",
"windows z",
"kreator",
"dostawca",
"wifi",
"nazwa typ",
"md5 nazwa",
"imphasz",
"kropelka",
"smyczki",
"zasb manifestu",
"neutralny",
"ikona rt",
"zawarte zasoby",
"md5 chi2",
"ikonagrupyrt",
"rtmanifest",
"zawarte",
"sha256 typ"
],
"references": [
"https://aplikacja.ceidg.gov.pl/ceidg.cms.engine/"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 16,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Arek-BTC",
"id": "212764",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 4501,
"URL": 4559,
"hostname": 1957,
"domain": 729,
"FileHash-MD5": 903,
"FileHash-SHA1": 849,
"IPv4": 180,
"email": 3,
"IPv6": 2,
"CVE": 1
},
"indicator_count": 13684,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 125,
"modified_text": "541 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "670c5ff728e6e5b891e26e45",
"name": "IOC",
"description": "",
"modified": "2024-10-14T00:04:07.913000",
"created": "2024-10-14T00:04:07.913000",
"tags": [
"admin",
"asset",
"dufur",
"jnswj",
"3px center",
"saxla",
"zjloj",
"whasz htm",
"oszczdno",
"png ikona",
"rt angielski",
"angielski usa",
"wersja rt",
"narzuta chi2",
"plik",
"whasz",
"bogaty hash",
"sha256",
"ssdeep",
"schema",
"strings",
"guid",
"blob",
"sha256 file",
"type type",
"vhash",
"imphash",
"bvgquf",
"cblrxf",
"coqbmf",
"efq78c",
"gkrikb",
"hdvrde",
"hlo3ef",
"izt63",
"jnoxi",
"kg2exe",
"pejzasz",
"rticon english",
"english us",
"chi2",
"png rticon",
"ico rtgroupicon",
"code signing",
"algorithm",
"serial number",
"sectigo public",
"thumbprint",
"rsa time",
"valid from",
"name sectigo",
"valid",
"valid usage",
"ascii text",
"neutral",
"data rtcursor",
"data rtdialog",
"default",
"rticon maori",
"ceidg",
"informacja o",
"usugi",
"z wniosek",
"sprawd",
"zarejestruj spk",
"centralna",
"ewidencja",
"strona gwna",
"formularze i",
"sha1",
"pehash",
"richhash",
"authentihash",
"skrt",
"system",
"podaj",
"windows z",
"kreator",
"dostawca",
"wifi",
"nazwa typ",
"md5 nazwa",
"imphasz",
"kropelka",
"smyczki",
"zasb manifestu",
"neutralny",
"ikona rt",
"zawarte zasoby",
"md5 chi2",
"ikonagrupyrt",
"rtmanifest",
"zawarte",
"sha256 typ"
],
"references": [
"https://aplikacja.ceidg.gov.pl/ceidg.cms.engine/"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "66d0a996b288ca46ab7e63ae",
"export_count": 15,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "WayneState",
"id": "296756",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 4243,
"URL": 4550,
"hostname": 1957,
"domain": 729,
"FileHash-MD5": 801,
"FileHash-SHA1": 747,
"IPv4": 180,
"email": 3,
"IPv6": 2
},
"indicator_count": 13212,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 4,
"modified_text": "594 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "669ac41b3186b8cc8c40e9e3",
"name": "Powershell",
"description": "Matches rule PowerShell Module File Created By Non-PowerShell Process by Nasreddine Bencherchali\nDetects creation of a new PowerShell module \".psm1\", \".psd1\", \".dll\", \".ps1\", etc. by a non-PowerShell process\n\nFilescan.io\nWindowsPowerShell.zip\napplication/zip\nMD5:\n07d37fc575e373f878ae3c7cca2bfc25\nSHA1:\na2fc89aba12f8739184d44d0fffbe6323d9654eb\nSHA256:\ne75ff18ee5c7226e225aa9959df439f1488df8cd3d43f5471361ed0426700832\nSHA512:\n36dc7349d052cd474818a6ae3149eda469d829cf2e4d9a0e55252468cdf9e9704d5293b8b4f73b4a25b07f8c8dd8eeab2ed18bbb1ff7d76958b51eb555562339\n\nTriage:\nhttps://tria.ge/240719-taxv5aydlj\nhttps://tria.ge/240719-tfpfyasdqh\nhttps://tria.ge/240719-tj9laasfke\nhttps://tria.ge/240719-tnb6kssgmc\nhttps://tria.ge/240719-trwpdsshqh\nhttps://tria.ge/240719-tv84wstbkg\nhttps://tria.ge/240719-t1hh5atcpd\nhttps://tria.ge/240719-t7wpbszgkl\n\nMalcore: https://app.malcore.io/share/652553f6aec33d70a1dbbd25/669993193506cdb760b3f36a\n\nKaspersky: E75FF18EE5C7226E225AA9959DF439F1488DF8CD3D43F5471361ED0426700832",
"modified": "2024-09-01T17:02:12.379000",
"created": "2024-07-19T19:52:59.626000",
"tags": [],
"references": [
"https://www.virustotal.com/gui/collection/9d356233d4019b57b09902b22067bcbc11c1b5df759daaf494d859f540aaa399/summary",
"https://www.virustotal.com/gui/collection/9d356233d4019b57b09902b22067bcbc11c1b5df759daaf494d859f540aaa399/iocs",
"https://www.virustotal.com/gui/collection/9d356233d4019b57b09902b22067bcbc11c1b5df759daaf494d859f540aaa399/graph",
"https://www.virustotal.com/graph/embed/g4d28c765e54941129dbbf8d4a8dc25bb3b5452f14e0a4886a0af0c2991188611?theme=dark",
"https://www.virustotal.com/gui/file/e75ff18ee5c7226e225aa9959df439f1488df8cd3d43f5471361ed0426700832/relations",
"https://vtbehaviour.commondatastorage.googleapis.com/e75ff18ee5c7226e225aa9959df439f1488df8cd3d43f5471361ed0426700832_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1721578339&Signature=fTYUE3KoGSnr2%2BSrv9dZpgk3uXJc2rf%2BQeCyhAVDWiuiHGaYqhFHfgzQD2KheomXUSHne5MCvS9XH1LGW7Xhrg7CIG0gEe5cVjxrkmumne%2B%2Fd%2FBQagomnCKzfbwdExaO45sfA9rz4eQtyfLzFifYoRXDRtJK7P%2BNmISkv0Qz9FGIgXrrPDvmwJevgry%2FaMfiTEa2%2BxSDdWf9e6kdZW5YBVuxEdpGowcPsPEkpbdiSG12pG",
"https://vtbehaviour.commondatastorage.googleapis.com/e75ff18ee5c7226e225aa9959df439f1488df8cd3d43f5471361ed0426700832_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1721578437&Signature=HM1ThjLEyrQmeLst3eY3osRWxC6ETs2RVbR4uKhN5emP%2Fe3Jbf6OsLPvmoAyaPTh%2B9RLyjIrqyR3f4rwg%2B4kkyiEZCyCkGKSRvQK4zC8eMuq80kOGYcvFLPwtvcH20xe7%2FPhGk2au3z4GfauzR1s8meGtQYRDlmXZARLTB2G0tno%2FJOq8rNm7NLHvVH1MpMBoQ47RRIwE0ecUUSYXmQGMAOQVAgmigrpydiFzFYN2wYJDkmfVTmEc9kylTmQ",
"https://vtbehaviour.commondatastorage.googleapis.com/460264c62a85a79d25424920b7b80763354151146da5cba933c198ebbe9a0588_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1721583501&Signature=igubOWmez%2BKPjBiU2Af7vHhJ5SwgwsKaafuyzobymmqUDs%2F8vkuh1A%2BbsMADWo0B%2FBEZht3BD%2B1%2FvItWrcfBgja57sMCBln9vBXfK7nCclcy9%2BeujGu7wlQLlhyfAeGNd8suRdK8x4WrJJ5bdqfAh7Ns0mOjPliF9uu3UJ9I7qH6N5IAd%2Bkb8h7Xce%2F%2BavnF8jLmHHwwCP5ILzgNRc94rmrWFp5eXzxQ3aHd9btY2D",
"https://vtbehaviour.commondatastorage.googleapis.com/e6f203e988e7aa801739359c6222dcb181d290fc10de5f61d354d43f8557daa0_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1721583905&Signature=QPgFBr8MN1iCe8SwxWZ4BgTfkaViEC4PHLzUrGQ3Jdndo8Z44osVc0CIRcnkJJtNDFU03AM82A8wJ2jMjaFYoEbthsaxPWWufSulM8nS%2BU8RoCr04jUq5GnAWPVNjxukSTbgD0F7pUSf0pVaFwwvpSWCQ6hedQEwF52DQyViV8u9UDOeLii4rkmRlMfMlGIsxIP4CEwy0Gy8Q7Lw6FX8cxG%2FehoJatyiwaFdwwbbLbnu2lQHDaZuwZ38Oy",
"https://vtbehaviour.commondatastorage.googleapis.com/460264c62a85a79d25424920b7b80763354151146da5cba933c198ebbe9a0588_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1721583790&Signature=K2lWpuyPxZ8FgvBVeyB6hsfMbuIBkRXd522JtGonUcHxxtwoomV2fuuFbXC5edVAoGPuZJ24D%2Fv7rEHOHYCS2347F4Mq0VQr0PQt68rfbA8DBHTGs1XBS3QFLveflOjIkNzmhJWg23fuvM%2F1Ci0jSxKnR5XeURTArrkbf5eYA72p4QUFMKDgYO6kRpNXHLuDocJdXWjM7AiQ7ZBQdx%2F%2FeNZgb7k7s%2FPTzGuZ%2FTgEvxiGAiaV6PghFIIPSj",
"https://vtbehaviour.commondatastorage.googleapis.com/3a498e611cdc305e0ce67b68971ebc9e8b8aa575e9de08ae4bb081e1f6b87945_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1721583388&Signature=L5dgUL09kvWOiINZMa%2FvgcDAW5AFV%2Fqie184iaXQKGccuTzwDYsyx0%2BhI%2FxOXIkON%2Bw0RoRuoasFag44WeapuTjlnv8di%2FZ8iWJdeRGqWOdJ8P4EAPZIICsU%2BxjXP%2BzOSNTz5tcekdSceS%2BkTyDYMO%2F9QxZVwsIV1WnvZaGiR%2BOKIfs4YFXgeGWc23ktkKxbRfeKQY1kFyHTh8Re3lBLC%2Fkq%2FExvl7kqxKIebqquWmo%",
"https://vtbehaviour.commondatastorage.googleapis.com/d2cb7cca87c98c4d7a7eb9a40e0f00a231390cfe2f4786e161471a5ca4397a41_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1721583872&Signature=cfVN9vaAZ5UXUaFiEoATwrbKG2RNxzOu3wiH5KMlXdPxTgtpQ920ONEqOhhUb8MNxJwW3AVsCAahYTLdN3FigRPmjIClNTYz%2BoS%2BDl354Z4ZxefdKjl0HJ4%2FmGuzVTBNtc6pftGk4VMAvjgoerYhBf6Olu3ajrMT3h89lKsdBSGc6ra20Btzd%2BzY3Uh1J2gPZ%2BzZPHkTbR0OUTh3oorvIq9Fue8rDbL6PzZLxfPFEZ%2FFCRUnFo",
"https://vtbehaviour.commondatastorage.googleapis.com/d2cb7cca87c98c4d7a7eb9a40e0f00a231390cfe2f4786e161471a5ca4397a41_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1721583838&Signature=dw6B7oYQHQ1CxhfF67YE3TZfvqWvO%2FgErgu9Ms4R462ssOAuET7%2F9guBVvhETqvO7ClziwNXLV%2F31SM7aYXjXEUOmfJtHqf5vpFUCub63bX6a1GILj%2BtbX8EmURT4JftAGT%2BwDdgQnHX3y5MvnWd9NpYE8TTYStcf%2BQOWZLWiMNe%2BSxjpsMyOG2ryZdsm7iCyH%2BWdXrvG%2Bh9ccwxPOnUOwoOxUV3hp1ifVzCkbUtYySGTom29VJ8",
"https://vtbehaviour.commondatastorage.googleapis.com/3a498e611cdc305e0ce67b68971ebc9e8b8aa575e9de08ae4bb081e1f6b87945_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1721583383&Signature=N7snLsiqkPikwYU0zKl8QxasbcLXiGFXIFaIVT%2FEvzaLWUbnPEkuvuuOAxz9la0bmVndAimDsaexUgrGErDmDbBZ46apRuUnYH3GwBNvZ3YaBIVII4IfP8kDN%2Bi2b3meTPaoyhnWR4UIuYord2Ejg5nAYQ3FJxv4KKyrm8NTlU1cEHTpiBToFL3AVBUOHvCUQ4T1wRMpgO6%2FmyokYYZl8GZa4tjpI%2BncAIOTAfOZePVQ7sAnKHmckU",
"https://viz.greynoise.io/analysis/b5c2d562-eee0-46cb-8696-0585e3ce27b8"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Canada"
],
"malware_families": [],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1574.002",
"name": "DLL Side-Loading",
"display_name": "T1574.002 - DLL Side-Loading"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1518.001",
"name": "Security Software Discovery",
"display_name": "T1518.001 - Security Software Discovery"
},
{
"id": "T1010",
"name": "Application Window Discovery",
"display_name": "T1010 - Application Window Discovery"
},
{
"id": "T1070.006",
"name": "Timestomp",
"display_name": "T1070.006 - Timestomp"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
}
],
"industries": [
"Education",
"Government",
"Healthcare",
"Telecommunications"
],
"TLP": "white",
"cloned_from": null,
"export_count": 14,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Disable_Duck",
"id": "244325",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 4402,
"URL": 1463,
"domain": 621,
"hostname": 1159,
"FileHash-MD5": 423,
"FileHash-SHA1": 423
},
"indicator_count": 8491,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 135,
"modified_text": "637 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6695e27f356a22d97fba5ca8",
"name": "Critical attack/s continues to affect YouTube Creator/s account/s",
"description": "Related to YouTube creator/s attack/s. Found as part of Jays Youtube Bot.exe and YouTube bots.\nFull CnC, access and id devices. Redirects views, resells. spoofs, binds and/or accounts. FRAUD! \nReference: YARA Signature Match - THOR APT Scanner\nRULE: SUSP_Wextract_Anomaly_Unsigned_May23\nRULE_SET: Livehunt - Suspicious290 Indicators \ud83c\udff9\nRULE_TYPE: THOR APT Scanner's rule set only \ud83d\udd28\nRULE_LINK: https://valhalla.nextron-systems.com/info/rule/SUSP_Wextract_Anomaly_Unsigned_May23\nDESCRIPTION: Detects an anomalous unsigned wextract that contains additional code and has been seen abused to deliver malware\nREFERENCE: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/deconstructing-amadeys-latest-multi-stage-attack-and-malware-distribution/\nRULE_AUTHOR: X__Junior\nThor for details #susp_wextract_anomaly_unsigned_may23",
"modified": "2024-08-15T02:00:24.886000",
"created": "2024-07-16T03:01:17.316000",
"tags": [
"win32 exe",
"wextract",
"kb file",
"files",
"file type",
"javascript",
"graph",
"ip detections",
"country",
"userprofile",
"runtime modules",
"samplepath",
"delnoderundll32",
"mpgph131 hr",
"hourly rl",
"highest c",
"mpgph131 lg",
"onlogon rl",
"highest",
"process",
"registrya",
"registry keys",
"registry",
"windows policy",
"shell folders",
"file execution",
"binary data",
"security center",
"text c",
"peexe c",
"xml c",
"zip c",
"file system",
"written c",
"dropped",
"hashes",
"windows nt",
"wow64",
"referer https",
"date thu",
"get https",
"request",
"gecko response",
"gmt connection",
"gmt vary",
"etag",
"accept",
"win64",
"query",
"windows get",
"internal",
"set file",
"create",
"create process",
"windows read",
"shutdown system",
"modify access",
"delete registry",
"enumerate",
"behavior tags",
"k0pmbc",
"spsfsb",
"ctsu",
"efq78c",
"egw7od",
"en3i8d",
"i6ydgd",
"iz1fbc",
"izt63",
"kum7z",
"vs2003",
"sp1 build",
"contained",
"info compiler",
"products",
"header intel",
"name md5",
"type",
"language",
"simplified",
"army",
"variant sides",
"with russia",
"ramnit",
"netsupport rat",
"sneaky server",
"replacement",
"unauthorized",
"sim unlock",
"emotet",
"chaos",
"malicious",
"critical",
"copy",
"life",
"pe32",
"intel",
"ms windows",
"ms visual",
"win32 dynamic",
"link library",
"win16 ne",
"pe32 compiler",
"cc linker",
"urls",
"gandi sas",
"domains",
"cloudflare",
"ii llc",
"psiusa",
"domain robot",
"ltd dba",
"com laude",
"ascio",
"contacted",
"ms word",
"document",
"b file",
"html",
"javascript jac",
"html iu3",
"executed by usa",
"#wextract",
"#unsigned",
"thor",
"stealer",
"evader",
"systemroot",
"grum",
"high",
"delete c",
"cape",
"write",
"103 read",
"clsid read",
"date read",
"trojan",
"united",
"unknown",
"status",
"cname",
"creation date",
"search",
"as1921",
"austria unknown",
"emails",
"expiration date",
"date",
"pragma",
"next",
"passive dns",
"backdoor",
"win32",
"scan endpoints",
"all scoreblue",
"ipv4",
"usa",
"co",
"teams",
"cybercrime",
"spoof",
"benjamin",
"dynamicloader",
"write c",
"pe32 executable",
"show",
"yara rule",
"windows",
"recon",
"worm",
"powershell",
"june",
"delphi",
"malware",
"malice",
"retaliation",
"through the nights",
"apple",
"lenovo",
"ios",
"hackers",
"move",
"moved"
],
"references": [
"WEXTRACT.EXE .MUI: FileHash-SHA256 00e5aefb5ffd357e995d1a4ee30735a692780b203cd58e6239637471047d51a4",
"MALWARE STEALER TROJAN EVADER | WEXTRACT.EXE .MUI | TXTRESSE | via https://www.virustotal.com/gui/domain/www.youtube.com",
"CS Sigma: Matches rule Suspicious DNS Query for IP Lookup Service APIs by Brandon George (blog post), Thomas Patzke",
"Critical CS Sigma: Matches rule Suspicious Double Extension File Execution by Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems)",
"^ by Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems) ^",
"CS Sigma: Matches rule Disable Windows Defender Functionalities Via Registry Keys by AlertIQ, J\u00e1n Tren\u010dansk\u00fd, frack113, Nasreddine Bencherchali, Swachchhanda Shrawan",
"CS Sigma: Matches rule Chromium Browser Instance Executed With Custom Extension by Aedan Russell, frack113, X__Junior (Nextron Systems)",
"CS Sigma: Matches rule Suspicious Add Scheduled Task Parent by Florian Roth (Nextron Systems)",
"CS Sigma: Matches rule Suspicious Schtasks Schedule Type With High Privileges by Nasreddine Bencherchali (Nextron Systems)",
"CS Sigma: Matches rule Scheduled Task Creation by Florian Roth (Nextron Systems)",
"CS IDS: Matches rule (stream_tcp) data sent on stream not accepting data",
"CS IDS: Matches rule (http_inspect) HTTP response has UTF character set that failed to normalize",
"CS IDS: Matches rule ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Exfiltration)",
"CS IDS: Matches rule ET INFO Session Traversal Utilities for NAT (STUN Binding Request On Non-Standard High Port)",
"CS IDS: Matches rule ET POLICY Possible External IP Lookup SSL Cert Observed (ipinfo.io)",
"CS IDS: Matches rule ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Token) Matches rule ET MALWARE [ANY.RUN] RisePro TCP v.0.x (External IP)",
"CS IDS: Matches rule ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Activity)",
"CS IDS: Matches rule ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent",
"CS IDS: Matches rule ET MALWARE Suspected RisePro TCP Heartbeat Packet",
"CS IDS: Matches rule ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)",
"CS IDS: Matches rule ET MALWARE Win32/Ramnit Checkin Matches rule MALWARE-CNC Win.Trojan.Ramnit variant outbound detected",
"TXTRESSE: FileHash-SHA256 00001dd58b69582cc30a16b000bce3d96d369487444385489084719676afba4d",
"Crowdsourced YARA rules: Matches rule UPX from ruleset UPX by kevoreilly",
"Crowdsourced YARA rules: Matches rule win_ramnit_auto from ruleset win.ramnit_auto by Felix Bilstein - yara-signator at cocacoding dot com",
"Crowdsourced YARA rules: Matches rule MAL_Ramnit_May19_1 from ruleset crime_nansh0u by Florian Roth (Nextron Systems)",
"Crowdsourced IDS rules: Matches rule: MALWARE-CNC Win.Trojan.Ramnit variant outbound detected",
"Crowdsourced IDS rules: Matches rule: (port_scan) UDP filtered",
"Crowdsourced IDS rules: Matches rule: ET MALWARE Win32/Ramnit Checkin | Matches rule ET DNS Query for .cc TLD",
"https://www.nextron-systems.com/notes-on-virustotal-matches/",
"TrojanDownloader:Win32/Upatre , Virus:Win32/Sality.AT , Win.Downloader.Small-1645",
"Antivirus Detections: Backdoor:Win32/Likseput.B , PWS:Win32/QQpass.B!MTB , Trojan:Win32/Scrarev.C , Trojan:Win32/Speesipro.A , Trojan:Win32/Zombie.A , TrojanDownloader:Win32/Cutwail.BS , TrojanDownloader:Win32/Nemucod ,",
"IDS Detections: Backdoor.Win32.Pushdo.s Checkin Backdoor.Win32.Pushdo.s Checkin Suspicious csrss.exe in URI",
"https://www.virustotal.com/gui/file/00e5aefb5ffd357e995d1a4ee30735a692780b203cd58e6239637471047d51a4/detection",
"Jays Youtube Bot.exe > FileHash-SHA256 00514527e00ee001d042",
"https://www.youtube.com/watch?v=ucEkWcFuH0Y&list=TLPQMDgwNjIwMjKO_xApd0GzPQ&index=2",
"https://www.youtube.com/watch?v=GyuMozsVyYs",
"Emotet | YouTube \u2022 Darklivity Podcast \"Unhinged Horror\"",
"https://otx.alienvault.com/pulse/6694bb9be1b61bf820500004",
"http://193.233.132.62/hera/amadka.exe | https://www.info-only-men.com/landing/mlp88g?subPublisher=popunder:eu-adsrv.rtbsuperhub.com&zone=popunder:eu-adsrv.rtbsuperhub.com&",
"https://software-free-phone-2018.win/62ae8f9b-d0cb-4b4c-8318-dd7900e1d092/e29481e9-a792-46a8-bbf0-188ed2a816ae/?brand=Apple&browser=Safari&btd=dHJr",
"nr-data.net [Apple Private Data Collection]",
"https://rector-fitiology.icu/99c8d3a6-be16-421a-87a8-40701eae8149?zoneid=6543079&bannerid=18710758&browser=chrome&os=ios&devic",
"https://software-free-phone-2018.win/7a7c1101-0538-49de-925f-4f4675a5fd1f/3b0669f6-a07e-4eb8-8e2b-d0282d482c1a/?brand=Lenovo&browser=Chr"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "WAT:Blacked-E",
"display_name": "WAT:Blacked-E",
"target": null
},
{
"id": "Win32:RmnDrp [Inf]",
"display_name": "Win32:RmnDrp [Inf]",
"target": null
},
{
"id": "AI:FileInfector.EAEEA7850C",
"display_name": "AI:FileInfector.EAEEA7850C",
"target": null
},
{
"id": "Virus.Ramnit/Nimnul",
"display_name": "Virus.Ramnit/Nimnul",
"target": null
},
{
"id": "Trojan.Crifi.1",
"display_name": "Trojan.Crifi.1",
"target": null
},
{
"id": "Trojan.MSIL.Injurer.cbd",
"display_name": "Trojan.MSIL.Injurer.cbd",
"target": null
},
{
"id": "Win.Downloader.Small-1645",
"display_name": "Win.Downloader.Small-1645",
"target": null
},
{
"id": "Trojan:Win32/Scrarev.C",
"display_name": "Trojan:Win32/Scrarev.C",
"target": "/malware/Trojan:Win32/Scrarev.C"
},
{
"id": "Trojan:Win32/Zombie.A",
"display_name": "Trojan:Win32/Zombie.A",
"target": "/malware/Trojan:Win32/Zombie.A"
},
{
"id": "Trojan:Win32/Speesipro.A",
"display_name": "Trojan:Win32/Speesipro.A",
"target": "/malware/Trojan:Win32/Speesipro.A"
},
{
"id": "Virus:Win32/Sality.AT",
"display_name": "Virus:Win32/Sality.AT",
"target": "/malware/Virus:Win32/Sality.AT"
},
{
"id": "TrojanDownloader:Win32/Upatre",
"display_name": "TrojanDownloader:Win32/Upatre",
"target": "/malware/TrojanDownloader:Win32/Upatre"
},
{
"id": "TrojanDownloader:Win32/Cutwail.BS",
"display_name": "TrojanDownloader:Win32/Cutwail.BS",
"target": "/malware/TrojanDownloader:Win32/Cutwail.BS"
},
{
"id": "TrojanDownloader:Win32/Nemucod",
"display_name": "TrojanDownloader:Win32/Nemucod",
"target": "/malware/TrojanDownloader:Win32/Nemucod"
},
{
"id": "PWS:Win32/QQpass.B!MTB",
"display_name": "PWS:Win32/QQpass.B!MTB",
"target": "/malware/PWS:Win32/QQpass.B!MTB"
},
{
"id": "Backdoor:Win32/Likseput.B",
"display_name": "Backdoor:Win32/Likseput.B",
"target": "/malware/Backdoor:Win32/Likseput.B"
},
{
"id": "Worm:Win32/Benjamin",
"display_name": "Worm:Win32/Benjamin",
"target": "/malware/Worm:Win32/Benjamin"
},
{
"id": "ALF:HeraklezEval:TrojanSpy:Win32/SocStealer",
"display_name": "ALF:HeraklezEval:TrojanSpy:Win32/SocStealer",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "TA0037",
"name": "Command and Control",
"display_name": "TA0037 - Command and Control"
},
{
"id": "T1588",
"name": "Obtain Capabilities",
"display_name": "T1588 - Obtain Capabilities"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1472",
"name": "Generate Fraudulent Advertising Revenue",
"display_name": "T1472 - Generate Fraudulent Advertising Revenue"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1598",
"name": "Phishing for Information",
"display_name": "T1598 - Phishing for Information"
},
{
"id": "T1528",
"name": "Steal Application Access Token",
"display_name": "T1528 - Steal Application Access Token"
},
{
"id": "T1539",
"name": "Steal Web Session Cookie",
"display_name": "T1539 - Steal Web Session Cookie"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1134.004",
"name": "Parent PID Spoofing",
"display_name": "T1134.004 - Parent PID Spoofing"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1003.007",
"name": "Proc Filesystem",
"display_name": "T1003.007 - Proc Filesystem"
},
{
"id": "T1042",
"name": "Change Default File Association",
"display_name": "T1042 - Change Default File Association"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
}
],
"industries": [
"Media",
"Technology",
"Civil Society",
"Crime Victims"
],
"TLP": "green",
"cloned_from": null,
"export_count": 30,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 4312,
"domain": 1056,
"hostname": 1818,
"URL": 5125,
"FileHash-MD5": 310,
"FileHash-SHA1": 221,
"email": 3
},
"indicator_count": 12845,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 231,
"modified_text": "654 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
}
],
"references": [
"I am very upset. Whoever is doing this is sick.",
"https://www.virustotal.com/gui/collection/9d356233d4019b57b09902b22067bcbc11c1b5df759daaf494d859f540aaa399/summary",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"CS Sigma: Matches rule Suspicious DNS Query for IP Lookup Service APIs by Brandon George (blog post), Thomas Patzke",
"^ by Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems) ^",
"https://www.virustotal.com/gui/collection/9d356233d4019b57b09902b22067bcbc11c1b5df759daaf494d859f540aaa399/iocs",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"https://vtbehaviour.commondatastorage.googleapis.com/460264c62a85a79d25424920b7b80763354151146da5cba933c198ebbe9a0588_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1721583501&Signature=igubOWmez%2BKPjBiU2Af7vHhJ5SwgwsKaafuyzobymmqUDs%2F8vkuh1A%2BbsMADWo0B%2FBEZht3BD%2B1%2FvItWrcfBgja57sMCBln9vBXfK7nCclcy9%2BeujGu7wlQLlhyfAeGNd8suRdK8x4WrJJ5bdqfAh7Ns0mOjPliF9uu3UJ9I7qH6N5IAd%2Bkb8h7Xce%2F%2BavnF8jLmHHwwCP5ILzgNRc94rmrWFp5eXzxQ3aHd9btY2D",
"Antivirus Detections: Backdoor:Win32/Likseput.B , PWS:Win32/QQpass.B!MTB , Trojan:Win32/Scrarev.C , Trojan:Win32/Speesipro.A , Trojan:Win32/Zombie.A , TrojanDownloader:Win32/Cutwail.BS , TrojanDownloader:Win32/Nemucod ,",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"https://www.virustotal.com/gui/file/e75ff18ee5c7226e225aa9959df439f1488df8cd3d43f5471361ed0426700832/relations",
"http://apple.cc.lvlid.com/ \u2022 http://apple.cc.lvlid.com/ios/ \u2022 http://www.apple.cc.lvlid.com/ios",
"x.com \u2022 nr-data.net \u2022 apple.k8s.joewa.com",
"CS Sigma: Matches rule Suspicious Schtasks Schedule Type With High Privileges by Nasreddine Bencherchali (Nextron Systems)",
"IDS : Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI",
"foundry2-lbl.dvr.dn2.n-helix.com \u2022 http://foundry2sdbl.dvr.dn2.n-helix.com \u2022 https://foundry2sdbl",
"CS IDS: Matches rule ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Exfiltration)",
"Crowdsourced IDS rules: Matches rule: ET MALWARE Win32/Ramnit Checkin | Matches rule ET DNS Query for .cc TLD",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"IDS Detections: Backdoor.Win32.Pushdo.s Checkin Backdoor.Win32.Pushdo.s Checkin Suspicious csrss.exe in URI",
"*Themida_2xx. Oreans,Technologies",
"Yara \u2022 NSIS from ruleset NSIS by kevoreilly",
"CS Sigma: Matches rule Disable Windows Defender Functionalities Via Registry Keys by AlertIQ, J\u00e1n Tren\u010dansk\u00fd, frack113, Nasreddine Bencherchali, Swachchhanda Shrawan",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"https://www.virustotal.com/gui/file/00e5aefb5ffd357e995d1a4ee30735a692780b203cd58e6239637471047d51a4/detection",
"https://meumundogay-com.sexogratis.page/locker",
"https://software-free-phone-2018.win/62ae8f9b-d0cb-4b4c-8318-dd7900e1d092/e29481e9-a792-46a8-bbf0-188ed2a816ae/?brand=Apple&browser=Safari&btd=dHJr",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"CS IDS: Matches rule (http_inspect) HTTP response has UTF character set that failed to normalize",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"iamrobert.com Y.A.S.",
"IDS: WGET Command Specifying Output in HTTP Headers",
"Target agreed and complied with all lie detector measures.",
"Crowdsourced IDS rules: Matches rule: MALWARE-CNC Win.Trojan.Ramnit variant outbound detected",
"TJprojMain.exe {79c7303a1a49b85569245a8ca1c1a26be720387845af9391fa1e4677308bd6b6}",
"WEXTRACT.EXE .MUI: FileHash-SHA256 00e5aefb5ffd357e995d1a4ee30735a692780b203cd58e6239637471047d51a4",
"http://193.233.132.62/hera/amadka.exe | https://www.info-only-men.com/landing/mlp88g?subPublisher=popunder:eu-adsrv.rtbsuperhub.com&zone=popunder:eu-adsrv.rtbsuperhub.com&",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"https://vtbehaviour.commondatastorage.googleapis.com/3a498e611cdc305e0ce67b68971ebc9e8b8aa575e9de08ae4bb081e1f6b87945_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1721583383&Signature=N7snLsiqkPikwYU0zKl8QxasbcLXiGFXIFaIVT%2FEvzaLWUbnPEkuvuuOAxz9la0bmVndAimDsaexUgrGErDmDbBZ46apRuUnYH3GwBNvZ3YaBIVII4IfP8kDN%2Bi2b3meTPaoyhnWR4UIuYord2Ejg5nAYQ3FJxv4KKyrm8NTlU1cEHTpiBToFL3AVBUOHvCUQ4T1wRMpgO6%2FmyokYYZl8GZa4tjpI%2BncAIOTAfOZePVQ7sAnKHmckU",
"IDS: D-Link Devices Home Network Administration Protocol Command Execution",
"https://xn--72c9abh1f8ad1lzc.com/video_tag/pornthai/ \u2022 https://ro.theskinnyfoodco.com/en-fr/blogs/recipes/pornstar-martini-recipe \u2022 m.pornsexer.xxx.3.1.adiosfil.roksit.net",
"There is fear in silence or speaking out",
"https://www.youtube.com/watch?v=ucEkWcFuH0Y&list=TLPQMDgwNjIwMjKO_xApd0GzPQ&index=2",
"Yara \u2022 rule SUSP_Imphash_Mar23_2 from ruleset gen_imphash_detection by Arnim Rupp (https://github.com/ruppde)",
"https://www.youtube.com/watch?v=GyuMozsVyYs",
"https://vtbehaviour.commondatastorage.googleapis.com/3a498e611cdc305e0ce67b68971ebc9e8b8aa575e9de08ae4bb081e1f6b87945_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1721583388&Signature=L5dgUL09kvWOiINZMa%2FvgcDAW5AFV%2Fqie184iaXQKGccuTzwDYsyx0%2BhI%2FxOXIkON%2Bw0RoRuoasFag44WeapuTjlnv8di%2FZ8iWJdeRGqWOdJ8P4EAPZIICsU%2BxjXP%2BzOSNTz5tcekdSceS%2BkTyDYMO%2F9QxZVwsIV1WnvZaGiR%2BOKIfs4YFXgeGWc23ktkKxbRfeKQY1kFyHTh8Re3lBLC%2Fkq%2FExvl7kqxKIebqquWmo%",
"https://rector-fitiology.icu/99c8d3a6-be16-421a-87a8-40701eae8149?zoneid=6543079&bannerid=18710758&browser=chrome&os=ios&devic",
"CS Sigma: Matches rule Scheduled Task Creation by Florian Roth (Nextron Systems)",
"https://www.nextron-systems.com/notes-on-virustotal-matches/",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"CS IDS: Matches rule ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent",
"https://vtbehaviour.commondatastorage.googleapis.com/460264c62a85a79d25424920b7b80763354151146da5cba933c198ebbe9a0588_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1721583790&Signature=K2lWpuyPxZ8FgvBVeyB6hsfMbuIBkRXd522JtGonUcHxxtwoomV2fuuFbXC5edVAoGPuZJ24D%2Fv7rEHOHYCS2347F4Mq0VQr0PQt68rfbA8DBHTGs1XBS3QFLveflOjIkNzmhJWg23fuvM%2F1Ci0jSxKnR5XeURTArrkbf5eYA72p4QUFMKDgYO6kRpNXHLuDocJdXWjM7AiQ7ZBQdx%2F%2FeNZgb7k7s%2FPTzGuZ%2FTgEvxiGAiaV6PghFIIPSj",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"CS Sigma: Matches rule Suspicious Add Scheduled Task Parent by Florian Roth (Nextron Systems)",
"https://www.virustotal.com/graph/embed/g4d28c765e54941129dbbf8d4a8dc25bb3b5452f14e0a4886a0af0c2991188611?theme=dark",
"Critical CS Sigma: Matches rule Suspicious Double Extension File Execution by Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems)",
"Jays Youtube Bot.exe > FileHash-SHA256 00514527e00ee001d042",
"*Andariel Backdoor Activity (Checkin)",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"Crowdsourced IDS rules: Matches rule: (port_scan) UDP filtered",
"nr-data.net [Apple Private Data Collection]",
"Sigma \u2022 System File Execution Location Anomaly by Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali (Nextron Systems)",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"https://viz.greynoise.io/analysis/b5c2d562-eee0-46cb-8696-0585e3ce27b8",
"TrojanDownloader:Win32/Upatre , Virus:Win32/Sality.AT , Win.Downloader.Small-1645",
"CS Sigma: Matches rule Chromium Browser Instance Executed With Custom Extension by Aedan Russell, frack113, X__Junior (Nextron Systems)",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"Can the DoD no questions asked target a SA victim",
"If someone is believed to be a threat they have right to due process.",
"CS IDS: Matches rule ET MALWARE Win32/Ramnit Checkin Matches rule MALWARE-CNC Win.Trojan.Ramnit variant outbound detected",
"Yara \u2022 Windows_Generic_Threat_7526f106 from ruleset Windows_Generic_Threat by Elastic Security",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"CS IDS: Matches rule (stream_tcp) data sent on stream not accepting data",
"Alerts: persistence_autorun \u2022 persistence_autorun_tasks stealth_hiddenreg \u2022 suspicious_command",
"https://vtbehaviour.commondatastorage.googleapis.com/e75ff18ee5c7226e225aa9959df439f1488df8cd3d43f5471361ed0426700832_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1721578339&Signature=fTYUE3KoGSnr2%2BSrv9dZpgk3uXJc2rf%2BQeCyhAVDWiuiHGaYqhFHfgzQD2KheomXUSHne5MCvS9XH1LGW7Xhrg7CIG0gEe5cVjxrkmumne%2B%2Fd%2FBQagomnCKzfbwdExaO45sfA9rz4eQtyfLzFifYoRXDRtJK7P%2BNmISkv0Qz9FGIgXrrPDvmwJevgry%2FaMfiTEa2%2BxSDdWf9e6kdZW5YBVuxEdpGowcPsPEkpbdiSG12pG",
"https://www.virustotal.com/gui/collection/9d356233d4019b57b09902b22067bcbc11c1b5df759daaf494d859f540aaa399/graph",
"CS IDS: Matches rule ET MALWARE Suspected RisePro TCP Heartbeat Packet",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"CS IDS: Matches rule ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"https://vtbehaviour.commondatastorage.googleapis.com/e6f203e988e7aa801739359c6222dcb181d290fc10de5f61d354d43f8557daa0_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1721583905&Signature=QPgFBr8MN1iCe8SwxWZ4BgTfkaViEC4PHLzUrGQ3Jdndo8Z44osVc0CIRcnkJJtNDFU03AM82A8wJ2jMjaFYoEbthsaxPWWufSulM8nS%2BU8RoCr04jUq5GnAWPVNjxukSTbgD0F7pUSf0pVaFwwvpSWCQ6hedQEwF52DQyViV8u9UDOeLii4rkmRlMfMlGIsxIP4CEwy0Gy8Q7Lw6FX8cxG%2FehoJatyiwaFdwwbbLbnu2lQHDaZuwZ38Oy",
"Devices remotely connected, tracked , monitored",
"https://software-free-phone-2018.win/7a7c1101-0538-49de-925f-4f4675a5fd1f/3b0669f6-a07e-4eb8-8e2b-d0282d482c1a/?brand=Lenovo&browser=Chr",
"https://aplikacja.ceidg.gov.pl/ceidg.cms.engine/",
"https://vtbehaviour.commondatastorage.googleapis.com/d2cb7cca87c98c4d7a7eb9a40e0f00a231390cfe2f4786e161471a5ca4397a41_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1721583872&Signature=cfVN9vaAZ5UXUaFiEoATwrbKG2RNxzOu3wiH5KMlXdPxTgtpQ920ONEqOhhUb8MNxJwW3AVsCAahYTLdN3FigRPmjIClNTYz%2BoS%2BDl354Z4ZxefdKjl0HJ4%2FmGuzVTBNtc6pftGk4VMAvjgoerYhBf6Olu3ajrMT3h89lKsdBSGc6ra20Btzd%2BzY3Uh1J2gPZ%2BzZPHkTbR0OUTh3oorvIq9Fue8rDbL6PzZLxfPFEZ%2FFCRUnFo",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"Mirai - ]1.0.0.0 - Unix.Trojan.Mirai-6981169-0",
"Emotet | YouTube \u2022 Darklivity Podcast \"Unhinged Horror\"",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"MALWARE STEALER TROJAN EVADER | WEXTRACT.EXE .MUI | TXTRESSE | via https://www.virustotal.com/gui/domain/www.youtube.com",
"https://otx.alienvault.com/pulse/6694bb9be1b61bf820500004",
"CS IDS: Matches rule ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Token) Matches rule ET MALWARE [ANY.RUN] RisePro TCP v.0.x (External IP)",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"https://vtbehaviour.commondatastorage.googleapis.com/d2cb7cca87c98c4d7a7eb9a40e0f00a231390cfe2f4786e161471a5ca4397a41_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1721583838&Signature=dw6B7oYQHQ1CxhfF67YE3TZfvqWvO%2FgErgu9Ms4R462ssOAuET7%2F9guBVvhETqvO7ClziwNXLV%2F31SM7aYXjXEUOmfJtHqf5vpFUCub63bX6a1GILj%2BtbX8EmURT4JftAGT%2BwDdgQnHX3y5MvnWd9NpYE8TTYStcf%2BQOWZLWiMNe%2BSxjpsMyOG2ryZdsm7iCyH%2BWdXrvG%2Bh9ccwxPOnUOwoOxUV3hp1ifVzCkbUtYySGTom29VJ8",
"Alert: dead_host nids_malware_alert network_icmp nolookup_communication",
"https://es.pornhat.com/models/the-sex-creator/",
"Sigma \u2022 Suspicious Process Masquerading As SvcHost.EXE by Swachchhanda Shrawan Poudel",
"TXTRESSE: FileHash-SHA256 00001dd58b69582cc30a16b000bce3d96d369487444385489084719676afba4d",
"Crowdsourced YARA rules: Matches rule UPX from ruleset UPX by kevoreilly",
"Crowdsourced Signa: Schedule system process by Joe Security",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"CS IDS: Matches rule ET POLICY Possible External IP Lookup SSL Cert Observed (ipinfo.io)",
"CS IDS: Matches rule ET INFO Session Traversal Utilities for NAT (STUN Binding Request On Non-Standard High Port)",
"Crowdsourced YARA rules: Matches rule MAL_Ramnit_May19_1 from ruleset crime_nansh0u by Florian Roth (Nextron Systems)",
"https://vtbehaviour.commondatastorage.googleapis.com/e75ff18ee5c7226e225aa9959df439f1488df8cd3d43f5471361ed0426700832_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1721578437&Signature=HM1ThjLEyrQmeLst3eY3osRWxC6ETs2RVbR4uKhN5emP%2Fe3Jbf6OsLPvmoAyaPTh%2B9RLyjIrqyR3f4rwg%2B4kkyiEZCyCkGKSRvQK4zC8eMuq80kOGYcvFLPwtvcH20xe7%2FPhGk2au3z4GfauzR1s8meGtQYRDlmXZARLTB2G0tno%2FJOq8rNm7NLHvVH1MpMBoQ47RRIwE0ecUUSYXmQGMAOQVAgmigrpydiFzFYN2wYJDkmfVTmEc9kylTmQ",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"CS IDS: Matches rule ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Activity)",
"Crowdsourced YARA rules: Matches rule win_ramnit_auto from ruleset win.ramnit_auto by Felix Bilstein - yara-signator at cocacoding dot com"
],
"related": {
"alienvault": {
"adversary": [],
"malware_families": [],
"industries": [],
"unique_indicators": 0
},
"other": {
"adversary": [],
"malware_families": [
"Worm:win32/benjamin",
"Win.downloader.small-1645",
"Trojandownloader:win32/upatre",
"Win.malware.ursu-9856871-0",
"Ai:fileinfector.eaeea7850c",
"Trojan:win32/speesipro.a",
"Alf:heraklezeval:trojanspy:win32/socstealer",
"Trojandownloader:win32/cutwail.bs",
"Malware",
"Backdoor:win32/likseput.b",
"Apnic",
"Elf:ddos-y\\ [trj]",
"Trojandownloader:win32/nemucod",
"Trojan.msil.injurer.cbd",
"Pws:win32/qqpass.b!mtb",
"Win32:rmndrp [inf]",
"Trojan.crifi.1",
"Virus.ramnit/nimnul",
"Worm:win32/mofksys.rnd!mtb",
"Unix.trojan.mirai-6981169-0",
"Trojan:win32/scrarev.c",
"Wat:blacked-e",
"Trojan:win32/zombie.a",
"Virus:win32/sality.at"
],
"industries": [
"Civil society",
"Crime victims",
"Telecommunications",
"Technology",
"Media",
"Healthcare",
"Education",
"Government"
],
"unique_indicators": 71561
}
}
},
"false_positive": [],
"alexa": "http://www.alexa.com/siteinfo/amblyopiadoctor.com",
"whois": "http://whois.domaintools.com/amblyopiadoctor.com",
"domain": "amblyopiadoctor.com",
"hostname": "blog.amblyopiadoctor.com"
},
"geo": {},
"geo_ipapicom": {},
"pulse_count": 8,
"pulses": [
{
"id": "68e2bb5d9ee8577ab5519f2c",
"name": "Meritshealth with DoD links? ",
"description": "",
"modified": "2026-01-13T00:05:56.401000",
"created": "2025-10-05T18:39:25.286000",
"tags": [
"gtmk5nxqc6",
"utc amazon",
"utc na",
"acceptencoding",
"gmt contenttype",
"connection",
"true pragma",
"gmt setcookie",
"httponly",
"gmt vary",
"nc000000 up",
"html document",
"unicode text",
"utf8 text",
"oc0006 http",
"http traffic",
"https http",
"mitre att",
"control ta0011",
"protocol t1071",
"match info",
"t1573 severity",
"info",
"number",
"ja3s",
"algorithm",
"azure rsa",
"tls issuing",
"cus subject",
"stwa lredmond",
"cnmicrosoft ecc",
"update secure",
"server ca",
"omicrosoft cus",
"get http",
"dns resolutions",
"registrar",
"markmonitor inc",
"country",
"resolver domain",
"type name",
"html",
"apnic",
"apnic whois",
"please",
"rirs",
"cidr",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"development att",
"name tactics",
"binary file",
"ck matrix",
"wheelchair",
"iamrobert",
"pattern match",
"ascii text",
"href",
"united",
"general",
"local",
"path",
"encrypt",
"click",
"passive dns",
"urls",
"files",
"reverse dns",
"netherlands",
"present aug",
"a domains",
"moved",
"first pqc",
"ip address",
"unknown ns",
"unknown aaaa",
"title",
"body",
"meta",
"window",
"accept",
"body doctype",
"welcome",
"ok server",
"gmt content",
"present jul",
"present sep",
"aaaa",
"hostname",
"error",
"defense evasion",
"windows nt",
"response",
"vary",
"strings",
"core",
"t1027.013 encrypted/encoded",
"michelin lazy k",
"prefetch8",
"flag",
"date",
"starfield",
"hybrid",
"mobility cr",
"extraction",
"data upload",
"include",
"o url",
"url url",
"included i0",
"review ioc",
"excluded ic",
"suggested",
"find sugi",
"failed",
"cre pul",
"enter",
"enter sc",
"type",
"enric",
"extra",
"type opaste",
"data u",
"included",
"copy md5",
"copy sha1",
"copy sha256",
"null",
"refresh",
"tools",
"look",
"verify",
"restart",
"t1480 execution",
"expiration",
"url https",
"no expiration",
"iocs",
"ipv4",
"text drag",
"drop or",
"browse to",
"select file",
"redacted for",
"server",
"privacy tech",
"privacy admin",
"postal code",
"stateprovince",
"organization",
"email",
"code",
"quantum rooms",
"sam somalia",
"emp",
"porn",
"media defense",
"gov porn",
"suck my nips",
"reimer suspect",
"jeffrey reimer",
"dod",
"department of defense",
"show",
"date checked",
"url hostname",
"server response",
"google safe",
"results may",
"entries http",
"scans record",
"value status",
"sabey type",
"merits fake",
"y.a.s.",
"pornography",
"ramsom"
],
"references": [
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"https://meumundogay-com.sexogratis.page/locker",
"https://es.pornhat.com/models/the-sex-creator/",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"Can the DoD no questions asked target a SA victim",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"There is fear in silence or speaking out",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"If someone is believed to be a threat they have right to due process.",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"iamrobert.com Y.A.S.",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"Target agreed and complied with all lie detector measures.",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"I am very upset. Whoever is doing this is sick."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "TA0042",
"name": "Resource Development",
"display_name": "TA0042 - Resource Development"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1528",
"name": "Steal Application Access Token",
"display_name": "T1528 - Steal Application Access Token"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1562.004",
"name": "Disable or Modify System Firewall",
"display_name": "T1562.004 - Disable or Modify System Firewall"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1562.008",
"name": "Disable Cloud Logs",
"display_name": "T1562.008 - Disable Cloud Logs"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1056.003",
"name": "Web Portal Capture",
"display_name": "T1056.003 - Web Portal Capture"
},
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1180",
"name": "Screensaver",
"display_name": "T1180 - Screensaver"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "68e2b14d83bb63502feac65e",
"export_count": 17,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1365,
"URL": 11172,
"hostname": 2780,
"FileHash-MD5": 381,
"FileHash-SHA256": 4420,
"FileHash-SHA1": 338,
"CIDR": 4,
"SSLCertFingerprint": 24,
"CVE": 1,
"email": 1
},
"indicator_count": 20486,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 143,
"modified_text": "138 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "68e2b14d83bb63502feac65e",
"name": "Did the \u2018real\u2019 DoD kill Targets wheelchair as promised? It\u2019s alive again.",
"description": "I\u2019d never think the DoD would be found when researching a wheelchair company NO ONE has ever heard of in this region. \n\nA wheelchair was ordered for target early spring, it was received in early summer. \n\nSettings became a crazy mess. Suspicion was immediate as a toothless tech tried to identify if dealing w/target by birth year , quizzing, fear tactics (doomsday wheelchair) , familiar Then warns about EMP attacks against wheelchair? His son is a hacker (gamer) + software engineer. He left not knowing if target status after quizzing tech knowledge? I intentionally verbalized the truth , target was a very early adopter of Ruby & Ruby on Rails & everything tech, he dropped his tools & left breaking the arm of wheelchair. New tech needed. Later denies ever being a mobility technician. They killed a new wheelchair. Why?. You\u2019re allowed to donate your equipment Vets & uninsured NEED mobility equipment. Stop the craziness. Is it possible gamer hackers are riding the DoD w/o their knowledge?",
"modified": "2026-01-07T00:00:30.717000",
"created": "2025-10-05T17:56:29.109000",
"tags": [
"gtmk5nxqc6",
"utc amazon",
"utc na",
"acceptencoding",
"gmt contenttype",
"connection",
"true pragma",
"gmt setcookie",
"httponly",
"gmt vary",
"nc000000 up",
"html document",
"unicode text",
"utf8 text",
"oc0006 http",
"http traffic",
"https http",
"mitre att",
"control ta0011",
"protocol t1071",
"match info",
"t1573 severity",
"info",
"number",
"ja3s",
"algorithm",
"azure rsa",
"tls issuing",
"cus subject",
"stwa lredmond",
"cnmicrosoft ecc",
"update secure",
"server ca",
"omicrosoft cus",
"get http",
"dns resolutions",
"registrar",
"markmonitor inc",
"country",
"resolver domain",
"type name",
"html",
"apnic",
"apnic whois",
"please",
"rirs",
"cidr",
"learn",
"ck id",
"name tactics",
"suspicious",
"informative",
"command",
"adversaries",
"development att",
"name tactics",
"binary file",
"ck matrix",
"wheelchair",
"iamrobert",
"pattern match",
"ascii text",
"href",
"united",
"general",
"local",
"path",
"encrypt",
"click",
"passive dns",
"urls",
"files",
"reverse dns",
"netherlands",
"present aug",
"a domains",
"moved",
"first pqc",
"ip address",
"unknown ns",
"unknown aaaa",
"title",
"body",
"meta",
"window",
"accept",
"body doctype",
"welcome",
"ok server",
"gmt content",
"present jul",
"present sep",
"aaaa",
"hostname",
"error",
"defense evasion",
"windows nt",
"response",
"vary",
"strings",
"core",
"t1027.013 encrypted/encoded",
"michelin lazy k",
"prefetch8",
"flag",
"date",
"starfield",
"hybrid",
"mobility cr",
"extraction",
"data upload",
"include",
"o url",
"url url",
"included i0",
"review ioc",
"excluded ic",
"suggested",
"find sugi",
"failed",
"cre pul",
"enter",
"enter sc",
"type",
"enric",
"extra",
"type opaste",
"data u",
"included",
"copy md5",
"copy sha1",
"copy sha256",
"null",
"refresh",
"tools",
"look",
"verify",
"restart",
"t1480 execution",
"expiration",
"url https",
"no expiration",
"iocs",
"ipv4",
"text drag",
"drop or",
"browse to",
"select file",
"redacted for",
"server",
"privacy tech",
"privacy admin",
"postal code",
"stateprovince",
"organization",
"email",
"code",
"quantum rooms",
"sam somalia",
"emp",
"porn",
"media defense",
"gov porn",
"suck my nips",
"reimer suspect",
"jeffrey reimer",
"dod",
"department of defense",
"show",
"date checked",
"url hostname",
"server response",
"google safe",
"results may",
"entries http",
"scans record",
"value status",
"sabey type",
"merits fake",
"y.a.s.",
"pornography",
"ramsom"
],
"references": [
"https://www.meritshealth.com/ Defense.Gov Mobility Co? ",
"zeroeyes.host \u2022 media.defense.gov \u2022 defense.gov \u2022 23.222.155.67",
"https://media.defense.gov/2022/Mar/17/2002958406/-1/-1/1/SUMMARY-OF-THE-JOINT-ALL-DOMAIN-COMMAND-AND-CONTROL-STRATEGY.pdf",
"https://media.defense.gov/2020/jun/09/2002313081/-1/-1/0/csi-detect-and-prevent-web-shell-malware-20200422.pdf",
"https://rto.bappam.eu/ai-n2cdl/mirai-2025-ven5k-telugu-movie-watch-online.html",
"https://pornokind.vgt.pl \u2022 https://cdn2.video.itsyourporn.com",
"https://webcams.itsyourporn.com/ \u2022 https://members.itsyourporn.com/",
"https://pics-storage-1.pornhat.com/contents/albums/main/1920x1080/135000/135855/9537375.jp",
"https://static.pornhat.com/contents/videos_screenshots/642000/642793/640x360/1.jpg",
"https://d1rozh26tys225.cloudfront.net/robot-suspicion.svg (mobility company no one has heard of)",
"https://www2.itsyourporn.com/license.php \u2022 https://www.lovephoto.tw/members",
"https://members.engine.com/login \u2022 https://members.engine.com/payment-details/220210",
"https://www-pornocarioca-com.sexogratis.page/videos/bbb/ex",
"https://media.defense.gov/2024/sep/18/2003547016/-1/-1/0/csa-prc-linked-actors-botnet.pdf",
"https://maisexo-com.putaria.info/casting \u2022 https://contosadultos-club.sexogratis.page/tudo",
"https://meumundogay-com.sexogratis.page/locker",
"https://es.pornhat.com/models/the-sex-creator/",
"Dear US Government, the man who assaulted targets name is Jeffrey Scott Reimer of Chester Springs, PA",
"Can the DoD no questions asked target a SA victim",
"Red Team Abuse? Starfield ? DoD? You need a real criminal Jeffrey Reimer.",
"There\u2019s a problem with terrorizing victims, relatives of, associates of and stealing their property intellectual or otherwise",
"socialmedia \u2022 socialmedia.defense.gov \u2022 static.defense.gov",
"There is fear in silence or speaking out",
"Target left unattended by anyone in a hospital except a security guard. Hospital refused care. Ignored rare brain incident from high cervical & brain assault injuries aggravated by car accident.",
"3-4 Police presence. 25 + hospital employees prepped radiology room. No one left room so was it for her?",
"If someone is believed to be a threat they have right to due process.",
"Infectious Disease UC Health denied target medication they said she needed as questionable liquid seeped into her brain.",
"She was a researcher not a hacker. A mother not a criminal. Most talented and least impressed person I have ever known.",
"Remarks online \u2018 T\u2019*#^^ is not a runner\u2019 a size 00 broke two track records at a major universities.",
"Honestly, you\u2019ve never seen or met her no many how many people you\u2019ve sent out. That\u2019s why you quiz.",
"ftp.iamrobert.com ? \u2022 https://www.meritshealth.com/templates/iamrobert/fonts/Graphik-Regular.eot",
"iamrobert.com Y.A.S.",
"1.2016 M.Brian Sabey filed a complaint about? Jeffrey Reimer refused Lie detector test and False memory exam",
"Target agreed and complied with all lie detector measures.",
"Is the family allowed to have a funeral for Tsara or print an obituary",
"No, they put Tsara in her mom\u2019s obituary, she couldn\u2019t grieve, she had to take it down.",
"I am very upset. Whoever is doing this is sick."
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "APNIC",
"display_name": "APNIC",
"target": null
},
{
"id": "Malware",
"display_name": "Malware",
"target": null
}
],
"attack_ids": [
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1573",
"name": "Encrypted Channel",
"display_name": "T1573 - Encrypted Channel"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1069",
"name": "Permission Groups Discovery",
"display_name": "T1069 - Permission Groups Discovery"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
},
{
"id": "T1553",
"name": "Subvert Trust Controls",
"display_name": "T1553 - Subvert Trust Controls"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1568",
"name": "Dynamic Resolution",
"display_name": "T1568 - Dynamic Resolution"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1069.002",
"name": "Domain Groups",
"display_name": "T1069.002 - Domain Groups"
},
{
"id": "T1071.001",
"name": "Web Protocols",
"display_name": "T1071.001 - Web Protocols"
},
{
"id": "T1583.001",
"name": "Domains",
"display_name": "T1583.001 - Domains"
},
{
"id": "TA0042",
"name": "Resource Development",
"display_name": "TA0042 - Resource Development"
},
{
"id": "TA0005",
"name": "Defense Evasion",
"display_name": "TA0005 - Defense Evasion"
},
{
"id": "T1553.002",
"name": "Code Signing",
"display_name": "T1553.002 - Code Signing"
},
{
"id": "T1528",
"name": "Steal Application Access Token",
"display_name": "T1528 - Steal Application Access Token"
},
{
"id": "T1071.004",
"name": "DNS",
"display_name": "T1071.004 - DNS"
},
{
"id": "T1113",
"name": "Screen Capture",
"display_name": "T1113 - Screen Capture"
},
{
"id": "T1590",
"name": "Gather Victim Network Information",
"display_name": "T1590 - Gather Victim Network Information"
},
{
"id": "T1591",
"name": "Gather Victim Org Information",
"display_name": "T1591 - Gather Victim Org Information"
},
{
"id": "T1132",
"name": "Data Encoding",
"display_name": "T1132 - Data Encoding"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1457",
"name": "Malicious Media Content",
"display_name": "T1457 - Malicious Media Content"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1562.004",
"name": "Disable or Modify System Firewall",
"display_name": "T1562.004 - Disable or Modify System Firewall"
},
{
"id": "T1089",
"name": "Disabling Security Tools",
"display_name": "T1089 - Disabling Security Tools"
},
{
"id": "T1562.008",
"name": "Disable Cloud Logs",
"display_name": "T1562.008 - Disable Cloud Logs"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1056.003",
"name": "Web Portal Capture",
"display_name": "T1056.003 - Web Portal Capture"
},
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1180",
"name": "Screensaver",
"display_name": "T1180 - Screensaver"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 11,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"domain": 1328,
"URL": 9931,
"hostname": 2621,
"FileHash-MD5": 381,
"FileHash-SHA256": 4360,
"FileHash-SHA1": 338,
"CIDR": 4,
"SSLCertFingerprint": 24,
"CVE": 1,
"email": 1
},
"indicator_count": 18989,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 143,
"modified_text": "144 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "687605f986433ebf2673f0b8",
"name": "Win.Malware.Downloadguide-6803841-0 | Patient Monitoring",
"description": "Part of an elaborate, unrelenting espionage campaign , multiple compromises, targeting.\n> alf:PUA:Win32/DownloadGuide \nLink below found in previous Pulse -[http://s0.patient.media/res/f91b97f6b547405cb4370cbb003dfea2-jquery-1.11.1.min.js.gzip]\n\u2022 Win.Malware.Downloadguide-6803841-0\nYara:\nresearch_pe_signed_outside_timestamp\n\u2022\nkernel32_dll_xor_exe_key_51_key_byte_encoded \u2022\nxor_0x33_kernel32_dll \u2022 \nConcerning: {Domain\tAddress\tRegistrar\tCountry\ns0.patient.media\n-\tGoDaddy.com, LLC\nOrganization: Egton Medical Information Systems Limited\nName Server: ns34.domaincontrol.com\nCreation Date: 2015-01-12T16:20:56}\n\n{https://www.anyxxxtube.net/search-porn/tsara-brashears/}\n{https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net}\n{wallpapers-nature.com}\n{https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian}",
"modified": "2025-08-14T07:05:00.239000",
"created": "2025-07-15T07:40:41.180000",
"tags": [
"url http",
"url https",
"indicator role",
"title added",
"active related",
"pulses hostname",
"entries",
"gmt etag",
"server",
"ecacc",
"serving ip",
"address",
"dom dom",
"data upload",
"extraction",
"pdf report",
"enter",
"failed",
"extraction data",
"enter sc",
"type",
"extra data",
"extri please",
"review data",
"excluded tous",
"tui sugges",
"find",
"show",
"at filer",
"iocs",
"levelbluelabs",
"please",
"included iocs",
"excluded io",
"find suggested",
"types",
"domain data",
"search",
"o please",
"manually add",
"c data",
"o suggesteo",
"include data",
"review uus",
"u exclude",
"find s",
"indicaok data",
"dom doman",
"filehash",
"md5 add",
"pulse pulses",
"av detections",
"ids detections",
"yara detections",
"alerts",
"analysis date",
"file score",
"copy",
"push",
"copy md5",
"copy sha1",
"copy sha256",
"sha1",
"sha256",
"pattern match",
"ascii text",
"size",
"mitre att",
"utf8",
"null",
"refresh",
"body",
"span",
"hybrid",
"general",
"local",
"path",
"click",
"date",
"strings",
"error",
"tools",
"look",
"verify",
"restart",
"learn",
"command",
"ck id",
"name tactics",
"suspicious",
"informative",
"spawns",
"evasion att",
"t1480 execution",
"discovery att"
],
"references": [],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1105",
"name": "Ingress Tool Transfer",
"display_name": "T1105 - Ingress Tool Transfer"
},
{
"id": "T1480",
"name": "Execution Guardrails",
"display_name": "T1480 - Execution Guardrails"
}
],
"industries": [],
"TLP": "green",
"cloned_from": null,
"export_count": 17,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"URL": 3597,
"FileHash-MD5": 343,
"domain": 547,
"hostname": 1222,
"FileHash-SHA1": 343,
"FileHash-SHA256": 4464,
"CVE": 1,
"email": 1
},
"indicator_count": 10518,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 143,
"modified_text": "290 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6875e98438889e51b3fdd18f",
"name": "Critical \u2022 Schedule system process - Mirai | Foundry Overwatch",
"description": "",
"modified": "2025-08-14T05:04:16.839000",
"created": "2025-07-15T05:39:16.652000",
"tags": [
"win32 exe",
"country",
"include review",
"exclude",
"defense evasion",
"access ta0006",
"command",
"control ta0011",
"impact ta0040",
"impact ob0008",
"file system",
"system oc0008",
"match unknown",
"adversaries",
"match info",
"info",
"execution flow",
"t1574 dll",
"tries",
"registry",
"modify system",
"process t1543",
"unknown",
"window",
"ob0009 install",
"ob0012 install",
"insecure",
"b0047 modify",
"registry e1112",
"hidden files",
"registry run",
"keys",
"startup folder",
"f0012 file",
"critical",
"united",
"as15169",
"delete c",
"as16509",
"show",
"search",
"intel",
"ms windows",
"entries",
"medium",
"worm",
"copy",
"write",
"explorer",
"malware",
"next",
"present jul",
"status",
"date",
"ip address",
"domain",
"servers",
"showing",
"unknown ns",
"related pulses",
"pulses",
"tags",
"related tags",
"more file",
"type",
"date april",
"am size",
"sha1 sha256",
"as14618",
"united kingdom",
"as54113",
"as15133 verizon",
"top source",
"top destination",
"status domain",
"ip whitelisted",
"whitelisted",
"tcp include",
"source source",
"oamazon",
"cnamazon rsa",
"odigicert inc",
"sweden as20940",
"as20940",
"entries tls",
"ip destination",
"encrypt",
"aaaa",
"found",
"certificate",
"next associated",
"urls show",
"date checked",
"error",
"windows",
"high",
"yara detections",
"installs",
"checks",
"filehash",
"sha256 add",
"themida",
"data upload",
"extraction",
"md5 add",
"av detections",
"ids detections",
"alerts",
"analysis date",
"file score",
"win32",
"ddos",
"passive dns",
"activity",
"checkin",
"win64",
"mtb jan",
"lowfi",
"trojan",
"ransom",
"trojandropper",
"yara",
"nsis",
"nss bv",
"su data",
"windo alerts",
"andariel",
"malware traffic",
"nids",
"icmp traffic",
"dns query",
"id deadhost",
"connects",
"andariel high",
"richhash",
"external",
"virustotal api",
"screenshots",
"failed",
"auurtonany data",
"themida andarie",
"present may",
"japan unknown",
"unknown cname",
"domain add",
"urls",
"files",
"http headers",
"msie",
"windows nt",
"tcp syn",
"resolverror",
"externalport",
"internalport",
"wget command",
"devices home",
"execution",
"foundry",
"home networks",
"mirai",
"x.com",
"porn",
"monitored target",
"d link",
"targets"
],
"references": [
"TJprojMain.exe {79c7303a1a49b85569245a8ca1c1a26be720387845af9391fa1e4677308bd6b6}",
"Crowdsourced Signa: Schedule system process by Joe Security",
"Sigma \u2022 Suspicious Process Masquerading As SvcHost.EXE by Swachchhanda Shrawan Poudel",
"Sigma \u2022 System File Execution Location Anomaly by Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali (Nextron Systems)",
"Yara \u2022 NSIS from ruleset NSIS by kevoreilly",
"Yara \u2022 rule SUSP_Imphash_Mar23_2 from ruleset gen_imphash_detection by Arnim Rupp (https://github.com/ruppde)",
"Yara \u2022 Windows_Generic_Threat_7526f106 from ruleset Windows_Generic_Threat by Elastic Security",
"Alerts: persistence_autorun \u2022 persistence_autorun_tasks stealth_hiddenreg \u2022 suspicious_command",
"IDS : Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI",
"Mirai - ]1.0.0.0 - Unix.Trojan.Mirai-6981169-0",
"*Themida_2xx. Oreans,Technologies",
"*Andariel Backdoor Activity (Checkin)",
"Alert: dead_host nids_malware_alert network_icmp nolookup_communication",
"IDS: WGET Command Specifying Output in HTTP Headers",
"IDS: D-Link Devices Home Network Administration Protocol Command Execution",
"foundry2-lbl.dvr.dn2.n-helix.com \u2022 http://foundry2sdbl.dvr.dn2.n-helix.com \u2022 https://foundry2sdbl",
"https://xn--72c9abh1f8ad1lzc.com/video_tag/pornthai/ \u2022 https://ro.theskinnyfoodco.com/en-fr/blogs/recipes/pornstar-martini-recipe \u2022 m.pornsexer.xxx.3.1.adiosfil.roksit.net",
"x.com \u2022 nr-data.net \u2022 apple.k8s.joewa.com",
"http://apple.cc.lvlid.com/ \u2022 http://apple.cc.lvlid.com/ios/ \u2022 http://www.apple.cc.lvlid.com/ios",
"Devices remotely connected, tracked , monitored"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "Worm:Win32/Mofksys.RND!MTB",
"display_name": "Worm:Win32/Mofksys.RND!MTB",
"target": "/malware/Worm:Win32/Mofksys.RND!MTB"
},
{
"id": "Unix.Trojan.Mirai-6981169-0",
"display_name": "Unix.Trojan.Mirai-6981169-0",
"target": null
},
{
"id": "Win.Malware.Ursu-9856871-0",
"display_name": "Win.Malware.Ursu-9856871-0",
"target": null
},
{
"id": "ELF:DDoS-Y\\ [Trj]",
"display_name": "ELF:DDoS-Y\\ [Trj]",
"target": null
}
],
"attack_ids": [
{
"id": "T1010",
"name": "Application Window Discovery",
"display_name": "T1010 - Application Window Discovery"
},
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "T1036",
"name": "Masquerading",
"display_name": "T1036 - Masquerading"
},
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
},
{
"id": "T1057",
"name": "Process Discovery",
"display_name": "T1057 - Process Discovery"
},
{
"id": "T1070",
"name": "Indicator Removal on Host",
"display_name": "T1070 - Indicator Removal on Host"
},
{
"id": "T1071",
"name": "Application Layer Protocol",
"display_name": "T1071 - Application Layer Protocol"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1083",
"name": "File and Directory Discovery",
"display_name": "T1083 - File and Directory Discovery"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1129",
"name": "Shared Modules",
"display_name": "T1129 - Shared Modules"
},
{
"id": "T1134",
"name": "Access Token Manipulation",
"display_name": "T1134 - Access Token Manipulation"
},
{
"id": "T1485",
"name": "Data Destruction",
"display_name": "T1485 - Data Destruction"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1543",
"name": "Create or Modify System Process",
"display_name": "T1543 - Create or Modify System Process"
},
{
"id": "T1547",
"name": "Boot or Logon Autostart Execution",
"display_name": "T1547 - Boot or Logon Autostart Execution"
},
{
"id": "T1562",
"name": "Impair Defenses",
"display_name": "T1562 - Impair Defenses"
},
{
"id": "T1564",
"name": "Hide Artifacts",
"display_name": "T1564 - Hide Artifacts"
},
{
"id": "T1574",
"name": "Hijack Execution Flow",
"display_name": "T1574 - Hijack Execution Flow"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
},
{
"id": "T1512",
"name": "Capture Camera",
"display_name": "T1512 - Capture Camera"
},
{
"id": "T1125",
"name": "Video Capture",
"display_name": "T1125 - Video Capture"
},
{
"id": "T1449",
"name": "Exploit SS7 to Redirect Phone Calls/SMS",
"display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS"
}
],
"industries": [
"Healthcare",
"Technology"
],
"TLP": "white",
"cloned_from": null,
"export_count": 23,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Q.Vashti",
"id": "337942",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-MD5": 448,
"FileHash-SHA1": 435,
"FileHash-SHA256": 5851,
"hostname": 2580,
"domain": 1176,
"URL": 7133,
"SSLCertFingerprint": 30,
"email": 3,
"CVE": 3
},
"indicator_count": 17659,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 144,
"modified_text": "290 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "66d0a996b288ca46ab7e63ae",
"name": "CEIDG (www.pitprojekt.pl , pitprojekt.pl) jak otworzy\u0107 firm\u0119, jak rozpocz\u0105\u0107 biznes, dzia\u0142alno\u015b\u0107 gospodarcza zak\u0142adanie, jak rozpocz\u0105\u0107 dzia\u0142alno\u015b\u0107 gospodarcz\u0105",
"description": "Zawarte zasoby wed\u0142ug j\u0119zyka \u00c2\u00a31.1bn, a total of 7.4bn euros ($9.6bn; \u00a36.3bn)",
"modified": "2024-12-05T21:16:06.820000",
"created": "2024-08-29T17:02:13.392000",
"tags": [
"admin",
"asset",
"dufur",
"jnswj",
"3px center",
"saxla",
"zjloj",
"whasz htm",
"oszczdno",
"png ikona",
"rt angielski",
"angielski usa",
"wersja rt",
"narzuta chi2",
"plik",
"whasz",
"bogaty hash",
"sha256",
"ssdeep",
"schema",
"strings",
"guid",
"blob",
"sha256 file",
"type type",
"vhash",
"imphash",
"bvgquf",
"cblrxf",
"coqbmf",
"efq78c",
"gkrikb",
"hdvrde",
"hlo3ef",
"izt63",
"jnoxi",
"kg2exe",
"pejzasz",
"rticon english",
"english us",
"chi2",
"png rticon",
"ico rtgroupicon",
"code signing",
"algorithm",
"serial number",
"sectigo public",
"thumbprint",
"rsa time",
"valid from",
"name sectigo",
"valid",
"valid usage",
"ascii text",
"neutral",
"data rtcursor",
"data rtdialog",
"default",
"rticon maori",
"ceidg",
"informacja o",
"usugi",
"z wniosek",
"sprawd",
"zarejestruj spk",
"centralna",
"ewidencja",
"strona gwna",
"formularze i",
"sha1",
"pehash",
"richhash",
"authentihash",
"skrt",
"system",
"podaj",
"windows z",
"kreator",
"dostawca",
"wifi",
"nazwa typ",
"md5 nazwa",
"imphasz",
"kropelka",
"smyczki",
"zasb manifestu",
"neutralny",
"ikona rt",
"zawarte zasoby",
"md5 chi2",
"ikonagrupyrt",
"rtmanifest",
"zawarte",
"sha256 typ"
],
"references": [
"https://aplikacja.ceidg.gov.pl/ceidg.cms.engine/"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
}
],
"industries": [],
"TLP": "white",
"cloned_from": null,
"export_count": 16,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Arek-BTC",
"id": "212764",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_212764/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 4501,
"URL": 4559,
"hostname": 1957,
"domain": 729,
"FileHash-MD5": 903,
"FileHash-SHA1": 849,
"IPv4": 180,
"email": 3,
"IPv6": 2,
"CVE": 1
},
"indicator_count": 13684,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 125,
"modified_text": "541 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "670c5ff728e6e5b891e26e45",
"name": "IOC",
"description": "",
"modified": "2024-10-14T00:04:07.913000",
"created": "2024-10-14T00:04:07.913000",
"tags": [
"admin",
"asset",
"dufur",
"jnswj",
"3px center",
"saxla",
"zjloj",
"whasz htm",
"oszczdno",
"png ikona",
"rt angielski",
"angielski usa",
"wersja rt",
"narzuta chi2",
"plik",
"whasz",
"bogaty hash",
"sha256",
"ssdeep",
"schema",
"strings",
"guid",
"blob",
"sha256 file",
"type type",
"vhash",
"imphash",
"bvgquf",
"cblrxf",
"coqbmf",
"efq78c",
"gkrikb",
"hdvrde",
"hlo3ef",
"izt63",
"jnoxi",
"kg2exe",
"pejzasz",
"rticon english",
"english us",
"chi2",
"png rticon",
"ico rtgroupicon",
"code signing",
"algorithm",
"serial number",
"sectigo public",
"thumbprint",
"rsa time",
"valid from",
"name sectigo",
"valid",
"valid usage",
"ascii text",
"neutral",
"data rtcursor",
"data rtdialog",
"default",
"rticon maori",
"ceidg",
"informacja o",
"usugi",
"z wniosek",
"sprawd",
"zarejestruj spk",
"centralna",
"ewidencja",
"strona gwna",
"formularze i",
"sha1",
"pehash",
"richhash",
"authentihash",
"skrt",
"system",
"podaj",
"windows z",
"kreator",
"dostawca",
"wifi",
"nazwa typ",
"md5 nazwa",
"imphasz",
"kropelka",
"smyczki",
"zasb manifestu",
"neutralny",
"ikona rt",
"zawarte zasoby",
"md5 chi2",
"ikonagrupyrt",
"rtmanifest",
"zawarte",
"sha256 typ"
],
"references": [
"https://aplikacja.ceidg.gov.pl/ceidg.cms.engine/"
],
"public": 1,
"adversary": "",
"targeted_countries": [],
"malware_families": [],
"attack_ids": [
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
}
],
"industries": [],
"TLP": "white",
"cloned_from": "66d0a996b288ca46ab7e63ae",
"export_count": 15,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "WayneState",
"id": "296756",
"avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 4243,
"URL": 4550,
"hostname": 1957,
"domain": 729,
"FileHash-MD5": 801,
"FileHash-SHA1": 747,
"IPv4": 180,
"email": 3,
"IPv6": 2
},
"indicator_count": 13212,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 4,
"modified_text": "594 days ago ",
"is_modified": false,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "669ac41b3186b8cc8c40e9e3",
"name": "Powershell",
"description": "Matches rule PowerShell Module File Created By Non-PowerShell Process by Nasreddine Bencherchali\nDetects creation of a new PowerShell module \".psm1\", \".psd1\", \".dll\", \".ps1\", etc. by a non-PowerShell process\n\nFilescan.io\nWindowsPowerShell.zip\napplication/zip\nMD5:\n07d37fc575e373f878ae3c7cca2bfc25\nSHA1:\na2fc89aba12f8739184d44d0fffbe6323d9654eb\nSHA256:\ne75ff18ee5c7226e225aa9959df439f1488df8cd3d43f5471361ed0426700832\nSHA512:\n36dc7349d052cd474818a6ae3149eda469d829cf2e4d9a0e55252468cdf9e9704d5293b8b4f73b4a25b07f8c8dd8eeab2ed18bbb1ff7d76958b51eb555562339\n\nTriage:\nhttps://tria.ge/240719-taxv5aydlj\nhttps://tria.ge/240719-tfpfyasdqh\nhttps://tria.ge/240719-tj9laasfke\nhttps://tria.ge/240719-tnb6kssgmc\nhttps://tria.ge/240719-trwpdsshqh\nhttps://tria.ge/240719-tv84wstbkg\nhttps://tria.ge/240719-t1hh5atcpd\nhttps://tria.ge/240719-t7wpbszgkl\n\nMalcore: https://app.malcore.io/share/652553f6aec33d70a1dbbd25/669993193506cdb760b3f36a\n\nKaspersky: E75FF18EE5C7226E225AA9959DF439F1488DF8CD3D43F5471361ED0426700832",
"modified": "2024-09-01T17:02:12.379000",
"created": "2024-07-19T19:52:59.626000",
"tags": [],
"references": [
"https://www.virustotal.com/gui/collection/9d356233d4019b57b09902b22067bcbc11c1b5df759daaf494d859f540aaa399/summary",
"https://www.virustotal.com/gui/collection/9d356233d4019b57b09902b22067bcbc11c1b5df759daaf494d859f540aaa399/iocs",
"https://www.virustotal.com/gui/collection/9d356233d4019b57b09902b22067bcbc11c1b5df759daaf494d859f540aaa399/graph",
"https://www.virustotal.com/graph/embed/g4d28c765e54941129dbbf8d4a8dc25bb3b5452f14e0a4886a0af0c2991188611?theme=dark",
"https://www.virustotal.com/gui/file/e75ff18ee5c7226e225aa9959df439f1488df8cd3d43f5471361ed0426700832/relations",
"https://vtbehaviour.commondatastorage.googleapis.com/e75ff18ee5c7226e225aa9959df439f1488df8cd3d43f5471361ed0426700832_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1721578339&Signature=fTYUE3KoGSnr2%2BSrv9dZpgk3uXJc2rf%2BQeCyhAVDWiuiHGaYqhFHfgzQD2KheomXUSHne5MCvS9XH1LGW7Xhrg7CIG0gEe5cVjxrkmumne%2B%2Fd%2FBQagomnCKzfbwdExaO45sfA9rz4eQtyfLzFifYoRXDRtJK7P%2BNmISkv0Qz9FGIgXrrPDvmwJevgry%2FaMfiTEa2%2BxSDdWf9e6kdZW5YBVuxEdpGowcPsPEkpbdiSG12pG",
"https://vtbehaviour.commondatastorage.googleapis.com/e75ff18ee5c7226e225aa9959df439f1488df8cd3d43f5471361ed0426700832_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1721578437&Signature=HM1ThjLEyrQmeLst3eY3osRWxC6ETs2RVbR4uKhN5emP%2Fe3Jbf6OsLPvmoAyaPTh%2B9RLyjIrqyR3f4rwg%2B4kkyiEZCyCkGKSRvQK4zC8eMuq80kOGYcvFLPwtvcH20xe7%2FPhGk2au3z4GfauzR1s8meGtQYRDlmXZARLTB2G0tno%2FJOq8rNm7NLHvVH1MpMBoQ47RRIwE0ecUUSYXmQGMAOQVAgmigrpydiFzFYN2wYJDkmfVTmEc9kylTmQ",
"https://vtbehaviour.commondatastorage.googleapis.com/460264c62a85a79d25424920b7b80763354151146da5cba933c198ebbe9a0588_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1721583501&Signature=igubOWmez%2BKPjBiU2Af7vHhJ5SwgwsKaafuyzobymmqUDs%2F8vkuh1A%2BbsMADWo0B%2FBEZht3BD%2B1%2FvItWrcfBgja57sMCBln9vBXfK7nCclcy9%2BeujGu7wlQLlhyfAeGNd8suRdK8x4WrJJ5bdqfAh7Ns0mOjPliF9uu3UJ9I7qH6N5IAd%2Bkb8h7Xce%2F%2BavnF8jLmHHwwCP5ILzgNRc94rmrWFp5eXzxQ3aHd9btY2D",
"https://vtbehaviour.commondatastorage.googleapis.com/e6f203e988e7aa801739359c6222dcb181d290fc10de5f61d354d43f8557daa0_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1721583905&Signature=QPgFBr8MN1iCe8SwxWZ4BgTfkaViEC4PHLzUrGQ3Jdndo8Z44osVc0CIRcnkJJtNDFU03AM82A8wJ2jMjaFYoEbthsaxPWWufSulM8nS%2BU8RoCr04jUq5GnAWPVNjxukSTbgD0F7pUSf0pVaFwwvpSWCQ6hedQEwF52DQyViV8u9UDOeLii4rkmRlMfMlGIsxIP4CEwy0Gy8Q7Lw6FX8cxG%2FehoJatyiwaFdwwbbLbnu2lQHDaZuwZ38Oy",
"https://vtbehaviour.commondatastorage.googleapis.com/460264c62a85a79d25424920b7b80763354151146da5cba933c198ebbe9a0588_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1721583790&Signature=K2lWpuyPxZ8FgvBVeyB6hsfMbuIBkRXd522JtGonUcHxxtwoomV2fuuFbXC5edVAoGPuZJ24D%2Fv7rEHOHYCS2347F4Mq0VQr0PQt68rfbA8DBHTGs1XBS3QFLveflOjIkNzmhJWg23fuvM%2F1Ci0jSxKnR5XeURTArrkbf5eYA72p4QUFMKDgYO6kRpNXHLuDocJdXWjM7AiQ7ZBQdx%2F%2FeNZgb7k7s%2FPTzGuZ%2FTgEvxiGAiaV6PghFIIPSj",
"https://vtbehaviour.commondatastorage.googleapis.com/3a498e611cdc305e0ce67b68971ebc9e8b8aa575e9de08ae4bb081e1f6b87945_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1721583388&Signature=L5dgUL09kvWOiINZMa%2FvgcDAW5AFV%2Fqie184iaXQKGccuTzwDYsyx0%2BhI%2FxOXIkON%2Bw0RoRuoasFag44WeapuTjlnv8di%2FZ8iWJdeRGqWOdJ8P4EAPZIICsU%2BxjXP%2BzOSNTz5tcekdSceS%2BkTyDYMO%2F9QxZVwsIV1WnvZaGiR%2BOKIfs4YFXgeGWc23ktkKxbRfeKQY1kFyHTh8Re3lBLC%2Fkq%2FExvl7kqxKIebqquWmo%",
"https://vtbehaviour.commondatastorage.googleapis.com/d2cb7cca87c98c4d7a7eb9a40e0f00a231390cfe2f4786e161471a5ca4397a41_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1721583872&Signature=cfVN9vaAZ5UXUaFiEoATwrbKG2RNxzOu3wiH5KMlXdPxTgtpQ920ONEqOhhUb8MNxJwW3AVsCAahYTLdN3FigRPmjIClNTYz%2BoS%2BDl354Z4ZxefdKjl0HJ4%2FmGuzVTBNtc6pftGk4VMAvjgoerYhBf6Olu3ajrMT3h89lKsdBSGc6ra20Btzd%2BzY3Uh1J2gPZ%2BzZPHkTbR0OUTh3oorvIq9Fue8rDbL6PzZLxfPFEZ%2FFCRUnFo",
"https://vtbehaviour.commondatastorage.googleapis.com/d2cb7cca87c98c4d7a7eb9a40e0f00a231390cfe2f4786e161471a5ca4397a41_Zenbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1721583838&Signature=dw6B7oYQHQ1CxhfF67YE3TZfvqWvO%2FgErgu9Ms4R462ssOAuET7%2F9guBVvhETqvO7ClziwNXLV%2F31SM7aYXjXEUOmfJtHqf5vpFUCub63bX6a1GILj%2BtbX8EmURT4JftAGT%2BwDdgQnHX3y5MvnWd9NpYE8TTYStcf%2BQOWZLWiMNe%2BSxjpsMyOG2ryZdsm7iCyH%2BWdXrvG%2Bh9ccwxPOnUOwoOxUV3hp1ifVzCkbUtYySGTom29VJ8",
"https://vtbehaviour.commondatastorage.googleapis.com/3a498e611cdc305e0ce67b68971ebc9e8b8aa575e9de08ae4bb081e1f6b87945_CAPE%20Sandbox.html?GoogleAccessId=758681729565-rc7fgq07icj8c9dm2gi34a4cckv235v1@developer.gserviceaccount.com&Expires=1721583383&Signature=N7snLsiqkPikwYU0zKl8QxasbcLXiGFXIFaIVT%2FEvzaLWUbnPEkuvuuOAxz9la0bmVndAimDsaexUgrGErDmDbBZ46apRuUnYH3GwBNvZ3YaBIVII4IfP8kDN%2Bi2b3meTPaoyhnWR4UIuYord2Ejg5nAYQ3FJxv4KKyrm8NTlU1cEHTpiBToFL3AVBUOHvCUQ4T1wRMpgO6%2FmyokYYZl8GZa4tjpI%2BncAIOTAfOZePVQ7sAnKHmckU",
"https://viz.greynoise.io/analysis/b5c2d562-eee0-46cb-8696-0585e3ce27b8"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America",
"Canada"
],
"malware_families": [],
"attack_ids": [
{
"id": "T1055",
"name": "Process Injection",
"display_name": "T1055 - Process Injection"
},
{
"id": "T1574.002",
"name": "DLL Side-Loading",
"display_name": "T1574.002 - DLL Side-Loading"
},
{
"id": "T1082",
"name": "System Information Discovery",
"display_name": "T1082 - System Information Discovery"
},
{
"id": "T1497",
"name": "Virtualization/Sandbox Evasion",
"display_name": "T1497 - Virtualization/Sandbox Evasion"
},
{
"id": "T1518.001",
"name": "Security Software Discovery",
"display_name": "T1518.001 - Security Software Discovery"
},
{
"id": "T1010",
"name": "Application Window Discovery",
"display_name": "T1010 - Application Window Discovery"
},
{
"id": "T1070.006",
"name": "Timestomp",
"display_name": "T1070.006 - Timestomp"
},
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"display_name": "T1562.001 - Disable or Modify Tools"
},
{
"id": "T1056",
"name": "Input Capture",
"display_name": "T1056 - Input Capture"
}
],
"industries": [
"Education",
"Government",
"Healthcare",
"Telecommunications"
],
"TLP": "white",
"cloned_from": null,
"export_count": 14,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 1,
"follower_count": 0,
"vote": 0,
"author": {
"username": "Disable_Duck",
"id": "244325",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 4402,
"URL": 1463,
"domain": 621,
"hostname": 1159,
"FileHash-MD5": 423,
"FileHash-SHA1": 423
},
"indicator_count": 8491,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 135,
"modified_text": "637 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
},
{
"id": "6695e27f356a22d97fba5ca8",
"name": "Critical attack/s continues to affect YouTube Creator/s account/s",
"description": "Related to YouTube creator/s attack/s. Found as part of Jays Youtube Bot.exe and YouTube bots.\nFull CnC, access and id devices. Redirects views, resells. spoofs, binds and/or accounts. FRAUD! \nReference: YARA Signature Match - THOR APT Scanner\nRULE: SUSP_Wextract_Anomaly_Unsigned_May23\nRULE_SET: Livehunt - Suspicious290 Indicators \ud83c\udff9\nRULE_TYPE: THOR APT Scanner's rule set only \ud83d\udd28\nRULE_LINK: https://valhalla.nextron-systems.com/info/rule/SUSP_Wextract_Anomaly_Unsigned_May23\nDESCRIPTION: Detects an anomalous unsigned wextract that contains additional code and has been seen abused to deliver malware\nREFERENCE: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/deconstructing-amadeys-latest-multi-stage-attack-and-malware-distribution/\nRULE_AUTHOR: X__Junior\nThor for details #susp_wextract_anomaly_unsigned_may23",
"modified": "2024-08-15T02:00:24.886000",
"created": "2024-07-16T03:01:17.316000",
"tags": [
"win32 exe",
"wextract",
"kb file",
"files",
"file type",
"javascript",
"graph",
"ip detections",
"country",
"userprofile",
"runtime modules",
"samplepath",
"delnoderundll32",
"mpgph131 hr",
"hourly rl",
"highest c",
"mpgph131 lg",
"onlogon rl",
"highest",
"process",
"registrya",
"registry keys",
"registry",
"windows policy",
"shell folders",
"file execution",
"binary data",
"security center",
"text c",
"peexe c",
"xml c",
"zip c",
"file system",
"written c",
"dropped",
"hashes",
"windows nt",
"wow64",
"referer https",
"date thu",
"get https",
"request",
"gecko response",
"gmt connection",
"gmt vary",
"etag",
"accept",
"win64",
"query",
"windows get",
"internal",
"set file",
"create",
"create process",
"windows read",
"shutdown system",
"modify access",
"delete registry",
"enumerate",
"behavior tags",
"k0pmbc",
"spsfsb",
"ctsu",
"efq78c",
"egw7od",
"en3i8d",
"i6ydgd",
"iz1fbc",
"izt63",
"kum7z",
"vs2003",
"sp1 build",
"contained",
"info compiler",
"products",
"header intel",
"name md5",
"type",
"language",
"simplified",
"army",
"variant sides",
"with russia",
"ramnit",
"netsupport rat",
"sneaky server",
"replacement",
"unauthorized",
"sim unlock",
"emotet",
"chaos",
"malicious",
"critical",
"copy",
"life",
"pe32",
"intel",
"ms windows",
"ms visual",
"win32 dynamic",
"link library",
"win16 ne",
"pe32 compiler",
"cc linker",
"urls",
"gandi sas",
"domains",
"cloudflare",
"ii llc",
"psiusa",
"domain robot",
"ltd dba",
"com laude",
"ascio",
"contacted",
"ms word",
"document",
"b file",
"html",
"javascript jac",
"html iu3",
"executed by usa",
"#wextract",
"#unsigned",
"thor",
"stealer",
"evader",
"systemroot",
"grum",
"high",
"delete c",
"cape",
"write",
"103 read",
"clsid read",
"date read",
"trojan",
"united",
"unknown",
"status",
"cname",
"creation date",
"search",
"as1921",
"austria unknown",
"emails",
"expiration date",
"date",
"pragma",
"next",
"passive dns",
"backdoor",
"win32",
"scan endpoints",
"all scoreblue",
"ipv4",
"usa",
"co",
"teams",
"cybercrime",
"spoof",
"benjamin",
"dynamicloader",
"write c",
"pe32 executable",
"show",
"yara rule",
"windows",
"recon",
"worm",
"powershell",
"june",
"delphi",
"malware",
"malice",
"retaliation",
"through the nights",
"apple",
"lenovo",
"ios",
"hackers",
"move",
"moved"
],
"references": [
"WEXTRACT.EXE .MUI: FileHash-SHA256 00e5aefb5ffd357e995d1a4ee30735a692780b203cd58e6239637471047d51a4",
"MALWARE STEALER TROJAN EVADER | WEXTRACT.EXE .MUI | TXTRESSE | via https://www.virustotal.com/gui/domain/www.youtube.com",
"CS Sigma: Matches rule Suspicious DNS Query for IP Lookup Service APIs by Brandon George (blog post), Thomas Patzke",
"Critical CS Sigma: Matches rule Suspicious Double Extension File Execution by Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems)",
"^ by Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems) ^",
"CS Sigma: Matches rule Disable Windows Defender Functionalities Via Registry Keys by AlertIQ, J\u00e1n Tren\u010dansk\u00fd, frack113, Nasreddine Bencherchali, Swachchhanda Shrawan",
"CS Sigma: Matches rule Chromium Browser Instance Executed With Custom Extension by Aedan Russell, frack113, X__Junior (Nextron Systems)",
"CS Sigma: Matches rule Suspicious Add Scheduled Task Parent by Florian Roth (Nextron Systems)",
"CS Sigma: Matches rule Suspicious Schtasks Schedule Type With High Privileges by Nasreddine Bencherchali (Nextron Systems)",
"CS Sigma: Matches rule Scheduled Task Creation by Florian Roth (Nextron Systems)",
"CS IDS: Matches rule (stream_tcp) data sent on stream not accepting data",
"CS IDS: Matches rule (http_inspect) HTTP response has UTF character set that failed to normalize",
"CS IDS: Matches rule ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Exfiltration)",
"CS IDS: Matches rule ET INFO Session Traversal Utilities for NAT (STUN Binding Request On Non-Standard High Port)",
"CS IDS: Matches rule ET POLICY Possible External IP Lookup SSL Cert Observed (ipinfo.io)",
"CS IDS: Matches rule ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Token) Matches rule ET MALWARE [ANY.RUN] RisePro TCP v.0.x (External IP)",
"CS IDS: Matches rule ET MALWARE [ANY.RUN] RisePro TCP v.0.x (Activity)",
"CS IDS: Matches rule ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent",
"CS IDS: Matches rule ET MALWARE Suspected RisePro TCP Heartbeat Packet",
"CS IDS: Matches rule ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)",
"CS IDS: Matches rule ET MALWARE Win32/Ramnit Checkin Matches rule MALWARE-CNC Win.Trojan.Ramnit variant outbound detected",
"TXTRESSE: FileHash-SHA256 00001dd58b69582cc30a16b000bce3d96d369487444385489084719676afba4d",
"Crowdsourced YARA rules: Matches rule UPX from ruleset UPX by kevoreilly",
"Crowdsourced YARA rules: Matches rule win_ramnit_auto from ruleset win.ramnit_auto by Felix Bilstein - yara-signator at cocacoding dot com",
"Crowdsourced YARA rules: Matches rule MAL_Ramnit_May19_1 from ruleset crime_nansh0u by Florian Roth (Nextron Systems)",
"Crowdsourced IDS rules: Matches rule: MALWARE-CNC Win.Trojan.Ramnit variant outbound detected",
"Crowdsourced IDS rules: Matches rule: (port_scan) UDP filtered",
"Crowdsourced IDS rules: Matches rule: ET MALWARE Win32/Ramnit Checkin | Matches rule ET DNS Query for .cc TLD",
"https://www.nextron-systems.com/notes-on-virustotal-matches/",
"TrojanDownloader:Win32/Upatre , Virus:Win32/Sality.AT , Win.Downloader.Small-1645",
"Antivirus Detections: Backdoor:Win32/Likseput.B , PWS:Win32/QQpass.B!MTB , Trojan:Win32/Scrarev.C , Trojan:Win32/Speesipro.A , Trojan:Win32/Zombie.A , TrojanDownloader:Win32/Cutwail.BS , TrojanDownloader:Win32/Nemucod ,",
"IDS Detections: Backdoor.Win32.Pushdo.s Checkin Backdoor.Win32.Pushdo.s Checkin Suspicious csrss.exe in URI",
"https://www.virustotal.com/gui/file/00e5aefb5ffd357e995d1a4ee30735a692780b203cd58e6239637471047d51a4/detection",
"Jays Youtube Bot.exe > FileHash-SHA256 00514527e00ee001d042",
"https://www.youtube.com/watch?v=ucEkWcFuH0Y&list=TLPQMDgwNjIwMjKO_xApd0GzPQ&index=2",
"https://www.youtube.com/watch?v=GyuMozsVyYs",
"Emotet | YouTube \u2022 Darklivity Podcast \"Unhinged Horror\"",
"https://otx.alienvault.com/pulse/6694bb9be1b61bf820500004",
"http://193.233.132.62/hera/amadka.exe | https://www.info-only-men.com/landing/mlp88g?subPublisher=popunder:eu-adsrv.rtbsuperhub.com&zone=popunder:eu-adsrv.rtbsuperhub.com&",
"https://software-free-phone-2018.win/62ae8f9b-d0cb-4b4c-8318-dd7900e1d092/e29481e9-a792-46a8-bbf0-188ed2a816ae/?brand=Apple&browser=Safari&btd=dHJr",
"nr-data.net [Apple Private Data Collection]",
"https://rector-fitiology.icu/99c8d3a6-be16-421a-87a8-40701eae8149?zoneid=6543079&bannerid=18710758&browser=chrome&os=ios&devic",
"https://software-free-phone-2018.win/7a7c1101-0538-49de-925f-4f4675a5fd1f/3b0669f6-a07e-4eb8-8e2b-d0282d482c1a/?brand=Lenovo&browser=Chr"
],
"public": 1,
"adversary": "",
"targeted_countries": [
"United States of America"
],
"malware_families": [
{
"id": "WAT:Blacked-E",
"display_name": "WAT:Blacked-E",
"target": null
},
{
"id": "Win32:RmnDrp [Inf]",
"display_name": "Win32:RmnDrp [Inf]",
"target": null
},
{
"id": "AI:FileInfector.EAEEA7850C",
"display_name": "AI:FileInfector.EAEEA7850C",
"target": null
},
{
"id": "Virus.Ramnit/Nimnul",
"display_name": "Virus.Ramnit/Nimnul",
"target": null
},
{
"id": "Trojan.Crifi.1",
"display_name": "Trojan.Crifi.1",
"target": null
},
{
"id": "Trojan.MSIL.Injurer.cbd",
"display_name": "Trojan.MSIL.Injurer.cbd",
"target": null
},
{
"id": "Win.Downloader.Small-1645",
"display_name": "Win.Downloader.Small-1645",
"target": null
},
{
"id": "Trojan:Win32/Scrarev.C",
"display_name": "Trojan:Win32/Scrarev.C",
"target": "/malware/Trojan:Win32/Scrarev.C"
},
{
"id": "Trojan:Win32/Zombie.A",
"display_name": "Trojan:Win32/Zombie.A",
"target": "/malware/Trojan:Win32/Zombie.A"
},
{
"id": "Trojan:Win32/Speesipro.A",
"display_name": "Trojan:Win32/Speesipro.A",
"target": "/malware/Trojan:Win32/Speesipro.A"
},
{
"id": "Virus:Win32/Sality.AT",
"display_name": "Virus:Win32/Sality.AT",
"target": "/malware/Virus:Win32/Sality.AT"
},
{
"id": "TrojanDownloader:Win32/Upatre",
"display_name": "TrojanDownloader:Win32/Upatre",
"target": "/malware/TrojanDownloader:Win32/Upatre"
},
{
"id": "TrojanDownloader:Win32/Cutwail.BS",
"display_name": "TrojanDownloader:Win32/Cutwail.BS",
"target": "/malware/TrojanDownloader:Win32/Cutwail.BS"
},
{
"id": "TrojanDownloader:Win32/Nemucod",
"display_name": "TrojanDownloader:Win32/Nemucod",
"target": "/malware/TrojanDownloader:Win32/Nemucod"
},
{
"id": "PWS:Win32/QQpass.B!MTB",
"display_name": "PWS:Win32/QQpass.B!MTB",
"target": "/malware/PWS:Win32/QQpass.B!MTB"
},
{
"id": "Backdoor:Win32/Likseput.B",
"display_name": "Backdoor:Win32/Likseput.B",
"target": "/malware/Backdoor:Win32/Likseput.B"
},
{
"id": "Worm:Win32/Benjamin",
"display_name": "Worm:Win32/Benjamin",
"target": "/malware/Worm:Win32/Benjamin"
},
{
"id": "ALF:HeraklezEval:TrojanSpy:Win32/SocStealer",
"display_name": "ALF:HeraklezEval:TrojanSpy:Win32/SocStealer",
"target": null
}
],
"attack_ids": [
{
"id": "T1027",
"name": "Obfuscated Files or Information",
"display_name": "T1027 - Obfuscated Files or Information"
},
{
"id": "TA0037",
"name": "Command and Control",
"display_name": "TA0037 - Command and Control"
},
{
"id": "T1588",
"name": "Obtain Capabilities",
"display_name": "T1588 - Obtain Capabilities"
},
{
"id": "T1583",
"name": "Acquire Infrastructure",
"display_name": "T1583 - Acquire Infrastructure"
},
{
"id": "T1031",
"name": "Modify Existing Service",
"display_name": "T1031 - Modify Existing Service"
},
{
"id": "T1112",
"name": "Modify Registry",
"display_name": "T1112 - Modify Registry"
},
{
"id": "T1472",
"name": "Generate Fraudulent Advertising Revenue",
"display_name": "T1472 - Generate Fraudulent Advertising Revenue"
},
{
"id": "T1566",
"name": "Phishing",
"display_name": "T1566 - Phishing"
},
{
"id": "T1598",
"name": "Phishing for Information",
"display_name": "T1598 - Phishing for Information"
},
{
"id": "T1528",
"name": "Steal Application Access Token",
"display_name": "T1528 - Steal Application Access Token"
},
{
"id": "T1539",
"name": "Steal Web Session Cookie",
"display_name": "T1539 - Steal Web Session Cookie"
},
{
"id": "T1068",
"name": "Exploitation for Privilege Escalation",
"display_name": "T1068 - Exploitation for Privilege Escalation"
},
{
"id": "T1134.004",
"name": "Parent PID Spoofing",
"display_name": "T1134.004 - Parent PID Spoofing"
},
{
"id": "T1140",
"name": "Deobfuscate/Decode Files or Information",
"display_name": "T1140 - Deobfuscate/Decode Files or Information"
},
{
"id": "T1003.007",
"name": "Proc Filesystem",
"display_name": "T1003.007 - Proc Filesystem"
},
{
"id": "T1042",
"name": "Change Default File Association",
"display_name": "T1042 - Change Default File Association"
},
{
"id": "T1060",
"name": "Registry Run Keys / Startup Folder",
"display_name": "T1060 - Registry Run Keys / Startup Folder"
}
],
"industries": [
"Media",
"Technology",
"Civil Society",
"Crime Victims"
],
"TLP": "green",
"cloned_from": null,
"export_count": 30,
"upvotes_count": 0,
"downvotes_count": 0,
"votes_count": 0,
"locked": false,
"pulse_source": "web",
"validator_count": 0,
"comment_count": 0,
"follower_count": 0,
"vote": 0,
"author": {
"username": "scoreblue",
"id": "254100",
"avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png",
"is_subscribed": false,
"is_following": false
},
"indicator_type_counts": {
"FileHash-SHA256": 4312,
"domain": 1056,
"hostname": 1818,
"URL": 5125,
"FileHash-MD5": 310,
"FileHash-SHA1": 221,
"email": 3
},
"indicator_count": 12845,
"is_author": false,
"is_subscribing": null,
"subscriber_count": 231,
"modified_text": "654 days ago ",
"is_modified": true,
"groups": [],
"in_group": false,
"threat_hunter_scannable": true,
"threat_hunter_has_agents": 1,
"related_indicator_type": "URL",
"related_indicator_is_active": 1
}
],
"error": null,
"vt": {
"error": "VirusTotal rate limit reached. Try again shortly.",
"indicator": "https://blog.amblyopiadoctor.com",
"type": "URL"
},
"abuseipdb": null,
"urlhaus": {
"indicator": "https://blog.amblyopiadoctor.com",
"type": "URL",
"found": false,
"verdict": "clean",
"error": null
},
"from_cache": true,
"_cached_at": 1780258024.8415928
}