{ "type": "URL", "indicator": "https://develop.payper.pt", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://develop.payper.pt", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 3363691948, "indicator": "https://develop.payper.pt", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 34, "pulses": [ { "id": "69a9cd444aa144401d0c4988", "name": "Pools Open", "description": "", "modified": "2026-04-15T19:21:28.851000", "created": "2026-03-05T18:36:52.014000", "tags": [ "Timothy Pool", "Christopher Pool", "Pool's Closed" ], "references": [ "Pool Closed", "Pool's Closed" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Media", "ad fraud" ], "TLP": "white", "cloned_from": "5fa57698ac0f6638b7b9a8ba", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 8098, "URL": 23428, "hostname": 9592, "domain": 4727, "SSLCertFingerprint": 22, "FileHash-MD5": 696, "FileHash-SHA1": 457, "CIDR": 78, "email": 3, "CVE": 2 }, "indicator_count": 47103, "is_author": false, "is_subscribing": null, "subscriber_count": 50, "modified_text": "4 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "693adba47b2cce69440c726a", "name": "TESLA HACKERS | Login Google", "description": "Attackers target victims Google account, Google browser, Google homepage.\n\nTesla Hackers in the job. Tesla hackers are very young , angry, kids who chased target around mercilessly in their vehicles, photographed target, drive threateningly. Nothing sophisticated about the stalker crewl. This is intentional. Finding troubled individuals who are desperate for power is pretty easy. \n\nThe hit men range from gang members, white , black , Hispanic to the highly educated, Hit man who attempted to take target out was a spoiled, angry , aggressive, sneering POC. He walked in Denver. The next morning , the area target was driven if roadway was closed off and filled with a rather large road crew, work continues to work on this area. (Charlie Kirk like). Alleged traffic officer claims cameras pointed in different directions that night. He was identified as a computer science major by a PI. This feels so dangerous.", "modified": "2026-01-10T13:01:53.320000", "created": "2025-12-11T14:56:36.874000", "tags": [ "tlsv1", "united", "oamazon", "cnamazon rsa", "jfif", "ogoogle trust", "cngts ca", "exif standard", "tiff image", "xresolution74", "execution", "dock", "write", "persistence", "malware", "encrypt", "ca https", "no expiration", "iocs", "url https", "enter source", "url or", "text drag", "drop or", "browse to", "select file", "ipv4", "url http", "type indicator", "sec ch", "ch ua", "unknown", "ua full", "ua platform", "as44273 host", "ua bitness", "msie", "chrome", "backdoor", "trojandropper", "passive dns", "forbidden", "body", "twitter", "trojan", "cookie", "title", "windows nt", "wow64", "slcc2", "media center", "read c", "port", "destination", "local", "moved", "integration all", "urls", "files", "reverse dns", "location united", "america flag", "name servers", "hostname", "unique", "expires wed", "gmt date", "server", "date wed", "connection", "use linux", "cybersecurity", "http", "ip address", "files location", "flag united", "win32", "urls show", "date checked", "url hostname", "server response", "virtool", "date hash", "avast avg", "heur", "lowfi", "k sep", "contacted", "related tags", "none file", "type", "present dec", "present nov", "mtb mar", "aaaa", "hacktool", "indicator role", "domain", "url add", "as20940", "as16625 akamai", "present mar", "present may", "as54113", "present apr", "ipv4 add", "url analysis", "servers", "emails", "hostname add", "present aug", "present sep", "present oct", "status", "present jul", "data upload", "extraction", "as208722 yandex", "russia unknown", "a domains", "expirestue", "path", "certificate", "medium", "alerts show", "ck technique", "technique id", "installs", "pe32", "intel", "ms windows", "high", "icmp traffic", "dns query", "packing t1045", "t1045", "screenshots", "file type", "date february", "pm size", "imphash pehash", "guard", "syst", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "initial access", "spawns", "t1590 gather", "flag", "united kingdom", "command decode", "belgium belgium", "federation", "france france", "ireland ireland", "canada canada", "suricata ipv4", "click", "tesla hackers", "elon musk", "show", "richhash", "external", "virustotal api", "comments", "vendor finding", "notes clamav", "ms defender", "files matching", "copy", "found", "ssl certificate", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "yara rule", "reads", "number", "sample analysis", "hide samples", "entries", "samples show", "next yara", "detections name", "devcv5 ujrb", "ujrb", "uja1t", "show technique", "mitre att", "ck matrix", "ascii text", "pattern match", "sha1", "network traffic", "show process", "general" ], "references": [ "https://www.teslarati.com/spacex", "https://omodeling.wpenginepowered.com/wp-content/uploads/2020/07/modelhub-pornhub-sell-nudes-1024x57", "https://cdn.teslarati.com \u2022 https://forums.teslarati.com/", "https://forums.teslarati.com/data/avatars/m/5/5998.jpg?1504431665 \u2022 https://forums.teslarati.com/forums/model-3.4/", "https://forums.teslarati.com/threads/humanlike-ai-robot-sophia-calls-out-elon-musk-during-live-interview.4970/", "https://www.teslarati.com/tesla-model-s-hitch-torklift-ecohitch-3-year-update/", "https://www.teslarati.com/tesla-tsla-monster-investment-rise-alaska-dept-of-revenue/", "https://www.teslarati.com/wp-content/themes/teslarati-mag/map/", "https://www.teslarati.com/tesla-model-3-crash-insight-60mph-collision/", "https://www.teslarati.com/", "https://www.teslarati.com/spacex", "https://www.teslarati.com/tesla-lands-87-million-megapack-belgium/", "https://www.teslarati.com/tesla-giga-shanghai-builds-5-millionth-battery-pack/", "https://www.teslarati.com/TESLA-DEBUTS-GROK-AI-UPDATE-2025-26-WHAT-YOU-NEED-TO-KNOW/", "https://www.teslarati.com/tesla-robotaxi-vs-new-york-taxi-why-the-yellow-cab-a-lot-to-lose/", "pornlynx.com \u2022 https://pornlynx.com \u2022 https://www.pornlynx", "http://www.aiupnow.com/2023/04/pakistani-hackers-use-linux-malware.html\\", "http://pickyhot.disqus.com/ \u2022 https://www.teslarati.com/tesla-hackers \u2022 https://pickyhot.disqus.com/tsara-brashears", "http://dev.browserweb.yandex.kg/ \u2022 https://api.messenger.yandex.az/ \u2022 https://yandex.uz/maps/-/CLWNeAKm", "HTML contains suspicious external redirect patterns details Suspicious redirect patterns detected: Redirect Types: Delayed Redirect Redirects to: /doodles/ Suspicious", "Redirect (Delayed Redirect): setTimeout(function(){location.href= source Binary File relevance 10/10 ATT&CK ID T1189", "External resources linked to high-risk commonly abused domains detected: mc.yandex.ru | script | src snd.click | src |", "Source : Binary File ATT&CK ID T1566.002", "Domain match: \"media-mbst-pub-ue1.s3.amazonaws.com\" possible high risk indicator. Commonly abused for malicious purposes. .", "Domain: \"snd.click\" possible high risk indicator. Domain uses TLD that is commonly abused for malicious purposes", "Detected Non-Google domain serving Google homepage details", "Detected Google homepage HTML served from suspicious domain Matched required Google homepage markers", "Source: Binary File relevance 10/10 ATT&CK ID T1204.001 | Target contacted CBI re: Suspicious looking Google Homepage.", "CBI (Colorado) - target believes she was redirected to malicious actors. Staffers not found in directory.", "Female states title as \u2018intern\u2019 dropped false information at front desk of CBI. Claims target ID theft victim. True", "Alleged CBI staffer refuses to provide evidence of identity theft resolution. Target unaware of. what\u2019s true", "CBI - asked target to enter Gmail in a resource. Targets Gmail account disappeared" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Germany", "Japan" ], "malware_families": [ { "id": "Worm:Win32/Mofksys.RND!MTB", "display_name": "Worm:Win32/Mofksys.RND!MTB", "target": "/malware/Worm:Win32/Mofksys.RND!MTB" }, { "id": "Ms Defender\tTrojan:Win32/Qbot.KVD!MTB", "display_name": "Ms Defender\tTrojan:Win32/Qbot.KVD!MTB", "target": "/malware/Ms Defender\tTrojan:Win32/Qbot.KVD!MTB" }, { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "Win.Malware.Jaik-9940406-0", "display_name": "Win.Malware.Jaik-9940406-0", "target": null }, { "id": "ALF:JASYP:Trojan:Win32/Genmaldown!atmn", "display_name": "ALF:JASYP:Trojan:Win32/Genmaldown!atmn", "target": null }, { "id": "Win.Malware.Snojan-6775202-0", "display_name": "Win.Malware.Snojan-6775202-0", "target": null } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" }, { "id": "T1207", "name": "Rogue Domain Controller", "display_name": "T1207 - Rogue Domain Controller" }, { "id": "T1136.002", "name": "Domain Account", "display_name": "T1136.002 - Domain Account" }, { "id": "T1003.005", "name": "Cached Domain Credentials", "display_name": "T1003.005 - Cached Domain Credentials" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5894, "FileHash-MD5": 458, "FileHash-SHA1": 305, "FileHash-SHA256": 2481, "SSLCertFingerprint": 26, "hostname": 2406, "domain": 966, "email": 16, "CVE": 1 }, "indicator_count": 12553, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "99 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "5fa57698ac0f6638b7b9a8ba", "name": "Pool's Closed", "description": "Two paupers from the meadow spring forth an upheaval of nasty sites on the world wide web.", "modified": "2025-12-27T05:02:34.910000", "created": "2020-11-06T16:15:20.139000", "tags": [ "Timothy Pool", "Christopher Pool", "Pool's Closed" ], "references": [ "Pool Closed", "Pool's Closed" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Media", "ad fraud" ], "TLP": "white", "cloned_from": null, "export_count": 61, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 4, "follower_count": 0, "vote": 0, "author": { "username": "scnrscnr", "id": "126475", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_126475/resized/80/avatar_67ca5b7bae.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 8098, "URL": 23426, "hostname": 9590, "domain": 4727, "SSLCertFingerprint": 22, "FileHash-MD5": 696, "FileHash-SHA1": 457, "CIDR": 78, "email": 3, "CVE": 2 }, "indicator_count": 47099, "is_author": false, "is_subscribing": null, "subscriber_count": 133, "modified_text": "113 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "687605f986433ebf2673f0b8", "name": "Win.Malware.Downloadguide-6803841-0 | Patient Monitoring", "description": "Part of an elaborate, unrelenting espionage campaign , multiple compromises, targeting.\n> alf:PUA:Win32/DownloadGuide \nLink below found in previous Pulse -[http://s0.patient.media/res/f91b97f6b547405cb4370cbb003dfea2-jquery-1.11.1.min.js.gzip]\n\u2022 Win.Malware.Downloadguide-6803841-0\nYara:\nresearch_pe_signed_outside_timestamp\n\u2022\nkernel32_dll_xor_exe_key_51_key_byte_encoded \u2022\nxor_0x33_kernel32_dll \u2022 \nConcerning: {Domain\tAddress\tRegistrar\tCountry\ns0.patient.media\n-\tGoDaddy.com, LLC\nOrganization: Egton Medical Information Systems Limited\nName Server: ns34.domaincontrol.com\nCreation Date: 2015-01-12T16:20:56}\n\n{https://www.anyxxxtube.net/search-porn/tsara-brashears/}\n{https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net}\n{wallpapers-nature.com}\n{https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian}", "modified": "2025-08-14T07:05:00.239000", "created": "2025-07-15T07:40:41.180000", "tags": [ "url http", "url https", "indicator role", "title added", "active related", "pulses hostname", "entries", "gmt etag", "server", "ecacc", "serving ip", "address", "dom dom", "data upload", "extraction", "pdf report", "enter", "failed", "extraction data", "enter sc", "type", "extra data", "extri please", "review data", "excluded tous", "tui sugges", "find", "show", "at filer", "iocs", "levelbluelabs", "please", "included iocs", "excluded io", "find suggested", "types", "domain data", "search", "o please", "manually add", "c data", "o suggesteo", "include data", "review uus", "u exclude", "find s", "indicaok data", "dom doman", "filehash", "md5 add", "pulse pulses", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "file score", "copy", "push", "copy md5", "copy sha1", "copy sha256", "sha1", "sha256", "pattern match", "ascii text", "size", "mitre att", "utf8", "null", "refresh", "body", "span", "hybrid", "general", "local", "path", "click", "date", "strings", "error", "tools", "look", "verify", "restart", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "spawns", "evasion att", "t1480 execution", "discovery att" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3597, "FileHash-MD5": 343, "domain": 547, "hostname": 1222, "FileHash-SHA1": 343, "FileHash-SHA256": 4464, "CVE": 1, "email": 1 }, "indicator_count": 10518, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "248 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "686c676bcc053e0fc51f01b2", "name": "ALL T8 research led to Firm_IP\u2019s = BoFa , WikiLeaks, United Healthcare, HCA, T-Mobile, Dish , AT&T, Apple,+ Breaches despite other speculations with 0 relations", "description": "", "modified": "2025-08-05T15:03:36.451000", "created": "2025-07-08T00:33:47.021000", "tags": [ "url https", "type indicator", "role title", "added active", "related pulses", "url http", "showing", "entries", "indicator role", "title added", "active related", "pulses url", "ipv4", "filehashmd5", "filehashsha1", "filehashsha256", "indicators show", "search", "reputation", "et att", "ck id", "t1060", "run keys", "startup", "folder", "scan", "iocs", "learn more", "hostname", "types of", "pagehrsappjbpst", "actionu", "focusapplicant", "siteid1", "postingseq1", "t1036", "t1043", "port", "t1085", "rundll32", "t1114", "t1179", "fbi flash", "cu000163mw", "compromise", "found", "uunet", "code", "reverse domain", "lookup", "ragnar", "locker", "ragnar locker", "cidr", "pulses", "types", "windows", "linux", "united", "trojandropper", "mtb jun", "trojan", "win32upatre aug", "mtb may", "gmt server", "ecacc", "files", "suspicious", "body", "data upload", "extraction", "cve cve20170147", "cve cve20178570", "cve cve20178977", "url feb", "pulses hostname", "a1sticas", "next associated", "present mar", "present jun", "present may", "france", "date", "ip address", "present apr", "virtool", "name servers", "value emails", "name john", "shipton", "dynadot privacy", "po box", "city san", "mateo country", "us creation", "news videos", "maps assist", "search settings", "safe search", "date more", "images bae", "systems defense", "bae systems", "london", "britain", "akamai rank", "script urls", "status", "a domains", "accept encoding", "unknown ns", "meta", "encrypt", "https", "report spam", "created", "year ago", "modified", "octoseek public", "cyber attack", "pegasus", "westlaw", "hallrender", "front", "sabey", "enter s", "include review", "exclude sugges", "failed", "sc type", "extr included", "manually add", "puls", "excludedocs", "sugges data", "phishing", "apple pegasus", "detections", "references", "stranger things", "http", "yara", "upx alerts", "fort collins", "help4u", "communications", "orgtechhandle", "domain", "no entries", "cchk asnas26658", "vj92", "search filter", "time sabey", "x show", "indicator type", "email", "filehashimphash", "filehashpehash", "backdoor", "ransom", "checkin", "alphacrypt cnc", "beacon", "jeffrey scott", "terse http", "possible", "accept", "xorddos", "ck ids", "t1512", "camera", "t1071", "protocol", "ta0001", "access", "ta0002", "ta0003", "ta0004", "cookie", "show", "ally", "melika", "part1", "trojanclicker", "bayrob", "android", "ransomware", "sakula rat", "t1125", "video capture", "t1566", "t1068", "t1190", "application", "t1472", "t1457", "media content", "social media", "doppelgnging", "t1080", "shared content", "t1449", "exploit ss7", "phone callssms", "enter sc", "type", "no expiration", "expiration", "months ago", "expiration http", "reimer dpt", "r role", "sa victim", "daisy coleman", "source", "weeks ago", "tbmvid", "sourcelnms", "zx1724209326040", "ahtrnaah typ", "url url", "url domain", "pulse sthow", "ah types", "ind indicator", "data uptoad", "extrachttp", "dulce sphown", "aho data", "typ url", "url dom", "hos hostname", "hos host", "dom dom" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1085", "name": "Rundll32", "display_name": "T1085 - Rundll32" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1051", "name": "Shared Webroot", "display_name": "T1051 - Shared Webroot" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1123", "name": "Audio Capture", "display_name": "T1123 - Audio Capture" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1506", "name": "Web Session Cookie", "display_name": "T1506 - Web Session Cookie" }, { "id": "T1512", "name": "Capture Camera", "display_name": "T1512 - Capture Camera" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1080", "name": "Taint Shared Content", "display_name": "T1080 - Taint Shared Content" }, { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1586", "name": "Compromise Accounts", "display_name": "T1586 - Compromise Accounts" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "686adf91f725a8b7f9850192", "export_count": 56, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8149, "domain": 1067, "hostname": 2103, "FileHash-SHA256": 1617, "URI": 1, "FilePath": 1, "FileHash-MD5": 412, "FileHash-SHA1": 368, "CIDR": 4, "CVE": 6, "email": 10 }, "indicator_count": 13738, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "257 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "686adf91f725a8b7f9850192", "name": "Dystopian Life & Death of an American Crime Victim | Boldy predicted how she will die", "description": "Palantir - a data analytics company, known as a military intelligence tool. co-founded by billionaire investor , Trump supporter and Republican mega donor Musk aligned; Peter Thiel, as per New York. \n\nFounded in 2003, known for its data analytics platforms - Palantir Gotham & Palantir Foundry are used by government & private sectors for various applications, including defense & healthcare. The company faces criticism for its role in government surveillance & data privacy concerns.\nPalantir can be linked to malicious, malware packed , compromised malvertisements about victim allegedly SA\u2019d by her physical therapist Jeffrey Scott Reimer DPT. Apparently target was paid a small settlement via lengthy phone battle by a man representing himself as Brian Sabey ,Esq of Hall Render. \n Palantir, admittedly designs cyber weapon that \u2018kills people\u2019. Are governments abusing to terrorize, silence & even harm/kill American citizens. Is this an elaborate hoax?\nTeam 8 \n#rip #plantantir #Hosanna #dystopian #targeted", "modified": "2025-08-05T15:03:36.451000", "created": "2025-07-06T20:41:53.748000", "tags": [ "url https", "type indicator", "role title", "added active", "related pulses", "url http", "showing", "entries", "indicator role", "title added", "active related", "pulses url", "ipv4", "filehashmd5", "filehashsha1", "filehashsha256", "indicators show", "search", "reputation", "et att", "ck id", "t1060", "run keys", "startup", "folder", "scan", "iocs", "learn more", "hostname", "types of", "pagehrsappjbpst", "actionu", "focusapplicant", "siteid1", "postingseq1", "t1036", "t1043", "port", "t1085", "rundll32", "t1114", "t1179", "fbi flash", "cu000163mw", "compromise", "found", "uunet", "code", "reverse domain", "lookup", "ragnar", "locker", "ragnar locker", "cidr", "pulses", "types", "windows", "linux", "united", "trojandropper", "mtb jun", "trojan", "win32upatre aug", "mtb may", "gmt server", "ecacc", "files", "suspicious", "body", "data upload", "extraction", "cve cve20170147", "cve cve20178570", "cve cve20178977", "url feb", "pulses hostname", "a1sticas", "next associated", "present mar", "present jun", "present may", "france", "date", "ip address", "present apr", "virtool", "name servers", "value emails", "name john", "shipton", "dynadot privacy", "po box", "city san", "mateo country", "us creation", "news videos", "maps assist", "search settings", "safe search", "date more", "images bae", "systems defense", "bae systems", "london", "britain", "akamai rank", "script urls", "status", "a domains", "accept encoding", "unknown ns", "meta", "encrypt", "https", "report spam", "created", "year ago", "modified", "octoseek public", "cyber attack", "pegasus", "westlaw", "hallrender", "front", "sabey", "enter s", "include review", "exclude sugges", "failed", "sc type", "extr included", "manually add", "puls", "excludedocs", "sugges data", "phishing", "apple pegasus", "detections", "references", "stranger things", "http", "yara", "upx alerts", "fort collins", "help4u", "communications", "orgtechhandle", "domain", "no entries", "cchk asnas26658", "vj92", "search filter", "time sabey", "x show", "indicator type", "email", "filehashimphash", "filehashpehash", "backdoor", "ransom", "checkin", "alphacrypt cnc", "beacon", "jeffrey scott", "terse http", "possible", "accept", "xorddos", "ck ids", "t1512", "camera", "t1071", "protocol", "ta0001", "access", "ta0002", "ta0003", "ta0004", "cookie", "show", "ally", "melika", "part1", "trojanclicker", "bayrob", "android", "ransomware", "sakula rat", "t1125", "video capture", "t1566", "t1068", "t1190", "application", "t1472", "t1457", "media content", "social media", "doppelgnging", "t1080", "shared content", "t1449", "exploit ss7", "phone callssms", "enter sc", "type", "no expiration", "expiration", "months ago", "expiration http", "reimer dpt", "r role", "sa victim", "daisy coleman", "source", "weeks ago", "tbmvid", "sourcelnms", "zx1724209326040", "ahtrnaah typ", "url url", "url domain", "pulse sthow", "ah types", "ind indicator", "data uptoad", "extrachttp", "dulce sphown", "aho data", "typ url", "url dom", "hos hostname", "hos host", "dom dom" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1085", "name": "Rundll32", "display_name": "T1085 - Rundll32" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1051", "name": "Shared Webroot", "display_name": "T1051 - Shared Webroot" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1123", "name": "Audio Capture", "display_name": "T1123 - Audio Capture" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1506", "name": "Web Session Cookie", "display_name": "T1506 - Web Session Cookie" }, { "id": "T1512", "name": "Capture Camera", "display_name": "T1512 - Capture Camera" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1080", "name": "Taint Shared Content", "display_name": "T1080 - Taint Shared Content" }, { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1586", "name": "Compromise Accounts", "display_name": "T1586 - Compromise Accounts" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 31, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8149, "domain": 1067, "hostname": 2103, "FileHash-SHA256": 1617, "URI": 1, "FilePath": 1, "FileHash-MD5": 412, "FileHash-SHA1": 368, "CIDR": 4, "CVE": 6, "email": 10 }, "indicator_count": 13738, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "257 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66d4916fa7338286448118a1", "name": "Jeffrey Scott Reimer DPT | Brian Sabey, SWIPPER -X.Com migration to Twitter ", "description": "", "modified": "2024-10-19T18:02:34.237000", "created": "2024-09-01T16:08:15.260000", "tags": [ "url https", "filehashsha256", "browse scan", "report spam", "author", "output", "tsara brashears", "created", "days ago", "showing", "trojan", "win32", "msil", "trojanspy", "virtool", "scan endpoints", "all search", "otx scoreblue", "author avatar", "fraud", "june", "worm", "search", "tsara type", "indicator role", "title added", "active related", "pulses url", "url http", "ipv6", "type indicator", "role title", "added active", "related pulses", "sort", "least", "researched", "f https", "scan", "iocs", "learn more", "filehashmd5", "hostname", "domain", "indicators show", "browser", "unsupported", "view", "continue", "watch tsara", "searchtsa", "brashears", "most relevant", "porn videos", "download", "google search", "open threat", "babe", "green", "daily", "play", "fullscreen", "tsara", "videos", "love", "top tsara", "xxx videos", "hardcore porn", "jeffrey reimer", "puts", "porn", "javascript", "body", "creation date", "record value", "united", "gmt content", "gmt max", "age900", "httponly x", "date", "unknown", "pragma", "levelblue", "exchange open", "threat exchange", "indicator", "safebae", "get involved", "anyone else", "press", "data reports", "teen students", "become", "chapter lead", "become a", "certified peer", "district", "brian sabey", "sabey data", "hallrender", "sabey data centers", "swipper", "mark b sabey", "m brian sabey", "2beeg", "thebrotherssabey", "urls", "show", "cloudflarenet", "us urlscan", "skip", "accessibility", "all images", "videos shopping", "forums news", "web more", "tools", "service", "malicious", "size", "recent", "off blur", "find", "summary", "securitytrails", "urlscan https", "tryporn", "icann whois", "data problem", "disclaimer", "judaporn", "kompoz", "blur filter", "search results", "xxxvideohd", "hacker news", "item", "url", "website", "web", "scanner", "analyze", "analyzer", "september", "domains", "sale worldwide", "street", "gate parkway", "stateprovince", "postal code", "route", "open", "watch", "links", "footer", "delete see", "delete c", "tofsee", "grum", "entries", "cape", "high", "total", "copy", "write", "malware", "patched", "next", "please" ], "references": [ "http://hghltd.yandex.net/yandbtm?fmode=inject&url=http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer", "thebrotherssabey.wordpress.com | https://hallrender.com/attorney/brian-sabey", "https://twitter.com/ootiosum/status/1812208222150726029a4dmHAxV0M0QIHawADl4Qr4kDegUI-QEQAA&usg=AOvVaw37yALadqlgoR9_xlQ5B4Hm", "https://thebrotherssabey.wordpress.com/wp-admin/customize.php?url=https://thebrotherssabey.wordpress.com/", "https://SafeBae.org | https://www.sweetheartvideo.com/tsara-brashearsAccept-Language", "http://sexiezpics.com/tsara-brashears-hardcore-porn | https://www.sweetheartvideo.com/tsara-brashearsAccept-Language", "https://urlscan.io/domain/cdn2e-videos2.yjcontentdelivery.com | http://videolal.com/jeffrey-reimer-dpt-assaulted-tsara-brashears-denver.html", "https://www.google.com/search?client=ms-android-tcl-rvo2b&sca_esv=677ff2260c38da6a&sca_upv=1&q=tsara%20brashears&tbm=vid&source=lnms&fbs=AEQNm0Aa4sjWe7Rqy32pFwRj0UkWd8nbOJfsBGGB5IQQO6L3J5MIFhvnvU242yFxzEEp3BfRFWcyM5BvpTgNzM3vKj4sz-C2iLdc_0v0iAkScdtYjVPIGyVlvwujMCY6xcQ3LIupWIQPyPPfztGwIqpQ9H2EXqXXY4GBGq8hpekXoFuduDqktZzSriMQxAlKPjQviXaDVnUYcgWw9ejzcyECyIGanCUinw&sa=X&biw=1128&bih=1971&dpr=2&no_sw_cr=1&zx=1724209326040&sssc=1", "bfxxxhindi.to | https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://billpay.stcu.org/csp/ws/ALKAMI-S5M/html/PC_Remote_Role_Due_XP_Help/role1_faq_email_notifications.html billpay.stcu.org", "bfxxxhindi.to www.bfxxxhindi.to https://www.bfxxxhindi.to tsara brashears bfxxxhindi.to https://www.bfxxxhindi.to/trend/eaUvPMTg3NzMytY07Q/", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead/. http://www.music-forum.org/www-cixiu888-com-tsara-brashears.html", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "http://hghltd.yandex.net/yandbtm?fmode=inject&url=http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer", "http://alohatube.xyz/search/tsara-brashears http://alohatube.xyz/search/tsara-brashears/", "http://videolal.com/videos/jeffrey-reimer-dpt-assaulted-tsara-brashears-massage-sexual-misconduct-miscinception.html", "http://videolal.co/videos/jeffrey-reimer-dpt-assaulted-tsara-brashears-concentra-medic", "http://videolal.co/videos/jeffrey-reimer-dpt-assaulted-tsara-brashears-concentra-medical-center", "http://videolal.com/jeffrey-reimer-dpt-assaulted-tsara-brashears-denver.html", "http://videolal.com/jeffrey-reimer-dpt-assaulted-tsara-brashears-medical.html", "http://videolal.com/videos/jeffrey-reimer-dpt-assaulted-tsara-brashears-massage-misconduct-miscinception.html", "http://videolal.com/tsara-brashears-assaulted-by-jeffrey-reimer.html http://videolal.com/tsara-brashears-dead-or-alive-song-rap.html", "http://videolal.com/tsara-brashears-pueblo.html , http://videolal.com/tsara-brashears.html", "http://pornbitter.com/storage/tsara-brashears/ http://www.gdsl-pallemoebler.info/seach/tsara-brashears/ advocate-smyslova.ru", "http://browntubeporn.com/tsara-brashears.html browntubeporn.com http://pornvideoj.com/tsara-brashears.htm", "pornhub.com/gay/video/search?search=tsara%2Blynn%2Bbrashears%2Blesbian", "feestzalenvanvlaanderen.be www.gdsl-pallemoebler.info http://anybunny.tv/search/tsara-brashears-submission-on-august-27-via-manual.html&us", "http://anybunny.tv/search/tsara-brashears-submission-on-august-27-via-manual.html&us www.tryporn.net", "http://www.gdsl-pallemoebler.info/seach/tsara-brashears/ advocate-smyslova.ru feestzalenvanvlaanderen.be www.gdsl-pallemoebler.info", "http://www.tryporn.net/seach/tsara-brashears/ hicksandchicks.org redpornvideos.net http://advocate-smyslova.ru/tsara-brashears/", "http://flexporn.net/tsara-brashears.html http://onlyindianporn.net/videos/tsara-brashears/ http://pornbitter.com/storage/tsara-brashears/", "http://pornpx.com/trends/tsara-brashears-submission-on-august-27-via-manual/1/ http://www.potnhub.org/tsara-brashears.html", "http://www.bukaporn.net/trend/tsara-brashears/ http://onlyindianporn.tv/videos/jeffrey-reimer-dpt-assaulted-tsara-brashears-concentra", "http://www.sexpornimages.com/tsara/tsara-lynn-brashears-porn/7x56y.html", "www.sexpornimages.com http://hicksandchicks.org/ju/tsara-brashears/ hlebo.mobi pornpx.com www.potnhub.org", "http://wapwon.live/category/tsara-brashears-assaulted-by-jeffrey-reimerAccept-Language http://www.music-forum.", "http://kompoz.me/find/tsara-brashears-submission-on-august-27-via-manual/ http://redpornvideos.net/tsara-brashears.html", "https://wallpapers-nature.com/ https://wallpapers-nature.com/%20tsara-brashears/urlscan-io", "https://wallpapers-nature.com/tsara-brashears/urlscan-io https://www.sweetheartvideo.com/tsara-brashears", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net https://www.sweetheartvideo.com/tsara-brashears/", "https://www.sweetheartvideo.com/tsara-brashears/ | https://www.sweetheartvideo.com/tsara-brashearsAccept-Language", "https://www.sweetheartvideo.com/tsara-brashearsAccept-Language | https://wallpapers-nature.com/tsara-brashears/urlscan-io", "http://hghltd.yandex.net/yandbtm?fmode=inject&url=http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer", "https://xlxx.mobi phishing\thttps://2beeg.me https://2beeg.net https://www.redporn.video https://youjizz.sex 2beeg.me xlxx.mobi ladys.one", "tsara-brashears-deadspin-twitter-suspended-account-help.ht videolal.com wallpapers-nature.com www.sweetheartvideo.com", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ Domain mom2fuck.mobi https://youjizz.sex/tsara-brashears.html https://youjizz.sex", "http://amp.mypornvid.fun/videos/2/SLFGMWoQaCU/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears", "http://pixelrz.com/lists/keywords/tsara-brashears-assaulted-by-jeffrey-reimer http://pixelrz.com/lists/keywords/brashears-tsara-buzz-news", "http://pixelrz.com/lists/keywords/%20dr-jeffrey-reimer-dpt-funds-tsara-brashears/ https://xlxx.mobi", "http://pixelrz.com/lists/keywords/dr-jeffrey-reimer-dpt-funds-tsara-brashears/ orangeporntube.net www.tryporno.net", "http://pixelrz.com/lists/keywords/tsara-brashears-massage-misconduct-misconception http://pixelrz.com/lists/keywords/tsara-brashears-dead/ http://orangeporntube.net/tsara-brashears.html", "http://www.tryporno.net/movies/tsara-brashears/ http://www.pixelrz.com/lists/keywords/tsara-brashears/", "https://kompoz.me/find/tsara-brashears-submission-on-august-27-via-manual/ sexiezpics.com", "http://sexiezpics.com/tsara-brashears-hardcore-porn http://mypornvid.com/videos/27/x510fb2/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears/caillou-finger-family", "http://pixelrz.com/lists/keywords/tsara-brashears-assaulted-at-concentra/ http://pornohata.com/mov/tsara-brashears/", "http://onlyindianporn2.com/videos/tsara-brashears/ onlyindianporn2.com-porn.html aninditaannisa.blogspot.com porno-trash.net", "myhotzpic.com pornohata.com pornstarsporno.net aninditaannisa.blogspot.com/2019/02/tsara-brashears", "http://pornstarsporno.net/tsara-brashears.html http://vtwctr.org/explore/inmate-tsara-brashears/", "https://videolal.co/videos/jeffrey-reimer-dpt-assaulted-tsara%20-brashears-massage-nearby.html", "Hostname aninditaannisa.blogspot.com No Expiration\t0\t URL aninditaannisa.blogspot.com/2019/02/tsara-brashears-porn.html billpay.stcu.org", "http://hghltd.yandex.net/yandbtm?fmode=inject&url=http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer", "https://thebrotherssabey.wordpress.com/wp-admin/customize.php?url=https://thebrotherssabey.wordpress.com/", "thebrotherssabey.wordpress.com http://www.sabey.com | http://resources.sabeydatacenters.com | http://root.sabeydatacenters.com", "http://go.sabey.com http://vpn2.sabey.com | http://resources.sabeydatacenters.com | http://root.sabeydatacenters.com |", "http://itsupport.sabey.com http://www.sabey.com | http://root.sabeydatacenters.com/ | http://server1.sabeydatacenters.com | http://smtp1.sabeydatacenters.com No Expiration\t http://smtps.sabeydatacenters.com | http://smtpseguro.sabeydatacenters.com", "http://sabey.com/construction/ | https://tulach.cc/ | sabeydatacenters.com | https://thebrotherssabey.com | http://root.sabeydatacenters.com/ No Expiration\t0\t URL http://server1.sabeydatacenters.com No Expiration\t0\t URL http://smtp1.sabeydatacenters.com No Expiration\t http://smtps.sabeydatacenters.com | http://smtpseguro.sabeydatacenters.com | http://staging.sabeydatacenters.com", "https://info.sabeydatacenters.com/webmail/404532/1590752290/6c9ed1e0b6b364689835e8c6bd51ed2198f99ee8ec7fa1924787e4e9b6382872", "forceusercontent.com | sabey.com | tulach.cc | http://thebrotherssabey.com/2018m.sabeydatacenters.com | https://www.vpn.sabey.com/", "root.sabeydatacenters.com | server1.sabeydatacenters.com | smtps.sabeydatacenters.com | smtpseguro.sabeydatacenters.com", "https://thebrotherssabey.com | https://thebrotherssabey.com/2015/08/24/why | staging.sabeydatacenters.com |", "authsmtp.sabeydatacenters.com | go.sabey.com | thebrotherssabey.com | mx5.sabeydatacenters.com | posta.sabeydatacenters.com", "remote.files.downloadnow-1.com | remote.sabeydatacenters.com | poczta.sabeydatacenters.com | pop.sabeydatacenters.com", "https://thebrotherssabey.com/2018/12/05/nature | https://thebrotherssabey.com/2019/01/20/miracle/ | https://thebrotherssabey.com/20", "https://thebrotherssabey.com/2015/08/24/why | https://thebrotherssabey.com/2016/03/12/how | https://thebrotherssabey.com/2017/04/17/truth", "https://thebrotherssabey.com/2016/01/18/ballroom | resources.sabeydatacenters.com | https://thebrotherssabey.com/feed/", "https://thebrotherssabey.com/comments/feed/ | mail2.sabeydatacenters.com | mails.sabeydatacenters.com | newmail.sabeydatacenters.com", "http://staging.sabeydatacenters.com | https://sabey.com/careers/ | https://vpn2.sabey.com | https://www.sabey.com | https://www.vpn.sabey.com |", "https://info.sabeydatacenters.com/emailPreference/epc/404532/EcSDdxFsTp4vgdAzwbcD5rWn7oROwp5s8Buq0L48dF0/732bdcab2311714bb73d4d507e6508d215afb4dbc511", "1a8fc49a4265fe146976/1523680312 | https://thebrotherssabey.com/2018/04/22/the | https://thebrotherssabey.com/2019/07/08/suffering", "https://info.sabeydatacenters.com/listUnsubscribeHeader/u/404532/732bdcab2311714bb73d4d507e6508d215afb4dbc5111a8fc49a4265fe14697", "https://info.sabeydatacenters.com/r/404532/1/1523680312/open/1 | http://onlyindianporn2.com/videos/dia-sabey/?p=13", "https://thebrotherssabey.com/category/pregnancy | https://thebrotherssabey.com/discourse | onlyindianporn2.com", "https://thebrotherssabey.com/2019/01/20/miracle/?share=twitter | https://thebrotherssabey.com/author/dbsabey/", "https://thebrotherssabey.com/author/thebrotherssabey/ | https://thebrotherssabey.com/category/homosexuality", "https://thebrotherssabey.com/2018/12/05/nature-of-scripture-part-5-conclusions/ | https://thebrotherssabey.com/2019/08/01/why", "mypornvid.fun | porn100.tv | amp.mypornvid.fun | cdn10.mypornvid.fun | cdn11.mypornvid.fun | cdn5.mypornvid.fun | cdn8.mypornvid.fun", "www.anyxxxtube.net | sv2.mypornvid.fun | www.porn100.tv | www.redporn.video | https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing |", "http://amp.mypornvid.fun/videos/2/SLFGMWoQaCU/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears", "anybunny.tv | http://anybunny.tv/search/eva-lisa | http://anybunny.tv/search/tsara-brashears-submission-on-august-27-via-manual.html&us", "https://videolal.co/videos/jeffrey-reimer-dpt-assaulted-tsara-brashears-massage-nearby.html. |", "http://onlyindianporn.tv/videos/jeffrey-reimer-dpt-assaulted-tsara-brashears-concent | http://wapwon.live/category/tsara-brashears-assaulted-by-jeffrey-reimerAccept-Languauge", "onlyindianporn.tv | sexpornimages.com | http://www.sexpornimages.com/hillary/hillary-clinton", "https://mypornvid.fun/videos/3/o00vnGgcVx0/dude-sex-fuck-a-deer-wapporn-video-com/fuck-deer", "http://www.sexpornimages.com/tsara/tsara-lynn-brashears-porn/7x56y.html", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead/ | http://videolal.com/tsara-brashears-dead-by-daylight.html", "http://videolal.com/tsara-brashears-dead-or-alive-song-rap.html | http://videolal.com/tsara-brashears-dead.html |", "https://thebrotherssabey.com/comments/feed/ | https://thebrotherssabey.com/2019/01/20/miracle/", "https://videolal.com/videos/tsara-brashears-dead-by-daylight.html | tsara-brashears-deadspin-twitter-suspended-account-help.ht", "https://thebrotherssabey.com/2018/12/05/nature | https://thebrotherssabey.com/2017/04/17/truth", "https://thebrotherssabey.com/2016/03/12/how | https://thebrotherssabey.com/2016/01/18/ballroom", "https://thebrotherssabey.com/comments/feed/ | https://thebrotherssabey.com/category/pregnancy", "https://thebrotherssabey.com/feed/ | https://thebrotherssabey.com/discourse | https://thebrotherssabey.com/comments/feed/", "https://thebrotherssabey.com/2015/08/24/why | https://thebrotherssabey.com/20 | https://thebrotherssabey.com | https://thebrotherssabey.com", "http://thebrotherssabey.com/2018 | https://thebrotherssabey.com/2019/01/20/miracle/ | https://thebrotherssabey.com/2019/07/08/suffering", "https://thebrotherssabey.com/category/pregnancy | https://thebrotherssabey.com/category/homosexuality", "https://thebrotherssabey.com/author/thebrotherssabey/ | https://thebrotherssabey.com/author/dbsabey/", "http://siteinlink.d1.cnbd.net/site/maps.google.com.lb/ | https://www.applefilmaker.com | https://www.applefilmaker.com/1odbU3D", "www.wwwgitlab.gitlab.git.git.gitlab.git.128-199-7-137.cprapid.com", "https://thebrotherssabey.wordpress.com/wp-admin/customize.php?url=https://thebrotherssabey.wordpress.com/", "https://hallrender.com/attorney/brian-sabey | https://thebrotherssabey.com/2019/01/20/miracle/?share=twitter", "storage.ladys.one ladys.one: | http://photos.ladys.one ladys.one: | http://porno.ladys.one ladys.one: | http://storage.ladys.one ladys.one: | http://xxx-videos.ladys.one ladys.one:", "http://www.xvxx.me/clips/nadia-ali-hardcore/199530/", "https://kompoz2.com/tv/454575/blonde-slut-sara-jay-with-big-ass-is-fucked-in-doggy-style.html", "http://onlyindianporn2.com/videos/vichatter-young-11//title/0.7292669771257236" ], "public": 1, "adversary": "Brian Sabey | Tulach | Sabey Data Centers", "targeted_countries": [ "United States of America", "Netherlands", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [ { "id": "Win32/Tofsee.AX", "display_name": "Win32/Tofsee.AX", "target": null }, { "id": "Trojan:Win32/Muldrop", "display_name": "Trojan:Win32/Muldrop", "target": "/malware/Trojan:Win32/Muldrop" } ], "attack_ids": [ { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1586.001", "name": "Social Media Accounts", "display_name": "T1586.001 - Social Media Accounts" }, { "id": "T1055.013", "name": "Process Doppelg\u00e4nging", "display_name": "T1055.013 - Process Doppelg\u00e4nging" }, { "id": "T1080", "name": "Taint Shared Content", "display_name": "T1080 - Taint Shared Content" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [], "TLP": "green", "cloned_from": "66ccbd92f716bb0ca0fda93d", "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 121, "FileHash-SHA1": 116, "FileHash-SHA256": 935, "URL": 5882, "domain": 571, "hostname": 1418, "email": 9, "CIDR": 1, "SSLCertFingerprint": 1 }, "indicator_count": 9054, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "547 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66c08b488620dac7697026c7", "name": "Fakefolder | Ransom:Win32/CVE affecting HCA Healthcare cloud", "description": "Cloud computing - User Acceptance Testing (UAT)\napparently used by HCA one of the nations leading healthcare providers. It's seems HCA's cloud is compromised. The cloud has a number of high priority vulnerabilities, malware, ransomware, zero day, etc. Patient accounts aiming involved, (some patients received letters of serious PII, PHI compromise) lost records, patient blacklisting, hacking, and nefarious manipulations by providers. I've been made aware of CORHIO closing compromised patient accounts. Some patients account access and data has reportedly been lost.\n#VirTool:Win32/Obfuscator.ADB\nALF:HeraklezEval:Ransom:Win32/CVE\nRansom:Win32/StopCrypt.AK!MTB\nRansom:Win32/Wannaren.A\nTrojan:Win32/BlackMon\nTrojan:Win32/Fakefolder\nTulach Malware", "modified": "2024-10-15T14:02:54.772000", "created": "2024-08-17T11:36:40.810000", "tags": [ "microsoft edge", "iocs", "alberta ndp", "security", "vc rescue", "disk", "apple", "google", "windows", "powershell", "security https", "no data", "tag count", "analyzer threat", "url summary", "ip summary", "summary", "sample", "detection list", "site", "cisco umbrella", "alexa top", "blacklist", "million", "mail spammer", "firehol", "ip address", "noname057", "anonymizer", "firehol proxy", "proxy", "india mail", "malware", "full name", "first", "v3 serial", "number", "cus odigicert", "global tls", "rsa4096 sha256", "ca1 validity", "subject public", "key info", "dns replication", "date", "script script", "as12912", "a domains", "a li", "poland unknown", "t mobile", "domains", "przejd", "passive dns", "authority", "meta", "accept", "cname", "record type", "ttl value", "aaaa", "poland", "scan endpoints", "all scoreblue", "ipv4", "pulse pulses", "files", "location poland", "asnone united", "moved", "location", "vary", "accept encoding", "content type", "virtool", "related pulses", "file samples", "files matching", "show", "search", "date hash", "next", "showing", "as39198", "body", "window", "certificate", "hostname", "unknown", "red bull", "script urls", "as2828 verizon", "ireland unknown", "gmt content", "as8068", "as8075", "servers", "creation date", "united", "trojan", "trojan features", "win32", "msr aug", "urls", "reverse dns", "trojandropper", "historical ssl", "referrer", "infiltrate", "threat network", "malicious", "snapchat", "eternal blue", "sneaky simay", "groups", "covert", "probe", "whois lookup", "domain name", "united", "as15169 google", "a nxdomain", "germany", "dynamicloader", "yara rule", "high", "medium", "port", "dynamic", "domain", "file name", "pcap", "copy", "url host", "port method", "user agent", "okrnserver", "002000", "hit tcpmemhit", "algorithm", "data", "cus oentrust", "entrust", "l1k validity", "cpl lwarszawa", "ot mobile", "status", "name servers", "as6354", "mtb aug", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "usage", "info", "location united", "win32 exe", "pe32 executable", "ms windows", "intel", "win16 ne", "os2 executable", "generic windos", "executable", "vs2010", "info compiler", "products", "vs2008", "header intel", "name md5", "type", "language", "ascii text", "cyrillic", "registrar of", "domain names", "ii llc", "contacted", "file type", "mb file", "graph", "ip detections", "country", "type name", "network", "tsara brashears", "december", "typhon reborn", "speakez securus", "hacktool", "emotet", "formbook", "critical", "installer", "tofsee", "hiddentear", "cnc", "email collection", "apple data", "data collection", "tsara brashears", "for privacy", "record value", "emails", "expiration date", "swipper", "tulach", "aitm", "query", "observed dns", "activity dns", "total", "google llc", "pe32", "write", "april", "defender", "otx telemetry", "win32cve aug", "polska s", "copyright", "levelblue", "dashboard", "pulse submit", "url analysis", "as20940", "as16625 akamai", "entrustdns", "france", "entries", "refresh", "443 ma2592000", "net174", "net1740000", "mcics", "read c", "write c", "tlsv1", "default", "module load", "execution", "dock", "persistence", "xport", "redacted for", "privacy tech", "privacy admin", "organization", "postal code", "stateprovince", "server", "registrar abuse", "code", "high priority", "critical", "CVE-2023-29059" ], "references": [ "uat.drw.hcahealthcare.cloud | developers.t-mobile.pl | kwvjuemg.exe", "uat.drw.hcahealthcare.cloud US Admin Email: cd2fa1f805494bc7s@ehc.com Admin Organization: HCA - Information Technology & Services, Inc.", "Antivirus Detections: Ransom:Win32/Wannaren.A UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , UPXv20MarkusLaszloReiser , UPX Alerts procmem_yara creates_largekey process_creation_suspicious_location network_bind deletes_executed_files dead_connect dynamic_function_loading encrypted_ioc http_request network_cnc_https_generic powershell_download powershell_request enumerates_running_processes stealth_window cape_extracted_content injection_rwx network_http", "Yara Detections: LZMA , UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , UPXv20MarkusLaszloReiser , UPX", "Alerts: procmem_yara creates_largekey process_creation_suspicious_location network_bind cape_extracted_content", "Alerts: deletes_executed_files dead_connect dynamic_function_loading encrypted_ioc http_request injection_rwx network_http", "Alerts: network_cnc_https_generic powershell_download powershell_request enumerates_running_processes stealth_window", "nr-data.net [Apple Private Data Collection]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://twitter.com/PORNO_SEXYBABES | twitter.com | www.pornhub.com | www.anyxxxtube.net", "Apple path:https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 | itunes.apple.com", "record-viewer-application.hcahealthcare.cloud", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowled", "Tulach IP: 114.114.114.114", "Antivirus Detections: #VirTool:Win32/Obfuscator.ADB | IDS Detections:Observed DNS Query to .biz TLD | Domains Contacted: pywolwnvd.biz", "Yara Detections: SUSP_Unsigned_GoogleUpdate OriginalFilenameGoogleUpdate.exe | Alerts cape_extracted_content", "Parent: NET174 (NET-174-0-0-0-0) NetType: Direct Allocation Organization: Verizon Business (MCICS) 'Swipper'", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29059 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29059\\", "cvename.cg | https://cve.mitre.org/cgi | https://cve.mitre.org/cgi-bin/cvename.cg... | https://cve.mitre.org/cgi-bin/cvename.cgi?nam...", "https://cve.mitre.org/includes/jquery-migrate-3.0.0.min.js | https://cve.mitre.org/includes/printerfriendly.js | https://cve.mitre.org/css/main.css", "https://cve.mitre.org/images/cvelogobanner.png | https://cve.mitre.org/images/linkedin.jpg | https://cve.mitre.org/images/medium.png", "https://cve.mitre.org/images/nvd-logo.png | https://cve.mitre.org/images/search_icon.png | https://cve.mitre.org/images/twitter.jpg", "https://cve.mitre.org/images/youtube.png | https://cve.mitre.org/includes/browserheight.js | https://cve.mitre.org/includes/jquery-3.2.1.min.js", "https://cve.mitre.org/css/print.css | https://cve.mitre.org/favicon.ico | https://cve.mitre.org/images/GitHub_round_sm", "https://cve.mitre.org/includes/jquery-migrate-3.0.0.min.js | https://cve.mitre.org/includes/printerfriendly.js | cve.mitre.org" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Trojan:Win32/BlackMon", "display_name": "Trojan:Win32/BlackMon", "target": "/malware/Trojan:Win32/BlackMon" }, { "id": "Trojan:Win32/Fakefolder", "display_name": "Trojan:Win32/Fakefolder", "target": "/malware/Trojan:Win32/Fakefolder" }, { "id": "Ransom:Win32/Wannaren.A", "display_name": "Ransom:Win32/Wannaren.A", "target": "/malware/Ransom:Win32/Wannaren.A" }, { "id": "Ransom:Win32/StopCrypt.AK!MTB", "display_name": "Ransom:Win32/StopCrypt.AK!MTB", "target": "/malware/Ransom:Win32/StopCrypt.AK!MTB" }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "#VirTool:Win32/Obfuscator.ADB", "display_name": "#VirTool:Win32/Obfuscator.ADB", "target": "/malware/#VirTool:Win32/Obfuscator.ADB" }, { "id": "ALF:HeraklezEval:Ransom:Win32/CVE", "display_name": "ALF:HeraklezEval:Ransom:Win32/CVE", "target": null } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" } ], "industries": [ "Healthcare", "Technology", "Civilian Society", "Telecommunications", "Networking" ], "TLP": "white", "cloned_from": null, "export_count": 53, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1975, "FileHash-SHA1": 1731, "FileHash-SHA256": 4646, "URL": 636, "domain": 283, "hostname": 798, "email": 12, "CVE": 3, "SSLCertFingerprint": 2 }, "indicator_count": 10086, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "551 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66ccbb1146fb07a45b6b97fe", "name": "Android Remotely Cracked: Swipper? | Being Sabey links found. Framing?", "description": "Targets phone and other devices cracked remotely. Phone calls made to a family member by phone. Some clues left behind.\n1 clue:mike@softwarezpro1.txt\nLong Link:http://bbd383ttka22.top/prize/luckyus-ad/nigh.php?c=69zejibbz5fz1&k=987ad34e7843dd8f3a3cb6559f188769&country_code=US&country_name=United%20States\u00aeion=New%20York&city=Plainview&isp=MCI%20Communications%20Services,%20Inc.%20d/b/a%20Verizon%20Business&lang=ja&ref_domain=&os=iOS&osv=16&browser=Chrome&browserv=115&brand=Apple&model=iPhone&marketing_name=iPhone&tablet=2&rheight=0&rwidth=0&e=5\n Stop! Swipper, Brian Sabey, Tulach, whoever you are. Arrest Jeffrey Reimer Scott DPT for groping breasts, V, assaulting so hard it separated victims hips and SI joint, Spinal Cord Injury length of spine. He literally assaulted her brain out. TBI with Arnold's Chiari. Demyelination from brain to toes. He never denied this to Employers. Hi, DPD Major crimes God Bless you...about the report?", "modified": "2024-10-14T18:03:35.631000", "created": "2024-08-26T17:27:45.763000", "tags": [ "unknown", "meta", "software", "site kit", "as53667", "free", "download full", "search", "showing", "encrypt", "date", "asnone united", "kingdom unknown", "wordpress site", "just", "passive dns", "meta http", "content", "gmt server", "a domains", "body", "server", "registrar", "dnssec", "domain name", "status", "abuse contact", "email", "registrar abuse", "contact phone", "registrar iana", "registrar url", "version crack", "crack serial", "keys license", "algorithm", "whois lookup", "creation date", "code", "namesilo", "country", "domain status", "contact email", "first", "historical ssl", "referrer", "cobalt strike", "switch dns", "query", "fraud risk", "traffic", "luna moth", "campaign", "analyzer paste", "iocs", "samples", "phishing", "malware", "maltiverse", "cyber threat", "engineering", "team phishing", "mail spammer", "telefonica co", "emotet", "download", "malicious", "team", "suppobox", "analyzer threat", "url summary", "ip summary", "summary", "sample", "detection list", "blacklist", "module load", "service", "create c", "show", "winhttp authip", "write c", "susp", "trojanspy", "related pulses", "copy", "write", "win32", "memcommit", "read c", "x00x00", "high defense", "evasion", "defense evasion", "cryptexportkey", "windows", "shellexecuteexw", "hash", "writeconsolew", "registry", "t1031", "modify existing", "trojan", "dock", "august", "push", "hostnames", "urls http", "cisco umbrella", "site", "alexa top", "million", "safe site", "malicious site", "tofsee", "google domain", "azorult", "runescape", "facebook", "bank", "alexa", "zbot", "dynamicloader", "yara rule", "high", "grum", "medium", "ids detections", "yara detections", "stream", "as15169 google", "as44273 host", "aaaa", "scan endpoints", "all scoreblue", "next", "type texthtml", "google safe", "browsing", "ipv4", "pulse pulses", "urls", "files", "co20230203", "pe resource", "url https", "archive", "posix tar", "flow t1574", "dll sideloading", "media t1091", "t1055", "spawns", "mitre att", "access ta0001", "replication", "dlls privilege", "window", "ip traffic", "udp a83f8110", "hashes", "t1055 spawns", "dlls defense", "dns resolutions", "user", "samplepath", "menu files", "written c", "files copied", "files dropped", "file", "pe32 executable", "ms windows", "intel", "win16 ne", "os2 executable", "generic windos", "executable", "contained", "info compiler", "products id", "header intel", "name md5", "type", "language", "sha256", "data", "entries", "filehash", "av detections", "as3215 orange", "related", "france unknown", "reverse dns", "singapore asn", "as16509", "united", "updated date", "pulse submit", "url analysis", "verdict", "as16342 toya", "all search", "otx scoreblue", "hostname", "ip address", "poland unknown", "moved", "gmt contenttype", "vary", "gmt content", "content length", "domain", "files ip", "address", "location poland", "asn as16342", "as16276", "as50599", "as8075", "as5617 orange", "a td", "as198921", "as29686 probe", "germany unknown", "germany", "title", "body doctype", "html public", "ietfdtd html", "head body", "as63949 linode", "united kingdom", "arial", "apache", "accept", "related nids", "files location", "flag united", "files domain", "files related", "as20940", "as4230 claro", "data redacted", "name servers", "expiration date", "invalid url", "mtb feb", "body html", "head title", "hacktool", "trojandropper", "mtb mar", "title head", "overview ip", "record value", "td tr", "tr tr", "dostpne jzyki", "tr table", "table", "utwrz stref", "modyfikuj stref", "td td", "win32vb", "win32qqpass", "worm", "win32mofksys", "worm worm", "win32salgorea", "support", "internet mobile", "win32tofsee", "as3842 inmotion", "as40676 psychz", "formbook cnc", "checkin", "exploit", "virtool", "trojan features", "file samples", "files matching", "date hash", "cname", "error", "script urls", "ezcrack all", "script", "provides", "softwares", "script domains", "pragma", "as202425 ip", "emails", "as46606", "crack", "aaaa nxdomain", "whitelisted", "nxdomain", "as36352", "malware trojan", "asnone", "virgin islands", "backdoor", "please", "win32botgor" ], "references": [ "aeuwa03.devtest.call2.team | mike@softwarezpro1.txt | softwarezpro.net | www.softwarezpro.net | mike@ hijacked targets device Attacked!", "http://cracx.net/fonepaw-iphone-data-recovery-3-8-0-crack/ | Malware: 74.208.236.140 malacrack.org ns2.filescrack.com ns1.filescrack.com", "http://softwarezpro.net/wp-content/themes/wellington/assets/js/svgxuse.min.js?ver=1.2.6", "animalpornotube.com | http://animalpornotube.com/files/gifamateurpay.gi | https://crackedvst.info/tag/k7-total-security-trial-resetter/", "https://activationskey.net/passfab-iphone-cracked-free-keys-2022 https://crackedvst.info/ui crackedvst.info: http://www.crackidea.net/", "http://activationskey.net/passfab-for-rar-full-cracked-2022/ activationskey.net: https://activationskey.net/passware-kit-forensic-2021-1-3-crack/ activationskey.net: | crackedvst.info: crackedvst.info:", "www.softwarezpro.net\thttps://i0.wp.com/softwarezpro.net/wp parking.namesilo.com softwarezpro.org softwarezap.net softwarezap.net", "anti-spyware-software.net http://softwarezpro.net/wp | | http://softwarezpro.net/xmlrpc.php | https://softwarezpro.net https://softwarezpro.net/\t URL\thttps://softwarezpro.net/comments/feed/ https://softwarezpro.net/feed/\t https://softwarezpro.net/page/2/\t URL\thttps://softwarezpro.net/wp https://softwarezpro.net/xmlrpc.php", "http://softwarezpro.net/wp-content/themes/wellington/assets/js/navigation.min.js?ver=20220224 | crackedvst.info", "pw-90cc2fc574f6dd6dccf2c3531928b039@privacyguardian.org | https://crackedvst.info/antares-autotune-pro-crack/", "www.endgame.com [Threatening] | https://mobisoft.info/dfx-audio-enhancer-crack | https://mobisoft.info/passfab-iphone-unlocker-key", "7cwork.a-poster.info a-poster.info: members.a-poster.info work.a-poster.info a-poster.info: http://20work.a-poster.info a-poster.info:", "http://250awork.a-poster.info/ a-poster.info: http://252fwork.a-poster.info a-poster.info: http://252fwork.a-poster.info/", "20work.a-poster.info a-poster.info: 250awork.a-poster.info a-poster.info: 252fwork.a-poster.info a-poster.info: a-poster.info:", "Trojan:Win32/Salgorea: FileHash-SHA256 e82334440ceddd927f35831fda83594f3657ca56187f7f7ddd7d60cba1be793", "Worm:Win32/Fasong: FileHash-SHA256 c7f2f4a6ed374bac385fa81177967fd013248652556e4ee95cea7f064f6b25dd", "Trojan:Win32/Glupteba: FileHash-SHA256 5e7fdbc4c66fbefd6aa95047a56c709765f18b3a3a65d5942acb4e4349b09039", "Worm:Win32/Mofksys: FileHash-SHA256 ef1a66214e210bc9ae0aef471b0a09f6083078343a0338fcaf1f2b04ebddbd9a", "Trojan:Win32/QQpass: FileHash-SHA256 86df64999ed25a02debca89a586c931b0f32b1edc0e7aa800c360be3ef456439", "TrojanSpy:Win32/Nivdort.DI: FileHash-SHA256 00734b135321562e7e0df7c2f8eb554435cc25c47f46747f79fc2116ac2cc6ef", "Win32:CrypterX-gen\\ [Trj]: FileHash-SHA256 002ea0849da3c63ce6c09c084567e9470c3616084ef19402316e9d52f35c62a7", "Trojan:Win32/Emotet.PC!MTB: FileHash-SHA256 02b9cac1880e348302125664c4955fd163a219b1eb8b50de0ad350e0c147a0b0", "Trojan:Win32/Zbot.SIBB3!MTB: FileHash-SHA256 bc1739628aadbcc99bcb93caab4a7a73534694c817d57cc0ed735bf4bd0f6e45", "ELF:Hajime-Q\\ [Trj] : FileHash-SHA256 aa310469926150f9d6f980dd6ba200d1c9c7dec7c4b66c7de4cff6a30c038560", "Win32/Tasekjom.A : FileHash-SHA256 1230ac0c362b6049b9de011229707e05852dd11af75ca7071a1f089e6aca61f5", "Win32/Muldrop FileHash-SHA256 67a5e78bb2897b15d510dfce0d89f60330db01d7944ebb4f1dd90ce36c907e1b", "PWS:Win32/VB : FileHash-SHA256 dbc78d07e96562c6370ab515f5d65cea88a1b163ad10718c66d15155f4075630", "Backdoor:Win32/Tofsee: FileHash-SHA256 5b616ad2410bef0bc894c4bff013afe2d7f44dcdeb79420bab14c766cc460aa7", "VirTool:Win32/Obfuscator FileHash-SHA256 874e78143b683016ef8e41977f9d3ee34b97b145b313cdefdeb3e8900db6df73", "RASMONTR.DLL 192.168.56.101", "iobit: https://cracxfree.com/iobit-malware-fighter-pro-2/http://activationskey.net/wp-content/uploads/2021/02/download-2-7.jpg", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/00734b135321562e7e0df7c2f8eb554435cc25c47f46747f79fc2116ac2cc6ef", "Parked: www.easycrypto.team | 'Parking Crew' ? Several names exist for advesarial 'Parking Hacker Groups' parking.namesilo.com", "Ranks high in search results because device is typically compromised with Convection engine and Keyword Tool", "a-fondness-for-beauty.com", "iobit: https://cracxfree.com/iobit-malware-fighter-pro-2/ | http://activationskey.net/wp-content/uploads/2021/02/download-2-7.jpg", "iobit: https://cracxfree.com/iobit-malware-fighter-pro-2/ | https://cracklink.info/iobit-uninstaller-pro-key/", "iobit: https://ezcrack.info/iobit-uninstaller-pro-crack | https://ezcrack.info/iobit-uninstaller-pro-crack/", "http://crackedvst.info/plugin-alliance-bundle-crack/: sedoparking.com | sedoparking.com/frmpark/ -", "Trojan:Win32/Zbot: FileHash-SHA256 b7875b426ce25f1d4785ba7043bbfdba49feb726cc829d681acdd67c3c302c70", "ALF:Trojan:Win32/Cassini_f28c33a2:\tFileHash-SHA256 6fc35cb8e18f0d9d72bc1a7037ae88f8036362799f930a1a30e290d31be3b216", "Backdoor:Win32/Botgor: FileHash-SHA256 b70353b3ecf532ad51e7d6a1790275df02c7393b87d40add47a3baccab39802f", "TrojanDropper:Win32/Muldrop: FileHash-SHA256 bf8e919cf6ce208f1c2f98f07df835099f14e2f8708197b0165479468079d902", "#LowFiCreateRemoteThread: FileHash-SHA256 0ab94d890afef8ebae42007a119a8686f71bdd9bdf357262481daa7c9c7a283e", "Trojan:Win32/Blihan: FileHash-SHA256 dada5208109416153937db5a6f44f03b8b9025347c235acdc70edfa24a2a882e", "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 | itunes.apple.com", "http://appleid.com-index-manager-info-verify-receipt-account.usa.cc/ |", "https://realcrack.info/sidify-apple-music-converter-crack/ | applehouse-jp.com | iappletech.com | http://apple.int-access-accounts.usa.cc/", "http://apple-store.jspi304es-services-fixedbilling-responsive-managed-update-card.appleid-storeext.usa.cc/", "http://apple-unlocked-login.usa.cc/\t| http://apple.com.locked-account-verify-login.usa.cc/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "TrojanSpy:Win32/Nivdort.DI", "display_name": "TrojanSpy:Win32/Nivdort.DI", "target": "/malware/TrojanSpy:Win32/Nivdort.DI" }, { "id": "Win32:CrypterX-gen\\ [Trj]", "display_name": "Win32:CrypterX-gen\\ [Trj]", "target": null }, { "id": "Trojan:Win32/Emotet.PC!MTB", "display_name": "Trojan:Win32/Emotet.PC!MTB", "target": "/malware/Trojan:Win32/Emotet.PC!MTB" }, { "id": "Trojan:Win32/CryptInject", "display_name": "Trojan:Win32/CryptInject", "target": "/malware/Trojan:Win32/CryptInject" }, { "id": "RASMONTR.DLL", "display_name": "RASMONTR.DLL", "target": null }, { "id": "Trojan:Win32/Salgorea", "display_name": "Trojan:Win32/Salgorea", "target": "/malware/Trojan:Win32/Salgorea" }, { "id": "Worm:Win32/Fasong", "display_name": "Worm:Win32/Fasong", "target": "/malware/Worm:Win32/Fasong" }, { "id": "Trojan:Win32/Glupteba", "display_name": "Trojan:Win32/Glupteba", "target": "/malware/Trojan:Win32/Glupteba" }, { "id": "Worm:Win32/Mofksys", "display_name": "Worm:Win32/Mofksys", "target": "/malware/Worm:Win32/Mofksys" }, { "id": "Trojan:Win32/QQpass", "display_name": "Trojan:Win32/QQpass", "target": "/malware/Trojan:Win32/QQpass" }, { "id": "Trojan:Win32/Zbot.SIBB3!MTB", "display_name": "Trojan:Win32/Zbot.SIBB3!MTB", "target": "/malware/Trojan:Win32/Zbot.SIBB3!MTB" }, { "id": "ELF:Hajime-Q\\ [Trj]", "display_name": "ELF:Hajime-Q\\ [Trj]", "target": null }, { "id": "Win32/Tasekjom.A", "display_name": "Win32/Tasekjom.A", "target": null }, { "id": "TEL:Trojan:Win32/TrojanDownloader", "display_name": "TEL:Trojan:Win32/TrojanDownloader", "target": null }, { "id": "Win32/TrojanDropper", "display_name": "Win32/TrojanDropper", "target": null }, { "id": "Trojan:Win32/Muldrop", "display_name": "Trojan:Win32/Muldrop", "target": "/malware/Trojan:Win32/Muldrop" }, { "id": "PWS:Win32/VB", "display_name": "PWS:Win32/VB", "target": "/malware/PWS:Win32/VB" }, { "id": "Backdoor:Win32/Tofsee", "display_name": "Backdoor:Win32/Tofsee", "target": "/malware/Backdoor:Win32/Tofsee" }, { "id": "Trojan:Win32/Blihan", "display_name": "Trojan:Win32/Blihan", "target": "/malware/Trojan:Win32/Blihan" }, { "id": "#LowFiCreateRemoteThread", "display_name": "#LowFiCreateRemoteThread", "target": null }, { "id": "Backdoor:Win32/Botgor", "display_name": "Backdoor:Win32/Botgor", "target": "/malware/Backdoor:Win32/Botgor" }, { "id": "ALF:Trojan:Win32/Cassini_f28c33a2", "display_name": "ALF:Trojan:Win32/Cassini_f28c33a2", "target": null } ], "attack_ids": [ { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" } ], "industries": [ "Technology", "Telecommunications", "Civilian Devices" ], "TLP": "green", "cloned_from": null, "export_count": 112, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1629, "FileHash-MD5": 4822, "URL": 2002, "email": 18, "hostname": 1725, "FileHash-SHA1": 3921, "FileHash-SHA256": 9019, "URI": 1 }, "indicator_count": 23137, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "552 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66ba01cb6ef731c30679908b", "name": "BusyBox |Eternal Blue | MITM Attack | Linux Crime Mirai_Botnet_Malware | Brian Sabey attorney", "description": "Verizon Business MCICS?\nMCI Communications Services LLC Verizon Division, doing business as MCI, is a subsidiary of Verizon Communications Inc. that provides a wide range of telecommunications products and services to U.S. federal government customers.\nHandle Swipper, previously scrubbed from internet has been hovering over target for at least 10 years.\n[Known to have used Host: 152.199.19.161\n19.161 is an IP address in AS15133 owned by MCICommunicationsServices,Inc.d/b/aVerizonBusiness and located in US] + [Edgecast Inc ns1.edgecastcdn.net] Swipper, once linked to WikiLeaks threat actor who sent malicious emails to targets and Bank of America employees revealing passcodes from garage door codes to favorite color, ice cream hobbies and passwords. \n[Bin][BusyBox] BusyBox is a software suite that provides several Unix utilities in a single executable file.", "modified": "2024-10-12T00:01:26.015000", "created": "2024-08-12T12:36:27.020000", "tags": [ "network", "orgdnsref", "nethandle", "net174", "net1740000", "mcics", "swipp", "swipper", "jody alaska", "jody huffines", "verizon", "eva120", "block id", "wirelessdatanetwork", "swipp9-arin", "united", "et exploit", "smbds ipc", "show", "search", "default", "asnone", "nids", "generic", "query", "service", "wannacry", "ransom", "malware", "copy", "dock", "write", "eternalblue", "recon", "suspicious", "realtek sdk", "miniigd upnp", "soap command", "exploit", "msie", "windows nt", "high", "binbusybox", "gafgyt", "execution", "mirai", "newremotehost", "mitm", "port", "destination", "newexternalport", "newprotocol", "newinternalport", "rf cum", "newenabled", "addpo", "addportmapping", "whois lookups", "city", "orgdnshandle", "stateprov", "loudoun county", "postalcode", "text", "javascript", "b file", "files", "file type", "json", "graph", "t1064 executes", "modify system", "process t1543", "systemd service", "posts", "mitre att", "ta0002 command", "t1059", "create", "ta0004 create", "ip traffic", "hashes", "file system", "libmultipath", "devftwdt101", "devsda1 devsda2", "files deleted", "e procselffd9", "h devsda2", "created binsh", "shell commands", "binsh binsh", "binsh c", "i lo", "p m0755", "varrunsshd", "processes tree", "referrer", "pe resource", "cry kill", "formbook", "ransomworm", "wannacry kill", "switch dns", "password bypass", "account stealer", "hiddentear", "installer", "skynet", "get http", "memory pattern", "http requests", "request", "host", "cachecontrol", "response", "contentlength", "httponly", "samesitelax", "mofresourcename", "settingswpad", "registry keys", "hdaudiomofname", "acpimofresource", "mofresource", "registry", "kernel context", "runtime modules", "modules", "urls", "cloudflare", "domains", "ip detections", "country", "win32 exe", "mb pe", "mb graph", "summary", "pe32 executable", "ms windows", "intel", "ms visual", "win16 ne", "win32 dynamic", "link library", "vs98", "info compiler", "products id", "sp6 build", "header intel", "name md5", "type", "language", "contained", "r english", "yara rule", "et trojan", "domain http", "cape", "yara detections", "alerts", "logic", "status", "passive dns", "creation date", "scan endpoints", "all scoreblue", "hostname", "pulse submit", "url analysis", "date", "next", "as6167 verizon", "as22394 verizon", "showing", "entries", "aaaa", "cname", "asnone united", "whitelisted", "as20446", "as8075", "ipv4", "unknown", "emails", "expiration date", "name servers", "aaaa nxdomain", "ireland unknown", "nxdomain", "soa nxdomain", "ns nxdomain", "a nxdomain", "as8068", "united kingdom", "domain", "cve201717215", "huawei remote", "huawei hg532", "malware worm", "exploit none", "rce", "ate hash", "spyware", "adversary in the middle", "smugglers gambit", "hitmen", "hallrender", "sreredrum", "pegasus related", "brute force", "target tsara brashears", "brian sabey" ], "references": [ "Researched: 174.215.26.0/255 AS 6167 (CELLCO-PART) US | Swipper | Loudon County, Va | Ongoing attacks", "Highlighted Text: The following text was observed as standard output, \"[THEA-MALWARE]: Gimme Cum Pwease XD\"", "Trojan.Linux.Mirai.1 | Crime_Mirai | DDoS:Linux/Gafgyt.YA!MTB: FILEHASH - SHA256 a1eff1e00a7d532a6e6d71b3c5328e", "Antivirus Detections: ELF:Mirai-AHC\\ [Trj] , Unix.Trojan.Mirai-7100807-0 , DDoS:Linux/Gafgyt.YA!MTB", "IDS Detections: Huawei Remote Command Execution - Outbound (CVE-2017-17215)", "IDS Detections: Realtek SDK Miniigd UPnP SOAP Command Execution CVE-2014-8361 - Outbound", "Yara Detections: Mirai_Botnet_Malware", "High Priority Alerts: dead_host network_icmp osquery_detection network_irc nolookup_communication p2p_cnc", "Interesting Strings: http://schemas.xmlsoap.org/soap/encoding/ http://0.0.0.0/nope", "Interesting Strings: http://schemas.xmlsoap.org/soap/envelope/ 185.244.25.117 127.0.0.1", "ELF Info Header ELF32 2's complement, little endian 1 (current) UNIX - System V EXEC (Executable file) Intel 80386 0x1", "Matches rule Mirai_Botnet_Malware from ruleset crime_mirai by Florian Roth", "Matches rule Linux_Trojan_Mirai_b14f4c5d from ruleset Linux_Trojan_Mirai by Elastic Security", "Matches rule SUSP_XORed_Mozilla from ruleset gen_xor_hunting by Florian Roth", "Matches rule Linux_Trojan_Mirai_fa3ad9d0 from ruleset Linux_Trojan_Mirai by Elastic Security", "https://github.com/Neo23x0/signature-base/search?q=Mirai_Botnet_Malware Desc: Detects Mirai Botnet Malware RULE_AUTHOR: Florian Roth", "Crime_WannaCry | Ransom:Win32/WannaCrypt.H | FILEHASH - SHA256 86f7e04aed8403e6b9f0d4ae880a55f7574c1b177cf6c24234ffa992eadb2c52", "Yara Detections: WannaCry_Ransomware , Win32_Ransomware_WannaCry , Wanna_Cry_Ransomware_Generic ,", "Yara Detections: MS17_010_WanaCry_worm , NHS_Strain_Wanna , stack_string , MS_Visual_Cpp_6_0", "Alerts: nids_exploit_alert nids_malware_alert network_icmp nolookup_communication persistence_autorun network_cnc_http", "IDS Detections: W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1", "IDS Detections: Domain Sinkholed by Kryptos Logic (HTML Response)", "IDS Detections: Possible ETERNALBLUE Probe MS17-010 (MSF style)", "IDS Detections: Possible ETERNALBLUE Probe MS17-010 (Generic Flags)", "IDS Detections: ETERNALBLUE Probe Vulnerable System Response MS17-010", "IDS Detections: Observed DNS Query to Suspicious Domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com)", "IDS Detections: Behavioral Unusual Port 445 traffic Potential Scan or Infection", "Antivirus Detections Sf:WNCryLdr-A\\ [Trj] , Win.Ransomware.WannaCry-6313787-0 , Ransom:Win32/WannaCrypt.H" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "DDoS:Linux/Gafgyt.YA!MTB", "display_name": "DDoS:Linux/Gafgyt.YA!MTB", "target": "/malware/DDoS:Linux/Gafgyt.YA!MTB" }, { "id": "Unix.Trojan.Mirai-7100807-0", "display_name": "Unix.Trojan.Mirai-7100807-0", "target": null }, { "id": "ELF:Mirai-AHC\\ [Trj]", "display_name": "ELF:Mirai-AHC\\ [Trj]", "target": null }, { "id": "Sf:WNCryLdr-A\\ [Trj]", "display_name": "Sf:WNCryLdr-A\\ [Trj]", "target": null }, { "id": "Ransom:Win32/WannaCrypt.H", "display_name": "Ransom:Win32/WannaCrypt.H", "target": "/malware/Ransom:Win32/WannaCrypt.H" }, { "id": "Win.Ransomware.WannaCry-6313787-0", "display_name": "Win.Ransomware.WannaCry-6313787-0", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null } ], "attack_ids": [ { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" } ], "industries": [ "Government", "Healthcare", "Civilian Society" ], "TLP": "green", "cloned_from": null, "export_count": 41, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 2826, "CIDR": 2, "URL": 549, "email": 12, "hostname": 587, "FileHash-MD5": 806, "FileHash-SHA1": 791, "BitcoinAddress": 3, "domain": 388, "CVE": 4 }, "indicator_count": 5968, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "554 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65eadaae65b9123721198d08", "name": "Nivdort | Affected OTX accounts | Yotta Network (Cloned OTX user)", "description": "", "modified": "2024-04-06T23:03:19.046000", "created": "2024-03-08T09:30:22.295000", "tags": [ "methodpost", "threat", "iocs", "urls http", "samples", "cnc", "phishing", "ransom", "emotet", "fraud services", "command _and_control", "trojan", "scanning host", "active threat", "malicious", "date hash", "avast avg", "susp", "win32", "paste", "hostnames", "http response", "final url", "ip address", "status code", "body length", "b body", "headers date", "connection", "first", "utc submissions", "submitters", "computer", "company limited", "gandi sas", "ovh sas", "export", "summary iocs", "graph community", "limited", "yotta network", "gvb gelimed", "kb microsoft", "indonesia", "kyriazhs1975", "vj79", "bc https", "rexxfield", "brian sabey", "as21342", "united", "passive dns", "unknown", "scan endpoints", "all scoreblue", "ipv4", "pulse submit", "url analysis", "urls", "msie", "chrome", "creation date", "search", "dnssec", "entries", "body", "date", "as63949 linode", "mtb feb", "checkin m1", "gmt content", "type", "encrypt", "trojan", "artro", "moved", "pulse pulses", "yotta data", "yotta", "private limited", "india", "limited yotta", "number", "as140641", "network", "facebook", "info", "cisco umbrella", "site", "alexa top", "site top", "million", "safe site", "million alexa", "site safe", "cobalt strike", "malicious url", "blacknet rat", "union", "vidar", "malware", "stealer", "bank", "alexa", "deepscan", "phishing", "team", "super", "blacknet", "babar", "detection list", "blacklist http", "sample", "submission", "history first", "analysis", "utc http", "response final", "url http", "kb body", "path", "as396982 google", "bq mar", "win32cve mar", "exploit", "virtool", "status", "name servers", "emails", "servers", "next", "files", "as44273 host", "germany unknown", "expiration date", "showing", "win32upatre mar", "milehighmedia", "ids detections", "possible fake", "av checkin", "initial checkin", "checkin", "utah data", "center", "june", "data center", "responsible", "nsa utah", "march", "closeup view", "july", "view", "february", "prism", "cascade", "darpa", "twitter", "as20940", "aaaa", "as16625 akamai", "nxdomain", "whitelisted", "domain", "as54113", "msil", "cryp", "files show", "entries related", "domains", "as15169 google", "gmt cache", "sameorigin", "trojandropper", "asnone united", "title error", "porkbun", "mtb mar", "trojanspy", "installer", "loader", "hijacker", "targeting", "as30456", "sec ch", "for privacy", "ch ua", "hash avast", "avg clamav", "msdefender mar", "lowfi", "dns replication", "ip detections", "country", "contacted", "graph", "ssdeep", "file type", "html internet", "magic html", "ascii text", "trid file", "file size", "open threat", "learn", "html info", "exchange meta", "tags twitter", "alienvault", "script tags", "iframe tags", "google tag", "manager anchor", "iana", "whois lookup", "ipv4 address", "ripe ncc", "afrinic", "africa", "apnic", "asia pacific", "arin", "lacnic", "google", "amazon ec2", "email", "city", "server", "amazon data", "amazon", "code", "form", "po box", "tech", "show", "description ype", "collections", "partru", "execution", "fake host" ], "references": [ "Part II -Some users OTX accounts connected to the following | Unexpected revelation |", "Title Salzburg Airport | Public Operations Display Portal | http://quantum.emsbk.com/", "go.sabey.com | sabey.com | smear.cloud | w1.voyeurweb.com | Never stops...", "https://www.milehighmedia.com/legal/2257", "http://finishstrong.net/index.php?email=google_romania2000@yahoo.com&method=post&len", "http://schoolcare.dyndns.org/soap/ISCKeyUpdater", "http://callenjoy.net/index.php | watchhers.net | emails.redvue.com | nexus.devnautiluscloud.net | http://finishstrong.net/index.php?email=google_romania2000@yahoo.com&method=post&len", "http://45.159.189.105/bot/regex | http://46.109.184.5/search.htm | http://acycseiiqsau.org/ | emsbk.innocraft.cloud | jenkins.devnautiluscloud.net |", "hostmaster.hostmaster.hostmaster.cartography.midst.co.uk | message.htm.com | quantum.emsbk.com http://cms.static.hw.famedownload.com/famedigital/m/", "http://cms.static.hw.famedownload.com/famedigital/m/1b6j9enlerq8k4g8/header-big8.jpg", "CnC IP's: 104.200.21.37 | 106.14.226.91 | 192.187.111.221 | 198.58.118.167 | 208.100.26.245 | 34.174.78.212", "Cookies AWSALB h0mLG52+gDNUdBHb468xx6EZCua7FVRvlZWH7URKSKV27WSs637El46CBcw8RmPBxIAT2jqmmByDbnMIsYobUWhWbNadYFsxVQk/gVDcDfdixV/5aQn0VRon9gXO", "https://nsa.gov1.info/utah-data-center", "https://softwaremill.com/grpc-vs-rest/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "United Arab Emirates" ], "malware_families": [ { "id": "TrojanSpy:Win32/Nivdort.CW", "display_name": "TrojanSpy:Win32/Nivdort.CW", "target": "/malware/TrojanSpy:Win32/Nivdort.CW" }, { "id": "AndroidOverlayMalware - MOB-S0012", "display_name": "AndroidOverlayMalware - MOB-S0012", "target": null }, { "id": "#Lowfi:LUA:AutoItV3CraftedOverlay", "display_name": "#Lowfi:LUA:AutoItV3CraftedOverlay", "target": null }, { "id": "Crypt3.BWVY", "display_name": "Crypt3.BWVY", "target": null }, { "id": "Artro", "display_name": "Artro", "target": null }, { "id": "Worm:Win32/Mofksys.RND!MTB", "display_name": "Worm:Win32/Mofksys.RND!MTB", "target": "/malware/Worm:Win32/Mofksys.RND!MTB" }, { "id": "Trojan:Win32/Floxif.E", "display_name": "Trojan:Win32/Floxif.E", "target": "/malware/Trojan:Win32/Floxif.E" }, { "id": "BlackNET", "display_name": "BlackNET", "target": null }, { "id": "Babar", "display_name": "Babar", "target": null }, { "id": "Malware", "display_name": "Malware", "target": null }, { "id": "VirTool:Win32/Injector.gen!BQ", "display_name": "VirTool:Win32/Injector.gen!BQ", "target": "/malware/VirTool:Win32/Injector.gen!BQ" }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "#VirTool:Win32/Obfuscator.ADB", "display_name": "#VirTool:Win32/Obfuscator.ADB", "target": "/malware/#VirTool:Win32/Obfuscator.ADB" }, { "id": "Dropper.Generic_r.EC", "display_name": "Dropper.Generic_r.EC", "target": null }, { "id": "ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47", "display_name": "ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47", "target": null }, { "id": "ALF:Trojan:Win32/Zbot", "display_name": "ALF:Trojan:Win32/Zbot", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null } ], "attack_ids": [ { "id": "T1605", "name": "Command-Line Interface", "display_name": "T1605 - Command-Line Interface" }, { "id": "TA0037", "name": "Command and Control", "display_name": "TA0037 - Command and Control" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1156", "name": "Malicious Shell Modification", "display_name": "T1156 - Malicious Shell Modification" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1444", "name": "Masquerade as Legitimate Application", "display_name": "T1444 - Masquerade as Legitimate Application" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1583.004", "name": "Server", "display_name": "T1583.004 - Server" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" } ], "industries": [ "Civil Society", "Telecommunications", "Technology", "Financial" ], "TLP": "white", "cloned_from": "65ea56ae1992b02a25aa5c51", "export_count": 63, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6765, "FileHash-MD5": 688, "FileHash-SHA1": 422, "FileHash-SHA256": 3169, "domain": 2171, "hostname": 1714, "email": 11, "CVE": 2, "CIDR": 2 }, "indicator_count": 14944, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "742 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65ea56ae1992b02a25aa5c51", "name": "TrojanSpy:Win32/Nivdort | Affected OTX accounts | Yotta Network", "description": "Part II -Some users OTX accounts connected to the following | Unexpected revelation | A group of hackers masquerading as attorneys, government officials, advocates, fake nsa, security professional, help desk, etc. I don't know the association with otx.alienvault. Unauthorized logins OTX users. accounts. Deleted and modified pulses, etc. Needs further research for me to fully understand.", "modified": "2024-04-06T23:03:19.046000", "created": "2024-03-08T00:07:10.521000", "tags": [ "methodpost", "threat", "iocs", "urls http", "samples", "cnc", "phishing", "ransom", "emotet", "fraud services", "command _and_control", "trojan", "scanning host", "active threat", "malicious", "date hash", "avast avg", "susp", "win32", "paste", "hostnames", "http response", "final url", "ip address", "status code", "body length", "b body", "headers date", "connection", "first", "utc submissions", "submitters", "computer", "company limited", "gandi sas", "ovh sas", "export", "summary iocs", "graph community", "limited", "yotta network", "gvb gelimed", "kb microsoft", "indonesia", "kyriazhs1975", "vj79", "bc https", "rexxfield", "brian sabey", "as21342", "united", "passive dns", "unknown", "scan endpoints", "all scoreblue", "ipv4", "pulse submit", "url analysis", "urls", "msie", "chrome", "creation date", "search", "dnssec", "entries", "body", "date", "as63949 linode", "mtb feb", "checkin m1", "gmt content", "type", "encrypt", "trojan", "artro", "moved", "pulse pulses", "yotta data", "yotta", "private limited", "india", "limited yotta", "number", "as140641", "network", "facebook", "info", "cisco umbrella", "site", "alexa top", "site top", "million", "safe site", "million alexa", "site safe", "cobalt strike", "malicious url", "blacknet rat", "union", "vidar", "malware", "stealer", "bank", "alexa", "deepscan", "phishing", "team", "super", "blacknet", "babar", "detection list", "blacklist http", "sample", "submission", "history first", "analysis", "utc http", "response final", "url http", "kb body", "path", "as396982 google", "bq mar", "win32cve mar", "exploit", "virtool", "status", "name servers", "emails", "servers", "next", "files", "as44273 host", "germany unknown", "expiration date", "showing", "win32upatre mar", "milehighmedia", "ids detections", "possible fake", "av checkin", "initial checkin", "checkin", "utah data", "center", "june", "data center", "responsible", "nsa utah", "march", "closeup view", "july", "view", "february", "prism", "cascade", "darpa", "twitter", "as20940", "aaaa", "as16625 akamai", "nxdomain", "whitelisted", "domain", "as54113", "msil", "cryp", "files show", "entries related", "domains", "as15169 google", "gmt cache", "sameorigin", "trojandropper", "asnone united", "title error", "porkbun", "mtb mar", "trojanspy", "installer", "loader", "hijacker", "targeting", "as30456", "sec ch", "for privacy", "ch ua", "hash avast", "avg clamav", "msdefender mar", "lowfi", "dns replication", "ip detections", "country", "contacted", "graph", "ssdeep", "file type", "html internet", "magic html", "ascii text", "trid file", "file size", "open threat", "learn", "html info", "exchange meta", "tags twitter", "alienvault", "script tags", "iframe tags", "google tag", "manager anchor", "iana", "whois lookup", "ipv4 address", "ripe ncc", "afrinic", "africa", "apnic", "asia pacific", "arin", "lacnic", "google", "amazon ec2", "email", "city", "server", "amazon data", "amazon", "code", "form", "po box", "tech", "show", "description ype", "collections", "partru", "execution", "fake host" ], "references": [ "Part II -Some users OTX accounts connected to the following | Unexpected revelation |", "Title Salzburg Airport | Public Operations Display Portal | http://quantum.emsbk.com/", "go.sabey.com | sabey.com | smear.cloud | w1.voyeurweb.com | Never stops...", "https://www.milehighmedia.com/legal/2257", "http://finishstrong.net/index.php?email=google_romania2000@yahoo.com&method=post&len", "http://schoolcare.dyndns.org/soap/ISCKeyUpdater", "http://callenjoy.net/index.php | watchhers.net | emails.redvue.com | nexus.devnautiluscloud.net | http://finishstrong.net/index.php?email=google_romania2000@yahoo.com&method=post&len", "http://45.159.189.105/bot/regex | http://46.109.184.5/search.htm | http://acycseiiqsau.org/ | emsbk.innocraft.cloud | jenkins.devnautiluscloud.net |", "hostmaster.hostmaster.hostmaster.cartography.midst.co.uk | message.htm.com | quantum.emsbk.com http://cms.static.hw.famedownload.com/famedigital/m/", "http://cms.static.hw.famedownload.com/famedigital/m/1b6j9enlerq8k4g8/header-big8.jpg", "CnC IP's: 104.200.21.37 | 106.14.226.91 | 192.187.111.221 | 198.58.118.167 | 208.100.26.245 | 34.174.78.212", "Cookies AWSALB h0mLG52+gDNUdBHb468xx6EZCua7FVRvlZWH7URKSKV27WSs637El46CBcw8RmPBxIAT2jqmmByDbnMIsYobUWhWbNadYFsxVQk/gVDcDfdixV/5aQn0VRon9gXO", "https://nsa.gov1.info/utah-data-center", "https://softwaremill.com/grpc-vs-rest/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "United Arab Emirates" ], "malware_families": [ { "id": "TrojanSpy:Win32/Nivdort.CW", "display_name": "TrojanSpy:Win32/Nivdort.CW", "target": "/malware/TrojanSpy:Win32/Nivdort.CW" }, { "id": "AndroidOverlayMalware - MOB-S0012", "display_name": "AndroidOverlayMalware - MOB-S0012", "target": null }, { "id": "#Lowfi:LUA:AutoItV3CraftedOverlay", "display_name": "#Lowfi:LUA:AutoItV3CraftedOverlay", "target": null }, { "id": "Crypt3.BWVY", "display_name": "Crypt3.BWVY", "target": null }, { "id": "Artro", "display_name": "Artro", "target": null }, { "id": "Worm:Win32/Mofksys.RND!MTB", "display_name": "Worm:Win32/Mofksys.RND!MTB", "target": "/malware/Worm:Win32/Mofksys.RND!MTB" }, { "id": "Trojan:Win32/Floxif.E", "display_name": "Trojan:Win32/Floxif.E", "target": "/malware/Trojan:Win32/Floxif.E" }, { "id": "BlackNET", "display_name": "BlackNET", "target": null }, { "id": "Babar", "display_name": "Babar", "target": null }, { "id": "Malware", "display_name": "Malware", "target": null }, { "id": "VirTool:Win32/Injector.gen!BQ", "display_name": "VirTool:Win32/Injector.gen!BQ", "target": "/malware/VirTool:Win32/Injector.gen!BQ" }, { "id": "Win32:Malware-gen", "display_name": "Win32:Malware-gen", "target": null }, { "id": "#VirTool:Win32/Obfuscator.ADB", "display_name": "#VirTool:Win32/Obfuscator.ADB", "target": "/malware/#VirTool:Win32/Obfuscator.ADB" }, { "id": "Dropper.Generic_r.EC", "display_name": "Dropper.Generic_r.EC", "target": null }, { "id": "ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47", "display_name": "ALF:HeraklezEval:Trojan:Win32/Ymacco.AA47", "target": null }, { "id": "ALF:Trojan:Win32/Zbot", "display_name": "ALF:Trojan:Win32/Zbot", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null } ], "attack_ids": [ { "id": "T1605", "name": "Command-Line Interface", "display_name": "T1605 - Command-Line Interface" }, { "id": "TA0037", "name": "Command and Control", "display_name": "TA0037 - Command and Control" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1156", "name": "Malicious Shell Modification", "display_name": "T1156 - Malicious Shell Modification" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1444", "name": "Masquerade as Legitimate Application", "display_name": "T1444 - Masquerade as Legitimate Application" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1583.004", "name": "Server", "display_name": "T1583.004 - Server" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1410", "name": "Network Traffic Capture or Redirection", "display_name": "T1410 - Network Traffic Capture or Redirection" } ], "industries": [ "Civil Society", "Telecommunications", "Technology", "Financial" ], "TLP": "white", "cloned_from": null, "export_count": 59, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 6765, "FileHash-MD5": 688, "FileHash-SHA1": 422, "FileHash-SHA256": 3169, "domain": 2171, "hostname": 1714, "email": 11, "CVE": 2, "CIDR": 2 }, "indicator_count": 14944, "is_author": false, "is_subscribing": null, "subscriber_count": 231, "modified_text": "742 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "655686e2c072557f03e9cba2", "name": "https://myaccount.uscis.gov/ [pulse created by Octoseek]", "description": "", "modified": "2023-12-16T15:00:49.451000", "created": "2023-11-16T21:17:22.087000", "tags": [ "whois record", "ssl certificate", "whois whois", "communicating", "referrer", "ip address", "contacted", "pe resource", "historical ssl", "collections wow", "cobalt", "stealer", "quasar", "remcos", "ursnif", "fabookie", "name verdict", "exit", "node tcp", "traffic", "united", "et tor", "known tor", "relayrouter", "anonymizer", "tor known", "tor relayrouter", "cisco umbrella", "site", "safe site", "heur", "maltiverse", "million", "alexa top", "unsafe", "html", "team", "riskware", "malware", "phishing", "union", "bank", "outbreak", "downer", "shell", "mediamagnet", "sality", "swrort", "adaptivebee", "unruy", "iobit", "dropper", "trojanx", "artemis", "installcore", "webshell", "exploit", "crack", "webtoolbar", "detection list", "blacklist http", "september", "threat roundup", "execution", "metro", "formbook", "kgs0", "kls0", "blacklist https", "malicious site", "malware site", "phishing site", "download", "malicious", "azorult", "service", "runescape", "facebook", "genkryptik", "fuery", "wacatac", "alexa", "dbatloader", "nanocore rat", "agent tesla", "binder", "dridex", "hawkeye", "small", "netwire", "trojan", "redline stealer", "lumma stealer", "trojanspy", "redline", "lumma", "tsara brashears", "whois", "asn owner", "highly targeted", "relacionada", "lolkek", "emotet", "dark power", "wiper", "ransomware", "cobalt strike", "quasar rat", "core", "bitrat", "hacktool", "critical", "copy", "installer", "meta", "as15169 google", "aaaa", "a domains", "videosdewebcams", "search", "passive dns", "urls", "record value", "date", "certificate", "scan endpoints", "all octoseek", "pulse pulses", "files" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Germany" ], "malware_families": [ { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "Lumma", "display_name": "Lumma", "target": null } ], "attack_ids": [ { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "655650c9b2be6cc930c92cf3", "export_count": 102, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 204, "FileHash-SHA1": 182, "FileHash-SHA256": 6268, "URL": 13989, "domain": 3229, "hostname": 4412, "CVE": 19, "email": 3 }, "indicator_count": 28306, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "855 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65580c52bf98f256b6a01da6", "name": "https://myaccount.uscis.gov/", "description": "", "modified": "2023-12-16T15:00:49.451000", "created": "2023-11-18T00:58:58.944000", "tags": [ "whois record", "ssl certificate", "whois whois", "communicating", "referrer", "ip address", "contacted", "pe resource", "historical ssl", "collections wow", "cobalt", "stealer", "quasar", "remcos", "ursnif", "fabookie", "name verdict", "exit", "node tcp", "traffic", "united", "et tor", "known tor", "relayrouter", "anonymizer", "tor known", "tor relayrouter", "cisco umbrella", "site", "safe site", "heur", "maltiverse", "million", "alexa top", "unsafe", "html", "team", "riskware", "malware", "phishing", "union", "bank", "outbreak", "downer", "shell", "mediamagnet", "sality", "swrort", "adaptivebee", "unruy", "iobit", "dropper", "trojanx", "artemis", "installcore", "webshell", "exploit", "crack", "webtoolbar", "detection list", "blacklist http", "september", "threat roundup", "execution", "metro", "formbook", "kgs0", "kls0", "blacklist https", "malicious site", "malware site", "phishing site", "download", "malicious", "azorult", "service", "runescape", "facebook", "genkryptik", "fuery", "wacatac", "alexa", "dbatloader", "nanocore rat", "agent tesla", "binder", "dridex", "hawkeye", "small", "netwire", "trojan", "redline stealer", "lumma stealer", "trojanspy", "redline", "lumma", "tsara brashears", "whois", "asn owner", "highly targeted", "relacionada", "lolkek", "emotet", "dark power", "wiper", "ransomware", "cobalt strike", "quasar rat", "core", "bitrat", "hacktool", "critical", "copy", "installer", "meta", "as15169 google", "aaaa", "a domains", "videosdewebcams", "search", "passive dns", "urls", "record value", "date", "certificate", "scan endpoints", "all octoseek", "pulse pulses", "files" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Germany" ], "malware_families": [ { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "Lumma", "display_name": "Lumma", "target": null } ], "attack_ids": [ { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "655650c9b2be6cc930c92cf3", "export_count": 101, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 204, "FileHash-SHA1": 182, "FileHash-SHA256": 6268, "URL": 13989, "domain": 3229, "hostname": 4412, "CVE": 19, "email": 3 }, "indicator_count": 28306, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "855 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "656aac25a8a2caaddf0d3b88", "name": "https://myaccount.uscis.gov/", "description": "", "modified": "2023-12-16T15:00:49.451000", "created": "2023-12-02T04:01:41.427000", "tags": [ "whois record", "ssl certificate", "whois whois", "communicating", "referrer", "ip address", "contacted", "pe resource", "historical ssl", "collections wow", "cobalt", "stealer", "quasar", "remcos", "ursnif", "fabookie", "name verdict", "exit", "node tcp", "traffic", "united", "et tor", "known tor", "relayrouter", "anonymizer", "tor known", "tor relayrouter", "cisco umbrella", "site", "safe site", "heur", "maltiverse", "million", "alexa top", "unsafe", "html", "team", "riskware", "malware", "phishing", "union", "bank", "outbreak", "downer", "shell", "mediamagnet", "sality", "swrort", "adaptivebee", "unruy", "iobit", "dropper", "trojanx", "artemis", "installcore", "webshell", "exploit", "crack", "webtoolbar", "detection list", "blacklist http", "september", "threat roundup", "execution", "metro", "formbook", "kgs0", "kls0", "blacklist https", "malicious site", "malware site", "phishing site", "download", "malicious", "azorult", "service", "runescape", "facebook", "genkryptik", "fuery", "wacatac", "alexa", "dbatloader", "nanocore rat", "agent tesla", "binder", "dridex", "hawkeye", "small", "netwire", "trojan", "redline stealer", "lumma stealer", "trojanspy", "redline", "lumma", "tsara brashears", "whois", "asn owner", "highly targeted", "relacionada", "lolkek", "emotet", "dark power", "wiper", "ransomware", "cobalt strike", "quasar rat", "core", "bitrat", "hacktool", "critical", "copy", "installer", "meta", "as15169 google", "aaaa", "a domains", "videosdewebcams", "search", "passive dns", "urls", "record value", "date", "certificate", "scan endpoints", "all octoseek", "pulse pulses", "files" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Germany" ], "malware_families": [ { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "Lumma", "display_name": "Lumma", "target": null } ], "attack_ids": [ { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "655652f6ddcbf952a599cded", "export_count": 93, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 204, "FileHash-SHA1": 182, "FileHash-SHA256": 6268, "URL": 13989, "domain": 3229, "hostname": 4412, "CVE": 19, "email": 3 }, "indicator_count": 28306, "is_author": false, "is_subscribing": null, "subscriber_count": 227, "modified_text": "855 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "655657ca2e402d4f98283de9", "name": "https://myaccount.uscis.gov/ ", "description": "", "modified": "2023-12-16T15:00:49.451000", "created": "2023-11-16T17:56:26.312000", "tags": [ "whois record", "ssl certificate", "whois whois", "communicating", "referrer", "ip address", "contacted", "pe resource", "historical ssl", "collections wow", "cobalt", "stealer", "quasar", "remcos", "ursnif", "fabookie", "name verdict", "exit", "node tcp", "traffic", "united", "et tor", "known tor", "relayrouter", "anonymizer", "tor known", "tor relayrouter", "cisco umbrella", "site", "safe site", "heur", "maltiverse", "million", "alexa top", "unsafe", "html", "team", "riskware", "malware", "phishing", "union", "bank", "outbreak", "downer", "shell", "mediamagnet", "sality", "swrort", "adaptivebee", "unruy", "iobit", "dropper", "trojanx", "artemis", "installcore", "webshell", "exploit", "crack", "webtoolbar", "detection list", "blacklist http", "september", "threat roundup", "execution", "metro", "formbook", "kgs0", "kls0", "blacklist https", "malicious site", "malware site", "phishing site", "download", "malicious", "azorult", "service", "runescape", "facebook", "genkryptik", "fuery", "wacatac", "alexa", "dbatloader", "nanocore rat", "agent tesla", "binder", "dridex", "hawkeye", "small", "netwire", "trojan", "redline stealer", "lumma stealer", "trojanspy", "redline", "lumma", "tsara brashears", "whois", "asn owner", "highly targeted", "relacionada", "lolkek", "emotet", "dark power", "wiper", "ransomware", "cobalt strike", "quasar rat", "core", "bitrat", "hacktool", "critical", "copy", "installer", "meta", "as15169 google", "aaaa", "a domains", "videosdewebcams", "search", "passive dns", "urls", "record value", "date", "certificate", "scan endpoints", "all octoseek", "pulse pulses", "files" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Germany" ], "malware_families": [ { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "Lumma", "display_name": "Lumma", "target": null } ], "attack_ids": [ { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "655650c9b2be6cc930c92cf3", "export_count": 100, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 204, "FileHash-SHA1": 182, "FileHash-SHA256": 6268, "URL": 13989, "domain": 3229, "hostname": 4412, "CVE": 19, "email": 3 }, "indicator_count": 28306, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "855 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65565477da453c46f05a6ac4", "name": "BTW VirusTotal - \" interesting files written to disk during execution'", "description": "", "modified": "2023-12-16T15:00:49.451000", "created": "2023-11-16T17:42:15.123000", "tags": [ "whois record", "ssl certificate", "whois whois", "communicating", "referrer", "ip address", "contacted", "pe resource", "historical ssl", "collections wow", "cobalt", "stealer", "quasar", "remcos", "ursnif", "fabookie", "name verdict", "exit", "node tcp", "traffic", "united", "et tor", "known tor", "relayrouter", "anonymizer", "tor known", "tor relayrouter", "cisco umbrella", "site", "safe site", "heur", "maltiverse", "million", "alexa top", "unsafe", "html", "team", "riskware", "malware", "phishing", "union", "bank", "outbreak", "downer", "shell", "mediamagnet", "sality", "swrort", "adaptivebee", "unruy", "iobit", "dropper", "trojanx", "artemis", "installcore", "webshell", "exploit", "crack", "webtoolbar", "detection list", "blacklist http", "september", "threat roundup", "execution", "metro", "formbook", "kgs0", "kls0", "blacklist https", "malicious site", "malware site", "phishing site", "download", "malicious", "azorult", "service", "runescape", "facebook", "genkryptik", "fuery", "wacatac", "alexa", "dbatloader", "nanocore rat", "agent tesla", "binder", "dridex", "hawkeye", "small", "netwire", "trojan", "redline stealer", "lumma stealer", "trojanspy", "redline", "lumma", "tsara brashears", "whois", "asn owner", "highly targeted", "relacionada", "lolkek", "emotet", "dark power", "wiper", "ransomware", "cobalt strike", "quasar rat", "core", "bitrat", "hacktool", "critical", "copy", "installer", "meta", "as15169 google", "aaaa", "a domains", "videosdewebcams", "search", "passive dns", "urls", "record value", "date", "certificate", "scan endpoints", "all octoseek", "pulse pulses", "files" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Germany" ], "malware_families": [ { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "Lumma", "display_name": "Lumma", "target": null } ], "attack_ids": [ { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "655650c9b2be6cc930c92cf3", "export_count": 101, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 204, "FileHash-SHA1": 182, "FileHash-SHA256": 6268, "URL": 13989, "domain": 3229, "hostname": 4412, "CVE": 19, "email": 3 }, "indicator_count": 28306, "is_author": false, "is_subscribing": null, "subscriber_count": 223, "modified_text": "855 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "655652f6ddcbf952a599cded", "name": "https://myaccount.uscis.gov/", "description": "After Mark Montano Md reported alleged acts by Jeffrey Scott Reimer after receiving 'multiple' reports of him aggressively pursuing Brashears, she was contacted, told she violated the Patriot Act by Big O Tires?!! Received letters from the above and harassed for years. Colorado Workers compensation is so corrupt this may be my last post. She was immediately framed , blamed, porn smeared and stalked. Denied medical care , when received died on surgery table, revised and disabled. Even the mafia would tackle only the associates bringing undue negative attention to their own organization.", "modified": "2023-12-16T15:00:49.451000", "created": "2023-11-16T17:35:50.285000", "tags": [ "whois record", "ssl certificate", "whois whois", "communicating", "referrer", "ip address", "contacted", "pe resource", "historical ssl", "collections wow", "cobalt", "stealer", "quasar", "remcos", "ursnif", "fabookie", "name verdict", "exit", "node tcp", "traffic", "united", "et tor", "known tor", "relayrouter", "anonymizer", "tor known", "tor relayrouter", "cisco umbrella", "site", "safe site", "heur", "maltiverse", "million", "alexa top", "unsafe", "html", "team", "riskware", "malware", "phishing", "union", "bank", "outbreak", "downer", "shell", "mediamagnet", "sality", "swrort", "adaptivebee", "unruy", "iobit", "dropper", "trojanx", "artemis", "installcore", "webshell", "exploit", "crack", "webtoolbar", "detection list", "blacklist http", "september", "threat roundup", "execution", "metro", "formbook", "kgs0", "kls0", "blacklist https", "malicious site", "malware site", "phishing site", "download", "malicious", "azorult", "service", "runescape", "facebook", "genkryptik", "fuery", "wacatac", "alexa", "dbatloader", "nanocore rat", "agent tesla", "binder", "dridex", "hawkeye", "small", "netwire", "trojan", "redline stealer", "lumma stealer", "trojanspy", "redline", "lumma", "tsara brashears", "whois", "asn owner", "highly targeted", "relacionada", "lolkek", "emotet", "dark power", "wiper", "ransomware", "cobalt strike", "quasar rat", "core", "bitrat", "hacktool", "critical", "copy", "installer", "meta", "as15169 google", "aaaa", "a domains", "videosdewebcams", "search", "passive dns", "urls", "record value", "date", "certificate", "scan endpoints", "all octoseek", "pulse pulses", "files" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Germany" ], "malware_families": [ { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "Lumma", "display_name": "Lumma", "target": null } ], "attack_ids": [ { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 100, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 204, "FileHash-SHA1": 182, "FileHash-SHA256": 6268, "URL": 13989, "domain": 3229, "hostname": 4412, "CVE": 19, "email": 3 }, "indicator_count": 28306, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "855 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "655650c9b2be6cc930c92cf3", "name": "https://myaccount.uscis.gov/", "description": "HOW!?!? My device was remotely logged into this account somehow.\nThis is egregious. Silence Threats. I have no connection to this but was contacted by a while ago. I don't know how or why a part of the government would attack a person with a TBI and C1 - S1 Spinal cord injury allegedly caused by Colorado physical therapist and protect him. Why is victim, tracked and unsafe, receiving death threats, monitored, denied medical care, stalked EVERYWHERE. \nEven felons aren't monitored for life. STOP.\nWill this get us killed. Do the right thing.\nGod bless America, purge the government.\nThe truth should set you fee not get you harmed.", "modified": "2023-12-16T15:00:49.451000", "created": "2023-11-16T17:26:33", "tags": [ "whois record", "ssl certificate", "whois whois", "communicating", "referrer", "ip address", "contacted", "pe resource", "historical ssl", "collections wow", "cobalt", "stealer", "quasar", "remcos", "ursnif", "fabookie", "name verdict", "exit", "node tcp", "traffic", "united", "et tor", "known tor", "relayrouter", "anonymizer", "tor known", "tor relayrouter", "cisco umbrella", "site", "safe site", "heur", "maltiverse", "million", "alexa top", "unsafe", "html", "team", "riskware", "malware", "phishing", "union", "bank", "outbreak", "downer", "shell", "mediamagnet", "sality", "swrort", "adaptivebee", "unruy", "iobit", "dropper", "trojanx", "artemis", "installcore", "webshell", "exploit", "crack", "webtoolbar", "detection list", "blacklist http", "september", "threat roundup", "execution", "metro", "formbook", "kgs0", "kls0", "blacklist https", "malicious site", "malware site", "phishing site", "download", "malicious", "azorult", "service", "runescape", "facebook", "genkryptik", "fuery", "wacatac", "alexa", "dbatloader", "nanocore rat", "agent tesla", "binder", "dridex", "hawkeye", "small", "netwire", "trojan", "redline stealer", "lumma stealer", "trojanspy", "redline", "lumma", "tsara brashears", "whois", "asn owner", "highly targeted", "relacionada", "lolkek", "emotet", "dark power", "wiper", "ransomware", "cobalt strike", "quasar rat", "core", "bitrat", "hacktool", "critical", "copy", "installer", "meta", "as15169 google", "aaaa", "a domains", "videosdewebcams", "search", "passive dns", "urls", "record value", "date", "certificate", "scan endpoints", "all octoseek", "pulse pulses", "files" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Germany" ], "malware_families": [ { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null }, { "id": "RedLine", "display_name": "RedLine", "target": null }, { "id": "Lumma", "display_name": "Lumma", "target": null } ], "attack_ids": [ { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 102, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 204, "FileHash-SHA1": 182, "FileHash-SHA256": 6268, "URL": 13989, "domain": 3229, "hostname": 4412, "CVE": 19, "email": 3 }, "indicator_count": 28306, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "855 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a161f0681f4ff3d67feb", "name": "Pool's Closed (by @scnrscnr)", "description": "", "modified": "2023-12-06T16:29:21.844000", "created": "2023-12-06T16:29:21.844000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 7844, "FileHash-MD5": 562, "FileHash-SHA1": 429, "URL": 22749, "hostname": 9461, "domain": 4578, "SSLCertFingerprint": 20, "CIDR": 32, "email": 3, "CVE": 2 }, "indicator_count": 45680, "is_author": false, "is_subscribing": null, "subscriber_count": 111, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a145926a5676de0e2a1a", "name": "Pool's Closed (by @scnrscnr)", "description": "", "modified": "2023-12-06T16:28:53.979000", "created": "2023-12-06T16:28:53.979000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 7844, "FileHash-MD5": 562, "FileHash-SHA1": 429, "URL": 22749, "hostname": 9461, "domain": 4578, "SSLCertFingerprint": 20, "CIDR": 32, "email": 3, "CVE": 2 }, "indicator_count": 45680, "is_author": false, "is_subscribing": null, "subscriber_count": 111, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "657098da69092274d6ba0e32", "name": "grapher", "description": "", "modified": "2023-12-06T15:52:58.296000", "created": "2023-12-06T15:52:58.296000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1183, "domain": 106, "hostname": 287, "URL": 873, "FileHash-MD5": 244, "FileHash-SHA1": 244 }, "indicator_count": 2937, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "657095584e3e8573cf5ecac2", "name": "Graph", "description": "", "modified": "2023-12-06T15:38:00.344000", "created": "2023-12-06T15:38:00.344000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1183, "domain": 106, "hostname": 287, "URL": 873, "FileHash-MD5": 244, "FileHash-SHA1": 244 }, "indicator_count": 2937, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65708122b0514054bd29b713", "name": "a.pub.network:timcast-com:pubfig.min.js", "description": "", "modified": "2023-12-06T14:11:46.462000", "created": "2023-12-06T14:11:46.462000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "domain": 416, "URL": 2786, "FileHash-SHA256": 955, "hostname": 1095, "SSLCertFingerprint": 14, "FileHash-MD5": 66, "FileHash-SHA1": 24, "CIDR": 5, "email": 1 }, "indicator_count": 5363, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65707e5b7df6f60133e8fb50", "name": "Jeeng / Powerbox", "description": "", "modified": "2023-12-06T13:59:55.129000", "created": "2023-12-06T13:59:55.129000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 3, "FileHash-SHA256": 9072, "domain": 2500, "hostname": 3584, "URL": 13548, "FileHash-MD5": 197, "FileHash-SHA1": 162, "email": 19, "CIDR": 20, "SSLCertFingerprint": 2, "BitcoinAddress": 1 }, "indicator_count": 29108, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65707bf3841fe9f857870735", "name": "Jack Posobiec\u2019s Pay-share.com Bonanza", "description": "", "modified": "2023-12-06T13:49:39.465000", "created": "2023-12-06T13:49:39.465000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3887, "hostname": 1423, "domain": 675, "FileHash-SHA256": 2044, "FileHash-MD5": 245, "FileHash-SHA1": 212, "CIDR": 18, "email": 10, "CVE": 3, "SSLCertFingerprint": 6 }, "indicator_count": 8523, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65707b9630308cb99a817277", "name": "Pool's Closed", "description": "", "modified": "2023-12-06T13:48:06.514000", "created": "2023-12-06T13:48:06.514000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 7844, "FileHash-MD5": 562, "FileHash-SHA1": 429, "URL": 22749, "hostname": 9461, "domain": 4578, "SSLCertFingerprint": 20, "CIDR": 32, "email": 3, "CVE": 2 }, "indicator_count": 45680, "is_author": false, "is_subscribing": null, "subscriber_count": 111, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "64f37719db054ccde25aa9df", "name": "Pool's Closed (by @scnrscnr)", "description": "", "modified": "2023-09-02T17:55:37.269000", "created": "2023-09-02T17:55:37.269000", "tags": [ "Timothy Pool", "Christopher Pool", "Pool's Closed" ], "references": [ "Pool Closed", "Pool's Closed" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Media", "ad fraud" ], "TLP": "white", "cloned_from": "5fa57698ac0f6638b7b9a8ba", "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 7851, "URL": 23098, "hostname": 9521, "domain": 4595, "SSLCertFingerprint": 22, "FileHash-MD5": 564, "FileHash-SHA1": 432, "CIDR": 32, "email": 3, "CVE": 2 }, "indicator_count": 46120, "is_author": false, "is_subscribing": null, "subscriber_count": 221, "modified_text": "960 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "64f3771616d9a9891947e4df", "name": "Pool's Closed (by @scnrscnr)", "description": "", "modified": "2023-09-02T17:55:34.095000", "created": "2023-09-02T17:55:34.095000", "tags": [ "Timothy Pool", "Christopher Pool", "Pool's Closed" ], "references": [ "Pool Closed", "Pool's Closed" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Media", "ad fraud" ], "TLP": "white", "cloned_from": "5fa57698ac0f6638b7b9a8ba", "export_count": 15, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 7851, "URL": 23098, "hostname": 9521, "domain": 4595, "SSLCertFingerprint": 22, "FileHash-MD5": 564, "FileHash-SHA1": 432, "CIDR": 32, "email": 3, "CVE": 2 }, "indicator_count": 46120, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "960 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "641a6d8fab7252498bb2d3db", "name": "grapher", "description": "", "modified": "2023-03-22T02:53:12.826000", "created": "2023-03-22T02:53:03.077000", "tags": [ "roxio creator", "ipp id", "winzip", "global", "trackerurlhttps", "winzip25", "winzip26", "nxt5", "nxt7", "nxt8", "entity" ], "references": [ "https://www.virustotal.com/graph/gdc07fb14cc0e432fa996f01b58fecf8cd97ec785c28e4ba38ab7703e65e43c8e", "trkcfg.ini", "dorkingbeauty1 - Uploading app data TMP files from Lenovo IdeaPad fully updated (apparently) - files.json" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "63a13d01d5e9794cfde438da", "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": true, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "1111.1111", "id": "227366", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 873, "hostname": 287, "domain": 106, "FileHash-SHA256": 1183, "FileHash-MD5": 244, "FileHash-SHA1": 244 }, "indicator_count": 2937, "is_author": false, "is_subscribing": null, "subscriber_count": 38, "modified_text": "1124 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "63a13d01d5e9794cfde438da", "name": "Graph", "description": "https://www.virustotal.com/gui/collection/af71f2cbd4c4a2a04f6c1a781506662e8b8ca56b6faeab665e392355ff6afc0c", "modified": "2023-01-19T04:03:03.278000", "created": "2022-12-20T04:41:37.401000", "tags": [ "roxio creator", "ipp id", "winzip", "global", "trackerurlhttps", "winzip25", "winzip26", "nxt5", "nxt7", "nxt8", "entity" ], "references": [ "https://www.virustotal.com/graph/gdc07fb14cc0e432fa996f01b58fecf8cd97ec785c28e4ba38ab7703e65e43c8e", "trkcfg.ini", "dorkingbeauty1 - Uploading app data TMP files from Lenovo IdeaPad fully updated (apparently) - files.json" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 36, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "callmeDoris", "id": "205385", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 873, "hostname": 287, "domain": 106, "FileHash-SHA256": 1183, "FileHash-MD5": 244, "FileHash-SHA1": 244 }, "indicator_count": 2937, "is_author": false, "is_subscribing": null, "subscriber_count": 94, "modified_text": "1186 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "62298f3e6e3fb7012a880988", "name": "a.pub.network:timcast-com:pubfig.min.js", "description": "a.pub.network:timcast-com:pubfig.min.js.webloc", "modified": "2022-06-12T22:01:23.105000", "created": "2022-03-10T05:40:14.909000", "tags": [], "references": [ "a.pub.network:timcast-com:pubfig.min.js.webloc" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scnrscnr", "id": "126475", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_126475/resized/80/avatar_67ca5b7bae.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2786, "FileHash-SHA256": 955, "hostname": 1095, "FileHash-MD5": 66, "FileHash-SHA1": 24, "domain": 416, "email": 1, "CIDR": 5, "SSLCertFingerprint": 14, "CVE": 1 }, "indicator_count": 5363, "is_author": false, "is_subscribing": null, "subscriber_count": 91, "modified_text": "1407 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "620c3b1f8af7ea0dcf2c1218", "name": "Jeeng / Powerbox", "description": "", "modified": "2022-06-12T22:01:23.105000", "created": "2022-02-15T23:45:35.234000", "tags": [ "Jeeng", "tim pool", "timcast" ], "references": [ "cf20ed53-cb6d-4dfd-a4e8-794fbe163efc.pcap" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scnrscnr", "id": "126475", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_126475/resized/80/avatar_67ca5b7bae.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 9072, "domain": 2500, "URL": 13548, "hostname": 3584, "FileHash-MD5": 197, "FileHash-SHA1": 162, "CVE": 3, "CIDR": 20, "SSLCertFingerprint": 2, "email": 19, "BitcoinAddress": 1 }, "indicator_count": 29108, "is_author": false, "is_subscribing": null, "subscriber_count": 97, "modified_text": "1407 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "60e6c1075f3f5592cb7d80d2", "name": "Jack Posobiec\u2019s Pay-share.com Bonanza", "description": "Looks like a dead site, talks like a dead site, walks like a dead site, isn\u2019t a dead nor parked site.", "modified": "2022-06-09T00:00:13.607000", "created": "2021-07-08T09:10:31.087000", "tags": [ "enable javascript", "browser", "internet explorer", "firefox", "chrome", "safari", "opera", "codes fire", "stick tricks", "coupons knoji", "discount codes", "best uk", "hosting omega", "media hoekbank", "leasen", "writers per", "hour frskrat" ], "references": [ "https://www.pay-share.com/", "http://www.enable-javascript.com/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scnrscnr", "id": "126475", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_126475/resized/80/avatar_67ca5b7bae.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3887, "hostname": 1423, "FileHash-SHA256": 2044, "domain": 675, "FileHash-MD5": 245, "FileHash-SHA1": 212, "CIDR": 18, "email": 10, "CVE": 3, "SSLCertFingerprint": 6 }, "indicator_count": 8523, "is_author": false, "is_subscribing": null, "subscriber_count": 99, "modified_text": "1410 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "cvename.cg | https://cve.mitre.org/cgi | https://cve.mitre.org/cgi-bin/cvename.cg... | https://cve.mitre.org/cgi-bin/cvename.cgi?nam...", "Interesting Strings: http://schemas.xmlsoap.org/soap/envelope/ 185.244.25.117 127.0.0.1", "https://wallpapers-nature.com/tsara-brashears/urlscan-io https://www.sweetheartvideo.com/tsara-brashears", "https://omodeling.wpenginepowered.com/wp-content/uploads/2020/07/modelhub-pornhub-sell-nudes-1024x57", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead/. http://www.music-forum.org/www-cixiu888-com-tsara-brashears.html", "Source : Binary File ATT&CK ID T1566.002", "Detected Non-Google domain serving Google homepage details", "http://amp.mypornvid.fun/videos/2/SLFGMWoQaCU/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears", "https://activationskey.net/passfab-iphone-cracked-free-keys-2022 https://crackedvst.info/ui crackedvst.info: http://www.crackidea.net/", "http://cracx.net/fonepaw-iphone-data-recovery-3-8-0-crack/ | Malware: 74.208.236.140 malacrack.org ns2.filescrack.com ns1.filescrack.com", "www.endgame.com [Threatening] | https://mobisoft.info/dfx-audio-enhancer-crack | https://mobisoft.info/passfab-iphone-unlocker-key", "a-fondness-for-beauty.com", "Yara Detections: LZMA , UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , UPXv20MarkusLaszloReiser , UPX", "http://pornstarsporno.net/tsara-brashears.html http://vtwctr.org/explore/inmate-tsara-brashears/", "Trojan:Win32/Salgorea: FileHash-SHA256 e82334440ceddd927f35831fda83594f3657ca56187f7f7ddd7d60cba1be793", "https://thebrotherssabey.com/2016/03/12/how | https://thebrotherssabey.com/2016/01/18/ballroom", "HTML contains suspicious external redirect patterns details Suspicious redirect patterns detected: Redirect Types: Delayed Redirect Redirects to: /doodles/ Suspicious", "ALF:Trojan:Win32/Cassini_f28c33a2:\tFileHash-SHA256 6fc35cb8e18f0d9d72bc1a7037ae88f8036362799f930a1a30e290d31be3b216", "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 | itunes.apple.com", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/00734b135321562e7e0df7c2f8eb554435cc25c47f46747f79fc2116ac2cc6ef", "Pool Closed", "Alerts: procmem_yara creates_largekey process_creation_suspicious_location network_bind cape_extracted_content", "bfxxxhindi.to | https://www.anyxxxtube.net/search-porn/tsara-brashears/", "iobit: https://ezcrack.info/iobit-uninstaller-pro-crack | https://ezcrack.info/iobit-uninstaller-pro-crack/", "http://pixelrz.com/lists/keywords/%20dr-jeffrey-reimer-dpt-funds-tsara-brashears/ https://xlxx.mobi", "http://softwarezpro.net/wp-content/themes/wellington/assets/js/navigation.min.js?ver=20220224 | crackedvst.info", "http://pickyhot.disqus.com/ \u2022 https://www.teslarati.com/tesla-hackers \u2022 https://pickyhot.disqus.com/tsara-brashears", "IDS Detections: Realtek SDK Miniigd UPnP SOAP Command Execution CVE-2014-8361 - Outbound", "Domain match: \"media-mbst-pub-ue1.s3.amazonaws.com\" possible high risk indicator. Commonly abused for malicious purposes. .", "Parked: www.easycrypto.team | 'Parking Crew' ? Several names exist for advesarial 'Parking Hacker Groups' parking.namesilo.com", "IDS Detections: W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1", "http://callenjoy.net/index.php | watchhers.net | emails.redvue.com | nexus.devnautiluscloud.net | http://finishstrong.net/index.php?email=google_romania2000@yahoo.com&method=post&len", "CnC IP's: 104.200.21.37 | 106.14.226.91 | 192.187.111.221 | 198.58.118.167 | 208.100.26.245 | 34.174.78.212", "https://www.teslarati.com/tesla-model-s-hitch-torklift-ecohitch-3-year-update/", "http://sexiezpics.com/tsara-brashears-hardcore-porn | https://www.sweetheartvideo.com/tsara-brashearsAccept-Language", "http://itsupport.sabey.com http://www.sabey.com | http://root.sabeydatacenters.com/ | http://server1.sabeydatacenters.com | http://smtp1.sabeydatacenters.com No Expiration\t http://smtps.sabeydatacenters.com | http://smtpseguro.sabeydatacenters.com", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net https://www.sweetheartvideo.com/tsara-brashears/", "https://forums.teslarati.com/threads/humanlike-ai-robot-sophia-calls-out-elon-musk-during-live-interview.4970/", "nr-data.net [Apple Private Data Collection]", "Trojan:Win32/Glupteba: FileHash-SHA256 5e7fdbc4c66fbefd6aa95047a56c709765f18b3a3a65d5942acb4e4349b09039", "http://crackedvst.info/plugin-alliance-bundle-crack/: sedoparking.com | sedoparking.com/frmpark/ -", "root.sabeydatacenters.com | server1.sabeydatacenters.com | smtps.sabeydatacenters.com | smtpseguro.sabeydatacenters.com", "hostmaster.hostmaster.hostmaster.cartography.midst.co.uk | message.htm.com | quantum.emsbk.com http://cms.static.hw.famedownload.com/famedigital/m/", "uat.drw.hcahealthcare.cloud | developers.t-mobile.pl | kwvjuemg.exe", "Alerts: network_cnc_https_generic powershell_download powershell_request enumerates_running_processes stealth_window", "https://softwaremill.com/grpc-vs-rest/", "https://thebrotherssabey.com/author/thebrotherssabey/ | https://thebrotherssabey.com/category/homosexuality", "https://urlscan.io/domain/cdn2e-videos2.yjcontentdelivery.com | http://videolal.com/jeffrey-reimer-dpt-assaulted-tsara-brashears-denver.html", "https://www.teslarati.com/tesla-lands-87-million-megapack-belgium/", "http://pixelrz.com/lists/keywords/tsara-brashears-assaulted-at-concentra/ http://pornohata.com/mov/tsara-brashears/", "http://staging.sabeydatacenters.com | https://sabey.com/careers/ | https://vpn2.sabey.com | https://www.sabey.com | https://www.vpn.sabey.com |", "remote.files.downloadnow-1.com | remote.sabeydatacenters.com | poczta.sabeydatacenters.com | pop.sabeydatacenters.com", "Researched: 174.215.26.0/255 AS 6167 (CELLCO-PART) US | Swipper | Loudon County, Va | Ongoing attacks", "TrojanDropper:Win32/Muldrop: FileHash-SHA256 bf8e919cf6ce208f1c2f98f07df835099f14e2f8708197b0165479468079d902", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29059 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29059\\", "http://pixelrz.com/lists/keywords/tsara-brashears-assaulted-by-jeffrey-reimer http://pixelrz.com/lists/keywords/brashears-tsara-buzz-news", "Ranks high in search results because device is typically compromised with Convection engine and Keyword Tool", "#LowFiCreateRemoteThread: FileHash-SHA256 0ab94d890afef8ebae42007a119a8686f71bdd9bdf357262481daa7c9c7a283e", "www.sexpornimages.com http://hicksandchicks.org/ju/tsara-brashears/ hlebo.mobi pornpx.com www.potnhub.org", "iobit: https://cracxfree.com/iobit-malware-fighter-pro-2/ | http://activationskey.net/wp-content/uploads/2021/02/download-2-7.jpg", "http://videolal.com/jeffrey-reimer-dpt-assaulted-tsara-brashears-denver.html", "http://pixelrz.com/lists/keywords/tsara-brashears-massage-misconduct-misconception http://pixelrz.com/lists/keywords/tsara-brashears-dead/ http://orangeporntube.net/tsara-brashears.html", "http://kompoz.me/find/tsara-brashears-submission-on-august-27-via-manual/ http://redpornvideos.net/tsara-brashears.html", "IDS Detections: ETERNALBLUE Probe Vulnerable System Response MS17-010", "Female states title as \u2018intern\u2019 dropped false information at front desk of CBI. Claims target ID theft victim. True", "http://videolal.co/videos/jeffrey-reimer-dpt-assaulted-tsara-brashears-concentra-medic", "Detected Google homepage HTML served from suspicious domain Matched required Google homepage markers", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead/ | http://videolal.com/tsara-brashears-dead-by-daylight.html", "https://cdn.teslarati.com \u2022 https://forums.teslarati.com/", "20work.a-poster.info a-poster.info: 250awork.a-poster.info a-poster.info: 252fwork.a-poster.info a-poster.info: a-poster.info:", "http://hghltd.yandex.net/yandbtm?fmode=inject&url=http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer", "bfxxxhindi.to www.bfxxxhindi.to https://www.bfxxxhindi.to tsara brashears bfxxxhindi.to https://www.bfxxxhindi.to/trend/eaUvPMTg3NzMytY07Q/", "https://thebrotherssabey.com/2018/12/05/nature | https://thebrotherssabey.com/2019/01/20/miracle/ | https://thebrotherssabey.com/20", "onlyindianporn.tv | sexpornimages.com | http://www.sexpornimages.com/hillary/hillary-clinton", "https://mypornvid.fun/videos/3/o00vnGgcVx0/dude-sex-fuck-a-deer-wapporn-video-com/fuck-deer", "CBI (Colorado) - target believes she was redirected to malicious actors. Staffers not found in directory.", "https://thebrotherssabey.com/category/pregnancy | https://thebrotherssabey.com/category/homosexuality", "https://wallpapers-nature.com/ https://wallpapers-nature.com/%20tsara-brashears/urlscan-io", "http://onlyindianporn.tv/videos/jeffrey-reimer-dpt-assaulted-tsara-brashears-concent | http://wapwon.live/category/tsara-brashears-assaulted-by-jeffrey-reimerAccept-Languauge", "http://siteinlink.d1.cnbd.net/site/maps.google.com.lb/ | https://www.applefilmaker.com | https://www.applefilmaker.com/1odbU3D", "cf20ed53-cb6d-4dfd-a4e8-794fbe163efc.pcap", "Redirect (Delayed Redirect): setTimeout(function(){location.href= source Binary File relevance 10/10 ATT&CK ID T1189", "https://github.com/Neo23x0/signature-base/search?q=Mirai_Botnet_Malware Desc: Detects Mirai Botnet Malware RULE_AUTHOR: Florian Roth", "dorkingbeauty1 - Uploading app data TMP files from Lenovo IdeaPad fully updated (apparently) - files.json", "Alerts: nids_exploit_alert nids_malware_alert network_icmp nolookup_communication persistence_autorun network_cnc_http", "http://videolal.com/videos/jeffrey-reimer-dpt-assaulted-tsara-brashears-massage-misconduct-miscinception.html", "aeuwa03.devtest.call2.team | mike@softwarezpro1.txt | softwarezpro.net | www.softwarezpro.net | mike@ hijacked targets device Attacked!", "Tulach IP: 114.114.114.114", "Antivirus Detections Sf:WNCryLdr-A\\ [Trj] , Win.Ransomware.WannaCry-6313787-0 , Ransom:Win32/WannaCrypt.H", "https://SafeBae.org | https://www.sweetheartvideo.com/tsara-brashearsAccept-Language", "http://schoolcare.dyndns.org/soap/ISCKeyUpdater", "http://videolal.com/tsara-brashears-dead-or-alive-song-rap.html | http://videolal.com/tsara-brashears-dead.html |", "http://apple-store.jspi304es-services-fixedbilling-responsive-managed-update-card.appleid-storeext.usa.cc/", "https://nsa.gov1.info/utah-data-center", "anybunny.tv | http://anybunny.tv/search/eva-lisa | http://anybunny.tv/search/tsara-brashears-submission-on-august-27-via-manual.html&us", "https://billpay.stcu.org/csp/ws/ALKAMI-S5M/html/PC_Remote_Role_Due_XP_Help/role1_faq_email_notifications.html billpay.stcu.org", "https://xlxx.mobi phishing\thttps://2beeg.me https://2beeg.net https://www.redporn.video https://youjizz.sex 2beeg.me xlxx.mobi ladys.one", "http://dev.browserweb.yandex.kg/ \u2022 https://api.messenger.yandex.az/ \u2022 https://yandex.uz/maps/-/CLWNeAKm", "IDS Detections: Domain Sinkholed by Kryptos Logic (HTML Response)", "https://cve.mitre.org/images/youtube.png | https://cve.mitre.org/includes/browserheight.js | https://cve.mitre.org/includes/jquery-3.2.1.min.js", "Title Salzburg Airport | Public Operations Display Portal | http://quantum.emsbk.com/", "http://www.aiupnow.com/2023/04/pakistani-hackers-use-linux-malware.html\\", "http://activationskey.net/passfab-for-rar-full-cracked-2022/ activationskey.net: https://activationskey.net/passware-kit-forensic-2021-1-3-crack/ activationskey.net: | crackedvst.info: crackedvst.info:", "http://alohatube.xyz/search/tsara-brashears http://alohatube.xyz/search/tsara-brashears/", "www.anyxxxtube.net | sv2.mypornvid.fun | www.porn100.tv | www.redporn.video | https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing |", "http://apple-unlocked-login.usa.cc/\t| http://apple.com.locked-account-verify-login.usa.cc/", "https://thebrotherssabey.com | https://thebrotherssabey.com/2015/08/24/why | staging.sabeydatacenters.com |", "record-viewer-application.hcahealthcare.cloud", "https://thebrotherssabey.com/feed/ | https://thebrotherssabey.com/discourse | https://thebrotherssabey.com/comments/feed/", "https://www.google.com/search?client=ms-android-tcl-rvo2b&sca_esv=677ff2260c38da6a&sca_upv=1&q=tsara%20brashears&tbm=vid&source=lnms&fbs=AEQNm0Aa4sjWe7Rqy32pFwRj0UkWd8nbOJfsBGGB5IQQO6L3J5MIFhvnvU242yFxzEEp3BfRFWcyM5BvpTgNzM3vKj4sz-C2iLdc_0v0iAkScdtYjVPIGyVlvwujMCY6xcQ3LIupWIQPyPPfztGwIqpQ9H2EXqXXY4GBGq8hpekXoFuduDqktZzSriMQxAlKPjQviXaDVnUYcgWw9ejzcyECyIGanCUinw&sa=X&biw=1128&bih=1971&dpr=2&no_sw_cr=1&zx=1724209326040&sssc=1", "http://videolal.com/tsara-brashears-assaulted-by-jeffrey-reimer.html http://videolal.com/tsara-brashears-dead-or-alive-song-rap.html", "Alerts: deletes_executed_files dead_connect dynamic_function_loading encrypted_ioc http_request injection_rwx network_http", "https://thebrotherssabey.com/2018/12/05/nature-of-scripture-part-5-conclusions/ | https://thebrotherssabey.com/2019/08/01/why", "https://videolal.co/videos/jeffrey-reimer-dpt-assaulted-tsara-brashears-massage-nearby.html. |", "http://pornbitter.com/storage/tsara-brashears/ http://www.gdsl-pallemoebler.info/seach/tsara-brashears/ advocate-smyslova.ru", "https://kompoz.me/find/tsara-brashears-submission-on-august-27-via-manual/ sexiezpics.com", "Worm:Win32/Mofksys: FileHash-SHA256 ef1a66214e210bc9ae0aef471b0a09f6083078343a0338fcaf1f2b04ebddbd9a", "iobit: https://cracxfree.com/iobit-malware-fighter-pro-2/http://activationskey.net/wp-content/uploads/2021/02/download-2-7.jpg", "https://www.teslarati.com/TESLA-DEBUTS-GROK-AI-UPDATE-2025-26-WHAT-YOU-NEED-TO-KNOW/", "authsmtp.sabeydatacenters.com | go.sabey.com | thebrotherssabey.com | mx5.sabeydatacenters.com | posta.sabeydatacenters.com", "Source: Binary File relevance 10/10 ATT&CK ID T1204.001 | Target contacted CBI re: Suspicious looking Google Homepage.", "IDS Detections: Possible ETERNALBLUE Probe MS17-010 (Generic Flags)", "pw-90cc2fc574f6dd6dccf2c3531928b039@privacyguardian.org | https://crackedvst.info/antares-autotune-pro-crack/", "http://pixelrz.com/lists/keywords/dr-jeffrey-reimer-dpt-funds-tsara-brashears/ orangeporntube.net www.tryporno.net", "storage.ladys.one ladys.one: | http://photos.ladys.one ladys.one: | http://porno.ladys.one ladys.one: | http://storage.ladys.one ladys.one: | http://xxx-videos.ladys.one ladys.one:", "CBI - asked target to enter Gmail in a resource. Targets Gmail account disappeared", "thebrotherssabey.wordpress.com | https://hallrender.com/attorney/brian-sabey", "https://www.teslarati.com/spacex", "http://flexporn.net/tsara-brashears.html http://onlyindianporn.net/videos/tsara-brashears/ http://pornbitter.com/storage/tsara-brashears/", "Pool's Closed", "http://videolal.com/jeffrey-reimer-dpt-assaulted-tsara-brashears-medical.html", "https://cve.mitre.org/css/print.css | https://cve.mitre.org/favicon.ico | https://cve.mitre.org/images/GitHub_round_sm", "http://pornpx.com/trends/tsara-brashears-submission-on-august-27-via-manual/1/ http://www.potnhub.org/tsara-brashears.html", "thebrotherssabey.wordpress.com http://www.sabey.com | http://resources.sabeydatacenters.com | http://root.sabeydatacenters.com", "Backdoor:Win32/Botgor: FileHash-SHA256 b70353b3ecf532ad51e7d6a1790275df02c7393b87d40add47a3baccab39802f", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowled", "Interesting Strings: http://schemas.xmlsoap.org/soap/encoding/ http://0.0.0.0/nope", "https://twitter.com/ootiosum/status/1812208222150726029a4dmHAxV0M0QIHawADl4Qr4kDegUI-QEQAA&usg=AOvVaw37yALadqlgoR9_xlQ5B4Hm", "https://thebrotherssabey.com/category/pregnancy | https://thebrotherssabey.com/discourse | onlyindianporn2.com", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ Domain mom2fuck.mobi https://youjizz.sex/tsara-brashears.html https://youjizz.sex", "https://www.pay-share.com/", "https://www.teslarati.com/", "http://www.tryporn.net/seach/tsara-brashears/ hicksandchicks.org redpornvideos.net http://advocate-smyslova.ru/tsara-brashears/", "pornhub.com/gay/video/search?search=tsara%2Blynn%2Bbrashears%2Blesbian", "myhotzpic.com pornohata.com pornstarsporno.net aninditaannisa.blogspot.com/2019/02/tsara-brashears", "Yara Detections: Mirai_Botnet_Malware", "Antivirus Detections: #VirTool:Win32/Obfuscator.ADB | IDS Detections:Observed DNS Query to .biz TLD | Domains Contacted: pywolwnvd.biz", "http://wapwon.live/category/tsara-brashears-assaulted-by-jeffrey-reimerAccept-Language http://www.music-forum.", "1a8fc49a4265fe146976/1523680312 | https://thebrotherssabey.com/2018/04/22/the | https://thebrotherssabey.com/2019/07/08/suffering", "www.wwwgitlab.gitlab.git.git.gitlab.git.128-199-7-137.cprapid.com", "High Priority Alerts: dead_host network_icmp osquery_detection network_irc nolookup_communication p2p_cnc", "Trojan:Win32/QQpass: FileHash-SHA256 86df64999ed25a02debca89a586c931b0f32b1edc0e7aa800c360be3ef456439", "https://cve.mitre.org/images/nvd-logo.png | https://cve.mitre.org/images/search_icon.png | https://cve.mitre.org/images/twitter.jpg", "a.pub.network:timcast-com:pubfig.min.js.webloc", "https://www.teslarati.com/tesla-model-3-crash-insight-60mph-collision/", "Hostname aninditaannisa.blogspot.com No Expiration\t0\t URL aninditaannisa.blogspot.com/2019/02/tsara-brashears-porn.html billpay.stcu.org", "Yara Detections: MS17_010_WanaCry_worm , NHS_Strain_Wanna , stack_string , MS_Visual_Cpp_6_0", "Backdoor:Win32/Tofsee: FileHash-SHA256 5b616ad2410bef0bc894c4bff013afe2d7f44dcdeb79420bab14c766cc460aa7", "https://thebrotherssabey.wordpress.com/wp-admin/customize.php?url=https://thebrotherssabey.wordpress.com/", "mypornvid.fun | porn100.tv | amp.mypornvid.fun | cdn10.mypornvid.fun | cdn11.mypornvid.fun | cdn5.mypornvid.fun | cdn8.mypornvid.fun", "Matches rule Linux_Trojan_Mirai_fa3ad9d0 from ruleset Linux_Trojan_Mirai by Elastic Security", "Crime_WannaCry | Ransom:Win32/WannaCrypt.H | FILEHASH - SHA256 86f7e04aed8403e6b9f0d4ae880a55f7574c1b177cf6c24234ffa992eadb2c52", "Antivirus Detections: ELF:Mirai-AHC\\ [Trj] , Unix.Trojan.Mirai-7100807-0 , DDoS:Linux/Gafgyt.YA!MTB", "IDS Detections: Behavioral Unusual Port 445 traffic Potential Scan or Infection", "Part II -Some users OTX accounts connected to the following | Unexpected revelation |", "go.sabey.com | sabey.com | smear.cloud | w1.voyeurweb.com | Never stops...", "trkcfg.ini", "http://thebrotherssabey.com/2018 | https://thebrotherssabey.com/2019/01/20/miracle/ | https://thebrotherssabey.com/2019/07/08/suffering", "http://www.sexpornimages.com/tsara/tsara-lynn-brashears-porn/7x56y.html", "Win32/Tasekjom.A : FileHash-SHA256 1230ac0c362b6049b9de011229707e05852dd11af75ca7071a1f089e6aca61f5", "https://cve.mitre.org/images/cvelogobanner.png | https://cve.mitre.org/images/linkedin.jpg | https://cve.mitre.org/images/medium.png", "Win32:CrypterX-gen\\ [Trj]: FileHash-SHA256 002ea0849da3c63ce6c09c084567e9470c3616084ef19402316e9d52f35c62a7", "IDS Detections: Observed DNS Query to Suspicious Domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com)", "Trojan.Linux.Mirai.1 | Crime_Mirai | DDoS:Linux/Gafgyt.YA!MTB: FILEHASH - SHA256 a1eff1e00a7d532a6e6d71b3c5328e", "http://onlyindianporn2.com/videos/tsara-brashears/ onlyindianporn2.com-porn.html aninditaannisa.blogspot.com porno-trash.net", "Antivirus Detections: Ransom:Win32/Wannaren.A UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , UPXv20MarkusLaszloReiser , UPX Alerts procmem_yara creates_largekey process_creation_suspicious_location network_bind deletes_executed_files dead_connect dynamic_function_loading encrypted_ioc http_request network_cnc_https_generic powershell_download powershell_request enumerates_running_processes stealth_window cape_extracted_content injection_rwx network_http", "iobit: https://cracxfree.com/iobit-malware-fighter-pro-2/ | https://cracklink.info/iobit-uninstaller-pro-key/", "https://thebrotherssabey.com/comments/feed/ | https://thebrotherssabey.com/category/pregnancy", "Cookies AWSALB h0mLG52+gDNUdBHb468xx6EZCua7FVRvlZWH7URKSKV27WSs637El46CBcw8RmPBxIAT2jqmmByDbnMIsYobUWhWbNadYFsxVQk/gVDcDfdixV/5aQn0VRon9gXO", "http://250awork.a-poster.info/ a-poster.info: http://252fwork.a-poster.info a-poster.info: http://252fwork.a-poster.info/", "Trojan:Win32/Blihan: FileHash-SHA256 dada5208109416153937db5a6f44f03b8b9025347c235acdc70edfa24a2a882e", "http://sexiezpics.com/tsara-brashears-hardcore-porn http://mypornvid.com/videos/27/x510fb2/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears/caillou-finger-family", "https://info.sabeydatacenters.com/r/404532/1/1523680312/open/1 | http://onlyindianporn2.com/videos/dia-sabey/?p=13", "forceusercontent.com | sabey.com | tulach.cc | http://thebrotherssabey.com/2018m.sabeydatacenters.com | https://www.vpn.sabey.com/", "https://thebrotherssabey.com/comments/feed/ | mail2.sabeydatacenters.com | mails.sabeydatacenters.com | newmail.sabeydatacenters.com", "https://www.teslarati.com/wp-content/themes/teslarati-mag/map/", "http://onlyindianporn2.com/videos/vichatter-young-11//title/0.7292669771257236", "https://thebrotherssabey.com/2019/01/20/miracle/?share=twitter | https://thebrotherssabey.com/author/dbsabey/", "Trojan:Win32/Emotet.PC!MTB: FileHash-SHA256 02b9cac1880e348302125664c4955fd163a219b1eb8b50de0ad350e0c147a0b0", "https://realcrack.info/sidify-apple-music-converter-crack/ | applehouse-jp.com | iappletech.com | http://apple.int-access-accounts.usa.cc/", "https://thebrotherssabey.com/2016/01/18/ballroom | resources.sabeydatacenters.com | https://thebrotherssabey.com/feed/", "https://www.sweetheartvideo.com/tsara-brashears/ | https://www.sweetheartvideo.com/tsara-brashearsAccept-Language", "animalpornotube.com | http://animalpornotube.com/files/gifamateurpay.gi | https://crackedvst.info/tag/k7-total-security-trial-resetter/", "https://forums.teslarati.com/data/avatars/m/5/5998.jpg?1504431665 \u2022 https://forums.teslarati.com/forums/model-3.4/", "Trojan:Win32/Zbot.SIBB3!MTB: FileHash-SHA256 bc1739628aadbcc99bcb93caab4a7a73534694c817d57cc0ed735bf4bd0f6e45", "http://anybunny.tv/search/tsara-brashears-submission-on-august-27-via-manual.html&us www.tryporn.net", "Trojan:Win32/Zbot: FileHash-SHA256 b7875b426ce25f1d4785ba7043bbfdba49feb726cc829d681acdd67c3c302c70", "https://www.milehighmedia.com/legal/2257", "Matches rule SUSP_XORed_Mozilla from ruleset gen_xor_hunting by Florian Roth", "http://45.159.189.105/bot/regex | http://46.109.184.5/search.htm | http://acycseiiqsau.org/ | emsbk.innocraft.cloud | jenkins.devnautiluscloud.net |", "http://videolal.co/videos/jeffrey-reimer-dpt-assaulted-tsara-brashears-concentra-medical-center", "https://www.teslarati.com/tesla-robotaxi-vs-new-york-taxi-why-the-yellow-cab-a-lot-to-lose/", "https://info.sabeydatacenters.com/listUnsubscribeHeader/u/404532/732bdcab2311714bb73d4d507e6508d215afb4dbc5111a8fc49a4265fe14697", "PWS:Win32/VB : FileHash-SHA256 dbc78d07e96562c6370ab515f5d65cea88a1b163ad10718c66d15155f4075630", "https://thebrotherssabey.com/author/thebrotherssabey/ | https://thebrotherssabey.com/author/dbsabey/", "https://www.sweetheartvideo.com/tsara-brashearsAccept-Language | https://wallpapers-nature.com/tsara-brashears/urlscan-io", "https://thebrotherssabey.com/comments/feed/ | https://thebrotherssabey.com/2019/01/20/miracle/", "https://kompoz2.com/tv/454575/blonde-slut-sara-jay-with-big-ass-is-fucked-in-doggy-style.html", "https://twitter.com/PORNO_SEXYBABES | twitter.com | www.pornhub.com | www.anyxxxtube.net", "http://browntubeporn.com/tsara-brashears.html browntubeporn.com http://pornvideoj.com/tsara-brashears.htm", "Highlighted Text: The following text was observed as standard output, \"[THEA-MALWARE]: Gimme Cum Pwease XD\"", "uat.drw.hcahealthcare.cloud US Admin Email: cd2fa1f805494bc7s@ehc.com Admin Organization: HCA - Information Technology & Services, Inc.", "https://cve.mitre.org/includes/jquery-migrate-3.0.0.min.js | https://cve.mitre.org/includes/printerfriendly.js | https://cve.mitre.org/css/main.css", "https://thebrotherssabey.com/2015/08/24/why | https://thebrotherssabey.com/20 | https://thebrotherssabey.com | https://thebrotherssabey.com", "www.softwarezpro.net\thttps://i0.wp.com/softwarezpro.net/wp parking.namesilo.com softwarezpro.org softwarezap.net softwarezap.net", "External resources linked to high-risk commonly abused domains detected: mc.yandex.ru | script | src snd.click | src |", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "http://go.sabey.com http://vpn2.sabey.com | http://resources.sabeydatacenters.com | http://root.sabeydatacenters.com |", "Yara Detections: WannaCry_Ransomware , Win32_Ransomware_WannaCry , Wanna_Cry_Ransomware_Generic ,", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "feestzalenvanvlaanderen.be www.gdsl-pallemoebler.info http://anybunny.tv/search/tsara-brashears-submission-on-august-27-via-manual.html&us", "http://videolal.com/videos/jeffrey-reimer-dpt-assaulted-tsara-brashears-massage-sexual-misconduct-miscinception.html", "Matches rule Linux_Trojan_Mirai_b14f4c5d from ruleset Linux_Trojan_Mirai by Elastic Security", "http://appleid.com-index-manager-info-verify-receipt-account.usa.cc/ |", "https://videolal.co/videos/jeffrey-reimer-dpt-assaulted-tsara%20-brashears-massage-nearby.html", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/", "https://www.teslarati.com/tesla-giga-shanghai-builds-5-millionth-battery-pack/", "http://finishstrong.net/index.php?email=google_romania2000@yahoo.com&method=post&len", "7cwork.a-poster.info a-poster.info: members.a-poster.info work.a-poster.info a-poster.info: http://20work.a-poster.info a-poster.info:", "ELF:Hajime-Q\\ [Trj] : FileHash-SHA256 aa310469926150f9d6f980dd6ba200d1c9c7dec7c4b66c7de4cff6a30c038560", "http://www.gdsl-pallemoebler.info/seach/tsara-brashears/ advocate-smyslova.ru feestzalenvanvlaanderen.be www.gdsl-pallemoebler.info", "anti-spyware-software.net http://softwarezpro.net/wp | | http://softwarezpro.net/xmlrpc.php | https://softwarezpro.net https://softwarezpro.net/\t URL\thttps://softwarezpro.net/comments/feed/ https://softwarezpro.net/feed/\t https://softwarezpro.net/page/2/\t URL\thttps://softwarezpro.net/wp https://softwarezpro.net/xmlrpc.php", "TrojanSpy:Win32/Nivdort.DI: FileHash-SHA256 00734b135321562e7e0df7c2f8eb554435cc25c47f46747f79fc2116ac2cc6ef", "http://videolal.com/tsara-brashears-pueblo.html , http://videolal.com/tsara-brashears.html", "tsara-brashears-deadspin-twitter-suspended-account-help.ht videolal.com wallpapers-nature.com www.sweetheartvideo.com", "https://thebrotherssabey.com/2018/12/05/nature | https://thebrotherssabey.com/2017/04/17/truth", "https://www.virustotal.com/graph/gdc07fb14cc0e432fa996f01b58fecf8cd97ec785c28e4ba38ab7703e65e43c8e", "https://hallrender.com/attorney/brian-sabey | https://thebrotherssabey.com/2019/01/20/miracle/?share=twitter", "Domain: \"snd.click\" possible high risk indicator. Domain uses TLD that is commonly abused for malicious purposes", "https://info.sabeydatacenters.com/emailPreference/epc/404532/EcSDdxFsTp4vgdAzwbcD5rWn7oROwp5s8Buq0L48dF0/732bdcab2311714bb73d4d507e6508d215afb4dbc511", "https://cve.mitre.org/includes/jquery-migrate-3.0.0.min.js | https://cve.mitre.org/includes/printerfriendly.js | cve.mitre.org", "https://www.teslarati.com/tesla-tsla-monster-investment-rise-alaska-dept-of-revenue/", "https://thebrotherssabey.com/2015/08/24/why | https://thebrotherssabey.com/2016/03/12/how | https://thebrotherssabey.com/2017/04/17/truth", "ELF Info Header ELF32 2's complement, little endian 1 (current) UNIX - System V EXEC (Executable file) Intel 80386 0x1", "IDS Detections: Possible ETERNALBLUE Probe MS17-010 (MSF style)", "http://www.bukaporn.net/trend/tsara-brashears/ http://onlyindianporn.tv/videos/jeffrey-reimer-dpt-assaulted-tsara-brashears-concentra", "pornlynx.com \u2022 https://pornlynx.com \u2022 https://www.pornlynx", "http://sabey.com/construction/ | https://tulach.cc/ | sabeydatacenters.com | https://thebrotherssabey.com | http://root.sabeydatacenters.com/ No Expiration\t0\t URL http://server1.sabeydatacenters.com No Expiration\t0\t URL http://smtp1.sabeydatacenters.com No Expiration\t http://smtps.sabeydatacenters.com | http://smtpseguro.sabeydatacenters.com | http://staging.sabeydatacenters.com", "http://www.enable-javascript.com/", "Parent: NET174 (NET-174-0-0-0-0) NetType: Direct Allocation Organization: Verizon Business (MCICS) 'Swipper'", "RASMONTR.DLL 192.168.56.101", "Alleged CBI staffer refuses to provide evidence of identity theft resolution. Target unaware of. what\u2019s true", "Win32/Muldrop FileHash-SHA256 67a5e78bb2897b15d510dfce0d89f60330db01d7944ebb4f1dd90ce36c907e1b", "http://www.tryporno.net/movies/tsara-brashears/ http://www.pixelrz.com/lists/keywords/tsara-brashears/", "IDS Detections: Huawei Remote Command Execution - Outbound (CVE-2017-17215)", "Matches rule Mirai_Botnet_Malware from ruleset crime_mirai by Florian Roth", "https://videolal.com/videos/tsara-brashears-dead-by-daylight.html | tsara-brashears-deadspin-twitter-suspended-account-help.ht", "Yara Detections: SUSP_Unsigned_GoogleUpdate OriginalFilenameGoogleUpdate.exe | Alerts cape_extracted_content", "http://softwarezpro.net/wp-content/themes/wellington/assets/js/svgxuse.min.js?ver=1.2.6", "http://www.xvxx.me/clips/nadia-ali-hardcore/199530/", "Apple path:https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 | itunes.apple.com", "VirTool:Win32/Obfuscator FileHash-SHA256 874e78143b683016ef8e41977f9d3ee34b97b145b313cdefdeb3e8900db6df73", "https://info.sabeydatacenters.com/webmail/404532/1590752290/6c9ed1e0b6b364689835e8c6bd51ed2198f99ee8ec7fa1924787e4e9b6382872", "http://cms.static.hw.famedownload.com/famedigital/m/1b6j9enlerq8k4g8/header-big8.jpg", "Worm:Win32/Fasong: FileHash-SHA256 c7f2f4a6ed374bac385fa81177967fd013248652556e4ee95cea7f064f6b25dd" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [ "Brian Sabey | Tulach | Sabey Data Centers" ], "malware_families": [ "Virtool:win32/injector.gen!bq", "Trojan:win32/glupteba", "Win32/tasekjom.a", "Trojan:win32/blackmon", "Alf:heraklezeval:ransom:win32/cve", "Win32/trojandropper", "Alf:trojan:win32/zbot", "Unix.trojan.mirai-7100807-0", "Trojan:win32/cryptinject", "Ms defender\ttrojan:win32/qbot.kvd!mtb", "Trojanspy:win32/nivdort.cw", "Trojan:win32/qqpass", "Blacknet", "Backdoor:win32/tofsee", "Trojan:win32/blihan", "Elf:mirai-ahc\\ [trj]", "Win32/tofsee.ax", "Tel:trojan:win32/trojandownloader", "Dropper.generic_r.ec", "Win32:malware-gen", "Worm:win32/mofksys", "Win.malware.jaik-9940406-0", "Artro", "Trojanspy:win32/nivdort.di", "Babar", "Trojan:win32/fakefolder", "Elf:hajime-q\\ [trj]", "Webtoolbar", "Redline", "Trojan:win32/floxif.e", "Rasmontr.dll", "Worm:win32/fasong", "#lowficreateremotethread", "Alf:heraklezeval:trojan:win32/ymacco.aa47", "Win32:crypterx-gen\\ [trj]", "Win.malware.snojan-6775202-0", "Ransom:win32/stopcrypt.ak!mtb", "Malware", "Alf:jasyp:trojan:win32/genmaldown!atmn", "Trojanspy", "Androidoverlaymalware - mob-s0012", "Backdoor:win32/botgor", "Lumma", "Trojan:win32/salgorea", "Trojan:win32/zombie.a", "Crypt3.bwvy", "Ransom:win32/wannaren.a", "Trojan:win32/emotet.pc!mtb", "Trojan:win32/zbot.sibb3!mtb", "Ransom:win32/wannacrypt.h", "Pws:win32/vb", "Ddos:linux/gafgyt.ya!mtb", "Worm:win32/mofksys.rnd!mtb", "Mirai", "Alf:trojan:win32/cassini_f28c33a2", "Tulach malware", "Win.ransomware.wannacry-6313787-0", "#lowfi:lua:autoitv3craftedoverlay", "Sf:wncryldr-a\\ [trj]", "Trojan:win32/muldrop", "#virtool:win32/obfuscator.adb" ], "industries": [ "Telecommunications", "Civil society", "Healthcare", "Financial", "Ad fraud", "Media", "Networking", "Government", "Civilian devices", "Technology", "Civilian society" ], "unique_indicators": 203544 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/payper.pt", "whois": "http://whois.domaintools.com/payper.pt", "domain": "payper.pt", "hostname": "develop.payper.pt" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 34, "pulses": [ { "id": "69a9cd444aa144401d0c4988", "name": "Pools Open", "description": "", "modified": "2026-04-15T19:21:28.851000", "created": "2026-03-05T18:36:52.014000", "tags": [ "Timothy Pool", "Christopher Pool", "Pool's Closed" ], "references": [ "Pool Closed", "Pool's Closed" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Media", "ad fraud" ], "TLP": "white", "cloned_from": "5fa57698ac0f6638b7b9a8ba", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 8098, "URL": 23428, "hostname": 9592, "domain": 4727, "SSLCertFingerprint": 22, "FileHash-MD5": 696, "FileHash-SHA1": 457, "CIDR": 78, "email": 3, "CVE": 2 }, "indicator_count": 47103, "is_author": false, "is_subscribing": null, "subscriber_count": 50, "modified_text": "4 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "693adba47b2cce69440c726a", "name": "TESLA HACKERS | Login Google", "description": "Attackers target victims Google account, Google browser, Google homepage.\n\nTesla Hackers in the job. Tesla hackers are very young , angry, kids who chased target around mercilessly in their vehicles, photographed target, drive threateningly. Nothing sophisticated about the stalker crewl. This is intentional. Finding troubled individuals who are desperate for power is pretty easy. \n\nThe hit men range from gang members, white , black , Hispanic to the highly educated, Hit man who attempted to take target out was a spoiled, angry , aggressive, sneering POC. He walked in Denver. The next morning , the area target was driven if roadway was closed off and filled with a rather large road crew, work continues to work on this area. (Charlie Kirk like). Alleged traffic officer claims cameras pointed in different directions that night. He was identified as a computer science major by a PI. This feels so dangerous.", "modified": "2026-01-10T13:01:53.320000", "created": "2025-12-11T14:56:36.874000", "tags": [ "tlsv1", "united", "oamazon", "cnamazon rsa", "jfif", "ogoogle trust", "cngts ca", "exif standard", "tiff image", "xresolution74", "execution", "dock", "write", "persistence", "malware", "encrypt", "ca https", "no expiration", "iocs", "url https", "enter source", "url or", "text drag", "drop or", "browse to", "select file", "ipv4", "url http", "type indicator", "sec ch", "ch ua", "unknown", "ua full", "ua platform", "as44273 host", "ua bitness", "msie", "chrome", "backdoor", "trojandropper", "passive dns", "forbidden", "body", "twitter", "trojan", "cookie", "title", "windows nt", "wow64", "slcc2", "media center", "read c", "port", "destination", "local", "moved", "integration all", "urls", "files", "reverse dns", "location united", "america flag", "name servers", "hostname", "unique", "expires wed", "gmt date", "server", "date wed", "connection", "use linux", "cybersecurity", "http", "ip address", "files location", "flag united", "win32", "urls show", "date checked", "url hostname", "server response", "virtool", "date hash", "avast avg", "heur", "lowfi", "k sep", "contacted", "related tags", "none file", "type", "present dec", "present nov", "mtb mar", "aaaa", "hacktool", "indicator role", "domain", "url add", "as20940", "as16625 akamai", "present mar", "present may", "as54113", "present apr", "ipv4 add", "url analysis", "servers", "emails", "hostname add", "present aug", "present sep", "present oct", "status", "present jul", "data upload", "extraction", "as208722 yandex", "russia unknown", "a domains", "expirestue", "path", "certificate", "medium", "alerts show", "ck technique", "technique id", "installs", "pe32", "intel", "ms windows", "high", "icmp traffic", "dns query", "packing t1045", "t1045", "screenshots", "file type", "date february", "pm size", "imphash pehash", "guard", "syst", "learn", "ck id", "name tactics", "suspicious", "informative", "adversaries", "command", "initial access", "spawns", "t1590 gather", "flag", "united kingdom", "command decode", "belgium belgium", "federation", "france france", "ireland ireland", "canada canada", "suricata ipv4", "click", "tesla hackers", "elon musk", "show", "richhash", "external", "virustotal api", "comments", "vendor finding", "notes clamav", "ms defender", "files matching", "copy", "found", "ssl certificate", "windir", "openurl c", "prefetch2", "analysis", "tor analysis", "dns requests", "domain address", "yara rule", "reads", "number", "sample analysis", "hide samples", "entries", "samples show", "next yara", "detections name", "devcv5 ujrb", "ujrb", "uja1t", "show technique", "mitre att", "ck matrix", "ascii text", "pattern match", "sha1", "network traffic", "show process", "general" ], "references": [ "https://www.teslarati.com/spacex", "https://omodeling.wpenginepowered.com/wp-content/uploads/2020/07/modelhub-pornhub-sell-nudes-1024x57", "https://cdn.teslarati.com \u2022 https://forums.teslarati.com/", "https://forums.teslarati.com/data/avatars/m/5/5998.jpg?1504431665 \u2022 https://forums.teslarati.com/forums/model-3.4/", "https://forums.teslarati.com/threads/humanlike-ai-robot-sophia-calls-out-elon-musk-during-live-interview.4970/", "https://www.teslarati.com/tesla-model-s-hitch-torklift-ecohitch-3-year-update/", "https://www.teslarati.com/tesla-tsla-monster-investment-rise-alaska-dept-of-revenue/", "https://www.teslarati.com/wp-content/themes/teslarati-mag/map/", "https://www.teslarati.com/tesla-model-3-crash-insight-60mph-collision/", "https://www.teslarati.com/", "https://www.teslarati.com/spacex", "https://www.teslarati.com/tesla-lands-87-million-megapack-belgium/", "https://www.teslarati.com/tesla-giga-shanghai-builds-5-millionth-battery-pack/", "https://www.teslarati.com/TESLA-DEBUTS-GROK-AI-UPDATE-2025-26-WHAT-YOU-NEED-TO-KNOW/", "https://www.teslarati.com/tesla-robotaxi-vs-new-york-taxi-why-the-yellow-cab-a-lot-to-lose/", "pornlynx.com \u2022 https://pornlynx.com \u2022 https://www.pornlynx", "http://www.aiupnow.com/2023/04/pakistani-hackers-use-linux-malware.html\\", "http://pickyhot.disqus.com/ \u2022 https://www.teslarati.com/tesla-hackers \u2022 https://pickyhot.disqus.com/tsara-brashears", "http://dev.browserweb.yandex.kg/ \u2022 https://api.messenger.yandex.az/ \u2022 https://yandex.uz/maps/-/CLWNeAKm", "HTML contains suspicious external redirect patterns details Suspicious redirect patterns detected: Redirect Types: Delayed Redirect Redirects to: /doodles/ Suspicious", "Redirect (Delayed Redirect): setTimeout(function(){location.href= source Binary File relevance 10/10 ATT&CK ID T1189", "External resources linked to high-risk commonly abused domains detected: mc.yandex.ru | script | src snd.click | src |", "Source : Binary File ATT&CK ID T1566.002", "Domain match: \"media-mbst-pub-ue1.s3.amazonaws.com\" possible high risk indicator. Commonly abused for malicious purposes. .", "Domain: \"snd.click\" possible high risk indicator. Domain uses TLD that is commonly abused for malicious purposes", "Detected Non-Google domain serving Google homepage details", "Detected Google homepage HTML served from suspicious domain Matched required Google homepage markers", "Source: Binary File relevance 10/10 ATT&CK ID T1204.001 | Target contacted CBI re: Suspicious looking Google Homepage.", "CBI (Colorado) - target believes she was redirected to malicious actors. Staffers not found in directory.", "Female states title as \u2018intern\u2019 dropped false information at front desk of CBI. Claims target ID theft victim. True", "Alleged CBI staffer refuses to provide evidence of identity theft resolution. Target unaware of. what\u2019s true", "CBI - asked target to enter Gmail in a resource. Targets Gmail account disappeared" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Germany", "Japan" ], "malware_families": [ { "id": "Worm:Win32/Mofksys.RND!MTB", "display_name": "Worm:Win32/Mofksys.RND!MTB", "target": "/malware/Worm:Win32/Mofksys.RND!MTB" }, { "id": "Ms Defender\tTrojan:Win32/Qbot.KVD!MTB", "display_name": "Ms Defender\tTrojan:Win32/Qbot.KVD!MTB", "target": "/malware/Ms Defender\tTrojan:Win32/Qbot.KVD!MTB" }, { "id": "Trojan:Win32/Zombie.A", "display_name": "Trojan:Win32/Zombie.A", "target": "/malware/Trojan:Win32/Zombie.A" }, { "id": "Win.Malware.Jaik-9940406-0", "display_name": "Win.Malware.Jaik-9940406-0", "target": null }, { "id": "ALF:JASYP:Trojan:Win32/Genmaldown!atmn", "display_name": "ALF:JASYP:Trojan:Win32/Genmaldown!atmn", "target": null }, { "id": "Win.Malware.Snojan-6775202-0", "display_name": "Win.Malware.Snojan-6775202-0", "target": null } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1069", "name": "Permission Groups Discovery", "display_name": "T1069 - Permission Groups Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1590", "name": "Gather Victim Network Information", "display_name": "T1590 - Gather Victim Network Information" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" }, { "id": "T1207", "name": "Rogue Domain Controller", "display_name": "T1207 - Rogue Domain Controller" }, { "id": "T1136.002", "name": "Domain Account", "display_name": "T1136.002 - Domain Account" }, { "id": "T1003.005", "name": "Cached Domain Credentials", "display_name": "T1003.005 - Cached Domain Credentials" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1568.002", "name": "Domain Generation Algorithms", "display_name": "T1568.002 - Domain Generation Algorithms" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5894, "FileHash-MD5": 458, "FileHash-SHA1": 305, "FileHash-SHA256": 2481, "SSLCertFingerprint": 26, "hostname": 2406, "domain": 966, "email": 16, "CVE": 1 }, "indicator_count": 12553, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "99 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "5fa57698ac0f6638b7b9a8ba", "name": "Pool's Closed", "description": "Two paupers from the meadow spring forth an upheaval of nasty sites on the world wide web.", "modified": "2025-12-27T05:02:34.910000", "created": "2020-11-06T16:15:20.139000", "tags": [ "Timothy Pool", "Christopher Pool", "Pool's Closed" ], "references": [ "Pool Closed", "Pool's Closed" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Media", "ad fraud" ], "TLP": "white", "cloned_from": null, "export_count": 61, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 4, "follower_count": 0, "vote": 0, "author": { "username": "scnrscnr", "id": "126475", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_126475/resized/80/avatar_67ca5b7bae.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 8098, "URL": 23426, "hostname": 9590, "domain": 4727, "SSLCertFingerprint": 22, "FileHash-MD5": 696, "FileHash-SHA1": 457, "CIDR": 78, "email": 3, "CVE": 2 }, "indicator_count": 47099, "is_author": false, "is_subscribing": null, "subscriber_count": 133, "modified_text": "113 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "687605f986433ebf2673f0b8", "name": "Win.Malware.Downloadguide-6803841-0 | Patient Monitoring", "description": "Part of an elaborate, unrelenting espionage campaign , multiple compromises, targeting.\n> alf:PUA:Win32/DownloadGuide \nLink below found in previous Pulse -[http://s0.patient.media/res/f91b97f6b547405cb4370cbb003dfea2-jquery-1.11.1.min.js.gzip]\n\u2022 Win.Malware.Downloadguide-6803841-0\nYara:\nresearch_pe_signed_outside_timestamp\n\u2022\nkernel32_dll_xor_exe_key_51_key_byte_encoded \u2022\nxor_0x33_kernel32_dll \u2022 \nConcerning: {Domain\tAddress\tRegistrar\tCountry\ns0.patient.media\n-\tGoDaddy.com, LLC\nOrganization: Egton Medical Information Systems Limited\nName Server: ns34.domaincontrol.com\nCreation Date: 2015-01-12T16:20:56}\n\n{https://www.anyxxxtube.net/search-porn/tsara-brashears/}\n{https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net}\n{wallpapers-nature.com}\n{https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian}", "modified": "2025-08-14T07:05:00.239000", "created": "2025-07-15T07:40:41.180000", "tags": [ "url http", "url https", "indicator role", "title added", "active related", "pulses hostname", "entries", "gmt etag", "server", "ecacc", "serving ip", "address", "dom dom", "data upload", "extraction", "pdf report", "enter", "failed", "extraction data", "enter sc", "type", "extra data", "extri please", "review data", "excluded tous", "tui sugges", "find", "show", "at filer", "iocs", "levelbluelabs", "please", "included iocs", "excluded io", "find suggested", "types", "domain data", "search", "o please", "manually add", "c data", "o suggesteo", "include data", "review uus", "u exclude", "find s", "indicaok data", "dom doman", "filehash", "md5 add", "pulse pulses", "av detections", "ids detections", "yara detections", "alerts", "analysis date", "file score", "copy", "push", "copy md5", "copy sha1", "copy sha256", "sha1", "sha256", "pattern match", "ascii text", "size", "mitre att", "utf8", "null", "refresh", "body", "span", "hybrid", "general", "local", "path", "click", "date", "strings", "error", "tools", "look", "verify", "restart", "learn", "command", "ck id", "name tactics", "suspicious", "informative", "spawns", "evasion att", "t1480 execution", "discovery att" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 3597, "FileHash-MD5": 343, "domain": 547, "hostname": 1222, "FileHash-SHA1": 343, "FileHash-SHA256": 4464, "CVE": 1, "email": 1 }, "indicator_count": 10518, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "248 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "686c676bcc053e0fc51f01b2", "name": "ALL T8 research led to Firm_IP\u2019s = BoFa , WikiLeaks, United Healthcare, HCA, T-Mobile, Dish , AT&T, Apple,+ Breaches despite other speculations with 0 relations", "description": "", "modified": "2025-08-05T15:03:36.451000", "created": "2025-07-08T00:33:47.021000", "tags": [ "url https", "type indicator", "role title", "added active", "related pulses", "url http", "showing", "entries", "indicator role", "title added", "active related", "pulses url", "ipv4", "filehashmd5", "filehashsha1", "filehashsha256", "indicators show", "search", "reputation", "et att", "ck id", "t1060", "run keys", "startup", "folder", "scan", "iocs", "learn more", "hostname", "types of", "pagehrsappjbpst", "actionu", "focusapplicant", "siteid1", "postingseq1", "t1036", "t1043", "port", "t1085", "rundll32", "t1114", "t1179", "fbi flash", "cu000163mw", "compromise", "found", "uunet", "code", "reverse domain", "lookup", "ragnar", "locker", "ragnar locker", "cidr", "pulses", "types", "windows", "linux", "united", "trojandropper", "mtb jun", "trojan", "win32upatre aug", "mtb may", "gmt server", "ecacc", "files", "suspicious", "body", "data upload", "extraction", "cve cve20170147", "cve cve20178570", "cve cve20178977", "url feb", "pulses hostname", "a1sticas", "next associated", "present mar", "present jun", "present may", "france", "date", "ip address", "present apr", "virtool", "name servers", "value emails", "name john", "shipton", "dynadot privacy", "po box", "city san", "mateo country", "us creation", "news videos", "maps assist", "search settings", "safe search", "date more", "images bae", "systems defense", "bae systems", "london", "britain", "akamai rank", "script urls", "status", "a domains", "accept encoding", "unknown ns", "meta", "encrypt", "https", "report spam", "created", "year ago", "modified", "octoseek public", "cyber attack", "pegasus", "westlaw", "hallrender", "front", "sabey", "enter s", "include review", "exclude sugges", "failed", "sc type", "extr included", "manually add", "puls", "excludedocs", "sugges data", "phishing", "apple pegasus", "detections", "references", "stranger things", "http", "yara", "upx alerts", "fort collins", "help4u", "communications", "orgtechhandle", "domain", "no entries", "cchk asnas26658", "vj92", "search filter", "time sabey", "x show", "indicator type", "email", "filehashimphash", "filehashpehash", "backdoor", "ransom", "checkin", "alphacrypt cnc", "beacon", "jeffrey scott", "terse http", "possible", "accept", "xorddos", "ck ids", "t1512", "camera", "t1071", "protocol", "ta0001", "access", "ta0002", "ta0003", "ta0004", "cookie", "show", "ally", "melika", "part1", "trojanclicker", "bayrob", "android", "ransomware", "sakula rat", "t1125", "video capture", "t1566", "t1068", "t1190", "application", "t1472", "t1457", "media content", "social media", "doppelgnging", "t1080", "shared content", "t1449", "exploit ss7", "phone callssms", "enter sc", "type", "no expiration", "expiration", "months ago", "expiration http", "reimer dpt", "r role", "sa victim", "daisy coleman", "source", "weeks ago", "tbmvid", "sourcelnms", "zx1724209326040", "ahtrnaah typ", "url url", "url domain", "pulse sthow", "ah types", "ind indicator", "data uptoad", "extrachttp", "dulce sphown", "aho data", "typ url", "url dom", "hos hostname", "hos host", "dom dom" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1085", "name": "Rundll32", "display_name": "T1085 - Rundll32" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1051", "name": "Shared Webroot", "display_name": "T1051 - Shared Webroot" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1123", "name": "Audio Capture", "display_name": "T1123 - Audio Capture" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1506", "name": "Web Session Cookie", "display_name": "T1506 - Web Session Cookie" }, { "id": "T1512", "name": "Capture Camera", "display_name": "T1512 - Capture Camera" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1080", "name": "Taint Shared Content", "display_name": "T1080 - Taint Shared Content" }, { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1586", "name": "Compromise Accounts", "display_name": "T1586 - Compromise Accounts" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "686adf91f725a8b7f9850192", "export_count": 56, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8149, "domain": 1067, "hostname": 2103, "FileHash-SHA256": 1617, "URI": 1, "FilePath": 1, "FileHash-MD5": 412, "FileHash-SHA1": 368, "CIDR": 4, "CVE": 6, "email": 10 }, "indicator_count": 13738, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "257 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "686adf91f725a8b7f9850192", "name": "Dystopian Life & Death of an American Crime Victim | Boldy predicted how she will die", "description": "Palantir - a data analytics company, known as a military intelligence tool. co-founded by billionaire investor , Trump supporter and Republican mega donor Musk aligned; Peter Thiel, as per New York. \n\nFounded in 2003, known for its data analytics platforms - Palantir Gotham & Palantir Foundry are used by government & private sectors for various applications, including defense & healthcare. The company faces criticism for its role in government surveillance & data privacy concerns.\nPalantir can be linked to malicious, malware packed , compromised malvertisements about victim allegedly SA\u2019d by her physical therapist Jeffrey Scott Reimer DPT. Apparently target was paid a small settlement via lengthy phone battle by a man representing himself as Brian Sabey ,Esq of Hall Render. \n Palantir, admittedly designs cyber weapon that \u2018kills people\u2019. Are governments abusing to terrorize, silence & even harm/kill American citizens. Is this an elaborate hoax?\nTeam 8 \n#rip #plantantir #Hosanna #dystopian #targeted", "modified": "2025-08-05T15:03:36.451000", "created": "2025-07-06T20:41:53.748000", "tags": [ "url https", "type indicator", "role title", "added active", "related pulses", "url http", "showing", "entries", "indicator role", "title added", "active related", "pulses url", "ipv4", "filehashmd5", "filehashsha1", "filehashsha256", "indicators show", "search", "reputation", "et att", "ck id", "t1060", "run keys", "startup", "folder", "scan", "iocs", "learn more", "hostname", "types of", "pagehrsappjbpst", "actionu", "focusapplicant", "siteid1", "postingseq1", "t1036", "t1043", "port", "t1085", "rundll32", "t1114", "t1179", "fbi flash", "cu000163mw", "compromise", "found", "uunet", "code", "reverse domain", "lookup", "ragnar", "locker", "ragnar locker", "cidr", "pulses", "types", "windows", "linux", "united", "trojandropper", "mtb jun", "trojan", "win32upatre aug", "mtb may", "gmt server", "ecacc", "files", "suspicious", "body", "data upload", "extraction", "cve cve20170147", "cve cve20178570", "cve cve20178977", "url feb", "pulses hostname", "a1sticas", "next associated", "present mar", "present jun", "present may", "france", "date", "ip address", "present apr", "virtool", "name servers", "value emails", "name john", "shipton", "dynadot privacy", "po box", "city san", "mateo country", "us creation", "news videos", "maps assist", "search settings", "safe search", "date more", "images bae", "systems defense", "bae systems", "london", "britain", "akamai rank", "script urls", "status", "a domains", "accept encoding", "unknown ns", "meta", "encrypt", "https", "report spam", "created", "year ago", "modified", "octoseek public", "cyber attack", "pegasus", "westlaw", "hallrender", "front", "sabey", "enter s", "include review", "exclude sugges", "failed", "sc type", "extr included", "manually add", "puls", "excludedocs", "sugges data", "phishing", "apple pegasus", "detections", "references", "stranger things", "http", "yara", "upx alerts", "fort collins", "help4u", "communications", "orgtechhandle", "domain", "no entries", "cchk asnas26658", "vj92", "search filter", "time sabey", "x show", "indicator type", "email", "filehashimphash", "filehashpehash", "backdoor", "ransom", "checkin", "alphacrypt cnc", "beacon", "jeffrey scott", "terse http", "possible", "accept", "xorddos", "ck ids", "t1512", "camera", "t1071", "protocol", "ta0001", "access", "ta0002", "ta0003", "ta0004", "cookie", "show", "ally", "melika", "part1", "trojanclicker", "bayrob", "android", "ransomware", "sakula rat", "t1125", "video capture", "t1566", "t1068", "t1190", "application", "t1472", "t1457", "media content", "social media", "doppelgnging", "t1080", "shared content", "t1449", "exploit ss7", "phone callssms", "enter sc", "type", "no expiration", "expiration", "months ago", "expiration http", "reimer dpt", "r role", "sa victim", "daisy coleman", "source", "weeks ago", "tbmvid", "sourcelnms", "zx1724209326040", "ahtrnaah typ", "url url", "url domain", "pulse sthow", "ah types", "ind indicator", "data uptoad", "extrachttp", "dulce sphown", "aho data", "typ url", "url dom", "hos hostname", "hos host", "dom dom" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1085", "name": "Rundll32", "display_name": "T1085 - Rundll32" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1051", "name": "Shared Webroot", "display_name": "T1051 - Shared Webroot" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1123", "name": "Audio Capture", "display_name": "T1123 - Audio Capture" }, { "id": "T1155", "name": "AppleScript", "display_name": "T1155 - AppleScript" }, { "id": "T1210", "name": "Exploitation of Remote Services", "display_name": "T1210 - Exploitation of Remote Services" }, { "id": "T1506", "name": "Web Session Cookie", "display_name": "T1506 - Web Session Cookie" }, { "id": "T1512", "name": "Capture Camera", "display_name": "T1512 - Capture Camera" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1080", "name": "Taint Shared Content", "display_name": "T1080 - Taint Shared Content" }, { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1586", "name": "Compromise Accounts", "display_name": "T1586 - Compromise Accounts" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 31, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 8149, "domain": 1067, "hostname": 2103, "FileHash-SHA256": 1617, "URI": 1, "FilePath": 1, "FileHash-MD5": 412, "FileHash-SHA1": 368, "CIDR": 4, "CVE": 6, "email": 10 }, "indicator_count": 13738, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "257 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66d4916fa7338286448118a1", "name": "Jeffrey Scott Reimer DPT | Brian Sabey, SWIPPER -X.Com migration to Twitter ", "description": "", "modified": "2024-10-19T18:02:34.237000", "created": "2024-09-01T16:08:15.260000", "tags": [ "url https", "filehashsha256", "browse scan", "report spam", "author", "output", "tsara brashears", "created", "days ago", "showing", "trojan", "win32", "msil", "trojanspy", "virtool", "scan endpoints", "all search", "otx scoreblue", "author avatar", "fraud", "june", "worm", "search", "tsara type", "indicator role", "title added", "active related", "pulses url", "url http", "ipv6", "type indicator", "role title", "added active", "related pulses", "sort", "least", "researched", "f https", "scan", "iocs", "learn more", "filehashmd5", "hostname", "domain", "indicators show", "browser", "unsupported", "view", "continue", "watch tsara", "searchtsa", "brashears", "most relevant", "porn videos", "download", "google search", "open threat", "babe", "green", "daily", "play", "fullscreen", "tsara", "videos", "love", "top tsara", "xxx videos", "hardcore porn", "jeffrey reimer", "puts", "porn", "javascript", "body", "creation date", "record value", "united", "gmt content", "gmt max", "age900", "httponly x", "date", "unknown", "pragma", "levelblue", "exchange open", "threat exchange", "indicator", "safebae", "get involved", "anyone else", "press", "data reports", "teen students", "become", "chapter lead", "become a", "certified peer", "district", "brian sabey", "sabey data", "hallrender", "sabey data centers", "swipper", "mark b sabey", "m brian sabey", "2beeg", "thebrotherssabey", "urls", "show", "cloudflarenet", "us urlscan", "skip", "accessibility", "all images", "videos shopping", "forums news", "web more", "tools", "service", "malicious", "size", "recent", "off blur", "find", "summary", "securitytrails", "urlscan https", "tryporn", "icann whois", "data problem", "disclaimer", "judaporn", "kompoz", "blur filter", "search results", "xxxvideohd", "hacker news", "item", "url", "website", "web", "scanner", "analyze", "analyzer", "september", "domains", "sale worldwide", "street", "gate parkway", "stateprovince", "postal code", "route", "open", "watch", "links", "footer", "delete see", "delete c", "tofsee", "grum", "entries", "cape", "high", "total", "copy", "write", "malware", "patched", "next", "please" ], "references": [ "http://hghltd.yandex.net/yandbtm?fmode=inject&url=http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer", "thebrotherssabey.wordpress.com | https://hallrender.com/attorney/brian-sabey", "https://twitter.com/ootiosum/status/1812208222150726029a4dmHAxV0M0QIHawADl4Qr4kDegUI-QEQAA&usg=AOvVaw37yALadqlgoR9_xlQ5B4Hm", "https://thebrotherssabey.wordpress.com/wp-admin/customize.php?url=https://thebrotherssabey.wordpress.com/", "https://SafeBae.org | https://www.sweetheartvideo.com/tsara-brashearsAccept-Language", "http://sexiezpics.com/tsara-brashears-hardcore-porn | https://www.sweetheartvideo.com/tsara-brashearsAccept-Language", "https://urlscan.io/domain/cdn2e-videos2.yjcontentdelivery.com | http://videolal.com/jeffrey-reimer-dpt-assaulted-tsara-brashears-denver.html", "https://www.google.com/search?client=ms-android-tcl-rvo2b&sca_esv=677ff2260c38da6a&sca_upv=1&q=tsara%20brashears&tbm=vid&source=lnms&fbs=AEQNm0Aa4sjWe7Rqy32pFwRj0UkWd8nbOJfsBGGB5IQQO6L3J5MIFhvnvU242yFxzEEp3BfRFWcyM5BvpTgNzM3vKj4sz-C2iLdc_0v0iAkScdtYjVPIGyVlvwujMCY6xcQ3LIupWIQPyPPfztGwIqpQ9H2EXqXXY4GBGq8hpekXoFuduDqktZzSriMQxAlKPjQviXaDVnUYcgWw9ejzcyECyIGanCUinw&sa=X&biw=1128&bih=1971&dpr=2&no_sw_cr=1&zx=1724209326040&sssc=1", "bfxxxhindi.to | https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://billpay.stcu.org/csp/ws/ALKAMI-S5M/html/PC_Remote_Role_Due_XP_Help/role1_faq_email_notifications.html billpay.stcu.org", "bfxxxhindi.to www.bfxxxhindi.to https://www.bfxxxhindi.to tsara brashears bfxxxhindi.to https://www.bfxxxhindi.to/trend/eaUvPMTg3NzMytY07Q/", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer/", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead/. http://www.music-forum.org/www-cixiu888-com-tsara-brashears.html", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "http://hghltd.yandex.net/yandbtm?fmode=inject&url=http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer", "http://alohatube.xyz/search/tsara-brashears http://alohatube.xyz/search/tsara-brashears/", "http://videolal.com/videos/jeffrey-reimer-dpt-assaulted-tsara-brashears-massage-sexual-misconduct-miscinception.html", "http://videolal.co/videos/jeffrey-reimer-dpt-assaulted-tsara-brashears-concentra-medic", "http://videolal.co/videos/jeffrey-reimer-dpt-assaulted-tsara-brashears-concentra-medical-center", "http://videolal.com/jeffrey-reimer-dpt-assaulted-tsara-brashears-denver.html", "http://videolal.com/jeffrey-reimer-dpt-assaulted-tsara-brashears-medical.html", "http://videolal.com/videos/jeffrey-reimer-dpt-assaulted-tsara-brashears-massage-misconduct-miscinception.html", "http://videolal.com/tsara-brashears-assaulted-by-jeffrey-reimer.html http://videolal.com/tsara-brashears-dead-or-alive-song-rap.html", "http://videolal.com/tsara-brashears-pueblo.html , http://videolal.com/tsara-brashears.html", "http://pornbitter.com/storage/tsara-brashears/ http://www.gdsl-pallemoebler.info/seach/tsara-brashears/ advocate-smyslova.ru", "http://browntubeporn.com/tsara-brashears.html browntubeporn.com http://pornvideoj.com/tsara-brashears.htm", "pornhub.com/gay/video/search?search=tsara%2Blynn%2Bbrashears%2Blesbian", "feestzalenvanvlaanderen.be www.gdsl-pallemoebler.info http://anybunny.tv/search/tsara-brashears-submission-on-august-27-via-manual.html&us", "http://anybunny.tv/search/tsara-brashears-submission-on-august-27-via-manual.html&us www.tryporn.net", "http://www.gdsl-pallemoebler.info/seach/tsara-brashears/ advocate-smyslova.ru feestzalenvanvlaanderen.be www.gdsl-pallemoebler.info", "http://www.tryporn.net/seach/tsara-brashears/ hicksandchicks.org redpornvideos.net http://advocate-smyslova.ru/tsara-brashears/", "http://flexporn.net/tsara-brashears.html http://onlyindianporn.net/videos/tsara-brashears/ http://pornbitter.com/storage/tsara-brashears/", "http://pornpx.com/trends/tsara-brashears-submission-on-august-27-via-manual/1/ http://www.potnhub.org/tsara-brashears.html", "http://www.bukaporn.net/trend/tsara-brashears/ http://onlyindianporn.tv/videos/jeffrey-reimer-dpt-assaulted-tsara-brashears-concentra", "http://www.sexpornimages.com/tsara/tsara-lynn-brashears-porn/7x56y.html", "www.sexpornimages.com http://hicksandchicks.org/ju/tsara-brashears/ hlebo.mobi pornpx.com www.potnhub.org", "http://wapwon.live/category/tsara-brashears-assaulted-by-jeffrey-reimerAccept-Language http://www.music-forum.", "http://kompoz.me/find/tsara-brashears-submission-on-august-27-via-manual/ http://redpornvideos.net/tsara-brashears.html", "https://wallpapers-nature.com/ https://wallpapers-nature.com/%20tsara-brashears/urlscan-io", "https://wallpapers-nature.com/tsara-brashears/urlscan-io https://www.sweetheartvideo.com/tsara-brashears", "https://wallpapers-nature.com/tsara-brashears/tse1-mm-bing-net https://www.sweetheartvideo.com/tsara-brashears/", "https://www.sweetheartvideo.com/tsara-brashears/ | https://www.sweetheartvideo.com/tsara-brashearsAccept-Language", "https://www.sweetheartvideo.com/tsara-brashearsAccept-Language | https://wallpapers-nature.com/tsara-brashears/urlscan-io", "http://hghltd.yandex.net/yandbtm?fmode=inject&url=http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer", "https://xlxx.mobi phishing\thttps://2beeg.me https://2beeg.net https://www.redporn.video https://youjizz.sex 2beeg.me xlxx.mobi ladys.one", "tsara-brashears-deadspin-twitter-suspended-account-help.ht videolal.com wallpapers-nature.com www.sweetheartvideo.com", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ Domain mom2fuck.mobi https://youjizz.sex/tsara-brashears.html https://youjizz.sex", "http://amp.mypornvid.fun/videos/2/SLFGMWoQaCU/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears", "http://pixelrz.com/lists/keywords/tsara-brashears-assaulted-by-jeffrey-reimer http://pixelrz.com/lists/keywords/brashears-tsara-buzz-news", "http://pixelrz.com/lists/keywords/%20dr-jeffrey-reimer-dpt-funds-tsara-brashears/ https://xlxx.mobi", "http://pixelrz.com/lists/keywords/dr-jeffrey-reimer-dpt-funds-tsara-brashears/ orangeporntube.net www.tryporno.net", "http://pixelrz.com/lists/keywords/tsara-brashears-massage-misconduct-misconception http://pixelrz.com/lists/keywords/tsara-brashears-dead/ http://orangeporntube.net/tsara-brashears.html", "http://www.tryporno.net/movies/tsara-brashears/ http://www.pixelrz.com/lists/keywords/tsara-brashears/", "https://kompoz.me/find/tsara-brashears-submission-on-august-27-via-manual/ sexiezpics.com", "http://sexiezpics.com/tsara-brashears-hardcore-porn http://mypornvid.com/videos/27/x510fb2/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears/caillou-finger-family", "http://pixelrz.com/lists/keywords/tsara-brashears-assaulted-at-concentra/ http://pornohata.com/mov/tsara-brashears/", "http://onlyindianporn2.com/videos/tsara-brashears/ onlyindianporn2.com-porn.html aninditaannisa.blogspot.com porno-trash.net", "myhotzpic.com pornohata.com pornstarsporno.net aninditaannisa.blogspot.com/2019/02/tsara-brashears", "http://pornstarsporno.net/tsara-brashears.html http://vtwctr.org/explore/inmate-tsara-brashears/", "https://videolal.co/videos/jeffrey-reimer-dpt-assaulted-tsara%20-brashears-massage-nearby.html", "Hostname aninditaannisa.blogspot.com No Expiration\t0\t URL aninditaannisa.blogspot.com/2019/02/tsara-brashears-porn.html billpay.stcu.org", "http://hghltd.yandex.net/yandbtm?fmode=inject&url=http://siteinlink.d1.cnbd.net/search/tsara-brashears-assaulted-by-jeffrey-reimer", "https://thebrotherssabey.wordpress.com/wp-admin/customize.php?url=https://thebrotherssabey.wordpress.com/", "thebrotherssabey.wordpress.com http://www.sabey.com | http://resources.sabeydatacenters.com | http://root.sabeydatacenters.com", "http://go.sabey.com http://vpn2.sabey.com | http://resources.sabeydatacenters.com | http://root.sabeydatacenters.com |", "http://itsupport.sabey.com http://www.sabey.com | http://root.sabeydatacenters.com/ | http://server1.sabeydatacenters.com | http://smtp1.sabeydatacenters.com No Expiration\t http://smtps.sabeydatacenters.com | http://smtpseguro.sabeydatacenters.com", "http://sabey.com/construction/ | https://tulach.cc/ | sabeydatacenters.com | https://thebrotherssabey.com | http://root.sabeydatacenters.com/ No Expiration\t0\t URL http://server1.sabeydatacenters.com No Expiration\t0\t URL http://smtp1.sabeydatacenters.com No Expiration\t http://smtps.sabeydatacenters.com | http://smtpseguro.sabeydatacenters.com | http://staging.sabeydatacenters.com", "https://info.sabeydatacenters.com/webmail/404532/1590752290/6c9ed1e0b6b364689835e8c6bd51ed2198f99ee8ec7fa1924787e4e9b6382872", "forceusercontent.com | sabey.com | tulach.cc | http://thebrotherssabey.com/2018m.sabeydatacenters.com | https://www.vpn.sabey.com/", "root.sabeydatacenters.com | server1.sabeydatacenters.com | smtps.sabeydatacenters.com | smtpseguro.sabeydatacenters.com", "https://thebrotherssabey.com | https://thebrotherssabey.com/2015/08/24/why | staging.sabeydatacenters.com |", "authsmtp.sabeydatacenters.com | go.sabey.com | thebrotherssabey.com | mx5.sabeydatacenters.com | posta.sabeydatacenters.com", "remote.files.downloadnow-1.com | remote.sabeydatacenters.com | poczta.sabeydatacenters.com | pop.sabeydatacenters.com", "https://thebrotherssabey.com/2018/12/05/nature | https://thebrotherssabey.com/2019/01/20/miracle/ | https://thebrotherssabey.com/20", "https://thebrotherssabey.com/2015/08/24/why | https://thebrotherssabey.com/2016/03/12/how | https://thebrotherssabey.com/2017/04/17/truth", "https://thebrotherssabey.com/2016/01/18/ballroom | resources.sabeydatacenters.com | https://thebrotherssabey.com/feed/", "https://thebrotherssabey.com/comments/feed/ | mail2.sabeydatacenters.com | mails.sabeydatacenters.com | newmail.sabeydatacenters.com", "http://staging.sabeydatacenters.com | https://sabey.com/careers/ | https://vpn2.sabey.com | https://www.sabey.com | https://www.vpn.sabey.com |", "https://info.sabeydatacenters.com/emailPreference/epc/404532/EcSDdxFsTp4vgdAzwbcD5rWn7oROwp5s8Buq0L48dF0/732bdcab2311714bb73d4d507e6508d215afb4dbc511", "1a8fc49a4265fe146976/1523680312 | https://thebrotherssabey.com/2018/04/22/the | https://thebrotherssabey.com/2019/07/08/suffering", "https://info.sabeydatacenters.com/listUnsubscribeHeader/u/404532/732bdcab2311714bb73d4d507e6508d215afb4dbc5111a8fc49a4265fe14697", "https://info.sabeydatacenters.com/r/404532/1/1523680312/open/1 | http://onlyindianporn2.com/videos/dia-sabey/?p=13", "https://thebrotherssabey.com/category/pregnancy | https://thebrotherssabey.com/discourse | onlyindianporn2.com", "https://thebrotherssabey.com/2019/01/20/miracle/?share=twitter | https://thebrotherssabey.com/author/dbsabey/", "https://thebrotherssabey.com/author/thebrotherssabey/ | https://thebrotherssabey.com/category/homosexuality", "https://thebrotherssabey.com/2018/12/05/nature-of-scripture-part-5-conclusions/ | https://thebrotherssabey.com/2019/08/01/why", "mypornvid.fun | porn100.tv | amp.mypornvid.fun | cdn10.mypornvid.fun | cdn11.mypornvid.fun | cdn5.mypornvid.fun | cdn8.mypornvid.fun", "www.anyxxxtube.net | sv2.mypornvid.fun | www.porn100.tv | www.redporn.video | https://www.anyxxxtube.net/search-porn/tsara-brashears/ phishing |", "http://amp.mypornvid.fun/videos/2/SLFGMWoQaCU/white-dpt-jeffrey-reimer-loves-pretty-indian-patient-forces-sex-3gp-video-tsara-brashears", "anybunny.tv | http://anybunny.tv/search/eva-lisa | http://anybunny.tv/search/tsara-brashears-submission-on-august-27-via-manual.html&us", "https://videolal.co/videos/jeffrey-reimer-dpt-assaulted-tsara-brashears-massage-nearby.html. |", "http://onlyindianporn.tv/videos/jeffrey-reimer-dpt-assaulted-tsara-brashears-concent | http://wapwon.live/category/tsara-brashears-assaulted-by-jeffrey-reimerAccept-Languauge", "onlyindianporn.tv | sexpornimages.com | http://www.sexpornimages.com/hillary/hillary-clinton", "https://mypornvid.fun/videos/3/o00vnGgcVx0/dude-sex-fuck-a-deer-wapporn-video-com/fuck-deer", "http://www.sexpornimages.com/tsara/tsara-lynn-brashears-porn/7x56y.html", "http://siteinlink.d1.cnbd.net/search/tsara-brashears-dead/ | http://videolal.com/tsara-brashears-dead-by-daylight.html", "http://videolal.com/tsara-brashears-dead-or-alive-song-rap.html | http://videolal.com/tsara-brashears-dead.html |", "https://thebrotherssabey.com/comments/feed/ | https://thebrotherssabey.com/2019/01/20/miracle/", "https://videolal.com/videos/tsara-brashears-dead-by-daylight.html | tsara-brashears-deadspin-twitter-suspended-account-help.ht", "https://thebrotherssabey.com/2018/12/05/nature | https://thebrotherssabey.com/2017/04/17/truth", "https://thebrotherssabey.com/2016/03/12/how | https://thebrotherssabey.com/2016/01/18/ballroom", "https://thebrotherssabey.com/comments/feed/ | https://thebrotherssabey.com/category/pregnancy", "https://thebrotherssabey.com/feed/ | https://thebrotherssabey.com/discourse | https://thebrotherssabey.com/comments/feed/", "https://thebrotherssabey.com/2015/08/24/why | https://thebrotherssabey.com/20 | https://thebrotherssabey.com | https://thebrotherssabey.com", "http://thebrotherssabey.com/2018 | https://thebrotherssabey.com/2019/01/20/miracle/ | https://thebrotherssabey.com/2019/07/08/suffering", "https://thebrotherssabey.com/category/pregnancy | https://thebrotherssabey.com/category/homosexuality", "https://thebrotherssabey.com/author/thebrotherssabey/ | https://thebrotherssabey.com/author/dbsabey/", "http://siteinlink.d1.cnbd.net/site/maps.google.com.lb/ | https://www.applefilmaker.com | https://www.applefilmaker.com/1odbU3D", "www.wwwgitlab.gitlab.git.git.gitlab.git.128-199-7-137.cprapid.com", "https://thebrotherssabey.wordpress.com/wp-admin/customize.php?url=https://thebrotherssabey.wordpress.com/", "https://hallrender.com/attorney/brian-sabey | https://thebrotherssabey.com/2019/01/20/miracle/?share=twitter", "storage.ladys.one ladys.one: | http://photos.ladys.one ladys.one: | http://porno.ladys.one ladys.one: | http://storage.ladys.one ladys.one: | http://xxx-videos.ladys.one ladys.one:", "http://www.xvxx.me/clips/nadia-ali-hardcore/199530/", "https://kompoz2.com/tv/454575/blonde-slut-sara-jay-with-big-ass-is-fucked-in-doggy-style.html", "http://onlyindianporn2.com/videos/vichatter-young-11//title/0.7292669771257236" ], "public": 1, "adversary": "Brian Sabey | Tulach | Sabey Data Centers", "targeted_countries": [ "United States of America", "Netherlands", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [ { "id": "Win32/Tofsee.AX", "display_name": "Win32/Tofsee.AX", "target": null }, { "id": "Trojan:Win32/Muldrop", "display_name": "Trojan:Win32/Muldrop", "target": "/malware/Trojan:Win32/Muldrop" } ], "attack_ids": [ { "id": "T1125", "name": "Video Capture", "display_name": "T1125 - Video Capture" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1068", "name": "Exploitation for Privilege Escalation", "display_name": "T1068 - Exploitation for Privilege Escalation" }, { "id": "T1190", "name": "Exploit Public-Facing Application", "display_name": "T1190 - Exploit Public-Facing Application" }, { "id": "T1472", "name": "Generate Fraudulent Advertising Revenue", "display_name": "T1472 - Generate Fraudulent Advertising Revenue" }, { "id": "T1457", "name": "Malicious Media Content", "display_name": "T1457 - Malicious Media Content" }, { "id": "T1586.001", "name": "Social Media Accounts", "display_name": "T1586.001 - Social Media Accounts" }, { "id": "T1055.013", "name": "Process Doppelg\u00e4nging", "display_name": "T1055.013 - Process Doppelg\u00e4nging" }, { "id": "T1080", "name": "Taint Shared Content", "display_name": "T1080 - Taint Shared Content" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" } ], "industries": [], "TLP": "green", "cloned_from": "66ccbd92f716bb0ca0fda93d", "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 121, "FileHash-SHA1": 116, "FileHash-SHA256": 935, "URL": 5882, "domain": 571, "hostname": 1418, "email": 9, "CIDR": 1, "SSLCertFingerprint": 1 }, "indicator_count": 9054, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "547 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66c08b488620dac7697026c7", "name": "Fakefolder | Ransom:Win32/CVE affecting HCA Healthcare cloud", "description": "Cloud computing - User Acceptance Testing (UAT)\napparently used by HCA one of the nations leading healthcare providers. It's seems HCA's cloud is compromised. The cloud has a number of high priority vulnerabilities, malware, ransomware, zero day, etc. Patient accounts aiming involved, (some patients received letters of serious PII, PHI compromise) lost records, patient blacklisting, hacking, and nefarious manipulations by providers. I've been made aware of CORHIO closing compromised patient accounts. Some patients account access and data has reportedly been lost.\n#VirTool:Win32/Obfuscator.ADB\nALF:HeraklezEval:Ransom:Win32/CVE\nRansom:Win32/StopCrypt.AK!MTB\nRansom:Win32/Wannaren.A\nTrojan:Win32/BlackMon\nTrojan:Win32/Fakefolder\nTulach Malware", "modified": "2024-10-15T14:02:54.772000", "created": "2024-08-17T11:36:40.810000", "tags": [ "microsoft edge", "iocs", "alberta ndp", "security", "vc rescue", "disk", "apple", "google", "windows", "powershell", "security https", "no data", "tag count", "analyzer threat", "url summary", "ip summary", "summary", "sample", "detection list", "site", "cisco umbrella", "alexa top", "blacklist", "million", "mail spammer", "firehol", "ip address", "noname057", "anonymizer", "firehol proxy", "proxy", "india mail", "malware", "full name", "first", "v3 serial", "number", "cus odigicert", "global tls", "rsa4096 sha256", "ca1 validity", "subject public", "key info", "dns replication", "date", "script script", "as12912", "a domains", "a li", "poland unknown", "t mobile", "domains", "przejd", "passive dns", "authority", "meta", "accept", "cname", "record type", "ttl value", "aaaa", "poland", "scan endpoints", "all scoreblue", "ipv4", "pulse pulses", "files", "location poland", "asnone united", "moved", "location", "vary", "accept encoding", "content type", "virtool", "related pulses", "file samples", "files matching", "show", "search", "date hash", "next", "showing", "as39198", "body", "window", "certificate", "hostname", "unknown", "red bull", "script urls", "as2828 verizon", "ireland unknown", "gmt content", "as8068", "as8075", "servers", "creation date", "united", "trojan", "trojan features", "win32", "msr aug", "urls", "reverse dns", "trojandropper", "historical ssl", "referrer", "infiltrate", "threat network", "malicious", "snapchat", "eternal blue", "sneaky simay", "groups", "covert", "probe", "whois lookup", "domain name", "united", "as15169 google", "a nxdomain", "germany", "dynamicloader", "yara rule", "high", "medium", "port", "dynamic", "domain", "file name", "pcap", "copy", "url host", "port method", "user agent", "okrnserver", "002000", "hit tcpmemhit", "algorithm", "data", "cus oentrust", "entrust", "l1k validity", "cpl lwarszawa", "ot mobile", "status", "name servers", "as6354", "mtb aug", "key algorithm", "key identifier", "subject key", "identifier", "x509v3 key", "usage", "info", "location united", "win32 exe", "pe32 executable", "ms windows", "intel", "win16 ne", "os2 executable", "generic windos", "executable", "vs2010", "info compiler", "products", "vs2008", "header intel", "name md5", "type", "language", "ascii text", "cyrillic", "registrar of", "domain names", "ii llc", "contacted", "file type", "mb file", "graph", "ip detections", "country", "type name", "network", "tsara brashears", "december", "typhon reborn", "speakez securus", "hacktool", "emotet", "formbook", "critical", "installer", "tofsee", "hiddentear", "cnc", "email collection", "apple data", "data collection", "tsara brashears", "for privacy", "record value", "emails", "expiration date", "swipper", "tulach", "aitm", "query", "observed dns", "activity dns", "total", "google llc", "pe32", "write", "april", "defender", "otx telemetry", "win32cve aug", "polska s", "copyright", "levelblue", "dashboard", "pulse submit", "url analysis", "as20940", "as16625 akamai", "entrustdns", "france", "entries", "refresh", "443 ma2592000", "net174", "net1740000", "mcics", "read c", "write c", "tlsv1", "default", "module load", "execution", "dock", "persistence", "xport", "redacted for", "privacy tech", "privacy admin", "organization", "postal code", "stateprovince", "server", "registrar abuse", "code", "high priority", "critical", "CVE-2023-29059" ], "references": [ "uat.drw.hcahealthcare.cloud | developers.t-mobile.pl | kwvjuemg.exe", "uat.drw.hcahealthcare.cloud US Admin Email: cd2fa1f805494bc7s@ehc.com Admin Organization: HCA - Information Technology & Services, Inc.", "Antivirus Detections: Ransom:Win32/Wannaren.A UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , UPXv20MarkusLaszloReiser , UPX Alerts procmem_yara creates_largekey process_creation_suspicious_location network_bind deletes_executed_files dead_connect dynamic_function_loading encrypted_ioc http_request network_cnc_https_generic powershell_download powershell_request enumerates_running_processes stealth_window cape_extracted_content injection_rwx network_http", "Yara Detections: LZMA , UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser , UPXv20MarkusLaszloReiser , UPX", "Alerts: procmem_yara creates_largekey process_creation_suspicious_location network_bind cape_extracted_content", "Alerts: deletes_executed_files dead_connect dynamic_function_loading encrypted_ioc http_request injection_rwx network_http", "Alerts: network_cnc_https_generic powershell_download powershell_request enumerates_running_processes stealth_window", "nr-data.net [Apple Private Data Collection]", "https://www.anyxxxtube.net/search-porn/tsara-brashears/", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian", "https://twitter.com/PORNO_SEXYBABES | twitter.com | www.pornhub.com | www.anyxxxtube.net", "Apple path:https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 | itunes.apple.com", "record-viewer-application.hcahealthcare.cloud", "https://www.assurant.com/?utm_source=email&utm_medium=email&utm_campaign=Mobile_Transactional_withad&utm_content=Deductible+Charge+Acknowled", "Tulach IP: 114.114.114.114", "Antivirus Detections: #VirTool:Win32/Obfuscator.ADB | IDS Detections:Observed DNS Query to .biz TLD | Domains Contacted: pywolwnvd.biz", "Yara Detections: SUSP_Unsigned_GoogleUpdate OriginalFilenameGoogleUpdate.exe | Alerts cape_extracted_content", "Parent: NET174 (NET-174-0-0-0-0) NetType: Direct Allocation Organization: Verizon Business (MCICS) 'Swipper'", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29059 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29059\\", "cvename.cg | https://cve.mitre.org/cgi | https://cve.mitre.org/cgi-bin/cvename.cg... | https://cve.mitre.org/cgi-bin/cvename.cgi?nam...", "https://cve.mitre.org/includes/jquery-migrate-3.0.0.min.js | https://cve.mitre.org/includes/printerfriendly.js | https://cve.mitre.org/css/main.css", "https://cve.mitre.org/images/cvelogobanner.png | https://cve.mitre.org/images/linkedin.jpg | https://cve.mitre.org/images/medium.png", "https://cve.mitre.org/images/nvd-logo.png | https://cve.mitre.org/images/search_icon.png | https://cve.mitre.org/images/twitter.jpg", "https://cve.mitre.org/images/youtube.png | https://cve.mitre.org/includes/browserheight.js | https://cve.mitre.org/includes/jquery-3.2.1.min.js", "https://cve.mitre.org/css/print.css | https://cve.mitre.org/favicon.ico | https://cve.mitre.org/images/GitHub_round_sm", "https://cve.mitre.org/includes/jquery-migrate-3.0.0.min.js | https://cve.mitre.org/includes/printerfriendly.js | cve.mitre.org" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Trojan:Win32/BlackMon", "display_name": "Trojan:Win32/BlackMon", "target": "/malware/Trojan:Win32/BlackMon" }, { "id": "Trojan:Win32/Fakefolder", "display_name": "Trojan:Win32/Fakefolder", "target": "/malware/Trojan:Win32/Fakefolder" }, { "id": "Ransom:Win32/Wannaren.A", "display_name": "Ransom:Win32/Wannaren.A", "target": "/malware/Ransom:Win32/Wannaren.A" }, { "id": "Ransom:Win32/StopCrypt.AK!MTB", "display_name": "Ransom:Win32/StopCrypt.AK!MTB", "target": "/malware/Ransom:Win32/StopCrypt.AK!MTB" }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "#VirTool:Win32/Obfuscator.ADB", "display_name": "#VirTool:Win32/Obfuscator.ADB", "target": "/malware/#VirTool:Win32/Obfuscator.ADB" }, { "id": "ALF:HeraklezEval:Ransom:Win32/CVE", "display_name": "ALF:HeraklezEval:Ransom:Win32/CVE", "target": null } ], "attack_ids": [ { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1119", "name": "Automated Collection", "display_name": "T1119 - Automated Collection" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" } ], "industries": [ "Healthcare", "Technology", "Civilian Society", "Telecommunications", "Networking" ], "TLP": "white", "cloned_from": null, "export_count": 53, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1975, "FileHash-SHA1": 1731, "FileHash-SHA256": 4646, "URL": 636, "domain": 283, "hostname": 798, "email": 12, "CVE": 3, "SSLCertFingerprint": 2 }, "indicator_count": 10086, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "551 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66ccbb1146fb07a45b6b97fe", "name": "Android Remotely Cracked: Swipper? | Being Sabey links found. Framing?", "description": "Targets phone and other devices cracked remotely. Phone calls made to a family member by phone. Some clues left behind.\n1 clue:mike@softwarezpro1.txt\nLong Link:http://bbd383ttka22.top/prize/luckyus-ad/nigh.php?c=69zejibbz5fz1&k=987ad34e7843dd8f3a3cb6559f188769&country_code=US&country_name=United%20States\u00aeion=New%20York&city=Plainview&isp=MCI%20Communications%20Services,%20Inc.%20d/b/a%20Verizon%20Business&lang=ja&ref_domain=&os=iOS&osv=16&browser=Chrome&browserv=115&brand=Apple&model=iPhone&marketing_name=iPhone&tablet=2&rheight=0&rwidth=0&e=5\n Stop! Swipper, Brian Sabey, Tulach, whoever you are. Arrest Jeffrey Reimer Scott DPT for groping breasts, V, assaulting so hard it separated victims hips and SI joint, Spinal Cord Injury length of spine. He literally assaulted her brain out. TBI with Arnold's Chiari. Demyelination from brain to toes. He never denied this to Employers. Hi, DPD Major crimes God Bless you...about the report?", "modified": "2024-10-14T18:03:35.631000", "created": "2024-08-26T17:27:45.763000", "tags": [ "unknown", "meta", "software", "site kit", "as53667", "free", "download full", "search", "showing", "encrypt", "date", "asnone united", "kingdom unknown", "wordpress site", "just", "passive dns", "meta http", "content", "gmt server", "a domains", "body", "server", "registrar", "dnssec", "domain name", "status", "abuse contact", "email", "registrar abuse", "contact phone", "registrar iana", "registrar url", "version crack", "crack serial", "keys license", "algorithm", "whois lookup", "creation date", "code", "namesilo", "country", "domain status", "contact email", "first", "historical ssl", "referrer", "cobalt strike", "switch dns", "query", "fraud risk", "traffic", "luna moth", "campaign", "analyzer paste", "iocs", "samples", "phishing", "malware", "maltiverse", "cyber threat", "engineering", "team phishing", "mail spammer", "telefonica co", "emotet", "download", "malicious", "team", "suppobox", "analyzer threat", "url summary", "ip summary", "summary", "sample", "detection list", "blacklist", "module load", "service", "create c", "show", "winhttp authip", "write c", "susp", "trojanspy", "related pulses", "copy", "write", "win32", "memcommit", "read c", "x00x00", "high defense", "evasion", "defense evasion", "cryptexportkey", "windows", "shellexecuteexw", "hash", "writeconsolew", "registry", "t1031", "modify existing", "trojan", "dock", "august", "push", "hostnames", "urls http", "cisco umbrella", "site", "alexa top", "million", "safe site", "malicious site", "tofsee", "google domain", "azorult", "runescape", "facebook", "bank", "alexa", "zbot", "dynamicloader", "yara rule", "high", "grum", "medium", "ids detections", "yara detections", "stream", "as15169 google", "as44273 host", "aaaa", "scan endpoints", "all scoreblue", "next", "type texthtml", "google safe", "browsing", "ipv4", "pulse pulses", "urls", "files", "co20230203", "pe resource", "url https", "archive", "posix tar", "flow t1574", "dll sideloading", "media t1091", "t1055", "spawns", "mitre att", "access ta0001", "replication", "dlls privilege", "window", "ip traffic", "udp a83f8110", "hashes", "t1055 spawns", "dlls defense", "dns resolutions", "user", "samplepath", "menu files", "written c", "files copied", "files dropped", "file", "pe32 executable", "ms windows", "intel", "win16 ne", "os2 executable", "generic windos", "executable", "contained", "info compiler", "products id", "header intel", "name md5", "type", "language", "sha256", "data", "entries", "filehash", "av detections", "as3215 orange", "related", "france unknown", "reverse dns", "singapore asn", "as16509", "united", "updated date", "pulse submit", "url analysis", "verdict", "as16342 toya", "all search", "otx scoreblue", "hostname", "ip address", "poland unknown", "moved", "gmt contenttype", "vary", "gmt content", "content length", "domain", "files ip", "address", "location poland", "asn as16342", "as16276", "as50599", "as8075", "as5617 orange", "a td", "as198921", "as29686 probe", "germany unknown", "germany", "title", "body doctype", "html public", "ietfdtd html", "head body", "as63949 linode", "united kingdom", "arial", "apache", "accept", "related nids", "files location", "flag united", "files domain", "files related", "as20940", "as4230 claro", "data redacted", "name servers", "expiration date", "invalid url", "mtb feb", "body html", "head title", "hacktool", "trojandropper", "mtb mar", "title head", "overview ip", "record value", "td tr", "tr tr", "dostpne jzyki", "tr table", "table", "utwrz stref", "modyfikuj stref", "td td", "win32vb", "win32qqpass", "worm", "win32mofksys", "worm worm", "win32salgorea", "support", "internet mobile", "win32tofsee", "as3842 inmotion", "as40676 psychz", "formbook cnc", "checkin", "exploit", "virtool", "trojan features", "file samples", "files matching", "date hash", "cname", "error", "script urls", "ezcrack all", "script", "provides", "softwares", "script domains", "pragma", "as202425 ip", "emails", "as46606", "crack", "aaaa nxdomain", "whitelisted", "nxdomain", "as36352", "malware trojan", "asnone", "virgin islands", "backdoor", "please", "win32botgor" ], "references": [ "aeuwa03.devtest.call2.team | mike@softwarezpro1.txt | softwarezpro.net | www.softwarezpro.net | mike@ hijacked targets device Attacked!", "http://cracx.net/fonepaw-iphone-data-recovery-3-8-0-crack/ | Malware: 74.208.236.140 malacrack.org ns2.filescrack.com ns1.filescrack.com", "http://softwarezpro.net/wp-content/themes/wellington/assets/js/svgxuse.min.js?ver=1.2.6", "animalpornotube.com | http://animalpornotube.com/files/gifamateurpay.gi | https://crackedvst.info/tag/k7-total-security-trial-resetter/", "https://activationskey.net/passfab-iphone-cracked-free-keys-2022 https://crackedvst.info/ui crackedvst.info: http://www.crackidea.net/", "http://activationskey.net/passfab-for-rar-full-cracked-2022/ activationskey.net: https://activationskey.net/passware-kit-forensic-2021-1-3-crack/ activationskey.net: | crackedvst.info: crackedvst.info:", "www.softwarezpro.net\thttps://i0.wp.com/softwarezpro.net/wp parking.namesilo.com softwarezpro.org softwarezap.net softwarezap.net", "anti-spyware-software.net http://softwarezpro.net/wp | | http://softwarezpro.net/xmlrpc.php | https://softwarezpro.net https://softwarezpro.net/\t URL\thttps://softwarezpro.net/comments/feed/ https://softwarezpro.net/feed/\t https://softwarezpro.net/page/2/\t URL\thttps://softwarezpro.net/wp https://softwarezpro.net/xmlrpc.php", "http://softwarezpro.net/wp-content/themes/wellington/assets/js/navigation.min.js?ver=20220224 | crackedvst.info", "pw-90cc2fc574f6dd6dccf2c3531928b039@privacyguardian.org | https://crackedvst.info/antares-autotune-pro-crack/", "www.endgame.com [Threatening] | https://mobisoft.info/dfx-audio-enhancer-crack | https://mobisoft.info/passfab-iphone-unlocker-key", "7cwork.a-poster.info a-poster.info: members.a-poster.info work.a-poster.info a-poster.info: http://20work.a-poster.info a-poster.info:", "http://250awork.a-poster.info/ a-poster.info: http://252fwork.a-poster.info a-poster.info: http://252fwork.a-poster.info/", "20work.a-poster.info a-poster.info: 250awork.a-poster.info a-poster.info: 252fwork.a-poster.info a-poster.info: a-poster.info:", "Trojan:Win32/Salgorea: FileHash-SHA256 e82334440ceddd927f35831fda83594f3657ca56187f7f7ddd7d60cba1be793", "Worm:Win32/Fasong: FileHash-SHA256 c7f2f4a6ed374bac385fa81177967fd013248652556e4ee95cea7f064f6b25dd", "Trojan:Win32/Glupteba: FileHash-SHA256 5e7fdbc4c66fbefd6aa95047a56c709765f18b3a3a65d5942acb4e4349b09039", "Worm:Win32/Mofksys: FileHash-SHA256 ef1a66214e210bc9ae0aef471b0a09f6083078343a0338fcaf1f2b04ebddbd9a", "Trojan:Win32/QQpass: FileHash-SHA256 86df64999ed25a02debca89a586c931b0f32b1edc0e7aa800c360be3ef456439", "TrojanSpy:Win32/Nivdort.DI: FileHash-SHA256 00734b135321562e7e0df7c2f8eb554435cc25c47f46747f79fc2116ac2cc6ef", "Win32:CrypterX-gen\\ [Trj]: FileHash-SHA256 002ea0849da3c63ce6c09c084567e9470c3616084ef19402316e9d52f35c62a7", "Trojan:Win32/Emotet.PC!MTB: FileHash-SHA256 02b9cac1880e348302125664c4955fd163a219b1eb8b50de0ad350e0c147a0b0", "Trojan:Win32/Zbot.SIBB3!MTB: FileHash-SHA256 bc1739628aadbcc99bcb93caab4a7a73534694c817d57cc0ed735bf4bd0f6e45", "ELF:Hajime-Q\\ [Trj] : FileHash-SHA256 aa310469926150f9d6f980dd6ba200d1c9c7dec7c4b66c7de4cff6a30c038560", "Win32/Tasekjom.A : FileHash-SHA256 1230ac0c362b6049b9de011229707e05852dd11af75ca7071a1f089e6aca61f5", "Win32/Muldrop FileHash-SHA256 67a5e78bb2897b15d510dfce0d89f60330db01d7944ebb4f1dd90ce36c907e1b", "PWS:Win32/VB : FileHash-SHA256 dbc78d07e96562c6370ab515f5d65cea88a1b163ad10718c66d15155f4075630", "Backdoor:Win32/Tofsee: FileHash-SHA256 5b616ad2410bef0bc894c4bff013afe2d7f44dcdeb79420bab14c766cc460aa7", "VirTool:Win32/Obfuscator FileHash-SHA256 874e78143b683016ef8e41977f9d3ee34b97b145b313cdefdeb3e8900db6df73", "RASMONTR.DLL 192.168.56.101", "iobit: https://cracxfree.com/iobit-malware-fighter-pro-2/http://activationskey.net/wp-content/uploads/2021/02/download-2-7.jpg", "https://otx.alienvault.com/otxapi/indicators/file/screenshot/00734b135321562e7e0df7c2f8eb554435cc25c47f46747f79fc2116ac2cc6ef", "Parked: www.easycrypto.team | 'Parking Crew' ? Several names exist for advesarial 'Parking Hacker Groups' parking.namesilo.com", "Ranks high in search results because device is typically compromised with Convection engine and Keyword Tool", "a-fondness-for-beauty.com", "iobit: https://cracxfree.com/iobit-malware-fighter-pro-2/ | http://activationskey.net/wp-content/uploads/2021/02/download-2-7.jpg", "iobit: https://cracxfree.com/iobit-malware-fighter-pro-2/ | https://cracklink.info/iobit-uninstaller-pro-key/", "iobit: https://ezcrack.info/iobit-uninstaller-pro-crack | https://ezcrack.info/iobit-uninstaller-pro-crack/", "http://crackedvst.info/plugin-alliance-bundle-crack/: sedoparking.com | sedoparking.com/frmpark/ -", "Trojan:Win32/Zbot: FileHash-SHA256 b7875b426ce25f1d4785ba7043bbfdba49feb726cc829d681acdd67c3c302c70", "ALF:Trojan:Win32/Cassini_f28c33a2:\tFileHash-SHA256 6fc35cb8e18f0d9d72bc1a7037ae88f8036362799f930a1a30e290d31be3b216", "Backdoor:Win32/Botgor: FileHash-SHA256 b70353b3ecf532ad51e7d6a1790275df02c7393b87d40add47a3baccab39802f", "TrojanDropper:Win32/Muldrop: FileHash-SHA256 bf8e919cf6ce208f1c2f98f07df835099f14e2f8708197b0165479468079d902", "#LowFiCreateRemoteThread: FileHash-SHA256 0ab94d890afef8ebae42007a119a8686f71bdd9bdf357262481daa7c9c7a283e", "Trojan:Win32/Blihan: FileHash-SHA256 dada5208109416153937db5a6f44f03b8b9025347c235acdc70edfa24a2a882e", "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 | itunes.apple.com", "http://appleid.com-index-manager-info-verify-receipt-account.usa.cc/ |", "https://realcrack.info/sidify-apple-music-converter-crack/ | applehouse-jp.com | iappletech.com | http://apple.int-access-accounts.usa.cc/", "http://apple-store.jspi304es-services-fixedbilling-responsive-managed-update-card.appleid-storeext.usa.cc/", "http://apple-unlocked-login.usa.cc/\t| http://apple.com.locked-account-verify-login.usa.cc/" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "TrojanSpy:Win32/Nivdort.DI", "display_name": "TrojanSpy:Win32/Nivdort.DI", "target": "/malware/TrojanSpy:Win32/Nivdort.DI" }, { "id": "Win32:CrypterX-gen\\ [Trj]", "display_name": "Win32:CrypterX-gen\\ [Trj]", "target": null }, { "id": "Trojan:Win32/Emotet.PC!MTB", "display_name": "Trojan:Win32/Emotet.PC!MTB", "target": "/malware/Trojan:Win32/Emotet.PC!MTB" }, { "id": "Trojan:Win32/CryptInject", "display_name": "Trojan:Win32/CryptInject", "target": "/malware/Trojan:Win32/CryptInject" }, { "id": "RASMONTR.DLL", "display_name": "RASMONTR.DLL", "target": null }, { "id": "Trojan:Win32/Salgorea", "display_name": "Trojan:Win32/Salgorea", "target": "/malware/Trojan:Win32/Salgorea" }, { "id": "Worm:Win32/Fasong", "display_name": "Worm:Win32/Fasong", "target": "/malware/Worm:Win32/Fasong" }, { "id": "Trojan:Win32/Glupteba", "display_name": "Trojan:Win32/Glupteba", "target": "/malware/Trojan:Win32/Glupteba" }, { "id": "Worm:Win32/Mofksys", "display_name": "Worm:Win32/Mofksys", "target": "/malware/Worm:Win32/Mofksys" }, { "id": "Trojan:Win32/QQpass", "display_name": "Trojan:Win32/QQpass", "target": "/malware/Trojan:Win32/QQpass" }, { "id": "Trojan:Win32/Zbot.SIBB3!MTB", "display_name": "Trojan:Win32/Zbot.SIBB3!MTB", "target": "/malware/Trojan:Win32/Zbot.SIBB3!MTB" }, { "id": "ELF:Hajime-Q\\ [Trj]", "display_name": "ELF:Hajime-Q\\ [Trj]", "target": null }, { "id": "Win32/Tasekjom.A", "display_name": "Win32/Tasekjom.A", "target": null }, { "id": "TEL:Trojan:Win32/TrojanDownloader", "display_name": "TEL:Trojan:Win32/TrojanDownloader", "target": null }, { "id": "Win32/TrojanDropper", "display_name": "Win32/TrojanDropper", "target": null }, { "id": "Trojan:Win32/Muldrop", "display_name": "Trojan:Win32/Muldrop", "target": "/malware/Trojan:Win32/Muldrop" }, { "id": "PWS:Win32/VB", "display_name": "PWS:Win32/VB", "target": "/malware/PWS:Win32/VB" }, { "id": "Backdoor:Win32/Tofsee", "display_name": "Backdoor:Win32/Tofsee", "target": "/malware/Backdoor:Win32/Tofsee" }, { "id": "Trojan:Win32/Blihan", "display_name": "Trojan:Win32/Blihan", "target": "/malware/Trojan:Win32/Blihan" }, { "id": "#LowFiCreateRemoteThread", "display_name": "#LowFiCreateRemoteThread", "target": null }, { "id": "Backdoor:Win32/Botgor", "display_name": "Backdoor:Win32/Botgor", "target": "/malware/Backdoor:Win32/Botgor" }, { "id": "ALF:Trojan:Win32/Cassini_f28c33a2", "display_name": "ALF:Trojan:Win32/Cassini_f28c33a2", "target": null } ], "attack_ids": [ { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1147", "name": "Hidden Users", "display_name": "T1147 - Hidden Users" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1010", "name": "Application Window Discovery", "display_name": "T1010 - Application Window Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1120", "name": "Peripheral Device Discovery", "display_name": "T1120 - Peripheral Device Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" } ], "industries": [ "Technology", "Telecommunications", "Civilian Devices" ], "TLP": "green", "cloned_from": null, "export_count": 112, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1629, "FileHash-MD5": 4822, "URL": 2002, "email": 18, "hostname": 1725, "FileHash-SHA1": 3921, "FileHash-SHA256": 9019, "URI": 1 }, "indicator_count": 23137, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "552 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66ba01cb6ef731c30679908b", "name": "BusyBox |Eternal Blue | MITM Attack | Linux Crime Mirai_Botnet_Malware | Brian Sabey attorney", "description": "Verizon Business MCICS?\nMCI Communications Services LLC Verizon Division, doing business as MCI, is a subsidiary of Verizon Communications Inc. that provides a wide range of telecommunications products and services to U.S. federal government customers.\nHandle Swipper, previously scrubbed from internet has been hovering over target for at least 10 years.\n[Known to have used Host: 152.199.19.161\n19.161 is an IP address in AS15133 owned by MCICommunicationsServices,Inc.d/b/aVerizonBusiness and located in US] + [Edgecast Inc ns1.edgecastcdn.net] Swipper, once linked to WikiLeaks threat actor who sent malicious emails to targets and Bank of America employees revealing passcodes from garage door codes to favorite color, ice cream hobbies and passwords. \n[Bin][BusyBox] BusyBox is a software suite that provides several Unix utilities in a single executable file.", "modified": "2024-10-12T00:01:26.015000", "created": "2024-08-12T12:36:27.020000", "tags": [ "network", "orgdnsref", "nethandle", "net174", "net1740000", "mcics", "swipp", "swipper", "jody alaska", "jody huffines", "verizon", "eva120", "block id", "wirelessdatanetwork", "swipp9-arin", "united", "et exploit", "smbds ipc", "show", "search", "default", "asnone", "nids", "generic", "query", "service", "wannacry", "ransom", "malware", "copy", "dock", "write", "eternalblue", "recon", "suspicious", "realtek sdk", "miniigd upnp", "soap command", "exploit", "msie", "windows nt", "high", "binbusybox", "gafgyt", "execution", "mirai", "newremotehost", "mitm", "port", "destination", "newexternalport", "newprotocol", "newinternalport", "rf cum", "newenabled", "addpo", "addportmapping", "whois lookups", "city", "orgdnshandle", "stateprov", "loudoun county", "postalcode", "text", "javascript", "b file", "files", "file type", "json", "graph", "t1064 executes", "modify system", "process t1543", "systemd service", "posts", "mitre att", "ta0002 command", "t1059", "create", "ta0004 create", "ip traffic", "hashes", "file system", "libmultipath", "devftwdt101", "devsda1 devsda2", "files deleted", "e procselffd9", "h devsda2", "created binsh", "shell commands", "binsh binsh", "binsh c", "i lo", "p m0755", "varrunsshd", "processes tree", "referrer", "pe resource", "cry kill", "formbook", "ransomworm", "wannacry kill", "switch dns", "password bypass", "account stealer", "hiddentear", "installer", "skynet", "get http", "memory pattern", "http requests", "request", "host", "cachecontrol", "response", "contentlength", "httponly", "samesitelax", "mofresourcename", "settingswpad", "registry keys", "hdaudiomofname", "acpimofresource", "mofresource", "registry", "kernel context", "runtime modules", "modules", "urls", "cloudflare", "domains", "ip detections", "country", "win32 exe", "mb pe", "mb graph", "summary", "pe32 executable", "ms windows", "intel", "ms visual", "win16 ne", "win32 dynamic", "link library", "vs98", "info compiler", "products id", "sp6 build", "header intel", "name md5", "type", "language", "contained", "r english", "yara rule", "et trojan", "domain http", "cape", "yara detections", "alerts", "logic", "status", "passive dns", "creation date", "scan endpoints", "all scoreblue", "hostname", "pulse submit", "url analysis", "date", "next", "as6167 verizon", "as22394 verizon", "showing", "entries", "aaaa", "cname", "asnone united", "whitelisted", "as20446", "as8075", "ipv4", "unknown", "emails", "expiration date", "name servers", "aaaa nxdomain", "ireland unknown", "nxdomain", "soa nxdomain", "ns nxdomain", "a nxdomain", "as8068", "united kingdom", "domain", "cve201717215", "huawei remote", "huawei hg532", "malware worm", "exploit none", "rce", "ate hash", "spyware", "adversary in the middle", "smugglers gambit", "hitmen", "hallrender", "sreredrum", "pegasus related", "brute force", "target tsara brashears", "brian sabey" ], "references": [ "Researched: 174.215.26.0/255 AS 6167 (CELLCO-PART) US | Swipper | Loudon County, Va | Ongoing attacks", "Highlighted Text: The following text was observed as standard output, \"[THEA-MALWARE]: Gimme Cum Pwease XD\"", "Trojan.Linux.Mirai.1 | Crime_Mirai | DDoS:Linux/Gafgyt.YA!MTB: FILEHASH - SHA256 a1eff1e00a7d532a6e6d71b3c5328e", "Antivirus Detections: ELF:Mirai-AHC\\ [Trj] , Unix.Trojan.Mirai-7100807-0 , DDoS:Linux/Gafgyt.YA!MTB", "IDS Detections: Huawei Remote Command Execution - Outbound (CVE-2017-17215)", "IDS Detections: Realtek SDK Miniigd UPnP SOAP Command Execution CVE-2014-8361 - Outbound", "Yara Detections: Mirai_Botnet_Malware", "High Priority Alerts: dead_host network_icmp osquery_detection network_irc nolookup_communication p2p_cnc", "Interesting Strings: http://schemas.xmlsoap.org/soap/encoding/ http://0.0.0.0/nope", "Interesting Strings: http://schemas.xmlsoap.org/soap/envelope/ 185.244.25.117 127.0.0.1", "ELF Info Header ELF32 2's complement, little endian 1 (current) UNIX - System V EXEC (Executable file) Intel 80386 0x1", "Matches rule Mirai_Botnet_Malware from ruleset crime_mirai by Florian Roth", "Matches rule Linux_Trojan_Mirai_b14f4c5d from ruleset Linux_Trojan_Mirai by Elastic Security", "Matches rule SUSP_XORed_Mozilla from ruleset gen_xor_hunting by Florian Roth", "Matches rule Linux_Trojan_Mirai_fa3ad9d0 from ruleset Linux_Trojan_Mirai by Elastic Security", "https://github.com/Neo23x0/signature-base/search?q=Mirai_Botnet_Malware Desc: Detects Mirai Botnet Malware RULE_AUTHOR: Florian Roth", "Crime_WannaCry | Ransom:Win32/WannaCrypt.H | FILEHASH - SHA256 86f7e04aed8403e6b9f0d4ae880a55f7574c1b177cf6c24234ffa992eadb2c52", "Yara Detections: WannaCry_Ransomware , Win32_Ransomware_WannaCry , Wanna_Cry_Ransomware_Generic ,", "Yara Detections: MS17_010_WanaCry_worm , NHS_Strain_Wanna , stack_string , MS_Visual_Cpp_6_0", "Alerts: nids_exploit_alert nids_malware_alert network_icmp nolookup_communication persistence_autorun network_cnc_http", "IDS Detections: W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1", "IDS Detections: Domain Sinkholed by Kryptos Logic (HTML Response)", "IDS Detections: Possible ETERNALBLUE Probe MS17-010 (MSF style)", "IDS Detections: Possible ETERNALBLUE Probe MS17-010 (Generic Flags)", "IDS Detections: ETERNALBLUE Probe Vulnerable System Response MS17-010", "IDS Detections: Observed DNS Query to Suspicious Domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com)", "IDS Detections: Behavioral Unusual Port 445 traffic Potential Scan or Infection", "Antivirus Detections Sf:WNCryLdr-A\\ [Trj] , Win.Ransomware.WannaCry-6313787-0 , Ransom:Win32/WannaCrypt.H" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "DDoS:Linux/Gafgyt.YA!MTB", "display_name": "DDoS:Linux/Gafgyt.YA!MTB", "target": "/malware/DDoS:Linux/Gafgyt.YA!MTB" }, { "id": "Unix.Trojan.Mirai-7100807-0", "display_name": "Unix.Trojan.Mirai-7100807-0", "target": null }, { "id": "ELF:Mirai-AHC\\ [Trj]", "display_name": "ELF:Mirai-AHC\\ [Trj]", "target": null }, { "id": "Sf:WNCryLdr-A\\ [Trj]", "display_name": "Sf:WNCryLdr-A\\ [Trj]", "target": null }, { "id": "Ransom:Win32/WannaCrypt.H", "display_name": "Ransom:Win32/WannaCrypt.H", "target": "/malware/Ransom:Win32/WannaCrypt.H" }, { "id": "Win.Ransomware.WannaCry-6313787-0", "display_name": "Win.Ransomware.WannaCry-6313787-0", "target": null }, { "id": "Mirai", "display_name": "Mirai", "target": null } ], "attack_ids": [ { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1045", "name": "Software Packing", "display_name": "T1045 - Software Packing" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1143", "name": "Hidden Window", "display_name": "T1143 - Hidden Window" }, { "id": "T1158", "name": "Hidden Files and Directories", "display_name": "T1158 - Hidden Files and Directories" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1064", "name": "Scripting", "display_name": "T1064 - Scripting" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1543", "name": "Create or Modify System Process", "display_name": "T1543 - Create or Modify System Process" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1557", "name": "Man-in-the-Middle", "display_name": "T1557 - Man-in-the-Middle" } ], "industries": [ "Government", "Healthcare", "Civilian Society" ], "TLP": "green", "cloned_from": null, "export_count": 41, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 2826, "CIDR": 2, "URL": 549, "email": 12, "hostname": 587, "FileHash-MD5": 806, "FileHash-SHA1": 791, "BitcoinAddress": 3, "domain": 388, "CVE": 4 }, "indicator_count": 5968, "is_author": false, "is_subscribing": null, "subscriber_count": 230, "modified_text": "554 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://develop.payper.pt", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://develop.payper.pt", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776638279.5226033 }